Cisco has introduced NetFlow 9 export in the latest software version for ASA firewalls. But it seems to be meant for event logging of security events only (as a replacement for syslog messages).

But can it still be used for bandwidth monitoring, too? And if so, how must the ASA be configured?

Here is the relevant info from the Cisco website:

masegaloeh
networker1

3 Answers


Security Event Logging is something different to what you're after. I believe you want straight NetFlow (v5 will do) - exported to some type of analyzer.

I've used, and can recommend, ManageEngine Netflow Analyzer: http://www.manageengine.com/products/netflow/download-free.html

Grab the free edition, and fire this up on a server somewhere. Make sure the server's firewall permits traffic on port 9996 (UDP). Then, use the following config on your ASA to export network flow data:

! Exporter: send NetFlow v9 (NSEL) records to the collector on UDP 9996
flow-export destination outside_interface_name <netflow analyzer IP> 9996
! Resend templates every minute so the collector can decode records promptly
flow-export template timeout-rate 1
! Hold flow-create events for 10 s so very short flows only produce a teardown event
flow-export delay flow-create 10

! Select all traffic for export
access-list netflow-export extended permit ip any any

class-map netflow-export-class
 match access-list netflow-export

! Attach the export action to the existing global policy-map
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination <netflow analyzer IP>

Note that in my example, I have assumed you have a global_policy policy-map defined.

Browse to Netflow Analyzer and log in. Netflow analyzer will break down the ASA output into source/destination connections, including traffic in megabytes per connection, and will even perform port analysis to show you the applications in use.

This makes it particularly easy to see when an employee is torrenting for instance. :-)

Tim Woolford
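The collector side of this answer (turning the ASA's NetFlow v9 export into per-connection byte counts) as an added example; this is not code from the answer's author or from ManageEngine. It assumes the exporter sends a template flowset before its data flowset and that byte counts travel in the IANA IPFIX elements 231 (initiatorOctets) and 232 (responderOctets), which is how ASA NSEL flow-teardown records are assumed to carry them; the datagram is constructed inline.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v9 field type ids used here. 231/232 (initiatorOctets/responderOctets) are assumed
# to be what ASA NSEL teardown records carry; verify against your release's exported templates.
IPV4_SRC, IPV4_DST, L4_SRC_PORT, L4_DST_PORT, INIT_OCTETS, RESP_OCTETS = 8, 12, 7, 11, 231, 232

def parse_v9(packet):
    """Return {(src, sport, dst, dport): total_bytes} from one NetFlow v9 datagram."""
    version, _count, _uptime, _secs, _seq, _src_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    templates, usage, off = {}, defaultdict(int), 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length")  # untrusted UDP input: fail closed
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: learn record layouts keyed by template id
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    raw = body[p:p + flen]
                    rec[ftype] = socket.inet_ntoa(raw) if ftype in (IPV4_SRC, IPV4_DST) else int.from_bytes(raw, "big")
                    p += flen
                key = (rec[IPV4_SRC], rec[L4_SRC_PORT], rec[IPV4_DST], rec[L4_DST_PORT])
                usage[key] += rec.get(INIT_OCTETS, 0) + rec.get(RESP_OCTETS, 0)
        off += fs_len
    return dict(usage)

def build_sample():
    """Constructed datagram: one template (id 256) plus two teardown-style records."""
    fields = [(IPV4_SRC, 4), (IPV4_DST, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2), (INIT_OCTETS, 8), (RESP_OCTETS, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    def rec(src, dst, sport, dport, ini, rsp):
        return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHQQ", sport, dport, ini, rsp)
    data = (rec("10.0.0.5", "203.0.113.9", 51000, 6881, 1_200_000, 45_000_000)
            + rec("10.0.0.7", "198.51.100.2", 49152, 443, 3_000, 120_000))
    header = struct.pack("!HHIIII", 9, 3, 123456, 1700000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
```

NetFlow is unauthenticated UDP, so a real collector should accept port 9996 only from the ASA's source address and, as above, reject any flowset whose length does not fit the datagram before indexing into it.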

In my experience the bandwidth monitoring provided by Cisco is limited in what it can do. I use and recommend Fire Plotter, which works with Cisco firewalls.

http://www.fireplotter.com/

Bede

What detail of bandwidth monitoring do you need?

If all you need is basic per-interface usage then SNMP and something like Observium or Cacti is a much better solution.

If you need, for example, per-client usage (on a shared inside network), then you need to use Netflow and a Netflow collector.

HampusLi