Monitoring Cisco ASA Firewalls Using Netflow 9 and PRTG 7.2

 Originally published on September 27, 2009 by Dirk Paessler
Last updated on January 23, 2024 • 3 minute read

Recently Cisco has implemented NetFlow 9 for its popular ASA 5500 security and firewall appliances. But this implementation of NetFlow is quite different from what other Cisco devices provide. It is called "Netflow Security Event Logging" (NSEL) and was originally introduced on the Cisco ASA 5580.
Now, with the latest firmware (ASA 8.2.x or later), it is now extended to other Cisco ASA models. In fact ASA NetFlow was initially not intended to be used for realtime/live traffic analysis (it was created for monitoring of security events)... But it is still a viable option for bandwidth monitoring. And with PRTG Network Monitor V7.2 this option is fully supported, including bandwidth computation, Top Talkers, Top Connections and Top Protocols!

Compared to "normal" NetFlow the following limitations apply:

  • You will not see the real time data: The NSEL monitoring sends a NetFlow data packet only after a connection has been torn down. If a connection is active for minutes or hours, the ASA sends one NetFlow packet with the total of the connection. This causes peaks in PRTG's graphs while showing too little traffic before that.
  • Flows on the ASA are bidirectional (all counters for a flow will increase for traffic flowing in and out)
  • NetFlow 9 monitoring on the ASA comes at a price: CPU load.
The following screenshot shows a comparison of the bandwidth monitoring results of three different techniques. It shows traffic through an ASA device measured using SNMP (traffic on the "WAN" port), NetFlow 9 (analyzing NetFlow 9 packets of the next Cisco router upstream) and again NetFlow 9 (NetFlow9 from the ASA itself). Our knowledgebase article "Monitoring Cisco ASA Firewalls with PRTG using Netflow 9" explains how to configure the ASA and PRTG and all the other details you need to know.