Complete Guide: Cisco ASA Firewall Monitoring with PRTG NetFlow v9 and NSEL

Published by Dirk Paessler
Last updated on September 25, 2025 • 14 minute read

Cisco ASA firewalls implement a proprietary version of NetFlow technology known as NetFlow Security Event Logging (NSEL), which deviates from the traditional NetFlow information format of routers. This tutorial will demonstrate to IT administrators how to configure PRTG's NetFlow v9 sensor for efficient monitoring of Cisco ASA firewall traffic.

monitoring cisco asa firewalls using netflow 9

Cisco ASA NetFlow Security Event Logging (NSEL) Introduction

Cisco deployed NetFlow 9 for ASA 5500 security appliances using NSEL. It was first released on Cisco ASA 5580, and later it became available on other ASA devices (running at least firmware ASA 8.2.x). NSEL is used for post-event analysis and not for real-time traffic analysis.

NSEL Characteristics:

Event-based (not real time) analysis
Data collection after flow termination
Degradation in CPU performance of ASA devices
Need of proper template handling with the correct timeout configuration

Documentation at www.cisco.com states that ASA NetFlow will not provide real time data visibility, different from the traditional router implementation.

ASA NSEL vs Traditional NetFlow

Feature	Traditional NetFlow	Cisco ASA NSEL
Data Collection	Real-time sampling	Post-event logging
Performance Impact	Moderate	High CPU impact
Use Case	Live bandwidth analysis	Security event analysis

Pre-requisites

ASA pre-requisites:

Cisco ASA running on firmware 8.2.x or greater
Administrative access via CLI (SSH) or ASDM
Network Access to PRTG server IP

PRTG Requirements:

Windows probe with available UDP port (default 2055)
SNMP access for real-time data collection

Step 1: Enable ASA NetFlow Export

CLI Configuration

SSH into the ASA and enter the following to enable NetFlow Export:

config terminal
policy-map global_policy
 class class-default
  flow-export destination inside x.x.x.x 2055
  flow-export template timeout-rate 30

To monitor a specific physical interface, use the following commands:

interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.1.1 255.255.255.0
 service-policy global_policy interface

ASDM Steps

Select Configuration → Firewall → Service Policy Rules and then Add NetFlow Export with the IP address and UDP port. Apply the configuration..

Validation:

show flow-export
show service-policy global

Step 2: Setup PRTG NetFlow v9 Sensor

Locate your Cisco ASA in PRTG and add a NetFlow v9 sensor. Specify the UDP port configured on your ASA. Enter the ASA's management interface IP address in the sender IP field. Configure active flow timeout to be 2 minutes greater than that configured on the ASA.

PRTG classifies traffic into Web Traffic (HTTP/HTTPS), Mail Traffic (SMTP/POP3/IMAP), VPN Traffic (IPSec/SSL), DNS services, Remote Control (SSH/RDP) and user-defined channels for VLAN and MAC address monitoring.

📖 Need more detailed configuration help? Take a look at our comprehensive KnowledgeBase Guide: Monitoring Cisco ASA Firewalls using NetFlow 9 and PRTG for advanced setup examples and troubleshooting.

SNMP Integration for Real-Time Metrics

Augment your Cisco ASA monitoring by pairing NetFlow with SNMP for live metrics:

Key SNMP Sensors:

CPU Utilization: Track performance impact on ASA
Interface Monitoring: Monitor outside interface and inside interface bandwidth
Failover Status: Monitor active unit, standby unit, and failover link
VPN Connections: Monitor authentication and session counts

Key SNMP OIDs:

1.3.6.1.4.1.9.9.109.1.1.1.1.7 - CPU Utilization
1.3.6.1.4.1.9.9.147.1.2.1.1.1.3 - Failover Status
1.3.6.1.4.1.9.9.147.1.2.1.1.1.6 - Last Failover Reason

SNMP Trap Configuration:

snmp-server host inside x.x.x.x community public
snmp-server enable traps snmp authentication
snmp-server enable traps syslog

Analyzing ASA NetFlow Data

ASA NetFlow data is bursty in nature (you will see periodic bursts in the connections counter when connections close) and subject to delayed reporting (after connections are closed, data about those connections will be reported). Keep in mind that NetFlow traffic data is counted bidirectionally and NetFlow templates need to be processed correctly in order to properly understand the NetFlow data.

Netflow9_ASA_Chart

Example: PRTG NetFlow v9 sensor displaying Cisco ASA traffic data with characteristic post-event spikes

Troubleshooting Common Issues

No Data Received:

Verify ASA configuration: show flow-export
Check network connectivity and UDP port accessibility
Validate IP address settings in both ASA and PRTG
Ensure ACL rules allow UDP traffic

Performance Issues:

Monitor ASA CPU utilization via SNMP
Adjust template timeout rates
Turn off debug mode: no debug flow-export

Failover Environment: Configure identical NetFlow policies on both active unit and standby unit, monitor failover link status, and track last failover events in correlation with data gaps.

Syslog Integration

Configure syslog integration for complete security monitoring:

logging host inside x.x.x.x
logging trap informational

Key Events to Monitor:

Authentication failures and VPN session events
Failover status changes and interface alerts
ACL denials and security policy violations
Configuration changes via CLI or ASDM

Cisco ASA Firewall Monitoring Best Practices

Use NetFlow (post-event), SNMP (real-time) and syslog (security events) in conjunction with each other for a full picture of Cisco ASA firewalls. Monitor ASA CPU performance at all times, configure both active and standby ASAs in failover mode, and continue monitoring beyond firewalls to include routers and other network devices. Use dedicated remote probes for high traffic WAN environments, and do not exceed 50 NetFlow sensors in each Windows probe system.

Get Started with PRTG ASA Monitoring

Monitoring your Cisco ASA with PRTG's NetFlow v9 sensor is different from other NetFlow monitoring in that it has specially tailored NSEL monitoring to specifically process and display ASA's unique bidirectional flow information in an optimal way. In addition, we combine it with the use of the SNMP monitoring in real time to display CPU usage, interfaces, and failover status with smart use of NetFlow template processing.

Start monitoring your Cisco ASA firewall today. Download your free 30-day PRTG trial and configure NetFlow v9 monitoring in minutes.

👉 Download Free PRTG Trial

Need help with ASA monitoring setup, failover configuration, or VLAN monitoring? Our technical team provides expert guidance for firewall monitoring deployments.

All about PRTG