Published by Dirk Paessler
Last updated on January 23, 2024
•
3 minute read
Recently Cisco has implemented NetFlow 9 for its popular ASA 5500 security and firewall appliances. But this implementation of NetFlow is quite different from what other Cisco devices provide. It is called "Netflow Security Event Logging" (NSEL) and was originally introduced on the Cisco ASA 5580.
Now, with the latest firmware (ASA 8.2.x or later), it is now extended to other Cisco ASA models. In fact ASA NetFlow was initially not intended to be used for realtime/live traffic analysis (it was created for monitoring of security events)... But it is still a viable option for bandwidth monitoring. And with PRTG Network Monitor V7.2 this option is fully supported, including bandwidth computation, Top Talkers, Top Connections and Top Protocols!
Compared to "normal" NetFlow the following limitations apply:
- You will not see the real time data: The NSEL monitoring sends a NetFlow data packet only after a connection has been torn down. If a connection is active for minutes or hours, the ASA sends one NetFlow packet with the total of the connection. This causes peaks in PRTG's graphs while showing too little traffic before that.
- Flows on the ASA are bidirectional (all counters for a flow will increase for traffic flowing in and out)
- NetFlow 9 monitoring on the ASA comes at a price: CPU load.
Our knowledgebase article "Monitoring Cisco ASA Firewalls with PRTG using Netflow 9" explains how to configure the ASA and PRTG and all the other details you need to know.
You there!
