Complete Guide: Cisco ASA Firewall Monitoring with PRTG NetFlow v9 and NSEL

Published by Dirk Paessler
Last updated on September 25, 2025 • 14 minute read

Cisco ASA firewalls implement a proprietary version of NetFlow known as NetFlow Security Event Logging (NSEL), which differs from the traditional NetFlow format used by routers. This tutorial shows IT administrators how to configure PRTG's NetFlow v9 sensor to monitor Cisco ASA firewall traffic efficiently.

Cisco ASA NetFlow Security Event Logging (NSEL) Introduction

NSEL Characteristics:

  • Event-based (not real time) analysis

  • Data collection after flow termination

  • Added CPU load on ASA devices

  • Requires proper template handling with the correct timeout configuration

Documentation at www.cisco.com states that ASA NetFlow does not provide real-time data visibility, unlike the traditional router implementation.

ASA NSEL vs Traditional NetFlow

Feature            | Traditional NetFlow     | Cisco ASA NSEL
Data Collection    | Real-time sampling      | Post-event logging
Performance Impact | Moderate                | High CPU impact
Use Case           | Live bandwidth analysis | Security event analysis

Pre-requisites

ASA pre-requisites:

  • Cisco ASA running firmware 8.2.x or later
  • Administrative access via CLI (SSH) or ASDM
  • Network access to the PRTG server IP
 

PRTG Requirements:

  • Windows probe with available UDP port (default 2055)
  • SNMP access for real-time data collection

Step 1: Enable ASA NetFlow Export

CLI Configuration

SSH into the ASA and enter the following to enable NetFlow Export:

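configure terminal
! Global configuration: collector (PRTG probe) address, UDP port, template resend interval
flow-export destination inside x.x.x.x 2055
flow-export template timeout-rate 30
! Export all NSEL event types for traffic matching class-default
policy-map global_policy
 class class-default
  flow-export event-type all destination x.x.x.x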

To monitor a specific physical interface, use the following commands:

interface GigabitEthernet0/0
nameif outside
ip address 192.168.1.1 255.255.255.0
service-policy global_policy interface

ASDM Steps

Apply the configuration.

 

Validation:

show flow-export
show service-policy global

Step 2: Setup PRTG NetFlow v9 Sensor

📖 Need more detailed configuration help? Take a look at our comprehensive KnowledgeBase Guide: Monitoring Cisco ASA Firewalls using NetFlow 9 and PRTG for advanced setup examples and troubleshooting.

SNMP Integration for Real-Time Metrics

Augment your Cisco ASA monitoring by pairing NetFlow with SNMP for live metrics:

 

Key SNMP Sensors:

  • CPU Utilization: Track performance impact on ASA
  • Interface Monitoring: Monitor outside interface and inside interface bandwidth
  • Failover Status: Monitor active unit, standby unit, and failover link
  • VPN Connections: Monitor authentication and session counts

Key SNMP OIDs:

1.3.6.1.4.1.9.9.109.1.1.1.1.7 - CPU Utilization
1.3.6.1.4.1.9.9.147.1.2.1.1.1.3 - Failover Status
1.3.6.1.4.1.9.9.147.1.2.1.1.1.6 - Last Failover Reason
 

SNMP Trap Configuration:

snmp-server host inside x.x.x.x community public
snmp-server enable traps snmp authentication
snmp-server enable traps syslog

Analyzing ASA NetFlow Data



Example: PRTG NetFlow v9 sensor displaying Cisco ASA traffic data with characteristic post-event spikes

Troubleshooting Common Issues

No Data Received:

  1. Verify ASA configuration: show flow-export
  2. Check network connectivity and UDP port accessibility
  3. Validate IP address settings in both ASA and PRTG
  4. Ensure ACL rules allow UDP traffic
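
When packets do reach the probe's UDP port but nothing can be decoded, check whether a template has arrived yet: a NetFlow v9 collector cannot interpret a data FlowSet until it has seen the matching template, which the ASA resends at the interval set by flow-export template timeout-rate. The following is an added example, not code from PRTG or Cisco; it walks v9 packets and reports templates learned versus data FlowSets that are still undecodable. The sample packets, template 256 and its four fields are constructed for illustration and are not an actual ASA NSEL template.

```python
import struct

# NetFlow v9 header: version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")

def summarize_v9(packet, known_templates):
    """Walk one v9 export packet; known_templates maps
    (source_id, template_id) -> record length and is updated in place."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("shorter than a NetFlow v9 header")
    version, _, _, _, sequence, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    out = {"sequence": sequence, "templates": [], "decodable": 0, "undecodable": []}
    offset = V9_HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                      # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                template_id, nfields = struct.unpack_from("!HH", body, pos)
                if template_id < 256 or pos + 4 + 4 * nfields > len(body):
                    break                        # padding or truncated template
                sizes = struct.unpack_from(f"!{2 * nfields}H", body, pos + 4)[1::2]
                known_templates[(source_id, template_id)] = sum(sizes)
                out["templates"].append(template_id)
                pos += 4 + 4 * nfields
        elif flowset_id >= 256:                  # data FlowSet, ID = template ID
            rec_len = known_templates.get((source_id, flowset_id))
            if rec_len:
                out["decodable"] += len(body) // rec_len
            else:
                out["undecodable"].append(flowset_id)
        offset += length
    return out

def constructed_packet(sequence, *flowsets):
    """Constructed sample export packet (not captured from an ASA)."""
    return V9_HEADER.pack(9, len(flowsets), 1000, 1700000000, sequence, 0) + b"".join(flowsets)

# Constructed template 256: src addr (8), dst addr (12), src port (7), dst port (11)
TEMPLATE_FS = struct.pack("!12H", 0, 24, 256, 4, 8, 4, 12, 4, 7, 2, 11, 2)
# Constructed data FlowSet with one 12-byte record for template 256
DATA_FS = struct.pack("!HH4s4sHH", 256, 16, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), 51000, 443)
```

Feed it the UDP payloads received on the probe's port, sharing one known_templates dictionary across packets; a growing undecodable list with an empty templates list means the collector is still waiting for the ASA to send its template.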

Performance Issues:

  • Monitor ASA CPU utilization via SNMP
  • Adjust template timeout rates
  • Turn off debug mode: no debug flow-export
 

Failover Environment: Configure identical NetFlow policies on both active unit and standby unit, monitor failover link status, and track last failover events in correlation with data gaps.

Syslog Integration

Configure syslog integration for complete security monitoring:

logging host inside x.x.x.x
logging trap informational
 

Key Events to Monitor:

  • Authentication failures and VPN session events
  • Failover status changes and interface alerts
  • ACL denials and security policy violations
  • Configuration changes via CLI or ASDM

Cisco ASA Firewall Monitoring Best Practices

Get Started with PRTG ASA Monitoring

 

Start monitoring your Cisco ASA firewall today. Download your free 30-day PRTG trial and configure NetFlow v9 monitoring in minutes.

 
 

Need help with ASA monitoring setup, failover configuration, or VLAN monitoring? Our technical team provides expert guidance for firewall monitoring deployments.