Cisco ASA firewalls implement an ASA-specific variant of NetFlow version 9 known as NetFlow Security Event Logging (NSEL), whose record format and timing deviate from the traditional NetFlow implementation on routers. This tutorial shows IT administrators how to configure PRTG's NetFlow v9 sensor to monitor Cisco ASA firewall traffic efficiently.
Cisco ASA NetFlow Security Event Logging (NSEL) Introduction
Cisco implemented NetFlow version 9 on the ASA 5500 series as NSEL. It first shipped on the Cisco ASA 5580 and later became available on the other ASA models (running ASA firmware 8.2.x or later). NSEL is intended for post-event analysis, not real-time traffic analysis: the ASA emits a record when a connection is created, torn down or denied, rather than periodically accounting for packets as a router does.
NSEL Characteristics:
- Event-based (not real-time) analysis
- Data collection after flow termination
- Additional CPU load on the ASA
- Need for proper template handling with the correct timeout configuration
Cisco's documentation at www.cisco.com states that ASA NetFlow does not provide real-time data visibility, unlike the traditional router implementation.
ASA NSEL vs Traditional NetFlow
Feature | Traditional NetFlow | Cisco ASA NSEL
---|---|---
Data Collection | Real-time flow accounting (optionally sampled) | Post-event logging on flow creation, teardown and denial
Performance Impact | Moderate | Higher CPU impact
Use Case | Live bandwidth analysis | Security event analysis
Pre-requisites
ASA pre-requisites:
- Cisco ASA running firmware 8.2.x or later
- Administrative access via CLI (SSH) or ASDM
- Network reachability from the ASA's exporting interface to the PRTG probe (UDP, default port 2055)
PRTG Requirements:
- Windows probe with an available UDP port (default 2055) that is not blocked by the Windows Firewall
- SNMP access (optional, but recommended) for real-time CPU, interface and failover metrics
Step 1: Enable ASA NetFlow Export
CLI Configuration
SSH into the ASA and enter the following to enable NetFlow export. Replace x.x.x.x with the IP address of the PRTG probe and `inside` with the interface through which the probe is reached. The collector and template refresh are global commands; the export itself is attached to the default class of the global policy via the Modular Policy Framework, and `event-type all` exports flow-created, flow-deleted and flow-denied events:
configure terminal
flow-export destination inside x.x.x.x 2055
flow-export template timeout-rate 30
policy-map global_policy
 class class-default
  flow-export event-type all destination x.x.x.x
service-policy global_policy global
To apply the export policy to a specific interface rather than globally, attach the policy map to that interface by its `nameif`. The addressing lines below are only an example of such an interface; the NetFlow-specific command is the final `service-policy ... interface <nameif>` line. An interface service policy takes precedence over the global policy for the features configured in both:
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.1.1 255.255.255.0
service-policy global_policy interface outside
ASDM Steps
In ASDM, define the collector under Configuration → Device Management → Logging → NetFlow, then select Configuration → Firewall → Service Policy Rules, add a rule to the global policy with the NetFlow export action pointing at that collector (IP address and UDP port), and apply the configuration.
Validation (the counters output should show the packet count increasing while connections are being torn down):
show flow-export
show flow-export counters
show service-policy global
Step 2: Setup PRTG NetFlow v9 Sensor
Locate your Cisco ASA in PRTG and add a NetFlow v9 sensor. Specify the UDP port configured on the ASA. In the sender IP field, enter the IP address of the ASA interface from which the records are exported (the interface named in `flow-export destination`, which is not necessarily the management interface). Configure the sensor's active flow timeout to be 2 minutes greater than the ASA's active refresh interval (`flow-export active refresh-interval`, on releases that support it), so that PRTG does not expire flows before the ASA reports them.
PRTG classifies traffic into Web Traffic (HTTP/HTTPS), Mail Traffic (SMTP/POP3/IMAP), VPN Traffic (IPSec/SSL), DNS services, Remote Control (SSH/RDP) and user-defined channels for VLAN and MAC address monitoring.
📖 Need more detailed configuration help? Take a look at our comprehensive KnowledgeBase Guide: Monitoring Cisco ASA Firewalls using NetFlow 9 and PRTG for advanced setup examples and troubleshooting.
SNMP Integration for Real-Time Metrics
Augment your Cisco ASA monitoring by pairing NetFlow with SNMP for live metrics:
Key SNMP Sensors:
- CPU Utilization: Track performance impact on ASA
- Interface Monitoring: Monitor outside interface and inside interface bandwidth
- Failover Status: Monitor active unit, standby unit, and failover link
- VPN Connections: Monitor authentication and session counts
Key SNMP OIDs (CISCO-PROCESS-MIB and CISCO-FIREWALL-MIB):
1.3.6.1.4.1.9.9.109.1.1.1.1.7 - cpmCPUTotal1minRev, CPU utilization (1-minute average)
1.3.6.1.4.1.9.9.147.1.2.1.1.1.3 - cfwHardwareStatusValue, failover unit status
1.3.6.1.4.1.9.9.147.1.2.1.1.1.6 - Last failover reason (verify this column index against the CISCO-FIREWALL-MIB shipped with your ASA release)
SNMP Configuration (polling and traps):
Use SNMPv3 with authentication and encryption rather than an SNMPv2c community string: v2c travels in cleartext, and a default community such as `public` on a firewall is the first thing an attacker tries. Replace the passwords and x.x.x.x with your own values:
snmp-server group prtg-v3 v3 priv
snmp-server user prtg-user prtg-v3 v3 auth sha <auth-password> priv aes 128 <priv-password>
snmp-server host inside x.x.x.x version 3 prtg-user
snmp-server enable traps snmp authentication
snmp-server enable traps syslog
Analyzing ASA NetFlow Data
ASA NetFlow data is bursty (you will see periodic spikes in the connections counter as connections close) and delayed (a connection's byte counts are reported only after it has been torn down, or at the active refresh interval for long-lived connections). Keep in mind that NSEL counts traffic bidirectionally within a single record, forward and reverse byte counts together, and that data records can only be decoded once the matching NetFlow template has been received, so templates and timeouts must be handled correctly to interpret the data.
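The two points above, that data records are meaningless until their template arrives and that one NSEL flow-deleted record carries both directions of a connection, are easiest to see in a decoder. The following is an added example, not code from the original page, from PRTG or from Cisco: a minimal NetFlow v9 parser run against packets constructed in the script. The NSEL field IDs follow Cisco's published NSEL field table; the packet contents, addresses and byte counts are made up.

```python
"""Minimal NetFlow v9 / NSEL decoder run against constructed packets (added example)."""
import struct

# NSEL information element IDs used in this example (from Cisco's NSEL field table).
NF_F_SRC_ADDR_IPV4 = 8
NF_F_DST_ADDR_IPV4 = 12
NF_F_SRC_PORT = 7
NF_F_DST_PORT = 11
NF_F_PROTOCOL = 4
NF_F_CONN_ID = 148
NF_F_FW_EVENT = 233                 # 1 created, 2 deleted, 3 denied, 5 updated
NF_F_FWD_FLOW_DELTA_BYTES = 231     # bytes initiator -> responder
NF_F_REV_FLOW_DELTA_BYTES = 232     # bytes responder -> initiator
FW_EVENT_NAMES = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 5: "updated"}


def _decode(field_id, raw):
    if field_id in (NF_F_SRC_ADDR_IPV4, NF_F_DST_ADDR_IPV4):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9_packet(data, templates):
    """Parse one NetFlow v9 datagram. `templates` maps (source_id, template_id) to a
    field list and must persist across packets, like a collector's template cache.
    Returns (decoded records, template IDs of data flowsets that could not be decoded)."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, undecodable, off = [], [], 20
    while off + 4 <= len(data):
        flowset_id, length = struct.unpack("!HH", data[off:off + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body = data[off + 4:off + length]
        if flowset_id == 0:                       # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if nfields == 0:                  # reached trailing padding
                    break
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:                   # data flowset
            fields = templates.get((source_id, flowset_id))
            if fields is None:
                undecodable.append(flowset_id)    # no template yet: wait for the next refresh
            else:
                rec_len, pos = sum(flen for _, flen in fields), 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for fid, flen in fields:
                        rec[fid] = _decode(fid, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        off += length
    return records, undecodable


# --- constructed packets (made-up values, not a capture) ---
NSEL_TEMPLATE_ID = 256
NSEL_FIELDS = [(NF_F_SRC_ADDR_IPV4, 4), (NF_F_DST_ADDR_IPV4, 4), (NF_F_SRC_PORT, 2),
               (NF_F_DST_PORT, 2), (NF_F_PROTOCOL, 1), (NF_F_CONN_ID, 4),
               (NF_F_FW_EVENT, 1), (NF_F_FWD_FLOW_DELTA_BYTES, 4), (NF_F_REV_FLOW_DELTA_BYTES, 4)]


def _header(seq, nflowsets, source_id=0):
    return struct.pack("!HHIIII", 9, nflowsets, 123456, 1700000000, seq, source_id)


def build_template_packet(seq):
    body = struct.pack("!HH", NSEL_TEMPLATE_ID, len(NSEL_FIELDS))
    body += b"".join(struct.pack("!HH", fid, flen) for fid, flen in NSEL_FIELDS)
    return _header(seq, 1) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(seq, values):
    body = b""
    for (fid, flen), value in zip(NSEL_FIELDS, values):
        body += bytes(int(o) for o in value.split(".")) if isinstance(value, str) else value.to_bytes(flen, "big")
    pad = (-(4 + len(body))) % 4                  # flowsets are padded to 4-byte boundaries
    return _header(seq, 1) + struct.pack("!HH", NSEL_TEMPLATE_ID, 4 + len(body) + pad) + body + b"\x00" * pad


# Flow-deleted record: HTTPS session 10.0.0.5 -> 203.0.113.7 torn down after sending 1500 bytes
# and receiving 48000 bytes (constructed values).
FLOW_DELETED = ["10.0.0.5", "203.0.113.7", 51234, 443, 6, 77, 2, 1500, 48000]


def summarize(rec):
    """What a collector charts from one NSEL record: the byte counters are only present on
    flow-deleted/updated events and cover both directions, hence the burst when a flow closes."""
    return {
        "event": FW_EVENT_NAMES.get(rec.get(NF_F_FW_EVENT), "unknown"),
        "src": rec[NF_F_SRC_ADDR_IPV4], "dst": rec[NF_F_DST_ADDR_IPV4],
        "sport": rec[NF_F_SRC_PORT], "dport": rec[NF_F_DST_PORT], "conn_id": rec[NF_F_CONN_ID],
        "bytes_total": rec.get(NF_F_FWD_FLOW_DELTA_BYTES, 0) + rec.get(NF_F_REV_FLOW_DELTA_BYTES, 0),
    }


def demo():
    """Data before the template: nothing decodes. After the template refresh: it does."""
    cache = {}
    early, missing = parse_v9_packet(build_data_packet(1, FLOW_DELETED), cache)
    parse_v9_packet(build_template_packet(2), cache)
    late, _ = parse_v9_packet(build_data_packet(3, FLOW_DELETED), cache)
    return {"before_template": (len(early), missing), "after_template": summarize(late[0])}


if __name__ == "__main__":
    print(demo())
```

The first data packet is reported as undecodable because the template has not been seen; this is the same situation a collector is in when it starts (or is restarted) between two ASA template refreshes, which is why `flow-export template timeout-rate` matters and why the first minutes after a restart can show no traffic. The decoded record then yields a single total of 49,500 bytes for both directions of one connection.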
Example: PRTG NetFlow v9 sensor displaying Cisco ASA traffic data with characteristic post-event spikes
Troubleshooting Common Issues
No Data Received:
- Verify the ASA configuration: show flow-export and show flow-export counters (the packet counter must be increasing)
- Check network connectivity and that the collector's UDP port is reachable from the exporting interface
- Validate the IP address settings on both the ASA (destination) and in PRTG (sender IP must be the exporting interface's address)
- Ensure that ACLs and any firewalls in the path, including the Windows Firewall on the probe, allow UDP traffic to the collector port
Performance Issues:
- Monitor ASA CPU utilization via SNMP
- Adjust the template refresh rate (flow-export template timeout-rate) and, on releases that support it, the active refresh interval (flow-export active refresh-interval)
- Disable the connection syslog messages that NSEL makes redundant: logging flow-export-syslogs disable
- Turn off debug mode: no debug flow-export
Failover Environment: In an active/standby pair the configuration, including the NetFlow policy, is replicated to the standby unit, so both units carry the same export settings, but only the active unit exports records, and it does so from the active interface IP address; the sender IP configured in PRTG therefore remains valid after a switchover. Monitor the failover link status and correlate last-failover events with gaps in the NetFlow data.
Syslog Integration
Configure syslog integration for complete security monitoring (x.x.x.x is the syslog collector; `informational` also captures the connection setup and teardown messages, so raise the level to `notifications` if volume becomes a problem):
logging enable
logging host inside x.x.x.x
logging trap informational
Key Events to Monitor:
- Authentication failures and VPN session events
- Failover status changes and interface alerts
- ACL denials and security policy violations
- Configuration changes via CLI or ASDM
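To turn the event groups above into something actionable, a collector has to parse the ASA message ID out of each line and group on it. The following is an added example, not code from the original page, from PRTG or from Cisco: it classifies ASA syslog lines by message ID into the categories listed above and flags a source that repeatedly hits ACL denials. The message IDs come from Cisco's ASA syslog message guide (confirm them for your release); the log lines are constructed for the example, not captured from a device.

```python
"""Classify ASA syslog lines by message ID and flag ACL-denial bursts (added example)."""
import re
from collections import Counter

# Constructed sample of what a syslog collector would receive from an ASA (not a real capture).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.20/44512 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.20/44513 dst inside:10.0.0.5/23 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.20/44514 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = admin : user IP = 203.0.113.7
%ASA-4-113019: Group = RA-VPN, Username = alice, IP = 203.0.113.8, Session disconnected. Session Type: SSL, Duration: 0h:42m:10s, Bytes xmt: 120000, Bytes rcv: 98000, Reason: User Requested
%ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.
%ASA-5-111008: User 'admin' executed the 'flow-export destination inside 10.0.0.20 2055' command.
%ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.30, executed 'logging trap informational'
%ASA-6-302014: Teardown TCP connection 77 for outside:203.0.113.7/443 to inside:10.0.0.5/51234 duration 0:01:02 bytes 49500 TCP FINs
"""

# Message IDs per category (from the ASA syslog message guide; extend for your deployment).
CATEGORIES = {
    "acl_denial": {"106023", "106100"},
    "auth_and_vpn": {"113015", "113019", "722051"},
    "failover_and_interface": {"104001", "104002"},
    "config_change": {"111008", "111010"},
}
ID_TO_CATEGORY = {mid: cat for cat, ids in CATEGORIES.items() for mid in ids}

LINE_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")
DENY_SRC_RE = re.compile(r"\bsrc \w+:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+")


def parse_line(line):
    """Return severity, message ID, category and text for one ASA syslog line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"severity": int(m["sev"]), "id": m["id"],
            "category": ID_TO_CATEGORY.get(m["id"], "other"), "text": m["text"]}


def classify(log):
    """Parse every line and count events per category."""
    events = [e for e in (parse_line(line) for line in log.splitlines()) if e]
    return events, Counter(e["category"] for e in events)


def acl_deny_bursts(events, threshold):
    """Source IPs with at least `threshold` ACL denials: a crude scan/brute-force signal."""
    per_src = Counter()
    for e in events:
        if e["category"] == "acl_denial":
            m = DENY_SRC_RE.search(e["text"])
            if m:
                per_src[m["ip"]] += 1
    return {ip for ip, n in per_src.items() if n >= threshold}


def demo():
    events, counts = classify(SAMPLE_LOG)
    return {
        "counts": dict(counts),
        "critical_ids": [e["id"] for e in events if e["severity"] <= 2],   # alert/critical only
        "deny_bursts": acl_deny_bursts(events, threshold=3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The teardown message (302014) lands in "other": it duplicates what NSEL already exports as a flow-deleted record, which is exactly the class of syslog that `logging flow-export-syslogs disable` suppresses once NetFlow is running. The severity in the ID prefix is what the `logging trap` level filters on, so a collector that only receives `notifications` and above would never see 113015 or 302014.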
Cisco ASA Firewall Monitoring Best Practices
Use NetFlow (post-event traffic), SNMP (real-time health) and syslog (security events) together for a full picture of a Cisco ASA firewall, since none of the three alone covers the others' blind spots. Monitor ASA CPU at all times, because NSEL adds load, and monitor both the active and the standby unit in a failover pair. Extend monitoring beyond the firewall to the routers and other network devices around it. Use dedicated remote probes for high-traffic WAN environments, and do not exceed 50 NetFlow sensors per Windows probe system.
Get Started with PRTG ASA Monitoring
Monitoring your Cisco ASA with PRTG's NetFlow v9 sensor differs from other NetFlow monitoring in that the sensor is tailored to NSEL: it processes the ASA's templates and its bidirectional, post-event flow records and displays them appropriately. Combined with real-time SNMP monitoring of CPU usage, interfaces and failover status, this gives a complete view of the firewall.
Start monitoring your Cisco ASA firewall today. Download your free 30-day PRTG trial and configure NetFlow v9 monitoring in minutes.
Need help with ASA monitoring setup, failover configuration, or VLAN monitoring? Our technical team provides expert guidance for firewall monitoring deployments.