Cisco ASA firewalls implement a proprietary version of NetFlow technology known as NetFlow Security Event Logging (NSEL), which deviates from the traditional NetFlow information format of routers. This tutorial will demonstrate to IT administrators how to configure PRTG's NetFlow v9 sensor for efficient monitoring of Cisco ASA firewall traffic.
Cisco deployed NetFlow v9 for ASA 5500 security appliances using NSEL. It was first released on the Cisco ASA 5580 and later became available on other ASA devices (running at least firmware ASA 8.2.x). NSEL is designed for post-event analysis, not for real-time traffic analysis. Its main characteristics are:
- Event-based (not real-time) analysis
- Data collection after flow termination
- Degradation in CPU performance of ASA devices
- Need for proper template handling with the correct timeout configuration
Documentation at www.cisco.com states that ASA NetFlow does not provide real-time data visibility, unlike the traditional router implementation.
| Feature | Traditional NetFlow | Cisco ASA NSEL |
|---|---|---|
| Data Collection | Real-time sampling | Post-event logging |
| Performance Impact | Moderate | High CPU impact |
| Use Case | Live bandwidth analysis | Security event analysis |
ASA pre-requisites:
PRTG Requirements:
SSH into the ASA and enter the following to enable NetFlow export. The export destination and template timeout are global configuration commands; the class in the global policy then references that destination so that all NSEL event types are exported to it (replace x.x.x.x with the PRTG probe address):
```
configure terminal
flow-export destination inside x.x.x.x 2055
flow-export template timeout-rate 30
policy-map global_policy
 class class-default
  flow-export event-type all destination x.x.x.x
```
To monitor a specific physical interface, name and address the interface and then apply the policy to it by its nameif (the service-policy command is entered in global configuration mode, not under the interface):
```
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.1.1 255.255.255.0
 exit
service-policy global_policy interface outside
```
Alternatively, in ASDM select Configuration → Firewall → Service Policy Rules, then Add NetFlow Export with the IP address and UDP port, and apply the configuration.
Validation (the first command shows export counters, including packets sent and any failures; the second confirms the policy is applied globally):
```
show flow-export counters
show service-policy global
```
Locate your Cisco ASA in PRTG and add a NetFlow v9 sensor. Specify the UDP port configured on the ASA and enter the ASA's management interface IP address in the sender IP field. Configure the sensor's active flow timeout to be 2 minutes greater than the timeout configured on the ASA, so that templates are refreshed before the sensor discards them.
PRTG classifies traffic into Web Traffic (HTTP/HTTPS), Mail Traffic (SMTP/POP3/IMAP), VPN Traffic (IPSec/SSL), DNS services, Remote Control (SSH/RDP) and user-defined channels for VLAN and MAC address monitoring.
📖 Need more detailed configuration help? Take a look at our comprehensive KnowledgeBase Guide: Monitoring Cisco ASA Firewalls using NetFlow 9 and PRTG for advanced setup examples and troubleshooting.
Augment your Cisco ASA monitoring by pairing NetFlow with SNMP for live metrics:
Key SNMP Sensors:
Key SNMP OIDs:
- 1.3.6.1.4.1.9.9.109.1.1.1.1.7 - CPU Utilization
- 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3 - Failover Status
- 1.3.6.1.4.1.9.9.147.1.2.1.1.1.6 - Last Failover Reason
SNMP Trap Configuration (the community string `public` below is the example value; use a non-default string, or SNMPv3, in production):
```
snmp-server host inside x.x.x.x community public
snmp-server enable traps snmp authentication
snmp-server enable traps syslog
```
ASA NetFlow data is bursty in nature (you will see periodic bursts in the connections counter when connections close) and subject to delayed reporting (data about a connection is only reported after that connection has closed). Keep in mind that NetFlow traffic data is counted bidirectionally, and that NetFlow templates must be received and processed correctly before the data records that reference them can be interpreted at all.
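To make the template dependency and the bidirectional counting concrete, here is an added example (not part of the original tutorial and not PRTG's or Cisco's code) of a minimal NetFlow v9 decoder: it stores templates per exporter, skips data FlowSets whose template has not yet arrived, and sums forward plus reverse bytes only from flow-teardown events. The packets are constructed inline with NSEL element ids 231/232/233 and a template id of 256, which are assumptions for the example rather than a real ASA capture.

```python
import struct

FW_EVENT, FWD_BYTES, REV_BYTES = 233, 231, 232  # IPFIX/NSEL element ids used below
EVENT_NAMES = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 5: "updated"}
templates = {}  # (source_id, template_id) -> [(field_type, field_len), ...]

def parse_packet(pkt):
    """Decode one NetFlow v9 export packet; returns the decoded data records."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, pos = [], 20
    while pos + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[pos:pos + 4])
        if fs_len < 4:
            break  # malformed FlowSet length; stop rather than loop forever
        body, pos = pkt[pos + 4:pos + fs_len], pos + fs_len
        if fs_id == 0:  # template FlowSet: remember the record layout per exporter
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                spec = body[off + 4:off + 4 + 4 * nfields]
                templates[(source_id, tid)] = [struct.unpack("!HH", spec[i:i + 4]) for i in range(0, len(spec), 4)]
                off += 4 + 4 * nfields
        elif fs_id >= 256:  # data FlowSet: only decodable once its template has arrived
            fields = templates.get((source_id, fs_id))
            if fields is None:
                continue  # template not seen yet (e.g. collector started mid-cycle): skip
            rec_len = sum(flen for _, flen in fields)
            for off in range(0, len(body) - rec_len + 1, rec_len):  # tolerates trailing padding
                rec, o = {}, off
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[o:o + flen], "big")
                    o += flen
                records.append(rec)
    return records

def teardown_bytes(records):  # bidirectional total, counted only on flow-teardown (deleted) events
    return sum(r[FWD_BYTES] + r[REV_BYTES] for r in records if r.get(FW_EVENT) == 2)

FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (FW_EVENT, 1), (FWD_BYTES, 4), (REV_BYTES, 4)]  # constructed template

def build_template_packet():
    tmpl = struct.pack("!HH", 256, len(FIELDS)) + b"".join(struct.pack("!HH", t, l) for t, l in FIELDS)
    return struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 0) + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

def build_data_packet():
    def rec(event, fwd, rev):  # constructed flow 10.0.0.5:51000 -> 192.168.1.1:443, TCP
        return struct.pack("!4s4sHHBBII", bytes([10, 0, 0, 5]), bytes([192, 168, 1, 1]), 51000, 443, 6, event, fwd, rev)
    body = rec(1, 0, 0) + rec(2, 1500, 3200)  # flow-create event, then flow-teardown carrying the byte counts
    return struct.pack("!HHIIII", 9, 2, 2000, 1700000001, 2, 0) + struct.pack("!HH", 256, 4 + len(body)) + body
```

Feeding the data packet before the template packet yields no records, which is exactly the "no data" symptom seen when a collector starts between template refreshes.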
Example: PRTG NetFlow v9 sensor displaying Cisco ASA traffic data with characteristic post-event spikes
No Data Received:
Performance Issues:
Failover Environment: Configure identical NetFlow policies on both active unit and standby unit, monitor failover link status, and track last failover events in correlation with data gaps.
Configure syslog integration for complete security monitoring:
```
logging host inside x.x.x.x
logging trap informational
```
Key Events to Monitor:
Use NetFlow (post-event), SNMP (real-time) and syslog (security events) together for a full picture of Cisco ASA firewalls. Monitor ASA CPU performance at all times, configure both the active and the standby ASA in failover mode, and extend monitoring beyond firewalls to routers and other network devices. Use dedicated remote probes for high-traffic WAN environments, and do not exceed 50 NetFlow sensors per Windows probe system.
Monitoring your Cisco ASA with PRTG's NetFlow v9 sensor differs from other NetFlow monitoring in that the sensor is tailored to NSEL: it processes the ASA's unique bidirectional flow information and its template refreshes correctly and displays the result in an optimal way. In addition, we combine it with real-time SNMP monitoring to display CPU usage, interface status and failover status.
Start monitoring your Cisco ASA firewall today. Download your free 30-day PRTG trial and configure NetFlow v9 monitoring in minutes.
Need help with ASA monitoring setup, failover configuration, or VLAN monitoring? Our technical team provides expert guidance for firewall monitoring deployments.