Cisco ASA and NetFlow – Using ASA NetFlow with LiveAction Flow

Configuration technical note
LiveAction, Inc., 3500 WEST BAYSHORE ROAD, PALO ALTO, CA 94303
Source: cdnx.liveaction.com/knowledgeBase/Configuration-Cisco-ASA-and-NetFlow...
May 14, 2020

Copyright © 2016 LiveAction, Inc. All rights reserved. LiveAction, LiveNX, LiveUX, the LiveAction Logo and LiveAction Software are trademarks of LiveAction, Inc. Information subject to change without notice.

Table of Contents

1. Introduction

2. ASA NetFlow Security Event Logging

a. Getting Started

b. CLI Configuration

i. Enable SNMP Polling

c. ASDM Configuration

i. Enable SNMP Polling

ii. Setup NetFlow

iii. Setup NetFlow Service Policy

d. Adding the ASA to LiveAction Flow

3. ASA NSEL Reports in LiveAction

a. NSEL Reports: Network Security Denied Report

b. NSEL Reports: ACL Pair Report

c. NSEL Use Case Scenario: Verify inbound Traffic (TFTP) connection is denied by an active ACL

4. Appendix A

a. Notes on ASA NetFlow Operation

Introduction

NetFlow is a Cisco traffic accounting technology built into the software and hardware of many Cisco switches and routers. NetFlow tracks traffic flowing in and out of enabled routers, switches, and security devices to help answer the who, what, where, when, and how of network traffic.

Beginning with ASA software 8.2, Cisco supports NetFlow in ASA devices using NSEL (NetFlow security event logging). However, early versions of 8.2 have a bug that reports flows with incorrect interface assignments. We recommend version 8.3 or higher for use with LiveAction flow visualization. Make sure to verify the ASA memory requirements before planning any upgrades.

With LiveAction Flow 2.0 and greater, users can take advantage of ASA NSEL exports to perform flow visualization with LiveAction. This technical note provides instructions on enabling and using ASA NetFlow exports in LiveAction software. ASA instructions are provided for the CLI and ASDM.

If you have any questions about this guide, or need any assistance in general, please contact LiveAction support: [email protected]

ASA NetFlow Security Event Logging

NSEL uses NetFlow v9 format for exporting NetFlow records. The process for setting up an ASA for SNMP and NetFlow monitoring in LiveAction is as follows:

1. Enable SNMP polling

2. Define the flow exporter

3. Create a class map for NetFlow

4. Create or use an existing policy map and attach the NetFlow class map

5. Apply the policy map to the global policy

6. Bring ASA into LiveAction Flow software

Getting Started

Before configuring your ASAs, review the configuration commands and settings with the appropriate security personnel and/or policies in your organization. Also, make sure you are using ASA software version 8.3 or later, and if you plan to upgrade, check that you have the necessary memory available on your ASAs.

Here is the example topology we will be using for the commands:

CLI Configuration

Open a console to the ASA you wish to configure and enter configuration mode.

Enable SNMP Polling

Enabling SNMP polling on your ASA will allow LiveAction to provide basic ASA status information.

snmp-server host INSIDE 192.168.1.144 poll community <string> version 2c

! Define the Flow Exporter
flow-export destination INSIDE 192.168.1.144 2055
flow-export template timeout-rate 1    ! send NetFlow v9 template every 1 minute
flow-export delay flow-create 15       ! wait 15 s before creating a flow

! Create NetFlow Class Map
class-map netflow_class
  match any

! Attach NetFlow Class Map to Policy Map
! At this step you need to attach the NetFlow class map to the global
! policy. Create one if you need to, or use the default “global_policy”.
policy-map global_policy
  class netflow_class
    flow-export event-type all destination 192.168.1.144

! Apply Policy Map to Global Policy
! If you created a new policy map in the previous step you need to apply the
! policy map as below:
service-policy <new policy map name> global

ASDM Configuration

As an alternative to CLI configuration, NetFlow can be configured graphically using ASDM. The following configuration was performed using ASDM version 6.3(1).

Enable SNMP Polling

Enabling SNMP polling on your ASA will allow LiveAction to provide basic ASA status information.

Navigate to Configuration > Management Access > SNMP:

Click Add and enter the SNMP information:

The interface must be on the same side as the LiveAction Flow server. Set the IP address to the LiveAction Server IP, enter the proper community string, set the SNMP version and select Poll. Click OK.

Setup NetFlow

Navigate to Configuration > Device Management > Logging > NetFlow.

Set the Template Timeout Rate to 1 minute (shorter times decrease the wait for the initial display of NetFlow information in LiveAction).

Enable the Delay transmission option and set the delay to 15 seconds (shorter times increase the granularity of flows displayed in LiveAction).

Click Add and enter the LiveAction server information:

As with SNMP, the interface must be on the same side as the LiveAction Flow server. Set the IP address to the LiveAction server IP address and enter 2055 for the UDP port number. Click OK and Apply on the main NetFlow dialog.

Setup NetFlow Service Policy

The following steps set up the rules that send NetFlow events to the collector(s). This is done by adding a rule to the global service policy.

Select Configuration > Firewall > Service Policy Rules and click Add:

The “Add Service Policy Rule Wizard” will begin. Select Global – applies to all interfaces, and click Next.

Select Any Traffic and click Next.

Select the NetFlow tab and click Add.

An “Add Flow Event” window will pop up. In the “Flow Event Type” drop-down list, select All. Also select the collector(s) that will receive the NSEL events by checking the Send box (192.168.1.144 in our example below). Click OK in the dialog box and then Finish.

This will return you to the main service policy screen. Click Apply.

A “Redundant Syslogs” window will pop up; select No. Selecting Yes could affect the information going to the syslog server.

This concludes the ASA NetFlow setup.

Adding the ASA to LiveAction Flow

After setting up the ASA to allow SNMP polling and NetFlow exports, we are ready to add it to LiveAction. Because LiveAction does not support any advanced configuration of the ASA, we will be bringing it in as a generic monitored device.

Let’s proceed with adding the ASA to LiveAction by going to File > Discover Devices.

Choose the method of device discovery (single IP address, IP address range, or seed IP address) and enter the appropriate address information. In this example, we are entering a single IP address of the ASA we are adding. Enter the SNMP parameters you configured on the ASA and click OK.

Once your ASA has been discovered, make sure Select is enabled and click Add Devices.

Exiting the Device Discovery wizard will bring you to the Device Manager screen for any additional setting changes, such as the polling interval. LiveAction does not provide any advanced configuration of the ASA, so that can be ignored. Before exiting, make sure Polling and Flow are enabled.

LiveAction should now be polling the ASA for basic status and displaying flow information. Note that flow information does not show up until LiveAction receives the first NetFlow v9 template from the ASA.

If you need to add or remove interfaces that LiveAction is polling, just right-click on the ASA and select Add or Remove Interfaces.

ASA NSEL Reports in LiveAction

LiveAction provides full historical analysis of the ASA NSEL data using its built-in reporting capabilities. The following section outlines the use of the Network Security Denied Report and the ACL Pair Report.

NSEL Reports: Network Security Denied Report

In the device tree, right-click the ASA and select Flow > Reports.

NSEL Network Security Denied: Execute Report

The source and destination IP pair are being blocked by the ASA, as shown by the Denied Event Counter. Right-click the flow line of interest; in this example, select Drill Down on Src IP and Dst IP > Top Analysis Report.

The highlighted flow from source 10.1.17.100:7648 to destination 10.2.0.100 is being denied. The reason for the deny action is an ingress ACL. The ACL information is shown on the right as a hexadecimal ACL ID. See the next section, which reviews the ACL Pair Report, for more information on the hexadecimal ACL ID.

Here is a closer look at the highlighted flow from source 10.1.17.100:7648 to destination 10.2.0.100 that is being denied.

NSEL Reports: ACL Pair Report

This report is an area chart outlining the number of flows tied to a particular ACL.

The table from the above screen shot is shown below:

The ACL ID is made up of two parts. For example, in the second row of the “Ingress ACL ID” column in the screenshot above, 0xc02b00fd is the access-list ID and 0x014ac695 is the entry ID inside the access list. These two numbers can be correlated to the access-list name and entry by accessing the CLI of the device and running the “show access-list” command. The result is shown below:

As you can see, this ACL denies any TCP flow with a port number equal to 6699. From the CLI screenshot above, we can determine the details of the ACL:

0xc02b00fd == ACL “nsel-test”

0x014ac695 == ACL entry “deny tcp any any eq 6699”

For detailed flow information in LiveAction, we can perform a top analysis for the device within the time range specified in the flow report. The results are shown below:

Note that the ACL Pair report only considers flows whose “FW Event” field equals “Flow denied”. We can see from the top analysis report that when flows have a destination port number equal to 6699, they carry a non-zero Ingress ACL ID, showing that the flows were denied by the ACL.

How ACL ID information works:

When a flow matches an access control list, the first part of ACL ID will show the access list ID, the second part will show the entry ID inside the ACL that drops the flow.

When the flow doesn’t match any of the access list entries, it will only list the access list ID, with the entry ID being all zeros.

When the flows are zoned, the ACL ID will be all zeros.

NSEL Use Case Scenario: Verify inbound Traffic (TFTP) connection is denied by an active ACL

When a user is unable to establish a TFTP connection from outside to reach a TFTP server inside the network, the network administrator can use LiveAction to verify and confirm that this traffic type is denied from an ACL Rule.

Open the Reports menu and select Flow. Then select NSEL Network Security Denied.

Create a filter named “Denied_TFTP” to match TFTP traffic with Protocol = UDP and Dest port = 69.

Set the filter to “Denied_TFTP” in the Network Security Denied Events report and click Execute Report. The display shows a TFTP flow from source IP 10.10.16.254 to destination IP 10.10.17.100 with Denied Events.

To see additional details, right-click the entry and select Drill Down on 10.10.16.254 and 10.10.17.100 > Top Analysis Report.

The following is a detailed Top Analysis Report identifying the flow being denied by an ingress ACL.

The matching ACL ID has three parts: 0x3caa9448 is the ACL name ID, 0x56772d18 is the ACL entry ID and 0x00000000 is the extended ACL entry ID.

From the CLI output below, we see the following:

0x3caa9448 == ACL “Outside_access_in_1”

0x56772d18 == ACL entry “deny udp any object Mgen eq tftp”
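The decoding and correlation described here and in the ACL Pair Report section, as an added example that is not part of the LiveAction note: it splits the three-part NSEL ACL ID into name ID, entry ID and extended entry ID, applies the note's rules (entry ID all zeros when no entry matched, all zeros for zoned flows) and looks the hashes up in "show access-list" output. The "show access-list" text is a constructed sample in the format the ASA prints, reusing the hash values quoted in this note.

```python
"""Decode Cisco ASA NSEL ACL IDs and correlate them with `show access-list`.

Added example, not from the LiveAction note. The ACL ID field is treated as
three 32-bit values (name ID, entry ID, extended entry ID), as the note lists.
"""
import re
import struct
from typing import Dict, Tuple

# Constructed sample of `show access-list` output (format assumed from the ASA CLI).
SHOW_ACCESS_LIST = """\
access-list nsel-test; 1 elements; name hash: 0xc02b00fd
access-list nsel-test line 1 extended deny tcp any any eq 6699 (hitcnt=42) 0x014ac695
access-list Outside_access_in_1; 1 elements; name hash: 0x3caa9448
access-list Outside_access_in_1 line 1 extended deny udp any object Mgen eq tftp (hitcnt=7) 0x56772d18
"""

# Summary line carries the ACL name hash; each ACE line ends with its entry hash.
NAME_RE = re.compile(r"^access-list (\S+); \d+ elements; name hash: (0x[0-9a-f]{8})$")
ACE_RE = re.compile(r"^access-list (\S+) line \d+ extended (.+?) \(hitcnt=\d+\) (0x[0-9a-f]{8})$")


def parse_show_access_list(text: str) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Return (name hash -> ACL name, entry hash -> ACE text) lookup tables."""
    names: Dict[int, str] = {}
    entries: Dict[int, str] = {}
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            names[int(m.group(2), 16)] = m.group(1)
        elif m := ACE_RE.match(line):
            entries[int(m.group(3), 16)] = m.group(2)
    return names, entries


def split_acl_id(raw: bytes) -> Tuple[int, int, int]:
    """Split the 12-byte ACL ID into (name ID, entry ID, extended entry ID)."""
    if len(raw) != 12:
        raise ValueError("ACL ID field must be 12 bytes")
    return struct.unpack("!III", raw)


def explain_acl_id(raw: bytes, names: Dict[int, str], entries: Dict[int, str]) -> str:
    """Apply the note's rules: all zeros = zoned flow, zero entry = no ACE matched."""
    name_id, entry_id, ext_id = split_acl_id(raw)
    if name_id == 0 and entry_id == 0 and ext_id == 0:
        return "zoned flow (no ACL ID)"
    acl = names.get(name_id, f"unknown ACL {name_id:#010x}")
    if entry_id == 0:
        return f"no entry in ACL {acl} matched"
    ace = entries.get(entry_id, f"unknown entry {entry_id:#010x}")
    return f"ACL {acl}, entry: {ace}"
```

Feed it the raw ACL ID bytes from a denied-flow record and the current "show access-list" output to get the ACL name and entry text without reading hashes off the screen.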

Appendix A

Notes on ASA NetFlow Operation

ASA software versions prior to 8.2.1.12 will incorrectly report interface flow information.

ASA NetFlow flows are bi-directional, i.e., traffic from both directions of a session will appear as a single flow.