
LiveAction Application Note

Cisco ASA and NetFlow

Using ASA NetFlow with LiveAction Flow Software

January 2013

Table of Contents

1. Introduction
2. ASA NetFlow Security Event Logging
   Getting Started
   CLI Configuration
     Enable SNMP Polling
   ASDM Configuration
     Enable SNMP Polling
     Setup NetFlow
     Setup NetFlow Service Policy
   Adding the ASA to LiveAction Flow
3. ASA NSEL Reports in LiveAction
   NSEL Reports: Network Security Denied Report
   NSEL Reports: ACL Pair Report
   NSEL Use Case Scenario: Verify inbound Traffic (TFTP) connection is denied by an active ACL
4. Appendix A

1. Introduction

NetFlow is a Cisco traffic accounting technology built into the software and hardware of many Cisco switches and routers. NetFlow tracks traffic flowing in and out of enabled routers, switches, and security devices to help answer the who, what, where, when, and how of network traffic.

Beginning with ASA software 8.2, Cisco supports NetFlow on ASA devices using NSEL (NetFlow Security Event Logging). However, early 8.2 releases have a bug that reports flows with incorrect interface assignments (see Appendix A), so we recommend version 8.3 or higher for use with LiveAction flow visualization. Verify the ASA memory requirements before planning any upgrades.

With LiveAction Flow 2.0 and greater, users can take advantage of ASA NSEL exports to perform flow visualization with LiveAction. This technical note provides instructions on enabling and using ASA NetFlow exports in LiveAction software. ASA instructions are provided for the CLI and ASDM.


2. ASA NetFlow Security Event Logging

NSEL uses the NetFlow v9 format for exporting records. The process for setting up an ASA for SNMP and NetFlow monitoring in LiveAction is as follows:

1. Enable SNMP polling
2. Define the flow exporter
3. Create a class map for NetFlow
4. Create or use an existing policy map and attach the NetFlow class map
5. Apply the policy map to the global policy
6. Bring the ASA into the LiveAction Flow software

Getting Started

Before configuring your ASAs review the configuration commands and settings with the appropriate security personnel and/or policies in your organization. Also, make sure you are using ASA software version 8.3 or later, and if you plan to upgrade, check that you have the necessary memory available on your ASAs.

The example topology used for the commands below has the LiveAction Flow server at 192.168.1.144, reachable through the ASA interface named INSIDE (the topology diagram itself is not reproduced in this text).

CLI Configuration

Open a console to the ASA you wish to configure and enter configuration mode. Lines beginning with "!" below are comments, not commands.

Enable SNMP Polling

Enabling SNMP polling on your ASA will allow LiveAction to provide basic ASA status information. SNMP version 2c sends the community string in clear text, so treat it as a credential and only permit polling from the collector address, as the host statement below does.

    snmp-server host INSIDE 192.168.1.144 poll community <string> version 2c

    ! Define the Flow Exporter
    flow-export destination INSIDE 192.168.1.144 2055
    ! Send the NetFlow v9 template every 1 minute; the collector cannot decode
    ! data records until it has received the template.
    flow-export template timeout-rate 1
    ! Delay the export of flow-create events by 15 s; flows that end sooner are
    ! reported once, at teardown, instead of as a create plus a teardown.
    flow-export delay flow-create 15

    ! Create the NetFlow Class Map
    class-map netflow_class
     match any

    ! Attach the NetFlow Class Map to the Policy Map
    ! Attach the NetFlow class map to the global policy. Create a policy map
    ! if you need to, or use the default "global_policy".
    policy-map global_policy
     class netflow_class
      flow-export event-type all destination 192.168.1.144

    ! Apply the Policy Map to the Global Policy
    ! Only needed if you created a new policy map in the previous step:
    service-policy <new policy map name> global

To confirm the configuration took effect, check it with "show running-config flow-export" and watch the exported-packet count grow under "show flow-export counters" once traffic is passing through the ASA.

ASDM Configuration

As an alternative to CLI configuration, graphical configuration of NetFlow can be performed using ASDM. The following configuration was performed using ASDM version 6.3(1).

Enable SNMP Polling

Enabling SNMP polling on your ASA will allow LiveAction to provide basic ASA status information. Navigate to Configuration > Management Access > SNMP:

Click Add and enter the SNMP information:

The interface must be on the same side as the LiveAction Flow server. Set the IP address to the LiveAction server IP, enter the proper community string, set the SNMP version and select Poll. Click OK.


Setup NetFlow

Navigate to Configuration > Device Management > Logging > NetFlow.

Set the Template Timeout Rate to 1 minute (a shorter interval reduces the wait before NetFlow information first appears in LiveAction, because the collector cannot decode data records until it has received the template).

Enable the Delay transmission option and set the delay to 15 seconds (a shorter delay increases the granularity of the flows displayed in LiveAction, since fewer short-lived flows are collapsed into a single teardown event).

Click Add and enter the LiveAction server information:

As with SNMP, the interface must be on the same side as the LiveAction Flow server. Set the IP address to the LiveAction server IP address and enter 2055 for the UDP port number. Click OK and Apply on the main NetFlow dialog.

Setup NetFlow Service Policy

The following steps will setup the rules to match NetFlow events with the collector or collectors. This is done by adding to the global service policy.

Select Configuration > Firewall > Service Policy Rules and click Add:

This will start the Add Service Policy Rule Wizard:

Choose Global – applies to all interfaces and click Next>

Select Any traffic and click Next>


Select the NetFlow tab and click Add.

Select All for Flow Event Type and select the collector or collectors that will receive NSEL events by selecting Send (192.168.1.144 in our example). Click OK in the dialog box and then Finish.


This will return you to the main service policy screen:

Click Apply and answer No on the warning screen. The warning asks whether to disable the syslog messages that NSEL makes redundant (the CLI equivalent is "logging flow-export-syslogs disable"); selecting Yes stops those messages from reaching your syslog servers, so leave them enabled unless you have confirmed nothing downstream depends on them.

This concludes the ASA NetFlow setup. The next section details how to add the ASA to LiveAction.


Adding the ASA to LiveAction Flow

After setting up the ASA to allow SNMP polling and NetFlow exports, we are ready to add it to LiveAction. Because LiveAction does not support any advanced configuration of the ASA, we will be bringing it in as a generic monitored device.

Proceed to the Add Device wizard.

Choose the method of device discovery (single IP address, IP address range, or seed IP address) and enter the appropriate address information. In this example we are entering a single IP address of the ASA we are adding. Enter the SNMP parameters you configured on the ASA. Click OK.


Once your ASA has been found, make sure Select is enabled and click Add Devices.

Exiting the Device Discovery wizard brings you to the Device Manager screen for any additional settings such as the polling interval. LiveAction does not provide advanced configuration of the ASA, so those options can be ignored. Before exiting, make sure Polling and Flow are enabled.

LiveAction should now be polling the ASA for basic status and displaying flow information. Note that flow information does not show up until LiveAction receives the first NetFlow v9 template from the ASA, so allow at least one template timeout interval. NetFlow export is plain UDP with no authentication; if a firewall or ACL sits between the ASA and the collector, permit UDP port 2055 only from the ASA's export interface address to the collector.


If you need to add or remove interfaces that LiveAction is polling, just right-click on the ASA and select Add or Remove Interfaces.


3. ASA NSEL Reports in LiveAction

LiveAction provides full historical analysis of the ASA NSEL data using its built-in reporting capabilities. The following section outlines the use of the Network Security Denied Report and the ACL Pair Report.

NSEL Reports: Network Security Denied Report

Select the ASA in the device view and click Report.

Choose NSEL > Network Security Denied and click Execute Report.

The report lists each source and destination IP pair being blocked by the ASA with its Denied Event counter. Right-click on the flow line of interest and select View Flow Data for the details.

The highlighted flow from source 10.10.17.100:7648 to destination 10.2.0.100 is being denied, and the reason for the deny action is an ingress ACL. The ACL information is shown on the right as hexadecimal IDs. See the next section, on the ACL Pair Report, for how to resolve the hexadecimal ACL ID to an access-list name and entry.

NSEL Reports: ACL Pair Report

This report is an area chart showing the number of flows tied to each ACL.

The table from the report screenshot (not reproduced in this text) lists the ACL ID for each denied flow pair.

The ACL ID is made up of two parts. For example, in the second line of that table, 0xc02b00fd is the access-list ID and 0x014ac695 is the ID of the entry inside the access list. These two numbers can be correlated to the access-list name and entry by logging in to the CLI of the device and running "show access-list"; the hashes printed at the end of each line of that output are the same values.

In that output, this entry denies any TCP flow with destination port 6699. From the CLI output we can determine the details of the ACL:

0xc02b00fd == ACL "nsel-test"

0x014ac695 == ACL entry "deny tcp any any eq 6699"

For detailed flow information in LiveAction, perform a top analysis for the device within the time range of the flow report. The results are shown below:

Note that the ACL Pair report only considers flows whose "FW Event" field equals "Flow denied". In the top analysis report, flows with destination port 6699 have a non-zero Ingress ACL ID, showing that they were denied by the ACL.

How ACL ID information works:

• When a flow matches an access-list entry, the first part of the ACL ID is the access-list ID and the second part is the ID of the entry inside the ACL that dropped the flow.

• When the flow does not match any entry in the access list, only the access-list ID is set; the entry ID is all zeros.

• When the flow is zoned, the whole ACL ID is all zeros.

NSEL Use Case Scenario: Verify inbound Traffic (TFTP) connection is denied by an active ACL

A user is unable to establish a TFTP connection from outside to reach a TFTP server inside the network. The network administrator can use LiveAction to verify and confirm that this traffic type is denied from an ACL Rule.

Open the Flow Report dialog and select the NSEL > Network Security Denied tab.

Create a filter named "Denied_TFTP" that matches TFTP traffic: Protocol = UDP and Dest port = 69.

Set the filter to "Denied_TFTP" in the Network Security Denied Events report and click Execute Report. The display shows a TFTP flow from source IP 10.10.16.254 to destination IP 10.10.17.100 with denied events.

To see additional details, right click on the entry and select View Flow Data.

The following is a detailed top analysis report identifying the flow being denied by an ingress ACL.


The Matching ACL ID is three 32-bit values: 0x3caa9448 is the ACL name ID (the hash of the access-list name), 0x56772d18 is the ACL entry ID and 0x00000000 is the extended ACL entry ID. The same hashes appear at the end of each line of "show access-list" on the ASA:

    ASA5510# show access-list Outside_access_in_1
    access-list Outside_access_in_1; 3 elements; name hash: 0x3caa9448
    access-list Outside_access_in_1 line 1 extended deny udp any object Mgen eq tftp 0x56772d18
    access-list Outside_access_in_1 line 1 extended deny udp any host 10.10.17.100 eq tftp (hitcnt=7) 0x56772d18
    access-list Outside_access_in_1 line 2 extended permit ip host 10.10.10.134 object Mgen 0xc96892e6
    access-list Outside_access_in_1 line 2 extended permit ip host 10.10.10.134 host 10.10.17.100 (hitcnt=3) 0xc96892e6
    access-list Outside_access_in_1 line 3 extended permit ip any any inactive (hitcnt=1) (inactive) 0x7fc62c35

From the above CLI output we see the following:

    0x3caa9448 == ACL "Outside_access_in_1"
    0x56772d18 == ACL entry "deny udp any object Mgen eq tftp"

Line 1 is printed twice because the object Mgen expands to host 10.10.17.100; both forms carry the same entry hash, and the hit count (hitcnt=7) on the expanded line confirms that this entry is the one being matched.
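As an added example, not from the LiveAction note and not LiveAction or Cisco code, the following Python shows what a collector must do with these exports and then applies the ACL ID rules from the ACL Pair Report section and this use case. It decodes a NetFlow v9 packet the way LiveAction does, holding data records until the template has arrived, splits the 12-byte ingress ACL ID into name hash, entry hash and extended entry hash, and resolves them against parsed "show access-list" output (the output quoted above). The NSEL field numbers (233 for FW Event, 33000/33001 for the ingress/egress ACL ID) are Cisco's; the export packet, template ID 256, its field layout and the source port 53123 are constructed for the example.

```python
"""NSEL (NetFlow v9) decoding and ACL ID correlation with 'show access-list'.
Added example for this note, not LiveAction or Cisco code. Field numbers are Cisco's
published NSEL v9 field IDs; the export packet is constructed here so it runs offline."""
import re
import struct
from ipaddress import IPv4Address

# NetFlow v9 field IDs used by NSEL (233 and 33000/33001 are Cisco-specific).
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port", 4: "protocol",
               233: "fw_event", 33000: "ingress_acl_id", 33001: "egress_acl_id"}
FW_EVENT = {0: "Default", 1: "Flow created", 2: "Flow deleted", 3: "Flow denied", 5: "Flow updated"}

# 'show access-list' output quoted in the TFTP use case (page text, not constructed).
SHOW_ACCESS_LIST = """\
access-list Outside_access_in_1; 3 elements; name hash: 0x3caa9448
access-list Outside_access_in_1 line 1 extended deny udp any object Mgen eq tftp 0x56772d18
access-list Outside_access_in_1 line 1 extended deny udp any host 10.10.17.100 eq tftp (hitcnt=7) 0x56772d18
access-list Outside_access_in_1 line 2 extended permit ip host 10.10.10.134 object Mgen 0xc96892e6
access-list Outside_access_in_1 line 3 extended permit ip any any inactive (hitcnt=1) (inactive) 0x7fc62c35
"""

def decode_field(ftype, raw):
    if ftype in (8, 12):
        return str(IPv4Address(raw))
    if ftype in (33000, 33001):  # 12 bytes: ACL name hash, entry hash, extended entry hash
        return tuple("0x%08x" % h for h in struct.unpack("!III", raw))
    if ftype == 233:
        return FW_EVENT.get(raw[0], raw[0])
    return int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Decode one v9 packet. `templates` persists across packets, keyed (source_id, template_id);
    data flowsets with no known template are dropped, so nothing decodes before the first template."""
    version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9")
    records, off = [], 20
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[off:off + 4])
        body = packet[off + 4:off + length]
        if flowset_id == 0:  # template flowset: one or more templates, then padding
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if nfields == 0:
                    break
                templates[(source_id, tid)] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                                               for i in range(nfields)]
                p += 4 + 4 * nfields
        elif flowset_id >= 256 and (source_id, flowset_id) in templates:
            fields = templates[(source_id, flowset_id)]
            rec_len, p = sum(n for _, n in fields), 0
            while p + rec_len <= len(body):  # stops at trailing padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += length
    return records

ACL_HEADER = re.compile(r"^access-list (\S+); \d+ elements; name hash: (0x[0-9a-f]{8})")
ACE_LINE = re.compile(r"^access-list (\S+) line (\d+) (.*?)(?: \(hitcnt=\d+\))?(?: \(inactive\))? (0x[0-9a-f]{8})$")

def parse_show_access_list(text):
    """Return (name hash -> ACL name, entry hash -> (acl, line number, entry text))."""
    names, aces = {}, {}
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            names[m.group(2)] = m.group(1)
            continue
        m = ACE_LINE.match(line)
        if m:
            acl, lineno, entry, h = m.groups()
            aces.setdefault(h, (acl, int(lineno), entry))  # keep the object-form line
    return names, aces

def explain_denial(rec, names, aces):
    """Apply the ACL ID rules from the ACL Pair Report section to one decoded record."""
    if rec.get("fw_event") != "Flow denied":
        return None
    acl_hash, ace_hash, _ext = rec["ingress_acl_id"]
    if acl_hash == "0x00000000":
        return "denied, ACL ID all zeros (zoned flow)"
    acl = names.get(acl_hash, "unknown ACL " + acl_hash)
    if ace_hash == "0x00000000":
        return "%s: no entry matched (implicit deny)" % acl
    if ace_hash not in aces:
        return "%s: unknown entry %s" % (acl, ace_hash)
    return "%s line %d: %s" % (acl, aces[ace_hash][1], aces[ace_hash][2])

def build_sample_packet(with_template=True):
    """Constructed export: template 256 plus one denied TFTP flow (10.10.16.254 -> 10.10.17.100
    udp/69, source port assumed) carrying the use case's ACL hashes."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (33000, 12)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = (IPv4Address("10.10.16.254").packed + IPv4Address("10.10.17.100").packed
            + struct.pack("!HHBB", 53123, 69, 17, 3)           # src/dst port, UDP, Flow denied
            + struct.pack("!III", 0x3caa9448, 0x56772d18, 0))  # ingress ACL ID
    data += b"\0" * (-len(data) % 4)                            # pad the flowset to 4 bytes
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2 if with_template else 1, 0, 0, 1, 0)
    return header + (tmpl_fs if with_template else b"") + data_fs

def demo():
    """Data arriving before any template decodes to nothing; once the template is known,
    the denied flow's ACL ID resolves to the entry that dropped it."""
    templates = {}
    before = parse_v9(build_sample_packet(with_template=False), templates)
    after = parse_v9(build_sample_packet(), templates)
    names, aces = parse_show_access_list(SHOW_ACCESS_LIST)
    return before, [explain_denial(r, names, aces) for r in after]
```

Running demo() returns ([], ['Outside_access_in_1 line 1: extended deny udp any object Mgen eq tftp']): the first call sees a data flowset for a template it has never received and drops it, which is exactly why LiveAction shows no flows until the first template arrives, and the second call resolves the three hashes to the ACL and entry that denied the TFTP flow. Keep the template cache keyed by source ID as well as template ID, since two ASAs exporting to the same collector may both use template 256 with different layouts.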


4. Appendix A

Notes on ASA NetFlow Operation

• ASA software versions prior to 8.2.1.12 will incorrectly report interface flow information.

• ASA NetFlow flows are bi-directional. I.e., traffic from both directions of a session will appear as a single flow.

Copyright © 2013 ActionPacked! Networks. All rights reserved. ActionPacked!, the ActionPacked! logo and LiveAction are trademarks of ActionPacked! Networks. Other company and product names are the trademarks of their respective companies.

ActionPacked! Networks 155 Kapalulu Place, Suite 222

Honolulu, HI 96819
