Can I use Cisco ASA's "NetFlow Security Event Logging" (NetFlow 9) for bandwidth monitoring
Security Event Logging is something different from what you're after. I believe you want straight NetFlow (v5 will do), exported to some type of analyzer.
I've used, and can recommend, ManageEngine Netflow Analyzer: http://www.manageengine.com/products/netflow/download-free.html
Grab the free edition, and fire this up on a server somewhere. Make sure the server's firewall permits traffic on port 9996 (UDP). Then, use the following config on your ASA to export network flow data:
flow-export destination outside_interface_name <netflow analyzer IP> 9996
flow-export template timeout-rate 1
flow-export delay flow-create 10
access-list netflow-export extended permit ip any any
class-map netflow-export-class
 match access-list netflow-export
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination <netflow analyzer IP>
Note that in my example, I have assumed you have a global_policy policy-map defined.
Browse to NetFlow Analyzer and log in. NetFlow Analyzer will break down the ASA output into source/destination connections, including traffic in megabytes per connection, and will even perform port analysis to show you the applications in use.
This makes it particularly easy to see when an employee is torrenting for instance. :-)
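To show what the analyzer on the receiving end of that `flow-export` config actually does with the datagrams, here is a minimal NetFlow v9 collector. This is an added example and not code from the answerer, ManageEngine, or Cisco. It learns templates from template FlowSets (ID 0), decodes the data FlowSets that reference them, and sums bytes per source/destination pair, which is the core of bandwidth monitoring. The sample datagram it builds is constructed, not captured. It reads byte counts from the standard `IN_BYTES` field (type 1); the additional field IDs 231/232 are included on the assumption that ASA NSEL teardown records carry byte counts there instead, so check your own exporter's templates before relying on that.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v9 field type IDs from RFC 3954.
IPV4_SRC_ADDR = 8
IPV4_DST_ADDR = 12
IN_BYTES = 1
# Assumption: Cisco ASA NSEL teardown records report byte counts in
# initiatorOctets (231) / responderOctets (232) rather than IN_BYTES.
ASA_BYTE_FIELDS = (231, 232)
BYTE_FIELDS = (IN_BYTES,) + ASA_BYTE_FIELDS


class NetFlowV9Collector:
    """Minimal NetFlow v9 decoder: learns templates, sums bytes per src/dst pair."""

    def __init__(self):
        # (source_id, template_id) -> [(field_type, field_length), ...]
        self.templates = {}
        self.bytes_per_pair = defaultdict(int)

    def feed(self, packet: bytes) -> int:
        """Decode one exported datagram; return the number of data records decoded."""
        if len(packet) < 20:
            raise ValueError("short NetFlow v9 header")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"unsupported NetFlow version {version}")
        offset, records = 20, 0
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:
                self._parse_templates(source_id, body)
            elif flowset_id >= 256:
                records += self._parse_data(source_id, flowset_id, body)
            # FlowSet ID 1 (options templates) and other reserved IDs are ignored here.
            offset += length
        return records

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(field_count):
                ftype, flen = struct.unpack("!HH", body[pos:pos + 4])
                fields.append((ftype, flen))
                pos += 4
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            return 0  # template not seen yet; exporters resend it periodically
        record_len = sum(flen for _, flen in fields)
        records, pos = 0, 0
        while pos + record_len <= len(body):  # trailing bytes are padding
            values = {}
            for ftype, flen in fields:
                values[ftype] = body[pos:pos + flen]
                pos += flen
            src = socket.inet_ntoa(values.get(IPV4_SRC_ADDR, b"\0\0\0\0"))
            dst = socket.inet_ntoa(values.get(IPV4_DST_ADDR, b"\0\0\0\0"))
            total = sum(int.from_bytes(values[f], "big") for f in BYTE_FIELDS if f in values)
            self.bytes_per_pair[(src, dst)] += total
            records += 1
        return records

    def top_talkers(self, n=5):
        return sorted(self.bytes_per_pair.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_export() -> bytes:
    """Constructed sample datagram: one template plus two data records (not captured traffic)."""
    template = struct.pack("!HH", 256, 3) + struct.pack(
        "!HHHHHH", IPV4_SRC_ADDR, 4, IPV4_DST_ADDR, 4, IN_BYTES, 4)
    template_set = struct.pack("!HH", 0, 4 + len(template)) + template
    rec1 = socket.inet_aton("10.0.0.5") + socket.inet_aton("203.0.113.9") + struct.pack("!I", 1_500_000)
    rec2 = socket.inet_aton("10.0.0.7") + socket.inet_aton("203.0.113.9") + struct.pack("!I", 2048)
    data = rec1 + rec2
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 1000, 1_600_000_000, 1, 0)
    return header + template_set + data_set


def serve(port=9996):
    """Listen on the UDP port used in the answer and feed every datagram to the collector."""
    collector = NetFlowV9Collector()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            packet, _peer = sock.recvfrom(65535)
            collector.feed(packet)


if __name__ == "__main__":
    c = NetFlowV9Collector()
    c.feed(build_sample_export())
    for (src, dst), nbytes in c.top_talkers():
        print(f"{src} -> {dst}: {nbytes / 1e6:.2f} MB")
```

Templates are keyed by source ID as well as template ID because two exporters may reuse the same template number with different layouts; a data FlowSet that arrives before its template is dropped, which is why the answer sets `flow-export template timeout-rate 1` so the ASA resends templates often.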
Daltrey Waters
Updated on September 17, 2022

Comments

Daltrey Waters, almost 2 years ago
Cisco has introduced NetFlow 9 export in the latest software version for ASA firewalls. But it seems to be meant for event logging of security events only (as a replacement for syslog messages).
But can it still be used for bandwidth monitoring, too? And if so, how must the ASA be configured?
Here is the relevant info from the Cisco website: