
Cisco Defense Orchestrator

Configuring NSEL for ASA Devices Using a CDO Macro

ASAs report detailed connection event data using Netflow Secure Event Logging (NSEL). You can apply Stealthwatch Cloud analytics to this connection event data, which includes bidirectional flow statistics. This procedure describes how to configure NSEL on an ASA device and send those NSEL events to a flow collector. In this case, the flow collector is a Secure Event Connector (SEC).

This procedure refers to the following macro, Configure NSEL:

flow-export destination {{interface}} {{IPv4_address}} {{NetFlow_port}}
flow-export template timeout-rate {{timeout_rate_in_mins}}
flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
flow-export active refresh-interval {{refresh_interval_in_mins}}
class-map {{flow_export_class_name}}
     match {{add_this_traffic_to_class_map}}
policy-map {{flow_export_policy_name}}
     class {{flow_export_class_name}}
          flow-export event-type {{event_type}} destination {{IPv4_address}}
logging flow-export-syslogs disable
show run flow-export
show run policy-map {{flow_export_policy_name}}
show run class-map {{flow_export_class_name}}

Here is an example of the Configure NSEL macro with all the default values filled in and a generic name for the class-map:

flow-export destination {{interface}} {{IPv4_address}} {{NetFlow_port}}
flow-export template timeout-rate 60
flow-export delay flow-create 55
flow-export active refresh-interval 1
class-map flow_export_class_map
     match any
policy-map {{flow_export_policy_name}}
     class flow_export_class_map
          flow-export event-type all destination {{IPv4_address}}
logging flow-export-syslogs disable
show run flow-export
show run policy-map {{flow_export_policy_name}}
show run class-map flow_export_class_map

Before You Begin

Gather the following information:

Workflow

These are the tasks you need to complete to configure NetFlow Secure Event Logging (NSEL) on an ASA for CDO. Complete all of the following tasks:

  1. Open the Configuring NSEL macro.
  2. Define the destination of NSEL messages and the interval at which they are sent to one of the SECs installed on your tenant. 
  3. Create a class-map that defines the traffic for which the ASA will send out NSEL events. 
  4. Define a policy-map for NSEL events.
  5. Disable redundant syslog messages.
  6. Review and Send the macro.

Open the Configuring NSEL Macro 

  1. On the Devices & Services page, select the ASA(s) on which you want to configure NetFlow Secure Event Logging (NSEL).
  2. In the Device Actions pane, click Command Line Interface.
  3. Click the Macro star icon to show the list of available macros.
  4. From the list of macros, select Configuring NSEL.
  5. Under the Macro box, click View Parameters.

Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC

NSEL messages can be sent to any one of the SECs you have onboarded to your tenant. These instructions refer to this section of the macro:

flow-export destination {{interface}} {{IPv4_address}} {{NetFlow_port}}
flow-export template timeout-rate {{timeout_rate_in_mins}}
flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
flow-export active refresh-interval {{refresh_interval_in_mins}}

  1. The flow-export destination command defines the collector to which the NetFlow packets are sent. In this case, you are sending them to an SEC. Fill in the fields for these parameters:
  • {{interface}} - Enter the name of the interface on the ASA from which the NetFlow events are sent.
  • {{IPv4_address}} - Enter the IPv4 address of the SEC. The SEC functions as the flow collector.
  • {{NetFlow_port}} - Enter the UDP port number on the SEC to which NetFlow packets are sent.
  2. The flow-export template timeout-rate command specifies the interval at which template records are sent to all configured output destinations.
  • {{timeout_rate_in_mins}} - Enter the number of minutes before templates are resent. We recommend a value of 60 minutes. The SEC does not process the templates, so a large value reduces traffic to the SEC.
  3. The flow-export delay flow-create command delays the sending of flow-create events by the specified number of seconds. This value matches the recommended Active Timeout value and reduces the number of flow events exported from the ASA. At that rate, expect NSEL events to first appear in CDO at the close of a connection or within 55 seconds of the creation of the connection, whichever happens earlier. If this command is not configured, there is no delay, and the flow-create event is exported as soon as the flow is created.
  • {{delay_flow_create_rate_in_secs}} - Enter the number of seconds by which flow-create events are delayed. We recommend a value of 55 seconds.
  4. The flow-export active refresh-interval command defines how often status updates for long-lived flows are sent from the ASA. Valid values are from 1 to 60 minutes. Configure this interval (the Flow Update Interval) to be at least 5 seconds longer than the flow-export delay flow-create interval, so that flow-update events never appear before flow-create events.
  • {{refresh_interval_in_mins}} - We recommend a value of 1 minute. Valid values are from 1 to 60 minutes.

Create a Class-Map that Defines which NSEL Events Will Be Sent to the SEC

The following commands in the macro group all NSEL events in a class and then export that class to the Secure Event Connector (SEC). These instructions refer to this section of the macro:

class-map {{flow_export_class_name}}
    match {{add_this_traffic_to_class_map}}

  1. The class-map command names the class map that identifies the NSEL traffic that will be exported to the SEC.
  • {{flow_export_class_name}} - Enter a name for your class map. The name may be up to 40 characters in length. The name "class-default" and any name that begins with "_internal" or "_default" are reserved. All types of class maps share the same name space, so you cannot re-use a name already used by another type of class map.
  2. Identify the traffic that is going to be associated with (matched by) your class-map. Choose one of these options for the value of {{add_this_traffic_to_class_map}}:

Define a Policy-Map for NSEL Events

The task assigns NetFlow export actions to the class you created in the previous task, and the class to a new policy map. These instructions refer to this section of the macro:

policy-map {{flow_export_policy_name}}
    class {{flow_export_class_name}}
        flow-export event-type {{event_type}} destination {{IPv4_address}}

  1. The policy-map command creates a policy-map. In the next task, you associate this policy map with the global policy.
  2. The class command inherits the name of the class-map you created in the previous task.
  3. The flow-export event-type {{event_type}} destination {{IPv4_address}} command defines which event types are sent to the flow collector (in this case, the SEC).
  • {{event_type}} - The event_type keyword is the name of the supported event type being filtered. We recommend using the value "all".
  • {{IPv4_address}} - The IPv4 address of the SEC. Its value is inherited from the value you entered in the first task of the workflow.
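The macro parameters above carry several constraints that CDO does not check for you (class-map name length and reserved names, the 1 to 60 minute range, and the 5-second margin between the refresh interval and the flow-create delay). The following Python script is an added example, not Cisco's or CDO's code: it renders the Configure NSEL macro from a parameter set and rejects parameters that violate those documented rules. The IPv4 format check and the 1-65535 UDP port range are assumptions added here, and the interface name, SEC address and policy name in the sample are constructed placeholders.

```python
import re

# Same command sequence as the Configure NSEL macro, with single-brace placeholders for str.format().
MACRO = """flow-export destination {interface} {IPv4_address} {NetFlow_port}
flow-export template timeout-rate {timeout_rate_in_mins}
flow-export delay flow-create {delay_flow_create_rate_in_secs}
flow-export active refresh-interval {refresh_interval_in_mins}
class-map {flow_export_class_name}
     match {add_this_traffic_to_class_map}
policy-map {flow_export_policy_name}
     class {flow_export_class_name}
          flow-export event-type {event_type} destination {IPv4_address}
logging flow-export-syslogs disable"""

RESERVED_PREFIXES = ("_internal", "_default")

def validate(p):
    """Return a list of problems; an empty list means the parameters satisfy the documented rules."""
    problems = []
    name = p["flow_export_class_name"]
    if len(name) > 40:
        problems.append("class-map name longer than 40 characters")
    if name == "class-default" or name.startswith(RESERVED_PREFIXES):
        problems.append(f"class-map name {name!r} is reserved")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", p["IPv4_address"]) or \
            any(int(o) > 255 for o in p["IPv4_address"].split(".")):
        problems.append("IPv4_address is not a dotted-quad address")
    if not 1 <= int(p["NetFlow_port"]) <= 65535:  # assumed UDP port range check
        problems.append("NetFlow_port outside 1-65535")
    refresh_min = int(p["refresh_interval_in_mins"])
    if not 1 <= refresh_min <= 60:
        problems.append("refresh_interval_in_mins outside 1-60")
    # Flow-update events must not precede flow-create events: refresh (minutes) >= delay (seconds) + 5 s.
    if refresh_min * 60 < int(p["delay_flow_create_rate_in_secs"]) + 5:
        problems.append("refresh interval must exceed flow-create delay by at least 5 s")
    return problems

def render(p):
    """Render the macro, refusing to produce a command set that breaks the documented rules."""
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    return MACRO.format(**p)

# Constructed sample parameters with the recommended values; address and names are placeholders.
SAMPLE = {
    "interface": "inside", "IPv4_address": "192.0.2.10", "NetFlow_port": "2055",
    "timeout_rate_in_mins": "60", "delay_flow_create_rate_in_secs": "55",
    "refresh_interval_in_mins": "1", "flow_export_class_name": "flow_export_class_map",
    "add_this_traffic_to_class_map": "any", "flow_export_policy_name": "flow_export_policy",
    "event_type": "all",
}
```

Calling render(SAMPLE) returns the filled-in command text shown earlier in this article, ready to paste into the CDO command line interface or compare against the macro's Review output.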

Disable Redundant Syslog Messages

These instructions refer to this section of the macro. You do not need to modify the command.

logging flow-export-syslogs disable

Enabling NetFlow to export flow information makes the syslog messages in the following table redundant. In the interest of performance, we recommend that you disable redundant syslog messages, because the same information is exported through NetFlow.

Note: When NSEL and syslog messages are both enabled, there is no guarantee of chronological ordering between the two logging types.

Syslog Messages with Equivalent NSEL Events

| Syslog Message | Description | NSEL Event ID | NSEL Extended Event ID |
|---|---|---|---|
| 106100 | Generated whenever an access control rule (ACL) is encountered. | 1—Flow was created (if the ACL allowed the flow). 3—Flow was denied (if the ACL denied the flow). | 0—If the ACL allowed the flow. 1001—Flow was denied by the ingress ACL. 1002—Flow was denied by the egress ACL. |
| 106015 | A TCP flow was denied because the first packet was not a SYN packet. | 3—Flow was denied. | 1004—Flow was denied because the first packet was not a TCP SYN packet. |
| 106023 | When a flow was denied by an ACL attached to an interface through the access-group command. | 3—Flow was denied. | 1001—Flow was denied by the ingress ACL. 1002—Flow was denied by the egress ACL. |
| 302013, 302015, 302017, 302020 | TCP, UDP, GRE, and ICMP connection creation. | 1—Flow was created. | 0—Ignore. |
| 302014, 302016, 302018, 302021 | TCP, UDP, GRE, and ICMP connection teardown. | 2—Flow was deleted. | 0—Ignore. > 2000—Flow was torn down. |
| 313001 | An ICMP packet to the device was denied. | 3—Flow was denied. | 1003—To-the-box flow was denied because of configuration. |
| 313008 | An ICMPv6 packet to the device was denied. | 3—Flow was denied. | 1003—To-the-box flow was denied because of configuration. |
| 710003 | An attempt to connect to the device interface was denied. | 3—Flow was denied. | 1003—To-the-box flow was denied because of configuration. |

If you do not want to disable redundant syslog messages, you can edit this macro and delete only this line from it:

logging flow-export-syslogs disable

You can later enable or disable individual syslog messages by following the procedure in the Disabling and Reenabling NetFlow-related Syslog Messages article.

Review and Send the Macro

  1. After filling in the fields of the macro, click Review to review the commands before they are sent to the ASA.
  2. If you are satisfied with your responses to the commands, click Send.
  3. After you send the command, you may see the message, "Some commands may have made changes to the running config" along with two links.


  • Clicking Write to Disk saves the changes made by this command, and any other changes in the running-configuration, to the device's startup configuration. 
  • Clicking Dismiss dismisses the message.
