Configuring NSEL for ASA Devices by Using a CDO Macro

ASAs report detailed connection event data using NetFlow Secure Event Logging (NSEL). You can apply Secure Cloud Analytics to this connection event data, which includes bidirectional flow statistics. This procedure describes how to configure NSEL on an ASA device and send those NSEL events to a flow collector. In this case, the flow collector is a Secure Event Connector (SEC).

This procedure refers to this macro, Configure NSEL:

flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
flow-export template timeout-rate {{timeout_rate_in_mins}}
flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
flow-export active refresh-interval {{refresh_interval_in_mins}}
class-map {{flow_export_class_name}}
     match {{add_this_traffic_to_class_map}}
policy-map {{global_policy_map_name}}
     class {{flow_export_class_name}}
          flow-export event-type {{event_type}} destination {{SEC_IPv4_address}}
service-policy {{global_policy_map_name}} global
logging flow-export-syslogs disable
show run flow-export
show run policy-map {{global_policy_map_name}}
show run class-map {{flow_export_class_name}}

Here is an example of the Configure NSEL macro with all the default values filled in, a generic name for the class-map, and the class map added to the global_policy. When you are done with these procedures, your macro will resemble this:

flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
flow-export template timeout-rate 60
flow-export delay flow-create 55
flow-export active refresh-interval 1
class-map flow_export_class_map
     match any
policy-map global_policy
     class flow_export_class_map
          flow-export event-type all destination {{SEC_IPv4_address}}
logging flow-export-syslogs disable
show run flow-export
show run policy-map global_policy
show run class-map flow_export_class_map
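
As an added example (not part of the Cisco documentation or of CDO), the Python function below fills the Configure NSEL macro offline and refuses to return it if a parameter is still unfilled, if a value could introduce extra CLI lines, or if the destination address or port is invalid. The function name `render_nsel_macro` is hypothetical, and the check that the refresh interval exceeds the flow-create delay by at least 5 seconds is an assumption about ASA behaviour that the page's defaults (55 seconds and 1 minute) happen to satisfy.

```python
import ipaddress
import re

# Macro text copied from the page; the {{...}} names are the page's parameters.
MACRO = """\
flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
flow-export template timeout-rate {{timeout_rate_in_mins}}
flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
flow-export active refresh-interval {{refresh_interval_in_mins}}
class-map {{flow_export_class_name}}
     match {{add_this_traffic_to_class_map}}
policy-map {{global_policy_map_name}}
     class {{flow_export_class_name}}
          flow-export event-type {{event_type}} destination {{SEC_IPv4_address}}
service-policy {{global_policy_map_name}} global
logging flow-export-syslogs disable
show run flow-export
show run policy-map {{global_policy_map_name}}
show run class-map {{flow_export_class_name}}
"""
# Default values shown in the page's filled-in example.
DEFAULTS = {
    "timeout_rate_in_mins": "60", "delay_flow_create_rate_in_secs": "55",
    "refresh_interval_in_mins": "1", "event_type": "all",
    "flow_export_class_name": "flow_export_class_map",
    "add_this_traffic_to_class_map": "any",
    "global_policy_map_name": "global_policy",
}

def render_nsel_macro(**site_values):
    """Return the filled macro text, or raise ValueError (hypothetical helper)."""
    values = {**DEFAULTS, **site_values}
    for name, value in values.items():
        # A value with a newline or odd characters could add extra CLI lines.
        if not re.fullmatch(r"[\w./: -]+", str(value)):
            raise ValueError(f"unsafe characters in {name}")
    fill = lambda m: str(values.get(m.group(1), m.group(0)))
    text = re.sub(r"\{\{(\w+)\}\}", fill, MACRO)
    missing = sorted(set(re.findall(r"\{\{(\w+)\}\}", text)))
    if missing:
        raise ValueError(f"unfilled parameters: {missing}")
    ipaddress.IPv4Address(values["SEC_IPv4_address"])  # ValueError if invalid
    if not 1 <= int(values["SEC_NetFlow_port"]) <= 65535:
        raise ValueError("SEC_NetFlow_port out of range")
    # Assumption: refresh interval should exceed the flow-create delay by >= 5 s.
    refresh_s = int(values["refresh_interval_in_mins"]) * 60
    if refresh_s - int(values["delay_flow_create_rate_in_secs"]) < 5:
        raise ValueError("refresh interval must exceed flow-create delay by 5 s")
    return text
```

Call it with your own `interface`, `SEC_IPv4_address` and `SEC_NetFlow_port` values, and compare the returned text with what CDO shows before you send the macro.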

Before you Begin

Gather the following information:

Workflow

Follow this workflow to configure NSEL for ASA devices by using a CDO macro. You must complete every step:

  1. Open the Configuring NSEL Macro.

  2. Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC.

  3. Create a Class-Map that Defines which NSEL Events Will Be Sent to the SEC.

  4. Define a Policy-Map for NSEL Events.

  5. Disable Redundant Syslog Messages.

  6. Review and Send the Macro.

What to do next

Begin the workflow above by going to Open the Configuring NSEL Macro.