NetFlow Secure Event Logging (NSEL) for Secure Firewall Cloud Native Devices

Basic syslog messages from the Secure Firewall Cloud Native lack much of the data that Cisco Secure Cloud Analytics needs to determine whether events reported by the Secure Firewall Cloud Native indicate a threat. NetFlow Secure Event Logging (NSEL) provides Secure Cloud Analytics with that data.

"A flow is defined as a unidirectional sequence of packets with some common properties that pass through a network device. These collected flows are exported to an external device, the NetFlow collector. Network flows are highly granular; for example, flow records include details such as IP addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces, etc."1

The Secure Firewall Cloud Native supports NetFlow Version 9 services. The Secure Firewall Cloud Native implementation of NSEL provides a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow. In stateful flow tracking, tracked flows go through a series of state changes.
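To show what a collector receives from this kind of export, the following added example (not Cisco code and not part of the original documentation) decodes a NetFlow Version 9 packet and reports the flow event carried in each record. The field numbers follow the NetFlow v9 and IANA numbering (233 is firewallEvent); the six-field template and the sample packet are constructed for illustration, and the presence of element 233 in the device's own template is an assumption.

```python
import ipaddress
import struct

FW_EVENT = {1: "created", 2: "deleted", 3: "denied", 4: "alert", 5: "updated"}  # element 233
FIELDS = {8: "src", 12: "dst", 7: "sport", 11: "dport", 4: "proto", 233: "event"}  # subset
SAMPLE = bytes.fromhex("0009 0003 000003e8 6553f100 00000001 00000001"  # constructed packet
    "0000 0020 0100 0006 0008 0004 000c 0004 0007 0002 000b 0002 0004 0001 00e9 0001"
    "0100 0020 0a000005 c000020a c000 01bb 06 01 0a000005 c6336407 c001 0017 06 03")

def read_templates(body, source_id, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * nfields
        if tid < 256 or end > len(body):
            break  # padding or truncated template
        templates[(source_id, tid)] = list(struct.iter_unpack("!HH", body[pos + 4:end]))
        pos = end

def read_data(body, template):
    size = sum(length for _, length in template)
    records = []
    for start in range(0, len(body) - size + 1, max(size, 1)):
        rec, pos = {}, start
        for ftype, length in template:
            raw, pos = body[pos:pos + length], pos + length
            if (name := FIELDS.get(ftype)) in ("src", "dst"):
                rec[name] = str(ipaddress.ip_address(raw))
            elif name:  # numeric field; map the event code to its name
                num = int.from_bytes(raw, "big")
                rec[name] = FW_EVENT.get(num, "ignore") if name == "event" else num
        records.append(rec)
    return records if size else []

def parse_v9(pkt, templates):  # templates: dict the caller keeps across packets
    version, _count, _up, _secs, _seq, source_id = struct.unpack_from("!HHIIII", pkt, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad flowset length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset
            read_templates(body, source_id, templates)
        elif (source_id, fs_id) in templates:  # data flowset with a known template
            records += read_data(body, templates[(source_id, fs_id)])
        off += fs_len
    return records
```

Data flowsets that arrive before their template are skipped, so a collector that has just started reports nothing for an exporter until that exporter resends its templates.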

This documentation describes a straightforward approach to configuring NetFlow for your Secure Firewall Cloud Native devices using a set of commands in the configuration file. The Cisco NetFlow Implementation Guide provides an extremely detailed discussion of configuring NetFlow on the Secure Firewall Cloud Native, and you may find it a valuable resource to accompany this content.