Configure NSEL for Secure Firewall Cloud Native Devices

Secure Firewall Cloud Native devices report detailed connection event data using NetFlow Secure Event Logging (NSEL). You can apply Cisco Secure Cloud Analytics to this connection event data, which includes bidirectional flow statistics. This procedure describes how to configure NSEL on a Secure Firewall Cloud Native device and send those NSEL events to a flow collector. In this case, the flow collector is a Secure Event Connector (SEC).

The procedure refers to a set of commands to be entered in the configuration file of the firewall.

Procedure


Step 1

In the Device Configuration tab, click Edit.

Step 2

In the configuration file, create a new CRD entry anywhere before the "snmp-server-config" and enter the commands discussed below.

Commands
########## CRD ### name: entry-name, order: order-number, generation: 1 ##########
    flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
    flow-export template timeout-rate {{timeout_rate_in_mins}}
    flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
    flow-export active refresh-interval {{refresh_interval_in_mins}}
    class-map {{flow_export_class_name}}
         match {{add_this_traffic_to_class_map}}
    policy-map {{global_policy_map_name}}
         class {{flow_export_class_name}}
              flow-export event-type {{event_type}} destination {{SEC_IPv4_address}}
    service-policy {{global_policy_map_name}} global
    logging flow-export-syslogs disable
    show run flow-export
    show run policy-map {{global_policy_map_name}}
    show run class-map {{flow_export_class_name}}

Here is an example with all the default values filled in, a generic name for the class-map, and the class map added to the global_policy:

########## CRD ### name: nsel-config, order: 5, generation: 1 ##########
    flow-export destination outside {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
    flow-export template timeout-rate 60
    flow-export delay flow-create 55
    flow-export active refresh-interval 1
    class-map flow_export_class_map
         match any
    policy-map global_policy
         class flow_export_class_map
              flow-export event-type all destination {{SEC_IPv4_address}}
    service-policy global_policy global
    logging flow-export-syslogs disable
    show run flow-export
    show run policy-map global_policy
    show run class-map flow_export_class_map
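
Before saving, the filled-in entry can be checked for leftover placeholders and for names that do not line up. The following is an added example, not part of the Cisco procedure: lint_nsel is a hypothetical helper, the collector address 192.0.2.10 and port 2055 are constructed values, and only names defined inside the same CRD entry are treated as known.

```python
import ipaddress

# Constructed sample: the page's default example with its two remaining
# placeholders filled by made-up values (192.0.2.10 and 2055 are assumptions).
SAMPLE = """\
flow-export destination outside 192.0.2.10 2055
flow-export template timeout-rate 60
flow-export delay flow-create 55
flow-export active refresh-interval 1
class-map flow_export_class_map
     match any
policy-map global_policy
     class flow_export_class_map
          flow-export event-type all destination 192.0.2.10
service-policy global_policy global
logging flow-export-syslogs disable
"""

def lint_nsel(text):
    """Return a list of problems in a filled-in NSEL CRD body (empty = clean)."""
    problems, dests, used_dests = [], set(), []
    defined = {"class-map": set(), "policy-map": set()}
    used = {"class": [], "service-policy": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "{{" in line:  # template variable that was never substituted
            problems.append(f"unfilled placeholder: {line}")
            continue
        t = line.split()
        if t[:2] == ["flow-export", "destination"]:
            try:
                _iface, ip, port = t[2:]  # wrong token count raises ValueError
                ipaddress.IPv4Address(ip)
                if not 1 <= int(port) <= 65535:
                    raise ValueError(port)
                dests.add(ip)
            except ValueError:
                problems.append(f"bad collector address or port: {line}")
        elif t[:2] == ["flow-export", "event-type"] and "destination" in t[:-1]:
            used_dests.append(t[t.index("destination") + 1])
        elif t[0] in defined:
            defined[t[0]].add(t[-1])
        elif t[0] in used and len(t) > 1:
            used[t[0]].append(t[1])
    problems += [f"event-type destination {d} is not a flow-export destination"
                 for d in used_dests if d not in dests]
    for kw, target in (("class", "class-map"), ("service-policy", "policy-map")):
        problems += [f"{kw} {n} has no matching {target}" for n in used[kw] if n not in defined[target]]
    return problems
```

An empty list means every event-type destination, class and service-policy in the entry resolves to something the entry itself defines.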

Step 3

Click Save.

Step 4