Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC

NSEL messages can be sent to any one of the SECs you have onboarded to your tenant. These instructions refer to this section of the macro:

flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}

flow-export template timeout-rate {{timeout_rate_in_mins}}

flow-export delay flow-create {{delay_flow_create_rate_in_secs}}

flow-export active refresh-interval {{refresh_interval_in_mins}}

Before you begin

This is part of a larger workflow. See Configuring NSEL for ASA Devices by Using a Security Cloud Control Macro before getting started.

Procedure


Step 1

The flow-export destination command defines the collector to which the NetFlow packets are sent. In this case, you are sending them to an SEC. Fill in the fields for these parameters:

  • {{interface}}: Enter the name of the interface on the ASA from which the NetFlow events are sent.

  • {{SEC_IPv4_address}}: Enter the IPv4 address of the SEC. The SEC functions as the flow collector.

  • {{SEC_NetFlow_port}}: Enter the UDP port number on the SEC to which NetFlow packets are sent.

Step 2

The flow-export template timeout-rate command specifies the interval at which template records are sent to all configured output destinations.

  • {{timeout_rate_in_mins}}: Enter the number of minutes before templates are resent. We recommend using a value of 60 minutes. The SEC does not process the templates, so a larger value reduces traffic to the SEC.

Step 3

The flow-export delay flow-create command delays the sending of flow-create events by the specified number of seconds. The recommended delay of 55 seconds matches the recommended Active Timeout value and reduces the number of flow events exported from the ASA. With that delay, expect NSEL events to first appear in Security Cloud Control at the close of a connection or within 55 seconds of the creation of the connection, whichever happens earlier. If this command is not configured, there is no delay, and the flow-create event is exported as soon as the flow is created.

  • {{delay_flow_create_rate_in_secs}}: Enter the number of seconds by which to delay sending flow-create events. We recommend using a value of 55 seconds.

Step 4

The flow-export active refresh-interval command defines how often status updates for long-lived flows are sent from the ASA. Valid values are from 1 to 60 minutes. In the Flow Update Interval field, configuring the flow-export active refresh-interval to be at least 5 seconds more than the flow-export delay flow-create interval prevents flow-update events from appearing before flow-creation events.

  • {{refresh_interval_in_mins}}: Enter the number of minutes between status updates for long-lived flows. We recommend using a value of 1 minute.
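
The following added example (not part of the Security Cloud Control macro or Cisco's own tooling) checks a set of parameter values against the rules in Steps 1 through 4 before filling in the macro, including the rule that the refresh interval must exceed the flow-create delay by at least 5 seconds. The function names, the interface name, the address and the port are assumptions made for illustration; only the 1-60 minute range for the refresh interval comes from this page, and the other timers are checked only for being positive.

```python
import ipaddress

# The macro section from this page, with its {{parameter}} placeholders.
MACRO = """\
flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
flow-export template timeout-rate {{timeout_rate_in_mins}}
flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
flow-export active refresh-interval {{refresh_interval_in_mins}}
"""
# Constructed sample: placeholder interface/address/port, page-recommended timers.
SAMPLE = {
    "interface": "inside",
    "SEC_IPv4_address": "192.0.2.10",
    "SEC_NetFlow_port": 2055,
    "timeout_rate_in_mins": 60,
    "delay_flow_create_rate_in_secs": 55,
    "refresh_interval_in_mins": 1,
}

def validate(p):
    """Return a list of problems with parameter dict p (empty means OK)."""
    errors = []
    if not p["interface"] or any(c.isspace() for c in p["interface"]):
        errors.append("interface: must be a single non-empty name")
    try:
        ipaddress.IPv4Address(p["SEC_IPv4_address"])
    except ValueError:
        errors.append("SEC_IPv4_address: not a valid IPv4 address")
    if not 1 <= p["SEC_NetFlow_port"] <= 65535:
        errors.append("SEC_NetFlow_port: not a valid UDP port")
    for key in ("timeout_rate_in_mins", "delay_flow_create_rate_in_secs"):
        if p[key] < 1:
            errors.append(key + ": must be a positive integer")
    if not 1 <= p["refresh_interval_in_mins"] <= 60:
        errors.append("refresh_interval_in_mins: valid values are 1-60")
    # Step 4: refresh interval must exceed the flow-create delay by >= 5 s.
    if p["refresh_interval_in_mins"] * 60 < p["delay_flow_create_rate_in_secs"] + 5:
        errors.append("ordering: refresh interval is less than delay + 5 seconds")
    return errors

def render(p):
    """Validate p, then substitute every {{name}} placeholder in MACRO."""
    errors = validate(p)
    if errors:
        raise ValueError("; ".join(errors))
    text = MACRO
    for key, value in p.items():
        text = text.replace("{{" + key + "}}", str(value))
    return text
```

With the recommended timers, the 1 minute refresh interval is exactly 5 seconds longer than the 55 second delay, so any increase to the delay requires a longer refresh interval as well.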


What to do next

Continue to Create a Class-Map that Defines which NSEL Events Will Be Sent to the SEC.