SSIM ASA netflow

Created: 11 Jul 2012 | 5 comments

Hello,

After some research I found out that Cisco ASAs provide their own version of NetFlow, which is called NSEL.

Is there any way to process data from this with SSIM?

We have SSIM 4.7.4 with the latest updates installed. The NetFlow collector is set up, and data from the ASA can be seen with tcpdump, but I can't see any events.

Thanks for any advice.

MV.

5 Comments

Avkash K:

I would suggest that you forward the ASA logs directly through syslog, and set up your collector to receive them.

Please check below forum link, it can be helpful for you.

https://www-secure.symantec.com/connect/forums/ciscor-asar-event-collector

Regards,

Avkash K

mathell:

I have no direct experience with NetFlow on the ASA, but it appears to use the version 9 record format, so the SSIM NetFlow collector should work fine.  The ASA can also export this data as syslog.  I have no idea whether the SSIM Cisco ASA syslog collector parses these correctly, though. Avkash, can you confirm that it does?

Avkash K:

Yes,

It parses the ASA syslog correctly.

Regards,

Avkash K

Milan_T:

Let me describe the whole configuration process for on-box collectors (note that the Syslog Director works only with on-box installed collectors).

1. Your collector is already preinstalled on SSIM - that's fine.

2. Using the SSIM UI, create a new configuration for the Cisco ASA collector, pointing it to your appliance.

3. In the sensor configuration for the Cisco ASA collector, enable Sensor 0 with these settings:

Protocol: UDP

Host Names: *

Port Number: 10557.

Save the configuration.

4. Create a new configuration for the Syslog Director (if one does not exist), pointing it to your SSIM appliance, with this configuration:

Protocol: UDP

Host Names: *

Port Number: 10514.

Switch to Director Settings and do the following:

In the upper list of collectors, check the "Redirect" box for the Cisco ASA collector and make sure that "Listens to" and "Director Port" are both 10557.

Save the configuration.

5. Configure your point product to send events to port 514. All these events will be redirected to port 10557, to the Cisco ASA collector.
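The following is an added example, not code from the thread and not part of SSIM or the Cisco ASA. It covers two things from this thread: the path Milan_T describes (ASA syslog to the director port, then to the Cisco ASA collector) and the symptom in the original question (datagrams visible in tcpdump but no events). It builds a syslog datagram in the shape an ASA emits, sends it over loopback to a throwaway UDP listener standing in for the collector port, parses what arrives the way the ASA collector has to (PRI header, then the %ASA-severity-messageid tag after any timestamp or device-id prefix), and classifies a datagram as ASA syslog versus an NSEL export, which is a binary NetFlow v9 packet and belongs on the NetFlow collector, not the syslog collector. The host, ports, log text and NetFlow header values are all constructed for the demo.

```python
"""
Added example (not from the thread, not SSIM code): loopback check of the
ASA -> port 514 -> Syslog Director -> Cisco ASA collector path, plus a
classifier that tells an ASA syslog datagram apart from an NSEL (NetFlow v9)
export. Hosts, ports, the log text and the NetFlow header are constructed.
"""
import re
import socket
import struct

# ASA syslog tag as the collector has to find it, after any timestamp or
# device-id prefix: "%ASA-<severity>-<6-digit message id>: <text>"
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)", re.S)
PRI = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.S)

# NetFlow v9 packet header: version, count, sysUptime, unixSecs, seq, sourceId
NETFLOW_V9_HEADER = struct.Struct("!HHIIII")


def build_asa_syslog(severity, msgid, text, facility=20, prefix=""):
    """Datagram in the shape an ASA emits with 'logging host <if> <ip> udp/514'.
    Facility 20 (local4) is the ASA default; prefix stands in for the optional
    timestamp / device-id the ASA can put in front of the tag."""
    pri = facility * 8 + severity
    return "<%d>%s%%ASA-%d-%s: %s" % (pri, prefix, severity, msgid, text)


def build_netflow_v9_header(count=1, uptime_ms=1000, unix_secs=1341964800,
                            seq=1, source_id=0):
    """Constructed 20-byte NetFlow v9 header, which is how an NSEL export starts."""
    return NETFLOW_V9_HEADER.pack(9, count, uptime_ms, unix_secs, seq, source_id)


def parse_asa_syslog(datagram):
    """Return the fields the ASA collector needs, or None if this is not ASA syslog."""
    try:
        text = datagram.decode("utf-8")
    except UnicodeDecodeError:
        return None
    m = PRI.match(text)
    if not m:
        return None
    pri = int(m.group("pri"))
    tag = ASA_TAG.search(m.group("body"))
    if not tag:
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "msgid": tag.group("msgid"),
        "text": tag.group("text").strip(),
        # The ASA encodes severity in both PRI and the tag; a mismatch means
        # something rewrote the line in transit (e.g. a relay re-tagged it).
        "severity_consistent": (pri % 8) == int(tag.group("sev")),
    }


def classify_datagram(datagram):
    """Label what tcpdump is showing on the collector port."""
    if len(datagram) >= NETFLOW_V9_HEADER.size:
        version, = struct.unpack("!H", datagram[:2])
        if version == 9:
            return "netflow_v9"      # NSEL: needs the NetFlow collector
    if parse_asa_syslog(datagram):
        return "asa_syslog"         # what the Cisco ASA collector expects
    if PRI.match(datagram.decode("utf-8", "replace")):
        return "syslog"             # syslog, but without the %ASA tag
    return "unknown"


def roundtrip(datagram, host="127.0.0.1", port=0, timeout=2.0):
    """Bind a throwaway UDP listener standing in for the director/collector
    port, send the datagram to it and return what arrived (None on timeout).
    port=0 picks a free port; point this at 10557 on the appliance to test
    the real on-box collector instead."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, port))
        rx.settimeout(timeout)
        tx.sendto(datagram, rx.getsockname())
        data, _ = rx.recvfrom(65535)
        return data
    except socket.timeout:
        return None
    finally:
        tx.close()
        rx.close()


# Constructed sample inputs (documentation addresses, made-up connection id).
SAMPLE_ASA = build_asa_syslog(
    6, "302013",
    "Built outbound TCP connection 4711 for outside:203.0.113.10/443 "
    "(203.0.113.10/443) to inside:10.0.0.25/51234 (192.0.2.1/51234)",
    prefix="Jul 11 2012 10:15:00 fw01 : ",
).encode("utf-8")
SAMPLE_NSEL = build_netflow_v9_header() + b"\x00" * 8   # header plus stub flowset

if __name__ == "__main__":
    for name, dgram in (("syslog", SAMPLE_ASA), ("nsel", SAMPLE_NSEL)):
        got = roundtrip(dgram)
        print(name, classify_datagram(got) if got else "timeout",
              parse_asa_syslog(got) if got else None)
```

On the ASA side the matching configuration, assuming the appliance is 10.0.0.5 on the inside interface, is "logging enable", "logging timestamp", "logging trap informational" and "logging host inside 10.0.0.5 udp/514" for the syslog path, and "flow-export destination inside 10.0.0.5 2055" plus "flow-export event-type all destination 10.0.0.5" under the global policy map for NSEL (port 2055 is an assumption; use whatever the SSIM NetFlow collector listens on). One caveat for the original question: a NetFlow v9 collector cannot decode data records until it has received the template flowsets, which the ASA sends on a timer (flow-export template timeout-rate), so a freshly started collector can show packets in tcpdump and still produce no events until the next template arrives.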