Configuring NSEL for ASA Devices by Using a Security Cloud Control Macro
ASAs report detailed connection event data using Netflow Secure Event Logging (NSEL). You can apply Secure Cloud Analytics to this connection event data, which includes bidirectional flow statistics. This procedure describes how to configure NSEL on an ASA device and send those NSEL events to a flow collector. In this case, the flow collector is a Secure Event Connector (SEC).
This procedure refers to this macro, Configure NSEL:
flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
flow-export template timeout-rate {{timeout_rate_in_mins}}
flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
flow-export active refresh-interval {{refresh_interval_in_mins}}
class-map {{flow_export_class_name}}
 match {{add_this_traffic_to_class_map}}
policy-map {{global_policy_map_name}}
 class {{flow_export_class_name}}
  flow-export event-type {{event_type}} destination {{SEC_IPv4_address}}
service-policy {{global_policy_map_name}} global
logging flow-export-syslogs disable
show run flow-export
show run policy-map {{global_policy_map_name}}
show run class-map {{flow_export_class_name}}
Here is an example of the Configure NSEL macro with all the default values filled in, a generic name for the class-map, and the class map added to the global_policy. When you are done with these procedures, your macro will resemble this:
flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
flow-export template timeout-rate 60
flow-export delay flow-create 55
flow-export active refresh-interval 1
class-map flow_export_class_map
 match any
policy-map global_policy
 class flow_export_class_map
  flow-export event-type all destination {{SEC_IPv4_address}}
logging flow-export-syslogs disable
show run flow-export
show run policy-map global_policy
show run class-map flow_export_class_map
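The following Python sketch is an added example, not part of the Cisco macro or of Security Cloud Control. It fills the {{parameter}} fields of the macro above and refuses to produce commands if a field is left unfilled, the collector address is not IPv4, the port is not a valid UDP port, or a value contains a line break. The function name render_nsel_macro and the sample interface, address and port are assumptions made for illustration.

```python
import ipaddress
import re

# Macro text copied from the page; {{name}} marks a parameter to fill in.
MACRO = """\
flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
flow-export template timeout-rate {{timeout_rate_in_mins}}
flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
flow-export active refresh-interval {{refresh_interval_in_mins}}
class-map {{flow_export_class_name}}
match {{add_this_traffic_to_class_map}}
policy-map {{global_policy_map_name}}
class {{flow_export_class_name}}
flow-export event-type {{event_type}} destination {{SEC_IPv4_address}}
service-policy {{global_policy_map_name}} global
logging flow-export-syslogs disable
show run flow-export
show run policy-map {{global_policy_map_name}}
show run class-map {{flow_export_class_name}}
"""
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
INT_PARAMS = ("SEC_NetFlow_port", "timeout_rate_in_mins",
              "delay_flow_create_rate_in_secs", "refresh_interval_in_mins")
# Constructed sample: page defaults plus a placeholder interface, address, port.
SAMPLE = {"interface": "inside", "SEC_IPv4_address": "192.0.2.10",
          "SEC_NetFlow_port": 2055, "timeout_rate_in_mins": 60,
          "delay_flow_create_rate_in_secs": 55, "refresh_interval_in_mins": 1,
          "flow_export_class_name": "flow_export_class_map",
          "add_this_traffic_to_class_map": "any",
          "global_policy_map_name": "global_policy", "event_type": "all"}


def render_nsel_macro(params):
    """Return the filled-in command lines, or raise ValueError on bad input."""
    needed = set(PLACEHOLDER.findall(MACRO))
    if set(params) != needed:
        raise ValueError("parameter mismatch: %s" % sorted(needed ^ set(params)))
    values = {k: str(v) for k, v in params.items()}
    for name, value in values.items():
        # Each value stays on one line; a line break would add a command.
        if not value.strip() or "\n" in value or "\r" in value:
            raise ValueError("bad value for " + name)
    ipaddress.IPv4Address(values["SEC_IPv4_address"])  # ValueError if not IPv4
    for name in INT_PARAMS:
        if not values[name].isdigit() or int(values[name]) < 1:
            raise ValueError(name + " must be a positive integer")
    if int(values["SEC_NetFlow_port"]) > 65535:
        raise ValueError("SEC_NetFlow_port is not a valid UDP port")
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], MACRO).splitlines()
```

Calling render_nsel_macro(SAMPLE) returns the 14 command lines with no {{...}} fields remaining, which can be compared against the example macro above before anything is sent to a device.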
Before you begin
Gather the following information:
- Read these topics if you have never worked with a Security Cloud Control Macro before:
- IPv4 address of the SEC that will receive data from the ASA
- Interface on the ASA that will send data to the SEC
- UDP port number used to forward NetFlow events. See Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS).
Workflow
Follow this workflow to configure NSEL for ASA devices by using a Security Cloud Control macro. You need to follow each step:
What to do next
Begin the workflow above by going to Open the Configuring NSEL Macro.