
What is Netflow?

NetFlow was designed by Cisco to collect statistics about IP network traffic. The exported data can then be analysed by source, destination, protocol, class of service and so on. A NetFlow deployment consists of a flow cache on the exporting device, a flow collector that receives the exports, and a flow analyser that presents the data in an understandable way.

Cisco Netflow configuration on ASA firewalls


Firstly you'll need at least ASA 8.2.1, and ASDM 6.2.1. I am using ASA version 9.0(3) and
ASDM version 7.1(6).
The Netflow settings in ASDM are located in Configuration > Logging > NetFlow

Click Add, specify the IP address of the server running the NetFlow collector, and set the port to 2055.

The next step is to send all of our traffic to the NetFlow collector. To do this we must set up a service policy rule.


Go to Firewall > Service Policy Rules and click Add.

Select "Global - applies to all interfaces" and keep the default name of global-class

Select Source and Destination IP addresses (uses ACL) and click Next

For the Source and Destination select "any", and for the service select ip (I did also add icmp,
icmp/echo and icmp/echo-reply)

On the next page select the NetFlow tab, click Add and set the NetFlow collector to the one we configured in the first step, making sure that Send is ticked. Click OK.

Lastly, click Finish.
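For reference, this is the CLI equivalent of the ASDM steps above, written here as an added example rather than copied from the original post. The collector address 192.0.2.10 (a documentation range), the interface name "inside" and the ACL name global_mpc are assumptions; the class name global-class, the global_policy policy map and port 2055 match what the walkthrough configures.

```text
! Added example: NetFlow (NSEL) export from an ASA to a collector on UDP 2055.
! Collector IP 192.0.2.10, interface "inside" and ACL name "global_mpc" are assumed.
flow-export destination inside 192.0.2.10 2055
! Re-send the NetFlow v9 templates every 30 minutes (the default). A collector
! cannot decode any flow record until it has received the template, which is
! why a freshly added sensor shows nothing for the first few minutes.
flow-export template timeout-rate 30
! Match all IP traffic, as chosen in the "Source and Destination IP addresses
! (uses ACL)" step; add icmp lines here if you want them as in the post.
access-list global_mpc extended permit ip any any
class-map global-class
 match access-list global_mpc
policy-map global_policy
 class global-class
  flow-export event-type all destination 192.0.2.10
service-policy global_policy global
```

Two things worth checking after applying this: `show flow-export counters` on the ASA confirms that packets are actually leaving, and because NetFlow is plain, unauthenticated UDP, the collector should only be reachable from the firewall's exporting interface so that nobody else can feed it flow records.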

We now need to set up PRTG.

Creating a Netflow sensor on PRTG for Cisco ASAs


Hopefully your firewall will already have been picked up by PRTG's own ping tests. If not, click Devices and select Add a device. We can either create a new group or add it to an existing group. Give the new device a meaningful name, and then click Add Sensor.

Select NetFlow V9, and click on "Add This"


Give the sensor a name and set "Receive NetFlow Packets on UDP Port" to the same port we configured on the ASA (2055). Set the sender IP to the ASA's interface IP address, and set "Active Flow Timeout (Minutes)" to something sensible (I have used 30). To get some decent data I also set the channel configuration for Infrastructure to "Detail":

Give the collector a little time to gather some data; five minutes or so should do, and hopefully you should start seeing something like this:

(The screenshot above references a different sensor number to the one before it; don't worry about that, I just set up additional sensors to get a screenshot.)
You can also drill down into the sensor and see the top protocols:

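To make concrete what the collector is doing while you wait those few minutes, here is a small NetFlow v9 decoder in the shape described by RFC 3954. It is an added example, not code from the original post or from PRTG: it parses the 20-byte export header, learns templates from template FlowSets, and only then decodes data FlowSets, dropping records whose template it has not yet seen. The packet bytes, the template field set and the two flow records are constructed here; the addresses come from documentation ranges.

```python
"""Added example (not from the original post): a minimal NetFlow v9 decoder
showing why a collector needs the exporter's template before it can decode
any flow record. All packet bytes below are constructed for the example."""
import ipaddress
import struct

# Standard NetFlow v9 field types used by the constructed template.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]


def build_packet(records, include_template=True, template_id=256, source_id=1, seq=1):
    """Construct a v9 export packet: header, optional template FlowSet (id 0)
    and one data FlowSet whose id is the template id it was encoded with."""
    sets = b""
    if include_template:
        body = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
        body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
        sets += struct.pack("!HH", 0, 4 + len(body)) + body
    data = b""
    for r in records:
        data += ipaddress.IPv4Address(r["src"]).packed
        data += ipaddress.IPv4Address(r["dst"]).packed
        data += struct.pack("!HHBII", r["sport"], r["dport"], r["proto"], r["bytes"], r["pkts"])
    data += b"\x00" * ((-len(data)) % 4)  # FlowSets are padded to a 32-bit boundary
    sets += struct.pack("!HH", template_id, 4 + len(data)) + data
    count = len(records) + (1 if include_template else 0)  # header count covers templates too
    header = struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, source_id)
    return header + sets


class NetflowV9Decoder:
    """Collector-side state: templates keyed by (source_id, template_id).
    A real collector also keys on the exporter's address, which is what
    the sensor's "sender IP" setting pins down."""

    def __init__(self):
        self.templates = {}

    def decode(self, packet):
        if len(packet) < 20:
            raise ValueError("packet shorter than the 20-byte v9 header")
        version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"expected NetFlow v9, got version {version}")
        flows, offset = [], 20
        while offset + 4 <= len(packet):
            set_id, set_len = struct.unpack("!HH", packet[offset:offset + 4])
            if set_len < 4 or offset + set_len > len(packet):
                raise ValueError("FlowSet length runs past the end of the packet")
            body = packet[offset + 4:offset + set_len]
            if set_id == 0:
                self._learn_templates(source_id, body)
            elif set_id >= 256:  # 1 = options template, 2-255 reserved: ignored here
                flows.extend(self._decode_data(source_id, set_id, body))
            offset += set_len
        return {"sequence": seq, "source_id": source_id, "flows": flows}

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            if tid < 256:  # zero padding, not another template
                break
            pos += 4
            fields = [struct.unpack("!HH", body[p:p + 4]) for p in range(pos, pos + 4 * nfields, 4)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        rec_len = sum(flen for _, flen in fields) if fields else 0
        if rec_len == 0:
            return []  # template unknown: drop until the exporter re-sends its templates
        records, pos = [], 0
        while pos + rec_len <= len(body):  # a tail shorter than one record is padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (8, 12) and flen == 4:
                    rec[name] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
            records.append(rec)
        return records


SAMPLE_FLOWS = [  # constructed sample records, documentation-range addresses
    {"src": "10.0.0.5", "dst": "198.51.100.7", "sport": 51514, "dport": 443, "proto": 6, "bytes": 4321, "pkts": 12},
    {"src": "10.0.0.9", "dst": "192.0.2.53", "sport": 40001, "dport": 53, "proto": 17, "bytes": 86, "pkts": 1},
]

if __name__ == "__main__":
    dec = NetflowV9Decoder()
    print(dec.decode(build_packet(SAMPLE_FLOWS, include_template=False))["flows"])  # template not yet seen
    for flow in dec.decode(build_packet(SAMPLE_FLOWS))["flows"]:
        print(flow)
```

The first call returns no flows because the data FlowSet arrived before its template, which is exactly what happens to a new sensor until the ASA's periodic template refresh comes round. The template cache is also the reason the sender IP setting matters: NetFlow is unauthenticated UDP, so a collector that accepts templates and records from any address can be fed bogus flow data, and it should only listen to the firewall's exporting interface.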
It's pretty quick to start getting good information out of your firewalls using NetFlow and PRTG.
There are a number of NetFlow systems out there; if you are comfortable with Linux, there are free ones available.
NetFlow is a very powerful, and potentially cheap, way to build a fully fledged network monitoring system.
