IBM Support

QRadar: Cisco ASA Netflow NSEL - Byte & Packet counts blank

Question & Answer


Question

Why are the byte counts blank when looking at Cisco ASA flow data in the Network Activity Screen?
 

Answer

For QRadar 7.3.1 Patch 7 and later versions

QRadar supports Cisco ASA byte and packet counter fields specified as Information Elements 231 (initiatorOctets) and 232 (responderOctets) provided that the Cisco ASA appliance is version 8.4(5) or later. Administrators who are experiencing issues with blank byte or packet counts should ensure that their QRadar version is installed with QRadar 7.3.1.20181123182336 or later.

  • To locate release notes for all QRadar software versions, see https://ibm.biz/qradarsoftware.
  • If you already have QRadar 7.3.1.20181123182336 installed, but continue to see blank byte or packet counts, contact QRadar Support.


For QRadar 7.3.1 Patch 6 and earlier versions

Cisco ASA NSEL is a flow-format representation of ASA firewall events. Cisco does not provide separate source and destination byte counts in these flow records, only a total byte count. Because the flow carries no record of inbound versus outbound bytes, QRadar cannot populate those fields. Unless Cisco changes the flow record format, QRadar is unable to show these flow statistics. The Cisco document http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html lists the fields exported by the ASA (note that field 87 is total bytes; there are no fields representing source or destination bytes as found in regular NetFlow records).

QRadar has released a Cisco ASA NSEL protocol; however, it is intended to convert the flow stream back into events (as an alternative to the ASA sending syslog).

A common question QRadar Support receives about Cisco ASA devices that send "netflow" records stems from the fact that the messages sent by the ASA are actually firewall event messages, not the flow statistics records that routers commonly send via NetFlow. Most users switch the ASA data feed from a NetFlow stream to a syslog stream instead, which causes the events to show up in the "Log Activity" tab.

That said, even though they are not flow statistics records, they should still show up as flows in the Network Activity tab, but with no byte or packet counts. If they do not show up at all, verify that you are using the NetFlow v9 format. QRadar requires that NetFlow v9 template records be sent along in the NetFlow stream; if they are not sent, qflow cannot decode the data records.

NOTE: For Cisco ASA NSEL NetFlow v9 records to display on the Network Activity tab of QRadar products, the template record must be sent at least every 10 minutes. If the template records are sent at an interval longer than 10 minutes, display issues will occur.


If you are experiencing issues with blank byte and packet values, the workaround is to configure the device to send in a different format, for example v5, or to configure it to send template records more often. However, as mentioned above, these are actually event messages and should be sent to QRadar via syslog so that they show up in the event pipeline instead; then identify a router as the source of flow session statistics and send that data in a NetFlow stream.


Verifying template issues

To verify template issues, you can capture a few hundred packets from your QRadar appliance. On the QRadar appliance that receives NetFlow data, type the following command:

tcpdump -nnAs0 -w netflow.sample.pcap -c 1000 -i eth0 host [Cisco ASA IP address] and port [netflow port used]

After the command has run, a sample file named 'netflow.sample.pcap' is written to the QRadar appliance. You can scp the file from your QRadar system to your desktop or any Windows host and open the .pcap file in Wireshark. In Wireshark, right-click one of the packets, choose "Decode As", and select "CFLOW" in the right-hand list. If the NetFlow template is not being sent, you will see the message "template not available" in the packet details in Wireshark.
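Checking an export for these template problems programmatically, as an added example that is not part of this IBM article and not a QRadar tool: the script below implements a minimal NetFlow v9 parser (header and FlowSet layout per RFC 3954) and replays a sequence of UDP payloads in capture order. It reports whether template FlowSets (ID 0) were received at all, the longest gap between template refreshes measured against the 10-minute limit stated above, any data FlowSet that arrived before its template (the condition Wireshark labels "template not available"), and whether the templates carry Information Elements 231 and 232, the initiator/responder byte counters that the QRadar 7.3.1 Patch 7 section relies on. It works on raw v9 payloads, so extracting the UDP payloads from netflow.sample.pcap (for example with tshark or a pcap library) is assumed and not shown; the sample exports at the bottom are constructed inside the script, not captured from an ASA.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 export packet layout (RFC 3954): a 20-byte header followed by FlowSets.
HEADER_FMT = "!HHIIII"           # version, count, sysUptime, unixSecs, sequence, sourceId
TEMPLATE_FLOWSET_ID = 0          # FlowSet ID 0 carries template records
TEMPLATE_INTERVAL_LIMIT_S = 600  # QRadar needs a template refresh at least every 10 minutes
IE_INITIATOR_OCTETS = 231        # byte counters QRadar 7.3.1 Patch 7+ reads from ASA 8.4(5)+
IE_RESPONDER_OCTETS = 232


def parse_v9(payload: bytes) -> dict:
    """Parse one v9 export packet: header, template definitions, and the IDs of data FlowSets."""
    if len(payload) < 20:
        raise ValueError("payload shorter than a v9 header")
    version, _count, _uptime, unix_secs, _seq, source_id = struct.unpack(HEADER_FMT, payload[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    data_flowsets: List[int] = []
    off = 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {off}")
        body = payload[off + 4:off + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            p = 0
            while p + 4 <= len(body):
                tid, fcount = struct.unpack("!HH", body[p:p + 4])
                if fcount == 0:          # trailing padding, not a template
                    break
                p += 4
                # each field spec is (field type, field length), 2 bytes each
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(fcount)]
                p += 4 * fcount
        elif fs_id >= 256:               # data FlowSet; its ID names the template that decodes it
            data_flowsets.append(fs_id)
        # FlowSet ID 1 (options templates) is not needed for this check and is skipped
        off += fs_len
    return {"unix_secs": unix_secs, "source_id": source_id,
            "templates": templates, "data_flowsets": data_flowsets}


def audit_export(payloads: List[bytes]) -> dict:
    """Replay v9 payloads in capture order and report the conditions described in the article:
    no template at all, template refreshes further apart than 10 minutes, data FlowSets whose
    template was never received ("template not available"), and whether IE 231/232 are present."""
    known: Dict[int, List[Tuple[int, int]]] = {}
    template_times: List[int] = []
    unresolved: List[Tuple[int, int]] = []
    for pkt in payloads:
        p = parse_v9(pkt)
        if p["templates"]:
            template_times.append(p["unix_secs"])
            known.update(p["templates"])
        unresolved += [(p["unix_secs"], fs) for fs in p["data_flowsets"] if fs not in known]
    gaps = [b - a for a, b in zip(template_times, template_times[1:])]
    max_gap = max(gaps) if gaps else None
    ie_types = {ftype for fields in known.values() for ftype, _ in fields}
    return {
        "templates_received": bool(known),
        "max_template_gap_s": max_gap,
        "template_interval_ok": max_gap is not None and max_gap <= TEMPLATE_INTERVAL_LIMIT_S,
        "unresolved_data_flowsets": unresolved,
        "has_initiator_responder_octets": {IE_INITIATOR_OCTETS, IE_RESPONDER_OCTETS} <= ie_types,
    }


# --- Constructed sample exports (built here, not captured from a real ASA) -------------------
def build_v9(unix_secs: int, flowsets: List[bytes], seq: int) -> bytes:
    hdr = struct.pack(HEADER_FMT, 9, len(flowsets), unix_secs * 1000, unix_secs, seq, 1)
    return hdr + b"".join(flowsets)


def template_flowset(tid: int, fields: List[Tuple[int, int]]) -> bytes:
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body


def data_flowset(tid: int, record: bytes) -> bytes:
    pad = b"\x00" * (-len(record) % 4)   # exporters keep FlowSets 4-byte aligned
    return struct.pack("!HH", tid, 4 + len(record) + len(pad)) + record + pad


# src/dst IPv4 (8, 12), L4 ports (7, 11), protocol (4), then the two byte counters
NSEL_WITH_OCTETS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (IE_INITIATOR_OCTETS, 8), (IE_RESPONDER_OCTETS, 8)]
NSEL_NO_OCTETS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]   # no per-direction byte counter at all


def constructed_good_export() -> List[bytes]:
    rec = struct.pack("!4s4sHHBQQ", bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), 51000, 443, 6, 1500, 64000)
    return [build_v9(1000, [template_flowset(256, NSEL_WITH_OCTETS)], 1),
            build_v9(1010, [data_flowset(256, rec)], 2),
            build_v9(1500, [template_flowset(256, NSEL_WITH_OCTETS)], 3)]   # refresh after 500 s


def constructed_bad_export() -> List[bytes]:
    rec = struct.pack("!4s4sHHB", bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), 51000, 443, 6)
    return [build_v9(2000, [template_flowset(257, NSEL_NO_OCTETS)], 1),
            build_v9(2100, [data_flowset(258, rec)], 2),                    # template 258 never sent
            build_v9(3300, [template_flowset(257, NSEL_NO_OCTETS)], 3)]     # refresh after 1300 s > 600


if __name__ == "__main__":
    for name, export in (("good", constructed_good_export()), ("bad", constructed_bad_export())):
        print(name, audit_export(export))
```

On a real capture, an empty or stale template set together with unresolved data FlowSets points at the exporter's template interval (the "send template records more often" workaround above), while templates that decode fine but lack IE 231/232 point at the ASA version or the QRadar version gate described in the first answer section.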


 

Where do you find more information?

Product: IBM Security QRadar SIEM
Component: Flows
Platform: Linux
Version: Version Independent
Edition: All Editions

Historical Number

1574

Document Information

Modified date:
30 August 2019

UID

swg21626095