Question & Answer
Question
Answer
For QRadar 7.3.1 Patch 7 and later versions
- To locate release notes for all QRadar software versions, see https://ibm.biz/qradarsoftware.
- If you already have QRadar 7.3.1.20181123182336 installed, but continue to see blank byte or packet counts, contact QRadar Support.
For QRadar 7.3.1 Patch 6 and earlier versions
QRadar has released a Cisco ASA NSEL protocol; however, this protocol is intended to convert the flow stream back into events (as an alternative to sending syslog).
A common point of confusion QRadar Support sees with Cisco ASA devices sending "netflow" records is that the messages the ASA sends are actually firewall event messages, not the flow statistics records that routers commonly export via NetFlow. Most users switch the ASA data feed from a NetFlow stream to a syslog stream instead, which causes the events to show up in the "Log Activity" tab.
That said, even though they are not flow statistics records, they should show up as flows in the Network activity tab, but they will have no byte or packet counts. If they do not show up, then verify you are using a netflow v9 format. QRadar requires that netflow v9 template records be sent along in the netflow stream, and if they are not sent, qflow will not be able to decode them.
NOTE: In order for Cisco ASA NSEL netflow v9 to display records on Network Activity tab for QRadar products the template record needs to be sent every 10 minutes. If the NetFlow records are sent on a longer interval than 10 minutes, it will cause display issues.
If you are experiencing issues with blank byte and packet values, the workaround is to configure the device to send a different format, i.e. v5, or to configure it to send template records more often. However, as mentioned above, these records are actually event messages, which should be sent to QRadar via syslog so that they show up in the event pipeline instead; a router should then be identified as the source of flow session statistics and send those in a NetFlow stream instead.
Verifying template issues
To verify template issues, you can capture a few hundred packets from your QRadar appliance. On the QRadar appliance that receives NetFlow data, type the following command:
tcpdump -nnAs0 -w netflow.sample.pcap -c 1000 -i eth0 host [Cisco ASA IP address] and port [netflow port used]
After the command is run, a sample file named 'netflow.sample.pcap' is written to the QRadar appliance. You can scp the file from your QRadar system to your desktop or any Windows host and open the .pcap file in Wireshark. In Wireshark, right-click one of the packets, choose "Decode As", and select "CFLOW" from the right-hand list. If the NetFlow template is not being sent, you will see the message "template not available" in the packet details in Wireshark.
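The same template check can be scripted. The following is an added example, not part of this technote and not IBM or QRadar code: it parses constructed NetFlow v9 export packets (the UDP payloads you would pull out of a capture like the one above), reports data FlowSets whose template has not been seen (the condition Wireshark shows as "template not available"), and flags template refresh gaps longer than the 10-minute interval mentioned above. The packet builder, field types and timestamps are assumptions made up for the demonstration.

```python
import struct

# NetFlow v9 export header: version, count, sysUptime, unixSecs, seqNum, sourceId (RFC 3954)
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9(payload):
    """Yield (flowset_id, body_bytes) for each FlowSet in one NetFlow v9 packet."""
    version = V9_HEADER.unpack_from(payload, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    off = V9_HEADER.size
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        yield fs_id, payload[off + 4:off + fs_len]
        off += fs_len

def template_ids(body):
    """Template IDs defined in a Template FlowSet body (FlowSet ID 0)."""
    ids, off = [], 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        ids.append(tid)
        off += 4 + 4 * nfields          # each field spec is type(2) + length(2)
    return ids

def audit(packets, max_gap=600):
    """packets: list of (unix_time, udp_payload). Returns templates seen, data
    FlowSets with no known template (orphans), and template gaps over max_gap seconds."""
    known, orphans, gaps, last_template = set(), [], [], None
    for ts, payload in packets:
        for fs_id, body in parse_v9(payload):
            if fs_id == 0:
                known.update(template_ids(body))
                if last_template is not None and ts - last_template > max_gap:
                    gaps.append((last_template, ts))
                last_template = ts
            elif fs_id >= 256 and fs_id not in known:   # data FlowSet, template unknown
                orphans.append((ts, fs_id))
    return {"templates": sorted(known), "orphans": orphans, "gaps": gaps}

def v9_packet(*flowsets, seq=1):
    """Constructed test helper: build one v9 packet from (flowset_id, body) pairs."""
    body = b"".join(struct.pack("!HH", fid, 4 + len(fs)) + fs for fid, fs in flowsets)
    return V9_HEADER.pack(9, len(flowsets), 0, 0, seq, 1) + body

# Constructed sample: template 256 = IPV4_SRC_ADDR(8,4) + IPV4_DST_ADDR(12,4)
TEMPLATE = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
SAMPLE = [
    (0, v9_packet((256, bytes(8)))),                    # data before any template
    (1, v9_packet((0, TEMPLATE))),                      # template arrives
    (2, v9_packet((256, bytes(8)), (257, bytes(8)))),   # 256 decodes, 257 never defined
    (900, v9_packet((0, TEMPLATE))),                    # template resent after 899 s
]
```

Running audit(SAMPLE) reports template 256 known, orphans at t=0 (ID 256) and t=2 (ID 257), and one template gap from t=1 to t=900.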
Historical Number
1574
Document Information
Modified date:
30 August 2019
UID
swg21626095