Solved: Re: v7.x Netflow to remote collector ?

ida71 · ‎12-21-2023

I have a bunch of FTD's around the globe all managed by FMC, they are v7.x code.

The ones local to the Netflow collector (as in same subnet address range) work as expected, the ones in remote locations don't.

The ASA's they replaced used to send Netflow via the connect VPN from an inside IP, but the FTD does not appear to generate any output. I can't find any info on the Cisco Netflow configuration documentation to indicate if this is possible or how to configure it.

Anyone managed to do this ?

Thanks for any input.

MHM Cisco World · ‎12-21-2023

You need to use flexconfig to forward traffic to netflow destiantion.

https://www.google.com/search?q=ftd+config.for+stealthwatch&client=ms-android-samsung-gj-rev1&sca_esv=592829625&tbm=vid&prmd=visn&source=lnms&sa=X&ved=2ahUKEwi4rqvi3aCDAxUycvEDHdsYAykQ_AUoAXoECAIQAQ&biw=327&bih=556&dpr=2.2#fpstate=ive&vld=cid:34b8f99...

Check this video how you can config interface to send flow to specific destination.

MHM

View solution in original post

balaji.bandi · ‎12-21-2023

check below guide :

https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/netflow/216126-configure-netflow-secure-event-logging-o.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ida71 · ‎12-21-2023

Yeah found that already & followed it, no mention of remote collector & it does not work for remote FTD's. Config accepted & deployed, but zero traffic seen at collector. Works great for FTD's where the collector is accessible via the same subnet that FTD has an interface in.

Have you configured any FTD's to use a remote collector !?

The only way that guide would work, would be to use the outside interface & send via raw internet to a NAT local to the collector !

MHM Cisco World · ‎12-21-2023

Local to one FTD is work prefect' remote no.

Did you allow traffic from remote to Netflow collectors which is behind localFTD?

MHM

ida71 · ‎12-21-2023

Yes allowed remote FTD selected interface to the collector.

Had the same issue with SNMP, so had to update to SNMP v3 to the external management address, as the previous v2 used via VPN from ASA's would not work with FTD.

I'll raise an assistance ticket with TAC in the new year if no one has an answer by then.

MHM Cisco World · ‎12-21-2023

So the source is mgmt interface not outside interface?

MHM

balaji.bandi · ‎12-21-2023

how is the path to go to remote collector ?

what interface it uses (outside right ?)

if this is managed FMC, have a look on events see anything dropping.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ida71 · ‎12-21-2023

No Management (as in Out of Band) is used for SNMP v3. NetFlow is an inside interface, as it was in ASA's but traffic not seen. Setup for all FTD's is 1x Internet Outside, 1x Management OoB, 1x Port-channel supporting multiple Inside sub interfaces. ASA's they replace were the same but without the Management OoB. So SNMP v2 & Netflow was configured on an Inside interface & traversed the intersite VPN to reach the SNMP sever & Netflow collector. On working FTD where collector is in same Inside interface subnet it works, everywhere else it fails.

MHM Cisco World · ‎12-21-2023

You need to use flexconfig to forward traffic to netflow destiantion.

https://www.google.com/search?q=ftd+config.for+stealthwatch&client=ms-android-samsung-gj-rev1&sca_esv=592829625&tbm=vid&prmd=visn&source=lnms&sa=X&ved=2ahUKEwi4rqvi3aCDAxUycvEDHdsYAykQ_AUoAXoECAIQAQ&biw=327&bih=556&dpr=2.2#fpstate=ive&vld=cid:34b8f99...

Check this video how you can config interface to send flow to specific destination.

MHM

ida71 · ‎12-21-2023

I stripped content & applied Global System Defined variables, rather than my Leaf level copies & it sprung to life.

The Cli config is the same, but obviously needed something from the "GET" variables, that did not survive the copy. Will try a few more & see what it says.

FYi- You don't need to configure the Diagnostic interface, as that would not have helped me anyway.

Marvin Rhoads · ‎12-21-2023

FYI, version 7.4.1 software finally moves Netflow from a Flexconfig-based setup to a native GUI configuration.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/interfaces-settings-platform.html

ida71 · ‎12-22-2023

So update, is that it works as above on the v7.2.5 newest FTD's deployed, but same setup fails on v7.0.5 which is where I was previously attempting to do this, so I guess it will kick in as I upgrade the v7.0.5 units to v7.2.5.

Marvin thanks for the news, its about time. I'm still stunned that FTD, does not have push/pull config with FMC, like every other vendor & no effective CLi access, so relying on Flexconfig is crazy.

I got all excited after getting this working & tried to use same process to add our additional collector, it failed, but somehow managed to knock out our VPN from one location, but not the other. It's this inconsistent nature that worries me about FMC/FTD management.

So be careful !