Handling NSEL Events
The following table shows how the Secure Firewall connector handles each NSEL event. For more information about these elements, see the IP Flow Information Export (IPFIX) Entities document.
| Flow Event (Element ID 233, NF_F_FW_EVENT) | Extended Flow Event (Element ID 33002, NF_F_FW_EXT_EVENT) | Action on Secure Firewall connector |
|---|---|---|
| 0 (default, ignore this value) | Don’t care | No op |
| 1 (Flow created) | Don’t care | Send flow to Secure Workload |
| 2 (Flow deleted) | > 2000 (indicates the termination reason) | Send flow to Secure Workload |
| 3 (Flow denied) | 1001 (denied by ingress ACL) | Send flow with disposition marked as rejected to Secure Workload |
| 3 (Flow denied) | 1002 (denied by egress ACL) | Send flow with disposition marked as rejected to Secure Workload |
| 3 (Flow denied) | 1003 (denied connection by ASA interface or denied ICMP(v6) to device) | Send flow with disposition marked as rejected to Secure Workload |
| 3 (Flow denied) | 1004 (first packet on TCP is not SYN) | Send flow with disposition marked as rejected to Secure Workload |
| 4 (Flow alert) | Don’t care | No op |
| 5 (Flow updated) | Don’t care | Send flow to Secure Workload |
Based on the NSEL record, the Secure Firewall connector sends a flow observation to Secure Workload. NSEL flow records are bidirectional, so the connector sends two flows to Secure Workload: a forward flow and a reverse flow.
The following tables show the fields of each flow observation and the NSEL element each field is taken from.
Forward Flow observation
| Field | NSEL Element ID | NSEL Element Name |
|---|---|---|
| Protocol | 4 | NF_F_PROTOCOL |
| Source Address (IPv4) | 8 | NF_F_SRC_ADDR_IPV4 |
| Source Address (IPv6) | 27 | NF_F_SRC_ADDR_IPV6 |
| Source Port | 7 | NF_F_SRC_PORT |
| Destination Address (IPv4) | 12 | NF_F_DST_ADDR_IPV4 |
| Destination Address (IPv6) | 28 | NF_F_DST_ADDR_IPV6 |
| Destination Port | 11 | NF_F_DST_PORT |
| Flow Start Time | 152 | NF_F_FLOW_CREATE_TIME_MSEC |
| Byte Count | 231 | NF_F_FWD_FLOW_DELTA_BYTES |
| Packet Count | 298 | NF_F_FWD_FLOW_DELTA_PACKETS |
Reverse Flow observation
| Field | NSEL Element ID | NSEL Element Name |
|---|---|---|
| Protocol | 4 | NF_F_PROTOCOL |
| Source Address (IPv4) | 12 | NF_F_DST_ADDR_IPV4 |
| Source Address (IPv6) | 28 | NF_F_DST_ADDR_IPV6 |
| Source Port | 11 | NF_F_DST_PORT |
| Destination Address (IPv4) | 8 | NF_F_SRC_ADDR_IPV4 |
| Destination Address (IPv6) | 27 | NF_F_SRC_ADDR_IPV6 |
| Destination Port | 7 | NF_F_SRC_PORT |
| Flow Start Time | 152 | NF_F_FLOW_CREATE_TIME_MSEC |
| Byte Count | 232 | NF_F_REV_FLOW_DELTA_BYTES |
| Packet Count | 299 | NF_F_REV_FLOW_DELTA_PACKETS |
NAT
If the client-to-ASA flow is NATed, the NSEL flow record also carries the translated (NATed) IP address and port as seen on the server side. The Secure Firewall connector uses this information to stitch the server-to-ASA and ASA-to-client flows together.
Here is the NATed flow record in the forward direction.
| Field | NSEL Element ID | NSEL Element Name |
|---|---|---|
| Protocol | 4 | NF_F_PROTOCOL |
| Source Address (IPv4) | 225 | NF_F_XLATE_SRC_ADDR_IPV4 |
| Source Address (IPv6) | 281 | NF_F_XLATE_SRC_ADDR_IPV6 |
| Source Port | 227 | NF_F_XLATE_SRC_PORT |
| Destination Address (IPv4) | 226 | NF_F_XLATE_DST_ADDR_IPV4 |
| Destination Address (IPv6) | 282 | NF_F_XLATE_DST_ADDR_IPV6 |
| Destination Port | 228 | NF_F_XLATE_DST_PORT |
| Flow Start Time | 152 | NF_F_FLOW_CREATE_TIME_MSEC |
| Byte Count | 231 | NF_F_FWD_FLOW_DELTA_BYTES |
| Packet Count | 298 | NF_F_FWD_FLOW_DELTA_PACKETS |
The forward flow is marked as related to the NATed flow record in the forward direction (and vice versa).
Here is the NATed flow record in the reverse direction.
| Field | NSEL Element ID | NSEL Element Name |
|---|---|---|
| Protocol | 4 | NF_F_PROTOCOL |
| Source Address (IPv4) | 226 | NF_F_XLATE_DST_ADDR_IPV4 |
| Source Address (IPv6) | 282 | NF_F_XLATE_DST_ADDR_IPV6 |
| Source Port | 228 | NF_F_XLATE_DST_PORT |
| Destination Address (IPv4) | 225 | NF_F_XLATE_SRC_ADDR_IPV4 |
| Destination Address (IPv6) | 281 | NF_F_XLATE_SRC_ADDR_IPV6 |
| Destination Port | 227 | NF_F_XLATE_SRC_PORT |
| Flow Start Time | 152 | NF_F_FLOW_CREATE_TIME_MSEC |
| Byte Count | 232 | NF_F_REV_FLOW_DELTA_BYTES |
| Packet Count | 299 | NF_F_REV_FLOW_DELTA_PACKETS |
The reverse flow is marked as related to the NATed flow record in the reverse direction (and vice versa).
Note: Only the NSEL element IDs listed in this section are supported by the Secure Firewall connector.
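The following is an added example, not the Secure Firewall connector's own code, that puts the event table, the forward/reverse field mappings and the NAT section above into one function: it decides per NF_F_FW_EVENT whether a record is sent, builds the forward and reverse observations by swapping source and destination and switching from the FWD_ to the REV_ delta counters, marks denied flows as rejected, and, for NATed records, emits the translated copies cross-linked with their untranslated twins. Assumptions made here for illustration: a decoded record is a Python dict keyed by NSEL element ID (how the connector actually represents records is not stated on this page), a record is treated as NATed when the xlate elements are present and differ from the untranslated 5-tuple, the FlowObservation schema is invented, and the two sample records are constructed rather than captured from a device.

```python
"""Added example: turn decoded NSEL records into the flow observations described
above. This is not the Secure Firewall connector's own code. Assumptions: a
decoded record is a dict keyed by NSEL element ID, and a record counts as NATed
when the xlate elements are present and differ from the untranslated 5-tuple."""
from dataclasses import dataclass, field
from typing import Optional

# NSEL element IDs used in this section (see the IPFIX Entities document).
NF_F_PROTOCOL = 4
NF_F_SRC_PORT, NF_F_SRC_ADDR_IPV4, NF_F_DST_PORT, NF_F_DST_ADDR_IPV4 = 7, 8, 11, 12
NF_F_SRC_ADDR_IPV6, NF_F_DST_ADDR_IPV6 = 27, 28
NF_F_FLOW_CREATE_TIME_MSEC = 152
NF_F_XLATE_SRC_ADDR_IPV4, NF_F_XLATE_DST_ADDR_IPV4 = 225, 226
NF_F_XLATE_SRC_PORT, NF_F_XLATE_DST_PORT = 227, 228
NF_F_FWD_FLOW_DELTA_BYTES, NF_F_REV_FLOW_DELTA_BYTES = 231, 232
NF_F_FW_EVENT, NF_F_FW_EXT_EVENT = 233, 33002
NF_F_XLATE_SRC_ADDR_IPV6, NF_F_XLATE_DST_ADDR_IPV6 = 281, 282
NF_F_FWD_FLOW_DELTA_PACKETS, NF_F_REV_FLOW_DELTA_PACKETS = 298, 299

FLOW_CREATED, FLOW_DELETED, FLOW_DENIED, FLOW_ALERT, FLOW_UPDATED = 1, 2, 3, 4, 5
DENY_REASONS = {1001: "denied by ingress ACL", 1002: "denied by egress ACL",
                1003: "denied by ASA interface or ICMP(v6) to device",
                1004: "first packet on TCP is not SYN"}

# (src_v4, src_v6, sport, dst_v4, dst_v6, dport) for the two address sets.
ORIGINAL_IDS = (NF_F_SRC_ADDR_IPV4, NF_F_SRC_ADDR_IPV6, NF_F_SRC_PORT,
                NF_F_DST_ADDR_IPV4, NF_F_DST_ADDR_IPV6, NF_F_DST_PORT)
XLATE_IDS = (NF_F_XLATE_SRC_ADDR_IPV4, NF_F_XLATE_SRC_ADDR_IPV6, NF_F_XLATE_SRC_PORT,
             NF_F_XLATE_DST_ADDR_IPV4, NF_F_XLATE_DST_ADDR_IPV6, NF_F_XLATE_DST_PORT)


@dataclass
class FlowObservation:               # invented schema for this example
    direction: str                   # "forward" or "reverse"
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    start_ms: int
    bytes: int
    packets: int
    disposition: str = "allowed"     # "rejected" for Flow denied events
    nated: bool = False              # True for the translated (xlate) copy
    reason: Optional[str] = None     # deny or termination reason from the ext event
    # Untranslated <-> NATed counterpart; kept out of repr/eq to avoid recursion.
    related: Optional["FlowObservation"] = field(default=None, repr=False, compare=False)


def _addr(rec, v4_id, v6_id):
    """An address arrives under its IPv4 element ID or its IPv6 one."""
    return rec[v4_id] if v4_id in rec else rec[v6_id]


def _pair(rec, ids, disposition, nated, reason):
    """Forward and reverse observations from one address set; the reverse
    flow swaps src/dst and reads the REV_ delta counters."""
    src_v4, src_v6, sport, dst_v4, dst_v6, dport = ids
    src, dst = _addr(rec, src_v4, src_v6), _addr(rec, dst_v4, dst_v6)
    common = dict(proto=rec[NF_F_PROTOCOL], start_ms=rec[NF_F_FLOW_CREATE_TIME_MSEC],
                  disposition=disposition, nated=nated, reason=reason)
    fwd = FlowObservation("forward", src=src, sport=rec[sport], dst=dst, dport=rec[dport],
                          bytes=rec.get(NF_F_FWD_FLOW_DELTA_BYTES, 0),
                          packets=rec.get(NF_F_FWD_FLOW_DELTA_PACKETS, 0), **common)
    rev = FlowObservation("reverse", src=dst, sport=rec[dport], dst=src, dport=rec[sport],
                          bytes=rec.get(NF_F_REV_FLOW_DELTA_BYTES, 0),
                          packets=rec.get(NF_F_REV_FLOW_DELTA_PACKETS, 0), **common)
    return fwd, rev


def _is_nated(rec):
    """Assumption: NAT applies when xlate elements exist and differ from the original."""
    if not any(i in rec for i in XLATE_IDS):
        return False
    return [rec.get(i) for i in ORIGINAL_IDS] != [rec.get(i) for i in XLATE_IDS]


def handle_nsel_record(rec):
    """Apply the event table: return the observations to send (empty list = no op)."""
    event, ext = rec.get(NF_F_FW_EVENT, 0), rec.get(NF_F_FW_EXT_EVENT, 0)
    if event not in (FLOW_CREATED, FLOW_DELETED, FLOW_DENIED, FLOW_UPDATED):
        return []                                  # 0 (default) and 4 (Flow alert)
    disposition, reason = "allowed", None
    if event == FLOW_DENIED:
        disposition, reason = "rejected", DENY_REASONS.get(ext, f"denied ({ext})")
    elif event == FLOW_DELETED and ext > 2000:
        reason = f"terminated ({ext})"
    fwd, rev = _pair(rec, ORIGINAL_IDS, disposition, False, reason)
    obs = [fwd, rev]
    if _is_nated(rec):
        # Also emit the translated copies and cross-link each with its twin.
        nfwd, nrev = _pair(rec, XLATE_IDS, disposition, True, reason)
        fwd.related, nfwd.related = nfwd, fwd
        rev.related, nrev.related = nrev, rev
        obs += [nfwd, nrev]
    return obs


# Constructed sample records (not captured from a device): a NATed TCP session
# being deleted, and a connection denied by an ingress ACL.
SAMPLE_NAT_DELETE = {233: FLOW_DELETED, 33002: 2003, 4: 6, 152: 1700000000000,
                     8: "10.1.1.5", 7: 51234, 12: "198.51.100.20", 11: 443,
                     225: "203.0.113.7", 227: 40001, 226: "198.51.100.20", 228: 443,
                     231: 5120, 298: 12, 232: 40960, 299: 30}
SAMPLE_DENIED = {233: FLOW_DENIED, 33002: 1001, 4: 6, 152: 1700000000500,
                 8: "10.1.1.9", 7: 40200, 12: "198.51.100.20", 11: 22}

if __name__ == "__main__":
    for rec in (SAMPLE_NAT_DELETE, SAMPLE_DENIED, {233: FLOW_ALERT}):
        for o in handle_nsel_record(rec):
            print(o.direction, "nat" if o.nated else "orig", f"{o.src}:{o.sport}",
                  "->", f"{o.dst}:{o.dport}", o.disposition, o.reason)
```

Running the module prints four observations for the NATed deletion (forward and reverse, each with its translated twin), two rejected observations for the denied connection with no byte or packet counts, and nothing for the Flow alert record. A denied flow has no delta counters in the sample, which is why the counters are read with a default of 0 rather than indexed directly.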
TCP Flags Heuristics
NSEL records do not carry TCP flags. The Secure Firewall connector uses the following heuristics to set the TCP flags so that the flows can be further analyzed by automatic policy discovery:
- If there is at least one forward packet, add SYN to the forward flow TCP flags.
- If there are at least two forward packets and at least one reverse packet, add ACK to the forward flow TCP flags and SYN-ACK to the reverse flow TCP flags.
- If the previous condition holds and the flow event is Flow deleted, add FIN to both the forward and reverse flow TCP flags.
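The three rules above as an added example, not the connector's own code, written so that the result is a real TCP control-bit byte (RFC 793 FIN=0x01, SYN=0x02, ACK=0x10) rather than a list of names. The ordering matters: FIN is only added when the second rule already held, so a deleted flow with a single forward packet carries SYN alone. The restriction to protocol 6 is an assumption made here (the page only says the flags are set for TCP analysis); the sample flows in the main block are constructed.

```python
# Added example (not the Secure Firewall connector's own code): the TCP flags
# heuristic as RFC 793 control bits. Assumption: flags are only synthesized for
# TCP (protocol 6); every other protocol gets 0 in both directions.
FIN, SYN, ACK = 0x01, 0x02, 0x10   # RFC 793 control bits
FLOW_DELETED = 2                    # NF_F_FW_EVENT value for "Flow deleted"
TCP = 6


def heuristic_tcp_flags(proto, fwd_packets, rev_packets, fw_event):
    """Return (forward_flags, reverse_flags) derived from packet counts and event."""
    fwd = rev = 0
    if proto != TCP:
        return fwd, rev
    if fwd_packets >= 1:                        # rule 1: a forward packet implies SYN
        fwd |= SYN
    if fwd_packets >= 2 and rev_packets >= 1:   # rule 2: handshake completed
        fwd |= ACK
        rev |= SYN | ACK                        # SYN-ACK on the reverse flow
        if fw_event == FLOW_DELETED:            # rule 3: only when rule 2 held
            fwd |= FIN
            rev |= FIN
    return fwd, rev


def flags_to_str(flags):
    """Human-readable form, e.g. 'SYN|ACK'; '-' when no bits are set."""
    names = [(FIN, "FIN"), (SYN, "SYN"), (ACK, "ACK")]
    return "|".join(name for bit, name in names if flags & bit) or "-"


if __name__ == "__main__":
    # Constructed flows: (proto, fwd packets, rev packets, NF_F_FW_EVENT)
    samples = [(6, 1, 0, 1), (6, 2, 1, 5), (6, 2, 1, 2), (6, 1, 0, 2), (17, 5, 5, 2)]
    for proto, fp, rp, ev in samples:
        f, r = heuristic_tcp_flags(proto, fp, rp, ev)
        print(f"proto={proto} fwd={fp} rev={rp} event={ev}: "
              f"forward={flags_to_str(f)} reverse={flags_to_str(r)}")
```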