By Jim Crilly

High speed Internet connections are common these days, but how do you know if you have an appropriate amount and when a problem occurs how do you determine who or what is using all of your bandwidth?

That’s where SNMP and NetFlow come into play. SNMP is useful for getting overall statistics about bandwidth usage per-interface but it doesn’t give any insight into what kind of traffic is passing over the link. Knowing that you’re averaging 80% utilization on your 10Mb pipe is useful because it tells you that you’re not paying for a lot bandwidth that you’re not using and that you’re not under-provisioned.

The initial installation of PRTG on the Windows host is out of the scope of this article, but it’s a simple process. Just download the installer from http://www.paessler.com/prtg and walk through the installation wizard like any other Windows application.

Enabling SNMP on your ASA is pretty simple and you only need to know a few things ahead of time:

  • Access to an ASA running at least 8.2.1 with a privilege 15 account.
  • A Windows host on which to install PRTG.
  • A community string which should be treated similarly to a password.
  • An unused UDP port on the Windows server to receive the NetFlow data.

Once we have those we can enable SNMP and NetFlow on the ASA like so:

  1. Log into the ASA with an SSH client such as PuTTY or SecureCRT with a privileged account and enter configuration mode.
    • ciscoasa> enable
    • ciscoasa config t
    • ciscoasa(config)#
  2. From there we’ll use the snmp-server command to enable the SNMP server on the ASA and tell it from where to allow SNMP traffic. If you’ve renamed the inside interface or the monitoring host traffic will be coming from another interface, e.g. a DMZ, replace the word inside with the proper interface name.
    • ciscoasa(config)# snmp-server community
    • ciscoasa(config)# snmp-server host inside community version 2c
  3. From the same prompt we can enable NetFlow as well and exit config mode.
    • ciscoasa(config)# flow-export destination inside
    • ciscoasa(config)# exit
  4. Now we can add the device to PRTG by logging into PRTG with any web browser and clicking Add Device under the Devices menu on the top left to start the Add Device wizard:
    PRTG 1
  5. For this example I already have a group called Firewalls and will add the device to that.
  6. The first half of the next step asks for basic information such as the name of the device within PRTG, its IP address and lets you select an icon to represent the device within PRTG:
    Add Device to Group Firewalls
  7. The second half of that step lets you select the discovery method and credentials used to access the device. In this case we’ll do a manual discovery, the automatic methods can create a significant number of sensors and the free version is limited to 10. By default the device will inherit all of the credentials from its parent but you can override that by unchecking the inherit box and entering them here.
    Add Sensor Filtering
  8. Because no discovery is done you will now have a blank device with no sensors so we’ll need to create one. From the Overview screen you can either click the Add Sensor link or right-click on the device and hit Add Sensor from the context menu.
    Overview Screen
  9. The Add Sensor screen shows a list of all available sensors with the ability to filter them by either entering some text or clicking on a filter in the 3 columns.
    Add Sensor Screen
  10. Start typing ‘bandwidth’ into the search box and you should see 2 sensors, SNMP Traffic and Windows Network Card.
  11. Click Add This on the SNMP Traffic sensor and the sensor settings screen appears where you can select which interfaces to poll and any additional statistics that you would like polled and graphed as well. As soon as you click Continue the sensor will be added and PRTG will begin polling and graphing the data.

To add the NetFlow sensor repeat steps 8 through 11 but choose the Netflow V9 sensor this time around. In the Netflow V9 settings page you will specify the UDP port chosen above, the IP on which to listen and how the data will be grouped.

Both of those sensors will take a little time to collect enough data for the graphs to be useful. After about 30min you should be able to click on the Netflow sensor and get a nice dashboard with several graphs detailing the traffic passing through your ASA. From there you can drill down into the various views to get an idea of who is using your bandwidth with which protocols and to/from where.

Sensor Netflow

This data can be used to determine just how effectively your company’s bandwidth is being utilized. If you find a large portion of your traffic is being used for non-business related activity like heaving streaming audio/video, Facebook games, etc it may be worthwhile looking into a content filter such as a Barracuda device. Setting this up proactively can also be critical in tracking down malware infections that can monopolize bandwidth while it attempts to spread. Waiting until there’s already a problem means that you won’t have a baseline for comparison and will make tracking down the offending device that much more difficult.