NetFlow and other features are not supported due to Partial Lina Engine check if a Transparent FTD works as inline-pair

Available Languages

Download Options

  • PDF     (37.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (81.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (78.5 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 18, 2019
Document ID:214487

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes and helps to understand why NetFlow and other features will not work in a Firepower Threat Defense (FTD) in Transparent mode with inline-pair, and how to work around this.

    Contributed by Christian G. Hernandez R., Cisco TAC Engineer.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Firepower Management Center (FMC) basic configuration.

    • Cisco FTD basic configuration.
    • Cisco FMC flexconfig configuration.

    Components Used

    The information in this document is based on the software and hardware versions below:

    • Cisco FMC v6.3.0
    • Cisco FTD v6.3.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Problem: NetFlow and other features are not supported due to Partial Lina Engine check if a Transparent FTD works as inline-pair.

    Once NetFlow is configured and deployed on the system through Flex Config, NetFlow does not generate flows to the collector (flow-export destination) configured.

    flow-export destination Management 10.1.2.3 2055

class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
class class-default
  flow-export event-type flow-create destination 10.1.2.3
  flow-export event-type flow-denied destination 10.1.2.3
  flow-export event-type flow-teardown destination 10.1.2.3
  flow-export event-type flow-update destination 10.1.2.3
!
service-policy global_policy global

    As per the table below, this behavior is confirmed to be expected on the FTD due to limited Lina Engine Checks for certain features when the system is set in inline-pair mode. See details below:

    FTD interface mode

    FTD Deployment mode

    Description

    Traffic can be dropped

    Routed

    Routed

    Full LINA-engine and Snort-engine checks

    Yes

    Switched

    Transparent

    Full LINA-engine and Snort-engine checks

    Yes

    Inline Pair

    Routed or Transparent

    Partial LINA-engine and full Snort-engine checks

    Yes

    Inline Pair with Tap

    Routed or Transparent

    Partial LINA-engine and full Snort-engine checks

    No

    Passive

    Routed or Transparent

    Partial LINA-engine and full Snort-engine checks

    No

    Passive (ERSPAN)

    Routed

    Partial LINA-engine and full Snort-engine checks

    No

    https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html

    NetFlow is a feature that has been confirmed as unsupported when the FTD works in inline-pair mode.

    Note: The specific features not supported by the FTD, when it works in inline-pair mode, are unknown at this time, for this, the enhancement request was opened to ask the Cisco Firepower engineering team to help to confirm the known unsupported features in this mode:  CSCvo55596 DOC: FMC limitation section stating what features are supported/unsupported when FTD in inline-set.

    Workaround

    If your setup is as specified on this document, and requires NetFlow, the only known workaround is to leave the FTD in Transparent mode and set up BVI (Bridge Virtual Interface) interfaces instead. This workaround is based on the ENH opened to include the NetFlow feature functionality for inline-pair mode deployments:

    CSCvo55574     ENH: FTD unable to collect netflow data while configured in inline-pair mode.

    Related Bugs

    CSCvo55574     ENH: FTD unable to collect netflow data while configured in inline-pair mode.

    CSCvo55585     DOC: FMC limitation section for netflow support when configured in inline-pair mode.

    CSCvo55596     DOC: FMC limitation section stating what features are supported/unsupported when FTD in inline-set.

    TAC Authored

    Contributed by Cisco Engineers

    • Christian G Hernandez R
      Cisco TAC Engineer
    • Edited by Sergio Ceron
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products