Tuesday, 15 March 2016

Setting up NTOPNG with the Cisco ASA on CentOS 7

Firstly refer to the installation instructions provided below (I would recommend installing from the repository):
Add a new repo:

sudo vi /etc/yum.repos.d/ntop.repo

and add:

name=ntop packages
name=ntop packages

and then run a update yum:

yum update

and install the relevent packages:

yum install ntopng ntopng-data hiredis-devel nprobe

and start the redis service:

service start redis

We should firstly setup nprobe to start collecting the flows from our ASA - so we should run something like:

/usr/local/bin/nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055  

We can also run ntopng directly initially to test it:

/usr/bin/ntopng -i "tcp://" --local-networks="" --http-port=3000 -G var/tmp/ntopng.pid --disable-login --dns-mode=1 -U ntopng -w 3050 -W 3051

* Note: '-zmq' refers to the interface that ntopng will tap into to get the flow data when we set it up. *

Remember to add an exception in the firewall (with firewalld) e.g.

sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --reload 

We should then create a configuration file for NTOP:

sudo vi /etc/ntopng/ntopng.conf

and enter something like:

--packet-filter="ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net ( or and not host"
-c 9hoAtewwpC2tXRMJBfifrY24B

* Note: Refer to the stdout for any warnings! *

And then proceed by running ntopng:

sudo service ntopg start

And login with the default credentails - admin/admin.

Point your netflow device at the NTOP server (UDP/2055 by default.)

To enable the services to start on boot we can issue:

systemctl enable redis.service
systemctl enable ntopng.service

systemctl enable nprobe.service 


Post a Comment