CGN - Carrier Grade NAT
Internet providers have to implement some NAT solution due to the IPv4 address depletion to enable IPv6 transition. Due to the huge number of concurrent IP connections there is a hardware based solution available by Cisco, the CGSE and ASR1000. Other options to implement CGN are ASA firewalls. There are different technologies available like NAT 44, NAT 64, DS-lite, resulting in different reporting types.
There are strong requirements of storing the NAT events (e.g. IP addresses used by end customers) for reasons like data retention, law enforcement or carrier operation.
This is addressed by IsarFlow using a special module which provides CGN analyses. IsarFlow receives the logging data via Netflow v9 and provides multiple analyses. It supports NAT 44, NAT 64, DS-lite and NSEL.
The logging of events of building and maintaining such a NAT database has been done using syslog protocol in the past. Using syslog is no longer feasible due to the high amount of events at the very same time. Cisco implemented Netflow export instead of syslog, since this is much more efficient.
The data collector performance is optimized to support even highest event rates (even in cases of traffic bursts or failover) and to store the data optionally in a compressed format (this compress the data up to 10:1).
NSEL - Netflow Secure Event Logging
Similar to CGN a ASA firewall creates events events like permit, deny or teardown of a connection (depending on the firewall rules). These events are exported via netflow (again to handle the huge amount of events possible) and can be analysed in IsarFlow finally. There is a detailed drill down available.