Netflow Export

NetFlow is an industry standard for traffic monitoring. It is a network protocol developed by Cisco for collecting network traffic patterns and volume. It lets one host (the Exporter) send information about network flows to another host (the Collector). A network flow is a unidirectional stream of packets that share a set of characteristics.

You can configure Gaia as an Exporter of NetFlow records for all the traffic that is inspected by SecureXL. This includes Accelerated and Medium Path traffic, F2F traffic, and traffic dropped by Drop Templates.

For more information, see sk102041: NetFlow support by Gaia OS.

The Collector is supplied by a different vendor, and is configured separately.

NetFlow Export configuration is a list of collectors, to which the service sends records.

To enable NetFlow, configure at least one collector.
To disable NetFlow, make sure no collectors are configured.

You can configure up to three collectors. NetFlow records go to all configured collectors. If you configure three collectors, each record is sent three times.

Notes:

The IP addresses and TCP/UDP ports reported by NetFlow are the ones, on which it expects to receive traffic. Therefore, for NATed connections, one of the two directions of flow is reported with the NATed address.
If SecureXL is not enabled or not working, NetFlow packets are not sent.
NetFlow sends the connection records after the connections have terminated. If the system is idle or the connections are long lasting, you may have to wait to see NetFlow packets.

Flow Records

You can configure Gaia operating system to export flow records using NetFlow versions 5 or 9 (RFC 3954). Regardless of which export format you choose, Gaia operating system exports values for the following fields:

Source IP address
Destination IP address
Source port
Destination port
Ingress physical interface index (defined by SNMP)
Egress physical interface index (defined by SNMP)
Packet count for this flow
Byte count for this flow
Start of flow timestamp (FIRST_SWITCHED)
End of flow timestamp (LAST_SWITCHED)
IP protocol number
TCP flags from the flow (TCP only).

Configuring Netflow Export - Gaia Portal

To configure NetFlow export:

In the navigation tree, click Network Management > NetFlow Export.
Click Add.

Enter the required data for each collector:

Parameter	Description
IP address	The IPv4 address, to which NetFlow packets are sent. This is mandatory.
UDP port Number	The UDP port number, on which the collector is listening. This is mandatory. There is no default or standard port number for NetFlow.
Export format	The NetFlow protocol version to send: 5 or 9. Each has a different packet format. The default is 9.
Source IP address	Optional: The IPv4 address of the NetFlow packets source. This must be an IPv4 address of the local host. The default (which is recommended) is an IPv4 address from the network interface, on which the NetFlow traffic is going out.

Configuring Netflow Export - Gaia Clish

Description

Configure Netflow.

Syntax

To add a Netflow collector:

add netflow collector ip <IPv4 Address of Collector> port <Destination Port on Collector> [srcaddr <Source IPv4 Address> export-format {Netflow_V5 | Netflow_V9 | IPFIX}] enable

To change settings of a Netflow collector:

set netflow collector for-ip <IPv4 Address of Collector>

ip <IPv4 Address of Collector>

port <Destination Port on Collector>

srcaddr <Source IPv4 Address> export-format {Netflow_V5 | Netflow_V9 | IPFIX}

export-format {Netflow_V5 | Netflow_V9 | IPFIX}

enable

disable

To show a Netflow collector:

show netflow collector

show netflow collector<SPACE><TAB>

show netflow all
To delete a Netflow collector:

delete netflow collector for-ip <IPv4 Address of Collector> [for-port <Destination Port on Collector>]

Important - After you add, configure, or delete features, run the save config command to save the settings permanently.

Parameters

Parameter	Description
`ip` <IPv4 Address of Collector>	Specifies the IPv4 address of the NetFlow Collector, to which NetFlow packets are sent. This is mandatory.
`port` <Destination Port on Collector>	Specifies the UDP port number on the NetFlow Collector, on which the collector is listening. This is mandatory. There is no default or standard port number for NetFlow.
`srcaddr` <Source IPv4 Address>	Optional: Specifies the IPv4 address of the NetFlow packets source. This must be an IPv4 address that belongs to one of the local interfaces of the local host. The default (which is recommended) is an IPv4 address that belongs to the network interface that connects to the NetFlow Collector.
`export-format {Netflow_V5 \| Netflow_V9 \| IPFIX}`	The NetFlow protocol version to send: NetFlow v5, NetFlow v9, or IPFIX (known as "NetFlow v10"). Each has a different packet format. The default is NetFlow v9.
`for-ip` <IPv4 Address of Collector> `for-port` <Destination Port on Collector>	These parameters specify the configured NetFlow Collector. If you only have one collector configured, you do not need these parameters. If you have two or three collectors with different IP addresses, use `for-ip`. If you have two or three collectors with the same IP address and different UDP ports, you must use `for-ip` and `for-port` to identify the one you want to work on.

Monitoring NetFlow Configuration

To see NetFlow configuration:

show netflow all

show netflow collector for-ip <IPv4 Address of Collector> [for-port <Destination Port on Collector>]

export-format

srcaddr

show netflow collector for-ip <IPv4 Address of Collector>] port

show netflow collector ip