Print Download PDF Send Feedback

Previous

Next

Netflow Export

NetFlow is an industry standard for traffic monitoring. It is a network protocol developed by Cisco for collecting network traffic patterns and volume. It lets one host (the Exporter) send information about network flows to another host (the Collector). A network flow is a unidirectional stream of packets that share a set of characteristics.

You can configure Security Gateways and Cluster Members that run on Gaia Operating System as an Exporter of NetFlow records for all the traffic they inspect.

Note - The state of the SecureXL on a Security Gateway is irrelevant for NetFlow export.

The Collector is supplied by a different vendor, and is configured separately.

NetFlow Export configuration is a list of collectors, to which the service sends records:

You can configure up to three collectors. NetFlow records go to all configured collectors. If you configure three collectors, each record is sent three times.

Regardless of which NetFlow export format you choose, Gaia operating system exports values for the these fields:

Notes:

For more information, see sk102041: NetFlow support by Gaia OS.

Configuring Netflow Export - Gaia Portal

Workflow:

  1. In Gaia Portal, configure the applicable NetFlow settings.
  2. In SmartConsole, configure the explicit Access Control rule with Accounting and install the Access Control policy.

To configure NetFlow export in Gaia Portal:

Important - In a cluster, you must configure all members in the same way.

  1. In the left navigation tree, click Network Management > NetFlow Export.
  2. Click Add.
  3. Enter the required data for each collector:

    Parameter

    Description

    IP address

    The IPv4 address, to which NetFlow packets are sent.

    This is mandatory.

    UDP port Number

    The UDP port number, on which the collector is listening.

    This is mandatory.

    There is no default or standard port number for NetFlow.

    Export format

    The NetFlow protocol version to send:

    • Netflow_V5
    • Netflow_V9
    • IPFIX (known as "NetFlow v10")

    Each protocol version has a different packet format.

    The default is Netflow_V9.

    Source IP address

    Optional: The IPv4 address of the NetFlow packets source.

    This must be an IPv4 address of the local host.

    The default (which is recommended) is an IPv4 address from the network interface, on which the NetFlow traffic is going out.

To configure the explicit Access Control rule in SmartConsole:

  1. In the left navigation tree, click Security Policies.
  2. Open the applicable policy.
  3. In the top left corner, click Access Control > Policy.
  4. Add an explicit rule for the traffic that you wish to export with Netflow:

    Important - In the Track column, you must select Log and Accounting.

    Source

    Destination

    VPN

    Services & Applications

    Content

    Action

    Track

    Source
    Host or
    Network
    objects

    Destination
    Host or
    Network
    objects

    *Any

    Applicable
    service
    objects

    * Any

    Accept

    Log

    Accounting

  5. Publish the session.
  6. Install the Access Control policy on the Security Gateway or Cluster object.

Configuring Netflow Export - Gaia Clish

Workflow:

  1. In Gaia Clish, configure the applicable NetFlow settings.
  2. In SmartConsole, configure the explicit Access Control rule with Accounting and install the Access Control policy.

To configure NetFlow export in Gaia Clish:

Important - In a cluster, you must configure all members in the same way. After you add, configure, or delete features, run the save config command to save the settings permanently.

add netflow collector ip <IPv4 Address of Collector> port <Destination Port on Collector> [srcaddr <Source IPv4 Address> export-format {Netflow_V5 | Netflow_V9 | IPFIX}] enable

set netflow collector for-ip <IPv4 Address of Collector>

ip <IPv4 Address of Collector>

port <Destination Port on Collector>

srcaddr <Source IPv4 Address> export-format {Netflow_V5 | Netflow_V9 | IPFIX}

export-format {Netflow_V5 | Netflow_V9 | IPFIX}

enable

disable

show netflow collector

show netflow collector<SPACE><TAB>

show netflow all

delete netflow collector for-ip <IPv4 Address of Collector> [for-port <Destination Port on Collector>]

Parameters

Parameter

Description

ip <IPv4 Address of Collector>

Specifies the IPv4 address of the NetFlow Collector, to which NetFlow packets are sent. This is mandatory.

port <Destination Port on Collector>

Specifies the UDP port number on the NetFlow Collector, on which the collector is listening. This is mandatory. There is no default or standard port number for NetFlow.

srcaddr <Source IPv4 Address>

Optional: Specifies the IPv4 address of the NetFlow packets source. This must be an IPv4 address that belongs to one of the local interfaces of the local host. The default (which is recommended) is an IPv4 address that belongs to the network interface that connects to the NetFlow Collector.

export-format {Netflow_V5 | Netflow_V9 | IPFIX}

The NetFlow protocol version to send:

  • NetFlow v5
  • NetFlow v9
  • IPFIX (known as "NetFlow v10")

Each NetFlow protocol version has a different packet format.

The default is NetFlow v9.

for-ip <IPv4 Address of Collector>

for-port <Destination Port on Collector>

These parameters specify the configured NetFlow Collector.

If you only have one collector configured, you do not need these parameters.

If you have two or three collectors with different IP addresses, use for-ip.

If you have two or three collectors with the same IP address and different UDP ports, you must use for-ip and for-port to identify the one you want to work on.

To configure the explicit Access Control rule in SmartConsole:

  1. In the left navigation tree, click Security Policies.
  2. Open the applicable policy.
  3. In the top left corner, click Access Control > Policy.
  4. Add an explicit rule for the traffic that you wish to export with Netflow:

    Important - In the Track column, you must select Log and Accounting.

    Source

    Destination

    VPN

    Services & Applications

    Content

    Action

    Track

    Source
    Host or
    Network
    objects

    Destination
    Host or
    Network
    objects

    *Any

    Applicable
    service
    objects

    * Any

    Accept

    Log

    Accounting

  5. Publish the session.
  6. Install the Access Control policy on the Security Gateway or Cluster object.