NetFlow Export

Introduction

NetFlow is an industry standard for traffic monitoring. Cisco developed this network protocol to collect network traffic patterns and volume.

One host (the NetFlow Exporter) sends information about its network flows to a different host (the NetFlow Collector).

A network flow is a unidirectional stream of packets that contain the same set of characteristics.

You can configure Security Gateways and Cluster Members as an Exporter of NetFlow records for all the traffic that passes through.

Note - The state of the SecureXL on a Security Gateway is irrelevant for NetFlow export.

The NetFlow Collector is a different external server, and you configure it separately.

NetFlow Export configuration is a list of collectors, to which the service sends records:

To enable NetFlow, configure at minimum one NetFlow Collector.
To disable NetFlow, remove all NetFlow Collectors from the Gaia configuration.

You can configure a maximum of three NetFlow Collectors. Gaia sends the NetFlow records go to all configured NetFlow Collectors. If you configure three NetFlow Collectors, Gaia sends each NetFlow record three times.

Regardless of which NetFlow export format you configure, Gaia exports values as set of fields.

The fields

Source IP address.
Destination IP address.
Source port.
Destination port.
Ingress physical interface index (defined by SNMP).
Egress physical interface index (defined by SNMP).
Packet count for this flow.
Byte count for this flow.
Start of flow timestamp (FIRST_SWITCHED).
End of flow timestamp (LAST_SWITCHED).
IP protocol number.
TCP flags from the flow (TCP only).
VSX VSID.

Notes:

The IP addresses and TCP/UDP ports the NetFlow reports are the ones, on which the NetFlow expects to receive traffic.

Therefore, for NAT connections, the NetFlow reports one of the two directions of the flow with the NATed address.
NetFlow sends the connection records after the connections terminated.

If the connections are open for a long time, it can take time for the NetFlow to sends the records.

For more information, see sk102041.

Configuration Procedure

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Configure the NetFlow Export settings in Gaia

You can configure these settings in Gaia Portal, or in Gaia Clish.

Configuring the NetFlow settings in Gaia Portal

In the left navigation tree, click Network Management > NetFlow Export.
Optional: In the Global Options section, configure when the NetFlow starts to send the data after a connection opens, and click Apply.

This configures how frequently the NetFlow sends the number of ongoing connections.

Enter a value between 10 and 60 seconds, or enter the value 0 to disable.
In the Collectors section, click Add.

Enter the required data for each collector:

Parameter	Description
IP Address	The destination IPv4 address, to which Gaia sends the NetFlow packets. This parameter is mandatory.
UDP Port Number	The destination UDP port number, on which the collector listens. This parameter is mandatory. There is no default or standard port number for NetFlow.
Export Format	The NetFlow protocol version to use: Netflow_V5 - Protocol NetFlow v5 Netflow_V9 - Protocol NetFlow v9 IPFIX - Known as protocol "NetFlow v10" Each protocol version has a different packet format. The default is Netflow_V9.
Source IP address	Optional: The source IPv4 address of the NetFlow packets. This must be an IPv4 address of the local host. The default is an IPv4 address of the network interface, from which Gaia sends the NetFlow packets. We recommend the default.
Enable	Select this option to enable the configured NetFlow Collector.

Click OK.

In the Advanced Options section, the NetFlow Fw rule option controls for which traffic to enable the NetFlow export:

Scenario

Instructions

You performed a Clean Install of R82

By default (this option is cleared) the NetFlow export is enabled for traffic accepted by all Access Control rules.

You can select this option NetFlow Fw rule to enable the NetFlow export only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.

Important - If you selected this option, you must configure the applicable Access Control rules in SmartConsole.

You upgraded to R82 from R80.40 or lower version

You must:

Select the option NetFlow Fw rule in Gaia Portal and click Apply.
Configure the applicable Access Control rules with the Track option Log and Accounting in SmartConsole.

Configuring the NetFlow settings in Gaia Clish

Optional: Configure when the NetFlow starts to send the data after a connection opens.

set netflow liveconn_interval {<10-60> | 0}

Enter a value between 10 and 60 seconds, or enter the value 0 to disable.

Configure a new NetFlow collector:

add netflow collector ip <IPv4 Address of Collector> port <Destination Port on Collector> [srcaddr <Source IPv4 Address>] export-format {Netflow_V5 | Netflow_V9 | IPFIX} enable {yes | no}

Configure for which traffic to enable the NetFlow export:

set netflow fwrule {1 | 0}

Scenario

Instructions

You performed a Clean Install of R82

By default (value 0) the NetFlow export is enabled for traffic accepted by all Access Control rules.

You can configure the value 1 to enable the NetFlow export only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.

Important - If you configure the value 1, you must configure the applicable Access Control rules in SmartConsole.

You upgraded to R82 from R80.40 or lower version

You must:

Configure the value 0 in Gaia Clish.
Configure the applicable Access Control rules with the Track option Log and Accounting in SmartConsole.

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

In SmartConsole, configure the explicit Access Control rules

Important - This step is necessary only in these cases:

In Gaia Portal you selected the option "NetFlow Fw rule"
In Gaia Clish you ran the command "set netflow fwrule 1".

From the left navigation panel, click Security Policies.
Open the applicable policy.
In the top left corner, click Access Control > Policy.

Add an explicit rule for the traffic that you wish to export with NetFlow:

Important - In the Track column, you must select Log and Accounting.

Source	Destination	VPN	Services & Applications	Content	Action	Track
Source Host or Network objects	Destination Host or Network objects	`*Any`	Applicable service objects	`* Any`	`Accept`	`Log` `Accounting`

Source

Destination

VPN

Services & Applications

Content

Action

Track

Source
Host or
Network
objects

Destination
Host or
Network
objects

*Any

Applicable
service
objects

* Any

Accept

Log

Accounting

Publish the SmartConsole session.
Install the Access Control policy on the Security Gateway or Cluster object.

Available Commands in Gaia Clish

Syntax

Configure when the NetFlow starts to send the data after a connection opens.

set netflow liveconn_interval {<10-60> | 0}

To configure a new NetFlow collector:

add netflow collector ip <IPv4 Address of Collector> port <Destination Port on Collector> [srcaddr <Source IPv4 Address>] export-format {Netflow_V5 | Netflow_V9 | IPFIX} enable {yes | no}

To change settings of an existing NetFlow collector:

set netflow collector
      ip <IPv4 Address of Collector> port <Destination Port on Collector> export-format {Netflow_V5 | Netflow_V9 | IPFIX} [srcaddr <Source IPv4 Address>] enable {yes | no}
      for-ip <IPv4 Address of Collector>
            ip <IPv4 Address of Collector> port <Destination Port on Collector> export-format {Netflow_V5 | Netflow_V9 | IPFIX} [srcaddr <Source IPv4 Address>] enable {yes | no}
            for-port <Destination Port on Collector> ip <IPv4 Address of Collector> port <Destination Port on Collector> export-format {Netflow_V5 | Netflow_V9 | IPFIX} [srcaddr <Source IPv4 Address>] enable {yes | no}

To configure for which traffic the NetFlow exports its records:

set netflow fwrule {1 | 0}

To show the configured NetFlow collectors:

show netflow
      all
      collector
            enable
            export-format
            ip
            port
            srcaddr
            for-ip <IPv4 Address of Collector>
                  enable
                  export-format
                  port
                  srcaddr
                  for-port <Destination Port on Collector>
                        enable
                        export-format
                        srcaddr

To show when the NetFlow starts to send the data after a connection opens:

show netflow liveconn_interval

To show for which traffic the NetFlow exports its records:

show netflow fwrule

To delete a configured NetFlow collector:

delete netflow collector for-ip <IPv4 Address of Collector> [for-port <Destination Port on Collector>

CLI Parameters

Parameter

Description

ip <IPv4 Address of Collector>

Specifies the destination IPv4 address of the NetFlow Collector, to which Gaia sends the NetFlow packets.

This parameter is mandatory.

port <Destination Port on Collector>

Specifies the destination UDP port number on the NetFlow Collector, on which the collector listens.

This parameter is mandatory.

There is no default or standard port number for NetFlow.

srcaddr <Source IPv4 Address>

Optional: Specifies the source IPv4 address of the NetFlow packets.

This must be an IPv4 address of the local host.

The default is an IPv4 address of the network interface, from which Gaia sends the NetFlow packets.

We recommend the default.

export-format {Netflow_V5 | Netflow_V9 | IPFIX}

The NetFlow protocol version to use:

Netflow_V5 - Protocol NetFlow v5
Netflow_V9 - Protocol NetFlow v9 (default)
IPFIX - Known as protocol "NetFlow v10"

Each NetFlow protocol version has a different packet format.

for-ip <IPv4 Address of Collector>

for-port <Destination Port on Collector>

These parameters specify the configured NetFlow Collector.

Notes:

If you configured only one collector, it is not necessary to use these parameters.
If you configured two or three collectors with different IP addresses, use the "for-ip" parameter.
If you configured two or three collectors with the same IP address and different UDP ports, you must use the "for-ip" and "for-port" parameters to identify the collectors.

set netflow fwrule {1 | 0}

Specifies for which traffic to enable the NetFlow export:

Scenario

Instructions

You performed a Clean Install of R82

By default (value 0) the NetFlow export is enabled for traffic accepted by all Access Control rules.

You can configure the value 1 to enable the NetFlow export only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.

Important - If you configure the value 1, you must configure the applicable Access Control rules in SmartConsole.

You upgraded to R82 from R80.40 or lower version

You must:

Configure the value 0 in Gaia Clish.
Configure the applicable Access Control rules with the Track option Log and Accounting in SmartConsole.

set netflow liveconn_interval {<10-60> | 0}

Configures when the NetFlow starts to send the data after a connection opens.

Enter a value between 10 and 60 seconds, or enter the value 0 to disable

show netflow fwrule

Shows for which traffic the NetFlow exports its records:

Yes

The NetFlow export is enabled for traffic accepted by all Access Control rules.
No

The NetFlow export is enabled only for traffic accepted by Access Control rules with the Track option Log and Accounting you configured in SmartConsole.