Configuring Netflow

Introduction

Netflow is an industry standard for traffic monitoring. Cisco developed this network protocol to collect network traffic patterns and volume.

One host (the Netflow Exporter) sends information about its network flows to a different host (the Netflow Collector).

A network flow is a unidirectional stream of packets that contain the same set of characteristics.

You can configure a Quantum Spark Applicance as an Exporter of NetFlow records for all the traffic that passes through it.

The Netflow Collector is a different external server, and you configure it separately.

Netflow Export configuration is a list of collectors, to which the service sends records:

  • To enable Netflow, configure at minimum one Netflow Collector.

  • To disable Netflow, remove all Netflow Collectors from the Gaia Embedded configuration.

You can configure a maximum of three Netflow Collectors. Gaia Embedded sends the NetFlow records go to all configured Netflow Collectors. If you configure three Netflow Collectors, Gaia Embedded sends each Netflow record three times.

Regardless of which Netflow export format you configure, Gaia Embedded exports values as set of fields.

  • Source IP address.

  • Destination IP address.

  • Source port.

  • Destination port.

  • Ingress physical interface index (defined by SNMP).

  • Egress physical interface index (defined by SNMP).

  • Packet count for this flow.

  • Byte count for this flow.

  • Start of flow timestamp (FIRST_SWITCHED).

  • End of flow timestamp (LAST_SWITCHED).

  • IP protocol number.

  • TCP flags from the flow (TCP only).

Notes:

  • The IP addresses and TCP/UDP ports the Netflow reports are the ones, on which the Netflow expects to receive traffic.

    Therefore, for NAT connections, the Netflow reports one of the two directions of the flow with the NATed address.

  • Netflow sends the connection records after the connections terminated.

    If the connections are open for a long time, it can take time for the Netflow to sends the records.

Configuration Procedure for Centrally Managed

    1. Add the Netflow Collector.

      See add netflow collector.

    2. If needed, change the Netflow Collector configuration.

      See set netflow collector.

    1. From the left navigation panel, click Security Policies.

    2. Open the applicable policy.

    3. In the top left corner, click Access Control > Policy.

    4. Add an explicit rule for the traffic that you wish to export with Netflow:

      Source

      Destination

      VPN

      Services & Applications

      Content

      Action

      Track

      Source

      Host or

      Network

      objects

      Destination

      Host or

      Network

      objects

      *Any

      Applicable

      service

      objects

      *Any

      Accept

      Log

      Accounting

    5. Publish the SmartConsole session.

    6. Install the Access Control policy on the Quantum Spark Appliance object.