NetFlow and Syslog Config

Thank you for installing our NetFlow Threat Hunting app. Here is a quick guide on how to configure your edge device to send NetFlow data to our cloud collector. The configuration differs from vendor to vendor; if you cannot find your vendor on this page, please let us know.

NetFlow can be sent directly or through an encrypted IPsec session.

  • NetFlow collector cluster: 3.125.65.28, udp/3000
  • Syslog collector cluster: 3.125.65.28, udp/3001
  • VPN headend cluster: 3.123.23.159
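Before pointing a device at the cloud collector, it is useful to confirm on a lab host that the device actually emits well-formed NetFlow v9: template flowsets first, then data flowsets that reference them. The decoder below is an added example and is not part of this guide or of the collector software. It assumes the standard NetFlow v9 field type numbers (IN_BYTES=1, IN_PKTS=2, PROTOCOL=4, L4_SRC_PORT=7, IPV4_SRC_ADDR=8, L4_DST_PORT=11, IPV4_DST_ADDR=12), the packet produced by make_sample_packet() is constructed for the demo, and listen() binds udp/3000 on every interface of the host it runs on.

```python
"""NetFlow v9 sanity-check decoder (added example, not the vendor's code).

Decodes the 20-byte export header, learns templates from flowset id 0 and
decodes data flowsets (id >= 256) against them.  Option templates (id 1)
are skipped.  Field numbers are the standard NetFlow v9 assignments."""
import socket
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}


def _decode_field(ftype, raw):
    """Render an IPv4 address field as dotted quad, everything else as a big-endian int."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Decode one NetFlow v9 packet.

    `templates` maps (source_id, template_id) -> [(field_type, length), ...] and is
    updated in place, so pass the same dict for every packet from one exporter.
    Returns (header_dict, list_of_record_dicts); a data flowset whose template has
    not been seen yet is reported as {"template_id": ..., "undecodable": True}."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    records = []
    off = HEADER.size
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, off)
        if length < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4: off + length]
        if flowset_id == 0:  # template flowset; may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:  # data flowset; decodable only with its template
            fields = templates.get((source_id, flowset_id))
            if fields is None:
                records.append({"template_id": flowset_id, "undecodable": True})
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):  # trailing bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                        rec[name] = _decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        off += length
    return header, records


def make_sample_packet():
    """Constructed demo packet: one template (id 256) followed by one data record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl  # 36 bytes in total
    data = (IPv4Address("192.0.2.10").packed + IPv4Address("198.51.100.7").packed
            + struct.pack("!HHB", 51234, 443, 6) + struct.pack("!II", 18342, 27))
    pad = b"\x00" * ((4 - len(data) % 4) % 4)  # flowsets are padded to 4-byte boundaries
    data_fs = struct.pack("!HH", 256, 4 + len(data) + len(pad)) + data + pad
    return HEADER.pack(9, 2, 123456, 1700000000, 1, 0) + tmpl_fs + data_fs


def listen(port=3000, max_packets=10):
    """Bind udp/<port> on all interfaces and print what a real exporter sends."""
    templates = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(max_packets):
            pkt, (src, _) = sock.recvfrom(65535)
            header, records = parse_v9(pkt, templates)
            print(f"{src}: seq={header['sequence']} source_id={header['source_id']} records={records}")


if __name__ == "__main__":
    print(parse_v9(make_sample_packet(), {}))
```

Running the file decodes the constructed packet; calling listen() on a host that a device exports to shows live records. Data flowsets reported as undecodable mean the exporter has not yet sent (or re-sent) its template; the `template data timeout` setting in the Cisco examples on this page controls how often templates are refreshed.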

Cisco IOS Router

flow record FREC
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow exporter FEXP
 destination 3.125.65.28
 transport udp 3000
 template data timeout 20
 option interface-table
 option application-table timeout 10
!
flow monitor FMON
 exporter FEXP
 cache timeout active 60
 record FREC
!
interface GigabitEthernetX/X
 ip flow monitor FMON input
 ip flow monitor FMON output

Cisco IOS Router VPN Config for NetFlow encryption

crypto ikev2 profile netflow-encryption
 ! our VPN headend
 match identity remote address 3.123.23.159 255.255.255.255
 ! your public IP
 identity local address XXX.XXX.XXX.XXX
 authentication local pre-share
 authentication remote pre-share
 keyring local netflow-encryption
!
crypto ikev2 keyring netflow-encryption
 peer remote-router
  ! our VPN headend
  address 3.123.23.159
  ! secret received via email
  pre-shared-key XXXXXXXXXX
!
crypto ipsec profile netflow-encryption
 set transform-set netflow-encryption
 set ikev2-profile netflow-encryption
!
crypto ipsec transform-set netflow-encryption esp-aes esp-sha256-hmac
 mode transport
!
crypto ikev2 proposal netflow-encryption
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy netflow-encryption
 proposal netflow-encryption
!
interface Tunnel10
 ! internal /30 network, do not change
 ip address 1.0.0.1 255.255.255.252
 ! your interface towards the Internet
 tunnel source GigabitEthernetXX
 tunnel mode ipsec ipv4
 ! our VPN headend
 tunnel destination 3.64.216.57
 tunnel protection ipsec profile netflow-encryption
!
! route netflow traffic via the tunnel
ip route 3.125.65.28 255.255.255.255 1.0.0.2

Cisco IOS Switch

! Note that some Cisco switches require a sampler config.
! It is always better to use an IOS router with unsampled NetFlow.
!
flow record FREC
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
!
flow exporter FEXP
 destination 3.125.65.28
 transport udp 3000
 template data timeout 20
 option interface-table
 option application-table timeout 10
!
flow monitor FMON
 exporter FEXP
 cache timeout active 60
 record FREC
!
sampler FLOWSAMPLER
 mode random 1 out-of 32
!
interface GigabitEthernetX/X
 ip flow monitor FMON sampler FLOWSAMPLER input

Cisco ASA

!
flow-export destination inside 3.125.65.28 3000
flow-export template timeout-rate 1
flow-export delay flow-create 60
!
access-list netflow-export extended permit ip any any
!
class-map netflow-export-class
 match access-list netflow-export
!
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination 3.125.65.28
!
service-policy global_policy global
!

Palo Alto Firewall

The following steps describe how to configure the Netflow Server Profile:

  1. Go to Device > Server Profiles > Netflow
  2. Click Add to bring up the Netflow Server Profile
  3. Add a Name for the Netflow settings
  4. Click Add and fill the Name (name to identify the server) and Server (3.125.65.28) field
  5. The port is automatically populated as 2055, but you need to change it to 3000

The profile can be assigned to an existing Palo Alto Networks firewall interface, so that all traffic flowing over that interface is exported to the specified server above.

To assign the profile created above to the interface, follow the steps below:

  1. Click on Network > Interfaces and go to the Ethernet, VLAN, Loopback or Tunnel tab
  2. Select an interface and assign the Netflow Server Profile created above in the Netflow Profile field.

Commit changes.

Note: (Required for PA-7000 Series and PA-5200 Series firewalls) Configure a service route for the interface that the firewall will use to send NetFlow records.

You cannot use the management (MGT) interface to send NetFlow records from the PA-7000 Series and PA-5200 Series firewalls. For other firewall models, a service route is optional. For all firewalls, the interface that sends NetFlow records does not have to be the same as the interface for which the firewall collects the records.

  1. Select Device > Setup > Services
    1. (Firewall with multiple virtual systems) Select either Global or Virtual Systems
  2. Select Service Route Configurations and Customize
  3. Select the protocol: IPv4 or IPv6
  4. Click Netflow
  5. Select the Source Interface
    1. Any, Use default and MGT are not valid interface options for PA-7000 and PA-5200 Series firewalls
  6. Select a Source Address IP
  7. Click OK twice

MikroTik Router

The first half of configuring the MikroTik router is enabling NetFlow and choosing which interfaces to collect flows from; in the example below, all interfaces are monitored. The second half specifies the collector and the NetFlow version to send to it. Let us first begin with the Command Line Interface (CLI)/Terminal configuration.

/ip traffic-flow
set enabled=yes
set interfaces=all
set cache-entries=1k
set active-flow-timeout=1m
set inactive-flow-timeout=15s
print

[admin@MikroTik] ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 1k
active-flow-timeout: 1m
inactive-flow-timeout: 15s
[admin@MikroTik] ip traffic-flow>
/ip traffic-flow target
add address=3.125.65.28:3000 version=9 disabled=no
print

[admin@MikroTik] ip traffic-flow target> print
Flags: X - disabled
# ADDRESS VERSION
0 3.125.65.28:3000 9
[admin@MikroTik] ip traffic-flow target>

Ubiquiti EdgeMAX

configure
set system flow-accounting interface {INTERFACE_NAME}
set system flow-accounting netflow enable-ingress
set system flow-accounting netflow engine-id 1
set system flow-accounting netflow server 3.125.65.28 port 3000
set system flow-accounting netflow version 9
commit

FortiGate Firewall

Go to the FortiGate community article to see how to configure NetFlow.

Splunk

The following example shows how to send all data to the syslog collector. To forward data, edit outputs.conf:

[tcpout:secone]
server = 3.125.65.28:3001
sendCookedData = false

Squid

The following example shows how to send Squid messages to the syslog collector. To forward data, edit squid.conf:

access_log udp://3.125.65.28:3001

Emissary

The following example shows how to configure Emissary to send logs to the collector:

apiVersion: getambassador.io/v3alpha1
kind: LogService
metadata:
  name: als
spec:
  service: "3.125.65.28:3002"
  driver: http
  driver_config: {}  # NB: driver_config must be set, even if it's empty
  grpc: true         # NB: grpc must be true and it will use the V3 transport protocol

Go to the Ambassador article for more details.

HAProxy

The following example shows how to configure HAProxy to send logs to the collector:

log-forward syslog
# Sends outgoing messages via UDP
log 3.125.65.28:3001 local0

Go to the HAProxy article for more details.

VMware vSphere Distributed Switch (VDS)

Go to the VMware Docs article to see how to configure NetFlow settings.

Syslog: AWS S3 access_logs

For customers keeping access_log data in AWS S3, it is common to run a Lambda function each time a new access_log object is uploaded to S3 and, within that function, send its content to our syslog collector.
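The following Lambda handler is an added example of that pattern and is not the vendor's code: triggered by an S3 ObjectCreated notification, it reads the new access log object, gunzips it if needed, wraps each line in an RFC 5424 syslog header and sends it as one UDP datagram to the syslog collector listed on this page (3.125.65.28, udp/3001). It assumes boto3 is available in the Lambda runtime (it is imported inside the handler so the module also loads on a laptop without it); the facility, hostname and app-name values are arbitrary choices, and the sample log line is constructed.

```python
"""S3 access_log -> UDP syslog forwarder for AWS Lambda (added example, not the vendor's code)."""
import gzip
import socket
import urllib.parse
from datetime import datetime, timezone
from typing import List, Optional

COLLECTOR = ("3.125.65.28", 3001)  # syslog collector cluster from this page
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
PRI = FACILITY_LOCAL0 * 8 + SEVERITY_INFO  # RFC 5424 PRI = facility * 8 + severity = 134

# Constructed sample line in S3 server access log layout; every value is made up.
SAMPLE_LINES = [
    'EXAMPLEOWNERID example-bucket [02/Jan/2024:03:04:05 +0000] 192.0.2.44 '
    'EXAMPLEREQUESTER EXAMPLEREQID REST.GET.OBJECT report.pdf "GET /report.pdf HTTP/1.1" '
    '200 - 4096 4096 12 11 "-" "curl/8.0" -',
]


def to_syslog(line: str, ts: Optional[str] = None, hostname: str = "s3-access-log") -> bytes:
    """Wrap one log line in an RFC 5424 header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.

    `ts` is an ISO-8601 UTC timestamp; it defaults to now and can be passed
    explicitly for reproducible output."""
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{PRI}>1 {ts} {hostname} s3access - - - {line.rstrip()}".encode("utf-8")


def log_lines(body: bytes) -> List[str]:
    """Split an access-log object into non-empty lines, gunzipping first if compressed."""
    if body[:2] == b"\x1f\x8b":  # gzip magic number
        body = gzip.decompress(body)
    return [ln for ln in body.decode("utf-8", errors="replace").splitlines() if ln.strip()]


def forward(lines, dest=COLLECTOR, sock=None) -> int:
    """Send one UDP datagram per line (UDP syslog has no framing); return the number sent."""
    sock = sock or socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for ln in lines:
        sock.sendto(to_syslog(ln), dest)
        sent += 1
    return sent


def handler(event, context):
    """Lambda entry point for an S3 ObjectCreated notification on the access-log bucket."""
    import boto3  # provided by the Lambda runtime; imported here so the module loads without it
    s3 = boto3.client("s3")
    total = 0
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        total += forward(log_lines(body))
    return {"forwarded": total}


if __name__ == "__main__":
    # Offline dry run: show the datagram that would be sent for the constructed sample.
    for sample in SAMPLE_LINES:
        print(to_syslog(sample, ts="2024-01-02T03:04:05Z").decode())
```

The Lambda's execution role needs s3:GetObject on the log bucket, and the function must run in a subnet (or with a VPN attachment) that can reach the collector over UDP; one datagram per line keeps each message intact, since UDP syslog has no way to reassemble a split message.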