Netflow is a network traffic accounting protocol developed by Cisco Systems and currently supported by numerous vendors. To collect traffic information using Netflow, the following components are required:
- Sensor: gathers statistics on the traffic passing through it and sends this data to the collector.
- Collector: receives the data from the sensor and stores it.
- Analyzer: analyzes the data gathered by the collector and produces human-readable reports (often in the form of graphs or charts).
NGFW can function as a sensor. To collect and send out statistics on the traffic passing through a specific NGFW network interface, follow these steps:
- Create a new Netflow profile.
- Assign the newly created Netflow profile to the network interface on which statistics are to be collected.
To create a Netflow profile, go to the Libraries ➜ Netflow profiles section, click Add, and provide the desired settings:

| Name | Description |
|---|---|
| Name | Netflow profile name. |
| Description | A description of the Netflow profile. |
| Netflow collector IP address | The IP address of the collector server to which the sensor sends the statistics. |
| Netflow collector port | The UDP port on which the collector receives the statistics. |
| Netflow protocol version | The Netflow protocol version to use. The version must match on the sensor and the collector. |
| Active flow timeout, (sec.) | For long-lived flows, such as the transfer of a large file over the network, the time after which statistics are sent to the collector without waiting for the flow to complete. The default value is 1800 seconds. |
| Inactive flow timeout, (sec.) | The time after which an inactive flow is considered complete. The default value is 15 seconds. |
| Maximum flows | The maximum number of flows tracked for statistics collection and export. This limit protects against DoS attacks: once it is reached, any subsequent flows are ignored. The default value is 2000000. To remove the limit, set this to 0. |
| Send NAT information | Include network address translation information in the Netflow statistics. |
| Template refresh rate (packets) | The number of packets after which the template is sent again to the receiving host (Netflow 9/10 only). The template contains information about the device configuration and various statistical information. The default value is 20 packets. |
| Period to re-send old template (sec.) | The time interval after which the old template is sent again to the receiving host (Netflow 9/10 only). The template contains information about the device configuration and various statistical information. The default value is 1800 seconds. |
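The last two settings matter on the collector side as much as on the sensor: with Netflow 9/10 a data record can only be decoded with the template it was encoded against, so records that reach the collector before the template (or after a collector restart) stay undecodable until the next template refresh. The following Python decoder is an added example, not part of this documentation or of the product; the template id, field layout and both packets are constructed inline following RFC 3954.

```python
import struct
from ipaddress import IPv4Address
# NetFlow v9 field type ids used by the constructed template (RFC 3954, section 8).
FIELD_NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

class NetflowV9Decoder:
    def __init__(self):
        self.templates = {}  # (source_id, template_id) -> [(field_type, field_length), ...]
    def decode(self, pkt):
        """Return (decoded records, count of data FlowSets whose template is not yet known)."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        records, pending, off = [], 0, 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:  # template FlowSet: one or more (template_id, field_count, (type, length)*)
                pos = 0
                while pos + 4 <= len(body):
                    tmpl_id, nfields = struct.unpack("!HH", body[pos:pos + 4])
                    self.templates[(source_id, tmpl_id)] = [
                        struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                    pos += 4 + 4 * nfields
            elif fs_id > 255 and (source_id, fs_id) not in self.templates:
                pending += 1  # data arrived before its template: undecodable until the next template refresh
            elif fs_id > 255:  # data FlowSet: its id is the template it was encoded with
                tmpl = self.templates[(source_id, fs_id)]
                rec_len = sum(flen for _, flen in tmpl)
                for pos in range(0, len(body) - rec_len + 1, rec_len):  # stops before the trailing padding
                    rec, p = {}, pos
                    for ftype, flen in tmpl:
                        raw, p = body[p:p + flen], p + flen
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    records.append(rec)
            off += fs_len
        return records, pending

def v9_header(count, source_id=1, seq=0):
    return struct.pack("!HHIIII", 9, count, 0, 1700000000, seq, source_id)
# Constructed sample export: template 256 in one packet, then one 17-byte record encoded with it.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
_tmpl = struct.pack("!HH", 256, len(TEMPLATE_FIELDS)) + b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
TEMPLATE_PKT = v9_header(1) + struct.pack("!HH", 0, 4 + len(_tmpl)) + _tmpl
_rec = IPv4Address("10.0.0.5").packed + IPv4Address("198.51.100.7").packed + struct.pack("!HHBI", 51514, 443, 6, 1500)
DATA_PKT = v9_header(1, seq=1) + struct.pack("!HH", 256, 4 + len(_rec) + 3) + _rec + b"\x00" * 3  # padded to 4-byte boundary
```

Feeding DATA_PKT before TEMPLATE_PKT yields no records and one pending FlowSet; after the template has been seen, the same packet decodes to a single record.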