In this panel, all details regarding the routing of logs and application of Netflow are configured.

What is Netflow?

Netflow is a high-performance network protocol for collecting and monitoring information about packet flows at interfaces. Analyzing the data captured by Netflow yields information about the monitored networks. Netflow makes the network's traffic patterns concretely visible, which helps the administrator understand the profile of the network, facilitates the audit process, and improves the accuracy of measures applied to improve availability and quality of service (QoS).

Netflow works by performing the following steps:

  • It checks and monitors incoming and outgoing traffic on a device;
  • It aggregates the data captured by the monitor and exports it to a management system;
  • Once the data has been collected, the management system is responsible for analyzing and pre-processing the information.

As packets traverse an interface, datagrams are captured by the flow cache according to the criteria used by the router. After countless entries, the cached flows eventually expire, and the flow exporters gather the records and forward them for Netflow analysis and processing, where the data is kept for future reference. Finally, an analysis application can use the data to visualize the flow and intensity of the traffic. This allows highly specific analysis, for example of the origin and destination of network traffic and the volume generated, which makes it possible to accurately determine the direct cause of possible network congestion.
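The analysis step described above, as an added example (not Blockbit code): a minimal collector-side decoder for Netflow v5 export datagrams that totals bytes per source/destination pair. The function names and the sample datagram are constructed for illustration; v9 and IPFIX are template-based and are rejected by this decoder rather than parsed.

```python
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def parse_v5(datagram):
    """Decode one Netflow v5 export datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a Netflow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:  # 9 = Netflow v9, 10 = IPFIX: different wire formats
        raise ValueError(f"not Netflow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows


def top_talkers(flows, n=3):
    """Sum bytes per (source, destination) pair, largest first."""
    volume = Counter()
    for fl in flows:
        volume[(fl["src"], fl["dst"])] += fl["bytes"]
    return volume.most_common(n)


def build_sample():
    """Constructed sample datagram (documentation addresses, not real traffic)."""
    rows = [("192.0.2.10", "198.51.100.5", 40, 52000, 51000, 443, 6),
            ("192.0.2.10", "198.51.100.5", 10, 8000, 51001, 443, 6),
            ("192.0.2.22", "203.0.113.9", 3, 228, 40000, 53, 17)]
    out = V5_HEADER.pack(5, len(rows), 1000, 0, 0, 1, 0, 0, 0)
    for src, dst, pkts, octets, sp, dp, proto in rows:
        out += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              bytes(4), 1, 2, pkts, octets, 0, 900, sp, dp,
                              0, 0, proto, 0, 0, 0, 24, 24, 0)
    return out


if __name__ == "__main__":
    print(top_talkers(parse_v5(build_sample())))
```

The length checks reject a datagram whose header count claims more records than the payload carries, so a malformed or truncated export is refused instead of being partially decoded.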

Blockbit operates at the traffic checking and monitoring level, collecting data for export to a management system.

Netflow comes integrated with Blockbit UTM and has the following features:

  • Full support for Netflow v5, v9 and IPFIX versions;
  • Full support for IPv4 and IPv6 networks;
  • Capture of translation events (NAT);
  • Capture of incoming and outgoing packets;
  • Packet capture on physical, virtual, VLAN, DSL and MPLS network interfaces.

This service is optional: for it to operate, the administrator must enable it in the system's Traffic Logging settings.

To apply Netflow to IPv4 or IPv6 policies, enable the Traffic Logging checkbox in the Properties panel when creating policies.

Next we will analyze how to configure the requirements of the Log Forwarding panel:

  • Remote Syslog: When you enable this check box, Remote Syslog is activated:
    • IP: After enabling the field above, add the remote Syslog IP;
    • Port: Set the remote Syslog port;
    • Protocol: Defines the protocol used by the remote Syslog, which can be TCP or UDP.
  • Netflow: When you enable this check box, Netflow is activated:
    • Protocol: Defines the protocol to be used by Netflow, which can be v10 (IPFIX), v9 or v5;
    • Active Timeout: Determines the time needed to export flows to the collector;
    • Netflow Server IP: Sets the IP of the Netflow server;
    • Netflow Server Port: Sets the Netflow server port.

Click on [] to add a Netflow server; to remove one, click on [].

Click on [] to save and activate the settings made. Note that this will restart the firewall services. The following message will be displayed:

Warning: Do you want to change de settings? Firewall services will be restarted.

ATTENTION: Keep in mind that when you click the "Proceed" button, the firewall services will restart IMMEDIATELY, with a momentary interruption of the services.

Click on [] to apply the settings and restart the firewall, or on [] to close this window.

After saving the settings, click on [] and apply the settings made.
