MikroTik Network Router NetFlow Integration with ThreatSync+ NDR
The MikroTik router uses the NetFlow protocol to export information about the IP traffic that passes through its interfaces. It sends this information as NetFlow records to a NetFlow collector, a server that collects the network traffic records and uploads them to ThreatSync+ NDR for analysis for security, administration, accounting, and troubleshooting purposes.
WatchGuard provides integration instructions to help customers configure WatchGuard products to work with products created by other organizations. If you want more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.
This document describes how to integrate MikroTik RB2011iL-RM with ThreatSync+ NDR with the NetFlow protocol.
Integration Summary
The hardware and software used to complete the steps outlined in this document include:
- MikroTik RB2011iL-RM with MikroTik RouterOS 7.10.2
- WatchGuard Cloud account with a ThreatSync+ NDR or Total NDR license
- ThreatSync+ NDR Collection Agent (for more information, go to About ThreatSync+ NDR Collection Agents)
Topology
This diagram shows the integration topology of the MikroTik RB2011iL-RM and ThreatSync+ NDR.
Configure the ThreatSync+ NDR Collection Agent
Make sure the ThreatSync+ NDR Collection Agent is installed on your Windows or Linux computer, and the status of the collection agent is Success. For detailed instructions about the ThreatSync+ NDR Collection Agent installation, go to Configure Collection Agents for ThreatSync+ NDR (Windows Computers) or Configure Collection Agents for ThreatSync+ NDR (Linux Computers).
Configure the MikroTik RB2011iL-RM
Before you can configure MikroTik RB2011iL-RM NetFlow, configure these basic settings.
- Log in to the MikroTik RB2011iL-RM Web UI at http://<IP address of the device>.
The default address is http://192.168.88.1 (interface ether2).
- Click Quick Set to start the basic configuration.
- In the Configuration section, select the mode.
- In the Internet section, configure the external network and DNS servers.
- In the Local Network section, configure the local subnet that allows the collection agent to gather NetFlow traffic. In our example, we configured 192.168.88.1 as the internal gateway.
- Select the DHCP Server check box.
- In the DHCP Server Range text box, assign an IP address range. In our example, we assigned IP addresses from 192.168.88.2 to 192.168.88.254.
- For the other settings on this page, keep the default values.
- Click Apply Configuration.
For more information, go to the MikroTik documentation.
Configure NetFlow on MikroTik RB2011iL-RM
To configure the MikroTik RB2011iL-RM as a NetFlow exporter:
- Log in to the MikroTik RB2011iL-RM Web UI.
- From the left navigation, select IP > Traffic Flow.
The Traffic Flow page opens.
- Click Targets.
The Targets page opens.
- Click Add New.
- In the Src. Address text box, enter the source IP. In our example, we entered 192.168.88.1.
- In the Dst. Address text box, enter the collector IP. In our example, we entered 192.168.88.20.
- In the Port text box, enter the port number on which the collector listens for NetFlow traffic. In our example, we entered 2055.
- From the Version drop-down list, select the NetFlow version. In our example, we selected 9.
- For the other settings on this page, keep the default values.
- Click OK.
- Click Close to exit from the Targets page to go to the Traffic Flow page.
- In the General section, select Enabled.
- From the Interfaces drop-down list, select all.
- From the Cache Entries drop-down list, select 4k.
- In the Active Flow Timeout text box, enter the active flow timeout value. In our example, we entered 00:00:30.
- In the Inactive Flow Timeout text box, enter the inactive flow timeout value. In our example, we entered 00:00:15.
- (Optional) Select Packet Sampling.
- (Optional) In the Packet Sampling Space text box, enter the space value. In our example, we entered 512.
A smaller value samples packets more often, so the collector receives flow data sooner.
- Click Apply.
Test the Integration
To test the MikroTik RB2011iL-RM integration with ThreatSync+ NDR:
- Log in to your WatchGuard Cloud account.
- Select Configure > ThreatSync+ Integrations > Collection Agents. If you have a Service Provider account, you must select an account from Account Manager.
- Select the ThreatSync+ NDR Collection Agents tab to view the Last Activity column of your collection agent. This column shows the last time the collection agent uploaded the NetFlow records to ThreatSync+ NDR. It might take a few hours for the first upload.
- From the navigation menu, select Monitor > ThreatSync+ to view the Network Summary page.
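Before waiting hours for the first upload, you can confirm on the collector host that the router is actually exporting. The following script is an added example, not part of the WatchGuard or MikroTik documentation: it listens on the configured port, checks that a datagram comes from the router's Src. Address (192.168.88.1) and parses as NetFlow v9, and counts the template and data FlowSets it carries. The sample datagram at the end is constructed so the parser can also run offline; the port, exporter address and version are the values from the steps above.

```python
import socket
import struct
EXPECTED_EXPORTER = "192.168.88.1"   # Src. Address entered on the Traffic Flow target
COLLECTOR_PORT = 2055                # Port entered on the Traffic Flow target
EXPECTED_VERSION = 9                 # Version selected on the Traffic Flow target
HEADER = struct.Struct("!HHIIII")    # v9 header: version, count, sysUptime, unixSecs, sequence, sourceId


def parse_v9(datagram: bytes) -> dict:
    """Validate the v9 header and walk the FlowSets, counting template and data sets."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, count, _uptime, _secs, sequence, source_id = HEADER.unpack_from(datagram, 0)
    if version != EXPECTED_VERSION:
        raise ValueError(f"expected NetFlow v{EXPECTED_VERSION}, got v{version}")
    templates, data, offset = 0, 0, HEADER.size
    while offset + 4 <= len(datagram):
        set_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            raise ValueError(f"malformed FlowSet length {length} at offset {offset}")
        if set_id in (0, 1):          # template / options template FlowSet
            templates += 1
        elif set_id >= 256:           # data FlowSet that references a template ID
            data += 1
        offset += length
    return {"version": version, "count": count, "sequence": sequence,
            "source_id": source_id, "template_sets": templates, "data_sets": data}


def check_datagram(datagram: bytes, sender_ip: str) -> tuple:
    """Return (ok, detail); ok only if the sender is the router and the packet parses as v9."""
    if sender_ip != EXPECTED_EXPORTER:
        return False, f"sender {sender_ip} is not the configured exporter {EXPECTED_EXPORTER}"
    try:
        summary = parse_v9(datagram)
    except ValueError as exc:
        return False, str(exc)
    return True, "NetFlow v9 from exporter: " + ", ".join(f"{k}={v}" for k, v in summary.items())


def listen_once(port: int = COLLECTOR_PORT, timeout: float = 60.0) -> tuple:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))                 # the same port the collector listens on
        sock.settimeout(timeout)
        datagram, (sender_ip, _port) = sock.recvfrom(65535)
    return check_datagram(datagram, sender_ip)


# Constructed sample: template FlowSet (ID 256, one IPv4 source address field) + one data FlowSet.
SAMPLE = (HEADER.pack(9, 2, 1000, 1700000000, 7, 0)
          + struct.pack("!HHHHHH", 0, 12, 256, 1, 8, 4)
          + struct.pack("!HH", 256, 8) + bytes([192, 168, 88, 20]))
```

Call listen_once() on the collector host only while the collection agent is not already bound to port 2055, or point a second Traffic Flow target at a test host. A result of (False, ...) with a sender or version mismatch usually means the Src. Address, Dst. Address or Version on the target was entered incorrectly.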
For more information about ThreatSync+, go to ThreatSync+.