About NetFlow and NetFlow Settings for Cloud-Managed Fireboxes
Applies To: Cloud-managed Fireboxes
This document applies to Fireboxes you manage in WatchGuard Cloud. For information that applies to Fireboxes managed in Fireware Web UI or WatchGuard System Manager, go to:
Overview
NetFlow is a protocol used to collect and analyze IP network traffic. To gain more insight into your network traffic, you can configure the Firebox as a NetFlow exporter. For example, you can use NetFlow data to troubleshoot network performance issues or to investigate security concerns. For more information about the NetFlow protocol, go to RFC 3954.
When you configure NetFlow on your Firebox, you select the networks to monitor and specify the IP address of a server known as a collector. The Firebox monitors the selected networks and sends streams of data known as flow records to the collector for analysis. The collector runs a third-party application that uses the NetFlow protocol to record and analyze network traffic. Many third-party applications support the NetFlow protocol. The Firebox itself does not show or analyze flow records.
With ThreatSync+ NDR, you can use Windows or Linux-based collectors to monitor network traffic. Collectors take data feeds such as NetFlow, sFlow, or Windows DHCP server logs directly from third-party switches and firewalls and forward them through a secure connection to WatchGuard Cloud. ThreatSync+ uses these data feeds to identify and detect potential threats and suspicious activities, and generates alerts for you to investigate. For more information, go to About ThreatSync+ NDR Collection Agents and About ThreatSync+ NDR.
On the Firebox, you can choose to monitor ingress (incoming) traffic, egress (outgoing) traffic, or both. For example, if you have an internal switch that does not support NetFlow, you might enable NetFlow egress on the internal Firebox network that the switch connects to. This captures traffic that exits that internal Firebox network, which includes traffic sent to the switch. For pass-through traffic, the Firebox monitors bidirectional traffic if you choose to monitor both the inbound and the outbound network. You can also choose to monitor Firebox-generated traffic, which is outbound traffic generated by the Firebox itself, and traffic destined for the Firebox.
To configure NetFlow on a cloud-managed Firebox, go to Configure NetFlow Settings in WatchGuard Cloud.
To configure NetFlow on the third-party collector, go to our Integration Guides or the documentation provided by your NetFlow collector service.
Flows and Flow Records
A net flow, or flow, consists of packets that share these attributes:
- Interface
- Source IP address
- Destination IP address
- IP protocol
- Source port
- Destination port
- Type of Service (ToS)
The Firebox exports a flow record to the collector after the flow terminates. A flow record contains granular information about the flow, which includes:
- Time stamps for the start and end of the flow
- Number of bytes and packets in the flow
- Input and output interface index
- Layer 3 header information
- Layer 3 routing information
A flow can terminate either normally or abnormally. A flow terminates normally if:
- New traffic appears for a flow, which resets the aging timer
- The TCP session terminates
- The flow exceeds the Active Flow Timeout value
The Active Flow Timeout is the amount of time a long-lived active connection is tracked before the flow terminates and its record is exported. In the Firebox NetFlow configuration, we recommend that you specify an Active Flow Timeout value that is lower than the Active Flow Timeout value on the collector. This helps to avoid data loss: if the Active Flow Timeout value is lower on the collector, the collector might stop listening for a flow while the Firebox is still sending data for it.
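The following flow-cache model is an added example and is not WatchGuard code or a description of Fireware internals. It shows how the flow key listed above groups packets into flows, how each flow accumulates the counters and time stamps that end up in a flow record, and the three normal termination paths: TCP session end, the aging (inactive) timer, and the Active Flow Timeout. The timeout values, the packet trace and the `inactive_timeout` name are constructed for illustration; the Firebox does not expose its aging timer as a setting.

```python
"""Flow-cache model: how packets become flows and when a flow record is exported."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A flow key is the set of attributes the article lists as shared by every packet
# of one flow: interface, source/destination IP, protocol, source/destination port, ToS.
FlowKey = Tuple[int, str, str, int, int, int, int]

TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class Flow:
    key: FlowKey
    first_seen: float   # time stamp of the first packet in the flow
    last_seen: float    # time stamp of the most recent packet
    packets: int = 0
    octets: int = 0


@dataclass
class FlowRecord:
    """What the exporter sends to the collector once the flow terminates."""
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int
    octets: int
    reason: str         # why the flow terminated (illustration only; not a NetFlow field)


class FlowCache:
    """Hypothetical exporter flow table; timeout names follow the article, values are assumed."""

    def __init__(self, active_timeout: float, inactive_timeout: float) -> None:
        self.active_timeout = active_timeout      # the article's Active Flow Timeout
        self.inactive_timeout = inactive_timeout  # aging timer for idle flows (assumed value)
        self.flows: Dict[FlowKey, Flow] = {}
        self.exported: List[FlowRecord] = []

    def _export(self, key: FlowKey, reason: str) -> None:
        f = self.flows.pop(key)
        self.exported.append(FlowRecord(key, f.first_seen, f.last_seen, f.packets, f.octets, reason))

    def expire(self, now: float) -> None:
        """Terminate flows whose active timeout or aging timer has run out."""
        for key, f in list(self.flows.items()):
            if now - f.first_seen >= self.active_timeout:
                self._export(key, "active_timeout")
            elif now - f.last_seen >= self.inactive_timeout:
                self._export(key, "inactive_timeout")

    def observe(self, ts: float, ifindex: int, src: str, dst: str, proto: int,
                sport: int, dport: int, tos: int, length: int, tcp_flags: int = 0) -> None:
        """Account one packet to its flow, creating the flow if it is new."""
        self.expire(ts)
        key: FlowKey = (ifindex, src, dst, proto, sport, dport, tos)
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = Flow(key, ts, ts)
        f.last_seen = ts          # new traffic for the flow resets the aging timer
        f.packets += 1
        f.octets += length
        if proto == TCP and tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp_session_end")   # the TCP session terminated


def exporter_timeout_ok(firebox_active_timeout: float, collector_active_timeout: float) -> bool:
    """The article's recommendation: the Firebox value must be lower than the collector's."""
    return firebox_active_timeout < collector_active_timeout


def demo() -> FlowCache:
    """Run a constructed packet trace (sample values, not captured traffic)."""
    cache = FlowCache(active_timeout=60.0, inactive_timeout=15.0)
    trace = [
        # (ts, ifindex, src, dst, proto, sport, dport, tos, length, tcp_flags)
        (0.0, 3, "10.0.1.20", "203.0.113.10", TCP, 51000, 443, 0, 60, 0x02),    # SYN
        (0.2, 3, "10.0.1.20", "203.0.113.10", TCP, 51000, 443, 0, 1200, 0x18),  # PSH+ACK
        (0.5, 3, "10.0.1.20", "203.0.113.10", TCP, 51000, 443, 0, 52, 0x11),    # FIN+ACK ends flow
        (1.0, 3, "10.0.1.21", "10.0.1.1", UDP, 40000, 53, 0, 80, 0),            # single DNS query
        (30.0, 3, "10.0.1.22", "203.0.113.9", TCP, 52000, 8443, 0, 500, 0x18),  # long session starts
        (40.0, 3, "10.0.1.22", "203.0.113.9", TCP, 52000, 8443, 0, 500, 0x18),
        (95.0, 3, "10.0.1.22", "203.0.113.9", TCP, 52000, 8443, 0, 500, 0x18),  # past Active Flow Timeout
    ]
    for pkt in trace:
        cache.observe(*pkt)
    return cache


if __name__ == "__main__":
    for rec in demo().exported:
        print(rec.reason, rec.key, rec.packets, rec.octets)
```

Running `demo()` exports three records: the HTTPS flow on its FIN, the DNS flow when its aging timer expires, and the long session when it crosses the 60-second Active Flow Timeout; the packet at 95 seconds then starts a fresh flow for the same key, which is why a collector with a shorter active timeout than the exporter can drop or mis-attribute the tail of a long connection.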
To monitor IPv6 traffic and to see post-NAT IP addresses in flow records, you must use NetFlow version 9 (V9). IP addresses for NAT and NAT-T (NAT traversal) events appear in flow records only if you select V9 in the Firebox NetFlow configuration.
In the flow record, X-Src and X-Dst indicate the source and destination post-NAT addresses. You can use NAT events to identify which devices on the local network generated traffic.
Supported Network Types
Physical, VLAN, bridge, wireless, and link aggregation networks are supported in all zones (External, Internal, and Guest). If a physical network receives only tagged VLAN packets, that network does not appear in the list of networks in the NetFlow configuration. The network that corresponds to those tagged VLAN packets appears instead. BOVPN virtual networks and loopback networks are not supported.
Security Considerations
The Firebox sends flow records to the collector over UDP. The information in a flow record is sent in clear text. There is no authentication between the Firebox and the collector, and the transport is not encrypted.
Make sure the network between the Firebox and the collector is trusted. If the NetFlow traffic must traverse a less secure network or the Internet, we recommend that you use a VPN to protect the NetFlow data.
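The decoder below is an added example of what a collector does with the datagrams this page describes; it is not WatchGuard code and does not reproduce the exact template a Firebox emits. It parses a NetFlow v9 export (RFC 3954 header, a template flowset, a data flowset) and maps the field types to the flow-record contents listed above, including the post-NAT X-Src and X-Dst addresses; the numbers 225 and 226 for those two fields are the IPFIX post-NAT information elements, not values from this page. It also shows the one check a collector can make on UDP NetFlow, an exporter allowlist, and why that check is only a sanity check given the lack of authentication. The datagram is constructed inline with sample addresses.

```python
"""Decode a NetFlow v9 export datagram (RFC 3954) the way a collector would."""
import ipaddress
import struct
from typing import Dict, List, Tuple

Template = List[Tuple[int, int]]                 # [(field type, field length), ...]
TemplateCache = Dict[Tuple[int, int], Template]  # keyed by (source id, template id)

# RFC 3954 field types for the flow-record contents the article lists. 225/226 are the
# IPFIX post-NAT address elements carried in NAT event exports (the article's X-Src/X-Dst).
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
    225: "X_SRC_ADDR", 226: "X_DST_ADDR",
}
IPV4_FIELDS = {8, 12, 225, 226}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, sequence, sourceId


def accept_exporter(src_ip: str, allowed_exporters: set) -> bool:
    """Collector-side allowlist. NetFlow over UDP carries no authentication, so a matching
    source address is a sanity check, not proof of origin; the trusted network or VPN the
    article recommends is what actually protects the data."""
    return ipaddress.ip_address(src_ip) in {ipaddress.ip_address(a) for a in allowed_exporters}


def parse_v9(payload: bytes, templates: TemplateCache) -> List[Dict[str, object]]:
    """Parse one datagram: learn templates into `templates`, return decoded data records."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated NetFlow header")
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(payload, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 datagram (version {version})")
    records: List[Dict[str, object]] = []
    offset = HEADER.size
    while offset + 4 <= len(payload):
        flowset_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4 or offset + length > len(payload):
            raise ValueError("bad flowset length")
        body = payload[offset + 4: offset + length]
        if flowset_id == 0:                       # template flowset: learn record layouts
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                               for i in range(nfields)]
                pos += 4 * nfields
        elif flowset_id >= 256:                   # data flowset: decode with its template
            fields = templates.get((source_id, flowset_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len == 0:                      # template not seen yet: RFC 3954 says drop
                offset += length
                continue
            pos = 0
            while pos + rec_len <= len(body):     # trailing bytes shorter than a record are padding
                rec: Dict[str, object] = {}
                for ftype, flen in fields:
                    raw = body[pos: pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in IPV4_FIELDS
                                 else int.from_bytes(raw, "big"))
                records.append(rec)
        # flowset id 1 (options template) and 2..255 (reserved) are skipped here
        offset += length
    return records


def build_sample_datagram(include_template: bool = True) -> bytes:
    """Constructed exporter output (sample values, not a capture): template id 256 and two
    data records, the first of them NATed through a hypothetical external address."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (14, 2),
              (1, 4), (2, 4), (22, 4), (21, 4), (225, 4), (226, 4)]        # 42 bytes per record
    tmpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", t, n) for t, n in layout)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def ip4(a: str) -> bytes:
        return ipaddress.IPv4Address(a).packed

    def record(src, dst, sport, dport, proto, tos, in_if, out_if, octets, pkts, first, last, xsrc, xdst):
        return (ip4(src) + ip4(dst)
                + struct.pack("!HHBBHHIIII", sport, dport, proto, tos, in_if, out_if, octets, pkts, first, last)
                + ip4(xsrc) + ip4(xdst))

    data = (record("10.0.1.20", "203.0.113.10", 51000, 443, 6, 0, 3, 1, 1312, 3, 100000, 100500,
                   "198.51.100.5", "203.0.113.10")       # X-Src is the post-NAT external address
            + record("10.0.1.21", "10.0.1.1", 40000, 53, 17, 0, 3, 3, 80, 1, 101000, 101000,
                     "10.0.1.21", "10.0.1.1"))           # no NAT: X-Src/X-Dst equal the originals
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data   # 88 bytes, already 4-byte aligned
    count = (1 if include_template else 0) + 2
    header = HEADER.pack(9, count, 100600, 1700000000, 1, 1)
    return header + (tmpl_set if include_template else b"") + data_set
```

Two points the decoder makes concrete: data flowsets that arrive before their template cannot be decoded and are dropped (so a collector restarted mid-stream silently loses records until the Firebox resends the template), and the X-Src value in the first record is what lets you tie a NATed public-side connection back to the internal host that generated it.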
Performance Considerations
Because of the resources required to collect and record flows, NetFlow can decrease the throughput and connection rate of your Firebox. To reduce performance impacts, limit the number of networks that you monitor.
For large-scale enterprise networks, or if the Firebox is under significant load, you can also consider Sampling Mode. In Sampling Mode, the Firebox randomly selects 1 out of every X packets to inspect. For example, if you specify a sampling rate of 100, the Firebox samples 1 out of every 100 packets.
Sampling Mode is less accurate because it captures only a subset of packets. For this reason, we do not recommend Sampling Mode for small networks.
FireCluster Support
On a FireCluster, NetFlow operates on the active cluster member only. Communication between FireCluster members is not monitored.