Firebox NetFlow and Plixer Scrutinizer Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

Integration Summary

The hardware and software used to complete the steps outlined in this document include:

  • Plixer
    • Scrutinizer v18.7.30.80260
  • WatchGuard Firebox
    • Installed with Fireware v12.3 or higher

Test Topology

This diagram shows a typical NetFlow topology.

Diagram of a typical NetFlow topology

Before You Begin

Make sure your Plixer Scrutinizer services are running and your Firebox has Fireware v12.3 or higher.

Configure Your Firebox for Plixer Scrutinizer

You must configure your Firebox as a NetFlow exporter and specify connection settings for the NetFlow collector.

To configure your Firebox as a NetFlow exporter, from Fireware Web UI:

  1. Select System > NetFlow.
  2. Select Enable NetFlow.
  3. For the Protocol Version, select V5.
  4. In the Collector Address text box, type the IP address of the NetFlow collector.
  5. In the Port text box, type 9995.
    You can also type 2055, 2056, 4432, 4739, 9996, or 6343, if you configured Plixer Scrutinizer to use one of these ports.
    The Firebox must be able to communicate with the NetFlow collector at the specified IP address and port with the UDP protocol.
  6. In the Active Flow Timeout text box, type 10.
    The Active Flow Timeout setting segments your flow into small flows based on the value you specify. We recommend that you specify an Active Flow Timeout value that is lower than the Active Flow Timeout value on the collector. This helps to avoid data loss. If the Active Flow Timeout value is lower on the collector, the collector might stop listening while the Firebox is sending data.
  7. Keep the Sampling Mode disabled.
  8. To enable NetFlow for an interface, select the check box adjacent to that interface.
    If you have many interfaces, use the Interface Name search box or select an option from the Type or Zone drop-down lists to find an interface quickly.
  9. To select all interfaces, select the check box adjacent to the Interface Name text box.
  10. To monitor outbound traffic generated by the Firebox itself, select Firebox.
  11. Click Save.

Screen shot of the NetFlow configuration

For more information about NetFlow on the Firebox, see About NetFlow and Configure NetFlow in Fireware Help.

Verify the Plixer Scrutinizer Server Status

After you configure the Firebox, you must verify the status of your Plixer Scrutinizer servers.

To see the status of the Scrutinizer servers:

  1. Log in to your Plixer Scrutinizer web console with your administrator account.
  2. Make sure all the status icons for Scrutinizer servers are green.

Screen shot of the Plixer Scrutinizer server status

Test the Integration

After you configure NetFlow on the Firebox, Plixer Scrutinizer shows data from the Firebox.

To see NetFlow information from the Firebox, in Plixer Scrutinizer:

  1. Select Dashboards.
  2. Select Flow Expert (Read-only).
    Firebox data appears.

Screen shot of the Plixer Scrutinizer dashboard

Screen shot of the Plixer Scrutinizer Top Hosts list