In Fireware v12.3 or higher, you can configure the Firebox as a NetFlow exporter to gain more insights into your network traffic. For example, you can use NetFlow data to troubleshoot network performance issues or investigate security concerns. NetFlow is a protocol that is used to collect and analyze IP network traffic.
When you configure NetFlow on your Firebox, you specify which interfaces to monitor. You also specify the IP address of a server known as a collector. The Firebox monitors the selected interfaces and sends streams of data known as net flow records to the collector for analysis. The collector runs a third-party application that uses the NetFlow protocol to record and analyze network traffic. Many third-party applications support the NetFlow protocol. The Firebox itself does not display or analyze flow records.
On the Firebox, you can select to monitor ingress traffic, which is traffic that arrives on an interface. For pass-through traffic, the Firebox monitors bi-directional traffic if you select to monitor both inbound and outbound interfaces. In Fireware v12.5 or higher, you can also select to monitor egress traffic, which is traffic that exits an interface.
You can select to monitor Firebox-generated (self-generated) traffic, which is outbound traffic generated by the Firebox itself. In Fireware v12.5 or higher, you can also select to monitor traffic destined for the Firebox itself.
Physical, VLAN, bridge, wireless, and link aggregation interfaces are supported in all zones (Trusted, External, Optional, and Custom).
For more information about the NetFlow protocol, see RFC 3954.
To configure NetFlow on the Firebox, see Configure NetFlow.
To configure NetFlow on the collector, see our Integration Guides or the documentation provided by your NetFlow collector service.
Flows and Flow Records
A net flow, or flow, consists of packets that share these attributes:
- Source IP address
- Destination IP address
- IP protocol
- Source port
- Destination port
- Type of Service (ToS)
The Firebox exports a flow record to the collector after the flow terminates. A flow record contains granular information about the flow, which includes:
- Time stamps for the start and end of the flow
- Number of bytes and packets in the flow
- Input and output interface index
- Layer 3 header information
- Layer 3 routing information
A flow can terminate either normally or abnormally. A flow terminates normally if:
- New traffic appears for a flow, which resets the aging timer
- The TCP session terminates
- The flow exceeds the Active Flow Timeout value
The Active Flow Timeout is the amount of time an active connection should wait before it terminates. In the Firebox NetFlow configuration, we recommend that you specify an Active Flow Timeout value that is lower than the Active Flow Timeout value on the collector. This helps to avoid data loss. If the Active Flow Timeout value is lower on the collector, the collector might stop listening while the Firebox is sending data. By default, the Active Flow Timeout value on the Firebox is 1,800 seconds.
Fireware supports NetFlow versions V5 and V9. To monitor IPv6 traffic, you must use V9.
To capture traffic that exits an interface, you can select the Egress option in Fireware v12.5 or higher.
For example, if you have an internal switch without NetFlow, enable NetFlow egress on the internal Firebox interface the switch connects to. This captures traffic that exits the internal Firebox interface, which includes traffic sent to the switch.
On the Firebox, if you select both Ingress and Egress for multiple interfaces, be aware that you might collect duplicate NetFlow data.
To avoid duplicate data, select Ingress or Egress, but not both.
The Firebox sends flow records to the collector with UDP. The information in a flow appears in clear text. There is no authentication between the Firebox and the collector, and packet transport is not encrypted.
Make sure the network between the Firebox and the collector is trusted. If the Firebox must traverse a less secure network or the Internet, we recommend that you use a VPN to protect the NetFlow data.
NetFlow can decrease the throughput and connection rate of your Firebox because of the resources required to collect and record flows. To reduce performance impacts, limit the number of interfaces that you monitor.
For large-scale enterprise networks, or if the Firebox is under significant load, you can also consider Sampling mode. In Sampling mode, the Firebox randomly selects 1 out of every n packets to sample. For example, if you specify a Sampling mode of 100, the Firebox samples 1 out of every 100 packets.
Sampling mode is less accurate because not all packets are sampled. For this reason, we do not recommend Sampling mode for small networks.
On an active/passive FireCluster, NetFlow operates on the active cluster member only.
On an active/active FireCluster, NetFlow operates on both cluster members. A flow is only monitored by the cluster member that owns the flow.
Communication between FireCluster members is not monitored.
BOVPN virtual interfaces and loopback interfaces are not supported.
If a physical interface receives only tagged VLAN packets, that interface does not appear in the list of interfaces in the NetFlow configuration. The VLAN interface that corresponds to those tagged VLAN packets appears instead.
You can configure all NetFlow settings except for interface settings in a configuration template.
We provide these guides to help you integrate the Firebox with third-party NetFlow services:
To troubleshoot NetFlow issues, we recommend that you use a packet capture tool to verify the Firebox is sending traffic. If the Firebox is sending traffic, see the documentation provided by your NetFlow collector service to troubleshoot the collector.