Rebasoft Support

Rebasoft operates UK business hours (8:30-17:30 x 5 days / week excluding UK bank holidays).

Access Ticket Portal

View Support Policy

Rebasoft Wiki

Repository of technical information covering installation, configuration and other useful advice. The wiki also lists the latest downloads and release information. Rebasoft recommends checking the wiki before raising a ticket, to see whether an issue has already been addressed in an article or a newer software release.

Netflow Configuration

Please find below some configuration examples and links to vendor documentation that will help you configure flow exports to your Rebasoft Application Auditor server. Please note that you will need the corresponding receiver configured for the port to which you export your flow information.

Blue Coat Checkpoint Firewall
Example configuration:

active-timeout seconds
collector ip ip_address port port_number
enable-acl
enable-flows
export-format
inactive-timeout seconds
srcaddr ip_address
Cisco ASA Firewall
You will need to define a service policy pointing the flow data to the analyzer server. The flow-export destination itself (interface, collector IP and port) is defined as a separate global command before the policy references it. The below assumes your ASA is still using the default global policy.
Example configuration:

policy-map global_policy
class class-default
flow-export event-type all destination x.x.x.x

Cisco Router (Cisco IOS)
Example configuration:

Enable Cisco Express Forwarding:
router(config)# ip cef

In the configuration terminal on the router, issue the following to start NetFlow Export.

It is necessary to enable NetFlow on all interfaces through which the traffic you are interested in will flow. Then verify that the router is generating flow statistics with ‘show ip cache flow’. Note that for routers with distributed switching (GSRs, 75XXs) the Rendezvous Point CLI will only show flows that made it up to the RP. To see flows on the individual line cards, use the ‘attach’ or ‘if-con’ command and issue ‘show ip cache flow’ on each LC.

Enable export of these flows with the global commands. ‘ip flow-export source’ can be set to any interface, but one that is least likely to enter a ‘down’ state is preferable: NetFlow will not be exported while the specified source is down. For this reason, we suggest the Loopback interface or a stable Ethernet interface:

router(config)# ip flow-export version 5
router(config)# ip flow-export destination ip_address port_number
router(config)# ip flow-export source FastEthernet0

Use the IP address of your NetFlow Collector and configured listening port.

If your router runs BGP, you can include AS numbers in the exports with the command:

router(config)# ip flow-export version 5 [peer-as | origin-as]

The following commands break up flows into shorter segments:

router(config)# ip flow-cache timeout active 1
router(config)# ip flow-cache timeout inactive 15

Use the commands below to enable NetFlow on each physical interface (i.e. not VLANs and tunnels, as they are included automatically) from which you want to collect flows. This will normally be an Ethernet or WAN interface. You may also need to set the speed of the interface in kilobits per second; it is especially important to set the speed for Frame Relay or ATM virtual circuits.

router(config)# interface interface_name
router(config-if)# ip route-cache flow
router(config-if)# bandwidth kilobits

Write the configuration with the ‘write’ or ‘copy run start’ command.
In privileged (enable) mode, you can see the current NetFlow configuration and state with the following commands:

router# show ip flow export
router# show ip cache flow
router# show ip cache verbose flow
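
Once ‘show ip flow export’ reports datagrams leaving the router, the remaining question is whether they arrive, intact, on the collector port. The following Python receiver is an added example (not Rebasoft's code or a Cisco tool): it binds the configured UDP port, parses the 24-byte NetFlow v5 header and its 48-byte records, and discards truncated or non-v5 datagrams; port 2055 is an assumption and the sample datagram is constructed.

```python
"""Minimal NetFlow v5 receiver/parser for checking that an exporter's flows arrive."""
import socket
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24-byte packet header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int

@dataclass
class V5Packet:
    sequence: int            # flow_sequence: gaps here mean lost export datagrams
    sampling_interval: int   # 0 when the exporter is not sampling
    records: List[FlowRecord]

def parse_v5(datagram: bytes) -> V5Packet:
    """Parse one NetFlow v5 datagram, rejecting anything malformed or truncated."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"header announces {count} records ({expected} bytes), got {len(datagram)} bytes")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(src=str(IPv4Address(f[0])), dst=str(IPv4Address(f[1])),
                                  proto=f[13], sport=f[9], dport=f[10],
                                  packets=f[5], octets=f[6], tcp_flags=f[12]))
    # low 14 bits of the sampling field hold the interval, the top 2 bits the mode
    return V5Packet(sequence=seq, sampling_interval=sampling & 0x3FFF, records=records)

def build_sample_datagram() -> bytes:
    """Constructed test datagram (two flows), not a capture from a real device."""
    header = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
    https = V5_RECORD.pack(IPv4Address("10.1.1.10").packed, IPv4Address("192.0.2.5").packed, bytes(4),
                           1, 2, 10, 1500, 1000, 2000, 51515, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    dns = V5_RECORD.pack(IPv4Address("10.1.1.11").packed, IPv4Address("10.1.1.1").packed, bytes(4),
                         1, 0, 1, 76, 1000, 1000, 50000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + https + dns

def listen(port: int = 2055) -> None:
    """Bind the collector port (assumed 2055) and print each parsed flow; Ctrl-C to stop."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (exporter, _) = sock.recvfrom(65535)
            try:
                pkt = parse_v5(data)
            except ValueError as err:
                print(f"{exporter}: discarded datagram: {err}")
                continue
            for r in pkt.records:
                print(f"{exporter} seq={pkt.sequence} {r.src}:{r.sport} -> {r.dst}:{r.dport} "
                      f"proto={r.proto} pkts={r.packets} bytes={r.octets}")

if __name__ == "__main__":
    listen()
```

A jump in the printed sequence number between consecutive datagrams from the same exporter indicates export loss between router and collector.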

Catalyst 4000 series in Hybrid or Native Mode
Example configuration:

Configure the switch the same as an IOS device, but instead of the command
‘ip route-cache flow’ use the command ‘ip route-cache flow infer-fields’

This series requires a Supervisor Engine IV with a NetFlow Services daughter card to support NDE.

Catalyst switch – non-4000 series
If you are running CatOS:
Example configuration:

Router side:

Enter the following global commands.

ip flow-export source interface_name
ip flow-export version 5
ip flow-export destination ip_address port_number
ip flow-cache timeout active 1

Enter the following command on each physical interface. You will need to log into each interface one at a time.
ip route-cache flow

Switch side:
set mls nde
set mls nde version 5
set mls flow full
set mls agingtime long 128
set mls agingtime 64
set mls bridged-flow-statistics enable
set mls nde enable

If not running CatOS
Enter the following global commands (all commands are entered in router configuration mode, i.e. after ‘config t’).

ip flow-export source interface_name
ip flow-export version 5
ip flow-export destination ip_address port_number
ip flow-cache timeout active 1
mls nde sender version 5
mls flow ip interface-full
mls nde interface
mls aging long 64
mls aging normal 64

Enter the following command on each physical interface. You will need to log into each interface one at a time.
ip route-cache flow

Cisco 4605 series – daughter card configured with VLANs
Example configuration:

In this example, the bandwidth needs to be set explicitly at the VLAN:

ip route-cache flow infer-fields
ip flow ingress infer-fields

Cisco 7600 router
Example configuration:

If you plan to export NetFlow statistics, globally enable NDE on the router by issuing the following commands:
configure terminal
ip flow-export destination ip_address port_number
ip flow-export version version_number
mls nde sender version version_number
Enable NetFlow on individual interfaces by issuing the following commands:
configure terminal
interface interface_name
ip flow ingress
(Optional) To configure NetFlow sampling, do the following:
Enable sampled NetFlow globally on the router (mls sampling).
Enable sampled NetFlow on individual interfaces (mls netflow sampling).
Verify the NDE configuration to ensure that it does not conflict with other features such as QoS or multicast. Use the show ip interface command to verify the configuration.
These and other related commands can be found in the Cisco 7600 Series Cisco IOS Software Configuration Guide.

Cisco ASR 1000
Example configuration:

Enabling High-Speed Logging for Global Parameter Maps
The following example shows how to enable logging of dropped packets, and to log error messages in NetFlow Version 9 format to an external IP address:

Device# configure terminal
Device(config)# parameter-map type inspect global
Device(config-profile)# log dropped-packets
Device(config-profile)# log flow-export v9 udp destination 10.0.2.0 5000
Device(config-profile)# log flow-export template timeout-rate 5000
Device(config-profile)# end

Enabling High-Speed Logging for Firewall Actions
The following example shows how to configure high-speed logging (HSL) for inspect-type parameter-map parameter-map-hsl.

Device# configure terminal
Device(config)# parameter-map type inspect parameter-map-hsl
Device(config-profile)# audit trail on
Device(config-profile)# alert on
Device(config-profile)# one-minute high 10000
Device(config-profile)# tcp max-incomplete host 100
Device(config-profile)# exit
Device(config)# policy-map type inspect policy-map-hsl
Device(config-pmap)# class type inspect class-map-tcp
Device(config-pmap-c)# inspect parameter-map-hsl
Device(config-pmap-c)# end

Cisco ASR 9000
Exporter Map:
Example configuration:

To configure the Exporter map, you need to define the destination (flow collector), the source interface, the port used for exporting, the version of NetFlow, and the timeout rates.

router(config)# flow exporter-map NAME
router(config-fem)# destination 10.1.1.5
router(config-fem)# source gi0/0
router(config-fem)# transport udp 2055
router(config-fem)# version v9
router(config-fem)# template data timeout 60
router(config-fem)# options interface-table timeout 60
router(config-fem)# exit

Sampler Map:

The Sampler map defines the sample rate. The default for the ASR series is 10000; there is no default for the XR 12000, but a sample value of 10000 is recommended for optimal performance.

router(config)# sampler-map NAME
router(config-sm)# random 1 out-of 10000
router(config-sm)# exit

Flow Monitor Map:

The Flow Monitor map defines the cache timeout values and associates the exporter map with this map.

router(config)# flow monitor-map NAME
router(config-fmm)# record ipv4
router(config-fmm)# exporter NAME
router(config-fmm)# cache timeout active 60
router(config-fmm)# cache timeout inactive 15
router(config-fmm)# exit

Apply the maps to the interfaces

Now that you have your maps defined, you need to apply the Flow Monitor and Sampler maps to each of your active interfaces:

router(config)# interface Gi0/0
router(config-if)# flow ipv4 monitor NAME sampler NAME ingress
router(config-if)# exit
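
The v9 exporter above (like the ‘template data timeout’ settings used elsewhere on this page) sends templates separately from data, and a collector cannot decode a data flowset until it has the template for that exporter's source id; until the next template refresh those records are lost. The following Python decoder is an added example, not part of this page or any vendor's software, showing that behaviour: template id 256, source id 7 and the single sample flow are constructed values.

```python
"""Decode NetFlow v9 exports, whose data records cannot be read until their template has arrived."""
import struct
from typing import Dict, List, Tuple

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, sequence, sourceId
FLOWSET_HDR = struct.Struct("!HH")     # flowset id, flowset length (including this header)
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def _decode_field(ftype: int, raw: bytes):
    if ftype in (8, 12):                       # IPv4 addresses
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")

class V9Decoder:
    def __init__(self) -> None:
        # templates are scoped per exporter: keyed by (source_id, template_id)
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.undecodable = 0   # data flowsets that arrived before their template

    def feed(self, datagram: bytes) -> List[dict]:
        """Consume one v9 datagram; returns the flow records it could decode."""
        version, _count, _up, _secs, _seq, source_id = V9_HEADER.unpack_from(datagram, 0)
        if version != 9:
            raise ValueError(f"expected NetFlow version 9, got {version}")
        records: List[dict] = []
        off = V9_HEADER.size
        while off + FLOWSET_HDR.size <= len(datagram):
            fs_id, fs_len = FLOWSET_HDR.unpack_from(datagram, off)
            if fs_len < FLOWSET_HDR.size or off + fs_len > len(datagram):
                raise ValueError("flowset length runs past the datagram")
            body = datagram[off + FLOWSET_HDR.size:off + fs_len]
            if fs_id == 0:                      # template flowset
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                  # data flowset; its id names the template
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len                       # ids 1-255 (options templates) are skipped here
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            if tid < 256:                       # trailing padding, not a template
                break
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id: int, tid: int, body: bytes) -> List[dict]:
        template = self.templates.get((source_id, tid))
        if template is None:
            self.undecodable += 1               # nothing to do but wait for the next template refresh
            return []
        rec_len = sum(flen for _, flen in template)
        out, pos = [], 0
        while rec_len and pos + rec_len <= len(body):   # any shorter tail is 4-byte padding
            rec = {}
            for ftype, flen in template:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out

def build_sample_packets() -> Tuple[bytes, bytes]:
    """Constructed template and data datagrams from source id 7 (not a real capture)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]          # one 17-byte record
    tpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_pkt = V9_HEADER.pack(9, 1, 5000, 1700000000, 1, 7) + FLOWSET_HDR.pack(0, 4 + len(tpl_body)) + tpl_body
    record = bytes([10, 1, 1, 10]) + bytes([192, 0, 2, 5]) + struct.pack("!HHBI", 51515, 443, 6, 1500)
    data_body = record + bytes(3)                                        # padded to a 4-byte boundary
    data_pkt = V9_HEADER.pack(9, 1, 5100, 1700000001, 2, 7) + FLOWSET_HDR.pack(256, 4 + len(data_body)) + data_body
    return template_pkt, data_pkt
```

Feeding the data datagram before the template increments ‘undecodable’ and yields nothing; once the template has been seen, the same datagram decodes to one flow.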

Cisco Catalyst 2960-X
Example configuration:

The 2960x uses flow sampling without any form of packet capture. There are two types of possible NetFlow Lite sampling configurations on the 2960x:

Deterministic Sampling
Random Sampling
Deterministic Sampling
Deterministic samplers sample packets exactly as specified (i.e. the first flow out of every 100 flows). Deterministic samplers can only be applied on up to 4 interfaces. For this reason, we decided to configure random sampling.

Random Sampling
Random sampling samples a random flow out of every X flows. The maximum sample rate for both Deterministic and Random is 1 out-of 32. It is not limited to 4 interfaces like Deterministic sampling.

In the configuration below we used Random sampling. The random sampler is configured to randomly sample 1 out of every 100 flows on the interfaces it was applied to.

Setting up NetFlow Lite on the 2960x:

Step 1: create a flow record
flow record flows
match datalink mac source address input
match datalink mac destination address input
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect interface input
collect flow sampler

‘long’ is specified below because the 2960x supports 64-bit counters:
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last

Step 2: create a flow exporter
flow exporter export-to-inside
description flexible NF v9
destination 10.1.1.1
source Vlan7
transport udp 2055
template data timeout 60

export option templates
option interface-table
option exporter-stats
option sampler-table

Step 3: create a flow monitor
flow monitor nftest
record flows
exporter export-to-inside
cache timeout active 60
statistics packet protocol

The random sampler referenced by the monitor is defined as follows:
sampler my-random-sampler
mode random 1 out-of 100

Step 4: apply the flow monitor ‘nftest’ to each interface with the defined sampler ‘my-random-sampler’. ‘input’ is for ingress; egress was not supported in this release…
interface GigabitEthernet1/0/1
ip flow monitor nftest sampler my-random-sampler input

interface GigabitEthernet1/0/2
ip flow monitor nftest sampler my-random-sampler input

interface GigabitEthernet1/0/3
ip flow monitor nftest sampler my-random-sampler input

interface GigabitEthernet1/0/4
ip flow monitor nftest sampler my-random-sampler input

Repeat the above for all the interfaces.

interface GigabitEthernet1/0/50
ip flow monitor nftest sampler my-random-sampler input
switchport mode access

interface TenGigabitEthernet1/0/1
interface TenGigabitEthernet1/0/2

Cisco Catalyst 3750 with a 3KX module
Vendor Link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/nfswitch.html#wp1014923

Cisco Catalyst 3850
Vendor Link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg.pdf

Cisco Catalyst 4948E Switch
Example configuration:

netflow-lite exporter check !naming the exporter ‘check’
transport udp 2055 !starting UDP port the NetFlow-lite export will be destined to
transport udp load-share 16 !port 2055-2070 will be used for load balancing
template data timeout 60 !specifies template data timeout
options sampler-table timeout 60 !specifies an option timeout
source 9.9.9.10 !IP address where NetFlow-lite data is sourced
destination 9.9.9.1 !IP address of the nProbe aggregator
export-protocol ipfix !export format (NetFlow-v9 or IPFIX)

netflow-lite sampler check !naming the sampler “check”
packet-rate 32 !sample 1 in every 32 packets
packet-section size 64 !sample the first 64 bytes from the packet
packet-offset 0 !the offset from the beginning of the data field is Zero

interface GigabitEthernet1/1
no switchport !specifies whether the port is a L3 port or a switch (L2) port
ip address 40.40.40.1 255.255.255.0 !ip address of the interface
netflow-lite monitor 1 !define a netflow-lite monitor
sampler check !tie the sampler “check” to monitor 1
exporter check !tie the exporter “check” to monitor 1

Cisco Catalyst 6500/6000 Series Switch
Vendor Link:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/70974-netflow-catalyst6500.html

Cisco Nexus Series 1000
Example configuration:

Create a Flow Exporter
The default flow export port used is 9995.

flow exporter flow_export_scrutinizer
description Export NetFlow to Scrutinizer
destination 10.10.91.77
source mgmt0
version 9
template data timeout 300
option exporter-stats timeout 60
option interface-table timeout 3600

Create a Flow Monitor

Create a flow monitor called v9_standard. The monitor is applied to individual interfaces or port-profiles. The flow monitor includes a defined flow exporter, a flow record (netflow-original in this case), a timeout and a cache size.

flow monitor v9_standard
description in_out_traffic
record netflow-original
exporter flow_export_scrutinizer
timeout active 60
cache size 4096

Map the Flow Monitor

Finally, you need to apply your monitor to an interface or a port-profile. In this instance, as port-profiles are used extensively, we applied the monitor to the profiles.

port-profile type vethernet 72-General-Server
description VLAN 72 General Servers
vmware port-group VLAN-72-General-Server
vmware max-ports 480
switchport mode access
switchport access vlan 72
ip flow monitor v9_standard input
ip flow monitor v9_standard output
no shutdown
state enabled
port-profile type vethernet 78-General-Server
description VLAN 78 General Servers
vmware port-group VLAN-78-General-Server
vmware max-ports 240
switchport mode access
switchport access vlan 78
ip flow monitor v9_standard input
ip flow monitor v9_standard output
no shutdown
state enabled
port-profile type vethernet 79-Exchange-Server
description VLAN 79 Exchange Servers
vmware port-group VLAN-79-Exchange-Server
vmware max-ports 240
switchport mode access
switchport access vlan 79
ip flow monitor v9_standard input
ip flow monitor v9_standard output
no shutdown
state enabled
port-profile type vethernet 86-Enterprise-Servers
description VLAN 86 Enterprise Servers
vmware port-group VLAN-86-Enterprise-Server
vmware max-ports 240
switchport mode access
switchport access vlan 86
ip flow monitor v9_standard input
ip flow monitor v9_standard output
no shutdown
state enabled
port-profile type vethernet 88-Oracle-Servers
description VLAN 88 Oracle Servers
vmware port-group VLAN-88-Oracle-Server
vmware max-ports 240
switchport mode access
switchport access vlan 88
ip flow monitor v9_standard input
ip flow monitor v9_standard output
no shutdown

Below you can see examples of virtual interface definitions and which port profile they are using:

interface Vethernet1
inherit port-profile 72-General-Server
description oit-isa1as64w8k, Network Adapter 1
vmware dvport 2112
interface Vethernet2
inherit port-profile 72-General-Server
description oit-isa1ascwtst, Network Adapter 1
vmware dvport 2124
interface Vethernet3
inherit port-profile 72-General-Server
description oit-isa1asw8kts, Network Adapter 1
vmware dvport 2142
interface Vethernet4
inherit port-profile 72-General-Server
description oit-isa1asw2kvm, Network Adapter 1
vmware dvport 2144
interface Vethernet5
inherit port-profile 72-General-Server
description oit-isa1ascogt1, Network Adapter 1
vmware dvport 2125
interface Vethernet6
inherit port-profile 72-General-Server
description oit-isa1asinet2, Network Adapter 1
vmware dvport 2118
interface Vethernet7
inherit port-profile 72-General-Server
description DOT0ISA1ASIIS03, Network Adapter 1
vmware dvport 2147
interface Vethernet8
inherit port-profile 72-General-Server
description oit-isa1astdwis, Network Adapter 1
vmware dvport 2149
interface Vethernet10
inherit port-profile 72-General-Server
description oit-isa1trackit, Network Adapter 1
vmware dvport 2146

Cisco Nexus Series 7000
Vendor Link:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_15netflow.html

Cisco Wireless LAN Controller
Example configuration:

Configuring NetFlow (CLI)
• Create an Exporter by entering this command:
config flow create exporter exporter-name ip-addr port-number
• Create a NetFlow Monitor by entering this command:
config flow create monitor monitor-name
• Associate or dissociate a NetFlow Monitor with an Exporter by entering this command:
config flow {add | delete} monitor monitor-name exporter exporter-name
• Associate or dissociate a NetFlow Monitor with a Record by entering this command:
config flow {add | delete} monitor monitor-name record ipv4_client_app_flow_record
• Associate or dissociate a NetFlow Monitor with a WLAN by entering this command:
config wlan flow wlan-id monitor monitor-name {enable | disable}
• See a summary of NetFlow Monitors by entering this command:
show flow monitor summary
• See information about the Exporter by entering this command:
show flow exporter {summary | statistics}
• Configure a debug of NetFlow by entering this command:
debug flow {detail | error | info} {enable | disable}

Juniper Router
Example configuration:

Juniper supports flow exports by sampling packet headers with the routing engine and aggregating them into flows. Packet sampling is achieved by defining a firewall filter to accept and sample all traffic, applying that rule to an interface, and then configuring the sampling forwarding option.

interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                filter {
                    input all;
                    output all;
                }
                address ip_address/prefix_length;
            }
        }
    }
}
firewall {
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 100;
            }
        }
        output {
            cflowd ip_address {
                port port_number;
                version version_number;
            }
        }
    }
}

For more information on configuring Juniper routers, refer to: http://www.juniper.net.

Palo Alto Firewall
Example configuration:

1. Define a NetFlow server profile – this specifies the frequency of the export along with the NetFlow servers that will receive the exported data.
2. Assign the profile to a firewall interface – all traffic flowing over this interface is exported to the specified server(s).

Step 1
To define a NetFlow server profile, navigate to Device > Server Profiles > NetFlow in the GUI. Here you will see the following settings:
Name: Enter a name for the NetFlow settings.
Template Refresh Rate: Specify the number of minutes or number of packets after which the NetFlow template is refreshed (we recommend 1 minute; packets range 1-600, default 20).
Active Timeout: Specify the frequency at which data records are exported for each session (we recommend 1 minute).
Export PAN-OS Specific Field Types: Export PAN-OS specific fields such as App-ID and User-ID in NetFlow records.
Server Name: Specify a name to identify the server.
Server: Specify the host name or IP address of the server.
Port: Specify the port number for server access (default 9996).
Palo Alto NetFlow Servers

Step 2
Once the NetFlow profile is configured, the next step is to assign the profile to a firewall interface. For this, navigate to Network > Interfaces > Ethernet.
Click the link for the interface on the Ethernet tab, then specify the NetFlow Profile.

Riverbed Steelhead Appliance
Example configuration:

(config)# ip flow-export destination ip_address port_number interface interface_name
(config)# ip flow-export enable

Cisco Nexus 3000
Vendor Link:

http://www.cisco.com/en/US/docs/switches/datacenter/nexus3000/sw/system_mgmt/503_U5_1/b_3k_System_Mgmt_Config_503_u5_1_chapter_010010.html

Fortinet Firewall

Example configuration:

To set up sFlow:
Open the Fortinet CLI and enter the following global configs:
config system sflow
set collector-ip 192.168.1.1 (Collector IP)
set collector-port 9996
end

Now that we have sFlow enabled, we need to configure the interfaces:

config sys interface
edit internal
set sflow-sampler enable
set sample-rate 512
set sample-direction both
set polling-interval 60
next
end

HP Procurve Switch 2800 or 5300 series
Example configuration:

HP supports the configuration of sFlow directly on the CLI.
From config mode:
Configure destination collector
sflow <1-3> destination IP-addr udp-port-for-sflow
where 1-3 is the sFlow instance, IP-addr is the address of the Scrutinizer collector, and udp-port-for-sflow is the number of the listening port of the collector.
example: sflow 1 destination 192.168.1.1 6343

Activate Sampling
sflow <1-3> sampling ports-list N
where 1-3 is the sFlow instance, ports-list is the port(s) set up for sFlow (or all), and N is the number of packets between samples (to sample every 100 packets set N to 100).
example: sflow 1 sampling all 100

Activate Polling
sflow <1-3> polling ports-list N
where 1-3 is the sFlow instance, ports-list is the port(s) set up for sFlow (or all), and N is the interval in seconds between counter polls.
example: sflow 1 polling all 60

Save Configuration
write mem

Juniper Switch or Router
Vendor Link:

http://www.juniper.net/techpubs/en_US/junos9.3/topics/task/configuration/sflow-ex-series-cli.html

Juniper EX3200 switch
Example configuration:

The following configuration enables sFlow monitoring of all interfaces on a Juniper EX3200 switch, sampling packets at 1-in-500, polling counters every 30 seconds and sending the sFlow to an analyzer (10.0.0.50) on UDP port 6343 (the default sFlow port).
protocols {
    sflow {
        polling-interval 30;
        sample-rate 500;
        collector 10.0.0.50 {
            udp-port 6343;
        }
        interfaces ge-0/0/0.0;
        interfaces ge-0/0/1.0;
        interfaces ge-0/0/2.0;
        interfaces ge-0/0/3.0;
        interfaces ge-0/0/4.0;
        interfaces ge-0/0/5.0;
        interfaces ge-0/0/6.0;
        interfaces ge-0/0/7.0;
        interfaces ge-0/0/8.0;
        interfaces ge-0/0/9.0;
        interfaces ge-0/0/10.0;
        interfaces ge-0/0/11.0;
        interfaces ge-0/0/12.0;
        interfaces ge-0/0/13.0;
        interfaces ge-0/0/14.0;
        interfaces ge-0/0/15.0;
        interfaces ge-0/0/16.0;
        interfaces ge-0/0/17.0;
        interfaces ge-0/0/18.0;
        interfaces ge-0/0/19.0;
        interfaces ge-0/0/20.0;
        interfaces ge-0/0/21.0;
        interfaces ge-0/0/22.0;
        interfaces ge-0/0/23.0;
    }
}

ZyXEL Appliance
Example configuration:

zyxel(config)# sflow
zyxel(config)# sflow collector x.x.x.x udp-port 6343
zyxel(config)# interface port-channel 1-24
zyxel(config-interface)# sflow collector x.x.x.x poll-interval 20 sampling-rate 256
zyxel(config-interface)# exit
zyxel(config)# exit

3com Router or Switch
Example configuration:

To configure NetStream on a 3Com 5012 router, use the following sample configuration:

ip netstream export source interface interface_name
ip netstream export host ip_address port_number

Then activate NetStream on each specific interface you want to obtain statistics from. For example, on the Serial0/0 interface, use the following command.
interface s0/0
ip netstream inbound

This will export inbound NetStream traffic statistics related to the Serial0/0 interface of the 3Com router to the collector.

Cisco NGA 3240
Vendor Link:

http://www.cisco.com/c/en/us/support/cloud-systems-management/netflow-generation-3000-series-appliances/products-command-reference-list.html

F5 Networks Big-IP System
Vendor Link:

http://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-5-0/8.html

Fortinet switch
Example configuration:

(Config)# ipfix collector 172.16.0.151 port 2055 all
(Config)# ipfix report-timer 60

Juniper SRX Series Gateway
Example configuration:

1. Enable sampling on desired interface(s) and directions:
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output

2. Specify the sampling rate and where to send the J-Flow data:
Specify the sampling rate. Caution: activation of flow collection can have a significant impact on the performance of the SRX device; the smaller the sample rate, the bigger the impact. A sampling input rate of 1 is not recommended.
set forwarding-options sampling input rate 100
Specify the UDP port number of the host collecting cflowd packets:
set forwarding-options sampling family inet output flow-server 192.168.1.5 port 9996
Specify the version format: 5, 8 or 500 (ASN 500):
set forwarding-options sampling family inet output flow-server 192.168.1.5 version 5

Juniper SRX100H
Example configuration:

forwarding-options {
    sampling {
        input {
            rate 1;
            run-length 0;
            max-packets-per-second 50000;
        }
        family inet {
            output {
                flow-active-timeout 60;
                flow-server 192.168.33.38 {
                    port 9996;
                }
                flow-server 192.168.33.96 {
                    port 9996;
                    version 500;
                }
            }
        }
    }
}