Method: Spoofing
Description: Resends the inbound data that is received from flow sources to a secondary destination. To ensure that flow source data is sent to a secondary destination, configure the Monitoring Interface parameter in the flow source configuration to the port on which data is received (management port). When you use a specific interface, the Flow Processor uses a promiscuous mode capture to obtain flow source data, rather than the default UDP listening port on port 2055. As a result, Flow Processor can capture flow source packets and forward the data.
Method: Non-Spoofing
Description: For the non-spoofing method, configure the Monitoring Interface parameter in the flow source configuration as Any. The Flow Processor opens the listening port, which is the port that is configured as the Monitoring Port to accept flow source data. The data is processed and forwarded to another flow source destination. The source IP address of the flow source data becomes the IP address of the JSA system, not the original router that sent the data.
NetFlow
NetFlow is a proprietary accounting technology that is developed by Cisco Systems.
NetFlow monitors traffic flows through a switch or router, interprets the client, server, protocol, and port that is used, counts the number of bytes and packets, and sends that data to a NetFlow collector.
The process of sending data from NetFlow is often referred to as a NetFlow Data Export (NDE). You can configure JSA to accept NDEs and thus become a NetFlow collector. JSA supports NetFlow versions 1, 5, 7, and 9. For more information on NetFlow, see the Cisco web site at http://www.cisco.com.
While NetFlow expands the amount of the network that is monitored, NetFlow uses a connection-less protocol (UDP) to deliver NDEs. After an NDE is sent from a switch or
alerting capabilities. Inaccurate presentations of both traffic volumes and bidirectional flows might result.
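Because NDEs travel over UDP, a collector can only infer loss after the fact. The following Python code is an added example, not part of the JSA documentation or product: it reads the sequence number in the NetFlow version 9 header (RFC 3954) and counts export packets that never arrived. The class and function names, the exporter address 192.0.2.10 and the sample packets are constructed for illustration.

```python
import struct

def v9_header(packet):
    """Return (source_id, sequence) from a NetFlow v9 export packet header."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version, _count, _uptime, _secs, sequence, source_id = struct.unpack_from(
        "!HHIIII", packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    return source_id, sequence

class LossTracker:
    """Counts missed NDEs per (exporter address, source ID) stream.

    Per RFC 3954 the v9 sequence number rises by one per export packet, so a
    jump of n packets ahead means n packets have not arrived. (NetFlow v5 and
    IPFIX count flows or data records instead and need a different calculation.)
    """
    def __init__(self):
        self.streams = {}

    def observe(self, exporter, packet):
        source_id, seq = v9_header(packet)
        s = self.streams.setdefault((exporter, source_id),
                                    {"next": seq, "received": 0, "lost": 0, "late": 0})
        s["received"] += 1
        ahead = (seq - s["next"]) % 2**32   # modular, so a counter wrap is not a gap
        if ahead < 2**31:
            s["lost"] += ahead              # packets skipped before this one
            s["next"] = (seq + 1) % 2**32
        else:                               # behind the window: reordered or duplicate
            s["late"] += 1                  # was already counted in "lost" when skipped
        return s

def sample_packet(seq, source_id=1):
    """Constructed sample: a header-only v9 packet with the given sequence."""
    return struct.pack("!HHIIII", 9, 0, 0, 0, seq % 2**32, source_id)

def replay(sequences, exporter="192.0.2.10"):
    """Feed constructed packets through a tracker and return the final counters."""
    tracker, stats = LossTracker(), None
    for seq in sequences:
        stats = tracker.observe(exporter, sample_packet(seq))
    return stats
```

A steadily rising `lost` count for one exporter is the signal to check the path between that device and the Flow Processor before trusting traffic volumes from it.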
When you configure an external flow source for NetFlow, you must do the following tasks:
• Make sure that the appropriate firewall rules are configured. If you change your External Flow Source Monitoring Port parameter in the Flow Processor configuration, you must also update your firewall access configuration.
• Make sure that the appropriate ports are configured for your Flow Processor.
If you are using NetFlow version 9, make sure that the NetFlow template from the NetFlow source includes the following fields:
• FIRST_SWITCHED
• LAST_SWITCHED
• PROTOCOL
• IPV4_SRC_ADDR
• IPV4_DST_ADDR
• L4_SRC_PORT
• L4_DST_PORT
• IN_BYTES or OUT_BYTES
• IN_PKTS or OUT_PKTS
• TCP_FLAGS (TCP flows only)
IPFIX
Internet Protocol Flow Information Export (IPFIX) is an accounting technology. IPFIX monitors traffic flows through a switch or router, interprets the client, server, protocol, and port that is used, counts the number of bytes and packets, and sends that data to an IPFIX collector.
IBM Security Network Protection XGS 5000, a next generation intrusion protection system (IPS), is an example of a device that sends flow traffic in IPFIX flow format.
The process of sending IPFIX data is often referred to as a NetFlow Data Export (NDE).
IPFIX provides more flow information and deeper insight than NetFlow v9. You can configure JSA to accept NDEs and thus become an IPFIX collector. IPFIX uses User Datagram Protocol (UDP) to deliver NDEs. After an NDE is sent from the IPFIX forwarding device, the IPFIX record might be purged.
To configure JSA to accept IPFIX flow traffic, you must add a NetFlow flow source. The NetFlow flow source processes IPFIX flows by using the same process.
Your JSA system might include a default NetFlow flow source; therefore, you might not be required to configure a NetFlow flow source. To confirm that your system includes a default NetFlow flow source, select Admin > Flow Sources. If default_Netflow is listed in the flow source list, IPFIX is already configured.
When you configure an external flow source for IPFIX, you must do the following tasks:
• Ensure that the appropriate firewall rules are configured. If you change your External Flow Source Monitoring Port parameter in the Flow Processor configuration, you must also update your firewall access configuration. For more information about Flow Processor configuration, see the Juniper Secure Analytics Administration Guide.
• Ensure that the appropriate ports are configured for your Flow Processor.
• Ensure the IPFIX template from the IPFIX source includes the following fields:
    • FIRST_SWITCHED
    • LAST_SWITCHED
    • PROTOCOL
    • IPV4_SRC_ADDR
    • IPV4_DST_ADDR
    • L4_SRC_PORT
    • L4_DST_PORT
    • IN_BYTES or OUT_BYTES
    • IN_PKTS or OUT_PKTS
    • TCP_FLAGS (TCP flows only)
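The required-field lists given above for NetFlow version 9 and for IPFIX can be checked against what an exporter actually sends. The following Python code is an added example, not part of the JSA documentation or product: it parses the template records in one export packet and reports which required fields are missing. The numeric field type IDs come from RFC 3954 and the IPFIX registry; the function names and the sample packet are constructed for illustration.

```python
import struct

# Field type IDs, identical in NetFlow v9 (RFC 3954) and the IPFIX IANA registry.
FIELD_IDS = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS", 7: "L4_SRC_PORT",
             8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
             21: "LAST_SWITCHED", 22: "FIRST_SWITCHED", 23: "OUT_BYTES", 24: "OUT_PKTS"}
# One tuple per required field; two names in a tuple mean "either one".
REQUIRED = [("FIRST_SWITCHED",), ("LAST_SWITCHED",), ("PROTOCOL",),
            ("IPV4_SRC_ADDR",), ("IPV4_DST_ADDR",), ("L4_SRC_PORT",),
            ("L4_DST_PORT",), ("IN_BYTES", "OUT_BYTES"), ("IN_PKTS", "OUT_PKTS")]

def parse_templates(packet):
    """Return {template_id: set of field names} for one v9 or IPFIX packet."""
    version = struct.unpack_from("!H", packet, 0)[0]
    if version not in (9, 10):
        raise ValueError(f"not NetFlow v9 or IPFIX: version {version}")
    # v9: 20-byte header, template FlowSet ID 0; IPFIX: 16-byte header, Set ID 2.
    offset, template_set = (20, 0) if version == 9 else (16, 2)
    templates = {}
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        pos, end = offset + 4, offset + set_len
        if set_len < 4 or end > len(packet):
            raise ValueError("malformed set length")
        while set_id == template_set and pos + 4 <= end:
            tid, count = struct.unpack_from("!HH", packet, pos)
            if tid < 256:                      # padding, not a template record
                break
            pos, names = pos + 4, set()
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("template runs past its set")
                ftype = struct.unpack_from("!H", packet, pos)[0]
                pos += 8 if ftype & 0x8000 else 4  # IPFIX enterprise fields add 4 bytes
                names.add(FIELD_IDS.get(ftype, f"type_{ftype}"))
            templates[tid] = names
        offset = end
    return templates

def missing_fields(names, tcp=True):
    """List required fields absent from a template; TCP_FLAGS only if tcp."""
    groups = REQUIRED + ([("TCP_FLAGS",)] if tcp else [])
    return [" or ".join(g) for g in groups if not names & set(g)]

def build_v9(templates):  # constructed sample: a v9 packet with one template FlowSet
    body = b"".join(struct.pack("!HH", *pair) for tid, f in templates.items()
                    for pair in [(tid, len(f))] + [(t, 4) for t in f])
    return struct.pack("!HHIIIIHH", 9, len(templates), 0, 0, 1, 0, 0, 4 + len(body)) + body
SAMPLE = build_v9({256: [22, 21, 4, 8, 12, 7, 11, 1, 2, 6], 257: [22, 4, 8, 12, 7, 11, 2]})
```

Run `missing_fields` on each entry of `parse_templates(SAMPLE)`: template 256 is complete, while template 257 lacks LAST_SWITCHED, a byte counter and TCP_FLAGS.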
sFlow
sFlow is a multi-vendor and user standard for sampling technology that provides continuous monitoring of application level traffic flows on all interfaces simultaneously.
sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. JSA supports sFlow versions 2, 4, and 5.
sFlow traffic is based on sampled data and, therefore, might not represent all network traffic. For more information, see the sFlow web site at www.sflow.org.
sFlow uses a connection-less protocol (UDP). When data is sent from a switch or router, the sFlow record is purged. Because UDP is used to send this information and does not guarantee the delivery of data, sFlow recording can be inaccurate and alerting capabilities reduced.
Inaccurate presentations of both traffic volumes and bidirectional flows might result.
When you configure an external flow source for sFlow, you must do the following tasks:
• Make sure that the appropriate firewall rules are configured.
• Make sure that the appropriate ports are configured for your VFlow Collector.
J-Flow
J-Flow is a proprietary accounting technology used by Juniper Networks that allows you to collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on a J-Flow collector. Using J-Flow, you can also enable J-Flow on a router or interface to collect network statistics for specific locations on your network. Note that J-Flow traffic is based on sampled data and, therefore, might not represent all network traffic. For more information on J-Flow, see the Juniper Networks website.
J-Flow uses a connection-less protocol (UDP). When data is sent from a switch or router, the J-Flow record is purged. Because UDP is used to send this information and does not guarantee the delivery of data, J-Flow recording can be inaccurate and alerting capabilities reduced. This can result in inaccurate presentations of both traffic volumes and bidirectional flows.
When you configure an external flow source for J-Flow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Processor.
Packeteer
Packeteer devices collect, aggregate, and store network performance data. After you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to JSA.
Packeteer uses a connection-less protocol (UDP). When data is sent from a switch or router, the Packeteer record is purged. Because UDP is used to send this information and does not guarantee the delivery of data, Packeteer recording can be inaccurate and alerting capabilities reduced. Inaccurate presentations of both traffic volumes and bidirectional flows might occur.
To configure Packeteer as an external flow source, you must do the following tasks:
• Make sure that the appropriate firewall rules are configured.
• Make sure that you configure Packeteer devices to export flow detail records and configure the Flow Processor as the destination for the data export.
• Make sure that the appropriate ports are configured for your Flow Processor.
• Make sure the class IDs from the Packeteer devices can automatically be detected by the Flow Processor.
• For more information, see the Mapping Packeteer Applications into JSA Technical Note.