NetFlow flow collectors and external sources
You must configure NetFlow, which collects IP network traffic as it enters or exits an interface, to send data to the nearest QRadar® QFlow Collector or QRadar Flow Processor appliance.
QRadar QFlow Collectors also support external flow sources, such as routers that send NetFlow, sFlow, J-Flow, and Packeteer data.
For more information about these sources, see the IBM® QRadar Administration Guide.
You must configure NetFlow to send data as quickly as possible by configuring the external network device's ip-cache flow timeout value to one. Ensure that ingress and egress traffic is forwarded from the router. Not all routers can forward ingress and egress traffic. If you are configuring a router that provides only a sample of data, then configure the router to use the lowest possible sampling rate, without increasing the load on the switch.
To ensure that your NetFlow configuration is functioning correctly, you must validate your QRadar NetFlow data.
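The following Python example is added here and is not part of IBM's documentation or of QRadar. It parses NetFlow version 5 export datagrams and reports the three settings this section asks for: the sampling interval the exporter advertises, flows longer than the timeout, and flows with no reverse direction (a hint that only ingress or only egress traffic is exported). It assumes NetFlow v5, a 60-second threshold (`max_active_ms`, adjust to your device's timeout unit), and a constructed sample datagram; all function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address as IP

HDR = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header (24 bytes)
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record (48 bytes)

def parse_v5(dgram):
    """Return (sampling_interval, [flow dicts]) for one NetFlow v5 export datagram."""
    if len(dgram) < HDR.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, *_, sampling = HDR.unpack_from(dgram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(dgram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        r = REC.unpack_from(dgram, HDR.size + i * REC.size)
        flows.append({"key": (r[0], r[1], r[9], r[10], r[13]),  # src, dst, sport, dport, proto
                      "ms": (r[8] - r[7]) & 0xFFFFFFFF})       # Last - First, uptime wrap-safe
    return sampling & 0x3FFF, flows   # low 14 bits = interval, top 2 bits = mode

def validate(dgrams, max_active_ms=60_000):
    """Check exported flows against the three settings the section asks for."""
    intervals, flows = set(), []
    for d in dgrams:
        s, f = parse_v5(d)
        intervals.add(s)
        flows += f
    seen = {f["key"] for f in flows}
    one_way = [f["key"] for f in flows
               if (f["key"][1], f["key"][0], f["key"][3], f["key"][2], f["key"][4]) not in seen]
    return {"sampling_intervals": sorted(intervals),
            "over_timeout": sum(f["ms"] > max_active_ms for f in flows),
            "one_way": [(str(IP(k[0])), str(IP(k[1]))) for k in one_way]}

def sample_datagram():
    """Constructed test input: three flows, one with no reverse direction, one 90 s long."""
    def rec(src, dst, sport, dport, first, last):
        return REC.pack(IP(src).packed, IP(dst).packed, bytes(4), 1, 2, 10, 1500,
                        first, last, sport, dport, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    body = (rec("192.0.2.10", "198.51.100.5", 40000, 443, 1_000, 31_000)
            + rec("198.51.100.5", "192.0.2.10", 443, 40000, 1_000, 31_000)
            + rec("192.0.2.11", "198.51.100.6", 40001, 22, 5_000, 95_000))
    return HDR.pack(5, 3, 100_000, 1_700_000_000, 0, 1, 0, 0, (1 << 14) | 100) + body

if __name__ == "__main__":
    print(validate([sample_datagram()]))
```

A flow's reverse direction can fall outside a short capture, so judge `one_way` over several minutes of datagrams rather than a single packet.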