IPFIX

Internet Protocol Flow Information Export (IPFIX) is an accounting technology that monitors traffic flows through a switch or router. It interprets the traffic to determine the client, server, protocol, and ports that are used. It also counts the number of bytes and packets in each flow, and sends that data to an IPFIX collector. IBM® Security Network Protection XGS 5000, a next generation intrusion prevention system (IPS), is an example of a device that sends flow traffic in IPFIX flow format.

The process of sending IPFIX data is often referred to as a NetFlow Data Export (NDE), but IPFIX provides more flow information and deeper insight than NetFlow v9.

IBM QRadar® accepts NDEs so that it functions as an IPFIX collector. QRadar receives IPFIX NDEs over User Datagram Protocol (UDP). UDP delivery is unacknowledged, so a record that is dropped in transit is not retransmitted, and after an NDE is sent from the IPFIX forwarding device, the exporter might purge its copy of the record. The collector's copy is therefore the only copy. Because UDP also carries no source authentication, restrict the monitoring port to the addresses of your known exporters in your firewall configuration rather than exposing it to any sender.

IPFIX flow source configuration

When you configure an external flow source for IPFIX, you must do the following tasks:
  • Add a NetFlow flow source.
    Note: Your QRadar system might include a default NetFlow flow source. If it does, QRadar can use the default NetFlow flow source to process the IPFIX flows.

    To confirm that your system includes a default NetFlow flow source, on the Admin tab, select Flow Sources. If default_Netflow is listed in the flow source list, a flow source that can receive IPFIX is already configured.

  • Ensure that the appropriate firewall rules are configured.

    If you change your External Flow Source Monitoring Port parameter in the Flow Collector configuration, you must also update your firewall access configuration.

  • Ensure that the appropriate ports are configured for your Flow Collector.

IPFIX flow source template

Ensure that the IPFIX template from the IPFIX source includes the following IANA-listed Information Elements (the number in parentheses is the IANA element ID; where alternatives are separated by "or", any one of them suffices):
  • protocolIdentifier (4)
  • sourceIPv4Address (8)
  • destinationIPv4Address (12)
  • sourceTransportPort (7)
  • destinationTransportPort (11)
  • octetDeltaCount (1) or postOctetDeltaCount (23)
  • packetDeltaCount (2) or postPacketDeltaCount (24)
  • tcpControlBits (6) (TCP flows only).
  • flowStartSeconds (150) or flowStartMilliseconds (152) or flowStartDeltaMicroseconds (158)
  • flowEndSeconds (151) or flowEndMilliseconds (153) or flowEndDeltaMicroseconds (159)
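One way to verify that an exporter's template actually carries these elements before pointing it at QRadar is to parse an IPFIX message and compare the template's element IDs against the list above. The following parser is an added example written for this page; it is not QRadar code and not the XGS exporter's format beyond what RFC 7011 defines. It reads the IPFIX message header, the Template Set (set ID 2) and any Data Sets (set ID 256 and above), reports which required element groups a template lacks, and decodes data records using the field lengths the template declares. The sample message is constructed by hand inside the block (addresses, ports and counters are made up), and the helper handles only fixed-length IANA elements; variable-length fields and enterprise-specific elements are flagged rather than decoded.

```python
"""Minimal IPFIX (RFC 7011) template/data parser used to check that an
exporter's template carries the Information Elements QRadar requires.
Added example, not QRadar or exporter code. The sample message below is
constructed by hand and is not a capture from any real device."""
import struct
from typing import Dict, List, Optional, Tuple

Field = Tuple[int, int, Optional[int]]  # (ie_id, length, enterprise_number)

# Required IANA elements, grouped so that one member of each group suffices.
REQUIRED_IE_GROUPS: Dict[str, set] = {
    "protocolIdentifier(4)": {4},
    "sourceIPv4Address(8)": {8},
    "destinationIPv4Address(12)": {12},
    "sourceTransportPort(7)": {7},
    "destinationTransportPort(11)": {11},
    "octetDeltaCount(1)|postOctetDeltaCount(23)": {1, 23},
    "packetDeltaCount(2)|postPacketDeltaCount(24)": {2, 24},
    "flowStart(150|152|158)": {150, 152, 158},
    "flowEnd(151|153|159)": {151, 153, 159},
}
TCP_CONTROL_BITS = 6  # required only for templates that describe TCP flows


def parse_ipfix(msg: bytes):
    """Return (templates, data_sets): {template_id: [Field, ...]} and a list
    of (set_id, raw_set_body) for every Data Set in message order."""
    version, length, _export_time, _seq, _odid = struct.unpack("!HHIII", msg[:16])
    if version != 10:
        raise ValueError(f"not IPFIX: version {version}")
    if length != len(msg):
        raise ValueError("IPFIX length field does not match buffer size")
    templates: Dict[int, List[Field]] = {}
    data_sets: List[Tuple[int, bytes]] = []
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # Template Set; a trailing pad shorter than 4 bytes ends the loop
            p = 0
            while p + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields: List[Field] = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[p:p + 4])
                    p += 4
                    ent = None
                    if ie & 0x8000:  # enterprise bit set: a 4-byte PEN follows
                        ie &= 0x7FFF
                        ent = struct.unpack("!I", body[p:p + 4])[0]
                        p += 4
                    if flen == 0xFFFF:
                        raise NotImplementedError("variable-length field not supported here")
                    fields.append((ie, flen, ent))
                templates[tid] = fields
        elif set_id >= 256:
            data_sets.append((set_id, body))
        off += set_len
    return templates, data_sets


def missing_elements(fields: List[Field], tcp: bool = True) -> List[str]:
    """Names of required groups with no IANA (non-enterprise) member in the template."""
    present = {ie for ie, _, ent in fields if ent is None}
    missing = [name for name, alts in REQUIRED_IE_GROUPS.items() if not (present & alts)]
    if tcp and TCP_CONTROL_BITS not in present:
        missing.append("tcpControlBits(6)")
    return missing


def decode_records(fields: List[Field], body: bytes) -> List[Dict[int, object]]:
    """Split a Data Set body into records using the template's field lengths."""
    rec_len = sum(flen for _, flen, _ in fields)
    records, p = [], 0
    while p + rec_len <= len(body):  # anything shorter than a record is padding
        rec: Dict[int, object] = {}
        for ie, flen, ent in fields:
            raw = body[p:p + flen]
            p += flen
            # IPv4 addresses are rendered dotted-quad; everything else as a big-endian int
            rec[ie] = ".".join(str(b) for b in raw) if ent is None and ie in (8, 12) \
                else int.from_bytes(raw, "big")
        records.append(rec)
    return records


def build_message(templates, data_sets) -> bytes:
    """Constructed sample exporter message (IANA fixed-length elements only)."""
    tset_body = b"".join(
        struct.pack("!HH", tid, len(f)) + b"".join(struct.pack("!HH", ie, l) for ie, l, _ in f)
        for tid, f in templates)
    sets = struct.pack("!HH", 2, 4 + len(tset_body)) + tset_body
    for tid, recs in data_sets:
        data = b"".join(recs)
        sets += struct.pack("!HH", tid, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 1700000000, 1, 1) + sets


# Template 256 satisfies the list; template 257 (constructed) omits the timestamps.
GOOD_FIELDS: List[Field] = [(8, 4, None), (12, 4, None), (7, 2, None), (11, 2, None),
                            (4, 1, None), (6, 1, None), (1, 4, None), (2, 4, None),
                            (152, 8, None), (153, 8, None)]
BAD_FIELDS: List[Field] = GOOD_FIELDS[:8]
# One made-up TCP flow: 10.0.0.5:44321 -> 192.0.2.10:443, flags SYN|ACK|PSH|FIN
SAMPLE_RECORD = bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10]) + struct.pack(
    "!HHBBIIQQ", 44321, 443, 6, 0x1B, 5120, 12, 1700000000000, 1700000002500)
SAMPLE_MESSAGE = build_message([(256, GOOD_FIELDS), (257, BAD_FIELDS)],
                               [(256, [SAMPLE_RECORD])])

if __name__ == "__main__":
    tmpls, dsets = parse_ipfix(SAMPLE_MESSAGE)
    for tid, f in tmpls.items():
        print(f"template {tid}: missing {missing_elements(f) or 'nothing'}")
    for tid, body in dsets:
        print(tid, decode_records(tmpls[tid], body))
```

Run it against a captured message from your exporter by replacing SAMPLE_MESSAGE with the payload of one UDP datagram; a non-empty result from missing_elements for the template the data records reference means QRadar will not get the fields listed above from that exporter.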

Supported fields

The following lists show some of the types of fields that are supported for IPFIX flow sources.

New in 7.4.3: To add support for additional IPFIX fields that are not shown by QRadar, you can use the /api/ariel/taggedfields API to create a new tagged field.

VLAN fields
The following VLAN fields are supported for IPFIX:
  • vlanId
  • postVlanId
  • dot1qVlanId
  • dot1qPriority
  • dot1qCustomerVlanId
  • dot1qCustomerPriority
  • postDot1qVlanId
  • postDot1qCustomerVlanId
  • dot1qDEI
  • dot1qCustomerDEI

MAC address fields
The following MAC address fields are supported for IPFIX:
  • sourceMacAddress (56)
  • postDestinationMacAddress (57)
  • destinationMacAddress (80)
  • postSourceMacAddress (81)

MPLS fields
The following MPLS fields are supported for IPFIX:
  • mplsTopLabelType
  • mplsTopLabelIPv4Address
  • mplsTopLabelStackSection
  • mplsLabelStackSection2
  • mplsLabelStackSection3
  • mplsLabelStackSection4
  • mplsLabelStackSection5
  • mplsLabelStackSection6
  • mplsLabelStackSection7
  • mplsLabelStackSection8
  • mplsLabelStackSection9
  • mplsLabelStackSection10
  • mplsVpnRouteDistinguisher
  • mplsTopLabelPrefixLength
  • mplsTopLabelIPv6Address
  • mplsPayloadLength
  • mplsTopLabelTTL
  • mplsLabelStackLength
  • mplsLabelStackDepth
  • mplsTopLabelExp
  • postMplsTopLabelExp
  • pseudoWireType
  • pseudoWireControlWord
  • mplsLabelStackSection
  • mplsPayloadPacketSection
  • sectionOffset
  • sectionExportedOctets