IPFIX

Internet Protocol Flow Information Export (IPFIX) is an accounting technology that monitors traffic flows through a switch or router. It interprets the traffic to determine the client, server, protocol, and port that is used. It also counts the number of bytes and packets, and sends that data to an IPFIX collector. IBM® Security Network Protection XGS 5000, a next generation intrusion protection system (IPS), is an example of a device that sends flow traffic in IPFIX flow format.

The process of sending IPFIX data is often referred to as a NetFlow Data Export (NDE), but IPFIX provides more flow information and deeper insight than NetFlow v9.

IBM QRadar® accepts NDEs so that it functions as an IPFIX collector. IPFIX uses User Datagram Protocol (UDP) to deliver NDEs. After an NDE is sent from the IPFIX forwarding device, the IPFIX record might be purged.

IPFIX flow source configuration

When you configure an external flow source for IPFIX, you must do the following tasks:
  • Add a NetFlow flow source.
    Note: Your QRadar system might include a default NetFlow flow source. If it does, QRadar can use the default NetFlow flow source to process the IPFIX flows.

    To confirm that your system includes a default NetFlow flow source, on the Admin tab, select Flow Sources. If default_Netflow is listed in the flow source list, IPFIX is already configured.

  • Ensure that the appropriate firewall rules are configured.

    If you change your External Flow Source Monitoring Port parameter in the Flow Collector configuration, you must also update your firewall access configuration.

  • Ensure that the appropriate ports are configured for your Flow Collector.

IPFIX flow source template

Ensure that the IPFIX template from the IPFIX source includes the following IANA-listed Information Elements:
  • protocolIdentifier (4)
  • sourceIPv4Address (8)
  • destinationIPv4Address (12)
  • sourceTransportPort (7)
  • destinationTransportPort (11)
  • octetDeltaCount (1) or postOctetDeltaCount (23)
  • packetDeltaCount (2) or postPacketDeltaCount (24)
  • tcpControlBits (6) (TCP flows only).
  • flowStartSeconds (150) or flowStartMilliseconds (152) or flowStartDeltaMicroseconds (158)
  • flowEndSeconds (151) or flowEndMilliseconds (153) or flowEndDeltaMicroseconds (159)

Supported fields

The following lists show some of the types of fields that are supported for IPFIX flow sources.

New in 7.4.3 To add support for additional IPFIX fields that are not shown by QRadar, you can use the /api/ariel/taggedfields API to create a new tagged field.
VLAN fields
The following VLAN fields are supported for IPFIX:
  • vlanId (IANA Element ID 58)
  • postVlanId (IANA Element ID 59)
  • dot1qVlanId (IANA Element ID 243)
  • dot1qPriority (IANA Element ID 244)
  • dot1qCustomerVlanId (IANA Element ID 245)
  • dot1qCustomerPriority (IANA Element ID 246)
  • postDot1qVlanId (IANA Element ID 254)
  • postDot1qCustomerVlanId (IANA Element ID 255)
  • dot1qDEI (IANA Element ID 388)
  • dot1qCustomerDEI (IANA Element ID 389)
MAC address fields
The following MAC address fields are supported for IPFIX:
  • sourceMacAddress ((IANA Element ID 56)
  • postDestinationMacAddress ((IANA Element ID 57)
  • DestinationMacAddress ((IANA Element ID 80)
  • postSourceMacAddress ((IANA Element ID 81)
Network Address Translation (NAT) fields
The following fields are supported for Network Address Translation (NAT) and Network Address Port Translation (NAPT):
  • postNATSourceIPv4Address (IANA Element ID 225)
  • postNATDestinationIPv4Address (IANA Element ID 226)
  • postNAPTSourceTransportPort (IANA Element ID 227)
  • postNAPTDestinationTransportPort (IANA Element ID 228)
MPLS fields
The following MPLS fields are supported for IPFIX:
  • mplsTopLabelType (IANA Element 46)
  • mplsTopLabelIPv4Address (IANA Element 47)
  • mplsTopLabelStackSection (IANA Element 70)
  • mplsLabelStackSection2 (IANA Element 71)
  • mplsLabelStackSection3 (IANA Element 72)
  • mplsLabelStackSection4 (IANA Element 73)
  • mplsLabelStackSection5 (IANA Element 74)
  • mplsLabelStackSection6 (IANA Element 75)
  • mplsLabelStackSection7 (IANA Element 76)
  • mplsLabelStackSection8 (IANA Element 77)
  • mplsLabelStackSection9 (IANA Element 78)
  • mplsLabelStackSection10 (IANA Element 79)
  • mplsVpnRouteDistinguisher (IANA Element 90)
  • mplsTopLabelPrefixLength (IANA Element 91)
  • mplsTopLabelIPv6Address (IANA Element 140)
  • mplsPayloadLength (IANA Element 194)
  • mplsTopLabelTTL (IANA Element 200)
  • mplsLabelStackLength (IANA Element 201)
  • mplsLabelStackDepth (IANA Element 202)
  • mplsTopLabelExp (IANA Element 203)
  • postMplsTopLabelExp (IANA Element 237)
  • pseudoWireType (IANA Element 250)
  • pseudoWireControlWord (IANA Element 251)
  • mplsLabelStackSection (IANA Element 316)
  • mplsPayloadPacketSection (IANA Element 317 )
  • sectionOffset (IANA Element 409)
  • sectionExportedOctets (IANA Element 410)