Flow capacity limits

Flow capacity limits ensure that the QFlow process in IBM QRadar is not overloaded.

When the QFlow process receives more traffic than it can process, the excess is not parsed. Instead, one overflow record is created for each protocol that is observed in the excess traffic. These records are easy to identify: they carry a source IP address of 127.0.0.4 and a destination IP address of 127.0.0.5.

For example, QRadar determines that the flow capacity limit of your Flow Collector is 100,000 flows. During a peak period, the appliance captures 120,000 flows in a one-minute interval. The excess 20,000 flows are not parsed; instead, an overflow record is created for each protocol that is seen in those 20,000 flows. The overflow record includes byte and packet counters, but information such as source or destination IP addresses, ports, and payload capture is not collected or stored. Because those fields are absent, traffic summarized in an overflow record is invisible to any rule or search that matches on addresses, ports, or payload, so a sustained stream of overflow records means you are losing flow visibility and should be treated as an operational alert.

Flow capacity limits

Flow capacity is determined based on a number of different factors:
Deployment flow limit
This flow limit is based on the sum of all flow licenses across your deployment.
Hardware flow limit
The hardware flow limit is the recommended number of flows calculated based on the available CPUs and memory.
User flow limits
You can set the maximum number of flows that you want QRadar to process at one time.

If a user flow limit is set, it takes precedence over both the deployment flow limit and the hardware limit.

If no user limit is set, the lower of the hardware limit and the deployment limit is used.

Note: To ensure that you achieve the maximum benefit from your flows per minute (FPM) license, flow capacity limits are enforced after aggregation. Updates to existing flows within the 1-minute reporting interval do not contribute to your FPM license limit.
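The following is an added example, not IBM QRadar code. It models the behaviour this page describes so that the two rules can be seen together: how the effective limit is chosen from the deployment, hardware and user limits, and how flows above that limit are collapsed, after aggregation, into one overflow record per protocol that carries only byte and packet counters and the 127.0.0.4 / 127.0.0.5 marker addresses. The packet records, the 5-tuple aggregation, and the choice to keep the first N flows in arrival order are simplifications assumed for this illustration; the page does not state which flows QRadar keeps. The sample packets are constructed.

```python
# Added example: a model of the documented flow capacity behaviour.
# Not QRadar code; packet format, 5-tuple aggregation and "first N kept"
# ordering are assumptions made for illustration.
from collections import defaultdict

OVERFLOW_SRC = "127.0.0.4"   # documented marker addresses on overflow records
OVERFLOW_DST = "127.0.0.5"


def effective_flow_limit(deployment_limit, hardware_limit, user_limit=None):
    """A user limit takes precedence; otherwise the lower of the other two applies."""
    if user_limit is not None:
        return user_limit
    return min(deployment_limit, hardware_limit)


def aggregate(packets):
    """Fold the packets seen in one reporting interval into flows keyed by
    5-tuple. A repeat packet for an existing flow only updates its counters,
    so it does not add to the flow count that the limit is enforced against."""
    flows = {}
    for p in packets:
        key = (p["protocol"], p["src"], p["sport"], p["dst"], p["dport"])
        f = flows.setdefault(key, {"protocol": p["protocol"], "src": p["src"],
                                   "sport": p["sport"], "dst": p["dst"],
                                   "dport": p["dport"], "bytes": 0, "packets": 0})
        f["bytes"] += p["bytes"]
        f["packets"] += 1
    return list(flows.values())   # first-seen order (dict preserves insertion order)


def apply_capacity_limit(flows, limit):
    """Keep the first `limit` aggregated flows (assumption) and summarise the
    rest into one overflow record per protocol. Overflow records carry byte
    and packet counters only: no real addresses, ports or payload."""
    kept = flows[:limit]
    overflow = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for f in flows[limit:]:
        overflow[f["protocol"]]["bytes"] += f["bytes"]
        overflow[f["protocol"]]["packets"] += f["packets"]
    records = [{"protocol": proto, "src": OVERFLOW_SRC, "sport": 0,
                "dst": OVERFLOW_DST, "dport": 0, **counts}
               for proto, counts in sorted(overflow.items())]
    return kept, records


def is_overflow_record(flow):
    """The check a practitioner would run over exported flow data to spot
    intervals in which the collector was over capacity."""
    return flow["src"] == OVERFLOW_SRC and flow["dst"] == OVERFLOW_DST


# Constructed sample: 8 packets forming 6 distinct flows (two flows see a second packet).
SAMPLE_PACKETS = [
    {"protocol": "tcp",  "src": "10.0.0.1", "sport": 50001, "dst": "10.0.0.9", "dport": 443, "bytes": 600},
    {"protocol": "tcp",  "src": "10.0.0.1", "sport": 50001, "dst": "10.0.0.9", "dport": 443, "bytes": 400},
    {"protocol": "tcp",  "src": "10.0.0.2", "sport": 50002, "dst": "10.0.0.9", "dport": 443, "bytes": 300},
    {"protocol": "udp",  "src": "10.0.0.3", "sport": 50003, "dst": "10.0.0.9", "dport": 53,  "bytes": 80},
    {"protocol": "tcp",  "src": "10.0.0.4", "sport": 50004, "dst": "10.0.0.9", "dport": 22,  "bytes": 200},
    {"protocol": "udp",  "src": "10.0.0.5", "sport": 50005, "dst": "10.0.0.9", "dport": 53,  "bytes": 90},
    {"protocol": "udp",  "src": "10.0.0.5", "sport": 50005, "dst": "10.0.0.9", "dport": 53,  "bytes": 70},
    {"protocol": "icmp", "src": "10.0.0.6", "sport": 0,     "dst": "10.0.0.9", "dport": 0,   "bytes": 64},
]


def process_interval(packets, limit):
    """One reporting interval: aggregate first, then enforce the limit."""
    return apply_capacity_limit(aggregate(packets), limit)


if __name__ == "__main__":
    # Illustrative limits (constructed): a small user limit forces overflow here.
    limit = effective_flow_limit(deployment_limit=100_000, hardware_limit=150_000, user_limit=4)
    kept, overflow = process_interval(SAMPLE_PACKETS, limit)
    print(f"effective limit {limit}: {len(kept)} flows parsed, {len(overflow)} overflow record(s)")
    for r in overflow:
        print(f"  overflow {r['protocol']}: {r['packets']} packets, {r['bytes']} bytes "
              f"({r['src']} -> {r['dst']})")
    print("overflow present:", any(is_overflow_record(f) for f in kept + overflow))
```

Running the script shows that the two packets for the 10.0.0.1 flow count as one flow against the limit, and that the two excess flows become one udp and one icmp overflow record with summed counters. The same `is_overflow_record` test, applied to exported flow data, is the quickest way to confirm whether a gap in a flow-based investigation coincides with an over-capacity interval.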