Flow sources
IBM QRadar Network Insights uses two types of flow sources.
- Flow source for incoming network traffic

  The QRadar Network Insights host processes raw traffic from a network interface flow source.
  When you add a QRadar Network Insights host, an input flow source is automatically created for all non-management interfaces that are available on the host.
  - For Napatech network interfaces, flow sources are auto-detected and enabled by default. They cannot be edited, disabled, or deleted.
  - For non-Napatech network interfaces, the auto-detected flow sources are disabled by default. You must enable them if you want to use them for monitoring network flows.
- QRadar flow sources

  When you install IBM QRadar, a default_Netflow flow source is automatically added to the deployment. This flow source is enabled by default.
  New flow sources are created as you add QRadar Flow Collectors and Flow Processors to the deployment.
  QRadar Network Insights exports the network traffic flow records to an IPFIX flow source that is running elsewhere in your QRadar deployment.
Flow source example
In the following example, a QRadar Network Insights host (qnihw1) is connected to a QRadar Console (qradarhw1).
- The default_Netflow flow source is auto-detected and enabled.
- An input flow source is created for all non-management interfaces that are connected to the QRadar Network Insights host, but they are not enabled.
- The system did not create a flow source for the management interface of the appliance (ens2f0).
- You can edit or change the enabled status for each of the flow sources.
An appliance that uses a Napatech network interface is connected.
- The napatech0 flow source is auto-detected and enabled.
- You cannot edit, delete, or change the enabled status for these flow sources.