Configuring remote flow data collection

Configure the collection of flow data to measure and investigate the amount and type of traffic on a network. The appliance sends the flow data to an external event collector.

About this task

Important: The following appliance models do not support the use of the flow data policy.
  • GX6116
  • GX7412
  • GX7412-05
  • GX7412-10
  • GX7800

Navigating in IPS Local Management Interface: Manage System Settings > Appliance > Remote Flow Data Collection

Navigating in SiteProtector™ Management: select the Remote Flow Data Collection policy

Tip: Enable and disable flow data collection to periodically check flow data without constantly affecting traffic throughput.

The appliance receives flow data information from PAM in the form of PAMFlow. The appliance converts the PAMFlow data into the Internet Protocol Flow Information Export format (IPFIX). This conversion enables the appliance to send the flow data information to an external event collector. The appliance catalogues flow data by IP addresses (source and destination) and by port numbers.

The appliance sends events to the system log if there are errors with the flow data policy. You can find the system log at Review Analysis and Diagnostics > Logs > System.

This feature was tested with the QRadar SIEM developed by Q1 Labs. You must update the QRadar SIEM to the newest version for some integration features to work. For more information go to http://q1labs.com. Customers of Q1 Labs can go to http://partners.q1labs.com and sign in to DocCentral to view the documentation.

Procedure

  1. Enable the appliance to collect flow data.
  2. In the Collector field, enter the address of the external event collector. This field supports fully qualified domain name (FQDN), IPv4, and IPv6 formats.
  3. In the Port field, enter the port for the external event collector.
  4. From the Protocol list, select a protocol. The appliance supports sending flow data to external event collectors using the User Datagram Protocol (UDP).
  5. In the Template timeout field, enter a timeout interval for the template that is used by the external event collector. This setting specifies the interval at which the template actively times out. If the setting is 90 seconds (the template actively times out every 90 seconds), the appliance exports the template data every 90 seconds.
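The template timeout matters because, over UDP, a collector can only decode the data records it receives if it already holds the template they were encoded with; a lost template datagram leaves records undecodable until the next template export. The following added example (not part of this documentation or of the appliance's code) is a minimal IPFIX (RFC 7011) parser that shows this on constructed messages; the template ID 256, the IANA information elements used, the sample addresses and the export timestamp are all constructed values, and enterprise-specific elements are not handled.

```python
import struct
from ipaddress import IPv4Address

# IANA IPFIX information element IDs used by the constructed template below.
IE = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
      8: "sourceIPv4Address", 11: "destinationTransportPort", 12: "destinationIPv4Address"}

def decode_field(ie_id, raw):
    return str(IPv4Address(raw)) if ie_id in (8, 12) else int.from_bytes(raw, "big")

def parse_ipfix(data, templates):
    """Parse one IPFIX message (RFC 7011); templates are learned into `templates`
    ({template ID: [(IE id, length), ...]}). Data sets with no known template are only counted."""
    version, length = struct.unpack("!HH", data[:4])  # rest of the 16-byte header is unused here
    if version != 10 or length != len(data):
        raise ValueError("not a well-formed IPFIX message")
    records, undecodable, offset = [], 0, 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        body = data[offset + 4:offset + set_len]
        if set_id == 2:  # Template Set: template ID, field count, then (IE id, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256:  # trailing zero padding, not a template record
                    break
                templates[tid] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                                  for i in range(count)]
                pos += 4 + 4 * count
        elif set_id >= 256:  # Data Set: its set ID is the template ID it was encoded with
            fields = templates.get(set_id)
            if fields is None:
                undecodable += 1
            else:
                rec_len = sum(l for _, l in fields)
                for pos in range(0, len(body) - len(body) % rec_len, rec_len):
                    rec, p = {}, pos
                    for ie_id, l in fields:
                        rec[IE.get(ie_id, ie_id)] = decode_field(ie_id, body[p:p + l])
                        p += l
                    records.append(rec)
        offset += set_len
    return records, undecodable

def build_message(sets, seq):
    """Constructed exporter side: wrap (set ID, payload) pairs in a 16-byte IPFIX header."""
    body = b"".join(struct.pack("!HH", sid, len(pl) + 4) + pl for sid, pl in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, seq, 1) + body

# Constructed template 256: src/dst IPv4, src/dst port, protocol, octet count (six (IE, len) pairs).
TEMPLATE_SET = struct.pack("!HH", 256, 6) + struct.pack("!12H", 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 8)
FLOW = (IPv4Address("192.0.2.10").packed + IPv4Address("198.51.100.20").packed
        + struct.pack("!HHBQ", 51515, 443, 6, 5120))  # one constructed flow record

def demo():
    """Record first with its template missing (as after a lost UDP datagram), then both together."""
    templates = {}
    early = parse_ipfix(build_message([(256, FLOW)], seq=0), templates)
    later = parse_ipfix(build_message([(2, TEMPLATE_SET), (256, FLOW)], seq=1), templates)
    return early, later
```

A short template timeout therefore bounds how long a collector stays blind after a dropped template, at the cost of a little extra export traffic.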