Question & Answer
QRadar collects network activity information about how devices on your network communicate with each other. We refer to these communications as flows or flow records. Flows represent network activity by normalizing IP addresses, ports, byte and packet counts, and other details into a flow. A flow represents a communication session between two hosts, with each session reported in 1-minute intervals. For sessions that span multiple intervals (minutes), QRadar reports a record at the end of each minute with the current metrics for that flow. As hosts communicate, a new flow record is generated whenever a new session is opened that differs in any core communication feature, such as source IP address, source port, destination IP address, destination port, protocol, or application.
How are flows different from events?
How are flows licensed in QRadar?
For example, a host at 18.104.22.168 opens a secure connection to a server at 10.10.10.10 on port 443 that lasts 5 minutes. The QFlow Collector in the network has a license of 25,000 flows per minute. The QFlow Collector sees the communication between the two hosts on port 443, combines all of the session data for each minute of the communication into a flow record, and displays the information in the Network Activity tab. In each minute, this flow record counts as one flow against the 25,000 flows-per-minute license limit. In a real-life scenario, many communications occur across the network at the same time. Each minute, the QFlow Collector captures, summarizes, and rolls up communications into unique flow records. QRadar counts the number of unique flow records in each minute and applies that number against the license for the appliance.
Figure 1: Example of how two different flow records are created in QRadar.
How does QFlow determine if a communication is continuing or has stopped?
If communication stops for more than one interval, the system determines that the communication between the servers has stopped and writes the flow to disk. If communication starts again, a new flow record is created for the communication, and because it is a new session, a new First Packet Time is displayed in the user interface.
Figure 2: Flow records display a first packet time to identify when communication began.
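The behaviour described in the preceding sections (one record per flow per minute, a separate record for each distinct source/destination/port/protocol/application combination, a new session and First Packet Time after a flow goes idle, and unique records per minute counted against the flows-per-minute license) can be modelled in a few dozen lines. The following Python is an added example written for this page, not QFlow's own code: the packet dictionary layout, the flow key fields, the exact idle-timeout rule, the `build_flow_records`/`flows_per_minute`/`over_license` function names and the sample traffic are all assumptions constructed for illustration.

```python
"""Toy model of how a QFlow Collector rolls traffic into 1-minute flow records
and counts unique records against a flows-per-minute (FPM) license.

Added example, not IBM code. The packet dict layout, the flow key fields and
the idle-timeout rule are assumptions for illustration; QFlow's real
application detection and record format are not modelled.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERVAL = 60  # seconds; QRadar reports one record per flow at the end of each minute


@dataclass
class FlowRecord:
    key: tuple               # (src_ip, src_port, dst_ip, dst_port, protocol, application)
    interval_start: int      # epoch seconds, start of the minute this record covers
    first_packet_time: int   # start of the session; carried across intervals
    last_packet_time: int
    bytes: int = 0
    packets: int = 0


def flow_key(pkt):
    """The 'core communication features' that make a flow unique; change any
    one of them and a separate flow record is created."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"], pkt["app"])


def build_flow_records(packets):
    """Roll packets into per-minute flow records.

    One FlowRecord is produced per (flow key, minute) that saw traffic. A flow
    that is silent for a whole interval is treated as stopped: the next packet
    starts a new session and therefore gets a new first_packet_time. The exact
    timeout QFlow applies is not given on the page; a full empty minute is an
    assumption.
    """
    records = {}        # (key, interval_start) -> FlowRecord
    session_start = {}  # key -> first packet time of the current session
    last_minute = {}    # key -> interval_start of the last minute with traffic

    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key, ts = flow_key(pkt), pkt["ts"]
        minute = ts - ts % INTERVAL
        if key not in last_minute or minute - last_minute[key] > INTERVAL:
            session_start[key] = ts  # new session: first packet, or idle for a whole interval
        last_minute[key] = minute

        rec = records.get((key, minute))
        if rec is None:
            rec = FlowRecord(key, minute, session_start[key], ts)
            records[(key, minute)] = rec
        rec.last_packet_time = ts
        rec.bytes += pkt["bytes"]
        rec.packets += 1
    return sorted(records.values(), key=lambda r: (r.interval_start, r.key))


def flows_per_minute(records):
    """Unique flow records per minute: the number charged against the FPM license."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec.interval_start] += 1
    return dict(counts)


def over_license(counts, licensed_fpm):
    """Minutes whose unique-flow count exceeds the licensed rate, i.e. the
    condition under which QRadar raises a system notification."""
    return {m: n for m, n in counts.items() if n > licensed_fpm}


# Constructed sample traffic (not a real capture). T0 is 2021-01-01 00:00:00 UTC.
T0 = 1_609_459_200


def _pkt(ts, src, sport, nbytes):
    return {"ts": ts, "src": src, "sport": sport, "dst": "10.10.10.10",
            "dport": 443, "proto": "tcp", "app": "HTTPS", "bytes": nbytes}


SAMPLE_PACKETS = (
    # Flow A: one HTTPS session lasting 5 minutes -> 5 records, one per minute,
    # all sharing the same first packet time (the page's 5-minute example).
    [_pkt(T0 + 10 + 60 * i, "10.10.10.50", 51000, 1500) for i in range(5)]
    # Flow B: same hosts, different source port -> a separate flow record (Figure 1).
    + [_pkt(T0 + 15, "10.10.10.50", 51001, 600)]
    # Flow C: traffic in minute 0, nothing in minute 1, traffic in minute 2
    # -> two sessions with two different first packet times (Figure 2).
    + [_pkt(T0 + 20, "10.10.10.60", 53000, 900), _pkt(T0 + 140, "10.10.10.60", 53000, 900)]
)

if __name__ == "__main__":
    recs = build_flow_records(SAMPLE_PACKETS)
    for r in recs:
        print(r.interval_start, r.key[:2], "first packet", r.first_packet_time, r.bytes, "bytes")
    counts = flows_per_minute(recs)
    print("unique flows per minute:", counts)
    # A deliberately tiny license of 2 FPM makes the over-limit condition visible.
    print("minutes over a 2 FPM license:", over_license(counts, 2))
```

Running the script on the constructed traffic produces eight records: five for flow A (all with the same First Packet Time), one for flow B, and two for flow C with different First Packet Times because minute 1 was silent. The per-minute counts (3, 1, 2, 1, 1) are what a real deployment would compare against its licensed FPM; with the 2 FPM limit used here, only the first minute is over the limit.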
My flow license displays two numbers in the user interface. What does this mean?
- The first value represents the number of flows per minute currently licensed to the appliance.
In the example, 10000 indicates that if the appliance exceeds 10000 flows per minute (about 166 flows per second), the system generates a notification to alert administrators.
- The second value represents the maximum number of flows per minute that the appliance hardware is capable of handling.
In the example, the appliance is licensed for 10000 flows per minute, but the license can be increased up to the hardware capacity of 1.2 million FPM (20,000 flows per second). As license capacity is added to the Console appliance, any unallocated FPM can be assigned to a Flow Processor (17xx) or a combination Event/Flow Processor (18xx) appliance.
Figure 3: An appliance displays a Flow Rate Limit of 10000 (licensed) / 1200000 (hardware capacity) flows per minute.
Do dropped flows provide license giveback?
Figure 4: Example of flow license graph in the QRadar Deployment Intelligence app, filtered by License Giveback.
Figure 5: Default license rate graph, showing the flow capacity of the hardware and the licensed flow rate. As you enable routing rules for flows, the graphs begin to populate with data.
NOTE: Administrators who both forward and drop flow data should review their routing rules to ensure that their configurations are correct. Forwarded flow data must use online forwarding mode so that the data is sent from the pipeline to the external appliance. Administrators who attempt to use offline routing rules will not receive forwarded data, because offline forwarding reads data from disk and dropped flows are never written to disk.
07 January 2021