NTA analyzes traffic and detects exceptions based on flow data sent by the routers and switches. To provide a better understanding of how to send flow data for NTA analysis, we will illustrate flow configuration through an example. Additionally, we’ll guide you on key considerations during the configuration process.
In the given network environment, a switch (IP address: 10.66.249.61) manages the flow traffic from ports GigabitEthernet1/0/2 and GigabitEthernet1/0/3, directing it to the management interface of the NTA with the IP address 10.66.249.47.
1. Configuration on the switch side:
1) This configuration command ensures that the flow from Collector ID 1 is directed to the NTA management interface IP on port 6343, with a description of ‘portal-test,’ and a maximum sFlow data section length of 1400 bytes.
2) Configure GigabitEthernet1/0/2. As depicted in the diagram, the switch is using sFlow v5.
Command explanation:
3) Configure GigabitEthernet1/0/3.
2. Configuration on the NTA side:
1) In the switch configuration, flow traffic is directed to the NTA on port 6343. To align with this, navigate to NTA Configuration > Flow Settings > Sflow Collecting Port and configure port 6343. For routers employing Netflow/Netstream/IPFIX, configure the corresponding port in NTA Configuration > Flow Settings > Netflow/Netstream/IPFIX Collecting Port. Ensure that the same flow export port is set on the router.
On the switch side, the sampling interval is configured as 30 seconds, so in NTA Configuration > Flow Settings > Flow Statistics Collect Interval, configure 30 seconds as well.
Note: The "Flow Statistics Collect Interval" should be chosen with consideration for the router's "timeout active" value or the "interval" value on the switch, as it directly impacts the accuracy of the flow display.
| Parameter | Description |
| --- | --- |
| Flow Collection IP | IP address used by the router to send flow data to NTA. |
| Flow Version | Specifies the flow protocol type and version. Needs to be consistent with the protocol type and version used on the router/switch side. If Flow Version is set to Flexible NetFlow, the flow protocol type can be NetFlow V5, NetFlow V9, or IPFIX. |
| Sampling Rate Adaption | Controls whether to enable sampling rate adaption for sFlow (sFlow_v4 and sFlow_v5). |
| Flow Sampling Ratio | Indicates the rate of packets to be sampled to all the packets passing through the router, which must be the same as that configured on the router. The maximum value is 65535. When sFlow_v4 or sFlow_v5 is selected for Flow Version and sampling rate adaption is enabled, this field is unavailable. |
| Flow Forwarding Configuration | Specifies whether to forward collected flow data to other IP addresses. It has the following values: – Use Default Configuration: uses global default settings. For details, see user guide section 5.6 Flow Data Collection and Forwarding. – Not Forward: does not forward received flow data. – Custom: specifies IPv4 or IPv6 addresses and port numbers to which flow data will be forwarded. You can type up to eight destination addresses, with each in a separate line. |
3) Open router interface statistics on NTA. Before R90F02SP06, all interfaces are open for statistics by default; from R90F02SP06 onwards, all interfaces are disabled by default and can be manually enabled as required. On the Configuration > Objects > Routers page, click the number in the Interface Number column to go to the Interface List page. Click Collect flow stats of selected interfaces from the drop-down box to enable collecting selected flow statistics, or click Collect flow stats of all interfaces to enable collecting flow statistics of all interfaces.
Upon completing the configuration, you can access the current flow information by navigating to NTA Monitor > Routers.
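If the Routers page stays empty, the usual cause is a mismatch between what the switch exports and what the NTA expects. The sketch below is an added example, not NSFOCUS code: it parses an sFlow v5 datagram as received on the collecting port and reports mismatches in version, agent address, datagram size and sampling rate. The sampling rate of 1000, the function names and the constructed datagram are assumptions; the agent address and the 1400-byte limit come from the example above.

```python
import socket
import struct

# Agent IP and 1400-byte limit are from the example above; the rate is assumed.
EXPECTED = {"agent": "10.66.249.61", "max_len": 1400, "rate": 1000}
ADDR = {1: (socket.AF_INET, 4), 2: (socket.AF_INET6, 16)}  # sFlow address types

def parse_sflow_v5(dgram):
    """Return the agent IP and the sampling rate of every flow sample."""
    try:
        version, addr_type = struct.unpack_from("!II", dgram, 0)
        if version != 5:
            raise ValueError(f"sFlow version {version}, expected 5")
        family, alen = ADDR[addr_type]
        agent = socket.inet_ntop(family, dgram[8:8 + alen])
        n_samples = struct.unpack_from("!4I", dgram, 8 + alen)[3]
        off, rates = 24 + alen, []
        for _ in range(n_samples):
            tag, length = struct.unpack_from("!II", dgram, off)
            off += 8
            if off + length > len(dgram):
                raise ValueError("sample runs past end of datagram")
            if tag in (1, 3):  # enterprise 0: flow sample / expanded flow sample
                # sampling_rate follows sequence number and source id
                rates.append(struct.unpack_from("!I", dgram, off + (8 if tag == 1 else 12))[0])
            off += length
    except (struct.error, KeyError) as exc:
        raise ValueError("malformed datagram") from exc
    return agent, rates

def check(dgram, expected=EXPECTED):
    """List mismatches between a received datagram and the collector settings."""
    try:
        agent, rates = parse_sflow_v5(dgram)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if agent != expected["agent"]:
        problems.append(f"agent address {agent}, expected {expected['agent']}")
    if len(dgram) > expected["max_len"]:
        problems.append(f"datagram is {len(dgram)} bytes, limit {expected['max_len']}")
    problems += [f"sampling rate {r} differs from Flow Sampling Ratio {expected['rate']}"
                 for r in rates if r != expected["rate"]]
    return problems

# Constructed datagram: v5 header plus one flow sample that carries no records.
_FLOW = struct.pack("!8I", 1, 2, 1000, 1000, 0, 2, 3, 0)
SAMPLE = (struct.pack("!II4s4I", 5, 1, socket.inet_aton("10.66.249.61"), 0, 1, 60000, 1)
          + struct.pack("!II", 1, len(_FLOW)) + _FLOW)
```

An empty list from `check` means the datagram agrees with the expected settings. The agent address it compares is the one carried in the sFlow header, which can differ from the UDP source address of the packet.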
*** This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/nta-flow-configuration-example/