Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configure NetFlow Settings

Use Pre-defined NetFlow Templates

NetFlow templates provide a mechanism to identify and decode incoming flow data before sending it for further processing within Paragon Insights.

  1. Click Configuration > Data Ingest > Settings in the left-nav bar.
  2. Click the NetFlow tab on Ingest Settings page.
  3. On the NetFlow settings page, review the available templates for use in a rule.

Usage Notes:

  • Notice that there are default flow templates for IPv4, IPv6, MPLS, MPLS-IPv4, MPLS-IPv6, and VPLS, for each of NetFlow v9 and v10.

  • The NetFlow templates include recognition patterns, called include fields and exclude fields, which help to recognize, identify, and categorize the incoming messages.

  • Since NetFlow messages don’t distinguish between keys and values (all fields are simply incoming data), the templates specify which fields should be treated as keys for raw data.

Create Custom NetFlow Templates

If the existing templates do not meet your needs, you can create your own template. You can also use custom templates to support other vendors’ devices.

  1. On the Netflow settings page, click the plus (+) icon.
  2. In the Add Template window that appears, fill in the following fields (you can leave the other settings as is):

    • Template Name—Give the template a name

    • Description—Provide a description for the template

    • NetFlow version—Select Netflow v9 or Netflow v10

    • Priority—Select any value from 1 through 10 depending on the level of priority

    • Include Fields—Add one or more fields that you want included in the template you wish to use

    • Exclude Fields—Add one or more fields that you do not want included in the template you wish to use

    • Key Fields—Specify which fields in the incoming messages should be treated as keys

  3. Click Save & Deploy

    You should now see the template added to the NetFlow settings page.

  4. (Optional) Repeat the steps above to create more templates.

Usage Notes:

  • Priority - when a playbook includes multiple rules using the flow sensor, the priority value identifies which sensor and template gets priority over the other(s).

  • Include/Exclude fields - include fields to help identify the template to use, or at least a ‘short list’ of templates to use; exclude fields then narrow down to the single desired template.

    • Example 1 - consider the hb-ipfix-ipv4-template template: it includes two IPv4 fields to narrow down to hb-ipfix-ipv4-template and hb-ipfix-mpls-ipv4-template, and excludes an MPLS field to eliminate hb-ipfix-mpls-ipv4-template, leaving only hb-ipfix-ipv4-template.

    • Example 2 - consider the hb-ipfix-mpls-ipv4-template template: it includes the same two IPv4 fields to narrow down to hb-ipfix-ipv4-template and hb-ipfix-mpls-ipv4-template. It also includes an MPLS field, which immediately eliminates the former template and leaving the latter as the template to use.

Delete a NetFlow Template

To delete a NetFlow template:

  1. Click Configuration > Data Ingest > Settings from the left-nav bar.

    The Ingest Settings page is displayed.

  2. Click the NetFlow tab to view the NetFlow Settings page.
  3. Select the template that you want to delete, and click the delete (trash can) icon.

    The CONFIRM DELETE TEMPLATE pop-up appears.

  4. Do one of the following:
    Figure 1: Confirm Delete Template Pop-up Confirm Delete Template Pop-up
    • Click Yes to delete the template from the database. However, the changes are not applied to the ingest service.
      Note:

      • We recommended that you do not delete a NetFlow setting that is currently in use.

      • After you delete a particular NetFlow setting from the database, you cannot configure that NetFlow setting in new devices or device groups even if you have not deployed changes.

      • You can also deploy changes to the ingest service or roll back the changes that you have already deleted, from the Health Configuration Deployment Status page. For more information, see Commit or Roll Back Configuration Changes in Paragon Insights.

    • Select the Deploy changes check box and then click Yes to delete the template from the database, and to apply the changes to the ingest service.
    • (Optional) Click No to cancel this operation.

    The NetFlow template is deleted.

Clone an Existing NetFlow Template

To clone an existing NetFlow template:

  1. Click Configuration > Data Ingest > Settings from the left-nav bar.

    The Ingest Settings page is displayed.

  2. Click the NetFlow tab to view the NetFlow Settings page.
  3. To clone a particular template, click Clone.

    The Clone Template: <name of template> page is displayed.

    From the Clone Template: <name of template> page, you can

    • Edit the Name, Description, and Priority sections.

    • Choose between Netflow v9 or Netflow v10 versions.

    • Add or exclude fields from Include Fields, Exclude Fields, and Key Fields.

  4. After you have made the necessary edits, click Save to save the modifications and to clone the template.

    Alternatively, click Save & Deploy to save modifications, clone the template, and deploy the template.

Configure Flow Source IP Address

The raw flow data that Paragon Insights receives is in binary format and unreadable. In order to make this data usable, Paragon Insights processes the incoming flow data as follows:

  • Paragon Insights listens for incoming flow data on a configured port

  • Since NetFlow messages don’t include a field that identifies the sending device, Paragon Insights uses the configured source IP address to derive a device ID.

  • Templates identify and decode incoming flow data to determine which fields it contains

    The resulting decoded and normalized data is now in a readable and usable format.

  • Paragon Insights then performs further tagging, normalization, and aggregation as defined in the corresponding rule by the user.

  • Finally, the time-series database (TSDB) receives the data. This is where things like trigger evaluation happen.

Warning:

For NetFlow ingest, ensure that there is no source NAT in the network path(s) between the device and Paragon Insights. If the network path contains source NAT, then the received device information is not accurate.

To configure source IP addresses in Device configuration:

  1. Go to Configuration > Devices.

    You are taken to the Device page.

  2. Select a device you want to configure to send Flow data and click the edit button (pencil icon).

    You are taken to the Edit Device-Name page.

  3. Click the Device ID Details caret and enter the source IP address(es) in the Flow Source IP field.

    If you want to enter multiple source IP addresses, separate each one with a comma.

  4. Click OK.

To configure source IP addresses in Device Group configuration:

  1. Go to Configuration > Device Groups.

    You are taken to the Device Group configuration page.

  2. Select a device group you want to configure to send Flow data and click the edit button (pencil icon).

    You are taken to the Edit Device Group page.

  3. Click the Advanced caret and enter the source IP address(es) in the Flow Ingest Deploy Nodes field.

    If you want to enter multiple source IP addresses, separate each one with a comma.

  4. Click Save & Deploy.

Configure Flow Ports

To configure Flow ports in Device Groups:

  1. Go to Configuration > Device Groups.

    You are taken to the Device Group configuration page.

  2. Select a device group you want to configure to send Flow data and click the edit button (pencil icon).

    You are taken to the Edit Device Group page.

  3. Click the Advanced > Ports caret and enter the NetFlow sensor receiver ports in the Flow Ports field.

    If you want to enter multiple ports, separate each one with a comma.

  4. Click Save & Deploy.

Related Documentation