Types of Flow Sources

 

JSA Flow Processor can process flows from multiple sources, which are categorized as either internal or external sources.

Internal Flow Sources

Sources that include packet data by connecting to a SPAN port or a network TAP are considered internal sources. These sources provide raw packet data to a monitoring port on the Flow Processor, which converts the packet details into flow records.

JSA does not keep the entire packet payload. Instead, it captures a snapshot of the flow, referred to as the payload or content capture, which includes packets from the beginning of the communication.

Flow collection from internal sources normally requires a dedicated Flow Processor.

External Flow Sources

JSA also supports external flow sources, such as routers that send NetFlow, sFlow, J-Flow, and Packeteer data.

External sources do not require as much CPU utilization to process, so you can send them directly to a Flow Processor. In this configuration, you might have a dedicated Flow Processor that receives and creates flow data.

NetFlow

NetFlow is a proprietary accounting technology that is developed by Cisco Systems. NetFlow monitors traffic flows through a switch or router, interprets the client, server, protocol, and port that is used, counts the number of bytes and packets, and sends that data to a NetFlow collector.

The process of sending data from NetFlow is often referred to as a NetFlow Data Export (NDE). You can configure JSA to accept NDEs and thus become a NetFlow collector. JSA supports NetFlow versions 1, 5, 7, and 9. For more information on NetFlow, see the Cisco web site (http://www.cisco.com).

While NetFlow expands the amount of the network that is monitored, it uses a connectionless protocol (UDP) to deliver NDEs. After an NDE is sent from a switch or router, the NetFlow record is purged. Because UDP does not guarantee the delivery of data, NetFlow can suffer from inaccurate recording and reduced alerting capabilities. Inaccurate presentations of both traffic volumes and bidirectional flows might result.

When you configure an external flow source for NetFlow, you must do the following tasks:

  • Make sure that the appropriate firewall rules are configured. If you change your External Flow Source Monitoring Port parameter in the JSA Flow Processor configuration, you must also update your firewall access configuration.

  • Make sure that the appropriate ports are configured for your JSA flow processor.

If you are using NetFlow version 9, make sure that the NetFlow template from the NetFlow source includes the following fields:

  • FIRST_SWITCHED

  • LAST_SWITCHED

  • PROTOCOL

  • IPV4_SRC_ADDR

  • IPV4_DST_ADDR

  • L4_SRC_PORT

  • L4_DST_PORT

  • IN_BYTES or OUT_BYTES

  • IN_PKTS or OUT_PKTS

  • TCP_FLAGS (TCP flows only)

The following VLAN fields are supported for NetFlow version 9.

  • vlanId

  • postVlanId

  • dot1qVlanId

  • dot1qPriority

  • dot1qCustomerVlanId

  • dot1qCustomerPriority

  • postDot1qVlanId

  • postDot1qCustomerVlanId

  • dot1qDEI

  • dot1qCustomerDEI

IPFIX

Internet Protocol Flow Information Export (IPFIX) is an accounting technology. IPFIX monitors traffic flows through a switch or router, interprets the client, server, protocol, and port that is used, counts the number of bytes and packets, and sends that data to an IPFIX collector.

The process of sending IPFIX data is often referred to as a NetFlow Data Export (NDE). IPFIX provides more flow information and deeper insight than NetFlow v9. You can configure JSA to accept NDEs and thus become an IPFIX collector. IPFIX uses User Datagram Protocol (UDP) to deliver NDEs. After an NDE is sent from the IPFIX forwarding device, the IPFIX record might be purged.

To configure JSA to accept IPFIX flow traffic, you must add a NetFlow flow source. The NetFlow flow source processes IPFIX flows by using the same process.

Your JSA system might include a default NetFlow flow source; therefore, you might not be required to configure a NetFlow flow source. To confirm that your system includes a default NetFlow flow source, select Admin > Flow Sources. If default_Netflow is listed in the flow source list, IPFIX is already configured.

When you configure an external flow source for IPFIX, you must do the following tasks:

  • Ensure that the appropriate firewall rules are configured. If you change your External Flow Source Monitoring Port parameter in the JSA Flow Processor configuration, you must also update your firewall access configuration. For more information about JSA flow processor configuration, see the Juniper Secure Analytics Administration Guide.

  • Ensure that the appropriate ports are configured for your JSA flow processor.

  • Ensure that the IPFIX template from the IPFIX source includes the following IANA-listed Information Elements:

      • protocolIdentifier (4)

      • sourceIPv4Address (8)

      • destinationIPv4Address (12)

      • sourceTransportPort (7)

      • destinationTransportPort (11)

      • octetDeltaCount (1) or postOctetDeltaCount (23)

      • packetDeltaCount (2) or postPacketDeltaCount (24)

      • tcpControlBits (6) (TCP flows only)

      • flowStartSeconds (150) or flowStartMilliseconds (152) or flowStartDeltaMicroseconds (158)

      • flowEndSeconds (151) or flowEndMilliseconds (153) or flowEndDeltaMicroseconds (159)
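
The NetFlow version 9 and IPFIX template requirements listed above can be checked against a captured export packet before you point the exporter at the Flow Processor. The following is an added example, not JSA or Juniper code: it parses the template set of one packet and reports which required fields each template lacks. The group names, the `build` helper, and the sample packets are constructed for illustration, and the NetFlow v9 field type numbers come from RFC 3954 rather than from this page.

```python
import struct

# "Any one of" element-ID groups: IPFIX IDs as listed above, v9 types per RFC 3954.
COMMON = {"protocol": (4,), "src_addr": (8,), "dst_addr": (12,),
          "src_port": (7,), "dst_port": (11,), "bytes": (1, 23), "pkts": (2, 24)}
REQUIRED = {9: {**COMMON, "first_switched": (22,), "last_switched": (21,)},
            10: {**COMMON, "flow_start": (150, 152, 158), "flow_end": (151, 153, 159)}}
LAYOUT = {9: (20, 0), 10: (16, 2)}  # version: (header length, template set ID)

def templates(packet):
    """Yield (version, template_id, field_ids) for each template in a packet."""
    version = struct.unpack_from("!H", packet)[0]
    if version not in LAYOUT:
        raise ValueError(f"not NetFlow v9 or IPFIX (version {version})")
    off, template_set = LAYOUT[version]
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        pos, end = off + 4, off + set_len
        if set_len < 4 or end > len(packet):
            raise ValueError("malformed set length")
        while set_id == template_set and pos + 4 <= end:
            tid, count = struct.unpack_from("!HH", packet, pos)
            if tid < 256:  # trailing padding, not a template
                break
            pos, fields = pos + 4, set()
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("template overruns its set")
                ftype = struct.unpack_from("!H", packet, pos)[0]
                enterprise = version == 10 and ftype & 0x8000
                pos += 8 if enterprise else 4  # enterprise IDs carry a 4-byte PEN
                if not enterprise:
                    fields.add(ftype)
            yield version, tid, fields
        off = end

def missing_fields(packet, tcp=False):
    """Map template ID -> required field groups the template lacks."""
    extra = {"tcp_flags": (6,)} if tcp else {}  # TCP flows only
    return {tid: sorted(name for name, ids in {**REQUIRED[v], **extra}.items()
                        if not fields & set(ids))
            for v, tid, fields in templates(packet)}

def build(version, tid, field_ids):
    """Constructed sample packet: zeroed header fields, one template."""
    rec = struct.pack("!HH", tid, len(field_ids)) + b"".join(
        struct.pack("!HH", f, 4) for f in field_ids)
    body = struct.pack("!HH", LAYOUT[version][1], 4 + len(rec)) + rec
    return struct.pack("!H", version) + bytes(LAYOUT[version][0] - 2) + body
```

For example, `missing_fields(build(9, 256, [4, 8, 12, 7, 11, 1, 2, 22]))` reports `last_switched` for template 256, because the constructed template omits LAST_SWITCHED.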

The following VLAN fields are supported for IPFIX.

  • vlanId

  • postVlanId

  • dot1qVlanId

  • dot1qPriority

  • dot1qCustomerVlanId

  • dot1qCustomerPriority

  • postDot1qVlanId

  • postDot1qCustomerVlanId

  • dot1qDEI

  • dot1qCustomerDEI

The following MPLS fields are supported for IPFIX.

  • mplsTopLabelType

  • mplsTopLabelIPv4Address

  • mplsTopLabelStackSection

  • mplsLabelStackSection2

  • mplsLabelStackSection3

  • mplsLabelStackSection4

  • mplsLabelStackSection5

  • mplsLabelStackSection6

  • mplsLabelStackSection7

  • mplsLabelStackSection8

  • mplsLabelStackSection9

  • mplsLabelStackSection10

  • mplsVpnRouteDistinguisher

  • mplsTopLabelPrefixLength

  • mplsTopLabelIPv6Address

  • mplsPayloadLength

  • mplsTopLabelTTL

  • mplsLabelStackLength

  • mplsLabelStackDepth

  • mplsTopLabelExp

  • postMplsTopLabelExp

  • pseudoWireType

  • pseudoWireControlWord

  • mplsLabelStackSection

  • mplsPayloadPacketSection

  • sectionOffset

  • sectionExportedOctets

sFlow

sFlow is a multi-vendor and user standard for sampling technology that provides continuous monitoring of application level traffic flows on all interfaces simultaneously.

sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. JSA supports sFlow versions 2, 4, and 5. sFlow traffic is based on sampled data and, therefore, might not represent all network traffic. For more information, see the sFlow website (www.sflow.org).

sFlow uses a connectionless protocol (UDP). When data is sent from a switch or router, the sFlow record is purged. Because UDP does not guarantee the delivery of data, sFlow can suffer from inaccurate recording and reduced alerting capabilities. Inaccurate presentations of both traffic volumes and bidirectional flows might result.

When you configure an external flow source for sFlow, you must do the following task:

  • Make sure that the appropriate firewall rules are configured.

J-Flow

J-Flow is a proprietary accounting technology used by Juniper Networks that allows you to collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on a J-Flow collector. You can also enable J-Flow on a router or interface to collect network statistics for specific locations on your network.

Note that J-Flow traffic is based on sampled data and, therefore, might not represent all network traffic. For more information on J-Flow, see the Juniper Networks website (www.juniper.net).

J-Flow uses a connectionless protocol (UDP). When data is sent from a switch or router, the J-Flow record is purged. Because UDP does not guarantee the delivery of data, J-Flow can suffer from inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bidirectional flows.

When you configure an external flow source for J-Flow, you must:

  • Make sure the appropriate firewall rules are configured.

  • Make sure the appropriate ports are configured for your JSA Flow Processor.

The following VLAN fields are supported for J-Flow.

  • vlanId

  • postVlanId

  • dot1qVlanId

  • dot1qPriority

  • dot1qCustomerVlanId

  • dot1qCustomerPriority

  • postDot1qVlanId

  • postDot1qCustomerVlanId

  • dot1qDEI

  • dot1qCustomerDEI

Packeteer

Packeteer devices collect, aggregate, and store network performance data. After you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to JSA.

Packeteer uses a connectionless protocol (UDP). When data is sent from a switch or router, the Packeteer record is purged. Because UDP does not guarantee the delivery of data, Packeteer can suffer from inaccurate recording and reduced alerting capabilities. Inaccurate presentations of both traffic volumes and bidirectional flows might occur.

To configure Packeteer as an external flow source, you must do the following tasks:

  • Make sure that the appropriate firewall rules are configured.

  • Make sure that you configure Packeteer devices to export flow detail records and configure the JSA Flow Processor as the destination for the data export.

  • Make sure that the appropriate ports are configured for your JSA flow processor.

  • Make sure the class IDs from the Packeteer devices can automatically be detected by the JSA flow processor.

For more information, see Mapping Packeteer Applications into JSA.

Flowlog File

A Flowlog file is generated from the JSA flow logs.