Types of Flow Sources

JSA Flow Processor can process flows from multiple sources, which are categorized as either internal or external sources.

Internal Flow Sources

Sources that include packet data by connecting to a SPAN port or a network TAP are considered internal sources. These sources provide raw packet data to a monitoring port on the Flow Processor, which converts the packet details into flow records.

JSA does not keep the entire packet payload. Instead, it captures a snapshot of the flow, referred to as the payload or content capture, which includes packets from the beginning of the communication.

Flow collection from internal sources normally requires a dedicated Flow Processor.

External Flow Sources

JSA supports the following external flow sources:

  • NetFlow

  • IPFIX

  • sFlow

  • J-Flow

  • Packeteer

  • Network interface

For more information about the fields that are supported for each flow source type, see the Juniper Secure Analytics Users Guide.

External sources do not require as much CPU to process, so you can send the flows directly to a Flow Processor. In this configuration, you might have a dedicated Flow Processor that receives and creates flow data.

If your Flow Processor collects flows from multiple sources, you can assign each flow source a distinct name. A distinct name helps to distinguish the external flow data from other sources.

JSA can forward external flow source data by using the spoofing or non-spoofing method:

Spoofing

Resends the inbound data that is received from a flow source to a secondary destination.

To configure the spoofing method, configure the flow source so that the Monitoring Interface is set to the management port on which the data is received.

When you use a specific interface, the Flow Processor uses a promiscuous mode capture to collect the flow data, rather than listening on the default UDP port, 2055. This way, the Flow Processor can capture and forward the data.

Non-Spoofing

For the non-spoofing method, configure the Monitoring Interface parameter in the flow source configuration as Any.

The Flow Processor opens the listening port, which is the port that is configured as the Monitoring Port, to accept the flow data. The data is processed and forwarded to another flow source destination.

When the data is forwarded, the source IP address of the flow becomes the IP address of the JSA system, not the original router that sent the data.
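
The non-spoofing behavior described above, as an added example that is not JSA code: a loopback UDP relay in Python in which the secondary collector sees the forwarder's address rather than the original sender's. The socket names, the constructed NetFlow v5 header, and the use of the loopback (IP, port) pair in place of distinct host IP addresses are assumptions of the example.

```python
import socket
import struct

# Constructed sample: a 24-byte NetFlow v5 header announcing zero flow records
# (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#  engine_type, engine_id, sampling_interval).
SAMPLE_EXPORT = struct.pack("!HHIIIIBBH", 5, 0, 1000, 1700000000, 0, 1, 0, 0, 0)


def udp_socket(ip="127.0.0.1"):
    """Bind a UDP socket to a free port chosen by the OS."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(2.0)
    s.bind((ip, 0))
    return s


def relay_once():
    """Send one export router -> processor -> collector; report who saw what."""
    router = udp_socket()      # hypothetical exporter
    listener = udp_socket()    # stands in for the Monitoring Port listener
    forwarder = udp_socket()   # processor's own socket for the forwarded copy
    collector = udp_socket()   # hypothetical secondary destination
    try:
        router.sendto(SAMPLE_EXPORT, listener.getsockname())
        payload, seen_by_processor = listener.recvfrom(65535)
        # Non-spoofing: the payload is re-sent from the processor's own socket,
        # so the original sender address is not carried along.
        forwarder.sendto(payload, collector.getsockname())
        forwarded, seen_by_collector = collector.recvfrom(65535)
        return {
            "router": router.getsockname(),
            "forwarder": forwarder.getsockname(),
            "seen_by_processor": seen_by_processor,
            "seen_by_collector": seen_by_collector,
            "payload_intact": forwarded == SAMPLE_EXPORT,
        }
    finally:
        for s in (router, listener, forwarder, collector):
            s.close()


if __name__ == "__main__":
    for key, value in relay_once().items():
        print(f"{key}: {value}")
```

A downstream system that attributes flows by UDP source address will therefore attribute every forwarded exporter to the forwarding system.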