Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring the Flow Processor Format

SUMMARY Flow collectors can export data to flow processors in either TLV (type-length-value) or Payload format.

The TLV format stores the content metadata properties in the flow record, and can be searched without extra configuration in JSA.

The payload format stores the content metadata properties in the payload field of the flow record. To run searches on the data, you must use custom properties to extract the data from the payload.

Before you configure the format that the Flow Collector uses, ensure that you complete the following tasks:

  • Install a JSA Console with a Network Insights appliance attached as a managed host.
  • Perform a full deployment after you attach the Network Insights appliance as a managed host.
Note:

Content extension v1.3.0 introduced support for TLV fields, which supersedes earlier content extensions that were based on custom properties. If you are using content extension v1.3.0 or later, you must set the flow collector format to TLV; otherwise the rules in the content pack don't work.

  1. Log in to JSA: https://JSA_IP_Address

    The default user name is admin. The password is the password of the root user account.

  2. On the navigation menu, click Admin.
  3. In the navigation pane, click System Settings.
  4. Click the QFlow Settings menu, and in the IPFIX Additional Field Encoding field, choose the format.
    Table 1: QFlow Format Options
    Flow Processor format Description
    TLV Default setting for the flow collector format.

    Must be used when there is a Network Insights appliance in the environment.

    Network Insights V7.3.0 or later supports only TLV for content flows.

    Can be used when there is no Network Insights appliance in the environment.

    Payload Can be used when there is no Network Insights appliance in the environment.
  5. Click Save.
  6. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm your changes.
    Warning:

    When you deploy the full configuration, JSA services are restarted. During this time, events and flows are not collected, and offenses are not generated.

  7. Refresh your web browser.