Flow Sources
Flow information is used to detect threats and other suspicious activity that might be missed if you rely only on event information.
Flows provide network traffic information that is sent simultaneously to JSA in various formats, including Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer.
NetFlow, J-Flow, and sFlow are protocols that collect flow data from network devices, such as routers, and send this data to JSA.
NetFlow, J-Flow, and sFlow are configured in a similar way, but each one is deployed according to the protocol that each network device supports.
If you are collecting NetFlow, J-Flow, or sFlow data, verify that JSA is collecting complete flow sets. Incomplete or missing flows can make it difficult to analyze network activity.
JSA Flow Processor and Packet-based Sources
JSA captures traffic from mirror ports or taps within your network by using an JSA Flow Processor.
The JSA flow processor is enabled by default, while the mirror port or tap is connected to a monitoring interface on your JSA appliance. Common mirror port locations include core, DMZ, server, and application switches.
JSA flow processor combined with JSA and flow processors provides Layer 7 application visibility and flow analysis of network traffic regardless of the port on which the application is operating. For example, if the Internet Relay Chat (IRC) protocol is communicating on port 7500 (TCP), JSA flow processor identifies the traffic as IRC and provides a packet capture of the beginning of the conversation. This process differs from NetFlow and J-Flow, which indicate that traffic is on port 7500 (TCP) without identifying the protocol.
JSA Flow Processor are not full packet capture engines, but you can adjust the amount of content that is captured per flow. The default capture size is 64 bytes, and you can collect helpful data by using this setting. However, you might want to adjust this setting to 256 bytes to capture more content per flow. Increasing the capture size increases network traffic between your JSA flow processor and Flow Processor, and more disk storage is needed.
NetFlow Flow Processors and External Sources
You must configure NetFlow, which collects IP network traffic as it enters or exits an interface, to send data to the nearest JSA Flow Processor appliance.
JSA Flow Processor also support external flow sources, such as routers that send NetFlow, sFlow, J-Flow, and Packeteer data.
For more information about these sources, see the Juniper Secure Analytics Administration Guide.
You must configure NetFlow to send data as quickly as possible by configuring the external network device's ip-cache flow timeout value to one. Ensure that ingress and egress traffic is forwarded from the router. Not all routers can forward ingress and egress traffic. If you are configuring a router that provides only a sample of data, then configure the router to use the lowest possible sampling rate, without increasing the load on the switch.
To ensure that your NetFlow configuration is functioning correctly, you must validate your JSA NetFlow data.
For more information, see Verifying NetFlow data collection.
Verifying JSA Flow Processor Data Collection
JSA Flow Processor collect network traffic passively through network taps and span ports and can detect over 1000 networked applications. You can easily verify that your JSA flow processor is receiving network flow data.
Click the Network Activity tab.
From the Network Activity toolbar, click Search >New Search.
In the Search Parameters pane, add a flow source search filter.
From the first list, select Flow Source.
From the third list, select your Flow interface name.
Click Add Filter.
In the Search Parameters pane, add a protocol search filter.
From the first list, select Protocol.
Click Filter.
Click Add Filter.
Click Filter.
If the Source Bytes or Destination Bytes column displays many results with zero bytes, your network tap or span might be incorrectly configured. You must verify your QFlow configuration.
Configuring JSA Flow Processor Devices
You can verify that your JSA flow processor is operational and is capturing flows from routers or span ports.
Check that you are collecting flows from all routers where the traffic might cross, especially where there are multiple routes or paths exist.
If you are running dynamic routing protocols, traffic might follow different paths to and from a host.
Ensure that span ports or taps are configured correctly to process both received and transmitted packets.
Ensure that there is visibility to both sides of any asymmetric routes.
Verifying NetFlow Data Collection
To ensure that your NetFlow configuration is working correctly, you must validate your JSA NetFlow data.
Configure NetFlow to send data to the nearest JSA flow processor or JSA Flow Processor appliance.
By default, JSA listens on the management interface for NetFlow traffic on port 2055 (UDP). If you need more NetFlow ports, you can assign more ports.
Click the Network Activity tab.
From the Network Activity toolbar, click Search >New Search.
In the Search Parameters pane, add a flow source search filter.
From the first list, select Flow Source.
From the third list, select your NetFlow router's name or IP address.
If your NetFlow router is not displayed in the third list, JSA might not detect traffic from that router.
Click Add Filter.
In the Search Parameters pane, add a protocol search filter.
From the first list, select Protocol.
From the third list, select TCP.
Click Add Filter.
Click Filter.
Locate the Source Bytes and Destination Bytes columns to verify data collection.
If either column displays many results that have zero bytes, your configuration might be incomplete. You must verify your NetFlow configuration.
Disabling NetFlow Log Messages
You can disable NetFlow log messages to prevent them from using log file space.
If your NetFlow router is configured to sample flows, the following message might be logged in your JSA log file.
Nov 3 16:01:03 qflowhost \[11519\] qflow115: \[WARNING\] default_Netflow: Missed 30 flows from 10.10.1.1 (2061927611,2061927641)
This message indicates that the sequence number of the packet is missed. If the number of missed flows is consistent with your sampling rate, then you can ignore the message.
On the navigation menu, click Admin.
On the navigation menu, click System Configuration.
Click the System and License Management.
Click Systems from the Display menu.
Select the Console.
From the Deployment Actions menu, click Edit Host.
Click the Component Management icon.
From the Verify NetFlow Sequence Numbers field, select No.
Click Save.
Click Save on the Edit Managed Host pane.
Close the System and License Management window.
On the toolbar, click Deploy Changes.