Cisco Firepower Management Center 4000
FireSIGHT System User Guide, Chapter 35: Introduction to Network Discovery (page 35-17)

Understanding NetFlow
NetFlow-enabled devices are widely used to capture and export data about the traffic that passes through 
those devices. NetFlow-enabled devices have a database called the NetFlow cache that stores records of 
the flows that pass through the devices. A flow, called a connection in the FireSIGHT System, is a 
sequence of packets that represents a session between a source and destination host, using specific ports, 
protocol, and application protocol.
For the networks you specify, Cisco managed devices detect the records exported by NetFlow-enabled 
devices, generate connection events based on the data in those records, and finally send those events to 
the Defense Center to be logged in the database. You can also configure the system to add host and 
application protocol information to the database, based on the information in NetFlow connections. 
You can use this discovery and connection data to supplement the data gathered directly by your 
managed devices. This is especially useful if you have NetFlow-enabled devices deployed on networks 
that your managed devices cannot monitor.
You configure NetFlow data collection, including connection logging, using rules in the network 
discovery policy. Contrast this with connection logging for connections detected by Cisco managed 
devices, which you configure per access control rule, as described in 
. Because NetFlow data collection is linked to networks rather than 
access control rules, you do not have as much granular control over which connections you want to log. 
Also, the system automatically saves all NetFlow-based connection events to the Defense Center 
connection event database; you cannot send them to the system log or an SNMP trap server.
Differences Between NetFlow and FireSIGHT Data
License: FireSIGHT
With one exception (TCP flags), the information available in NetFlow records is more limited than the 
information generated by monitoring network traffic using managed devices. Because the system cannot 
directly analyze the traffic represented by NetFlow data, when the system processes NetFlow records it 
uses various methods to convert that data into connection logs as well as into host and application 
protocol records.
There are several differences between converted NetFlow data and the discovery and connection data 
gathered directly by your managed devices. You should keep the differences in mind when performing 
analysis that requires:
  • statistics on the number of detected connections
  • operating system and other host-related information (including vulnerabilities)
  • application data, including client information, web application information, and vendor and version 
    server information
  • knowing which host in a connection is the initiator and which is the responder
Tip: For each field in a connection event, the table indicates the available data depending on whether 
the connection was detected directly by Cisco managed devices, or if the connection event is based on 
NetFlow data.
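The flow-to-connection conversion described above, together with the initiator/responder ambiguity listed among the differences, as an added example that is not code from the FireSIGHT guide or from the product. It decodes a constructed NetFlow v5 export datagram, keeps only records that touch a network named in a constructed discovery rule (the "networks you specify"), folds the two unidirectional records of one TCP session into a single bidirectional connection event, and picks initiator and responder with a heuristic that is this example's own assumption: NetFlow v5 TCP flags are the cumulative OR over the flow, so SYN appears in both directions and cannot settle who opened the session. The page does not show the system's actual conversion rules; all addresses, ports and counters below are constructed sample input.

```python
"""Added example, not code from the FireSIGHT guide or the product: decode a
NetFlow v5 datagram, filter by discovery-rule networks, fold unidirectional
records into one connection event and guess initiator/responder."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List

# NetFlow v5 wire layout as documented by Cisco: 24-byte header, then fixed
# 48-byte records, all in network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


@dataclass
class FlowRecord:           # one unidirectional NetFlow v5 record
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    first_ms: int           # sysUptime (ms) at the flow's first packet
    tcp_flags: int          # cumulative OR of flags seen in this direction


@dataclass
class ConnectionEvent:      # the bidirectional "connection" the page describes
    initiator: str
    initiator_port: int
    responder: str
    responder_port: int
    proto: int
    initiator_pkts: int
    responder_pkts: int
    initiator_bytes: int
    responder_bytes: int
    tcp_flags: int          # OR of both directions: the one field NetFlow adds
    basis: str              # which heuristic chose the initiator


def build_v5(flows: List[tuple]) -> bytes:
    """Encode (src, dst, sport, dport, proto, pkts, octets, first, last, flags)
    tuples as a v5 datagram. Only used to construct the sample input."""
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                       0, 1, 2, pk, oc, first, last, sp, dp, 0, fl, pr, 0,
                       0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, first, last, fl in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body


def parse_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode a NetFlow v5 export datagram; reject other versions/truncation."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated NetFlow v5 datagram")
    out = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        out.append(FlowRecord(src=str(ipaddress.IPv4Address(f[0])),
                              dst=str(ipaddress.IPv4Address(f[1])),
                              sport=f[9], dport=f[10], proto=f[13], packets=f[5],
                              octets=f[6], first_ms=f[7], tcp_flags=f[12]))
    return out


def touches_networks(rec: FlowRecord, networks) -> bool:
    """Discovery-rule style filter: keep a record if either endpoint is inside
    a network the rule names (assumption of this example)."""
    return any(ipaddress.IPv4Address(h) in n for h in (rec.src, rec.dst) for n in networks)


def session_key(rec: FlowRecord) -> tuple:
    """Direction-independent key so both halves of a session group together."""
    a, b = (rec.src, rec.sport), (rec.dst, rec.dport)
    return (min(a, b), max(a, b), rec.proto)


def to_connection_events(records: List[FlowRecord], networks) -> List[ConnectionEvent]:
    groups: Dict[tuple, List[FlowRecord]] = {}
    for rec in records:
        if touches_networks(rec, networks):
            groups.setdefault(session_key(rec), []).append(rec)
    events = []
    for flows in groups.values():
        # Heuristic (this example's assumption, not the product's algorithm):
        # with both directions exported, the earlier start is the initiator;
        # with one direction, or a tie, the higher (ephemeral) port is.
        if len(flows) == 2 and flows[0].first_ms != flows[1].first_ms:
            opener = min(flows, key=lambda r: r.first_ms)
            init, basis = (opener.src, opener.sport), "earlier-start"
        else:
            a, b = (flows[0].src, flows[0].sport), (flows[0].dst, flows[0].dport)
            init, basis = max((a, b), key=lambda e: e[1]), "higher-port"
        ends = {(r.src, r.sport) for r in flows} | {(r.dst, r.dport) for r in flows}
        resp = (ends - {init}).pop()
        fwd = [r for r in flows if (r.src, r.sport) == init]
        rev = [r for r in flows if (r.dst, r.dport) == init]
        events.append(ConnectionEvent(
            initiator=init[0], initiator_port=init[1],
            responder=resp[0], responder_port=resp[1], proto=flows[0].proto,
            initiator_pkts=sum(r.packets for r in fwd),
            responder_pkts=sum(r.packets for r in rev),
            initiator_bytes=sum(r.octets for r in fwd),
            responder_bytes=sum(r.octets for r in rev),
            tcp_flags=sum(r.tcp_flags for r in []) | __import__("functools").reduce(
                lambda x, r: x | r.tcp_flags, flows, 0),
            basis=basis))
    return events


# Constructed sample input: a discovery rule for 10.0.0.0/8 and four records.
DISCOVERY_NETWORKS = [ipaddress.IPv4Network("10.0.0.0/8")]
SAMPLE_DATAGRAM = build_v5([
    # one HTTPS session exported as two unidirectional records, same flags
    ("10.1.2.3", "192.0.2.10", 51234, 443, 6, 12, 1800, 1000, 1900, TCP_SYN | TCP_ACK | TCP_PSH | TCP_FIN),
    ("192.0.2.10", "10.1.2.3", 443, 51234, 6, 15, 9000, 1001, 1900, TCP_SYN | TCP_ACK | TCP_PSH | TCP_FIN),
    # a DNS query for which only the client->server record was exported
    ("10.1.2.3", "192.0.2.53", 40000, 53, 17, 1, 64, 500, 500, 0),
    # traffic outside the rule's networks: must produce no event
    ("172.16.5.5", "198.51.100.7", 33333, 22, 6, 4, 300, 700, 800, TCP_SYN | TCP_ACK),
])


def demo() -> List[ConnectionEvent]:
    return to_connection_events(parse_v5(SAMPLE_DATAGRAM), DISCOVERY_NETWORKS)


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Note that the HTTPS session is resolved by start time only because both halves arrived; the lone DNS record falls back to a port-based guess, and no NetFlow field records which host sent the first packet, which is why the page lists initiator/responder identification among the data that converted NetFlow cannot reliably supply.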