Cisco FirePOWER Appliance 8250
35-19
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Understanding NetFlow
Initiator and Responder Information in Connections
For connections detected directly by managed devices, the system can identify which host is the initiator,
or source, and which is the responder, or destination. However, NetFlow data does not contain initiator
or responder information.
When the system processes NetFlow records, it uses an algorithm to determine this information based
on the ports each host is using, and whether those ports are well-known:
• If both or neither port being used is a well-known port, the system considers the host using the
lower-number port to be the responder.
• If only one of the hosts is using a well-known port, the system considers that host to be the
responder.
For this purpose, a well-known port is any port that is either numbered from 1 to 1023, or that contains
application protocol information in /etc/sf/services on the managed device.
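The heuristic above, written out as an added example (this is not Cisco code and not the algorithm as it runs on a managed device). It assumes a small constructed set of ports standing in for the contents of /etc/sf/services, and it resolves the one case the guide does not define, equal port numbers on both sides, by treating the source as the responder; that tie-break is an assumption.

```python
# Added example: initiator/responder inference for NetFlow records, which carry
# a 5-tuple but no direction.  Not Cisco's implementation.

# Constructed stand-in for the ports with application-protocol entries in
# /etc/sf/services on the managed device (assumption, not the real file).
SF_SERVICES = {3306, 5432, 8080, 8443}


def is_well_known(port, services=SF_SERVICES):
    """A port is 'well known' if it is 1-1023 or has a services-file entry."""
    return 1 <= port <= 1023 or port in services


def classify(src_ip, src_port, dst_ip, dst_port, services=SF_SERVICES):
    """Return {'initiator': (ip, port), 'responder': (ip, port)} for one flow.

    Rule 1: exactly one side on a well-known port -> that side is the responder.
    Rule 2: both or neither well-known -> the lower-numbered port is the responder.
    Equal ports are not covered by the guide; here the source side is chosen
    as responder (assumption).
    """
    src_wk = is_well_known(src_port, services)
    dst_wk = is_well_known(dst_port, services)
    if src_wk != dst_wk:
        responder_is_src = src_wk            # rule 1
    else:
        responder_is_src = src_port <= dst_port  # rule 2 (+ tie-break assumption)
    src, dst = (src_ip, src_port), (dst_ip, dst_port)
    if responder_is_src:
        return {"initiator": dst, "responder": src}
    return {"initiator": src, "responder": dst}


def classify_records(records, services=SF_SERVICES):
    """Apply classify() to a list of NetFlow-style dicts (constructed sample input)."""
    return [
        classify(r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"], services)
        for r in records
    ]


if __name__ == "__main__":
    # Constructed sample flows, keyed like NetFlow v5 record fields.
    sample = [
        {"srcaddr": "10.0.0.5", "srcport": 51234, "dstaddr": "10.0.0.9", "dstport": 443},
        {"srcaddr": "10.0.0.5", "srcport": 443,   "dstaddr": "10.0.0.9", "dstport": 80},
        {"srcaddr": "10.0.0.5", "srcport": 40000, "dstaddr": "10.0.0.9", "dstport": 30000},
        {"srcaddr": "10.0.0.5", "srcport": 51234, "dstaddr": "10.0.0.9", "dstport": 8443},
        {"srcaddr": "10.0.0.5", "srcport": 3306,  "dstaddr": "10.0.0.9", "dstport": 50000},
    ]
    for r, c in zip(sample, classify_records(sample)):
        print(r, "->", c)
```

The second and third sample flows show why the heuristic is only a heuristic: a client that binds a low or services-listed source port (or a scanner using a fixed source port) will be recorded as the responder, so direction derived from NetFlow should carry less weight in analysis than direction observed directly by a managed device.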
Preparing to Analyze NetFlow Data
License: FireSIGHT
Before you configure the FireSIGHT System to analyze NetFlow data, you must enable the NetFlow
feature on the routers or other NetFlow-enabled devices you plan to use, and configure the devices to
export NetFlow version 5 data to a destination network where the sensing interface of a managed device
is connected.
Note that the system can parse both NetFlow version 5 and NetFlow version 9 records. Your
NetFlow-enabled devices must use one of those versions if you want to use them with your FireSIGHT
System deployment. In addition, the system requires that specific fields be in the templates and records
that your NetFlow-enabled devices broadcast. If your NetFlow-enabled devices are using version 9,
which you can customize, you must make sure that the templates and records that the devices broadcast
contain the following fields, in any order:
• IN_BYTES (1)
• IN_PKTS (2)
• PROTOCOL (4)
• TCP_FLAGS (6)
• L4_SRC_PORT (7)
• IPV4_SRC_ADDR (8)
• L4_DST_PORT (11)
• IPV4_DST_ADDR (12)
• LAST_SWITCHED (21)
• FIRST_SWITCHED (22)
• IPV6_SRC_ADDR (27)
• IPV6_DST_ADDR (28)
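A way to verify an exporter's version 9 templates against this list before pointing the exporter at a sensing interface, as an added example (not Cisco code; the FireSIGHT System does its own parsing on the managed device). The block decodes the template flowset (flowset ID 0) of a NetFlow v9 export packet using the header and template layouts from RFC 3954, and reports which of the field type IDs listed above are absent. The packets it checks are constructed inline with a small builder; the checker treats the guide's list literally, so a template carrying only IPv4 address fields is reported as missing the IPv6 ones.

```python
# Added example: NetFlow v9 template check against the field IDs the guide
# requires.  Not Cisco's parser.
import struct

# Field type IDs the guide lists as required, with their names.
REQUIRED_FIELDS = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
    27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR",
}

HEADER_FMT = "!HHIIII"   # version, count, sysUptime, unixSecs, seqNum, sourceID
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} from one v9 packet.

    Only template flowsets (ID 0) are decoded; data and options flowsets are
    skipped by length.  Raises ValueError on a non-v9 or malformed packet.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    templates = {}
    off = HEADER_LEN
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length %d at offset %d" % (fs_len, off))
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            pos = 0
            # Each template record: template ID, field count, then (type, length) pairs.
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template %d" % tid)
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        off += fs_len
    return templates


def missing_required(fields):
    """Names of required field types absent from a template's field list, sorted."""
    present = {ftype for ftype, _ in fields}
    return sorted(name for ftype, name in REQUIRED_FIELDS.items() if ftype not in present)


def build_v9_template_packet(template_id, fields, version=9):
    """Constructed sample exporter output: a v9 header plus one template flowset."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    header = struct.pack(HEADER_FMT, version, 1, 0, 0, 1, 0)
    return header + flowset


# Constructed templates: one complete, one IPv4-only without TCP_FLAGS/LAST_SWITCHED.
FULL_TEMPLATE = [(1, 4), (2, 4), (4, 1), (6, 1), (7, 2), (8, 4), (11, 2),
                 (12, 4), (21, 4), (22, 4), (27, 16), (28, 16)]
V4_TEMPLATE = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (11, 2), (12, 4), (22, 4)]

if __name__ == "__main__":
    for name, fields in (("full", FULL_TEMPLATE), ("ipv4-only", V4_TEMPLATE)):
        tmpl = parse_v9_templates(build_v9_template_packet(256, fields))
        print(name, "template 256 missing:", missing_required(tmpl[256]) or "nothing")
```

Run it against a capture of the exporter's actual template packets (templates are resent periodically, so a short capture on the export VLAN is enough) rather than against the exporter's configuration, since what the device puts on the wire is what the managed device will see.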
Because the FireSIGHT System uses managed devices to analyze NetFlow data, your deployment must
include at least one managed device that can monitor your NetFlow-enabled devices. At least one
sensing interface on that managed device must be connected to a network where it can collect the data
that your NetFlow-enabled devices export. Because the sensing interfaces on managed devices do not
usually have IP addresses, the system does not support the direct collection of NetFlow records.