Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Chapter 32: Introduction to Network Discovery
Understanding NetFlow
LICENSE: FireSIGHT
NetFlow is instrumentation embedded in Cisco IOS Software that characterizes
network operation. Its version 9 record format was published through the IETF
(RFC 3954) and is the basis of the IPFIX standard, so NetFlow export is available
not only on Cisco networking devices but also on Juniper devices and on FreeBSD
and OpenBSD hosts.
NetFlow-enabled devices are widely used to capture and export data about the
traffic that passes through those devices. NetFlow-enabled devices have a
database called the NetFlow cache that stores records of the flows that pass
through the devices. A flow, called a connection in the Sourcefire 3D System, is a
sequence of packets that represents a session between a source and destination
host, using specific ports, protocol, and application protocol.
For the networks you specify, Sourcefire managed devices detect the records
exported by NetFlow-enabled devices, generate connection events based on the
data in those records, and finally send those events to the Defense Center to be
logged in the database. You can also configure the system to add host and
application protocol information to the database, based on the information in
NetFlow connections.
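The record format and the network-scoped conversion described above, as an added example (Python, not Sourcefire code): it decodes a constructed NetFlow v5 export datagram, keeps only the flows that touch the networks you specify, and shapes them as connection-like events. The NetFlow v5 wire layout (24-byte header, 48-byte records, network byte order) is Cisco's documented format; the event field names, the monitored network list, and the sample addresses are assumptions chosen to mirror the guide's description, not the Defense Center schema.

```python
"""Decode a NetFlow v5 export and turn its flow records into connection-style events.

Added example, not Sourcefire code. The v5 layout is the documented Cisco format;
the event field names and sample data below are assumptions for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout (network byte order): 24-byte header, then `count` 48-byte records.
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
NF5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class FlowRecord:
    """The 5-tuple plus counters that make up one exported flow (a 'connection' in 3D System terms)."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int


def parse_netflow_v5(datagram: bytes) -> list[FlowRecord]:
    """Decode one exported datagram; reject other versions and truncated payloads."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # Trust the header's record count only if the bytes are actually present.
    if len(datagram) < NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError(f"header claims {count} records but the datagram is truncated")
    records = []
    for i in range(count):
        fields = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, *_rest) = fields
        records.append(FlowRecord(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                                  sport, dport, proto, pkts, octets, flags))
    return records


def to_connection_events(records, monitored_networks):
    """Keep only flows touching a monitored network (the 'networks you specify') and
    shape them as connection events. Field names are an assumption, not the DC schema."""
    nets = [ipaddress.ip_network(n) for n in monitored_networks]
    events = []
    for r in records:
        if not any(r.src in n or r.dst in n for n in nets):
            continue
        events.append({
            "initiator_ip": str(r.src), "responder_ip": str(r.dst),
            "initiator_port": r.src_port, "responder_port": r.dst_port,
            "protocol": PROTO_NAMES.get(r.proto, str(r.proto)),
            "packets": r.packets, "bytes": r.octets,
            # TCP flags are the one field the guide singles out as not being more
            # limited in NetFlow data than in managed-device data.
            "tcp_flags": r.tcp_flags,
        })
    return events


def build_sample_datagram() -> bytes:
    """Constructed sample export (not captured traffic): two flows from a hypothetical router."""
    def rec(src, dst, sport, dport, proto, pkts, octets, flags):
        return NF5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                               b"\x00" * 4, 1, 2, pkts, octets, 1000, 2000, sport, dport,
                               0, flags, proto, 0, 0, 0, 24, 24, 0)
    body = (rec("10.0.1.5", "192.0.2.10", 51234, 443, 6, 12, 3400, 0x1B)   # TCP, FIN|SYN|PSH|ACK
            + rec("172.16.0.3", "198.51.100.7", 40000, 53, 17, 1, 78, 0))  # UDP DNS query
    header = NF5_HEADER.pack(5, 2, 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    flows = parse_netflow_v5(build_sample_datagram())
    for ev in to_connection_events(flows, ["10.0.0.0/8"]):
        print(ev)
```

With only 10.0.0.0/8 monitored, the UDP flow between 172.16.0.3 and 198.51.100.7 is dropped even though the exporter saw it; widening the monitored list to include 172.16.0.0/12 brings it back. A datagram cut short of what its header's record count promises is rejected rather than partially parsed.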
You can use this discovery and connection data to supplement the data gathered
directly by your managed devices. This is especially useful if you have
NetFlow-enabled devices deployed on networks that your managed devices
cannot monitor.
You configure NetFlow data collection, including connection logging, using rules
in the network discovery policy. Contrast this with connection logging for
connections detected by Sourcefire managed devices, which you configure per
access control rule, as described on page 560. Because NetFlow data collection is
linked to networks rather than access control rules, you do not have as much
granular control over which connections you want to log. Also, the system
automatically saves all
NetFlow-based connection events to the Defense Center connection event
database; you cannot send them to the system log or an SNMP trap server.
For more information, see the sections that follow.
Differences Between NetFlow and FireSIGHT Data
LICENSE: FireSIGHT
With one exception (TCP flags), the information available in NetFlow records is
more limited than the information generated by monitoring network traffic using
managed devices. Because the system cannot directly analyze the traffic