Activate the NetFlow Collector

Activating a broker VM with a NetFlow Collector applet enables you to receive, store, and pre-process NetFlow and IPFIX flow records for later analysis.
Ingesting records from external sources requires a Cortex XDR Pro per TB license.
To receive NetFlow flow records from an external source, you must first set up the NetFlow Collector applet on a broker VM within your network. NetFlow versions 5, 9, and IPFIX are supported.
To increase the log ingestion rate, you can add CPUs to the broker VM. The NetFlow Collector listens for flow records on specific UDP ports, either from any source IP address or only from the IP addresses you specify.
After the NetFlow Collector is activated, the NetFlow Exporter sends flow records to the NetFlow Collector, which receives, stores, and pre-processes that data for later analysis.
Size the broker VM according to your expected flow rate:
  • 4 CPUs for up to 50K flows per second (FPS).
  • 8 CPUs for up to 100K FPS.
Since multiple network devices can send data to a single NetFlow Collector, we recommend that you configure a maximum of 50 NetFlow Collectors per broker VM applet, with a maximum aggregated rate of approximately 50K flows per second (FPS) to maintain system performance.
Complete the following task before setting up the NetFlow Collector applet.
Activate the NetFlow Collector.
  1. In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
  2. Right-click the broker VM and select NetFlow Collector > Activate.
  3. Click +Add New.
  4. Configure your NetFlow Collector.
    1. Define General Settings.
      • UDP Port—Specify the number of the UDP port on which the NetFlow Collector listens for flow records (default 2055).
        This port number must match the UDP port number configured on the NetFlow exporter device. The rules for each port are evaluated line by line, on a first-match basis. Cortex XDR discards flow records that arrive on a port without a matching rule unless that port also has an “Any” rule.
        Since Cortex XDR reserves some port numbers, choose a port number that is not in the range 0-1024 (514 is allowed), not in the range 63000-65000, and not one of the following values: 4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, or 28672.
    2. Define Custom Settings.
      • Source Network—Specify the IP address or the Classless Inter-Domain Routing (CIDR) range of the source network device that sends the flow records to Cortex XDR. Leave the field empty (the default) to receive data from any source IP address or CIDR that transmits via the specified port. If IP addresses overlap in multiple rows of the Source Network field, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the NetFlow Collector captures the IP address using the first row.
      • Vendor and Product—Specify a particular vendor and product to be associated with each dataset entry, or leave the default IP Flow setting.
        The Vendor and Product values define the name of your XQL dataset, <Vendor>_<Product>_raw. If you do not define a vendor or product, Cortex XDR uses the default values, resulting in the dataset name ip_flow_ip_flow_raw. Consider changing the default values so that each source network device can be uniquely identified.
        After each configuration, save your changes and then select Done to update the NetFlow Collector with your settings.
  5. (Optional) Make additional changes to the NetFlow Collector data sources.
    • You can make additional changes to the Port by right-clicking the applicable UDP port and selecting one of the following.
      • Edit—To change the UDP Port, Source Network, Vendor, or Product defined.
      • Remove—To delete a Port.
    • You can make additional changes to the Source Network by right-clicking the Source Network value. The options available change according to the set Source Network value.
      • Edit—To change the UDP Port, Source Network, Vendor, or Product defined.
      • Remove—To delete a Port.
      • Copy entire row—To copy the Source Network, Product, and Vendor information.
      • Open IP View—To view network operations and any open incidents on this IP within a defined period. This option is only available when the Source Network value is a specific IP address or CIDR.
      • Open in Quick Launcher—To search for information using the Quick Launcher shortcut. This option is only available when the Source Network value is a specific IP address or CIDR.
    • To prioritize the order of the NetFlow formats listed for the configured data source, drag and drop the rows to change their order.
  6. Activate the NetFlow Collector applet.
    After successful activation, the Apps field of the broker VM on which you configured the NetFlow Collector displays NetFlow Collector - Active, Connected.
  7. (Optional) To view NetFlow Collector metrics, hover over the NetFlow Collector link in the Apps field. Cortex XDR displays the following information:
    • Connectivity Status—Whether the applet is connected to Cortex XDR.
    • Logs Received and Logs Sent—Number of logs that the applet received and sent per second over the last 24 hours. If more logs are received than sent, this may indicate a connectivity issue.
    • Resources—Displays the amount of CPU, Memory, and Disk space the applet uses.
  8. Manage the NetFlow Collector.
    After you activate the NetFlow Collector, you can make additional changes. To modify a configuration, right-click your broker VM and select:
    • NetFlow Collector > Configure to redefine the NetFlow Collector configurations.
    • NetFlow Collector > Deactivate to disable the NetFlow Collector.
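The rule-table behaviour described in step 4 (first-match evaluation per UDP port, the 10.0.0.10 versus 10.0.0.0/24 overlap, discarding of records on a port with no matching row and no “Any” row, and the <Vendor>_<Product>_raw dataset name) is easy to get wrong when a table grows to dozens of rows. The following added example, which is not Cortex XDR code and not part of this page, models that table so you can predict where a given exporter's records land and find rows that can never match. It also checks a candidate UDP port against the reserved ranges and values listed above. Assumptions: the rule table and flow sources are constructed sample data, and the dataset name is assumed to be formed by lower-casing the Vendor and Product values and replacing spaces with underscores (the page only shows the default IP Flow case).

```python
"""
Model of the NetFlow Collector rule table: each row binds a UDP port and an
optional Source Network (IP or CIDR) to a Vendor and Product; rows are checked
top to bottom on a first-match basis; the matching row names the XQL dataset
<vendor>_<product>_raw; records on a port with no matching row and no "Any"
row are discarded. Constructed example, not Cortex XDR code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port ranges and values the page lists as reserved on the broker VM.
RESERVED_RANGES = [(0, 1024), (63000, 65000)]
ALLOWED_IN_RESERVED_RANGE = {514}
RESERVED_PORTS = {4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, 28672}


def port_is_recommended(port: int) -> bool:
    """True when a UDP port avoids every reserved range and value listed on the page."""
    if not 0 <= port <= 65535:
        return False
    if port in ALLOWED_IN_RESERVED_RANGE:
        return True
    if any(lo <= port <= hi for lo, hi in RESERVED_RANGES):
        return False
    return port not in RESERVED_PORTS


def _dataset_token(value: str) -> str:
    # Assumption: dataset names lower-case the value and replace spaces with
    # underscores; the page only shows the default "IP Flow" -> "ip_flow" case.
    return "_".join(value.strip().lower().split())


@dataclass
class Rule:
    udp_port: int
    source_network: Optional[str] = None   # None or "" means an "Any" row
    vendor: str = "IP Flow"
    product: str = "IP Flow"

    def is_any(self) -> bool:
        return not self.source_network

    def network(self):
        # strict=False accepts a host address such as 10.0.0.10 as a /32.
        return None if self.is_any() else ipaddress.ip_network(self.source_network, strict=False)

    def matches(self, port: int, src_ip: str) -> bool:
        if port != self.udp_port:
            return False
        if self.is_any():
            return True
        # "in" returns False (no exception) when address and network families differ.
        return ipaddress.ip_address(src_ip) in self.network()

    def dataset(self) -> str:
        return f"{_dataset_token(self.vendor)}_{_dataset_token(self.product)}_raw"


def route_flow(rules: List[Rule], port: int, src_ip: str) -> Optional[str]:
    """Dataset that receives a record from src_ip on port, or None if it is discarded."""
    for rule in rules:                      # first matching row wins
        if rule.matches(port, src_ip):
            return rule.dataset()
    return None


def shadowed_rows(rules: List[Rule]) -> List[int]:
    """Indices of rows that can never match: an earlier row on the same port is an
    "Any" row, or its Source Network already covers the later row's network."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.udp_port != later.udp_port:
                continue
            if earlier.is_any():
                shadowed.append(j)
                break
            if later.is_any():
                continue
            a, b = later.network(), earlier.network()
            if a.version == b.version and a.subnet_of(b):
                shadowed.append(j)
                break
    return shadowed


# Constructed sample rule table (2055 is the page's default listener port).
SAMPLE_RULES = [
    Rule(2055, "10.0.0.10", "Cisco", "ASR"),         # specific host, first row
    Rule(2055, "10.0.0.0/24", "Cisco", "Catalyst"),  # overlapping CIDR, second row
    Rule(2056),                                      # "Any" row, default IP Flow
    Rule(2056, "172.16.0.0/12", "Juniper", "MX"),    # never reached: row above is Any
]

if __name__ == "__main__":
    for port, ip in [(2055, "10.0.0.10"), (2055, "10.0.0.20"),
                     (2055, "192.168.1.1"), (2056, "172.16.5.5")]:
        print(port, ip, "->", route_flow(SAMPLE_RULES, port, ip) or "discarded")
    print("shadowed rows:", shadowed_rows(SAMPLE_RULES))
    print("2055 ok:", port_is_recommended(2055), "6379 ok:", port_is_recommended(6379))
```

Running the script shows 10.0.0.10 landing in cisco_asr_raw (the first row wins over the broader /24), 10.0.0.20 in cisco_catalyst_raw, 192.168.1.1 on port 2055 being discarded because that port has no “Any” row, and the Juniper row flagged as shadowed because it sits below an “Any” row on the same port. Rows that shadowed_rows reports are candidates for reordering by drag and drop in step 5.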
