This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPFix flow export

Hi guys,

we currently evaluating Sophos firewalls in order to replace our old cisco routers. Everything is fine so far except one thing. We need to export flow data in Netflow 5 format.

As I can see, IPFix is supported right now, the output is done via ulogd. Unfortunately the export format is not working fine with our management tool (LiveAction).

I don't understand why the IPFix export marks all flows with ifindex 0 instead of the actual ifindex id, this kills all exported information, I guess thats not the way it should do it.

Is there a possibility to get another plugin for ulogd which exports flowdata as Netflow instead of IPFix?

I tried the following things:

- Fprobe is running but it’s a mess with ifindex

- Fporbe-ulog, needs kernel module ipt_ULOG.ko, not on the system and no kernel headers to recompile it

- Ipt-netflow, needs to have compiled a new kernel module, as there are no kernel sources available this (best) option is out at the moment

Are the header packeds somewhere available?

Can we do something else in order to export Netflow 5 data, or is it possible to play with the IPFix output?

Thanks a lot,

Daniel

This thread was automatically locked due to age.

Scott_Klassen over 9 years ago

Hi Daniel,

The only thing you can do on your own is to create a feature request at feature.astaro.com to add Netflow (may already be requests for the same thing). Unlike Cisco, making changes from the shell, without the express direction of Sophos Support, voids your support contract. No exceptions. Not a good idea. If this will be a large order of UTMs, contact Sophos sales to put you in touch with pre-sales engineering for suggestions.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
DanielKrueger over 9 years ago in reply to Scott_Klassen

Hello Scott,

thanks for your replay. I have to make a decition now and it's not the way to go for me to send a feature request into the cloud and then hope someone picks it up.
I would be happy with IPFix, but it's unusable as the current implementation not even sends the correct ifindex interface information to the collector.
Cancel
Vote Up 0 Vote Down

Cancel
Scott_Klassen over 9 years ago

As far as a 3rd party Netflow/IPFix Collector that works with the UTM export data, the one that I know of that works is by Plixer. https://www.plixer.com/blog/netflow/astaro-ipfix-reporting-astaro-netflow-support/. You may want to see if a trial is available to see if it will work for you.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
DanielKrueger over 9 years ago in reply to Scott_Klassen

Is there a chance to alter the IPFIX template in oder to get the needed output data?
Cancel
Vote Up 0 Vote Down

Cancel
DanielKrueger over 9 years ago in reply to DanielKrueger

I'm quite sure there is something not right with the output.

A standard IPFIX output looks like this:
ID:301 - 10.0.0.2:4242->10.0.0.3:80 P:17 IF/OF:3/5 00:10:58 64

Sophos output:
ID:256 - 100.1.0.5:8262->100.1.0.12:80 P:6 IF/OF:0/0 00:10:55 336

The interface ifindex ID is missing.
Cancel
Vote Up 0 Vote Down

Cancel