<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Stealthwatch full netflow analytics in Security Analytics</title>
    <link>https://community.cisco.com/t5/security-analytics/stealthwatch-full-netflow-analytics/m-p/4096020#M525</link>
    <description>&lt;P&gt;1. Yes, Stealthwatch can merge&amp;nbsp;&lt;SPAN&gt;the pre/post NAT flows. And all information is shown in the GUI.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;2. The timing of FlowData that is coming from FlowDevice(Router, Switch, FW) is up to Device side configuration. Please check Device side Flow export timing.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 02 Jun 2020 08:41:23 GMT</pubDate>
    <dc:creator>kyoshiik</dc:creator>
    <dc:date>2020-06-02T08:41:23Z</dc:date>
    <item>
      <title>Stealthwatch full netflow analytics</title>
      <link>https://community.cisco.com/t5/security-analytics/stealthwatch-full-netflow-analytics/m-p/4095965#M524</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am new to Stealthwatch and have some questions which I cannot find in the other discussions in the community forum.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have a small deployment at one of our customers with 1 SMC and 1 FC. It is a multi-vendor environment. We have Cisco, Palo Alto, Fortinet which all seem to support NetFlow v9 or IPFIX.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From the documentation I could not quite understand how the flow-stitching (into single flow session in the GUI) and NAT stitching is done.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. When we have a device doing NAT translation and exporting full NetFlow, NAT stitching is supposed to see this as per the documentation. But will the pre/post NAT flows be merged? Am I supposed to see my session flow with the internal client address only and the respective destination server? Where is the NAT IP shown in the web GUI?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. When I make a simple file transfer test to an external server I see the flow from the search appearing. Client -&amp;gt; Server session with internal IP to the external server IP. However the data that has been transferred is 2-3 times more i.e. instead of 50Mb it is showing 148Mb. Is this a limitation of the flow collector doing the flow stitching, or might we have some wrong configuration?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I will highly appreciate any advice.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Emil&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2020 07:08:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/security-analytics/stealthwatch-full-netflow-analytics/m-p/4095965#M524</guid>
      <dc:creator>efellows.support</dc:creator>
      <dc:date>2020-06-02T07:08:19Z</dc:date>
    </item>
    <item>
      <title>Re: Stealthwatch full netflow analytics</title>
      <link>https://community.cisco.com/t5/security-analytics/stealthwatch-full-netflow-analytics/m-p/4096020#M525</link>
      <description>&lt;P&gt;1. Yes, Stealthwatch can merge&amp;nbsp;&lt;SPAN&gt;the pre/post NAT flows. And all information is shown in the GUI.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;2. The timing of FlowData that is coming from FlowDevice(Router, Switch, FW) is up to Device side configuration. Please check Device side Flow export timing.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2020 08:41:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/security-analytics/stealthwatch-full-netflow-analytics/m-p/4096020#M525</guid>
      <dc:creator>kyoshiik</dc:creator>
      <dc:date>2020-06-02T08:41:23Z</dc:date>
    </item>
    <item>
      <title>Re: Stealthwatch full netflow analytics</title>
      <link>https://community.cisco.com/t5/security-analytics/stealthwatch-full-netflow-analytics/m-p/4096067#M527</link>
      <description>&lt;P&gt;Hello Emil,&lt;/P&gt;
&lt;P&gt;Stealthwatch is capable of ingesting NAT info from IPFIX NAT and NSEL. That will allow Stealthwatch to stitch flows together and this process is quite reliable.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;NAT IP is shown when you run a flow search and enable the relative translated host column.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;For the file transfer issue, I would open a TAC case. Our Stealthwatch specialists team are located in US, EMEAR and APJC. They are typically very responsive.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope this helps.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Dario&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2020 10:54:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/security-analytics/stealthwatch-full-netflow-analytics/m-p/4096067#M527</guid>
      <dc:creator>dcavalla</dc:creator>
      <dc:date>2020-06-02T10:54:51Z</dc:date>
    </item>
  </channel>
</rss>

