Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1507
Views
0
Helpful
4
Replies

Export NetFlow from NAM to Stealthwatch

f.mary
Level 1
Level 1

‎12-09-2019 03:47 AM

Hello Cisco Community,

we have a little problem in our company with sending netflow data from the Cisco Prime NAMs to Stealtwatch. There is any documentation for this topic, but we thought that it should be possible to use the NAMs as exporters for Stealthwatch. So, we made the export configuration for the NAM and we are now able to see it as an exporter in Stealtwatch, but we are not able to see any flows from this exporter. We’ve tried to watch the exported information in Wireshark and there are the expected data showed.

Did anybody try this type of export too? Is it actually possible to use the NAMs as exporters for Stealthwatch?

We really tried anything, but we couldn’t make this work..

Labels:
0 Helpful
4 Replies 4

dcavalla
Cisco Employee
Cisco Employee

‎12-09-2019 03:57 AM

Hello,

please refer to page 16 on this guide: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf to make sure the minimum requirements are met. Don't have a NAM at hand, but if minimum requirements are met and the FC is licensed, the flows should come up.

 

Dario

0 Helpful

f.mary
Level 1
Level 1
In response to dcavalla

‎12-09-2019 06:52 AM

We already use the FC to collect data from other exporters as swithces, firewalls or routers and it works very well.

But to configure the NAM there are only few settings which can be done. Enclosed is a screenshot with the NAM configuration. 

Preview file
10 KB
0 Helpful

dcavalla
Cisco Employee
Cisco Employee
In response to f.mary

‎12-10-2019 10:03 AM

Thanks! I suppose you have already tested v9/IPFIX only combinations as well? Have you compared the required fields with the packet capture you have run?
Maybe a support case with the R&S team might help make sure the netflow export from the NAM is working as expected? I don't think it's the FC as it is working with other exporters. In my opinion it's very likely the exporter not sending data in the format the FC expects.

Hope this helps.

Dario
0 Helpful

f.mary
Level 1
Level 1
In response to dcavalla

‎12-11-2019 01:25 AM

Yes, we already tried all the possible combinations, but nothing works. I also think that the problem is with the exported format from the NAM. Do you know if there is another way to configure the NAM as netflow exporter, so that we can choose the right template for the SW FC? Or are there any specialists for the NAMs which we could ask?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents