Stealthwatch Enterprise - Flow matching issues

Eoin.Quinn
Level 1

Hi Guys

We've got Stealthwatch Enterprise up and running and so far I have to say I'm really liking it, but we are having some issues with flow matching, which results in a lot of traffic being picked up as a new flow instead of being part of normal client -> server patterns.

We have 3 exporters at present, all sending NetFlow v9 format (Core router, Core firewall & Perimeter firewall), averaging about 1.5k fps.

Does anyone have recommendations on optimising this, or has anyone encountered similar issues? Our flow record setup is as below:

flow record StealthwatchFCNFRec
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

Thanks Guys!

1 Reply

brford
Cisco Employee

It's likely not a problem with the fields in the flow record but with the sources of data being exported.  Flow matching works best when all the exporters are sending the same fields.  You presented a flow record but not all exporters (including firewalls) offer configurable flow records.

You said you have one router and two firewalls exporting. 

You did mention the models of firewalls.  That said, not all firewalls send flow data the same.  Cisco's ASA exports NSEL, which, while in a NetFlow format, sends flow data based on the firewall's function and configuration.  For example, NSEL uses a fixed export format that will include username if authentication is configured on the firewall.  It will also include data about any IP address translations if NAT is configured.

Other firewalls have their own export characteristics. 

A couple of suggestions. 

Try disabling flow export from the Core Firewall. It may be redundant with what the core router is exporting.

Try enabling export from an aggregation router.  Another idea might be to enable flow from either a remote access concentrator (firewall?) or wireless LAN controller (or router that connects either of those devices to the core) that bring remote access users into the network.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
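To make the point about mismatched exporters concrete, here is an added example that is not from this thread and is not how Stealthwatch implements matching: a toy stitcher that keys unidirectional records on a canonical 5-tuple and reports which conversations have both directions. The sample records are constructed, and the field names (`src`, `pre_nat_src`, `exporter`) are simplified stand-ins for the NetFlow v9 / NSEL elements, chosen only for illustration.

```python
# Added example (not from the thread, not Stealthwatch code): why a firewall that
# exports post-NAT addresses produces "new" one-sided flows next to the router's
# bidirectional view of the same connection. All records below are constructed.

def conversation_key(rec):
    """Canonical key so A->B and B->A records fall into the same conversation."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    lo, hi = (a, b) if a <= b else (b, a)
    return (rec["proto"], lo, hi)

def build_conversations(records):
    """Group records by canonical 5-tuple and split each group by direction.
    Time windows are ignored here to keep the illustration short."""
    convs = {}
    for rec in records:
        key = conversation_key(rec)
        conv = convs.setdefault(key, {"fwd": [], "rev": []})
        direction = "fwd" if (rec["src"], rec["sport"]) == key[1] else "rev"
        conv[direction].append(rec["exporter"])
    return convs

def summarize(records):
    """Count conversations and how many of them were seen in both directions."""
    convs = build_conversations(records)
    bidir = sum(1 for c in convs.values() if c["fwd"] and c["rev"])
    return {"conversations": len(convs), "bidirectional": bidir,
            "one_sided": len(convs) - bidir}

def normalize(rec):
    """Illustrative only: fold a post-NAT record back onto its pre-NAT source so
    the firewall's view keys the same as the router's. 'pre_nat_src' is an
    assumed field name standing in for the translation data NSEL can carry."""
    out = dict(rec)
    if "pre_nat_src" in out:
        out["src"] = out.pop("pre_nat_src")
    return out

# Constructed sample: the core router sees both directions of one TLS session.
ROUTER_FLOWS = [
    {"exporter": "core-router", "proto": 6, "src": "10.1.1.5", "sport": 51000,
     "dst": "203.0.113.10", "dport": 443},
    {"exporter": "core-router", "proto": 6, "src": "203.0.113.10", "sport": 443,
     "dst": "10.1.1.5", "dport": 51000},
]
# The perimeter firewall reports the same session with its translated source,
# so its 5-tuple never lines up with the router's records.
NSEL_FLOW = {"exporter": "perimeter-fw", "proto": 6, "src": "198.51.100.2",
             "sport": 51000, "dst": "203.0.113.10", "dport": 443,
             "pre_nat_src": "10.1.1.5"}
```

Run `summarize(ROUTER_FLOWS + [NSEL_FLOW])` to see the firewall's record surface as a separate one-sided conversation, then `summarize([normalize(r) for r in ROUTER_FLOWS + [NSEL_FLOW]])` to see it collapse onto the router's bidirectional one.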