cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1706
Views
10
Helpful
2
Replies

Stealthwatch full netflow analytics

Hi,

 

I am new to Stealthwatch and have some questions which I cannot find in the other discussions in the community forum.

 

We have a small deployment at one of our customers with 1 SMC and 1 FC. It is a multi-vendor environment. We have cisco, palo alto, fortinet which all seem to support netflow v9 or ipfix.

 

From the documentation I could not quite understand how the flow-stitching (into single flow session in the GUI) and NAT stitching is done.

 

1. When we have device doing NAT translation and exporting full netflow, NAT stitching is supposed to see this as per the documentation. But will the pre/post NAT flows be merged? Am I supposed to see my session flow with the internal client address only and the respective destination server? Where is the NAT IP shown in the web GUI?

 

2. When I make a simple file transfer test to an external server I see the flow from the search appearing. Client -> Server session with internal IP to the external server IP. However the data that has been transffered is 2-3 times more i.e. instead of 50Mb it is showing 148Mb. Is this a limitation of the flow collector doing the flow stitching or we might have some wrong configuration.

 

I will highly appreciate any advice.

 

Thanks.

 

Emil

2 Replies 2

kyoshiik
Cisco Employee
Cisco Employee

1. Yes, Stealthwatch can marge the pre/post NAT flows. And all information is shown in the GUI.

2. The timing of FlowData that is coming from FlowDevice(Router, Switch, FW) is up to Device side configuration. Please check Device side Flow export timing.

dcavalla
Cisco Employee
Cisco Employee

Hello Emil,

Stealthwatch is capable of ingesting NAT info from IPFIX NAT and NSEL. That will allow Steathwatch to stitch flows together and this process is quite reliable. 

 

NAT IP is shown when you run a flow search and enable the relative translated host column.

 

For the file transfer issue, I would open a TAC case. Our Stealthwatch specialists team are located in US, EMEAR and APJC. They are typically very responsive.

 

Hope this helps.

 

Dario