Kaspersky SD-WAN

Monitoring traffic packet information using the NetFlow protocol

Kaspersky SD-WAN supports NetFlow versions 1, 5, and 9 for monitoring information about traffic packets on a CPE device.

NetFlow templates are used for centralized configuration of the NetFlow protocol on CPE devices. To avoid configuring each CPE device individually, you can specify basic settings in the NetFlow template and then apply the NetFlow template to CPE devices when adding or manually registering them. If you edit a setting in a NetFlow template, the setting is automatically modified on all CPE devices that are using this NetFlow template. If you edit a setting on the CPE device, the setting becomes independent of the NetFlow template, and if the setting is modified in the NetFlow template, it remains unchanged on the CPE device.

When specifying basic NetFlow settings, you can specify up to four NetFlow collectors. If you want a CPE device to send information about traffic packets to NetFlow collectors, you must enable the NetFlow protocol on network interfaces. The NetFlow protocol can be enabled when creating or editing the network interface.

In this section

Managing NetFlow templates

Basic NetFlow settings

Changing the NetFlow template of a CPE Device

[Topic 271785]

Managing NetFlow templates

To display the table of NetFlow templates, go to the SD-WAN → NetFlow templates section. By default, the Default NetFlow template is created on the administrator portal, which forms the basis for all other NetFlow templates you create. Information about NetFlow templates is displayed in the following columns of the table:

  • ID is the ID of the NetFlow template.
  • Name is the name of the NetFlow template.
  • Usage indicates whether the NetFlow template is being used by CPE devices:
    • Yes
    • No
  • Updated is the date and time when the CPE template settings were last modified.
  • User is the name of the user who created the NetFlow template.
  • Owner is the tenant to which the NetFlow template belongs.

The actions that you can perform with the table are described in the Managing solution component tables instructions.

You can select an assigned NetFlow template to have it preselected when adding or manually registering a CPE device. For tenants, you must manually create and select an assigned NetFlow template on the self-service portal.

In this section

Creating a NetFlow template

Selecting an assigned NetFlow template

Importing a NetFlow template

Cloning a NetFlow template

Viewing the usage of a NetFlow template

Deleting a NetFlow template

[Topic 271791]

Creating a NetFlow template

To create a NetFlow template:

  1. In the menu, go to the SD-WAN → NetFlow templates section.

    A table of NetFlow templates is displayed.

  2. In the upper part of the page, click + NetFlow template.
  3. In the window that opens, enter the name of the NetFlow template.
  4. Click Create.

The NetFlow template is created and displayed in the table.

You need to configure the created NetFlow template. For a description of NetFlow template settings, see the instructions on how to configure general NetFlow settings.

[Topic 271792]

Selecting an assigned NetFlow template

You can select an assigned NetFlow template to have it preselected when adding or manually registering a CPE device. For tenants, you must manually create and select an assigned NetFlow template on the self-service portal.

To select an assigned NetFlow template:

  1. In the menu, go to the SD-WAN → NetFlow templates section.

    A table of NetFlow templates is displayed.

  2. Click the NetFlow template that you want to make the assigned NetFlow template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Set as designated.

The NetFlow template becomes the assigned NetFlow template.

[Topic 271799]

Importing a NetFlow template

You can export a NetFlow template and subsequently import it into another NetFlow template. NetFlow template settings are specified in accordance with the settings of the imported NetFlow template. During import, you can select the settings that you want to leave unchanged. The NetFlow template into which you are importing another NetFlow template remains applied to CPE devices, but the settings of those CPE devices are not modified.

To import a NetFlow template:

  1. In the menu, go to the SD-WAN → NetFlow templates section.

    A table of NetFlow templates is displayed.

  2. Click the NetFlow template that you want to export.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Export.

    An archive in the TAR.GZ format is saved on your local device. The archive does not contain information about CPE devices using the NetFlow template.

  4. Click the NetFlow template into which you want to import another NetFlow template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  5. In the upper part of the settings area, under Actions, click Import.
  6. In the window that opens, clear the check boxes next to the NetFlow template settings that you want to leave unchanged after import.
  7. In the File field, specify the path to the TAR.GZ archive.
  8. Click Import.

NetFlow template settings are modified in accordance with the settings of the imported NetFlow template.

[Topic 271795]

Cloning a NetFlow template

You can clone a NetFlow template to create an identical NetFlow template with a different name.

To clone a NetFlow template:

  1. In the menu, go to the SD-WAN → NetFlow templates section.

    A table of NetFlow templates is displayed.

  2. Click the NetFlow template that you want to clone.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Clone.
  4. In the window that opens, enter the name of the new NetFlow template.
  5. Click Clone.

A copy of the NetFlow template with the new name is created and displayed in the table.

[Topic 271800]

Viewing the usage of a NetFlow template

You can see which CPE devices are using the NetFlow template. If a NetFlow template is in use, it cannot be deleted.

To view NetFlow template usage:

  1. In the menu, go to the SD-WAN → NetFlow templates section.

    A table of NetFlow templates is displayed.

  2. Click the NetFlow template for which you want to view usage information.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Show usage.

This opens a window with a table of CPE devices that are using the NetFlow template.

[Topic 271801]

Deleting a NetFlow template

You cannot delete a NetFlow template if it is being used by at least one CPE device. To delete a NetFlow template that is being used by CPE devices, you must first change the NetFlow template of the CPE devices. You can see which CPE devices are using the NetFlow template.

Deleted NetFlow templates cannot be restored.

To delete a NetFlow template:

  1. In the menu, go to the SD-WAN → NetFlow templates section.

    A table of NetFlow templates is displayed.

  2. Click the NetFlow template that you want to delete.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Delete.
  4. In the confirmation window, click Delete.

The NetFlow template is deleted and is no longer displayed in the table.

[Topic 271802]

Basic NetFlow settings

You can specify basic NetFlow settings in a NetFlow template or on a CPE device. Basic NetFlow settings specified in the NetFlow template are automatically propagated to all CPE devices that use this NetFlow template.

To modify the basic NetFlow settings:

  1. Specify basic NetFlow settings in one of the following ways:
    • If you want to edit basic NetFlow settings in a NetFlow template, go to the SD-WAN → NetFlow templates menu section and click the NetFlow template.
    • If you want to edit the basic NetFlow settings on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the NetFlow tab, and select the Override check box.

    Basic NetFlow settings are displayed.

  2. In the NetFlow drop-down list, select Enabled. The default value is Disabled.
  3. Specify the NetFlow collector:
    1. Under Collectors, click + Add.
    2. Under Host, enter the IPv4 address of the NetFlow collector.
    3. Under Port, enter the port number of the NetFlow collector. Range of values: 1 to 65,535.

    The NetFlow collector is specified and displayed in the Collectors section. You can specify up to four NetFlow collectors or delete a NetFlow collector. To delete a NetFlow collector, click the delete icon next to it.

  4. In the Export version drop-down list, select the version of the NetFlow protocol:
    • 1
    • 5
    • 9 (default)
  5. In the Tracking level drop-down list, select which traffic packet information the CPE device tracks:
    • ETHER to track the following information:
      • Source and destination IP addresses and ports
      • Source and destination MAC addresses
      • Outer VLAN tag
      • Protocol being used
    • FULL to track the source and destination IP addresses and ports, as well as the protocol being used. Default value.
    • VLAN to track the following information:
      • Source and destination IP addresses and ports
      • Outer VLAN tag
      • Protocol being used
    • PROTO to track the source and destination IP addresses and the protocol being used.
    • IP to track the source and destination IP addresses.
  6. In the Maximum flows field, enter the maximum number of traffic flows that the CPE device can simultaneously track. Range of values: 1 to 65,535. Default value: 8192.

    The higher the value, the higher the CPU load on the CPE device.

  7. In the Sampling rate field, specify how frequently the CPE device tracks the traffic packet information. For example, if you enter 10, the CPE device tracks information about every tenth packet of traffic. Range of values: 1 to 8192. Default value: 1024.

    The lower the value, the more accurate the information and the higher the CPU load on the CPE device.

  8. In the Timeout maximum life (sec.) field, enter the maximum time in seconds for which the CPE device can track traffic flow information. To disable this feature, enter 0. Range of values: 1 to 9999. Default value: 60.
  9. In the Hop limit field, enter the maximum number of hops to NetFlow collectors. Range of values: 1 to 255. Default value: 64.
  10. If you want the CPE device to track IPv6 traffic, in the Track IPv6 drop-down list, select Enabled. The default value is Disabled.
  11. In the upper part of the settings area, click Save to save the settings of the NetFlow template or CPE device.

If you want a CPE device to send information about traffic packets to NetFlow collectors, you must enable the NetFlow protocol on network interfaces. The NetFlow protocol can be enabled when creating or editing the network interface.
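The collector side of the export configured above, as an added example (not Kaspersky code): a NetFlow version 5 decoder that scales sampled counters by the Sampling rate. The datagram is constructed for the example; that the CPE device fills the sampling field of the version 5 header is an assumption, so the configured rate can be passed in as a fallback.

```python
import socket
import struct

# NetFlow v5 wire format (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram, configured_rate=None):
    """Decode one NetFlow v5 export datagram into a list of flow dicts.

    configured_rate: the Sampling rate set on the CPE device, used when the
    header carries no sampling interval (assumption: the field may be zero).
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _, unix_secs, _, seq, _, _, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Low 14 bits of the last header field are the 1-in-N sampling interval.
    rate = (sampling & 0x3FFF) or configured_rate or 1
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "sport": f[9], "dport": f[10], "proto": f[13],
            "packets": f[5], "bytes": f[6],
            # Sampled counters undercount; scale by N for a volume estimate.
            "est_packets": f[5] * rate, "est_bytes": f[6] * rate,
            "flow_sequence": seq, "export_time": unix_secs,
        })
    return flows


def build_sample_v5(rate=1024):
    """Constructed datagram: one TCP flow, 192.0.2.10 -> 198.51.100.20:443."""
    header = V5_HEADER.pack(5, 1, 1000, 1700000000, 0, 42, 0, 0, (1 << 14) | rate)
    record = V5_RECORD.pack(
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"),
        socket.inet_aton("0.0.0.0"), 1, 2, 3, 1500, 100, 900,
        51514, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    print(parse_v5(build_sample_v5()))
```

With the default Sampling rate of 1024, flows of only a few packets are usually not sampled at all, so the scaled counters are volume estimates rather than exact counts.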

[Topic 271807]

Changing the NetFlow template of a CPE Device

To change the NetFlow template of a CPE device:

  1. In the menu, go to the SD-WAN → CPE section.

    A table of CPE devices is displayed.

  2. Click the CPE device for which you want to change the NetFlow template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.

  3. In the NetFlow template drop-down list, select a created NetFlow template.
  4. In the upper part of the settings area, click Save to save CPE device settings.
[Topic 271823]