Applies to the following Sophos products and versions
Sophos Firewall
Steps of Configuration:
a. Log in to the Webadmin GUI of the Sophos XG Firewall.
b. Navigate to Administration > Netflow.
c. Inside the Netflow section, enter the server name, the IP of the CCE, and port 9995:
- Server Name: Netflow server's friendly name.
- Netflow Server IP/Domain: IPv4, IPv6 or hostname for the Netflow server (Seceon CCE).
- Netflow Server Port: The listening port for the Netflow Server. Records are sent to the Netflow server over the specified port, 9995.
- Netflow will only log traffic for firewall rules that have Log Firewall Traffic enabled.
d. Click on Apply.
A message will pop up saying that the Netflow configuration has been done successfully.
Note:
- Sophos XG Firewall supports Netflow v5. You can export all the parameters of v5.
- When a conntrack entry is destroyed at the time of closing, the firewall sends the data or traffic counters to the netflow collector.
- Further information regarding the netflow v5 record format can be found in NetFlow v5 Record Format.
- You may add up to 5 separate Netflow servers.
Reference Source: https://community.sophos.com/kb/en-us/132762
Verification of configuration:
Verification can be done in two ways, either on the CCE or in the UI.
- Verification through the UI
1. Open UI >> Systems
2. Expand Systems and go to Logs and Flows Collection Status.
3. Under the Source device IP address section, the configured device will be reflected.
- Verification through the CCE server
Run the following command on the CCE server to check whether or not we are getting logs (the filter matches UDP port 9995 and the firewall's IP address):
sudo tcpdump -i any udp port 9995 and host <IP address> -A
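The tcpdump check above only shows that packets from the firewall arrive on port 9995; it does not show that they are well-formed NetFlow v5 exports. As an added example that is not part of the Sophos or Seceon material, the following Python script decodes a v5 datagram using the record layout referenced in the notes, rejects non-v5 or truncated datagrams, and confirms the sender is the expected firewall (the firewall address 192.0.2.1 and the sample flows are constructed for illustration).

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 flow records
# of 48 bytes each, all fields big-endian, carried in UDP (port 9995 here).
HEADER = struct.Struct("!HHIIIIBBH")               # version .. sampling_interval
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2
NETFLOW_V5 = 5

def parse_v5(datagram: bytes) -> dict:
    """Decode one exported datagram; raise ValueError if it is not valid v5."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, secs, _nsecs, seq, *_ = HEADER.unpack_from(datagram)
    if version != NETFLOW_V5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError(f"length does not match the {count} records announced")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "packets": r[5], "bytes": r[6], "sport": r[9],
                      "dport": r[10], "proto": r[13]})
    return {"sequence": seq, "unix_secs": secs, "flows": flows}

def check_export(datagram: bytes, sender_ip: str, firewall_ip: str) -> dict:
    """Validate a datagram received from sender_ip: it must come from the
    configured firewall (the UI's 'Source device IP address') and decode as v5."""
    if sender_ip != firewall_ip:
        raise ValueError(f"export from unexpected source {sender_ip}")
    return parse_v5(datagram)

def build_v5(flows, seq=1, unix_secs=1700000000) -> bytes:
    """Construct a v5 datagram from (src, dst, sport, dport, proto, pkts, bytes)
    tuples. Test data only; real records come from closed conntrack entries."""
    header = HEADER.pack(NETFLOW_V5, len(flows), 0, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4,
                    0, 0, pk, by, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, by in flows)
    return header + body

if __name__ == "__main__":
    # Constructed sample: a DNS lookup and a short HTTPS session, exported
    # by a hypothetical firewall at 192.0.2.1 (documentation address).
    sample = build_v5([("10.0.0.5", "10.0.0.53", 51234, 53, 17, 2, 180),
                       ("10.0.0.5", "203.0.113.10", 51235, 443, 6, 40, 60000)])
    for f in check_export(sample, "192.0.2.1", "192.0.2.1")["flows"]:
        print(f)
```

To use it against live traffic, feed the UDP payloads captured on port 9995 and the packet's source address into check_export with the firewall's IP configured as firewall_ip.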