
Overview

This document describes the steps to configure NetFlow (J-Flow) on Juniper SRX Series devices
to export flow data to the Seceon SIEM, giving better visibility into threats in your environment.

Description

This article provides an example of configuring J-Flow on an SRX Series device.

Note: J-Flow does not require a license on SRX devices.

Symptoms:

  • J-Flow versions 5, 8, and 9 are supported on SRX Series devices.

  • J-Flow version 9 on standalone devices is supported as of:

    • SRX Branch devices (SRX1x0, SRX2x0, SRX550, SRX650)

      • Junos 10.4

    • SRX-HE devices (SRX1400, SRX3x00, SRX5x00)

      • Junos 12.1X45-D10

    • SRX3x0 & SRX550M

      • Junos 15.1X49-D30

    • SRX1500, SRX4100, SRX4200, vSRX

      • 15.1X49-D80

    • SRX4600

      • Junos 17.4R1-S1

  • J-Flow version 9 on chassis cluster devices as of:

    • SRX Branch devices (SRX-300/320/340/345/380/550HM)

      • Junos 20.1R1

    • SRX-HE devices (SRX1400, SRX3x00, SRX5x00)

      • Junos 12.1X45-D10

    • SRX1500, SRX4100, SRX4200, vSRX

      • Junos 15.1X49-D80

    • SRX4600

      • Junos 17.4R1-S1

Configuration example for J-Flow version 9 for SRX-Branch standalone devices (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650)

Note: SRX Branch chassis clusters do not support the use of J-Flow version 9.

The following procedure provides an example of the J-Flow configuration for version 9:

  • Configure the J-Flow v9 template (as of now, only the IPv4 template is supported):

user@host# set services flow-monitoring version9 template ipv4-test ipv4-template

  • Specify the sampling rate and run-length:

user@host# set forwarding-options sampling input rate 100
user@host# set forwarding-options sampling input run-length 0

  • Configure the external flow collector and its port address. The J-Flow v9 template is associated with the external flow collector. Up to eight flow collectors can be simultaneously configured:

user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 port 2222
user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 version9 template ipv4-test

  • Configure the inline-jflow, so that the sampling and the J-Flow service thread are implemented in the forwarding engine:

user@host# set forwarding-options sampling family inet output inline-jflow source-address 10.10.10.10

  • Configure the sampling filter on an interface (or interfaces) in the direction in which the J-Flow service is required:

user@host# set interfaces ge-0/0/14 unit 0 family inet sampling input
user@host# set interfaces ge-0/0/14 unit 0 family inet address 2.2.2.1/24

Configuration example for J-Flow versions 5 and 8:

The following procedure provides an example of the J-Flow configuration for versions 5 and 8 (this procedure should also work with NetFlow versions 5 and 8):

  • Enable sampling on one or more interfaces and specify the direction:

user@host# set interfaces ge-0/0/0 unit 0 family inet sampling input
user@host# set interfaces ge-0/0/0 unit 0 family inet sampling output

  • Specify the sampling rate:

Caution: Activating flow collection can have a significant impact on the performance of the SRX Series device. The smaller the sampling rate value (the more packets sampled), the bigger the impact. It is recommended not to use a sampling input rate of 1.

user@host# set forwarding-options sampling input rate 100

  • Specify the UDP port number of the host that is collecting cflowd packets:

user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 port 2056

  • Specify the version format: 5, 8, or 500 (ASN 500):

If version 5:

user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 version 5

If version 500:

user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 version 500

If version 8:

user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 version 8
user@host# set forwarding-options sampling family inet output flow-server 10.10.10.1 aggregation source-destination-prefix caida-compliant

  • Configure the NTP server details:

user@host# set system ntp server 10.10.10.254
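To verify at the collector side that the SRX is actually exporting version 5 records to the configured UDP port (2056 above), the following added example (not part of the original article or of Seceon's software) decodes a NetFlow/J-Flow v5 datagram, including the header's sampling field, which should reflect the 1-in-100 rate configured earlier. The sample datagram is constructed here; the addresses reuse the example values from the article.

```python
"""Decode a NetFlow/J-Flow v5 export datagram (added example; sample is constructed)."""
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record


def parse_v5(payload: bytes) -> dict:
    """Return header fields and decoded flow records, rejecting malformed datagrams."""
    if len(payload) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = HDR.unpack_from(payload, 0)
    if version != 5:
        raise ValueError(f"not a v5 export (version field = {version})")
    if len(payload) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = REC.unpack_from(payload, HDR.size + i * REC.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "src_port": f[9], "dst_port": f[10], "proto": f[13],
            "packets": f[5], "octets": f[6],
        })
    return {
        "version": version, "sequence": seq,
        "sampling_mode": sampling >> 14,        # top 2 bits: sampling mode
        "sampling_interval": sampling & 0x3FFF, # low 14 bits: 1-in-N interval
        "records": records,
    }


def build_sample() -> bytes:
    """Constructed datagram: one TCP flow, exporter sampling 1-in-100 (mode 1)."""
    hdr = HDR.pack(5, 1, 123456, 1700000000, 0, 42, 0, 0, (1 << 14) | 100)
    rec = REC.pack(IPv4Address("2.2.2.10").packed, IPv4Address("10.10.10.1").packed,
                   IPv4Address("2.2.2.1").packed, 14, 0, 10, 1500, 1000, 2000,
                   51515, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return hdr + rec


if __name__ == "__main__":
    print(parse_v5(build_sample()))
```

On a live collector, feed the UDP payload received on the configured port to parse_v5; a sampling_interval that does not match the configured rate, or a version other than 5, points at a configuration mismatch between the SRX and the SIEM.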

Application Note

Juniper Flow Monitoring (includes diagrams of how J-Flow works and a v9 configuration example)
