Flow collection tab

The Flow collection tab allows you to configure the sensor to receive flow records from third-party devices (for example, switches and routers) and to upload them for indexing and analysis. A flow record describes a sequence of packets with common characteristics, such as the same source and destination IP addresses, transport-layer port information, and protocol type. Importing flow records from a third-party device is useful when you want VMware NSX Network Detection and Response to have visibility into traffic in parts of the network that are not monitored by a Sensor (a Sensor generates flow records for the traffic it monitors).

To configure this tab, you must first select a Sensor. Click the server Appliance button, then select the appropriate appliance from the Select appliances pop-up. Click Select appliance to dismiss the pop-up.

Click the plus button to create a new entry.

The Flow collectors list includes the following fields:

Name

An optional name uniquely identifying the collector.

Generator IP(s)

An optional list of IP addresses from which to expect flow records. If set, the collector accepts records only from sources at the specified IP addresses; records from any other IP address are discarded. If left unset, the collector accepts records sent from any IP address.

We recommend setting this field to the IP address of the device that will generate flow records.

Flow type

The type of flow records that will be accepted by this collector. The integration currently supports collecting the following flow record types: NetFlow v5, NetFlow v9, IPFIX, and sFlow.

Protocol

The protocol (TCP or UDP) that will be used to transfer records to the collector. IPFIX records can be collected over either TCP or UDP; for other flow types only UDP transport is supported.

Port

The port on the sensor where the flow collector data will be received. This field is required. It accepts values from 1024 to 65535.

Actions

To delete a collector, click the delete icon.

When you are done, click Save. This triggers a reconfiguration on the sensor, after which a flow collector process is ready to receive flow records on the specified port number. The progress of the reconfiguration action can be followed on the Monitoring logs tab.

To configure a third-party device to generate flow records and send them to a Sensor, refer to the manufacturer's configuration guide. In general, ensure that:

  • The destination port configured on the third-party device matches the port number configured for the flow collector.

  • The protocol configured on the third-party device matches the protocol configured for the flow collector.

  • The flow type configured on the third-party device matches the flow type configured for the flow collector.
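The field rules and the three matching checks above can be run as a pre-flight check before clicking Save. This is an added example, not VMware code: the dictionary keys, function names and sample values are hypothetical, and the payload check assumes sFlow version 5 (32-bit version field) alongside the 16-bit version fields of NetFlow v5, NetFlow v9 and IPFIX.

```python
import ipaddress
import struct

FLOW_TYPES = ("NetFlow v5", "NetFlow v9", "IPFIX", "sFlow")

def collector_problems(c):
    """Check one collector entry against the field rules listed above."""
    out = []
    if c["flow_type"] not in FLOW_TYPES:
        out.append("unsupported flow type")
    if c["protocol"] not in ("TCP", "UDP"):
        out.append("protocol must be TCP or UDP")
    elif c["protocol"] == "TCP" and c["flow_type"] != "IPFIX":
        out.append("TCP is only supported for IPFIX")
    if not 1024 <= c["port"] <= 65535:
        out.append("port outside 1024-65535")
    if not c.get("generator_ips"):
        out.append("no generator IPs set: records from any source are accepted")
    return out

def wire_flow_type(payload):
    """Identify the flow type from the version field that starts each export message."""
    if len(payload) < 4:
        return None
    if struct.unpack("!I", payload[:4])[0] == 5:
        return "sFlow"  # assumption: sFlow version 5, 32-bit version field
    version = struct.unpack("!H", payload[:2])[0]  # 16-bit version field
    return {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX"}.get(version)

def exporter_mismatches(c, exp, payload=None):
    """Compare the exporting device's settings (and a captured payload) with the collector."""
    out = [f"{k} differs" for k in ("port", "protocol", "flow_type") if c[k] != exp[k]]
    allowed = {ipaddress.ip_address(a) for a in c.get("generator_ips", [])}
    if allowed and ipaddress.ip_address(exp["source_ip"]) not in allowed:
        out.append("source IP not in generator IPs: records will be discarded")
    if payload is not None and wire_flow_type(payload) != c["flow_type"]:
        out.append("payload version does not match collector flow type")
    return out

# Constructed sample data (documentation address range, hypothetical values).
COLLECTOR = {"name": "core-rtr", "generator_ips": ["192.0.2.10"],
             "flow_type": "NetFlow v9", "protocol": "UDP", "port": 2055}
EXPORTER = {"source_ip": "192.0.2.11", "flow_type": "NetFlow v9",
            "protocol": "UDP", "port": 2055}
IPFIX_HEADER = struct.pack("!HHIII", 10, 16, 0, 0, 0)  # version 10, length 16

if __name__ == "__main__":
    print(collector_problems(COLLECTOR))
    print(exporter_mismatches(COLLECTOR, EXPORTER, IPFIX_HEADER))
```

With the sample data, the exporter is flagged twice: its source address is not in the Generator IP(s) list, and the captured payload is IPFIX while the collector expects NetFlow v9.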

Troubleshooting flow collection

If there are issues with your flow collection configuration, refer to the following support article: Troubleshooting the flow integration.