Netflow Integration: Overview

Updated by Mitchell Paul-Soumis

Please note: this feature is not currently universally available in Sonar V2 and is being offered on a beta-testing basis at the moment.

What is Netflow, and What are Netflow Endpoints?

NetFlow is a catch-all term for a technology originally developed by Cisco to gather information on a network's traffic flow and volume. This technology was further developed by the Internet Engineering Task Force (IETF) to become "Internet Protocol Flow Information eXport", or "IPFIX". Netflow works by capturing data from Netflow Endpoints and submitting that data to a Netflow Collector.

Sonar acts as a software-based Netflow Collector and stores the data sent to your instance by the Netflow Endpoints. Many network devices support Netflow or some variant of it (e.g., IPFIX). While there are a few variants, this documentation will refer to Netflow generally. Just be aware that this endpoint supports Netflow versions v1, v5, v7, v9, and IPFIX.

Supporting Netflow in Sonar is simple. You configure a Netflow endpoint in Sonar and specify the IP addresses you wish to allow Netflow data to be delivered from. You then configure your device to deliver Netflow data to Sonar, and Sonar will begin matching the IP addresses in the flows to your customers and storing data usage for them.

Creating a Netflow Endpoint

To create a new Netflow Endpoint, follow the steps below:

  1. Navigate to Settings > Networking > Netflow Endpoints, and then click on Create Netflow Endpoint.
  2. Next, supply a name for the Endpoint and select whether or not it will operate in Whitelist Mode.
    If the Whitelist Mode option is enabled, you must build up a list of allowed subnets using the Create Netflow Whitelist action. Only data originating from or destined for IPs in the whitelist will be recorded when Whitelist Mode is enabled. Wherever possible, you should disable this option and only deliver from a point where the data sent can all be used. Enabling whitelisting requires the Sonar Netflow parser to evaluate each unique source or destination IP twice: once to see if it fits into the whitelist, and once to see if it is legitimate customer traffic. This will cause Netflow parsing to take longer and may cause performance issues with very large data sets. You can help minimize this by either disabling whitelisting or keeping your list of whitelisted networks minimal.
  3. With the Endpoint created, expand the action dropdown and select Create Netflow Allowed Subnet.
  4. This will open the creation modal for adding an allowed subnet that may send Netflow traffic to Sonar for data collection.
    Each subnet that will be sending data to this Endpoint will need to be added as an allowed subnet first.

Creating a Netflow Endpoint with Whitelist mode

If you'd like to use Whitelist Mode when creating a Netflow Endpoint, the steps are very similar to the overall creation process.

  1. Navigate to Settings > Networking > Netflow Endpoints, and then click on Create Netflow Endpoint.
  2. Next, with the Create Netflow Endpoint modal open, enter your endpoint name and ensure Whitelist Mode is checked.
  3. With the Endpoint created, click on the Create Netflow Whitelist action button.
  4. With the Create Netflow Whitelist modal open, enter one of the subnets you'd like to whitelist.
    To maximize Netflow performance when using Whitelist Mode, it's recommended to keep your whitelisted subnets manageable. For example, listing multiple /24 subnets is less efficient than listing 192.168.0.0/16.
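
One way to shrink a planned whitelist before entering it, shown as an added example (this is not Sonar code, and the subnets are constructed). The merge is exact, so the collapsed list records the same traffic as the original and never admits a range you did not list; is_recorded models the Whitelist Mode rule described above.

```python
import ipaddress

def collapse_whitelist(subnets):
    """Return the fewest prefixes covering exactly the same addresses.

    strict=True rejects entries with host bits set (e.g. 192.168.1.5/24),
    which are usually typos rather than intended subnets.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        merged += [str(n) for n in ipaddress.collapse_addresses(same)]
    return merged

def is_recorded(src, dst, whitelist):
    """Whitelist Mode rule from the text: a flow is recorded only when its
    source or destination IP falls inside a whitelisted subnet."""
    nets = [ipaddress.ip_network(s) for s in whitelist]
    return any(ipaddress.ip_address(ip) in n for ip in (src, dst) for n in nets)

# Constructed plan: every /24 of 192.168.0.0/16, plus three 10.20.x.0/24 ranges.
PLANNED = [f"192.168.{i}.0/24" for i in range(256)]
PLANNED += ["10.20.0.0/24", "10.20.1.0/24", "10.20.3.0/24"]

COLLAPSED = collapse_whitelist(PLANNED)  # 259 entries become 3
```

Note that 10.20.3.0/24 stays separate: merging it with the /23 would also whitelist 10.20.2.0/24, which was never in the plan.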

Configuring your Delivery Agent

Each device that can deliver Netflow is configured differently, but please see below for a quick tutorial on a MikroTik router. First, open the IP menu and click on Traffic Flow.

If you only wish to collect data from certain interfaces (for example, if you have a single customer-facing interface), then select the appropriate interfaces in the Interfaces section. If this router handles a lot of traffic, you should limit the reporting interfaces to lessen the load on your router and your Sonar instance.

The Cache entries option controls the number of flows that can be in the router's memory simultaneously. If you have a high quantity of traffic, you should increase this – just be aware that it will increase memory consumption on your router. Unless you have a reason to change them, leave the active flow timeout and inactive flow timeout at their default values.

Now click the Targets button and then the + button.

Enter the address of the Netflow endpoint (52.189.73.208) in the Dst. Address field, and the port you were provided when creating the Netflow endpoint in Sonar in the Port field. Set the Version field to 5 and click OK. After a few minutes, you will see data usage for your customers begin to tabulate on their accounts in Sonar.

It is critically important that you ensure your Netflow delivery device is set up for NTP. Sonar trusts the timestamps coming from your Netflow device, and will discard any timestamps in the future. Therefore, if you are not set up for NTP, you may miss data, or write data usage in the wrong time period.
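
Why the exporter's clock matters, shown as an added example (not Sonar's parser): a NetFlow v5 datagram carries the router's wall-clock time in its header, and each flow's end time is derived from it. The datagram, addresses and the exact discard comparison are constructed assumptions based on the paragraph above.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Return flows with 'end' converted to absolute Unix seconds."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime_ms, secs, nsecs, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.ip_address(f[0])),
            "dst": str(ipaddress.ip_address(f[1])),
            "octets": f[6],
            # f[8] ("Last") is router uptime in ms when the flow ended; the
            # header's wall clock anchors it, so exporter clock error carries over.
            "end": secs + nsecs / 1e9 - (uptime_ms - f[8]) / 1000.0,
        })
    return flows

def split_by_clock(flows, collector_now):
    """Model of the rule above: flows ending in the collector's future are dropped."""
    kept = [f for f in flows if f["end"] <= collector_now]
    dropped = [f for f in flows if f["end"] > collector_now]
    return kept, dropped

def sample_datagram(exporter_secs):
    """Constructed one-flow v5 export from a router with 60 s of uptime."""
    header = HEADER.pack(5, 1, 60_000, exporter_secs, 0, 1, 0, 0, 0)
    record = RECORD.pack(
        ipaddress.ip_address("192.168.1.10").packed,  # constructed customer IP
        ipaddress.ip_address("203.0.113.7").packed,   # documentation-range peer
        bytes(4), 1, 2, 10, 4200, 50_000, 58_000,
        51515, 443, 0, 0x18, 6, 0, 0, 0, 24, 0, 0)
    return header + record

COLLECTOR_NOW = 1_700_000_000                             # constructed collector time
synced = parse_v5(sample_datagram(COLLECTOR_NOW))         # NTP-synced exporter
skewed = parse_v5(sample_datagram(COLLECTOR_NOW + 3600))  # clock one hour fast
```

The same flow is kept when the exporter is in sync and dropped when its clock runs an hour fast; a clock running slow is not dropped but lands in an earlier time period.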
