EdgeOS NetFlow IPFIX Configuration

EdgeOS is an operating system from Ubiquiti which allows you to configure and manage your EdgeRouter. This includes the ability to generate, view, and forward NetFlow information.

I will be using NetFlow version 10 also called IPFIX. IPFIX information can be sent to a third party collector to help gain better network visibility.  A collector like IBM’s QRadar and IPFIX can discover malicious behavior indicating a compromise, finding unusual ports, unknown destinations, and much more.

For more information on IPFIX see the following RFC’s: 5101 and 5153.


Configuration

The configuration will be from the Command Line Interface (CLI).

Set Port interface for collection, typically eth0 which is my WAN interface:

set system flow-accounting interface <interface>

Choose the ID number of the flow switching engine:

set system flow-accounting netflow engine-id <0-255>

Collect flows for egress traffic:

set system flow-accounting netflow enable-egress

Set the IP and Port of the remote collector that will receive flows:

set system flow-accounting netflow server <IP> port <2055>

Specify version number of NetFlow to use:

set system flow-accounting netflow version <10>

I have the timeout options using default values found in EdgeOS configuration.

You can double check your work once you committed and saved your configuration by using the following command to view flow activity:

show flow-accounting

Example running config

}
system {
    domain-name name.local
    flow-accounting {
        ingress-capture post-dnat
        interface eth0
        netflow {
            enable-egress {
            }
            engine-id 2
            server 192.168.0.0 {
                port 2055
            }
            timeout {
                expiry-interval 60
                flow-generic 3600
                icmp 300
                max-active-life 604800
                tcp-fin 300
                tcp-generic 3600
                tcp-rst 120
                udp 300
            }
            version 10
        }

Leave a Reply