
A Firewall Monitoring Tool You Didn’t Know Existed: NetFlow and IPFIX

IT professionals have been looking for better ways to monitor and store firewall logs for years. Properly handled, firewall events can give insight into APTs, DoS attacks, firewall rule planning and misconfigurations, policy violations, and much more. To date, syslog has been the go-to mechanism for access to firewall log info. It’s universally supported by the firewall community, easy to understand, and quick to implement on both the firewall and the syslog analyzer.

Unfortunately, syslog is resource intensive on both the firewall and the log analyzer. It’s largely unstructured, requires string pattern matching, and the exact format and fields vary from one firewall to the next. How often do you turn on full “Accept” and “Deny” logging for every rule? Sure, you can, and yes, it’s valuable, but every connection that hits a logged rule becomes its own text message, and the amount of syslog created is tremendous.

Enter NetFlow and IPFIX

Routers and switches have supported NetFlow and IPFIX for years. In the early days manufacturers realized they had precious few resources to spend and that forwarding packets was job #1; the CPU impact of any logging feature had to be kept to a minimum. NetFlow helped solve this, especially for Cisco Systems. A flow record is a structured, compact summary of all the packets that share a key (typically source and destination address, source and destination port, protocol, and ingress interface), not a log entry for each individual datagram. The device keeps a cache of active flows, counts packets and bytes against each one, and exports a record when the flow ends or hits a timeout. When you tell the router to begin “exporting” those records to a flow collector such as Plixer’s Scrutinizer you get deep visibility into exactly what the router is routing: top talkers, interface utilization, DoS detection, policy violations, the list goes on. One caveat for security use: some high-speed platforms sample packets (1 in N) before building flows, which is fine for capacity planning but can miss the single short connection you care about.
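To make the “summary, not a per-packet log” point concrete, here is an added example (written for this page, not code from the original post or from Plixer) of a minimal flow cache in Python. It keys flows on the usual tuple plus the ingress ifIndex, records the egress ifIndex for directionality, and exports a record on TCP FIN/RST, on the inactive timeout, on the active timeout, or when the cache is full. The timeout values, the field names and the packet trace are all this example’s own constructed choices, not any vendor’s defaults.

```python
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int          # 6 = TCP, 17 = UDP
    ingress_ifindex: int   # SNMP ifIndex the packet arrived on (directionality)


@dataclass
class FlowRecord:
    key: FlowKey
    egress_ifindex: int
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0      # OR of every flag seen, as NetFlow/IPFIX report it
    export_reason: str = ""


@dataclass
class FlowCache:
    """Active flows keyed by FlowKey; finished flows move to `exported`."""
    active_timeout: float = 60.0    # re-export long-lived flows this often
    inactive_timeout: float = 15.0  # export after this much silence
    max_entries: int = 65536        # cache size; a full cache forces eviction
    cache: Dict[FlowKey, FlowRecord] = field(default_factory=dict)
    exported: List[FlowRecord] = field(default_factory=list)

    def _export(self, key: FlowKey, reason: str) -> None:
        rec = self.cache.pop(key)
        rec.export_reason = reason
        self.exported.append(rec)

    def expire(self, now: float) -> None:
        for key, rec in list(self.cache.items()):
            if now - rec.last_seen >= self.inactive_timeout:
                self._export(key, "inactive-timeout")
            elif now - rec.first_seen >= self.active_timeout:
                self._export(key, "active-timeout")

    def observe(self, ts, key, egress_ifindex, length, tcp_flags=0):
        """Account one packet against its flow. Every packet bumps a counter;
        only flow start/end produces an exported record."""
        self.expire(ts)
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_entries:
                victim = min(self.cache, key=lambda k: self.cache[k].last_seen)
                self._export(victim, "cache-full")
            rec = self.cache[key] = FlowRecord(key, egress_ifindex, ts, ts)
        rec.last_seen = ts
        rec.packets += 1
        rec.octets += length
        rec.tcp_flags |= tcp_flags
        if key.protocol == 6 and tcp_flags & 0x05:   # FIN or RST closes a TCP flow
            self._export(key, "tcp-close")


def run_demo() -> FlowCache:
    """Constructed packet trace (not real capture data) pushed through a
    deliberately tiny cache so every export reason shows up."""
    https = FlowKey("10.1.1.5", "203.0.113.7", 40000, 443, 6, 1)
    dns = FlowKey("10.1.1.9", "10.1.1.1", 53000, 53, 17, 1)
    ntp = FlowKey("10.1.1.9", "10.1.1.1", 50001, 123, 17, 1)
    snmp = FlowKey("10.1.1.9", "10.1.1.1", 50002, 161, 17, 1)
    ssh = FlowKey("10.1.1.5", "198.51.100.20", 40001, 22, 6, 1)
    trace = [
        (0.0, https, 60, 0x02), (0.1, https, 52, 0x10),
        (0.2, https, 500, 0x18), (0.3, https, 52, 0x11),        # FIN -> tcp-close
        (1.0, dns, 80, 0), (2.0, ntp, 76, 0), (3.0, snmp, 90, 0),  # 3rd flow evicts dns
    ] + [(float(t), ssh, 100, 0x10) for t in range(20, 90, 10)]  # active timeout at 80
    fc = FlowCache(max_entries=2)
    for ts, key, length, flags in trace:
        fc.observe(ts, key, egress_ifindex=2, length=length, tcp_flags=flags)
    return fc


if __name__ == "__main__":
    for rec in run_demo().exported:
        print(rec.key.dst_port, rec.packets, rec.octets, rec.export_reason)
```

Seven packets of the SSH session collapse into one 600-octet record at the active timeout, four HTTPS packets become one record at the FIN, and the one-packet UDP flows only leave the cache when they go quiet or get evicted. That is why the export rate is tied to connection count and timeouts, not to packet rate, and why the active timeout is the knob that bounds how stale your view of a long-lived session can be.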

Recently, starting with Cisco’s ASA NSEL (NetFlow Secure Event Logging) feature, we’ve seen a sharp uptick in the number of firewalls that can export flows. Taking lessons from the router and switch community, firewall vendors have learned that NetFlow/IPFIX can be a major advantage to everyone involved. A quick list of popular firewalls that currently support NetFlow or IPFIX, with the notable fields each one exports and its limitations:

  • Palo Alto Networks (NAT translations, usernames, application)
  • SonicWALL (NAT translations, application, URLs)
  • Barracuda NG Series (ACLs, MAC address)
  • Cisco ASA (NAT translations, usernames, ACLs; limited due to missing fields)
  • CheckPoint (IPSO only, v5 fields, consumes 25% of state table space)

<vendors, contact us to be added to this list, mention this blog>


Here’s why NetFlow/IPFIX has become such a popular feature in modern firewalls…


  • Flows will help you diagnose problems with firewall rules.
  • Flows will help you plan new rule insertion (“firewall planning”). Run a flow query against the proposed rule’s source and destination addresses, protocol and ports and see which hosts and applications the rule would impact before you deploy it.
  • You get visibility into key locations within the network that need to be closely monitored but historically couldn’t due to high “Accept” log rates. Crushing the firewall via syslog logging is a bad thing.
  • You probably already have a flow collector that you can bring to bear on the firewall’s NetFlow/IPFIX logs. As long as your collector fully supports IPFIX you should be all set. If your collector falls short you can always try Plixer Scrutinizer for free.
  • Your IT security guys, even if they don’t manage firewall rules, will get tons of network security benefit from NetFlow coming from the firewall.
  • Sometimes the only devices that are NetFlow/IPFIX enabled are the firewalls. It’s not uncommon to see a situation where the network guys just won’t turn NetFlow on in their devices. For you security types, the firewall might be your only answer to detailed traffic accounting since you control the firewall itself.
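The “firewall planning” query above, as an added example (not code from the original post or from Plixer): a proposed rule is evaluated against historical flow records to list the sources it would hit, how much traffic they account for, and how many of those flows the firewall currently accepts, which for a deny rule is exactly the set you are about to break. The flow records, the field names and the `fw_event` column (an NSEL-style accept/deny marker) are constructed sample data for this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProposedRule:
    action: str                                   # "deny" or "permit"
    src: str                                      # CIDR or "any"
    dst: str                                      # CIDR or "any"
    protocol: Optional[int] = None                # None = any protocol
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range, None = any

    def matches(self, flow: dict) -> bool:
        lo, hi = self.dst_ports or (0, 65535)
        return (_in_net(flow["src_ip"], self.src)
                and _in_net(flow["dst_ip"], self.dst)
                and (self.protocol is None or flow["protocol"] == self.protocol)
                and lo <= flow["dst_port"] <= hi)


def _in_net(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


# Constructed records standing in for a collector query over, say, the last
# 30 days. fw_event is what the firewall actually did with each flow.
SAMPLE_FLOWS: List[dict] = [
    {"src_ip": "10.20.3.14", "dst_ip": "10.1.5.10", "protocol": 6, "dst_port": 445, "octets": 1_200_000, "fw_event": "accept"},
    {"src_ip": "10.20.3.14", "dst_ip": "10.1.5.10", "protocol": 6, "dst_port": 443, "octets": 30_000, "fw_event": "accept"},
    {"src_ip": "10.20.7.2", "dst_ip": "10.1.5.10", "protocol": 6, "dst_port": 445, "octets": 800_000, "fw_event": "accept"},
    {"src_ip": "10.1.8.22", "dst_ip": "10.1.5.10", "protocol": 6, "dst_port": 445, "octets": 5_000_000, "fw_event": "accept"},
    {"src_ip": "10.20.9.9", "dst_ip": "10.1.5.11", "protocol": 6, "dst_port": 445, "octets": 2_000, "fw_event": "deny"},
    {"src_ip": "10.20.3.14", "dst_ip": "10.1.5.10", "protocol": 17, "dst_port": 445, "octets": 400, "fw_event": "accept"},
    {"src_ip": "10.20.11.5", "dst_ip": "10.1.5.10", "protocol": 6, "dst_port": 445, "octets": 1_500, "fw_event": "deny"},
]

# Hypothetical change under review: block SMB from the guest VLAN to one file server.
PROPOSED = ProposedRule("deny", "10.20.0.0/16", "10.1.5.10/32", protocol=6, dst_ports=(445, 445))


def rule_impact(rule: ProposedRule, flows: List[dict]) -> dict:
    """Flows the rule would hit, bytes per source, and how many hits would
    change behaviour (a deny rule matters for currently accepted flows, a
    permit rule for currently denied ones)."""
    hits = [f for f in flows if rule.matches(f)]
    octets_by_src = Counter()
    for f in hits:
        octets_by_src[f["src_ip"]] += f["octets"]
    flips = "accept" if rule.action == "deny" else "deny"
    would_change = sum(1 for f in hits if f["fw_event"] == flips)
    return {"hits": hits, "octets_by_src": octets_by_src, "would_change": would_change}


def demo() -> dict:
    return rule_impact(PROPOSED, SAMPLE_FLOWS)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['hits'])} historical flows match, "
          f"{result['would_change']} of them currently accepted")
    for src, octets in result["octets_by_src"].most_common():
        print(f"  {src:<14} {octets:>10} octets")
```

Three flows match the proposed rule, but only two of them are accepted today; the third was already being denied, so it tells you the rule is partly redundant with an existing one. Run the same query with `action="permit"` and the count flips to show what a new allow rule would open up.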


  • Flow export will be a differentiator for your firewall, especially against those that don’t support flow export or whose exports aren’t all that robust (CheckPoint, one of the original enterprise firewalls, has poor support for NetFlow: only on IPSO, and it reduces connection count by 25%).
  • Customers that enable firewall flow export will get more value out of their existing solutions, encouraging maintenance renewals and hardware refreshes. Maintenance is good amirite?
  • More and more SIEM vendors are supporting NetFlow/IPFIX. While they don’t provide the same capabilities as something like Plixer’s Scrutinizer, they can still make use of the flow data for correlation purposes.
  • You get one syslog message per UDP packet, while a 1500-byte datagram carries on the order of 24 flow records (NetFlow v5’s fixed 48-byte record fits 30 to a packet; a richer firewall template with NAT, user and rule fields fits fewer). Lower bandwidth, lower CPU, less overhead.

A few more notes for you firewall vendors out there that might be considering flow export features. If you want more details on any of these suggestions, contact us:

  • Remember that the whole point of a flow export feature is to be more efficient at exporting detailed traffic information and the results of packet hits against ACLs/rules. If enabling flows is going to consume half the resources in your firewall you probably haven’t done it right.
  • IPFIX, just do it. Don’t use NetFlow v9. v9 is Cisco’s protocol (published only as informational RFC 3954) and Cisco controls its field type IDs. IPFIX is the IETF standard (RFC 7011) with an IANA-maintained Information Element registry, and any vendor can carry its own fields by setting the enterprise bit and using its own IANA Private Enterprise Number.
  • Don’t call it something you made up like “AppFlow” or “jFlow”. Just call it IPFIX. It’s easier for everyone. Not to hate on Citrix’s NetScaler AppFlow feature, it’s quite nice. But it’s just IPFIX with a brand name and some really interesting elements.
  • Don’t just re-encode your existing syslog fields in NetFlow/IPFIX records. Include the cool stuff, like what Palo Alto Networks has done with application-aware NetFlow v9 or what SonicWall has done with URLs in IPFIX.
  • At this point if you haven’t already added flow export then you’re catching up; do something unique and differentiating. Like, oh I don’t know, fully qualified ACL names anyone?
  • Make a big deal out of it! Talk about it in marketing materials and brief your sales engineers on it. THOROUGHLY. Others haven’t, and they are missing an opportunity.
  • Talk to us first before you draw up your requirements; we can help. You need to know about things like active and inactive timeouts, proper ifIndex usage, directionality, cache size, minimum fields (see the NetFlow v5 record layout) and more.
  • Send us your betas, we’ll help you test and blog about the results once you’re happy with them (the results that is, we won’t publish until you’re ready).
  • Don’t use sFlow. It exports sampled packet headers and interface counters, not per-connection flow records, so it can’t give you an accounting of every accepted or denied connection.
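Two of the points above, the “records per UDP packet” arithmetic and the “use IPFIX so you can carry your own fields” advice, come down to the wire format. Here is an added example (not code from the original post or from Plixer) of a minimal IPFIX exporter and collector in Python: it packs a template set and a data set into one message the way RFC 7011 lays them out, shows how a vendor-specific element is carried (enterprise bit plus a 4-byte Private Enterprise Number, here the documentation PEN 32473 from RFC 5612 and a made-up element called `aclName`), and works out how many records fit in a single UDP datagram for this template versus NetFlow v5. The IANA element IDs are real; the sample flow records are constructed.

```python
import ipaddress
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
ENTERPRISE_BIT = 0x8000
DOC_PEN = 32473      # Private Enterprise Number reserved for documentation (RFC 5612)
TEMPLATE_ID = 256    # data set IDs 256 and up refer to a template

# (element id, length, enterprise number or None, name). Elements with pen=None
# are IANA-registered IPFIX elements; "aclName" is a hypothetical vendor field.
TEMPLATE = [
    (8, 4, None, "sourceIPv4Address"), (12, 4, None, "destinationIPv4Address"),
    (7, 2, None, "sourceTransportPort"), (11, 2, None, "destinationTransportPort"),
    (4, 1, None, "protocolIdentifier"), (1, 8, None, "octetDeltaCount"),
    (2, 8, None, "packetDeltaCount"), (10, 4, None, "ingressInterface"),
    (14, 4, None, "egressInterface"),
    (1, 16, DOC_PEN, "aclName"),   # same id as octetDeltaCount, disambiguated by PEN
]
IE_NAMES = {(ie, pen): name for ie, _, pen, name in TEMPLATE}

SAMPLE_RECORDS = [   # constructed, not real firewall output
    {"sourceIPv4Address": "10.1.1.5", "destinationIPv4Address": "203.0.113.7",
     "sourceTransportPort": 40000, "destinationTransportPort": 443, "protocolIdentifier": 6,
     "octetDeltaCount": 664, "packetDeltaCount": 4, "ingressInterface": 1,
     "egressInterface": 2, "aclName": "ALLOW-WEB-OUT"},
    {"sourceIPv4Address": "10.20.3.14", "destinationIPv4Address": "10.1.5.10",
     "sourceTransportPort": 51234, "destinationTransportPort": 445, "protocolIdentifier": 6,
     "octetDeltaCount": 60, "packetDeltaCount": 1, "ingressInterface": 3,
     "egressInterface": 0, "aclName": "DENY-SMB-GUEST"},
]


def record_length(template=TEMPLATE) -> int:
    return sum(length for _, length, _, _ in template)


def records_per_datagram(record_len: int, fixed_overhead: int, mtu: int = 1500) -> int:
    """Records per UDP datagram: MTU minus IPv4 and UDP headers minus the
    export protocol's own headers, divided by the record size."""
    return (mtu - 20 - 8 - fixed_overhead) // record_len


def _encode(name: str, value, length: int) -> bytes:
    if name.endswith("IPv4Address"):
        return ipaddress.IPv4Address(value).packed
    if name == "aclName":
        return value.encode()[:length].ljust(length, b"\0")
    return int(value).to_bytes(length, "big")


def _decode(ie: int, pen, raw: bytes):
    name = IE_NAMES.get((ie, pen), f"ie{ie}/pen{pen}")
    if name.endswith("IPv4Address"):
        return name, str(ipaddress.IPv4Address(raw))
    if name == "aclName":
        return name, raw.rstrip(b"\0").decode()
    return name, int.from_bytes(raw, "big")


def encode_message(records, export_time=0, sequence=0, domain=1) -> bytes:
    """One IPFIX message: 16-byte header, template set, then a data set."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for ie, length, pen, _ in TEMPLATE:
        if pen is None:
            tmpl += struct.pack("!HH", ie, length)
        else:   # enterprise bit set; the 4-byte PEN follows the field spec
            tmpl += struct.pack("!HHI", ie | ENTERPRISE_BIT, length, pen)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(_encode(n, r[n], ln) for r in records for _, ln, _, n in TEMPLATE)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = template_set + data_set
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, sequence, domain) + body


def decode_message(msg: bytes):
    """Collector side: learn templates from set 2, then decode the data sets."""
    version, length, _, _, _ = struct.unpack_from("!HHIII", msg, 0)
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        pos, end = off + 4, off + set_len
        if set_id == TEMPLATE_SET_ID:
            while end - pos >= 4:
                tid, count = struct.unpack_from("!HH", msg, pos)
                pos, fields = pos + 4, []
                for _ in range(count):
                    ie, ln = struct.unpack_from("!HH", msg, pos)
                    pos, pen = pos + 4, None
                    if ie & ENTERPRISE_BIT:
                        (pen,) = struct.unpack_from("!I", msg, pos)
                        pos, ie = pos + 4, ie & ~ENTERPRISE_BIT
                    fields.append((ie, ln, pen))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            rec_len = sum(ln for _, ln, _ in fields)
            while end - pos >= rec_len:
                rec = {}
                for ie, ln, pen in fields:
                    name, value = _decode(ie, pen, msg[pos:pos + ln])
                    rec[name], pos = value, pos + ln
                records.append(rec)
        off = end   # set length already includes any padding
    return templates, records


if __name__ == "__main__":
    wire = encode_message(SAMPLE_RECORDS, export_time=1700000000, sequence=1)
    print(len(wire), "bytes on the wire;", decode_message(wire)[1] == SAMPLE_RECORDS)
    print("records per datagram:", records_per_datagram(record_length(), 16 + 4),
          "(this template) vs", records_per_datagram(48, 24), "(NetFlow v5)")
```

The 53-byte record here fits 27 times into one Ethernet-sized datagram, against 30 for the fixed NetFlow v5 record, so the author’s “around 24” holds for a template a bit richer than this one. The decoder never needs to know about `aclName` in advance: it learns the field’s length and PEN from the template set and can store the raw value keyed by `(id, pen)` even when it has no name for it, which is what lets a collector keep working when a firewall adds fields in a firmware update.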

Again, let us know if you have questions about NetFlow, IPFIX, or Plixer’s Scrutinizer Flow Analysis System. We’re the experts and we’re here to help.

BTW: Join the NetFlow Developments group on LinkedIn.com if you haven’t already. More info and discussion on flow analysis technology can be found there.



More Stories By Michael Patterson

Michael Patterson, is the founder & CEO of Plixer and the product manager for Scrutinizer NetFlow and sFlow Analyzer. Prior to starting Somix and Plixer, Mike worked in a technical support role at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix and Plixer.
