Flow Collectors
Workflow for Building Agentless Microsegmentation using flow collectors
Onboarding
This section describes the steps required to integrate Flow Collectors with the Xshield platform to enable advanced endpoint visibility and telemetry ingestion.
By ingesting the flows collected from your environment, Xshield can:
- Import your assets and telemetry / traffic
- Provide deep visibility and insights into the traffic flows between assets
This integration helps enhance your organization's security posture by enabling threat visibility and forensic analysis across your network without the need for any additional agents.
Prerequisites
To successfully integrate Flow Collectors with Xshield, the customer needs to provide the following details:
- Flow Export Support: The switch or router must support flow export (NetFlow or sFlow).
- Access to a VM to run flow collectors: A VM that can run the flow collectors and is able to receive the exported flows.
Configuring Flow Collectors Integration in Xshield Platform
1. Log in to the Xshield console and navigate to Settings > Integrations > EDR > Flow Collectors. Click the Activate button.
2. Fill in the details below, then click Save.
| Setting | Description |
|---|---|
| Collector Type | Select either sflow or netflow based on your flow collector type |
| Asset Configuration | Specify the asset configuration either file name containing asset information or subnet range to monitor |
| AssetFileName | Specify the asset configuration file name containing asset information |
| SubnetRange | Specify the subnet range(s) to monitor in CIDR format (e.g., 10.0.0.0/8 or 192.168.1.0/24,172.13.1.0/2) |
Note: Choose either AssetFileName or SubnetRange based on your requirement. If you don't specify an assets file, you must provide a subnet range for asset discovery.
Asset Configuration
- If Asset Configuration using AssetFileName has been selected, upload the file to the blob store using the provided command, then click Save again. This starts the import process that adds the corresponding assets to Xshield. Make sure to replace the placeholders with the actual file names.
- After a few minutes, the corresponding assets will be available in the Assets tab in Xshield. Once you verify that IP addresses are populated on these assets, you can go ahead with uploading the flows to Xshield.
Note: If you choose to use an assets file, prepare a CSV file in the following format and upload it to the SAS URL provided:
Asset Name,IP Address,MAC Address
server1,192.168.1.10,00:1A:2B:3C:4D:5E
server2,192.168.1.11,00:1A:2B:3C:4D:5F
Note: Clicking an asset name on the Assets page opens its details page, which displays information such as the IP address.
- If Asset Configuration using SubnetRange has been selected, you can go ahead with uploading the flows to Xshield; Xshield will auto-discover the assets in the specified subnets and add them.
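An added example, not part of the Xshield documentation or product: a Python check to run against an assets CSV before it is uploaded, and a parser for the comma-separated CIDR list of the SubnetRange setting. The sample rows are constructed (two are deliberately malformed), and the function names are this example's own.

```python
import csv
import io
import ipaddress
import re
# Constructed sample in the page's CSV format; lines 4 and 5 are deliberately bad.
SAMPLE_ASSETS_CSV = """Asset Name,IP Address,MAC Address
server1,192.168.1.10,00:1A:2B:3C:4D:5E
server2,192.168.1.11,00:1A:2B:3C:4D:5F
server3,192.168.1.300,00:1A:2B:3C:4D:60
server2,192.168.1.10,00-1A-2B-3C-4D-61
"""
EXPECTED_HEADER = ["Asset Name", "IP Address", "MAC Address"]
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def validate_assets_csv(text):
    """Return (valid_rows, errors) for an assets file before it is uploaded."""
    reader = csv.reader(io.StringIO(text))
    rows, errors = [], []
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        return rows, ["line 1: header must be " + ",".join(EXPECTED_HEADER)]
    seen_names, seen_ips = set(), set()
    for lineno, row in enumerate(reader, start=2):
        if len(row) != 3:  # also catches blank lines, which csv yields as []
            errors.append(f"line {lineno}: expected 3 columns, got {len(row)}")
            continue
        name, ip, mac = (c.strip() for c in row)
        problems = []
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"invalid IP address {ip!r}")
        if not MAC_RE.match(mac):
            problems.append(f"MAC {mac!r} is not six colon-separated hex octets")
        if name in seen_names:
            problems.append(f"duplicate asset name {name!r}")
        if ip in seen_ips:
            problems.append(f"duplicate IP address {ip!r}")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        seen_names.add(name); seen_ips.add(ip)
        rows.append({"name": name, "ip": ip, "mac": mac})
    return rows, errors

def parse_subnet_ranges(value):
    """Parse the SubnetRange CIDR list; strict=True rejects a prefix with host
    bits set (a /24 mistyped as /2) instead of silently widening the range."""
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in value.split(",") if item.strip()]
```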
Flow Collectors Configuration
Once asset discovery is configured, you can configure the flow collectors to upload the flows to Xshield by following the steps provided on the activation page.
- Copy the command shown on the activation page and run it on the VM mentioned in the prerequisites.

Flow Exporter Configuration
- Once the flow collector is configured, it provides an IP address and port number to which the flows need to be exported.
- Use the provided IP address and port number to configure the flow exporter on the switch or router.
- Once this is configured, the flows will start being exported to Xshield.
Note: The flow exporter configuration will vary based on the switch or router model. Please refer to the switch or router documentation for more information.
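An added example, not Xshield's collector or any code from the product: a Python check for the collector VM that listens on the IP/port handed to the exporter (run it on a test port, or with the collector stopped, since only one process can bind the port) and reports whether each exporter is sending NetFlow v5, NetFlow v9 or sFlow v5 and whether that matches the Collector Type selected in the console. Header layouts follow the public NetFlow v5/v9 and sFlow v5 formats; the sample headers are constructed and the function names are this example's own.

```python
import socket
import struct
from collections import Counter

def identify_flow_datagram(data):
    """Classify one UDP payload by its header as NetFlow v5, NetFlow v9 or sFlow v5.
    Only the header is decoded, not the flow records; returns None if nothing matches."""
    if len(data) >= 20:
        version = struct.unpack("!H", data[:2])[0]
        if version == 9:  # v9: version, count, sysUpTime, unix secs, sequence, source ID
            count, _up, _secs, seq, src_id = struct.unpack("!HIIII", data[2:20])
            return {"type": "netflow", "version": 9, "count": count,
                    "sequence": seq, "source_id": src_id}
        if version == 5 and len(data) >= 24:  # v5 adds unix nsecs before the sequence
            count, _up, _secs, _nsecs, seq = struct.unpack("!HIIII", data[2:20])
            return {"type": "netflow", "version": 5, "count": count, "sequence": seq}
    if len(data) >= 28:  # sFlow v5 starts with a 32-bit version, so bytes 0-1 are zero
        sf_version, addr_type = struct.unpack("!II", data[:8])
        if sf_version == 5 and addr_type == 1:  # address type 1 = IPv4 agent address
            _sub, seq, _up, count = struct.unpack("!IIII", data[12:28])
            return {"type": "sflow", "version": 5, "count": count, "sequence": seq,
                    "agent": socket.inet_ntoa(data[8:12])}
    return None

def matches_collector_type(data, collector_type):
    """True if the datagram is of the Collector Type selected in Xshield (sflow/netflow)."""
    info = identify_flow_datagram(data)
    return info is not None and info["type"] == collector_type.lower()

def collect(bind_ip, port, collector_type, max_packets=20):
    """Listen on the collector IP/port and tally what each exporter actually sends,
    keyed by (exporter IP, classification), flagging a Collector Type mismatch."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    tally = Counter()
    for _ in range(max_packets):
        data, (src, _) = sock.recvfrom(65535)
        info = identify_flow_datagram(data)
        label = f"{info['type']} v{info['version']}" if info else "unrecognised"
        if info and not matches_collector_type(data, collector_type):
            label += " (does not match selected Collector Type)"
        tally[(src, label)] += 1
    return tally

# Constructed sample headers (no flow records appended) for offline checks.
SAMPLE_NETFLOW_V9 = struct.pack("!HHIIII", 9, 3, 123456, 1700000000, 42, 256)
SAMPLE_NETFLOW_V5 = struct.pack("!HHIIIIBBH", 5, 30, 123456, 1700000000, 0, 1000, 0, 0, 1)
SAMPLE_SFLOW_V5 = (struct.pack("!II", 5, 1) + socket.inet_aton("172.16.123.1")
                   + struct.pack("!IIII", 0, 7, 99999, 2))
```

Run `collect("<collector ip>", <port>, "netflow")` with the values from the activation page to see a live tally; the sample constants exercise the classifier without any network.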
NetFlow Exporter Configuration Links for a Few Switches:
- https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-17/configuration_guide/nmgmt/b_1717_nmgmt_9300_cg/configuring_flexible_netflow.html
- https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/software/release/17-17/configuration_guide/nmgmt/b_1717_nmgmt_9600_cg/configuring_flexible_netflow.html
Sample NetFlow Exporter Configuration:
flow record customrecordname
 match transport source-port
 match transport destination-port
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match datalink mac source address input
 match datalink mac destination address input
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
 collect transport tcp flags
!
!
flow exporter customexportername
 description Flow Exporter configuration
 destination 172.16.130.10
 transport udp 2055
!
!
flow monitor custommonitorname
 description Netflow monitor configuration
 exporter customexportername
 cache timeout active 60
 record customrecordname
!
!
interface Vlan1000
 ip flow monitor custommonitorname input
 ip address 172.16.190.1 255.255.255.0
!
interface Vlan1001
 ip flow monitor custommonitorname input
 ip address 172.16.191.1 255.255.255.0
!
sFlow Exporter Configuration Links for a Few Switches:
- https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst1000/software/releases/15_2_7_e/configuration_guides/sys_mgmt/b_1527e_sys_mgmt_c1000_cg/configuring_sflow.pdf
- https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/example/sflow-configuring-ex-series.html
- https://www.arista.com/en/um-eos/eos-sflow
Sample sFlow Exporter Configuration:
1. CLI commands:
!
sflow receiver 1 172.16.83.14
sflow receiver source-interface vlan 623
!
interface vlan 623
 name "VLAN 623 for SFLOW - Example"
 ip address 172.16.123.1 255.255.255.0
!
!
interface GigabitEthernet2
 description "connected to esxi 10.11.96.6 port vmnic1"
 switchport mode trunk
 switchport trunk allowed vlan 201,600-625,630-640,801-810,1000-1001
 sflow flow-sampling 1024 1 max-header-size 256
 sflow counters-sampling 60 1
!
2. Via UI:

Visibility
- To visualize the traffic flows between the imported assets, click the Visualiser tab; the telemetry can be narrowed down using the available filters.
Summary
This integration helps enhance your organization's security posture by enabling visibility and threat analysis across your network without the need for any additional agents.