Reporting of Network Flow Information with IPFIX

On the Barracuda CloudGen Firewall, you can stream audit and reporting information to multiple external collectors based on the IPFIX protocol. Enable IPFIX, add collectors, and, optionally, enable IPFIX streaming for your HTTP proxy service.

Starting with firmware version 8.0.5 / 8.2.0, IPFIX now works completely independent of the audit infrastructure. In order to use IPFIX, you now just need to enable/disable IPFIX in the configuration. The audit configuration does not need to be changed in any way and has no effect on IPFIX.

Also, previous IPFIX templates have been updated to newer versions. When updating the firmware to 8.0.5 / 8.2.0, IPFIX will run in 'backward compatibility mode', that is, previous IPFIX template settings remain in their current state and now (8.0.5 / 8.2.0) have names with the prefix *DEPRECATED*. These settings remain activated to preserve the configured behavior and can be updated to their corresponding new names.

It is recommended to change such settings by selecting the corresponding new names. In this example, switch from *DEPRECATED* Uniflow Default to Uniflow Default in the respective menu list in the UI.

Open

If IPFIX is working in backward compatibility mode, the use of former templates is indicated by corresponding messages in the log line:

With firmware 8.0.5 / 8.2.0, several changes have been made to the Information Elements.

For an overview of the current information templates, see the tables below.

Some standardized fields (Information Elements) in predefined templates have changed:

• All templates now include flowStartMilliseconds and flowEndMilliseconds.

• octetTotalCount and packetTotalCount are now only included in the Extended templates.

• A new basic template (Uniflow Basic) has been introduced that offers the best compatibility with various collectors.

• Except in the basic template, firewallEvent is now included in all templates.

• The systemInitTimeMilliseconds has been added and is included in the Extended templates.

Some proprietary fields were replaced with standardized ones and apply to the deprecated templates only:

• bindIPv4Address has been replaced with postNATSourceIPv4Address

• connIPv4Address has been replaced with postNATDestinationIPv4Address

• bindTransportPort has been replaced with postNAPTSourceTransportPort

• connTransportPort has been replaced with postNAPTDestinationTransportPort

• auditCounter has been removed without replacement, because similar information can be derived from the IPFIX header

• timestamp has been removed without replacement, because similar information can be derived from the IPFIX header

The reporting of timestamps for intermediate flow records has been adapted to improve the compatibility with various collectors. Instead of reporting the flow's overall start and end times, the flow record now includes the start and end times of the corresponding intermediate interval. This change takes effect only when a non-deprecated template is configured.

The reporting timestamps now work as follows:

• If there is a preceding flow report for a flow, the report's 'end time' is used as the new 'start time'. Otherwise, the slot creation time is used.

• The timestamp of the last packet that was forwarded through the slot is sent as 'end time'.

Blocked traffic is no longer reported by default for improved compatibility with various collectors. If reporting of blocked traffic is desired and there are no compatibility concerns, it can be re-enabled as follows:

1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration. 

2. In the left menu, select Audit and Reporting.

3. In the left menu, expand Configuration Mode and click Switch to Advanced View.

4. Click Lock.

5. In the section IPFIX Export, set Report Blocked or Failed Sessions to yes.

6. Click Send Changes / Activate.

   Open

   

To configure audit & reporting with IPFIX, see How to Configure IPFIX.

To create custom information templates, see How to Create Custom IPFIX Templates.