Blog :: Network Operations :: Security Operations

Citrix NetScaler AppFlow Reports : IPFIX or NetFlow

I thought I’d post about our new Citrix AppFlow reporting on the NetScaler IPFIX export. When we first started working with AppFlow I was naturally curious if it was an IPFIX or NetFlow technology.  We quickly learned that it is 100% compliant with the emerging IPFIX reporting standard so don’t go looking for NetScaler NetFlow.  This new export is a great addition to your network monitoring efforts.

Citrix AppFlow and IPFIX/NetFlow support on NetScaler

These new NetScaler AppFlow include details on:

  •   Applications
  •   Connections
  •   Request URL
  •   Request Host
  •   User Agent

The Applications report is interesting because Citrix is one of about a half a dozen companies that are exporting actual applications details after Deep Packet Inspection.  This is definitely something to look for in a NetFlow export because many applications hide behind TCP port 80. The first technology to do this was Cisco NBAR with Flexible NetFlow.  SonicWALL IPFIX, Exinda NetFlow, Palo Alto NetFlow, nBox all followed suit and are open for other vendors to report on.

Although Citrix calls it AppFlow it is really nothing more than IPFIX support with a well thought out use of element extensions which is how the IPFIX technology was intended to be used. Any NetFlow reporting tool or IPFIX collector should be able to give you basic reporting on AppFlow however, it requires an Advanced IPFIX reporting tool to deliver details on the unique NetScaler AppFlow elements and we worked with Citrix engineers to do this.