“Does my WatchGuard firewall support NetFlow?” Customers who have WatchGuard firewalls have asked me this question many times over the years.
The answer is YES! We can finally put WatchGuard on the list of firewalls that support flow technologies.
In Firmware v12.3 or higher, you can finally configure the WatchGuard as a NetFlow exporter to gain more insights into your network traffic.
When you configure NetFlow on your WatchGuard, you specify which interfaces to monitor. You also specify the IP address of collector and the UDP port number that you want send the export flows through. The WatchGuard monitors the selected interfaces and sends streams of data known as NetFlow records to the collector for analysis.
WatchGuard only monitors ingress network traffic on the selected interfaces. For pass-through, or bi-directional traffic, you want to select both inbound and outbound interfaces. This is nothing new if you are used to NetFlow version 5. You can also choose to monitor Firebox-generated (self-generated) traffic, which is outbound traffic generated by the firewall itself.
Monitoring via NetFlow is supported on the physical, VLAN, bridge, wireless, and link aggregation interfaces in all zones (Trusted, External, Optional, and Custom).
WatchGuard NetFlow configuration process
To configure NetFlow from the WatchGuard web UI:
- Select System > NetFlow.
- Select Enable NetFlow.
- For the protocol version, select V5 or V9.
To monitor IPv6 traffic, you must use V9. - In the Collector Address text box, type the IPv4 or IPv6 address of the collector. The collector is the server that collects NetFlow data from the Firebox.
- In the Port text box, type the port configured on the collector.
The Firebox must be able to communicate with the collector at the specified IP address and port with the UDP protocol. - In the Active Flow Timeout text box, type a number between 1 and 60 minutes (default 30).
We recommend that you specify an Active Flow Timeout value of 1. - (Optional) To enable Sampling Mode, select the Sample every 1 out of checkbox.
- If you enabled Sampling Mode, in the adjacent text box, type a number between 2 and 65535 packets.
- To enable NetFlow for an interface, select the checkbox adjacent to that interface.
If you have many interfaces, use the Interface Name search box or select an option from the Type or Zone drop-down lists to find an interface quickly. - To select all interfaces, select the checkbox adjacent to the Interface Name text box.
- To monitor outbound traffic generated by the Firebox, select Firebox.
- Click Save.
You can also configure NetFlow from the Policy Manager by going to Setup > NetFlow.
From there, enter a configuration GUI that presents the same options that you had via the steps that we went through from the web UI.
That is it, configuration complete!
Efficient traffic management requires usable and relevant information from all points on the network. Collecting flows from your WatchGuard firewall will provide additional network observation points, and an efficient means to identify inappropriate behavior, problems, and discrepancies. In addition, the ability to drill down to particular traffic specifics make security forensics and incident response using flows an invaluable tool for charting the health of your network.
Have you been looking for NetFlow visibility from your firewall, but were always told that the vendor did not support it? Download Scrutinizer, and give us a call, we can help you get the configuration set up.
