Hi Alessio,
There should really be nothing different in configuring NetFlow v9 being sent to QRoC or a traditional on-premise deployment. What you have said above is correct... configure PfSense to send NetFlow over to the Data Gateway. A Data Gateway should have a "default_Netflow" flow source configured to listen on UDP port 2055 by default. Send your NetFlow v9 traffic from PfSense to that and it should reach the QRoC console.
As for identifying the specific traffic you highlighted above, there isn't any documentation on all of the applications that we will attempt to identify on flows. The key thing will be to look in the "application" column, not the "protocol" column on the network activity tab. I presume a payload sample hasn't been sent by PfSense as you are only sending NetFlow data. As such the majority of the application identification will be limited to the port-based mappings defined in the /opt/qradar/conf/appid_map.conf file.
------------------------------
Dale Bowie
QRadar Flows Product Owner
IBM
------------------------------
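The flow path Dale describes (NetFlow v9 from PfSense to the Data Gateway's UDP/2055 listener, with application identification limited to port-based mappings) as an added Python example, not code from this thread or from QRadar: it builds a minimal v9 datagram, parses the template and data flowsets, and classifies each flow by port. The port map, addresses and ports are constructed assumptions, not the contents of /opt/qradar/conf/appid_map.conf.

```python
"""Added example: minimal NetFlow v9 build/parse plus port-based application ID.
Shows that a flow record carries only the 5-tuple (no payload), so any
application label must come from a port map when only NetFlow is exported."""
import struct

# NetFlow v9 field types (RFC 3954): IPv4 src/dst, src/dst port, protocol
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]  # (type, length)
NAMES = {8: "src", 12: "dst", 7: "sport", 11: "dport", 4: "proto"}

# Constructed stand-in for a port-based map (assumption, not appid_map.conf)
PORT_APPS = {(6, 443): "HTTPS", (6, 80): "HTTP", (17, 53): "DNS", (6, 22): "SSH"}

# Constructed sample flows (RFC 5737 addresses); third one uses an unmapped port
SAMPLE = [("192.0.2.10", "198.51.100.1", 51000, 443, 6),
          ("192.0.2.10", "192.0.2.1", 40000, 53, 17),
          ("192.0.2.10", "203.0.113.7", 52000, 8443, 6)]

def build_v9(records, template_id=256):
    """Build one v9 datagram: 20-byte header, template flowset, data flowset."""
    tmpl = struct.pack("!HH", template_id, len(FIELDS))
    for ftype, flen in FIELDS:
        tmpl += struct.pack("!HH", ftype, flen)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl  # flowset id 0 = template
    data = b""
    for src, dst, sport, dport, proto in records:
        data += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
        data += struct.pack("!HHB", sport, dport, proto)
    pad = (-len(data)) % 4  # data flowsets are padded to 32-bit boundary
    data_set = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 2, 1000, 1567154340, 1, 0)  # count not validated
    return header + tmpl_set + data_set

def parse_v9(pkt):
    """Learn templates, then decode data records; returns a list of dict flows."""
    version = struct.unpack("!H", pkt[:2])[0]
    assert version == 9, "not NetFlow v9"
    templates, flows, off = {}, [], 20
    while off + 4 <= len(pkt):
        set_id, set_len = struct.unpack("!HH", pkt[off:off + 4])
        if set_len < 4:
            break  # malformed length; stop rather than loop forever
        body, off = pkt[off + 4:off + set_len], off + set_len
        if set_id == 0:  # template flowset: record field layout for this template id
            tid, nfields = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(nfields)]
        elif set_id in templates:  # data flowset: decode fixed-size records, skip padding
            layout = templates[set_id]
            rec_len = sum(flen for _, flen in layout)
            for pos in range(0, len(body) - rec_len + 1, rec_len):
                rec, p = {}, pos
                for ftype, flen in layout:
                    raw, p = body[p:p + flen], p + flen
                    rec[NAMES.get(ftype, ftype)] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                flows.append(rec)
    return flows

def identify(flow):
    """Port-based identification: all that flow-only data allows without a payload sample."""
    proto = flow["proto"]
    return PORT_APPS.get((proto, flow["dport"])) or PORT_APPS.get((proto, flow["sport"]), "Unknown")
```

Flows on ports absent from the map come back as "Unknown", which is the limitation Dale points out when no payload is exported.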
Original Message:
Sent: Fri August 30, 2019 03:39 AM
From: Alessio Bonechi
Subject: documents netflows and track traffic based on protocol
Good morning, I need your help with two questions:
- I'm searching for details or documents to configure NetFlows on QRadar on Cloud. Can you help me?
- I have installed QRoC in a test environment with:
  - A physical host as Data Gateway;
  - A physical host equipped with MS Windows 10 hosting 2 virtual machines:
    1) A VM with PfSense working as firewall that sends flows v.9 to the Data Gateway;
    2) A VM with MS Windows 7 to navigate the internet through the PfSense VM
My goal is to track specific traffic based on protocol (i.e. skype, tor, etc.) but I haven't found documentation that explains how to do it. Any suggestion?
Thanks in advance.
------------------------------
Alessio Bonechi
------------------------------