IBM Security QRadar

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin, 

To confirm, you are saying you can see the traffic but when you click on the record to view Flow Details the "Flow Interface" field doesn't have the expected values? If you can see the manually created flow source in the logs then that could be the one receiving the traffic. 

You may need to open a support case so that a support engineer can jump onto your system and look at your specific configuration.

Thanks,

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin, 

To confirm, you are saying you can see the traffic but when you click on the record to view Flow Details the "Flow Interface" field doesn't have the expected values? If you can see the manually created flow source in the logs then that could be the one receiving the traffic. 

You may need to open a support case so that a support engineer can jump onto your system and look at your specific configuration.

Thanks,

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin,

It's hard to tell without being able to look around your system but it may be because that IP address had already had a flow source alias created for it in the past. If we have previously seen that IP address we will use whatever alias was auto-generated for it in the past. As such, those flows may be present on your system, they just might be under a different Flow Interface name to what you would expect. You can jump into the Flow Source Alias admin screen to see if that might be the case.

Thanks,

Hey Benjamin, 

To confirm, you are saying you can see the traffic but when you click on the record to view Flow Details the "Flow Interface" field doesn't have the expected values? If you can see the manually created flow source in the logs then that could be the one receiving the traffic. 

You may need to open a support case so that a support engineer can jump onto your system and look at your specific configuration.

Thanks,

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.

Hey Benjamin,

It's hard to tell without being able to look around your system but it may be because that IP address had already had a flow source alias created for it in the past. If we have previously seen that IP address we will use whatever alias was auto-generated for it in the past. As such, those flows may be present on your system, they just might be under a different Flow Interface name to what you would expect. You can jump into the Flow Source Alias admin screen to see if that might be the case.

Thanks,

Hey Benjamin, 

To confirm, you are saying you can see the traffic but when you click on the record to view Flow Details the "Flow Interface" field doesn't have the expected values? If you can see the manually created flow source in the logs then that could be the one receiving the traffic. 

You may need to open a support case so that a support engineer can jump onto your system and look at your specific configuration.

Thanks,

Hey Benjamin,

Actually we recommend people use "Any" if they can because this also allows fragmented packets to be reassembled. You should find that after switching to Any your netstat command will work. I checked and in my environment if I choose a specific interface the netstat command returns no results - but I still receive flows - and on "Any" the command returns fine.

As such, you should be able to leave it as eno1 and once you start sending flows to port 2055 (which you can verify using the tcpdump command you mentioned earlier) you should see them in Network Activity. Or, if you want to see the netstat result try change it to Any (which may have its benefits if your exporter sends fragmented packets anyway).

Regards

Hey Benjamin!

This comment "With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP." indicates that your exporter isn't successfully sending traffic to QRadar. Check any firewalls and make sure the exporter has started sending the flow reports. 

As for your netstat command, this could be not showing any results because you have set QFlow to listen on a specific interface rather than "Any". You could try change the flow source to "Any" to see if the netstat results change, but I would focus your efforts on resolving the issue above first.

Regards

•  I have created a flow source with flow source type "Netflow/ipfix" on the interface(eno1), and deployed changes.
• While creating the NetFlow Configuration on the cisco device, i used the template specified in the qradar admin guide.
• Ran the "show flow monitor name <monitor_name> cache" on the Cisco device, and confirmed that flows are been generated for the device.
• Also confirmed that the default NetFlow port (2055) used by qradar is opened between the Cisco device and the QRadar FP.
• With tcpdump -i eno1 port 2055, I see no traffic on the qradar FP.