Hello Stephane,
(C) means you have a payload in the flow, which is not achievable using Netflow (only layer 3 headers).
Regarding the zero source and destination bytes, I would check on the firewall which version of Netflow is used.
Regards.
Arnaud.
------------------------------
Arnaud Chemla
Head of security consulting
Abakus Securité
------------------------------
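As an added illustration (not code from either post, and not QRadar's own flow decoder), a small NetFlow v5 parser that reads the export version from the datagram header and the per-flow byte counter (dOctets) from each fixed-size record, run over a constructed sample datagram. It shows that a v5 record carries only byte and packet counts from the layer 3 headers, never payload, and that the version must be checked first because v9 and IPFIX use a template-based layout this parser does not decode.

```python
import socket
import struct

# NetFlow v5 wire layout (fixed, template-free): 24-byte header, 48-byte records.
# Field order follows the standard v5 export record; added example, not QRadar code.
HEADER_FMT = "!HHIIIIBBH"   # version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48


def parse_netflow_v5(datagram: bytes) -> dict:
    """Return the export version plus per-flow byte/packet counters (v5 only)."""
    version, count, _up, _secs, _ns, seq, _et, _eid, sampling = struct.unpack_from(HEADER_FMT, datagram, 0)
    flows = []
    if version != 5:   # v9 / IPFIX (10) are template-based; identify, do not decode
        return {"version": version, "flows": flows}
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last, sport, dport,
         _pad, _flags, proto, _tos, _sas, _das, _sm, _dm, _pad2) = struct.unpack_from(RECORD_FMT, datagram, off)
        flows.append({
            "src": f"{socket.inet_ntoa(src)}:{sport}",
            "dst": f"{socket.inet_ntoa(dst)}:{dport}",
            "proto": proto,
            "packets": pkts,
            "bytes": octets,   # dOctets: a layer 3 byte count, never payload content
        })
    return {"version": version, "sequence": seq, "sampling": sampling & 0x3FFF, "flows": flows}


def zero_byte_flows(parsed: dict) -> list:
    """Records the exporter sent with dOctets == 0: the symptom from the thread."""
    return [f for f in parsed["flows"] if f["bytes"] == 0]


def build_v5_record(src, dst, sport, dport, proto, pkts, octets) -> bytes:
    """Pack one constructed v5 record (next-hop, AS numbers and masks are placeholders)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, pkts, octets, 1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample datagram: two TCP flows, the second exported with 0 bytes.
SAMPLE = (struct.pack(HEADER_FMT, 5, 2, 123456, 1600241820, 0, 42, 0, 0, 0)
          + build_v5_record("10.0.0.5", "192.0.2.10", 51514, 443, 6, 12, 4096)
          + build_v5_record("10.0.0.6", "192.0.2.11", 51515, 80, 6, 3, 0))

if __name__ == "__main__":
    parsed = parse_netflow_v5(SAMPLE)
    print(f"NetFlow v{parsed['version']}: {len(parsed['flows'])} flows, "
          f"{len(zero_byte_flows(parsed))} with zero bytes")
```

If every record from a firewall comes back through zero_byte_flows, the problem is on the exporter side (version or template configuration), not in the collector.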
Original Message:
Sent: Wed September 16, 2020 09:37 AM
From: Stephane Ramazani
Subject: Source and Destination Bytes show 0
I have deployed QRadar and tried to configure Flow Sources in order to receive flows coming from my Firewalls. I have configured Netflow on the Firewalls and I am using the default Netflow on QRadar and left the monitoring interface to ANY.
But the source and destination bytes are still zero with and without the (C).
Would you please assist me on this matter?
Many Thanks!!!
------------------------------
Stephane Ramazani
------------------------------