IPFIX Data Export: From Research to Successful Log Collection

August 8, 2025

In today’s complex network environments, flow data (such as IPFIX or NetFlow) is essential for security monitoring, traffic analysis, and network forensics. Many organizations rely on Security Information and Event Management (SIEM) platforms to collect and analyse this data. However, not all network devices natively support IPFIX, leading to challenges in log collection.

This blog details our journey in finding a reliable method to export IPFIX data to a SIEM, evaluating multiple firewall and network devices before settling on a Linux-based solution using PMACCT and NFPROBE.

1. The Challenge: Finding a Reliable IPFIX Exporter

Our goal was straightforward: export IPFIX data from network devices to a SIEM. However, we quickly discovered that many enterprise firewalls and routers either:

  • Only supported NetFlow v9 (Cisco's older format; IPFIX, RFC 7011, is the IETF standard derived from it).
  • Required complex licensing or configurations.
  • Lacked clear documentation on IPFIX support.

This led us to test several major vendors:

Products Investigated

Sophos XG Firewall

  • Supports: NetFlow v9.
  • Limitation: No native IPFIX support.
  • Verdict: Not suitable for IPFIX export.

Juniper vSRX

  • Supports: IPFIX (but with licensing constraints).
  • Limitation: Complex setup, unclear documentation.
  • Verdict: Possible but not ideal for quick deployment.

Palo Alto Firewall V11

  • Supports: NetFlow v9 by default.
  • Limitation: No IPFIX support in current versions.
  • Verdict: Not an option for IPFIX needs.

Fortigate v7.x

  • Supports: NetFlow v9.
  • Limitation: No IPFIX support.
  • Verdict: Another dead end.

Conclusion: Since none of the firewalls we tested met our IPFIX requirement without licensing or configuration hurdles, we turned to a software-based solution.

2. The Solution: PMACCT + NFPROBE on Linux

After evaluating hardware limitations, we chose:

  • PMACCT: A suite of passive network-monitoring daemons. pmacctd captures packets with libpcap; its companions nfacctd and sfacctd collect NetFlow/IPFIX and sFlow.
  • NFPROBE: A plugin compiled into pmacct (not a separate package, and not ntop's commercial nProbe) that aggregates captured packets into flows and exports them as NetFlow v5, NetFlow v9 or IPFIX.

Why This Approach?

  1. Flexibility: Runs on any Linux host. It exports whatever traffic its capture interface sees, so place it on a SPAN/mirror port or on a host that forwards the traffic of interest.
  2. IPFIX Support: Built-in, no licensing hurdles.
  3. SIEM Integration: Exports to any UDP-based IPFIX collector. IPFIX over UDP is neither authenticated nor encrypted, so keep the exporter-to-SIEM path on a management network and restrict the collector port to the exporter's source address.

3. Environment Setup

Requirements

  • OS: Ubuntu 22.04+ (tested on Ubuntu 24.04).
  • SIEM: Must accept IPFIX over UDP (default port 4739).

Installation & Configuration

  1. Install PMACCT (the nfprobe plugin is compiled into the pmacct package, so nothing else is needed; "nprobe" is ntop's unrelated commercial product and is not in the Ubuntu repositories):
    sudo apt update
    sudo apt install pmacct
  2. Configure pmacctd, the libpcap-based daemon, for IPFIX export. The Ubuntu package reads /etc/pmacct/pmacctd.conf; comments in pmacct configuration files start with "!":
    ! /etc/pmacct/pmacctd.conf
    daemonize: false
    ! interface that sees the traffic to export (SPAN/mirror or routed interface); eth0 is a placeholder
    pcap_interface: eth0
    ! flow key for the exported records
    aggregate: src_host, dst_host, src_port, dst_port, proto, tos
    plugins: nfprobe
    ! SIEM IP and IPFIX port
    nfprobe_receiver: 192.168.40.124:4739
    ! 10 = IPFIX (RFC 7011); 9 = NetFlow v9; 5 = NetFlow v5
    nfprobe_version: 10
  3. Start the service (the package's unit is pmacctd; confirm with systemctl cat pmacctd that it runs pmacctd in the foreground, which is what daemonize: false expects):
    sudo systemctl enable --now pmacctd

4. Validation & Results

After setup, we confirmed successful IPFIX export. The connection below shows the exporter (192.168.40.222) sending UDP (proto 17) to the SIEM's IPFIX port:
    Ipfix [192.168.40.222]:54116 <> [192.168.40.124]:4739 proto:17 pkts:10 bytes:3792

tcpdump on the exporter filtered on UDP port 4739 should show the same datagrams. Note that a collector can only decode data records after it has received the matching template, which nfprobe resends periodically, so a collector started after the exporter may log undecodable sets for a short while.

Key Observations:

  1. Reliable Export: No drops, consistent flow data.
  2. SIEM Compatibility: Logs ingested without issues.
  3. Low Resource Usage: Minimal CPU/memory impact.
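Seeing UDP packets on port 4739 proves only that something is being sent; it does not prove the datagrams are IPFIX rather than NetFlow v9, or that the collector holds the templates it needs to decode the data records. The decoder below is an added example, not code from the original post or the pmacct project. It parses the IPFIX message and set headers defined in RFC 7011, caches templates across messages, and reports data sets that arrive before their template. The sample message it decodes is constructed inline (the addresses and ports are the ones from the validation line above, the export time and sequence numbers are made up); Information Element numbers are IANA's. Only fixed-length, non-enterprise fields are handled, which covers what nfprobe emits for the aggregate in the configuration above.

```python
"""Minimal IPFIX (RFC 7011) decoder for checking an exporter.

Added example (not pmacct code): confirms datagrams are version 10,
that the length field matches the datagram, and that data sets can be
matched to a template. Fixed-length, non-enterprise fields only.
"""
import ipaddress
import socket
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
MIN_DATA_SET_ID = 256

# IANA Information Element IDs used by the constructed sample below.
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}


def decode_field(ie_id, raw):
    """IPv4 address IEs as dotted quads, everything else as a big-endian int."""
    if ie_id in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_ipfix(msg, templates=None):
    """Parse one IPFIX message into {"header", "records", "missing_templates"}.

    `templates` maps template ID -> [(ie_id, length), ...] and should be
    shared across calls: a data set whose template has not been seen yet is
    listed in "missing_templates" instead of being decoded.
    """
    if templates is None:
        templates = {}
    if len(msg) < 16:
        raise ValueError("shorter than the 16-byte IPFIX message header")
    version, length, export_time, seq, domain = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"version {version} is not IPFIX (NetFlow v9 uses 9)")
    if length != len(msg):
        raise ValueError(f"length field {length} != datagram length {len(msg)}")
    result = {"header": {"export_time": export_time, "sequence": seq, "domain": domain},
              "records": [], "missing_templates": []}
    pos = 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError(f"bad set length {set_len} at offset {pos}")
        body = msg[pos + 4:pos + set_len]
        if set_id == TEMPLATE_SET_ID:
            off = 0
            while off + 4 <= len(body):  # trailing bytes are padding
                tid, count = struct.unpack("!HH", body[off:off + 4])
                off += 4
                fields = []
                for _ in range(count):
                    if off + 4 > len(body):
                        raise ValueError(f"truncated template {tid}")
                    ie_id, flen = struct.unpack("!HH", body[off:off + 4])
                    off += 4
                    if ie_id & 0x8000:  # enterprise bit: a 4-byte PEN follows
                        ie_id &= 0x7FFF
                        off += 4
                    if flen == 0xFFFF:
                        raise ValueError("variable-length fields not supported")
                    fields.append((ie_id, flen))
                templates[tid] = fields
        elif set_id >= MIN_DATA_SET_ID:
            fields = templates.get(set_id)
            if fields is None:
                result["missing_templates"].append(set_id)
            else:
                rec_len = sum(flen for _, flen in fields)
                off = 0
                while rec_len and off + rec_len <= len(body):  # rest is padding
                    rec = {}
                    for ie_id, flen in fields:
                        rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = decode_field(ie_id, body[off:off + flen])
                        off += flen
                    result["records"].append(rec)
        # set ID 3 (options templates) and reserved IDs 4..255 are skipped
        pos += set_len
    return result


def build_sample_message(include_template=True):
    """Constructed sample, not captured traffic: template 256 plus one data
    record for the flow shown in the validation line above."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8)]
    body = b""
    if include_template:
        tmpl = struct.pack("!HH", 256, len(fields))
        tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
        body += struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = (ipaddress.IPv4Address("192.168.40.222").packed
            + ipaddress.IPv4Address("192.168.40.124").packed
            + struct.pack("!HHB", 54116, 4739, 17)
            + struct.pack("!QQ", 3792, 10))
    body += struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1754611200, 1, 1)
    return header + body


def listen(port=4739, count=5):
    """Decode `count` live datagrams. Run on a test host and point
    nfprobe_receiver at it; do not bind this next to the SIEM's collector."""
    templates = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (src, _) = sock.recvfrom(65535)
            print(src, parse_ipfix(data, templates))


if __name__ == "__main__":
    print(parse_ipfix(build_sample_message()))
```

To use it against the real exporter, temporarily set nfprobe_receiver to a test host running listen(), and watch for the first message: a version other than 10 means the wrong nfprobe_version is in effect, and a non-empty missing_templates list that never clears means templates are not reaching the collector.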

5. Conclusion: Why This Approach Works Best

While major firewalls like Sophos XG, Juniper vSRX, Palo Alto, and Fortigate have limitations with IPFIX, a Linux-based PMACCT+NFPROBE setup provides:

  1. Full IPFIX Support (No vendor restrictions).
  2. Easy Deployment (No complex licensing).
  3. Scalability (The same build runs on cloud, on-prem, or hybrid hosts, one exporter per capture point).

For security teams needing IPFIX exports to a SIEM, this method is a robust, cost-effective solution.

Final Thoughts

Have you faced similar challenges with IPFIX? Did you find alternative solutions? Share your experiences below!
