In today’s complex network environments, flow data (such as IPFIX or NetFlow) is essential for security monitoring, traffic analysis, and network forensics. Many organizations rely on Security Information and Event Management (SIEM) platforms to collect and analyse this data. However, not all network devices natively support IPFIX, leading to challenges in log collection.
This blog details our journey in finding a reliable method to export IPFIX data to a SIEM, evaluating multiple firewall and network devices before settling on a Linux-based solution using PMACCT and NFPROBE.
1. The Challenge: Finding a Reliable IPFIX Exporter
Our goal was straightforward: export IPFIX data from network devices to a SIEM. However, we quickly discovered that many enterprise firewalls and routers either:
- Only supported NetFlow v9 (an older standard).
- Required complex licensing or configurations.
- Lacked clear documentation on IPFIX support.
This led us to test several major vendors:
Products Investigated
Sophos XG Firewall
- Supports: NetFlow v9.
- Limitation: No native IPFIX support.
- Verdict: Not suitable for IPFIX export.
Juniper vSRX
- Supports: IPFIX (but with licensing constraints).
- Limitation: Complex setup, unclear documentation.
- Verdict: Possible but not ideal for quick deployment.
Palo Alto Firewall V11
- Supports: NetFlow v9 by default.
- Limitation: No IPFIX support in current versions.
- Verdict: Not an option for IPFIX needs.
Fortigate v7.x
- Supports: NetFlow v9.
- Limitation: No IPFIX support.
- Verdict: Another dead end.
Conclusion: Since hardware firewalls and routers didn’t meet our IPFIX requirements, we turned to a software-based solution.
2. The Solution: PMACCT + NFPROBE on Linux
After evaluating hardware limitations, we chose:
- PMACCT: A powerful flow collector, analyzer, and exporter.
- NFPROBE: A pmacct plugin that generates IPFIX flows from captured traffic and exports them.
Why This Approach?
- Flexibility: Works on any Linux system.
- IPFIX Support: Built-in, no licensing hurdles.
- SIEM Integration: Easily exports to UDP-based collectors.
3. Environment Setup
Requirements
- OS: Ubuntu 22.04+ (tested on Ubuntu 24.04).
- SIEM: Must accept IPFIX over UDP (default port 4739).
Installation & Configuration
- Install PMACCT (the NFPROBE plugin is built into the pmacct package, so nothing else needs installing):
  sudo apt update
  sudo apt install pmacct
- Configure PMACCT for IPFIX Export:
  # /etc/pmacct/pmacct.conf
  daemonize: false
  # pcap_interface: eth0                 # capture interface; if unset, pmacctd falls back to libpcap's default device
  aggregate: src_host, dst_host, src_port, dst_port, proto, tos   # 5-tuple flow keys (added here; the post omitted this line)
  plugins: nfprobe
  nfprobe_receiver: 192.168.40.124:4739   # SIEM IP and IPFIX port
  nfprobe_version: 10                     # 10 = IPFIX; 9 would emit NetFlow v9
- Start the Service:
  sudo systemctl start pmacct
  # Debian/Ubuntu units are named per daemon (e.g. pmacctd); list them with: systemctl list-unit-files 'pmacct*'
4. Validation & Results
After setup, we confirmed the export by watching the exporter send IPFIX datagrams to the SIEM on UDP port 4739:
Ipfix [192.168.40.222]:54116 <> [192.168.40.124]:4739 proto:17 pkts:10 bytes:3792
Key Observations:
- Reliable Export: No drops, consistent flow data.
- SIEM Compatibility: Logs ingested without issues.
- Low Resource Usage: Minimal CPU/memory impact.
5. Conclusion: Why This Approach Works Best
While major firewalls like Sophos XG, Juniper vSRX, Palo Alto, and Fortigate have limitations with IPFIX, a Linux-based PMACCT+NFPROBE setup provides:
- Full IPFIX Support (No vendor restrictions).
- Easy Deployment (No complex licensing).
- Scalability (Works across cloud, on-prem, or hybrid).
For security teams needing IPFIX exports to a SIEM, this method is a robust, cost-effective solution.
Final Thoughts
Have you faced similar challenges with IPFIX? Did you find alternative solutions? Share your experiences below!
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have relied on Loginsoft as a trusted resource for technology talent. Startups, product companies, and enterprises alike rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services, which include Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250 integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, Cisco, Datadog, Symantec, Carbon Black, F5, Fortinet, and so on. Loginsoft is a partner with industry-leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.