Abstract
Learn more about activating a Broker VM with a NetFlow Collector applet.
Notice
Ingesting records from external sources requires a Cortex XDR Pro per GB license.
To receive NetFlow flow records from an external source, you must first set up the NetFlow Collector applet on a Broker VM within your network. NetFlow versions 5, 9, and IPFIX are supported.
To increase the log ingestion rate, you can add additional CPUs to the Broker VM. The NetFlow Collector listens for flow records on specific ports, either from any IP address or from specific IP addresses.
After the NetFlow Collector is activated, the NetFlow Exporter sends flow records to the NetFlow Collector, which receives, stores, and pre-processes that data for later analysis.
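A pre-flight check for exporter traffic, as an added example (not Palo Alto Networks code and not how the Broker VM is implemented): it classifies a captured UDP payload as NetFlow v5, v9, or IPFIX from its export header and applies a source-network allow-list of the kind configured for the collector. The function name, the sample datagrams, and the convention that an empty allow-list means "any source" are assumptions made for this illustration.

```python
import ipaddress
import struct

# Export header layouts keyed by the 2-byte version field (network byte order).
HEADERS = {
    5: ("NetFlow v5", struct.Struct("!HHIIIIBBH")),  # 24-byte header
    9: ("NetFlow v9", struct.Struct("!HHIIII")),     # 20-byte header (RFC 3954)
    10: ("IPFIX", struct.Struct("!HHIII")),          # 16-byte header (RFC 7011)
}
V5_RECORD_SIZE, V5_MAX_RECORDS = 48, 30


def classify_datagram(payload, source_ip, allowed_networks):
    """Return (accepted, detail) for one UDP payload received from source_ip."""
    src = ipaddress.ip_address(source_ip)
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    # Assumption: an empty allow-list means "accept from any source".
    if nets and not any(src in n for n in nets):
        return False, f"source {src} is outside the allowed source networks"
    if len(payload) < 2:
        return False, "payload too short to carry a version field"
    (version,) = struct.unpack_from("!H", payload)
    if version not in HEADERS:
        return False, f"unsupported version {version}"
    name, layout = HEADERS[version]
    if len(payload) < layout.size:
        return False, f"truncated {name} header"
    fields = layout.unpack_from(payload)
    if version == 5:
        # v5 carries 1-30 fixed-size records directly after the header.
        count = fields[1]
        expected = layout.size + V5_RECORD_SIZE * count
        if not 1 <= count <= V5_MAX_RECORDS or len(payload) != expected:
            return False, "NetFlow v5 record count does not match datagram length"
    elif version == 10:
        # The IPFIX header states the message length, header included.
        if not layout.size <= fields[1] <= len(payload):
            return False, "IPFIX length field inconsistent with datagram size"
    return True, name


# Constructed sample datagrams (not captured traffic).
V5_SAMPLE = HEADERS[5][1].pack(5, 1, 1000, 1700000000, 0, 1, 0, 0, 0) + bytes(48)
IPFIX_SAMPLE = HEADERS[10][1].pack(10, 16, 1700000000, 1, 0)

if __name__ == "__main__":
    print(classify_datagram(V5_SAMPLE, "10.1.2.3", ["10.0.0.0/8"]))
    print(classify_datagram(V5_SAMPLE, "192.0.2.7", ["10.0.0.0/8"]))
    print(classify_datagram(IPFIX_SAMPLE, "10.1.2.3", []))
```

Running this against a packet capture from the exporter shows whether its records use a supported version and come from an address inside the intended source network before the applet is activated.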
Select → → → .
Do one of the following:
On the Brokers tab, find the Broker VM, and in the APPS column, left-click → .
On the Clusters tab, find the Broker VM, and in the APPS column, left-click → .
Click +Add New.
Configure your NetFlow Collector.
(Optional) Make additional changes to the NetFlow Collector data sources.
You can make additional changes to the Port by right-clicking the applicable UDP port and selecting the following:
Edit: To change the UDP Port, Source Network, Vendor, or Product defined.
Remove: To delete a Port.
You can make additional changes to the Source Network by right-clicking on the Source Network value.
Note
The available options change according to the configured Source Network value.
To prioritize the order of the NetFlow formats listed for the configured data source, drag and drop the rows to change their order.
Activate the NetFlow Collector applet.
After successful activation, the APPS field displays NetFlow with a green dot indicating a successful connection.
(Optional) To view NetFlow Collector metrics, left-click the NetFlow connection in the APPS field for your Broker VM.
Cortex XDR displays the following information:
Manage the NetFlow Collector.
After you activate the NetFlow Collector, you can make additional changes. To modify a configuration, left-click the NetFlow connection in the APPS column to display the NetFlow Collector settings, and select: