Activate the NetFlow Collector

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-22
Last date published: 2023-09-25
Category: Administrator Guide

Note

Ingesting records from external sources requires a Cortex XDR Pro per GB license.

To receive NetFlow flow records from an external source, you must first set up the NetFlow Collector applet on a Broker VM within your network. NetFlow versions 5, 9, and IPFIX are supported.

To increase the log ingestion rate, you can add additional CPUs to the Broker VM. The NetFlow Collector listens for flow records on specific ports either from any, or from specific IP addresses.

After the NetFlow Collector is activated, the NetFlow Exporter sends flow records to the NetFlow Collector, which receives, stores, and pre-processes that data for later analysis.

Size the Broker VM according to the flow rate you expect:

  • 4 CPUs for up to 50K flows per second (FPS).

  • 8 CPUs for up to 100K FPS.

Note

Since multiple network devices can send data to a single NetFlow Collector, we recommend that you configure a maximum of 50 NetFlow Collectors per Broker VM applet, with a maximum aggregated rate of approximately 50K flows per second (FPS) to maintain system performance.

Configure the Broker VM before setting up the NetFlow Collector applet.

Activate the NetFlow Collector.

  1. Select Settings > Configurations > Data Broker > Broker VMs.

  2. In either the Brokers tab or the Clusters tab, locate your Broker VM.

  3. Either right-click the Broker VM and select Add App > NetFlow Collector, or hover in the APPS column and select Add > NetFlow Collector.

  4. Click +Add New.

  5. Configure your NetFlow Collector.

    1. Define General Settings.

      • UDP Port—Specify the number of the UDP port on which the NetFlow Collector listens for flow records (default 2055).

        This port number must match the UDP port configured on the NetFlow exporter device. The rules defined for each port are evaluated from the top row down, and the first matching rule wins. Flow records that arrive on a port for which no rule matches their source are discarded unless that port also has an "Any" source rule.

        Note

        Because Cortex XDR reserves some port numbers, choose a port that is not in the range 0-1024 (514 is the exception and may be used), not in the range 63000-65000, and not one of the following values: 4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, or 28672.

    2. Define Custom Settings.

      • Source Network—Specify the IP address or Classless Inter-Domain Routing (CIDR) range of the network device that sends flow records to Cortex XDR. Leave the field empty (the default) to accept flow records from any source IP address on the specified port. If the Source Network values of multiple rows overlap, for example 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, a flow record from 10.0.0.10 is matched by the first row.

      • Vendor and Product—Specify a particular vendor and product to be associated with each dataset entry or leave the default IP Flow setting.

        The Vendor and Product values are used to define the name of your Cortex Query Language (XQL) dataset <Vendor>_<Product>_raw. If you do not define a vendor or product, Cortex XDR uses the default values with the resulting dataset name ip_flow_ip_flow_raw. Consider changing the default values in order to uniquely identify the source network device.

        After each configuration, select the blue arrow to save your changes and then select Done to update the NetFlow Collector with your settings.

  6. (Optional) Make additional changes to the NetFlow Collector data sources.

    • You can make additional changes to the Port by right-clicking the applicable UDP port and selecting the following.

      • Edit—To change the UDP Port, Source Network, Vendor, or Product defined.

      • Remove—To delete a Port.

    • You can make additional changes to the Source Network by right-clicking on the Source Network value.

      Note

      The options available change, according to the set Source Network value.

      • Edit—To change the UDP Port, Source Network, Vendor, or Product defined.

      • Remove—To delete a Port.

      • Copy entire row—To copy the Source Network, Product, and Vendor information.

      • Open IP View—To view network operations and any open incidents on this IP within a defined period. This option is only available when the Source Network value is a specific IP address or CIDR.

      • Open in Quick Launcher—To search for information using the Quick Launcher shortcut. This option is only available when the Source Network value is a specific IP address or CIDR.

    • To prioritize the order of the NetFlow formats listed for the configured data source, drag and drop the rows to change their order.

  7. Activate the NetFlow collector applet.

    After successful activation, the APPS field displays NetFlow with a green dot indicating a successful connection.

  8. (Optional) To view NetFlow Collector metrics, hover over the NetFlow connection in the APPS field for your Broker VM.

    Cortex XDR displays the following information:

    • Connectivity Status—Whether the applet is connected to Cortex XDR.

    • Logs Received and Logs Sent—Number of logs that the applet received and sent per second over the last 24 hours. If there are more logs received than sent, this can indicate a connectivity issue.

    • Resources—Displays the amount of CPU, Memory, and Disk space the applet uses.

  9. Manage the NetFlow Collector.

    After you activate the NetFlow Collector, you can make additional changes. To modify a configuration, hover over the NetFlow connection in the APPS column to display the NetFlow Collector settings, and select:

    • Configure to redefine the NetFlow Collector configurations.

    • Deactivate to disable the NetFlow Collector.

    You can also Ingest NetFlow Flow Records as Datasets.
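The following is an added illustration, not code from Cortex XDR or the Broker VM, of the matching rules this procedure describes: the reserved-port guidance for the UDP Port field, first-match evaluation of the Source Network rows (including the 10.0.0.10 versus 10.0.0.0/24 overlap), discard of records with no matching row and no "Any" row, and the `<Vendor>_<Product>_raw` dataset name. The rule table, vendor and product names are constructed; how the product normalizes vendor and product strings into the dataset name is not shown on the page, so the values are used as given.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports the guide says to avoid: two reserved ranges (514 is the stated
# exception inside the low range) plus individual reserved values.
RESERVED_RANGES = [(0, 1024), (63000, 65000)]
RESERVED_PORTS = {4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, 28672}


def port_is_recommended(port: int) -> bool:
    """True if the UDP port avoids every reserved range and value from the guide."""
    if port == 514:
        return True
    if any(lo <= port <= hi for lo, hi in RESERVED_RANGES):
        return False
    return port not in RESERVED_PORTS


@dataclass
class CollectorRule:
    udp_port: int
    source_network: str = ""   # empty string = "Any" source on this port
    vendor: str = "ip_flow"    # defaults give the guide's ip_flow_ip_flow_raw
    product: str = "ip_flow"

    def dataset(self) -> str:
        return f"{self.vendor}_{self.product}_raw"

    def matches(self, port: int, src_ip: str) -> bool:
        if port != self.udp_port:
            return False
        if not self.source_network:          # "Any" rule accepts every source
            return True
        net = ipaddress.ip_network(self.source_network, strict=False)
        return ipaddress.ip_address(src_ip) in net


def route_flow(rules: List[CollectorRule], port: int, src_ip: str) -> Optional[str]:
    """Evaluate rows top-down; return the target dataset of the first match,
    or None when the record would be discarded."""
    for rule in rules:
        if rule.matches(port, src_ip):
            return rule.dataset()
    return None


# Constructed rule table mirroring the overlap example in the guide.
RULES = [
    CollectorRule(2055, "10.0.0.10", "acme", "core_router"),   # specific host first
    CollectorRule(2055, "10.0.0.0/24", "acme", "branch"),      # rest of the subnet
    CollectorRule(2056),                                        # Any source on 2056
]
```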