Version 9.4

Download PDF

View Table of Contents

Thank you! We will contact you soon to ask how we can improve our documentation. We appreciate your feedback.

Was this topic helpful?

Yes No

Thank you for your feedback. Can we contact you to ask follow up questions?

How can we improve?

Product Requirements

Reveal(x) Enterprise and Reveal(x) 360 only

Deploy the ExtraHop EFC 1292v NetFlow Sensor

This guide explains how to deploy the EFC 1292v NetFlow sensor virtual appliance.

The EFC 1292v is designed to connect to Reveal(x) 360 and Reveal(x) Enterprise and collect NetFlow records from your network. Packet analysis is not available.

Prerequisites

Your environment must meet the following requirements to deploy an EFC 1292v sensor:

Access to a virtual sensor (ExtraHop 1100v) on Linux KVM or VMware
An EFC 1292v product key

Deployment overview

Collecting NetFlow records requires the following configuration setup.

Deploy an ExtraHop sensor instance in Linux KVM or VMware. For more information, see Deploy an ExtraHop sensor on Linux KVM or Deploy the ExtraHop sensor with VMware.
Configure interfaces.
Configure NetFlow settings on the ExtraHop system.

Configure interfaces

Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
In the Network Settings section, click Connectivity.
In the Interfaces section, click the name of the interface you want to configure.
On the Network Settings for Interface <interface number> page, from the Interface Mode drop-down, select Management + Flow Target.
Disable all remaining interfaces, since the sensor cannot process NetFlow and wire data simultaneously:
1. In the Interfaces section, click the name of the interface you want to configure.
2. From the Interface Mode drop-down, select Disabled.
3. Repeat until all additional interfaces are disabled.
Click Save.

Configure NetFlow settings

You must configure port and network settings on the ExtraHop system before you can collect NetFlow records. Flow networks cannot be configured on Reveal(x) Enterprise systems. The ExtraHop system supports the following flow technologies: Cisco NetFlow v5/v9 and IPFIX.

You must log in as a user with System and Access Administration privileges to complete the following steps.

Configure the flow type and UDP port

Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
In the Network Settings section, click NetFlow.
In the Ports section, from the Port field, type the UDP port number.
The default port for Net Flow is 2055. You can add additional ports as needed for your environment.

Note: Port numbers must be 1024 or greater
From the Flow Type drop-down menu, select NetFlow.
Click the plus icon (+) to add the port.

Add approved networks

Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
In the Network Settings section, click NetFlow.
In the Approved Networks section, click Add Approved Network.
From the Flow Type drop-down menu, select NetFlow.
For IP address, type the IPv4 or IPv6 address.
For Network ID, type a name to identify this approved network.
Click Save.

Discover NetFlow devices

You can configure the ExtraHop system to discover NetFlow devices by adding a range of IP addresses.

Important considerations about Remote L3 Discovery:

With NetFlow, devices that represent the gateways exporting records are automatically discovered. You can configure the ExtraHop system to discover devices that are representing the IP addresses observed in NetFlow records by adding a range of IP addresses.
Exercise caution when specifying CIDR notation. A /24 subnet prefix might result in 255 new devices discovered by the ExtraHop system. A wide /16 subnet prefix might result in 65,535 new devices discovered, which might exceed your device limit.
If an IP address is removed from the Device Discovery settings, the IP address will persist in the ExtraHop system as a remote L3 device as long as there are existing active flows for that IP address or until the capture is restarted. After a restart, the device is listed as an inactive remote L3 device.

Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
In the Network Settings section, click NetFlow.

In the NetFlow Device Discovery section, type the IP address in the IP address ranges field.

You can specify one IP address or a CIDR notation, such as 192.168.0.0/24 for an IPv4 network or 2001:db8::/32 for an IPv6 network.

Important:

Every actively-communicating remote IP address that matches the CIDR block will be discovered as a single device in the ExtraHop system. Specifying wide subnet prefixes such as /16 might result in thousands of discovered devices, which might exceed your device limit.

Click the green plus icon (+) to add the IP address.

Next steps

You can add another IP address or range of IP addresses by repeating steps 3-4.

Published 2023-11-07

Documentation

Products

Differentiation

Solutions

Security Operations

Cloud-Native Security

Application Analytics

Network Performance

Customers

Community

Partners

Support

Training

Resources

More Resources

Company

Events and Information