This guide outlines the procedure to forward NetFlow records from Sophos XG Firewall to Log Collector.
NetFlow is a network protocol that enables you to monitor bandwidth usage and traffic flow.
If you add a NetFlow server to Sophos Firewall, it sends the NetFlow records of source, destination, and traffic volume to the NetFlow server.
The records help you identify the protocols, policies, interfaces, and users consuming high bandwidth.
You can use data analysis tools, such as Open Source Data Analyzer and PRTG, to generate reports from the NetFlow records.
Sophos XG firewalls support NetFlow v5. You can export all the parameters of v5.
Log in to the firewall’s web admin console.
Navigate to System > Administration.
Select NetFlow from the top navigation panel.
Click on the + sign to create a new row.
In the Server Name field, enter a recognizable name for the Log Collector.
In the NetFlow Server IP/Domain field, enter the Log Collector IP address.
In the NetFlow Server Port field, enter the port number provided.
Note:
Sophos XG devices only collect NetFlow data for firewall rules that have logging enabled.
If it is not already enabled, turn on the Log Firewall Traffic option for every rule that passes traffic.
The procedure below applies only if traffic logging is not already enabled.
Enable firewall traffic logs:
Go to Firewall > Edit Firewall Rule to view the status of logging and security policies.
Enable logging of firewall traffic in the Log Traffic section. This ensures that traffic passing through the firewall rule is logged and can be viewed in Log Viewer.
We recommend you enable logging for all firewall rules.