cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
parinya.ekparin
parinya.ekparin
Level 7
Report Inappropriate Content
Message 1 of 10
‎01-23-2013 08:14 AM

What kind of network flow does McAfee SIEM support?

Jump to solution

What kind of network flow does McAfee SIEM support?

Refer to device support list I got from local SE (last update on November 2012), McAfee SIEM support following network flow:

  • Netflow (using NitroFlow NetFlow Collector)
  • Citrix AppFlow (it said "custom" but I have no idea what's the customization required?)
  • IP Fix (again "custom" what kind of custom needed?)
  • sFlow (using NitroFlow NetFlow Collector)

Here are my questions

  1. How about Juniper J-Flow & rFlow? Does McAfee SIEM support them?
  2. Are there any limitations regarding network flow collecting? e.g. licensing, performance or even need dedicated port on receiver.
  3. Does one flow count as 1 EPS?

Best regards,

Parinya

0 Kudos
Reply
1 Solution

Accepted Solutions
bsoldato
bsoldato
Level 8
Report Inappropriate Content
Message 5 of 10
‎01-25-2013 06:41 AM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Parinya,

IPFIX and Appflow are both code based parsers which is what is meant by custom. These will work out of the box with McAfee ESM 9.0 and above. Also, please note there is a more up to date device list that I issued this month. It typically takes a few weeks for the website to be updated. What SE did you work with to obtain the list? I will have him/her provide it to you.

Brian

0 Kudos
Reply
9 Replies
siemchris
McAfee Employee siemchris
McAfee Employee
Report Inappropriate Content
Message 2 of 10
‎01-23-2013 12:29 PM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Hi Parinya

For the question regarding IPFix and Citrix AppFlow I see from the documentation that we do currently support IPFIX. I would recommend a PER if you need Citrix AppFlow. We also supoprt Generic Netflow v5 v7 v9 and sFlow v5.

We do not currently support j-Flow or rFlow. A PER is the best option if you need support for them - https://mcafee.acceptondemand.com/index.jsp

For licensing questions I would check with your SE as they are the best people for that information. You do need to configure a port on the interface for the flows as shown below.

I assume you are asking if one flow counts as 1 EPS so you can do some capacity planning? I dont have that information handy but I will see what I can find.

Chris

FlowPorts.JPG

0 Kudos
Reply
siemchris
McAfee Employee siemchris
McAfee Employee
Report Inappropriate Content
Message 3 of 10
‎01-23-2013 01:30 PM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Hi Parinya

As an update, when the router or switch sends the flow information to us each flow record will count as one EPS.

Regards


Chris

0 Kudos
Reply
parinya.ekparin
parinya.ekparin
Level 7
Report Inappropriate Content
Message 4 of 10
‎01-24-2013 04:01 PM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Hi Chris,

Thank you very much. For information.

For IPFIX & AppFlow, I saw them in the "McAfee SIEM Vendor Device Support_Nov_2012" got from local SE. I think it's quite up-to-date more than one available on the McAfee web site. Nevertheless, those ones are stated as "Custom" in parser field. So I don't what kind of customation needed.

Regards,

Parinya

0 Kudos
Reply
bsoldato
bsoldato
Level 8
Report Inappropriate Content
Message 5 of 10
‎01-25-2013 06:41 AM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Parinya,

IPFIX and Appflow are both code based parsers which is what is meant by custom. These will work out of the box with McAfee ESM 9.0 and above. Also, please note there is a more up to date device list that I issued this month. It typically takes a few weeks for the website to be updated. What SE did you work with to obtain the list? I will have him/her provide it to you.

Brian

0 Kudos
Reply
Highlighted
parinya.ekparin
parinya.ekparin
Level 7
Report Inappropriate Content
Message 6 of 10
‎01-25-2013 09:13 AM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Dear Brian,

Thank you very much for useful information.

I'm work closely with following Nithipat N., Sutee C. and Puriwat S.

I think they got document from Mark, Singapore SE.

Best regards,

Parinya

0 Kudos
Reply
bperez
bperez
Level 10
Report Inappropriate Content
Message 7 of 10
‎12-12-2013 10:12 AM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Im trying to send netflow traffic from Vmware VSwitches, but i dont see any flow in the receiver data source, is compatible with Vmware Netflow?

Regards!

Bernardo.

0 Kudos
Reply
mmuz
mmuz
Level 7
Report Inappropriate Content
Message 8 of 10
‎12-16-2013 12:38 AM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Bernardo, SIEM supports Netflow v 5, 7 and 9. From what I've found VMware exports in v5, so it should work fine assuming proper configuration on both ends. Are you aware that flows are only visible in 'Flow views', not in most other predefined dashboards?

Regards,

Marcin

0 Kudos
Reply
bperez
bperez
Level 10
Report Inappropriate Content
Message 9 of 10
‎12-16-2013 08:19 AM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Hi Marcin,

Thanks for you response, i have one data collector of type Netflow, and i see traffic from the virtual switch, but i dont see any traffic in graphs:

The Data Collector IP is: 192.168.201.218

The Vswitch IP is: 192.168.201.219

Netflow port is: 9993

netflow data source.png

vswitch netflow.png

tcpdump.png

dashboard.png

Any Suggestion?

Regards!

El mensaje fue editado por: bperez on 16/12/13 10:22:36 AM CST
0 Kudos
Reply
mmuz
mmuz
Level 7
Report Inappropriate Content
Message 10 of 10
‎12-19-2013 11:15 PM

Re: What kind of network flow does McAfee SIEM support?

Jump to solution

Bernardo,

In netflow data source's properties - you should set 192.168.201.219 as it's address. The Receiver's firewall drops all the packets, as the source's IP is set improperly. You can verify it:

iptables -nvL

I hope it helps

Regards,

Marcin

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator