For the question regarding IPFIX and Citrix AppFlow, I see from the documentation that we do currently support IPFIX. I would recommend a PER if you need Citrix AppFlow. We also support Generic NetFlow v5, v7, v9 and sFlow v5.
We do not currently support j-Flow or rFlow. A PER is the best option if you need support for them - https://mcafee.acceptondemand.com/index.jsp
For licensing questions I would check with your SE as they are the best people for that information. You do need to configure a port on the interface for the flows as shown below.
I assume you are asking if one flow counts as 1 EPS so you can do some capacity planning? I don't have that information handy but I will see what I can find.
As an update, when the router or switch sends the flow information to us each flow record will count as one EPS.
Thank you very much. For information.
For IPFIX & AppFlow, I saw them in the "McAfee SIEM Vendor Device Support_Nov_2012" that I got from the local SE. I think it's more up to date than the one available on the McAfee web site. Nevertheless, those are stated as "Custom" in the parser field, so I don't know what kind of customization is needed.
IPFIX and AppFlow are both code based parsers which is what is meant by custom. These will work out of the box with McAfee ESM 9.0 and above. Also, please note there is a more up to date device list that I issued this month. It typically takes a few weeks for the website to be updated. What SE did you work with to obtain the list? I will have him/her provide it to you.
Thank you very much for the useful information.
I work closely with the following: Nithipat N., Sutee C. and Puriwat S.
I think they got the document from Mark, Singapore SE.
I'm trying to send NetFlow traffic from VMware vSwitches, but I don't see any flow in the receiver data source. Is it compatible with VMware NetFlow?
Bernardo, SIEM supports Netflow v 5, 7 and 9. From what I've found VMware exports in v5, so it should work fine assuming proper configuration on both ends. Are you aware that flows are only visible in 'Flow views', not in most other predefined dashboards?
Thanks for your response. I have one data collector of type NetFlow, and I see traffic from the virtual switch, but I don't see any traffic in graphs:
The Data Collector IP is: 192.168.201.218
The Vswitch IP is: 192.168.201.219
Netflow port is: 9993
In the NetFlow data source's properties, you should set 192.168.201.219 as its address. The Receiver's firewall drops all the packets, as the source's IP is set improperly. You can verify it:
I hope it helps
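
The two points made in this thread (each flow record counts as one EPS, and packets from an exporter whose address is not the configured data source are dropped) can be modelled with a short script; this is an example added here, not part of the thread and not McAfee's code. It parses standard NetFlow v5 datagrams and tallies accepted flow records per exporter. The sample datagrams are constructed, and the "misconfigured" case assumes the data source address was set to the collector's own IP.

```python
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")  # standard 24-byte NetFlow v5 header
V5_RECORD_LEN = 48                        # each v5 flow record is 48 bytes
V5_MAX_RECORDS = 30                       # v5 allows at most 30 records per datagram

def flow_records(payload):
    """Return the number of flow records in a NetFlow v5 datagram, or None if malformed."""
    if len(payload) < V5_HEADER.size:
        return None
    version, count = V5_HEADER.unpack_from(payload)[:2]
    if version != 5 or not 1 <= count <= V5_MAX_RECORDS:
        return None
    if len(payload) != V5_HEADER.size + count * V5_RECORD_LEN:
        return None
    return count

def triage(datagrams, configured_sources):
    """Tally accepted flow records (one EPS each) and dropped packets per exporter."""
    accepted, dropped = Counter(), Counter()
    for src_ip, payload in datagrams:
        n = flow_records(payload)
        if n is None:
            dropped[(src_ip, "not NetFlow v5")] += 1
        elif src_ip not in configured_sources:
            dropped[(src_ip, "exporter is not a configured data source")] += 1
        else:
            accepted[src_ip] += n
    return accepted, dropped

def make_v5(count):
    """Build a constructed v5 datagram with zeroed fields and `count` empty records."""
    return V5_HEADER.pack(5, count, 0, 0, 0, 0, 0, 0, 0) + bytes(V5_RECORD_LEN * count)

# Constructed sample traffic as seen on UDP 9993 from the vSwitch in the thread.
SAMPLE = [
    ("192.168.201.219", make_v5(3)),
    ("192.168.201.219", make_v5(30)),
    ("192.168.201.219", b"\x00\x09" + bytes(22)),  # version field 9, so not a v5 datagram
]

if __name__ == "__main__":
    cases = (("misconfigured (assumed)", {"192.168.201.218"}),
             ("corrected", {"192.168.201.219"}))
    for label, sources in cases:
        accepted, dropped = triage(SAMPLE, sources)
        print(label, dict(accepted), dict(dropped))
```

With the data source address corrected to the vSwitch IP, the two valid datagrams contribute 33 events; with the assumed wrong address, nothing is accepted even though packets are arriving on the wire.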