How to configure NetFlow on Sophos XG firewalls

Sophos XG firewalls support NetFlow v5. You can export all the parameters of v5.

You can add up to five separate NetFlow servers.

These instructions assume:

If you have a shared collector and want to make sure it receives NetFlow data to enable TrafficInsights, you need to add the source IP address as a /32 so that Auvik registers the flows from that specific address in the TrafficInsights portal. After the change, there may be some delay before the shared collector receives the data.

Note: Even if that source IP address is already being scanned, you must add a /32 targeting only the source IP address. Due to some limitations, the collector otherwise can't tell whether the data should be sent to site A or site B.

Configure NetFlow

  1. Log into the firewall’s web admin console.
  2. Navigate to System > Administration.
  3. Select NetFlow from the top navigation panel.
  4. Click on the + sign to create a new row.
  5. In the Server Name field, enter a recognizable name for the Auvik collector.
  6. In the Netflow Server IP/Domain field, enter the Auvik collector IP address.
  7. In the Netflow Server Port field, enter the port number you’d like to use. Choose from any of these ports: 2055, 2056, 4432, 4739, 6343, 9995, or 9996.

Note that Sophos XG devices only collect NetFlow data from firewall rules that are logged. If it isn't already enabled, make sure the Log Firewall Traffic option is turned on for every rule that passes traffic.
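To confirm the export once the steps above are done, the following added example (not from the original article, Sophos or Auvik) parses a NetFlow v5 datagram and checks the two conditions described here: the listening port is one of the listed ports and the exporter's source address is registered as its own /32. The function names, the sample datagram and the RFC 5737 addresses are constructed for illustration.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
COLLECTOR_PORTS = {2055, 2056, 4432, 4739, 6343, 9995, 9996}  # from step 7


def parse_v5(datagram):
    """Return (sequence, flows) for one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, sequence, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for offset in range(HEADER.size, len(datagram), RECORD.size):
        f = RECORD.unpack_from(datagram, offset)
        flows.append({"src": str(ipaddress.IPv4Address(f[0])),
                      "dst": str(ipaddress.IPv4Address(f[1])),
                      "sport": f[9], "dport": f[10], "proto": f[13],
                      "packets": f[5], "bytes": f[6]})
    return sequence, flows


def check_export(datagram, udp_src_ip, listen_port, registered_net):
    """Return reasons the export would be unusable; empty list if none."""
    problems = []
    if listen_port not in COLLECTOR_PORTS:
        problems.append(f"port {listen_port} is not a listed collector port")
    net = ipaddress.ip_network(registered_net)
    if net.prefixlen != 32 or ipaddress.ip_address(udp_src_ip) not in net:
        problems.append(f"{udp_src_ip} is not registered as its own /32")
    try:
        parse_v5(datagram)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def sample_datagram():
    """Constructed sample: one TCP/443 flow using RFC 5737 addresses."""
    rec = RECORD.pack(ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("198.51.100.7").packed, bytes(4),
                      1, 2, 12, 3400, 1000, 2000, 51514, 443,
                      0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return HEADER.pack(5, 1, 5000, 1700000000, 0, 42, 0, 0, 0) + rec
```

Here `udp_src_ip` is the source address of the UDP datagram as the collector sees it, which is the address that has to be added as a /32.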
