VMWare Netflow Collector

The Lumu Virtual Appliance can process Netflow traffic in VMware to identify malicious activity that originates in or stays within virtual machines, so that lateral movement between those instances can be processed effectively.

For more information about the benefits of Netflow monitoring, consult the Netflow Collector documentation.

Prerequisites

  • vSphere 6.5+
  • Lumu Defender Subscription
  • Lumu Virtual Appliance

Netflow configuration in vSphere

The following sections go over the configurations required to activate Netflow collection in vSphere. 

Activate Netflow protocol 

Enable the Netflow protocol on the virtual switches you want to monitor. To do so, select DSwitch from the left-side menu and go to the Configure tab. Then, select Netflow under the Settings menu. 


Inside the Netflow configuration menu, configure only the following parameters; all other values can remain at their defaults:

  • Collector IP address: IP Address of the Lumu Virtual Appliance.
  • Collector Port: Service port where the Lumu Virtual Appliance will receive information (default UDP 2055).

Once settings are applied, the dashboard should look as follows:

Activate data transfer to the collector

After enabling the Netflow protocol, configure the virtual switches to generate flows so the collector can process them. To do this, edit the distributed port groups: right-click DSwitch, then select Distributed Port Group > Manage Distributed Port Groups.

Subsequently, monitoring must be activated on the DSwitches as shown in the following example.

Collector activation in the Lumu Portal

To add a VA Collector, go to the Lumu Portal and navigate to the Collectors > Virtual Appliance menu. Click the VA to which you want to add the collector, then click Add Collector.

Then, provide the following information:

  1. Name: a name for your VA Collector.
  2. Type: Netflow. This is the type of metadata you want this VA collector to process.

Once you are finished, it will look as follows.

Lastly, execute the command lva-collectors-refresh on the Lumu Virtual Appliance and enter the following data as required by the wizard.

  • Device type: [1] Netflow/IPFIX
  • Are flows bidirectional?: [3] no
  • Install Filebeat: y
  • Listen netflow port: 2055

As a result, you should see traffic in the Lumu Portal.
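If no traffic appears, a useful check is to capture one UDP payload sent to the collector port (2055 in the steps above) and confirm it is a well-formed flow export that carries a template. The following is an added example, not Lumu or VMware code: describe_export and build_sample_ipfix are hypothetical names, the sample message is constructed, and the header layouts assumed are those of RFC 7011 (IPFIX) and RFC 3954 (NetFlow v9).

```python
import struct

# Template set IDs: NetFlow v9 (RFC 3954) uses 0/1, IPFIX (RFC 7011) uses 2/3.
TEMPLATE_IDS = {9: {0: "template", 1: "options-template"},
                10: {2: "template", 3: "options-template"}}
HEADER_LEN = {9: 20, 10: 16}

def describe_export(datagram: bytes) -> dict:
    """Summarise one UDP payload captured on the collector port."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a flow export header")
    version, second = struct.unpack_from("!HH", datagram)
    if version not in HEADER_LEN:
        # NetFlow v5 or an unknown exporter: report the version only.
        return {"version": version, "sets": [], "has_template": False}
    if len(datagram) < HEADER_LEN[version]:
        raise ValueError("truncated export header")
    # IPFIX puts the total message length in the second field; v9 puts a record count.
    if version == 10 and second != len(datagram):
        raise ValueError(f"IPFIX length {second} != datagram size {len(datagram)}")
    sets, off = [], HEADER_LEN[version]
    while off < len(datagram):
        if off + 4 > len(datagram):
            raise ValueError("truncated set header")
        set_id, set_len = struct.unpack_from("!HH", datagram, off)
        if set_len < 4 or off + set_len > len(datagram):
            raise ValueError(f"bad set length {set_len} at offset {off}")
        kind = TEMPLATE_IDS[version].get(set_id, "data" if set_id >= 256 else "reserved")
        sets.append((set_id, kind, set_len))
        off += set_len
    return {"version": version, "sets": sets,
            "has_template": any(kind == "template" for _, kind, _ in sets)}

def build_sample_ipfix() -> bytes:
    """Constructed IPFIX message: one template set and one matching data set."""
    # Template 256 with two fields: sourceIPv4Address (8) and destinationIPv4Address (12).
    template = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
    tset = struct.pack("!HH", 2, 4 + len(template)) + template
    data = bytes([10, 0, 0, 5, 10, 0, 0, 9])  # constructed flow 10.0.0.5 -> 10.0.0.9
    dset = struct.pack("!HH", 256, 4 + len(data)) + data
    body = tset + dset
    header = struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, 1)
    return header + body

if __name__ == "__main__":
    print(describe_export(build_sample_ipfix()))
```

A collector cannot decode data sets until it has seen the matching template, so a capture that shows only "data" sets usually means the capture started after the exporter last sent its template.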

