Hello,

I'm trying to analyze traffic crossing an Internet exposed box (F5 Big-IP with sFlow support). There are two interfaces (to simplify it) - outside with public IP and internal with private IP address. I'd like to monitor both upstream (toward Internet) and downstream (from Internet) traffic with original IP addresses retained which appears to be problem for downstream traffic where I see destination public IP instead of private IP of the real destination.

The solution would be to filter only flows from internal interface, but sFlow sensor seems to process only ingress flows and I end up with one-directional (upstream traffic) analysis only. There are definitively data describing both ingress and egress flows sent from Big-IP box to sensor - I can see them using different tool (sFlowTrend).

Any idea is appreciated :)

Article Comments

Hello,

Depending on how you configure the flow export on your router, the Netflow sensor shows ingress or egress or both information.

Please find detailed instructions in our knowledge base: https://helpdesk.paessler.com/en/support/solutions/articles/20823


Jun, 2015 - Permalink

Hello Jochen,

thanks for reply and sorry for coming so late with my input.

You speak about NetFlow - the problem is that I cannot use NetFlow since F5 Big-IP supports sFlow only.

My configuration is following - sFlow (ingress and egress as well) on F5 Big-IP external and internal interfaces enabled. PRTG sFlow sensor is configured to process input from F5 Big-IP.

Since there is PAT involved, processing of ingress only traffic information by PRTG sFlow sensor (as it seems to be working that way) provides no information about incoming traffic destination real (private) IP addresses.

What I would like to achieve is to enable sFlow on F5 Big-IP's internal interface only and process both ingress and egress traffic information by PRTG sFlow sensor. This is possible when using NetFlow 9 (on devices supporting that, e.g. Cisco) and appropriate PRTG Netflow v9 sensor. However, it fails with sFlow sensor despite information about both ingress and egress directions from monitored box is sent to sFlow sensor.


Jun, 2015 - Permalink

Hello

I talked to our developer and he recommands to verify which interface is using ingress traffic and use this interface as include filter in the sensor settings. Therefore, it is necessary to use for each ingress and egress interface a separate sensor. Unfortunately to filter ingress and egress flows in one SFlow sensor is not possible, sorry.


Jun, 2015 - Permalink