I am having trouble configuring J-Flow sensors for my Juniper SRX-210 firewall. When I define a J-Flow sensor I can specify an "interface" which according to the terse documentation must be expressed simply as "a number". What number?
I did an auto-discovery on the device, and while RMON sensors were auto-configured (and numbered 1-28), there are also an RMON Port Numbers which was picked up (509 to 536 in my case). These are RMON sensors but the port numbers agree with the SNMP Interface number. The interfaces that were picked up all correspond to physical interfaces, not logical interfaces. The SRX series allows the configuration of "logical interfaces" numbered st0.0, st0.1 etc. that are then used in routing rules for VPN tunnels. They also have SNMP interface numbers assigned. One physical interface can have multiple logical st0.x logical interfaces defined. I know the SNMP interface numbers for all interfaces - logical and physical.
So which numbers do I use for a J-Flow sensor to specify the interface? A sequential # beginning with 1 corresponding to the # assigned to the auto-discovered RMON sendor, an SNMP interface number, or something else? Also can I track the SRX VPN tunnel logical interfaces at all?
Article Comments
Isn't there any more specific information you can provide? For example in general would an interface number as reported by an SNMP walk be the one that is reported via J-Flow (or NetFlow for another brand of device) be the one that is used in the filter? What about the case when a router's configuration identifies the interface as a string (as in the SRX product)? Or what about sequential numbers starting with one? Are there any diagnostic tools avaiable to look at the 'raw' J-Flow data to see what it's reporting? I find it hard to believe that otherwise all I can try to do is use random numbers to see if anything happens.
May, 2014 - Permalink
The vendor of the jflow-sending device really should be able to provide specific information here. Sometimes the indexes from SNMP Counters do match the interface-numbers in flow-packets, but not all the time. This really depends on the device.
May, 2014 - Permalink
Hi ehavemann,
Did you find any luck in figuring out jflow on SRX devices with PRTG ?
Regards
Nov, 2014 - Permalink
Funny, I am coming back to this issue and while googling for answers I came back to my own original post. The answer to your question is NO, I have not been able to figure out the Interface issue.
Let me restate my question. I am not asking for what specific number to type into the filter whose syntax is "Interface[###]". I am asking what is the General concept used to define the interface # for any brand of router for the purposes of a flow filter. Is the concept a sequential # starting at 1? Is it the SNMP # reported by PRTG when it probes the device (regardliess of which brand of router)?
And if I were to create log file of all traffic and look at it, will I find the interface numbers in the log file?
Nov, 2014 - Permalink
PRTG can only re-act to the interface number in the flow packets. Therefore the definition happens on the router. That means the question of the general concept behind the interface numbers in flows is a question for the vendor(s) of the routers & switches.
J-flow-Sensors do not allow Stream Logs as of now I'm afraid, so this won't tell the interface number.
Nov, 2014 - Permalink
It turns out that on the Juniper SRX routers the SNMP index is the correct one to use. The CLI command "show interfaces" will provide for each configured interface a "SNMP if Index". These are also the same interface numbers as the ones revealed during the automatic initial scan of the router performed by PRTG. All of the "SNMP RMON Port ###" sensors correspond to the number you need to provide in the "Interface[###]" filters when setting up J-Flow.
Nov, 2014 - Permalink
you can see interface numbers by creating a custom top list and put check marks in the inbound/outbound interface. We have a lot of Juniper and it seems to key off the SNMP IfIndex of the logical interface.
Sep, 2015 - Permalink
There is a SRX jFlow configuration sample in the following link: http://chimera.labs.oreilly.com/books/1234000001633/ch05.html#system_services_operation_on_the_srx
Hope this will help.
May, 2016 - Permalink
Hello,
thank you very much for your KB-Post. Unfortunately, we do not know the interface number for the filter. We can't say which exact number the device sends in its Jflow-Packets. That will be a question for the vendor of the device actually.
best regards.
Apr, 2014 - Permalink