Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC
NSEL messages can be sent to any one of the SECs you have onboarded to your tenant. These instructions refer to this section of the macro:
flow-export destination {{interface}} {{SEC_IPv4_address}} {{SEC_NetFlow_port}}
flow-export template timeout-rate {{timeout_rate_in_mins}}
flow-export delay flow-create {{delay_flow_create_rate_in_secs}}
flow-export active refresh-interval {{refresh_interval_in_mins}}
Procedure
Step 1 | The flow-export destination command defines the collector to which the NetFlow packets are sent. In this case, you are sending them to an SEC. Fill in the fields for these parameters:
Step 2 | The flow-export template timeout-rate command specifies the interval at which template records are sent to all configured output destinations.
Step 3 | The flow-export delay flow-create command delays the sending of flow-create events by the specified number of seconds. This value matches the recommended Active Timeout value and reduces the number of flow events exported from the Secure Firewall Cloud Native. At that rate, expect NSEL events to first appear in CDO at the close of a connection or within 55 seconds of the creation of the connection, whichever happens earlier. If this command is not configured, there is no delay, and the flow-create event is exported as soon as the flow is created.
Step 4 | The flow-export active refresh-interval command defines how often status updates for long-lived flows are sent from Secure Firewall Cloud Native. Valid values are from 1 to 60 minutes. In the Flow Update Interval field, configuring the flow-export active refresh-interval to be at least 5 seconds more than the flow-export delay flow-create interval prevents flow-update events from appearing before flow-creation events.
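The constraints from Steps 1 through 4 can be checked on a filled-in copy of the macro section before it is sent to the device. The Python below is an added example, not part of the original page or of any Cisco tooling; the function name `check_nsel_section` and the sample interface name, address and port are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample values (interface name, address and port are made up).
SAMPLE = """\
flow-export destination outside 192.0.2.10 2055
flow-export template timeout-rate 60
flow-export delay flow-create 55
flow-export active refresh-interval 1
"""

COMMANDS = {
    "destination": r"flow-export destination (\S+) (\S+) (\d+)",
    "template": r"flow-export template timeout-rate (\d+)",
    "delay": r"flow-export delay flow-create (\d+)",
    "refresh": r"flow-export active refresh-interval (\d+)",
}

def check_nsel_section(text):
    """Return a list of problems in a filled-in flow-export macro section."""
    problems, found = [], {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if "{{" in line:
            problems.append(f"unfilled placeholder: {line}")
            continue
        for name, pattern in COMMANDS.items():
            if m := re.fullmatch(pattern, line):
                found[name] = m.groups()
                break
        else:
            problems.append(f"unrecognized line: {line}")
    if "destination" in found:
        _, addr, port = found["destination"]
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"not an IPv4 address: {addr}")
        if not 1 <= int(port) <= 65535:
            problems.append(f"port out of range: {port}")
    if "refresh" in found:
        refresh_min = int(found["refresh"][0])
        if not 1 <= refresh_min <= 60:  # range stated in Step 4
            problems.append(f"refresh-interval {refresh_min} not in 1-60 minutes")
        if "delay" in found:  # Step 4: refresh must exceed delay by >= 5 seconds
            delay_sec = int(found["delay"][0])
            if refresh_min * 60 < delay_sec + 5:
                problems.append("refresh-interval is less than delay flow-create + 5 s")
    return problems
```

The delay flow-create line is treated as optional, since the page states that omitting it simply means flow-create events are exported with no delay.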