Question

Is there a way to export Prism Central's network flow data?

  • 1 December 2023
  • 1 reply
  • 105 views

Per the following articles

it’s impossible to send network data to a remote server. 

Since it’s possible in VMware 

I had the impression that the same can be achieved in Nutanix.

I can use either a direct data pipe or a REST API.



1 reply


Hello! Recent versions of Nutanix AHV support several methods to send network flow data to a remote source.

The first mechanism is to use Nutanix Security Central, supported since AOS 5.18. This configures an IPFIX exporter on every AHV host, and provisions a Security Central collector VM that receives this IPFIX data. You can find more information about Security Central here in the Nutanix Bible. https://www.nutanixbible.com/12b-book-of-network-services-security-central.html

I like the Security Central mechanism because it’s included if you’re already using Flow Network Security, and it does threat detection, alerting, querying, CSV export, and even helps with security planning.

 

If you’re looking for an on-premises option instead, then you can use this IPFIX collector built into AHV and configurable starting with AOS 6.6, configured by Prism Central, to send data to up to five external collectors of your choice.

 

The API to configure the IPFIX exporter yourself is here: https://developers.nutanix.com/api-reference?namespace=networking&version=v4.0.b1

https://{pc-ip}:9440/api/networking/v4.0.b1/config/ipfix-exporters

You’d want to create an IPFIX exporter, and then decide if the scope is PC or PE. With PC scope, the UUID of the PC cluster is passed and all connected AHV clusters will send their IPFIX to your desired target. With PE scope, the UUID of specific clusters is passed. You can see that this is a list of up to 64 PCs or PEs respectively.
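The receiving side of the on-premises option described in the reply above, as an added example that is not part of the original thread and is not Nutanix code: a minimal parser for IPFIX messages (RFC 7011) that an external collector can use to confirm that templates and flow records arrive and decode. It assumes IANA fixed-length fields only; the sample message is constructed, and the fields AHV actually exports are not stated on this page.

```python
import struct

# IANA information elements used by the constructed sample; others print as "ie<N>".
IE_NAMES = {4: "protocolIdentifier", 7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}

def read_templates(body, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        if tid < 256:                                  # zero padding ends the set
            break
        spec = struct.unpack_from(f"!{2 * count}H", body, pos + 4)
        if any(i & 0x8000 for i in spec[0::2]) or 0xFFFF in spec[1::2]:
            raise ValueError("enterprise or variable-length field: outside this example")
        templates[tid] = [(IE_NAMES.get(i, f"ie{i}"), n) for i, n in zip(spec[0::2], spec[1::2])]
        pos += 4 + 4 * count

def read_records(body, fields):
    size, records = sum(n for _, n in fields), []
    for start in range(0, len(body) - size + 1, size):   # leftover bytes are padding
        rec, pos = {}, start
        for name, n in fields:
            raw, pos = body[pos:pos + n], pos + n
            rec[name] = ".".join(map(str, raw)) if "IPv4" in name else int.from_bytes(raw, "big")
        records.append(rec)
    return records

def parse_ipfix(msg, templates):
    """Return the flow records in one IPFIX message; `templates` persists per exporter."""
    if len(msg) < 16 or struct.unpack_from("!HH", msg) != (10, len(msg)):
        raise ValueError("bad IPFIX header: version must be 10 and length must match")
    flows, off = [], 16
    while off + 4 <= len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > len(msg):
            raise ValueError("set length runs past the message")
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                                # template set
            read_templates(body, templates)
        elif templates.get(set_id):                    # data set with a known template
            flows += read_records(body, templates[set_id])
    return flows

def constructed_sample():
    """Constructed message (not captured traffic): template 256 plus one flow record."""
    sets = struct.pack("!HH12H", 2, 28, 256, 5, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1)       # template set
    sets += struct.pack("!HH8BHHB", 256, 17, 10, 0, 0, 5, 10, 0, 1, 9, 49152, 443, 6)  # data set
    return struct.pack("!HHIII", 10, 61, 1701388800, 0, 1) + sets
```

Keep one `templates` dictionary per exporter and observation domain, because template IDs are only unique within that scope and data sets that arrive before their template cannot be decoded.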