Firewall Packet Flow Data

Starting with pfSense Plus software version 24.03 the firewall can directly export NetFlow v5 and IPFIX traffic flow data to one or more collectors using the pflow(4) feature in PF. The data is collected directly from firewall states and does not require a separate daemon, service, or add-on package.

Note

pfSense® Plus software version 24.03 or later is required to use the Packet Flow Data feature. This feature is not available on pfSense CE Software.

As this is a function of the firewall, this feature is located at Firewall > Packet Flow Data.

Flows can be tracked by default or only for specific rules, so the user has the flexibility to control the scope of exported data.

The feature supports up to 16 different export configurations, so data can be sent to multiple collectors and/or in different data formats.

Note

As this feature relies upon data from firewall states to function, it requires the firewall rules to keep state to generate that data. This is the default behavior, so it is unlikely to be a blocking issue for most users.

Warning

Packet Flow Data changes only apply to new states created after the feature has been activated or deactivated. When activating the feature, states that already exist will not start sending data; only new connections will. Similarly, when deactivating the feature, old states may continue to export data.

Rebooting the device or resetting the states after changing the configuration will ensure that all states are handled appropriately.

Global Packet Flow Options

There are two options available on the main Packet Flow Data configuration page at Firewall > Packet Flow Data:

Enable Packet Flow Data Tracking and Exporting:

This option loads the required kernel module for pflow(4) and configures the packet flow data exporters in the OS.

This option must be checked for the firewall to export flow data.

Enable Packet Flow tracking on all rules by default:

When checked, all firewall rules will track packet flow data for new states by default. This can be overridden on a per-rule basis if necessary.

When unchecked, nothing is tracked by default and flow tracking must be enabled on each firewall rule manually.

See also

For information on managing Packet Flow Data in firewall rules, see Packet Flow Data.

Packet Flow Exporters

Under the global options section the page contains a list of current exporter configurations.

The list displays the configuration properties of each current entry. Also on each line are several indicators and action icons:

  • At the start of a line is a checkmark. If it’s dark, the entry is enabled. If it’s light, the entry is disabled. Clicking the checkmark icon will toggle the entry between enabled and disabled states.

    The text color for the entire line changes to a lighter shade for disabled entries as well.

  • fa-pencil - Edits the current entry

  • fa-clone - Duplicates the current entry

  • fa-trash-can - Deletes the current entry after a confirmation prompt.

Under the list is an fa-plus Add button to create new entries. This button is hidden when the list is full.

Exporter Options

Exporter entries define remote hosts capable of receiving and processing packet flow data (e.g. NetFlow or IPFIX). Up to 16 distinct exporters can be defined.

When creating or editing an exporter entry, the following options are available:

Description:

Some text describing this entry (e.g. Collector host name, purpose, etc).

Enable:

A checkbox which controls whether or not the exporter is active.

When checked, the firewall will export packet flow data to this host. When unchecked, this host is ignored.

Source IP Address:

A drop-down menu containing local interfaces, VIPs, and other valid traffic sources. If the collector expects flow data packets to come from a specific source address, select it in this list.

If the collector is reached over a VPN, this should typically be set either to the corresponding VPN interface or to another local interface.

Source Port:

Source port for packet flow export. Leave blank to use a random port (default).

Warning

This port must not already be in use anywhere on the firewall, including other exporters.

If this option is set, the Source IP Address must also be set to a specific value.

Destination IP Address:

IP address (IPv4 or IPv6) of the remote flow collector host, e.g.: 192.168.100.100 or fd00:abcd::1.

The outer transport can be either IPv4 or IPv6 regardless of which Flow Protocol is active, but the address family must match the Source IP Address. For example, if the Destination IP Address is set to an IPv6 address, the selected Source IP Address entry must also have an IPv6 address.

Destination Port:

Destination port on the collector where it is listening for packet flow data.

Leave blank to use the default port, 2055.

Flow Protocol:

Format for packet flow data. Two formats are currently supported: NetFlow v5 and IPFIX.

NetFlow v5:

NetFlow v5 is more widely compatible with collectors but is more limited in the type of traffic it supports in flow data.

Note

The NetFlow v5 specification does not support IPv6. To track IPv6 flows, use IPFIX instead.

IPFIX:

IPFIX supports IPv6 flow data, but is not supported by all collectors.

This protocol also includes RFC 8158 NAT44 flow information which can be utilized for centralized logging of NAT translation data.

Consult the documentation for the collector to determine which formats it supports.

Observation Domain:

Observation Domain for flows to this exporter. This is an unsigned non-zero 32-bit integer (1-4294967295). Not all collectors support or honor this value, but it can be used to allow a collector to identify flows from devices in similar roles or locations.

Leave blank to use the default of 1.

Packet Flow Data Example Configuration

This is a brief example of configuring the Packet Flow Data feature to export all flow data to a collector on the LAN at address 10.1.2.3 with otherwise default settings.

  • Navigate to Firewall > Packet Flow Data

  • Check Enable Packet Flow Data Tracking and Exporting

  • Check Enable Packet Flow tracking on all rules by default

  • Click Save

  • Click fa-plus Add to create a new exporter

  • Configure the settings as described in Exporter Options:

    Description:

    Local NetFlow Collector

    Enable:

    Checked

    Source IP Address:

    LAN

    Source Port:

    Empty

    Destination IP Address:

    10.1.2.3

    Destination Port:

    Empty

    Flow Protocol:

    IPFIX

    Observation Domain:

    Empty

  • Click Save

  • Click Apply Changes

At this point, new states will begin exporting flow data.
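The Exporter Options above state several constraints that the GUI enforces only one entry at a time (source and destination address family must match, a fixed Source Port requires a specific Source IP Address and must not be reused by another exporter, Observation Domain is 1-4294967295, at most 16 exporters, and NetFlow v5 cannot carry IPv6 flows). The following Python script is an added example, not code from the pfSense project, that checks a planned list of exporters against those constraints before they are entered, using the exporter from the example configuration above as its sample input. The Exporter dataclass and the interface-to-address table are assumptions for illustration; a real firewall's interfaces and addresses will differ.

```python
"""Pre-flight checks for pfSense Plus Packet Flow Data exporter entries.

Added example, not pfSense code. It encodes the constraints the Exporter
Options documentation states so a planned exporter list can be checked before
it is entered in the GUI. The Exporter fields and the interface address table
are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

MAX_EXPORTERS = 16
DEFAULT_DESTINATION_PORT = 2055
DEFAULT_OBSERVATION_DOMAIN = 1
FLOW_PROTOCOLS = ("NetFlow v5", "IPFIX")

# Constructed table: "Source IP Address" menu choices and the addresses those
# interfaces carry (assumption: LAN is dual-stack, WAN is IPv4 only).
INTERFACE_ADDRESSES = {
    "LAN": ["10.1.2.1", "fd00:abcd::1"],
    "WAN": ["203.0.113.10"],
}


@dataclass
class Exporter:
    description: str
    enabled: bool = True
    source: str = ""                   # "" = not set; interface name or literal IP
    source_port: Optional[int] = None  # None = random port (the default)
    destination: str = ""
    destination_port: Optional[int] = None  # None = 2055
    flow_protocol: str = "IPFIX"
    observation_domain: Optional[int] = None  # None = 1


def source_addresses(source: str):
    """Addresses a Source IP Address selection can send from ([] if unset)."""
    if not source:
        return []
    if source in INTERFACE_ADDRESSES:
        return [ip_address(a) for a in INTERFACE_ADDRESSES[source]]
    return [ip_address(source)]


def effective_settings(e: Exporter) -> dict:
    """Resolve blank fields to the defaults the documentation states."""
    return {
        "destination_port": e.destination_port or DEFAULT_DESTINATION_PORT,
        "observation_domain": e.observation_domain or DEFAULT_OBSERVATION_DOMAIN,
    }


def validate_exporter(e: Exporter) -> List[str]:
    """Problems with a single exporter entry; empty list when it is valid."""
    problems = []
    try:
        dest = ip_address(e.destination)
    except ValueError:
        return [f"{e.description}: destination {e.destination!r} is not an IP address"]
    # Outer transport may be IPv4 or IPv6, but the source must have an address
    # of the same family as the destination.
    addrs = source_addresses(e.source)
    if addrs and not any(a.version == dest.version for a in addrs):
        problems.append(f"{e.description}: source {e.source} has no IPv{dest.version} "
                        f"address to match destination {dest}")
    # A fixed source port is only allowed together with a specific source.
    if e.source_port is not None and not e.source:
        problems.append(f"{e.description}: Source Port requires a Source IP Address")
    for label, port in (("Source Port", e.source_port),
                        ("Destination Port", e.destination_port)):
        if port is not None and not 1 <= port <= 65535:
            problems.append(f"{e.description}: {label} {port} out of range")
    if e.flow_protocol not in FLOW_PROTOCOLS:
        problems.append(f"{e.description}: unknown Flow Protocol {e.flow_protocol!r}")
    od = e.observation_domain
    if od is not None and not 1 <= od <= 0xFFFFFFFF:
        problems.append(f"{e.description}: Observation Domain must be 1-4294967295")
    return problems


def validate_exporters(exporters: List[Exporter]) -> List[str]:
    """Problems across a whole exporter list, including cross-entry checks."""
    problems = []
    if len(exporters) > MAX_EXPORTERS:
        problems.append(f"{len(exporters)} exporters configured, limit is {MAX_EXPORTERS}")
    for e in exporters:
        problems.extend(validate_exporter(e))
    owners = {}  # a fixed source port must not be reused by another exporter
    for e in exporters:
        if e.source_port is None:
            continue
        if e.source_port in owners:
            problems.append(f"{e.description}: Source Port {e.source_port} already "
                            f"used by {owners[e.source_port]}")
        else:
            owners[e.source_port] = e.description
    return problems


def can_carry_flow(e: Exporter, flow_ip_version: int) -> bool:
    """NetFlow v5 carries IPv4 flows only; IPFIX carries IPv4 and IPv6."""
    return e.flow_protocol == "IPFIX" or flow_ip_version == 4


# The exporter from the documentation's example configuration.
EXAMPLE = Exporter(description="Local NetFlow Collector", source="LAN",
                   destination="10.1.2.3", flow_protocol="IPFIX")

if __name__ == "__main__":
    for line in validate_exporters([EXAMPLE]) or ["example configuration is valid"]:
        print(line)
```

Running the script reports the example exporter as valid; feeding it a NetFlow v5 exporter and asking `can_carry_flow(e, 6)` returns False, which is the quickest way to spot why IPv6 traffic is missing at a collector that only understands NetFlow v5.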