Version: Next

Network Flow Ingestion

NFO is a high-performance flow processing engine capable of ingesting and normalizing millions of flow records per second. It supports all industry-standard flow protocols, allowing for a vendor-agnostic view of your entire network fabric.

Supported Protocols

NFO automatically detects and processes the following flow formats:

  • NetFlow v5 & v9: The industry standard for Cisco and many other networking vendors.
  • IPFIX (NetFlow v10): The IETF standard for flow information export, used by modern firewalls (Palo Alto, Fortinet) and high-end switches.
  • sFlow: A packet-sampling technology widely used by Arista, Juniper, and white-box switching vendors.
  • J-Flow: Juniper Networks' flow implementation.

Configuring Inputs

To begin ingesting data, you must configure a Listening Port on the NFO instance. By default, NFO is configured to listen for flows on port 9555 (UDP).

Adding a New Input

  1. Navigate to Inputs in the NFO Web UI.

To change the default flow data input UDP port number or to add additional ports, follow the steps below.

  1. Mouse over and click on the ‘edit’ symbol to change the existing input port.

  2. Click Save.

  3. Click on the **+** sign to add additional data input ports.

  4. Click Save.

Add a label to identify the source (e.g., "Core Switch Ingest").

Recommendation

For high-volume environments, it is best practice to use separate ports for different types of traffic (e.g., Port 2055 for Switches/Routers and Port 9995 for Firewalls) to simplify troubleshooting and load monitoring.


Flow Templates (IPFIX & v9)

Unlike NetFlow v5, which has a fixed format, IPFIX and NetFlow v9 use templates.

  • NFO must receive a Template FlowSet from the exporting device before it can decode the data.
  • If you see data arriving but no flows being processed, ensure your exporters are configured to send templates frequently (recommended every 1–5 minutes).
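The "data arriving but no flows being processed" symptom can be reproduced offline with a small template tracker. This is an added example, not NFO's own code: `classify_sets`, `learn_templates` and the sample packets are hypothetical names and constructed data, and options templates are skipped.

```python
import struct

# version -> (header length, template set ID); RFC 3954 (v9), RFC 7011 (IPFIX)
FORMATS = {9: (20, 0), 10: (16, 2)}

def learn_templates(body, version, scope, known):
    """Add each template ID defined in a template set to `known`; return the count."""
    pos = count = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        if tid < 256:                      # trailing padding, not a template record
            break
        pos += 4
        for _ in range(nfields):
            if pos + 4 > len(body):
                return count               # truncated record: ignore it
            ftype = struct.unpack_from("!H", body, pos)[0]
            pos += 8 if version == 10 and ftype & 0x8000 else 4  # IPFIX enterprise field: +4 bytes
        if pos > len(body):
            return count                   # last field ran past the set: ignore it
        known.add(scope + (tid,))
        count += 1
    return count

def classify_sets(packet, exporter, known):
    """Classify the sets of one export packet against templates seen so far."""
    version = struct.unpack_from("!H", packet)[0] if len(packet) >= 2 else None
    if version not in FORMATS or len(packet) < FORMATS[version][0]:
        raise ValueError(f"not a complete NetFlow v9/IPFIX packet: version {version}")
    hdr_len, tmpl_set = FORMATS[version]
    scope = (exporter, struct.unpack_from("!I", packet, hdr_len - 4)[0])  # Source ID / Observation Domain ID
    stats = {"templates": 0, "decodable": 0, "undecodable": 0}
    off = hdr_len
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            break                          # bad length: never read past the end
        body = packet[off + 4:off + set_len]
        if set_id == tmpl_set:
            stats["templates"] += learn_templates(body, version, scope, known)
        elif set_id >= 256:                # data set: usable only with its template
            hit = scope + (set_id,) in known
            stats["decodable" if hit else "undecodable"] += 1
        off += set_len
    return stats

# Constructed v9 sample: header, then template 256 (IN_BYTES/4, IPV4_SRC_ADDR/4) or one data record
HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 7)
TEMPLATE = HDR + struct.pack("!HHHHHHHH", 0, 16, 256, 2, 1, 4, 8, 4)
DATA = HDR + struct.pack("!HHI4s", 256, 12, 1500, bytes([10, 0, 0, 1]))
```

Templates are keyed per exporter and Source ID, so a template learned from one device does not make another device's data sets count as decodable.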

Best Practices for Exporters

To ensure the highest data quality, configure your network devices with the following settings:

| Setting | Recommended Value | Why? |
|---|---|---|
| Active Timeout | 60 Seconds | Ensures long-lived sessions (like file transfers) are reported every minute rather than waiting for the session to end. |
| Inactive Timeout | 15 Seconds | Quickly flushes finished sessions from the device cache to the NFO instance. |
| Template Refresh | 60-300 Seconds | Vital for IPFIX/v9 so NFO can decode the traffic. |

Verifying Ingestion

Once configured, you can verify data is arriving by checking the NFO Status page:

  • Input Rate (msg/sec): Shows the current PPS (Packets Per Second) arriving at each configured port.
  • Processing Rate (rec/sec): Shows how many flows are being successfully decoded and passed to the logic modules.