Flow Export Configuration Guide
Reference configurations and Jinja2 templates for sending NetFlow, sFlow, and IPFIX to WhiteOwl Networks.
Collector defaults:
- Host:
{{ collector_ip }}(your WhiteOwl probe/collector IP) - Port:
2055(NetFlow v5/v9/IPFIX),6343(sFlow) - Protocol: UDP
Table of Contents
- Cisco IOS / IOS XE
- Cisco IOS XE — Flexible NetFlow
- Cisco Catalyst 9000 (IOS XE)
- Cisco Nexus 9000 / 7000 (NX-OS)
- Cisco Nexus 9000 — sFlow
- Cisco ASR 9000 (IOS XR)
- Cisco ASA — NSEL
- Juniper MX — JFlow/IPFIX
- Juniper EX/QFX — sFlow
- Arista EOS — sFlow
- Arista EOS — IPFIX (Hardware Flow Tracking)
- FortiGate / FortiOS
- Palo Alto Networks (PAN-OS)
- pfSense / OPNsense
- MikroTik RouterOS
- HP / Aruba ProCurve
- VMware vSphere Distributed Switch
Cisco IOS / IOS XE
Traditional NetFlow v5/v9 — supported on most IOS routers (ISR, ASR 1000, 4000).
Manual Configuration
! Enable CEF (required)
ip cef
! Configure export destination
ip flow-export destination <COLLECTOR_IP> 2055
ip flow-export version 9
ip flow-export source <SOURCE_INTERFACE>
! Enable on each interface
interface <INTERFACE>
ip flow ingress
ip flow egress
! Verify
show ip flow export
show ip cache flow
Jinja2 Template — cisco_ios_netflow.j2
{# Cisco IOS / IOS XE — Traditional NetFlow v9 #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
source_interface - e.g. Loopback0
interfaces - list of interface names
active_timeout - seconds, default 60
inactive_timeout - seconds, default 15
#}
ip cef
ip flow-export destination {{ collector_ip }} {{ collector_port | default(2055) }}
ip flow-export version 9
ip flow-export source {{ source_interface }}
ip flow-cache timeout active {{ active_timeout | default(60) }}
ip flow-cache timeout inactive {{ inactive_timeout | default(15) }}
{% for iface in interfaces %}
interface {{ iface }}
ip flow ingress
ip flow egress
{% endfor %}
Cisco IOS XE — Flexible NetFlow
Preferred approach for IOS XE 16.x and later. Supports IPv4, IPv6, and custom records.
Manual Configuration
! Step 1: Define flow exporter
flow exporter WHITEOWL-EXPORTER
destination <COLLECTOR_IP>
transport udp 2055
export-protocol netflow-v9
source <SOURCE_INTERFACE>
template data timeout 60
! Step 2: Define flow record (IPv4)
flow record WHITEOWL-RECORD-V4
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match interface input
match interface output
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
! Step 3: Define flow monitor
flow monitor WHITEOWL-MONITOR
exporter WHITEOWL-EXPORTER
record WHITEOWL-RECORD-V4
cache timeout active 60
cache timeout inactive 15
! Step 4: Apply to interfaces
interface <INTERFACE>
ip flow monitor WHITEOWL-MONITOR input
ip flow monitor WHITEOWL-MONITOR output
! Verify
show flow exporter WHITEOWL-EXPORTER statistics
show flow monitor WHITEOWL-MONITOR cache
Jinja2 Template — cisco_ios_xe_fnf.j2
{# Cisco IOS XE — Flexible NetFlow v9/IPFIX #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
source_interface - e.g. Loopback0
interfaces - list of interface names
export_protocol - netflow-v9 or ipfix (default: netflow-v9)
active_timeout - seconds, default 60
inactive_timeout - seconds, default 15
enable_ipv6 - bool, adds IPv6 flow record (default: false)
#}
flow exporter WHITEOWL-EXPORTER
destination {{ collector_ip }}
transport udp {{ collector_port | default(2055) }}
export-protocol {{ export_protocol | default('netflow-v9') }}
source {{ source_interface }}
template data timeout 60
flow record WHITEOWL-RECORD-V4
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match interface input
match interface output
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
{% if enable_ipv6 | default(false) %}
flow record WHITEOWL-RECORD-V6
match ipv6 source address
match ipv6 destination address
match ipv6 protocol
match transport source-port
match transport destination-port
match interface input
match interface output
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
{% endif %}
flow monitor WHITEOWL-MONITOR-V4
exporter WHITEOWL-EXPORTER
record WHITEOWL-RECORD-V4
cache timeout active {{ active_timeout | default(60) }}
cache timeout inactive {{ inactive_timeout | default(15) }}
{% if enable_ipv6 | default(false) %}
flow monitor WHITEOWL-MONITOR-V6
exporter WHITEOWL-EXPORTER
record WHITEOWL-RECORD-V6
cache timeout active {{ active_timeout | default(60) }}
cache timeout inactive {{ inactive_timeout | default(15) }}
{% endif %}
{% for iface in interfaces %}
interface {{ iface }}
ip flow monitor WHITEOWL-MONITOR-V4 input
ip flow monitor WHITEOWL-MONITOR-V4 output
{% if enable_ipv6 | default(false) %}
ipv6 flow monitor WHITEOWL-MONITOR-V6 input
ipv6 flow monitor WHITEOWL-MONITOR-V6 output
{% endif %}
{% endfor %}
Cisco Catalyst 9000 (IOS XE)
Same Flexible NetFlow as IOS XE above. Additional notes for Catalyst 9300/9400/9500:
! Enable DNA Advantage license or equivalent for full FNF support
! Catalyst 9000 does not support FNF on the management port (Gig0/0)
! Use the same FNF config as IOS XE above
! Apply to access/trunk ports only — not port-channel members directly
! Verify hardware offload
show platform software fed switch active fnf flows
Note: The
ip flow monitorcommand applies to Layer 3 interfaces and SVIs. For Layer 2 access ports, apply to the SVI for the VLAN.
Cisco Nexus 9000 / 7000 (NX-OS)
Manual Configuration
! Enable feature
feature netflow
! Define exporter
flow exporter WHITEOWL-EXPORTER
destination <COLLECTOR_IP>
transport udp 2055
source <SOURCE_INTERFACE>
version 9
template data timeout 60
! Define record
flow record WHITEOWL-RECORD
match ipv4 source address
match ipv4 destination address
match ip protocol
match transport source-port
match transport destination-port
match interface input
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
! Optional: sampler (recommended for high-traffic environments)
sampler WHITEOWL-SAMPLER
mode 1 out-of 1024
! Define monitor
flow monitor WHITEOWL-MONITOR
exporter WHITEOWL-EXPORTER
record WHITEOWL-RECORD
cache timeout active 60
cache timeout inactive 15
! Apply to interfaces
interface <INTERFACE>
ip flow monitor WHITEOWL-MONITOR input
ip flow monitor WHITEOWL-MONITOR output
! Verify
show flow exporter WHITEOWL-EXPORTER statistics
show flow monitor WHITEOWL-MONITOR cache
Jinja2 Template — cisco_nexus_netflow.j2
{# Cisco Nexus 9000/7000 NX-OS — Flexible NetFlow v9 #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
source_interface - e.g. loopback0
interfaces - list of interface names
sample_rate - e.g. 1024 means 1 in 1024 packets (0 = disabled)
active_timeout - seconds, default 60
inactive_timeout - seconds, default 15
#}
feature netflow
flow exporter WHITEOWL-EXPORTER
destination {{ collector_ip }}
transport udp {{ collector_port | default(2055) }}
source {{ source_interface }}
version 9
template data timeout 60
flow record WHITEOWL-RECORD
match ipv4 source address
match ipv4 destination address
match ip protocol
match transport source-port
match transport destination-port
match interface input
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
{% if sample_rate is defined and sample_rate > 0 %}
sampler WHITEOWL-SAMPLER
mode 1 out-of {{ sample_rate }}
{% endif %}
flow monitor WHITEOWL-MONITOR
exporter WHITEOWL-EXPORTER
record WHITEOWL-RECORD
cache timeout active {{ active_timeout | default(60) }}
cache timeout inactive {{ inactive_timeout | default(15) }}
{% for iface in interfaces %}
interface {{ iface }}
ip flow monitor WHITEOWL-MONITOR input
{% if enable_egress | default(false) %}
ip flow monitor WHITEOWL-MONITOR output
{% endif %}
{% if sample_rate is defined and sample_rate > 0 %}
ip flow monitor WHITEOWL-MONITOR sampler WHITEOWL-SAMPLER input
{% endif %}
{% endfor %}
Cisco Nexus 9000 — sFlow
Nexus 9000/3000 supports sFlow as an alternative to NetFlow.
feature sflow
sflow sampling-rate 4096
sflow max-sampled-size 256
sflow counter-poll-interval 20
sflow collector-ip <COLLECTOR_IP> vrf management
sflow collector-port 6343
sflow agent-ip <ROUTER_LOOPBACK_IP>
! Apply to interfaces
sflow data-source interface ethernet 1/1
sflow data-source interface ethernet 1/2
Jinja2 Template — cisco_nexus_sflow.j2
{# Cisco Nexus 9000/3000 NX-OS — sFlow #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 6343
agent_ip - router loopback/mgmt IP
vrf - VRF for collector reachability, default: management
sampling_rate - 1 in N packets, must be power of 2 (4096, 8192, etc.)
poll_interval - counter poll interval seconds, default 20
interfaces - list of interface names
#}
feature sflow
sflow sampling-rate {{ sampling_rate | default(4096) }}
sflow max-sampled-size 256
sflow counter-poll-interval {{ poll_interval | default(20) }}
sflow collector-ip {{ collector_ip }} vrf {{ vrf | default('management') }}
sflow collector-port {{ collector_port | default(6343) }}
sflow agent-ip {{ agent_ip }}
{% for iface in interfaces %}
sflow data-source interface {{ iface }}
{% endfor %}
Cisco ASR 9000 (IOS XR)
Manual Configuration
! Define exporter map
flow exporter-map WHITEOWL-EXPORTER
version v9
template data timeout 60
!
transport udp 2055
source Loopback0
destination <COLLECTOR_IP>
! Define monitor map
flow monitor-map WHITEOWL-MONITOR
record ipv4
exporter WHITEOWL-EXPORTER
cache entries 65536
cache timeout active 60
cache timeout inactive 15
! Define sampler map
sampler-map WHITEOWL-SAMPLER
random 1 out-of 1000
! Apply to interface
interface GigabitEthernet0/0/0/0
flow ipv4 monitor WHITEOWL-MONITOR sampler WHITEOWL-SAMPLER ingress
flow ipv4 monitor WHITEOWL-MONITOR sampler WHITEOWL-SAMPLER egress
! Verify
show flow monitor-map WHITEOWL-MONITOR
show flow exporter-map WHITEOWL-EXPORTER
Jinja2 Template — cisco_asr9k_netflow.j2
{# Cisco ASR 9000 IOS XR — NetFlow v9/IPFIX #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
source_interface - e.g. Loopback0
interfaces - list of interface names
sample_rate - 1 in N packets, default 1000
active_timeout - seconds, default 60
inactive_timeout - seconds, default 15
export_version - v9 or ipfix, default v9
#}
flow exporter-map WHITEOWL-EXPORTER
version {{ export_version | default('v9') }}
template data timeout 60
!
transport udp {{ collector_port | default(2055) }}
source {{ source_interface }}
destination {{ collector_ip }}
flow monitor-map WHITEOWL-MONITOR
record ipv4
exporter WHITEOWL-EXPORTER
cache entries 65536
cache timeout active {{ active_timeout | default(60) }}
cache timeout inactive {{ inactive_timeout | default(15) }}
sampler-map WHITEOWL-SAMPLER
random 1 out-of {{ sample_rate | default(1000) }}
{% for iface in interfaces %}
interface {{ iface }}
flow ipv4 monitor WHITEOWL-MONITOR sampler WHITEOWL-SAMPLER ingress
flow ipv4 monitor WHITEOWL-MONITOR sampler WHITEOWL-SAMPLER egress
{% endfor %}
Cisco ASA — NSEL
Cisco ASA exports NetFlow Security Event Logging (NSEL) — a superset of NetFlow v9 that includes firewall session events (CREATE, TEARDOWN, DENIED).
! Define collector
logging flow-export-syslogs enable
policy-map global_policy
class class-default
flow-export event-type all destination <COLLECTOR_IP>
! Alternative: direct NetFlow config
flow-export destination inside <COLLECTOR_IP> 2055
flow-export template timeout-rate 1
flow-export delay flow-create 0
! Verify
show flow-export counters
Note: ASA NSEL uses NetFlow v9 format but with Cisco-proprietary element IDs for session events. WhiteOwl will decode standard fields (src/dst IP, port, protocol, bytes, packets). Firewall-specific fields (reason codes, user identity) require custom enrichment.
Juniper MX — JFlow/IPFIX
Juniper calls their NetFlow implementation JFlow. NetFlow v9 is recommended over IPFIX for JFlow because IPFIX exports cumulative counters rather than delta counters.
Manual Configuration
# Step 1: Define IPFIX/v9 template
set services flow-monitoring version9 template WHITEOWL-V9 flow-active-timeout 60
set services flow-monitoring version9 template WHITEOWL-V9 flow-inactive-timeout 15
set services flow-monitoring version9 template WHITEOWL-V9 template-refresh-rate seconds 60
set services flow-monitoring version9 template WHITEOWL-V9 option-refresh-rate seconds 120
set services flow-monitoring version9 template WHITEOWL-V9 ipv4-template
# Optional: IPv6 template
set services flow-monitoring version9 template WHITEOWL-V9-IPV6 ipv6-template
# Step 2: Increase flow table size (default 1K is too small)
set chassis fpc 0 sampling-instance WHITEOWL-SAMPLING
set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 2048
set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 1024
# Step 3: Configure sampling instance
set forwarding-options sampling instance WHITEOWL-SAMPLING input rate 1024
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output flow-server <COLLECTOR_IP> port 2055
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output flow-server <COLLECTOR_IP> source-address <ROUTER_IP>
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output flow-server <COLLECTOR_IP> version9 template WHITEOWL-V9
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output inline-jflow source-address <ROUTER_IP>
# Optional: IPv6 sampling
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet6 output flow-server <COLLECTOR_IP> port 2055
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet6 output flow-server <COLLECTOR_IP> version9 template WHITEOWL-V9-IPV6
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet6 output inline-jflow source-address <ROUTER_IP>
# Step 4: Enable sampling on interfaces
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
# Verify
run show services accounting flow inline-jflow fpc-slot 0
run show services accounting status inline-jflow fpc-slot 0
Jinja2 Template — juniper_mx_jflow.j2
{# Juniper MX — JFlow NetFlow v9 (inline-jflow) #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
router_ip - source IP for exports (typically loopback)
fpc_slot - FPC slot number, default 0
sample_rate - 1 in N packets, default 1024
active_timeout - seconds, default 60
inactive_timeout - seconds, default 15
template_refresh - seconds, default 60
interfaces - list of interface names (e.g. ge-0/0/0.0)
enable_ipv6 - bool, default false
#}
set services flow-monitoring version9 template WHITEOWL-V9 flow-active-timeout {{ active_timeout | default(60) }}
set services flow-monitoring version9 template WHITEOWL-V9 flow-inactive-timeout {{ inactive_timeout | default(15) }}
set services flow-monitoring version9 template WHITEOWL-V9 template-refresh-rate seconds {{ template_refresh | default(60) }}
set services flow-monitoring version9 template WHITEOWL-V9 option-refresh-rate seconds 120
set services flow-monitoring version9 template WHITEOWL-V9 ipv4-template
{% if enable_ipv6 | default(false) %}
set services flow-monitoring version9 template WHITEOWL-V9-IPV6 flow-active-timeout {{ active_timeout | default(60) }}
set services flow-monitoring version9 template WHITEOWL-V9-IPV6 flow-inactive-timeout {{ inactive_timeout | default(15) }}
set services flow-monitoring version9 template WHITEOWL-V9-IPV6 template-refresh-rate seconds {{ template_refresh | default(60) }}
set services flow-monitoring version9 template WHITEOWL-V9-IPV6 ipv6-template
{% endif %}
set chassis fpc {{ fpc_slot | default(0) }} sampling-instance WHITEOWL-SAMPLING
set chassis fpc {{ fpc_slot | default(0) }} inline-services flow-table-size ipv4-flow-table-size 2048
{% if enable_ipv6 | default(false) %}
set chassis fpc {{ fpc_slot | default(0) }} inline-services flow-table-size ipv6-flow-table-size 1024
{% endif %}
set forwarding-options sampling instance WHITEOWL-SAMPLING input rate {{ sample_rate | default(1024) }}
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output flow-server {{ collector_ip }} port {{ collector_port | default(2055) }}
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output flow-server {{ collector_ip }} source-address {{ router_ip }}
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output flow-server {{ collector_ip }} no-local-dump
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output flow-server {{ collector_ip }} version9 template WHITEOWL-V9
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet output inline-jflow source-address {{ router_ip }}
{% if enable_ipv6 | default(false) %}
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet6 output flow-server {{ collector_ip }} port {{ collector_port | default(2055) }}
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet6 output flow-server {{ collector_ip }} source-address {{ router_ip }}
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet6 output flow-server {{ collector_ip }} version9 template WHITEOWL-V9-IPV6
set forwarding-options sampling instance WHITEOWL-SAMPLING family inet6 output inline-jflow source-address {{ router_ip }}
{% endif %}
{% for iface in interfaces %}
set interfaces {{ iface }} family inet sampling input
set interfaces {{ iface }} family inet sampling output
{% if enable_ipv6 | default(false) %}
set interfaces {{ iface }} family inet6 sampling input
set interfaces {{ iface }} family inet6 sampling output
{% endif %}
{% endfor %}
Juniper EX/QFX — sFlow
EX Series switches (EX2300, EX3400, EX4300, EX4600) and QFX Series use sFlow rather than JFlow.
Manual Configuration
# Global sFlow config
set protocols sflow agent-id <SWITCH_MGMT_IP>
set protocols sflow collector <COLLECTOR_IP> udp-port 6343
set protocols sflow polling-interval 20
set protocols sflow sample-rate ingress 1000
set protocols sflow sample-rate egress 1000
# Apply to interfaces
set protocols sflow interfaces ge-0/0/0.0
set protocols sflow interfaces ge-0/0/1.0
# Verify
run show sflow
run show sflow collector
run show sflow interface
Jinja2 Template — juniper_ex_sflow.j2
{# Juniper EX/QFX — sFlow #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 6343
agent_id - switch management IP
polling_interval - seconds, default 20
sample_rate - 1 in N packets, default 1000
interfaces - list of interface names (e.g. ge-0/0/0.0)
#}
set protocols sflow agent-id {{ agent_id }}
set protocols sflow collector {{ collector_ip }} udp-port {{ collector_port | default(6343) }}
set protocols sflow polling-interval {{ polling_interval | default(20) }}
set protocols sflow sample-rate ingress {{ sample_rate | default(1000) }}
set protocols sflow sample-rate egress {{ sample_rate | default(1000) }}
{% for iface in interfaces %}
set protocols sflow interfaces {{ iface }}
{% endfor %}
Arista EOS — sFlow
Manual Configuration
! Global sFlow config
sflow run
sflow destination <COLLECTOR_IP>
sflow source <SOURCE_IP_OR_INTERFACE>
sflow polling-interval 60
sflow sample 16384
! Enable on specific interfaces (optional — enabled globally by default when sflow run is set)
interface Ethernet1
sflow enable
! Verify
show sflow detail
show sflow interfaces
Note: The
sflow sample dangerous <rate>command allows rates below 16384 but may impact performance on high-traffic interfaces.
Jinja2 Template — arista_eos_sflow.j2
{# Arista EOS — sFlow #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 6343
source_ip - source IP for sFlow exports
polling_interval - seconds, default 60
sample_rate - 1 in N packets, default 16384
interfaces - optional list; if empty, sFlow enabled globally on all ports
#}
sflow destination {{ collector_ip }} {% if collector_port is defined %}{{ collector_port }}{% endif %}
sflow source {{ source_ip }}
sflow polling-interval {{ polling_interval | default(60) }}
sflow sample {{ sample_rate | default(16384) }}
sflow run
{% if interfaces is defined and interfaces | length > 0 %}
{% for iface in interfaces %}
interface {{ iface }}
sflow enable
{% endfor %}
{% endif %}
Arista EOS — IPFIX (Hardware Flow Tracking)
For platforms supporting IPFIX (7280, 7500, 7800, DCS-7170B series — EOS 4.25+).
Manual Configuration
! Enable IP routing for IPFIX export
ip routing
! Define a loopback as source
interface Loopback0
ip address <SOURCE_IP>/32
! Define flow tracker
flow tracking hardware
tracker WHITEOWL-TRACKER
record export on inactive timeout 60000
record export on interval 30000
!
exporter WHITEOWL-EXPORTER
local interface Loopback0
template interval 5000
collector <COLLECTOR_IP>
no shutdown
! Apply to interfaces
interface Ethernet1
flow tracker hardware WHITEOWL-TRACKER
no shutdown
! Verify
show flow tracking hardware
show flow tracking hardware tracker WHITEOWL-TRACKER
Jinja2 Template — arista_eos_ipfix.j2
{# Arista EOS — Hardware IPFIX Flow Tracking #}
{# Variables:
collector_ip - IP of WhiteOwl collector
source_interface - loopback interface name, e.g. Loopback0
source_ip - IP on the loopback
active_timeout_ms - milliseconds, default 30000
inactive_timeout_ms - milliseconds, default 60000
template_interval_ms - milliseconds, default 5000
interfaces - list of interface names to track
#}
ip routing
interface {{ source_interface }}
ip address {{ source_ip }}/32
flow tracking hardware
tracker WHITEOWL-TRACKER
record export on inactive timeout {{ inactive_timeout_ms | default(60000) }}
record export on interval {{ active_timeout_ms | default(30000) }}
!
exporter WHITEOWL-EXPORTER
local interface {{ source_interface }}
template interval {{ template_interval_ms | default(5000) }}
collector {{ collector_ip }}
no shutdown
{% for iface in interfaces %}
interface {{ iface }}
flow tracker hardware WHITEOWL-TRACKER
no shutdown
{% endfor %}
FortiGate / FortiOS
Supported from FortiOS 5.2+. Exports NetFlow v9. Note: sampling is not supported with NetFlow on FortiGate; use sFlow if sampling is needed.
Manual Configuration
# Global NetFlow config (FortiOS 7.2.8+ / 7.4.2+)
config system netflow
set active-flow-timeout 60
set inactive-flow-timeout 15
set template-tx-timeout 1800
set template-tx-counter 20
config collectors
edit 1
set collector-ip <COLLECTOR_IP>
set collector-port 2055
set source-ip <FORTIGATE_INTERFACE_IP>
set interface-select-method auto
next
end
end
# Enable on each interface
config system interface
edit "wan1"
set netflow-sampler both
next
edit "internal"
set netflow-sampler both
next
end
# Verify
diagnose test application sflowd 3
diagnose test application sflowd 4
Note: On FortiOS 5.x–7.2.7 the config structure is slightly different — use
set collector-ipandset source-ipdirectly underconfig system netflowwithout theconfig collectorssub-block.
Jinja2 Template — fortigate_netflow.j2
{# FortiGate FortiOS — NetFlow v9 (7.2.8+ / 7.4.2+ syntax) #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
source_ip - FortiGate interface IP for export source
active_timeout - seconds, default 60
inactive_timeout - seconds, default 15
interfaces - list of FortiGate interface names
sampler_direction - both | tx | rx (default: both)
#}
config system netflow
set active-flow-timeout {{ active_timeout | default(60) }}
set inactive-flow-timeout {{ inactive_timeout | default(15) }}
set template-tx-timeout 1800
set template-tx-counter 20
config collectors
edit 1
set collector-ip {{ collector_ip }}
set collector-port {{ collector_port | default(2055) }}
set source-ip {{ source_ip }}
set interface-select-method auto
next
end
end
{% for iface in interfaces %}
config system interface
edit "{{ iface }}"
set netflow-sampler {{ sampler_direction | default('both') }}
next
end
{% endfor %}
Palo Alto Networks (PAN-OS)
PAN-OS exports NetFlow v9, including App-ID and User-ID fields when PAN-OS specific field types are enabled.
Manual Configuration
Via Web GUI: Device > Server Profiles > NetFlow
# CLI equivalent (set commands)
set deviceconfig system netflow-setting collector-list <COLLECTOR_NAME> collector <COLLECTOR_IP>
set deviceconfig system netflow-setting collector-list <COLLECTOR_NAME> port 2055
set deviceconfig system netflow-setting collector-list <COLLECTOR_NAME> template-refresh-rate 5
set deviceconfig system netflow-setting collector-list <COLLECTOR_NAME> active-timeout 1
set deviceconfig system netflow-setting collector-list <COLLECTOR_NAME> pan-os-field-types yes
Then assign to each interface via Web GUI: Network > Interfaces > [Interface] > NetFlow Profile
Key settings:
- Template Refresh Rate: 5 minutes / 20 packets recommended
- Active Timeout: 1 minute
- PAN-OS Field Types: Enable to export App-ID (application names) and User-ID in NetFlow records — provides layer 7 visibility beyond port-based detection
Jinja2 Template — paloalto_netflow.j2
{# Palo Alto Networks PAN-OS — NetFlow v9 #}
{# Note: Full config requires GUI for interface assignment. #}
{# This template generates CLI set commands for the server profile. #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
profile_name - name of the NetFlow server profile
template_refresh_rate - minutes, default 5
active_timeout - minutes, default 1
enable_pan_fields - bool, exports App-ID and User-ID (default: true)
interfaces - list of interface names to assign profile to
#}
set deviceconfig setting netflow-setting collector-list {{ profile_name | default('WhiteOwl') }} collector {{ collector_ip }}
set deviceconfig setting netflow-setting collector-list {{ profile_name | default('WhiteOwl') }} port {{ collector_port | default(2055) }}
set deviceconfig setting netflow-setting collector-list {{ profile_name | default('WhiteOwl') }} template-refresh-rate {{ template_refresh_rate | default(5) }}
set deviceconfig setting netflow-setting collector-list {{ profile_name | default('WhiteOwl') }} active-timeout {{ active_timeout | default(1) }}
{% if enable_pan_fields | default(true) %}
set deviceconfig setting netflow-setting collector-list {{ profile_name | default('WhiteOwl') }} pan-os-field-types yes
{% endif %}
{# Interface assignment (ethernet interfaces) #}
{% for iface in interfaces %}
set network interface ethernet {{ iface }} layer3 netflow-profile {{ profile_name | default('WhiteOwl') }}
{% endfor %}
pfSense / OPNsense
pfSense Plus 24.03+ — Native Packet Flow Data (pflow)
Navigate to Firewall > Packet Flow Data in the GUI.
# No CLI config needed for pfSense Plus 24.03+
# Via GUI: Firewall > Packet Flow Data
# - Add Exporter: IP = <COLLECTOR_IP>, Port = 2055, Format = IPFIX
# - Enable: checked
# - Source address: WAN or LAN interface IP
# Note: Use IPFIX for IPv6 support — NetFlow v5 is IPv4 only
pfSense CE / Older — pfflowd package
# Install pfflowd via: System > Package Manager
# Configure via: Services > pfflowd
# - Host: <COLLECTOR_IP>
# - Port: 2055
# - NetFlow version: 5 or 9
OPNsense — Softflowd
# Install via: System > Firmware > Plugins > os-softflowd
# Configure via: Services > Softflowd
# - Interface: WAN (or ALL)
# - Host: <COLLECTOR_IP>
# - Port: 2055
# - NetFlow version: 9
# - Max flows: 8192
Jinja2 Template — pfsense_pflow.j2
{# pfSense Plus 24.03+ — pflow configuration (XML config.xml fragment) #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
format - netflow5 | ipfix (use ipfix for IPv6)
source_iface - interface name, e.g. igb0
#}
<pflow>
<enabled>1</enabled>
<exporters>
<exporter>
<enabled>1</enabled>
<destination>{{ collector_ip }}</destination>
<port>{{ collector_port | default(2055) }}</port>
<protocol>{{ format | default('ipfix') }}</protocol>
<source>{{ source_iface | default('') }}</source>
</exporter>
</exporters>
</pflow>
MikroTik RouterOS
MikroTik supports NetFlow v5 and v9 via the ip traffic-flow subsystem.
Manual Configuration
# Enable traffic flow
/ip traffic-flow
set enabled=yes interfaces=all active-flow-timeout=1m inactive-flow-timeout=15s
# Set targets (collectors)
/ip traffic-flow target
add dst-address=<COLLECTOR_IP> port=2055 version=9
# Verify
/ip traffic-flow print
/ip traffic-flow target print
Note: MikroTik RouterOS v7+ supports IPFIX. For v6.x, use NetFlow v9.
Jinja2 Template — mikrotik_netflow.j2
{# MikroTik RouterOS — NetFlow v9 #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
interfaces - comma-separated list or 'all', default: all
active_timeout - e.g. 1m, default 1m
inactive_timeout - e.g. 15s, default 15s
version - 5, 9, or ipfix (default: 9)
#}
/ip traffic-flow
set enabled=yes interfaces={{ interfaces | default('all') }} active-flow-timeout={{ active_timeout | default('1m') }} inactive-flow-timeout={{ inactive_timeout | default('15s') }}
/ip traffic-flow target
add dst-address={{ collector_ip }} port={{ collector_port | default(2055) }} version={{ version | default(9) }}
HP / Aruba ProCurve
HP ProCurve and Aruba switches (2920, 3810, 5400, 6200 series) support sFlow.
Manual Configuration
# Global sFlow config
sflow 1 destination <COLLECTOR_IP> dest-port 6343
sflow 1 sampling <INTERFACE> 1000
sflow 1 polling <INTERFACE> 20
# Or enable on all ports
sflow 1 sampling all 1000
sflow 1 polling all 20
# Verify
show sflow 1
show sflow 1 statistics
Jinja2 Template — hp_procurve_sflow.j2
{# HP / Aruba ProCurve — sFlow #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 6343
instance - sFlow instance ID, default 1
sample_rate - 1 in N packets, default 1000
polling_interval - seconds, default 20
interfaces - list of interface names, or use 'all'
#}
sflow {{ instance | default(1) }} destination {{ collector_ip }} dest-port {{ collector_port | default(6343) }}
{% if interfaces is defined and interfaces | length > 0 %}
{% for iface in interfaces %}
sflow {{ instance | default(1) }} sampling {{ iface }} {{ sample_rate | default(1000) }}
sflow {{ instance | default(1) }} polling {{ iface }} {{ polling_interval | default(20) }}
{% endfor %}
{% else %}
sflow {{ instance | default(1) }} sampling all {{ sample_rate | default(1000) }}
sflow {{ instance | default(1) }} polling all {{ polling_interval | default(20) }}
{% endif %}
VMware vSphere Distributed Switch
VMware vDS supports NetFlow (IPFIX) export directly from the distributed switch, providing visibility into east-west VM traffic.
Manual Configuration
Via vSphere Client:
Networking > vSphere Distributed Switch > Configure > NetFlow- Set Collector IP and Port
- Set Active Flow Timeout and Idle Flow Timeout
- Apply to port groups:
Port Group > Edit Settings > Monitoring > NetFlow: Enabled
# PowerCLI equivalent
$vds = Get-VDSwitch -Name "dvSwitch"
$netflowConfig = New-Object VMware.Vim.VMwareDistributedVirtualSwitchVmwareHealthCheckConfig
$spec = New-Object VMware.Vim.DVSConfigSpec
$spec.description = $vds.ExtensionData.Config.Description
$spec.ipfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.ipfixConfig.collectorIpAddress = "<COLLECTOR_IP>"
$spec.ipfixConfig.collectorPort = 2055
$spec.ipfixConfig.activeFlowTimeout = 60
$spec.ipfixConfig.idleFlowTimeout = 15
$spec.ipfixConfig.samplingRate = 0 # 0 = all traffic
$spec.configVersion = $vds.ExtensionData.Config.ConfigVersion
$vds.ExtensionData.ReconfigureDvs_Task($spec)
Jinja2 Template — vmware_vds_netflow.j2
{# VMware vSphere Distributed Switch — NetFlow/IPFIX (PowerCLI) #}
{# Variables:
collector_ip - IP of WhiteOwl collector
collector_port - default 2055
vds_name - name of the distributed switch
active_timeout - seconds, default 60
idle_timeout - seconds, default 15
sampling_rate - 0 = all traffic, N = 1 in N packets
port_groups - list of port group names to enable NetFlow on
#}
# Connect to vCenter first: Connect-VIServer -Server <vcenter_ip>
$vds = Get-VDSwitch -Name "{{ vds_name }}"
$spec = New-Object VMware.Vim.DVSConfigSpec
$spec.ipfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.ipfixConfig.collectorIpAddress = "{{ collector_ip }}"
$spec.ipfixConfig.collectorPort = {{ collector_port | default(2055) }}
$spec.ipfixConfig.activeFlowTimeout = {{ active_timeout | default(60) }}
$spec.ipfixConfig.idleFlowTimeout = {{ idle_timeout | default(15) }}
$spec.ipfixConfig.samplingRate = {{ sampling_rate | default(0) }}
$spec.configVersion = $vds.ExtensionData.Config.ConfigVersion
$vds.ExtensionData.ReconfigureDvs_Task($spec)
{% for pg in port_groups %}
$pg = Get-VDPortgroup -Name "{{ pg }}" -VDSwitch $vds
$pgSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
$pgSpec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$pgSpec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$pgSpec.defaultPortConfig.ipfixEnabled.value = $true
$pgSpec.defaultPortConfig.ipfixEnabled.inherited = $false
$pgSpec.configVersion = $pg.ExtensionData.Config.ConfigVersion
$pg.ExtensionData.ReconfigureDVPortgroup_Task($pgSpec)
{% endfor %}
Quick Reference
| Vendor | Platform | Protocol | Port | Notes |
|---|---|---|---|---|
| Cisco | IOS / IOS XE | NetFlow v5/v9 | 2055 | Use FNF on XE 16.x+ |
| Cisco | Catalyst 9000 | NetFlow v9 | 2055 | Same as IOS XE FNF |
| Cisco | Nexus 9000/7000 | NetFlow v9 | 2055 | NX-OS Flexible NetFlow |
| Cisco | Nexus 9000/3000 | sFlow v5 | 6343 | Alt to NetFlow |
| Cisco | ASR 9000 | NetFlow v9/IPFIX | 2055 | IOS XR exporter-map |
| Cisco | ASA | NSEL (NetFlow v9) | 2055 | Includes firewall events |
| Juniper | MX Series | JFlow v9 | 2055 | Use v9 not IPFIX |
| Juniper | EX/QFX | sFlow v5 | 6343 | Inline sFlow on QFX |
| Arista | EOS (all) | sFlow v5 | 6343 | Default, widely supported |
| Arista | EOS 4.25+ | IPFIX | 2055/4739 | Hardware flow tracker |
| Fortinet | FortiGate | NetFlow v9 | 2055 | No sampling support |
| Palo Alto | PAN-OS | NetFlow v9 | 2055 | Enable PAN-OS fields for App-ID |
| pfSense | Plus 24.03+ | IPFIX / v5 | 2055 | Native pflow, GUI only |
| pfSense | CE / older | NetFlow v9 | 2055 | pfflowd package |
| MikroTik | RouterOS | NetFlow v9 | 2055 | IPFIX on v7+ |
| HP/Aruba | ProCurve | sFlow v5 | 6343 | 2920, 3810, 5400, 6200 |
| VMware | vDS | IPFIX | 2055 | Requires vDS — not vSS |