Netflow Integration: Overview

Updated at March 15th, 2025

+ More

Table of Contents

What is Netflow, and What are Netflow Endpoints? Creating a Netflow Endpoint Creating a Netflow Endpoint with Whitelist mode Configuring your Delivery Agent

This feature is currently in Beta availability. If you are interested in getting early access to the feature for the purposes of testing, please reach out to your Regional Account Manager to inquire about joining the Beta.

What is Netflow, and What are Netflow Endpoints?

Netflow is a catch-all term for a process originally developed by Cisco to respond to a need to gather information on a network's traffic flow and volume. This technology was further developed by the Internet Engineering Task Force (IETF) to become "Internet Protocol Flow Information eXport" or "IPFIX". Netflow works by capturing data from Netflow Endpoints and submitting that data to a Netflow Collector.

Sonar acts as a software-based Netflow Collector and serves to store the data sent to your instance by the Netflow Endpoints. Many network devices support Netflow, or some variant of it (e.g., IPFIX.) While there are a few variants, this documentation will refer to Netflow generally – just be aware that this endpoint supports Netflow version v1, v5, v7, v9, and IPFIX.

Supporting Netflow in Sonar is simple. You configure a Netflow endpoint in Sonar and specify the IP addresses you wish to allow Netflow data to be delivered from. You then configure your device to deliver Netflow data to Sonar, and Sonar will begin matching the IP addresses in the flows to your customers and storing data usage for them.

Creating a Netflow Endpoint

To create a new Netflow Endpoint, perform the below steps:

Navigate to Settings → Networking → Netflow Endpoints, and then click on Create Netflow Endpoint:
Next, supply a name to the Endpoint and select whether it will operate in Whitelist Mode:

If the Whitelist Mode option is enabled, you must build up a list of allowed subnets using the Create Netflow Whitelist action. Only data originating from or destined for IPs in the whitelist will be recorded when Whitelist is enabled. Wherever possible, you should disable this option and only deliver from a point where the data sent can all be used. Enabling whitelisting requires the Sonar Netflow parser to evaluate each unique source or destination IP twice – once to see if it fits into the whitelist, and once to see if it is legitimate customer traffic. This will cause Netflow parsing to take longer and may cause performance issues with very large data sets. You can help minimize this by either disabling whitelisting or keeping your list of whitelisted networks minimal.

With the Endpoint created, select Create Netflow Allowed Subnet:

This will open the creation modal for adding an allowed subnet to send Sonar Netflow traffic for data collection:

Each subnet that will be sending data to this Endpoint will need to be added as an allowed subnet first.

Creating a Netflow Endpoint with Whitelist mode

Whitelist mode is not currently available to all customers.

When creating a Netflow Endpoint, and you'd like to use Whitelist mode, the steps are very similar to the overall creation.

Navigate to Settings -> Networking -> Netflow Endpoints, and then click on Create Netflow Endpoint:
Next, with the Create Netflow Endpoint modal open, enter your endpoint name and ensure Whitelist Mode is checked:
With the Endpoint created, click on the Create Netflow Whitelist action button:
With the Create Netflow Whitelist modal open, enter one of the subnets you'd like to whitelist:

To maximize Netflow performance when using Whitelist Mode, it's recommended to keep your whitelisted subnets manageable. For example, listing multiple /24 subnets is less efficient than listing 192.168.0.0/16

Configuring your Delivery Agent

Each device that can deliver Netflow is configured differently, but please see below for a quick tutorial on a MikroTik router.

As the Netflow target traffic is UDP, it is also very important that you ensure processing rules are in place to prioritize the traffic and avoid any drops; this will assist in making sure the most accurate accounting information is available within your Sonar instance.

First, open the IP menu and click on Traffic Flow.

If the MikroTik memory allows you to adjust the Cache Entries, it's recommended to set this to either 16M or 32M.

If you only wish to collect data from certain interfaces (for example, if you have a single customer-facing interface), then select the appropriate interfaces in the Interfaces section. If this router handles a lot of traffic, you should limit the reporting interfaces to lessen the load on your router and your Sonar instance.

The Cache entries option controls the number of flows that can be in the router's memory simultaneously. If you have a high quantity of traffic, you should increase this – just be aware that it will increase memory consumption on your router. The values for Active/Inactive Flow Timeouts reflected in the above screenshot are the recommended settings.

Now click the Targets button and then the + button. When a Netflow Endpoint is configured in Sonar, a unique hostname is generated for your instance. To complete your Netflow setup, you'll need to perform a nslookup on the generated hostname:

nslookup [#####].sonarflow.net

Once that's done, enter the address of the Netflow Endpoint in the Dst. Address field, and the port you were provided when the Netflow Endpoint was created in Sonar in the Port field. Set the Version field to 5 and click OK:

After a few minutes, you will see data usage for your customers begin to tabulate on their accounts in Sonar.

It is critically important that you ensure your Netflow delivery device is set up for NTP. Sonar trusts the timestamps coming from your Netflow device, and will discard any timestamps in the future. Therefore, if you are not set up for NTP, you may miss data, or write data usage in the wrong time period.

flow analysis incorporation