I have a user in a remote office that generated a lot of traffic. When digging in, the amount Solarwinds shows does not match the amount my firewall logs show, looking at the same time frame of the last 24 hrs.
SW netflow shows 15.9 GBytes. I'm looking at Last 24hrs, Ingress, on the remote office router MPLS interface and the conversation between source/destination IP.
My firewall shows 8.1 GBytes. This is looking at last 24hrs, Bytes received, filtered on source/destination address.
I'm more inclined to trust my firewall reporting at this point. Why is SW showing almost double?
Below is the config on my router for netflow/nbar. Is it because I have input and output on my interface and only need one? If so which is best and will it still show traffic for both directions?
flow record NTArec
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes
collect counter packets
collect application name
!
!
flow exporter NTAexp
destination X.X.X.X
source GigabitEthernet0/0
transport udp 2055
template data timeout 60
option application-table timeout 60
option application-attributes timeout 300
!
!
flow monitor NTAmon
description NetFlow nbar
exporter NTAexp
cache timeout inactive 30
cache timeout active 60
record NTArec
interface GigabitEthernet0/0
description MPLS
bandwidth 10000
ip address Y.Y.Y.Y
ip flow monitor NTAmon input
ip flow monitor NTAmon output
ip flow ingress
ip flow egress
EDIT: Actually, now that I looked at just NBAR, it shows 8 GBytes, so it lines up with my firewall. How can I fix netflow to be more accurate?
Thanks
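An added example (not the poster's config or any SolarWinds code) showing one check that helps when a NetFlow conversation total and a one-direction firewall counter disagree: the NTArec record above matches `interface input` and collects `interface output`, so every exported record can be classified as ingress or egress on GigabitEthernet0/0 and summed per direction before comparing with the firewall's "bytes received". The records, interface names and byte counts below are constructed sample data, not the poster's export.

```python
"""Split Flexible NetFlow records by direction on the MPLS interface.

Added example: classifies each record by whether the input or the output
interface is the MPLS link (the interface carrying both flow monitors), then
sums bytes per direction for one host pair, so a one-way firewall counter is
compared with the matching NetFlow direction instead of the two-way total.
"""
from collections import defaultdict

MPLS_IF = "GigabitEthernet0/0"  # interface the monitor is attached to in the post

# Constructed sample records (ifIndex values shown already resolved to names).
# Fields follow the NTArec record: src/dst address, input/output interface, bytes.
RECORDS = [
    {"src": "10.1.1.20", "dst": "203.0.113.5", "in": "GigabitEthernet0/1", "out": MPLS_IF, "bytes": 4000},
    {"src": "203.0.113.5", "dst": "10.1.1.20", "in": MPLS_IF, "out": "GigabitEthernet0/1", "bytes": 6000},
    {"src": "10.1.1.20", "dst": "203.0.113.5", "in": "GigabitEthernet0/1", "out": MPLS_IF, "bytes": 3000},
    {"src": "203.0.113.5", "dst": "10.1.1.20", "in": MPLS_IF, "out": "GigabitEthernet0/1", "bytes": 2000},
    {"src": "10.1.1.30", "dst": "198.51.100.9", "in": "GigabitEthernet0/1", "out": MPLS_IF, "bytes": 500},
]


def direction(rec, mpls_if=MPLS_IF):
    """Return 'ingress' if the record entered via the MPLS interface, 'egress' if it left via it."""
    if rec["in"] == mpls_if:
        return "ingress"
    if rec["out"] == mpls_if:
        return "egress"
    return "other"  # traffic that never crossed the MPLS link


def conversation_bytes(records, host_a, host_b, mpls_if=MPLS_IF):
    """Bytes between two hosts, split per direction, plus the two-way total."""
    totals = defaultdict(int)
    for rec in records:
        if {rec["src"], rec["dst"]} != {host_a, host_b}:
            continue  # not this conversation
        totals[direction(rec, mpls_if)] += rec["bytes"]
    totals["total"] = totals["ingress"] + totals["egress"]
    return dict(totals)


if __name__ == "__main__":
    # With the sample data: ingress 8000, egress 7000, total 15000
    print(conversation_bytes(RECORDS, "10.1.1.20", "203.0.113.5"))
```

Feed it the collector's raw export for the 24 h window and compare the `ingress` (or `egress`) figure, not `total`, with the firewall's one-direction counter.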