Flow Table Reporting

Navigate to Diagnostics > Flow Table Reporting to create a flow table report. These reports contain information on the traffic flows that pass through Threat Defender.

cognitix Threat Defender tracks flows to enforce rules and to monitor network traffic.

The size of the flow table depends on the memory available in your system. For example, on small systems with 8 GB RAM it can hold around 80,000 entries. As each entry represents a flow, 80,000 concurrent flows are possible.

Entries in the table may time out and are then removed after a certain period of time. Currently, the following timeouts exist:

  • 1 hour (3600 s) for:
    • established TCP flows

    • NETFLOW/IPFIX flows

  • 2 minutes (120 s) for:
    • TCP flows closed by one party

    • bidirectional UDP flows as well as QUIC flows

    • flows being intercepted by Threat Defender (having triggered a policy with a drop or reject action)

  • 5 seconds for:
    • TCP flows closed by both parties

    • connectionless flows, such as unidirectional UDP

When a timeout expires, the corresponding flow is removed from the table. Therefore, any new data on this flow is considered a new flow.

Warning

When the flow table is full, Threat Defender no longer accepts any new flows.
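The timeout and capacity behavior described above can be sketched as a small model. This is an added example, not Threat Defender code. It assumes that the timeout is an idle timer restarted by every packet of a flow; the state names, the FlowTable class and the sample addresses are constructed for illustration.

```python
# Simplified model of the flow table timeouts listed above (added example).
# Assumption: each packet of a flow restarts the timeout for its current state.
TIMEOUTS = {                      # seconds, values taken from the list above
    "tcp_established": 3600,
    "netflow_ipfix": 3600,
    "tcp_closed_one_side": 120,
    "udp_bidirectional": 120,     # also QUIC
    "intercepted": 120,           # policy with drop or reject action triggered
    "tcp_closed_both_sides": 5,
    "connectionless": 5,          # e.g. unidirectional UDP
}

class FlowTable:
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}         # flow key -> (state, expiry time)

    def expire(self, now):
        """Remove every entry whose timeout has run out."""
        for key in [k for k, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[key]

    def packet(self, key, state, now):
        """Classify a packet seen at time `now`: 'new', 'existing' or 'refused'."""
        self.expire(now)
        if key in self.entries:
            self.entries[key] = (state, now + TIMEOUTS[state])
            return "existing"
        if len(self.entries) >= self.capacity:
            return "refused"      # table full: the new flow is not accepted
        self.entries[key] = (state, now + TIMEOUTS[state])
        return "new"

def demo():
    table = FlowTable(capacity=2)  # tiny capacity so the full-table case shows
    a = ("192.0.2.1", 40000, "192.0.2.2", 443, "tcp")    # constructed flows
    b = ("192.0.2.3", 5353, "192.0.2.4", 5353, "udp")
    c = ("192.0.2.5", 40001, "192.0.2.2", 443, "tcp")
    return [
        table.packet(a, "tcp_established", 0),
        table.packet(b, "connectionless", 0),
        table.packet(c, "tcp_established", 1),       # table is full
        table.packet(c, "tcp_established", 6),       # b expired at t=5
        table.packet(a, "tcp_closed_both_sides", 10),  # a now expires at t=15
        table.packet(a, "tcp_established", 16),      # same key, counted as new
    ]

if __name__ == "__main__":
    print(demo())
```

The last two steps show why data arriving after a timeout is counted as a new flow even though the addresses and ports are unchanged.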

Click the Generate Anonymized Core Flow Table Report button to create an anonymized flow table report that contains no IP addresses.

Click the Generate Plain Core Flow Table Report button to create a plain flow table report that includes IP addresses.

The table displays the latest flow table report with its creation date, an automatically generated filename, and the file size.

With the download icon in the last table column, you can download the flow table report to your file system.

Note

Older flow table reports are overwritten when a new report is created.


Additional References:

For further information on the content of flow table reports, see Flow Table Reports in the appendix.