Flow Table Reporting
Navigate to Diagnostics > Flow Table Reporting to create a flow table report. These reports contain information on the traffic flows that pass through Threat Defender.
cognitix Threat Defender tracks flows to enforce rules and to monitor network traffic.
The size of the flow table depends on the memory available in your system. For example, on small systems with 8 GB of RAM it can hold around 80,000 entries. As each entry represents one flow, around 80,000 concurrent flows are possible.
Entries in the table can time out and are then removed. Currently, the following timeouts exist:
- 1 hour (3600 s) for:
  - established TCP flows
  - NETFLOW/IPFIX flows
- 2 minutes (120 s) for:
  - TCP flows closed by one party
  - bidirectional UDP flows as well as QUIC flows
  - flows being intercepted by Threat Defender (having triggered a policy with a drop or reject action)
- 5 seconds for:
  - TCP flows closed by both parties
  - connectionless flows, such as unidirectional UDP
When a timeout expires, the corresponding flow is removed from the table. Therefore, any new data on this flow is considered a new flow.
Warning
When the flow table is full, Threat Defender no longer accepts any new flows.
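The following Python model is an added illustration of the timeout and capacity behavior described above; it is not Threat Defender code. The state names, the `FlowTable` class, and the `idle_occupancy` helper are hypothetical, and the model assumes that each packet on a tracked flow restarts that flow's timeout, which this page does not state.

```python
# Illustrative model only. State names are hypothetical labels for the
# flow classes listed above; the timeout values (seconds) are from this page.
TIMEOUTS = {
    "tcp_established": 3600,
    "netflow_ipfix": 3600,
    "tcp_closed_one_side": 120,
    "udp_bidirectional": 120,
    "quic": 120,
    "intercepted": 120,      # flow triggered a drop or reject policy
    "tcp_closed_both": 5,
    "connectionless": 5,     # e.g. unidirectional UDP
}


class FlowTable:
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}    # flow key -> (state, expiry timestamp)

    def expire(self, now):
        """Remove every entry whose timeout has elapsed."""
        for key in [k for k, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[key]

    def observe(self, key, state, now):
        """Record a packet; return 'new', 'existing' or 'rejected'."""
        self.expire(now)
        if key in self.entries:
            result = "existing"
        elif len(self.entries) >= self.capacity:
            return "rejected"    # table full: no new flows are accepted
        else:
            result = "new"       # also the case for data after a timeout
        # Assumption: each packet restarts the timeout for the current state.
        self.entries[key] = (state, now + TIMEOUTS[state])
        return result


def idle_occupancy(flows_per_second):
    """Entries held only by timeouts: sum of (new-flow rate x timeout).

    A lower bound on table usage for capacity planning, since it ignores
    the time each flow is actually active.
    """
    return sum(rate * TIMEOUTS[s] for s, rate in flows_per_second.items())
```

Comparing the `idle_occupancy` result for the flow rates you observe with the table size of your system (around 80,000 entries on an 8 GB system) shows how much of the table is consumed by entries that are only waiting for their timeout.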
Click the Generate Anonymized Core Flow Table Report button to create an anonymized flow table report that contains no IP addresses.
Click the Generate Plain Core Flow Table Report button to create a plain flow table report that includes IP addresses.
The table displays the latest flow table report with its creation date, an automatically generated filename, and the file size.
With the icon in the last table column, you can download the flow table report to your file system.
Note
Older flow table reports are overwritten when a new report is created.
Additional References:
For further information on the content of flow table reports, see Flow Table Reports in the appendix.