This community is currently in a read-only state due to a maintenance window. For more info click here

How Netflow works on ClearPass?


What is NetFlow?

In Network environment where an administrator need to know the ports being used by endpoints or network devices we can use Netflow concept.

NetFlow is a feature that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. These records are exported from the router and collected using a NetFlow collector. The NetFlow collector then processes the data to perform the traffic analysis it may be good in use-cases like: Monitors network bandwidth & traffic patterns down to the interface level, Identifies which users, applications, & protocols are consuming the most bandwidth

ClearPass Use-Case:

ClearPass however can use the Netflow information to profile and update the ports used by the devices in endpoint repository, using which we can create policy rules to allow/deny the user the network access if there is traffic from a device to a port which it is not supposed to use or vice-versa.


 ClearPass Policy Manager NetFlow Collector provides the ability to identify the open ports of a device connected to a network by analyzing the received NetFlow packets.




ClearPass would be listening to UDP port 2055 for all the Netflow traffic and it would be processing the request based on the Source as well as Destination IP and port number. After the IP and port is extracted, it would be differentiated as 'Internal' and 'External' addresses. The IP's which are present in Endpoint Repository are considered as Internal IP address and those IP's which is not present are classified as External. 

The entries classified as Internal are posted to Profiler to profile the associated endpoint and update the port number. However the IP's which are not updated in endpoint repository is flushed out as that need not be updated on ClearPass. Because in real-time network there can be tons of network packets coming from several devices and we would be filtering only the devices managed/authenticated by ClearPass or in other words having an entry in ClearPass. 



We need to configure the router/routers on the network to collect the Network Egress/Ingress traffic and send it to the Netflow Collector destination  [Which in our case is ClearPass]. 

Note: We will not be demonstrating the configuration on router in this article as it depends upon the model of network router you have. Most commonly used Cisco Catalyst Switch Netflow configuration could be found here.


ClearPass by default is programmed to receive Netflow packets on its interfaces and process it. [No additional configuration is required].

Profiling of the netflow packets are performed by Profiler master of the zone in case of a cluster, which is configurable in the GUI by navigating to Administration » Server Manager » Server Configuration on the ClearPass Policy Manager select the server which you want to mark as Profiler master and configure it as shown below:


Once an IP address is profiled with the port number, again if the same IP/port entry hits CPPM then it would be ignored as duplicate for a specific amount of time by ClearPass [by default 24 hours],  this time period can be configured to as less as 1 hour. However reducing the value to 1 hour may have affect on your server CPU depending upon the environment. This mechanism is implemented to reduce the work of the server.

You can configure the reprofile interval by navigating to Administration > Server Manager > Server Configuration and hit Cluster Wide-Parameters >> Profiler.

If the same IP with different port entry is seen in the Netflow packet, it would be considered as new entry and would be processed as normal.


If we look at the workflow in a flowchart format it would look like below:





In order to Troubleshoot, we would need to mark the Async-Network Services to Debug. You can mark the service to 'DEBUG' by navigating to Administration >> Server Manager >> Log Configuration. 

Collect the Logs from server, which can be done by navigating to  Administration » Server Manager » Server Configuration and select the server followed by clicking 'Collect Logs'. Please note if the server receiving the netflow packet and profiler master for the zone are different then you might need to collect the logs from both the server to verify. 


In the logs navigate to PolicyManagerLogs >> async-netd >> netbridge.log you can see messages like below

DEBUG [netflow] processing v5
DEBUG [netflow] processing v5

DEBUG[netflow] ip: mac: port:999 added     // All the addresses which doesnt have an entry in Endpoints are considered as External and ignored
DEBUG [netflow] ip: mac: port:55604 added
DEBUG [netflow] ip: mac: port:8080 added
DEBUG [netflow] ip: mac: port:49688 updated
DEBUG [netflow] ip: possibly external
DEBUG [netflow] ip: possibly external
DEBUG [netflow] ip: possibly external

DEBUG[netflow] post to profiler mac: ip: ports:[110 443 5431 5433]    // Posting the IP which has an entry in the endpoint to update the port numbers.

In the logs navigate to PolicyManagerLogs >> async-netd >>  deviceprofiler.log you can see the post message is processed as below:


020-05-06 18:51:35,947 DEBUG  Endpoint: {mac: 02189876d5bb, ip:, static_ip:True, hostname: admins-MacBook-Pro-4.local, mac_vendor: , device: <Computer, Apple Mac, Mac OS X>, other: <None, None, None>, conflict:False, fp: {"host": {"os_type": "Mac OS X", "mac_vendor": [""], "ports": ["110", "443", "5431", "5433"]}}, added_at: 2020-05-01 19:16:21.357180+05:30, updated_at: 2020-05-06 18:06:35.948135+05:30} loaded from tipslogdb
2020-05-06 18:51:35,947 DEBUG  Endpoint: {mac: 02189876d5bb, ip:, static_ip:True, hostname: admins-MacBook-Pro-4.local, mac_vendor: , device: <Computer, Apple Mac, Mac OS X>, other: <None, None, None>, conflict:False, fp: {"host": {"os_type": "Mac OS X", "mac_vendor": [""], "ports": ["443", "5431", "5433"]}}, added_at: 2020-05-01 19:16:21.357180+05:30, updated_at: 2020-05-06 18:06:35.948135+05:30} loaded from tipsdb
2020-05-06 18:51:35,948 DEBUG  Match ep:02189876d5bb field:<host:os_type rel:100 score:100> key:Mac OS X dev:Mac OS X
2020-05-06 18:51:35,948 DEBUG  Best match ep:02189876d5bb field:<host:os_type rel:100 score:100> device:<Computer, Apple Mac, Mac OS X> other:None
2020-05-06 18:51:35,948 DEBUG  Endpoint: 02189876d5bb profiled to <Computer, Apple Mac, Mac OS X>
2020-05-06 18:51:37,954 DEBUG  Updated endpoints: [u'02189876d5bb'] in tipsLogDb
2020-05-06 18:51:37,973 DEBUG  Updated endpoints: [u'02189876d5bb'] in tipsdb


GUI would show up the port entries as shown:

Version history
Revision #:
2 of 2
Last update:
‎08-03-2020 04:04 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: