IPFix

Push

Synopsis

Creates an IPFix collector that accepts flow data over UDP connections. Supports High-Volume collection with multiple worker processes and configurable buffer sizes.

Schema

- id: <numeric>
  name: <string>
  description: <string>
  type: ipfix
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    address: <string>
    port: <numeric>
    reuse: <boolean>
    buffer_size: <numeric>
    stats_frequency: <numeric>

Configuration

The following are the minimum requirements to define the device.

Device

Field	Required	Default	Description
`id`	Y		Unique identifier
`name`	Y		Device name
`description`	N	-	Optional description
`type`	Y		Must be `ipfix`
`tags`	N	-	Optional tags
`pipelines`	N	-	Optional pre-processor pipelines
`status`	N	`true`	Enable/disable the device

Network

Field	Required	Default	Description
`address`	N	`"0.0.0.0"`	Listen address
`port`	N	`4739`	Listen port
`reuse`	N	`true`	Enable socket address reuse

Performance

Field	Required	Default	Description
`buffer_size`	N	`9000`	Network read buffer size in bytes
`stats_frequency`	N	`300`	Statistics collection interval in seconds

Advanced Features

The following are unique features that Director offers.

Multiple Workers

When reuse is enabled, the collector automatically scales to use multiple workers based on available CPU cores. Each worker maintains its own UDP listener, processes flows independently, and writes to a dedicated queue file.

Flows

The collector supports template management for NetFlow v9/IPFix, application identification, port-based protocol mapping, flow state tracking, and statistical aggregation.

Examples

The following are commonly used configuration types.

Basic

The minimum required configuration using defaults:

Create a simple IPFix collector...

- id: 1
  name: basic_ipfix
  type: ipfix
  properties:
    port: 4739

High-Volume

Performance can be enhanced for high volumes:

Optimizing for high message volumes...

- id: 2
  name: performant_ipfix
  type: ipfix
  properties:
    address: "0.0.0.0"
    port: 4739
    reuse: true
    buffer_size: 32768

note

When reuse is enabled, the collector automatically scales up to use all available CPU cores.

Multiple Flows

Multiple flow types can be collected through a single device:

Collecting multiple flow types...

- id: 3
  name: multi_flow
  type: ipfix
  properties:
    address: "0.0.0.0"
    port: 4739
    reuse: true
    buffer_size: 16384
    stats_frequency: 60

warning

Each flow type requires its own port. Ensure no port conflicts exist between different collectors.

Application Protocols

The collector supports application-based identification, TCP port mapping, and UDP port mapping. The definition files for these respectively are placed in three locations under <vm_root>:

/user/definitions/app-definitions-{device-id}.csv (device-specific)
/user/definitions/app-definitions.csv (user-defined)
/package/definitions/app-definitions.csv (system defaults)

warning

Definition files must be in CSV format with exactly two columns per row.

The contents of these files are:

app-definitions.csv:

SSH,Secure Shell
RDP,Remote Desktop
HTTP,Web Browsing
HTTPS,Secure Web

tcp-definitions.csv:

22,SSH
3389,RDP
80,HTTP
443,HTTPS

udp-definitions.csv:

53,DNS
67,DHCP
123,NTP
161,SNMP

note

The collector will fall back on the system defaults if the custom definition files are not found.

Using application identification...

- id: 4
  name: app_aware_ipfix
  type: ipfix
  properties:
    port: 4739
    reuse: true
    buffer_size: 16384

Synopsis​

Schema​

Configuration​

Device​

Network​

Performance​

Advanced Features​

Multiple Workers​

Flows​

Examples​

Basic​

High-Volume​

Multiple Flows​

Application Protocols​