Product Documentation

AppFlow

Apr 26, 2017
Which build of NetScaler supports AppFlow?
AppFlow is supported on NetScaler appliances running version 9.3 and above with nCore build.
What is the format used by AppFlow to transmit data?
AppFlow transmits information in the Internet Protocol Flow Information eXport (IPFIX) format, which is an open Internet Engineering Task Force (IETF) standard defined in RFC 5101. IPFIX (the standardized version of Cisco's NetFlow) is widely used to monitor network flow information.
What do AppFlow records contain?
AppFlow records contain standard NetFlow or IPFIX information, such as time stamps for the beginning and end of a flow, packet count, and byte count. AppFlow records also contain application-level information (such as HTTP URLs, HTTP request methods and response-status codes, server response time, and latency). IPFIX flow records are based on templates that must be sent before sending flow records.
After an upgrade to NetScaler Version 9.3 Build 48.6 Cl, why does an attempt to open a virtual server from the GUI result in the error message "The AppFlow feature is only available on Citrix Netscaler Ncore"
AppFlow is supported only on nCore appliances. When you open the virtual server configuration tab, clear the AppFlow checkbox.
What does the transaction ID in an AppFlow records contain?
A transaction ID is an unsigned 32-bit number identifying an application-level transaction. For HTTP, a transaction corresponds to a request and response pair. All flow records that correspond to this request and response pair have the same transaction ID. A typical transaction has four uniflow records. If the NetScaler generates the response by itself (served from the integrated cache or by a security policy), there might be only two flow records for the transaction.
What is an AppFlow action ?

An Appflow action is a set of collectors to which the flow records are sent if the associated AppFlow policy matches.

What commands can I run on the NetScaler appliance to verify that the AppFlow action is a hit?

The show appflow action. For example:

> show appflow action 
1)      Name: aFL-act-collector-1 
        Collectors: collector-1 
        Hits: 0 
        Action Reference Count: 2 
2)      Name: apfl-act-collector-2-and-3 
        Collectors: collector-2, collecter-3 
        Hits: 0 
        Action Reference Count: 1 
3)      Name: apfl-act-collector-1-and-3 
        Collectors: collector-1, collecter-3 
        Hits: 0 
        Action Reference Count: 1
What is an AppFlow collector?
A collector receives flow records generated by the NetScaler appliance. To be able to send flow records, you must specify at least one collector. You can specify up to four. You can remove unused collectors.
What NetScaler verison is required for using AppFlow?
Use NetScaler version 9.3.49.5 or higher, and remember that AppFlow is available in only the nCore builds.
What transport protocol does AppFlow use?
AppFlow uses UDP as the transport protocol.
What ports needs to be opened if I have a firewall in the network?
Port 4739. It is the default UDP port the AppFlow collector uses for listening on IPFIX messages. If the user changes the default port, that port should be opened on the firewall.
How can I change the default port AppFlow uses?

When you add an AppFlow collector by using the add appflowCollector command, you can specify the port to be used.

> add appflowCollector coll1 -IPAddress 
10.102.29.251 -port 8000 
 Done
What does setting clientTrafficOnly do?
NetScaler generates AppFlow records only for client-side traffic.
How many collectors can be configured at a time?

You can configure up to four AppFlow collectors at a time on the NetScaler appliance. Please note that the maximum number of collectors that can be configured on a NetScaler appliance is four.