SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  JFLOW and NAT

    Posted 12-16-2011 06:34

    Greetings

    I'd like to use JFLOW to sample the traffic on my internet connection.  However, when doing so it only shows the traffic from the device NAT IP (public IP) and the endpoint.

    I was hoping to have a more thorough view, as in seeing the source IP (internal client) and ideally the endpoint HTTP address.  The HTTP address I know is probably not possible, but what about the source client showing as the actual source rather than the Juniper SRX device public IP?



  • 2.  RE: JFLOW and NAT

    Posted 12-20-2011 07:45

    I'm bumping this, does anyone have any ideas or input?  Thanks



  • 3.  RE: JFLOW and NAT
    Best Answer

    Posted 12-20-2011 10:21

    I have my SRX100H, running  V11.4R1.6, sending NETFLOW (JFLOW) to a collector for several interfaces and VLANs.

     

    LAN Subnet 10.10.10.0/24

    Netflow collector 10.10.10.10

     

    interfaces {
        fe-0/0/0 {
            description "Connection to Internet via Zyxel ADSL Router.";
            unit 0 {
                family inet {
                    sampling {
                        input;
                        output;
                    }
                    address 1.1.1.1/32;
                }
            }
        }
    
        fe-0/0/7 {
            description "Interface connected to Dell Switch";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
    
        vlan {
            unit 0 {
                family inet {
                    sampling {
                        input;
                        output;
                    }
                    address 10.10.10.254/24;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                rate 60;
            }
            family inet {
                output {
                    flow-server 10.10.10.10 {
                        port 2055;
                        version 5;
                    }
                }
            }
        }
    }
    
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     Does this help?



  • 4.  RE: JFLOW and NAT

    Posted 12-20-2011 10:25

    Thank you JohnrBaker for the config example.  In my environment jflow does work, but only shows flows between the public NAT IP and the endpoint.  With the config you are using, does it show you the flow between the private source IP before NAT is applied? 



  • 5.  RE: JFLOW and NAT

    Posted 12-20-2011 10:32

    I see the traffic from my VLAN and my external NAT.  I changed my IP to 11.11.11.x in the interests of security.

     

    I have a Bluecoat proxy server (10.10.10.1), which intercepts all HTTP traffic.  Here is my netflow when I went to news.bbc.co.uk:

     

    time,start,end,source,destination,size
    20/12/2011 18:28:04,20/12/2011 18:27:08,20/12/2011 18:27:08,4.26.228.254:80,11.11.11.106:16654,46
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:21372,87.249.105.58:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:21914,88.221.84.25:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:16557,88.221.84.26:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:16557,88.221.84.26:80,454
    20/12/2011 18:28:04,20/12/2011 18:27:12,20/12/2011 18:27:12,11.11.11.106:16557,88.221.84.26:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:25132,88.221.84.40:80,563
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:27241,88.221.84.40:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:27241,88.221.84.40:80,1103
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:34,11.11.11.106:29434,88.221.84.40:80,120
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:29558,88.221.84.40:80,549
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:7823,88.221.84.40:80,513
    20/12/2011 18:28:04,20/12/2011 18:27:30,20/12/2011 18:27:30,11.11.11.106:25132,88.221.84.40:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:29,11.11.11.106:29434,88.221.84.40:80,545
    20/12/2011 18:28:04,20/12/2011 18:27:14,20/12/2011 18:27:14,11.11.11.106:6608,173.194.41.129:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:30757,209.85.229.105:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:34,11.11.11.106:31124,212.58.246.93:80,120
    20/12/2011 18:28:04,20/12/2011 18:27:12,20/12/2011 18:27:12,11.11.11.106:17357,212.58.246.93:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:33,11.11.11.106:31124,212.58.246.93:80,120
    20/12/2011 18:28:04,20/12/2011 18:27:33,20/12/2011 18:27:33,11.11.11.106:31124,212.58.246.93:80,975
    20/12/2011 18:28:04,20/12/2011 18:27:14,20/12/2011 18:27:14,11.11.11.106:17169,212.58.246.108:80,80
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:28012,212.58.246.108:80,80
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:28012,212.58.246.108:80,936
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:61149,212.159.6.9:53,57
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:64759,212.159.6.9:53,59
    20/12/2011 18:28:04,20/12/2011 18:27:37,20/12/2011 18:27:37,11.11.11.106:25732,212.159.6.9:53,62
    20/12/2011 18:28:04,20/12/2011 18:27:22,20/12/2011 18:27:22,11.11.11.106:6060,212.159.13.49:53,62
    20/12/2011 18:28:04,20/12/2011 18:28:01,20/12/2011 18:28:01,11.11.11.106:4269,216.45.58.170:80,40
    20/12/2011 18:28:04,20/12/2011 18:28:01,20/12/2011 18:28:01,11.11.11.106:20556,216.45.58.170:80,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,87.249.105.58:80,10.10.10.1:54346,358
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:29,87.249.105.58:80,10.10.10.1:58530,44
    20/12/2011 18:28:04,20/12/2011 18:27:12,20/12/2011 18:27:12,88.221.84.25:80,11.11.11.106:3637,46
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,88.221.84.26:80,10.10.10.1:50989,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,88.221.84.40:80,11.11.11.106:27241,274
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:33,88.221.84.40:80,11.11.11.106:29434,2984
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:29,88.221.84.40:80,11.11.11.106:29558,1492
    20/12/2011 18:28:04,20/12/2011 18:27:12,20/12/2011 18:27:13,88.221.84.40:80,10.10.10.1:50872,592
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,88.221.84.40:80,10.10.10.1:51402,1096
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:29,88.221.84.40:80,10.10.10.1:59025,780
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:29,88.221.84.40:80,10.10.10.1:60532,2617
    20/12/2011 18:28:04,20/12/2011 18:27:12,20/12/2011 18:27:12,88.221.84.40:80,10.10.10.1:51402,40
    20/12/2011 18:28:04,20/12/2011 18:27:12,20/12/2011 18:27:12,10.10.10.1:50870,88.221.84.25:80,507
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,10.10.10.1:51402,88.221.84.40:80,552
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,10.10.10.1:56548,88.221.84.40:80,553
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:33,10.10.10.1:59025,88.221.84.40:80,92
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:29,10.10.10.1:59025,88.221.84.40:80,495
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:29,10.10.10.1:60532,88.221.84.40:80,46
    20/12/2011 18:28:04,20/12/2011 18:27:12,20/12/2011 18:27:12,10.10.10.1:49691,212.58.246.93:80,46
    20/12/2011 18:28:04,20/12/2011 18:27:22,20/12/2011 18:27:22,10.10.10.1:64276,212.159.6.10:53,62
    20/12/2011 18:28:04,20/12/2011 18:28:01,20/12/2011 18:28:01,10.10.10.1:52403,216.45.58.170:80,46
    20/12/2011 18:28:04,20/12/2011 18:27:12,20/12/2011 18:27:12,212.58.246.93:80,10.10.10.1:49691,1492
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:29,212.58.246.93:80,10.10.10.1:51844,40
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:33,212.58.246.93:80,10.10.10.1:51844,2984
    20/12/2011 18:28:04,20/12/2011 18:27:29,20/12/2011 18:27:33,212.58.246.93:80,10.10.10.1:51844,2984
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,212.58.246.108:80,10.10.10.1:54089,212
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,212.58.246.108:80,10.10.10.1:59685,40
    20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,212.58.246.108:80,10.10.10.1:59685,106
    20/12/2011 18:28:04,20/12/2011 18:27:46,20/12/2011 18:27:46,212.58.246.108:80,10.10.10.1:59207,40
    20/12/2011 18:28:04,20/12/2011 18:28:03,20/12/2011 18:28:03,212.159.6.10:53,10.10.10.1:57530,78
    20/12/2011 18:28:04,20/12/2011 18:27:28,20/12/2011 18:27:28,212.159.13.49:53,11.11.11.106:8918,95
    20/12/2011 18:28:04,20/12/2011 18:28:01,20/12/2011 18:28:01,216.45.58.170:80,10.10.10.1:60170,44
    20/12/2011 18:28:04,20/12/2011 18:28:01,20/12/2011 18:28:01,216.45.58.170:80,10.10.10.1:60170,2984
    20/12/2011 18:28:04,20/12/2011 18:28:02,20/12/2011 18:28:02,216.45.58.170:80,10.10.10.1:60170,1492
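
Added example, not part of the original posts: with sampling enabled on both the Internet interface and the VLAN interface, the export above carries the same sessions twice, once with the LAN address (pre-NAT) and once with the NAT address (post-NAT). This Python sketch keeps only the pre-NAT records to get per-internal-client totals; the function names are hypothetical, the rows are copied from the export above, and treating NAT-address records as translated copies of LAN traffic is an assumption.

```python
import csv
import io
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("10.10.10.0/24")     # LAN subnet from the post
NAT_IP = ipaddress.ip_address("11.11.11.106")   # masked public NAT address from the post

# Six rows copied from the export in the post above (same column layout).
SAMPLE = """time,start,end,source,destination,size
20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,11.11.11.106:27241,88.221.84.40:80,1103
20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,88.221.84.40:80,11.11.11.106:27241,274
20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,10.10.10.1:51402,88.221.84.40:80,552
20/12/2011 18:28:04,20/12/2011 18:27:13,20/12/2011 18:27:13,88.221.84.40:80,10.10.10.1:51402,1096
20/12/2011 18:28:04,20/12/2011 18:27:22,20/12/2011 18:27:22,10.10.10.1:64276,212.159.6.10:53,62
20/12/2011 18:28:04,20/12/2011 18:28:03,20/12/2011 18:28:03,212.159.6.10:53,10.10.10.1:57530,78
"""

def split_endpoint(text):
    """Turn '10.10.10.1:51402' into (IPv4Address('10.10.10.1'), 51402)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def per_client_usage(csv_text, lan=LAN, nat_ip=NAT_IP):
    """Return ({client: {remote 'ip:port': {'sent', 'received'}}}, post_nat_count)."""
    usage = defaultdict(lambda: defaultdict(lambda: {"sent": 0, "received": 0}))
    post_nat = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, sport = split_endpoint(row["source"])
        dst, dport = split_endpoint(row["destination"])
        size = int(row["size"])
        if src in lan:              # pre-NAT view, client -> remote
            usage[str(src)][f"{dst}:{dport}"]["sent"] += size
        elif dst in lan:            # pre-NAT view, remote -> client
            usage[str(dst)][f"{src}:{sport}"]["received"] += size
        elif nat_ip in (src, dst):  # post-NAT copy: count it, but do not add its size
            post_nat += 1
    return usage, post_nat

if __name__ == "__main__":
    totals, skipped = per_client_usage(SAMPLE)
    for client, remotes in totals.items():
        for remote, sizes in remotes.items():
            print(client, remote, sizes)
    print("post-NAT records skipped:", skipped)
```

Because the flows are sampled, the totals are relative indicators of who talks to what rather than exact byte counts.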

     

     



  • 6.  RE: JFLOW and NAT

    Posted 12-20-2011 10:50

    I'll give the configuration a shot and let you know the outcome.  Thank you. 



  • 7.  RE: JFLOW and NAT

    Posted 12-21-2011 08:35

    I've accepted the post as a solution.  It appears to have accomplished what I was looking for. 

    Let me ask, have you noticed a performance hit by monitoring jflow on many interfaces? 

     

    It appears this gives me the data I want, but also gives me a huge amount of data that I don't want.  I wish we could use jflow on a per policy basis, for example, monitor only the traffic that uses my "Internet Connection" security policy.  I guess Jflow only monitors (samples) traffic flowing through an interface, not a policy. 



  • 8.  RE: JFLOW and NAT

    Posted 12-21-2011 09:47

    There is a hit on the CPU, and you can specify the filter per interface instead of VLAN.

     

    Have a look at http://kb.juniper.net/InfoCenter/index?page=content&id=KB16677 for more info on netflow/jflow.



  • 9.  RE: JFLOW and NAT

    Posted 12-21-2011 10:20

    I'm actually talking about a way to monitor a specific policy, regardless of which interface or VLAN it's using.  You know, only monitor traffic that flows between trust and untrust.