***************************************
Configuring NetFlow for Stealthwatch
***************************************
================================================================================
1. Create a flow record to specify the type of data that needs to be collected.
===================================================================
flow record ABC-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport destination-port
 match transport source-port
 match interface input
 match flow direction
 collect routing source as
 collect routing destination as
 collect ipv4 dscp
 collect ipv4 source prefix
 collect ipv4 source mask
 collect application name
 collect application http url
 collect application http host
===================================================================
2. Create a flow exporter (the Stealthwatch Flow Collector is the destination).
===================================================================
flow exporter ABC-EXP
 destination 192.1.12.200
 source Gig1
 transport udp 2055
 export-protocol ipfix
 template data timeout 30
===================================================================
3. Create a flow monitor that ties the record to the exporter.
===================================================================
flow monitor ABC-MON
 exporter ABC-EXP
 record ABC-RECORD
===================================================================
4. Apply the flow monitor to the interface (both directions) and enable NBAR so the application fields can be collected.
===================================================================
interface Gig1
 ip flow monitor ABC-MON input
 ip flow monitor ABC-MON output
 ip nbar protocol-discovery

***************************************
AMP Overview
***************************************
-> Protects the network/endpoints from malware attached to files.
-> This can be implemented by installing the agent on the endpoint (client PC) or by defining a File Policy on the firewall.
-> The File Policy on the firewall does not protect the network from East-West attacks (traffic that never crosses the firewall).
-> Once a file is received on an endpoint, its hash is checked against the cloud database (AMP Cloud).
-> It will get one of 3 responses (dispositions) for the file. They are:
   -> Clean - The file does not contain threats.
   -> Known Bad/Malicious - The file contains known malware.
   -> Unknown - The file does not have a footprint in the AMP DB.
-> Based on licensing, you can integrate the AMP DB with Threat Grid, which acts as a sandbox: it executes the file and determines its disposition from the actions the file tries to take.
-> Based on the results of the sandboxing, the Threat Grid database can be updated and a new disposition can be sent to the endpoint (retrospective detection).
-> You can also choose to have a private AMP cloud that can be installed as an on-prem solution along with the Threat Grid sandboxing capability.
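To check what the ABC-EXP exporter from the NetFlow section above actually ships to the collector on UDP 2055, here is an added Python example (my own code, not part of these notes or of any Cisco or Stealthwatch tool) that decodes an IPFIX message: it learns the template set, then decodes the data records for the match keys in ABC-RECORD. The IANA information element ids, the field labels and the sample message are my assumptions and constructed data, not a real capture.

```python
import struct
import ipaddress

# IANA IPFIX element ids for the "match" keys in ABC-RECORD (labels are my own)
IE_NAMES = {8: "src_ip", 12: "dst_ip", 4: "protocol", 7: "src_port",
            11: "dst_port", 5: "tos", 10: "in_if", 61: "direction"}

def parse_ipfix(msg):
    """Decode one IPFIX (version 10) message: learn templates, then decode data records."""
    version, length = struct.unpack("!HH", msg[:4])  # then export time, seq, domain id
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:  # template set: template id, field count, then (id, length) pairs
            p = 0
            while p + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[p:p + 4]); p += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[p:p + 4]); p += 4
                    if ie & 0x8000:  # enterprise-specific element: a 4-byte PEN follows
                        ie &= 0x7FFF; p += 4
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:  # data set for a template we have seen
            fields, p = templates[set_id], 0
            rec_len = sum(flen for _, flen in fields)
            while p + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ie, flen in fields:
                    raw = body[p:p + flen]; p += flen
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = (str(ipaddress.IPv4Address(raw))
                                                        if ie in (8, 12) else int.from_bytes(raw, "big"))
                records.append(rec)
    return records

def build_sample():
    """Constructed IPFIX message (not a capture): template 256 plus one TCP/443 record."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (5, 1), (10, 4), (61, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tset = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    rec = (ipaddress.IPv4Address("10.1.1.5").packed + ipaddress.IPv4Address("10.2.2.9").packed
           + struct.pack("!BHHBIB", 6, 51234, 443, 0, 1, 0))
    dset = struct.pack("!HH", 256, 4 + len(rec) + 1) + rec + b"\x00"  # pad to a 4-byte boundary
    body = tset + dset
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, 0) + body
```

Running `parse_ipfix(build_sample())` returns one record dict; pointing the same parser at a UDP socket bound to port 2055 lets you confirm the template the router sends before the Flow Collector is in place.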