Hi!
I’ve just set up elastiflow and started forwarding Traffic Flow (all interfaces) to that service.
I have a GeoIP block rule (FW Input) that rejects incoming packets outside of my country CIDR (working just fine). I can successfully see the rule working when looking at logs.
Looking at the elastiflow Threats dashboard, I see a bunch of IPs from other countries. Looking at the traffic details, I can’t find an easy way to determine whether the traffic was indeed rejected.
For some traffic the TCP flags are somewhat indicative of the action (RST, ECE), but there’s other traffic where it’s difficult to assess what really happened (FIN, ACK, URG).
After a bit of searching online, it seems that IPFIX v9 has a field named forwardingStatus, but it doesn’t seem to exist in the available fields within Traffic Flow.
Is this on the roadmap? Is there a better field for me to filter/look for? For those who have similar setups, how do you look at such (rejected) traffic?
Appreciate your help in advance!
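As an added illustration (not part of the post above, and not elastiflow or RouterOS code), here is how the IPFIX forwardingStatus element (IANA element 89, defined in RFC 7270) is decoded when an exporter does include it: the two high bits of the status byte say whether the packet was forwarded, dropped or consumed, and the low six bits carry a reason code. The record dictionaries, the `forwardingStatus` key name and the `tcpFlags` strings are constructed sample data and assumptions; real elastiflow field names differ. The classifier deliberately reports "unknown" rather than guessing "dropped" from TCP flags when the field is absent, which is the situation the post describes.

```python
# Decode IPFIX forwardingStatus (element 89, RFC 7270) and label flow records.
# Added example with constructed data; not code from the original post.

# Meaning of the two high bits of the status byte (RFC 7270).
FORWARDING_STATUS = {0: "unknown", 1: "forwarded", 2: "dropped", 3: "consumed"}


def decode_forwarding_status(value: int) -> tuple[str, int]:
    """Return (status, reason_code) for a forwardingStatus value.

    Only the low 8 bits are interpreted (assumption: the exporter packs the
    status byte there); bits 7-6 are the status, bits 5-0 the reason code.
    """
    byte = value & 0xFF
    status = FORWARDING_STATUS[(byte >> 6) & 0b11]
    reason = byte & 0b111111
    return status, reason


def classify_flow(record: dict) -> str:
    """Label one flow record as forwarded/dropped/consumed/unknown.

    The label comes only from forwardingStatus. TCP flags (RST, FIN, ...) are
    not used as a fallback because they do not prove a firewall verdict.
    """
    fs = record.get("forwardingStatus")  # key name is an assumption
    if fs is None:
        return "unknown"
    return decode_forwarding_status(fs)[0]


def summarize(flows: list[dict]) -> dict[str, int]:
    """Count flows per label, e.g. to feed a dashboard or a quick report."""
    counts: dict[str, int] = {}
    for flow in flows:
        label = classify_flow(flow)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records (documentation-range addresses, hypothetical values).
SAMPLE_FLOWS = [
    # dropped by the firewall: status bits 10, reason code 0
    {"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 22,
     "tcpFlags": "S", "forwardingStatus": 0x80},
    # forwarded: status bits 01
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443,
     "tcpFlags": "SA", "forwardingStatus": 0x40},
    # exporter did not send forwardingStatus: flags alone are not a verdict
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 25,
     "tcpFlags": "FA"},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["src"], "->", flow["dst"], classify_flow(flow))
    print(summarize(SAMPLE_FLOWS))
```

When a collector does expose the field, filtering on the decoded "dropped" label is far more reliable than reading TCP flags, and the "unknown" bucket makes it visible how many flows carry no verdict at all.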