NetFlow Integrator Standard

Size: px
Start display at page:

Download "NetFlow Integrator Standard"

Transcription

1 NetFlow Integrator Standard User Guide Version (Build ) February 2016 Copyright NetFlow Logic Corporation. All rights reserved. Patents Pending.

2 Contents About this Guide... 3 Introduction... 3 What Are Modules and Converters?... 3 How NFI Updater Works... 5 How to Use this Guide... 5 Solutions at a Glance... 6 Modules Specifications... 8 Network Traffic and Devices Monitoring... 8 Top Traffic Monitor (10067 / 20067)... 8 Top Host Pairs (10064 / 20064) Top Connections Monitor (10063 / 20063) Top Packets Monitor (10068 / 20068) Network Subnets Monitor (10011 / 20011) TCP Health (10060 / 20060) Traffic by CBQoS (10065 / 20065) Traffic by Autonomous Systems (10066 / 20066) Enhanced Traffic Monitor Top Traffic Monitor (10967 / 20967) Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper Network Bandwidth Consumption Monitor (10964 / 20964) Security Hosts Geographical Location Monitor (10040 / 20040) Botnet Command and Control Traffic Monitor (10050 / 20050) APT1 Monitor (10051 / 20051) Host Reputation Monitor (10052 / 20052) Threat Feeds Monitor (10053 / 20053) Outbound Mail Spammers Monitor (10025 / 20025) Inbound Mail Spammers Monitor (10026 / 20026) Unauthorized Mail Servers Monitor (10027 / 20027) Rejected s Monitor (10028 / 20028) Services Monitor DNS Monitor (10004 / 20004, 20005) Asset Access Monitor (10014 / 20014) Services Performance Monitor (10017 / 20017) Cisco ASA Devices Monitoring Top Bandwidth Consumers for Cisco ASA (10018 / 20018) Top Traffic Destinations for Cisco ASA (10019 / 20019) Top Policy Violators for Cisco ASA (10020 / 20020) Top Hosts with most Connections for Cisco ASA (10021 / 20021) Palo Alto Networks Devices Monitoring Top Bandwidth Consumers for Palo Alto Networks (10030 / 20030) Top Traffic Destinations for Palo Alto Networks (10031 / 20031) Hosts with Most Policy Violations for Palo Alto Networks (10032 / 20032) NetFlow Integrator Standard User Guide NetFlow Logic Confidential 1

3 Most Active Hosts for Palo Alto Networks (10033 / 20033) Bandwidth Consumption per Application for Palo Alto Networks (10034 / 20034) Bandwidth Consumption per Application and Users for Palo Alto Networks (10035 / 20035) VMware Top VM:Host Pairs (10164 / 20164) Top VM Traffic Monitor (10167 / 20167) Utilities Sampling Monitor (10002 / 20002) SNMP Information Monitor (10003 / 20003) Special Converters Original Flow Data (20001) sflow Data (20800, 20900) FDR Packeteer-2 Flow Data (20010) Appendix NetFlow v5 - NetFlow v9 Field Types Mapping Modules NetFlow for Splunk App X-Reference NetFlow Integrator Standard User Guide NetFlow Logic Confidential 2

4 About this Guide Introduction Use this document to learn about NetFlow Integrator s Modules and Converters, Updater, and Services, their functionality, inputs, outputs, and configuration parameters. NetFlow Integrator (NFI) is a software-only processing engine for network flow data (NetFlow, IPFIX, sflow, etc.). It is not a NetFlow collector. NetFlow Integrator accepts network flow data from network devices (routers, switches, firewalls), applies map-reduce algorithms to the data to extract the information needed to address desired use cases, converts the processed data to syslog (or other formats such as JSON), then sends that useful information to your visualization platform or SIEM (e.g. VMware vrealize Log Insight, VMware vrealize Operations, or Splunk Enterprise). By enabling appropriate Modules and Converters, you turn on specific functionality within NetFlow Integrator. For example, you can monitor: your network conversations and hosts behavior your network devices your network traffic reported by Cisco ASA NetFlow Secure Event Logging (NSEL) And many other use cases are expressed via the Modules. What Are Modules and Converters? NetFlow data is notoriously voluminous. Traditionally, all NetFlow records generated by network devices are captured and stored for further interpretation. This exact process of capturing all NetFlow records, without understanding the significance of information contained in the records data, creates tremendous storage and data analysis problems. A mid-range 20Gb device in a large office can process tens of thousands of network exchanges per second, which results in a hundred thousand NetFlow records per second. Assuming that each NetFlow record is 100 bytes long, storing data at this rate it would take 8.6TB of disk space every day. Even a smaller switch, router or firewall that processes 10 times less network connections produces 860GB of flow data every day. NetFlow Integrator Modules and Converters are designed to provide solutions for specific use cases and at the same time reduce the amount of data (without losing information veracity) that needs to be stored by orders of magnitude. The Modules and Converters are packaged into Module Set packages. Each Module consists of one or more content-based rules and one or more time-based triggers (called Data Collection Interval ). Converters provide mechanisms for translating information emitted by the Modules into a format suitable for further processing. Please see Solutions at a Glance section below for more details. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 3

5 Let us consider a typical example: a network administrator would like to know how the bandwidth of his Cisco ASA firewall is consumed. This is not possible using traditional Cisco ASA logging because setting logging at the Informational level severely impacts device performance. A better approach is to use Cisco ASA NetFlow Secure Event Logging (NSEL) but the sheer volume of NSEL data may overwhelm traditional NetFlow collectors. This is when NetFlow Integrator s Modules mechanism comes to the rescue. The diagram below shows how data reduction is implemented in the Top Bandwidth Consumers Module. This Module employs an in-memory Map-Shuffle-Reduce algorithm. To report top 50 bandwidth consumers, the Module sums up bytes by source IP -- processing every single flow record over a short period of time (e.g. 30 seconds) (Map), then the data is sorted by accumulated bytes (Shuffle), and finally the top 50 records are retrieved (Reduce), converted to syslog, and sent to a SIEM system (e.g. Splunk). Thus this Module processes thousands of flow records per second, and reports only top 50 bandwidth consumers every 30 seconds, which are typically responsible for 98%-99% of all traffic. NFI Modules use cases are not limited to NetFlow Consolidation. Another diagram below shows how security oriented NFI module reports all malicious network conversation based on threat lists. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 4

6 How NFI Updater Works NFI Updater is a remote component which serves as a knowledge base of information outside of the NetFlow domain. Its task is to provide NetFlow Integrator with information generally unavailable in the data streams supplied by NetFlow/IPFIX exporters. How to Use this Guide Updater is comprised of a Platform and a collection of Agents each of which is designed to obtain information of a certain kind. The Platform provides a common interface for the Agents configuration and data exchange and serves as a conduit for delivering information collected by the Agents to the NetFlow Integrator. Typically Updater is installed on a separate server with access to the internet. The Modules Specification section contains detailed descriptions of the Modules. Modules are numbered from Each Converter produces its own type of syslog message, identified by a special field: nfc_id. For example, Top Bandwidth Consumers for Cisco ASA (10018/20018) Module has the corresponding Converter The syslog message produced by this Converter is identified by the field nfc_id = All Modules are configurable. Parameters to specify the granularity and the amount of consolidated flow data to be sent out are described at the end of each Module specification. For example, Data Collection Interval, sec sets the interval for the Module time trigger. Top N parameter specifies the number of records (usually per exporter) to be converted and sent out. Other parameters may specify a list of IP addresses, or subnets, or ports, depending on the use case of the Module. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 5

7 Solutions at a Glance The table below shows which Modules need to be enabled to turn on NetFlow Integrator specific solutions and corresponding Splunk application menu. Module Set (package) Module (AppMod id / syslog id) Network Traffic and Devices Monitor (network_monitor) Network Subnets Monitor (10011 / 20011) TCP Health (10060 / 20060) Top Connections Monitor (10063 / 20063) Top Host Pairs (10064 / 20064) Traffic by CBQoS (10065 / 20065) Traffic by Autonomous Systems (10066 / 20066) Top Traffic Monitor (10067 / 20067) Top Packets Monitor (10068 / 20068) Reports top bandwidth consumers for each monitored subnet This Module reports TCP Health by detecting top hosts with the most TCP Resets This Module identifies hosts with the most connections This Module reports top Host Pairs network conversations This Module reports traffic for all DSCP bits combinations (QoS) This Module reports traffic by all Autonomous Systems (AS) This Module identifies hosts with the most traffic This Module identifies hosts with the most packets Enhanced Traffic Monitor (network_monitor) Top Traffic Monitor (10967 / 20967) Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper Network Bandwidth Consumption Monitor (10964 / 20964) Security (security) Hosts Geographical Location Monitor (10040 / 20040) Botnet Command and Control Traffic Monitor (10050 / 20050) APT1 Monitor (10051 / 20051) 1 Peer by Reputation Monitor (10052 / 20052) Threat Feeds Monitor (10053 / 20053) ( _monitor) This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts This Module reports network bandwidth consumption by pairs of network users per application kind per PacketShaper instance. This Module identifies hosts with most traffic, and reports them with their geographical locations This Module monitors traffic originated from known Command and Control hosts (C&C) or directed to these hosts This Module monitors traffic originated from known APT1 hosts and IP blocks identified in Mandiant APT1 report. This Module uses a host reputation database from Alienvault ( to report communications with malicious peers This Module monitors traffic originated from known threat lists specified as IP blocks, list of domains, or IP addresses. 1 Mandiant APT1 report was published in 2013 and has not been updated since this time. This Module is obsolete and no longer supported. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 6

8 Outbound Mail Spammers Monitor (10025 / 20025) Inbound Mail Spammers Monitor (10026 / 20026) Unauthorized Mail Servers Monitor (10027 / 20027) Rejected s Monitor (10028 / 20028) Services Monitor (services_monitor) DNS Monitor (10004 / 20004, 20005) Asset Access Monitor (10014 / 20014) Services Performance Monitor (10017 / 20017) This Module detects internal hosts infected with spam malware This Module detects external hosts sending excessive traffic to your organization This Module detects internal hosts running unauthorized mail servers This Module detects external hosts sending s rejected by internal mail servers This Module monitors DNS servers and DNS traffic This Module monitors traffic to selected services and matches communications to a list of authorized peers This Module monitors services performance characteristics Cisco ASA (cisco_asa) Top Bandwidth Consumers for Cisco ASA (10018 / 20018) Top Traffic Destinations for Cisco ASA (10019 / 20019) Top Policy Violators for Cisco ASA (10020 / 20020) Top Hosts with most Connections for Cisco ASA (10021 / 20021) This Module provides a list of top network bandwidth consumers operating on the internal network This Module provides a list of most popular destinations measured by the traffic This Module provides a list of firewall policies violators This Module provides top N (by the number of connections) consumers (users) Palo Alto Networks (panw_monitor) Top Bandwidth Consumers for Palo Alto Networks (10030 / 20030) Top Traffic Destinations for Palo Alto Networks (10031 / 20031) Hosts with Most Policy Violations for Palo Alto Networks (10032 / 20032) Most Active Hosts for Palo Alto Networks (10033 / 20033) Bandwidth Consumption per Application for Palo Alto Networks (10034 / 20034) Bandwidth Consumption per Application and Users for Palo Alto Networks (10035 / 20035) This Module provides a list of top network bandwidth consumers operating on the internal network This Module provides a list of top network bandwidth destinations This Module provides a list of top firewall policies violators This Module provides a list of most active hosts by the number of initiated connections This Module provides a list of most active applications by traffic This Module provides a list of most active applications and users by traffic VMware (vmware) Top VM:Host Pairs (10164 / 20164) Top VM Traffic Monitor (10167 / 20167) This Module reports top network conversations in VM environment This Module identifies VMs with the most traffic Utilities (service_rules) Sampling Monitor (10002 / 20002) SNMP Information Monitor (10003 / 20003) This Module reports NetFlow sampling information This Module reports SNMP information NetFlow Integrator Standard User Guide NetFlow Logic Confidential 7

9 Modules Specifications Network Traffic and Devices Monitoring All Modules report information in syslog key=value pairs format, as shown below. Top Traffic Monitor (10067 / 20067) This Module identifies hosts with the most traffic. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields: Source IP address Destination IP address Source port number Destination port number Layer 3 protocol Input interface Output interface This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header IPv4 destinationipv4address 12 4 The IPv4 destination address in the IP packet header sourceipv6address The IPv6 source address in the IP packet header IPv6 destinationipv6address The IPv6 destination address in the IP packet header NetFlow Integrator Standard User Guide NetFlow Logic Confidential 8

10 Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 7 NetFlow exporter ingress interface SNMP index NetFlow exporter egress interface SNMP index input_snmp output_snmp 8 Transport Protocol ( TCP = 6, UDP = 17) protocol 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Source host name [src_host] 2 12 Source port number src_port <string>, included when FQDN is on 13 Destination host IPv4 address dest_ip <IPv4_address> 14 Destination host IPv6 address dest_ip6 <IPv6_address> 15 Destination host name [dest_host] 2 16 Destination port number dest_port 17 Cumulative OR of TCP flags tcp_flag Packets in the flow received by the input interface Total number of Layer 3 bytes in the packets of the flow received by the input interface packets_in bytes_in <string>, included when FQDN is on 20 Inbound IP type of service src_tos 21 Outbound IP type of service dest_tos 22 Source AS src_asn 23 Destination AS dest_asn 24 Number of Flows flow_count 2 Host name field is optional and included only if FQDN Service is enabled NetFlow Integrator Standard User Guide NetFlow Logic Confidential 9

11 No Field Key Comments 25 Percent of Total (bytes) percent_of_total <decimal>, e.g % is Flow Sampler ID [flow_smpl_id] 27 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top hosts reported per min = 1, max = , NetFlow exporter default = 50 Top Host Pairs (10064 / 20064) This Module reports top Host Pairs network conversations. In contract to Module which reports consolidated unidirectional flows, this Module stitches client-server request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields. Server destination port: Source port of client hosts is not reported, and ignored while consolidating client-server communications. Destination port of server hosts is reported. The Module determines which host is a client and which is a server as follows: a server sends more traffic (bytes) than a client. This logic can be overridden by specifying the list in List of known server destination port numbers parameter. Deduplication: optionally the module can report host pairs only from authoritative router/switch. Authoritative network device is determined as follows. The Module sums up bytes, packets, and connections between two hosts over data collection interval (parameter, default = 30 sec), reported by each flow exporter. An exporter with most connections for each host pair is considered authoritative, and host pair conversations reported by all other exporters are discarded. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header IPv4 destinationipv4address 12 4 The IPv4 destination address in the IP packet header sourceipv6address The IPv6 source address in the IP packet header IPv6 NetFlow Integrator Standard User Guide NetFlow Logic Confidential 10

12 Information Element (IE) IE id IE size, B destinationipv6address The IPv6 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IPv4 address exp_ip <IPv4_address> 6 Transport Protocol ( TCP = 6, UDP = 17) protocol 7 Server IP address dest_ip <IPv4_address> 8 Server IPv6 address dest_ip6 <IPv6_address> 9 Server host name [dest_host] 3 10 Server port number [dest_port] 4 <string>, included when FQDN is on 11 Client IP address src_ip <IPv4_address> 12 Client IPv6 address src_ip6 <IPv6_address> 13 Client host name [src_host] 3 14 Packets from client to server packets_in 15 Layer 3 bytes from client to server bytes_in 16 Packets from server to client packets_out 17 Layer 3 bytes from server to client bytes_out 18 Layer 3 bytes in both directions bytes 19 Number of flows flow_count 20 Percent of Total (bytes) (Client + Server) percent_of_total 21 Flow Sampler ID [flow_smpl_id] 22 Observation time interval, msec t_int <string>, included when FQDN is on <decimal>, e.g % is Host name field is optional and included only if FQDN Service is enabled 4 Server destination port is optional NetFlow Integrator Standard User Guide NetFlow Logic Confidential 11

13 Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported host pairs The number of top host pairs reported min = 1, max = , per NetFlow exporter default = 50 List of server destination ports to be used to determine which host is a client List of known server destination and which is a server. If the list is port numbers empty, the server is the one sending e.g. 53, 80, 443 more traffic than receiving Enable(1) or disable (0) reporting by server port Enable(1) or disable (0) reporting by authoritative exporters only If set to 1, enable traffic reporting by destination port. If set to 0, dest_port field will be omitted If set to 1, the Module reports host pairs only from authoritative exporters Top Connections Monitor (10063 / 20063) default = 1 default = 0 This Module identifies hosts with the most connections. It consolidates NetFlow records over a period of time (Module execution interval) which all have the same combination of the following fields: Source IP address Destination IP address Source port number Destination port number Layer 3 protocol Input interface Output interface This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header IPv4 destinationipv4address 12 4 The IPv4 destination address in the IP packet header sourceipv6address The IPv6 source address in the IP packet header IPv6 destinationipv6address The IPv6 destination address in the IP packet header NetFlow Integrator Standard User Guide NetFlow Logic Confidential 12

14 Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 7 NetFlow exporter ingress interface SNMP index NetFlow exporter egress interface SNMP index input_snmp output_snmp 8 Transport Protocol ( TCP = 6, UDP = 17) protocol 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Source host name [src_host] 5 12 Source port number src_port <string>, included when FQDN is on 13 Destination host IPv4 address dest_ip <IPv4_address> 14 Destination host IPv6 address dest_ip6 <IPv6_address> 15 Destination host name [dest_host] 5 16 Destination port number dest_port 17 Cumulative OR of TCP flags tcp_flag Packets in the flow received by the input interface Total number of Layer 3 bytes in the packets of the flow received by the input interface packets_in bytes_in <string>, included when FQDN is on 20 Inbound IP type of service src_tos 21 Outbound IP type of service dest_tos 22 Source AS src_asn 23 Destination AS dest_asn 24 Number of Flows flow_count 5 Host name field is optional and included only if FQDN Service is enabled NetFlow Integrator Standard User Guide NetFlow Logic Confidential 13

15 No Field Key Comments 25 Percent of Total (flow_count) percent_of_total <decimal>, e.g % is Flow Sampler ID [flow_smpl_id] 27 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top hosts reported per min = 1, max = , default NetFlow exporter = 50 Top Packets Monitor (10068 / 20068) This Module identifies hosts with the most packets. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields: Source IP address Destination IP address Source port number Destination port number Layer 3 protocol Input interface Output interface This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header IPv4 destinationipv4address 12 4 The IPv4 destination address in the IP packet header sourceipv6address The IPv6 source address in the IP packet header IPv6 destinationipv6address The IPv6 destination address in the IP packet header NetFlow Integrator Standard User Guide NetFlow Logic Confidential 14

16 Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 7 NetFlow exporter ingress interface SNMP index NetFlow exporter egress interface SNMP index input_snmp output_snmp 8 Transport Protocol ( TCP = 6, UDP = 17) protocol 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Source host name [src_host] 6 12 Source port number src_port <string>, included when FQDN is on 13 Destination host IPv4 address dest_ip <IPv4_address> 14 Destination host IPv6 address dest_ip6 <IPv6_address> 15 Destination host name [dest_host] 6 16 Destination port number dest_port 17 Cumulative OR of TCP flags tcp_flag Packets in the flow received by the input interface Total number of Layer 3 bytes in the packets of the flow received by the input interface packets_in bytes_in <string>, included when FQDN is on 20 Inbound IP type of service src_tos 21 Outbound IP type of service dest_tos 22 Source AS src_asn 23 Destination AS dest_asn 24 Number of Flows flow_count 6 Host name field is optional and included only if FQDN Service is enabled NetFlow Integrator Standard User Guide NetFlow Logic Confidential 15

17 No Field Key Comments 25 Percent of Total (packets) percent_of_total <decimal>, e.g % is Flow Sampler ID [flow_smpl_id] 27 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top hosts reported per min = 1, max = , NetFlow exporter default = 50 Network Subnets Monitor (10011 / 20011) This Module reports top bandwidth consumers for each monitored subnet. This information is provided per NetFlow exporter and monitored subnet. Input NetFlow v5, v9, IPFIX, and Cisco ASA NSEL. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address or The IPv4 or IPv6 source address in the IP packet 8 or 27 4 or 16 sourceipv6address header destinationipv4address or The IPv4 or IPv6 destination address in the IP packet 12 or 28 4 or 16 destinationipv6address header The value of the protocol number in the IP packet protocolidentifier 4 1 header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 Subnet IPv4 subnet <IPv4_address> NetFlow Integrator Standard User Guide NetFlow Logic Confidential 16

18 No Field Key Comments 7 Subnet IPv6 subnet <IPv6_address> 8 Mask mask 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Transport Protocol ( TCP = 6, UDP = 17) protocol 12 Bytes Out (Traffic) bytes_out 13 Bytes In (Traffic) bytes_in 14 Packets Out count packets_out 15 Packets In count packets_in 16 Number of flows flow_count < number> 17 Percent of Total Traffic of the Source Host within Subnet percent_of_total 18 Observation time interval, msec t_int Parameters <decimal>, e.g % is Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 10 sec, max = 600 sec, default = 30 sec Monitored subnet IPv4 address and subnet mask List of the watched subnets IPv4 addresses and masks (CIDR notation) e.g / 18; / 24 Monitored subnet IPv6 address List of the watched subnets IPv6 and subnet mask addresses and masks (CIDR notation) e.g. 2620:0:2d0:200::7/24 N number of reported hosts Top N (number of reported hosts per min = 1, max = , subnet) default = 50 TCP Health (10060 / 20060) This Module reports TCP Health by detecting top hosts with the most TCP Resets. Top hosts are defined by percent of TCP resets to the total number of Resets for definitive NetFlow exporter or by percent of TCP resets to the total number of host s connections. This information is provided by a definitive NetFlow exporter. Input NetFlow v5, v9, IPFIX, and Palo Alto Networks NetFlow v9. sflow and sampled NetFlow are specifically excluded from processing by this Module. Cisco ASA NSEL is not supported by this Module as it does not have TCP flags. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 17

19 Syslog message fields - Hosts No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= Source host IPv4 address src_ip <IPv4_address> 6 Source host IPv6 address src_ip6 <IPv6_address> 7 Source host name [src_host] 7 8 Count of Resets reset_count 9 10 Percent of the total number of resets sent by source host Percent of the resets to the total number of the source host connections total_share local_share <string>, included when FQDN is on 11 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N - reporting threshold in percent min = 0 %, max = 100 %, % of Total Resets of total resets number default = 10 % N - reporting threshold in percent min = 0 %, max = 100 %, of resets to the number of host % of Resets to local host connections default = 50 % connections Traffic by CBQoS (10065 / 20065) This Module reports traffic for all DSCP bits combinations (QoS). This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Palo Alto Networks NetFlow v9. 7 Host name field is optional and included only if FQDN Service is enabled NetFlow Integrator Standard User Guide NetFlow Logic Confidential 18

20 Required NetFlow fields Information Element (IE) IE id IE size, B octetdeltacount 1 4 or 8 The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. packetdeltacount 2 4 or 8 The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 Transport Protocol ( TCP = 6, UDP = 17) protocol 7 Inbound IP type of service src_tos 8 Outbound IP type of service dest_tos 9 Packets received in the QoS class flows packets_in Total number of Layer 3 bytes received in the QoS class flows Number of flows received in the QoS class flows Percent of Total (bytes) of all bytes received by the exporter bytes_in flow_count percent_of_total 13 Flow Sampler ID [flow_smpl_id] 14 Observation time interval, msec t_int <decimal>, e.g % is Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec NetFlow Integrator Standard User Guide NetFlow Logic Confidential 19

21 Traffic by Autonomous Systems (10066 / 20066) This Module reports traffic by all Autonomous Systems (AS). This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX. Required NetFlow fields Information Element (IE) IE id IE size, B octetdeltacount 1 4 or 8 The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. packetdeltacount 2 4 or 8 The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 Source AS src_asn 7 Destination AS dest_asn 8 9 Total number of Layer 3 bytes in the packets of the flow received (IPv4) Total number of Layer 3 bytes in the packets of the flow received (IPv6) bytes bytes6 10 Packets in the flow received (IPv4) packets 11 Packets in the flow received (IPv6) packets6 12 Number of Flows flow_count 13 Percent of Total (bytes) percent_of_total <decimal> 14 Flow Sampler ID [flow_smpl_id] 15 Observation time interval, msec t_int NetFlow Integrator Standard User Guide NetFlow Logic Confidential 20

22 Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top ASN pairs reported min = 1, max = , per NetFlow exporter default = 50 Enhanced Traffic Monitor This package contains an enhanced version of Top Traffic Monitor Module It reports Reputation and Geo locations of source and destination hosts. Top Traffic Monitor (10967 / 20967) This Module identifies hosts with the most traffic. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields: Source IP address Destination IP address Source port number Destination port number Layer 3 protocol Input interface Output interface This information is provided per NetFlow exporter. Reputation field is provided as follows: Watch list Known malicious hosts list must be specified. The Module checks if destination IP is in this watch list; if yes, the reputation value is provided, and the rep_ip field is populated with destination IP address. If not, the source IP is checked, the reputation value is populated, and rep_ip field is populated with the source IP. Country codes for both source IP and destination IP are provided based on IPv4 address block and country code watch list. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header IPv4 destinationipv4address 12 4 The IPv4 destination address in the IP packet header NetFlow Integrator Standard User Guide NetFlow Logic Confidential 21

23 Information Element (IE) IE id IE size, B IPv6 sourceipv6address The IPv6 source address in the IP packet header destinationipv6address The IPv6 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 7 NetFlow exporter ingress interface SNMP index NetFlow exporter egress interface SNMP index input_snmp output_snmp 8 Transport Protocol ( TCP = 6, UDP = 17) protocol 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Source host name [src_host] 8 12 Source port number src_port <string>, included when FQDN is on 13 Destination host IPv4 address dest_ip <IPv4_address> 14 Destination host IPv6 address dest_ip6 <IPv6_address> 15 Destination host name [dest_host] 8 16 Destination port number dest_port 17 Cumulative OR of TCP flags tcp_flag Packets in the flow received by the input interface Total number of Layer 3 bytes in the packets of the flow received by the input interface packets_in bytes_in <string>, included when FQDN is on 20 Inbound IP type of service src_tos 8 Host name field is optional and included only if FQDN Service is enabled NetFlow Integrator Standard User Guide NetFlow Logic Confidential 22

24 No Field Key Comments 21 Outbound IP type of service dest_tos 22 Source AS src_asn 23 Destination AS dest_asn 24 Number of Flows flow_count 25 Percent of Total (bytes) percent_of_total 26 Flow Sampler ID [flow_smpl_id] 27 Reputation: [reputation] 9 28 Reputation IP [rep_ip] 9 29 Source IP country code [src_cc] Destination IP country code [dest_cc] Observation time interval, msec t_int Parameters <decimal>, e.g % is <string>: "Unexpected Host Reputation Classifier" "Scanning Host" "Malware Domain" "Malware IP" "Spamming" "C&C" "Malicious Host" "Malware distribution" "APT" Actual IP address (source or destination) found in Reputation database ISO Alpha 2 country code (a two-character country designation, e.g. US) ISO Alpha 2 country code (a two-character country designation, e.g. US) Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top hosts reported per min = 1, max = , NetFlow exporter default = 50 Known malicious hosts list List of known malicious peers AlienVault Reputation database (OTX) IPv4 address block and country code Mapping of country codes to IP addresses blocks This list is updated by NFI Updater, which uses the MaxMind GeoLite Country database as a source 9 This field is omitted if no match of source or destination IP is found in Reputation database 10 This field is omitted if no MaxMind database is setup NetFlow Integrator Standard User Guide NetFlow Logic Confidential 23

25 Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper This package contains a Module for Blue Coat PacketShaper-2 Flow Data. Network Bandwidth Consumption Monitor (10964 / 20964) This Module reports network bandwidth consumption by pairs of network users per application kind per PacketShaper instance. The Module consolidates per application kind information based on network conversations, where a network conversation is a series of network traffic exchanges between two network hosts executing that application. Network conversation attributes are user configurable and may include source and destination IP addresses and source and destination transport layer ports. Optionally, the user may provide a list of known ports by which the server side of a network conversation may be determined. In a case when a list of ports is not provided or when the ports are not present in the provided list the Module makes a best effort determination of the server side by assuming that a party which sent most traffic is the server. The Module classifies applications by the PacketShaper ClassId field found in the Packeteer-2 messages. The Module determines a corresponding application name by dereferencing a list of application names distinguished by the respective ClassId values. The user has the ability to control Module s output by specifying treatment of the input Packeteer-2 records which ClassId is not present in the PacketShaper ClassId - Application Name mapping table. Unclassified records may either be discarded or processed normally and supplied a default application name such as unknown. Input Flow records in the Blue Coat PacketShaper Packeteer-2 format. Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= PacketShaper instance IPv4 address exp_ip <IPv4_address> NetFlow Integrator Standard User Guide NetFlow Logic Confidential 24

26 20 No Field Key Comments 6 PacketShaper application ClassId class_id 7 PacketShaper application name application <string> 8 Server IPv4 address dest_ip <IPv4_address> 9 Server host name [dest_host] Server transport layer port number [dest_port] <string>, included when NFI FQDN service is enabled 11 Client IPv4 address src_ip <IPv4_address> 12 Client host name [src_host] 13 Client transport layer port number [src_port] 14 Packets sent from the client to the server packets_in 15 Layer 3 bytes from the client to the server bytes_in 16 Packets from the server to the client packets_out 17 Layer 3 bytes from the server to the client bytes_out 18 Number of observed flows flow_count 19 Percent of total traffic produced by this host pair per application during current data collection interval percent_of_total Observation time interval, msec t_int <string>, included when NFI FQDN service is enabled <floating point decimal> Parameters Parameter Name Comments Time-based Rule invocation min = 5 sec, max = 600 sec, Module reporting interval interval, sec default = 30 sec A number of unique communicating host pairs reported per application per N - The number of unique host pairs per min = 1, max = , PacketShaper instance. The application kind to report default = 50 host pairs are reported in the descending order by traffic volume. List of known server destination port numbers A list of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one sending more traffic than receiving e.g. 53, 80, Optional message fields are enclosed in square brackets NetFlow Integrator Standard User Guide NetFlow Logic Confidential 25

27 Parameter Name Comments If set to 1, enable traffic reporting by destination port. If set to 0, dest_port field in the output Enable(1) or disable (0) reporting by the syslog message is omitted. server port Turning this parameter on or off default = 0 does not affect the number of unique host pairs output by the module. Enable(1) or disable (0) reporting by the client port If set to 1, enable traffic reporting by source port. If set to 0, src_port field the output syslog message is omitted. Turning this parameter on or off does not affect the number of unique host pairs output by the module. default = 0 List of PacketShaper ClassId values and corresponding Application names Report information for a user-defined subset of applications (1) or for all applications (0) A list of PacketShaper ClassId and Application name If set to 1, drop Packeteer-2 records with unknown ClassId. Report all network conversations otherwise. e.g. 2525, /Outbound/AOL-AIM- ICQ default = 0 Security Hosts Geographical Location Monitor (10040 / 20040) This Module identifies hosts with most traffic, and reports them with their geographical locations. This Module uses an IPv4 address blocks to geographical locations mapping database provided by MaxMind GeoLite Country - to find geographical locations of the connecting hosts. The GeoIP database contains approximately 100K entries. The GeoLite Country database update frequency is one month. A commercial version of the MaxMind GeoIP database is updated every other day. Use Updater feature of NetFlow Integrator for initial load and periodic updates of this list. Besides a GeoIP database the Module has two other optional watch lists: List of monitored localities: Alpha-2 codes per ISO ( List of watched local subnets: CIDR notation The Module is using local subnets list to resolve inbound and outbound traffic, and reports it separately (field direction=ingress or direction=egress in syslog). NetFlow Integrator Standard User Guide NetFlow Logic Confidential 26

28 In inbound traffic report the source IPv4 address is an IPv4 address of a host with most traffic in a geographic locality, and the destination IPv4 address is an IPv4 address of an internal host. In outbound traffic report the source IPv4 address is an IPv4 address of an internal host, and the destination IPv4 address is an IPv4 address of a host with most traffic in an outbound geographic locality. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9 Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IPv4 address exp_ip <IPv4_address> 6 Source host IPV4 address src_ip <IPv4_address> 7 Destination host IPv4 address dest_ip <IPv4_address> 8 Traffic direction direction <string>: egress ingress 9 Country code cc 10 Number of flows flow_count < number> 11 Bytes total (Traffic) bytes 12 Observation time interval, msec t_int ISO Alpha 2 country code (a two-character country designation, e.g. US) Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 10 sec, max = 600 sec, default = 30 sec List of monitored localities List of two letter country codes e.g. AQ, US, GB NetFlow Integrator Standard User Guide NetFlow Logic Confidential 27

29 Parameter Name Comments e.g / 18; List of the watched subnets IPv / 24 addresses and masks (CIDR notation) default = / 0 List of watched local subnets and hosts IPv4 address block and country code Mapping of country codes to IP addresses blocks Botnet Command and Control Traffic Monitor (10050 / 20050) This list is updated by NFI Updater, which uses the MaxMind GeoLite Country database as a source This Module monitors traffic originated from known Command and Control hosts (C&C) or directed to these hosts. The list of IP addresses of C&C hosts is obtained from the list published by Emerging Threats ( company: List of known C&C servers: The Module reports all communications of internal hosts with C&C list, and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable. Use Updater feature of NetFlow Integrator for initial load and periodic updates of this threat list. 12 Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header sourcetransportport 7 2 destinationtransportport 11 2 octetdeltacount 1 4 or 8 The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. 12 Please contact support@netflowlogic.com if you want to use your own feeds. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 28

30 Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IPv4 address exp_ip <IPv4_address> 6 Source host IPV4 address src_ip <IPv4_address> 7 Source port src_port 8 Destination host IPv4 address dest_ip <IPv4_address> 9 Destination port dest_port 10 Number of flows flow_count < number> 11 Bytes total (Traffic) bytes 12 Minimum bytes count of flows min_bytes 13 Maximum bytes count of flows max_bytes 14 Flow direction direction <string>: ingress or egress 15 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 10 sec, max = 300 sec, default = 30 sec Shadowserver C&C list from Known C&C hosts List of C&C IPv4 addresses Emerging Threats. This list is (ipv4_dst_addr) list updated by NFI Updater APT1 Monitor (10051 / 20051) This Module monitors traffic originated from known APT1 hosts and IP blocks identified in Mandiant APT1 report ( The Mandiant APT1 report has not been updated since This Module is obsolete and no longer supported. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 29

31 Host Reputation Monitor (10052 / 20052) This Module uses a host reputation database from Alienvault ( to report communications with malicious peers. The reputation table provides a suspicious host IPv4 address and one or more host classifications (e.g. Scanning Host, Malicious Host, Malware Domain). The host reputation database size is approximately 260K entries. The Module reports all communications of internal hosts with the hosts included in the reputation database and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable. Use Updater feature of NetFlow Integrator for initial load and periodic updates of this threat list from Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header sourcetransportport 7 2 destinationtransportport 11 2 octetdeltacount 1 4 or 8 Syslog message fields The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IPv4 address exp_ip <IPv4_address> 6 Source host IPV4 address src_ip <IPv4_address> NetFlow Integrator Standard User Guide NetFlow Logic Confidential 30

NetFlow Integrator Standard

NetFlow Integrator Standard NetFlow Integrator Standard User Guide Version 2.4.2 (Build 2.4.2.0.11) November 2015 Copyright 2012, 2013 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents About this Guide...

More information

NetFlow Optimizer. User Guide. Version (Build ) May 2017

NetFlow Optimizer. User Guide. Version (Build ) May 2017 NetFlow Optimizer User Guide Version 2.4.9 (Build 2.4.9.0.3) May 2017 Copyright 2012-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents About this Guide... 3

More information

NetFlow Optimizer. User Guide. Version (Build X) November 2017

NetFlow Optimizer. User Guide. Version (Build X) November 2017 NetFlow Optimizer User Guide Version 2.5.0 (Build 2.5.0.0.X) November 2017 Copyright 2012-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents About this Guide...

More information

Network Operations Analytics

Network Operations Analytics Network Operations Analytics Solution Guide Version 2.4.4 (Build 2.4.4.0.x) June 2016 Copyright 2012-2016 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 2 Solution

More information

NetFlow Optimizer. Overview. Version (Build ) May 2017

NetFlow Optimizer. Overview. Version (Build ) May 2017 NetFlow Optimizer Overview Version 2.4.9 (Build 2.4.9.0.3) May 2017 Copyright 2013-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents About NetFlow Optimizer...

More information

NetFlow Analytics for Splunk

NetFlow Analytics for Splunk NetFlow Analytics for Splunk User Manual Version 3.8.x May 2018 Copyright 2012-2018 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Table of Contents Introduction... 3

More information

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to

More information

FlowIntegrator. Integrating Flow Technologies with Mainstream Event Management Systems. Sasha Velednitsky

FlowIntegrator. Integrating Flow Technologies with Mainstream Event Management Systems. Sasha Velednitsky FlowIntegrator Integrating Flow Technologies with Mainstream Event Management Systems Sasha Velednitsky svelednitsky@netflowlogic.com NetFlow Logic Corporation January 2012 Problem Network infrastructure

More information

Compare Security Analytics Solutions

Compare Security Analytics Solutions Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch

More information

Trisul Network Analytics - Traffic Analyzer

Trisul Network Analytics - Traffic Analyzer Trisul Network Analytics - Traffic Analyzer Using this information the Trisul Network Analytics Netfllow for ISP solution provides information to assist the following operation groups: Network Operations

More information

V2P Network Visibility

V2P Network Visibility V2P Network Visibility Solution Guide Version 2.4.9 (Build 2.4.9.0.X) May 2017 Copyright 2012-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents Overview...

More information

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track Using NetFlow Filtering or Sampling to Select the Network Traffic to Track First Published: June 19, 2006 Last Updated: December 17, 2010 This module contains information about and instructions for selecting

More information

HPE Security ArcSight Connectors

HPE Security ArcSight Connectors HPE Security ArcSight Connectors SmartConnector for IP Flow (NetFlow/J-Flow) Configuration Guide October 17, 2017 SmartConnector for IP Flow (NetFlow/J-Flow) October 17, 2017 Copyright 2004 2017 Hewlett

More information

Introduction to Netflow

Introduction to Netflow Introduction to Netflow Campus Network Design & Operations Workshop These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)

More information

Using NetFlow Sampling to Select the Network Traffic to Track

Using NetFlow Sampling to Select the Network Traffic to Track Using NetFlow Sampling to Select the Network Traffic to Track This module contains information about and instructions for selecting the network traffic to track through the use of NetFlow sampling. The

More information

Zone-Based Firewall Logging Export Using NetFlow

Zone-Based Firewall Logging Export Using NetFlow Zone-Based Firewall Logging Export Using NetFlow Zone-based firewalls support the logging of messages to an external collector using NetFlow Version 9 export format. NetFlow Version 9 export format uses

More information

Implementing Access Lists and Prefix Lists

Implementing Access Lists and Prefix Lists An access control list (ACL) consists of one or more access control entries (ACE) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR softwarefeatures

More information

Network Management and Monitoring

Network Management and Monitoring Network Management and Monitoring Introduction to Netflow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

AVC Configuration. Unified Policy CLI CHAPTER

AVC Configuration. Unified Policy CLI CHAPTER CHAPTER 3 Revised: February 7, 2013, This chapter addresses AVC configuration and includes the following topics: Unified Policy CLI, page 3-1 Metric Producer Parameters, page 3-2 Reacts, page 3-2 NetFlow/IPFIX

More information

Flow Sampling for ASR1K

Flow Sampling for ASR1K LIVEACTION, INC. Flow Sampling for ASR1K CONFIGURATION LiveAction, Inc. 3500 Copyright WEST BAYSHORE 2016 LiveAction, ROAD Inc. All rights reserved. LiveAction, LiveNX, LiveUX, the LiveAction Logo and

More information

Configuring Access Rules

Configuring Access Rules Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule

More information

Using Centralized Security Reporting

Using Centralized  Security Reporting This chapter contains the following sections: Centralized Email Reporting Overview, on page 1 Setting Up Centralized Email Reporting, on page 2 Working with Email Report Data, on page 4 Understanding the

More information

Monitoring and Analysis

Monitoring and Analysis CHAPTER 3 Cisco Prime Network Analysis Module 5.1 has two types of dashboards: One type is the summary views found under the Monitor menu, and the other type is the over time views found under the Analyze

More information

Using NetFlow Sampling to Select the Network Traffic to Track

Using NetFlow Sampling to Select the Network Traffic to Track Using NetFlow Sampling to Select the Network Traffic to Track Last Updated: September 17, 2012 This module contains information about and instructions for selecting the network traffic to track through

More information

Covert channel detection using flow-data

Covert channel detection using flow-data Covert channel detection using flow-data Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using flow-data

More information

Configuring Application Visibility and Control for Cisco Flexible Netflow

Configuring Application Visibility and Control for Cisco Flexible Netflow Configuring Application Visibility and Control for Cisco Flexible Netflow First published: July 22, 2011 This guide contains information about the Cisco Application Visibility and Control feature. It also

More information

Configuring NetFlow and NetFlow Data Export

Configuring NetFlow and NetFlow Data Export Configuring NetFlow and NetFlow Data Export This module contains information about and instructions for configuring NetFlow to capture and export network traffic data. NetFlow capture and export are performed

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

Detecting and Analyzing Network Threats With NetFlow

Detecting and Analyzing Network Threats With NetFlow Detecting and Analyzing Network Threats With NetFlow First Published: June 19, 2006 Last Updated: October 02, 2009 This document contains information about and instructions for detecting and analyzing

More information

Configuring AVC to Monitor MACE Metrics

Configuring AVC to Monitor MACE Metrics This feature is designed to analyze and measure network traffic for WAAS Express. Application Visibility and Control (AVC) provides visibility for various applications and the network to central network

More information

Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter CHAPTER 54 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary

More information

External Logging. Bulk Port Allocation. Restrictions for Bulk Port Allocation

External Logging. Bulk Port Allocation. Restrictions for Bulk Port Allocation External logging configures ex and logging of table entries, private bindings that are associated with a particular global IP, and to use Netflow to ex table entries., page 1 Session logging, page Syslog,

More information

Information about Network Security with ACLs

Information about Network Security with ACLs This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Finding Feature Information,

More information

Detecting and Analyzing Network Threats With NetFlow

Detecting and Analyzing Network Threats With NetFlow Detecting and Analyzing Network Threats With NetFlow This document contains information about and instructions for detecting and analyzing network threats such as denial of service attacks (DoS) through

More information

Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter CHAPTER 46 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, on page 1 Uses for Host, Application, and User Discovery and Identity

More information

Scrutinizer Flow Analytics

Scrutinizer Flow Analytics Scrutinizer Flow Analytics TM Scrutinizer Flow Analytics Scrutinizer Flow Analytics is an expert system that highlights characteristics about the network. It uses flow data across dozens or several hundred

More information

Configuring NetFlow and NetFlow Data Export

Configuring NetFlow and NetFlow Data Export This module contains information about and instructions for configuring NetFlow to capture and export network traffic data. NetFlow capture and export are performed independently on each internetworking

More information

Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter CHAPTER 51 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary

More information

How the Internet sees you

How the Internet sees you IBM Research Zurich How the Internet sees you Demonstrating what activities most ISPs see you doing on the Internet Jeroen Massar 2010 IBM Corporation Network of networks You 2 CCC

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

Configuring NetFlow. Feature History for Configuring NetFlow. Release This feature was introduced.

Configuring NetFlow. Feature History for Configuring NetFlow. Release This feature was introduced. Configuring NetFlow A NetFlow flow is a unidirectional sequence of packets that arrive on a single interface (or subinterface), and have the same values for key fields. NetFlow is useful for the following:

More information

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track Using NetFlow Filtering or Sampling to Select the Network Traffic to Track Last Updated: December 7, 2011 This module contains information about and instructions for selecting the network traffic to track

More information

FlowMonitor for WhatsUp Gold v16.3 User Guide

FlowMonitor for WhatsUp Gold v16.3 User Guide FlowMonitor for WhatsUp Gold v16.3 User Guide Contents Flow Monitor Overview Welcome to WhatsUp Gold Flow Monitor... 1 What is Flow Monitor?... 2 How does Flow Monitor work?... 2 Flow Monitor System requirements...

More information

Monitoring and Threat Detection

Monitoring and Threat Detection Monitoring and Threat Detection with Netflow Michael Belan Consulting Systems Engineer Cisco GSSO January 2017 AGENDA What is SW? Where does it fit in overall Cisco Security framework? What is SW? What

More information

IP Multicast Traffic Measurement Method with IPFIX/PSAMP. Atsushi Kobayashi Yutaka Hirokawa Haruhiko Nishida NTT

IP Multicast Traffic Measurement Method with IPFIX/PSAMP. Atsushi Kobayashi Yutaka Hirokawa Haruhiko Nishida NTT IP Multicast Traffic Measurement Method with /PSAMP Atsushi Kobayashi Yutaka Hirokawa Haruhiko Nishida NTT 1 Outline Introduction Motivation Requirements Main requirements for measurement system in largescale

More information

Accessing SGM Data from a Web Browser

Accessing SGM Data from a Web Browser CHAPTER 7 Accessing SGM Data from a Web Browser This chapter provides information about accessing SGM data from the SGM server home page, using a Web browser. This chapter includes the following sections:

More information

Configuring Data Export for Flexible NetFlow with Flow Exporters

Configuring Data Export for Flexible NetFlow with Flow Exporters Configuring Data Export for Flexible NetFlow with Flow Exporters Last Updated: November 29, 2012 This document contains information about and instructions for configuring flow exporters to export Flexible

More information

NetFlow Traffic Analyzer

NetFlow Traffic Analyzer ADMINISTRATOR GUIDE NetFlow Traffic Analyzer Version 4.4 Last Updated: Friday, June 15, 2018 2018 SolarWinds Worldwide, LLC. All rights reserved. This document may not be reproduced by any means nor modified,

More information

SteelCentral NPM. NetProfiler, NetShark, Flow Gateway & Packet Analyzer. December 2015

SteelCentral NPM. NetProfiler, NetShark, Flow Gateway & Packet Analyzer. December 2015 SteelCentral NPM NetProfiler, NetShark, Flow Gateway & Packet Analyzer December 2015 IT Ops Network Ops App Ops DevOps LOB Unified Performance Visibility Single Performance Management Interface Real-Time,

More information

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security Pavel Minařík, Chief Technology Officer Neutral Peering Days 2018, The Hague Your customers depend on your

More information

Configuring Cisco Mediatrace

Configuring Cisco Mediatrace This chapter contains information about and instructions for configuring Cisco Mediatrace. Cisco Mediatrace enables you to isolate and troubleshoot network degradation problems for data streams. Although

More information

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration [ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a

More information

BIG-IP Local Traffic Management: Basics. Version 12.1

BIG-IP Local Traffic Management: Basics. Version 12.1 BIG-IP Local Traffic Management: Basics Version 12.1 Table of Contents Table of Contents Introduction to Local Traffic Management...7 About local traffic management...7 About the network map...7 Viewing

More information

Configuring Cisco Performance Monitor

Configuring Cisco Performance Monitor This document contains information about and instructions for configuring Cisco Performance Monitor. Finding Feature Information, page 1 Information About Cisco Performance Monitor, page 1 Restrictions

More information

Quality of Service. Understanding Quality of Service

Quality of Service. Understanding Quality of Service The following sections describe support for features on the Cisco ASR 920 Series Router. Understanding, page 1 Configuring, page 2 Global QoS Limitations, page 2 Classification, page 3 Marking, page 6

More information

This chapter describes how to configure NetFlow Data Export (NDE).

This chapter describes how to configure NetFlow Data Export (NDE). 51 CHAPTER This chapter describes how to configure NetFlow Data Export (NDE). Note For complete syntax and usage information for the commands used in this chapter, refer to these publications: The Cisco

More information

Administration of Symantec Cyber Security Services (July 2015) Sample Exam

Administration of Symantec Cyber Security Services (July 2015) Sample Exam Administration of Symantec Cyber Security Services (July 2015) Sample Exam Contents SAMPLE QUESTIONS... 1 ANSWERS... 6 Sample Questions 1. Which DeepSight Intelligence Datafeed can be used to create a

More information

NetFlow Traffic Analyzer

NetFlow Traffic Analyzer GETTING STARTED GUIDE NetFlow Traffic Analyzer Version 4.2.3 Last Updated: Wednesday, October 11, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/netflow_traffic_analyzer_(nta)/nta_documentation

More information

Monitoring network bandwidth on routers and interfaces; Monitoring custom traffic on IP subnets and IP subnets groups; Monitoring end user traffic;

Monitoring network bandwidth on routers and interfaces; Monitoring custom traffic on IP subnets and IP subnets groups; Monitoring end user traffic; NetVizura NetFlow Analyzer enables you to collect, store and analyze network traffic data by utilizing Cisco NetFlow, IPFIX, NSEL, sflow and compatible netflow-like protocols. It allows you to visualize

More information

NetFlow Basics and Deployment Strategies

NetFlow Basics and Deployment Strategies NetFlow Basics and Deployment Strategies Section 1 The Need for Flow Analysis... 1 Section 2 How does NetFlow Work?... 1 The NetFlow Cache... 2 The NetFlow Data Exporter (NDE)... 4 Section 3 - The NetFlow

More information

Advanced Application Reporting USER GUIDE

Advanced Application Reporting USER GUIDE Advanced Application Reporting USER GUIDE CONTENTS 1.0 Preface: About This Document 5 2.0 Conventions 5 3.0 Chapter 1: Introducing Advanced Application Reporting 6 4.0 Features and Benefits 7 5.0 Product

More information

Internet Security: Firewall

Internet Security: Firewall Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

Configuring sflow. Information About sflow. sflow Agent. This chapter contains the following sections:

Configuring sflow. Information About sflow. sflow Agent. This chapter contains the following sections: This chapter contains the following sections: Information About sflow, page 1 Licensing Requirements, page 2 Prerequisites, page 2 Guidelines and Limitations for sflow, page 2 Default Settings for sflow,

More information

NetFlow Monitoring. NetFlow Monitoring

NetFlow Monitoring. NetFlow Monitoring , page 1 NetFlow Limitations, page 2 Creating a Flow Record Definition, page 3 Viewing Flow Record Definitions, page 4 Defining the Exporter Profile, page 4 Creating a Flow Collector, page 5 Creating a

More information

Configuring Data Export for Flexible NetFlow with Flow Exporters

Configuring Data Export for Flexible NetFlow with Flow Exporters Configuring Data Export for Flexible NetFlow with Flow Exporters Last Updated: September 4, 2012 This document contains information about and instructions for configuring flow exporters to export Flexible

More information

Traffic and Performance Visibility for Cisco Live 2010, Barcelona

Traffic and Performance Visibility for Cisco Live 2010, Barcelona Traffic and Performance Visibility for Cisco Live 2010, Barcelona Background Cisco Live is Cisco's annual premier education and training event for IT, networking, and communications professionals. Cisco

More information

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect Introduction Security has an increased focus from ALL businesses, whether they

More information

BIG-IP Network Firewall: Policies and Implementations. Version 13.0

BIG-IP Network Firewall: Policies and Implementations. Version 13.0 BIG-IP Network Firewall: Policies and Implementations Version 13.0 Table of Contents Table of Contents About the Network Firewall...9 What is the BIG-IP Network Firewall?...9 About firewall modes... 9

More information

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097 Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Dr. Nils

More information

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097 Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Chapter 7 - Network Measurements Introduction Architecture & Mechanisms

More information

Comodo Dome Shield - Admin Guide

Comodo Dome Shield - Admin Guide rat Comodo Dome Shield Software Version 1.16 Administrator Guide Guide Version 1.16.062718 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo Dome

More information

IP Access List Overview

IP Access List Overview Access control lists (ACLs) perform packet filtering to control which packets move through a network and to where. The packet filtering provides security by helping to limit the network traffic, restrict

More information

Comodo Dome Shield. Administrator Guide Guide Version Software Version 2.4. Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Comodo Dome Shield. Administrator Guide Guide Version Software Version 2.4. Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 rat Comodo Dome Shield Software Version 2.4 Administrator Guide Guide Version 2.4.032019 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo Dome Shield...3

More information

Aruba 8320 Configuring ACLs and Classifier Policies Guide for ArubaOS- CX 10.00

Aruba 8320 Configuring ACLs and Classifier Policies Guide for ArubaOS- CX 10.00 Aruba 8320 Configuring ACLs and Classifier Policies Guide for ArubaOS- CX 10.00 Part Number: 5200-4710a Published: April 2018 Edition: 2 Copyright 2018 Hewlett Packard Enterprise Development LP Notices

More information

McAfee Network Security Platform 9.1

McAfee Network Security Platform 9.1 9.1.7.15-9.1.5.9 Manager-NS-series Release Notes McAfee Network Security Platform 9.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues

More information

Monitoring Data CHAPTER

Monitoring Data CHAPTER CHAPTER 4 The Monitor tab provides options for viewing various types of monitored data. There are options for: Overview of Data Collection and Data Sources, page 4-2 Viewing the Monitor Overview Charts,

More information

Cisco Catalyst 6500 Supervisor Engine 2T: NetFlow Enhancements

Cisco Catalyst 6500 Supervisor Engine 2T: NetFlow Enhancements Cisco Catalyst 6500 Supervisor Engine 2T: NetFlow Enhancements White Paper March 5, 2011 Contents Overview... 3 NetFlow Introduction... 3 Sup2T Increased NetFlow Scalability... 6 Egress NetFlow... 7 Sampled

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Active Flow Monitoring Version 9 Modified: 2017-01-18 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All

More information

IPv6 Sampled NetFlow feature was introduced. Destination-based Netflow Accounting feature was introduced.

IPv6 Sampled NetFlow feature was introduced. Destination-based Netflow Accounting feature was introduced. A NetFlow flow is a unidirectional sequence of packets that arrive on a single interface (or subinterface), and have the same values for key fields. NetFlow is useful for the following: Accounting/Billing

More information

System Requirements. Things to Consider Before You Install Foglight NMS. Host Server Hardware and Software System Requirements

System Requirements. Things to Consider Before You Install Foglight NMS. Host Server Hardware and Software System Requirements System Requirements This section contains information on the minimum system requirements for Foglight NMS. Before you can begin to download Foglight NMS, you must make sure that your computer meets the

More information

Monitoring Data CHAPTER

Monitoring Data CHAPTER CHAPTER 4 The Monitor tab provides options to view various types of monitored data. There are options for: Viewing the Monitor Overview Charts, page 4-9 Viewing Application Data, page 4-12 Viewing Voice

More information

Internet Engineering Task Force (IETF) Request for Comments: November 2012

Internet Engineering Task Force (IETF) Request for Comments: November 2012 Internet Engineering Task Force (IETF) Request for Comments: 6759 Category: Informational ISSN: 2070-1721 B. Claise P. Aitken N. Ben-Dvora Cisco Systems, Inc. November 2012 Cisco Systems Export of Application

More information

This chapter describes how to configure NetFlow Data Export (NDE).

This chapter describes how to configure NetFlow Data Export (NDE). 56 CHAPTER This chapter describes how to configure NetFlow Data Export (NDE). Note For complete syntax and usage information for the commands used in this chapter, see these publications: The Cisco IOS

More information

vrealize Operations Management Pack for NSX for vsphere 2.0

vrealize Operations Management Pack for NSX for vsphere 2.0 vrealize Operations Management Pack for NSX for vsphere 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco

More information

BIG-IP Analytics: Implementations. Version 13.1

BIG-IP Analytics: Implementations. Version 13.1 BIG-IP Analytics: Implementations Version 13.1 Table of Contents Table of Contents Setting Up Application Statistics Collection...5 What is Analytics?...5 About HTTP Analytics profiles... 5 Overview:

More information

General Firewall Configuration

General Firewall Configuration To adjust resources used by your firewall service you can change the sizing parameters in the General Firewall Configuration (CONFIGURATION > Configuration Tree > Box > Infrastructure Services) of the

More information

Standard Content Guide

Standard Content Guide Standard Content Guide Express Express 4.0 with CORR-Engine March 12, 2013 Copyright 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession,

More information

NetFlow and NetFlow Data Export.

NetFlow and NetFlow Data Export. Getting Started with Configuring Cisco IOS NetFlow and NetFlow Data Export This module contains the minimum amount of information about and instructions necessary for configuring NetFlow to capture and

More information

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices. About NetFlow, page 1 Licensing Requirements for NetFlow, page 4 Prerequisites for NetFlow, page 4 Guidelines and Limitations

More information

Troubleshooting with Network Analysis Module

Troubleshooting with Network Analysis Module Troubleshooting with Network Analysis Module Introduction The Cisco Network Analysis Module (NAM) provides visibility into how the network is performing and how users experience the applications and services

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.44-8.3.7.14 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Centralized Policy, Virus, and Outbreak Quarantines

Centralized Policy, Virus, and Outbreak Quarantines Centralized Policy, Virus, and Outbreak Quarantines This chapter contains the following sections: Overview of Centralized Quarantines, page 1 Centralizing Policy, Virus, and Outbreak Quarantines, page

More information

Interface Utilization vs. Flow Analysis

Interface Utilization vs. Flow Analysis Interface Utilization vs. Flow Analysis Interface utilization is the calculated percentage utilization at the interface using SNMP polled data from the IF-MIB (Figure 2) and this is presented as inbound

More information

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson THE RSA NETWITNESS SUITE REINVENT YOUR SIEM Presented by: Walter Abeson 1 Reality Goals GOALS VERSUS REALITY OF SIEM 1.0 Single compliance & security interface Analyze & prioritize alerts across various

More information

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall

More information

Using Diagnostic Tools

Using Diagnostic Tools Using Diagnostic Tools The Tools System Diagnostics page on the INVESTIGATE view provides several diagnostic tools that help troubleshoot various kinds of network problems and process monitors. Tech Support

More information

Internet Engineering Task Force (IETF) Request for Comments: TU Muenchen K. Ishibashi NTT. April 2011

Internet Engineering Task Force (IETF) Request for Comments: TU Muenchen K. Ishibashi NTT. April 2011 Internet Engineering Task Force (IETF) Request for Comments: 6183 Updates: 5470 Category: Informational ISSN: 2070-1721 A. Kobayashi NTT B. Claise Cisco Systems, Inc. G. Muenz TU Muenchen K. Ishibashi

More information