A couple of days back, we had an interesting conversation going on in our forums. One of our privileged ManageEngine customers wanted a speed-based alerting mechanism and gave us a really good reason to have this feature. Please find the conversation at the link below.
http://forums.manageengine.com/#Topic/49000003700030
I just wanted to check how the UI and the input configuration should look. Please share your views and inputs on adding the speed-based alert feature.
Please write your technical questions to netflowanalyzer-support@manageengine.com. We are happy to assist you at any time.
Thanks
Raj
Download | Interactive Demo | Product overview video | Twitter | Customers
This blog may need prior reading of my first blog about Flexible NetFlow. We have already discussed the advantages of Flexible NetFlow and the migration from traditional NetFlow versions to FNF. To make this transition smooth, Cisco provides pre-defined flow records which can be used to configure Flexible NetFlow without investing a lot of time. As I mentioned earlier, this also lets your existing NetFlow V9 collector parse the exported data. However, to use Flexible NetFlow to its fullest potential, or to monitor a specific network behavior, you should create your own customized records.
Let’s see how to configure Flexible NetFlow to export flow statistics. Flexible NetFlow export can be configured in three easy steps.
1. Configure the exporter
2. Configure the Flow Monitor with the pre-defined Flow Record and Flow Exporter attached to the monitor.
3. Add the Flow Monitor to the interface to monitor either ingress (input) or egress (output) traffic.
1. Configuring Exporter
A flow exporter is configured with a unique name, and multiple flow exporter profiles can be configured. Below is the configuration for a flow exporter.
flow exporter <exporter name>
destination <ip address of ME NFA>
transport udp <port number>
Example configuration:
flow exporter me_nfa_analyzer
destination 192.168.1.1
transport udp 9996
2. Flow Monitor and Flow record configuration
The flow record configuration defines the fields exported via the NetFlow protocol. The pre-defined Flexible NetFlow flow records are based on the original NetFlow ingress or egress caches. Cisco provides a unique keyword to identify each pre-defined record, and these records can be associated with a Flexible NetFlow flow monitor configuration. The Flexible NetFlow "netflow-original" and "netflow ipv4 original-input" records are pre-defined, and the two can be used interchangeably to export the basic key fields and time stamp fields. Flow monitors can also include packet sampling information if sampling is required.
flow monitor <monitor name>
record netflow-original
exporter <exporter name>
cache timeout active <seconds>
cache timeout inactive <seconds>
Example Configuration:
flow monitor me_nfa_monitor
record netflow-original
exporter me_nfa_analyzer
cache timeout active 60
3. Adding Flow Monitor to the interface
A flow monitor has to be attached to a specific physical or logical interface to export flow statistics for that particular interface. Below is the configuration to attach a flow monitor to a specific interface.
interface <interface name>
ip flow monitor <monitor_name> input
Example Configuration:
interface serial0/0
ip flow monitor me_nfa_monitor input
The above configuration can be verified with the "show flow monitor" command. As I mentioned earlier, Flexible NetFlow has numerous advantages and can support new performance monitoring statistics as soon as they become available. Flexible NetFlow is an evolving technology available on Cisco devices that gives visibility into how network assets are being used and how the network behaves.
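The steps above use the pre-defined "netflow-original" record. The following is an added example, not from the original post, of a user-defined record keyed on the IP 5-tuple plus the input interface that also collects TCP flags, counters and timestamps (the record and monitor names are hypothetical; the exporter address, port and interface reuse the values from the steps above):

```cisco
! User-defined record: "match" fields are the key fields that identify a flow,
! "collect" fields are non-key fields exported alongside them.
flow record me_nfa_custom
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Exporter: same collector as in step 1, explicitly pinned to NetFlow v9
! because a user-defined record cannot be carried in the v5 format.
flow exporter me_nfa_analyzer
 destination 192.168.1.1
 transport udp 9996
 export-protocol netflow-v9
!
! Monitor: ties the custom record to the exporter and sets cache timers so
! long-lived flows are still reported every 60 seconds.
flow monitor me_nfa_custom_monitor
 record me_nfa_custom
 exporter me_nfa_analyzer
 cache timeout active 60
 cache timeout inactive 15
!
interface serial0/0
 ip flow monitor me_nfa_custom_monitor input
!
! Verification (exec mode):
!   show flow record me_nfa_custom
!   show flow monitor me_nfa_custom_monitor cache
!   show flow exporter me_nfa_analyzer statistics
```

The exporter statistics counter is the quickest way to confirm that datagrams are actually leaving the router for the collector.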
Please find more information on FNF here.
ManageEngine constantly studies the market and user demands to support new technologies. In fact, ManageEngine NetFlow Analyzer was the first tool on the market to support multiple bandwidth and performance monitoring technologies such as NetFlow, NBAR and CBQoS, and it currently supports Flexible NetFlow without any issues. Please write your questions to netflowanalyzer-support@manageengine.com. We are happy to assist you at any time.
Thanks
Raj
Hello,
Some of our community folks are using ME NetFlow Analyzer to monitor their Juniper SSG 500 series firewalls, which support policy-based NetFlow/JFlow export.
Can you share with us the NetFlow/JFlow configuration to enable NetFlow/JFlow on these firewalls?
Thanks
Raj
Flexible NetFlow is the next-generation flow export technique promoted by Cisco Systems. As the name suggests, it is highly flexible: it can be tailored to user requirements and to monitoring specific network behaviour. Traditional NetFlow, most of the time, used a fixed seven-tuple of IP information to identify a flow.
Advantages of Flexible NetFlow
1. Flexibility to choose the desired export fields.
2. Reduces the number of flows and lets the CPU perform routing and switching efficiently
3. Convergence of multiple accounting technologies into one accounting mechanism
Flexible NetFlow and NetFlow V9
The export protocol of choice for Flexible NetFlow is the NetFlow Version 9 export protocol. Unfortunately, to date NetFlow Version 5 has been a much more widely used protocol, because of the legacy Cisco IOS® Software images still around that supported only the NetFlow v5 export protocol and worked very well. However, Cisco claims the future is going to be Flexible NetFlow. And believe it, this migration is going to be very smooth, since Flexible NetFlow can also be configured to export some pre-defined flow records in the NetFlow Version 5 protocol format for backward compatibility. This means your existing collectors can keep working with Flexible NetFlow until you find a real requirement for the additional fields offered by Flexible NetFlow.
Flexible NetFlow Configuration
Traditional NetFlow configuration is pretty straightforward. Flexible NetFlow consists of components that can be used together in several variations to perform traffic analysis and data export, and the new command-line interface (CLI) configuration follows the same traditional logic. User-defined flow records and the component structure of Flexible NetFlow make it easy to create various configurations for traffic analysis and data export on a networking device with a minimum number of configuration commands.
Let's see these components in detail.
Flow Monitor:
A Flexible NetFlow Flow Monitor describes the NetFlow cache or information stored in the cache. The Flow Monitor contains the Flow Records or key and non-key fields within the cache. Also, part of the Flow Monitor is the Flow Exporter which contains information about the export of NetFlow information including the destination address of the NetFlow collector. The Flow Monitor includes various cache characteristics including the timers for exporting, the size of the cache and if required, the packet sampling rate.
Flow Record:
A Flow Record is a set of key and non-key NetFlow field values used to characterize flows in the NetFlow cache. Flow Records may be pre-defined for ease of use, or customized and user-defined. A typical pre-defined record will aggregate flow data and allow users to target common applications for NetFlow. User-defined records allow selection of specific key or non-key fields in the Flow Record. The user-defined field is the key to Flexible NetFlow, allowing a wide range of information to be characterized and exported by NetFlow. It is expected that different network management applications will support specific user-defined and pre-defined Flow Records based on what they are monitoring (e.g. security detection, traffic analysis, capacity planning).
Flow Exporter:
The Flexible NetFlow Exporter allows the user to define where the export can be sent, the type of transport for the export and properties for the export. Multiple exporters can be configured per Flow Monitor or the same exporter can be used by multiple monitors.
The following figure shows the flow monitor and its components.
In our next blog we are going to use a pre-defined (defined in IOS itself) flow record to export NetFlow records using Flexible NetFlow. In the meanwhile, if you have any queries, please write to netflowanalyzer-eesupport@manageengine.com
Thanks
Raj
Being a niche player in the SaaS market, Zoho brings an amazing level of engineering expertise to ManageEngine in building highly secure and scalable distributed applications. And as you may know, AdventNet has recently changed its name to Zoho Corp and formed three divisions, namely ManageEngine, Zoho, and WebNMS.
Growing network needs complicate the job of network administrators and bring in new challenges. Network administrators need robust, cutting-edge network management tools to quickly troubleshoot network incidents and improve network performance. However, considering the economic situation, it is very important to choose the right application, one that can leverage network performance management data from multiple technologies, and of course at an affordable cost.
The ManageEngine NetFlow Analyzer team constantly interacts with its customers, technology companies and VARs to prioritize the road map. Whenever a new technology is introduced in the product, all existing customers see immediate value by means of a simple free upgrade instead of paying a hefty price. Here the ROI includes cutting bandwidth upgrade costs thanks to the increased visibility ManageEngine NetFlow Analyzer provides, avoiding unauthorized bandwidth usage, and increasing the efficiency of business-critical applications, all at almost zero implementation cost.
Multiple technologies - Single Solution:
Cisco NetFlow:
Cisco's NetFlow technology exports flow records from any IOS-capable router or switch. The exported flow records contain information about protocols, ports, source and destination IP addresses, and much more.
NetFlow Analyzer provides several instant reports to monitor bandwidth including top talkers, top protocols, top conversations, and more. Apart from these pre-defined bandwidth reports, NetFlow Analyzer also includes options to search for specific bandwidth usage details based on IP address, host name, protocol, and more.
Bandwidth Monitoring without Probes
NetFlow Analyzer does network bandwidth monitoring using NetFlow. NetFlow exports are collected, correlated, and analyzed to get granular details for monitoring bandwidth usage across each WAN link. There is no need for hardware probes to monitor bandwidth usage: NetFlow Analyzer is an all-software solution that runs on both Windows and Linux.
Real-time Bandwidth Monitoring
Bandwidth monitoring reports for each interface show the current, average, and peak bandwidth usage patterns across each NetFlow-enabled interface. With these bandwidth usage statistics you get instant visibility into how much bandwidth was used by hosts, applications, and conversations on a specific interface.
Application-wise Bandwidth Distribution
To monitor bandwidth utilized by different applications, NetFlow Analyzer gives you instant visibility into which applications are using up maximum bandwidth. You can also drill down to see the top sources, destinations and conversations using the bandwidth. With such granular detail, network troubleshooting and problem resolution take far less time than with traditional tools.
Cisco NBAR:
The Cisco NBAR (Network Based Application Recognition) engine runs in IOS and does deep packet inspection to identify applications riding on regular ports. For example, traffic on TCP 80 can be identified as Kazaa2, BitTorrent, Napster, etc. The respective utilization, volume and speed can be polled over SNMP over time.
NBAR reports are very useful for setting Class-Based Quality of Service (CB-QoS) policies. NBAR and QoS policies can work together to stop bandwidth-stealing applications and increase the efficiency of business-critical applications.
Cisco CB-QoS (Class Based - Quality of Service):
We have discussed a lot about deploying CB-QoS policies for improved network performance. You can find the CB-QoS blog series at this link. Cisco CB-QoS is the simplest way to prioritize network traffic.
Having insights over pre and post policy metrics, network administrators can modify their CB-QoS policy configuration for improved performance and to avoid any impact to business critical applications due to misconfiguration.
This is why we call ManageEngine NetFlow Analyzer a powerful traffic analysis and forensic solution for a network of any size. Try our 30-day, all-feature trial version and write your queries to netflowanalyzer-support@manageengine.com
Thanks
Raj
A couple of days back, one of our customers wanted to know the best practice for monitoring VOIP/IP phone traffic using NetFlow Analyzer. I felt this really deserves a blog.
By default, NetFlow Analyzer identifies the SKINNY and SIP applications (port numbers 2000 and 5060) and shows their usage, with the IP address of the phone involved, on each and every interface. But to monitor the voice traffic as a separate entity, or for a specific phone, you have two ways: either an application mapping using the voice gateway IP, or an IP group covering an individual IP network or range of phones.
Let’s see the options in detail.
1. Application mapping using voice gateway IP
ManageEngine NetFlow Analyzer detects applications based on the port and protocol values available in the flow records, and the port-protocol mappings can be added, modified and deleted from the user interface. As an added advantage, NetFlow Analyzer also lets you associate IP addresses with an application mapping for more precise classification. So if you create an application mapping "MyApp" with an IP address - port - protocol match, NetFlow Analyzer starts classifying all conversations/calls originating from or destined to the mapped IP address with the defined port and protocol as "MyApp".
Using this functionality, you can create a new application mapping through the "Application Mapping" link with the voice gateway IP and the port and protocol used for IP phone traffic. If you are not sure about the port and protocol, you can also use 0-65535 as the port range in the application mapping. Since this is your voice gateway, it mostly deals with VOIP traffic anyway.
This new VOIP tracking application will be shown under the application tab with its traffic volume, and you can drill down further to conversation/call information.
2. Using IP groups
As a second option, it is also possible to monitor the IP phone traffic by creating an IP group. The IP groups feature lets you monitor departmental, intranet or application specific traffic exclusively. You can create IP groups based on IP addresses and/or a combination of port and protocol. You can even choose to monitor traffic from specific interfaces across different routers. After creating an IP group, you can view the top applications, top protocols, top hosts, and top conversations in this IP group alone.
Now create an IP group with the VOIP gateway, the VOIP IP network or the VOIP phone range. You can create as many IP groups as your requirements call for. Being able to associate port, protocol and interface information with IP groups helps make the classification more precise.
Each IP group gives you the complete traffic, application and conversation information pertaining to the IP addresses or port-protocol mapping involved in the group.
Note: With both options, ensure that the desired IP address (the voice gateway IP or the IP address of the IP phone(s)) is visible to your router or L3 switch, so that it can be exported in the NetFlow packets.
Please write your questions to support@netflowanalyzer.com. You can download our 30-day, all-feature trial software from the following link.
Download:
http://www.manageengine.com/products/netflow/download.html?ab
Features:
http://www.manageengine.com/products/netflow/netflow-features.html
Live Demo:
http://demo.netflowanalyzer.com
Thanks
Raj
Hello,
First, we want to thank all our customers and prospects for their help in supporting NSEL. Last week our ManageEngine NetFlow Analyzer support team was terribly busy handling ASA customers and prospects. Most of the customers who enabled ASA NSEL started complaining about the interface names and indices: they did not match the statistics reported against them. We verified our code for handling interface indices and SNMP GET twice; there had been no recent change made for ASA.
Fortunately, one of our community folks updated our forums about a Cisco bug in NSEL, along with the bug ID.
http://forums.manageengine.com/#Topic/49000003577055
"There is currently an ASA bug (ID:CSCtb63825) that will give you inaccurate information. The doesn't use IfTable to store interface names, so NFA may report data for an interface that is actually sourced from a different interface. Cisco has informed me that this bug has been fixed in 8.2(12), but that the release is not available yet."
Thanks
Raj
This feature can be supported on any installation of NetFlow Analyzer Professional edition Build 7600 onwards. In case you are interested in the feature, please upgrade your installation to the latest build by applying the service packs found here. Once you have upgraded, please email your contact details to netflowanalyzer-support@manageengine.com so that we can email you the feature pack file.
Thanks
Raj
NetFlow carries abundant information which can be used to perform security analysis and detect abnormal network activity. In this blog, I am going to discuss the complexities involved in analyzing huge sets of flow records and how we can overcome these problems using ManageEngine NetFlow Analyzer.
Network forensics has to be done on the raw NetFlow data, not on top-N data. Top-N data only gives a coarse-grained view of network activity, and this aggregation increases the probability of missing some abnormal network activities and less intensive attacks.
Currently NetFlow Analyzer can store raw flows for up to 1 month (configurable to store for a year) for network forensics. This helps network administrators investigate any network incident or deviation from regular traffic patterns. "Troubleshooting Reports" in ManageEngine NetFlow Analyzer are generated from millions of raw NetFlow records to provide complete visibility into any particular conversation or attack on the network. In addition to reporting traffic, applications and conversations, they offer valuable insights such as the number of conversations initiated from any source, with filtering on particular TCP flags or TOS bits, which significantly reduces the time taken to identify the root cause of a network incident.
We know that only some TCP segments carry data; the others are simply acknowledgements of previously received data or new connection requests. For example, the familiar three-way handshake uses the SYN and ACK mechanism of the TCP protocol to complete the connection before any data is transferred.
A typical TCP SYN worm scan sends out a lot of SYN packets to vulnerable services on other hosts and attempts a DoS (Denial of Service).
TCP-SYN scan propagation could result in
A. The destination host is alive and running a vulnerable service on the targeted port, which could lead to a DoS attack.
B. The destination host is alive and the targeted port is closed.
C. No such destination host exists.
When a worm tries to propagate, the destination addresses are typically generated at random, and normally a large number of the destination hosts will not be alive or functional. Therefore we can expect to see a large number of flow records with only the SYN bit set associated with the worm-infected host.
Let's see how "Troubleshooting Reports" help in identifying a SYN scan and the infected hosts. Generally, TCP SYN worm scan analysis is most effective at the switch level because of the visibility of LAN IP addresses, so it is better to choose a LAN interface/port for SYN scan analysis.
1. The first step is to identify the conversations with only the SYN bit set. Using ManageEngine NetFlow Analyzer, it is possible to filter out potential sources trying to contact a large number of destinations with the SYN bit set.
2. In the second step, we drill down from each potential source to analyze the type of traffic. As you can see in the picture below, it appears to be the W32.Spybot.ACYR worm spreading through an unpatched Windows machine using port 2967.
When a worm scans random IP addresses and ports, the destinations may send back RST/ACK segments if the ports are closed or not functional. With NetFlow ingress flow export, if a destination receives too many RST/ACKs, it could be a worm attack on that destination.
Hope this gives an idea of how to use the product for typical network security analysis. Please write to netflowanalyzer-support@manageengine.com for any further clarification.
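The two checks described above (sources with SYN-only flows to many distinct destinations, then drilling down to the port being probed, plus the RST/ACK count per host) can be run directly on raw flow records. The following is an added example, not the product's code or the original post's, over a constructed set of flow tuples; the threshold and the field layout are assumptions:

```python
"""Flag TCP SYN worm scanners from raw NetFlow records (added example).

Each constructed record is (src, dst, dst_port, tcp_flags, packets), where
tcp_flags is the OR of the TCP header flag bits seen in the flow, as exported
by NetFlow: FIN=0x01, SYN=0x02, RST=0x04, ACK=0x10.
"""
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed sample flows (not real data): 10.0.0.5 sprays SYN-only probes at
# port 2967 across 40 hosts; two targets with the port closed answer RST/ACK,
# the rest never answer. 10.0.0.7 is a normal host with one web session and
# two failed connection attempts.
SAMPLE_FLOWS = [("10.0.0.5", f"10.0.1.{i}", 2967, SYN, 1) for i in range(1, 41)]
SAMPLE_FLOWS += [
    ("10.0.1.3", "10.0.0.5", 40001, RST | ACK, 1),      # closed port reply
    ("10.0.1.9", "10.0.0.5", 40007, RST | ACK, 1),      # closed port reply
    ("10.0.0.7", "10.0.0.9", 80, SYN | ACK | FIN, 12),  # completed session
    ("10.0.0.9", "10.0.0.7", 51234, SYN | ACK | FIN, 9),
    ("10.0.0.7", "10.0.0.30", 445, SYN, 2),             # two stray SYN-only
    ("10.0.0.7", "10.0.0.31", 445, SYN, 2),             # attempts, not a scan
]


def suspected_scanners(flows, min_targets=20):
    """Step 1 and 2: sources whose SYN-only flows reach >= min_targets hosts.

    Returns {source: (distinct_targets, most_probed_port)} so the analyst can
    see which service the suspected worm is hunting for.
    """
    targets = defaultdict(set)
    port_hits = defaultdict(lambda: defaultdict(int))
    for src, dst, port, flags, _pkts in flows:
        if flags == SYN:  # SYN without ACK: handshake that never completed
            targets[src].add(dst)
            port_hits[src][port] += 1
    result = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            top_port = max(port_hits[src], key=port_hits[src].get)
            result[src] = (len(dsts), top_port)
    return result


def rst_ack_received(flows):
    """Count RST/ACK flows received per host (closed-port answers to probes)."""
    counts = defaultdict(int)
    for _src, dst, _port, flags, _pkts in flows:
        if flags & (RST | ACK) == (RST | ACK) and not flags & SYN:
            counts[dst] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, (n, port) in suspected_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: SYN-only to {n} hosts, mostly port {port}, "
              f"RST/ACK received: {rst_ack_received(SAMPLE_FLOWS).get(src, 0)}")
```

Tune min_targets to the size of the LAN segment being watched; a single source hitting a few dozen hosts on one port within a short window is the pattern the page's report filters surface.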
Regards,
Raj