What protocols are needed to add a device?
To add a device via discovery, NetFlow Analyzer requires SNMP credentials and Telnet/SSH access to the device.
Note: A device is added automatically if NetFlow Analyzer receives flows from it.
Yes, NetFlow Analyzer uses SNMP to discover the interfaces and Telnet/SSH to execute the commands that configure flow export.
In case of errors in executed output screen,
What is raw data?
Every flow received from the router is stored as raw data. It contains in-depth information about the packets passing through the device, such as port number, TCP flags and next hop. Since the volume is large, NetFlow Analyzer stores raw data for up to one week, which can be extended with the High-Perf add-on.
Any report generated in NetFlow Analyzer for a period of less than 2 hours is built from raw data (if available). Raw data contains every conversation for the selected time period, with application traffic, DSCP, etc.
If raw data is not available, NetFlow Analyzer generates reports from aggregated data, where the data is reduced to the top N records of applications, DSCP and conversations.
If you don't store raw data, you'll miss real-time reporting.
The Forensics report is generated from raw data.
Any traffic, application, source, destination, DSCP or conversation report for less than 2 hours is generated from raw data (if available).
HDD space required (in bytes) = raw data storage period in hours * (150 bytes * 3600 seconds * flows per second).
In the settings page, you have an option to select the devices for which you need to enable raw storage.
By default raw data can be stored for 1 month. Using the Hi-Perf add-on you can store up to 1 year.
You can customize your data storage settings from NetFlow Settings. By default, raw data in NetFlow Analyzer is set to OFF and aggregated data to ON. You also have an option to customize:
The aggregated data is stored as the top "N" records of applications and conversations for every 10 minute interval and is further aggregated over time. Aggregated data can be stored forever in the database. Aggregation runs simultaneously at the back-end alongside raw data storage. Flow data is aggregated to avoid high disk usage without impacting reporting and performance. The aggregated data in NetFlow Analyzer is used for historical reporting, capacity planning and trend analysis. The following explanation will help you understand how application data in NetFlow Analyzer is aggregated and stored in various tables. Older data is repeatedly rolled up into less granular intervals (10 minute, 1 hour, 6 hour, 24 hour and weekly). The top "N" application records by octet count are stored for every 10 minute interval. As time goes on, this data is further aggregated into an hourly table, and similarly into 6 hour, daily and weekly tables.
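The roll-up described above, as an added example that is not NetFlow Analyzer's own code: constructed flow records are bucketed into 10 minute top-N tables, rolled up into an hourly top-N table, and the applications that survive only in raw data are listed (which is why the forensics and sub-2-hour reports need raw data). The bucket sizes, N and the sample flows are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of raw flow records: (timestamp in seconds, application, octets).
# These are made-up values, not data exported by any real device.
RAW_FLOWS: List[Tuple[int, str, int]] = [
    (0,    "https",  900_000),
    (30,   "dns",      4_000),
    (120,  "ssh",     50_000),
    (300,  "https",  700_000),
    (420,  "smtp",    80_000),
    (600,  "https",  950_000),   # second 10 minute bucket starts at 600 s
    (700,  "dns",      3_000),
    (800,  "smb",    120_000),
    (1100, "ssh",     60_000),
]


def top_n_per_bucket(flows, bucket_seconds: int, n: int):
    """Sum octets per application inside each time bucket and keep the N largest.

    Returns {bucket_start: [(app, octets), ...]} with rows sorted by octets
    descending, mirroring the per-interval top-N tables the FAQ describes."""
    totals: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, app, octets in flows:
        bucket = ts - (ts % bucket_seconds)
        totals[bucket][app] += octets
    return {
        start: sorted(apps.items(), key=lambda kv: kv[1], reverse=True)[:n]
        for start, apps in sorted(totals.items())
    }


def roll_up(buckets, bucket_seconds: int, n: int):
    """Roll finer top-N buckets up into coarser ones (e.g. 10 min -> 1 hour),
    re-applying the top-N cut. Input is the output of top_n_per_bucket."""
    flows = [(start, app, octets)
             for start, rows in buckets.items() for app, octets in rows]
    return top_n_per_bucket(flows, bucket_seconds, n)


def applications_lost(flows, buckets) -> List[str]:
    """Applications present in raw data but absent from every aggregated bucket."""
    raw_apps = {app for _, app, _ in flows}
    kept = {app for rows in buckets.values() for app, _ in rows}
    return sorted(raw_apps - kept)


if __name__ == "__main__":
    ten_minute = top_n_per_bucket(RAW_FLOWS, 600, 2)
    hourly = roll_up(ten_minute, 3600, 2)
    print("10 min top-2:", ten_minute)
    print("hourly top-2:", hourly)
    print("only in raw data:", applications_lost(RAW_FLOWS, hourly))
```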
What is the purpose of one minute storage?
Apart from the raw data and aggregated data, NetFlow Analyzer stores 1 minute traffic data, which is used for real-time reporting. Traffic reports for any period shorter than 24 hours are generated with 1 minute granularity, which gives a detailed picture of the IN and OUT traffic for every minute.
It requires 25 MB of free disk space to store one year of 1 minute traffic data for each interface.
What is deep packet inspection?
Deep Packet Inspection (DPI) is a technique for determining what a network device is receiving and transmitting. It is the most accurate way to monitor and analyze application problems and regulate traffic appropriately. With DPI's packet-level analysis, it is easy to make capacity planning decisions and achieve better network performance and management. DPI helps determine the root cause of performance-related issues by providing the complete traffic picture (both network and application) in a single view.
What information can you see with DPI?
As an initial phase, ManageEngine has introduced analysis for TCP packets, even though it captures all packets. The rest will be supported in the future. Using DPI, we can calculate Application Response Time (ART), Network Response Time (NRT), URLs used and traffic utilization (productive/non-productive).
With these reports a network administrator can have a clear picture of what is consuming the bandwidth and when, and so regulate it cost-efficiently.
In DPI we get information about ART, NRT and URL:
NRT: Network Response Time is the time difference between a TCP SYN packet and its ACK (acknowledgement).
ART: Application Response Time is the time difference between a TCP data packet and its ACK (acknowledgement flag).
URL: URL details in data packets.
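The NRT and ART definitions above, worked through on a constructed TCP trace as an added example (not ManageEngine's DPI code): NRT is measured from the client's SYN to the server's SYN/ACK that acknowledges it, and ART from each data-bearing segment to the first segment from the other side whose acknowledgement number covers its payload. Timestamps are assumed to be integer milliseconds; the packet layout and addresses are made up.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    ts: int          # capture time in milliseconds (assumption: integer ms)
    src: str         # "ip:port"
    dst: str
    flags: Set[str]  # subset of {"SYN", "ACK", "PSH", "FIN"}
    seq: int
    ack: int
    payload: int     # TCP payload length in bytes


CLIENT = "10.0.0.5:51000"   # constructed addresses
SERVER = "10.0.0.9:443"

# Constructed trace of one TCP connection: handshake, a request, a two-segment
# reply of which only the first segment is acknowledged within the capture.
TRACE: List[Packet] = [
    Packet(0,   CLIENT, SERVER, {"SYN"},        1000, 0,    0),
    Packet(12,  SERVER, CLIENT, {"SYN", "ACK"}, 5000, 1001, 0),
    Packet(13,  CLIENT, SERVER, {"ACK"},        1001, 5001, 0),
    Packet(20,  CLIENT, SERVER, {"PSH", "ACK"}, 1001, 5001, 200),
    Packet(95,  SERVER, CLIENT, {"ACK"},        5001, 1201, 0),
    Packet(100, SERVER, CLIENT, {"PSH", "ACK"}, 5001, 1201, 1400),
    Packet(101, CLIENT, SERVER, {"ACK"},        1201, 6401, 0),
    Packet(200, SERVER, CLIENT, {"PSH", "ACK"}, 6401, 1201, 500),
]


def _connection(pkts: List[Packet], a: str, b: str) -> List[Packet]:
    """Keep only packets exchanged between the two endpoints, in capture order."""
    return sorted((p for p in pkts if {p.src, p.dst} == {a, b}), key=lambda p: p.ts)


def network_response_time(pkts: List[Packet], client: str, server: str) -> Optional[int]:
    """NRT: delay from the client's SYN to the server's SYN/ACK acknowledging it."""
    conn = _connection(pkts, client, server)
    syn = next((p for p in conn if p.src == client and p.flags == {"SYN"}), None)
    if syn is None:
        return None
    for p in conn:
        if (p.src == server and {"SYN", "ACK"} <= p.flags
                and p.ack == syn.seq + 1 and p.ts >= syn.ts):
            return p.ts - syn.ts
    return None


def application_response_times(pkts: List[Packet], client: str,
                               server: str) -> List[Tuple[int, str, Optional[int]]]:
    """ART per data segment: (segment ts, sender, delay until an ACK from the
    peer covers seq + payload). Data never acknowledged in the trace gives None."""
    conn = _connection(pkts, client, server)
    results = []
    for d in conn:
        if d.payload == 0:
            continue
        delay = next((p.ts - d.ts for p in conn
                      if p.src == d.dst and "ACK" in p.flags
                      and p.ts >= d.ts and p.ack >= d.seq + d.payload), None)
        results.append((d.ts, d.src, delay))
    return results


if __name__ == "__main__":
    print("NRT ms:", network_response_time(TRACE, CLIENT, SERVER))
    for ts, sender, art in application_response_times(TRACE, CLIENT, SERVER):
        print(f"data at {ts} ms from {sender}: ART {art} ms")
```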
What all reports can be generated using DPI?
To access reports from UI, navigate to Reports > DPI.
There are 2 types, online and offline reports. Online reports are generated from the embedded in-built database. ManageEngine DPI reports are based on time and criteria, and concentrate on 3 metrics: URL, NRT and ART.
Offline reports let you save the captured packets separately (in PCAP format) and generate the same reports from them.
Why do I see the interface name as Ifindex-1, 2, 3, etc.?
NetFlow Analyzer discovers interfaces using the interface index from the flow packets received. If SNMP is configured for the device, the interface names are resolved to the Name / Description / Alias of the interfaces.
If the interface names cannot be resolved using SNMP, NetFlow Analyzer displays interface indexes as names, e.g. Ifindex-10.
Why should I set interface speed?
NetFlow Analyzer collects flow packets and updates the traffic volume in bytes for the respective interfaces. From this volume, speed and utilization are calculated within the product. For the utilization calculation, the bandwidth capacity (interface speed) plays a vital role.
What types of reports can be scheduled?
All reports except the Forensics report can be scheduled.
Consolidated, Traffic, Capacity Planning, Application, Source, Source Network, Destination, Destination Network, QoS, Conversation, Conversation Network, Compare, Custom, Inventory, Multicast, Medianet, Protocol Distribution, NBAR2 Application, HTTP Host, QoS Stats, QoS Drops, ART, ART Client, ART Server, NBAR, and CBQoS reports can be scheduled once or on a daily, weekly or monthly basis.
Can the schedule settings be customized based upon the report?
Yes, apart from the default settings, users can also customize the settings (Resolve DNS, Traffic graph and QoS) of specific scheduled reports.
Why do we need an ESP/GRE filter?
Data transfer over VPN tunnels is common nowadays. The tunnel traffic is encrypted at the entry and decrypted at the exit.
From the NetFlow point of view, the traffic going into the device is different from the traffic coming out because the packets are encrypted.
All NetFlow based reporting tools will show the actual traffic before encryption, and the same traffic is classified again as ESP traffic after encryption. This leads to double counting of traffic on the edge tunnel interfaces and wrong bandwidth calculations.
To avoid this scenario, NetFlow Analyzer excludes ESP/GRE application traffic for the tunnel device.
Why do I have to add access control filter for the dropped traffic?
When an access list is added on the device, the corresponding traffic is dropped by the router. In the exported flow, the OUT interface is index 0 for the dropped traffic. NetFlow Analyzer does not show the dropped traffic by default, but the IN traffic from the incoming interface is still accounted for. If such interfaces are added to the Access-Control filter, this dropped traffic is filtered out.
Do I have to apply suppression filter for my WAN optimizer?
Yes. When traffic passes through a device, say it enters interface A and exits through interface B, NetFlow Analyzer assumes that whatever flows enter interface A will exit through interface B. This is not the case for WAN optimization devices, which compress the packets going out. To avoid wrong data being shown for the OUT interface of WAN optimization devices, output suppression should be enabled for the LAN-facing interface of the WAN optimizer.
The Inventory Updater creates tasks in which device details like device name, interface name, speed and interface status are fetched using SNMP at a user-specified time.
The following actions can be performed:
To select all the interfaces, click the All interfaces check box. To select a particular interface or a set of interfaces, click on Modify Selection and select the interfaces you want to add.
You can fetch devices details like the router name, interface name, interface speed and interface status.
Yes, you can schedule it on a one time, hourly, daily, weekly or monthly basis.
Data unit calculation allows you to configure the calculation method (SI or IEC standard), speed unit, volume unit, decimal places (2 or 3 digits), and percentile value (90th, 95th or 99th percentile).
Data Unit settings give you the option to set the measurement units as per industry standards. It can either be set to 1000 Bytes (SI standard) or 1024 Bytes (IEC standard). The value is set to 1000 by default.
NetFlow Analyzer automatically selects the unit based on the minimum and maximum values in the Speed/Volume graphs.
You have the option to choose 2 or 3 digits to be displayed following the decimal point in the IN and OUT traffic values in the reports.
Yes, NetFlow Analyzer's Distributed Monitoring feature allows users to upgrade to the Enterprise Edition with a single click.
No, the process is irreversible.
No, you cannot add or delete an AS number. However, it is possible to edit the AS name and the organisation name.
API requests from NFA would be: (NFA supports only 1000 interfaces per server)
Navigate to Settings > Discovery > Export Cloud Flow in NFA, and discover the VPC flows again to find the recently added VPCs in the list of available interfaces.
Navigate to Settings > Discovery > Export Cloud Flow in NFA, discover the VPC flows again, and click on the selected interfaces to temporarily stop exporting flow logs.
NFA can connect to AWS either through a proxy or without one. Click here to understand how NFA's proxy server setting works.
What should be done if NetFlow Analyzer's protocol is changed after installing NetFlow Generator?
If NetFlow Analyzer's protocol is changed from http to https or vice versa, the NetFlow Generator status goes down.
Solution: Go to the NetFlow Generator installation folder, open the NetFlowGenerator/conf/NFG/Conf.properties file and set the IS_HTTPS property to true if NetFlow Analyzer is running over https, or false if it is running over http. Then restart the NetFlow Generator service.
What will happen when the IP address of the NetFlow Generator server changes?
If the server IP where the NetFlow Generator is installed changes, then the NetFlow Generator will get added as a new device in NetFlow Analyzer.
When NetFlow Generator's IP changes, NetFlow Generator's IP is changed automatically in NetFlow Analyzer settings, and the NetFlow Generator flow is added as a new device.
Can I add more than one NetFlow Generator on the same server?
No. If a new NetFlow Generator is installed again on the same server, the data dump will continue only into the already discovered interface.
What should I do if I get the error "not able to install WinPcap"?
Troubleshooting: Check the Control Panel to see whether Npcap has already been installed.
Solution: Uninstall Npcap, install WinPcap, and restart NetFlow Generator. The flow export should now work.
What all information you need to map a custom application?
To map a custom application, provide application name, port number and protocol (mandatory). You can also associate IP address/ IP network / IP range if needed.
Yes, you can create a mapping for corresponding port and protocol along with IP details.
Yes, you can create a custom DSCP name for the existing code points. Please visit the link to know more about DSCP mapping.
Yes, the created topsite details alone will be displayed.
How is Top site different from Application mapping?
With Application Mapping you can map applications with port, and protocol along with IP range. It allows you to scan your network based on IP ranges, and discover all applications and servers.
Top Sites gives a list of applications contributing to the traffic. For mapping top sites, you have to provide the site name, application name, and IP range.
No, device group doesn't show the combined traffic. To view combined traffic, Interface groups can be created.
You can create device groups and associate to the users, so that the respective users will have access to the specific groups only.
Reports for device groups can be generated using Report Profile under reports tab.
'ALL DEVICES GROUP' is a default group that includes all devices and it cannot be edited.
What is the purpose of an interface group?
An interface group allows you to see the combined traffic of multiple interfaces on the same device or on different devices. For example, if there are 2 WAN routers (primary and secondary) working in load sharing mode, you can create an interface group with the WAN-facing interfaces of both routers. You can then monitor the combined traffic of the WAN interfaces and generate reports.
Where can I see reports for the interface group?
Navigate to Inventory > Groups > Interface group (in the left pane) > select the group name and expand it. You can see the snapshot page for interface group. To generate report, click on menu icon (green square on top right).
Yes, you can schedule all reports for interface group from the reports tab.
Yes, you can group multiple interfaces of different devices.
Yes, you can associate an interface group to a bill plan under Reports > Billing. Click on the edit icon next to the Bill Plan and click Next. Here you can select the interface group name and click save to associate to the bill plan.
Can we generate alerts for the interface group?
Yes, you can generate alerts for the interface group from Settings > NetFlow > Alert Profile. Create a new alert profile / click on the existing alert profile and select the interface groups to be associated and save.
What is the purpose of IP group?
An IP group allows you to monitor specific traffic matching the criteria provided. You can create an IP group based on IP details/protocol/port/DSCP, include/exclude rules, and associate it with one or many interfaces to monitor the corresponding traffic.
Yes, you can generate reports for the IP group from the IP group snapshot page. Navigate to Inventory > Groups > IP group (in the left pane) > select the group name and expand it. You can see the snapshot page for IP group. To generate report, click on menu icon (green square on top right).
Yes, you have an option to exclude criteria for an IP group. A combination of include and exclude is also available. For example, you can include 192.168.0.0/16 and exclude 192.168.100.100.
Yes, you can schedule a report for the IP group from the reports tab.
Can we associate an IP group to a bill plan?
Yes, you can associate an IP group to a bill plan under Reports > Billing. Click on the edit icon next to the Bill Plan and click Next. Here you can select the IP group name and click save to associate to the bill plan.
Yes, you can generate alerts for the IP group from Settings > NetFlow > Alert Profile. Create a new alert profile / click on the existing alert profile and select the IP groups to be associated and save.
Yes, you can generate an IP group consolidated report to see the IN and OUT traffic of all IP groups in a single report.
Navigate to the Interface / Interface group / IP group snapshot page (Inventory > Interface/IP group/Interface group), select the Application tab, and scroll down to see the application group traffic.
Where can I see the DSCP group traffic?
Navigate to the Interface/IP group/Interface group snapshot page (Inventory > Interface/IP group/Interface group), select the QoS tab, and select the DSCP group from the "DSCP" drop-down.
What is the purpose of Access Point group?
It is possible to create an Access Point group to view the combined traffic usage of multiple APs. Access Point groups can be used to categorize the traffic by location, site, user type, etc.
How can I generate reports for Access Point grouping?
It is possible to generate reports for an AP group from Inventory > Groups. You can view the traffic by real-time graph, Clients, SSIDs, Application, QoS and Conversation for a particular AP group. You also have an option to create and view reports under the dashboard for the associated access point group. The report can be scheduled or exported as PDF or CSV.
What is the purpose of SSID group?
SSID groups are created to view the combined traffic usage of multiple SSIDs. SSID groups can be used to categorize the traffic by location, site, user type, Access Points, etc.
How can I generate reports for SSID grouping?
It is possible to generate reports for an SSID group from Inventory > Groups. You can view the traffic by real-time graph, Clients, Access Points, Application, QoS and Conversation for a particular SSID group. You also have an option to create and view reports under the dashboard for the associated SSID group. The report can be scheduled or exported as PDF or CSV.
Yes, it is customizable. Navigate to Settings > NetFlow > Alert Profiles > Real-time. Click on "Link down" alert and edit the interfaces and click on Update.
Real-time and Aggregated alert profiles.
Real-time alerts are generated when the volume/utilization threshold is violated a given number of times within a particular time period.
An Aggregated alert is set based on the number of occurrences and is generated when the per-minute threshold is violated more than the given number of times.
Thresholds can be set for Interface / IP group / Interface group on IN / OUT / Combined traffic (with a business hour filter) for greater than / less than conditions based on Volume / Utilization / Speed / Packets, with severity Attention / Trouble / Critical.
Can Aggregated alarms be generated for more than one source?
Aggregated alert profiles can be generated for one or more interfaces, interface groups, access points, access point groups, and SSID groups.
Can alarms be generated for custom time periods?
Aggregated alert profiles can be created for Custom and Periodic time periods.
Custom: Users can select both the Start and End time and date.
Periodic: Users can select both the Start and End time and the frequency of the time intervals for the alerts.
When is the Aggregated alarm raised if the criteria is set for alarms to be generated less than a certain volume?
When the alert criterion is set to raise an alarm for less than a certain volume in a given time frame, say less than 100 MB between 12 am (start date) and 12 am (end date), the alarm is raised at the end of the given time period, i.e. 12 am (end date). If the volume exceeds the given limit (100 MB in this case), the alarm is raised immediately.
Yes, Last hour report will be generated and emailed with attachment if raw data is available.
Yes, alerts for IP group and interface group can be generated.
Yes, alert messages can be customized.
Yes, an SNMP trap can be generated from the NetFlow Analyzer server and sent to the corresponding NMS server.
NBAR and CBQoS data can be stored for a maximum of 1 year. You will require 360 MB of free disk space to store NBAR data and 180 MB to store CBQoS data for a year per interface.
Network Based Application Recognition (NBAR) is a Cisco feature for identifying the application traffic passing through the device. It requires an additional license from Cisco and an add-on license from NetFlow Analyzer. In NetFlow Analyzer, applications are categorized based on port and protocol. Some applications use dynamic ports (e.g. Skype); these applications can be categorized by the NBAR add-on.
What is CBQoS?
Class-Based Quality of Service (CBQoS) is an add-on in NetFlow Analyzer. It helps to analyze whether the policy configured on the device is effective.
You can see the pre-policy and post-policy traffic, the amount of traffic dropped due to the applied policy, and a tree view of the parent policy and child policies.
Yes, CBQoS and NBAR are add-ons for NetFlow analyzer.
No, CBQoS and NBAR are supported only on Cisco devices.
NBAR : Yes
CBQoS : No
What is ASAM?
ASAM is a flow based network security analytics module that helps detect and classify network intrusions. It offers intelligence to detect a broad spectrum of external and internal security threats. Using the "Continuous Stream Mining Engine" technology, ASAM analyzes flow packets in real time and matches predefined problem events. Thus, it offers continuous overall assessment of network security.
Do I need an additional license for ASAM?
No, ASAM is available by default in the Enterprise edition.
Manage : Counted for license
Unmanage: Not counted for license
New Interfaces: Receiving flows but do not have license to manage, so data is not collected.
Yes, NetFlow Analyzer finds the other interface from the incoming flow packet. With this information both interfaces can be discovered. Likewise, all the interfaces that communicate with the NetFlow-enabled interfaces are discovered.
Note: We recommend enabling NetFlow on all available layer 3 interfaces of the device to provide accurate reporting. Interfaces you do not want to monitor can be unmanaged from license management.
Yes, if an interface is deleted from NetFlow Analyzer it will be added again automatically if the server receives flows from that interface. Old data will be available if it was managed earlier.
You can unmanage the interface if you do not want to monitor it.
Licensing is based on number of access points you wish to monitor.
What is the difference between manage, unmanage & new APs?
Manage : Counted for license
Unmanage: Not counted for license
New Access Points: Receiving flows but do not have license to manage, so data is not collected.
If an access point is deleted and readded, can I see the old data?
Yes, if an access point is deleted from NetFlow Analyzer it will be added again automatically if the server receives flows for that access point. Old data will be available if it was managed earlier.
Yes, ASAM license is customizable. Navigate to Settings > NetFlow > Attacks License Management and Enable/Disable interfaces.
What is available in search report?
The search report is generated from aggregated data, which is based on top N records. You can generate a search report from the Reports tab by selecting the interfaces for which you want to generate the report, then specifying the criteria and time period. This report is most helpful when you need to analyze specific information going back in time; since it is generated from aggregated data, it can provide historical information.
Is it possible to save the search criteria or generated reports?
Yes, generated reports can be exported and saved in either of the above formats. The criteria can not be saved for future use. Instead, you can use report profiles to achieve this.
To see the AS information navigate to corresponding device snapshot page and under AS view you can expand it to download as pdf, csv or send as e-mail.
What is the percentile used for billing?
Billing uses the 95th percentile calculation by default since 95th percentile is an averaging method, which is less volatile than actual usage. However, the option to calculate the billing percentile based on 90th, 85th, 80th, or 75th percentile is available.
Is it possible to generate an on-demand bill plan?
Bills can be generated on demand. By clicking on "OnDemand" for a particular bill plan in the bill plan list, a bill can be generated for the time period from the beginning of the billing cycle to the current date.
Is it possible to associate a bill to a particular email address?
It is possible to send a bill report to one or multiple email addresses. The option is available under "Bill schedule details". Multiple mail IDs should be separated by a comma ",". The email subject can also be customized as per the user's requirement.
What are the reports available with billing?
Once the bill is generated, you can view the bills under "Generated reports". This will show the complete bill details and you can drill-down to see the usage by each interface or group.
How does 95th percentile billing work?
The 95th percentile is a widely used calculation for evaluating the regular, sustained use of a network connection. It states that 95% of the time the usage is at or below a certain amount, so 5% of the samples may burst above this rate. Select one of the two options from the drop-down box. Selecting "In & Out merge" merges the IN and OUT values and calculates the 95th percentile of the result. Selecting "In & Out separate" calculates the 95th percentile of IN and the 95th percentile of OUT separately, and the higher of the two is considered. The calculation uses 5 minute average data points.
What can I infer by generating protocol distribution report?
The Protocol Distribution report lets you view the top protocols utilizing the bandwidth of an Interface, Interface group or IP group.
On what algorithm is the forecast report generated?
A time series can be forecast using statistics or machine learning. NetFlow Analyzer employs techniques such as autocorrelation, seasonality-trend-loss decomposition and regression to generate forecast reports.
What is the accuracy of the forecast reports?
To generate one week's forecast report with 80% accuracy, historical data should be available for at least 28 days. The granularity and accuracy of the forecast will vary based on the available data.
Can the forecast report be generated for custom time periods?
No, the data can be forecasted only for the following pre-defined set of time periods - 7 days / 15 days / 1 month / 3 months / 6 months / 1 year.
What is the function of show history button?
When enabled, Show History depicts the past trends on which the forecast report is based. For example, for a forecast of the next 7 days, the past 35 days of data are graphically depicted to the user.
How does NetFlow Analyzer select the top applications?
NetFlow Analyzer chooses the "Top 5 Applications" and the applications displayed under "Custom applications" based on usage from the last 7 days.
What can I infer by generating Inventory Report?
Inventory report shows the consolidated information of the Interfaces, Interface groups, IP groups, Access Points, Access Point groups and SSID groups with the IN and OUT bandwidth utilization based on Speed, Volume or Utilization.
When is the violation report generated?
A violation report is generated only when the selected criteria are violated while generating the inventory report. These criteria violations can be viewed by clicking on the graph icon which appears in the generated report.
What is the need for defining criteria in Inventory report?
By defining criteria, users can view filtered reports based on the selected criteria, and violation report in case of any criteria violations. This helps in gaining better visibility over their bandwidth utilization with more intuitive reports.
Why is the percentile value displayed as "-"?
The percentile value is displayed as "-" when insufficient data is available. The 90th percentile requires a minimum of 10 data points, the 95th percentile a minimum of 20 data points, and the 99th percentile a minimum of 100 data points to generate IN and OUT traffic data.
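The 95th percentile billing modes ("In & Out merge" vs "In & Out separate" on 5 minute data points) and the minimum sample counts above, worked through on constructed data as an added example that is not NetFlow Analyzer's own code. Two assumptions are labelled in the code: the percentile is computed by the nearest-rank method (the FAQ does not name one), and "merge" is taken to mean the IN+OUT sum per 5 minute sample.

```python
import math
from typing import List, Optional, Sequence

# Minimum number of samples the FAQ requires before a percentile is shown;
# anything else defaults to 1 (assumption). Fewer samples are displayed as "-".
MIN_SAMPLES = {90: 10, 95: 20, 99: 100}

# Constructed 5 minute average samples (Mbps) for two hours: 24 points each,
# mostly flat with a few bursts. Not real interface data.
IN_MBPS: List[int] = [10, 12, 11, 13, 50, 12, 11, 10, 12, 14, 13, 11,
                      10, 12, 15, 11, 10, 13, 12, 11, 12, 14, 13, 90]
OUT_MBPS: List[int] = [5, 6, 5, 7, 6, 5, 40, 6, 5, 6, 7, 5,
                       6, 5, 6, 7, 5, 6, 5, 6, 7, 6, 5, 30]


def percentile(samples: Sequence[int], pct: int) -> Optional[int]:
    """Nearest-rank percentile (assumption: the FAQ does not state the method).

    Returns None when fewer samples than the FAQ's minimum are available,
    which the UI renders as "-"."""
    if len(samples) < MIN_SAMPLES.get(pct, 1):
        return None
    ordered = sorted(samples)
    rank = math.ceil(pct / 100 * len(ordered))   # 1-based nearest rank
    return ordered[rank - 1]


def billing_percentile(in_bps: Sequence[int], out_bps: Sequence[int],
                       pct: int = 95, mode: str = "merge") -> Optional[int]:
    """'merge': percentile of the per-sample IN+OUT sum (assumed meaning).
    'separate': percentile of IN and of OUT; the higher of the two is billed."""
    if len(in_bps) != len(out_bps):
        raise ValueError("IN and OUT must have one sample per 5 minute interval")
    if mode == "merge":
        return percentile([i + o for i, o in zip(in_bps, out_bps)], pct)
    if mode == "separate":
        parts = [percentile(in_bps, pct), percentile(out_bps, pct)]
        if any(v is None for v in parts):
            return None
        return max(parts)
    raise ValueError(f"unknown mode {mode!r}")


def display(value: Optional[int]) -> str:
    """Render a percentile the way the report does: "-" when unavailable."""
    return "-" if value is None else str(value)


if __name__ == "__main__":
    for mode in ("merge", "separate"):
        print(f"95th percentile, {mode}:",
              display(billing_percentile(IN_MBPS, OUT_MBPS, 95, mode)), "Mbps")
    print("99th percentile with 24 samples:", display(percentile(IN_MBPS, 99)))
```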
HighPerf add-on has a complete set of unique benefits that it offers. Some of them are:
NetFlow Analyzer is primarily an analytical tool. The flow data is collected from the devices, analyzed and it generates analytical reports based on collected data. The availability of raw data is of critical importance to the generating reports. With HighPerf add-on, raw data can be made available up to a period of 6 months. This repository of raw data can help in better analytics. These reports help in getting much better insights about the traffic statistics in your network.
|Rate of Flow/Second|Processor|RAM|Raw Data (Optional)|
|0-10k|8 cores/16 threads or higher, 3.5 GHz or above|||
|10-25k|8 cores/16 threads or higher, 3.5 GHz or above|||
|25-50k|8 cores/16 threads or higher, 3.5 GHz or above|24 GB or higher|500 GB/day|
|50-75k|16 cores/32 threads or higher, 3.5 GHz or above|32 GB or higher|750 GB/day|
|75-100k|16 cores/32 threads or higher, 3.5 GHz or above|32 GB or higher|1000 GB/day|
Please download our installation guide from here.
The HighPerf add-on is supported on build number 12.5.447 or above. Users of earlier versions need to upgrade to the latest version of NetFlow Analyzer to be able to use the HighPerf add-on.
The HighPerf add-on is supported on 64-bit servers only. It cannot be run on 32-bit servers.
No, they are the same thing. High Performance Reporting Engine is abbreviated as HighPerf add-on.
Yes, High Perf is an add-on for Netflow Analyzer.