Discovery

    1. What protocols are needed to add a device?
      To add a device via discovery, NetFlow Analyzer requires SNMP credentials and Telnet/SSH access to the device.
      Note: A device will be added automatically if NetFlow Analyzer receives flows from it.

    2. Do I need multiple credentials to add a device?

      Yes, NetFlow Analyzer uses SNMP to discover the interfaces and Telnet/SSH to execute the commands for flow export.

    3. What should I do if I find errors in the executed output screen?

      In case of errors in the executed output screen:

      1. Click the Back button and edit the configlet with the correct commands.
      2. Click Execute to execute the edited configlets.
      Note: If there are wrong commands in the default configlets, contact our support team at netflowanalyzer-support@manageengine.com

    Settings

    1. What is raw data?
      Every flow received from the router is stored as raw data. This contains in-depth information about the data packets passing through the device, such as port number, TCP flag, next hop, etc. Since the data volume is huge, NetFlow Analyzer stores the raw data for up to one month, which can be extended using the High-Perf add-on.

    2. What will I miss if I don't store raw data?

      Any report generated in NetFlow Analyzer for less than 2 hours will be from raw data (if available). Raw data contains every conversation for the selected time period with application traffic, DSCP, etc.
      If raw data is not available, NetFlow Analyzer generates reports from aggregated data, where the data is aggregated for the top N records of applications, DSCP and conversations.
      If you don't store raw data, you'll miss real-time reporting.

    3. Which are the reports generated from raw storage?

      The Forensics report is generated from raw data.

      Any traffic, application, source, destination, DSCP or conversation report for less than 2 hours is generated from raw data (if available).

    4. How to calculate the disk space required for raw storage?

      HDD space required (in Bytes) = Raw Data Storage Period in hours * (150 Bytes * 3600 seconds * Flows Per Second).

      • Raw Data Storage Period in hours: You can find this in settings > storage settings > raw data settings
      • Flows Per Second: You can find this in the system performance dashboard
    5. How to manage raw storage between devices?

      In the settings page, you have an option to select the devices for which you need to enable raw storage.

    6. Is it possible to store raw data in external server?
      Yes, using the High-Perf add-on, raw data can be stored on a remote server for up to 1 year. For that you need to purchase the add-on license.

    8. Is it possible to store raw data in an MSSQL database?
      Yes, if the default database is MSSQL, raw data is also stored in MSSQL database.

    9. How long can we store raw data?

      By default, raw data can be stored for 1 month. Using the High-Perf add-on you can store it for up to 1 year.

    10. How can I customize the data storage pattern?

      You have an option to customize your data storage settings from NetFlow Settings. By default, raw data in NetFlow Analyzer is set to OFF and aggregated data to ON. You also have an option to customize:

      1. Data retention time

      2. Top N record for Aggregated data

      3. Number of devices for raw data

      4. Email alert option for high data storage.
    11. What is aggregated data? How is it calculated in NetFlow Analyzer?

      The aggregated data is stored based on the top 'N' records of the applications and conversations for every 10 minute interval and is further aggregated over time. Aggregated data can be stored forever in the database. The aggregation happens at the back end, in parallel with raw data storage. Flow data aggregation is done to avoid high disk usage without impacting reporting and performance. The aggregated data in NetFlow Analyzer is used for historical reporting, capacity planning and trend analysis. The following explanation will help you understand how Application data in NetFlow Analyzer is aggregated and stored in various tables. Older data is repeatedly rolled up into less granular intervals (10 minute, 1 hour, 6 hour, 24 hour and weekly). The top 'N' records of applications based on octet value are stored for every 10 minute interval. As time passes, this data is further aggregated into an hourly table, and similarly into 6 hour, daily and weekly tables.
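
      The roll-up described above, as an added example (not NetFlow Analyzer's own code). It uses a hypothetical N of 2 and constructed flow records, and assumes the hourly table simply sums the retained 10 minute records; it shows that an application which never reaches the top N in any interval is absent from aggregated tables and can only be found in raw data.

```python
from collections import defaultdict

TEN_MIN = 600   # finest aggregation interval named on the page, in seconds
HOUR = 3600     # next roll-up level

def _bucket(ts, width):
    """Start of the `width`-second interval that contains timestamp `ts`."""
    return ts - ts % width

def aggregate_top_n(flows, n, width=TEN_MIN):
    """Raw flows -> {interval_start: {application: octets}}, keeping only the
    n applications with the most octets in each interval.
    flows: iterable of (timestamp_s, application, octets)."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, app, octets in flows:
        totals[_bucket(ts, width)][app] += octets
    table = {}
    for start, apps in sorted(totals.items()):
        ranked = sorted(apps.items(), key=lambda kv: (-kv[1], kv[0]))
        table[start] = dict(ranked[:n])   # everything below rank n is discarded
    return table

def roll_up(table, width):
    """Sum an aggregated table into coarser intervals (10 minute -> hourly).
    Assumption of this example: retained records are summed as they are;
    the page does not say whether N is applied again at each level."""
    totals = defaultdict(lambda: defaultdict(int))
    for start, apps in table.items():
        for app, octets in apps.items():
            totals[_bucket(start, width)][app] += octets
    return {start: dict(apps) for start, apps in sorted(totals.items())}

def raw_totals(flows):
    """Octets per application as seen in raw data."""
    totals = defaultdict(int)
    for _, app, octets in flows:
        totals[app] += octets
    return dict(totals)

def aggregation_loss(flows, table):
    """Octets per application present in raw data but missing from `table`."""
    kept = defaultdict(int)
    for apps in table.values():
        for app, octets in apps.items():
            kept[app] += octets
    return {app: total - kept[app]
            for app, total in raw_totals(flows).items() if total != kept[app]}

def sample_flows():
    """Constructed sample: one hour of flows, timestamps relative to 0."""
    flows = []
    for i in range(6):
        t = i * TEN_MIN
        flows += [(t + 10, "https", 5_000_000),
                  (t + 20, "smb", 2_000_000),
                  (t + 30, "ssh", 4_000)]      # low volume in every interval
    flows.append((3 * TEN_MIN + 40, "backup", 9_000_000))  # one-off burst
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    ten_minute = aggregate_top_n(flows, n=2)
    hourly = roll_up(ten_minute, HOUR)
    print("hourly table:", hourly)
    print("lost to aggregation:", aggregation_loss(flows, hourly))
```

      With this sample, the low-volume ssh traffic never appears in the aggregated tables, and smb is under-reported for the interval in which the backup burst pushed it out of the top 2.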

    12. What is the purpose of one minute storage?
      Apart from the raw data and aggregated data, NetFlow Analyzer stores 1 minute traffic data, which is used for real-time reporting. A traffic report for any time period of less than 24 hours is generated with 1 minute granularity, which gives a detailed picture of the IN and OUT traffic for every minute.

    13. How much disk space will it occupy?

      It requires free disk space of 25 MB to store one year of one minute traffic data for each interface.

    14. What is the system requirement for High Perf?

      [Image: High Perf system requirements]

    15. What is offline and online in High Perf?

      • Offline: High Perf reporting engine is OFF
      • Online: High Perf reporting engine is ON
    16. Do I need an extra license for High Perf?
      Yes, High Perf is an add-on for NetFlow Analyzer.

    17. Can I have High Perf installed on a remote server?
      Yes, High Perf can be installed on the local server or on a remote server.

    18. What is the user account needed for the configuration of High Perf?
      You need an Administrator account on the Windows/Linux server where it is installed.

    19. When do I need a High Perf reporting engine?
      The High Perf reporting engine is required:

      • To store raw data of NetFlow Analyzer on a remote server
      • To store raw data for more than a month
      • To enable the DPI add-on
    20. What is deep packet inspection?
      Deep Packet Inspection (DPI) is a process to know what is being received and transmitted by a network device. It is the most accurate technique to monitor and analyze the application problems and regulate traffic in the best suitable way. With DPI’s packet level analysis, it is easy to make decisions on capacity planning and achieve better network performance and management. DPI helps determine the root cause for performance related issues with the complete traffic picture (both network and application) in a single view.

    21. What information can you see with DPI?
      In the initial phase, ManageEngine has introduced analysis for TCP packets, even though DPI captures all packets. The rest will be supported in the future. Using DPI, we can calculate Application Response Time (ART), Network Response Time (NRT), URLs used and traffic utilization (productive/non-productive).
      With these reports a network administrator can get a clear picture of what is consuming the bandwidth and at what time, and can regulate it cost-efficiently.
      DPI provides information about ART, NRT and URL:
      NRT: Network Response Time is the time difference between a TCP_SYN packet and its ACK (acknowledgement).
      ART: Application Response Time is the time difference between a TCP_DATA packet and its ACK (acknowledgement flag).
      URL: URL details in data packets.
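
      The NRT and ART definitions above, worked through on a constructed packet trace. This is an added example, not the product's DPI code; the Segment record, the endpoint strings and the matching of a segment to "its ACK" by TCP sequence numbers are assumptions of the example.

```python
from collections import namedtuple

# One captured TCP segment. ts_ms is the capture time in milliseconds,
# src/dst are "ip:port" endpoints, flags uses S (SYN), A (ACK), P (PSH).
Segment = namedtuple("Segment", "ts_ms src dst flags seq ack length")

def response_times(segments):
    """Return (nrt, art, unanswered).
    nrt: (sender, receiver, ms) from each SYN to the segment acknowledging it.
    art: (sender, receiver, ms) from each data segment to its ACK.
    unanswered: (sender, receiver) for SYNs that were never acknowledged."""
    awaiting_syn_ack = {}    # (sender, receiver, expected ack no.) -> ts_ms
    awaiting_data_ack = {}
    nrt, art = [], []
    for seg in sorted(segments, key=lambda s: s.ts_ms):
        if "A" in seg.flags:
            # This segment acknowledges bytes that seg.dst sent to seg.src.
            # Exact match only: a cumulative ACK that covers several data
            # segments answers just the last of them.
            key = (seg.dst, seg.src, seg.ack)
            if key in awaiting_syn_ack:
                nrt.append((seg.dst, seg.src,
                            seg.ts_ms - awaiting_syn_ack.pop(key)))
            if key in awaiting_data_ack:
                art.append((seg.dst, seg.src,
                            seg.ts_ms - awaiting_data_ack.pop(key)))
        if "S" in seg.flags and "A" not in seg.flags:
            # A SYN consumes one sequence number, so its ACK carries seq + 1.
            # setdefault keeps the first timestamp if the SYN is retransmitted.
            awaiting_syn_ack.setdefault(
                (seg.src, seg.dst, seg.seq + 1), seg.ts_ms)
        elif seg.length > 0:
            # A segment that piggybacks data on an ACK is also timed as data.
            awaiting_data_ack.setdefault(
                (seg.src, seg.dst, seg.seq + seg.length), seg.ts_ms)
    unanswered = sorted((src, dst) for src, dst, _ in awaiting_syn_ack)
    return nrt, art, unanswered

# Constructed trace: one HTTP-like exchange plus one SYN that gets no reply.
CLIENT, SERVER = "10.0.0.5:50000", "192.0.2.10:80"
SAMPLE_TRACE = [
    Segment(0,   CLIENT, SERVER, "S",  1000, 0,    0),
    Segment(30,  SERVER, CLIENT, "SA", 5000, 1001, 0),
    Segment(31,  CLIENT, SERVER, "A",  1001, 5001, 0),
    Segment(40,  CLIENT, SERVER, "PA", 1001, 5001, 200),  # request
    Segment(95,  SERVER, CLIENT, "PA", 5001, 1201, 500),  # response + ACK
    Segment(96,  CLIENT, SERVER, "A",  1201, 5501, 0),
    Segment(200, "10.0.0.5:50001", "192.0.2.10:8443", "S", 7000, 0, 0),
]

if __name__ == "__main__":
    nrt, art, unanswered = response_times(SAMPLE_TRACE)
    print("NRT:", nrt)
    print("ART:", art)
    print("SYN without ACK:", unanswered)
```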

    22. Do I need an additional license for DPI?
      Yes, DPI requires an add-on license.

    23. Do I need an additional database for DPI?
      Yes, DPI works only with High Perf's database (local/remote).

    24. What reports can be generated using DPI?
      To access reports from the UI, navigate to Reports > DPI.
      There are 2 types: Online and Offline reports. Online reports are generated from the embedded built-in database. You can also have the packets captured in PCAP format and generate reports from them. ManageEngine DPI reports are based on time and criteria. DPI reports mainly concentrate on 3 metrics: URL, NRT and ART.
      Offline Reports
      We also have offline reports, where you can save the captured packets (in PCAP format) separately and generate the same reports.

    25. What is the web server port?
      The web server port is the port number on which the GUI is hosted. To access the NetFlow Analyzer GUI, use http://<serverip>:<webserverport>/
      The default port is 8060.

    26. What is the listener port?
      The listener port is the port number on which NetFlow Analyzer listens for UDP flow packets.
      The default port is 9996 for ManageEngine NetFlow Analyzer.

    27. How many web server ports can be added?
      Only 1 web server port will be hosted. It can be HTTP or HTTPS.

    28. How many listener ports can be added?
      You can add 5 listener ports, separated by commas.

    29. Do I need a service/server restart?
      Yes, changes in the port number require a product restart.

    30. Why do I see the interface name as Ifindex-1, 2, 3, etc.?
      NetFlow Analyzer discovers the interfaces with the interface index from the flow packets received. If SNMP is updated for the device, the interface names are resolved with respect to the Name / Description / Alias of the interfaces.
      If the interface names are not resolved using SNMP, NetFlow Analyzer displays the interface indexes as names, e.g. Ifindex-10.

    31. Why should I set interface speed?
      NetFlow Analyzer collects flow packets and updates the volume of traffic in bytes for the respective interfaces. With this volume, Speed and Utilization are calculated within the product. For the utilization calculation, the bandwidth capacity plays a vital role.

    32. What is sampling rate?
      Sampling can be configured on the device to export sampled flows and the same value can be applied here to get correct reports.

    33. Why do we need an ESP/GRE filter?
      Data transfer over VPN tunnels is more common nowadays. The tunnel traffic is encrypted at the entry and decrypted at the exit.
      From the NetFlow point of view, the traffic going into the device is different from the traffic coming out, because the packets are encrypted.
      All NetFlow based reporting tools will show the actual traffic before encryption, and the same traffic will be classified again as ESP traffic after encryption. This leads to double counting of traffic for the edge tunnel interfaces, with wrong bandwidth calculations.
      To avoid the above scenario, NetFlow Analyzer excludes ESP/GRE application traffic for the tunnel device.

    34. Why do I have to add an access control filter for the dropped traffic?
      When an access list is added on the device, the corresponding traffic is dropped in the router. In the exported flow, the OUT interface will be index 0 for the dropped traffic. NetFlow Analyzer by default does not show the dropped traffic, but the IN traffic information from the incoming interface is still accounted. If such interfaces are added to the Access-Control filter, this dropped traffic information will be filtered.

    35. Do I have to apply a suppression filter for my WAN optimizer?
      Yes. When traffic passes through a device, say it enters interface A and exits through interface B, NetFlow Analyzer will assume that whatever flows enter interface A will exit through interface B. This is not the case when it comes to WAN optimization devices, which compress the packets going out. To avoid wrong data being shown for the OUT interface of WAN optimization devices, output suppression should be enabled for the LAN-facing interface of the WAN optimizer.

    36. What is Inventory Updater?

      The Inventory Updater creates tasks in which device details like device name, interface name, speed and interface status are fetched using SNMP at a user-specified time.

    37. What actions can you perform on an Inventory Updater?

      The following actions can be performed:

      1. Adding an updater
      2. Editing an updater
      3. Deleting an updater
      4. Enabling/Disabling an updater
    38. How do you select the interfaces to be added in an updater?

      To select all the interfaces, click the All interfaces check box. To select a particular interface or a set of interfaces, click on Modify Selection and select the interfaces you want to add.

    39. What details can you fetch using the Inventory Updater?

      You can fetch device details like the router name, interface name, interface speed and interface status.

    40. Is it possible to schedule the updates?

      Yes, you can schedule it on a one time, hourly, daily, weekly or monthly basis.

    41. What can you configure under Data Units settings?

      Data unit calculation allows you to choose the units of conversion from Bytes > KB > MB > GB > TB.

    42. What are the available units of measurements? What is the default value?

      Data unit settings give you the option to set the measurement units as per industry standards. It can either be set to 1000 Bytes (SI standard) or 1024 Bytes (IEC standard). The value is set to 1000 by default.

    43. Explain the Automatic option in Data Units settings?

      NetFlow Analyzer automatically selects the unit based on the minimum and maximum values in the Speed/Volume graphs.

    44. How many decimal places will be displayed in the reports?

      You have the option to choose 2 or 3 digits to be displayed following the decimal point in the IN and OUT traffic values in the reports.

    45. Can I upgrade to the Enterprise edition directly from the Standalone UI?

      Yes, NetFlow Analyzer's Distributed Monitoring feature allows users to upgrade to the Enterprise Edition with a single click.

    46. Can the direct Essential to Enterprise conversion be reversed?

      No, the process is irreversible.

    47. Is it possible to add or delete AS Number?

      No, we cannot add or delete an AS number. However, it is possible to edit the AS name and the Organisation name.

    48. Do we need any additional configuration to view Autonomous System information in NetFlow Analyzer?

      Yes, you need to enable BGP routing on the device to send AS information to NetFlow Analyzer. To view the AS view information, enable AS data collection under storage settings.

    HighPerf Reporting Engine

    1. Why should you have HighPerf Reporting Engine?

    HighPerf Reporting Engine offers a set of unique benefits. Some of them are:

    • Increased raw data storage capacity
    • Instant report generation for bulky data volumes
    • Columnar database
    • Improved data compression techniques
    • Raw data availability for a much longer duration
    • Better analytics in reports
    • Better capacity planning reports

    2. Will HighPerf Reporting Engine affect the performance of NetFlow Analyzer?

    As long as the HighPerf Reporting Engine runs on a dedicated remote machine, it does not affect the performance of NetFlow Analyzer.

    3. How does HighPerf Reporting Engine enhance the capabilities of NetFlow Analyzer?

    NetFlow Analyzer is primarily an analytical tool. The flow data is collected from the devices and analyzed, and analytical reports are generated based on the collected data. The availability of raw data is of critical importance to generating reports. With HighPerf Reporting Engine, raw data can be made available for a period of up to 6 months. This repository of raw data can help in better analytics. These reports help in getting much better insights into the traffic statistics in your network.

    4. What are the recommended settings and system requirements for HighPerf Reporting Engine?

    Configuration with HighPerf, by flow rate and raw data storage period:

    Flow Rate: Less than 2500
    • 1 month raw data storage: 3.2 GHz Quad Core; RAM: 12 GB; Hard Disk: 512 GB (IPv4 alone), 770 GB (IPv4 and IPv6)
    • 3 months raw data storage: 3.2 GHz Quad Core; RAM: 14 GB; Hard Disk: 1.5 TB (IPv4 alone), 2.3 TB (IPv4 and IPv6)
    • 6 months raw data storage: 3.2 GHz Quad Core; RAM: 14 GB; Hard Disk: 3 TB (IPv4 alone), 4.6 TB (IPv4 and IPv6)
    • 12 months raw data storage: 3.2 GHz Quad Core; RAM: 14 GB; Hard Disk: 6 TB (IPv4 alone), 9.1 TB (IPv4 and IPv6)

    Flow Rate: Above 2500 and below 5000
    • 1 month raw data storage: 2X2.4 GHz Quad Core; RAM: 14 GB; Hard Disk: 1 TB (IPv4 alone), 1.5 TB (IPv4 and IPv6)
    • 3 months raw data storage: 2X2.4 GHz Quad Core; RAM: 16 GB; Hard Disk: 3 TB (IPv4 alone), 4.5 TB (IPv4 and IPv6)
    • 6 months raw data storage: 2X2.4 GHz Quad Core; RAM: 18 GB; Hard Disk: 6 TB (IPv4 alone), 9 TB (IPv4 and IPv6)
    • 12 months raw data storage: 2X2.4 GHz Quad Core; RAM: 22 GB; Hard Disk: 12 TB (IPv4 alone), 18 TB (IPv4 and IPv6)

    Flow Rate: Above 5000 and below 10000
    • 1 month raw data storage: 2X3.2 GHz Quad Core; RAM: 24 GB; Hard Disk: 2 TB (IPv4 alone), 3 TB (IPv4 and IPv6)
    • 3 months raw data storage: 2X3.2 GHz Quad Core; RAM: 28 GB; Hard Disk: 6 TB (IPv4 alone), 9 TB (IPv4 and IPv6)
    • 6 months raw data storage: 2X3.2 GHz Quad Core; RAM: 28 GB; Hard Disk: 12 TB (IPv4 alone), 18 TB (IPv4 and IPv6)
    • 12 months raw data storage: 2X3.2 GHz Quad Core; RAM: 36 GB; Hard Disk: 24 TB (IPv4 alone), 36 TB (IPv4 and IPv6)

    Flow Rate: 100k
    • 1 month raw data storage: 2X3.2 GHz Quad Core; RAM: 44 GB; Hard Disk: 700 GB/Day (IPv4 alone), 1 TB/Day (IPv4 and IPv6) [High IOPS]
    • 3 months raw data storage: 2X3.2 GHz Quad Core; RAM: 48+ GB; Hard Disk: 700 GB/Day (IPv4 alone), 1 TB/Day (IPv4 and IPv6) [High IOPS]
    • 6 months raw data storage: 2X3.2 GHz Quad Core; RAM: 48+ GB; Hard Disk: 700 GB/Day (IPv4 alone), 1 TB/Day (IPv4 and IPv6) [High IOPS]
    • 12 months raw data storage: 2X3.2 GHz Quad Core; RAM: 48+ GB; Hard Disk: 700 GB/Day (IPv4 alone), 1 TB/Day (IPv4 and IPv6) [High IOPS]

    Note: We highly recommend that users install NetFlow Analyzer and HighPerf Reporting Engine on the same machine to maximize the performance of both. A dedicated separate machine is recommended for installing and running HighPerf Reporting Engine.

    5. What is the installation procedure for HighPerf Reporting Engine?

    Please download our installation guide from here.

    6. What are the options to download the HighPerf Reporting Engine?

    HighPerf Reporting Engine has to be downloaded as a separate installation. When this module is installed on a remote machine as a server, it must also be installed on the main machine as a 'client' to be able to generate reports etc.

    7. What are the options of installing the HighPerf Reporting Engine as a separate add-on?

    There are 3 modes of installing the HighPerf Reporting Engine:

    1. Full installation - DB server + client
      Please choose this option to install the HighPerf add-on in the NetFlow Analyzer server itself. This option requires NetFlow Analyzer home folder. Example, C:\ManageEngine\NetFlow
    2. HighPerf DB server
      Please select this option to install HighPerf DB Server on a remote machine with connectivity to the NetFlow Analyzer Server. Requires HighPerf DB Client to be installed on the NetFlow Analyzer Server. This option is highly RECOMMENDED when the flow rate is high [greater than 1000 flows/second].
    3. HighPerf DB client
      Please select this option to install HighPerf DB Client on the NetFlow Analyzer server. This option requires the NetFlow Analyzer home folder. Example: C:\ManageEngine\NetFlow

    8. Which build numbers support HighPerf Reporting Engine add-on?

    The HighPerf Reporting Engine add-on is supported from NetFlow Analyzer 9800 onwards. Users of earlier versions need to upgrade to the latest version of NetFlow Analyzer to be able to use the HighPerf Reporting Engine add-on.

    9. What type of servers support HighPerf Reporting Engine?

    HighPerf Reporting Engine is supported in 64-bit servers alone. It cannot be run on 32-bit servers.

    10. Are High Performance Reporting Engine and HighPerf Reporting Engine different?

    No, they are the same thing. High Performance Reporting Engine is abbreviated as HighPerf Reporting Engine.

    Mapping

    1. What information do you need to map a custom application?
      To map a custom application, provide the application name, port number and protocol (mandatory). You can also associate an IP address / IP network / IP range if needed.

    2. Can I map an application with server details?

      Yes, you can create a mapping for corresponding port and protocol along with IP details.

    3. Can I create a custom DSCP name?

      Yes, you can create a custom DSCP name for the existing code points. Please visit the link to know more about DSCP mapping.

    4. Is it mandatory to create topsite map to know the URL traffic?

      Yes, the created topsite details alone will be displayed.

    5. Does NetFlow Analyzer have built-in mappings such as Google, YouTube, etc.?
      We do not have a predefined site map as of now. We are working on it.

    6. How is Top site different from Application mapping?
      With Application Mapping you can map applications with port and protocol along with an IP range. It allows you to scan your network based on IP ranges and discover all applications and servers.
      Top Sites gives a list of applications contributing to the traffic. For mapping top sites, you have to provide the site name, application name and IP range.

    Network Mapping

    1. What is needed to create your network map?
      Add at least two devices in the maps tab and link the two devices to create a network map.

    2. Will I be able to see the link status from the map?
      Yes, the link status can be understood from the color change. Click on the device icon for device details.

    3. Can I see the map on a big screen and know if my link is down?
      Yes, maps can be displayed on a big screen, and the color of the link changes with respect to the status.

    Grouping

    1. What is the purpose of a device group?
      A device group allows administrators to manage users effectively by limiting which devices they can access.

    2. Can I see the combined devices traffic for a created group?

      No, a device group doesn't show the combined traffic. To view combined traffic, interface groups can be created.

    3. How does the device group help in effective user management?

      You can create device groups and associate them with users, so that the respective users will have access to the specific groups only.

    4. How can I generate reports for device group?

      Reports for device groups can be generated using Report Profile under reports tab.

    5. What is the purpose of an interface group?

      An interface group allows you to see the combined traffic of multiple interfaces of the same device or of different devices. For example, if there are 2 WAN routers (primary and secondary) which work in load sharing mode, you can create an interface group with the respective WAN-facing interfaces of both routers. You can then monitor the combined traffic of the WAN interfaces and generate reports.

    6. Where can I see reports for the interface group?
      Navigate to Inventory > Groups > Interface group (in the left pane), select the group name and expand it. You can see the snapshot page for the interface group. To generate a report, click on the menu icon (green square on the top right).

    7. Can I schedule a report for the interface group?

      Yes, you can schedule all reports for interface group from the reports tab.

    8. Can I group multiple interfaces of different devices?

      Yes, you can group multiple interfaces of different devices.

    9. Can we associate an interface group to a bill plan?

      Yes, you can associate an interface group to a bill plan under Reports > Billing. Click on the edit icon next to the Bill Plan and click Next. Here you can select the interface group name and click save to associate to the bill plan.

    10. Can we generate alerts for the interface group?
      Yes, you can generate alerts for the interface group from Settings > NetFlow > Alert Profile. Create a new alert profile / click on the existing alert profile and select the interface groups to be associated and save.

    11. What is the purpose of an IP group?
      An IP group allows you to monitor specific traffic matching the criteria provided. You can create an IP group based on IP details / protocol / port / DSCP, with include/exclude, and associate it to one or many interfaces to monitor the corresponding traffic.

    12. How can I generate reports for the IP group?

      Yes, you can generate reports for the IP group from the IP group snapshot page. Navigate to Inventory > Groups > IP group (in the left pane), select the group name and expand it. You can see the snapshot page for the IP group. To generate a report, click on the menu icon (green square on the top right).

    13. Do we have an option to exclude criteria for an IP group?

      Yes, you have an option to exclude criteria for an IP group. A combination of include and exclude is also available. For example, you can include 192.168.0.0/16 and exclude 192.168.100.100.

    14. Can I schedule a report for the IP group?

      Yes, you can schedule a report for the IP group from the reports tab.

    15. Can I associate multiple interfaces for an IP group?
      Yes, you can associate multiple interfaces for an IP group.

    16. Can we associate an IP group to a bill plan?
      Yes, you can associate an IP group to a bill plan under Reports > Billing. Click on the edit icon next to the Bill Plan and click Next. Here you can select the IP group name and click save to associate to the bill plan.

    17. Can we generate alerts from the IP group?

      Yes, you can generate alerts for the IP group from Settings > NetFlow > Alert Profile. Create a new alert profile / click on the existing alert profile and select the IP groups to be associated and save.

    18. Can I get a single report for all IP groups?

      Yes, you can generate an IP group consolidated report to see the IN and OUT traffic of all the IP groups in a single report.

    19. Where can I see the application group traffic?

      Navigate to Interface / Interface group / IP group snapshot page (Inventory > Interface/IP group/Interface group), select Application tab, scroll down to see the application group traffic.

    20. Where can I see the DSCP group traffic?
      Navigate to the Interface / IP group / Interface group snapshot page (Inventory > Interface/IP group/Interface group), select the QoS tab, and select the DSCP group from the "DSCP" drop-down.

    21. What is the purpose of an Access Point group?
      It is possible to create an Access Point group to view the combined traffic usage of multiple APs. Access Point groups can be used to categorize the traffic by location, site, user type, etc.

    22. How can I generate reports for Access Point grouping?
      It is possible to generate reports for an AP group from Inventory > Groups. You can view the traffic by real-time graph, Clients, SSIDs, Application, QoS and conversation for a particular AP group. You also have an option to create and view the reports under the dashboard for the associated access point group. The report can be scheduled or exported as PDF or CSV.

    23. What is the purpose of an SSID group?
      SSID groups are created to view the combined traffic usage of multiple SSIDs. SSID groups can be used to categorize the traffic by location, site, user type, Access Points, etc.

    24. How can I generate reports for SSID grouping?
      It is possible to generate reports for AP group from Inventory > Groups. You can view the traffic by real-time graph, Clients, Access Points, Application, QoS and conversation for a particular SSID group. You also have an option to create and view the reports under the dashboard for the associated SSID group. The report can be scheduled or exported as PDF or CSV.

    Alerts

    1. Will a link down alert be generated if flows are not received?
      Yes, you have an option to get alerts if no flows are received for 15 minutes from any monitored device.

    2. Is it possible to enable the link down alert for selected interfaces alone?

      Yes, it is customizable. Navigate to Settings > NetFlow > Alert Profile. Click on "Link down" alert and edit the interfaces and click on Update.

    3. What are the different criteria you can provide in creating an alert profile?

      Thresholds can be set for Interface / IP group / Interface Group on IN / OUT / Combined (with business hour filter) for greater than / less than, based on Volume / Utilization / Speed / Packets, with severity Attention / Trouble / Critical.

    4. Can a report be generated for an alarm?

      Yes, the last hour's report will be generated and emailed as an attachment if raw data is available.

    5. Can I generate alerts for groups?

      Yes, alerts for IP group and interface group can be generated.

    6. Can I customize alert notifications?

      Yes, alert messages can be customized.

    7. Can alerts be forwarded to an external monitoring system?

      Yes, an SNMP trap can be generated from the NetFlow Analyzer server and sent to the corresponding NMS server.

    8. Can multiple severities be set for different threshold values?
      Yes, multiple severities can be set for different threshold values.

    9. Can I log tickets for alerts?
      Yes, you can choose to log an alert as an SDP ticket under Alerts Profiles once you configure the ServiceDesk Plus add-on.

    NBAR/CBQoS

    1. How long can you retain Cisco CBQoS & NBAR data? Disk space for storage of NBAR/CBQoS?

      NBAR and CBQoS data can be stored for a max of 1 year. You will require a free disk space of 360 MB to store NBAR data and 180 MB to store CBQoS data for a year per interface.

    2. What is NBAR?

      Network Based Application Recognition is a Cisco feature used to identify the application traffic passing through the device. It requires an additional license from Cisco and an add-on license for NetFlow Analyzer. In NetFlow Analyzer, applications are categorized based on port and protocol. Some applications use dynamic ports (e.g. Skype). These applications can be categorized by the NBAR add-on.

    3. What is CBQoS?
      Class-Based Quality of Service is an add-on in NetFlow Analyzer. It helps to analyze whether the policy on the device is effective.
      You can see the pre-policy and post-policy traffic, the amount of traffic dropped due to the applied policy, and a tree view of parent and child policies.

    4. What is the minimum and maximum polling interval for NBAR & CBQoS?
      Minimum: 5 minutes; Maximum: 1 hour

    5. Do I need additional license for NBAR & CBQoS?

      Yes, CBQoS and NBAR are add-ons for NetFlow Analyzer.

    6. Is NBAR & CBQoS supported on non-Cisco devices?

      No, CBQoS and NBAR are supported only on Cisco devices.

    7. Do I need an additional license for NBAR & CBQoS from the vendor?

      NBAR: Yes
      CBQoS: No

    Attacks/ASAM

    1. What is ASAM?
      ASAM is a flow based network security analytics module that helps detect and classify network intrusions. It offers intelligence to detect a broad spectrum of external and internal security threats. Using the "Continuous Stream Mining Engine" technology, ASAM analyzes flow packets in real time and matches predefined problem events. Thus, it offers continuous overall assessment of network security.

    2. Do I need an additional license for ASAM?
      No, ASAM is available by default in the Enterprise edition.

    License Management

    1. Is licensing based on devices or interfaces?
      NetFlow Analyzer licensing is based on the number of interfaces you wish to monitor.

    2. What is the difference between manage, unmanage & new interfaces?

      Manage : Counted for license
      UnManage: Not counted for license
      New Interfaces: Receiving flows but do not have license to manage, so data is not collected.

    3. I enabled flow on 2 interfaces but I can see all the interfaces in the Inventory.

      Yes, NetFlow Analyzer finds the other interface from the incoming flow packet. With this information, both interfaces can be discovered. Likewise, all the interfaces that communicate with the NetFlow-enabled interfaces are discovered.

      Note: We recommend enabling NetFlow on all available layer 3 interfaces of the device to provide accurate reporting. Interfaces you do not want to monitor can be unmanaged from license management.

    4. If an interface is deleted and re-added, can I see the old data?

      Yes, if an interface is deleted from NetFlow Analyzer, it will get added automatically if the server receives flow from the interface. Old data will be available if it was managed earlier.

    5. How do I retrieve a deleted interface?
      If you delete an interface but want to add it again, please contact our support team at netflowanalyzer-support@manageengine.com.

    6. Should I unmanage or delete an interface if I don't want to monitor it?

      You can unmanage the interface if you do not want to monitor it.

    7. Is licensing based on WLC or access points?

      Licensing is based on the number of access points you wish to monitor.

    8. What is the difference between manage, unmanage & new APs?
      Manage: Counted for license
      UnManage: Not counted for license
      New Access Points: Receiving flows, but there is no license to manage them, so data is not collected.

    9. If an access point is deleted and re-added, can I see the old data?
      Yes, if an access point is deleted from NetFlow Analyzer, it will get added automatically if the server receives flow for the access point. Old data will be available if it was managed earlier.

    10. Is ASAM licensing based on interface or device?
      Licensing is based on the number of interfaces for which ASAM is enabled in the user interface.

    11. I'm monitoring 4 interfaces in a device but I need ASAM for 2. Is it possible?

      Yes, the ASAM license is customizable. Navigate to Settings > NetFlow > Attacks License Management and Enable/Disable interfaces.

    Reports

    1. What is available in the search report?
      The search report is generated from aggregated data, which is based on top N records. You can generate a search report by clicking on the Reports tab. You can select the interfaces for which you want to generate the report, and specify different criteria and a time period. This report is most helpful when you need to analyze specific information going back in time. Since it is generated from aggregated data, it can give historic information.

    2. Can I generate a report for multiple criteria?
      Yes, you can set multiple criteria to view specific traffic.

    3. What is the maximum number of criteria that can be added in a search report?
      You can set a maximum of 3 criteria to generate a report.

    4. Can I generate a report for customized time?
      Yes, reports can be generated for any period, provided data is available.

    5. Can I export the reports?
      Yes, there is an option to export the report to email, CSV and PDF.

    6. Is it possible to save the search criteria or generated reports?
      Yes, generated reports can be exported and saved in any of the above formats. The criteria cannot be saved for future use. Instead, you can use report profiles to achieve this.

    7. What do I see in the report profile?
      Device-specific reports can be viewed in Report Profile.

    8. Is there an option to include all and exclude one criterion in a report?
      Yes, you can create multiple filters with include and exclude criteria to drill down to a specific view.

    9. Which reports are available for a device in Report Profile?
      Application, Conversation, Source, Destination, Conversation Network, QoS and DSCP reports are available.

    10. Can we schedule the report profile to email?
      Report profiles can be scheduled and reports can be emailed.

    11. Can I use multiple data points?
      Yes, one-minute and five-minute data points are available.

    12. What are data points in the Consolidated report?
      Data points are the granularity of the generated report.

    13. Can I generate a forensics report for multiple criteria?
      Yes, a forensics report can be generated based on multiple criteria.

    14. What is the maximum number of criteria that can be added in a forensics report?
      You can add up to 3 criteria to view specific traffic.

    15. Can I generate a forensics report for a customized time period?
      Yes, forensics reports can be generated for a custom time period (provided raw data is available).

    16. Where do I see AS reports?

      To see the AS information, navigate to the corresponding device snapshot page. Under AS view, you can expand it to download it as PDF or CSV, or send it by email.

    17. Can I export the forensics reports?
      Yes, forensics reports can be exported to PDF or CSV, or emailed.

    18. How is flow rate calculated for active conversations in the forensics report?

      Flow Rate is calculated as follows:
      [Image: flowratecalc]

    20. What is the percentile used for billing?
      Billing uses the 95th percentile calculation since 95th percentile is an averaging method, which is less volatile than actual usage.

    21. What are the different types of billing options?
      There are two different billing types in NetFlow Analyzer. Bills can be generated based on speed or volume.

    22. Is it possible to generate an on-demand bill plan?
      Bills can be generated on demand. By clicking on "OnDemand" for a particular bill plan in the bill plan list, a bill can be generated for the time period from the beginning of the billing cycle to the current date.

    23. Is it possible to associate a bill to a particular email address?
      It is possible to send a bill report to one or multiple email addresses. The option is available in the "Bill schedule details". Multiple mail IDs should be separated by a comma ",". The email subject can also be customized as per the user's requirement.

    24. Do I have an option to customize currency?
      Yes, you can select the currency for individual bill plans from the drop-down box and enter the cost.

    25. What are the reports available with billing?
      Once the bill is generated, you can view the bills under "Generated reports". This will show the complete bill details and you can drill-down to see the usage by each interface or group.

    26. How does 95th percentile billing work?
      The 95th percentile is a widely used mathematical calculation to evaluate the regular and sustained use of a network connection. The 95th percentile says that 95% of the time, the usage is at or below a certain amount. Thus, 5% of the samples may be bursting above this rate. Select one of the two options from the drop-down box. Selecting "In & Out merge" will merge the In and Out values and calculate the 95th percentile value. Selecting "In & Out separate" will calculate the 95th percentile value of In and the 95th percentile value of Out separately, and the higher of the two is considered. This is calculated using 5-minute average data points.
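
      The two options described above, worked through on one day of 5-minute samples. This is an added example, not NetFlow Analyzer's own code: the function names and sample data are constructed, the nearest-rank percentile method is an assumption, and "merge" is assumed to mean adding In and Out for each interval before taking the percentile.

```python
from typing import List, Sequence, Tuple


def percentile_95(samples: Sequence[float]) -> float:
    """Nearest-rank 95th percentile: 95% of samples are at or below the result."""
    if not samples:
        raise ValueError("no samples in the billing period")
    ordered = sorted(samples)
    rank = -(-95 * len(ordered) // 100)  # ceil(0.95 * n) without float rounding
    return ordered[rank - 1]


def billable_rate(in_mbps: Sequence[float], out_mbps: Sequence[float],
                  mode: str = "separate") -> float:
    """Billable speed for one period of 5-minute average samples."""
    if len(in_mbps) != len(out_mbps):
        raise ValueError("In and Out series must cover the same intervals")
    if mode == "separate":
        # Percentile of each direction on its own; the higher one is billed.
        return max(percentile_95(in_mbps), percentile_95(out_mbps))
    if mode == "merge":
        # Assumption: "merge" means In + Out per interval before the percentile.
        return percentile_95([i + o for i, o in zip(in_mbps, out_mbps)])
    raise ValueError(f"unknown mode: {mode!r}")


def constructed_day() -> Tuple[List[float], List[float]]:
    """Constructed sample data: one day = 288 five-minute averages, in Mbps."""
    in_mbps = [40.0] * 288
    out_mbps = [20.0] * 288
    in_mbps[100:110] = [900.0] * 10   # 10 samples (3.5%): falls in the top 5%
    out_mbps[200:220] = [300.0] * 20  # 20 samples (6.9%): exceeds the top 5%
    return in_mbps, out_mbps


if __name__ == "__main__":
    inbound, outbound = constructed_day()
    print("In p95 (Mbps):", percentile_95(inbound))
    print("Out p95 (Mbps):", percentile_95(outbound))
    print("In & Out separate:", billable_rate(inbound, outbound, "separate"))
    print("In & Out merge:", billable_rate(inbound, outbound, "merge"))
```

      The short inbound burst is discarded because it occupies fewer than 5% of the samples, while the longer outbound burst sets the billable rate in both modes.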

    27. Can I add tax or additional fees to bill plan?
      Yes, you can add tax, one-time charges or any surcharge to your bill plans. The charges can be either a fixed value, or percentage.

    28. What can I infer by generating a protocol distribution report?
      The Protocol Distribution report lets you view information on the top protocols utilizing the bandwidth for an Interface, Interface Group or IP group.

    29. What is the data point granularity in the capacity planning report?
      Capacity planning reports can be generated with one-minute and five-minute data point granularity.

    30. How to define weekends in NetFlow Analyzer?
      By default, Saturday & Sunday are set as weekends. Please contact Support@netflowanalyzer.com to customize weekends.

    31. Is it possible to set business hours for capacity planning report?
      Yes, Business hour filters can be set to filter non-productive information.

    32. What additional information can I see in Capacity Planning?
      You can view the application growth and traffic trend in Capacity Planning reports.

    33. What types of reports can be scheduled?
      All reports except the Forensics report can be scheduled.

      Consolidated, Traffic, Capacity Planning, Application, Source, Source Network, Destination, Destination Network, QoS, Conversation, Conversation Network, Report Profiles, Compare, Custom, Multicast, Medianet, NBAR, and CBQoS reports can be scheduled on a daily, weekly and monthly basis.

    35. Can I schedule reports for Business hours?
      Yes, Business hour filters can be applied in scheduled reports.

    36. What are the different types of Compare report?
      1. Compare the same interface/IP group for multiple time intervals.
      2. Compare multiple interfaces/IP groups for the same time interval.

    37. On what algorithm is the forecast report generated?
      A time series can be forecast using statistics or machine learning. NetFlow Analyzer employs techniques like autocorrelation, seasonality trend loss decomposition and regression to forecast reports.

    38. What is the accuracy of the forecast reports?
      To generate one week's forecast report with 80% accuracy, historical data should be available for at least 28 days. The granularity and accuracy of the forecast will vary based on the available data.

    39. What are the possible error messages that might show up while generating the report?

      • Atleast 5 past instances are required / No data
        A minimum of 5 data instances are required to generate a forecast report. Newly configured devices might not have sufficient data to forecast future trends.
      • business hour alerts - Start time is greater than the end time
        While applying the Business Hour Filter, the user must ensure that the start time precedes the end time.
      • Too many values missing and hence, inappropriate to forecast!
        When the service is down, the available data might be insufficient to generate a forecast.

    40. Can the forecast report be generated for custom time periods?
      No, the data can be forecasted only for the following pre-defined set of time periods - 7 days / 15 days / 1 month / 3 months / 6 months / 1 year.

    41. What is the function of the show history button?
      When enabled, show history depicts the past trends based on which the report has been generated. For example, to generate a forecast for the next 7 days, the past 35 days of data would be graphically depicted to the users.

    42. What can I infer by generating an Inventory Report?
      The Inventory report shows the consolidated information of the Interfaces, Interface groups, IP groups, Access Points, Access Point groups and SSID groups with the IN and OUT bandwidth utilization based on Speed, Volume or Utilization.

    43. When is the violation report generated?
      A violation report is generated only when the selected criteria are violated while generating the inventory report. These criteria violations can be viewed by clicking on the graph icon which appears in the generated report.

    44. What is the need for defining criteria in Inventory report?
      By defining criteria, users can view filtered reports based on the selected criteria, and violation report in case of any criteria violations. This helps in gaining better visibility over their bandwidth utilization with more intuitive reports.