Deployment Types
There are several key factors to consider that will determine the type of NFO deployment in your environment:
- The amount of NetFlow data you'd like to process from your network devices on premises
- The number of data centers or geographical locations of your offices with network equipment you'd like to monitor
- Whether you have on prem, cloud, or hybrid environments
- In case of cloud or hybrid environments, whether you want to collect VPC Flow logs to monitor your entire infrastructure
- Location of your SIEM (on prem or in the cloud) and other systems you'd like to store flow data for full fidelity or compliance
To learn more about NFO High Availability, see High Availability Deployment.
Single Instance Deployment
In this scenario, one instance of NetFlow Optimizer handles all flow data processing, enrichment, and SNMP polling. A single-instance deployment can be useful for evaluation purposes and might be sufficient to serve the needs of small to medium size organizations.
Distributed Deployment on Premises
Consider this scenario if you have multiple data centers or remote offices, or if you'd like to apply different rules (NFO configurations) to different group of devices (e.g. collect all flows from edge devices, and only top traffic from internal switches). In these scenarios you may still choose to receive flow data in a central SIEM or in a SIEM deployed in your cloud.
You may also choose the following scenario.
In this deployment, you dedicate one NFO instance as a central point for collecting flows from all your network devices. This instance is configured in Repeater mode, with optional full fidelity flow data recording. The NFO Repeater functionality allows you to retransmit the original flow data to other destinations, specifically other NFO instances. This setup enables flows from certain devices (e.g., routers and firewalls) to be sent to NFO instance 2, where NFO Logic Modules with configurations for routers and firewalls are enabled. Likewise, flows from other devices (e.g., switches, VDS) are sent to NFO instance 3, where NFO Logic Modules suitable for processing flows from switches are enabled.
Distributed Deployment in Hybrid Environment
Consider this scenario if you have your own data center with SIEM installed on premises, and you'd like to collect flows from your physical devices and VPC Flow logs from your cloud.
If your SIEM is running in the cloud, here is an example of recommended deployment.