Solutions at a Glance
The tables below show which Modules need to be enabled to turn on NetFlow Optimizer-specific solutions.
Amazon AWS VPC Flow Logs Module Set
| Module Name (nfc_id) | Description |
|---|---|
| AWS Top Traffic Monitor (20267) | This Module reports EC2 instances and hosts with the most traffic. It enriches IP addresses with EC2 names, VPC names, and AWS regions. |
| AWS VPC Flow logs (20201) | This Module reports Amazon VPC Flow Logs ingested from CloudWatch (using Kinesis or CWL API) or S3 translating them one-to-one. |
Microsoft Azure NSG Flow Logs
| Module Name (nfc_id) | Description |
|---|---|
| Azure Top Traffic Monitor (20467) | This Module reports Azure Cloud VMs and hosts with the most traffic. It enriches IP addresses with VM names, Virtual Network names, and regions. |
| Azure NSG Flow Logs | This Module reports Azure NSG Flow Logs ingested from Microsoft Azure Cloud translating them one-to-one. |
Google Cloud VPC Flow Logs Module Set
| Module Name (nfc_id) | Description |
|---|---|
| GCP Top Traffic Monitor (20367) | This Module reports Google Cloud VMs and hosts with the most traffic. It enriches IP addresses with VM names, VPC names, and regions. |
| GCP VPC Flow Logs (20301) | This Module reports GCP VPC Flow Logs ingested from Google Cloud translating them one-to-one. |
Network Conversations Monitor
| Module Name (nfc_id) | Description |
|---|---|
| Network Conversations Monitor (20062) | This Module reports consolidated network conversations. Optionally it stitches client-server request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields. It also calculates and reports conversation duration, direction (inbound / outbound), state (Begun, Continues, Ended), action (Accepted / Rejected), etc. |
Network Traffic and Devices Monitor Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Network Subnets Monitor (20011) | Reports top bandwidth consumers for each monitored subnet. |
| TCP Health Monitor (20060) | This Module reports TCP Health by detecting top hosts with the most TCP Resets. |
| Top Connections Monitor (20063) | This Module identifies hosts with the most connections. |
| Top Pairs Monitor (20064) | This Module reports top Host Pairs network conversations. |
| CBQoS Monitor (20065) | This Module reports traffic for all DSCP bits combinations (QoS). |
| Traffic by Autonomous Systems (20066) | This Module reports traffic by all Autonomous Systems (AS). |
| Top Traffic Monitor (20067) | This Module identifies hosts with the most traffic. |
| Top Packets Monitor (20068) | This Module identifies hosts with the most packets. |
Enhanced Traffic Monitor
| Module Name (nfc_id) | Description |
|---|---|
| Top Traffic Monitor Geo Country (20967) | This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at Country level. |
Enhanced Traffic Monitor 2
| Module Name (nfc_id) | Description |
|---|---|
| Top Traffic Monitor Geo City (20867) | This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at City level. It also reports TCP session duration. |
Security Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Visitors by Country (Hosts GeoIP) (20040) | This Module identifies hosts with the most traffic and reports them with their geographical locations. |
| Botnet C&C Traffic Monitor (20050) | This Module monitors traffic originating from known Command and Control (C&C) hosts or directed to these hosts. The list is published by Emerging Threats (http://www.emergingthreats.net/). |
| Custom Threat lists Monitor (20051) | This Module enables you to set up your own threat lists, public or private, and report traffic originating from or directed to the malicious hosts in these threat lists. |
| Host Reputation Monitor (20052) | This Module uses a host reputation database from AlienVault (https://cybersecurity.att.com/) to report communications with malicious peers. |
| Threat Feeds Traffic Monitor (20053) | This Module monitors traffic originating from known threat lists (published by DShield.org) specified as IP blocks, lists of domains, or IP addresses. |
Email Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Outbound Mail Spammers Monitor (20025) | This Module detects internal hosts infected with spam malware. |
| Inbound Mail Spammers Monitor (20026) | This Module detects external hosts sending excessive email traffic to your organization. |
| Unauthorized Mail Servers Monitor (20027) | This Module detects internal hosts running unauthorized mail servers. |
| Rejected Emails Monitor (20028) | This Module detects external hosts sending emails rejected by internal mail servers. |
Services Monitor Module Set
| Module Name (nfc_id) | Description |
|---|---|
| DNS Service Monitor (20004) | This Module monitors DNS servers and reports DNS server statistics based on DNS traffic. |
| DNS Users Monitor (20005) | This Module monitors DNS users and reports DNS usage statistics based on DNS traffic. |
| Asset Access Monitor (20014) | This Module monitors traffic to selected services and matches communications to a list of authorized peers. |
| Services Performance Monitor (20017) | This Module monitors services performance characteristics. |
Cisco AnyConnect Traffic Monitor
| Module Name (nfc_id) | Description |
|---|---|
| Cisco AnyConnect Top Traffic Monitor (20567) | This Module reports Cisco AnyConnect NVM Flow Logs with logged user information. |
Cisco AVC Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Cisco AVC Top Applications Monitor (20434) | This Module provides a list of most active applications by traffic. |
| Cisco AVC Bandwidth Consumption Monitor (20435) | This Module provides a list of most active applications and users by traffic, including source and destination IP addresses. |
Cisco ASA Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Top Bandwidth Consumers for Cisco ASA (20018) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
| Top Traffic Destinations for Cisco ASA (20019) | This Module provides a list of the most popular destinations measured by traffic volume. |
| Top Policy Violators for Cisco ASA (20020) | This Module provides a list of firewall policy violators. |
| Top Hosts with most Connections for Cisco ASA (20021) | This Module provides the top N consumers (users) ranked by number of connections. |
Palo Alto Networks Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Top Bandwidth Consumers for Palo Alto Networks Firewall (20030) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
| Top Traffic Destinations for Palo Alto Networks Firewall (20031) | This Module provides a list of top network bandwidth destinations. |
| Hosts with Most Policy Violations for Palo Alto Networks Firewall (20032) | This Module provides a list of top firewall policy violators. |
| Most Active Hosts for Palo Alto Networks Firewall (20033) | This Module provides a list of most active hosts by the number of initiated connections. |
| Bandwidth Consumption per Application for Palo Alto Networks Firewall (20034) | This Module provides a list of most active applications by traffic. |
| Bandwidth Consumption per Application/User for Palo Alto Networks (20035) | This Module provides a list of most active applications and users by traffic, including source and destination IP addresses. |
| Top Applications Traffic Monitor (20036) | This Module reports hosts for top Applications by bandwidth. |
| Top Applications Host Pairs Monitor (20037) | This Module reports top Host Pairs network conversations for top Applications by bandwidth. |
VMware Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Top Host VM:Host Pairs (20164) | This Module reports top network conversations in a VM environment. |
| Top VM:Host Traffic Monitor (20167) | This Module identifies VMs with the most traffic. |
Micro-segmentation Analytics
| Module Name (nfc_id) | Description |
|---|---|
| Micro-segmentation Top Pairs Monitor (20264) | This Module is used for analyzing “east-west” and “north-south” traffic and provides information for micro-segmentation planning. |
NSX Distributed Firewall Monitoring Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Top Bandwidth Consumers for NSX Distributed Firewall (20118) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
| Top Traffic Destinations for NSX Distributed Firewall (20119) | This Module provides a list of the most popular destinations measured by traffic volume. |
| Top Policy Violators for NSX Distributed Firewall (20120) | This Module provides a list of firewall policy violators. |
| Top Hosts with most Connections for NSX Distributed Firewall (20121) | This Module provides the top N consumers (users) ranked by number of connections. |
Utilities Module Set
| Module Name (nfc_id) | Description |
|---|---|
| Sampling Monitor (20002) | This Module reports NetFlow sampling information. |
| SNMP Information Monitor (20003) | This Module reports SNMP information. |
| SNMP Custom OID Sets Monitor (20103) | This Module enables you to build OID sets for SNMP polling and reporting, using the built-in SNMP polling service (supports SNMP v2c and v3). |
| SNMP Traps Monitor (20700) | This Module enables you to report SNMP traps using the built-in SNMP service (supports SNMP v2c and v3). |