Getting Started Guide: NFO
This guide will walk you through the essential steps to get NFO up and running, enabling you to monitor and analyze your network traffic. You'll learn how to set up flow data inputs, outputs to various destinations, and configure NFO Modules to process your flow data effectively.
Prerequisites
Operating System
NFO could be deployed on most Linux ODs (Linux kernel 2.17+), and Windows (Server 2012 R2 onwards).
Hadware or VM
These are the minimum requirements for an NFO deployment (virtual machine or physical server):
- 2 physical CPU cores or 4 vCPU at 2Ghz or greater speed per core
- 8GB RAM
- 20GB disk space
Supported Browsers
You can use one of the following browsers to connect to the NFO Web user interface.
- Mozilla Firefox 38.0 and up
- Safari 6.0, 7.0
- Google Chrome 34.0 and 43.0 and up
- IE10, IE11, and MS Edge
Required Network Ports
The following network ports must be accessible.
| Port | Description |
|---|---|
| 8443/TCP | NetFlow Optimizer GUI |
| 9995/UDP | NetFlow/IPFIX Ingestion (plus all ports for ingestion as necessary) |
| 161/UDP and 162/UDP | SNMP polling and SNMP traps |
| 9001/TCP | Configuration Data Base, port is opened on loopback interface 127.0.0.1 |
| 20047/TCP and 20048/TCP | NetFlow Optimizer internal services, ports are opened on loopback interface 127.0.0.1 |
| 20047/UDP and 20048/UDP | NetFlow Optimizer outputs for Kafka, OpenSearch, etc., ports are opened on four loopback interfaces 127.17.0.1 - 127.17.0.4 |
Installation
You should install and run NFO as as root for Linux and administrator for Windows.
Download the latest version of NetFlow Optimizer at: https://www.netflowlogic.com/downloads/
To install NFO on your platform, visit NFO Installation Guide.
Upon successful installation a message will display indicating that the NetFlow Optimizer installation has been successfully completed.
Log in to NetFlow Optimizer at https://<nfo-host>:8443 where NFO‑host is the IP address or host name of the NFO server, apply license, and continue configuration.
Configuration
Add Inputs
By default NetFlow Optimizer is preconfigured with one active data input UDP port number 9995. You may change it or add additional ports. For more information on inputs, including configuration for ingesting cloud flow logs, visit Configure Inputs.
Add Outputs
You may add up to sixteen output destinations, specifying the format and the kind of data to be sent to each destination. For more information on outputs, visit Configure Outputs.
Configure NetFlow Processing Modules
By default, NetFlow Optimizer comes preconfigured with one enabled module, the Top Traffic Monitor. Alternatively, you can enable the Network Conversation Monitor.
Which Module to Choose: Top Traffic Monitor or Network Conversations Monitor
This section explains the difference between these two Modules.
Overview of Modules
- Top Traffic Monitor Module: This module is primarily designed to identify and report on hosts that generate the most traffic across a network. It consolidates NetFlow records by grouping data such as IP addresses, ports, and protocols, providing insights into high-traffic hosts over configurable intervals.
- Network Conversations Monitor Module: Focused more on the bidirectional aspects of network traffic, this module captures and reports detailed network conversations. It enriches data with additional context, such as application details and user IDs, making it invaluable for in-depth network behavior analysis and security monitoring.
Key Features Comparison
| Feature | Top Traffic Monitor Module | Network Conversations Monitor Module |
|---|---|---|
| Primary Function | Consolidation of uni-directional flows reporting high-traffic host data. | Detailed reporting of consolidated bi-directional network conversations. |
| Volume Reduction Options | Data collection interval for flow consolidation, Top N by volume, deduplication, ignoring client ports. | All Top Traffic Monitor options, plus bi-directional option, conversation duration, many enrichment options. |
| Data Collection Focus | Volume of traffic by hosts. Enrichment is limited to DNS names. | Contextual details of conversations, including applications, VM names, users, cyber security reputation, etc. |
| Deduplication Feature | Optional, avoids data redundancy by selecting authoritative NetFlow exporter. | Same as Top Traffic Monitor. |
| Output Details | Fixed format. | Ability to select the fields to be reported. |
Conclusion
Choosing between the Top Traffic Monitor and Network Conversations Monitor depends largely on the specific needs of an organization’s network management and security protocols. While the Top Traffic Monitor provides a broad overview of traffic loads, the Network Conversations Monitor offers a granular view of network interactions, making it a key tool for detailed analytics and security purposes.
SNMP Polling and Traps
NetFlow Optimizer comes with flexible support for SNMP polling and Traps. To learn more, visit Getting Started Guide: SNMP Polling.
Deployment Scenarios
There are several key factors to consider that will determine the type of NFO deployment in your environment:
- The amount of NetFlow data you'd like to process from your network devices on premises
- The number of data centers or geographical locations of your offices with network equipment you'd like to monitor
- Whether you have on prem, cloud, or hybrid environments
- In case of cloud or hybrid environments, whether you want to collect VPC Flow logs to monitor your entire infrastructure
- Location of your SIEM (on prem or in the cloud) and other systems you'd like to store flow data for full fidelity or compliance
To learn more about NFO High Availability, see High Availability Deployment.
Single Instance Deployment
In this scenario, one instance of NetFlow Optimizer handles all flow data processing, enrichment, and SNMP polling. A single-instance deployment can be useful for evaluation purposes and might be sufficient to serve the needs of small to medium size organizations.
Distributed Deployment on Premises
Consider this scenario if you have multiple data centers or remote offices, or if you'd like to apply different rules (NFO configurations) to different group of devices (e.g. collect all flows from edge devices, and only top traffic from internal switches). In these scenarios you may still choose to receive flow data in a central SIEM or in a SIEM deployed in your cloud.
You may also choose the following scenario.
In this deployment, you dedicate one NFO instance as a central point for collecting flows from all your network devices. This instance is configured in Repeater mode, with optional full fidelity flow data recording. The NFO Repeater functionality allows you to retransmit the original flow data to other destinations, specifically other NFO instances. This setup enables flows from certain devices (e.g., routers and firewalls) to be sent to NFO instance 2, where NFO Logic Modules with configurations for routers and firewalls are enabled. Likewise, flows from other devices (e.g., switches, VDS) are sent to NFO instance 3, where NFO Logic Modules suitable for processing flows from switches are enabled.
Distributed Deployment in Hybrid Environment
Consider this scenario if you have your own data center with SIEM installed on premises, and you'd like to collect flows from your physical devices and VPC Flow logs from your cloud.
If your SIEM is running in the cloud, here is an example of recommended deployment.
Conclusion
Now that you've set up NetFlow Optimizer (NFO), you're ready to enhance your network's visibility and security. Keep exploring its features to fully adapt it to your network's needs.