By default NetFlow Optimizer is preconfigured with one Module enabled -- Network Traffic and Device Monitor: 10067 Top Traffic Monitor. You may enable / disable the entire set or each Module by clicking on /
To add or update a Module, click the ‘Upload’ button.
To configure Module parameters, expand the Module set and click on the Module's name.
N – number of reported hosts
The number of top hosts reported per NetFlow exporter, min = 0, max = 100000, default = 50 (0 indicates all hosts are reported)
Enable (1) or disable (0) reporting by authoritative exporters only
This parameter enables de-duplication. If traffic between two hosts traverses several network devices, flow records about the same flow are received from each NetFlow exporter. If this option is enabled, an authoritative flow exporter is selected for each flow, and flow records from other exporters are not reported. (1 – de-duplication is enabled, 0 – de-duplication is disabled)
Data collection interval, sec
Module logic execution interval, min = 5 sec, max = 86400 sec, default = 300 sec. During this time bytes and packets are summed up in an in-memory database by source IP, destination IP, ports, and protocol. At the end of the data collection interval the list of consolidated flows is sorted by bytes, and only the top N records (1st parameter) are converted to syslog and reported.
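The following sketch is an added example, not NetFlow Optimizer code. It shows how the three parameters above interact over one collection interval. The page does not say how the authoritative exporter is chosen, so the example assumes it is the first exporter to report a flow; the function name `top_traffic` and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records for one collection interval:
# (exporter, src_ip, dst_ip, src_port, dst_port, protocol, bytes, packets)
SAMPLE_FLOWS = [
    ("10.0.0.1", "192.168.1.10", "203.0.113.5", 51000, 443, 6, 4000, 10),
    # The same flow as above, seen again by a second exporter on the path.
    ("10.0.0.2", "192.168.1.10", "203.0.113.5", 51000, 443, 6, 4000, 10),
    ("10.0.0.1", "192.168.1.10", "203.0.113.5", 51000, 443, 6, 6000, 12),
    ("10.0.0.1", "192.168.1.11", "198.51.100.7", 40000, 53, 17, 300, 2),
    ("10.0.0.2", "192.168.1.12", "198.51.100.9", 42000, 22, 6, 9000, 30),
]

def top_traffic(flows, n=50, authoritative_only=1):
    """Consolidate one interval and return the top-N records per exporter."""
    if not 0 <= n <= 100000:
        raise ValueError("N must be between 0 and 100000")
    totals = defaultdict(lambda: [0, 0])  # (exporter, flow key) -> [bytes, packets]
    first_seen = {}                       # flow key -> first exporter to report it
    for exporter, *key, nbytes, npkts in flows:
        key = tuple(key)  # source IP, destination IP, ports, protocol
        first_seen.setdefault(key, exporter)
        totals[(exporter, key)][0] += nbytes
        totals[(exporter, key)][1] += npkts
    per_exporter = defaultdict(list)
    for (exporter, key), (nbytes, npkts) in totals.items():
        # Assumption: the authoritative exporter is the first one that
        # reported the flow. The real selection rule is not on this page.
        if authoritative_only and first_seen[key] != exporter:
            continue
        per_exporter[exporter].append((key, nbytes, npkts))
    report = {}
    for exporter, records in per_exporter.items():
        records.sort(key=lambda r: r[1], reverse=True)  # sort by bytes
        report[exporter] = records if n == 0 else records[:n]  # 0 = report all
    return report
```

With de-duplication disabled, the flow seen by both exporters is reported twice, which inflates traffic totals in downstream dashboards and alert thresholds.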
See NetFlow Optimizer User Guide for more information on other Modules functionality and configuration.
This section contains watch list parameters. Watch lists are created and updated when the corresponding Module is configured.
Some watch lists are created and maintained manually (e.g. Monitored subnet IPv4 address and subnet mask for Module 10011: Network Subnets Monitor), and some can be automatically loaded and updated via External Data Feeder for NFO (e.g. Known malicious hosts list for Module 10052: Host Reputation Monitor).