Visitors by Country Monitor (10040 / 20040)

Description

This Module identifies external hosts communicating with internal (local) peers, and reports them with their geographical locations.
This Module uses a database that maps IPv4 address blocks to geographical locations to find the locations of the connecting hosts. Two GeoIP databases are supported in this Module:
MaxMind URL (default):
    1. Register with MaxMind to get the free GeoLite2 database (required since January 1, 2020). See https://dev.maxmind.com/geoip/geoip2/geolite2/ for details.
    2. Log in and go to Manage License Keys in the left navigation bar.
    3. Press the Generate new license key button.
    4. Select "No" when answering the question "Will this key be used for GeoIP Update?".
Once you have registered and generated your new license key, replace "YOUR_LICENSE_KEY" with it in the URL field of the EDFN Agent: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
Note: You need to get the token by registering at www.ip2location.com
Use the External Data Feeder for NFO component for the initial load and periodic updates of this list.
The list of local subnets is used to identify traffic direction. Default subnets are: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
In the inbound traffic report, source IPv4 addresses are those of hosts in external geographic localities, and destination IPv4 addresses are those of internal hosts.
In the outbound traffic report, source IPv4 addresses are those of internal hosts, and destination IPv4 addresses are those of hosts in the outbound geographic localities.

Parameters

Parameter Name | Description | Comments
N - number of reported conversations for each country | The number of top consolidated flows reported for each country, in descending order by traffic volume | min = 0, max = 100000, default = 50 (0 indicates all flows are reported)
Enable (1) or disable (0) reporting flow denied events | If set to 1, firewall-denied flows are reported; if set to 0, they are not reported | default = 1
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec
List of local subnets | List of the subnets’ IPv4 addresses and masks (CIDR notation), e.g. 67.202.0.0,18; 72.44.32.0,24 | default = 10.0.0.0,8; 172.16.0.0,12; 192.168.0.0,16
IPv4 address block and country code | Mapping of country codes to IPv4 address blocks | This list is updated by External Data Feeder for NFO, which uses the MaxMind GeoLite Country database as a source

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow Fields

Information Element (IE) | IE id | IE size, B | Description
sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header
destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header

Syslog/JSON Message Fields

Key | Field Description | Comments
nfc_id | Message type identifier | "nfc_id=20040"
exp_ip | NetFlow exporter IPv4 address | <IPv4_address>
src_ip | Source host IPv4 address | <IPv4_address>
dest_ip | Destination host IPv4 address | <IPv4_address>
direction | Traffic direction | <string>: egress or ingress
cc | Country code | ISO 3166-1 alpha-2 country code (a two-character country designation, e.g. US)
flow_count | Number of flows | <number>
bytes | Bytes total (traffic) | <number>
t_int | Observation time interval, msec | <number>
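As an added example (not part of the module documentation or NFO itself), the following Python script parses nfc_id=20040 messages in the key=value syslog form listed above, derives the traffic direction from the local subnet parameter the way the Description section explains, and totals egress bytes per country code while discarding messages whose reported direction disagrees with the subnet list. The sample messages, addresses and counts are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample messages in the page's key=value syslog form (values hypothetical).
SAMPLE_MESSAGES = [
    "nfc_id=20040 exp_ip=10.0.0.1 src_ip=10.1.2.3 dest_ip=203.0.113.7 "
    "direction=egress cc=US flow_count=12 bytes=48000 t_int=30000",
    "nfc_id=20040 exp_ip=10.0.0.1 src_ip=10.1.2.4 dest_ip=192.0.2.44 "
    "direction=egress cc=DE flow_count=1 bytes=900000 t_int=30000",
    "nfc_id=10040 exp_ip=10.0.0.1 src_ip=10.1.2.4 dest_ip=192.0.2.44",  # other module
]
DEFAULT_LOCAL_SUBNETS = "10.0.0.0,8; 172.16.0.0,12; 192.168.0.0,16"

def parse_local_subnets(param):
    """Parse the module's 'addr,prefix; addr,prefix' local subnet parameter."""
    nets = []
    for item in param.split(";"):
        if item.strip():
            addr, prefix = (p.strip() for p in item.split(","))
            nets.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return nets

def parse_message(line):
    """Return the fields of a nfc_id=20040 message as a dict, else None."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if fields.get("nfc_id") != "20040":
        return None
    for key in ("flow_count", "bytes", "t_int"):
        fields[key] = int(fields[key])
    return fields

def expected_direction(src_ip, dest_ip, local_nets):
    """Derive traffic direction from the local subnet list, as the module does."""
    src_local = any(ipaddress.ip_address(src_ip) in n for n in local_nets)
    dst_local = any(ipaddress.ip_address(dest_ip) in n for n in local_nets)
    if src_local and not dst_local:
        return "egress"
    if dst_local and not src_local:
        return "ingress"
    return None  # both local or both external: not an external visitor

def egress_bytes_by_country(lines, local_nets):
    """Sum outbound bytes per country, dropping messages whose direction contradicts the subnet list."""
    totals = defaultdict(int)
    for line in lines:
        msg = parse_message(line)
        if msg and msg["direction"] == "egress" == expected_direction(
                msg["src_ip"], msg["dest_ip"], local_nets):
            totals[msg["cc"]] += msg["bytes"]
    return dict(totals)
```

A mismatch between the reported direction and the one derived from the subnet list usually means the List of local subnets parameter does not cover all internal address space.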