Solutions at a Glance

The table below shows which Modules need to be enabled to turn on NetFlow Optimizer specific solutions.
Amazon AWS VPC Flow Logs Module Set
Module Name (nfc_id)                                               
Description
​AWS Top Traffic Monitor (20267)​
This Module reports EC2 instances and hosts with the most traffic. It enriches IP addresses with EC2 names, VPC names, and AWS regions.
​AWS VPC Flow logs (20201)​
This Module reports Amazon VPC Flow Logs ingested from CloudWatch (using Kinesis or CWL API) or S3 translating them one-to-one.
Microsoft  Azure NSG Flow Logs
Module Name (nfc_id)                                              
Description
 Azure Top Traffic Monitor (20467)​
This Module reports Azure Cloud VM and hosts with the most traffic. It enriches IP addresses with VM names, Virtual Network names, and regions.
​Azure NSG Flow Logs​
This Module reports Azure NSG Flow Logs ingested from Microsoft Azure Cloud translating them one-to-one.
Google Cloud VPC Flow Logs Module Set
Module Name (nfc_id)                                              
Description
​GCP Top Traffic Monitor (20367)​
This Module reports Google Cloud VM and hosts with the most traffic. It enriches IP addresses with VM names, VPC names, and regions.
​GCP VPC Flow Logs (20301)​
This Module reports GCP VPC Flow Logs ingested from Google Cloud translating them one-to-one.
Network Conversations Monitor
Module Name (nfc_id)                                                                                          
Description
​Network Conversations Monitor (20062)​
This Module reports consolidated network conversations. Optionally it stitches client-server request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields. It also calculates and reports conversation duration, e.g. TCP session duration.
Network Traffic and Devices Monitor Module Set
Module Name (nfc_id)                                    
Description
​Network Subnets Monitor (20011)​
Reports top bandwidth consumers for each monitored subnet.
​TCP Health Monitor (20060)​
This Module reports TCP Health by detecting top hosts with the most TCP Resets.
​Top Connections Monitor (20063)​
This Module identifies hosts with the most connections.
​Top Pairs Monitor (20064)​
This Module reports top Host Pairs network conversations.
​CBQoS Monitor (20065)​
This Module reports traffic for all DSCP bits combinations (QoS).
​Traffic by Autonomous Systems (20066)​
This Module reports traffic by all Autonomous Systems (AS).
​Top Traffic Monitor (20067)​
This Module identifies hosts with the most traffic.
​Top Packets Monitor (20068)​
This Module identifies hosts with the most packets.
Enhanced Traffic Monitor
Module Name (nfc_id)                                              
Description
​Top Traffic Monitor Geo Country (20967)​
This Module identifies hosts with the most traffic  and reports Reputation and Geo locations of source and destination hosts at Country level.
Enhanced Traffic Monitor 2
Module Name (nfc_id)                                               
Description
​Top Traffic Monitor Geo City (20867)​
This Module identifies hosts with the most traffic  and reports Reputation and Geo locations of source and destination hosts at City level. It also reports TCP session duration.
Security Module Set
Module Name (nfc_id)                                                  
Description
​Visitors by Country (Hosts GeoIP) (20040)​
This Module identifies hosts with most traffic, and reports them with their geographical locations.
​Botnet C&C Traffic Monitor (20050)​
This Module monitors traffic originated from known Command and Control hosts (C&C) or directed to these hosts. The list is published by Emerging Threats (http://www.emergingthreats.net/).
​Custom Threat lists Monitor (20051)​
This Module enables you to setup your own threat lists, public or private, and report traffic originated from or directed to the malicious hosts in these threat lists.
​Host Reputation Monitor (20052)​
This Module uses a host reputation database from Alienvault (https://cybersecurity.att.com/) to report communications with malicious peers.
​Threat Feeds Traffic Monitor (20053)​
This Module monitors traffic originated from known threat lists (published by Dshield.org) specified as IP blocks, list of domains, or IP addresses.
Email Module Set
Module Name (nfc_id)                                    
Description
​Outbound Mail Spammers Monitor (20025)​
This Module detects internal hosts infected with spam malware.
​Inbound Mail Spammers Monitor (20026)​
This Module detects external hosts sending excessive email traffic to your organization.
​Unauthorized Mail Servers Monitor (20027)​
This Module detects internal hosts running unauthorized mail servers.
​Rejected Emails Monitor (20028)​
This Module detects external hosts sending emails rejected by internal mail servers.
Services Monitor Module Set
Module Name (nfc_id)                                           
Description
​DNS Monitor (20004, 20005)​
This Module monitors DNS servers and DNS traffic.
​Asset Access Monitor (20014)​
This Module monitors traffic to selected services and matches communications to a list of authorized peers.
​Services Performance Monitor (20017)​
This Module monitors services performance characteristics.
Cisco AnyConnect Traffic Monitor
Module Name (nfc_id)                          
Description
​Cisco AnyConnect Top Traffic Monitor (20567)​
This Module reports Cisco AnyConnect NVM Flow Logs with logged user information.
Cisco AVC Module Set
Module Name (nfc_id)                                    
Description
​Cisco AVC Top Applications Monitor (20434)​
This Module provides a list of most active applications by traffic.
​Cisco AVC Bandwidth Consumption Monitor (20435)​
This Module provides a list of most active applications and users by traffic, including source and destination IP addresses.
Cisco ASA Module Set
Module Name (nfc_id)
Description
​Top Bandwidth Consumers for Cisco ASA (20018)​
This Module provides a list of top network bandwidth consumers operating on the internal network.
​Top Traffic Destinations for Cisco ASA (20019)​
This Module provides a list of most popular destinations measured by the traffic.
​Top Policy Violators for Cisco ASA (20020)​
This Module provides a list of firewall policies violators.
​Top Hosts with most Connections for Cisco ASA (20021)​
This Module provides top N (by the number of connections) consumers (users).
Palo Alto Networks Module Set
Module Name (nfc_id)
Description
​Top Bandwidth Consumers for Palo Alto Networks Firewall (20030)​
This Module provides a list of top network bandwidth consumers operating on the internal network.
​Top Traffic Destinations for Palo Alto Networks Firewall (20031)​
This Module provides a list of top network bandwidth destinations.
​Hosts with Most Policy Violations for Palo Alto Networks Firewall (20032)​
This Module provides a list of top firewall policies violators.
​Most Active Hosts for Palo Alto Networks Firewall (20033)​
This Module provides a list of most active hosts by the number of initiated connections.
​Bandwidth Consumption per Application for Palo Alto Networks Firewall (20034)​
This Module provides a list of most active applications by traffic.
​Bandwidth Consumption per Application/User for Palo Alto Networks (20035)​
This Module provides a list of most active applications and users by traffic, including source and destination IP addresses.
​Top Applications Traffic Monitor (20036)​
This Module reports hosts for top Applications by bandwidth.
​Top Applications Host Pairs Monitor (20037)​
This Module reports top Host Pairs network conversations for top Applications by bandwidth.
VMware Module Set
Module Name (nfc_id)                                        
Description
​Top Host VM:Host Pairs (20164)​
This Module reports top network conversations in VM environment.
​Top VM:Host Traffic Monitor (20167)​
This Module identifies VMs with the most traffic.
Micro-segmentation Analytics
Module Name (nfc_id)                                                   
Description
​Micro-segmentation Top Pairs Monitor (20264)​
This Module is used for analyzing “east-west” and “north-south” traffic and provides information for micro-segmentation planning.
NSX Distributed Firewall Monitoring Module Set
Module Name (nfc_id)
Description
​Top Bandwidth Consumers for NSX Distributed Firewall (20118)​
This Module provides a list of top network bandwidth consumers operating on the internal network.
​Top Traffic Destinations for NSX Distributed Firewall (20119)​
This Module provides a list of most popular destinations measured by the traffic.
​Top Policy Violators for NSX Distributed Firewall (20120)​
This Module provides a list of firewall policies violators.
​Top Hosts with most Connections for NSX Distributed Firewall (20121)​
This Module provides top N (by the number of connections) consumers (users).
Utilities Module Set
Module Name (nfc_id)                                                       
Description
​Sampling Monitor (20002)​
This Module reports NetFlow sampling information.
​SNMP Information Monitor (20003)​
This Module reports SNMP information.
​SNMP Custom OID Sets Monitor (20103)​
This Module enables you to build OID sets for SNMP polling and reporting, using built-in SNMP polling service (supports SNMP v2c and v3).
​SNMP Traps Monitor (20700)​
This Module enables you to report SNMP traps using built-in SNMP service (supports SNMP v2c and v3).

How to Use this Guide

Modules Specifications

Last updated 1 week ago

Module Name (nfc_id)	Description
AWS Top Traffic Monitor (20267)	This Module reports EC2 instances and hosts with the most traffic. It enriches IP addresses with EC2 names, VPC names, and AWS regions.
AWS VPC Flow logs (20201)	This Module reports Amazon VPC Flow Logs ingested from CloudWatch (using Kinesis or CWL API) or S3 translating them one-to-one.

Module Name (nfc_id)	Description
Azure Top Traffic Monitor (20467)	This Module reports Azure Cloud VM and hosts with the most traffic. It enriches IP addresses with VM names, Virtual Network names, and regions.
Azure NSG Flow Logs	This Module reports Azure NSG Flow Logs ingested from Microsoft Azure Cloud translating them one-to-one.

Module Name (nfc_id)	Description
GCP Top Traffic Monitor (20367)	This Module reports Google Cloud VM and hosts with the most traffic. It enriches IP addresses with VM names, VPC names, and regions.
GCP VPC Flow Logs (20301)	This Module reports GCP VPC Flow Logs ingested from Google Cloud translating them one-to-one.

Module Name (nfc_id)	Description
Network Conversations Monitor (20062)	This Module reports consolidated network conversations. Optionally it stitches client-server request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields. It also calculates and reports conversation duration, e.g. TCP session duration.

Module Name (nfc_id)	Description
Network Subnets Monitor (20011)	Reports top bandwidth consumers for each monitored subnet.
TCP Health Monitor (20060)	This Module reports TCP Health by detecting top hosts with the most TCP Resets.
Top Connections Monitor (20063)	This Module identifies hosts with the most connections.
Top Pairs Monitor (20064)	This Module reports top Host Pairs network conversations.
CBQoS Monitor (20065)	This Module reports traffic for all DSCP bits combinations (QoS).
Traffic by Autonomous Systems (20066)	This Module reports traffic by all Autonomous Systems (AS).
Top Traffic Monitor (20067)	This Module identifies hosts with the most traffic.
Top Packets Monitor (20068)	This Module identifies hosts with the most packets.

Module Name (nfc_id)	Description
Top Traffic Monitor Geo Country (20967)	This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at Country level.

Module Name (nfc_id)	Description
Top Traffic Monitor Geo City (20867)	This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at City level. It also reports TCP session duration.

Module Name (nfc_id)	Description
Visitors by Country (Hosts GeoIP) (20040)	This Module identifies hosts with most traffic, and reports them with their geographical locations.
Botnet C&C Traffic Monitor (20050)	This Module monitors traffic originated from known Command and Control hosts (C&C) or directed to these hosts. The list is published by Emerging Threats (http://www.emergingthreats.net/).
Custom Threat lists Monitor (20051)	This Module enables you to setup your own threat lists, public or private, and report traffic originated from or directed to the malicious hosts in these threat lists.
Host Reputation Monitor (20052)	This Module uses a host reputation database from Alienvault (https://cybersecurity.att.com/) to report communications with malicious peers.
Threat Feeds Traffic Monitor (20053)	This Module monitors traffic originated from known threat lists (published by Dshield.org) specified as IP blocks, list of domains, or IP addresses.

Module Name (nfc_id)	Description
Outbound Mail Spammers Monitor (20025)	This Module detects internal hosts infected with spam malware.
Inbound Mail Spammers Monitor (20026)	This Module detects external hosts sending excessive email traffic to your organization.
Unauthorized Mail Servers Monitor (20027)	This Module detects internal hosts running unauthorized mail servers.
Rejected Emails Monitor (20028)	This Module detects external hosts sending emails rejected by internal mail servers.

Module Name (nfc_id)	Description
DNS Monitor (20004, 20005)	This Module monitors DNS servers and DNS traffic.
Asset Access Monitor (20014)	This Module monitors traffic to selected services and matches communications to a list of authorized peers.
Services Performance Monitor (20017)	This Module monitors services performance characteristics.

Module Name (nfc_id)	Description
Cisco AnyConnect Top Traffic Monitor (20567)	This Module reports Cisco AnyConnect NVM Flow Logs with logged user information.

Module Name (nfc_id)	Description
Cisco AVC Top Applications Monitor (20434)	This Module provides a list of most active applications by traffic.
Cisco AVC Bandwidth Consumption Monitor (20435)	This Module provides a list of most active applications and users by traffic, including source and destination IP addresses.

Module Name (nfc_id)	Description
Top Bandwidth Consumers for Cisco ASA (20018)	This Module provides a list of top network bandwidth consumers operating on the internal network.
Top Traffic Destinations for Cisco ASA (20019)	This Module provides a list of most popular destinations measured by the traffic.
Top Policy Violators for Cisco ASA (20020)	This Module provides a list of firewall policies violators.
Top Hosts with most Connections for Cisco ASA (20021)	This Module provides top N (by the number of connections) consumers (users).

Module Name (nfc_id)	Description
Top Bandwidth Consumers for Palo Alto Networks Firewall (20030)	This Module provides a list of top network bandwidth consumers operating on the internal network.
Top Traffic Destinations for Palo Alto Networks Firewall (20031)	This Module provides a list of top network bandwidth destinations.
Hosts with Most Policy Violations for Palo Alto Networks Firewall (20032)	This Module provides a list of top firewall policies violators.
Most Active Hosts for Palo Alto Networks Firewall (20033)	This Module provides a list of most active hosts by the number of initiated connections.
Bandwidth Consumption per Application for Palo Alto Networks Firewall (20034)	This Module provides a list of most active applications by traffic.
Bandwidth Consumption per Application/User for Palo Alto Networks (20035)	This Module provides a list of most active applications and users by traffic, including source and destination IP addresses.
Top Applications Traffic Monitor (20036)	This Module reports hosts for top Applications by bandwidth.
Top Applications Host Pairs Monitor (20037)	This Module reports top Host Pairs network conversations for top Applications by bandwidth.

Module Name (nfc_id)	Description
Top Host VM:Host Pairs (20164)	This Module reports top network conversations in VM environment.
Top VM:Host Traffic Monitor (20167)	This Module identifies VMs with the most traffic.

Module Name (nfc_id)	Description
Micro-segmentation Top Pairs Monitor (20264)	This Module is used for analyzing “east-west” and “north-south” traffic and provides information for micro-segmentation planning.

Module Name (nfc_id)	Description
Top Bandwidth Consumers for NSX Distributed Firewall (20118)	This Module provides a list of top network bandwidth consumers operating on the internal network.
Top Traffic Destinations for NSX Distributed Firewall (20119)	This Module provides a list of most popular destinations measured by the traffic.
Top Policy Violators for NSX Distributed Firewall (20120)	This Module provides a list of firewall policies violators.
Top Hosts with most Connections for NSX Distributed Firewall (20121)	This Module provides top N (by the number of connections) consumers (users).

Module Name (nfc_id)	Description
Sampling Monitor (20002)	This Module reports NetFlow sampling information.
SNMP Information Monitor (20003)	This Module reports SNMP information.
SNMP Custom OID Sets Monitor (20103)	This Module enables you to build OID sets for SNMP polling and reporting, using built-in SNMP polling service (supports SNMP v2c and v3).
SNMP Traps Monitor (20700)	This Module enables you to report SNMP traps using built-in SNMP service (supports SNMP v2c and v3).