Solutions at a Glance

The table below shows which Modules need to be enabled to turn on NetFlow Optimizer specific solutions.

Amazon AWS VPC Flow Logs Monitor Module Set

Module Name (nfc_id)

Description

AWS Top Traffic Monitor (20267)

This Module reports EC2 instances and hosts with the most traffic. It enriches IP addresses with EC2 names, VPC names, and AWS regions.

AWS VPC Flow logs (20201)

This Module reports Amazon VPC Flow Logs ingested from CloudWatch (using Kinesis or the CWL API) or S3, translating them one-to-one.

Network Traffic and Devices Monitor Module Set

Module Name (nfc_id)

Description

Network Subnets Monitor (20011)

Reports top bandwidth consumers for each monitored subnet.

TCP Health Monitor (20060)

This Module reports TCP Health by detecting top hosts with the most TCP Resets.

Top Connections Monitor (20063)

This Module identifies hosts with the most connections.

Top Pairs Monitor (20064)

This Module reports top Host Pairs network conversations.

CBQoS Monitor (20065)

This Module reports traffic for all DSCP bit combinations (QoS).

Traffic by Autonomous Systems (20066)

This Module reports traffic by all Autonomous Systems (AS).

Top Traffic Monitor (20067)

This Module identifies hosts with the most traffic.

Top Packets Monitor (20068)

This Module identifies hosts with the most packets.

Enhanced Traffic Monitor

Module Name (nfc_id)

Description

Top Traffic Monitor Geo Country (20967)

This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at Country level.

Enhanced Traffic Monitor 2

Module Name (nfc_id)

Description

Top Traffic Monitor Geo City (20867)

This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at City level. It also reports TCP session duration.

Security Module Set

Module Name (nfc_id)

Description

Visitors by Country (Hosts GeoIP) (20040)

This Module identifies hosts with the most traffic and reports them with their geographical locations.

Botnet C&C Traffic Monitor (20050)

This Module monitors traffic originating from known Command and Control (C&C) hosts or directed to these hosts. The list is published by Emerging Threats (http://www.emergingthreats.net/).

Custom Threat Lists Monitor (20051)

This Module enables you to set up your own threat lists, public or private, and report traffic originating from or directed to the malicious hosts in these threat lists.

Host Reputation Monitor (20052)

This Module uses a host reputation database from AlienVault (https://cybersecurity.att.com/) to report communications with malicious peers.

Threat Feeds Traffic Monitor (20053)

This Module monitors traffic originating from known threat lists (published by DShield.org) specified as IP blocks, lists of domains, or IP addresses.

Email Module Set

Module Name (nfc_id)

Description

Outbound Mail Spammers Monitor (20025)

This Module detects internal hosts infected with spam malware.

Inbound Mail Spammers Monitor (20026)

This Module detects external hosts sending excessive email traffic to your organization.

Unauthorized Mail Servers Monitor (20027)

This Module detects internal hosts running unauthorized mail servers.

Rejected Emails Monitor (20028)

This Module detects external hosts sending emails rejected by internal mail servers.

Services Monitor Module Set

Module Name (nfc_id)

Description

DNS Monitor (20004, 20005)

This Module monitors DNS servers and DNS traffic.

Asset Access Monitor (20014)

This Module monitors traffic to selected services and matches communications to a list of authorized peers.

Services Performance Monitor (20017)

This Module monitors services performance characteristics.

Cisco AVC Module Set

Module Name (nfc_id)

Description

Cisco AVC Top Applications Monitor (20434)

This Module provides a list of the most active applications by traffic.

Cisco AVC Bandwidth Consumption Monitor (20435)

This Module provides a list of the most active applications and users by traffic, including source and destination IP addresses.

Cisco ASA Module Set

Module Name (nfc_id)

Description

Top Bandwidth Consumers for Cisco ASA (20018)

This Module provides a list of top network bandwidth consumers operating on the internal network.

Top Traffic Destinations for Cisco ASA (20019)

This Module provides a list of the most popular destinations, measured by traffic.

Top Policy Violators for Cisco ASA (20020)

This Module provides a list of firewall policy violators.

Top Hosts with most Connections for Cisco ASA (20021)

This Module provides the top N consumers (users) by the number of connections.

Palo Alto Networks Module Set

Module Name (nfc_id)

Description

Top Bandwidth Consumers for Palo Alto Networks Firewall (20030)

This Module provides a list of top network bandwidth consumers operating on the internal network.

Top Traffic Destinations for Palo Alto Networks Firewall (20031)

This Module provides a list of top network bandwidth destinations.

Hosts with Most Policy Violations for Palo Alto Networks Firewall (20032)

This Module provides a list of top firewall policy violators.

Most Active Hosts for Palo Alto Networks Firewall (20033)

This Module provides a list of the most active hosts by the number of initiated connections.

Bandwidth Consumption per Application for Palo Alto Networks Firewall (20034)

This Module provides a list of the most active applications by traffic.

Bandwidth Consumption per Application/User for Palo Alto Networks (20035)

This Module provides a list of the most active applications and users by traffic, including source and destination IP addresses.

Top Applications Traffic Monitor (20036)

This Module reports hosts for top Applications by bandwidth.

Top Applications Host Pairs Monitor (20037)

This Module reports top Host Pairs network conversations for top Applications by bandwidth.

VMware Module Set

Module Name (nfc_id)

Description

Top Host VM:Host Pairs (20164)

This Module reports top network conversations in a VM environment.

Top VM:Host Traffic Monitor (20167)

This Module identifies VMs with the most traffic.

Micro-segmentation Analytics

Module Name (nfc_id)

Description

Micro-segmentation Top Pairs Monitor (20264)

This Module is used for analyzing “east-west” and “north-south” traffic and provides information for micro-segmentation planning.

NSX Distributed Firewall Monitoring Module Set

Module Name (nfc_id)

Description

Top Bandwidth Consumers for NSX Distributed Firewall (20118)

This Module provides a list of top network bandwidth consumers operating on the internal network.

Top Traffic Destinations for NSX Distributed Firewall (20119)

This Module provides a list of the most popular destinations, measured by traffic.

Top Policy Violators for NSX Distributed Firewall (20120)

This Module provides a list of firewall policy violators.

Top Hosts with most Connections for NSX Distributed Firewall (20121)

This Module provides the top N consumers (users) by the number of connections.

Utilities Module Set

Module Name (nfc_id)

Description

Sampling Monitor (20002)

This Module reports NetFlow sampling information.

SNMP Information Monitor (20003)

This Module reports SNMP information.

SNMP Custom OID Sets Monitor (20103)

This Module enables you to build OID sets for SNMP polling and reporting, using the built-in SNMP polling service (supports SNMP v2c and v3).

SNMP Traps Monitor (20700)

This Module enables you to report SNMP traps using the built-in SNMP service (supports SNMP v2c and v3).