Skip to main content
Version: 2.10.1

Key Features

This section highlights the robust capabilities of NetFlow Optimizer, providing network administrators and security professionals with advanced tools and insights. It is designed to empower organizations to harness the full potential of NetFlow data and enrich their network security and IT operations. Discover how NetFlow Optimizer can assist in optimizing network performance, enhancing security measures, and streamlining IT management. Whether you're focused on proactively monitoring network traffic or ensuring top-notch network security, these key features offer essential tools to meet your needs effectively.


NFO provides a comprehensive set of security features to help you protect your network from known and unknown threats. These features include:

Threat Detection

  • Identify both known and emerging security threats, including interactions with malicious hosts, spreading viruses, and denial-of-service attacks.

Threat Tracing

  • Trace the origins of security threats, enabling proactive measures to block potential attackers.

Data Loss Prevention

  • Detect unauthorized data exfiltration, whether bound for external sites or lateral movement within your network.

User Activity Monitoring

  • Track user activity to identify suspicious behavior and potential security threats.

Compliance Reporting

  • Generate comprehensive reports to demonstrate compliance with industry regulations.

Data Enrichment

Enhance your flow data with the valuable information:

  • Reputation: NFO uses a variety of sources to get reputation information about IP addresses and domains. This information can be used to identify malicious traffic and potential security threats.
  • User Identity: NFO can be integrated with various user identity systems, such as Microsoft AD, Azure AD, Okta, etc. This information can be used to track user behavior and flag security concerns.
  • Application: NFO can report applications by their port numbers or by their Deep Packet Inspection (DPI) signatures reported by network equipment. This information can be used to track application activity and threat detection.
  • GEO IP: Identify the geographical location of IP addresses to track traffic origins and potential security threats.

Other Security Features

  • Drill down to see which hosts are affected: Drill down to see which hosts are affected by a security threat. This can help you to quickly identify and respond to the threat.
  • Early warning DDOS attack detection: Detect DDOS attacks early on, giving you time to take action to mitigate the attack.
  • Forensic investigation: Look back in time for forensic investigation by setting a NetFlow Recorder rolling time period. This can help you to identify the root causes of security incidents and respond effectively to potential threats.


Monitoring of AWS via VPC Flow Logs

  • Ability to read VPC Flow Logs from Kinesis or CloudWatch or S3

  • Ability of supporting many AWS accounts, VPCs, and AWS regions with one NFO EC2 instance

  • Enrichment of flow records with VPC name, EC2 instance name, DNS name, and AWS region

Monitoring of Microsoft Azure NSG Flow Logs

  • Ability to read Azure NSG Flow Logs

  • Ability of supporting many Azure storage accounts, accessing NSG Flow logs via Service Principle or System-assigned Managed Identity

  • Enrichment of flow records with Virtual Network name, VM name, DNS name, and Azure region

Monitoring of Google Cloud Platform (GCP) VPC Flow Logs

  • Ability to read GCP VCP Flow Logs

  • Ability of supporting many GCP Service accounts and projects

  • Enrichment of flow records with VPC Network name, Subnetwork name, Instance name, DNS name, and GCP zone

Monitoring of Network Device Health

  • Identification of overload conditions

  • With our SNMP polling

    • CPU utilization
    • Memory utilization
    • Tracking of interface errors
    • Dropped packets counter
    • Flapping interface identification
  • Latency / Jitter

Monitoring of User Activity

  • Integration with Windows Domain Controller enables to match user IP address using login events

  • Integration with other identity systems by receiving login / logout events via syslog

Application Visibility via Flows from

  • Cisco AnyConnect or other Cisco devices generating Application Visibility Control (AVC) flows

  • Fortinet devices (e.g. FortiGate) reporting applications in IPFIX

  • Palo Alto Network devices

  • Other devices detecting applications using DPI, e.g. Cubro's Omnia

  • Any exporter based on known destination ports

Virtual Network / Physical Network Visibility

  • Pinpoints physical devices and interfaces impacting VM performance, on a Splunk dashboard

  • Reconstructs paths VM-to-VM and VM-to-host conversations over the underlying physical network

Real-time Consolidation of Any Flow Data

  • Enables customers to store and index only a fraction of volume and at the same time gain all benefits of flow information without losing accuracy

  • Deduplication: optionally report flows only from authoritative router/switch. Authoritative network device is determined as the one that sees the most flows for each communicating pair. This is recalculated every 30 seconds (by default, and could be changed), thus providing accurate information in a dynamic network environment

  • Capable to process any standard flow protocols, NetFlow v5/v9, Flexible NetFlow, NetFlow Options, IPFIX, sFlow (both data records and counter records), J-Flow, NetStream

Common Features

Unmatched Performance Utilizing Patented Technology

  • Capable of processing 1,000,000 flows per second without a single drop

  • Can process up to 350,000 flows per second with consolidation

OS Platforms

  • Linux

  • Windows

  • Amazon AMI

Enriches Flow Data with Real-time Information

  • Reverse-DNS

  • VMware vCenter VMs

  • Applications

  • User Identity

  • Security Reputation

  • GeoIP at Country or City level

  • SNMP polling

Modular Approach

  • Enables customers to enable and configure features to address their specific use cases

  • NFO is a software solution. Same code base for Windows and Linux, as well as virtual appliance

Built-in Services

  • NetFlow Recorder – enables you to look back in time. You can set rolling flow capture and replay period of time, and store flows in memory or on disk, then press <Replay> button to send these records in syslog or JSON format to your SIEM to gain complete visibility of past network traffic

  • Reverse DNS lookup – add host names to IP addresses

  • SNMP Polling and SNMP Traps support


  • Integration with Active Directory. Supports Two Factor Authentication

  • NFO can be configured via our GUI or REST API. Useful to customers with a large number of locations


  • NFO offers the flexibility to output flow data in standard syslog or JSON format.

  • It supports up to 16 output destinations, allowing configuration for different types of data distribution. For example, you can retransmit flows to a legacy flow collector while simultaneously producing analytics to be sent to your SIEM.

  • NFO integrates seamlessly with the following platforms:

    • Splunk Enterprise, Splunk Cloud, Splunk ITSI, Splunk ES, Splunk Observability Cloud
    • Sumo Logic
    • DataDog
    • SentinelOne
    • Exabeam
    • New Relic
    • Azure Blob Stoarge
    • Azure Log Analytics Workspace (Azure Monitor, Sentinel)
    • Amazon S3 Buckets
    • Amazon Open Search
    • Kafka
    • Elastic
    • VMware vRealize Log Insight