Frequently Asked Questions
Why do I need to monitor NetFlow?
NetFlow-based analytics brings valuable information that helps you understand your network and arms you with actionable intelligence. It provides data for deeper drill-down analysis and allows you to identify:
- Security risks and internal threats, which could be missed by firewalls and other IDS systems;
- Anomalous traffic;
- Network bottlenecks which need reconfiguration;
- Applications, users, and protocols that consume most of the network bandwidth.
Is NetFlow Optimizer (NFO) a NetFlow collector?
No. NFO is a powerful real-time processing engine for any type of flow data, including NetFlow, sFlow, J-Flow, and IPFIX. It optimizes flow data for volume and relevancy and converts it into a format easy to ingest by log visualization tools and SIEM systems.
What performance can I expect from a single NFO instance?
Depending on the hardware specification, a single NFO instance is capable of processing up to 1,000,000 flows per second without a single drop.
I have a distributed network and need to install several NFO instances. Do I need separate licenses for that?
No. The NFO license is based on the aggregate flow rate you want to process, and a single license is required for any number of NFO instances.
I am planning to use NFO with NetFlow Analytics for Splunk. Do I need a separate license for that?
No. NetFlow Analytics for Splunk App and Add-on are free and no separate license is required.
Can I use NFO to reduce the amount of flow data sent to Splunk for visualization?
Yes. NFO’s flow consolidation feature allows up to 90% reduction in data volume sent for visualization and analysis, with no loss of accuracy.
Can I use NFO to monitor the health of my TCP traffic?
With NFO, you can instantly identify the hosts and network devices issuing the most TCP resets. This pinpoints the source of the problem, thus reducing time to resolution.
Sometimes I notice surges of bandwidth consumption on our corporate network. Can you help me to determine the source?
NFO identifies the top bandwidth consumers: devices, users, protocols, and in some cases applications.
We are running a Software Defined Data Center (SDDC) and need the ability to monitor how network conversations traverse the virtual and physical network. Do you have a solution?
Yes. With NFO and the V2P Network Visibility for Splunk App you can trace and troubleshoot connectivity issues by seeing which VMs are affected by physical network outages, and by viewing the physical switches and routers on the path between communicating VMs.
Can I use NFO to determine inappropriate use of my company’s network infrastructure?
Yes. NFO enables you to look at network bandwidth consumption by each individual end point. You can easily identify an employee who is watching Netflix or using any other entertainment service during working hours.
Can I use NFO for network capacity planning?
NFO shows what parts of the network are overloaded and which parts are underutilized, thereby allowing the customer to reroute traffic so as to make efficient use of existing hardware.
Some of my apps are slow to respond and a few are not accessible at all. Can you help me determine why my apps are not performing well?
NFO can help you identify bottlenecks and network equipment malfunctions.
We need to collect flows from all of our network devices (HP and Arista switches, Cisco and Juniper routers, Palo Alto Networks and Cisco firewalls), but traditional NetFlow collectors and SIEM systems charge by volume. Can I use NFO to save on these costs?
NFO’s unique consolidation capability enables up to 90% reduction in volume without losing accuracy.
We are a large service provider and we need to reprogram our edge devices so our game users get better performance while costing us less. Do you have a solution?
NFO takes Autonomous System paths from the customer’s edge devices (e.g. Juniper routers). You can use this information to understand the routing of traffic from data centers to your customers. Then you can pick the least cost routing software to optimize for higher speed and lower cost.
Sometimes we have to fulfill requests for information from various law enforcement agencies on certain user activities and their geographical location. Can NFO help me?
NFO’s Geo IP location flow enrichment capability allows you to capture and report information about network users and their geographical location, down to the city level.
Can NFO help me identify overloaded network interfaces?
Yes. NFO enables identification of overloaded network interfaces and identification of applications that are consuming a significant portion of the bandwidth (so the customer can move the application to a different part of the network to reduce the number of hops between its users and the application).
I need to know what users from which domain names are using my network. Does NFO provide this information?
Yes. NFO provides flow enrichment with information such as user identities, domain names, and Geo IP at the time flow records are processed. This approach assures the accuracy of the IP addresses and the information linked to each address.
Can I use NFO to improve the security posture of my network and identify potential threats?
When your internal hosts communicate with outside peers, NFO detects and reports suspicious traffic using a number of threat feeds. It enriches flow data with external host reputation, such as “Scanning Host”, “Botnet C&C”, “Malware Domain”, etc. The Cyber Threat Statistics dashboard shows malicious traffic counters, GeoIP information, source/destination details and traffic direction.
Can I use NFO to identify instances of data exfiltration?
Yes. NFO provides the ability to identify unusually large data transfers. It can help you prevent cases when someone is exporting a large volume of your engineering data, and also someone downloading significant data to a laptop, putting it on a flash drive, and walking out of the building with it.
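An added example, not NetFlow Logic's or NFO's code, of the processing the answers above describe: consolidating raw flow records by conversation key (the volume reduction), ranking hosts by TCP resets issued, enriching each conversation with a reputation label from a threat feed, and flagging unusually large transfers. The record fields, the reputation feed, and the byte threshold are constructed assumptions for illustration.

```python
# Added example (not NFO's code): minimal flow consolidation, TCP-reset ranking,
# reputation enrichment and large-transfer checks over constructed flow records.
from collections import defaultdict

TCP, RST = 6, 0x04  # IP protocol number for TCP; RST bit in the TCP flags field

# Constructed raw flow records, one per exporter-reported flow (assumed schema).
RAW_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "proto": TCP, "dport": 443, "bytes": 1200, "flags": 0x18},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "proto": TCP, "dport": 443, "bytes": 900, "flags": 0x18},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "proto": TCP, "dport": 443, "bytes": 300, "flags": 0x11},
    {"src": "10.0.0.9", "dst": "203.0.113.9", "proto": TCP, "dport": 22, "bytes": 60, "flags": 0x14},
    {"src": "10.0.0.9", "dst": "203.0.113.9", "proto": TCP, "dport": 23, "bytes": 60, "flags": 0x14},
    {"src": "10.0.0.22", "dst": "192.0.2.40", "proto": TCP, "dport": 443, "bytes": 3_000_000_000, "flags": 0x18},
]
# Constructed reputation feed keyed by external IP, using the labels the FAQ mentions.
REPUTATION = {"203.0.113.9": "Scanning Host", "192.0.2.40": "Botnet C&C"}

def consolidate(flows):
    """Merge flows sharing (src, dst, proto, dport) into one record with totals."""
    agg = defaultdict(lambda: {"bytes": 0, "flows": 0, "rst": 0})
    for f in flows:
        rec = agg[(f["src"], f["dst"], f["proto"], f["dport"])]
        rec["bytes"] += f["bytes"]
        rec["flows"] += 1
        if f["proto"] == TCP and f["flags"] & RST:
            rec["rst"] += 1
    return dict(agg)

def top_rst_sources(agg):
    """Source hosts ranked by the number of TCP resets they issued."""
    counts = defaultdict(int)
    for (src, _, _, _), rec in agg.items():
        counts[src] += rec["rst"]
    return sorted(((n, h) for h, n in counts.items() if n), reverse=True)

def enrich(agg, feed):
    """Attach the external peer's reputation label (None when the feed has none)."""
    return {k: dict(rec, reputation=feed.get(k[1])) for k, rec in agg.items()}

def large_transfers(agg, threshold_bytes):
    """Consolidated conversations that moved more than threshold_bytes."""
    return [k for k, rec in agg.items() if rec["bytes"] > threshold_bytes]

if __name__ == "__main__":
    agg = consolidate(RAW_FLOWS)
    print(f"{len(RAW_FLOWS)} raw flows -> {len(agg)} consolidated records")
    print("top RST issuers:", top_rst_sources(agg))
    print("flagged peers:", {k: r["reputation"] for k, r in enrich(agg, REPUTATION).items() if r["reputation"]})
    print("large transfers:", large_transfers(agg, 1_000_000_000))
```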
Can I use NFO to reduce false positives in DDoS attack detection?
Yes. NetFlow Logic’s DDoS Detector is designed to improve your existing incident response plan. The advanced analytics engine used by DDoS Detector can reduce false positive alerting by 90%.