Getting Started Guide: NFO
This guide will walk you through the essential steps to get NFO up and running, enabling you to monitor and analyze your network traffic. You'll learn how to set up flow data inputs, outputs to various destinations, and configure NFO Modules to process your flow data effectively.
Prerequisites
Operating System
NFO can be deployed on most Linux OSs (Linux kernel 2.17+) and on Windows (Server 2012 R2 onwards).
Hardware or VM
These are the minimum requirements for an NFO deployment (virtual machine or physical server):
- 2 physical CPU cores or 4 vCPUs at 2 GHz or greater per core
- 8GB RAM
- 20GB disk space
Supported Browsers
You can use one of the following browsers to connect to the NFO Web user interface.
- Mozilla Firefox 38.0 and up
- Safari 6.0, 7.0
- Google Chrome 34.0 and 43.0 and up
- IE10, IE11, and MS Edge
Required Network Ports
The following network ports must be accessible.
Port | Description |
---|---|
8443/TCP | NetFlow Optimizer GUI |
9995/UDP | NetFlow/IPFIX Ingestion (plus all ports for ingestion as necessary) |
161/UDP and 162/UDP | SNMP polling and SNMP traps |
9001/TCP | Configuration Data Base, port is opened on loopback interface 127.0.0.1 |
20047/TCP and 20048/TCP | NetFlow Optimizer internal services, ports are opened on loopback interface 127.0.0.1 |
20047/UDP and 20048/UDP | NetFlow Optimizer outputs for Kafka, OpenSearch, etc.; ports are bound to the four loopback addresses 127.17.0.1 - 127.17.0.4 |
Installation
You should install and run NFO as root on Linux and as Administrator on Windows.
Download the latest version of NetFlow Optimizer at: https://www.netflowlogic.com/downloads/
To install NFO on your platform, visit NFO Installation Guide.
Upon successful installation a message will display indicating that the NetFlow Optimizer installation has been successfully completed.
Log in to NetFlow Optimizer at https://<nfo-host>:8443, where <nfo-host> is the IP address or host name of the NFO server, apply the license, and continue with configuration.
Configuration
Add Inputs
By default NetFlow Optimizer is preconfigured with one active data input, UDP port 9995. You may change it or add additional ports. For more information on inputs, including configuration for ingesting cloud flow logs, visit Configure Inputs.
Add Outputs
You may add up to sixteen output destinations, specifying the format and the kind of data to be sent to each destination. For more information on outputs, visit Configure Outputs.
Configure NetFlow Processing Modules
By default, NetFlow Optimizer comes preconfigured with one enabled module, the Top Traffic Monitor. Alternatively, you can enable the Network Conversations Monitor.
Which Module to Choose: Top Traffic Monitor or Network Conversations Monitor
This section explains the difference between these two Modules.
Overview of Modules
- Top Traffic Monitor Module: This module is primarily designed to identify and report on hosts that generate the most traffic across a network. It consolidates NetFlow records by grouping data such as IP addresses, ports, and protocols, providing insights into high-traffic hosts over configurable intervals.
- Network Conversations Monitor Module: Focused more on the bidirectional aspects of network traffic, this module captures and reports detailed network conversations. It enriches data with additional context, such as application details and user IDs, making it invaluable for in-depth network behavior analysis and security monitoring.
Key Features Comparison
Feature | Top Traffic Monitor Module | Network Conversations Monitor Module |
---|---|---|
Primary Function | Consolidation of uni-directional flows reporting high-traffic host data. | Detailed reporting of consolidated bi-directional network conversations. |
Volume Reduction Options | Data collection interval for flow consolidation, Top N by volume, deduplication, ignoring client ports. | All Top Traffic Monitor options, plus bi-directional option, conversation duration, many enrichment options. |
Data Collection Focus | Volume of traffic by hosts. Enrichment is limited to DNS names. | Contextual details of conversations, including applications, VM names, users, cyber security reputation, etc. |
Deduplication Feature | Optional, avoids data redundancy by selecting authoritative NetFlow exporter. | Same as Top Traffic Monitor. |
Output Details | Fixed format. | Ability to select the fields to be reported. |
Conclusion
Choosing between the Top Traffic Monitor and Network Conversations Monitor depends largely on the specific needs of an organization’s network management and security protocols. While the Top Traffic Monitor provides a broad overview of traffic loads, the Network Conversations Monitor offers a granular view of network interactions, making it a key tool for detailed analytics and security purposes.
SNMP Polling and Traps
NetFlow Optimizer comes with flexible support for SNMP polling and Traps. To learn more, visit Getting Started Guide: SNMP Polling.
Deployment Scenarios
There are several key factors to consider that will determine the type of NFO deployment in your environment:
- The amount of NetFlow data you'd like to process from your network devices on premises
- The number of data centers or geographical locations of your offices with network equipment you'd like to monitor
- Whether you have on prem, cloud, or hybrid environments
- In case of cloud or hybrid environments, whether you want to collect VPC Flow logs to monitor your entire infrastructure
- Location of your SIEM (on prem or in the cloud) and of any other systems in which you'd like to store flow data for full fidelity or compliance
For details on deployment scenarios, including distributed and cloud environments, please refer to the NFO Deployment Guide.
High Availability
To learn more about NFO High Availability, see High Availability Deployment.
Conclusion
Now that you've set up NetFlow Optimizer (NFO), you're ready to enhance your network's visibility and security. Keep exploring its features to fully adapt it to your network's needs.