Modules Guide
The Modules Guide is a comprehensive technical reference for the intelligence layer of NetFlow Optimizer. While the NFO Engine handles the high-performance ingestion of flows, Modules provide the analytical logic required to turn those flows into actionable security and operational insights.
Overview: Modules and Converters
NFO uses a modular architecture to process telemetry. This allows you to enable only the specific intelligence your environment requires, optimizing system resources.
- Modules: These are the "brains" of the operation. A module analyzes incoming flow data, applies statistical models or external context (like Threat Intel or User Identity), and generates an enriched event.
- Converters: Converters work in tandem with modules to format the resulting data for specific destinations. They ensure that the output is perfectly structured for platforms like Splunk, Microsoft Sentinel, or generic JSON/Syslog collectors.
How to Use This Guide
Each module documented in this guide includes the following technical details to help you deploy and integrate NFO effectively:
- Functionality: A detailed explanation of the module’s logic and use cases.
- Configuration Parameters: A reference for tuning thresholds, intervals, and the in-memory enrichment databases within the NFO Web UI.
- Output Fields: A complete schema of the fields added to the enriched flow, essential for building dashboards and detection rules in your SIEM.
Current Solutions Portfolio
NFO solutions are built on a foundation of high-performance monitoring, enriched with specialized security and contextual modules.
Foundation: Unified Flow Analytics
NFO offers two primary modules for baseline flow processing, allowing you to choose the level of granularity and enrichment required for your visibility goals:
- Network Conversations Monitor (10062): ⭐ Primary Module. The recommended foundation for deep visibility and security analytics. It reconstructs bidirectional "conversations" by stitching forward and reverse flows, provides massive volume reduction, and supports full enrichment (User ID, Application, Threat Intel, etc.). It is the ideal choice for ingesting NetFlow, IPFIX, sFlow, and Cloud Flow Logs (AWS, Azure, GCP).
- Top Traffic Monitor (10067): ⭐ Primary Module. Optimized for high-performance consolidation of unidirectional flows. This module is designed for bandwidth management and "Top N" reporting where limited enrichment (primarily DNS/FQDN) is sufficient. It is particularly effective for high-volume environments that require essential traffic metrics with minimal processing overhead.
Key Features Comparison
| Feature | Top Traffic Monitor (10067) | Network Conversations Monitor (10062) |
|---|---|---|
| Primary Function | Consolidation of uni-directional flows reporting high-traffic host data. | Detailed reporting of consolidated bi-directional network conversations. |
| Volume Reduction Options | Data collection interval for flow consolidation, Top N by volume, deduplication, ignoring client ports. | All Top Traffic Monitor options, plus bi-directional option, conversation duration, many enrichment options. |
| Data Collection Focus | Volume of traffic by hosts. Enrichment is limited to DNS names. | Contextual details of conversations, including applications, VM names, users, cyber security reputation, etc. |
| Deduplication Feature | Optional; avoids data redundancy by selecting an authoritative NetFlow exporter when several exporters report the same flow. | Same as Top Traffic Monitor. |
| Output Details | Fixed format. | Ability to select the fields to be reported. |
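To make the volume-reduction options in the table concrete, the following is an added example, not NFO code: it applies the three steps the table lists (exporter deduplication, bidirectional stitching with optional folding of client ports, and Top N by volume) to a constructed batch of unidirectional flow records and reports the record-count reduction. The record layout, the exporter names, and the "lower port is the server end" orientation heuristic are assumptions made for the illustration; NFO's own stitching rules are not documented on this page.

```python
"""Volume reduction on unidirectional flow records: dedup by exporter,
bidirectional stitching and Top N. Illustrative only; the record layout
and the orientation heuristic are assumptions, not NFO's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow as an exporter reports it (constructed layout)."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int
    start: int      # seconds
    end: int


@dataclass
class Conversation:
    """One bidirectional conversation stitched from forward and reverse flows."""
    client: str
    server: str
    client_port: Optional[int]   # None when client ports are ignored
    server_port: int
    proto: int
    client_packets: int = 0
    client_octets: int = 0
    server_packets: int = 0
    server_octets: int = 0
    start: Optional[int] = None
    end: Optional[int] = None

    @property
    def octets(self) -> int:
        return self.client_octets + self.server_octets

    @property
    def duration(self) -> int:
        return (self.end or 0) - (self.start or 0)


def dedup_by_exporter(flows, authoritative):
    """Keep one copy of a flow seen by several exporters, preferring the
    authoritative exporter; a flow seen only by another exporter is kept."""
    chosen = {}
    for f in flows:
        key = (f.src, f.sport, f.dst, f.dport, f.proto, f.start)
        cur = chosen.get(key)
        if cur is None or (f.exporter == authoritative and cur.exporter != authoritative):
            chosen[key] = f
    return list(chosen.values())


def orient(f):
    """Assumed heuristic: the lower port (then lower address) is the server
    end. Returns (client, client_port, server, server_port, is_forward)."""
    if (f.dport, f.dst) < (f.sport, f.src):
        return f.src, f.sport, f.dst, f.dport, True
    return f.dst, f.dport, f.src, f.sport, False


def stitch(flows, ignore_client_port=False):
    """Fold forward and reverse flows into one conversation record, keyed on
    client, server, server port, protocol and (optionally) client port."""
    convs = {}
    for f in flows:
        client, cport, server, sport, forward = orient(f)
        key = (client, server, None if ignore_client_port else cport, sport, f.proto)
        c = convs.get(key)
        if c is None:
            c = convs[key] = Conversation(client, server, key[2], sport, f.proto)
        if forward:
            c.client_packets += f.packets
            c.client_octets += f.octets
        else:
            c.server_packets += f.packets
            c.server_octets += f.octets
        c.start = f.start if c.start is None else min(c.start, f.start)
        c.end = f.end if c.end is None else max(c.end, f.end)
    return list(convs.values())


def top_n(convs, n):
    return sorted(convs, key=lambda c: c.octets, reverse=True)[:n]


def consolidate(flows, authoritative="edge-r1", ignore_client_port=False, n=None):
    """Whole pipeline; returns the conversations and input/output record ratio."""
    convs = stitch(dedup_by_exporter(flows, authoritative), ignore_client_port)
    if n is not None:
        convs = top_n(convs, n)
    return convs, len(flows) / max(len(convs), 1)


# Constructed sample: two exporters on the same path both see the client half
# of the first HTTPS session, so that record arrives twice.
SAMPLE = [
    Flow("edge-r1", "10.0.0.5", 51000, "10.0.0.10", 443, 6, 10, 1500, 0, 5),
    Flow("core-r2", "10.0.0.5", 51000, "10.0.0.10", 443, 6, 10, 1500, 0, 5),  # duplicate
    Flow("edge-r1", "10.0.0.10", 443, "10.0.0.5", 51000, 6, 12, 20000, 0, 5),  # reverse half
    Flow("edge-r1", "10.0.0.5", 51001, "10.0.0.10", 443, 6, 5, 600, 6, 8),
    Flow("edge-r1", "10.0.0.10", 443, "10.0.0.5", 51001, 6, 6, 9000, 6, 8),
    Flow("edge-r1", "10.0.0.7", 40000, "10.0.0.53", 53, 17, 1, 70, 2, 2),
    Flow("edge-r1", "10.0.0.53", 53, "10.0.0.7", 40000, 17, 1, 200, 2, 2),
]

if __name__ == "__main__":
    for ignore in (False, True):
        convs, ratio = consolidate(SAMPLE, ignore_client_port=ignore)
        print(f"ignore_client_port={ignore}: {len(SAMPLE)} flows -> "
              f"{len(convs)} conversations ({ratio:.2f}x reduction)")
        for c in top_n(convs, 1):
            print("  top:", c.client, "->", f"{c.server}:{c.server_port}", c.octets, "octets")
```

The orientation heuristic is the weak point of any stitcher: with no TCP flag or timing information, an ephemeral port below the service port will be misread as the server end, which is why a production collector also uses SYN direction and exporter-observed first-packet time. Folding client ports is the most aggressive option and is only appropriate for "Top N" style reporting; for security analytics the per-conversation record is what you want to keep.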
Conclusion
Choosing between the Top Traffic Monitor and the Network Conversations Monitor depends on what an organization needs from the data. The Top Traffic Monitor gives a broad view of traffic load with minimal overhead; the Network Conversations Monitor gives a granular, enriched view of each network interaction, which makes it the right foundation for detailed analytics and security detection.
Module Reference Table
| Category | Recommended Module | Primary Benefit |
|---|---|---|
| Flow Foundation (Sessions) | Network Conversations Monitor (10062) | ⭐ Primary. Bidirectional flow stitching, Cloud Flow support, and full enrichment. |
| Flow Foundation (Traffic) | Top Traffic Monitor (10067) | ⭐ Primary. High-performance consolidation of unidirectional flows for Top N reporting. |
| Performance & Health | TCP Health Monitor (10060) | Identifies potential network or application issues by tracking hosts with high TCP Resets. |
| DNS Monitoring | DNS Service Monitor (10004) | Monitors DNS server health and performance metrics based on traffic. |
| DNS Monitoring | DNS Users Monitor (10005) | Tracks DNS requestors to identify top users and potential exfiltration. |
| Policy & QoS | CBQoS Monitor (10065) | Reports traffic distribution across all DSCP bit combinations to validate QoS policies. |
| Network Visibility | Network Subnets Monitor (10011) | Reports top bandwidth consumers specifically organized by monitored subnets. |
| VPN Visibility | Cisco AnyConnect Top Traffic (10567) | Specialized reporting for Cisco AnyConnect NVM flow logs, including logged-in user data. |
| Service Intelligence | Services Performance (10017) | Monitors specific service characteristics (latency, response times) at the flow level. |
| Access Control | Asset Access Monitor (10014) | Matches communication against authorized peer lists to identify unauthorized access. |
Infrastructure & Device Telemetry (SNMP)
Beyond flow data, NFO includes a dedicated SNMP service for health and performance monitoring of your network hardware. Use these modules for device-level visibility that flow data cannot provide, such as CPU load or interface errors.
| Module Name | ID | Primary Use Case |
|---|---|---|
| SNMP Information Monitor | 10003 | Standard polling of device info, interface status, and interface metrics. |
| SNMP Custom OID Monitor | 10103 | Build custom OID sets for vendor-specific polling (e.g., environmental sensors). |
| SNMP Traps Monitor | 10700 | Passive reception and conversion of hardware alerts into Syslog/JSON events. |
| Auto-discovery Reporter | 10701 | Reports results of the built-in SNMP auto-discovery process, including the list of discovered devices and their logical connections. |
Legacy Modules & Migration Guide
As NFO has evolved, we have consolidated dozens of vendor-specific and cloud-specific modules into our Unified Flow Analytics engine. This consolidation provides superior performance, bidirectional stitching, and a standardized data schema across your entire infrastructure.
The Migration Path
If you are currently using any of the modules listed below, we recommend migrating to the Network Conversations Monitor (10062) or Top Traffic Monitor (10067). These primary modules now handle all functionality previously found in specialized collectors.
Detailed specifications for deprecated modules are maintained in our v2.11.2 Documentation Archive. Clicking a legacy ID below will take you to that version's technical reference.
| Legacy / Deprecated Module Set | Affected Module IDs | Recommended Migration Path |
|---|---|---|
| Network Traffic & Devices | 20063, 20064, 20066, 20068 | Top Traffic Monitor (10067) |
| Amazon AWS VPC Flow Logs | 20267, 20201 | Network Conversations Monitor (10062) |
| Microsoft Azure NSG Flow Logs | 20467, 20401 | Network Conversations Monitor (10062) |
| Google Cloud VPC Flow Logs | 20367, 20301 | Network Conversations Monitor (10062) |
| Cisco ASA Monitoring | 20018 - 20021 | Network Conversations Monitor (10062) |
| Palo Alto Networks Monitoring | 20030 - 20037 | Network Conversations Monitor (10062) |
| Cisco AVC (App Visibility) | 20434 - 20435 | Network Conversations Monitor (10062) |
| VMware / NSX Monitoring | 20164 - 20167, 20118, 20264 | Network Conversations Monitor (10062) |
| Email Analytics (Legacy) | 20025 - 20028 | Network Conversations Monitor (10062) |
Why Migrate?
- Significant Cost Reduction: Migrating eliminates data overlap. Several deprecated modules reported the same telemetry in different formats; moving to a single primary module prevents redundant ingestion and reduces SIEM licensing costs.
- Advanced Volume Reduction: Modules 10062 and 10067 offer superior deduplication and aggregation logic compared to the legacy sets, further lowering your storage footprint.
- Bidirectional Intelligence: Legacy modules often reported the two unidirectional "halves" of a conversation as separate records. Network Conversations Monitor (10062) stitches them into a single, complete bidirectional record.
- Unified Schema: One field schema keeps your data compatible with the latest NetFlow Logic Apps for Splunk, Microsoft Sentinel, and Elastic.
How to Migrate
- Identify: Check your NFO Web UI for modules marked with a Deprecated warning.
- Enable Primary: Enable Module 10062 (full enrichment and bidirectional conversation records) or Module 10067 (high-volume traffic summaries).
- Validate: Confirm the new data is reaching your SIEM and meets your reporting requirements; dashboards and detection rules written against legacy field names need to be updated to the unified schema before the legacy module goes away.
- Disable Legacy: Once validated, disable the legacy module promptly to prevent duplicate reporting and free system resources.