Visitors by Country Monitor (10040 / 20040)
Description
This Module identifies external hosts communicating with internal (local) peers, and reports them with their geographical locations.
This Module uses an IPv4 address blocks to geographical locations mapping database to find geographical locations of the connecting hosts. There are two GeoIP databases supported in this Module:
MaxMind URL (default):
Starting from January 1 2020 you need to register with MaxMind to get FREE GeoLite2 database. Please see https://dev.maxmind.com/geoip/geoip2/geolite2/ for more details.
- Register at https://dev.maxmind.com/geoip/geoip2/geolite2/
- Login, go to Manage License Keys on the left navigation bar
- Press Generate new license key button
- Select "No" answering this question " Will this key be used for GeoIP Update?"
Once you register and generate your new license key, replace "YOUR_LICENSE_KEY" with it in URL field of EDFN Agent: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
IP2Location URL (optional): http://www.ip2location.com/download/?token=&file=DB1LITE
Note: You need to get the token by registering at www.ip2location.com
Use External Data Feeder for NFO component for initial load and periodic updates of this list.
The list of local subnets is used to identify traffic direction. Default subnets are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
In inbound traffic report source IPv4 addresses are IPv4 addresses of hosts in geographic localities, and the destination IPv4 addresses are IPv4 address of internal hosts.
In outbound traffic report source IPv4 addresses are IPv4 addresses of internal hosts, and destination IPv4 addresses are IPv4 addresses of hosts in outbound geographic localities.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| N - number of reported conversations for each country | The number of top consolidated flows reported for each country. They are reported in the descending order by traffic volume | min = 0, max = 100000, default = 50 (0 indicates all flows are reported) |
| Enable(1) or disable (0) reporting flow denied events | If set to 1, enable reporting firewall denied flows. If set to 0, firewall denied flows are not reported | default = 1 |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| List of local subnets | List of the subnets’ IPv4 addresses and masks (CIDR notation) | e.g. 67.202.0.0,18; 72.44.32.0,24 default = 10.0.0.0,8; 172.16.0.0,12; and 192.168.0.0,16 |
| IPv4 address block and country code | Mapping of country codes to IP addresses blocks | This list is updated by External Data Feeder for NFO, which uses the MaxMind GeoLite Country database as a source |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow Fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20040" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPV4 address | <IPv4_address> |
| dest_ip | Destination host IPv4 address | <IPv4_address> |
| direction | Traffic direction | <string>: egress | ingress |
| cc | Country code | ISO-3166-1 Alpha 2 country code (a two-character country designation, e.g. US) |
| flow_count | Number of flows | <number> |
| bytes | Bytes total (Traffic) | <number> |
| t_int | Observation time interval, msec | <number> |