
Visitors by Country Monitor (10040 / 20040)

Description

This Module identifies external hosts communicating with internal (local) peers, and reports them with their geographical locations.

This Module uses a database that maps IPv4 address blocks to geographical locations to look up the location of each connecting host. Two GeoIP databases are supported in this Module:

MaxMind URL (default):

Note: Starting January 1, 2020, you need to register with MaxMind to get the free GeoLite2 database. See https://dev.maxmind.com/geoip/geoip2/geolite2/ for more details.

  1. Register at https://dev.maxmind.com/geoip/geoip2/geolite2/
  2. Login, go to Manage License Keys on the left navigation bar
  3. Press Generate new license key button
  4. Select "No" when answering the question "Will this key be used for GeoIP Update?"

Once you have registered and generated your new license key, replace "YOUR_LICENSE_KEY" with it in the URL field of the EDFN Agent: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip

IP2Location URL (optional): http://www.ip2location.com/download/?token=&file=DB1LITE

Note: You need to obtain the token by registering at www.ip2location.com

Use the External Data Feeder for NFO component for the initial load and periodic updates of this list.

The list of local subnets is used to identify traffic direction. Default subnets are:

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

In the inbound traffic report, source IPv4 addresses are those of external hosts in the reported geographic localities, and destination IPv4 addresses are those of internal hosts.

In the outbound traffic report, source IPv4 addresses are those of internal hosts, and destination IPv4 addresses are those of external hosts in the reported geographic localities.
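The direction logic described above, as an added example (not the module's own code): it parses the local subnet list in the module's "address,maskbits; ..." notation, decides whether a flow is ingress or egress by checking which endpoint falls inside a local subnet, and looks up the external endpoint's country code in a small constructed address-block mapping standing in for the GeoLite2 feed.

```python
import ipaddress

# Default local subnet list in the module's "addr,bits; addr,bits" notation (from the page).
DEFAULT_LOCAL_SUBNETS = "10.0.0.0,8; 172.16.0.0,12; 192.168.0.0,16"

# Constructed sample of the IPv4-block-to-country mapping (RFC 5737 test ranges, made-up
# country codes). A real deployment loads this from the GeoLite2 Country CSV via EDFN.
SAMPLE_GEOIP_BLOCKS = {
    "203.0.113.0/24": "AU",
    "198.51.100.0/24": "DE",
}


def parse_local_subnets(spec):
    """Parse 'a.b.c.d,bits; ...' into ip_network objects; blank items are ignored."""
    nets = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        addr, bits = (part.strip() for part in item.split(","))
        nets.append(ipaddress.ip_network(f"{addr}/{bits}", strict=False))
    return nets


def is_local(ip, local_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def country_for(ip, blocks):
    """Return the country code of the block containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in blocks.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None


def classify_flow(src_ip, dest_ip, local_nets, blocks):
    """Return (direction, cc) as the module reports them: 'ingress' when the source is
    external and the destination local, 'egress' for the reverse. Local-to-local and
    external-to-external flows have no internal/external pair and return None."""
    src_local, dst_local = is_local(src_ip, local_nets), is_local(dest_ip, local_nets)
    if src_local == dst_local:
        return None
    external = dest_ip if src_local else src_ip
    return ("egress" if src_local else "ingress", country_for(external, blocks))
```

An external host missing from the mapping still gets a direction but a country code of None, which is worth watching for in the feed: a stale or empty GeoIP list silently degrades the report rather than failing loudly.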

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| N - number of reported conversations for each country | The number of top consolidated flows reported for each country. They are reported in descending order by traffic volume | min = 0, max = 100000, default = 50 (0 indicates all flows are reported) |
| Enable (1) or disable (0) reporting flow denied events | If set to 1, firewall denied flows are reported. If set to 0, firewall denied flows are not reported | default = 1 |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| List of local subnets | List of the subnets' IPv4 addresses and masks (CIDR notation), e.g. 67.202.0.0,18; 72.44.32.0,24 | default = 10.0.0.0,8; 172.16.0.0,12; 192.168.0.0,16 |
| IPv4 address block and country code | Mapping of country codes to IPv4 address blocks | This list is updated by External Data Feeder for NFO, which uses the MaxMind GeoLite Country database as a source |

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow Fields

| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20040" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| dest_ip | Destination host IPv4 address | <IPv4_address> |
| direction | Traffic direction | <string>: egress \| ingress |
| cc | Country code | ISO 3166-1 alpha-2 country code (a two-character country designation, e.g. US) |
| flow_count | Number of flows | <number> |
| bytes | Bytes total (traffic) | <number> |
| t_int | Observation time interval, msec | <number> |