Solutions at a Glance
The table below shows which Modules need to be enabled to turn on NetFlow Optimizer specific solutions.
Network Conversations Monitor (⭐ Primary Module)
The Network Conversations module is one of the main processing engines in NFO. It provides a comprehensive, centralized view of all network activity and is designed to handle all major flow formats, including standard NetFlow, IPFIX, sFlow, and native Cloud Flow Logs (AWS, Azure, GCP, Oracle). This module is the recommended foundation for all new flow data processing and reporting.
| Module Name (nfc_id) | Description |
|---|---|
| Network Conversations Monitor (20062) | This Module reports consolidated network conversations. Optionally it stitches client-server request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields. It also calculates and reports conversation duration, direction (inbound / outbound), state (Begun, Continues, Ended), action (Accepted / Rejected), etc. ⭐ Primary volume reduction Module for bidirectional flows. This Module will be packaged in Unified Flow Analytics Module Set. |
Network Traffic and Devices Monitor Module Set (⚠️ Partially Deprecated)
The Top Traffic Monitor Module is a primary volume reduction module that consolidates unidirectional flow records into aggregated flow events, significantly reducing data volume for cost reduction in downstream SIEMs. You have the flexibility to report all consolidated flows for analysis or focus only on the Top N most significant conversations based on customizable metrics.
Several Modules in this set will be ⚠️ DEPRECATED or ℹ️ Legacy Module in a future NFO release.
| Module Name (nfc_id) | Description |
|---|---|
| Network Subnets Monitor (20011) | Reports top bandwidth consumers for each monitored subnet. (ℹ️ Legacy Module) |
| TCP Health Monitor (20060) | This Module reports TCP Health by detecting top hosts with the most TCP Resets. (ℹ️ Legacy Module) |
| Top Connections Monitor (20063) | This Module identifies hosts with the most connections. (⚠️ DEPRECATED) |
| Top Pairs Monitor (20064) | This Module reports top Host Pairs network conversations. (⚠️ DEPRECATED) |
| CBQoS Monitor (20065) | This Module reports traffic for all DSCP bits combinations (QoS). (ℹ️ Legacy Module) |
| Traffic by Autonomous Systems (20066) | This Module reports traffic by all Autonomous Systems (AS). (⚠️ DEPRECATED) |
| Top Traffic Monitor (20067) | This Module identifies hosts with the most traffic. ⭐ Primary volume reduction Module for unidirectional flows. This Module will be packaged in Unified Flow Analytics Module Set. |
| Top Packets Monitor (20068) | This Module identifies hosts with the most packets. (⚠️ DEPRECATED) |
Cisco AnyConnect Traffic Monitor
| Module Name (nfc_id) | Description |
|---|---|
| Cisco AnyConnect Top Traffic Monitor (20567) | This Module reports Cisco AnyConnect NVM Flow Logs with logged user information. (ℹ️ Legacy Module) |
Utilities Module Set
This Module Set will be split into two Module Sets in a future NFO release.
| Module Name (nfc_id) | Description |
|---|---|
| Sampling Monitor (20002) | This Module reports NetFlow sampling information. (ℹ️ Legacy Module) |
| SNMP Information Monitor (20003) | This Module reports SNMP information. This Module will be packaged in Infrastructure Telemetry Module Set. |
| SNMP Custom OID Sets Monitor (20103) | This Module enables you to build OID sets for SNMP polling and reporting, using built-in SNMP polling service (supports SNMP v2c and v3). This Module will be packaged in Infrastructure Telemetry Module Set. |
| SNMP Traps Monitor (20700) | This Module enables you to report SNMP traps using built-in SNMP service (supports SNMP v2c and v3). This Module will be packaged in Infrastructure Telemetry Module Set. |
| Auto-discovery Reporter (20701/20702) | This Module reports auto-discovered devices and connections between devices. This Module will be packaged in Infrastructure Telemetry Module Set. |
Services Monitor Module Set
These Modules will be packaged Legacy Module Set.
| Module Name (nfc_id) | Description |
|---|---|
| DNS Service Monitor (20004) | This Module monitors DNS servers and reports DNS server statistics based on DNS traffic. |
| DNS Users Monitor (20005) | This Module monitors DNS users and reports DNS usage statistics based on DNS traffic. |
| Asset Access Monitor (20014) | This Module monitors traffic to selected services and matches communications to a list of authorized peers. |
| Services Performance Monitor (20017) | This Module monitors services performance characteristics. |
Amazon AWS VPC Flow Logs Module Set (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| AWS Top Traffic Monitor (20267) | This Module reports EC2 instances and hosts with the most traffic. It enriches IP addresses with EC2 names, VPC names, and AWS regions. |
| AWS VPC Flow logs (20201) | This Module reports Amazon VPC Flow Logs ingested from CloudWatch (using Kinesis or CWL API) or S3 translating them one-to-one. |
Microsoft Azure NSG Flow Logs (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Azure Top Traffic Monitor (20467) | This Module reports Azure Cloud VM and hosts with the most traffic. It enriches IP addresses with VM names, Virtual Network names, and regions. |
| Azure NSG Flow Logs (20401) | This Module reports Azure NSG Flow Logs ingested from Microsoft Azure Cloud translating them one-to-one. |
Google Cloud VPC Flow Logs Module Set (⚠️ Deprecated)�
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| GCP Top Traffic Monitor (20367) | This Module reports Google Cloud VM and hosts with the most traffic. It enriches IP addresses with VM names, VPC names, and regions. |
| GCP VPC Flow Logs (20301) | This Module reports GCP VPC Flow Logs ingested from Google Cloud translating them one-to-one. |
Enhanced Traffic Monitor (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Top Traffic Monitor Geo Country (20967) | This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at Country level. |
Enhanced Traffic Monitor 2 (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Top Traffic Monitor Geo City (20867) | This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at City level. It also reports TCP session duration. |
Security Module Set (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Visitors by Country (Hosts GeoIP) (20040) | This Module identifies hosts with most traffic, and reports them with their geographical locations. |
| Botnet C&C Traffic Monitor (20050) | This Module monitors traffic originated from known Command and Control hosts (C&C) or directed to these hosts. The list is published by Emerging Threats (http://www.emergingthreats.net/). |
| Custom Threat lists Monitor (20051) | This Module enables you to setup your own threat lists, public or private, and report traffic originated from or directed to the malicious hosts in these threat lists. |
| Host Reputation Monitor (20052) | This Module uses a host reputation database from Alienvault (https://cybersecurity.att.com/) to report communications with malicious peers. |
| Threat Feeds Traffic Monitor (20053) | This Module monitors traffic originated from known threat lists (published by Dshield.org) specified as IP blocks, list of domains, or IP addresses. |
Email Module Set (⚠️ Deprecated)
This Module Set will be retired in a future NFO release.
| Module Name (nfc_id) | Description |
|---|---|
| Outbound Mail Spammers Monitor (20025) | This Module detects internal hosts infected with spam malware. |
| Inbound Mail Spammers Monitor (20026) | This Module detects external hosts sending excessive email traffic to your organization. |
| Unauthorized Mail Servers Monitor (20027) | This Module detects internal hosts running unauthorized mail servers. |
| Rejected Emails Monitor (20028) | This Module detects external hosts sending emails rejected by internal mail servers. |
Cisco AVC Module Set (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Cisco AVC Top Applications Monitor (20434) | This Module provides a list of most active applications by traffic. |
| Cisco AVC Bandwidth Consumption Monitor (20435) | This Module provides a list of most active applications and users by traffic, including source and destination IP addresses. |
Cisco ASA Module Set (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Top Bandwidth Consumers for Cisco ASA (20018) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
| Top Traffic Destinations for Cisco ASA (20019) | This Module provides a list of most popular destinations measured by the traffic. |
| Top Policy Violators for Cisco ASA (20020) | This Module provides a list of firewall policies violators. |
| Top Hosts with most Connections for Cisco ASA (20021) | This Module provides top N (by the number of connections) consumers (users). |
Palo Alto Networks Module Set (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Top Bandwidth Consumers for Palo Alto Networks Firewall (20030) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
| Top Traffic Destinations for Palo Alto Networks Firewall (20031) | This Module provides a list of top network bandwidth destinations. |
| Hosts with Most Policy Violations for Palo Alto Networks Firewall (20032) | This Module provides a list of top firewall policies violators. |
| Most Active Hosts for Palo Alto Networks Firewall (20033) | This Module provides a list of most active hosts by the number of initiated connections. |
| Bandwidth Consumption per Application for Palo Alto Networks Firewall (20034) | This Module provides a list of most active applications by traffic. |
| Bandwidth Consumption per Application/User for Palo Alto Networks (20035) | This Module provides a list of most active applications and users by traffic, including source and destination IP addresses. |
| Top Applications Traffic Monitor (20036) | This Module reports hosts for top Applications by bandwidth. |
| Top Applications Host Pairs Monitor (20037) | This Module reports top Host Pairs network conversations for top Applications by bandwidth. |
VMware Module Set (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Top Host VM:Host Pairs (20164) | This Module reports top network conversations in VM environment. |
| Top VM:Host Traffic Monitor (20167) | This Module identifies VMs with the most traffic. |
Micro-segmentation Analytics (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Micro-segmentation Top Pairs Monitor (20264) | This Module is used for analyzing “east-west” and “north-south” traffic and provides information for micro-segmentation planning. |
NSX Distributed Firewall Monitoring Module Set (⚠️ Deprecated)
This Module Set will be retired in a future NFO release. Its functionality is now fully integrated into the Network Conversations module. Action Required: Please disable this module and migrate your configurations to Network Conversations to eliminate duplicate data reporting to your SIEM or IT Ops system.
| Module Name (nfc_id) | Description |
|---|---|
| Top Bandwidth Consumers for NSX Distributed Firewall (20118) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
| Top Traffic Destinations for NSX Distributed Firewall (20119) | This Module provides a list of most popular destinations measured by the traffic. |
| Top Policy Violators for NSX Distributed Firewall (20120) | This Module provides a list of firewall policies violators. |
| Top Hosts with most Connections for NSX Distributed Firewall (20121) | This Module provides top N (by the number of connections) consumers (users). |