Solutions at a Glance
The table below shows which Modules need to be enabled to turn on NetFlow Optimizer specific solutions.
Amazon AWS VPC Flow Logs Module Set
Module Name (nfc_id) | Description |
---|---|
AWS Top Traffic Monitor (20267) | This Module reports EC2 instances and hosts with the most traffic. It enriches IP addresses with EC2 names, VPC names, and AWS regions. |
AWS VPC Flow logs (20201) | This Module reports Amazon VPC Flow Logs ingested from CloudWatch (using Kinesis or CWL API) or S3 translating them one-to-one. |
Microsoft Azure NSG Flow Logs
Module Name (nfc_id) | Description |
---|---|
Azure Top Traffic Monitor (20467) | This Module reports Azure Cloud VM and hosts with the most traffic. It enriches IP addresses with VM names, Virtual Network names, and regions. |
Azure NSG Flow Logs | This Module reports Azure NSG Flow Logs ingested from Microsoft Azure Cloud translating them one-to-one. |
Google Cloud VPC Flow Logs Module Set
Module Name (nfc_id) | Description |
---|---|
GCP Top Traffic Monitor (20367) | This Module reports Google Cloud VM and hosts with the most traffic. It enriches IP addresses with VM names, VPC names, and regions. |
GCP VPC Flow Logs (20301) | This Module reports GCP VPC Flow Logs ingested from Google Cloud translating them one-to-one. |
Network Conversations Monitor
Module Name (nfc_id) | Description |
---|---|
Network Conversations Monitor (20062) | This Module reports consolidated network conversations. Optionally it stitches client-server request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields. It also calculates and reports conversation duration, direction (inbound / outbound), state (Begun, Continues, Ended), action (Accepted / Rejected), etc. |
Network Traffic and Devices Monitor Module Set
Module Name (nfc_id) | Description |
---|---|
Network Subnets Monitor (20011) | Reports top bandwidth consumers for each monitored subnet. |
TCP Health Monitor (20060) | This Module reports TCP Health by detecting top hosts with the most TCP Resets. |
Top Connections Monitor (20063) | This Module identifies hosts with the most connections. |
Top Pairs Monitor (20064) | This Module reports top Host Pairs network conversations. |
CBQoS Monitor (20065) | This Module reports traffic for all DSCP bits combinations (QoS). |
Traffic by Autonomous Systems (20066) | This Module reports traffic by all Autonomous Systems (AS). |
Top Traffic Monitor (20067) | This Module identifies hosts with the most traffic. |
Top Packets Monitor (20068) | This Module identifies hosts with the most packets. |
Enhanced Traffic Monitor
Module Name (nfc_id) | Description |
---|---|
Top Traffic Monitor Geo Country (20967) | This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at Country level. |
Enhanced Traffic Monitor 2
Module Name (nfc_id) | Description |
---|---|
Top Traffic Monitor Geo City (20867) | This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts at City level. It also reports TCP session duration. |
Security Module Set
Module Name (nfc_id) | Description |
---|---|
Visitors by Country (Hosts GeoIP) (20040) | This Module identifies hosts with most traffic, and reports them with their geographical locations. |
Botnet C&C Traffic Monitor (20050) | This Module monitors traffic originated from known Command and Control hosts (C&C) or directed to these hosts. The list is published by Emerging Threats (http://www.emergingthreats.net/). |
Custom Threat lists Monitor (20051) | This Module enables you to setup your own threat lists, public or private, and report traffic originated from or directed to the malicious hosts in these threat lists. |
Host Reputation Monitor (20052) | This Module uses a host reputation database from Alienvault (https://cybersecurity.att.com/) to report communications with malicious peers. |
Threat Feeds Traffic Monitor (20053) | This Module monitors traffic originated from known threat lists (published by Dshield.org) specified as IP blocks, list of domains, or IP addresses. |
Email Module Set
Module Name (nfc_id) | Description |
---|---|
Outbound Mail Spammers Monitor (20025) | This Module detects internal hosts infected with spam malware. |
Inbound Mail Spammers Monitor (20026) | This Module detects external hosts sending excessive email traffic to your organization. |
Unauthorized Mail Servers Monitor (20027) | This Module detects internal hosts running unauthorized mail servers. |
Rejected Emails Monitor (20028) | This Module detects external hosts sending emails rejected by internal mail servers. |
Services Monitor Module Set
Module Name (nfc_id) | Description |
---|---|
DNS Service Monitor (20004) | This Module monitors DNS servers and reports DNS server statistics based on DNS traffic. |
DNS Users Monitor (20005) | This Module monitors DNS users and reports DNS usage statistics based on DNS traffic. |
Asset Access Monitor (20014) | This Module monitors traffic to selected services and matches communications to a list of authorized peers. |
Services Performance Monitor (20017) | This Module monitors services performance characteristics. |
Cisco AnyConnect Traffic Monitor
Module Name (nfc_id) | Description |
---|---|
Cisco AnyConnect Top Traffic Monitor (20567) | This Module reports Cisco AnyConnect NVM Flow Logs with logged user information. |
Cisco AVC Module Set
Module Name (nfc_id) | Description |
---|---|
Cisco AVC Top Applications Monitor (20434) | This Module provides a list of most active applications by traffic. |
Cisco AVC Bandwidth Consumption Monitor (20435) | This Module provides a list of most active applications and users by traffic, including source and destination IP addresses. |
Cisco ASA Module Set
Module Name (nfc_id) | Description |
---|---|
Top Bandwidth Consumers for Cisco ASA (20018) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
Top Traffic Destinations for Cisco ASA (20019) | This Module provides a list of most popular destinations measured by the traffic. |
Top Policy Violators for Cisco ASA (20020) | This Module provides a list of firewall policies violators. |
Top Hosts with most Connections for Cisco ASA (20021) | This Module provides top N (by the number of connections) consumers (users). |
Palo Alto Networks Module Set
Module Name (nfc_id) | Description |
---|---|
Top Bandwidth Consumers for Palo Alto Networks Firewall (20030) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
Top Traffic Destinations for Palo Alto Networks Firewall (20031) | This Module provides a list of top network bandwidth destinations. |
Hosts with Most Policy Violations for Palo Alto Networks Firewall (20032) | This Module provides a list of top firewall policies violators. |
Most Active Hosts for Palo Alto Networks Firewall (20033) | This Module provides a list of most active hosts by the number of initiated connections. |
Bandwidth Consumption per Application for Palo Alto Networks Firewall (20034) | This Module provides a list of most active applications by traffic. |
Bandwidth Consumption per Application/User for Palo Alto Networks (20035) | This Module provides a list of most active applications and users by traffic, including source and destination IP addresses. |
Top Applications Traffic Monitor (20036) | This Module reports hosts for top Applications by bandwidth. |
Top Applications Host Pairs Monitor (20037) | This Module reports top Host Pairs network conversations for top Applications by bandwidth. |
VMware Module Set
Module Name (nfc_id) | Description |
---|---|
Top Host VM:Host Pairs (20164) | This Module reports top network conversations in VM environment. |
Top VM:Host Traffic Monitor (20167) | This Module identifies VMs with the most traffic. |
Micro-segmentation Analytics
Module Name (nfc_id) | Description |
---|---|
Micro-segmentation Top Pairs Monitor (20264) | This Module is used for analyzing “east-west” and “north-south” traffic and provides information for micro-segmentation planning. |
NSX Distributed Firewall Monitoring Module Set
Module Name (nfc_id) | Description |
---|---|
Top Bandwidth Consumers for NSX Distributed Firewall (20118) | This Module provides a list of top network bandwidth consumers operating on the internal network. |
Top Traffic Destinations for NSX Distributed Firewall (20119) | This Module provides a list of most popular destinations measured by the traffic. |
Top Policy Violators for NSX Distributed Firewall (20120) | This Module provides a list of firewall policies violators. |
Top Hosts with most Connections for NSX Distributed Firewall (20121) | This Module provides top N (by the number of connections) consumers (users). |
Utilities Module Set
Module Name (nfc_id) | Description |
---|---|
Sampling Monitor (20002) | This Module reports NetFlow sampling information. |
SNMP Information Monitor (20003) | This Module reports SNMP information. |
SNMP Custom OID Sets Monitor (20103) | This Module enables you to build OID sets for SNMP polling and reporting, using built-in SNMP polling service (supports SNMP v2c and v3). |
SNMP Traps Monitor (20700) | This Module enables you to report SNMP traps using built-in SNMP service (supports SNMP v2c and v3). |
Auto-discovery Reporter (20701/20702) | This Module reports auto-discovered devices and connections between devices. |