Enabling and Configuring Modules
By default NetFlow Optimizer is preconfigured with one Module enabled -- Network Traffic and Device Monitor: 10067 Top Traffic Monitor. You may enable / disable the entire set or each Module by clicking on /
To add or update a Module, click on ‘Upload’ button .
To configure Module parameters expand Module set and click on its’ name.
Configure Top Traffic Monitor Module Parameters
|N – number of reported hosts||The number of top hosts reported per NetFlow exporter, min = 0, max =100000, default = 50 (0 indicates all hosts are reported)|
|Enable(1) or disable (0) reporting by authoritative exporters only||This parameter enables de-duplication. If traffic between two hosts traverses several network devices, flow records about the same flow is received from each NetFlow exporters. If this option enabled, for each flow an authoritative flow exporter is selected, and flows records from other exporters are not reported. (1 – de-duplication is enabled, 0 – de-duplication is disabled)|
|Enable(1) or disable (0) reporting client port||If set to 1, the ephemeral client port number is reported. If set to 0, client port number is not taken into account when consolidating flow records, and reported as 0|
|Enable(1) or disable (0) multiplying by sampling rate||If set to 1, when *flow is sampled (e.g. sFlow, sampled NetFlow/IPFIX), the sampling rate is used to multiply bytes and packets to report total traffic as statistical approximation. Please note that NetFlow Analytics for Splunk App factors sampling on Splunk side, and this parameter should be set to 0|
|Default sampler rate||If sampling information is not available, use this rate to multiply bytes and packets to report total traffic as statistical approximation|
|Enable (1) or disable (0) reporting flow denied events||If set to 1, denied or rejected flows are reported. If set to 0, only allowed or accepted flows are reported. default - 1|
Data Consolidation Parameter
|Data collection interval, sec||Module logic execution interval, min = 5 sec, max = 86400 sec, default= 300 sec. During this time bytes and packets are summed up in in-memory database by source IP, destination IP, ports, and protocol. At the end of data collection interval the list of consolidated flows is sorted by bytes, and only top N records (1st parameter) are converted to syslog or JSON and reported|
Data Sets and Enrichment Parameters
|List of known server destination port numbers||List of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one with a smaller port number. This parameter is ignored for unidirectional flows.|
This parameter is pre-loaded with values from: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
See NetFlow Optimizer User Guide for more information on other Modules functionality and configuration.