Getting the initial settings right

Free training on NetFlow Analyzer: Part I

Welcome to a free training onNetFlow Analyzer!

Can you hear me? Can you see the presentation?

Please confirm by commenting in the chat panel.

TrainerPiyushreeNetFlow Analyzer product expert

Part I:

Getting the initial settings right

Agenda

• Exporting flows

• Traffic grouping

• Application mapping

• Threshold based alerting

• Customize traffic monitoring

• Knowledge base and best practices

Minimum system requirements

2.4 GHz quad-coreprocessor, or

equivalent

4GB RAM 50GB storage Windows/LinuxPostgreSQL/MSSQL

These specifications only apply when raw data is turned off and the flow rate is below 3,000 flows/sec. Requirements will vary with different settings.

Initial setup

Set up flow export Viewing & customizing bandwidth graphs

Configuring alerts

Step1 Step 2 Step 3

Step 1: Configuring flow export from interfaces

NetFlow sFlow J-Flow

IP FIX NetStream AppFlow

Where and how do you send flows?

Ways of exporting flows to NetFlow Analyzer:

i. Manual configuration ii. Using Network Configuration Manager

Ports to be considered:• Server port: NetFlow Analyzer's web server port• Listener port: Port on which NetFlow Analyzer

receives flows• Both ports are configurable

Using Network Configuration Manager

Benefits of using Network Configuration Manager:

• No need to write commands

• Predefined configlets

• Export flows from multiple interfaces in bulk

• Backup and restore configurations for devices

• Create new configlets

Apply credentials

Select interfaces

Export flow

Add devices

Creating/modifying a configlet

• In Network Configuration Manager, go

to Settings > Configlets. Add a new

configlet by creating a custom template.

• Select devices and enter flow

configuration commands.

• Execute the new configlet.

Devices supported by NetFlow Analyzer

https://www.manageengine.com/products/netflow/supported-devices.html

Common challenges faced after exporting flows

#1. NetFlow Analyzer shows "No Data Available" in graphs, even after I've configured flows.

Solution: Two possibilities

1. The device is not configured correctly for exporting flows.

2. A firewall or access list is blocking the UDP port.

• Check if flows are received with the help of Wireshark.

• Yes- Check for windows firewall/IP tables for any restrictions and template timeout to 60 seconds.

• No- Correct the configuration by setting the active timeout to 60 seconds.

#2. I've added five interfaces. Why is one of my interfaces, "Interface Gi0/1," not listed in NetFlow Analyzer?

Solution:

The particular interface isn't configured for exporting flows.

• Use Wireshark to check if it can receive flows from that interface.

• If yes, create an inbound exception in Windows Firewall or IP tables.

• If no, an external firewall may be blocking the UDP port.

Step 2: View traffic details from Inventory

Inventory

Flow analysis

Config management

IP SLA

Packet analysis

Traffic overviewReal-time traffic

graphs

Inventory: Flow Analysis

Traffic overview

Device

Device groups

Lay 4 & 7 apps DSCP-based QoS

Wireless LAN controllers

Interface

IP / interface group

Snapshot summary Device traffic details:• Traffic speed

• Associated interfaces by speed,

volume and utilization

• Top applications and protocols

• Top QoS

• Top Source, destination and

conversation

• AS traffic

Group traffic details:• Traffic by speed, volume, utilization

and packets

• Associated applications and

protocols

• DSCP QoS traffic

• Source, destination and conversation

Application traffic details:

• Traffic usage by volume

• Associated interfaces

QoS traffic details:

• Traffic usage by volume

• Associated interfaces

WLC traffic details:• Controller traffic by speed, volume

and packets

• Associated access points

• Application traffic

• DSCP QoS traffic

• Conversation details with Client IPs

and SSIDs

Interface traffic details:• Traffic by speed, volume, utilization

and packets

• Top applications and protocols

• Top Source, destination and

conversation by geo-location,

network and DNS name

• Top QoS traffic by DSCP and TOS

• SNMP/FNF NBAR, CBQoS

• Multicast report

• Medianet by volume, RTT, packet loss

• AVC

Tips to enhance visibility into your traffic

My interfaces are named "IfIndex1" and "IfIndex2." How can I view the actual name of devices and interfaces?

Solution: Three options

• Fetch name from router with

SNMP

1. Create SNMP credential

v1/v2/v2 from discovery

2. Associate SNMP credentials

3. Edit device

• Fetch the DNS name.

• Enter your own name.

My interface utilization says it's above 100 percent. How do I set the correct value?

Solution: Three possibilities

1. The speed is incorrect.

2. [OR] time sync problem.

3. [OR] GRE/ESP tunneling through

the device is double counted

• Set the proper IN and OUT speed in bytes. Go to Inventory > Select Interfaces > Set Speed.

• Make sure the device time and NFAtime is in sync

• Check flow filters

Most of the applications are listed as "_App". How do I map those applications and also add my own applications?

Solution:

Application mapping for _App

• Interface >Application > _App >

Show port.

• Map application and define IP

address/ IP network/ IP range.

Application mapping for own apps

• Settings> netflow> mapping >

add

Traffic grouping

Branches

VLANRelated appsNetwork subnet

Department

Sort traffic usage by groups

Types of groups

Device

Interface

IP

Application

DSCP

Benefits of creating groups:

• Monitor combined bandwidth usage to get better picture of traffic consumption.

• Provide access to operators based on groups.

• Provide better visibility to improve troubleshooting.

Scenarios: Creating groups

How do I check traffic usage by department (e.g. Finance & HR)?

Solution

Create a device or IP group for

each department.

• Combine devices under a

department to create groups.

• Generate group reports.

• Other option: branches

How do I monitor combined traffic for VLAN?

Solution

An un-routed VLAN will not send traffic like

an interface, but NetFlow Analyzer will

discover its associated interfaces.

• Create an Interface Group that

includes all of the VLAN's

interfaces to monitor the

cumulative traffic.

• Other option: failover, load

balancing, port channeling, and

aggregation.

How do I manage each of my customers' traffic ?

Solution

Create IP groups for each customer.

• Combine IPs to create groups.

• Generate group reports.

• Group based on IP range, network,

monitoring between sites.

• Other option: between sites and

department

How do I view business critical traffic and see how much bandwidth is used?

Solution

Create application groups.

• Combine apps to create a group.

• Find total utilization for each

group.

• Pull combined traffic reports.

Simplified and customizable Inventory

Edit configurationCustom filters/sort

Custom views Custom search

Filter up to the last 30 days Create device group Create device/interface/app group Inventory search

Set speed Set SNMP Zoom in graphs Generate instant reports

New in v12

Unmanage/delete device Add to Network Configuration Manager

Table/list/status viewConfigure NBAR & CBQoS

Service policy & ACL Clear alarm/add note

Various device-specific custom options

New in v12

How do I view traffic for any particular time when there is network congestion?

Solution

Custom time intervals.

• Go to Sort by Time > Custom.

• Set your time interval

Step 3: Alerting

Link down Link overutilized

Threshold violation Link slow

Alert Profiles

Preconfigured alerts: • Link down • No flow

Threshold based alerts • IP range, IP address or IP network• Based on port/protocol range• Based on application• Based on DSCP

I want to get alerted when the interface is over utilized in a WAN link?

Solution

• Set a threshold alert for

overutilized links.

• Provide a threshold value.

• Set up email/SMS notifications.

Thresholds based on multiple conditions

Select source Select criteria Define threshold Save alert profile

Alerts specific to below violation:• Utilization• Volume• Speed• Packets

Alert severity levels:• Critical• Trouble• Attention

How do I set up notifications?

Types of notifications:• Email• SMS• Trigger SNMP trap

• Modify an alarm's description.• Get reports via email. New in v12

Step 1: Configure mail server settings.

Step 2: Set threshold.

Step 3: Provide an email address or phone number.

Step 4: Save alert.

Basic and server settings

Mail server

User management

SMS server Rebranding

Snapshot setting

Self-monitoring

REST API Server settings

System timezone settings

Admin Settings

Storage Mapping Grouping

Flow filters NBAR/CBQoS polling License mgmt

Summary

Set up flow export

#1. Data not available#2. Interfaces not listed

Viewing & customizing bandwidth graphs

#1. Fetch device/interface name#2. Utilization above 100%#3. Map unknown applications#4. Show DNS name #5. Categorize traffic groups#6. Customize time filter

Configuring alerts

#1. Set interface overutilized alert#2. Link down

Step1 Step 2 Step 3

Upcoming training on Dec 13th

Part II: Diagnosing and troubleshooting traffic issues faster

• Alarms• Customizing data storage • Troubleshooting with forensics • Reporting and automation • Capacity planning • Traffic shaping • Customizing dashboards • Usage-based billing

Need more help?

youtube.com/netflowanalyzertechvideos

help.netflowanalyzer.com

forums.manageengine.com/netflowanalyzer

netflowanalyzer-support@manageengine.com

+1 (888) 720-9500 / +1 (408) 916 - 9400

Q & A

Thank you!Piyushree

piyushree.n@zohocorp.com