Is it possible to NTA Flow alert for a single client/server pair conversation?

gwarn70

I have a request to use NTA to monitor a nightly SFTP job that runs at 4am and typically transfers ~60M of data.

The desired outcome of the alert would be to notify if that job didn't produce a minimal flow of data during that 4am window.

When I navigate to the actual SFTP conversation in NTA and hit "Create a flow alert" I cannot use the "Create Alert" button because of this error:

For traffic matching the current Flow Navigator filters:

There is no Application or NBAR2 Application selected in Flow Navigator

If I drill down on the top 10 protocols for that conversation I get to the firewall/interface, then click on the application so I can create an alert but it's just for the app on that firewall interface - no filtering on client/server conversation

For traffic matching the current Flow Navigator filters:

Included Application: SSH / SFTP (22)

Here is what this alert looks like after creating it:

LEFT JOIN
(
SELECT InterfaceID
FROM Orion.Netflow.FlowsByInterface
WHERE
(TimeStamp >= AddMinute(-6, DateTrunc('minute', GetUtcDate())) AND TimeStamp <= AddMinute(-2, DateTrunc('minute', GetUtcDate())))
AND InterfaceID IN (19174)
AND (ApplicationID IN (100016) AND ApplicationID != 0)
GROUP BY InterfaceID
HAVING NOT ((SUM(IngressBytes)*8) / (5*60)) <= 10000
) AS Flows
ON Flows.InterfaceID = Interfaces.InterfaceID
WHERE Interfaces.InterfaceID IN (19174)
AND Flows.InterfaceID IS NULL
AND Interfaces.InterfaceID NOT IN (
SELECT EntityID FROM Orion.NetObjectDownTime
WHERE EntityType = 'Orion.NPM.Interfaces'
AND DateTimeUntilNow > AddMinute(-7, DateTrunc('minute', GetUtcDate()))
AND State = 9
AND EntityID IN (19174)
)
AND Interfaces.InterfaceID IN (
SELECT InterfaceID FROM Orion.Netflow.Source
WHERE Enabled = 'True'
AND (
EngineID IS NULL OR
EngineID NOT IN (
SELECT EngineID FROM Orion.Netflow.FlowEngines
WHERE FlowCollectorKeepAlive < AddSecond(-90, GETUTCDATE()) OR
AddMinute(7, FlowCollectorStartTime) > GETUTCDATE()
)
)
)

Is there anyway to augment this or write differently to capture the 2 end nodes conversation specifically?

verwin_u

Hi @gwarn70 , 

There would be lots of possible things. NBAR is one of the possible option to monitor port 22

1. 60m of data might not reflect in your top takers. 

2. nbar is not enable is the router or switches where sftp is passing. 

3. once you able to see post22 in your top talkers (netflow or nbar), you may now create a report or alert using flow navigator

4. *you might also need to make sure which swift or router these port 22 is passing. so that you can configure the correct device for netflow and nbar sending.  

+++++++++

1. you may adjust the top taker optimization to collect and reflect all netflow data in your top talkers/top application. 
https://documentation.solarwinds.com/en/success_center/nta/content/nta-configuring-the-nta-top-talker-optimization-sw343.htm

2 you need to configure your device to send nbar data. nbar data is a much details application level netflow data. you need to configure the device to send application id in your netflow record. 

https://documentation.solarwinds.com/en/success_center/nta/content/nta-nbar2%20requirements%20for%20application%20id.htm

https://documentation.solarwinds.com/en/success_center/nta/content/nta-required-fields-sw148.htm

3. you need to make sure that port 22 appears in your talker for you to create an alert or report about it. 
https://documentation.solarwinds.com/en/success_center/nta/content/getting-started-guide/nta-use-flow-navigator-for-forensic-analysis.htm

If you need further assistance to validate the to verify the port 22 is part of your received netflow traffic, i highly recommend reaching out to our sw support geeks.