Please see this blog post:
Chris,
First, great work on all the apps and additions you guys are doing to Solarwinds. This app has really grown up over the years, and this Thwack community has REALLY helped the growth. Keep up the great work.
I have a question about netflow and Packeteer. The packeteers have a specific type of netflow they can do and I was wondering if you had any plans to support this? Their software (IntelligenceCenter) isn't very good, and we'd love to be able to use Solarwinds for this. I haven't seen much discussion about it on Thwack, so I just thought I'd check.
Thanks, and keep up the great work.
--Ron
Thanks Chris!!
When is the next version expected? CB QOS is not working in our environment, and they have advised me that this should be fixed in the next release.
Are all these features part of the next release, which is 3.6?
Chandru
When will 3.6 be available? We were invited to test the beta release, but did not get any specifics of when it would be available. On the download portal, our new licenses are there for 3.6, but the download button does not work.
Same here (download button doesn't work).
Dave.
Juan and Dave, please send me an email and I'll send you a direct link to the download.
Using NTA with Force 10 S50N and S25N switches and sFlow. Love it. Would like to see a report that shows all protocols seen and the amount of utilization assigned to each. I'm sure I can create this but haven't figured out how to yet. Also would then like to be able to click on a protocol and see a list of the top hosts sending/receiving that protocol.
We're glad you're loving NTA. Hopefully there will be more to love very soon with the NTA 3.6 release. It includes the ability to see percent utilization on top talker graphs. Here's what's coming in that version:
A feature we would LOVE to see (we use this daily on our LanCope StealthWatch appliance that I want NTA to replace), is the ability to see the AD user name associated with a flow. In other words, IP x.y.z.a went to cnn.com and user Jsmith is associated with x.y.z.a.
Chris-
Would love to see a world map with known locations of IPs that are not private shown. Raffael Marty discusses this in his book Applied Security Visualization.
http://raffy.ch/blog/
You could make the dots larger or smaller based on amount of traffic associated with each. Top XX would be very useful and having Google Maps be the map source would be great also.
Visualization is key. Pie charts and line graphs are nice but this is what I'm looking for:
http://chrislee.dhs.org/projects/visualfirewall.html
I second this request.
Chris, what is the problem you're trying to solve with this type of visualization? Is it a security management or a network management use-case?
How about Huawei Netstream? Any plans to integrate this?
Those interested in support for Huawei Netstream should post here.
We can limit user access to certain IP subnet ranges; however, those IP ranges are based on the IPs of NetFlow sources (Nodes). How about the ability to limit access based on endpoint subnets?
Example:
Marketing: 10.2.0.0/24
Sales: 10.4.0.0/24
Accounting: 10.6.0.0/24
So the sales manager could log into NTA and see info on all 10.4.0.0/24 PCs no matter what router, switch, or VLAN the flows came from. Because the user access filtering/limiting would be based on endpoint IPs.
If you know the primary NetFlow source for each of the subnets, you can do something like the following:
1. Create IP Address Groups that map to each of the departmental subnets
2. Create Traffic Builder View for each IP Address Group
3. Add the Traffic Builder View URLs for each subnet to a Web Links resource
4. Create custom view for each department user that shows the links to the appropriate Traffic Builder View URLs
Having said that, I agree this is less than ideal. I've captured this as a feature request.
I'm trying to build applications for my traffic. Examples include Exchange, which often is between two high ports, so I need to filter on destination or source of my Exchange servers. I can't seem to build applications with multiple expressions.
I want to categorize http traffic on-net from that off-net. So I want to see all traffic with a source AND destination within my company subnets. All other traffic should be categorized as http. What happens if rules overlap? Which rules win out?
I'd love to see firewall type rule base to create these categories.
I started testing Plixer's Scrutinizer. I like the graph of both inbound and outbound on one graph. The reason I installed it was to test its ability to build applications. While much more powerful than NTA, it still has limits.
Doesn't anyone want to build custom applications definitions so that NTA graphs show company applications instead of general protocols? I wouldn't think this is a unique requirement.
I want to make sure I'm capturing this requirement correctly.
So, if you could create an advanced rule with the following logic:
Exchange Application Definition
Source: Company Subnet Port: High Exchange Port 1
Destination: Company Subnet Port: High Exchange Port 2
Protocol: TCP
Then, you could meet your requirements?
I'll give some examples:
Exchange:
Source or Destination of the Exchange servers, which is a group of 6 specific IP addresses
Port: Random High Port
Mission Valley Video:
Source OR destination of video camera IP address. AND
Port: http
ERP Application:
Source OR destination of ERP web servers AND
Port: http
On-Net Web Applications:
Source: Company Subnet AND Destination: Company Subnet AND
Port: http
Internet Web Application:
Any other http that does not "hit" on any previous rule.
In its present form, there is no NOT construct. No way to do explicit ANDs or ORs.
After trying to build the http rules I described, large amounts of http traffic was listed as unmonitored.
Now I can tell you the way Scrutinizer handles it, the rules set DOES NOT allow overlapping rules. So if I created a rule for a specific IP address, I couldn't create another rule with the whole subnet, since the IP address overlaps. So you have to define an IP range just before, and just after the specific IP address. That doesn't really work well either.
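The firewall-style rule base requested in the post above, as an added example that is not part of the original thread and is not NTA or Scrutinizer code: ordered application rules with explicit AND/OR over source, destination and port, where the first matching rule wins, so overlapping rules are allowed. All addresses, subnets and function names are constructed, and "high port" is assumed to mean 1024 or above.

```python
import ipaddress

# Constructed sample groups; none of these values come from the thread.
COMPANY = [ipaddress.ip_network("10.0.0.0/8")]
EXCHANGE = [ipaddress.ip_network(f"10.1.1.{i}/32") for i in range(10, 16)]  # 6 servers
CAMERA = [ipaddress.ip_network("10.9.0.5/32")]
ERP = [ipaddress.ip_network("10.3.0.0/28")]
HTTP = {80}

def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)

def either(group):
    """Source OR destination is in the group."""
    return lambda f: in_group(f["src"], group) or in_group(f["dst"], group)

def both(group):
    """Source AND destination are in the group."""
    return lambda f: in_group(f["src"], group) and in_group(f["dst"], group)

def port_in(ports):
    return lambda f: f["sport"] in ports or f["dport"] in ports

def high_ports(f):
    # Assumption: "high port" means both ends use a port >= 1024.
    return f["sport"] >= 1024 and f["dport"] >= 1024

def all_of(*preds):
    return lambda f: all(p(f) for p in preds)

# Evaluated top to bottom like a firewall rule base: first match wins,
# so a specific rule placed above a broad one acts as an implicit NOT.
RULES = [
    ("Exchange", all_of(either(EXCHANGE), high_ports)),
    ("Mission Valley Video", all_of(either(CAMERA), port_in(HTTP))),
    ("ERP Application", all_of(either(ERP), port_in(HTTP))),
    ("On-Net Web Applications", all_of(both(COMPANY), port_in(HTTP))),
    ("Internet Web Application", port_in(HTTP)),  # any other http
]

def classify(flow):
    for name, match in RULES:
        if match(flow):
            return name
    return "Unmonitored"
```
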
Thanks, this is exactly the clarification I needed. For internal folks, this is being tracked as FB#12386.
If there are others interested in advanced application definition capabilities as described by smartd, please chime in to help prioritize.
Not sure if this is still an issue for you or not.... We have our packeteers sending netflow information right into Solarwinds now. You can configure it to use netflow, V5, and it seems to work. In the packeteer it's in the setup tab, and then Flow detail records.
I see BGP AS Aware Netflow in the long-term enhancements. What about the full features of flow-aggregation and aggregation by prefix/source-dst/AS, the whole suite of options from the ip flow-aggregation command line? It would be invaluable when doing load sharing on dual attached ISPs and figuring out route-maps and policies for egress and ingress flows.
Great, thanks for the feedback. To address the use-case you described, what specific things would have to be visible in NTA charts and reports? We're likely going to have to pick and choose to reduce scope, so any help in prioritizing would be really helpful.
thanks,
I sort of envision a "Top Talkers" view by AS and/or prefix, much like the network address groups. It would be ideal to see flows on an interface and visibility into the AS_PATH. Our goal is traffic engineering (TE). We need to be able to use netflow data to adjust routing announcements and set local preferences and prepends, all in an effort to achieve optimal load sharing. Obviously this is not an exact science and true load balancing in BGP is a myth, but 60/40 should be obtainable. Today I am forced to use the CLI and netflow on the router directly with aggregation cache etc. Moving this into NTA would be perfect.
Thanks
Is there expected to be some type of Netflow alerting capability, so that we could be alerted? For example, if there were 5 top talkers from an interface exceeding a certain percentage of bandwidth. I would like that to be able to trigger
In 3.7, you can configure a bandwidth utilization alert that includes Top Talker details. The ability to trigger on Top Talkers specifically is something high on our list of enhancements.