Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Need some NetFlow questions answered

In version 3.1 there a re 2 settings:

IPs to process at a time : 500

Maximum minutes to process IPs : 15

Does this mean that Orion NetFlow will attempt to resolve x number of IP's within x minutes?
If it doesn't resolve all of the 500 IP's (above setting) in 15 minutes what does NetFlow do, roll them over?

The reason why I ask is that a security application on our server thinks it is getting hit by a UDP Port Scan due to the number of resolutions NetFlow is handling. I verified this by stopping the NetFlow service and watching the server to see if it blocked the domain controller. If NetFlow is off Orion can poll the DC, if NetFlow is running it detects it as a scan and blocks that device for a duration of time - hence giving false downs for that DC.

If I decrease the number of IP's to resolve or increase the minutes how will this impact NetFlow?

Find more posts tagged with

Accepted answers

All comments

FormerMember

Solarwinds ..... PLEASE, need an answer as soon as possible!!!!!

mcbridea

Hi Scott,

I have reached to dev and a fellow info dev friend for help this one. Stay tuned.

Andy

davidmaltby

So, if I remember this correctly, once a day, NTA service would try to resolve all the old IPs that it has that were stale (Maybe 7 days or older, I think was the default) or have never been resolved (2 days default?) Anyhow, it would send out the DNS requests in batchs of 500 at a time. After getting answers for all of them, then it would send out another 500. It would do this until they were all resolved a 15 minute duration was hit.

Hope this helps.

David

davidmaltby

Further in the past, if the count of the rows in the FlowCorrelation table was enormous, tech support would even suggest running the following T-SQL

TRUNC TABLE FlowCorrelation

This would remove all the rows from this table. As new flows come into the system, then the IP addresses for those rows would repopulate the table. Therefore, that resolution of commonly used IP addresses will get resolved quickly. Which means that old charts with IP addresses that are no longer used, would not be resolved. That is the only side-effect of running that T-SQL.

Note: Later versions of NTA did a lot to address this problem.

Thanks,

David

FormerMember

Thanks David for taking this on.

I checked our current FlowCorrelation table and it has 201812 records. I am tempted to truncate but decide later today as to wether or not to do so.

What impact to the server performance if I adjust the number of IP's or increase the time period?

GZhytar

Hi sotherls,

this settings are for cleaning up expired IP addresses from your database (IP addresses that do not below to any flows).

Regarding to your problem, possible solution could be to install NTA 3.6 where we've implemented On-Demand DNS option. It means that NTA will not resolve all IP addresses that pass through flows, but only those which displayed on a Web site. This significantly reduce load on DNS server and generally improves service and database performance.

If you can't update to 3.6 you might find useful to completely disable name resolution. To do that find file %ProgramFiles%\SolarWinds\Orion\NetFlowTrafficAnalysis\NetFlowService.exe.config and change <nameResolver enabled="true" to <nameResolver enabled="false" . Then restart NTA service. Please notice that this changes will be overridden if you repair your NTA installation.

thanks