donthomas

For the benefits that NetFlow provide, the cost of a license upgrade should be fine, right?

cevangelou‌‌ Solarwind NTA can process NetFlow data only if all required fields are present in the flows. The fields from "match interface input" and "collect interface output" are needed for NTA to generate reports but because your flows from your output flow monitor does not have the two fields, NTA would not process…

I have edited the commands in the blog. Thank you for confirming this for me.

That usually happens when the template for processing the flows has not yet reached NTA or the template that reached NTA is not a valid one. Do you still get the error?

cevangelou‌ I meant, can you try this config: flow record FLOW-RECORD-1 match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets…

Hail QoS [extraaa wide grin]

But we are still left with ports like 80 and 8080 that has to be open as a business requirement. That still leaves us vulnerable. In addition to closing unused ports, restricting access, DMZ zones, and all other traditional methods, adoption of traffic analysis to detect anomalies should increase.

The metamorphosis oif NetFlow has been interesting - started off as a packet switching technology, becomes a accounting technology, and is now transforming into a security technology. The last part can happen faster when good tools become available for NetFlow based NBA and enterprises begin to experiment and then adopt.…

Ha ha.. looove it when we have answers...

Heads around me are alarmed because I am staring at me screen and laughing incessantly. How I wish I could give out additional points for humor. 

Whoops! It was supposed to be ip flow monitor "monitor name" and instead I somehow ended up typing ip flow monitor name NetFlow-to-Orion input. And in a flow record, you can collect either the 64 bit or the 32 bit counters for packets and bytes. The optional "long" command sets the flow record to collect 64 bit counters…

10MB... is that all? Does that mean I cant email that movieeeee!!!

IT fun never stops.. A user who joined today asked if the company allows employees to carry their additional monitor (a 24 inch dell monitor!) home with the laptop!

jkump.. Great..A good thing about Cisco is that they keep coming out with new performance monitoring technologies.. take a look at medianet and Cisco PfR too. You may find them useful.

SolarWinds NTA needs those two fields to know which interface the NetFlow stats has to be associates to. Without interface info, it would be like having information about an IP conversation's source and destination and what it was, but with no information about the switching or routing device it passed through. Such flow…

That reminds me.. not an user joke, but when I was in tech support. While everyone else were exiting the office after an earthquake, there was one colleague who was on a call and patiently asked his customer: "May I place this call on hold for a couple of minutes. I think the building I am in has been hit by an earthquake…

30 years must have given you a treasure trove of stories.

Ah yes - I remember that one too - I connected a wireless keyboard and now I cant go online. This despite the fact that the user was able to the web address in the address bar.

Yes, the information contained in NetFlow data is enormous - a tool would be the best way to go about it. But even then, whatever is reported by default and a good usage of custom report creators should be able to aid with security analysis. Many of the current set of tools are still in its nascent stage or are quite…

Agreed. Users use those systems.

cevangelou @emoore's issue was a license issue - the Cisco 3850 needs either an IP Base or IP Services Base license from Cisco to support Flexible NetFlow (FNF) export.

Did you know, you can expand your existing lab using GNS3. GNS3 How to connect to real equipment - YouTube GNS3 - How to connect GNS3 to a real router or switch and to the internet - YouTube

One new message and its an application problem!

I would say the interest in telnet is not because everyone uses it but because many admins just forget to disable it or change the default credentials associated with it.

Ah yes - portable devices. When all the security at the front door are looking for intruders, the employee walks in with the malware. Hey BYOD, you left that backdoor open!

I think I have found an answer here. cevangelou can you check this: If you apply a flow monitor in the input direction: * Use the match keyword and use the input interface as a key field. * Use the collect keyword and use the output interface as a collect field. This field will be present in the exported records but with a…

But with sFlow based sampling, NTA automatically determines the sampling rate and calculates the right traffic. If you are seeing issues, can you get us the pcap? Looking to purchase NTA, but it's not accounting for Netflow sample rate

cevangelou Can you try without the "match flow direction" command in the flow record?

Network is where I guess the signs of a breach first appear. There is no perfect hack - there are always signs. We just need to find it.