Comments
-
Create an IP Address Group in NetFlow Settings, then use that to refine your search in Traffic Builder. You can put non-contiguous address blocks into the same address group.
-
Do you have the C3KX-SM-10G module in the 3750-X? It's required for NetFlow export in that platform. I don't know of a way to mirror traffic to a router purely for NetFlow export purposes, but if you search for "nProbe" on the forums you'll find a bunch of information on the same technique using a generic server running…
-
Can you put the flow database on a VM? It doesn't need to be a physical server. From what I've seen the CPU utilization is pretty low once you get away from writing flows to SQL Server.
-
I don't have an NTA install handy to test, but I think you should be able to just define an IP Address Group, then do a source/destination IP Address Group query in Flow Navigator.
-
Quick things to check:
* Make sure your nodes are exporting NetFlow from the same interface that's monitored by NPM.
* Make sure you're exporting to UDP port 2055.
* Run a packet capture on the NTA receiver and verify that you see flow packets arriving on port 2055.
-
I wrote a blog post a while back explaining why NetFlow v5 isn't a good way of doing web usage tracking: http://unroutable.blogspot.com/2012/04/why-netflow-isnt-web-usage-tracker.html There are many flow exporter products now available that use IPFIX to export HTTP host header data to a flow collector, but NTA doesn't yet…
-
Your flow config looks right. Do you have all the relevant interfaces monitored in NPM and added to the NetFlow settings? It was not intuitively obvious to me that unmonitored interfaces don't show up in NTA even if the router is exporting flow data for them.
-
The ASA uses a proprietary version of NetFlow v9 called "NSEL", or NetFlow Security Event Logging. I have never set this up with SolarWinds NTA, but I found this document that might help you: SolarWinds Knowledge Base :: Configuring Cisco ASA devices for use with Orion NTA
-
I figured this out:
1) in the "Edit" window for the custom object resource, click "Select Orion Object"
2) in the "Select a Network Object" pop-up window, change the "show only" menu to "Interfaces". This is the key point I was missing before.
3) Select the interface from the right side pane. This is a horrible UI choice…
-
Think about the traffic patterns: NetFlow is stateless and unidirectional (i.e., receive only). If you configure your firewall to accept UDP 2055 traffic inbound only (with no outbound traffic permitted), you'd have to hypothesize a mechanism by which an attacker could exploit the box over that port without ever receiving…
-
Does the router show it with "show ip cache flow"? You can filter for ESP with this command:
sh ip cache flow | i _32_.+
If it's in the NetFlow cache but not being exported, I'd open a TAC case.