stibi · Staff Software Test Engineer

Hi, I would not use SQL directly as Flow Storage DB is does not include information like node or interface names. Instead I would recommend to use SWQL (https://github.com/solarwinds/OrionSDK/tree/master/Samples). This is similar to SQL and it will automatically merge data from multiple databases together. To get familiar…

Hi, If I am understanding this correctly then the data plane are the logical interfaces types like VLAN, Tunnels, subinterfaces and so on. Based on the page https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/firewall-interface-identifiers-in-snmp-managers-and-netflow-collectors the collector needs to…

Hi, What you are describing is done automatically when you access NetFlow Node Details view. Other options that I know of are: - You can try to use view limitation. This will limit the data on the whole view based on the selected limitation. - Use Custom Object Resource on any view you want... as Object Type select node…

Hi rajasekar, For NTA it does not matter that management interface can't be used for NetFlow export. Just select another interface and make sure that you have checked/enabled option "Allow matching nodes by another IP Address." on NTA settings page. Some mentions about the 5200 and 7000 series are also on…

Hi, First step would be to check that the flows are incoming to the server. I think that WireShark is the best tool to check that. Let the WireShark collect the traffic on the polling engine. Then stop the collection and just filter the traffic based on port: udp.port == 2055. Now the WireShark usually does not…

For the first part. Its true that we will combine such flows into single record, but still the port selection mechanism is same and only one port number is used. This single port of course have ingress and egress traffic. For the second part. I am sorry this was my mistake the 0 values are used for any traffic that does…

Hi, I have prepared report for Top 10 Countries, but this can be done also differently. Option 1: Import the report that I attached here and create scheduler for it. Option 2: Create scheduler job without report. You can specify view with the resource itself to be saved on the disk or it can be send to your e-mail address.…

Hi wluther, some of the devices sends flows where input and output interface have values 0 (usually in broadcast or multicast traffic). Best way to verify this would be capture the traffic from the device in Wireshark and look for flows where both interfaces have value 0. If that is the case, you can ether ignore the…

Hi, The 0 ingress/egress values shoudn't influence the order of IP addresses. The reason why this is happening is FlowsByConversation entity. It is on the background sorting the IP addresses. Original SourceIP/Hostname might be returned as DestinationIP/Hostname because of that sorting. Here is example how the entities…

Hi, NTA tables are referencing Orion.NetFlow.IPAddressGroups table. The mapping to between segments and ip group ID is done automatically on background. Usage example: SELECT T1.SourceIPGroup.Name, T1.DestinationIPGroup.IPAddressGroupID FROM Orion.NetFlow.Flows AS T1 WHERE T1.SourceIPGroup.Enabled = 1 Petr

The events should be displayed only once per interface after NTA service starts. If that is not the case and the events are appearing constantly I would go with opening ticket on support.

Hi Andrew, I am afraid that IP addresses that were not sending any data is not possible to include in the report (in your example 10.0.193.2). For that I think would be necessary to provide for example some temporary table, but that is not possible in SWQL For the performance problem I think this is caused by using…

Hi ckwasnicki, ApplicationID acts as the source port, correct, with additional information? It does not act as source port. Neither port or ApplicationID have direction, because from Flows we take only lesser port number which we uses for processing. How does one interpret ApplicationID that equals 0? In NTA we do not have…

Hi cscoengineer, First of all I would recommend using different entities as the entities that have suffix 'Top' or 'Detail' are used for specific resources. Instead you can use Orion.NetFlow.Flows or any other Orion.NetFlow.FlowsBy entity. Changing the entity will also simplifies relative time that you want to accomplish.…

Hi, NTA 4.1.1 uses unified installer for all main server, additional poller and additional web. The decision what will be installed depend on what NPM installation you have on the machine. Petr

Hi sotheris, Unfortunately alerting based on NetFlow traffic is not yet supported by NTA. I can help with creation of the report, but can you provide me with mode detailed information about what you want to see in the report (for example it can contain: Node names, Source Country name, Destination Country name, Total…

Hi, I wouldn't recommend using the ConversationsDetailReport entity as it is used for the specific resources. The filter "NSF:C:1000000001 - 25524900001" is not range, it means that you want to see conversation between specific IP addresses in this case 1.000.000.001 and 255.249.000.001. I would recommend using…

Hi, to get unique visitors to Endpoint details resource will really require to open feature request. You can get rid of the chart by pressing edit button on the resource and then as "Resource style" select "No Chart". This will let only legend displayed. Hope this helps, Petr

Hi, Please ensure that you have configured only the command 'ip flow ingress' or 'ip flow egress' on the interfaces if you use both of them the traffic gets duplicated.

Hi, I believe that this is normal. The single flow record includes information about input and output interface. So if you configure to monitor flows only from one interface on the router, the flows collected will usually have information also about other interfaces that does not have flow monitoring enabled. NTA then…

Hi, this is most probably caused by hostname with special characters. You can check tool-tips on chart to see if any hostname have some characters out of range [a-Z,0-9]. You can rid of the error by renaming the hostname in NTA or in windows hosts file. 

Hi, NTA does not have such functionality, but this should be doable with Web Reporting and scheduler. I have created report based on Top 100 Applications report that will get data from NTA with 10 minutes intervals for previous day. I have attached this report here so you can import it and test it. With report scheduler…

Hi, In NTA 4.4.0 you will not receive the picture. Just a link and attached PDF in the email. Anyway the username and password are no longer used in the macro. New macro looks like this: ${SQL:SELECT Macro FROM NetFlowAlertMacros WHERE ID='InWebMailInterfaceDetailsLink'}

Hi, Traffic In and Traffic Out are obtained from device itself (handled by NPM) and not from NetFlow. Can you navigate to NPM interface detail page and check that device is polled correctly. Thank you, Petr

Hi mesverrum, Unfortunately the information about NTA DB server is not accessible via SWQL.

Hi, Can you confirm by using WireShark that there is really no traffic incoming from IP 192.168.200.1? If there is really none... do you remember what flow version was the device sending? I am asking because only think that comes in mind that could cause this would be stored flow templates that are read during service…

Hi, Since NTA is showing more traffic than NPM I would focus on device configuration. First of all make sure that you have setup on device interface to export only ingress or egress traffic. If you are monitoring both of them the traffic would be duplicated as explained here: Double traffic? Correctly only one of them…

Hi, I have found following: Symptoms of known Issue The Netflow.exe service (local FSDB) or SolarWinds.Netflow.Fastbit.Server.Service.exe (remote FSDB) keeps bouncing or stops. This is caused by a corrupt –update.zip file. If this file is 0KB it is corrupt. Issue 1) Examples errors can be found in FastbitService.log ERROR…

Hi, You can use Flow Navigator on NTA views to filter the result displayed in NTA resources. Just expand Flow Navigator from the left side of screen and navigate to Domains section. Set you filter from include to exclude and specify your domains you want to filter out. In the end you can save this also as view, so after…

Hi Hock, you can add columns to the any report, including hostname column to Top XX Endpoints report. Just edit Top 50 Endpoints - Last 24 Hours report, then in 'Custom table' click on 'Edit table'. This will redirect you to page where you can specify columns displayed in report so just add Hostname column to that report.…