
What we're working on...

Please see this blog post:  

0 Kudos
35 Replies
Any word on NBAR support?

Many users are also requesting this:

http://thwack.solarwinds.com/message/36593#36593

http://thwack.solarwinds.com/message/103488#103488

http://thwack.solarwinds.com/message/38672#38672

http://thwack.solarwinds.com/message/10171#10171

0 Kudos

Hello,

NBAR is definitely being considered here at SolarWinds. I really appreciate the fact that you brought this up on the forum again. It has long been discussed and is currently the #1 most voted feature request in the Ideas and Feature Requests section. Your feedback is valued and we are listening. The requests for NBAR support have certainly become more frequent. Please make sure that you visit the linked section above and up-vote existing or create new ideas / feature requests.

-Jacob

0 Kudos
Is there expected to be some type of Netflow alerting capability, so that we could be alerted? For example, if there were 5 top talkers from an interface exceeding a certain percentage of bandwidth, I would like that to be able to trigger

0 Kudos

In 3.7, you can configure a bandwidth utilization alert that includes Top Talker details.    The ability to trigger on Top Talkers specifically is something high on our list of enhancements.

0 Kudos
I see in the long term enhancements BGP AS Aware Netflow. What about the full features of flow-aggregation and aggregation by prefix/source-dst/AS, the whole suite of options from the ip flow-aggregation command line? It would be invaluable when doing load sharing on dual attached ISPs and figuring out route-maps and policies for egress and ingress flows.

0 Kudos

I see in the long term enhancements BGP AS Aware Netflow. What about the full features of flow-aggregation and aggregation by prefix/source-dst/AS, the whole suite of options from the ip flow-aggregation command line? It would be invaluable when doing load sharing on dual attached ISPs and figuring out route-maps and policies for egress and ingress flows.

Great, thanks for the feedback.    To address the use-case you described, what specific things would have to be visible in NTA charts and reports?   We're likely going to have to pick and choose to reduce scope, so any help in prioritizing would be really helpful.

thanks,

0 Kudos

I sort of envision a "Top Talkers" view by AS and/or prefix, much like the network address groups. It would be ideal to see flows on an interface and visibility into the AS_PATH. Our goal is traffic engineering (TE). We need to be able to use netflow data to adjust routing announcements and set local preferences and prepends, all in an effort to achieve optimal load sharing. Obviously this is not an exact science and true load balancing in BGP is a myth, but 60/40 should be obtainable. Today I am forced to use the CLI and netflow on the router directly with aggregation cache etc. Moving this into NTA would be perfect.

Thanks

0 Kudos
Chris,

I'm trying to build applications for my traffic. Examples include Exchange, which often is between two high ports, so I need to filter on destination or source of my Exchange servers. I can't seem to build applications with multiple expressions.

I want to categorize http traffic on-net from that offnet. So I want to see all traffic with a source AND destination within my company subnets. All other traffic should be categorized as http. What happens if rules overlap? Which rules win out?

I'd love to see firewall type rule base to create these categories.

0 Kudos



I'm trying to build applications for my traffic. Examples include Exchange, which often is between two high ports, so I need to filter on destination or source of my Exchange servers. I can't seem to build applications with multiple expressions.

I want to categorize http traffic on-net from that offnet. So I want to see all traffic with a source AND destination within my company subnets. All other traffic should be categorized as http. What happens if rules overlap? Which rules win out?

I'd love to see firewall type rule base to create these categories.



I want to make sure I'm capturing this requirement correctly.  

So, if you could create an advanced rule with the following logic:

Exchange Application Definition

Source:  Company Subnet    Port: High Exchange Port 1

Destination:  Company Subnet   Port:  High Exchange Port 2

Protocol: TCP

Then, you could meet your requirements?

0 Kudos

I'll give some examples:

Exchange:
Source or Destination of the Exchange servers, which is a group of 6 specific IP addresses
Port: Random High Port

Mission Valley Video:
Source OR destination of video camera IP address. AND
Port: http

ERP Application:
Source OR destination of ERP web servers AND
Port: http

On-Net Web Applications
Source: Company Subnet AND Destination: Company Subnet AND
Port: http

Internet Web Application
Any other http that does not "hit" on any previous rule.

In its present form, there is no NOT construct. No way to do explicit ANDs or ORs.

After trying to build the http rules I described, large amounts of http traffic were listed as unmonitored.

Now I can tell you the way Scrutinizer handles it: the rule set DOES NOT allow overlapping rules. So if I created a rule for a specific IP address, I couldn't create another rule with the whole subnet, since the IP address overlaps. So you have to define an IP range just before, and just after the specific IP address. That doesn't really work well either.

0 Kudos
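The rule base requested in the post above, sketched as an ordered, first-match classifier with explicit AND / OR / NOT. This is an added example, not part of any post in the thread and not how NTA or Scrutinizer work; all addresses, the helper names and the reading of "random high port" as both ports being 1024 or higher are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not values from the thread).
COMPANY = [ip_network("10.0.0.0/8")]
EXCHANGE = [ip_network(f"10.1.1.{i}/32") for i in range(10, 16)]  # 6 servers
CAMERA = [ip_network("10.9.9.9/32")]
ERP = [ip_network("10.2.2.0/29")]

# Predicate builders, including the explicit AND / OR / NOT the post asks for.
def _in(key, nets): return lambda f: any(ip_address(f[key]) in n for n in nets)
def src(nets): return _in("src", nets)
def dst(nets): return _in("dst", nets)
def port(p): return lambda f: p in (f["sport"], f["dport"])
def high_ports(f): return f["sport"] >= 1024 and f["dport"] >= 1024
def AND(*ps): return lambda f: all(p(f) for p in ps)
def OR(*ps): return lambda f: any(p(f) for p in ps)
def NOT(p): return lambda f: not p(f)

HTTP = port(80)
ON_NET = AND(src(COMPANY), dst(COMPANY))
OFF_NET_HTTP = AND(HTTP, NOT(ON_NET))  # order-independent form using NOT

# Ordered rule base, first match wins: overlaps are allowed, specific rules first.
RULES = [
    ("Exchange", AND(OR(src(EXCHANGE), dst(EXCHANGE)), high_ports)),
    ("Mission Valley Video", AND(OR(src(CAMERA), dst(CAMERA)), HTTP)),
    ("ERP Application", AND(OR(src(ERP), dst(ERP)), HTTP)),
    ("On-Net Web Applications", AND(ON_NET, HTTP)),
    ("Internet Web Application", HTTP),  # any http not hit by a previous rule
]

def classify(flow, rules=RULES):
    for name, pred in rules:
        if pred(flow):
            return name
    return "Unmonitored"

def shadowed(rules, flows):
    """Rules that never win on the sample flows, i.e. hidden by an earlier rule."""
    hits = {classify(f, rules) for f in flows}
    return [name for name, _ in rules if name not in hits]

# Constructed flow records: (src, dst, sport, dport).
FLOWS = [dict(zip(("src", "dst", "sport", "dport"), t)) for t in [
    ("10.5.0.20", "10.1.1.12", 49152, 50001), ("10.5.0.20", "10.9.9.9", 50000, 80),
    ("10.2.2.3", "10.5.0.20", 80, 50002), ("10.5.0.20", "10.7.7.7", 50003, 80),
    ("10.5.0.20", "203.0.113.10", 50004, 80),
]]
```

Running `shadowed` with the catch-all http rule moved to the top shows which application rules it hides, which is the ordering mistake a first-match rule base has to guard against.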

Thanks, this is exactly the clarification I needed.  For internal folks, this is being tracked as FB#12386.

If there are others interested in advanced application definition capabilities as described by smartd, please chime in to help prioritize.

0 Kudos

If there are others interested in advanced application definition capabilities as described by smartd, please chime in to help prioritize.

Jumping in late here, but add me to the list of people interested in more advanced application definition and reporting.

Take smartd's example of Exchange traffic, for instance.  Due to the large amount of DCOM/RPC traffic occurring on random high ports (thank you for doing that in every app, Microsoft), it's very hard to quantify how much bandwidth the application consumes per site and in total for a large distributed environment with multiple data centers.

However, this can be done quite easily with a tool that collects Cisco NBAR data, since there are PDLMs for Exchange RPC traffic.

Since there's no real NBAR module in Orion, I would hope that the NBAR information Cisco's adding to the NetFlow PDUs will be added as a means of classification in future versions of NTA.

Jesse Litton
LyondellBasell
Houston, TX

0 Kudos



If there are others interested in advanced application definition capabilities as described by smartd, please chime in to help prioritize.



I am quite interested in this as well.  I've got many custom HTTP apps that I'd like to classify and can't seem to get the rule definitions right.

Thanks!

~CJ

0 Kudos

I am also late to the conversation, but my current report (NetFlow conversations) is annoying me slightly.

What I’d like to see are excludes for IPs in conversation reports based on a custom property.

You can’t use current custom properties to exclude nodes in the NetFlow data, which I assume is an issue with the SQL joins.

What I’d like to see is a custom yes/no that I can use with the NetFlow endpoints. That would let me easily exclude my automation systems. (Or whatever) I want the data, but we don’t need that 8G per day on the reports going to the Boss. We know the automation systems and protocols pump a lot of Gb in their area already, but it’s a pain to exclude it in the reports.

0 Kudos

Chris,

Does the new beta do anything with advanced application definitions?  If they do, I'd like to kick the tires.

0 Kudos

Nothing in the beta for this release.   Just to clarify, this is advanced application definition functionality you were looking for:

===from your earlier post===========

I'll give some examples:

Exchange:
Source or Destination of the Exchange servers, which is a group of 6 specific IP addresses
Port: Random High Port

Mission Valley Video:
Source OR destination of video camera IP address. AND
Port: http

ERP Application:
Source OR destination of ERP web servers AND
Port: http

On-Net Web Applications
Source: Company Subnet AND Destination: Company Subnet AND
Port: http

Internet Web Application
Any other http that does not "hit" on any previous rule.

In its present form, there is no NOT construct. No way to do explicit ANDs or ORs.

After trying to build the http rules I described, large amounts of http traffic were listed as unmonitored.

Now I can tell you the way Scrutinizer handles it: the rule set DOES NOT allow overlapping rules. So if I created a rule for a specific IP address, I couldn't create another rule with the whole subnet, since the IP address overlaps. So you have to define an IP range just before, and just after the specific IP address. That doesn't really work well either.

0 Kudos

Right,

Even if I had nothing more than the ability to use both ingress and egress addresses in a single rule, that would be helpful. If people aren’t defining their internal applications in Netflow, are they just using the default protocols? Upon showing anyone NTA, the first question asked is “Can you show how much ERP traffic there is?”

Example:

All http traffic from: Any source to IP 1.2.3.4 with port 80 OR IP 1.2.3.4 to any destination on port 80. A check box that enables the reciprocal rule would be a quick way to handle this.

0 Kudos

Sorry if this is a repeat request.

But it would be good to have:

Top XX for Node group X

Top XX for Node group Y

Top XX for All Nodes

I have a very distributed network, and there are times I want to track things across all my nodes, or specific subsets. For example, I have 5 load-balanced firewalls that generate flow data. Trying to aggregate the traffic patterns of a particular IP is an arduous task as I have to manually compile all the data myself. Yes, report writer could do that. But report writer has no fancy graphs to deliver to management. They like eye candy. I like simplicity 🙂

0 Kudos

Chris,

I started testing Plixer's Scrutinizer. I like the graph of both inbound and outbound on one graph. The reason I installed it was to test its ability to build applications. While much more powerful than NTA, it still has limits.

Doesn't anyone want to build custom application definitions so that NTA graphs show company applications instead of general protocols? I wouldn't think this is a unique requirement.

0 Kudos
Chris,

We can limit user access to certain IP subnet ranges, however those IP ranges are based on the IPs of NetFlow sources (Nodes). How about the ability to limit access based on endpoint subnets?

Example:

Marketing: 10.2.0.0/24

Sales: 10.4.0.0/24

Accounting: 10.6.0.0/24

So the sales manager could log into NTA and see info on all 10.4.0.0/24 PCs no matter what router, switch, or VLAN the flows came from. Because the user access filtering/limiting would be based on endpoint IPs.

0 Kudos