
What we're working on for NTA post 2019.4 (November 27th, 2019)

With our 2019.4 release, we've delivered flow support for Meraki MX/Z series security and SD-WAN devices, enabling application traffic flow visibility on each interface. We've also re-designed and implemented separate pages for managing flow sources, and the collection of CBQoS statistics - simplifying the navigation, and adding filtering and search capabilities to support larger scale implementations. We've also significantly improved our web performance and responsiveness.

You can learn more about this latest version of NTA here: INTRODUCING THE NETFLOW TRAFFIC ANALYZER 2019.4 RELEASE

We're hard at work building the next iteration of NTA now.  Here's a view into what we're working on:

NTA

  • Reconcile flow volumes for nodes - In certain configurations, interface flow traffic can be incorrectly counted through nodes. We're working on detecting and reconciling flow volumes for the node to more clearly show utilization.
  • Add endpoints to Flow Alerts - Filter application flow alerts to precisely specify traffic sourced from or destined to endpoints or IP groups. Alerts can be applied to interfaces or nodes, filtered to endpoints or groups, and configured for application traffic thresholds.
  • Share IP group definitions with IPAM - Support the use of IP groups created by IPAM in NTA, and improve the IP group creation experience in NTA. This will improve support for custom application definitions, and for flow alerts.
  • Improve support for vSphere distributed vSwitch - Incorporate IPFIX flow data from the dvSwitch and support presentation of the conversations.

Orion Platform improvements

  • UI performance optimizations - Faster and more responsive web UI
  • Centralized upgrades - pre-stage upgrades for reduced downtime

Learn more about the Orion Platform improvements here: The Orion Platform

jreves

Comments

Has there been any headway into the utilization of NBAR2 on the NTA platform? This is a huge con in the weighting of this product versus its competitors.

The current beta 2 of NTA 4.2 is supporting this...

Better application traffic visibility - NTA 4.2 Beta using NBAR2

Any updates on adding IPv6 support? https://thwack.solarwinds.com/ideas/1052#comment-234006

This will be particularly useful to my organization.

Please:

-improve alerting using NTA data and including NTA data into alerts (ie-Top 10 apps, conversations, for a given alert)

-improve out of the box reporting with NTA

-way to include NTA stats inside tool tips. Really the requirement is easier ways of following a flow through different points in the network

thanks!

Looking for improved and updated ESX virtual switch support, Cisco FabricPath, and AWS vpcflow logs

we need IPv6 Support ! 😉

+1

Indeed. Way past time for this. IPv6 is mandatory on some subnets and internet facing on federal sites.

Thanks for the requests.  I'd encourage you to up the request here if you haven't done so already;

Jeff

Can you expand on the Database Enhancements please.

Does this impact the role of the Flow Storage DB server?

What are the tangible benefits?

Mark Roberts

Prosperon - UK SolarWinds Partners

Installation | Consultancy | Training | Licenses


m_roberts​ I can't go into great detail, but yes this will impact the role of the FSDB.  We are working on leveraging Microsoft SQL 2016 as the new datastore for Netflow.  There will be many benefits to making this move, which I will highlight as we get closer to the release.

glad to hear that as I'm installing fast ssd sql server 2016 server right now.

Anything I should do to prepare it for columnstore indexes/NTA? Use Always On or not? Etc etc

Make sure you use 2016 SP1, as it supports the columnstore feature set in all versions (not just Enterprise), including Express

Hock​ - What problem are you trying to solve with that feature request?   Is it just cool, or would that help you troubleshoot something in your network?

Connection per sec/min is useful to troubleshoot abnormality in the application as well as for general capacity planning. For example, the usual traffic is x connections per min/hour/day, if it spikes or drops by a lot, you will know that something is going on. On multiple circuits running the same application, it can be used to track the loading on each circuit.

Got it, thanks for the additional information.

What is the status about NTA Alerts?

It would be very nice if we could create an alert if we see that a specific server or service is using all the bandwidth on a specific router.

I would like to see improvements done to the Flow Navigator specifically to the Absolute Time Period where we can further filter out the data from non-business hours. I would like to be able to pull the data from a specific time period but only business hours e.g. 05/01/2017-06/01/2017 - Monday through Friday only - 9:00AM CST - 5:00PM CST only.

would be great to see both source and destination ports when netflow is sending them, not just one or the other depending on which one NTA's logic decides to store. based on a recent case I opened, here is what is happening with the netflow record:

If both ports are monitored the lower is stored and the other is stored as “0” and tagged as random high.
If only one is monitored the monitored port is stored regardless if it is higher or lower the other is stored as “0” and tagged as random high.
If neither is monitored the lower is stored ( shows the port in unmonitored ports resource) and the other is stored as “0” and tagged as random high.

In other words, regardless of whether the application/port is monitored, only one value will be stored for each conversation rather than discrete source and destination ports.

This makes no sense. You get both data values from the flow record...what advantage is there to massaging that into some other value and/or dropping part of the flow record? If you store a 0 instead of the true value, you still are storing some number of bits of data...you save nothing, and you eat up cycles evaluating and changing the value based on the flow record contents. Truly perplexing but was a bitter pill to swallow recently when I could not pull a conversation report log for my managers from NTA...but could when I started reporting the same exact netflow records over to a trial version of Lancope. It didn't take them long to pull the purchase records of what we spend renewing licenses on NTA each year compared to what Lancope costs. It would be short sighted to change because LC doesn't do all that NTA does. But the incomplete data storage didn't sit well and...in the end I don't get to make these decisions. Just store both values as you get them. What's so difficult about that?
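The port-storage rule described in the comment above, modelled as an added example that is not part of the original post and is not SolarWinds code. It shows how zeroing one port merges separate conversations into a single stored key; the positional layout (which field is zeroed), the monitored-port set and the sample flows are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.0.0.5", 49152, "10.0.1.9", 443, 1200),
    ("10.0.0.5", 49153, "10.0.1.9", 443, 800),    # second client session
    ("10.0.0.5", 50000, "10.0.1.9", 8443, 500),   # neither port monitored
    ("10.0.1.9", 443, "10.0.0.5", 49152, 9000),   # reply direction
]
MONITORED = {80, 443}  # hypothetical set of monitored application ports


def stored_ports(src_port, dst_port, monitored):
    """Rule as the comment states it: keep one port, store the other as 0.

    Exactly one port monitored -> keep that one; otherwise keep the lower.
    Assumption: the kept port stays in its original src/dst position.
    """
    src_mon, dst_mon = src_port in monitored, dst_port in monitored
    if src_mon != dst_mon:
        keep_src = src_mon
    else:
        keep_src = src_port <= dst_port
    return (src_port, 0) if keep_src else (0, dst_port)


def summarize(flows, monitored, keep_both):
    """Sum bytes per conversation key, with or without the one-port rule."""
    totals = Counter()
    for src_ip, sport, dst_ip, dport, nbytes in flows:
        if not keep_both:
            sport, dport = stored_ports(sport, dport, monitored)
        totals[(src_ip, sport, dst_ip, dport)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    full = summarize(FLOWS, MONITORED, keep_both=True)
    reduced = summarize(FLOWS, MONITORED, keep_both=False)
    print(len(full), "conversations with both ports kept")
    print(len(reduced), "conversations after the one-port rule")
    for key, nbytes in reduced.items():
        print(key, nbytes)
```

With one port zeroed, the two client sessions to port 443 can no longer be told apart, which is the gap the commenter hit when asked for a conversation log.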

Hi jeff.stewart

Can you confirm whether this will make it in vNext?

I export flows from my vswitches to NTA today. The hardest part is setting it up right in ESXi.

This is good I'm about to install a new Orion instance with SQL Server 2016 and SP1 slipstreamed in.

I see

  • Database Enhancements
    • Support for Microsoft SQL 2016 using Columnstore Indexes.

Does this mean that the new NTA version will run on a SQL database instead of the current database?

That's exactly what we're working on. If you'd like to get your hands on our current beta code and give it a spin, you can enroll in the NTA 4.4 Beta Program here:

  

Enrollment Page for the NTA 4.4 Beta: https://thwack.solarwinds.com/thwack-beta.jspa?groupID=1008

Is SQL 2016 a requirement for the upgrade or will one be able to maintain the fastbit server and upgrade?

We would like the TLS 1.2 Support but may not be ready for the SQL 2016 DB.

Some Solarwinds products are no longer compatible with SQL versions earlier than 2016 (NTA, for example).  SQL 2016 adds new, more powerful, more efficient functionality, and Solarwinds products are designed to leverage it, and are dependent on it.

What are some of the requirements for the sql nta database?

Since Solarwinds SQL requirements are changing, I recommend you contact either Solarwinds Technical Support or your Solarwinds Sales Engineer and talk with them about your plans.

ecklerwr1​ Do you have any write ups or documentation that you followed to set that up?

This new version of NTA is going back to using MS SQL Server after having us use this noSQL database for the past few versions.  My big question is do we need two SQL Servers now or just one will suffice for Orion DB and the Flow DB?  This is going to be pretty new for all of us.

Are there any updates on this? I am about to stand-up a new NAM environment and am interested to know when we can expect a RC on 4.4. I do not want to stand-up a new NTA environment with Fastbit just to migrate to SQL a few months later. Any input is valued.

vispetto

Tony, we have you covered!  RC2 of NTA 4.4 should already be visible in your customer portal, and you can join the discussion about the RC bits in the NTA RC forum: https://thwack.solarwinds.com/groups/orion-netflow-traffic-analyzer-release-candidate

You'll need an instance of MSSQL 2016 SP1 or later to host your flow database.

joer

Thank you!

Not yet but we are going with two SQL Server 2016 SP1 for Orion and the flow database. I suppose we could try just one but I already have enough elements and APE's that I'm afraid all the flows are going to slow down the Orion database too much and make the UI performance worse than it already can be sometimes.

Bill, we'll be interested to understand how this performs for you.  Do you have a timeline to install yet?

joer

1. Need special Endpoint traffic alerts

2. Needs special Conversation traffic alerts

3. Traffic alarms that require special applications

We'd get use out of alerts that tell us when ANY app consumes more than X percent of a WAN link or interface.

We provide free Guest Wireless at most of our 100 hospitals & clinics, and it's a continual challenge to know when specific complaints of medical application slowness are caused by WAN congestion caused by Guests streaming Internet content.

Even BETTER would be the ability to recognize protocols (Netflow --> NBAR2  --> Latest Protocol Pack) when the traffic is passing through a CAPWAP tunnel across a router to a central wireless controller.  I liken that to having the ability to decrypt encrypted flows and re-encrypt them as they pass through a firewall.  We REALLY are in the dark about how much CAPWAP traffic is business-related for medical use versus how much is for personal (customer or employee) entertainment.

rschroeder, I agree that configurable NTA alerts would be beneficial in any network environment. But in your case, couldn't you solve the problem in one of many ways instead of relying on alerts to tell you when there is an issue? I'm not trying to be a dick here, just trying to help, so hear me out.

Assuming you have separate SSIDs for guest and internal wireless networks and some sort of QoS policy on the WAN, you could do one of the following:

1) FlexConnect / locally switch internal traffic and continue to CAPWAP encapsulate the guest. That way WAN QoS can prioritize internal wireless traffic and prevent slowness. Or alternatively you could configure QoS to take all CAPWAP traffic (which is now guest-only) and rate-limit it, or give it lower priority so it will never use the full bandwidth when there is competing traffic.

2) Apply QoS settings per WLAN on the WLC. Set production WLAN to Gold and guest to Bronze / best effort. This would give less priority to guest traffic on each AP.

3) Use NBAR and QoS settings on the WLC to rate-limit or block internet streaming altogether. I know this is a solution that requires politics and approval.

3) Set a bandwidth limit on the WLC for Guest WLAN or set a bandwidth limit per wireless client on the guest network.

I'm just trying to say that an alert won't fix your problem.

FlexConnect isn't an option for us since there are no locally-provided services at each site.  We considered it, but when we realized we have nothing "at" a site (beyond Internet and WAN access) that is useful to users, FlexConnect stopped being a valid solution.

QoS settings per WLAN aren't a solution either because corporate management has dictated that Guest wireless services are mission critical to operations.  And to reach that level of importance, critical personnel installed key devices in the Guest VLANs--devices that corporate security would not OK being on the internal SSID's.  And then those key personnel got those apps & devices defined as "mission critical".  While I tend to focus on Guest Wireless "wasting" bandwidth and AP resources (CPU and RAM) for personal entertainment, the fact remains that other traffic uses those same AP's while on the Guest SSID's, and we can't rate limit the Guest because of them.  It's a big SNAFU that seems to be an immovable object, and I fight it daily.

NBAR and QoS can't be used to set block/rate limit Internet utilization on the Guest network because virtually all of the destinations are defined as "mission critical".

Limiting bandwidth on Guest isn't a viable option either, due to the above limitations.  Those folks really shot us in our collective feet when they demanded devices that the organization won't support from a security stand point, and installed services or relied on services in places like Youtube, etc.  Yes, sometimes my world isn't ideal.

Thanks for the ideas, but having an appropriate set of alerts COULD give me the ammo to start working over targets, softening them up for being relieved of their "mission critical" status.  If only I knew the right info, had the right stats showing those unsupported sites/devices were negatively impacting other corporate resources and customers' experiences . . .

Any additional deep packet inspection functionality being built into NTA?  My understanding is current Solarwinds DPI is more based on timing of packets in the flows.  Our network architect is looking for more info on your DPI capability in NTA as he is comparing it to our other Netflow tool.

thanks in advance

We are looking into a flow solution where I currently work, we need the ability to handle 600k/flows per second? Is SolarWinds looking into expanding NTA to handle these large environments?

We're always interested in understanding what drives scale, and how we can better meet those requirements.  Tim, would you be interested in a talking with me about your environment and your drivers?

All this love for Palo.... this is a GREAT MOVE for SolarWinds!

Agreed. Love the palo alto work!

  • Flow monitoring for the NTA host – see traffic to/from the server where NTA is installed

Will the above resolve having to enable/configure IPFIX on my network devices in order to see a granular view of network spikes?

NTA 4.4.0 - Network Spike Culprits

rgnetmon​, no this is a different feature.  The intent of this feature is to provide for immediate flow monitoring from the local server interface where NTA is installed - in other words, to add the server interface as a source of flow data.

For customers just trying out NTA, this will supply an immediate data source that will allow them to explore the tool, and visualize traffic in their own network. Flow data from the Orion server interface will give them visibility into the network management traffic that is originating and destined to their network management server.

jreves

Any insights how is this going to be delivered? I.e., through the SolarWinds Agent or by using another app? My assumption is that an add-on/module will capture traffic and transform to NetFlow v5/9 (NBAR2? ) packets.

We haven't finalized how we'll deliver this. I would love to talk with you directly about what you'd like to see, and how you would use this functionality.  Can we set up some time to discuss?

jreves

Version history
Revision #: 1 of 1
Last update: 04-02-2015 02:28 AM