Better Traffic Visibility with NetFlow Traffic Analyzer Version 4.6

Product Manager

In our latest release of NetFlow Traffic Analyzer (NTA), we’re focusing on features that deliver expanded visibility, and flexible evaluation and deployment options. For the first time, NTA is providing a significant contribution to our Network Insight™ feature for Palo Alto firewalls.

Also in this release, we're adding support for IPv6 flow records and enhancing our filtering so you can display IPv4 only, IPv6 only, or both.

For evaluation customers, and for current customers upgrading, we'll automatically create a local source of NetFlow data on the Orion main poller. This gives evaluation installations an immediate source of data, and gives every installation a comprehensive view of traffic sourced from or destined to the main poller.

Finally, we’re fully supporting the deployment of NTA into Azure, using the native Azure SQL Database service to host the flow database. This builds upon our existing support for deployment in AWS, using the native RDS service.

We’ll explain an important upcoming change in the upgrade process, and how to plan for it.

Traffic Visibility by Policy

In this release, NTA is contributing to our latest Network Insight through an integration with Network Configuration Manager (NCM). Users of SolarWinds NCM with Palo Alto firewalls will see top traffic conversations by security policy on the NCM Policy Details page. Examining traffic by policy helps answer the question, "Who might be affected as I make changes to my security policies?"

Let's look at how we find this view. We'll start at the Node Details page for this firewall:

[Screenshot: Node Details page for the Palo Alto firewall]

We'll use the slide-out menu in this view to select "Policies." This will take us to a list view of all the policies configured for zones on this device.

[Screenshot: Policies list view for the device]

Selecting a policy from this list brings us to the Policy Details page:

[Screenshot: Policy Details page showing top conversations by policy]

Policies define security controls between zones configured on the firewall. For a Palo Alto firewall, a zone can include one or more interfaces. So, in this view, we're looking at all the conversations based on applications defined in the policy.

It's a very different way of looking at conversations; this isn't a view of all traffic through a node or an interface. Rather, it's a view that relates to the policy definition, so the endpoints in these conversations are running over the applications on which your security rules are based.

The mechanism here is filtering: NTA selects the flow records whose App-ID field matches one of the applications referenced in your security policy. Because the match is on application rather than on interface, the endpoints in those conversations may come from any zone where you're using this policy.

For an administrator considering changes at the policy level, this is a valuable tool to understand how those rules apply immediately to production services and what kinds of impacts changes to them will have.

For this feature, you'll need both NCM and NTA. NTA, of course, requires Network Performance Monitor (NPM). NCM provides us the configuration information that includes the policy definition and the applications definitions. NTA reads application IDs from the flow records we receive from the Palo Alto firewall, and correlates those with the policy configuration to generate this view. With NTA, you can also easily navigate to more conventional node or interface views of the traffic traversing the firewall, and we integrate traffic information seamlessly into the Node Details page in NPM as well.
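The correlation described above, reduced to its essentials as an added example (this is illustrative code written for this page, not NTA's or NCM's implementation): policies are zone-to-zone rules that name App-IDs, flow records carry the App-ID the firewall exported, and the per-policy view is the flow set filtered on that App-ID and ranked by bytes. It also answers the practitioner's follow-up question the text raises, which endpoints a policy change would touch, and flags conversations no policy references at all, since those fall through to the firewall's default rule and never appear on a Policy Details page. Policy names, zones, App-IDs and addresses are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical names, zones, App-IDs and addresses).
# POLICIES stands in for the zone-to-zone security rules NCM would pull from the
# firewall configuration; FLOWS stands in for flow records that carry the App-ID.
POLICIES = [
    {"name": "allow-web-out", "from": "trust", "to": "untrust",
     "apps": {"web-browsing", "ssl"}, "action": "allow"},
    {"name": "allow-dns", "from": "trust", "to": "untrust",
     "apps": {"dns"}, "action": "allow"},
    {"name": "block-smb-out", "from": "trust", "to": "untrust",
     "apps": {"ms-ds-smb"}, "action": "deny"},
]

FLOWS = [
    {"src": "10.1.1.10", "dst": "93.184.216.34", "app": "web-browsing", "bytes": 48_000},
    {"src": "10.1.1.10", "dst": "93.184.216.34", "app": "ssl", "bytes": 1_200_000},
    {"src": "10.1.1.22", "dst": "9.9.9.9", "app": "dns", "bytes": 900},
    {"src": "10.1.1.22", "dst": "9.9.9.9", "app": "dns", "bytes": 1_100},
    {"src": "10.1.1.30", "dst": "203.0.113.5", "app": "ms-ds-smb", "bytes": 75_000},
    {"src": "10.1.1.30", "dst": "203.0.113.5", "app": "ssl", "bytes": 2_000},
    {"src": "10.1.1.40", "dst": "198.51.100.7", "app": "unknown-tcp", "bytes": 5_000},
]

Conversation = Tuple[str, str, str, int]  # (src, dst, app, bytes)


def _rank(totals: Dict[Tuple[str, str, str], int], top_n: int) -> List[Conversation]:
    """Order conversations by byte count, descending; ties broken by key for stability."""
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(s, d, a, b) for (s, d, a), b in ranked[:top_n]]


def policy_conversations(policy: dict, flows: List[dict], top_n: int = 10) -> List[Conversation]:
    """Top conversations whose App-ID is one the policy references.

    This is the filter the text describes: the match is on App-ID, not on
    interface, so a conversation appears under every policy naming its app.
    """
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for f in flows:
        if f["app"] in policy["apps"]:
            totals[(f["src"], f["dst"], f["app"])] += f["bytes"]
    return _rank(totals, top_n)


def endpoints_affected(policy: dict, flows: List[dict]) -> List[str]:
    """Distinct endpoints that would be affected by a change to this policy."""
    hosts = set()
    for f in flows:
        if f["app"] in policy["apps"]:
            hosts.update((f["src"], f["dst"]))
    return sorted(hosts)


def unmatched_conversations(policies: List[dict], flows: List[dict], top_n: int = 10) -> List[Conversation]:
    """Conversations whose App-ID no policy references.

    Worth checking before a change: this traffic is governed only by the
    firewall's default rule (on Palo Alto, interzone traffic is denied by
    default) and will not show up on any per-policy view.
    """
    referenced = set().union(*(p["apps"] for p in policies))
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for f in flows:
        if f["app"] not in referenced:
            totals[(f["src"], f["dst"], f["app"])] += f["bytes"]
    return _rank(totals, top_n)


if __name__ == "__main__":
    for p in POLICIES:
        print(p["name"], p["action"], endpoints_affected(p, FLOWS))
        for src, dst, app, octets in policy_conversations(p, FLOWS):
            print(f"  {src} -> {dst}  {app:<14} {octets:>10}")
    print("unmatched:", unmatched_conversations(POLICIES, FLOWS))
```

Note what the App-ID filter does and does not tell you: the same ssl conversation from 10.1.1.30 shows up under allow-web-out even though that host's other traffic is hitting a deny rule, so the per-policy view answers "who uses the applications this rule names", not "which rule the firewall actually matched for each session". For the latter you still need the firewall's own traffic log.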

IPv6 Traffic Visibility

This release offers comprehensive visibility in mixed IPv4 and IPv6 environments, and the flexibility to isolate TopN views for each protocol. While deployment of IPv6 has not been as aggressive as some originally predicted, it's gaining significant traction in the public sector, large-scale distribution operations, universities, and companies working with IoT infrastructures. Our latest release consumes NetFlow v9 and IPFIX flow templates for IPv6 traffic and stores those records alongside the IPv4 flow records we support today. Let's see what the NTA summary page looks like.

[Screenshot: NTA summary page with IPv6 conversations and endpoints in the TopN views]

You'll notice some IPv6 conversations, and some IPv6 endpoints in the TopN views. This view gives you complete visibility into the traffic driving your utilization in a mixed IPv4 and IPv6 environment. We've also added new filters, both on the dashboard and in the flow navigator.

[Screenshot: IPv4/IPv6 filter on the dashboard and in the flow navigator]

These filters give you the flexibility to examine how traffic running over each version drives utilization, and which conversations are dependent on different configurations within the infrastructure.

The Orion® Platform—and NTA—already support installation on dual-stack IPv4 and IPv6 servers. You can receive these flow records on either an IPv4 or IPv6 interface, depending on how your server is connected.
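To make concrete what "consuming IPFIX templates for IPv6 traffic" and the IPv4/IPv6 filter involve, here is an added example (written for this page; it is not NTA code and makes no claim about how NTA's collector is built). It assembles a small IPFIX message with two templates, one carrying the 4-byte sourceIPv4Address/destinationIPv4Address elements (IANA IDs 8 and 12) and one carrying the 16-byte sourceIPv6Address/destinationIPv6Address elements (IDs 27 and 28), then parses it back template-first, tags each record with its address family, and builds a TopN conversation list that can be restricted to IPv4, IPv6, or both. The exporter addresses and byte counts are constructed sample data; enterprise-specific elements and NetFlow v9 framing are out of scope.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple, Union

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2

# IANA IPFIX information elements used here (element id -> name).
IE_NAMES = {
    1: "octetDeltaCount", 4: "protocolIdentifier",
    7: "sourceTransportPort", 11: "destinationTransportPort",
    8: "sourceIPv4Address", 12: "destinationIPv4Address",
    27: "sourceIPv6Address", 28: "destinationIPv6Address",
}
IPV4_IES, IPV6_IES = {8, 12}, {27, 28}

Field = Tuple[int, int]  # (element id, length in bytes)

# Two templates, as an exporter would advertise them: one for IPv4 flows, one
# for IPv6 flows. Only the address elements differ in id and width.
TEMPLATES: Dict[int, List[Field]] = {
    256: [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)],
    257: [(27, 16), (28, 16), (7, 2), (11, 2), (4, 1), (1, 4)],
}


def flow_record(src: str, dst: str, sport: int, dport: int, proto: int, octets: int) -> bytes:
    """Encode one data record matching TEMPLATES[256] (IPv4) or TEMPLATES[257] (IPv6)."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!HHBI", sport, dport, proto, octets))


def build_message(templates: Dict[int, List[Field]], data_sets: List[Tuple[int, bytes]],
                  export_time: int = 0, seq: int = 0, domain: int = 1) -> bytes:
    """Assemble an IPFIX message: 16-byte header, one template set, then data sets."""
    tset = b"".join(
        struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
        for tid, fields in templates.items())
    body = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tset)) + tset
    for tid, payload in data_sets:
        body += struct.pack("!HH", tid, 4 + len(payload)) + payload
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain) + body


def _decode(ie: int, raw: bytes) -> Union[str, int]:
    if ie in IPV4_IES:
        return str(ipaddress.IPv4Address(raw))
    if ie in IPV6_IES:
        return str(ipaddress.IPv6Address(raw))
    return int.from_bytes(raw, "big")


def parse_message(msg: bytes) -> List[dict]:
    """Decode templates then data records; each record gets a 'family' key (4 or 6)."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates: Dict[int, List[Field]] = {}
    records: List[dict] = []
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")   # truncated or hostile input
        p, end = off + 4, off + set_len
        if set_id == TEMPLATE_SET_ID:
            while end - p >= 4:
                tid, count = struct.unpack("!HH", msg[p:p + 4])
                if tid < 256 or p + 4 + 4 * count > end:
                    break                        # padding or a malformed template record
                p += 4
                fields = [struct.unpack("!HH", msg[p + 4 * i:p + 4 * i + 4]) for i in range(count)]
                if any(ie & 0x8000 for ie, _ in fields):
                    raise ValueError("enterprise-specific elements are not handled here")
                templates[tid] = fields
                p += 4 * count
        elif set_id >= 256 and set_id in templates:  # data set; unknown template -> skip the set
            fields = templates[set_id]
            rec_len = sum(ln for _, ln in fields)
            family = 6 if any(ie in IPV6_IES for ie, _ in fields) else 4
            while rec_len and end - p >= rec_len:
                rec = {"family": family}
                for ie, ln in fields:
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = _decode(ie, msg[p:p + ln])
                    p += ln
                records.append(rec)
        off = end
    return records


def top_conversations(records: List[dict], family: Union[int, str] = "both", n: int = 5):
    """TopN (src, dst) pairs by octets, optionally restricted to IPv4 (4) or IPv6 (6)."""
    totals: Dict[Tuple[str, str], int] = {}
    for r in records:
        if family != "both" and r["family"] != family:
            continue
        key = (r.get("sourceIPv4Address") or r["sourceIPv6Address"],
               r.get("destinationIPv4Address") or r["destinationIPv6Address"])
        totals[key] = totals.get(key, 0) + r["octetDeltaCount"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


# Constructed sample export: two IPv4 flows and one IPv6 flow (documentation prefixes).
SAMPLE_MESSAGE = build_message(TEMPLATES, [
    (256, flow_record("10.0.0.1", "192.0.2.10", 40000, 443, 6, 5000)
          + flow_record("10.0.0.2", "192.0.2.10", 40001, 443, 6, 7000)),
    (257, flow_record("2001:db8::1", "2001:db8:ffff::10", 40002, 443, 6, 9000)),
])

if __name__ == "__main__":
    recs = parse_message(SAMPLE_MESSAGE)
    for fam in ("both", 4, 6):
        print(fam, top_conversations(recs, fam))
```

Two details matter operationally. The address family is a property of the template, not of the record, so a collector that stores IPv4 and IPv6 records together has to carry that tag along or it cannot offer the "IPv4 only / IPv6 only" filter later. And a data set that arrives before its template is unreadable; real collectors cache templates per exporter and observation domain and must decide whether to buffer or drop such sets, which is one reason flow gaps show up right after a collector or exporter restart.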

IPv6 changes how we think about the security model: many hosts are dual-stacked by default, so a rule set written and tested against IPv4 traffic says nothing about what the same endpoints are doing over IPv6. Seeing IPv4 and IPv6 conversations side by side shows how your security policies act on each to permit or deny traffic, which makes this a practical way to confirm that the traffic you observe is compliant with the policies you intended.

Local Source of NetFlow

This release will automatically add a new source of NetFlow data to your NTA main poller. This new source is a composite of the physical network interfaces on your Orion main poller, represented as a special type of virtual interface: Local NetFlow Source. It gives you visibility into the traffic that originates on or arrives at the Orion server, which you can use to answer questions about your network and system management traffic trends: "How much SNMP traffic does my monitoring generate? What volumes and frequencies of flow traffic do I receive, and from where? How much DNS traffic does my management platform drive, and to where?"

Let's see what this looks like.

[Screenshot: NetFlow Sources resource showing the Local NetFlow Source interface]

Select the "Local NetFlow Source" interface and drill into it to see this view:

[Screenshot: interface details for the Local NetFlow Source]

You can manage this source of traffic the same way you manage any other source of flow data: by selecting the "Manage Sources" link in the NetFlow Sources resource.

[Screenshot: Manage Sources dialog with the Local NetFlow Source entry]

You can enable or disable the Local NetFlow Source here to include or exclude traffic from this source.

For brand-new installations of NTA, this new source will be created and enabled by default. If you’re working with an evaluation copy of the NTA application, this will give you immediate live data in the product that's personal to your network. It's a great way to introduce your colleagues to new versions or evaluate new releases without having to reconfigure your network devices to send flow records to this instance.

If you’re upgrading NTA, this source will be created but will not be enabled by default. We'll respect your existing configuration and give you the flexibility to make the choice about whether you'd like to include this traffic in your current view. Disabling this source completely shuts down capture of traffic on the local interfaces.

Creating this interface consumes a single node license for both NPM and NTA. If you would prefer not to use a node license for local NetFlow source, you can completely delete this interface to release the license. You cannot, however, add this interface back later.

Azure Deployment

Finally, we've been working to ensure users deploying into Azure can use the native Azure SQL Database service for both the common Orion database and the NTA flow database. You'll be able to specify Azure SQL Database for both during installation, in much the same way as you build on existing SQL instances today. We're supporting additional choices to help lower operational costs and expand your deployment flexibility.

To take advantage of this option, you’ll enter the connection string for your Azure SQL Database instance much the same way you enter any other connection string in the Configuration Wizard.


Changes in the Upgrade Process Are Coming

If you’re upgrading to NTA 4.6 from an older version of the product, you’ll once again see a familiar option to defer your NTA upgrade and remain on a version that doesn’t require SQL 2016 or later for the flow database.

In the past three releases of NTA (4.4, 4.5, and 4.6), we’ve included a pre-flight check in the upgrade dialog to allow customers to defer the upgrade and retain (or upgrade to) NTA version 4.2.3, the latest version that supports flow storage in the FastBit database. This in turn allowed updates to the Orion Core and other product modules without requiring an NTA upgrade. 

In the next release of NTA, this option will no longer be available. An upgrade to the next release of NTA after 4.6 will require a SQL 2016 or later database (or appropriate AWS RDS or Azure SQL option) to complete the upgrade.

SQL Server 2016 and later provide the columnstore index features NTA builds on, which deliver significant performance and scale benefits for flow storage. We're building on this technology in every new release to drive better performance and a better user experience.

You should plan now for your next upgrade to deploy a SQL 2016 or later instance for flow storage. Refer to the NTA System Requirements documentation for supported options.

How Do I Get This Goodness?

For NTA, you can find the latest release in your Customer Portal. Remember, we also have a terrific complementary set of free NetFlow tools in the Flow Tool Bundle, including Flow Replicator, Flow Generator, and Flow Configurator.

To see all the features of Network Insight for Palo Alto, you’ll want to have several modules installed and working together.

  • Network Performance Monitor discovers and polls your Palo Alto firewall and retrieves and displays your site-to-site VPN and GlobalProtect client VPN connection information.
  • Network Configuration Manager collects your device configuration and provides a list of your security policies for zone-to-zone communication. This module tracks configuration changes over time and provides context for policies spanning multiple devices.
  • NetFlow Traffic Analyzer collects flow data from the firewall and maps the traffic to policies in the Policy Details page. You can also view traffic through the firewall or through specific interfaces.
  • User Device Tracker collects directly connected devices and provides a history of connections to the ports on the device.

You can demo these products individually or install/upgrade from any installer available in your Customer Portal.

Post your questions and experiences in the NetFlow Traffic Analyzer community forum!

Level 20

We love our netflow and nbar!

Level 13

Really looking forward to seeing the Palo integration once we get NTA upgraded here.

Level 20

Same here...

Level 9

Finally more insight on palo alto devices.

About the Author
Experienced Product Manager and technology pragmatist. Much of my professional background has been IT network operations for large enterprise companies, or for MSPs. I've worked as a tools architect, designing network monitoring systems. I've also worked in software development as a product owner and functional architect. I'm a flow nerd, and my peers have pressured me into writing poetry about network traffic flow. I'm a private pilot, and a drone pilot and builder.