16 Replies Latest reply on Apr 27, 2010 10:46 AM by Andy McBride

    Feature Request - Netflow alerts

    Donald_Francis

      I could see where having the ability to generate netflow alerts could be very handy, especially in the security realm, or just to know, for example, that 1 person is hogging up an entire circuit.

        • Re: Feature Request - Netflow alerts
          chris.lapoint

          I agree.  I can definitely see the benefits on the security side of knowing that traffic related to a specific application/virus has been detected and alerting on this.   This is something we're looking at although it's not going to make the release we're currently working on.

          For the performance side of things, how would you want to set up those alerts? For example, is the primary use-case to alert if a single endpoint (IP address) consumes more than X% of bandwidth on an interface? Or would you want this based on applications?

          If there are others that have NetFlow alerting use-cases, please chime in!

            • Re: Feature Request - Netflow alerts
              Donald_Francis

              Both of those to be honest.  Endpoint alerting would be more of special use whereas application  would be more general use. 

               

              For example, I could see alerting on a netflow source because, let's say, it is in the Middle East and we want to know when they start doing a lot of filesharing or P2P traffic because it would mean a virus.

              In fact virus detection I think would be the biggest reason to do this.  If you started to see 445 all over the place you would know something was up for example.
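
The two use cases raised so far in the thread (a single endpoint taking more than X% of an interface's traffic, and port 445 showing up toward many hosts) are shown below as an added example over constructed flow records. It is not part of any post or of the product; the record layout, function names and thresholds are assumptions, and the percentage is a share of observed flow bytes, not of link capacity.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (interface, source IP, destination IP, destination port, bytes)
FLOWS = [
    ("wan0", "10.1.1.20", "10.2.0.5", 445, 1200),
    ("wan0", "10.1.1.20", "10.2.0.6", 445, 1100),
    ("wan0", "10.1.1.20", "10.2.0.7", 445, 900),
    ("wan0", "10.1.1.20", "10.2.0.8", 445, 1000),
    ("wan0", "10.1.1.30", "10.2.0.5", 445, 50000),    # one client, one file server
    ("wan0", "10.1.1.40", "192.0.2.10", 443, 900000),
    ("wan0", "10.1.1.50", "192.0.2.11", 80, 45800),
    ("wan1", "10.3.1.10", "192.0.2.10", 443, 3000),
    ("wan1", "10.3.1.11", "192.0.2.12", 443, 2000),
]


def top_talker_alerts(flows, pct_threshold):
    """Return (interface, source, percent) for each source whose bytes exceed
    pct_threshold percent of all flow bytes seen on that interface."""
    per_interface = defaultdict(int)
    per_source = defaultdict(int)
    for interface, src, _dst, _port, nbytes in flows:
        per_interface[interface] += nbytes
        per_source[(interface, src)] += nbytes
    alerts = []
    for (interface, src), nbytes in per_source.items():
        share = 100 * nbytes / per_interface[interface]
        if share > pct_threshold:
            alerts.append((interface, src, round(share, 1)))
    return sorted(alerts)


def port_fanout_alerts(flows, port, min_peers):
    """Return (source, peer_count) for each source that contacted at least
    min_peers distinct destinations on the given port. Counting distinct
    peers, not bytes, separates a spreading host from a busy file-share user."""
    peers = defaultdict(set)
    for _interface, src, dst, dst_port, _nbytes in flows:
        if dst_port == port:
            peers[src].add(dst)
    return sorted((src, len(dsts)) for src, dsts in peers.items()
                  if len(dsts) >= min_peers)


if __name__ == "__main__":
    print(top_talker_alerts(FLOWS, 80))
    print(port_fanout_alerts(FLOWS, 445, 3))
```
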

                • Re: Feature Request - Netflow alerts
                  chris.lapoint

                  Ok, great feedback. We were focusing our initial efforts on alerting if a particular application showed up on a NetFlow source, so it sounds like our prioritization is in the right place. This helps because threshold-based alerting on NetFlow traffic statistics is a lot more complicated.

                    • Re: Feature Request - Netflow alerts

                      Thanks Donald for your valid feature request.

                      I too agree that it is very much essential to have application level and port level alerting.

                      I would like to summarize the requirement:

                      1) Alert Based on incoming/outgoing traffic

                      2) Alert Based on incoming+outgoing traffic (this gives exactly how much BW is used at that point)

                      3) Alert Based on Application

                      4) Alert Based on IP/Endpoint

                      5) Ability to add multiple interfaces from different routers while creating alert.

                      Hope this will help.

                       

                      Thanks

                      Jeeth

                      Project Manager

                  • Re: Feature Request - Netflow alerts
                    ErikInHell

                    I am glad to see Netflow alerts are being worked on, as I was looking to put some up today.  I will share an example of the type of alerts I'd like to see.

                    My company just started to install VoIP across our network.  To increase our bandwidth without adding new circuits, we decided to move from a proxy server and force internet traffic out the local firewalls of our remote locations.  We are monitoring this traffic with a separate application.

                    Three months after moving people off the proxy, I am still seeing requests across the private lines connecting the remote locations to the data center.  I would like to have a flexible enough alert system that I can program alerts based on specific traffic or IPs.  If someone is trying to connect to the proxy, I want to know.

                    I would also like to see alerts for VoIP traffic based on error thresholds, jitter thresholds, or traffic alerts when server traffic across the links spikes.  I also like the idea I read earlier in the thread about alerting when Netflow detects a rise in the usage of a certain port, for virus detection.

                      • Re: Feature Request - Netflow alerts
                        jswan


                        I would also like to see alerts for VoIP traffic based on error thresholds, jitter thresholds, or traffic alerts when server traffic across the links spikes.  I also like the idea I read earlier in the thread about alerting when Netflow detects a rise in the usage of a certain port, for virus detection.

                        I agree with you on the alerting feature requirement. However, I thought I'd point out that NetFlow doesn't track information like jitter or errors. You can alert on errors easily in the regular NPM feature set, and you can alert on jitter either by using the IP SLA module or by building your own UnDPs that poll IP SLA jitter operations on your routers.

                    • Re: Feature Request - Netflow alerts
                      bbusbey

                      Good Luck, I asked for this 3 years ago:

                      Re: Alerts and Advanced Alerts