35 Replies Latest reply on Mar 4, 2013 11:53 AM by jacob_beucler

    What we're working on...

    chris.lapoint

      Please see this blog post:  Orion NTA – What we’re working on…

        • Re: What we're working on...
          TinyElvis

          Chris,

          First, great work on all the apps and additions you guys are doing to SolarWinds. This app has really grown up over the years, and this Thwack community has REALLY helped the growth. Keep up the great work.

          I have a question about NetFlow and Packeteer. The Packeteers have a specific type of NetFlow they can do, and I was wondering if you had any plans to support this? Their software (IntelligenceCenter) isn't very good, and we'd love to be able to use SolarWinds for this. I haven't seen much discussion about it on Thwack, so I just thought I'd check.


          Thanks, and keep up the great work.


          --Ron

            • Re: What we're working on...
              timf

              Not sure if this is still an issue for you or not... We have our Packeteers sending NetFlow information right into SolarWinds now. You can configure it to use NetFlow v5, and it seems to work. In the Packeteer it's in the Setup tab, and then Flow Detail Records.

            • Re: What we're working on...

              Thanks Chris!!

              When is the next version expected? CBQoS is not working in our environment, and they have advised me that this should be fixed in the next release.

              Are all these features part of the next release, which is 3.6?


              Chandru

              • Re: What we're working on...
                juan kaliente

                When will 3.6 be available? We were invited to test the beta release, but did not get any specifics of when it will be available. On the download portal, our new licenses are there for 3.6, but the download button does not work.

                • Re: What we're working on...
                  dfollis

                  Using NTA with Force10 S50N and S25N switches and sFlow. Love it. Would like to see a report that shows all protocols seen and the amount of utilization assigned to each. I'm sure I can create this but haven't figured out how to yet. Also would then like to be able to click on a protocol and see a list of the top hosts sending/receiving that protocol.

                  • Re: What we're working on...
                    familyofcrowes

                    A feature we would LOVE to see (we use this daily on our LanCope StealthWatch appliance that I want NTA to replace), is the ability to see the AD user name associated with a flow.  In other words, IP x.y.z.a went to cnn.com and user Jsmith is associated with x.y.z.a.

                    • Re: What we're working on...
                      dfollis

                      Chris-

                      Would love to see a world map with known locations of IPs that are not private shown. Raffael Marty discusses this in his book Applied Security Visualization.

                      http://raffy.ch/blog/

                      You could make the dots larger or smaller based on amount of traffic associated with each.  Top XX would be very useful and having Google Maps be the map source would be great also.

                      Visualization is key.  Pie charts and line graphs are nice but this is what I'm looking for:

                      http://chrislee.dhs.org/projects/visualfirewall.html

                      • Re: What we're working on...

                        Chris,

                        We can limit user access to certain IP subnet ranges; however, those IP ranges are based on the IPs of NetFlow sources (Nodes). How about the ability to limit access based on endpoint subnets?

                        Example:

                        Marketing:    10.2.0.0/24

                        Sales:           10.4.0.0/24

                        Accounting:  10.6.0.0/24

                        So the sales manager could log into NTA and see info on all 10.4.0.0/24 PCs no matter what router, switch, or VLAN the flows came from, because the user access filtering/limiting would be based on endpoint IPs.

                          • Re: What we're working on...
                            chris.lapoint

                            We can limit user access to certain IP subnet ranges; however, those IP ranges are based on the IPs of NetFlow sources (Nodes). How about the ability to limit access based on endpoint subnets?

                            Example:

                            Marketing:    10.2.0.0/24

                            Sales:           10.4.0.0/24

                            Accounting:  10.6.0.0/24

                            So the sales manager could log into NTA and see info on all 10.4.0.0/24 PCs no matter what router, switch, or VLAN the flows came from, because the user access filtering/limiting would be based on endpoint IPs.

                            If you know the primary NetFlow source for each of the subnets, you can do something like the following:

                            1. Create IP Address Groups that map to each of the departmental subnets

                            2. Create Traffic Builder View for each IP Address Group

                            3. Add the Traffic Builder View URLs for each subnet to a Web Links resource

                            4. Create custom view for each department user that shows the links to the appropriate Traffic Builder View URLs

                            Having said that, I agree this is less than ideal. I've captured this as a feature request.
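                            The endpoint-subnet scoping asked for in this exchange, written out as an added example (not SolarWinds NTA code): each user is mapped to departmental endpoint subnets and a flow is visible when either endpoint falls inside one of them, whichever node exported it. The department names and subnets are the ones from the post; the user names, exporters and flow records are constructed.

```python
"""Endpoint-subnet scoped flow visibility (added example, not SolarWinds NTA code).

Instead of scoping a user to the NetFlow source nodes, each user is scoped to
departmental endpoint subnets. A flow is visible when either endpoint lies in
one of those subnets, no matter which router, switch or VLAN exported it.
Users with no mapping see nothing (deny by default). Department names and
subnets come from the post; users, exporters and flows are constructed.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Set

DEPARTMENT_SUBNETS: Dict[str, List[str]] = {
    "Marketing": ["10.2.0.0/24"],
    "Sales": ["10.4.0.0/24"],
    "Accounting": ["10.6.0.0/24"],
}

# Constructed user -> departments mapping (would come from the user store).
USER_DEPARTMENTS: Dict[str, Set[str]] = {
    "sales_manager": {"Sales"},
    "finance_director": {"Sales", "Accounting"},
}

# Constructed flow records; the Sales subnet is seen via two different exporters.
FLOWS: List[dict] = [
    {"exporter": "router-a", "src": "10.4.0.15", "dst": "198.51.100.7", "bytes": 1200},
    {"exporter": "switch-b", "src": "10.2.0.9", "dst": "10.4.0.30", "bytes": 800},
    {"exporter": "switch-b", "src": "10.6.0.4", "dst": "198.51.100.8", "bytes": 500},
]


def allowed_networks(user: str) -> List[IPv4Network]:
    """Endpoint subnets the user may see; empty for unknown users."""
    nets: List[IPv4Network] = []
    for dept in USER_DEPARTMENTS.get(user, set()):
        nets.extend(ip_network(n) for n in DEPARTMENT_SUBNETS.get(dept, []))
    return nets


def flow_visible(flow: dict, nets: List[IPv4Network]) -> bool:
    """Visible when source OR destination is inside an allowed subnet.

    The exporter is deliberately ignored. The far endpoint of a visible flow
    is disclosed as part of the conversation, which a conversation report
    cannot avoid; that is the trade-off of endpoint-based scoping.
    """
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    return any(src in n or dst in n for n in nets)


def visible_flows(user: str, flows: List[dict] = FLOWS) -> List[dict]:
    """Flows the user is allowed to see, across every exporter."""
    nets = allowed_networks(user)
    return [f for f in flows if flow_visible(f, nets)]


def visible_bytes(user: str, flows: List[dict] = FLOWS) -> int:
    """Bytes the user is allowed to see, summed across all exporters."""
    return sum(f["bytes"] for f in visible_flows(user, flows))


if __name__ == "__main__":
    for user in ("sales_manager", "finance_director", "nobody"):
        print(user, [f["exporter"] for f in visible_flows(user)], visible_bytes(user))
```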

                          • Re: What we're working on...
                            smartd

                            Chris,

                            I'm trying to build applications for my traffic. Examples include Exchange, which is often between two high ports, so I need to filter on the destination or source of my Exchange servers. I can't seem to build applications with multiple expressions.

                            I want to separate on-net HTTP traffic from off-net. So I want to see all traffic with a source AND destination within my company subnets. All other traffic should be categorized as HTTP. What happens if rules overlap? Which rules win out?

                            I'd love to see a firewall-type rule base to create these categories.

                              • Re: What we're working on...
                                smartd

                                Chris,

                                I started testing Plixer's Scrutinizer. I like the graph of both inbound and outbound on one graph. The reason I installed it was to test its ability to build applications. While much more powerful than NTA, it still has limits.

                                Doesn't anyone want to build custom application definitions so that NTA graphs show company applications instead of general protocols? I wouldn't think this is a unique requirement.

                                • Re: What we're working on...
                                  chris.lapoint

                                  I'm trying to build applications for my traffic. Examples include Exchange, which is often between two high ports, so I need to filter on the destination or source of my Exchange servers. I can't seem to build applications with multiple expressions.

                                  I want to separate on-net HTTP traffic from off-net. So I want to see all traffic with a source AND destination within my company subnets. All other traffic should be categorized as HTTP. What happens if rules overlap? Which rules win out?

                                  I'd love to see a firewall-type rule base to create these categories.


                                  I want to make sure I'm capturing this requirement correctly.

                                  So, if you could create an advanced rule with the following logic:

                                  Exchange Application Definition

                                  Source:  Company Subnet    Port: High Exchange Port 1

                                  Destination:  Company Subnet   Port:  High Exchange Port 2

                                  Protocol: TCP

                                  Then, you could meet your requirements?

                                    • Re: What we're working on...
                                      smartd

                                      I'll give some examples:

                                      Exchange:
                                      Source OR Destination of the Exchange servers, which is a group of 6 specific IP addresses
                                      Port: Random High Port

                                      Mission Valley Video:
                                      Source OR Destination of video camera IP address AND
                                      Port: http

                                      ERP Application:
                                      Source OR Destination of ERP web servers AND
                                      Port: http

                                      On-Net Web Applications:
                                      Source: Company Subnet AND Destination: Company Subnet AND
                                      Port: http

                                      Internet Web Application:
                                      Any other http that does not "hit" on any previous rule.

                                      In its present form, there is no NOT construct. No way to do explicit ANDs or ORs.

                                      After trying to build the http rules I described, large amounts of http traffic were listed as unmonitored.

                                      Now I can tell you the way Scrutinizer handles it: the rule set DOES NOT allow overlapping rules. So if I created a rule for a specific IP address, I couldn't create another rule with the whole subnet, since the IP address overlaps. So you have to define an IP range just before, and just after, the specific IP address. That doesn't really work well either.
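                                      The rule set in this post, written out as an ordered first-match classifier (an added example, not code from SolarWinds NTA or Plixer Scrutinizer). Rules are checked top-down and the first match wins, so overlapping rules are allowed and rule order settles the conflict; the final catch-all captures "any other HTTP" without needing a NOT construct. Every address, port and flow below is constructed sample data.

```python
"""Ordered, first-match flow classifier (added example, not NTA or Scrutinizer code).

Rules are evaluated top-down; the first matching rule names the application.
Overlap is therefore allowed and resolved by ordering, and the catch-all last
rule gives "any other HTTP" without an explicit NOT. All data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


Predicate = Callable[[Flow], bool]


def any_side_in(nets: Iterable[str]) -> Predicate:
    """Source OR destination lies in one of the given hosts/subnets."""
    parsed = [ip_network(n) for n in nets]
    return lambda f: any(ip_address(f.src) in n or ip_address(f.dst) in n for n in parsed)


def both_sides_in(nets: Iterable[str]) -> Predicate:
    """Source AND destination both lie in the given subnets (the on-net case)."""
    parsed = [ip_network(n) for n in nets]
    return lambda f: (any(ip_address(f.src) in n for n in parsed)
                      and any(ip_address(f.dst) in n for n in parsed))


def port_in(ports: Set[int]) -> Predicate:
    """Either endpoint's port is in the set, so one rule covers both directions."""
    return lambda f: f.sport in ports or f.dport in ports


def high_ports(f: Flow) -> bool:
    """Both ports ephemeral, as with Exchange RPC traffic on random high ports."""
    return f.proto == "tcp" and f.sport >= 1024 and f.dport >= 1024


def all_of(*preds: Predicate) -> Predicate:
    return lambda f: all(p(f) for p in preds)


@dataclass(frozen=True)
class Rule:
    name: str
    match: Predicate


# Constructed address groups; the post's Exchange group has six hosts, two suffice here.
COMPANY = ["10.0.0.0/8"]
EXCHANGE = ["10.1.1.10/32", "10.1.1.11/32"]
CAMERA = ["10.5.5.5/32"]
ERP = ["10.2.2.20/32"]
HTTP = {80, 443}

RULES: List[Rule] = [
    Rule("Exchange", all_of(any_side_in(EXCHANGE), high_ports)),
    Rule("Mission Valley Video", all_of(any_side_in(CAMERA), port_in(HTTP))),
    Rule("ERP Application", all_of(any_side_in(ERP), port_in(HTTP))),
    Rule("On-Net Web Applications", all_of(both_sides_in(COMPANY), port_in(HTTP))),
    Rule("Internet Web Application", port_in(HTTP)),  # catch-all: any other HTTP
]


def classify(flow: Flow, rules: List[Rule] = RULES) -> str:
    """Name of the first matching rule, or 'Unmonitored' when nothing matches."""
    for rule in rules:
        if rule.match(flow):
            return rule.name
    return "Unmonitored"
```

A camera-to-ERP HTTP flow matches both the video and ERP rules; with this ordering it is reported as Mission Valley Video, which is the overlap behaviour the post asks NTA to define.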

                                        • Re: What we're working on...
                                          chris.lapoint

                                          Thanks, this is exactly the clarification I needed. For internal folks, this is being tracked as FB#12386.

                                          If there are others interested in advanced application definition capabilities as described by smartd, please chime in to help prioritize.

                                            • Re: What we're working on...

                                              Sorry if this is a repeat request...

                                              But it would be good to have:

                                              Top XX for Node group X

                                              Top XX for Node group Y

                                              Top XX for All Nodes

                                              I have a very distributed network, and there are times I want to track things across all my nodes, or specific subsets. For example, I have 5 load-balanced firewalls that generate flow data. Trying to aggregate the traffic patterns of a particular IP is an arduous task, as I have to manually compile all the data myself. Yes, Report Writer could do that. But Report Writer has no fancy graphs to deliver to management. They like eye candy. I like simplicity :)

                                              • Re: What we're working on...
                                                smartd

                                                Chris,

                                                Does the new beta do anything with advanced application definitions?  If they do, I'd like to kick the tires.

                                                  • Re: What we're working on...
                                                    chris.lapoint

                                                    Nothing in the beta for this release. Just to clarify, this is the advanced application definition functionality you were looking for:

                                                    ===from your earlier post===========

                                                    I'll give some examples:

                                                    Exchange:
                                                    Source OR Destination of the Exchange servers, which is a group of 6 specific IP addresses
                                                    Port: Random High Port

                                                    Mission Valley Video:
                                                    Source OR Destination of video camera IP address AND
                                                    Port: http

                                                    ERP Application:
                                                    Source OR Destination of ERP web servers AND
                                                    Port: http

                                                    On-Net Web Applications:
                                                    Source: Company Subnet AND Destination: Company Subnet AND
                                                    Port: http

                                                    Internet Web Application:
                                                    Any other http that does not "hit" on any previous rule.

                                                    In its present form, there is no NOT construct. No way to do explicit ANDs or ORs.

                                                    After trying to build the http rules I described, large amounts of http traffic were listed as unmonitored.

                                                    Now I can tell you the way Scrutinizer handles it: the rule set DOES NOT allow overlapping rules. So if I created a rule for a specific IP address, I couldn't create another rule with the whole subnet, since the IP address overlaps. So you have to define an IP range just before, and just after, the specific IP address. That doesn't really work well either.

                                                      • Re: What we're working on...
                                                        smartd

                                                        Right,

                                                        Even if I had nothing more than the ability to match both ingress and egress addresses in a single rule, that would be helpful. If people aren’t defining their internal applications in NetFlow, are they just using the default protocols? Upon showing anyone NTA, the first question asked is “Can you show how much ERP traffic there is?”

                                                        Example:

                                                        All http traffic from: any source to IP 1.2.3.4 with port 80 OR IP 1.2.3.4 to any destination on port 80. A check box that enables the reciprocal rule would be a quick way to handle this.

                                                    • Re: What we're working on...
                                                      jlitton

                                                      If there are others interested in advanced application definition capabilities as described by smartd, please chime in to help prioritize.

                                                      Jumping in late here, but add me to the list of people interested in more advanced application definition and reporting.

                                                      Take smartd's example of Exchange traffic, for instance. Due to the large amount of DCOM/RPC traffic occurring on random high ports (thank you for doing that in every app, Microsoft), it's very hard to quantify how much bandwidth the application consumes per site and in total for a large distributed environment with multiple data centers.

                                                      However, this can be done quite easily with a tool that collects Cisco NBAR data, since there are PDLMs for Exchange RPC traffic.

                                                      Since there's no real NBAR module in Orion, I would hope that the NBAR information Cisco's adding to the NetFlow PDUs will be added as a means of classification in future versions of NTA.

                                                      Jesse Litton
                                                      LyondellBasell
                                                      Houston, TX

                                                        • Re: What we're working on...
                                                          Alminair

                                                          I am also late to the conversation, but my current report (NetFlow conversations) is annoying me slightly.



                                                          What I’d like to see are excludes for IPs in conversation reports based on a custom property.



                                                          You can’t use current custom properties to exclude nodes in the NetFlow data, which I assume is an issue with the SQL joins.



                                                          What I’d like to see is a custom yes/no property that I can use with the NetFlow endpoints. That would let me easily exclude my automation systems (or whatever). I want the data, but we don’t need that 8G per day on the reports going to the boss. We know the automation systems and protocols pump a lot of Gb in their area already, but it’s a pain to exclude it in the reports.

                                                          • Re: What we're working on...
                                                            NetAdminCJ

                                                            If there are others interested in advanced application definition capabilities as described by smartd, please chime in to help prioritize.

                                                            I am quite interested in this as well. I've got many custom HTTP apps that I'd like to classify and can't seem to get the rule definitions right.

                                                            Thanks!

                                                            ~CJ

                                                  • Re: What we're working on...

                                                    I see BGP AS Aware NetFlow in the long-term enhancements; what about the full features of flow aggregation, i.e. aggregation by prefix/source-dst/AS, the whole suite of options from the ip flow-aggregation command line? It would be invaluable when doing load sharing on dual-attached ISPs and figuring out route-maps and policies for egress and ingress flows.

                                                      • Re: What we're working on...
                                                        chris.lapoint

                                                        I see BGP AS Aware NetFlow in the long-term enhancements; what about the full features of flow aggregation, i.e. aggregation by prefix/source-dst/AS, the whole suite of options from the ip flow-aggregation command line? It would be invaluable when doing load sharing on dual-attached ISPs and figuring out route-maps and policies for egress and ingress flows.

                                                        Great, thanks for the feedback. To address the use case you described, what specific things would have to be visible in NTA charts and reports? We're likely going to have to pick and choose to reduce scope, so any help in prioritizing would be really helpful.

                                                        thanks,

                                                          • Re: What we're working on...

                                                            I sort of envision a "Top Talkers" view by AS and/or prefix, much like the network address groups. It would be ideal to see flows on an interface and visibility into the AS_PATH. Our goal is traffic engineering (TE). We need to be able to use NetFlow data to adjust routing announcements and set local preferences and prepends, all in an effort to achieve optimal load sharing. Obviously this is not an exact science, and true load balancing in BGP is a myth, but 60/40 should be obtainable. Today I am forced to use the CLI and NetFlow on the router directly with the aggregation cache, etc. Moving this into NTA would be perfect.

                                                            Thanks

                                                        • Re: What we're working on...
                                                          donedeal

                                                          Is there expected to be some type of NetFlow alerting capability, so that we could be alerted? For example, if there were 5 top talkers from an interface exceeding a certain percentage of bandwidth, I would like that to be able to trigger.

                                                          • Re: What we're working on...
                                                            wanine39

                                                            Any word on NBAR support?

                                                            Many users are also requesting this:

                                                            http://thwack.solarwinds.com/message/36593#36593

                                                            http://thwack.solarwinds.com/message/103488#103488

                                                            http://thwack.solarwinds.com/message/38672#38672

                                                            http://thwack.solarwinds.com/message/10171#10171


                                                              • Re: What we're working on...
                                                                jacob_beucler

                                                                Hello,


                                                                NBAR is definitely being considered here at SolarWinds; I really appreciate the fact that you brought this up on the forum again. It has been long discussed and is currently the #1 most voted feature request in the Ideas and Feature Requests section. Your feedback is valued and we are listening. The requests for NBAR support have certainly become more frequent. Please make sure that you visit the linked section above and up-vote existing or create new ideas / feature requests.


                                                                -Jacob