8 Replies Latest reply on Oct 24, 2013 8:41 AM by jeffnorton

    Report on Internet (outside) originated traffic



      I was presented with an odd request by management.


      We are looking at changing internet service providers & they want a report that will show what outside traffic is coming towards us (not return from inside originated requests).

      We have several pools of real world internet addresses (DMZ etc..) & we need a firm grasp on what internet facing resources will need to either be re-ip'd or have DNS changes so that when we move to a new carrier all of our outside facing resources are still available.


      If anyone knows of a canned report or is willing to assist with creation of a custom report I would greatly appreciate the input.


      Thank you

        • Re: Report on Internet (outside) originated traffic

          This isn't really a function of NPM -- it doesn't capture flow data. that's a function of NTA.

          look at enabling netflow on your border router and pointing it at NTA... that can show some interesting traffic patterns.


          Also, who really owns the IP addresses you are using?

          If you own your own IP addresses [i.e. you have been allocated them directly by ARIN] then it's a small matter of you simply creating a new BGP peering with the new ISP and you don't need to renumber.

          If you are using provider-provided IP addresses then you're going to have to renumber averything, so the answer is every ip address we've been assigned by our provider.

          • Re: Report on Internet (outside) originated traffic

            That data is going to be more easily gathered from Netflow off your border firewalls/routers. Or if you're just looking to see what addresses respond to requests (providing you allow ICMP) then IPAM will show your used address space.

              • Re: Report on Internet (outside) originated traffic


                Yes we have NPM & NTA.


                We have several addresses that point to devices in the DMZ & others servers.

                The problem is, there appears not to be a clear & conclusive list of what external ip addresses are active & what they point to inside here.

                That's why my boss asked me to figure out a way to use whatever resource within SolarWinds (reports, NTA , syslogs etc...) which can capture or display data from a 30 day period & by so doing, show us what is active (from the outside coming in).


                So far I have been hitting a brick wall in my own efforts to figure out how to filter traffic based on its origination source.


                  • Re: Report on Internet (outside) originated traffic

                    Hi There,

                    We develop a product called LANGuardian and some of our customers use it for situations like the ones you describe. Something to show who\what is hitting hosted services. LANGuardian uses a DPI engine to capture flow and application info from network traffic. It does not age data so you would be able to look at records over a 30 day period.


                    As it integrates with Orion you can retain the SolarWinds products as your main frontend. You can see an example of this on our online demo which is available at this link. Just use guest as the logon.The reports on the right (inbound and outbound) use filters to focus on traffic coming into and out of a network. You can use whatever filter you like.


                    Hope this helps



                • Re: Report on Internet (outside) originated traffic

                  Hi -


                  If you know the IP range of your public addresses, then a very quick and dirty way of finding out what is "live" is to perform a NESSUS scan from another location. At the very least, this will give you an idea of what IPs are responding, what ports are open etc. and will even give you a rough idea of what OS the IP is running (although this isn't always too accurate!).


                  Once you know which IP addresses are live, then you can match with what you know about your internal servers and work from there. You may even find you've got servers open to the Internet that shouldn't be :-)




                  • Re: Report on Internet (outside) originated traffic

                    You can also check your firewall/internet edge router inbound rules. You should have NAT/PAT translations for public access to your DMZ or internal network. The translated rules will give you not only the public IPs in use but also the mapped internal IPs and the TCP/UDP port numbers.

                    Solarwinds has FSM that can help as well.

                    • Re: Report on Internet (outside) originated traffic

                      All you really need to do is get your firewall team to assign a fixed NAT address for your Orion server that will do the polling for devices on the internet side of the firewall.  Then they need to open snmp, icmp, as well as telnet and ssh if you are using NCM.  Once that's done you need to get the data team to configure these devices for SNMP with an access list that only allows the Orion poller to access the devices with snmp, icmp, telnet, ssh.  From that point on, these devices look just like any other device.  What I've done for my security team is created and SNMP cheat sheet that shows all the require snmp configs and access list for devices inside the firewalls and outside the firewalls.  I then created polices in NCM to check all devices for these required configs.  That way the engineers know what to put in and I check just in case they forgot.