Brief
fcli is the simplest way to configure FastNetMon, using a command syntax familiar from network operations. You can press TAB for option auto-completion. Run this tool only with root permissions or via sudo, using exactly the following syntax:
sudo fcli
Overview
We have three configuration categories:
- main – toolkit wide options
- bgp – BGP configuration options
- hostgroup – custom threshold configurations for different networks
To get an option value, use the following form:
show <category> <option_name>
To change a string or integer value, use:
set <category> <option_name> value
Boolean fields use a slightly different form:
set <category> <option_name> (disable|enable)
To add a new value to a list option (networks_list, for example):
set <category> <option_name> new_value
To remove an element from a list option:
delete <category> <option_name> value_for_remove
You can also retrieve all configuration options of a whole category:
show <category_name>
After making any configuration changes you need to apply them with the commit command, which restarts the FastNetMon daemon so that it re-reads the whole configuration:
commit
If the API does not use the standard host and port, you can specify them with environment variables:
API_PORT=46551 API_HOST=127.0.0.7 sudo -E -i fcli
You can change the address the FastNetMon API listens on this way (a loopback address such as ::1 keeps the API reachable only from the host itself):
sudo fcli set main api_host ::1
sudo fcli commit
Blackhole management
Block a host:
set blackhole 11.22.33.44
Example output: Ban executed
Show blocked hosts:
show blackhole
Example output:
11.22.33.44/32 312e3232-2e33-332e-3434-000000000000
Unblock a host by the UUID that show blackhole printed next to its prefix:
delete blackhole 312e3232-2e33-332e-3434-000000000000
Example output: Disabled correctly
Flow spec rules management
Apply a new rule:
set flowspec '{ "source_prefix": "4.0.0.0/24", "destination_prefix": "127.0.0.0/24", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "rate-limit", "action": { "rate": 1024 } }'
List flow spec rules:
show flowspec
Example output:
{ "source_prefix": "4.0.0.0\/24", "destination_prefix": "127.0.0.0\/24", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "rate-limit", "action": { "rate": 1024 } } c58b3558-e3ea-4202-b104-33d59587e283
Delete a flow spec announce by the UUID that show flowspec printed after the rule:
delete flowspec c58b3558-e3ea-4202-b104-33d59587e283
Example output: Disabled correctly
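Both blackhole and flow spec announces are withdrawn by UUID, and the UUID only appears as the last field of the corresponding show output. The following POSIX shell script is an added example, not part of fcli or FastNetMon: it looks the UUID up by prefix (blackhole) or by any substring of the rule JSON (flowspec) and issues the delete, so an operator does not copy UUIDs by hand. The FCLI variable and the function names are this script's own assumptions; with the default it calls sudo fcli.

```shell
#!/bin/sh
# Added example, not part of FastNetMon: withdraw blackhole/flowspec announces by
# content instead of by UUID. FCLI (assumption) lets a wrapper or a test stub be
# substituted for the real "sudo fcli".
FCLI="${FCLI:-sudo fcli}"

# Print the UUID (last whitespace-separated field of each "show" line) of every
# announce of KIND that matches PATTERN:
#   blackhole - PATTERN is the exact prefix, e.g. 11.22.33.44/32 (a bare IPv4
#               address is treated as a /32)
#   flowspec  - PATTERN is any substring of the rule JSON, e.g. a destination_prefix
find_uuids() {
    kind="$1"; pattern="$2"
    case "$kind" in
        blackhole)
            case "$pattern" in */*|*:*) ;; *) pattern="$pattern/32" ;; esac
            $FCLI show blackhole | awk -v p="$pattern" '$1 == p { print $NF }' ;;
        flowspec)
            $FCLI show flowspec | grep -F -- "$pattern" | awk '{ print $NF }' ;;
        *)
            echo "unknown kind: $kind (use blackhole or flowspec)" >&2; return 2 ;;
    esac
}

# Delete every matching announce; returns 1 if nothing matched or a delete failed.
withdraw() {
    kind="$1"; pattern="$2"; n=0
    for uuid in $(find_uuids "$kind" "$pattern"); do
        echo "delete $kind $uuid"
        $FCLI delete "$kind" "$uuid" || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Usage: sh withdraw.sh blackhole 11.22.33.44
#        sh withdraw.sh flowspec 127.0.0.0
if [ "$#" -eq 2 ]; then
    withdraw "$1" "$2"
fi
```

The blackhole match is exact on the first field so that 1.22.33.44/32 can never be mistaken for 11.22.33.44/32; the flowspec match is a substring match because the rule JSON is printed on one line, so choose a pattern specific enough (for example the whole destination_prefix value) before running it against production announces.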
Get system counters
show system_counters
Example output:
our_ipv6_packets 0
total_unparsed_packets_speed 0
total_unparsed_packets 0
speed_recalculation_time_seconds 0
speed_recalculation_time_microseconds 407
Get total traffic counters
show total_traffic_counters
Example output:
incoming traffic 0
incoming traffic 0
outgoing traffic 0
outgoing traffic 0
internal traffic 0
internal traffic 0
other traffic 0
other traffic 0
Interfaces management
Get the interfaces list:
show interfaces
Example output:
em2
Get per subnet counters
Get counters for all subnets in the networks list:
show network_counters incoming packets
Example output:
11.22.33.0/24 in packets: 0 out packets: 0 in mbps: 0 out mbps: 0
You can use the following sort options here: bytes, packets, incoming or outgoing.
Get per host counters
Get the top 10 hosts by the specified traffic type (packets, bytes, flows) in a specific direction (incoming, outgoing) for your network:
show host_counters flows incoming
You can use the following sort options here: bytes, flows, packets, incoming or outgoing. You can also raise the number of hosts in the output with an environment variable, passed the same way as API_HOST above:
HOST_COUNTERS_MAX_HOSTS=40 sudo -E -i fcli
If you read host counters through the HTTP API instead, the limit has to be set in the environment of the API service, which needs more changes. Edit /lib/systemd/system/fastnetmon_web_api.service to the following content:
[Unit]
Description=FastNetMon Advanced web API gateway
After=network.target remote-fs.target

[Service]
Type=simple
Environment=HTTP_API_MODE=on
Environment=HOST_COUNTERS_MAX_HOSTS=40
ExecStart=/opt/fastnetmon/app/bin/fcli
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
After that, apply the changes:
sudo systemctl daemon-reload
sudo systemctl restart fastnetmon_web_api
Unfortunately, an upgrade of FastNetMon will reset these values to their defaults and you will need to apply them again. A drop-in override created with sudo systemctl edit fastnetmon_web_api (containing only the [Service] section with the extra Environment= line) lives under /etc/systemd/system/ rather than in the package-managed unit file and therefore survives upgrades.
Enable or disable traffic capture
With this command you can enable or disable traffic capture with deep analytics for a host. You can trigger it manually if you are sure that you are under attack.
Enable:
set traffic_capture 11.22.33.44
Disable:
delete traffic_capture 11.22.33.44
Host group management
List all host groups:
show hostgroup
Show a certain host group:
show hostgroup my_group
Create a new host group with the name "new_group":
set hostgroup new_group
Delete the host group with that name:
delete hostgroup new_group
Check an option value for a certain host group (for example the networks of the group global):
show hostgroup global networks
Set an option for a certain host group:
set hostgroup host_group_name networks 11.22.33.0/24
Look up the host group for a specified IP address:
show ip_hostgroup 11.22.33.44
White lists
We have two kinds of whitelist. The local whitelist is only for your own hosts:
sudo fcli set main networks_whitelist 11.22.33.44/32
The remote whitelist is for hosts outside of your networks:
sudo fcli set main networks_whitelist_remote 11.22.33.44/32
FastNetMon will completely discard all traffic from these IPs and will not count it in per host, per network or per hostgroup counters, so such traffic can never trigger a detection.
When FastNetMon discards traffic matching these lists it increments system counters, which you can check with:
sudo fcli show system_counters | grep total_remote_whitelisted_packets_packets
Can I whitelist arbitrary traffic from FastNetMon?
FastNetMon can exclude any traffic from processing using a rich set of rules. They use the same JSON syntax as the flow spec rules shown above, except that whitelist rules do not use the action_type and action fields.
Add the whitelist rules to the file /etc/fastnetmon/whitelist_rules.dat, one rule per line.
For example:
{ "destination_ports": [ 443 ], "protocols": [ "udp" ] }
{ "source_ports": [ 443 ], "protocols": [ "udp" ] }
FastNetMon counts such packets in the counter total_flowspec_whitelist_packets (see sudo fcli show system_counters).
This traffic is completely discarded from processing and ignored. Be very careful with this option because it blinds DDoS detection for whatever the rules match.
Please note that FastNetMon checks these rules linearly, one by one, so a large number of rules can easily degrade FastNetMon performance. Do not use more than 10 rules.
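Because a malformed or over-broad whitelist file silently removes traffic from detection, it is worth linting it before it goes live. The following POSIX shell script is an added example and not FastNetMon's own tooling; it encodes only what the text above states (one JSON object per line, no action section, at most 10 rules). The function name, the tolerance of empty lines and the brace-balance check are this script's assumptions.

```shell
#!/bin/sh
# Added example, not FastNetMon's own tooling: lint a whitelist_rules.dat before
# it goes live. The checks encode what the documentation states (one JSON object
# per line, no action section, at most 10 rules); the function name is an assumption.
MAX_RULES=10

# check_whitelist_rules FILE  -> exit status 0 when every rule passes
check_whitelist_rules() {
    file="$1"; lineno=0; rules=0; errors=0
    [ -r "$file" ] || { echo "$file: cannot read" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -z "$line" ] && continue       # empty lines are tolerated by this linter (assumption)
        rules=$((rules + 1))
        # One complete object per line: it must start with "{" and end with "}" ...
        case "$line" in
            '{'*'}') ;;
            *) echo "$file:$lineno: not a single JSON object on one line" >&2
               errors=$((errors + 1)); continue ;;
        esac
        # ... and the braces must balance, otherwise a rule was split across lines.
        opens=$(printf '%s\n' "$line" | awk '{ print gsub(/[{]/, "") }')
        closes=$(printf '%s\n' "$line" | awk '{ print gsub(/[}]/, "") }')
        if [ "$opens" -ne "$closes" ]; then
            echo "$file:$lineno: unbalanced braces" >&2
            errors=$((errors + 1))
        fi
        # Whitelist rules only match traffic; an action section belongs to flowspec rules.
        if printf '%s\n' "$line" | grep -q '"action'; then
            echo "$file:$lineno: whitelist rules must not carry \"action\"/\"action_type\"" >&2
            errors=$((errors + 1))
        fi
    done < "$file"
    # Rules are matched linearly; the documentation recommends at most 10.
    if [ "$rules" -gt "$MAX_RULES" ]; then
        echo "$file: $rules rules, more than the recommended $MAX_RULES" >&2
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Usage: sh check_whitelist_rules.sh /etc/fastnetmon/whitelist_rules.dat
if [ "$#" -eq 1 ]; then
    check_whitelist_rules "$1" && echo "$1: OK"
fi
```

The script does not parse JSON; it catches the mistakes that are easy to make by hand (a rule wrapped over two lines, a flowspec rule pasted in with its action, a file that grew past the recommended size). Run it before restarting FastNetMon and re-check total_flowspec_whitelist_packets afterwards to confirm the rules match only what you intended.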
How can I remove all networks from networks_list?
for i in $(sudo fcli show main networks_list); do sudo fcli delete main networks_list "$i"; done
Commit afterwards with sudo fcli commit, as for any other change.
How can I remove all host groups?
for i in $(sudo fcli show hostgroup | grep -E '^name' | awk '{print $2}'); do sudo fcli delete hostgroup "$i"; done
Commit afterwards with sudo fcli commit.
Adding a large number of networks
If you have a text file with all networks in CIDR format, one per line, like this:
22.33.44.55/29
44.66.11.66/27
you can add all of them this way:
while read -r net; do sudo fcli set hostgroup group_name networks "$net"; done < list
After the loop finishes, commit the changes:
sudo fcli commit
If the file contains networks that are already configured, FastNetMon ignores the duplicates and reports an error this way:
Command returned error: This option is already exists
Feel free to ignore such warnings.
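The loops above, for emptying a list and for bulk-adding networks, work but give no feedback on what was actually applied. The following POSIX shell script is an added example and not FastNetMon's own tooling: it loads a CIDR file into any list option (a host group's networks or main networks_list), validates each line before handing it to fcli, counts the duplicate warnings quoted above as harmless, reports everything else fcli rejected, and commits once at the end instead of restarting the daemon per prefix. The FCLI variable, the comment syntax in the file and the function names are this script's assumptions.

```shell
#!/bin/sh
# Added example, not FastNetMon's own tooling: load a file of CIDR prefixes into
# a host group (or into main networks_list) with a single commit at the end.
# FCLI (assumption) defaults to "sudo fcli" and can point at a wrapper or test stub.
FCLI="${FCLI:-sudo fcli}"

# is_cidr PREFIX -> 0 for a plausible IPv4 or IPv6 prefix, 1 otherwise.
# IPv4 is checked octet by octet; IPv6 is only required to carry a prefix length.
is_cidr() {
    case "$1" in
        *:*/*) return 0 ;;
        */*) printf '%s\n' "$1" | awk -F'[./]' '
                NF != 5 { exit 1 }
                { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }' ;;
        *) return 1 ;;
    esac
}

# load_networks "<category> <option...>" FILE
#   e.g. load_networks "hostgroup group_name networks" list
#        load_networks "main networks_list" list
# Lines may carry "# comments" and blanks (this loader's assumption, not fcli's).
# Duplicates ("This option is already exists") are counted and ignored, as the
# documentation says they can be; anything else fcli rejects is reported and counted.
load_networks() {
    target="$1"; file="$2"; added=0; dup=0; bad=0
    [ -r "$file" ] || { echo "$file: cannot read" >&2; return 1; }
    while IFS= read -r net || [ -n "$net" ]; do
        net=$(printf '%s' "${net%%#*}" | tr -d '[:space:]')
        [ -z "$net" ] && continue
        if ! is_cidr "$net"; then
            echo "skip: not a CIDR prefix: $net" >&2; bad=$((bad + 1)); continue
        fi
        out=$($FCLI set $target "$net" 2>&1) && rc=0 || rc=$?
        case "$rc:$out" in
            *"already exists"*) dup=$((dup + 1)) ;;
            0:*[Ee]rror*|[1-9]*) echo "fcli rejected $net: $out" >&2; bad=$((bad + 1)) ;;
            *) added=$((added + 1)) ;;
        esac
    done < "$file"
    # One daemon restart for the whole batch instead of one per prefix.
    [ "$added" -gt 0 ] && $FCLI commit
    echo "added=$added duplicates=$dup rejected=$bad"
    [ "$bad" -eq 0 ]
}

# Usage: sh load_networks.sh "hostgroup group_name networks" /path/to/list
if [ "$#" -eq 2 ]; then
    load_networks "$1" "$2"
fi
```

The exit status is non-zero whenever a line was skipped or rejected, so the script can sit in a provisioning pipeline that must not silently drop prefixes; the duplicate message is matched on its text because the page documents the message, not fcli's exit code.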
How to account internal traffic as outgoing or incoming?
If a packet or flow has both its source and destination IPs in your networks list, it is accounted as "internal".
If you prefer to count internal traffic as incoming, use this flag:
sudo fcli set main override_internal_traffic_as_incoming enable
sudo fcli commit
If you prefer to count internal traffic as outgoing, use this flag:
sudo fcli set main override_internal_traffic_as_outgoing enable
sudo fcli commit
Please note that override_internal_traffic_as_incoming and override_internal_traffic_as_outgoing are mutually exclusive.
FastNetMon cannot count internal traffic as both incoming and outgoing at the same time due to limitations in its design. If you want to see this changed, please subscribe to and vote for the feature request.