FastNetMon Advanced quick start


This document helps you set up FastNetMon in sFlow, NetFlow / IPFIX or mirror mode. Before you start, FastNetMon must already be installed.


First of all, you need to start the fcli configuration toolkit

Common steps

You need to finish these steps for all available capture methods (sFlow, NetFlow, IPFIX, Mirror).

Please enumerate all your networks in CIDR form:

We need this information to detect traffic direction properly.

If you need DDoS detection for the IPv6 protocol, please check this guide.

If you have a large number of networks and they change frequently, FastNetMon can read the network list directly from a BGP peering connection; please try this guide.

For networks with more than 1 million hosts we suggest using an alternative traffic calculation approach.

Enable traffic capture

How to check that it’s working

First of all, you can check the traffic counters

Normally you should see non-zero counters for incoming and outgoing traffic.

Total traffic counter types:

  • Other traffic – neither the source nor the destination is known to be part of our list of networks. It may also be non-IP traffic (for example, ARP)
  • Internal traffic – traffic where source and destination both belong to your list of networks. FastNetMon does not trigger DDoS alerts for such traffic at all
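The counter types above follow directly from the network list configured earlier. The sketch below is an added illustration, not FastNetMon code: it classifies flow records against a list of CIDR networks and sums bytes per direction. The definitions of incoming and outgoing (exactly one side inside the list) are an assumption consistent with the two counter descriptions above, and the networks and flows are constructed sample values.

```python
import ipaddress
from collections import Counter

# Constructed sample values (documentation address ranges), not taken from the page.
NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
FLOWS = [  # (source, destination, bytes)
    ("198.51.100.7", "192.0.2.10", 1500),
    ("192.0.2.10", "198.51.100.7", 400),
    ("192.0.2.10", "192.0.2.20", 900),
    ("198.51.100.7", "203.0.113.5", 60),
    ("2001:db8:ffff::1", "2001:db8:10::5", 1200),
    ("aa:bb:cc:dd:ee:ff", "ff:ff:ff:ff:ff:ff", 42),  # non-IP frame, e.g. ARP
]

def is_local(addr, networks):
    """True if addr parses as an IP address inside one of the networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for non-IP input
    return any(ip in net for net in networks)  # IPv4/IPv6 mismatch is simply False

def classify(src, dst, networks=NETWORKS):
    """Return 'incoming', 'outgoing', 'internal' or 'other' for one flow."""
    try:
        src_local, dst_local = is_local(src, networks), is_local(dst, networks)
    except ValueError:
        return "other"  # unparsable or non-IP record
    if src_local and dst_local:
        return "internal"
    if dst_local:
        return "incoming"
    if src_local:
        return "outgoing"
    return "other"

def totals(flows, networks=NETWORKS):
    """Sum bytes per direction and per protected host (incoming only)."""
    by_direction, incoming_by_host = Counter(), Counter()
    for src, dst, size in flows:
        direction = classify(src, dst, networks)
        by_direction[direction] += size
        if direction == "incoming":
            incoming_by_host[dst] += size
    return by_direction, incoming_by_host

if __name__ == "__main__":
    by_direction, incoming_by_host = totals(FLOWS)
    print(dict(by_direction))
    print(incoming_by_host.most_common(10))
```

In this sketch, a prefix missing from the network list moves all traffic for its hosts into the "other" total, so the per-host incoming counters for those hosts stay at zero.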

You can check load per subnet

For the top 10 hosts in your network, use this command

To get traffic for a specific host, use this command:

Attack threshold configuration

As an example, we will block hosts which are receiving more than 100 Mbps:

Also, FastNetMon can calculate total traffic for all hosts in a specified hostgroup.

Enable ban actions for the global host group

Enable ban actions globally

Also, I recommend enabling pcap dump collection for attacks

And finally, commit the changes

Then you can check blocks for hosts which exceed this threshold

To unblock a host, use the UUID from the previous command and issue the following command:

FastNetMon offers many threshold types; please check this guide for more details.

By default, FastNetMon checks only incoming traffic, but you can easily enable attack detection for outgoing traffic too:

Custom thresholds for different networks

By default, FastNetMon uses the same “global” thresholds for all hosts in your networks. But you can create any number of hostgroups (literally, groups of networks) with custom thresholds, and FastNetMon will apply them to the corresponding parts of your network.

To create a new group:

Detection mode

FastNetMon can work in two modes:

  • Blackhole mode: FastNetMon blocks the attacked host using BGP Blackhole
  • BGP Flow spec mode: FastNetMon can isolate only the malicious traffic and filter it out using your routers

Please check this article to understand the differences between these modes.


FastNetMon can perform a variety of actions when it detects an attack.

BGP configuration