FastNetMon was built as a tool to automatically inject BGP announcements, based on network telemetry, when some event (traffic spike, DoS, DDoS) happens in your network. Network telemetry is not required in every case, however, and FastNetMon can use any external source of information to create or withdraw BGP announcements.

In FastNetMon we have solid support for the BGP Unicast v4 and BGP Flow Spec protocols, tested with all major vendors, with a clear and flexible API and command line interface.

We offer an official plugin which can read data from different data sources (HTTP, HTTPS, S3-compatible storage) and create BGP announcements from this feed with custom communities.

We offer solid monitoring options for this plugin:

  • SNMP traps when the data source fails to provide data
  • SNMP traps when an issue happens during the BGP announce/withdraw process
  • SNMP heartbeat to confirm that the plugin works fine
  • Prometheus endpoint which exports very precise metrics about each action

Our integration can sync up to hundreds of thousands of IP addresses specified as /32 without any issues.

Synchronization logic:

  • When FastNetMon detects a new host in the data source, it creates a BGP announcement for it with the specified community
  • When FastNetMon detects a known (and already announced) host, it ignores it
  • When a host known to FastNetMon (and announced) disappears from the dataset, it is withdrawn from BGP
  • A special option can be used to withdraw all announcements

First of all, you need to download the integration tool from this link.

To use BGP Manager you will need to configure BGP Unicast, https://fastnetmon.com/docs-fnm-advanced/fastnetmon-bgp-unicast-configuration/ and then enable the FastNetMon API: https://fastnetmon.com/docs-fnm-advanced/advanced-api/

You need to create a configuration for the daemon in /etc/bgp_manager.json

Example configuration:

{

    "region": "eu-west-1", 
    "access_key": "secret", 
    "secret_key": "secret", 

    "ping_check": false,
    "ping_bucket_name": "ping-bucket-name",
    "ping_bucket_key" : "ping.txt",

    "iplist_bucket_name": "test-blocklist",
    "iplist_bucket_key": "iplist.txt",

    "execute_hmac_validation": false,
    "checksum_secret_key": "aaa",

    "api_user": "admin",
    "api_password": "your_password_replace_it",

    "api_host": "127.0.0.1",
    "api_port": 10007,
    "debug": false,
    "daemon_mode": true,

    "prometheus": false,
    "prometheus_host": ":9725",

    "run_delay": 5,
    "log_path": "/tmp/bgp_manager.log",

    "snmp_traps": false,
    "snmp_host": "127.0.0.1",
    "snmp_port": 162,
    "snmp_community": "public",
    "snmp_timeout": 5,
    "snmp_retries": 2,
    "snmp_global_alert_value": ".1.3.6.1.4.1.2021.251.1",
    "snmp_global_clear_value": ".1.3.6.1.4.1.2021.251.2",
    "snmp_fastnetmon_alert_value": ".1.3.6.1.4.1.2021.252.1",
    "snmp_fastnetmon_clear_value": ".1.3.6.1.4.1.2021.252.2",
    "snmp_s3_alert_value": ".1.3.6.1.4.1.2021.253.1",
    "snmp_s3_clear_value": ".1.3.6.1.4.1.2021.253.2",
    "snmp_heartbeat_value": ".1.3.6.1.4.1.2021.254.1",
    "snmp_heartbeat_frequency": 15
}

You will need to change your FastNetMon API password (api_password), then adjust the S3 region and S3 access credentials:

"region": "eu-west-1", 
"access_key": "secret", 
"secret_key": "secret", 

Finally, you will need to specify the bucket and the file name that hold the block list in text format:

"iplist_bucket_name": "test-blocklist",
"iplist_bucket_key": "iplist.txt",

We expect the IP block list to contain only IP addresses (not prefixes), delimited by newlines.

To run this script, please execute the following commands:

chmod +x bgp_manager
./bgp_manager -configuration_path /etc/bgp_manager.json 

This tool runs as a daemon and syncs blocked hosts from the S3 bucket with the BGP daemon.

By default, it will write a log file to /tmp/bgp_manager.log

You can specify a custom BGP configuration for hosts blocked this way:

sudo fcli set main gobgp_announce_remote_host enable
sudo fcli set main gobgp_next_hop_remote_host 1.0.0.0
sudo fcli set main gobgp_community_remote_host 65001:669
sudo fcli commit

You can check the list of blocked hosts this way:

sudo fcli show remote_blackhole

We have added support for reading the feed from a file, which can be activated this way:

{
    "data_sources": {
        "file": true
    },

    "iplist_path": "/tmp/blocklist",

  
    "flush_list_option": false,
    "flush_list_value":  "1.2.3.4",

    "api_user": "admin",
    "api_password": "your_password_replace_it",
    "api_host": "127.0.0.1",
    "api_port": 10007,

    "debug": false,
    "daemon_mode": true,

    "prometheus": false,
    "prometheus_host": ":9725",

    "run_delay": 5,
    "log_path": "/tmp/bgp_manager.log"
}

You need to put a list of newline-separated IP addresses into the file referenced by iplist_path.
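
The feed format (one IP address per line, no prefixes) and the synchronization rules listed earlier can be checked offline before a list is published. The Python code below is an added example, not part of BGP Manager or its source: it rejects lines that are not single IPv4 addresses and computes which hosts would be announced or withdrawn. The function names, the IPv4-only handling and the withdraw-ratio guard are assumptions of this example.

```python
import ipaddress

# Constructed sample feed: two valid hosts, a blank line, a prefix,
# a garbage line and a duplicate of the first host.
SAMPLE_FEED = "192.0.2.10\n192.0.2.11\n\n198.51.100.0/24\nnot-an-ip\n192.0.2.10\n"


def parse_feed(text):
    """Parse a newline-delimited feed of single IPv4 addresses.

    Returns (hosts, rejected): a set of IPv4Address objects and a list of
    (line_number, content) for lines that are not plain addresses.
    """
    hosts, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            # IPv4Address rejects prefixes such as 198.51.100.0/24.
            hosts.add(ipaddress.IPv4Address(line))
        except ValueError:
            rejected.append((lineno, line))
    return hosts, rejected


def plan_sync(announced, feed):
    """New hosts are announced, known hosts ignored, missing hosts withdrawn."""
    to_announce = [str(ip) for ip in sorted(feed - announced)]
    to_withdraw = [str(ip) for ip in sorted(announced - feed)]
    return to_announce, to_withdraw


def withdraw_is_plausible(announced, to_withdraw, max_ratio=0.5):
    """Hypothetical guard (not a BGP Manager feature): flag a run that would
    withdraw most announcements, which is what an empty or truncated feed
    looks like."""
    return len(to_withdraw) <= max_ratio * len(announced)


if __name__ == "__main__":
    feed, rejected = parse_feed(SAMPLE_FEED)
    announced = {ipaddress.IPv4Address(a) for a in ("192.0.2.11", "203.0.113.5")}
    announce, withdraw = plan_sync(announced, feed)
    print("rejected:", rejected)
    print("announce:", announce, "withdraw:", withdraw)
    print("plausible:", withdraw_is_plausible(announced, withdraw))
```

Running it against a candidate list before writing it to the S3 bucket or to iplist_path shows malformed lines and the size of the resulting change ahead of the next sync.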
