Brief

fcli is a simplest way to configure FastNetMon in convenient network operations approach. You could use TAB for options auto completion. Please run this tool only with root permissions or with sudo, please use only following syntax:

sudo fcli

Overview

We have three configuration categories:

  • main – toolkit wide options
  • bgp – BGP configuration options
  • hostgroup – custom threshold configurations for different networks

For getting option value you could use following form:

show <category> <option_name>

If you want to change string or integer value you could use following form:

set <category> <option_name> value

For boolean fields we are using slightly different approach:

set <category> <option_name> (disable|enable)

If you want to add new value to list (networks_list for example) you could use:

set <category> <option_name> new_value

If you want to remove element from list option, please use this approach instead:

delete <category> <option_name> value_for_remove

Also you could retrieve configuration options for whole category with this approach:

show <category_name>

After making any configuration changes you need to apply them by restarting FastNetmon daemon with commit command. This command just restarts daemon and it re-reads whole configuration again:

commit

If you use not standard port and host for API you could specify them using environment variables:

API_PORT=46551 API_HOST=127.0.0.7 sudo -E -i fcli

You can change FastNetMon API internal port that way:

sudo fcli set main api_host ::1
sudo fcli commit

Blackhole management

Block host:

set blackhole 11.22.33.44

Example output: Ban executed

Show blocked hosts:

show blackhole

Example output:

11.22.33.44/32 312e3232-2e33-332e-3434-000000000000

Unblock host:

delete blackhole 312e3232-2e33-332e-3434-000000000000

Example output: Disabled correctly

Flow spec rules management

Apply new rule:

set flowspec '{ "source_prefix": "4.0.0.0/24", "destination_prefix": "127.0.0.0/24", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "rate-limit", "action": { "rate": 1024 } }'

List flow spec rules

show  flowspec

Example output:

{ "source_prefix": "4.0.0.0\/24", "destination_prefix": "127.0.0.0\/24", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "rate-limit", "action": { "rate": 1024 } } c58b3558-e3ea-4202-b104-33d59587e283

Delete flow spec announce

delete blackhole 312e3232-2e33-332e-3434-000000000000

Example output: Disabled correctly

Get system counters

show system_counters

Example output:

our_ipv6_packets                       0
total_unparsed_packets_speed           0
total_unparsed_packets                 0
speed_recalculation_time_seconds       0
speed_recalculation_time_microseconds  407

Get total traffic counters

show total_traffic_counters

Example output:

incoming traffic   0
incoming traffic   0
outgoing traffic   0
outgoing traffic   0
internal traffic   0
internal traffic   0
other traffic      0
other traffic      0

Interfaces management

Get interfaces list

show interfaces

Example output:

em2

Get per subnet counters

Get counters for all subnets in networks list.

show network_counters incoming packets

Example output:

11.22.33.0/24      in packets: 0 out packets: 0 in mbps: 0 out mbps: 0

You could use following sort options here: bytes, packets, incoming or outgoing.

Get per host counters

Get top 10 hosts by specified traffic type (packets, bytes, flows) in specific direction (incoming, outgoing) from your network.

show host_counters flows incoming

You could use following sort options here: bytes, flows, packets, incoming or outgoing. Also, you could increase number of hosts in output with environment variable:

sudo HOST_COUNTERS_MAX_HOSTS=40 -i fcli

You can increase number of hosts via API but it will need more changes. Please edit this file: /lib/systemd/system/fastnetmon_web_api.service to following content:

[Unit]
Description=FastNetMon Advanced web API gateway
After=network.target remote-fs.target

[Service]
Type=simple
Environment=HTTP_API_MODE=on
Environment=HOST_COUNTERS_MAX_HOSTS=40
ExecStart=/opt/fastnetmon/app/bin/fcli
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

After that, please apply changes:

sudo systemctl daemon-reload
sudo systemctl restart fastnetmon_web_api

Unfortunately, after upgrade FastNetMon will reset these values to default and you will need to apply them again.

Enable or disable traffic capture

With this command you could enable or disable traffic capture with deep analytics. You could trigger it manually if you are sure that you are under attack.

set traffic_capture 11.22.33.44

Disable:

delete traffic_capture 11.22.33.44

List all host groups:

show hostgroup

show certain host group

show hostgroup my_group

Create new host group with name “new_group”

set hostgroup new_group

Delete host group with name:

delete hostgroup new_group

Check option value for certain host group

show hostgroup global networks

Set option for certain host group:

show hostgroup host_group_name networks

Lookup host group for specified IP address

show ip_hostgroup 11.22.33.44

White lists

We have two kinds of whitelists. Local whitelist. Use only for your own hosts:

sudo fcli set main networks_whitelist 11.22.33.44/32

Remote whitelist. You could use it for remote hosts outside of your networks:

sudo fcli set main networks_whitelist_remote 11.22.33.44/32

FastNetMon will completely discard all traffic from these IPs and will not count it for per host, per network or per hostgroup counters.

When FastNetMon discards traffic which matches this list it increments following system counters:

sudo fcli show system_counters |grep total_remote_whitelisted_packets_packets 

Can I whitelist arbitrary traffic from FastNetMon?

FastNetMon can whitelist any traffic from processing using rich set of rules. You can check syntax here (these rules do not use section “actions”).

Please add whitelist rules into file /etc/fastnetmon/whitelist_rules.dat. Please add single rule per line.

For example:

{ "destination_ports": [ 443 ], "protocols": [ "udp" ] } { "source_ports": [ 443 ], "protocols": [ "udp" ] }

FastNetMon will track such packets using counter total_flowspec_whitelist_packets (sudo fcli show system_counters).

This traffic will be completely discarded from processing and completely ignored. Be very careful with this option because it may cause issues with DDoS detection.

Please note that FastNetMon checks these rules linearly one-by-one and large number of rules can easily degrade FastNetMon performance. Please do not use more then 10 rules.

How I could remove all networks from networks_list?

for i in `sudo fcli show main networks_list`;do sudo fcli delete main networks_list $i;done

How could I remove all host groups?

for i in `sudo fcli show hostgroup|egrep "^name"|awk '{print $2}'`;do sudo fcli delete hostgroup $i;done

Adding big number of networks

If you have text file with all networks in CIDR format like this:

22.33.44.55/29
44.66.11.66/27

You can add all of them this way:

for i in `cat list`; do sudo fcli set hostgroup group_name networks $i;done

After executing this script, please commit changes:

sudo fcli commit

If you have duplicating networks, FastNetMon will ignore duplicates and report error this way:

Command returned error: This option is already exists

Feel free to ignore such warnings.

How to account internal traffic as outgoing or incoming?

If packet or flow has source and destination IPs in your networks list then it will be accounted as “internal”.

If you prefer to count internal traffic as incoming you can use this flag:

sudo fcli set main override_internal_traffic_as_incoming true
sudo fcli commit

If you prefer to count internal traffic as outgoing you can use this flag:

sudo fcli set main  override_internal_traffic_as_outgoing true
sudo fcli commit

Please note that override_internal_traffic_as_incoming and override_internal_traffic_as_outgoing are mutually exclusive.

FastNetMon does not provide capability to count internal as both incoming and outgoing in same time due to technological limitations in design. If you want to see it changed, please subscribe and vote for this feature request.

24/7 Tech Support

support@fastnetmon.com

Email Us

sales@fastnetmon.com