Automated BGP Feed injection

FastNetMon was originally built to inject BGP announcements automatically when network telemetry reveals an event (a traffic spike, DoS or DDoS) in your network. Telemetry is not the only possible trigger, though: FastNetMon can use any external source of information to announce or withdraw BGP routes.

FastNetMon has solid support for BGP Unicast v4 and BGP Flow Spec, tested against all major vendors, with a clear and flexible API and command line interface.

We offer an official plugin which reads data from different data sources (HTTP, HTTPS, S3-compatible storage) and creates BGP announcements from that feed, tagged with custom communities.

We offer solid monitoring options for this plugin:

  • SNMP traps when the data source fails to provide data
  • SNMP traps when an issue occurs during the BGP announce/withdraw process
  • An SNMP heartbeat to confirm that the plugin is running
  • A Prometheus endpoint which exports detailed metrics about each action

Our integration can sync hundreds of thousands of IP addresses, specified as /32 routes, without any issues.

Synchronisation logic:

  • When FastNetMon finds a new host in the data source, it creates a BGP announcement for it with the specified community
  • When FastNetMon finds a host it already knows (and has already announced), it ignores it
  • When a host known by FastNetMon (and announced) disappears from the dataset, FastNetMon withdraws its announcement
  • A special option can be used to withdraw all announcements

To begin, you need to download the integration tool from this link.

To use BGP Manager, first configure BGP Unicast (https://fastnetmon.com/docs-fnm-advanced/fastnetmon-bgp-unicast-configuration/) and then enable the FastNetMon API (https://fastnetmon.com/docs-fnm-advanced/advanced-api/).

You then need to create a configuration file for the daemon at /etc/bgp_manager.json.

Example configuration:

{
    "region": "eu-west-1", 
    "access_key": "secret", 
    "secret_key": "secret", 

    "ping_check": false,
    "ping_bucket_name": "ping-bucket-name",
    "ping_bucket_key" : "ping.txt",

    "iplist_bucket_name": "test-blocklist",
    "iplist_bucket_key": "iplist.txt",

    "execute_hmac_validation": false,
    "checksum_secret_key": "aaa",

    "api_user": "admin",
    "api_password": "your_password_replace_it",

    "api_host": "127.0.0.1",
    "api_port": 10007,
    "debug": false,
    "daemon_mode": true,

    "prometheus": false,
    "prometheus_host": ":9725",

    "run_delay": 5,
    "log_path": "/tmp/bgp_manager.log",

    "snmp_traps": false,
    "snmp_host": "127.0.0.1",
    "snmp_port": 162,
    "snmp_community": "public",
    "snmp_timeout": 5,
    "snmp_retries": 2,
    "snmp_global_alert_value": ".1.3.6.1.4.1.2021.251.1",
    "snmp_global_clear_value": ".1.3.6.1.4.1.2021.251.2",
    "snmp_fastnetmon_alert_value": ".1.3.6.1.4.1.2021.252.1",
    "snmp_fastnetmon_clear_value": ".1.3.6.1.4.1.2021.252.2",
    "snmp_s3_alert_value": ".1.3.6.1.4.1.2021.253.1",
    "snmp_s3_clear_value": ".1.3.6.1.4.1.2021.253.2",
    "snmp_heartbeat_value": ".1.3.6.1.4.1.2021.254.1",
    "snmp_heartbeat_frequency": 15
}

You will need to change the FastNetMon API password (api_password) and then adjust the S3 region and S3 access credentials. Because this file holds the API password and the S3 credentials, restrict it to the user that runs the daemon (for example chmod 600 /etc/bgp_manager.json):

"region": "eu-west-1", 
"access_key": "secret", 
"secret_key": "secret", 

Finally, specify the bucket and object key that hold the block list in text format:

"iplist_bucket_name": "test-blocklist",
"iplist_bucket_key": "iplist.txt",

The block list must contain only IP addresses (not prefixes), one per line.
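The synchronisation logic described above (announce new hosts, ignore known ones, withdraw hosts that disappeared, optional flush of everything) together with the one-IP-per-line feed format, as an added example in Python. This is not BGP Manager's or FastNetMon's own code. It assumes that the announce and withdraw actions are supplied by the caller as callbacks (a real deployment would wrap the FastNetMon API there), that blank lines and lines starting with # may be skipped, and that a failed fetch (feed_text is None) must leave the announced set untouched instead of being treated as an empty feed; the sample feed and the prior state are constructed.

```python
"""Feed-to-BGP synchronisation, modelled on the behaviour described above.

Added example, not BGP Manager's own code. The announce/withdraw actions are
caller-supplied callbacks (assumption); a real deployment would wrap the
FastNetMon API there.
"""
from __future__ import annotations

import ipaddress
from typing import Callable

# Constructed sample feed: valid /32 hosts mixed with lines the tool must
# reject (a prefix, an IPv6 address, garbage) and a duplicate.
SAMPLE_FEED = """# constructed blocklist feed
192.0.2.10
192.0.2.11
198.51.100.5
203.0.113.0/24
2001:db8::1
not-an-ip
192.0.2.10
"""


def parse_feed(text: str) -> tuple[set[str], list[tuple[int, str]]]:
    """Parse a newline-separated list of IPv4 host addresses.

    Returns (hosts, rejected). Prefixes, IPv6 addresses and unparsable lines
    are reported rather than silently dropped or announced. Blank lines and
    '#' comments are skipped (assumption: the page only requires one IP per
    line). Duplicates collapse into the set.
    """
    hosts: set[str] = set()
    rejected: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "/" in line:  # prefixes are not allowed: the feed is /32 hosts only
            rejected.append((lineno, line))
            continue
        try:
            addr = ipaddress.IPv4Address(line)
        except ipaddress.AddressValueError:
            rejected.append((lineno, line))
            continue
        hosts.add(str(addr))
    return hosts, rejected


def plan_sync(feed_hosts: set[str], announced: set[str]) -> tuple[set[str], set[str]]:
    """Diff the feed against what is currently announced.

    New hosts are announced, hosts already announced are ignored, and hosts
    that vanished from the feed are withdrawn.
    """
    return feed_hosts - announced, announced - feed_hosts


def sync_once(feed_text: str | None, announced: set[str],
              announce: Callable[[str], None], withdraw: Callable[[str], None],
              flush: bool = False) -> tuple[set[str], list[tuple[int, str]]]:
    """One run_delay cycle. Returns (new announced set, rejected lines).

    flush=True withdraws everything regardless of the feed (the "withdraw all"
    option). feed_text=None models a failed fetch: the announced set is left
    as it is, because an unreachable data source must not be mistaken for an
    empty feed and silently withdraw every announcement (assumption).
    """
    if flush:
        for host in sorted(announced):
            withdraw(host)
        return set(), []
    if feed_text is None:
        return set(announced), []
    feed_hosts, rejected = parse_feed(feed_text)
    to_announce, to_withdraw = plan_sync(feed_hosts, announced)
    state = set(announced)
    for host in sorted(to_announce):
        announce(host)
        state.add(host)
    for host in sorted(to_withdraw):
        withdraw(host)
        state.discard(host)
    return state, rejected


if __name__ == "__main__":
    actions: list[tuple[str, str]] = []
    previously = {"192.0.2.11", "198.51.100.200"}  # constructed prior state
    state, rejected = sync_once(SAMPLE_FEED, previously,
                                announce=lambda h: actions.append(("announce", h)),
                                withdraw=lambda h: actions.append(("withdraw", h)))
    for action, host in actions:
        print(action, host)
    for lineno, line in rejected:
        print(f"rejected line {lineno}: {line!r}")
    print("announced now:", sorted(state))
```

The rejected-line list is what you would feed into the "data source failed" alerting path: a feed that suddenly contains prefixes or garbage is a sign of a broken or tampered upstream, and since every accepted line becomes a BGP announcement, it is safer to report and skip such lines than to guess at what was meant.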

To run the tool, execute the following commands:

chmod +x bgp_manager
./bgp_manager -configuration_path /etc/bgp_manager.json

This tool runs as a daemon and keeps the hosts blocked through the BGP daemon in sync with the block list in the S3 bucket. Because every address in the feed is turned into a BGP announcement, treat the feed as privileged input: anyone who can modify the bucket object (or the file, when the file data source is used) can announce arbitrary /32 routes into your network, so restrict write access to it accordingly.

By default it writes its log to /tmp/bgp_manager.log.

You can specify a custom BGP configuration for the hosts this tool blocks (the gobgp_*_remote_host options) in the following way:

sudo fcli set main gobgp_announce_remote_host enable
sudo fcli set main gobgp_next_hop_remote_host 1.0.0.0
sudo fcli set main gobgp_community_remote_host 65001:669
sudo fcli commit

You can check the list of blocked hosts in the following way:

sudo fcli show remote_blackhole

Support for reading the feed from a file has also been added; it is activated through the data_sources section, as in the following configuration:

{
    "data_sources": {
        "file": true
    },

    "iplist_path": "/tmp/blocklist",

    "flush_list_option": false,
    "flush_list_value":  "1.2.3.4",

    "api_user": "admin",
    "api_password": "your_password_replace_it",
    "api_host": "127.0.0.1",
    "api_port": 10007,

    "debug": false,
    "daemon_mode": true,

    "prometheus": false,
    "prometheus_host": ":9725",

    "run_delay": 5,
    "log_path": "/tmp/bgp_manager.log"
}

Put the list of newline-separated IP addresses into the file at iplist_path.