This document offers a detailed description of all available configuration options in all configuration namespaces.
af_packet
Name | Type | Default value | Description |
mirror_afpacket | bool | false | Enable capture from mirror port using AF_PACKET capture engine |
interfaces | string_list | [ ] | Interfaces list for traffic capture |
af_packet_extract_tunnel_traffic | bool | false | Enables logic for af_packet code which strips external level for GRE tunnels |
mirror_af_packet_sampling | bool | true | Enables sampling for mirror mode offloaded on kernel / driver level |
mirror_af_external_packet_sampling | bool | false | Enables external sampling for mirror mode when router or switch does sampling |
mirror_af_packet_socket_stats | bool | true | Enables capture socket performance statistics |
mirror_af_packet_disable_multithreading | bool | true | Disables multi thread processing and handles all traffic using single thread |
mirror_af_packet_fanout_mode | string | “cpu” | Fanout mode. Algorithm to spread load over threads |
mirror_af_packet_sampling_rate | positive_integer_with_zero | 100 | Sampling rate for AF_PACKET |
mirror_external_af_packet_sampling_rate | positive_integer_with_zero | 100 | External sampling rate for AF_PACKET |
mirror_af_packet_workers_number_override | bool | false | Enables logic to explicitly override number of worker processes |
mirror_af_packet_workers_number | positive_integer_with_zero | 1 | Specifies how many worker processes we need for each interface |
afpacket_strict_cpu_affinity | bool | false | Enables strict CPU affinity and binds traffic capture threads to fixed logical CPUs |
af_packet_read_packet_length_from_ip_header | bool | false | By default, FastNetMon reads packet length from the wire. But it can use information from IP header when you enable this option |
ban_management
Name | Type | Default value | Description |
enable_ban | bool | false | Completely enable or disable all ban actions |
enable_ban_hostgroup | bool | false | Completely enable or disable all ban for total traffic per hostgroup |
enable_ban_remote_outgoing | bool | false | Enable blocking for remote hosts in outgoing direction |
enable_ban_remote_incoming | bool | false | Enable blocking for remote hosts in incoming direction |
do_not_ban_incoming | bool | false | Completely disables ban for incoming traffic |
do_not_ban_outgoing | bool | false | Completely disables ban for outgoing traffic |
per_direction_hostgroup_thresholds | bool | true | Changes hostgroup thresholds to be per direction. Default becomes incoming |
flexible_thresholds | bool | false | Enables flexible thresholds logic |
flexible_thresholds_disable_multi_alerts | bool | false | Enables compatibility mode for flexible threshold which triggers attack only using single threshold and only in single direction |
keep_flow_spec_announces_during_restart | bool | false | Saves list of flow spec announces on shutdown and restores it on startup |
keep_blocked_hosts_during_restart | bool | false | Saves list of blocked hosts on shutdown and restores it on startup |
keep_blocked_hostgroups_during_restart | bool | false | Saves list of blocked hostgroups on shutdown and restores it on startup |
enable_ban_ipv6 | bool | false | Completely enable or disable all ban actions for IPv6 traffic |
unban_enabled | bool | true | We will try to unban blocked IPs after this time expires |
ban_status_updates | bool | false | FastNetMon will report active attacks every X seconds |
ban_status_delay | positive_integer_with_zero | 20 | How often FastNetMon will update external systems about active attacks |
ban_time | positive_integer_with_zero | 771 | How long we should keep an IP in blocked state. Zero value is prohibited here. |
unban_only_if_attack_finished | bool | true | Check if the attack is still active, before triggering an unblock callback with this option. If the attack is still active, check each run of the unblock watchdog |
gobgp_flow_spec_announces | bool | false | Announce flow spec rules to block only malicious traffic. Use only if you have BGP Flowspec capable routers |
gobgp_flow_spec_v6_announces | bool | false | Announce flow spec IPv6 rules to block only malicious traffic. Use only if you have BGP Flowspec capable routers |
flow_spec_unban_enabled | bool | true | We will try to withdraw flow spec rule when blocking time expires |
flow_spec_per_hostgroup_management | bool | false | Enables logic which enables flow spec mitigations only when they are explicitly enabled for hostgroup |
flow_spec_ban_time | positive_integer_with_zero | 1900 | How long we should keep flow spec rule in announces. Zero value is prohibited here. |
collect_attack_pcap_dumps | bool | false | This option enables pcap collection for attack’s traffic dump. Works only for mirror and sFlow modes |
collect_simple_attack_dumps | bool | true | Collect simple attack dumps which include information from attack’s sample. Works for all capture engines |
ban_details_records_count | positive_integer_with_zero | 25 | How many packets will be collected from attack’s traffic. Please decrease this value if you are using sampled capture protocols |
threshold_specific_ban_details | bool | false | In this mode FastNetMon will collect only traffic relevant to direction and type of threshold |
do_not_cap_ban_details_records_count | bool | false | Disables logic which automatically reduces ban_details_records_count when it exceeds 100 for sFlow and Netflow |
unban_total_hostgroup_enabled | bool | true | We will try to unban blocked hostgroup after specified amount of time |
ban_time_total_hostgroup | positive_integer_with_zero | 675 | How long we should keep hostgroup in blocked state. Zero value is prohibited here. |
bucket_traffic_collection_timeout | positive_integer_with_zero | 60 | How long we should wait for bucket to collect traffic after threshold was crossed |
bgp
Name | Type | Default value | Description |
gobgp | bool | false | Enable BGP daemon integration |
gobgp_api_host | string | “localhost” | IP address or host to connect to GoBGP |
gobgp_api_port | numeric_ipv4_port | 50051 | Port to connect to GoBGP |
gobgp_bgp_listen_port | numeric_ipv4_port | 179 | BGP listen port |
gobgp_router_id | string | “” | Router ID to override default configuration |
gobgp_next_hop | numeric_ipv4_host | “0.0.0.0” | Next hop value for BGP unicast host and subnet IPv4 announces |
gobgp_next_hop_host_ipv4 | numeric_ipv4_host | “0.0.0.0” | Next hop value for BGP unicast IPv4 host announces |
gobgp_next_hop_subnet_ipv4 | numeric_ipv4_host | “0.0.0.0” | Next hop value for BGP unicast IPv4 subnet announces |
gobgp_next_hop_remote_host | numeric_ipv4_host | “0.0.0.0” | Next hop value for BGP unicast remote host IPv4 announces |
gobgp_do_not_manage_daemon | bool | false | Disables automatic start / restart operations for BGP daemon |
gobgp_announce_host | bool | true | Announce /32 host itself with BGP |
gobgp_announce_whole_subnet | bool | false | Announce origin subnet of IP address |
gobgp_announce_whole_subnet_force_custom_prefix_length | bool | false | Enables override for subnet announce |
gobgp_announce_whole_subnet_custom_prefix_length | positive_integer_with_zero | 24 | Prefix length to override default one |
gobgp_announce_whole_subnet_force_custom_ipv6_prefix_length | bool | false | Enables override for IPv6 subnet announce |
gobgp_announce_whole_subnet_custom_ipv6_prefix_length | positive_integer_with_zero | 48 | IPv6 prefix length to override default one |
gobgp_announce_remote_host | bool | false | Announce remote /32 host itself with BGP |
gobgp_community_host | string | “65001:668” | BGP community for outgoing host announces. Here you can add community string for the host announce. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_communities_host_ipv4 | string_list | [ ] | BGP communities for outgoing host announces. Here you can add community strings for the host announces. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_communities_host_ipv6 | string_list | [ ] | BGP communities for outgoing host announces. Here you can add community strings for the host announces. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_community_subnet | string | “65001:667” | BGP community for outgoing subnet announces. Here you can add community string for the prefix subnet announce. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_communities_subnet_ipv4 | string_list | [ ] | BGP communities for outgoing subnet announces. Here you can add community strings for the prefix subnet announce. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_communities_subnet_ipv6 | string_list | [ ] | BGP communities for outgoing subnet announces. Here you can add community strings for the prefix subnet announce. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_community_remote_host | string | “65001:669” | BGP community for outgoing remote host announces. Here you can add community string for the host announce. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_ipv6 | bool | false | Enable BGP actions for IPv6 traffic |
gobgp_next_hop_ipv6 | string | “100::1” | Next hop value for BGP unicast IPv6 announces |
gobgp_announce_host_ipv6 | bool | true | Announce /128 host itself with BGP |
gobgp_announce_whole_subnet_ipv6 | bool | false | IPv6 prefix subnet, that will be announced |
gobgp_community_host_ipv6 | string | “65001:668” | BGP community for outgoing host announces for IPv6 protocol. Here you can add community string for the host announce. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_community_subnet_ipv6 | string | “65001:667” | BGP community for outgoing subnet announces for IPv6 protocol. Here you can add community string for the prefix subnet announce. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_flow_spec_default_action | string | “discard” | Default action for flow spec rules. You could specify accept, discard or rate-limit here |
gobgp_flow_spec_next_hop_ipv4 | string_list | [ ] | List of IPv4 next hops |
gobgp_flow_spec_next_hop_ipv6 | string_list | [ ] | List of IPv6 next hops |
gobgp_flow_spec_v6_default_action | string | “discard” | Default action for flow spec rules. You could specify accept, discard or rate-limit here |
gobgp_flow_spec_v6_rate_limit_value | positive_integer_with_zero | 1024 | For rate-limit action you could specify rate |
gobgp_flow_spec_rate_limit_value | positive_integer_with_zero | 1024 | For rate-limit action you could specify rate |
flow_spec_tcp_options_use_match_bit | bool | false | Enables force match bit in outgoing BGP Flow Spec announces about TCP flags |
flow_spec_fragmentation_options_use_match_bit | bool | false | Enables force match bit in outgoing BGP Flow Spec announces about fragmentation |
flow_spec_do_not_process_length_field | bool | false | Disables processing for length field completely. Use it if your device produces incorrect information about packet’s length |
flow_spec_do_not_process_tcp_flags_field | bool | false | Disables processing for TCP flags field completely. You may need it if your router does not support all TCP flags in flow spec rules |
flow_spec_do_not_process_ip_fragmentation_flags_field | bool | false | Disables processing for IP fragmentation field completely. You may need it if your router does not support all IP fragmentations flags in flow spec rules |
flow_spec_ignore_do_not_fragment_flag | bool | false | Disables processing for do not fragment field completely. It’s useful on Arista and Extreme |
flow_spec_do_not_process_source_address_field | bool | false | Disables processing for source address field completely. Use it if you experience attacks from big number of IP addresses |
flow_spec_execute_validation | bool | true | With this option we check that source and destination addresses in flow spec rule specified from fcli or web API belong to our ranges |
do_not_withdraw_unicast_announces_on_restart | bool | false | Disables automatic withdrawal of BGP Unicast announces |
do_not_withdraw_flow_spec_announces_on_restart | bool | false | Disables automatic withdrawal of BGP Flow Spec announces |
gobgp_announce_hostgroup_networks | bool | false | Enable BGP announces for any network from specific hostgroup when per hostgroup aka total thresholds are in use |
gobgp_announce_hostgroup_networks_ipv4 | bool | false | Enable BGP announces for all IPv4 networks from specific hostgroup when per hostgroup aka total thresholds are in use |
gobgp_announce_hostgroup_networks_ipv6 | bool | false | Enable BGP announces for all IPv6 networks from specific hostgroup when per hostgroup aka total thresholds are in use |
gobgp_next_hop_hostgroup_networks_ipv4 | string | “0.0.0.0” | Next hop for IPv4 per hostgroup network announces |
gobgp_next_hop_hostgroup_networks_ipv6 | string | “100::1” | Next hop for IPv6 per hostgroup network announces |
gobgp_communities_hostgroup_networks_ipv4 | string_list | [ ] | BGP communities for IPv4 hostgroup network announces. Here you can add community strings for the host announces. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
gobgp_communities_hostgroup_networks_ipv6 | string_list | [ ] | BGP communities for IPv6 hostgroup network announces. Here you can add community strings for the host announces. Usage: ASN:Community. ASN and community should be from 1 to 65535. |
email_notification
Name | Type | Default value | Description |
email_notifications_enabled | bool | false | Enable email notifications |
email_notifications_disable_certificate_checks | bool | false | Disables TLS certificate validation completely |
email_notifications_host | string | “smtp.gmail.com” | Hostname of SMTP server |
email_notifications_port | numeric_ipv4_port | 587 | Port of SMTP server used for email notifications |
email_notifications_tls | bool | true | Enable TLS for your SMTP server |
email_notifications_auth | bool | true | Enable auth for your SMTP server |
email_notifications_auth_method | string | “” | Auth method for SMTP authorization. Used only when auth enabled |
email_notifications_username | string | “fastnetmon@yourdomain.com” | Username for SMTP authorization |
email_notifications_password | string | “super-secret-password” | Password for SMTP authorization |
email_notifications_from | string | “fastnetmon@yourdomain.com” | Email address for FROM field |
email_notifications_recipients | string_list | [ ] | Email notification recipients |
email_notifications_hide_flow_spec_rules | bool | false | Hide flow spec rules from email |
email_notifications_add_simple_packet_dump | bool | true | Add simple packet dump to email |
email_subject_blackhole_block | string | “FastNetMon blocked host {{ ip }}” | Subject template for email notification about blocked host |
email_subject_blackhole_unblock | string | “FastNetMon unblocked host {{ ip }}” | Subject template for email notification about unblocked host |
email_subject_partial_block | string | “FastNetMon partially blocked traffic for host {{ ip }}” | Subject template for email notification about partially blocked host |
email_subject_partial_unblock | string | “FastNetMon partially unblocked traffic for host {{ ip }}” | Subject template for email notification about partially unblocked host |
slack_notifications_add_simple_packet_dump | bool | true | Add simple packet dump to Slack alerts |
influxdb
Name | Type | Default value | Description |
influxdb_kafka | bool | false | Enables traffic metrics export to InfluxDB over Kafka |
influxdb_kafka_brokers | string_list | [ ] | Kafka brokers for InfluxDB export |
influxdb_kafka_topic | string | “fastnetmon” | Topic name for Kafka InfluxDB instance |
influxdb_kafka_partitioner | string | “consistent” | Partitioner between available partitions |
influxdb | bool | false | Enables traffic metrics export to InfluxDB |
influxdb_database | string | “fastnetmon” | Database for InfluxDB data |
influxdb_host | string | “127.0.0.1” | InfluxDB server address (IPv4, IPv6 address or domain name) |
influxdb_port | numeric_ipv4_port | 8086 | InfluxDB server port |
influxdb_custom_tags | bool | false | Adds custom tag to InfluxDB export data |
influxdb_tag_name | string | “node” | Custom tag name |
influxdb_tag_value | string | “master” | Custom tag value |
influxdb_tags_table | string_string_map | | Custom tags in key / value format |
influxdb_skip_host_counters | bool | false | Skip export for host counters to reduce load on InfluxDB server |
influxdb_push_host_ipv6_counters | bool | true | Enable pushing per host IPv6 counters to InfluxDB |
influxdb_push_host_ipv4_flexible_counters | bool | true | Enables export of flexible per host IPv4 counters to InfluxDB |
influxdb_push_host_ipv6_flexible_counters | bool | true | Enables export of flexible per host IPv6 counters to InfluxDB |
influxdb_user | string | “fastnetmon” | Username for InfluxDB |
influxdb_password | string | “fastnetmon” | Password for InfluxDB |
influxdb_auth | bool | false | Enable authorization for InfluxDB |
influxdb_attack_notification | bool | false | Enables attack notifications in Grafana |
influxdb_push_period | positive_integer_with_zero | 1 | Delay for running InfluxDB push thread |
netflow
Name | Type | Default value | Description |
netflow | bool | false | Enable Netflow capture. We support Netflow v5, v9 and IPFIX (10) |
netflow_count_packets_per_device | bool | false | Enable logic to count number of packets from each router |
netflow_multi_thread_processing | bool | false | Enables multi thread processing for each Netflow port |
netflow_threads_per_port | positive_integer_with_zero | 1 | Number of threads per Netflow port |
netflow_multi_thread_mode | string | “” | Mode used to distribute traffic between threads |
netflow_ports | numeric_ipv4_port_list | [ ] | Netflow collector port. It’s possible to specify multiple ports here |
netflow_host | string | “0.0.0.0” | Netflow collector host. To bind on all interfaces for IPv4 and IPv6 use ::. To bind only on IPv4 use 0.0.0.0. To bind on localhost for IPv4 and IPv6 use ::1. To bind only on IPv4 use 127.0.0.1 |
netflow_socket_read_mode | string | “recvfrom” | Switches logic used to read data from socket: recvfrom or recvmsg |
netflow_rx_queue_overflow_monitoring | bool | false | Switches on logic to monitor drops on socket |
netflow_ignore_sampling_rate_from_device | bool | false | Ignores sampling rate announces from device. For Netflow v9 and IPFIX only |
netflow_ignore_long_duration_flow_enable | bool | false | FastNetMon will ignore flows which exceed duration specified in configuration |
netflow_long_duration_flow_limit | positive_integer_with_zero | 1 | FastNetMon will ignore flows which exceed duration specified in this option |
netflow_v5_per_router_sampling_rate | string_positive_integer_with_zero_map | | Custom Netflow v5 sampling rate on router basis |
netflow_v9_per_router_sampling_rate | string_positive_integer_with_zero_map | | Custom Netflow v9 sampling rate on router basis |
netflow_v9_read_sampling_rate_in_data_section | bool | false | Enables logic which can retrieve sampling rate when it was passed in data section. Mikrotik uses this approach |
netflow_v9_extract_tunnel_traffic | bool | false | Enables logic for Netflow v9 code which strips external level for GRE tunnels. It works only when packet header information is present |
ipfix_per_router_sampling_rate | string_positive_integer_with_zero_map | | Custom IPFIX sampling rate on router basis |
ipfix_extract_tunnel_traffic | bool | false | Enables logic for IPFIX code which strips external level for GRE tunnels. It works only when packet header information is present |
netflow_sampling_ratio | positive_integer_with_zero | 1 | Netflow 9 or IPFIX sampling rate used at agent side. Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio. Here you could specify a sampling ratio for all these agents. For Netflow v5 we extract sampling ratio from packets directly and this option is not used. |
netflow_v5_custom_sampling_ratio_enable | bool | false | This option will override Netflow v5 sampling rate from packets by specified value |
netflow_v5_sampling_ratio | positive_integer_with_zero | 1 | It will be used when netflow_v5_custom_sampling_ratio_enable is enabled |
netflow_templates_cache | bool | true | Cache Netflow v9 or IPFIX data templates on disk |
netflow_sampling_cache | bool | true | Cache Netflow v9 and IPFIX sampling rates on disk |
netflow_process_only_flows_with_dropped_packets | bool | false | We will process only Netflow v9 or IPFIX with forwarding status set to dropped |
netflow_mark_zero_next_hop_and_zero_output_as_dropped | bool | false | With this option all traffic with zero IPv4 and IPv6 addresses in next hop and zero output interface will be marked as dropped |
traffic_calculation_management
Name | Type | Default value | Description |
keep_traffic_counters_during_restart | bool | false | Keep all speed counters during restarts |
process_incoming_traffic | bool | true | Enables or disables processing for incoming traffic |
process_outgoing_traffic | bool | true | Enables or disables processing for outgoing traffic |
override_internal_traffic_as_incoming | bool | false | Enables logic to process internal traffic as incoming |
override_internal_traffic_as_outgoing | bool | false | Enables logic to process internal traffic as outgoing |
process_ipv6_traffic | bool | true | Enables processing for IPv6 traffic |
enable_connection_tracking | bool | true | Enable traffic state tracking. If you are interested in flow per second rates, please enable it. Be careful, it may increase CPU usage significantly |
remote_host_tracking | bool | false | Completely enable or disable bandwidth calculation for remote hosts |
connection_tracking_skip_ports | bool | false | Disables port processing for connection tracking |
enable_total_hostgroup_counters | bool | true | Enable traffic counters for total per hostgroups traffic |
enable_interface_counters | bool | true | Enable interface counters for per interface traffic |
enable_asn_counters | bool | true | Enable ASN counters for per ASN traffic |
build_total_hostgroups_from_per_host_hostgroups | bool | false | Allows using per-host hostgroups for building total hostgroups |
dump_other_traffic | bool | false | Dump all traffic which belongs to other class to log. Only for debugging reasons. It significantly degrades performance |
dump_internal_traffic | bool | false | Dump all traffic which belongs to internal class to log. Only for debugging reasons. It significantly degrades performance |
dump_all_traffic | bool | false | Dump all traffic to log. Only for debugging reasons. It significantly degrades performance |
dump_all_traffic_json | bool | false | Dump all traffic to log in JSON format. Only for debugging reasons. It significantly degrades performance |
speed_calculation_delay | positive_integer_with_zero | 1 | This value controls how often we run speed recalculation function. Please do not use this unless support suggested this to you |
average_calculation_time | positive_integer_with_zero | 5 | We use average values for traffic speed to certain IP and calculate the average over this time slice |
flow_forwarder | bool | false | Flow forwarder allows you to send traffic to remote FastNetMon |
flow_forwarder_remote_addresses | string_list | [ ] | Flow forwarder allows you to send traffic to remote FastNetMon: protocol://host:port as protocol you can use udp or tcp |
flow_forwarder_sampling_rate | positive_integer_with_zero | 512 | Sampling rate for mirrored traffic for Flow Forwarder export |
ipv6_automatic_data_cleanup | bool | true | Enables logic which removes old entries from IPv6 data counters |
ipv6_automatic_data_cleanup_threshold | positive_integer_with_zero | 300 | We will remove all entries which exceed this age in seconds |
ipv6_automatic_data_cleanup_delay | positive_integer_with_zero | 300 | How often we will run cleanup logic |
ipv4_automatic_data_cleanup | bool | true | Enables logic which removes old entries from IPv4 data counters |
ipv4_automatic_data_cleanup_threshold | positive_integer_with_zero | 300 | We will remove all entries which exceed this age in seconds |
ipv4_automatic_data_cleanup_delay | positive_integer_with_zero | 300 | How often we will run cleanup logic |
ipv4_remote_automatic_data_cleanup | bool | true | Enables logic which removes old entries from IPv4 remote data counters |
ipv4_remote_automatic_data_cleanup_threshold | positive_integer_with_zero | 300 | We will remove all remote IPv4 entries which exceed this age in seconds |
ipv4_remote_automatic_data_cleanup_delay | positive_integer_with_zero | 300 | How often we will run cleanup logic for remote IPv4 records |
traffic_buffer | bool | false | Enables or disables traffic buffer which keeps some amount of previously processed packets |
traffic_buffer_size | positive_integer_with_zero | 100000 | Specifies number of elements in traffic_buffer for 1 second of average calculation time |
traffic_buffer_port_mirror | bool | false | Enables or disables traffic buffer for port mirror modes. Do not enable unless sampling is enabled |
generate_attack_traffic_samples | bool | false | Enables logic to populate statistical reports about attacks traffic. Only for vendor integrations |
generate_attack_traffic_samples_delay | positive_integer_with_zero | 60 | How often we’re going to produce traffic reports about active attacks |
generate_max_talkers_report | bool | false | Enables logic to track max talkers and store them into MongoDB. Only for vendor integrations |
generate_max_talkers_report_delay | positive_integer_with_zero | 300 | How often we’re going to produce reports about max talkers |
generate_hostgroup_traffic_samples | bool | false | Enables logic to populate statistical reports about hostgroup traffic. Only for vendor integrations |
generate_hostgroup_traffic_samples_delay | positive_integer_with_zero | 60 | How often we’re going to produce traffic reports for hostgroup traffic |
default
Name | Type | Default value | Description |
name | string | “global” | Name of host group |
parent_name | string | “” | Parent host group name |
description | string | “This is default group for all hosts” | Human-friendly name for this group |
calculation_method | string | “per_host” | Traffic calculation method for host group: total or per_host (or empty value) |
networks | cidr_networks_list | [ ] | List of networks which belong to this group |
enable_ban | bool | false | Enable ban actions for hosts in this group |
ban_for_pps | bool | false | Should we block host in this group if it exceeds packet per second threshold? |
ban_for_bandwidth | bool | false | Should we block host in this group if it exceeds bandwidth threshold? |
ban_for_flows | bool | false | Should we block host in this group if it exceeds flows threshold? |
threshold_pps | positive_integer_with_zero | 100000 | Packet per second traffic to/from this host should exceed this value |
threshold_mbps | positive_integer_with_zero | 1000 | Bandwidth to/from this host should exceed this value |
threshold_flows | positive_integer_with_zero | 3500 | Flow per second speed to/from this host should exceed this value |
ban_for_tcp_bandwidth | bool | false | Block hosts in group for TCP bandwidth threshold? |
ban_for_udp_bandwidth | bool | false | Block hosts in group for UDP bandwidth threshold? |
ban_for_icmp_bandwidth | bool | false | Block hosts in group for ICMP bandwidth threshold? |
ban_for_tcp_pps | bool | false | Should we block host in this group if it exceeds packet per second threshold for TCP? |
ban_for_udp_pps | bool | false | Should we block host in this group if it exceeds packet per second threshold for UDP? |
ban_for_icmp_pps | bool | false | Should we block host in this group if it exceeds packet per second threshold for ICMP? |
threshold_tcp_mbps | positive_integer_with_zero | 1000 | TCP bandwidth to/from this host should exceed this value |
threshold_udp_mbps | positive_integer_with_zero | 1000 | UDP bandwidth to/from this host should exceed this value |
threshold_icmp_mbps | positive_integer_with_zero | 1000 | ICMP bandwidth to/from this host should exceed this value |
threshold_tcp_pps | positive_integer_with_zero | 100000 | TCP packet per second traffic to/from this host should exceed this value |
threshold_udp_pps | positive_integer_with_zero | 100000 | UDP packet per second traffic to/from this host should exceed this value |
threshold_icmp_pps | positive_integer_with_zero | 100000 | ICMP packet per second traffic to/from this host should exceed this value |
ban_for_tcp_syn_pps | bool | false | Block hosts in group for TCP SYN packets per second threshold |
threshold_tcp_syn_pps | positive_integer_with_zero | 1000 | TCP SYN pps to/from this host should exceed this value |
ban_for_tcp_syn_bandwidth | bool | false | Block hosts in group for TCP SYN packets per second threshold |
threshold_tcp_syn_mbps | positive_integer_with_zero | 1000 | TCP SYN bandwidth to/from this host should exceed this value |
ban_for_ip_fragments_pps | bool | false | Block hosts in group for fragmented IP packets per second threshold |
threshold_ip_fragments_pps | positive_integer_with_zero | 1000 | Fragmented IP pps to/from this host should exceed this value |
ban_for_ip_fragments_bandwidth | bool | false | Block hosts in group for fragmented IP packets per second threshold |
threshold_ip_fragments_mbps | positive_integer_with_zero | 1000 | fragmented IP bandwidth to/from this host should exceed this value |
enable_ban_incoming | bool | false | Enable ban actions for this group for incoming traffic |
enable_ban_outgoing | bool | false | Enable ban actions for this group for outgoing traffic |
enable_bgp_flow_spec | bool | false | Enable BGP Flow Spec for this hostgroup |
ban_for_pps_outgoing | bool | false | Should we block host in this group if it exceeds packet per second threshold? |
ban_for_bandwidth_outgoing | bool | false | Should we block host in this group if it exceeds bandwidth threshold? |
ban_for_flows_outgoing | bool | false | Should we block host in this group if it exceeds flows threshold? |
threshold_pps_outgoing | positive_integer_with_zero | 100000 | Packet per second traffic to/from this host should exceed this value |
threshold_mbps_outgoing | positive_integer_with_zero | 1000 | Bandwidth to/from this host should exceed this value |
threshold_flows_outgoing | positive_integer_with_zero | 3500 | Flow per second speed to/from this host should exceed this value |
ban_for_tcp_bandwidth_outgoing | bool | false | Block hosts in group for TCP bandwidth threshold? |
ban_for_udp_bandwidth_outgoing | bool | false | Block hosts in group for UDP bandwidth threshold? |
ban_for_icmp_bandwidth_outgoing | bool | false | Block hosts in group for ICMP bandwidth threshold? |
ban_for_tcp_pps_outgoing | bool | false | Should we block host in this group if it exceeds packet per second threshold for TCP? |
ban_for_udp_pps_outgoing | bool | false | Should we block host in this group if it exceeds packet per second threshold for UDP? |
ban_for_icmp_pps_outgoing | bool | false | Should we block host in this group if it exceeds packet per second threshold for ICMP? |
threshold_tcp_mbps_outgoing | positive_integer_with_zero | 1000 | TCP bandwidth to/from this host should exceed this value |
threshold_udp_mbps_outgoing | positive_integer_with_zero | 1000 | UDP bandwidth to/from this host should exceed this value |
threshold_icmp_mbps_outgoing | positive_integer_with_zero | 1000 | ICMP bandwidth to/from this host should exceed this value |
threshold_tcp_pps_outgoing | positive_integer_with_zero | 100000 | TCP packet per second traffic to/from this host should exceed this value |
threshold_udp_pps_outgoing | positive_integer_with_zero | 100000 | UDP packet per second traffic to/from this host should exceed this value |
threshold_icmp_pps_outgoing | positive_integer_with_zero | 100000 | ICMP packet per second traffic to/from this host should exceed this value |
ban_for_tcp_syn_pps_outgoing | bool | false | Block hosts in group for TCP SYN packets per second threshold |
threshold_tcp_syn_pps_outgoing | positive_integer_with_zero | 1000 | TCP SYN pps to/from this host should exceed this value |
ban_for_tcp_syn_bandwidth_outgoing | bool | false | Block hosts in group for TCP SYN packets per second threshold |
threshold_tcp_syn_mbps_outgoing | positive_integer_with_zero | 1000 | TCP SYN bandwidth to/from this host should exceed this value |
ban_for_ip_fragments_pps_outgoing | bool | false | Block hosts in group for fragmented IP packets per second threshold |
threshold_ip_fragments_pps_outgoing | positive_integer_with_zero | 1000 | Fragmented IP pps to/from this host should exceed this value |
ban_for_ip_fragments_bandwidth_outgoing | bool | false | Block hosts in group for fragmented IP packets per second threshold |
threshold_ip_fragments_mbps_outgoing | positive_integer_with_zero | 1000 | fragmented IP bandwidth to/from this host should exceed this value |
flexible_thresholds | flexible_thresholds | “{}” | Flexible thresholds |