To achieve a high availability (HA) setup, you can deploy multiple independent instances of FastNetMon and feed the same traffic to each of them. All instances must use the same configuration so that they behave identically. We suggest using similar hardware if you can afford it.
Additionally, if you have multiple network devices that can generate telemetry for the same traffic (sFlow, NetFlow, IPFIX and others), you can use different sources of traffic information to cover the case where one device misbehaves and can't export traffic information to FastNetMon. For example, suppose you have sFlow from switches and NetFlow from the router, and they see the same traffic. You can feed traffic from the switch to the first instance of FastNetMon and traffic from the router to another instance. Both instances will then see the traffic through different sources and detect attacks.
Usually, network equipment (routers or switches) can stream to multiple NetFlow/sFlow collectors. Even if it does not support this option, we have a guide about traffic duplication with an external tool.
If you use BGP diversion/blackhole, you can establish independent sessions from every FastNetMon instance to all your routers. Routers handle duplicate announcements very well.
If you use any kind of API integration, you need to add more checks to your notify scripts to avoid duplicate calls for the same event generated by different instances.
As an example, you can implement it in the following way:
- 00:00:01: FastNetMon #1 detected an attack on 10.0.0.1/32
- 00:00:02: FastNetMon #1 triggered and executed the script, which created a notification in the CRM system
- 00:00:03: FastNetMon #2 detected an attack on 10.0.0.1/32
- 00:00:04: FastNetMon #2 discovered that a notification was sent recently and suppressed any additional actions
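
One way to implement the suppression check from this timeline is shown below as an added example, not FastNetMon's own code. It assumes a store that every instance can reach (SQLite stands in here so the example runs offline); the function names, instance names, table layout and 300-second window are all hypothetical.

```python
import sqlite3
import time

SUPPRESS_WINDOW = 300  # seconds; assumed value, not a FastNetMon setting


def open_store(path):
    # Constructed stand-in for a store that every instance can reach.
    # isolation_level=None lets us issue BEGIN/COMMIT ourselves.
    conn = sqlite3.connect(path, timeout=5, isolation_level=None)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS claims ("
        "target TEXT PRIMARY KEY, claimed_at REAL NOT NULL, instance TEXT NOT NULL)"
    )
    return conn


def claim_event(conn, target, instance, now=None, window=SUPPRESS_WINDOW):
    """Return True if this instance should make the external API call."""
    now = time.time() if now is None else now
    # Take the write lock before reading, so two instances cannot both
    # see "no recent claim" and both notify.
    conn.execute("BEGIN IMMEDIATE")
    try:
        row = conn.execute(
            "SELECT claimed_at FROM claims WHERE target = ?", (target,)
        ).fetchone()
        if row is not None and now - row[0] < window:
            conn.execute("ROLLBACK")
            return False  # another instance notified recently: suppress
        conn.execute(
            "INSERT OR REPLACE INTO claims VALUES (?, ?, ?)",
            (target, now, instance),
        )
        conn.execute("COMMIT")
        return True
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        raise


def replay_timeline():
    # Constructed events mirroring the timeline above: (second, instance, target)
    conn = open_store(":memory:")
    events = [(1, "fnm-1", "10.0.0.1/32"), (3, "fnm-2", "10.0.0.1/32")]
    return [(inst, claim_event(conn, tgt, inst, now=ts)) for ts, inst, tgt in events]


if __name__ == "__main__":
    print(replay_timeline())
```

The notify script calls the external API only when `claim_event` returns `True`. If that API call then fails, delete the claim row so that the other instance's notification is not suppressed.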

