FastNetMon supports many different implementations of the standard Netflow protocol:
- Netflow v5
- Netflow v9
- Netflow Lite
- Inline monitoring services
You can enable the Netflow plugin this way:
sudo fcli set main netflow enable
Specify the port for Netflow capture (2055 is the default port for the Netflow protocol). You may add multiple ports if you prefer:
sudo fcli set main netflow_ports 2055
Then specify the interface to listen on (0.0.0.0 is the default):
sudo fcli set main netflow_host 0.0.0.0
To listen on both IPv4 and IPv6 on the same port, set the host to the following value:
sudo fcli set main netflow_host ::
sudo fcli commit
If you run any kind of firewall on your network or on the server running FastNetMon itself, you will need to allow traffic on the ports you’ve added towards the FastNetMon machine.
FastNetMon can automatically extract the sampling rate from Netflow v5, v9 and IPFIX, but in some rare cases you need to specify it explicitly:
sudo fcli set main netflow_sampling_ratio 1
sudo fcli set main netflow_custom_sampling_ratio_enable enable
The most important part of Netflow / IPFIX configuration is the flow timeout setup. If the active and inactive flow timeouts are not configured correctly, FastNetMon cannot calculate bandwidth correctly: traffic measurements will be wrong, which leads to incorrect attack detection.
As a safe default we recommend setting both the active and the inactive flow timeout on routers to 30 seconds. We do not recommend very low timeout values, as they may overload the router’s CPU.
In addition to the flow timeout setup on the router side, you need to adjust the average_calculation_time value on the FastNetMon side. This value must exceed both the active and inactive flow timeouts by a few seconds.
For the standard setup with both active and inactive timeouts set to 30 seconds we recommend setting it to 45:
sudo fcli set main average_calculation_time 45
sudo fcli commit
To simplify flow duration configuration we provide official guides for multiple popular vendors below.
You can confirm that the router uses the correct flow duration with this command:
sudo fcli show system_counters|grep duration
Apply changes and restart daemon:
sudo fcli commit
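As an added example (not FastNetMon's own code), the following Python decodes a constructed Netflow v5 datagram to show what the sampling-rate extraction and the flow duration check above rely on: it reads the 1-in-N sampling interval from the header, computes each flow's duration from its First/Last uptime stamps, flags flows that outlast the configured active timeout (a sign the router still uses a longer timeout), and derives the average_calculation_time recommendation. The 15-second margin (which reproduces the 45-second recommendation for 30/30 timeouts) and the treatment of sampling mode 0 as "not sampled" are assumptions, not FastNetMon behaviour.

```python
import struct

# Netflow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Return (sampling_rate, [flow durations in seconds]) from one v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a Netflow v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not Netflow v5 (version field = {version})")
    # Top two bits carry the sampling mode, lower 14 bits the 1-in-N interval.
    # Assumption: mode 0 means the exporter is not sampling, so the rate is 1.
    mode, interval = sampling >> 14, sampling & 0x3FFF
    sampling_rate = interval if mode and interval else 1
    durations = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        if off + V5_RECORD.size > len(datagram):
            raise ValueError("truncated record: count field exceeds payload")
        fields = V5_RECORD.unpack_from(datagram, off)
        first_ms, last_ms = fields[7], fields[8]  # SysUptime at first/last packet
        durations.append((last_ms - first_ms) / 1000.0)
    return sampling_rate, durations

def flows_over_active_timeout(durations, active_timeout_s):
    """Flows longer than the active timeout mean the router still uses a larger value."""
    return [d for d in durations if d > active_timeout_s]

def recommended_average_calculation_time(active_s, inactive_s, margin_s=15):
    """average_calculation_time must exceed both router timeouts by a few seconds."""
    return max(active_s, inactive_s) + margin_s

def build_record(first_ms, last_ms):
    # Constructed sample flow: 10.0.0.1 -> 10.0.0.2, TCP/443, 1000 pkts, 1 MB.
    return V5_RECORD.pack(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes(4), 1, 2,
                          1000, 1_000_000, first_ms, last_ms, 40000, 443,
                          0, 0x18, 6, 0, 0, 0, 24, 24, 0)

# Constructed datagram: sampling mode 1, 1-in-1000; two flows lasting 28 s and 58 s.
SAMPLE = V5_HEADER.pack(5, 2, 90_000, 1_700_000_000, 0, 7, 0, 0, (1 << 14) | 1000) \
    + build_record(10_000, 38_000) + build_record(30_000, 88_000)

if __name__ == "__main__":
    rate, durations = parse_netflow_v5(SAMPLE)
    print(rate, durations, flows_over_active_timeout(durations, 30),
          recommended_average_calculation_time(30, 30))
```

The 58-second flow in the sample is what a misconfigured router looks like: with a 30-second active timeout no single flow record should last longer than about 30 seconds.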
After these steps you need to configure Netflow / IPFIX on the agent’s side (switch, router, server) to export to the configured port.
If you run Juniper MX, Cisco ASR 9000 or Cisco NCS 5500 based routers we recommend using modern protocols such as IPFIX 315 and Inline Monitoring services, as both of them offer the best detection speed and excellent traffic bandwidth calculation accuracy. You may find the detailed configuration guide here. Otherwise please follow the guide below.
We have detailed guides for the following vendors:
If you operate many devices which export Netflow or IPFIX you may need better visibility into which device actually exports traffic to FastNetMon. To enable it you will need to set this flag:
sudo fcli set main netflow_count_packets_per_device true
sudo fcli commit
You will then be able to see the number of UDP packets received from each device using these commands:
sudo fcli show netflow9_packets_per_device
sudo fcli show netflow5_packets_per_device
sudo fcli show ipfix_packets_per_device