By default, FastNetMon checks thresholds on a per-/32 or per-/128 basis, that is, per individual IPv4 or IPv6 address. In many cases, however, it is useful to calculate total traffic for a number of prefixes and take custom actions when it reaches a specified value.
You can enable it this way:
sudo fcli set main enable_total_hostgroup_counters enable
To use this feature, you have to create a global total hostgroup. All traffic that does not belong to a custom hostgroup will be accounted for in this hostgroup.
sudo fcli set hostgroup global_total
sudo fcli set hostgroup global_total calculation_method total
You can also create any number of custom hostgroups, each of which can consist of any number of networks, this way:
sudo fcli set hostgroup servers
sudo fcli set hostgroup servers calculation_method total
sudo fcli set hostgroup servers networks 192.168.1.0/24
sudo fcli set hostgroup servers networks 10.10.1.2/16
sudo fcli commit
Please be aware that each specific prefix can be added only once across all total hostgroups. If you add the same prefix to two different hostgroups, it will be assigned to only one of them, chosen randomly.
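A pre-commit check for the caveat above, as an added example that is not FastNetMon code: it takes a planned hostgroup-to-networks mapping (constructed sample; the `audit_total_hostgroups` name is hypothetical) and reports prefixes listed in more than one total hostgroup. Going beyond the page, it also reports cross-group overlapping prefixes and prefixes written with host bits set, on the assumption that these deserve review; the page does not say how FastNetMon treats them.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of planned total hostgroups. "servers" uses the networks
# shown on this page; the other groups and their networks are made up.
PLANNED = {
    "servers": ["192.168.1.0/24", "10.10.1.2/16"],
    "client1": ["10.10.0.0/16", "2001:db8::/32"],
    "client2": ["192.168.1.128/25"],
}


def audit_total_hostgroups(groups):
    """Return (duplicates, overlaps, host_bits) for {hostgroup: [prefix, ...]}."""
    owners = defaultdict(set)  # normalized network -> hostgroups that list it
    host_bits = []             # (hostgroup, prefix as written, normalized prefix)
    for group, prefixes in groups.items():
        for text in prefixes:
            iface = ipaddress.ip_interface(text)
            net = iface.network  # e.g. 10.10.1.2/16 -> 10.10.0.0/16
            if iface.ip != net.network_address:
                # Assumption: compare such entries as their containing network.
                host_bits.append((group, text, str(net)))
            owners[net].add(group)

    # The case the page warns about: one prefix in several total hostgroups.
    duplicates = {str(n): sorted(g) for n, g in owners.items() if len(g) > 1}

    # Beyond the page: distinct prefixes that overlap across different groups.
    overlaps = []
    nets = sorted(owners, key=lambda n: (n.version, n.network_address, n.prefixlen))
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b) and owners[a] != owners[b]:
                overlaps.append((str(a), sorted(owners[a]), str(b), sorted(owners[b])))
    return duplicates, overlaps, host_bits


if __name__ == "__main__":
    dups, overlaps, host_bits = audit_total_hostgroups(PLANNED)
    for prefix, names in dups.items():
        print(f"DUPLICATE {prefix} listed in: {', '.join(names)}")
    for a, ga, b, gb in overlaps:
        print(f"OVERLAP   {a} {ga} overlaps {b} {gb}")
    for group, written, normalized in host_bits:
        print(f"HOST BITS {group}: {written} is inside {normalized}")
```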
Also, we have a dashboard to graph this traffic from InfluxDB in Grafana.
You can debug per-hostgroup traffic using the following fcli command:
sudo fcli show hostgroup_counters_total
To avoid data duplication between per_host hostgroups and total hostgroups, we offer an option to create total hostgroups for each per_host hostgroup:
sudo fcli set main build_total_hostgroups_from_per_host_hostgroups enable
For all total hostgroups we have the field “parent_name”, which specifies the name of the hostgroup that should be used as the parent. In this context, “parent” means that the current group will use the network list from the parent group. It’s a useful option when you have the same network list for per-host and for total hostgroups.
You can set it this way:
sudo fcli set hostgroup client1 parent_name client1_per_host
To configure automated attack detection using total traffic to a hostgroup, please follow this guide.