09.12.2017

FastNetMon Advanced configuration options

af_packet

Name | Type | Default value | Description
mirror_afpacket | bool | false | Enable capture from a mirror port using the AF_PACKET capture engine
interfaces | string_list | [ ] | Interfaces to capture traffic from
mirror_af_packet_sampling | bool | false | Enables sampling for mirror mode, offloaded to the kernel / driver level
mirror_af_packet_socket_stats | bool | false | Enables capture socket performance statistics
mirror_af_packet_disable_multithreading | bool | false | Disables multi-threaded processing and handles all traffic in a single thread
mirror_af_packet_fanout_mode | string | "cpu" | Fanout mode: the algorithm used to spread load over threads
mirror_af_packet_sampling_rate | positive_integer_without_zero | 100 | Sampling rate (1:N) for AF_PACKET, used when mirror_af_packet_sampling is enabled
afpacket_strict_cpu_affinity | bool | false | Enables strict CPU affinity and pins the capture threads to fixed logical CPUs
af_packet_read_packet_length_from_ip_header | bool | false | By default FastNetMon reads the packet length from the wire; enable this option to take it from the IP header instead

api

Name | Type | Default value | Description
enable_api | bool | true | Enable the internal FastNetMon API. Required by fcli and by the public Web API
api_host | numeric_ipv4_host | "127.0.0.1" | Address the internal API listens on
api_port | numeric_ipv4_port | 50052 | Port the internal API listens on

ban_management

Name | Type | Default value | Description
enable_ban | bool | false | Completely enable or disable all ban actions
enable_ban_hostgroup | bool | false | Completely enable or disable bans based on total traffic per hostgroup
enable_ban_remote_outgoing | bool | false | Enable blocking of remote hosts in the outgoing direction
enable_ban_remote_incoming | bool | false | Enable blocking of remote hosts in the incoming direction
do_not_ban_incoming | bool | false | Completely disables bans for incoming traffic
do_not_ban_outgoing | bool | true | Completely disables bans for outgoing traffic
keep_blocked_hosts_during_restart | bool | false | Saves the list of blocked hosts on shutdown and restores it on startup
enable_ban_ipv6 | bool | false | Completely enable or disable all ban actions for IPv6 traffic
unban_enabled | bool | true | Unban blocked IPs automatically once ban_time expires
ban_time | positive_integer_without_zero | 1900 | How long, in seconds, an IP stays blocked. Zero is not allowed
unban_only_if_attack_finished | bool | true | Before running the unblock callback, check whether the attack is still active; if it is, keep the host blocked and check again on each run of the unblock watchdog
gobgp_flow_spec_announces | bool | false | Announce BGP Flow Spec rules that block only the malicious traffic. Use only if your routers support BGP Flowspec
flow_spec_unban_enabled | bool | true | Withdraw the flow spec rule automatically when its blocking time expires
flow_spec_ban_time | positive_integer_without_zero | 1900 | How long, in seconds, a flow spec rule stays announced. Zero is not allowed
collect_attack_pcap_dumps | bool | false | Collect a pcap dump of the attack's traffic. Works only for mirror and sFlow modes
collect_simple_attack_dumps | bool | false | Collect simple attack dumps built from the attack's sampled packets. Works for all capture engines
ban_details_records_count | positive_integer_without_zero | 500 | How many packets to collect from the attack's traffic. Decrease this value with sampled capture protocols: only 1 in N packets is seen, so collecting 500 samples takes correspondingly longer
unban_total_hostgroup_enabled | bool | true | Unban a blocked hostgroup automatically once ban_time_total_hostgroup expires
ban_time_total_hostgroup | positive_integer_without_zero | 1900 | How long, in seconds, a hostgroup stays blocked. Zero is not allowed

bgp

Name | Type | Default value | Description
gobgp | bool | false | Enable BGP daemon integration
gobgp_router_id | string | "" | Router ID overriding the default configuration
gobgp_next_hop | numeric_ipv4_host | "0.0.0.0" | Next hop for BGP unicast IPv4 announces
gobgp_next_hop_remote_host | numeric_ipv4_host | "0.0.0.0" | Next hop for BGP unicast IPv4 announces of remote hosts
gobgp_announce_host | bool | true | Announce the /32 host itself with BGP
gobgp_announce_whole_subnet | bool | false | Announce the subnet the IP address belongs to
gobgp_announce_whole_subnet_force_custom_prefix_length | bool | false | Override the prefix length used for subnet announces
gobgp_announce_whole_subnet_custom_prefix_length | positive_integer_without_zero | 24 | Prefix length that replaces the default one
gobgp_announce_whole_subnet_force_custom_ipv6_prefix_length | bool | false | Override the prefix length used for IPv6 subnet announces
gobgp_announce_whole_subnet_custom_ipv6_prefix_length | positive_integer_without_zero | 24 | IPv6 prefix length that replaces the default one
gobgp_announce_remote_host | bool | false | Announce the remote /32 host itself with BGP
gobgp_community_host | string | "65001:668" | BGP community attached to host announces, in ASN:community form; both parts must be in the range 1 to 65535
gobgp_community_subnet | string | "65001:667" | BGP community attached to subnet announces, in ASN:community form; both parts must be in the range 1 to 65535
gobgp_community_remote_host | string | "65001:669" | BGP community attached to remote host announces, in ASN:community form; both parts must be in the range 1 to 65535
gobgp_ipv6 | bool | false | Enable BGP actions for IPv6 traffic
gobgp_next_hop_ipv6 | string | "100::1" | Next hop for BGP unicast IPv6 announces (100::/64 is the IPv6 discard-only prefix, RFC 6666)
gobgp_announce_host_ipv6 | bool | true | Announce the /128 host itself with BGP
gobgp_announce_whole_subnet_ipv6 | bool | false | Announce the IPv6 subnet the address belongs to
gobgp_community_host_ipv6 | string | "65001:668" | BGP community attached to IPv6 host announces, in ASN:community form; both parts must be in the range 1 to 65535
gobgp_community_subnet_ipv6 | string | "65001:667" | BGP community attached to IPv6 subnet announces, in ASN:community form; both parts must be in the range 1 to 65535
gobgp_flow_spec_default_action | string | "discard" | Default action for flow spec rules: discard or rate-limit
gobgp_flow_spec_rate_limit_value | positive_integer_without_zero | 1024 | Rate used by the rate-limit action
gobgp_modern_configuration_format | bool | false | Switch to the upstream GoBGP configuration format
flow_spec_tcp_options_use_match_bit | bool | false | Force the match bit in outgoing BGP Flow Spec announces for TCP flags
flow_spec_fragmentation_options_use_match_bit | bool | false | Force the match bit in outgoing BGP Flow Spec announces for fragmentation options
flow_spec_do_not_process_length_field | bool | false | Disable processing of the packet length field entirely. Use it if your device reports incorrect packet lengths
flow_spec_do_not_process_source_address_field | bool | false | Disable processing of the source address field entirely. Use it for attacks coming from a large number of source IP addresses
flow_spec_execute_validation | bool | true | Check that the source and destination addresses of flow spec rules submitted via fcli or the Web API belong to your networks (networks_list)
do_not_withdraw_unicast_announces_on_restart | bool | false | Disable automatic withdrawal of BGP unicast announces on restart
do_not_withdraw_flow_spec_announces_on_restart | bool | false | Disable automatic withdrawal of BGP Flow Spec announces on restart

clickhouse_metrics

Name | Type | Default value | Description
clickhouse_metrics | bool | false | Export traffic speed metrics to ClickHouse
clickhouse_metrics_database | string | "fastnetmon" | ClickHouse database for traffic metrics
clickhouse_metrics_username | string | "default" | Username for ClickHouse
clickhouse_metrics_password | string | "" | Password for ClickHouse
clickhouse_metrics_host | numeric_ipv4_host | "127.0.0.1" | ClickHouse server address
clickhouse_metrics_port | numeric_ipv4_port | 9000 | ClickHouse server port
clickhouse_metrics_push_period | positive_integer_without_zero | 1 | Period, in seconds, between runs of the ClickHouse push thread
clickhouse_metrics_per_protocol_counters | bool | false | Also export per-protocol counters to ClickHouse

email_notification

Name | Type | Default value | Description
email_notifications_enabled | bool | false | Enable email notifications
email_notifications_host | string | "smtp.gmail.com" | SMTP server hostname
email_notifications_port | numeric_ipv4_port | 587 | SMTP server port used for email notifications
email_notifications_tls | bool | true | Use TLS when talking to the SMTP server
email_notifications_auth | bool | true | Authenticate to the SMTP server
email_notifications_auth_method | string | "" | SMTP authentication method. Used only when auth is enabled
email_notifications_username | string | "fastnetmon@yourdomain.com" | Username for SMTP authentication
email_notifications_password | string | "super-secret-password" | Password for SMTP authentication (the default is a placeholder; replace it)
email_notifications_from | string | "fastnetmon@yourdomain.com" | Address used in the From field
email_notifications_recipients | string_list | [ ] | Email notification recipients
email_notifications_hide_flow_spec_rules | bool | false | Omit flow spec rules from the email
email_notifications_add_simple_packet_dump | bool | true | Include the simple packet dump in the email
email_subject_blackhole_block | string | "FastNetMon blocked host {{ ip }}" | Subject template for the blocked-host notification
email_subject_blackhole_unblock | string | "FastNetMon unblocked host {{ ip }}" | Subject template for the unblocked-host notification
email_subject_partial_block | string | "FastNetMon partially blocked traffic for host {{ ip }}" | Subject template for the partial-block notification

graphite

Name | Type | Default value | Description
graphite | bool | false | Enable metrics export to Graphite
graphite_host | numeric_ipv4_host | "127.0.0.1" | Graphite server address
graphite_port | numeric_ipv4_port | 2003 | Graphite server port
graphite_prefix | string | "fastnetmon" | Prefix for all Graphite metrics
graphite_push_period | positive_integer_without_zero | 1 | Period, in seconds, between runs of the Graphite push thread

influxdb

Name | Type | Default value | Description
influxdb_kafka | bool | false | Export traffic metrics to InfluxDB through Kafka
influxdb_kafka_brokers | string_list | [ ] | Kafka brokers used for the InfluxDB export
influxdb_kafka_topic | string | "fastnetmon" | Kafka topic for the InfluxDB export
influxdb_kafka_partitioner | string | "consistent" | Partitioner used to spread messages over the available partitions
influxdb | bool | false | Export traffic metrics to InfluxDB
influxdb_database | string | "fastnetmon" | InfluxDB database
influxdb_host | numeric_ipv4_host | "127.0.0.1" | InfluxDB server address (IP or domain name)
influxdb_port | numeric_ipv4_port | 8086 | InfluxDB server port
influxdb_custom_tags | bool | false | Add a custom tag to the exported InfluxDB data
influxdb_tag_name | string | "node" | Custom tag name
influxdb_tag_value | string | "master" | Custom tag value
influxdb_tags_table | string_string_map | | Custom tags as key / value pairs
influxdb_skip_host_counters | bool | false | Skip export of per-host counters to reduce load on the InfluxDB server
influxdb_push_host_ipv6_counters | bool | false | Push per-host IPv6 counters to InfluxDB
influxdb_user | string | "fastnetmon" | InfluxDB username
influxdb_password | string | "fastnetmon" | InfluxDB password
influxdb_auth | bool | false | Enable authentication for InfluxDB
influxdb_export_system_counters | bool | true | Export system counters
influxdb_per_protocol_counters | bool | false | Also export per-protocol counters to InfluxDB
influxdb_attack_notification | bool | false | Write attack notifications for display in Grafana
influxdb_push_period | positive_integer_without_zero | 1 | Period, in seconds, between runs of the InfluxDB push thread

logging

Name | Type | Default value | Description
logging_level | string | "info" | Logging level
logging_local_syslog_logging | bool | false | Send logs to the local syslog facility
logging_remote_syslog_logging | bool | false | Send logs to a remote syslog server over UDP. Plain UDP syslog is neither encrypted nor authenticated, so keep it on a trusted management network
logging_remote_syslog_server | numeric_ipv4_host | "10.10.10.10" | IPv4 address of the remote syslog server (the default is a placeholder)
logging_remote_syslog_port | numeric_ipv4_port | 514 | Remote syslog server port

netflow

Name | Type | Default value | Description
netflow | bool | false | Enable Netflow capture. Netflow v5, v9 and IPFIX (v10) are supported
netflow_multi_thread_processing | bool | false | Enable multi-threaded processing for each Netflow port
netflow_threads_per_port | positive_integer_without_zero | 1 | Number of threads per Netflow port
netflow_ports | numeric_ipv4_port_list | [ 2055 ] | Netflow collector ports. Several ports may be listed
netflow_host | string | "0.0.0.0" | Netflow collector listen address. Binding to all interfaces for both IPv4 and IPv6 at once is not possible yet; use :: or 0.0.0.0 for all interfaces of one protocol, and ::1 or 127.0.0.1 for localhost only
netflow_custom_sampling_ratio_enable | bool | false | Netflow v9 and IPFIX agents use different and rather complex mechanisms to announce their sampling ratio. Enable this to apply the single ratio from netflow_sampling_ratio to all such agents instead. Netflow v5 carries the sampling ratio in every packet, so this option does not apply to it
netflow_ignore_sampling_rate_from_device | bool | false | Ignore sampling rate announces from the device. Netflow v9 and IPFIX only
netflow_sampling_ratio | positive_integer_without_zero | 1 | Sampling ratio configured on the Netflow v9 or IPFIX agent, applied when netflow_custom_sampling_ratio_enable is on. Not used for Netflow v5, where the ratio is read from the packets
netflow_templates_cache | bool | true | Cache Netflow v9 / IPFIX data templates on disk

network_management

Name | Type | Default value | Description
networks_list | cidr_networks_list | [ ] | All IPv4 and IPv6 networks that belong to you
aggregate_networks_list | bool | false | Perform safe aggregation: remove networks that are nested inside other entries of networks_list
networks_whitelist | cidr_networks_list | [ ] | All ban actions are disabled for your hosts in these networks. Use with care!
networks_whitelist_remote | cidr_networks_list | [ ] | Traffic to and from these remote networks is skipped from processing entirely
monitor_local_ip_addresses | bool | false | Add the local IP addresses and aliases of this machine to networks_list
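The four network lists above interact: an address is only ever banned if it is inside networks_list and outside networks_whitelist, while anything touching networks_whitelist_remote is never even counted. The bgp section's flow_spec_execute_validation applies the same "our ranges" notion to rule addresses submitted via fcli or the Web API. The following is an added example, not FastNetMon's own code; it models those semantics with the standard ipaddress module, and the class, function names and sample ranges are this example's own assumptions.

```python
"""Added example, not FastNetMon's own code: the network_management semantics
described above, modelled with the standard library so they can be checked
offline. It also reproduces the flow_spec_execute_validation check from the
bgp section (rule addresses must belong to our ranges) as this page describes
it. Class and function names are this example's own choice."""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(cidrs) -> List[Network]:
    # strict=False tolerates host bits set in the config (10.0.1.5/24 -> 10.0.1.0/24)
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def aggregate_networks_list(cidrs) -> List[str]:
    """Safe aggregation as aggregate_networks_list describes it: drop entries that
    are nested inside (or duplicate) another entry. No address space is added."""
    kept: List[Network] = []
    # Shortest prefixes first, so a covering network is kept before its subnets.
    for net in sorted(parse_networks(cidrs), key=lambda n: (n.version, n.prefixlen)):
        if any(net.version == k.version and net.subnet_of(k) for k in kept):
            continue
        kept.append(net)
    return [str(n) for n in kept]


class NetworkPolicy:
    def __init__(self, networks_list, networks_whitelist=(), networks_whitelist_remote=()):
        self.ours = parse_networks(networks_list)
        self.whitelist = parse_networks(networks_whitelist)
        self.whitelist_remote = parse_networks(networks_whitelist_remote)

    @staticmethod
    def _contains(nets, addr) -> bool:
        return any(addr.version == n.version and addr in n for n in nets)

    def is_our_address(self, ip) -> bool:
        """True when the address falls inside networks_list."""
        return self._contains(self.ours, ipaddress.ip_address(ip))

    def ban_allowed(self, ip) -> bool:
        """Ban actions are disabled for hosts in networks_whitelist."""
        addr = ipaddress.ip_address(ip)
        return self._contains(self.ours, addr) and not self._contains(self.whitelist, addr)

    def skip_traffic(self, src_ip, dst_ip) -> bool:
        """Traffic to/from networks_whitelist_remote is not processed at all."""
        return any(self._contains(self.whitelist_remote, ipaddress.ip_address(ip))
                   for ip in (src_ip, dst_ip))

    def validate_flow_spec_rule(self, source=None, destination=None) -> List[str]:
        """flow_spec_execute_validation: every address field present in a rule
        submitted via fcli or the Web API must lie within networks_list.
        Returns the problems found; an empty list means the rule is accepted."""
        problems = []
        for label, cidr in (("source", source), ("destination", destination)):
            if cidr is None:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if not any(net.version == o.version and net.subnet_of(o) for o in self.ours):
                problems.append(f"{label} {cidr} is outside networks_list")
        return problems


# Constructed sample configuration (documentation ranges, not a real deployment).
SAMPLE_POLICY = NetworkPolicy(
    networks_list=["10.0.0.0/16", "2001:db8::/32"],
    networks_whitelist=["10.0.5.0/24"],            # never banned, even under attack
    networks_whitelist_remote=["203.0.113.0/24"],  # e.g. a partner's scanner, ignored
)

if __name__ == "__main__":
    print(aggregate_networks_list(["10.0.1.0/24", "10.0.0.0/16", "192.168.0.0/24"]))
    print(SAMPLE_POLICY.validate_flow_spec_rule(source="198.51.100.0/24",
                                                destination="10.0.1.1/32"))
```

The whitelist check is deliberately evaluated after the "is ours" check: a whitelisted host is one of yours that you have chosen never to block, not a way to make a foreign address eligible for anything. Keep networks_whitelist short and reviewed, since an attacker who learns it knows which of your hosts can be flooded without triggering a blackhole.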

notify_script

Name | Type | Default value | Description
notify_script_hostgroup_enabled | bool | false | Run the script when a hostgroup is blocked for exceeding its total thresholds
notify_script_hostgroup_path | file | "/etc/fastnetmon/scripts/notify_about_attack.sh" | Path to the notify script for hostgroup-level blocks
notify_script_enabled | bool | false | Run the script on ban, unban and attack_details actions
notify_script_path | file | "/etc/fastnetmon/scripts/notify_about_attack.sh" | Path to the notify script, executed on ban, unban and attack detail collection
notify_script_pass_details | bool | true | Pass additional attack details to the script's stdin. Works only when the format is text
notify_script_format | string | "text" | Format used for the notify script: text or JSON
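The notify script runs as the daemon's user on every ban, unban and attack_details event, so it is the place where attack data meets privileged commands. The following is an added example, not the project's own notify_about_attack.sh: a handler for notify_script_format set to JSON. It assumes, since this page does not spell it out, that the event arrives as a JSON object on stdin with at least "action" and "ip" fields ("attack_direction" and "pps" are optional extras used only for logging), and it enforces bans with a Linux blackhole route. The point it demonstrates is that the address is parsed with ipaddress and the command is built as an argv list, so a malformed or hostile field can never be spliced into a shell command.

```python
"""Added example, not the FastNetMon project's own notify script.

A notify_script_path handler for notify_script_format set to JSON. Assumed, since
this page does not spell it out: the event is a JSON object on stdin carrying at
least "action" (ban, unban or attack_details) and "ip"; "attack_direction" and
"pps" are optional and only logged. Enforcement uses a Linux blackhole route.
The address is parsed with ipaddress and the command is an argv list, so a
malformed or hostile field can never be spliced into a shell command."""
import ipaddress
import json
import subprocess
import sys

ACTIONS = ("ban", "unban", "attack_details")


def parse_event(raw):
    """Validate the JSON event; raises ValueError on anything unexpected."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("event must be a JSON object")
    action = data.get("action")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    # ip_address() rejects anything that is not a bare IPv4/IPv6 literal,
    # e.g. "10.0.1.25; reboot" or "10.0.1.0/24".
    ip = ipaddress.ip_address(str(data.get("ip", "")))
    return {
        "action": action,
        "ip": ip,
        "direction": str(data.get("attack_direction", "unknown")),
        "pps": int(data.get("pps", 0)),
    }


def is_valid_event(raw):
    try:
        parse_event(raw)
        return True
    except ValueError:       # json.JSONDecodeError is a subclass of ValueError
        return False


def build_commands(event):
    """Commands to run for the event, as argv lists (never a shell string)."""
    host = f"{event['ip']}/{event['ip'].max_prefixlen}"   # /32 or /128
    if event["action"] == "ban":
        return [["ip", "route", "add", "blackhole", host]]
    if event["action"] == "unban":
        return [["ip", "route", "del", "blackhole", host]]
    return []   # attack_details: nothing to enforce, details are only logged


def handle(raw, execute=False):
    event = parse_event(raw)
    commands = build_commands(event)
    print(f"{event['action']} {event['ip']} direction={event['direction']} pps={event['pps']}",
          file=sys.stderr)
    for argv in commands:
        if execute:
            subprocess.run(argv, check=True)
    return commands


# Constructed sample event (field layout is this example's assumption).
SAMPLE_BAN_EVENT = '{"action": "ban", "ip": "10.0.1.25", "attack_direction": "incoming", "pps": 250000}'

if __name__ == "__main__":
    # Dry run by default; pass --execute to really install the route (needs root).
    handle(sys.stdin.read(), execute="--execute" in sys.argv[1:])
```

Because the script is the only thing standing between attack metadata and a route table change, it should fail closed on anything it does not understand: an unknown action or a non-literal address raises rather than being passed through. Together with drop_root_permissions and a dedicated system_user, this keeps a bad event from becoming a root-level command.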

prometheus

Name | Type | Default value | Description
prometheus | bool | false | Enable the Prometheus metrics endpoint
prometheus_host | numeric_ipv4_host | "127.0.0.1" | Address the Prometheus metrics endpoint listens on
prometheus_port | numeric_ipv4_port | 9209 | Port the Prometheus metrics endpoint listens on

redis

Name | Type | Default value | Description
redis_enabled | bool | false | Enable export of attack information to Redis
redis_host | numeric_ipv4_host | "127.0.0.1" | Redis server host
redis_port | numeric_ipv4_port | 6379 | Redis server port
redis_prefix | string | "fastnetmon" | Prefix for all Redis keys

sflow

Name | Type | Default value | Description
sflow | bool | false | Enable the sFlow capture engine. Only sFlow v5 is supported
sflow_ports | numeric_ipv4_port_list | [ 6343 ] | sFlow collector ports. Several ports may be listed
sflow_host | numeric_ipv4_host | "0.0.0.0" | sFlow collector listen address. With the default, all interfaces are listened on
sflow_track_sampling_rate | bool | false | Track the sFlow sampling rate per exporting entity (devices, line cards)
sflow_use_new_generation_parser | bool | false | Enable the new, improved packet parser (experimental)

system

Name | Type | Default value | Description
cache_path | file | "/var/cache/fastnetmon" | Directory used for cache
asn_lookup | bool | false | Enable the ASN mapping database, used to look up the ASN of a given IP
pid_path | file | "/var/run/fastnetmon.pid" | Path to the pid file used to detect whether another copy of the tool is already running; useful when running multiple instances
api_host_counters_max_hosts_in_response | positive_integer_without_zero | 100 | Maximum number of hosts in the show host_counters output
system_user | string | "fastnetmon" | System user the daemon runs as
system_group | string | "fastnetmon" | System group the daemon runs as
drop_root_permissions | bool | false | Try to run as a non-root user. Not supported for mirror capture
license_use_port_443 | bool | true | Use port 443 for connections to the license server

tera_flow

Name | Type | Default value | Description
tera_flow | bool | false | Receive traffic information in Tera Flow format from the network
tera_flow_ports | numeric_ipv4_port_list | [ 4200 ] | Tera Flow collector ports. Several ports may be listed
tera_flow_host | string | "0.0.0.0" | Tera Flow collector listen address. Binding to all interfaces for both IPv4 and IPv6 at once is not possible yet; use :: or 0.0.0.0 for all interfaces of one protocol, and ::1 or 127.0.0.1 for localhost only

traffic_calculation_management

Name | Type | Default value | Description
process_incoming_traffic | bool | true | Enable or disable processing of incoming traffic
process_outgoing_traffic | bool | true | Enable or disable processing of outgoing traffic
process_ipv6_traffic | bool | false | Enable processing of IPv6 traffic
flexible_traffic_calculation | bool | true | Use a hash-based structure for traffic processing instead of pre-allocated counters
enable_connection_tracking | bool | false | Enable traffic state tracking. Required if you want flow-per-second rates. Be careful: it may increase CPU usage significantly
remote_host_tracking | bool | false | Completely enable or disable bandwidth calculation for remote hosts
connection_tracking_skip_ports | bool | false | Disable port processing in connection tracking
enable_subnet_counters | bool | true | Keep traffic counters for every network in networks_list
enable_total_hostgroup_counters | bool | false | Keep total traffic counters per hostgroup
build_total_hostgroups_from_per_host_hostgroups | bool | false | Allow per-host hostgroups to be used for building total hostgroups
dump_other_traffic | bool | false | Dump all traffic classified as "other" to the log. Debugging only; it degrades performance significantly
dump_all_traffic | bool | false | Dump all traffic to the log. Debugging only; it degrades performance significantly
speed_calculation_delay | positive_integer_without_zero | 1 | How often, in seconds, the speed recalculation function runs. Do not change it unless support suggests it
average_calculation_time | positive_integer_without_zero | 5 | Traffic speed per IP is averaged over this many seconds
average_calculation_time_for_subnets | positive_integer_without_zero | 5 | Traffic speed per subnet is averaged over this many seconds
average_calculation_time_for_hostgroups | positive_integer_without_zero | 5 | Total traffic speed per hostgroup is averaged over this many seconds
ipv6_automatic_data_cleanup | bool | false | Remove stale entries from the IPv6 data counters
ipv6_automatic_data_cleanup_threshold | positive_integer_without_zero | 300 | Entries older than this many seconds are removed
ipv6_automatic_data_cleanup_delay | positive_integer_without_zero | 300 | How often, in seconds, the cleanup runs
ipv4_automatic_data_cleanup | bool | false | Remove stale entries from the IPv4 data counters
ipv4_automatic_data_cleanup_threshold | positive_integer_without_zero | 300 | Entries older than this many seconds are removed
ipv4_automatic_data_cleanup_delay | positive_integer_without_zero | 300 | How often, in seconds, the cleanup runs

traffic_db

Name | Type | Default value | Description
traffic_db | bool | false | Enable traffic export to the persistent traffic database
traffic_db_host | numeric_ipv4_host | "127.0.0.1" | Traffic DB server address
traffic_db_port | numeric_ipv4_port | 8100 | Traffic DB server port
traffic_db_sampling_rate | positive_integer_without_zero | 512 | Sampling rate applied to mirrored traffic before export to traffic_db

web_api

Name | Type | Default value | Description
web_api_host | numeric_ipv4_host | "127.0.0.1" | Address the Web API listens on
web_api_port | numeric_ipv4_port | 10007 | Port the Web API listens on
web_api_login | string | "admin" | Login for the Web API
web_api_password | string | "" | Password for the Web API

The default password is empty and the default login is admin. Set web_api_password before moving web_api_host off 127.0.0.1, since the Web API can submit flow spec rules and trigger ban actions.

web_callback

Name | Type | Default value | Description
web_callback_enabled | bool | false | Call an external HTTP or HTTPS endpoint and pass the attack's short details (UUID) as JSON
web_callback_url | string | "http://127.0.0.1:8080/attack/notify" | URL called on blackhole ban, unban and partial (flow spec) block actions; the details are sent as a JSON body in a POST request

xdp

Name | Type | Default value | Description
mirror_xdp | bool | false | Enable capture from a mirror port using the AF_XDP capture engine
force_native_mode_xdp | bool | false | Require native XDP support from the driver
zero_copy_xdp | bool | false | Enable zero-copy mode for XDP. Requires native driver support (force_native_mode_xdp)
poll_mode_xdp | bool | false | Use the poll system call to process incoming packets
xdp_set_promisc | bool | false | Set the promiscuous flag on the interface automatically
xdp_extract_tunnel_traffic | bool | false | Strip the outer layer of GRE tunnels
interfaces_xdp | string_list | [ ] | Interfaces to capture traffic from with XDP
microcode_xdp_path | string | "/etc/fastnetmon/xdp_kernel.o" | Custom path to the XDP program (microcode)

hostgroups_configuration

Name | Type | Default value | Description
name | string | "global" | Name of the host group
parent_name | string | "" | Parent host group name
description | string | "This is default group for all hosts" | Human-friendly description of this group
calculation_method | string | "per_host" | Traffic calculation method for the host group: total or per_host (or empty)
networks | cidr_networks_list | [ ] | Networks that belong to this group
enable_ban | bool | false | Enable ban actions for hosts in this group
ban_for_pps | bool | false | Block a host in this group when it exceeds the packets-per-second threshold
ban_for_bandwidth | bool | false | Block a host in this group when it exceeds the bandwidth threshold
ban_for_flows | bool | false | Block a host in this group when it exceeds the flows threshold
threshold_pps | positive_integer_without_zero | 20000 | Packets per second to/from a host that must be exceeded
threshold_mbps | positive_integer_without_zero | 1000 | Bandwidth in Mbit/s to/from a host that must be exceeded
threshold_flows | positive_integer_without_zero | 3500 | Flows per second to/from a host that must be exceeded
ban_for_tcp_bandwidth | bool | false | Block hosts in this group for exceeding the TCP bandwidth threshold
ban_for_udp_bandwidth | bool | false | Block hosts in this group for exceeding the UDP bandwidth threshold
ban_for_icmp_bandwidth | bool | false | Block hosts in this group for exceeding the ICMP bandwidth threshold
ban_for_tcp_pps | bool | false | Block a host in this group when it exceeds the TCP packets-per-second threshold
ban_for_udp_pps | bool | false | Block a host in this group when it exceeds the UDP packets-per-second threshold
ban_for_icmp_pps | bool | false | Block a host in this group when it exceeds the ICMP packets-per-second threshold
threshold_tcp_mbps | positive_integer_without_zero | 1000 | TCP bandwidth in Mbit/s to/from a host that must be exceeded
threshold_udp_mbps | positive_integer_without_zero | 1000 | UDP bandwidth in Mbit/s to/from a host that must be exceeded
threshold_icmp_mbps | positive_integer_without_zero | 1000 | ICMP bandwidth in Mbit/s to/from a host that must be exceeded
threshold_tcp_pps | positive_integer_without_zero | 100000 | TCP packets per second to/from a host that must be exceeded
threshold_udp_pps | positive_integer_without_zero | 100000 | UDP packets per second to/from a host that must be exceeded
threshold_icmp_pps | positive_integer_without_zero | 100000 | ICMP packets per second to/from a host that must be exceeded
ban_for_tcp_syn_pps | bool | false | Block hosts in this group for exceeding the TCP SYN packets-per-second threshold
threshold_tcp_syn_pps | positive_integer_without_zero | 1000 | TCP SYN packets per second to/from a host that must be exceeded
ban_for_tcp_syn_bandwidth | bool | false | Block hosts in this group for exceeding the TCP SYN bandwidth threshold
threshold_tcp_syn_mbps | positive_integer_without_zero | 1000 | TCP SYN bandwidth in Mbit/s to/from a host that must be exceeded
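Each ban_for_* flag is paired with a threshold_* value, and a host is only a candidate for blocking when the group's own enable_ban is on and at least one enabled threshold is exceeded by the rate averaged over average_calculation_time. The following is an added example, not FastNetMon's own code, that evaluates those rules offline: the option names come from this page, while the measurement format (a list of per-second samples per metric), the function names and the sample group are this example's assumptions.

```python
"""Added example, not FastNetMon's own code: evaluates the hostgroups_configuration
thresholds above against a host's measured traffic. Option names are taken from
this page; the measurement format (a list of per-second samples per metric) and
the function names are this example's assumptions. Rates are averaged over
average_calculation_time samples first, as traffic_calculation_management
describes, so a single-second spike does not block a host on its own."""

# (flag option, threshold option, metric key); rules are reported in this order.
RULES = [
    ("ban_for_pps", "threshold_pps", "pps"),
    ("ban_for_bandwidth", "threshold_mbps", "mbps"),
    ("ban_for_flows", "threshold_flows", "flows"),
    ("ban_for_tcp_pps", "threshold_tcp_pps", "tcp_pps"),
    ("ban_for_udp_pps", "threshold_udp_pps", "udp_pps"),
    ("ban_for_icmp_pps", "threshold_icmp_pps", "icmp_pps"),
    ("ban_for_tcp_bandwidth", "threshold_tcp_mbps", "tcp_mbps"),
    ("ban_for_udp_bandwidth", "threshold_udp_mbps", "udp_mbps"),
    ("ban_for_icmp_bandwidth", "threshold_icmp_mbps", "icmp_mbps"),
    ("ban_for_tcp_syn_pps", "threshold_tcp_syn_pps", "tcp_syn_pps"),
    ("ban_for_tcp_syn_bandwidth", "threshold_tcp_syn_mbps", "tcp_syn_mbps"),
]

# Defaults exactly as listed in the table above.
DEFAULTS = {
    "enable_ban": False,
    "ban_for_pps": False, "ban_for_bandwidth": False, "ban_for_flows": False,
    "threshold_pps": 20000, "threshold_mbps": 1000, "threshold_flows": 3500,
    "ban_for_tcp_bandwidth": False, "ban_for_udp_bandwidth": False, "ban_for_icmp_bandwidth": False,
    "ban_for_tcp_pps": False, "ban_for_udp_pps": False, "ban_for_icmp_pps": False,
    "threshold_tcp_mbps": 1000, "threshold_udp_mbps": 1000, "threshold_icmp_mbps": 1000,
    "threshold_tcp_pps": 100000, "threshold_udp_pps": 100000, "threshold_icmp_pps": 100000,
    "ban_for_tcp_syn_pps": False, "threshold_tcp_syn_pps": 1000,
    "ban_for_tcp_syn_bandwidth": False, "threshold_tcp_syn_mbps": 1000,
}


def average(samples, window):
    """Mean of the most recent `window` per-second samples (average_calculation_time)."""
    recent = samples[-window:]
    return sum(recent) / len(recent) if recent else 0.0


def exceeded_thresholds(hostgroup, rates, window=5):
    """Names of the threshold_* options whose ban_for_* flag is on and whose
    averaged rate is above the configured value ("should exceed" is strict)."""
    cfg = {**DEFAULTS, **hostgroup}
    return [threshold for flag, threshold, metric in RULES
            if cfg[flag] and average(rates.get(metric, []), window) > cfg[threshold]]


def should_ban(hostgroup, rates, window=5):
    """A block needs the group's own enable_ban plus at least one exceeded threshold.
    (The global enable_ban in ban_management must be on as well; not modelled here.)"""
    cfg = {**DEFAULTS, **hostgroup}
    return bool(cfg["enable_ban"]) and bool(exceeded_thresholds(hostgroup, rates, window))


# Constructed sample: a group that blocks on total pps and on TCP SYN pps only.
SAMPLE_HOSTGROUP = {
    "name": "web_servers", "networks": ["10.0.1.0/24"], "enable_ban": True,
    "ban_for_pps": True,             # threshold_pps stays at the default 20000
    "ban_for_tcp_syn_pps": True,     # threshold_tcp_syn_pps stays at the default 1000
}
# Per-second samples for one host: a one-second pps spike, and a sustained SYN flood.
SAMPLE_RATES = {
    "pps": [500, 600, 50000],
    "tcp_syn_pps": [1200, 1500, 1800, 2000, 2500],
}

if __name__ == "__main__":
    print("window=1:", exceeded_thresholds(SAMPLE_HOSTGROUP, SAMPLE_RATES, window=1))
    print("window=5:", exceeded_thresholds(SAMPLE_HOSTGROUP, SAMPLE_RATES))
```

With the default five-second average the pps spike (one sample at 50000, average about 17000) stays under threshold_pps, while the sustained SYN rate (average 1800) exceeds threshold_tcp_syn_pps and is the only rule that fires. Shortening average_calculation_time makes detection faster but turns brief bursts into blackhole announcements, which is exactly the trade-off an attacker probing for a low trigger point will look for.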

bgp_configuration

Name | Type | Default value | Description
name | string | "connection_main_router" | System name of this connection
description | string | "Connection to main Router at NOC" | Human-friendly name for this connection
local_asn | positive_integer_without_zero | 123456 | Local ASN
local_address | numeric_ipv4_host | "10.11.22.33" | Local address for the BGP session
remote_asn | positive_integer_without_zero | 9002 | Remote autonomous system number
remote_address | numeric_ipv4_host | "10.11.22.1" | IP address of the remote BGP peer
multihop | bool | true | Enable BGP multihop
md5_auth | bool | false | Enable TCP MD5 authentication (RFC 2385) for the BGP session. Recommended whenever the session crosses a segment you do not fully control, since these announces can blackhole your own prefixes
md5_auth_password | string | "" | MD5 password for the BGP session
ipv4_unicast | bool | true | Enable IPv4 unicast for this peering
ipv6_unicast | bool | false | Enable IPv6 unicast for this peering
ipv4_flowspec | bool | false | Enable IPv4 Flow Spec (RFC 5575) for this peering
ipv6_flowspec | bool | false | Enable IPv6 Flow Spec (RFC 5575) for this peering
active | bool | false | Enable or disable this peer