To build a high availability (HA) setup, you can deploy multiple independent instances of FastNetMon and feed the same traffic to all of them. Use the same configuration on every instance so that they behave identically. We suggest using similar hardware if you can afford it.
If you have multiple network devices that export telemetry for the same traffic (sFlow, NetFlow, IPFIX and others), you can also feed different instances from different sources. This covers the case where one device misbehaves and stops exporting traffic information to FastNetMon. For example, if you receive sFlow from your switches and NetFlow from your router and both see the same traffic, feed the switch telemetry to the first FastNetMon instance and the router telemetry to the second. Both instances then observe the same traffic through independent sources and detect attacks independently.
Most network equipment (routers and switches) supports streaming NetFlow/sFlow to multiple collectors. If yours does not, we have a guide on duplicating the telemetry traffic with an external tool.
If you use BGP diversion or blackholing, establish independent BGP sessions from every FastNetMon instance to all of your routers. Routers handle duplicate announcements of the same prefix from several sessions without problems: the route simply stays installed until the last session withdraws it, so a blackhole is lifted only once every instance has unbanned the host.
If you use any kind of API integration, add checks to your notify scripts so that the same event, detected by different instances, does not produce duplicate API calls.
For example, you can implement it this way:
- 00:00:01: FastNetMon #1 detects an attack on 10.0.0.1/32
- 00:00:02: FastNetMon #1 triggers and executes the notify script, which creates a notification in the CRM system
- 00:00:03: FastNetMon #2 detects the same attack on 10.0.0.1/32
- 00:00:04: FastNetMon #2 runs its notify script, which discovers that a notification for 10.0.0.1/32 was sent recently and suppresses any further action
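The timeline above, as an added example of a de-duplicating notify script. This is illustrative code written for this page, not FastNetMon's own notify script or API. It assumes the script is invoked as `<script> <ip> <direction> <pps> <action>` (action being ban, unban or attack_details), that a `send_to_crm()` stand-in represents your real CRM call, and that a JSON file protected by `flock()` (path `/var/tmp/fnm_notify_dedup.json`, overridable through the made-up `FNM_DEDUP_STORE` variable) is a sufficient shared store. That file store only works when both instances run on the same host; independent hosts need a store they both can reach (a database row, a key-value server with an atomic set-if-absent, or a search of the CRM itself for a recent ticket on the same prefix) behind the same `should_notify()` check.

```python
#!/usr/bin/env python3
"""Notify script stub for a FastNetMon HA pair, with duplicate suppression.

Added example, not FastNetMon's own code. Assumes the notify script is
invoked as  <script> <ip> <direction> <pps> <action>  (action = ban, unban
or attack_details); the CRM call and the file-backed store are stand-ins.
"""
import fcntl
import json
import os
import sys
import time

SUPPRESS_WINDOW = 300  # seconds; assumed value, tune it to how fast your instances agree


def dedup_key(ip, direction, action):
    """One key per (action, direction, target): ban and unban are separate events."""
    return f"{action}:{direction}:{ip}"


def should_notify(store, ip, direction, action, now, window=SUPPRESS_WINDOW):
    """Return True if no instance has announced this event within `window` seconds.

    `store` maps dedup keys to the unix time of the last sent notification.
    The first caller records itself; later callers inside the window are told
    to stay quiet. An unban forgets the matching ban so that a new, separate
    attack on the same target is reported again even inside the window.
    """
    key = dedup_key(ip, direction, action)
    last = store.get(key)
    if last is not None and now - last < window:
        return False
    store[key] = now
    if action == "unban":
        store.pop(dedup_key(ip, direction, "ban"), None)
    return True


def with_locked_store(path, fn):
    """Run fn(store) with the JSON store exclusively locked, then persist it.

    flock() serialises two local instances that fire within the same second,
    which is the race a timestamp comparison alone cannot close.
    """
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        raw = fh.read()
        store = json.loads(raw) if raw.strip() else {}
        result = fn(store)
        fh.seek(0)
        fh.truncate()
        json.dump(store, fh)
        fh.flush()
        return result


def send_to_crm(ip, direction, pps, action):
    """Stand-in for the real API call; replace with your CRM client."""
    print(f"CRM: {action} {ip} {direction} {pps} pps")


def replay(events, window=SUPPRESS_WINDOW):
    """Simulate several instances sharing one store (constructed timeline).

    events: (time, instance, ip, direction, action) tuples in time order.
    Returns (instance, action, notified) for each event.
    """
    store = {}
    out = []
    for t, instance, ip, direction, action in events:
        notified = should_notify(store, ip, direction, action, t, window)
        out.append((instance, action, notified))
    return out


def main(argv):
    if len(argv) < 5:
        sys.exit("usage: notify.py <ip> <direction> <pps> <action>")
    ip, direction, pps, action = argv[1:5]
    # Assumed store location; both local instances must point at the same file.
    store_path = os.environ.get("FNM_DEDUP_STORE", "/var/tmp/fnm_notify_dedup.json")
    now = time.time()
    if with_locked_store(store_path, lambda s: should_notify(s, ip, direction, action, now)):
        send_to_crm(ip, direction, pps, action)
    else:
        print(f"suppressed duplicate {action} for {ip} ({direction})", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Replaying the page's timeline with `replay()` (instance #1 bans at second 1, instance #2 at second 3) yields one notification and one suppression; the later unban pair behaves the same way, and because the unban clears the ban record, a fresh attack detected afterwards is reported again rather than swallowed by the window. Keep the key specific to the event: de-duplicating on the IP alone would also suppress the unban that follows a ban.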