09.12.2017

FastNetMon cookbook

Introduction

In this document you can find a number of useful tips about FastNetMon Advanced.

Configure FastNetMon to use external InfluxDB instance

Configure FastNetMon to send logs to remote syslog server

Upgrade FastNetMon to next stable release

And then you should apply configuration changes:

How to log in to MongoDB?

How can I back up MongoDB?

How can I import a backup?

Be careful! This command will overwrite the current configuration with data from the backup!

And ask FastNetMon to re-read the new configuration:

How can I use a custom host/port in fcli?

If you use a non-standard host and port for the API, you can specify them using environment variables:

Do you have a replacement tool for fastnetmon_client?

Yes, we offer an improved version of fastnetmon_client with IPv6 support.

I want to use custom connection details for MongoDB.

You can create a special file for fcli and the FastNetMon Advanced core to specify custom connection details:

And put the following in it:

After that, put the password for mongodb_username into the file /etc/fastnetmon/keychain/.mongo_fastnetmon_password.

I have a very big number of networks and do not want to specify them manually

You can use RADb data for this task. Use the whois tool and make the following query for 2-byte (16-bit) ASNs:

For 32-bit (4-byte) ASNs you can use this tool to convert them into two 16-bit numbers delimited by a dot: http://submit.apnic.net/cgi-bin/convert-asn.pl

Then you can use the following syntax:

Then you can use the aggregate tool to aggregate the resulting prefixes. It's available in the Ubuntu repositories:

How to enable ASN lookups for traffic DB?

Run this tool to fill the ASN dictionaries (be prepared to wait 5-10 minutes):

And then reload the traffic_db daemon:

Then check the log file /var/log/fastnetmon/traffic_db.log for the line: "I found that you have ASN database. I will use it"

Can I use nfcapd or other Netflow forwarders?

Yes, you can, but all your devices must have a unique source_id, because we use agent_ip + source_id as the unique identifier for templates. Netflow forwarders/aggregators replace the agent's IP with the forwarder's IP, so two devices that share a source_id will collide on the same template key. The result of this conflict can be very dangerous: completely incorrect traffic processing or, in some rare cases, failures of the tool.
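The template-key collision described above, as an added example that is not FastNetMon's own code: it models a cache keyed by (agent_ip, source_id, template_id) and shows that two routers exporting different layouts for the same template id are kept apart by their agent IPs, but collide once a forwarder rewrites the agent IP and they share a source_id. Router addresses and template layouts are constructed sample data.

```python
# Added example (not FastNetMon's code): models the template cache key the answer
# above describes, (agent_ip, source_id, template_id), and shows how a forwarder
# that rewrites the agent IP makes two exporters with the same source_id collide.
# Router addresses and template layouts are constructed sample data.
from typing import Dict, List, Optional, Tuple

TemplateKey = Tuple[str, int, int]   # (agent_ip, source_id, template_id)
Layout = List[Tuple[str, int]]       # ordered (field_name, length_in_bytes)


class TemplateCache:
    def __init__(self) -> None:
        self.templates: Dict[TemplateKey, Layout] = {}
        self.conflicts: List[TemplateKey] = []

    def learn(self, agent_ip: str, source_id: int, template_id: int, layout: Layout) -> bool:
        """Cache a template; return False when it overwrote a different layout."""
        key = (agent_ip, source_id, template_id)
        old = self.templates.get(key)
        if old is not None and old != layout:
            # Same key, different field layout: data records from one router will
            # now be decoded with the other router's template (wrong counters).
            self.conflicts.append(key)
        self.templates[key] = layout
        return old is None or old == layout


def simulate(forwarder_ip: Optional[str] = None, distinct_source_ids: bool = False) -> List[TemplateKey]:
    """Two routers both export template 256 with different layouts.
    Direct export: distinct agent IPs keep the keys apart.
    Via a forwarder: both arrive from forwarder_ip, so only source_id can."""
    routers = [
        ("192.0.2.1", 0, [("IPV4_SRC_ADDR", 4), ("IPV4_DST_ADDR", 4), ("IN_BYTES", 4)]),
        ("192.0.2.2", 1 if distinct_source_ids else 0,
         [("IN_BYTES", 8), ("IPV4_SRC_ADDR", 4), ("IPV4_DST_ADDR", 4)]),
    ]
    cache = TemplateCache()
    for agent_ip, source_id, layout in routers:
        cache.learn(forwarder_ip or agent_ip, source_id, 256, layout)
    return cache.conflicts
```

Run simulate() with and without a forwarder_ip to see the conflict appear, and with distinct_source_ids=True to see unique source_id values resolve it.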

How can I select the top K hosts by traffic in InfluxDB?

How can I select the top K networks by traffic amount in InfluxDB?

How to create a host group?

To create a new group:

Enable ban actions for the my_new_group host group:

And then add the required networks:

And finally commit the changes:

I cannot find traffic data in InfluxDB for particular hosts

First of all, please check that FNM sees traffic for this host. If a host has zero traffic, we will not push data into InfluxDB.

If you do have traffic, check the InfluxDB log /var/log/influxdb/influxd.log for a record like "WARN: 100% of max-values-per-tag limit exceeded: (100096/100000), db=fastnetmon shard=7 measurement=hosts_traffic tag=host".

This issue can be fixed by increasing the max-values-per-tag value in /etc/influxdb/influxdb.conf and restarting InfluxDB:

How does flow_spec_execute_validation work?

Validation includes the following checks:

  • Source prefix should be exactly /32
  • Destination prefix should be exactly /32
  • Source prefix should belong to networks_list
  • Destination prefix should belong to networks_list
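The four checks above carried out on a single rule, as an added example that is not FastNetMon's own validation code. The rule dictionary shape (source_prefix / destination_prefix keys) and the networks_list values are assumptions.

```python
# Added example (not FastNetMon's code): reimplements the four
# flow_spec_execute_validation checks listed above for one rule.
# The rule dictionary keys and the networks_list values are assumptions.
import ipaddress
from typing import List


def validate_flowspec_rule(rule: dict, networks_list: List[str]) -> List[str]:
    """Return a list of validation failures; an empty list means the rule passes."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks_list]
    errors: List[str] = []
    for side in ("source_prefix", "destination_prefix"):
        raw = rule.get(side)
        if raw is None:
            errors.append(f"{side} is missing")
            continue
        try:
            prefix = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            errors.append(f"{side} {raw!r} is not a valid prefix: {exc}")
            continue
        # Checks 1 and 2: the prefix must be exactly one host (/32)
        if prefix.prefixlen != 32:
            errors.append(f"{side} {raw} must be exactly /32, got /{prefix.prefixlen}")
        # Checks 3 and 4: the host must lie inside one of our networks_list entries
        if not any(prefix.subnet_of(n) for n in nets if n.version == prefix.version):
            errors.append(f"{side} {raw} does not belong to networks_list")
    return errors
```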

You can disable it this way:

How can I remove all networks from networks_list?

How can I remove all host groups?

Selective BGP blackhole or traffic diversion

Please check this guide if you need /32 or /24 announcements for different host groups.

sFlow, Netflow or IPFIX traffic duplication to multiple sources

We have a detailed guide about it.

How can I find the time when attack information was added into MongoDB?

FastNetMon does not store the time when it discovered an attack and added it to MongoDB.

But you can use an internal feature of MongoDB to retrieve this information. For example, you have this attack in MongoDB (attacks collection):

And you can extract when this object was added this way:

And it will return a timestamp object:
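The MongoDB feature used above is that every ObjectId embeds its creation time in its first 4 bytes (seconds since the Unix epoch). As an added example that is not part of the cookbook, the following decodes that timestamp outside the mongo shell; the ObjectId value checked is constructed, not taken from a real attacks collection.

```python
# Added example (not FastNetMon's code): decodes the creation time that MongoDB
# embeds in every ObjectId (first 4 bytes = seconds since the Unix epoch), which
# is what the shell's getTimestamp() call above returns. ObjectId values used
# with this function are constructed, not taken from a real attacks collection.
from datetime import datetime, timezone


def objectid_timestamp(oid: str) -> datetime:
    """Return the UTC creation time encoded in a 24-hex-char ObjectId string."""
    oid = oid.strip()
    # Accept the shell's ObjectId("...") wrapper as well as a bare hex string
    if oid.startswith("ObjectId(") and oid.endswith(")"):
        oid = oid[len("ObjectId("):-1].strip("\"'")
    if len(oid) != 24 or any(c not in "0123456789abcdefABCDEF" for c in oid):
        raise ValueError(f"not a valid ObjectId: {oid!r}")
    seconds = int(oid[:8], 16)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def attack_age_seconds(oid: str, now_unix: int) -> int:
    """Seconds between the attack document's creation and the given Unix time."""
    return now_unix - int(objectid_timestamp(oid).timestamp())
```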

Can I use a session on top of IPv6 addresses?

Yes, you can. Just specify IPv6 addresses for the local_address and remote_address configuration options. You can send both IPv4 and IPv6 announcements over a peering connection on top of IPv6 addresses, and you can do the same over a peering connection on top of IPv4 addresses.

How can I configure baseline / threshold values according to historical data?

You can use this guide as a reference. We also have a significantly improved version based on ClickHouse.

InfluxDB consumes a significant amount of disk space. Can I reduce disk requirements?

Yes, you can. If you do not need per-host counters, you can follow this guide. If you can't do that, you can reduce the amount of stored data this way.

Can I have multi-level thresholds?

Yes, you can implement them using the API. We have a complete guide.

Is it possible to change the configuration for traffic_db?

Yes, it's possible. We added a number of options in the 2.0.84 release; please upgrade before using them.

You need to create the file /etc/fastnetmon/traffic_db.conf:

And apply changes:

Can FastNetMon export more details about bandwidth consumed by each traffic type?

Yes, FastNetMon can export more details to InfluxDB; please follow this guide to enable per-protocol counters.

Do you have integration with Radware?

Yes, we do; please use this reference.

Can we use HA mode for FastNetMon to handle the failure of any FastNetMon instance?

Yes, you can; we offer a number of options for it.

Can I read network lists directly from a BGP session?

Yes, you can. We have a proof-of-concept implementation for this task here.

How well does FastNetMon scale under real load?

We have a detailed guide about it here.

Adding a big number of networks

If you have a text file with all networks in CIDR format like this:

You can add all of them this way:

After executing this script, please commit the changes:

If you have duplicate networks, FastNetMon will ignore the duplicates and report an error this way:

Feel free to ignore such warnings.
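An added helper, not the cookbook's own script, that reads a CIDR-per-line file, normalises and de-duplicates the prefixes before they reach fcli, and reports duplicates and invalid lines up front instead of letting FastNetMon reject them one at a time. It assumes the fcli syntax "fcli set main networks_list <prefix>"; SAMPLE is constructed data standing in for the networks file.

```python
# Added example (not the cookbook's script): validates and de-duplicates a
# networks file before generating fcli calls. The "fcli set main networks_list"
# syntax is an assumption; SAMPLE is a constructed stand-in for networks.txt.
import ipaddress
from typing import List, Tuple


def load_networks(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (unique prefixes, duplicate lines, invalid lines) from file text."""
    seen = set()
    unique, duplicates, invalid = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # allow trailing comments and blanks
        if not line:
            continue
        try:
            # strict=False normalises host bits, e.g. 192.0.2.7/24 -> 192.0.2.0/24
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            invalid.append(f"line {lineno}: {line}")
            continue
        key = net.with_prefixlen
        if key in seen:
            duplicates.append(f"line {lineno}: {line} duplicates {key}")
            continue
        seen.add(key)
        unique.append(key)
    return unique, duplicates, invalid


def fcli_commands(prefixes: List[str]) -> List[List[str]]:
    """One fcli call per prefix; 'fcli commit' must still be run afterwards."""
    return [["sudo", "fcli", "set", "main", "networks_list", p] for p in prefixes]


SAMPLE = """# constructed sample networks.txt
10.0.0.0/8
192.0.2.0/24
10.0.0.0/8
192.0.2.7/24
not-a-prefix
"""
```

On a real host pass the contents of your networks file instead of SAMPLE and run each generated command with subprocess.run(cmd, check=True), then commit as described above.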

Do you have any deployment scenarios for FastNetMon Advanced?

Yes, we have a detailed guide about it.

Can you suggest the best scenarios to deliver traffic information to FastNetMon over public networks?

Yes, we have a detailed guide about it.

Do you have support for sampled Netflow and IPFIX?

That's quite a tricky area; please check our article about it.

Can you provide the detailed algorithm used by FastNetMon for attack detection?

You can find the detailed logic here.