FastNetMon cookbook


In this document you can find a number of useful tips about FastNetMon Advanced.

Configure FastNetMon to use external InfluxDB instance

Configure FastNetMon to send logs to remote syslog server

Upgrade FastNetMon to next stable release

Then apply the configuration changes:

How can I export or import FastNetMon's configuration from a backup?

Please follow this guide

How do I log in to MongoDB?

How can I back up the configuration?

How can I import a backup?

Be careful! This command will overwrite the current configuration with the data from the backup!

Then ask FastNetMon to re-read the new configuration:

How can I use a custom host/port in fcli?

If you use a non-standard host or port for the API, you can specify them using environment variables:

Do you have a replacement tool for fastnetmon_client?

Yes, we offer an improved version of fastnetmon_client with IPv6 support.

I want to use custom connection details for MongoDB.

You can create a special file for fcli and the FastNetMon Advanced core to specify custom connection details:

And put the following in it:

After that, put the password for mongodb_username into the file /etc/fastnetmon/keychain/.mongo_fastnetmon_password.

I have a very large number of networks and do not want to specify them manually

You can use RADB data for this task. Use the whois tool and make the following query for 2-byte (16-bit) ASNs:

For 32-bit (4-byte) ASNs you can use this tool to convert them into two 16-bit numbers delimited by a dot: http://submit.apnic.net/cgi-bin/convert-asn.pl

Then you can use the following syntax:

Then you can use the aggregate tool for aggregation. It's available in the Ubuntu repositories:

How do I enable ASN lookups for the traffic DB?

Run this tool to populate the ASN dictionaries (be prepared to wait 5-10 minutes):

Then reload the traffic_db daemon:

Then check the log file /var/log/fastnetmon/traffic_db.log for the line: “I found that you have ASN database. I will use it”

Can I use nfcapd or other Netflow forwarders?

Yes, you can, but all your devices must have a unique source_id, because we use agent_ip + source_id as the unique identifier for templates. Netflow forwarders/aggregators replace the agent's IP with the forwarder's IP, so you could hit a template conflict. The result of such a conflict can be very dangerous: completely incorrect traffic processing or, in some rare cases, tool failures.

How can I select the top K hosts by traffic in InfluxDB?

How can I select the top K networks by traffic amount in InfluxDB?

How do I create a host group?

To create a new group:

Enable ban actions for the my_new_group host group:

Then add the required networks:

And finally commit the changes:

I cannot find traffic data in InfluxDB for particular hosts

First of all, check that FNM sees traffic for this host. If a host has zero traffic we do not push data into InfluxDB.

If you have traffic, check the InfluxDB log /var/log/influxdb/influxd.log for a record like “WARN: 100% of max-values-per-tag limit exceeded: (100096/100000), db=fastnetmon shard=7 measurement=hosts_traffic tag=host”.

This issue can be fixed by increasing the max-values-per-tag value in /etc/influxdb/influxdb.conf and restarting InfluxDB:

How does flow_spec_execute_validation work?

Validation includes the following steps:

  • Source prefix should be exactly /32
  • Destination prefix should be exactly /32
  • Source prefix should belong to networks_list
  • Destination prefix should belong to networks_list

You can disable it this way:
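The four checks above, written out as an added example that is not FastNetMon's own code: the rule field names (source_prefix, destination_prefix) are assumptions, and for IPv6 the single-host requirement is taken to mean /128, which the text does not state.

```python
import ipaddress

def validate_flowspec_rule(rule, networks_list):
    """Apply the flow_spec_execute_validation steps to one rule.

    rule: dict with optional 'source_prefix' / 'destination_prefix' strings
          (assumed field names, not FastNetMon's real schema).
    networks_list: iterable of CIDR strings, i.e. FastNetMon's networks_list.
    Returns a list of failure messages; an empty list means the rule passes.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in networks_list]
    failures = []
    for side in ("source", "destination"):
        key = f"{side}_prefix"
        if key not in rule:
            continue  # only prefixes that are actually present are checked
        prefix = ipaddress.ip_network(rule[key], strict=False)
        # Step 1/2: the prefix must be a single host (/32 for IPv4; /128 for IPv6 is our assumption)
        if prefix.prefixlen != prefix.max_prefixlen:
            failures.append(f"{side} prefix {prefix} is not a single host (/32)")
        # Step 3/4: the prefix must fall inside one of the networks in networks_list
        if not any(prefix.subnet_of(net) for net in networks if net.version == prefix.version):
            failures.append(f"{side} prefix {prefix} does not belong to networks_list")
    return failures
```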

How can I remove all networks from networks_list?

How can I remove all host groups?

Selective BGP blackhole or traffic diversion

Check this guide if you need /32 or /24 announces for different host groups.

sFlow, Netflow or IPFIX traffic duplication to multiple sources

We have a detailed guide about it.

How can I find the time when attack information was added into MongoDB?

FastNetMon does not store the time when it discovered an attack and added it into MongoDB.

But you can use an internal feature of MongoDB to retrieve this information. For example, you have this attack in MongoDB (attacks collection):

You can extract when this object was added this way:

It will return a timestamp object:

Can I use a session on top of IPv6 addresses?

Yes, you can. Just specify IPv6 addresses for the local_address and remote_address configuration options. You can send IPv4 and IPv6 announces over a peering session on top of IPv6 addresses, and likewise over a peering session on top of IPv4 addresses.

How can I configure baseline/threshold values according to historical data?

You can use this guide as a reference. We also have a significantly improved version based on ClickHouse.

InfluxDB consumes a significant amount of disk space. Can I reduce the disk requirements?

Yes, you can. If you do not need per-host counters you can follow this guide. If you can't do that, you can reduce the amount of stored data this way.

Can I have multi-level thresholds?

Yes, you can implement them using the API. We have a complete guide.

Is it possible to change the configuration of traffic_db?

Yes, it's possible. We added a number of options in the 2.0.84 release; please upgrade before using them.

You need to create the file /etc/fastnetmon/traffic_db.conf:

And apply the changes:

Can FastNetMon export more details about the bandwidth consumed by each traffic type?

Yes, FastNetMon can export more details to InfluxDB; follow this guide to enable per-protocol counters.

Do you have integration with Radware?

Yes, we have. Check this integration module and the next version of the integration (recommended for production):

Can we use HA mode for FastNetMon to handle the failure of any FastNetMon instance?

Yes, you can; we offer a number of options for it.

Can I read network lists directly from a BGP session?

Yes, you can. We have a bundled feature for this task here

How well does FastNetMon scale under real load?

We have a detailed guide about it here

Adding a large number of networks

If you have a text file with all networks in CIDR format like this:

You can add all of them this way:

After executing this script, commit the changes:

If you have duplicate networks, FastNetMon will ignore the duplicates and report an error this way:

Feel free to ignore such warnings.
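An added loader for the bulk import described in this section (example code, not the script from the original page): it drops blank lines, comments, malformed entries and duplicates before calling fcli, so the duplicate warnings above never appear. The fcli invocation `sudo fcli set main networks_list <cidr>` followed by `sudo fcli commit` is an assumption about the CLI syntax; the dry run prints the commands instead of executing them.

```python
import ipaddress
import subprocess
from pathlib import Path

def parse_networks(lines):
    """Return (accepted, rejected): accepted is a de-duplicated list of valid CIDR strings."""
    seen = set()
    accepted, rejected = [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # allow trailing comments in the file
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)  # strict: host bits must be zero
        except ValueError:
            rejected.append(line)              # not a network at all, or host bits set
            continue
        if net in seen:
            continue                           # FastNetMon rejects duplicates; skip them up front
        seen.add(net)
        accepted.append(str(net))
    return accepted, rejected

def fcli_commands(networks):
    """Build one fcli call per network plus the final commit (assumed CLI syntax)."""
    cmds = [["sudo", "fcli", "set", "main", "networks_list", n] for n in networks]
    cmds.append(["sudo", "fcli", "commit"])
    return cmds

def import_networks(path, dry_run=True):
    """Load the file, report rejected lines, then print or run the fcli commands."""
    accepted, rejected = parse_networks(Path(path).read_text().splitlines())
    for bad in rejected:
        print(f"skipping malformed entry: {bad}")
    for cmd in fcli_commands(accepted):
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return len(accepted)

if __name__ == "__main__":
    import sys
    import_networks(sys.argv[1], dry_run="--apply" not in sys.argv)
```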

Do you have any deployment scenarios for FastNetMon Advanced?

Yes, we have a detailed guide about it.

Can you suggest the best scenarios to deliver traffic information to FastNetMon over public networks?

Yes, we have a detailed guide about it.

Do you have support for sampled Netflow and IPFIX?

That's quite a tricky area; please check our article about it.

Can you provide the detailed algorithm used by FastNetMon for attack detection?

You can find the detailed logic here

Can FastNetMon detect remote hosts which attack my network?

Yes, it can, please check this article.

Do you support AF_XDP?

Sure, we recently added support for it and you can try it using this guide.

Can I add another user to Grafana or reset the password for existing users?

Generate a strong password using:

And add the user:

To reset the password for the default user, use “admin” instead of “support”.

Can I keep blocked hosts across FastNetMon restarts?

Yes, you can. Please use this guide.

Can I run multiple notify scripts?

Yes, of course you can. Please use this guide.

Can I install FastNetMon without using the install tool?

Yes, you can do it using our guide.

I do not see all traffic in the traffic persistence database. How can I debug it?

Under significant load traffic_db can drop packets due to the small UDP buffers in the default Linux configuration.

You can confirm this using the netstat tool:

Check the field “receive buffer errors” in the output; it should increase every few seconds.

To solve this issue we recommend the following Linux configuration:

Add the following options:

Apply changes:

After these changes, restart FastNetMon and traffic_db:
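The "receive buffer errors" figure that netstat -su prints is the RcvbufErrors counter from /proc/net/snmp, so the check above can be scripted. The following is an added example, not a FastNetMon tool: it parses two samples of that file and reports how much the counter grew, and the two embedded samples are constructed for illustration.

```python
import time

# Constructed /proc/net/snmp excerpts; only the two Udp: lines matter for this check.
SAMPLE_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 5000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 100000 3 120 4000 120 0
"""
SAMPLE_AFTER = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 9000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 180000 3 870 4100 870 0
"""

def parse_udp_stats(snmp_text):
    """Return the Udp: counters as a dict; the header line names the columns of the value line."""
    lines = [l for l in snmp_text.splitlines() if l.startswith("Udp:")]
    if len(lines) != 2:
        raise ValueError("expected one Udp: header line and one Udp: value line")
    names = lines[0].split()[1:]
    values = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(names, values))

def rcvbuf_error_delta(before_text, after_text):
    """Growth of RcvbufErrors between two samples; a steadily positive value means drops."""
    return parse_udp_stats(after_text)["RcvbufErrors"] - parse_udp_stats(before_text)["RcvbufErrors"]

def read_proc_snmp():
    with open("/proc/net/snmp") as f:
        return f.read()

def watch(rounds=5, interval=2.0):
    """Live check on a host: print how many receive buffer errors accrue per interval."""
    prev = read_proc_snmp()
    for _ in range(rounds):
        time.sleep(interval)
        cur = read_proc_snmp()
        print(f"RcvbufErrors +{rcvbuf_error_delta(prev, cur)} in {interval}s")
        prev = cur

if __name__ == "__main__":
    watch()
```

If the printed delta is consistently above zero while traffic_db is running, the UDP receive buffer is overflowing and the sysctl changes described above are needed.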

Can I whitelist arbitrary traffic from FastNetMon?

Since version 2.0.131 FastNetMon can whitelist any traffic from processing using a rich set of rules. You can check the syntax here (these rules do not use the “actions” section).

Add whitelist rules to the file /etc/fastnetmon/whitelist_rules.dat, one rule per line.

For example:

FastNetMon tracks such packets using the counter total_flowspec_whitelist_packets (sudo fcli show system_counters).

This traffic is completely discarded from processing and ignored. Be very careful with this option because it may cause issues with DDoS detection.

Can I use InfluxDB with authentication?

Yes, from version 2.0.132 you can enable authentication for InfluxDB this way:

On the InfluxDB side you have to enable auth in /etc/influxdb/influxdb.conf

Then restart the daemon:

And create an admin user:

Can I convert a configuration from the community edition to Advanced?

Yes, you can, please use this guide.

How can I debug CPU issues with FastNetMon without external monitoring tools?

You can use Telegraf and our dashboard from this guide.

Can FastNetMon inject BGP announces received from an external data source?

Yes, it can, please check this article.