Comprehensive user manual for NetFlow Auditor Standard and Enterprise Editions.

NetFlow Auditor - Some key features

FeatureSupportNetFlow Auditor
Web based GUIYesClient Browser Requirements

The client PC must have the following installed:
Firefox, Chrome or Internet Explorer supporting SVG/HTML5.

viewtopic.php?f=28&t=19
User/group dependant viewsYesNetFlow Auditor provides 3 user group roles; Administration, Operation and Customers. An Administration user has full privileges on all data and on all screens, no extra authorization is needed. An Operational user is limited by the Devices he is authorized to analyze. A Customer user is only able to generate analysis subject to the limitation of specified interfaces and/or accounts. Where Accounts correlate to preconfigured IP Allocations or AS Numbers. IP allocations can be IPv4 or IPv6. The User can be Authenticated with SSO using LDAP.

viewtopic.php?f=30&t=197

viewtopic.php?f=36&t=190
Pie-chart, bar chart and table data presentationYesChart Type
The icons to the right of the chart allow different chart types to be displayed for the Forensics report criteria.

Available Chart types are:
• Line Time Chart - Displays a comparative line chart of all elements
• Stacked Area Time Chart - Displays an aggregated line chart of all elements
• 3D Bar Chart - Displays a comparative total of the data.
• Bar Chart - Displays a comparative total of the data.
• 3D Stacked Bar Chart - Displays a stacked view of graphs with 2 dimensions.
• Stacked Bar Chart - Displays a stacked view of graphs with 2 dimensions.
• 3D Pie Chart - Displays a comparative total of the data.
• Pie Chart - Displays a comparative total of the data. Table Data
the grid column item with a single left-click will add the item value as a criteria and drill down to the flow detail.

The grid allows the grid line record to launch popup menu by means of a right-click to drill down when the chart is hidden by the Image Image graph hide/show icon.

As you drill into the graphs the criteria will be inherited for each period highlighted or chart or grid item selected.

viewtopic.php?f=30&t=211
Customisable home page per userYesEach User can change their own defaults including time zone and landing pages.

Each user can also have their own Report/Alerting screens and Report Repository.

viewtopic.php?f=30&t=197

viewtopic.php?f=30&t=202
Archiving of real-time dataYesReal-Time - Real-time analytics for QoS, performance optimization, compliance and root-cause discovery.
Real-Time provides enhanced troubleshooting and forensic capabilities for today’s complex networks.

Long-Term - Historical trending for capacity planning, traffic accounting and service level analysis.
Long-Term trending processing provides a robust fully automated end-to-end Network knowledge base to enable you to baseline, plan and profile the use of any element within your network. Long-Term trending equips management with the knowledge to better understand IT resource and network usage enabling an organization to maximize operational efficiency.

viewtopic.php?f=30&t=245
Recording of all flow data (not just TopN), in at least 1 minute resolutionYesNetFlow Auditor specializes in providing full collection and full archival where its required and practical. Our ability to retain granular data for full compliance data retention is unsurpassed in the market place today. Comprehensive statistics screen available for per minute per device collection qualification.

viewtopic.php?f=30&t=245
Must be able to keep recorded data indefinitely (storage dependant)YesAuditor creates the long-term and the real-time data bases simultaneously. Granularity of real-time and long-term data can be changed to suit your needs.

Real-time is all NetFlow fields, one minute granularity. Typically the real-time is used for trouble shooting, forensics, alerting, threat detection, etc. The default retention for real-time is 7 days. The default retention for long-term is 12 months. You may retain real-time and long-term data for as long as you like, subject to disk storage.

viewtopic.php?f=64&t=163
Must support NetFlow, IPFIX, sFlow, jFlow, cFlow, Nortel IPFIX, NetStream, Flexible NetFlowYesFull Support of all flow protocols including NetFlow, IPFIX, sFlow, jFlow, cFlow, Nortel IPFIX, NetStream, Flexible NetFlow and Cisco ASA, Cisco WLC, DNS Flows, Ixea Flows, Ipv6, NBAR, Nexus. Additional support for Mac Address and MPLS determination.
Must be able to analyze NSEL data from Cisco ASAYesFull support of all NSEL data and unique cross-sectional analytics.

Default ASA reports on menu or create your own mix of fields using the custom filter and save templates:

Flow ID, XLate Detail,
AAA UserName: Summary, Top X per Y: Flow Initiator, Application, Talkers, Flow Detail
Event: Summary Top X per Y: Ext Event, Flow Detail
Ingress ACL: Full ID, Name ID, Entry ID, Flow Detail, Top X per Y: Event, UserName, Application
Egress ACL: Full ID, Name ID, Entry ID, Flow Detail, Top X per Y: Event, UserName, Application
Flow Initiator: Summary, Top X per Y: Application, Firewall Event, UserName
Application: Summary, Top X per Y: UserName, Firewall Event, Ingress ACL, Egress ACL
Access to reports using customizable URLs (user dependent)YesForensics reports are driven by parameters which can be defined in the "Custom Forensics" screen.

Most of the Period and Criteria parameters are compatible with Multiviews and Visualization allowing drill down between them.
Drill-down analysis in created reportsYesThe drill-down functionality of NetFlow Auditor gives the user single point analysis of traffic from the charting applet. All charts can be analyzed through the drill-down menu by using the right-click button of the mouse.

viewtopic.php?f=30&t=27
Reports can be exported to CSV, XML, HTML or PDFYesA Forensics scheduled report can be created as CSV, HTML or PDF format report.
A Multiview scheduled report can be created as CSV and PDF format.

viewtopic.php?f=30&t=202
Must support bidirectonal reporting (bidirectional flows)YesComprehensive bidirectional reporting including ability to deduplicate data in series and multiple ingress/egress on same device.

We enable deduplication by default but some reports specifically don’t warrant it however it can be enabled/disabled on a per report basis and where desired saved to a template or scheduled report.

There are 3 kinds of deduplication that we do:

1) When devices are in series.
2) When ingress and egress is enabled on a single device at the same time
3) Both 1 and 2

Where ingress and egress is enabled on a single device then the exporter must support the flow direction field which in Cisco/IPFIX land is a v9/Flexible netflow/IPFIX field. We have options on how traffic should be reported in the default case or on a case by case report. For example when you are studying data moving into a traffic compression device like a WAAS then understanding the egress is beneficial and when studying the uncompressed side ingress is beneficial.

viewforum.php?f=74

viewtopic.php?f=74&t=182
Can be installed on both Windows and Linux based OSYesInstallation Note: NetFlow Auditor for Windows
Linux CentOS Installation
Linux RedHat Installation
NetFlow Auditor Enterprise Installation Instructions
NetFlow Auditor Linux Installation Instructions

NetFlow Auditor Windows Installation Instructions

viewforum.php?f=28
Supports SNMPv3YesNetflow Auditor provides the ability to use SNMPv3 for Device queries as well as communication with trap servers providing a true end-to-end encrypted process.

viewtopic.php?f=30&t=257
Definition of alarms for exceeding custom threshold or baseline valuesYesMost comprehensive threshold and baselining capability available in flow based analytics today.

Statistical baselines are learned for each measurement profile: Standard Deviations, Averages, Minimums and Maximums.

Current and previous Intelligent Baseline Network Behavior Anomaly Detection Alerts (Baseline Alert or IB-NBAD) can be viewed from the Alerts Screen.


The alerts where the majority of baselines have been breached over the last period selected will show at the top of the alert page.

viewtopic.php?f=30&t=226
Saving of custom filters used when creating reportsYesForensics reports are driven by parameters which can be defined in the "Custom Forensics" screen.

Most of the Period and Criteria parameters are compatible with Multiviews and Visualization allowing drill down between them.

viewtopic.php?f=30&t=228
Supports sending an alarm as SNMP trapYesNetFlow Auditor traps can be setup to notify a SNMP Trap Server using snmp v1,v2c or v3. The contents of the trap also contain the nature of the issue. Comprehensive ticketing system will be available Q1 2015.

viewtopic.php?f=30&t=257
Can handle up to 40000 flows per secondYesCustomers can generally expect NetFlow Auditor to handle between 9M to 20M/minute on a single server running in top 5000 flows per minute per device archival mode and between 1M to 5M per minute running in Full archival mode. Actual performance depends on the type of flows, the flow variance and environment and system hardware provided and operating system and configurations.

viewtopic.php?f=30&t=245

viewtopic.php?f=36&t=246.
Supports both Mozilla Firefox and MS IE 8YesClient Browser Requirements

The client PC must have the following installed:
Firefox, Chrome or Internet Explorer supporting SVG/HTML5.

viewtopic.php?f=28&t=19
Supports Cisco Nexus and HP ProCurve switchesYesFull Support of all flow protocols including NetFlow, IPFIX, sFlow, jFlow, cFlow, Nortel IPFIX, NetStream, Flexible NetFlow and Cisco ASA, Cisco WLC, DNS Flows, Ixea Flows, Ipv6, NBAR, Nexus. Additional support for Mac Address and MPLS determination.
Can create full flow forensics reportsYeshttp://www.netflowauditor.com/#Visibility

Unrivaled network visibility

NetFlow Auditor provides visibility of every network conversation and scales beyond any other product in the industry.

NetFlow Auditor can perform analysis on any combination of data fields simultaneously (e.g. usage, packets, flows, packet size, utilization, etc) and sort data by any field. Effectively measure usage, trending patterns, baselines, averages, peaks and troughs, and standard deviations.

Packet Size analysis: Provides a detailed view of network traffic by packet sizes. Use this information to optimize VoIP traffic as well as to identify packet size anomalies.

Count analysis: Count records as part of a result to quickly identify excessive flows or change. Any record combination can be counted, e.g. counting all internal IP's with number of IP or Port conversations enables quick identification of Port Scanners, P2P users, DoS attacks or other multi threaded conversations. Identify long lasting flows or conversations.

Deviation analysis: Analyze traffic patterns by standard deviation to identify what aspects have changed the most in a specific period, e.g. knowing what application has changed the most in the last 2 hours can lead to early detection of issues. Identify Worms, increasing flows or data floods.

Bi-directional analysis: Show forward and reverse conversations and In vs. Out conversations to quickly identify which side of the conversation is responsible for traffic usage/flows.

Baseline analysis: Short term and long term comparative analysis can be performed on any and every element. For example, interface, subnets, protocols, traffic between endpoints, IP, Location, Application or a combination thereof for a particular period compared against a previous period. Comparative analysis of each element across the time line gives the ability to identify which element caused the change and when. Baseline Alerting can then be activated to learn baselines for every hour for every weekday and alert on anomalies outside thresholds or standard deviations away from the norm.
Percentile analysis: Short term and long term percentile analysis can be calculated. For Billing or Security. A percentile analysis of a threshold event will provide an indication of change. This can be set in conjunction with Baseline analysis.

Cross section analysis: Stacked graphs enable comparison of any two network traffic parameters. As an example, A stacked bar QoS analysis can graphically show the details of each application running within every class of service.

Custom Group analysis: IP addresses can be grouped by Location, Customer, Application and Services. Network traffic detail can now be categorized in logical groups for reporting, billing and capacity planning.
Both can be installed on the OS and exists as an applianceYesLinux 6.5 / Windows
Can work both as a standalone product or as a part of another productYeshttp://www.netflowauditor.com/forum/viewtopic.php?f=30&t=202

Forensics reports are driven by parameters which can be defined in the "Custom Forensics" screen.
Sends out alarm for suspicious network activity (port scans, attacks, worms or P2P traffic)YesNetFlow Auditor's real-time engine is also an intuitive intelligent agent that learns and builds a baseline of the traffic flows occurring on any network and can alert network management on bursts, scans and peer-to-peer (P2P) traffic.

The level of granularity and the ability to drill into the traffic is unprecedented with every flow being stored for every minute up to disk space availability.

NetFlow Auditor collection and threshold alerting options can be extended to focus deeper on security needs with a complete Intrusion Detection (IDS) and security and information event management (SIEM) system.

NetFlow Auditor learns network behaviors and provides unparalleled network data intelligence providing enhanced security and intrusion detection. Behavior detection quickly identifies network anomalies and working together with the in-built analytical tools allow total visibility helping to eliminate network blindspots to resolve security and performance issues across business services and applications, dramatically reducing the risk of data leakage and potential business downtime.

Multiple Baselines are learned for each Detection profile. A Minimum of 11424 Intelligent Baseline Statistics are learned for each Monitored Traffic Item. (4 Statistical baselines for each of the 17 Measurement Profiles for each hour for each weekday).

Measurement Profiles include Flows, bps, pps, packets, packet size , bytes, counts, TCP Flags + Congestion Flags.

viewtopic.php?f=30&t=226
Definition of alarms based on user created filtersYesA Traffic analysis in Forensics can be saved as an Intelligent Baseline Network Behavior Anomaly Detection Alert. (Baseline Alert or IB-NBAD)

viewtopic.php?f=30&t=217

A traffic analysis in Forensics can be saved as a Threshold Alert.

viewtopic.php?f=30&t=216
Can identifiy QoS configuration problemsYesQoS analysis - A network provider can change QoS markings to make it more difficult to conduct DoS attacks. QoS policies can help to reduce the effects of Dos and DDoS traffic floods and keep key applications available during attacks. The first step in deploying QoS is to profile applications to determine what constitutes a normal versus an abnormal flow.

Standard QoS Reports incude: ToS, ToS Precedence, DSCP, PHB, PHB Class, Top X per Y: Application / ToS, Application / DSCP, Application / PHB, Lower Port / ToS, Interface / ToS, PHB Class / Day, PHB Class / Hour

viewtopic.php?f=74&t=187
Customizable number of elements in reportsYesForensics allows a maximum of 12 raw netflow fields and more when using correlated field combinations, and allows counting of one or more of the fields.

Forensics reports are driven by parameters which can be defined in the "Custom Forensics" screen.

Most of the Period and Criteria parameters are compatible with Multiviews and Visualization allowing drill down between them.

viewtopic.php?f=30&t=228
Allows changing alarm priority while alarm is still activeYesThe "Alerts" screen allows maintenance operations on the existing Baseline Alerts.

viewtopic.php?f=30&t=226
Sending reports by e-mailYesThe easiest way is to build the report you want on the screen and then click the “Save” button at the top of the screen. Or you can prepare your report structure in the Custom Filter and click “Save” either way is fine. Tip: Sometimes just to speed up you can go directly to the Custom Filter especially if the data size is huge and all the flows (NetFlow Auditor Professional/Enterprise) are being archived.

From the Template/Report/Alert Definition screen you can then choose to create a Template, Scheduled Report, Standard Alert or Anomaly Detection Baseline Alert (if licensed for AD)

viewtopic.php?f=72&t=173
Definition of custom applications (by port, protocol, IP address,...) that will be recognized and shown in reportsYesNetFlow Auditor Application Mapping (NAAM)

Adds intelligent network classification to network infrastructure using Network-Based Application Recognition (NBAR) principles.

Traffic can be classified in order of precedence according to groups of known ports & protocols. Provides smallest unit classification. Does not require NBAR but if available NBAR provides deep packet inspection.

Deep Packet inspection on the router.

Allows traffic to be classified according to groups of protocols, port and ipv4/ipv6 addresses, ASN and ToS and categories and sub-categories of traffic and special flags such as p2p, encrypted or tunneled.

Can look into the payload and classify according to the payload content such as transaction identified, message type or similar. E.g identifying p2p traffic running on Port 80.

Simply configure NBAR to send its specialized Netflow template to NetFlow Auditor. Auditor will learn any new profiles and will add them to existing Application Mappings. Default Mappings are already provided for all Layers.

NBAR/NBAR2

NetFlow Auditor Next Generation NetFlow Analyzer fully supports NBAR2 also known as Next Generation Network-Based Application Recognition (NBAR).

NBAR2 is adopted as a Cisco cross platform protocol classification mechanism. It supports 1000 + applications and sub-classifications, and Cisco adds/provides new signatures and signatures updates through monthly released protocol packs.

Advanced Classification Techniques: NBAR2 leverage classification techniques from SCE, which allow classification of IPv4, IPv6 and v6 transition techniques. NBAR2 can classify evasive applications like Bittorrent, eDonkey, Skype and Tor, as well as business applications like ms-lync, cloud applications such as office-365, and also mobile applications such as facetime, etc. using advanced classification techniques.

Field Extraction Support: It provides the mechanism to extract pre-defined fields from packet headers, which can be exported via Flexible NetFlow (FNF) for reporting.

http://www.netflowauditor.com/forum/viewtop ... =249&p=234
Supports flow collection for at least 5 devicesYesCorrelation and analysis of feeds from multiple appliances. Stand-alone, Cluster or Hierarchy Mode. Number of Devices / Interfaces and archival limits and license tiering are controlled by license key.

http://www.netflowauditor.com/licenseinfo.php
Can it provide billing info on customer traffic usage to be sent to our billing system (billing info API)?YesThe API is used to control the Provisioning of Services.

Manages adds and changes to the Account and Cost Centres together with their associated includes and excluded IP-ranges.

Fits into existing Billing systems allowing NetFlow Auditor to manage the counting and a 3rd Part system to manage the billing and own the Primary Chart of Accounts.
We need to give each of our customers a web-based report view but of course they’re only allowed to see their network info (based on IP address block, ASN etc.).YesNetFlow Auditor provides 3 user group roles; Administration, Operation and Customers. An Administration user has full privileges on all data and on all screens, no extra authorization is needed. An Operational user is limited by the Devices he is authorized to analyze.

A Customer user is only able to generate analysis subject to the limitation of specified interfaces and/or accounts. Where Accounts correlate to preconfigured IP Allocations or AS Numbers. IP allocations can be IPv4 or IPv6. The User can be Authenticated with SSO using LDAP.

viewtopic.php?f=30&t=197

viewtopic.php?f=36&t=190

cron