Noction Flow Analyzer Documentation

Noction Flow Analyzer Documentation

1. Introduction

Noction Flow Analyzer (NFA) is a web-based network traffic analysis, monitoring and alerting tool. The product enables engineers to optimize their networks and applications performance, control bandwidth utilization, do the proper network capacity planning, perform detailed BGP peering analysis, improve security and minimize network incidents response time.

Noction Flow Analyzer contains a few fundamental components, which working together implement the main function of NFA – offer timely traffic flows information that is easy to interpret and analyze.

Diagram

Collector (nfaflowd) receives, analyzes and processes all traffic transiting a network.

NFAAPId represents a set of secure web services that collect data from Databases. A valid NFA user-id is required to access most of the API services. Access NFA’s frontend to manage users or configure external User Directories. NFA API uses an authentication mechanism based on authentication tokens. The token is passed as a query parameter for all API requests that require authentication.

Frontend represents a complex browser application which interacts with NFAAPId. It offers a comprehensive set of reports, graphs and flows information which can reflect the current and historical state of a network.

Databases: NFA uses two databases: MySQL (configuration) and ClickHouse (Data Mart), that act relating to the central repository which stores processing results.

NFA BGP daemon stores and keeps all routes and adds AS Path to traffic flow.

2. NFA Functionality

There are basically two methods for setting filters with peers. The first one is the loose method where no checks are performed against the RIR databases. When strict method is used, the announcements are strictly verified to conform to what is declared in the routing registries.

2.1 Collector

Collector is one of NFA’s most important components. It receives, analyzes and processes all traffic transiting the network and transfers data in a compatible mode to NFA Databases – MySQL and ClickHouse. It processes the most common types of Flow: NetFlow, sFlow, J-Flow, IPFIX, NetStream.

sFlow (6343 port) is a protocol designed for monitoring network, wireless and host devices.
Developed by the sFlow.org Consortium, this protocol is supported by a wide range of network devices, as well as routing software and network solutions. sFlow, short for “sampled flow”, is an industry-standard for packet export at Layer 2 of the OSI model. It provides the means for exporting truncated packets, together with interface counters. It’s a packet sampling for an N number of packets with all required statistical information and expedited to the destination collector. The information details taken from the packet are the headers from Layer 3 and 4 and some information about the upper layers’ data only. For example, if the HTTP protocol is present, sFlow will guarantee data confidentiality since it will not extract the information from the packet and will not collect all network sessions.

NetFlow (2055 port) is an IP network statistics protocol developed by Cisco Systems, Inc. that offers the ability to collect IP session network traffic as it enters or exits an interface. By analyzing the data that is provided by NetFlow a network administrator can determine things such as the source and destination of traffic, class of service, and the cause of congestion.
Juniper routers offer a similar feature called J-Flow which in its essence is the same Cisco NetFlow protocol.

Flow statistics are captured and stored in DB which NFA’s graphical interface subsequently offers to users as dashboards, charts, and reports with filtering, grouping and aggregation functions as well as in the form of an SQL query editor that can be used to extract the data of interest.

Network devices should be first configured to forward Flow statistics to NFA in order for it to get the initial data to operate on. NFA listens to Flow stats on the default protocol ports.
Consult section 6 of this document for the examples of Flow export configuration on common network devices.

Note: Set the frequency of Flow exports on network devices as frequent as possible. For best
results export intervals should be set to 1 min or even less.

2.2 Databases

NFA processes huge volumes of data and uses two databases to store all the related information: MySQL and ClickHouse. The accumulated information is used by other NFA components to provide a graphical view of flow parameters.

MySQL is the most popular Open Source SQL database management system, developed, distributed, and supported by Oracle Corporation. It plays the role of NFA’s system data depository which possesses configuration, dashboard, device and user information.

ClickHouse is a column-oriented database management system (DBMS) for the online analytical processing of queries (OLAP).

ClickHouse benefits:
• Extremely Fast scans that can be used for real-time queries.
• Real-time data ingestion
• Parallel processing for a single query
• Hardware efficient
• Scales well both vertically and horizontally

The most important ClickHouse tables are:
• BGP
• Database_version
• Flows1
• Flows2
• Raw
• Template_flows

Flows Tables comprise the meaningful flow data.

2.3 Frontend

NFA main page is designed to display a dashboard of choice and offer facilities to access all application features via its main menu, navigation buttons, and links.

Frontend

2.3.1 Dashboards

NFA dashboards are the specific sets of flexible and interactive visualizations, designed for quick analysis of the network traffic data and informational awareness. Dashboards consist of widgets – containers with graphical representations of specific data, which can be added, edited, positioned, deleted or modified as you like.

Dashboards

NFA allows users to set up multiple dashboards. To see a list of existing dashboards, click the All Dashboards link in the top menu.

all dashboards

Dashboards are grouped for easy access into recent, favorite and all. For each dashboard, the directory displays the following information:

Name: The name of the dashboard
Description: Dashboard user-defined description
Favorite: a state marked by a star icon
Created by: The user who created the dashboard
List of widgets: widget names used in the dashboard
Default status: the default dashboard the user lands on when logging into NFA

Creating a new dashboard

You can easily create a new dashboard in NFA from the All Dashboards directory.
Click the “CREATE NEW DASHBOARD” button at the top left corner of the directory. A pop up will appear. Provide a meaningful name and description for your dashboard. Mark if you’d prefer it to be a “Shared” (all NFA users will have access to dashboard) and/or “Favorite” dashboard. Press “Create & Switch” to continue, or “Close” to return to the directory.

Create New Dashboard

Alternatively, you can create a new dashboard by cloning an existing one in the All Dashboards directory.

clone

The clone dashboard will be automatically created along with widgets from the original dashboard and added to the directory. Edit the newly created dashboard to change its name and description.

Managing Dashboards

Access any of the dashboards you’ve created or had admin rights to. Click the padlock icon in the top menu to add, edit and delete widgets or customize the dashboard’s layout.

Managing Dashboards

Click the “Open Filters” button to apply temporary filtering conditions to all widgets displayed on a given dashboard.

Deleting a Dashboard

Click the “Delete” icon on the dashboard you’d like to get rid of in the All Dashboards directory.
You can only delete a dashboard if you created it, or if you‘ve been granted the corresponding admin rights.

2.3.2 Widgets

All network traffic information in NFA is graphically represented by widgets, which are the main dashboard elements. Widgets encompass a particular query focusing on the desired network feature. A library of widgets is maintained by NFA and allows users to reuse them across all dashboards.

widgets

Use the Add Widget function available on each dashboard to see the library of existing widgets and place the desired ones on a dashboard.

add widget

You can easily create a new widget from scratch by proceeding to Data Navigation > Data Explorer in the top menu, selecting the filtering and grouping options and subsequently saving the Data Explorer view as a new widget to the desired dashboard.

Data Navigator

Alternatively, you can create a new widget by duplicating an existing one. Click on the existing widget name to open it in Data Explorer. Make desired modifications and save it as a new widget.

2.4 Data Explorer

Data Explorer provides detailed network traffic stats in both chart (when possible) and report forms. “Group & Order“, “Filters” and “Devices” functions are available to focus or broaden attention to the desired aspects of network traffic.

Data Explorer can be accessed either from the Main Menu under “Data Navigation” section or by clicking on any widget’s header on dashboards. Any grouping and filtering criteria previously setup in widgets will auto-populate in Data Explorer.

Data Explorer takes the ensuing statistics from the DB table Flows which includes but is not limited by the following:
• Time
• IP version
• Destination and Source Address
• TOS – Type of Service
• Protocol
• Source and Destination Port
• In and Out interfaces
• Source and Destination AS
• Source and Destination VLAN
• Next Hop

NFA by default uses SUM aggregation functions over Packets and Octets flow metrics.

SUM aggregation
Data Explorer functions:

Group by – specifies how to group data.
Filters – specify only the data of interest to include in results
Devices – specify from what network devices to consider the stats
Time horizon – sets the time interval to explore
Packets depict whether Packets, Octets, bits/s metrics are aggregated and plotted on charts
Run query – runs the query and retrieves data
Save as widget – prompts for a widget to be added to the library with this exact combo of filters and group by criteria
Display as – chart type icon allows switching between different ways to plot result data

Note: Top 10 results are shown by default in Data Explorer and the subsequently created widgets. To change the default settings go to Advanced options and indicate the desired number of results to be displayed on a graph. You can also limit the number of rows to be shown in table.
Advanced Options

2.4.1 Group & Order

Grouping is one of the essential criteria to analyze data. Grouping by source or destination will indicate if the traffic is inbound or outbound, grouping by the port will highlight what amount of traffic the network has for different applications and so on. Using grouping we can specify one or more Flow attributes to be analyzed.

Grouping

2.4.2 Filters

Filters are used to constrain the analyzed data to a particular subset that matches filter criteria.
Filters can be applied while working with Dashboards or within Data Explorer. It is a very important feature as it saves time and significantly reduces the workload.

Note: NFA applies AND | OR logical operation across conditions or groups of conditions. Thus we can get various sessions like: IP address AND (port = 80 OR port = 443) when a particular server web traffic is queried.
Filters

2.4.3 Devices

NFA devices inventory accumulates information about all types of network devices being used and assigns them meaningful names. Devices can be assigned to sites/location and can further enhance the grouping and filtering capabilities available for analysis.

Note that Flow stats received by NFA and NOT matched to any configured devices will be
assigned to a default Not Named device.
Devices

Flow sources are matched to configured devices by source IP.
Once configured, Devices can be used in Data Explorer as additional filters.

2.4.4 Time Intervals

Time intervals govern how fast and how detailed the resulting data can be. When a query extends over a long time interval or checks data far in the past the results will be less granular compared to shorter and current time intervals.

Time Intervals

2.5 SQL Query Editor

Users with administrative rights can have full access to the Collected Network Knowledge through Query Editor. Users can approach tables from DB using SQL (Structured Query Language), which is the standard computer language for relational database management and data manipulation.

Query editor offers functions to:
• Edit and highlight SQL query
• Run Query to retrieve data (make sure to always set a limit on the number of records retrieved)
• Save query in a Query library
• Browse the library of Saved queries in order to start from a typical configuration
• Search for desired data within the obtained results

SQL Query

2.6 BGP Data

BGP Data is delivered as an optional add-on to Noction Flow Analyzer.

NFA overcomes the limitation of BGP support in traditional NetFlow. It employs a collection of full BGP data from BGP tables of edge routers and extracting the required BGP attributes from the tables. NFA extracts BGP attributes such as AS_PATH and matches the obtained data with a corresponding flow record. This enables NFA to see and filter on the full BGP path, not just the next hop, first three or last three AS numbers.

For Proper BGP Add-on functionality, configure iBGP session between NFA and your router(s).

Next go to Management > Inventory > Add device.

Fill out the required fields and select the device type > BGP.

device type

On the BGP Settings tab, provide the AS number, Peer Address (your router’s address) and the NFA address (NFA internal address). Hit Add Device.

BGP Settings

2.6.1 BGP Table

Use BGP Table section to see BGP data obtained from your devices. Search, filter and sort data according to your needs.

BGP Data

2.6.2 BGP Sankey Diagram

NFA offers a great way to visualize the Internet traffic routing criteria along with traffic volume using a Sankey type diagram. Its extensive filtering capabilities can provide you with a clear picture of the paths your traffic is taking, the countries regions or cities you traffic originates and terminates in, traffic volume distribution by different paths, best potential new peering candidates, and a lot more.

The list of available filters and grouping options are as follows:

  • Time
  • IP version
  • Destination and Source Address
  • TOS – Type of Service
  • Protocol
  • Source and Destination Port
  • In and Out interfaces
  • Source and Destination AS
  • Source and Destination VLAN
  • Next Hop
  • AS path
  • Device
BGP Sankey

2.7 Alerts

NFA lets you set up a robust and customizable alert system that can proactively notify you when important conditions are detected in your network traffic data. You can configure alerts based on different characteristics and parameters of your network traffic: volume changes, frequency, specific traffic type existence, duration, baseline or a complex combination of such characteristics.

2.7.1 Creating Alerts

1. Go to Alerts > My Alerts and click the “Create New Alert” button.

2. Enter a meaningful Name and Description for the Alert. Select an appropriate Priority Level: Low, High or Critical.

Alerts

3. Specify Alert Trigger Conditions by adding a single or multiple trigger Rules.

Trigger Alerts

When setting up numerous Rules with complex logic, checkmark and fill out the corresponding “Use Complex Logic” field.

Complex Logic

4. When relevant, checkmark and indicate the time interval during which the condition should exist for an Alert Notification to be sent. Alternatively, checkmark and specify the number of times an alert condition should change its state to “True” (e.g. Abnormal traffic behavior detection scenario) within a specific time interval for the Alert Notification to be sent. Proceed to Next Step.

Alert-Condition

5. On the Alert Details page, select if you’d like the alert to be activated immediately or at a later date/time. Indicate the time interval between notifications, alert reset conditions and snooze options to reduce alert fatigue.

Activate Alert

6. Indicate email(s) or Slack channel you’d like the Alert Notifications to be sent to and proceed to the Next Step.

Note:  The notification channels must be properly set up from the Management > System Notifications > Notification Channels section for users to receive alert notifications.

7. Review your Alert details, Notification Channels and Save Alert.

2.7.2 My Alerts

My Alerts section contains a list of Alerts that have been created by your NFA users. Depending on the user access level you can edit, duplicate, delete alerts or turn them on/off.

Alerts Notifications

2.7.3 Active Alerts

Active Alerts section allows you to view the triggered alert details, triggered alert date/time and allows you to reset (acknowledge) alerts.

Active Alerts
Note: When you reset (acknowledge) an alert you are taking ownership of it. This means you are aware of the conditions which triggered an alert and are taking action to solve the issue.

Follow your company’s guidelines on further actions once you acknowledge/reset a triggered alert. Acknowledged/Reset triggered alerts will be flagged with your user name and moved to the History of Alerts section.

All triggered alerts in NFA show up with UTC timestamps. This is specifically useful for teams using NFA from multiple geographical time zones.

2.7.4 History of Alerts

All triggered alerts are saved in the History of Alerts section. Use the available options to search and sort the alert incidents.

History of Alerts

3. Management

3.1 Access and Security

NFA offers IP Filtering options that provide the ability to control Portal Access. You can limit access to specific IPs or Subnets, but use caution so that you do not DENY access to yourself.

Access and Security

3.2 User Management

NFA includes a User Management function accessible under Management main menu section,
that allows the following:

  • review and filter the list of users
  • edit and delete existing user records
  • add new users
User Management
Note: User Management function is available only to users with administrative privileges.

3.3 User Profile

The user profile helps in associating characteristics with a specific user and helps to ascertain the interactive behavior of the user along with preferences. Users with administrative rights have access to and can edit any user profile. Users without admin rights have access to and can edit their user profile only.

User Profile Settings

User profile offers this function to:

  • update a user’s attributes and preferences
  • change user’s password with hints regarding password strength and confirmation mismatch.

3.4 System Notifications

3.4.1 System Notifications Overview

System notifications are used to communicate to users the state of their NFA instance and/or any of its components. They are triggered by a range of preconfigured system-level events.
The list of events that can generate notifications is provided below.
Once an NFA component is started, stopped or reconfigured it raises the following events:

  • Component Start: OK
  • Component Start: Error
  • Component Stop: OK
  • Component Stop: Error
  • Component Reconfig: OK
  • Component Reconfig: Error
  • Config Validation: OK
  • Config Validation: Error

BGPd raises the following events when BGP sessions are established/disconnected:

  • NFA BGP session Disconnected
  • NFA BGP session Established

FLOWd raises the following events when Flow Stream is Started/Stopped:

  • Flow Stream Start
  • Flow Stream Stop

3.4.2 System Notification Channels Configuration

In order for Notifications to be delivered correctly, the corresponding email or slack channel configuration shall be provided. Go to Management > System Notifications > Notification Channels.

For the email channel configuration, specify the actual Email server and Server port as well as the sender of email messages that will show in the receiver’s inbox. For Slack channel configuration, specify the Slack bot name and the Slack Webhook URL (for more details on setting up incoming webhooks visit https://api.slack.com/messaging/webhooks).

3.4.3 System Notification Subscriptions

System Notifications are sent only if a valid subscription to events has been created.

Find the list of your active subscriptions under Management > System Notifications. Search through existing subscriptions, sort, view, edit or delete them.

System Notification Subscriptions

To create a new subscription click the “Create New” button in the top right corner. A popup window will appear. Under the “Configuration” tab, provide your subscription topic and description. Choose the proper group or use the quick search option to find and checkmark the desired event(s). Hit “Next”.

new subscription

Now, under the “Details” tab, introduce the “Interval between notifications” as well as the destination email or Slack channel. Optionally, specify when to Snooze Notifications if desired and hit “Save”.

Configuration Tab

All fired events, can be found under Management > System Notifications > System Logs.

3.4.4 Notification Text Details

When a subscribed event is fired NFA will send notifications. The notification email will consist of the following:

  1. Subscription topic as specified in the subscription
  2. From email address – as configured in the email channel
  3. Time – date-time of the last event that caused the notification. In case of rate limitation, this might be older than the time of the email.
  4. Textual description of the event and any related details.
  5. Older events which have been retained due to rate limitations. Keep in mind that all past events are aggregated into a single email.

3.5 License Status

NFA is a licensed product and requires users to obtain and register their license in the application.
The license status is accessed by navigating to Management > License.

Lycence Status

License status offers:

  • information about current license status and the remaining days till its expiration
  • option to activate a license by means of an activation key

PURCHASE LICENSE redirects users to Noction’s billing system to place an order for a license.

3.6 Billing Info

To access your billing info, go to Management > Billing. The link will redirect you to the NFA Billing page. Use the credentials you’ve specified when initially requesting an NFA license to login.

3.7 NFA Version

NFA Version info is available to be able to manage the change and configuration of the application.

NFA version

4. System Requirements

 

Hardware Requirements:

  • x86_64 architecture
  • Minimum 4x core CPU (8x core CPU recommended)
  • Minimum 32GB of RAM (64GB RAM recommended; 128GB RAM – optimal)
  • Minimum 250GB SSD storage (500GB SSD storage recommended)

 

Software Requirements:

  • CentOS 7 x86_64 Minimal – Clean Install
Note: NFA will install and operate below the recommended system requirements. However, as the database size grows and if complex queries are used, this can result in slow performance.

The minimum system requirements assume default configuration. Significantly increasing the flow collection rate might cause additional load on a server, thus requiring extra memory or a larger CPU.

5. Support

Noction support team is available 24/7. Please contact our support team by emailing support@noction.com or by calling +1 (650) 903-7028.

6. Flow export configuration on network devices

Cisco XE:

The NetFlow infrastructure is based on the configuration and use of the following maps:

  • Exporter Map
  • Sampler Map
  • Flow Monitor Map

1. Exporter Map. To configure the Exporter map, you need to define the destination (flow collector), the source interface, the port used for exporting, the version of NetFlow, and the timeout rates.

router(config)# flow exporter-map EM
router(config-fem)# destination 10.1.1.5
router(config-fem)# source gi0/0
router(config-fem)# transport udp 2055
router(config-fem)# version v9
router(config-fem)# template data timeout 60
router(config-fem)# options interface-table timeout 60
router(config-fem)# exit

2. Sampler Map (defines the sample rate):

router(config)# sampler-map SM
router(config-sm)# random 1 out-of 1000
router(config)# exit

3. Flow Monitor Map. The Flow Monitor map defines the cache timeout values and associates the
exporter map with this map.

router(config)# flow monitor-map FMM
router(config-fmm)# record ipv4
router(config-fmm)# exporter EM
router(config-fmm)# cache timeout active 60
router(config-fmm)# cache timeout inactive 60
router(config-fmm)# exit

4. Apply the maps to the interfaces.Now that you have your maps defined, you need to apply the
Flow Monitor and Sampler maps to each of the provider interfaces:

router(config)# interface Gi0/0
router(config-if)# flow ipv4 monitor FMM sampler SM egress
router(config-if)# exit

Cisco XE:

flow exporter EXPORTER-1
 destination 172.16.10.2
 export-protocol netflow-v9
 transport udp 2055
 exit
!
flow record v4_r1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
!
flow monitor FLOW-MONITOR-1
 record v4_r1
 exporter EXPORTER-1
!
interface GigabitEthernet 0/0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 input

Cisco IOS:

ip flow-export version 9
ip flow-export destination $NFA_IP 2055
interface $Interface_to_ISP1
 ip flow ingress
 ip flow egress

jFlow-ipfix:

chassis {
    fpc 0 {
        sampling-instance nfa-instance;
    }
}                                       
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                sampling {
                    input;
                    output;
                }
            }
        }
    }
}
forwarding-options {
    sampling {
        instance {
            inst1 {
                input {
                    rate 1024;
                }
                family inet {
                    output {
                        flow-server X.X.X.X {
                            port 2055;  
                            version-ipfix {
                                template {
                                    ipfix-templatev4;
                                }
                            }
                        }
                        inline-jflow {
                            source-address Y.Y.Y.Y;
                        }
                    }
                }
            }
        }
    }
}
services {
    flow-monitoring {
        version-ipfix {
            template ipfix-templatev4 {
                flow-active-timeout 60;
                flow-inactive-timeout 60;
                template-refresh-rate {
                    seconds 60;         
                }
                ipv4-template;
            }
        }
    }
}

X.X.X.X – IP address of NFA server
Y.Y.Y.Y – source IP address of flow packets (router IP address)

jFlow-v9:

chassis {
    fpc 0 {
        sampling-instance nfa-instance;
    }
}                                       
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                sampling {
                    input;
                    output;
                }
            }
        }
    }
}
forwarding-options {
    sampling {
        instance {
            nfa-instance {
                input {
                    rate 1024;
                }
                family inet {
                    output {
                        flow-server X.X.X.X {
                            port 2055;  
                            version9 {
                                template {
                                    v9-templatev4;
                                }
                            }
                        }
                        inline-jflow {
                            source-address Y.Y.Y.Y;
                        }
                    }
                }
            }
        }
    }
}
services {
    flow-monitoring {
        version9 {
            template v9-templatev4 {
                flow-active-timeout 60;
                flow-inactive-timeout 60;
                template-refresh-rate {
                    seconds 60;         
                }
                ipv4-template;
            }
        }
    }
}

X.X.X.X – IP address of NFA server
Y.Y.Y.Y – source IP address of flow packets (router IP address)

sFLOW-Arista:

!
sflow run
sflow source $SOURCE
sflow destination $DESTINATION $PORT
sflow polling-interval 10
sflow sample $SAMPLING-RATE
!

By default the global enabled sflow will export the flow from all interfaces. To disable the flow export on specific interface the #no sflow enable# is used in interface config mode #(config-if)

Mikrotik:

ip traffic-flow set interfaces=$ISP cache-entries=1M enabled=yes active-flowtimeout=5 inactive-flow-timeout=60
ip traffic-flow target set dst-address=$NFA_IP port=2055 src-address=$ROUTER_IP
version=9 v9-template-refresh=100 v9-template-timeout=300

Huawei NetStream:

1. Configure NetStream sampling

[Router] interface <$upstream_interface>
[Router-$upstream_interface] ip netstream sampler fix-packets 1200 inbound
[Router-$upstream_interface] ip netstream sampler fix-packets 1200 outbound
[Router-$upstream_interface] quit

2. Configure NetStream flow aging

[Router] ip netstream timeout active 20
[Router] ip netstream timeout inactive 100
[Router] ip netstream tcp-flag enable

2. Configure NetStream flow aging

[Router] ip netstream timeout active 20
[Router] ip netstream timeout inactive 100
[Router] ip netstream tcp-flag enable

4. Configure the version for the exported packets

[Router] ip netstream export version 9

5. Enable flow statistics collection on the interface

[Router] interface <$upstream_interface>
[Router-$upstream_interface] ip netstream inbound
[Router-$upstream_interface] ip netstream outbound
[Router-$upstream_interface] quit