15. Configuration » Components » Flow Sensor

Many routers and switches can collect IP traffic statistics and periodically export them in form of flow records to Flow Sensor. Since the flow protocol already performs pre-aggregation of traffic data, the flow data sent to Flow Sensor is much smaller than the monitored traffic, and this makes the Flow Sensor a good option for monitoring remote or high-traffic networks. The advantages and disadvantages of flow-based monitoring are listed in the Choosing a Method of Traffic Monitoring and DDoS Detection section.

For detailed instructions on how to enable NetFlow, sFlow or IPFIX on your network device, please consult its documentation. Appendix 2 lists some configuration examples for a few Cisco IOS, CatOS, and Juniper devices.

To add a Flow Sensor, click the [+] button from the title bar of the Configuration » Components panel. To modify an existing Flow Sensor, go to Configuration » Components and click its name.


Sensor Name – A short name to help you identify the Flow Sensor
Reports Visibility – Toggles the visibility inside Reports » Devices
Device Group – Optional description used to group components (e.g. by location or role). It can be used to restrict the access of Guest accounts
Sensor Server – The server that runs the Flow Sensor. The configuration of servers is described in the Configuration » Servers chapter. If this is not the Console server, follow NFS configuration for remote servers to make the raw flow data visible in the UI
Listener IP:Port – The IP address (IPv4 or IPv6) of the network interface that receives the flow packets, and the destination port
Flow Exporter IP – IP address of the flow exporter (router, switch, probe). Usually, it is the loopback address of the router. For sFlow exporters, enter the IP that sends flow packets, not the Agent IP
SNMP Settings – Click the button on the right side of the Flow Exporter IP field. You must enable SNMP on the flow exporter to allow Console to automatically extract interface information. When SNMP settings are not configured, you must manually enter the SNMP index, speed, etc. for each interface
Flow Exporter TZ – Set the time offset between the time zone (TZ) of the Flow Sensor server and the time zone of the flow exporter. Running NTP on both devices to keep their clocks synchronized is a critical requirement
Flow Protocol – Flow protocol used by the flow exporter: NetFlow, IPFIX or sFlow
Flows Timeout (s) – Some flow exporters (e.g. Juniper MX) maintain the start time of flows that were already exported. If this is the case then you need to set here the same flow active/inactive timeout value (in seconds) as the one defined in the flow exporter’s configuration
Sensor License – The license type allocated to the Flow Sensor. Wanguard provides all features; Wansight does not provide traffic anomaly detection and reaction
Flow Collector – When enabled, flow data is stored in a space-efficient binary format. LZO is the fastest. BZ2 offers the best compression rate but it’s 30 times slower than LZO. LZ4 offers a compromise between speed and efficiency. Flow records can be queried in Reports » Tools » Flows
IP Zone – Flow Sensor needs an IP Zone from which to learn the monitored network’s boundaries and to extract per-subnet settings. For more information about IP Zones consult the dedicated chapter: Configuration » Network & Policy » IP Zone
Repeater IP:Port – An embedded packet repeater can send all incoming flows to another flow collector or host. To use this optional feature enter the IP of the other flow collector and a port of your choice
IP Validation – This option can be used to distinguish the direction of traffic or to ignore certain flows:
• “Off” – Flow Sensor examines all flows and the traffic direction is established by the interface
• “On” – Flow Sensor examines the flows that have the source IP and/or the destination IP inside the selected IP Zone. This is the recommended setting for most setups
• “Strict” – Flow Sensor examines the flows that have either the source IP or the destination IP inside the IP Zone
• “Exclusive” – Flow Sensor examines the flows that have the destination IP inside the IP Zone
IP Validation Options – Set the Log Invalidated Flows field to Periodically if you want to see in the event log the percentage of invalidated flows and 10 flows failing validation, once every 10 ticks
AS Validation – Flows from BGP-enabled routers can contain the source and destination Autonomous System number (ASN). In most configurations if the AS number is set to 0 then the IP address belongs to your network. This rarely-used option is used for establishing traffic direction. AS validation has three choices:
• “Off” – Disables AS validation
• “On” – Flow Sensor examines only the flows that have the source ASN and/or the destination ASN inside the local AS list (defined below)
• “Strict” – Flow Sensor examines only the flows that have either the source ASN or the destination ASN inside the local AS list (defined below)
AS Validation Options – When AS Validation is enabled, you can enter all your AS numbers (separated by space) into the Local AS List field. Set the Log Invalidated Flows field to Periodically if you want to see in the event log the percentage of invalidated flows and 10 flows failing validation, once every 10 ticks
Granularity – Low values increase the accuracy of Sensor graphs, at the expense of increasing the RAM usage
Sampling (1/N) – Enter the sampling rate configured on the flow exporter, or “1” when no sampling rate is configured. For NetFlow v9 and sFlow the value entered here is ignored because the flow protocol automatically adjusts the sampling rate. To force a particular sampling value, enter it as a negative value
Monitored Interfaces – List of interfaces that should be monitored. To avoid producing duplicate flow entries, add only upstream interfaces
SNMP Index – The interfaces are internally identifiable only by their SNMP indexes. Enter the index manually, or configure SNMP settings
Interface Name – A short description used to identify the monitored interface. Descriptions longer than 10 characters clutter some reports
Interface Color – The color used in graphs for the interface. The default color is a random one, which can be changed by clicking the drop-down menu
Traffic Direction – Direction of traffic entering the interface, relative to your network:
• “Auto” – When selected, the direction of traffic is established by IP and/or AS Validation alone. This is the recommended setting in most cases
• “Upstream” – Set for upstream interfaces, e.g. peering interfaces, interfaces connected to the Internet
• “Downstream” – Set for downstream interfaces, e.g. customer interfaces, interfaces connected to your network
• “Null” – Traffic to Null interfaces is discarded by the router and should be ignored
Stats Engine – Collects various traffic tops and AS (Autonomous System) data:
• “Basic” – Enables tops for Internal IPs, IP protocols, versions and TCP/UDP ports. It adds a very small performance penalty
• “Extended” (recommended) – Enables all tops from “Basic” as well as tops and graphs for autonomous systems and countries, but slightly increases the CPU usage. When the router does not export AS information in flows (e.g. non-BGP router), Flow Sensor uses an internal GeoIP database to obtain AS data. Live stats for autonomous systems and countries may not be very accurate
• “Full” – Enables all tops from “Extended” as well as tops for external IPs (IPs not included in the IP Zone), but increases the RAM usage several times over, especially during spoofed attacks. Live stats for autonomous systems and countries are very accurate. Set the value to “Extended”, unless you know what you’re doing. Only this option permits the detection of threshold violations for external IPs
Stats Engine Options – When Stats Engine is set to “Extended” or “Full”, you can click the button next to it. To enable Transit AS tops and graphs, enter the path to an existing BGP Dump File exported by BGPd in MTR format, and the IPv4 and optionally IPv6 address of the BGP router
Link Speed In & Link Speed Out – Enter the speed (bandwidth, capacity) of the interface. The values are used for percentage-based reports and percentage-based bits/s thresholds
Comments – Comments about the Flow Sensor can be saved here. These observations are not visible elsewhere
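The following is an added example, not Andrisoft's code, that spells out the decision rules behind the IP Validation and AS Validation modes described above, the per-direction accounting that the troubleshooting section calls In/Out "entering/exiting the IP Zone", and the kind of summary that Log Invalidated Flows = Periodically reports (share of invalidated flows plus a sample of them). The IP Zone prefixes, the Local AS List, the flows, and all function and field names are this example's own constructions; treating ASN 0 as local follows the statement above that an AS number of 0 usually means the address belongs to your network.

```python
"""Added example (not Andrisoft's code): IP/AS Validation modes of the Flow Sensor,
modelled as plain functions over constructed sample flows."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_as: int = 0      # 0 when the exporter carries no BGP information
    dst_as: int = 0
    octets: int = 0


class IPZone:
    """Subnets that the Flow Sensor treats as 'your network' (constructed stand-in)."""

    def __init__(self, prefixes: Iterable[str]):
        self.nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]

    def __contains__(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)


def _direction(src_local: bool, dst_local: bool) -> str:
    """Direction relative to the zone: 'in' enters it, 'out' leaves it."""
    if dst_local and not src_local:
        return "in"
    if src_local and not dst_local:
        return "out"
    return "internal" if src_local else "external"


def ip_validate(flow: Flow, zone: IPZone, mode: str) -> Optional[str]:
    """Return the traffic direction for an examined flow, or None when the mode
    invalidates (ignores) the flow. Modes mirror the IP Validation setting."""
    if mode not in ("off", "on", "strict", "exclusive"):
        raise ValueError(f"unknown IP Validation mode: {mode}")
    if mode == "off":
        return "by-interface"          # addresses not consulted; interface decides
    src_local, dst_local = flow.src_ip in zone, flow.dst_ip in zone
    if mode == "on" and not (src_local or dst_local):
        return None                    # neither side inside the zone
    if mode == "strict" and src_local == dst_local:
        return None                    # exactly one side must be inside
    if mode == "exclusive" and not dst_local:
        return None                    # only flows towards the zone
    return _direction(src_local, dst_local)


def as_validate(flow: Flow, local_as: Set[int], mode: str) -> Optional[str]:
    """Same idea using ASNs. Assumption: ASN 0 counts as local, per the note above."""
    if mode not in ("off", "on", "strict"):
        raise ValueError(f"unknown AS Validation mode: {mode}")
    if mode == "off":
        return "by-interface"
    src_local = flow.src_as == 0 or flow.src_as in local_as
    dst_local = flow.dst_as == 0 or flow.dst_as in local_as
    if mode == "on" and not (src_local or dst_local):
        return None
    if mode == "strict" and src_local == dst_local:
        return None
    return _direction(src_local, dst_local)


def account_bytes(flows: Iterable[Flow], zone: IPZone, mode: str) -> Dict[str, int]:
    """Per-direction byte totals as the Flow Sensor would report them (In/Out are
    relative to the IP Zone, not to the interface)."""
    totals = {"in": 0, "out": 0, "internal": 0}
    for f in flows:
        d = ip_validate(f, zone, mode)
        if d in totals:
            totals[d] += f.octets
    return totals


def invalidation_report(flows: List[Flow], zone: IPZone, mode: str,
                        sample_size: int = 10) -> dict:
    """What a periodic 'Log Invalidated Flows' entry conveys: percentage invalidated
    and up to ten of the flows that failed validation."""
    invalid = [f for f in flows if ip_validate(f, zone, mode) is None]
    pct = 100.0 * len(invalid) / len(flows) if flows else 0.0
    return {"total": len(flows), "invalidated": len(invalid),
            "percent": pct, "sample": invalid[:sample_size]}


# Constructed sample data (documentation prefixes only).
SAMPLE_ZONE = IPZone(["203.0.113.0/24", "2001:db8::/32"])
SAMPLE_LOCAL_AS = {64500}
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 64496, 0, 1500),   # enters the zone
    Flow("203.0.113.10", "198.51.100.7", 0, 64496, 300),    # leaves the zone
    Flow("198.51.100.7", "192.0.2.9", 64496, 64497, 100),   # transit, both outside
    Flow("203.0.113.1", "203.0.113.2", 0, 0, 50),           # both inside
    Flow("2001:db8::1", "3fff::1", 0, 64499, 700),          # IPv6, leaves the zone
]

if __name__ == "__main__":
    for mode in ("on", "strict", "exclusive"):
        print(mode, [ip_validate(f, SAMPLE_ZONE, mode) for f in SAMPLE_FLOWS],
              account_bytes(SAMPLE_FLOWS, SAMPLE_ZONE, mode))
    print(invalidation_report(SAMPLE_FLOWS, SAMPLE_ZONE, "strict"))
```

Running the script shows why "On" is the usual choice: "Strict" additionally drops traffic between two addresses of the zone, and "Exclusive" discards everything leaving it, so an incomplete IP Zone shows up directly as a high invalidated percentage in the periodic log entry.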

To start the Flow Sensor, click the small button displayed next to its name in Configuration » Components. Ensure that the Flow Sensor starts correctly by watching the event log (details in the Configuration » Schedulers » Event Reporting section).

If the Flow Sensor starts without errors, but you can’t see any data collected by it in Reports » Devices » Overview after more than 5 minutes, follow the troubleshooting guide below.

15.1. Flow Sensor Troubleshooting

✔ Look for warnings or errors produced by the Flow Sensor in the event log (details in the Configuration » Schedulers » Event Reporting section)
✔ Check if you have correctly configured the Flow Sensor. Each configuration parameter is described in the previous section
✔ Ensure that the server is receiving flow packets on the configured Listener IP:Port by executing on the server the following command:
[root@localhost ~]# tcpdump -i <interface_eth0_p1p1_etc> -n -c 100 host <flow_exporter_ip> and udp and port <destination_port>
✔ Verify if the local firewall permits the Flow Sensor to receive flow packets:
[root@localhost ~]# iptables -L -n -v && iptables -t raw -L -n -v
✔ Ensure that the clocks of the server and of the flow exporter are synchronized with NTP, preferably to the same NTP server. When both devices don’t reside in the same time zone, adjust the Time Settings parameter accordingly. To verify if the server is synchronized by NTP, execute:
[root@localhost ~]# ntpq -p || chronyc tracking
✔ When you add interfaces with the Traffic Direction parameter set to “Auto”, make sure that the IP Zone you have selected contains all your IP blocks because IP Validation and/or AS Validation will be used to establish traffic direction. To capture a sample of flows failing validation in the event log, set the Log Invalidated Flows parameter to “Periodically”
✔ In order to provide fast and up-to-date traffic statistics, the Flow Sensor accepts only flows describing traffic from the last 5 minutes. All flows aged and exported with a delay exceeding 300 seconds are ignored, and the event log contains the warning “Received flow <starting/ending> <X> seconds ago”.
● When the warnings refer to the starting time, make sure that the clocks between the server and the router are synchronized, the flow exporter is properly configured, and the time zone is correctly set. Some routers (e.g. Juniper MX) maintain the start time of flows even after exporting them, so in this case you will need to set the Flow Timeout parameter in the Flow Sensor Configuration window to the same value as configured on the router (usually 30 seconds).
● When the warnings refer to the ending time, make sure that the clocks are synchronized, the time zone is correctly set, the flow exporter is properly configured, and the PFC PIC is not overloaded (on Juniper in particular).
● You can double-check whether the time of the Flow Sensor and the start/end time of flows differ by more than 300 seconds. In Reports » Tools » Flows » Flow Records, select any interface of the Flow Sensor, set Display to Extended, and generate a listing for the last 5 minutes:
◦ Column “Received Time” indicates the time when the Flow Sensor received the flow packet, according to the clock of the server
◦ Column “Start Time” indicates the time when the flow started, according to the clock of the flow exporter
◦ Column “Stop Time” indicates the time when the flow ended, according to the clock of the flow exporter
● Flow Sensor does not misinterpret the start/end time of flows. Some flow exporters are known to have bugs, limitations or inconsistencies regarding flow aging and stamping flow packets with the correct time. In this case, contact your vendor to make sure that the flow exporter is correctly configured, it runs the latest firmware, and it is able to expire flows in under 5 minutes. In some cases, a router reboot fixes the issue.
● In some JunOS versions there is a flow export rate limit with a default of 1k pps, which leads to flow aging errors. To raise the limit to 40k pps you need to execute:
set forwarding-options sampling instance NETFLOW family inet output inline-jflow flow-export-rate 40
● Some Cisco IOS XE devices do not export flows using NetFlow version 5, in under 5 minutes, even when configured to do so. In this case, switch to using Flexible NetFlow
✔ If you don’t see traffic on some/all of your monitored interfaces but you see in Reports » Devices » Overview that the Flow Sensor is receiving flows, you need to check if you have correctly configured the flow exporter to send flows to the server for each of the monitored interfaces. To list all interfaces that send flows, go to Reports » Tools » Flows » Flow Tops, select any Flow Sensor interface, set Top Type to “Any Interface”, check “Include Unmonitored Ifs” in the Display Options selector, and generate a top for the last 10 minutes. The column “In/Out If” lists the SNMP index of every interface that exports flows, even if it wasn’t configured as a monitored interface in the Flow Sensor configuration
✔ If you see statistics for a single traffic direction (inbound or outbound), go to Reports » Tools » Flows » Flow Records, and generate a listing for the last 10 minutes. If all your IPs are listed in a single column, check the flow exporter’s configuration and feature list. Not all devices can export flows in both directions (e.g. some Brocade equipment generates only inbound sFlow) or with the same interface SNMP index
✔ The traffic readings of the Flow Sensor may differ from the SNMP Sensor or from other SNMP-based monitoring tools. Flow Sensor counts In/Out traffic as traffic entering/exiting the IP Zone (when IP Validation is enabled), unlike SNMP tools that count In/Out traffic as traffic entering/exiting the interface. You can double-check the traffic readings of a Flow Sensor by configuring an SNMP Sensor to monitor the same flow exporter (see the Configuration » Components » SNMP Sensor section)
✔ If the Flow Sensor does not show the correct statistics after upgrading the router’s firmware, the SNMP index of the interfaces could have changed. In this case, adjust the SNMP indexes for the monitored interfaces manually, or redefine them
✔ If the traffic is too low after upgrading to JunOS 15.1F2 or 16.1R1, execute:
set chassis fpc inline-services flow-table-size ipv4-flow-table-size 15
✔ To troubleshoot Sensor graph or IP graph issues, follow the Graphs Troubleshooting guide
✔ Event log warning “Sensor frozen for X seconds. Restarting the collector” is generated in two cases: when the flow packets are very scarce (1 every few tens of seconds), or when the Flow Sensor doesn’t have enough CPU and I/O resources to complete analyzing the traffic. In this case, use a physical server instead of a VM, or decrease the IP graphs and accounting data that needs to be collected
✔ Event log error “License key not compatible with the existing server” can be fixed by sending the string from Configuration » Servers » [Flow Sensor server] » Hardware Key to sales@andrisoft.com
✔ Flow Sensor may crash during spoofed attacks for not having enough RAM when a monitored interface has the Stats Engine parameter set to “Full”. It is highly recommended to set the Stats Engine parameter to “Extended” instead of “Full” on systems with low amounts of RAM
✔ Make sure you are running the latest version of the software by checking Help » Software Updates
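The flow-aging warnings discussed in the troubleshooting guide (“Received flow <starting/ending> <X> seconds ago”) come down to arithmetic that every NetFlow collector has to perform: a v5 record carries its First/Last times as router SysUptime values, so the collector anchors them to the packet's unix_secs/unix_nsecs export timestamp and compares the result with its own clock. The following is an added example, not Andrisoft's code, that decodes a constructed NetFlow v5 packet this way and applies the 5-minute acceptance window described above; the 300-second limit, the clock_offset_s parameter (standing in for the Flow Exporter TZ setting), the “in the future” check for an exporter clock running ahead, and all function names are this example's own assumptions, and the sample records are constructed.

```python
"""Added example (not Andrisoft's code): NetFlow v5 decoding and the flow-age
check behind 'Received flow starting/ending X seconds ago'."""
import ipaddress
import struct
from typing import List, NamedTuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 record
MAX_FLOW_AGE_S = 300.0   # assumed: the 5-minute window stated in the guide


class SampleFlow(NamedTuple):
    """Constructed flow as seen by the exporter (times are SysUptime in ms)."""
    src: str
    dst: str
    in_if: int
    out_if: int
    first_ms: int
    last_ms: int
    octets: int


def build_v5_packet(unix_secs: int, sys_uptime_ms: int,
                    flows: List[SampleFlow], sampling_interval: int = 100) -> bytes:
    """Build an exporter packet. Sampling field: top 2 bits = mode (1 = packet
    interval sampling), low 14 bits = the 1-in-N interval."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, 0, 0, 0,
                            (1 << 14) | sampling_interval)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(f.src).packed,
                       ipaddress.IPv4Address(f.dst).packed,
                       b"\0" * 4,                      # nexthop
                       f.in_if, f.out_if,              # SNMP ifIndex in / out
                       max(1, f.octets // 500), f.octets,
                       f.first_ms, f.last_ms,
                       443, 51234, 0, 0x18, 6, 0,      # ports, pad, TCP flags, proto, ToS
                       64496, 0,                       # src_as, dst_as (0 = local side)
                       24, 24, 0)                      # masks, pad
        for f in flows)
    return header + body


def parse_v5(packet: bytes) -> dict:
    """Decode header and records; convert SysUptime-relative First/Last to
    wall-clock seconds using the exporter's own export timestamp."""
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs,
     _seq, _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated NetFlow v5 packet")
    export_ts = unix_secs + unix_nsecs / 1e9        # exporter clock at export time
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(r[0])),
            "dst": str(ipaddress.IPv4Address(r[1])),
            "in_if": r[3], "out_if": r[4],
            "packets": r[5], "octets": r[6],
            "start": export_ts - (sys_uptime_ms - r[7]) / 1000.0,
            "end": export_ts - (sys_uptime_ms - r[8]) / 1000.0,
            "src_as": r[15], "dst_as": r[16],
        })
    return {"sampling_interval": sampling & 0x3FFF, "records": records}


def flow_age_warnings(rec: dict, received_at: float, clock_offset_s: float = 0.0,
                      max_age_s: float = MAX_FLOW_AGE_S) -> List[str]:
    """clock_offset_s converts exporter time to server time (assumed model of the
    Flow Exporter TZ setting). Flows older than max_age_s are reported the way
    the event log does; a negative age means the exporter clock runs ahead."""
    start_age = received_at - (rec["start"] + clock_offset_s)
    end_age = received_at - (rec["end"] + clock_offset_s)
    warnings = []
    if start_age > max_age_s:
        warnings.append(f"Received flow starting {start_age:.0f} seconds ago")
    if end_age > max_age_s:
        warnings.append(f"Received flow ending {end_age:.0f} seconds ago")
    if end_age < 0:   # added check, not a Wanguard message: clock skew the other way
        warnings.append(f"Flow ends {-end_age:.0f} seconds in the future (exporter clock ahead?)")
    return warnings


def check_packet(packet: bytes, received_at: float, clock_offset_s: float = 0.0) -> list:
    """(src, dst, warnings) per record, as a collector would evaluate a packet."""
    return [(rec["src"], rec["dst"], flow_age_warnings(rec, received_at, clock_offset_s))
            for rec in parse_v5(packet)["records"]]


# Constructed packet: router up for 5000 s, exported at epoch 1700000000.
SAMPLE_UPTIME_MS, SAMPLE_EXPORT_TS = 5_000_000, 1_700_000_000
SAMPLE_PACKET = build_v5_packet(SAMPLE_EXPORT_TS, SAMPLE_UPTIME_MS, [
    SampleFlow("198.51.100.7", "203.0.113.10", 5, 7, 4_990_000, 4_999_000, 150_000),  # fresh
    SampleFlow("203.0.113.10", "198.51.100.7", 7, 5, 4_600_000, 4_998_000, 9_000),    # start kept 400 s
    SampleFlow("192.0.2.9", "203.0.113.20", 5, 7, 4_500_000, 4_650_000, 1_000),       # exported late
])

if __name__ == "__main__":
    for src, dst, warns in check_packet(SAMPLE_PACKET, SAMPLE_EXPORT_TS + 1.0):
        print(f"{src} -> {dst}: {warns or 'accepted'}")
```

The second sample record reproduces the Juniper MX behaviour mentioned above (start time preserved across exports, so only the starting warning fires); the third reproduces an exporter that expires flows too slowly, which triggers both warnings. Passing a wrong clock_offset_s to flow_age_warnings shows how a missed time-zone setting turns every flow into a stale one.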