NetFlow, sFlow & IPFIX Analyzer and Collector for Wanguard and Wansight

OVERVIEW: The Flow Sensor component of Wanguard and Wansight is a fully-featured flow-based traffic analyzer and collector that supports NetFlow version 5, 7 and v9; sFlow version 4 and 5; and IPFix. At its core, Flow Sensor contains a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses in real time. Sophisticated statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network.

  • Contains a completely scalable IP traffic analysis engine able to monitor, in real time, tens of thousands of IPv4 and IPv6 addresses and ranges
  • Management and reporting through an advanced web-based Console with a unified, holistic presentation
  • Detects all bandwidth-related traffic anomalies (when used with a Wanguard license) such as:
    • Distributed Denial of Service (DDoS) attacks, unknown volumetric DoS attacks
    • NTP amplification attacks, generic UDP floods, ICMP floods, SMURF attacks
    • SYN floods, TCP/UDP port 0, LOIC, peer-to-peer attacks
    • Scans and worms sending traffic to illegal or unallocated addresses, missing traffic to/from critical services
  • Per-endpoint flexible threat reaction options (when used with a Wanguard license), such as:
    • Activate on-premise DDoS attack mitigation with Wanguard Filter
    • Send remotely-triggered BGP blackhole announcements (RTBH) using FlowSpec (RFC 5575) or null-routing communities
    • Send BGP off-/on-ramp traffic diversion announcements to on-premise / on-cloud DDoS mitigation services
    • Email alerts with user-defined dynamic templates
    • Send custom Syslog messages to remote log servers or SIEM systems
    • Extend the built-in capabilities by executing custom scripts with access to an easy-to-use API exposing 80+ internal parameters
  • Provides traffic accounting reports and per-IP, subnet or IP group graphs for each of the following traffic decoders (classes): total, tcp, tcp+syn, tcp+rst, tcp+ack, tcp+syn+ack, tcp-null, udp, icmp, other, bad, flows, flows+syn, http, https, ssl, mail, dns, sip, ntp, rdp, snmp, ssh, ipsec, ssdp, facebook, youtube, netflix, hulu. Supports custom decoders
  • Generates tops and graphs for talkers, external IPs, IP groups, autonomous systems, transit autonomous systems (based on BGP MTR files), countries (based on GeoIP), TCP or UDP ports, IP protocols, and more
  • Users can save individual flows for forensic investigation, network-wide situational awareness and to aid network troubleshooting. Flows can easily be searched, filtered, sorted and exported
  • Can compute bidirectional and aggregate flows after IP protocol, IP address, IPv4/IPv6 address with custom netmask, TCP/UDP port, VLAN label, AS number, BGP next/previous AS, SNMP interface numbers, next hop, MAC address, ToS, MPLS, and more
  • Set the short-term accuracy of bandwidth graphs between 30 seconds and 10 minutes. Set the long-term accuracy to any number of years
  • Deploy any number of instances across the network
  • Easy and non-disruptive installation on commodity hardware
  • The most affordable NetFlow ®, sFlow ® and IPFIX monitoring tool on the market

Flow Technology*:
  • Cisco NetFlow version 5, 7 or 9
  • jFlow
  • Cflowd from Juniper and Alcatel
  • NetStream from Huawei
  • FlowMon
  • sFlow version 4 or 5
Capacity / Flow Sensor Instance: 1 flow exporter with tens of 10 GbE interfaces
DDoS Detection Time: ≤ flow export time + 5 seconds
IP Graphing Accuracy: ≥ 60 seconds
Traffic Validation Options: IP classes, Interfaces, AS Numbers, Ingress/Egress
* Many entry-level and most enterprise-level routers and switches are able to export IP traffic information as flow records using one of the supported flow technologies.

Architecture: 64-bit (x86), VMs not recommended
CPU: 2.0 GHz dual-core Xeon
Network Cards: 1 x Gigabit Ethernet
Operating System*: Red Hat / CentOS 6 or 7; Debian 6, 7, 8 or 9; Ubuntu Server 12, 14 or 16; OpenSUSE 13
Disk Space: 15 GB (including OS)
 * Other Linux distributions may work but have not yet been tested.

Flow Sensor does not have a limit on the number of interfaces it can monitor or a limit of how many flows per second it can process.
Each Flow Sensor can process the flows of a single flow exporter. A server with enough RAM can run tens of Flow Sensors.
When the Flow Collector feature is enabled, Flow Sensor stores all received flows on the local disk in a compressed binary format.

You can download and try Flow Sensor for 30 days by requesting an evaluation license.
You can purchase Flow Sensor licenses through the online store.
Frequently asked questions are answered in the User Guide and Knowledge Base.
If you need any further information, do not hesitate to contact us.