Add option to create thresholds based on arbitrary traffic types
complete
FastNetMon
You can find details about allowed field values below.
- name - name of the traffic rule, used as the prefix for all metrics related to the same rule; must be lowercase: latin letters, digits or the _ symbol.
- active - flag which enables the rule; when set to false FastNetMon will ignore it. Useful to temporarily deactivate a rule without removing it.
- description - description, can be any text.
- source_ports - allows positive integers from 0 to 65535; this field may be empty, which means "any source port". May have multiple ports (up to 10) and all ports will be evaluated using "OR" for packet matching.
- destination_ports - allows positive integers from 0 to 65535; this field may be empty, which means "any destination port". May have multiple ports (up to 10) and all ports will be evaluated using "OR" for packet matching.
- packet_lengths - allows positive integers from 0 to 65535 (we allow such large values to accommodate jumbo datagrams and long flows); this field may be empty, which means "any length". May have multiple lengths (up to 10) and all lengths will be evaluated using "OR" for packet matching.
- protocols - may carry a protocol name (lowercase, IANA compliant) or a protocol number (0..255). This field may be empty, which means "any protocol". May have multiple protocols (up to 10) and all protocols will be evaluated using "OR" for packet matching. I've attached a list of well known protocol names as we use them. Our idea was to allow using well known protocol names such as tcp, udp, gre but have an option to encode any protocol with a number.
- fragmentation_flags - can be set to dont-fragment, is-fragment, first-fragment, last-fragment or not-a-fragment, or can be empty. We do not recommend using this field as IPFIX / Netflow do not allow fragmentation encoding.
- tcp_flags - can be empty or syn / ack / fin / urgent / push / rst. We support only exact matches when a single flag is set; there is no support for multi-flag matching (i.e. syn + ack).
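The field constraints listed above, as an added example that is not part of the original post or of FastNetMon's own code: a small Python validator that checks a traffic rule locally before it is pushed with fcli, and derives the counter names the rule's name will prefix. The protocol-name set is an assumed subset of the attached list (which is not reproduced on this page); every other limit mirrors the post.

```python
import re

NAME_RE = re.compile(r"^[a-z0-9_]+$")
MAX_LIST_ITEMS = 10          # the post allows up to 10 entries per list field
PORT_MAX = 65535
PROTOCOL_NUMBER_MAX = 255

# Assumed subset of the IANA protocol names FastNetMon accepts (the post refers
# to an attached list that is not on this page); numbers 0..255 are always allowed.
PROTOCOL_NAMES = {"icmp", "igmp", "tcp", "udp", "gre", "esp", "ah", "icmpv6", "sctp"}
FRAGMENTATION_FLAGS = {"dont-fragment", "is-fragment", "first-fragment",
                       "last-fragment", "not-a-fragment"}
TCP_FLAGS = {"syn", "ack", "fin", "urgent", "push", "rst"}


def _is_int(value):
    # bool is a subclass of int in Python; True must not pass as port 1
    return isinstance(value, int) and not isinstance(value, bool)


def _check_int_list(field, values, upper, errors):
    """Validate a list field: at most MAX_LIST_ITEMS integers in 0..upper."""
    if len(values) > MAX_LIST_ITEMS:
        errors.append(f"{field}: at most {MAX_LIST_ITEMS} entries, got {len(values)}")
    for v in values:
        if not _is_int(v) or not 0 <= v <= upper:
            errors.append(f"{field}: {v!r} is not an integer in 0..{upper}")


def validate_traffic_rule(rule):
    """Return a list of problems found in `rule`; an empty list means it is valid.

    `rule` is a dict keyed like the output of `fcli show traffic_rule`.
    List fields may be omitted or empty, which means "any".
    """
    errors = []

    if not NAME_RE.match(rule.get("name", "")):
        errors.append("name: must be non-empty and use only lowercase latin "
                      "letters, digits or _ (it becomes the metric prefix)")

    if not isinstance(rule.get("active", True), bool):
        errors.append("active: must be true or false")

    for field in ("source_ports", "destination_ports", "packet_lengths"):
        _check_int_list(field, rule.get(field, []), PORT_MAX, errors)

    protocols = rule.get("protocols", [])
    if len(protocols) > MAX_LIST_ITEMS:
        errors.append(f"protocols: at most {MAX_LIST_ITEMS} entries, got {len(protocols)}")
    for p in protocols:
        if _is_int(p):
            if not 0 <= p <= PROTOCOL_NUMBER_MAX:
                errors.append(f"protocols: number {p} is outside 0..{PROTOCOL_NUMBER_MAX}")
        elif not (isinstance(p, str) and p in PROTOCOL_NAMES):
            errors.append(f"protocols: {p!r} is not a lowercase IANA name or a number")

    frag = rule.get("fragmentation_flags", "")
    if frag and frag not in FRAGMENTATION_FLAGS:
        errors.append(f"fragmentation_flags: {frag!r} not in {sorted(FRAGMENTATION_FLAGS)}")

    tcp_flags = rule.get("tcp_flags", "")
    if tcp_flags and tcp_flags not in TCP_FLAGS:
        # exact single-flag match only: "syn+ack" or "syn,ack" is rejected
        errors.append(f"tcp_flags: {tcp_flags!r} must be exactly one of {sorted(TCP_FLAGS)}")

    return errors


def metric_names(rule_name):
    """Counter names a rule produces in `fcli show single_host_counters`."""
    return [f"{rule_name}_{direction}_{unit}"
            for direction in ("in", "out") for unit in ("bytes", "packets")]


if __name__ == "__main__":
    # constructed sample rules: the dns rule from the thread and a deliberately broken one
    dns = {"name": "dns", "active": True, "protocols": ["udp"], "source_ports": [53]}
    broken = {"name": "DNS-rule", "protocols": ["Udp", 300], "tcp_flags": "syn+ack",
              "destination_ports": list(range(11))}
    for rule in (dns, broken):
        problems = validate_traffic_rule(rule)
        print(rule["name"], "OK" if not problems else problems)
    print(metric_names("dns"))
```

Run it before `fcli set traffic_rule`: a name that fails the regex would also break the metric prefix, and a multi-flag tcp_flags value is silently not what the matcher supports.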
FastNetMon
complete
FastNetMon
We're happy to announce that we added complete flexible thresholds support in 2.0.311: https://github.com/FastNetMon/fastnetmon-advanced-releases/releases/tag/v2.0.311
You just need to follow instructions from this article to enable it.
FastNetMon
We just finished QA for flexible thresholds management APIs and database schemas. You can manage flexible thresholds for hostgroups in the current version of FastNetMon 2.0.304.
We have the following types of values for every single dynamic threshold:
incoming_flows_enable: false
incoming_flows_value: 0
incoming_mbits_enable: false
incoming_mbits_value: 0
incoming_packets_enable: false
incoming_packets_value: 0
name: dns
outgoing_flows_enable: false
outgoing_flows_value: 0
outgoing_mbits_enable: false
outgoing_mbits_value: 0
outgoing_packets_enable: false
outgoing_packets_value: 0
We keep the _flows_ fields just for the future; we have no technical ability to implement them in the current version of FastNetMon. mbits and packet thresholds of course will be supported completely. The very same limit applies as for traffic_rules: we allow only 16 per hostgroup.
Name of flexible thresholds must match the name of traffic_rule and can include only lower latin letters, digits or _ symbol.
Creation of dynamic threshold.
To add new flexible threshold from fcli:
sudo fcli set hostgroup flex flexible_thresholds http
API command for same operation:
curl -X PUT -u admin:xxx http://127.0.0.1:10007/hostgroup/xxxyyy/flexible_thresholds/dns
{"success":true,"error_text":""}
In case of duplicate name you will receive error:
{"success":false,"error_text":"Flexible threshold with same name already exists: dns"}
Read dynamic threshold.
To show specific flexible thresholds we have multiple fcli commands.
Show all flexible thresholds for specific hostgroup:
sudo fcli show hostgroup xxxyyy flexible_thresholds
API command for same operation:
curl -X GET -u admin:xxx http://127.0.0.1:10007/hostgroup/xxxyyy/flexible_thresholds
{"success":true,"error_text":"","values":[{"name":"http","incoming_mbits_enable":false,"outgoing_mbits_enable":false,"incoming_mbits_value":0,"outgoing_mbits_value":0,"incoming_packets_enable":false,"outgoing_packets_enable":false,"incoming_packets_value":0,"outgoing_packets_value":0,"incoming_flows_enable":false,"outgoing_flows_enable":false,"incoming_flows_value":0,"outgoing_flows_value":0},{"name":"dns","incoming_mbits_enable":false,"outgoing_mbits_enable":false,"incoming_mbits_value":0,"outgoing_mbits_value":0,"incoming_packets_enable":false,"outgoing_packets_enable":false,"incoming_packets_value":0,"outgoing_packets_value":0,"incoming_flows_enable":false,"outgoing_flows_enable":false,"incoming_flows_value":0,"outgoing_flows_value":0}]}
To show specific flexible threshold for some hostgroup you can use command:
sudo fcli show hostgroup xxxyyy flexible_thresholds dns
API command for same operation:
curl -X GET -u admin:xxx http://127.0.0.1:10007/hostgroup/xxxyyy/flexible_thresholds/dns
{"success":true,"error_text":"","value":{"name":"dns","incoming_mbits_enable":false,"outgoing_mbits_enable":false,"incoming_mbits_value":0,"outgoing_mbits_value":0,"incoming_packets_enable":false,"outgoing_packets_enable":false,"incoming_packets_value":0,"outgoing_packets_value":0,"incoming_flows_enable":false,"outgoing_flows_enable":false,"incoming_flows_value":0,"outgoing_flows_value":0}}
In case of unknown flexible threshold you will see error message:
{"success":false,"error_text":"We do not have elements with specified name for your query"}
To show specific value for specific flexible thresholds in specific hostgroup you can use command:
sudo fcli show hostgroup xxxyyy flexible_thresholds dns incoming_flows_value
API command for same operation:
curl -X GET -u admin:xxx http://127.0.0.1:10007/hostgroup/xxxyyy/flexible_thresholds/dns/outgoing_flows_value
{"success":true,"error_text":"","value":"0"}
Delete of dynamic threshold.
Dynamic threshold removal:
sudo fcli delete hostgroup flex flexible_thresholds http
API command for same operation:
curl -X DELETE -u admin:xxx http://127.0.0.1:10007/hostgroup/xxxyyy/flexible_thresholds/dns
{"success":true,"error_text":""}
Update dynamic threshold.
Edit of any dynamic threshold field:
sudo fcli set hostgroup xxxyyy flexible_thresholds dns incoming_mbits_enable true
sudo fcli set hostgroup xxxyyy flexible_thresholds dns incoming_mbits_value 100
API command for same operation:
curl -X PUT -u admin:xxx http://127.0.0.1:10007/hostgroup/xxxyyy/flexible_thresholds/dns/incoming_mbits_enable/true
{"success":true,"error_text":""}
curl -X PUT -u admin:xxx http://127.0.0.1:10007/hostgroup/xxxyyy/flexible_thresholds/dns/incoming_mbits_value/500
{"success":true,"error_text":""}
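The create / read / update / delete sequence above, as an added example that is not FastNetMon's own code: a small Python client over exactly the endpoints shown in this post, with an idempotent `ensure` that tolerates the "already exists" error and writes each value before enabling it. The base URL, the admin credentials and the hostgroup name xxxyyy are placeholders from the post; it assumes `fcli set main flexible_thresholds true` has been applied and a traffic_rule with the same name exists. `canned_send` replays the responses quoted above (abbreviated) so the logic can be exercised without a running FastNetMon.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

HOSTGROUP = "xxxyyy"      # placeholder hostgroup name, as in the post


class ApiError(Exception):
    """Raised when the API answers with "success": false."""


class FlexibleThresholds:
    """Thin wrapper around the /hostgroup/<hg>/flexible_thresholds endpoints.

    `send(method, path)` performs the HTTP request and returns the body as
    text; the default uses urllib with HTTP basic auth, and a canned sender
    can be injected to exercise the logic offline.
    """

    def __init__(self, base_url="http://127.0.0.1:10007", user="admin",
                 password="xxx", send=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}
        self.send = send or self._http_send

    def _http_send(self, method, path):
        req = urllib.request.Request(self.base_url + path, method=method,
                                     headers=self.headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()

    @staticmethod
    def path(hostgroup, *parts):
        """Build the URL path, percent-encoding every segment."""
        segments = (hostgroup, "flexible_thresholds", *parts)
        return "/hostgroup/" + "/".join(quote(str(s), safe="") for s in segments)

    def _call(self, method, path):
        reply = json.loads(self.send(method, path))
        if not reply.get("success"):
            raise ApiError(reply.get("error_text") or "unknown error")
        return reply

    def list(self, hostgroup):
        return self._call("GET", self.path(hostgroup))["values"]

    def get(self, hostgroup, name):
        return self._call("GET", self.path(hostgroup, name))["value"]

    def create(self, hostgroup, name):
        self._call("PUT", self.path(hostgroup, name))

    def delete(self, hostgroup, name):
        self._call("DELETE", self.path(hostgroup, name))

    def set_field(self, hostgroup, name, field, value):
        if isinstance(value, bool):
            value = "true" if value else "false"   # the API takes the value in the path
        self._call("PUT", self.path(hostgroup, name, field, value))

    def ensure(self, hostgroup, name, **limits):
        """Idempotently create `name` and apply limits such as incoming_mbits=100.

        Accepted keys: incoming_mbits, outgoing_mbits, incoming_packets,
        outgoing_packets (the *_flows fields are not implemented yet, see the
        post). Each value is written before its *_enable flag so a threshold
        is never enabled while it still reads 0.
        """
        try:
            self.create(hostgroup, name)
        except ApiError as err:
            if "already exists" not in str(err):
                raise
        for key, limit in limits.items():
            if key not in ("incoming_mbits", "outgoing_mbits",
                           "incoming_packets", "outgoing_packets"):
                raise ValueError(f"unsupported threshold field: {key}")
            self.set_field(hostgroup, name, f"{key}_value", int(limit))
            self.set_field(hostgroup, name, f"{key}_enable", True)
        return self.get(hostgroup, name)


def canned_send(method, path, log=None):
    """Offline stand-in for the API, built from the responses quoted in the post."""
    if log is not None:
        log.append((method, path))
    if method == "PUT" and path.endswith("/flexible_thresholds/dns"):
        return '{"success":false,"error_text":"Flexible threshold with same name already exists: dns"}'
    if method == "GET" and path.endswith("/flexible_thresholds"):
        return '{"success":true,"error_text":"","values":[{"name":"http"},{"name":"dns"}]}'
    if method == "GET" and path.endswith("/flexible_thresholds/dns"):
        return ('{"success":true,"error_text":"","value":{"name":"dns",'
                '"incoming_mbits_enable":true,"incoming_mbits_value":100}}')
    if method == "GET" and "/flexible_thresholds/" in path:
        return '{"success":false,"error_text":"We do not have elements with specified name for your query"}'
    return '{"success":true,"error_text":""}'


if __name__ == "__main__":
    log = []
    api = FlexibleThresholds(send=lambda m, p: canned_send(m, p, log))
    print(api.ensure(HOSTGROUP, "dns", incoming_mbits=100))
    for method, path in log:
        print(method, path)
```

Drop the `send=` argument to talk to a real instance; the client then sends the same basic-auth requests the curl lines above do, over plain HTTP to 127.0.0.1 as in the post.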
FastNetMon
We've made great progress and version 2.0.302 includes an option to track arbitrary types of traffic using traffic rules.
To enable it you will need to set:
sudo fcli set main flexible_thresholds true
Then you will need to create traffic rules:
sudo fcli set traffic_rule new_rule
And fill in their fields this way:
sudo fcli show traffic_rule
active: true
description:
destination_ports:
fragmentation_flags:
name: dns
packet_lengths:
protocols: udp
source_ports: 53
tcp_flags:
active: true
description:
destination_ports:
fragmentation_flags:
name: gre
packet_lengths:
protocols: gre
source_ports:
tcp_flags:
active: true
description:
destination_ports:
fragmentation_flags:
name: tcp_custom
packet_lengths:
protocols: tcp
source_ports:
tcp_flags:
After that you will see them in the output of show single_host_counters:
sudo fcli show single_host_counters 1.2.3.4
dns_in_bytes 0
dns_in_packets 0
dns_out_bytes 0
dns_out_packets 0
gre_in_bytes 0
gre_in_packets 0
gre_out_bytes 0
gre_out_packets 0
Also we support export into InfluxDB: https://grafana.com/grafana/dashboards/16102 and https://grafana.com/grafana/dashboards/16104
Andrew Yager
Equally, it may be less desirable to block on certain ports (e.g. 443/80) than other ports.