Pre-deployment

Before deploying the Plixer FlowPro appliance, review the subsections below for optimal deployment locations, recommended resource allocation, and licensing instructions.

SPAN configuration

By default, the monitor interfaces of a Plixer FlowPro appliance are set to promiscuous mode and can be connected directly to a mirrored port. This allows the appliance to be deployed in the optimal location for maximizing coverage and functionality.

../_images/SpanPorts.png

Note

  • For remote SPAN (RSPAN) configuration instruction, see this guide.

  • A 1 GB interface can be monitored using either separate SPAN interfaces for Rx/ingress and Tx/egress traffic or a single SPAN interface for both directions. Using dedicated SPANs for Rx and Tx traffic is recommended to allow for better traffic distribution and avoid potential bottlenecks. Rx and Tx SPAN interfaces can be configured as part of the Plixer FlowPro appliance’s initial setup process.

The images below show the recommended deployment locations for Plixer FlowPro based on the functions/features that will be enabled:

Plixer FlowPro (core probe functions)

../_images/FlowPro.png

APM (application performance monitoring)

../_images/APM.png

Defender (DNS and HTTP traffic monitoring)

../_images/Defender.png

Resource requirements

See below for recommended resource scaling for Plixer FlowPro virtual appliances:

CPU and RAM

Default VM configuration

Medium traffic (up to 1 Gb/s)

High traffic (up to 10 Gb/s)
8 CPU cores
8 GB RAM
6-10 CPU cores
8-18 GB RAM
10-18 CPU cores
18-34 GB RAM

Storage

Storage requirements scale with selective packet capture workloads and can be approximated using the following formula:

Capture depth * Max MTU of monitored interfaces * Expected number of source host:well-known port:destination host combinations that will be stored for the specified retention duration

The values above are stored in ~/flowpro/flowpro-settings.yaml, where:

  • Capture depth ($pcap.server_capture_depth) is the number of payload observations to be maintained per capture.

  • Retention duration ($pcap.server_ttl_hours) is the number of hours captures are stored after the last observation.

License and probe registration

Before a Plixer FlowPro appliance is deployed, it must first be licensed and registered through the Plixer Scrutinizer web interface.

Adding a license

To obtain and set up a new Plixer FlowPro license, follow these steps:

  1. Contact Plixer Technical Support and provide them with the Customer ID and Machine ID found under Admin > Plixer > Plixer FlowPro Licensing in the Plixer Scrutinizer web interface.

  2. Paste the key in the License Key field on the same page.

  3. Click Save.

After a license key has successfully been added, the page will display the number of probes supported by the license as well as registered and deployed probe counts.

Registering a new probe

After a license key has been added, the Plixer FlowPro appliance/probe can be registered as follows:

  1. Navigate to Admin > Resources > FlowPro Probes in the Plixer Scrutinizer web interface.

  2. Click the + button and enter the following details in the Add Probe tray:

    • A name to identify the probe in Plixer Scrutinizer

    • The probe’s MGMT interface IP address

    • The Plixer Scrutinizer collector to assign the probe to

  3. [Optional] Leave Default NIDS Rules enabled to import NIDS rules from open-source threat feeds for network event reporting.

  4. Click the Save button to register the probe configuration.

  5. [Optional] To deploy multiple appliances, repeat the above steps until they have all been registered.

Confirm that the probe has been correctly registered in the main FlowPro Probes view, and then proceed to deploying the hardware or virtual appliance.

Note

  • A license key and probe must be registered in Plixer Scrutinizer before the Plixer FlowPro appliance(s) is deployed. The MGMT IP address configured in Plixer Scrutinizer must also match the address assigned during the initial setup process after the appliance’s first boot.

  • If the Default NIDS Rules option is disabled, the probe will send only basic IPFIX observations, unless custom rules are manually added to the probe.

  • Plixer FlowPro APM keys can be obtained from Plixer Technical Support and entered via the probe management page. (For Plixer Scrutinizer versions below 19.6.0, the APM key will need to be entered from the Plixer FlowPro CLI.)