Testing and tuning

To ensure that flow analytics is properly configured, testing the various definitions, settings, and enabled features is strongly recommended. This can be accomplished by checking what alarms and events are being reported in the Alarm Monitor views.

When setting up flow analytics for the first time, the following process is recommended:

  1. Navigate to Admin > Definitions > IP Groups and populate the DNS Servers, Public WiFi, Network Scanners, and SNMP Pollers groups to define basic exclusions for FA algorithms.

  2. Review the list of FA algorithms in the Admin > Alarm Monitor > Flow Analytics Configuration and disable any algorithms that are irrelevant.

  3. Define additional exclusions for individual algorithms in their configuration trays as needed.

  4. Navigate to Admin > Alarm Monitor > Security Groups and add several exporters each to the Core exporters and Edge exporters security groups.

Once the first batch of exporters has been added, review the Alarm Monitor views to verify that alarms and events are being reported correctly. Afterwards, repeat Step 4 of the process and continue checking alarms and events until all exporters have been added to security groups.
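To make the effect of Steps 1 and 3 concrete, the following is an added illustration (not Scrutinizer's code, and not the page's own) of why the IP group exclusions are defined before exporters are added. It models one flow-analytics algorithm as a simple "host contacted many distinct destination/port pairs" scan heuristic, runs it over constructed flow records, and shows the alarm set before and after the DNS Servers, Network Scanners and SNMP Pollers groups are applied, plus an extra per-algorithm exclusion in the spirit of Step 3. The group names, thresholds, addresses and flow records are all assumptions made for the example.

```python
"""Toy model of exclusion-based tuning for a flow-analytics scan detector.

Added illustration only: the IP groups, threshold, addresses and flow
records below are constructed for the example and are not the product's.
"""
import ipaddress
from collections import defaultdict

# Constructed IP groups mirroring the basic exclusions the setup process defines.
IP_GROUPS = {
    "DNS Servers": ["10.0.0.53/32"],
    "Network Scanners": ["10.0.9.0/24"],
    "SNMP Pollers": ["10.0.0.161/32"],
}


def make_flows():
    """Constructed flow records as (src, dst, dst_port) tuples."""
    flows = []
    # Authorised network scanner sweeping a subnet: noise we want excluded.
    flows += [("10.0.9.5", f"10.1.1.{i}", 443) for i in range(1, 13)]
    # SNMP poller walking its monitored devices: also noise.
    flows += [("10.0.0.161", f"10.1.2.{i}", 161) for i in range(1, 13)]
    # Unknown host probing SSH across a subnet: the alarm we want to keep.
    flows += [("10.1.1.77", f"10.1.3.{i}", 22) for i in range(1, 13)]
    # Ordinary client: DNS lookup plus one web session, well under threshold.
    flows += [("10.1.1.20", "10.0.0.53", 53), ("10.1.1.20", "10.1.3.4", 443)]
    return flows


def excluded_by(ip, groups):
    """Return the name of the first IP group containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in groups.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name
    return None


def detect_scans(flows, threshold=10, groups=None, extra_hosts=()):
    """Hypothetical scan algorithm: alarm on any source that reached at least
    `threshold` distinct (dst, port) pairs. `groups` are the global IP group
    exclusions; `extra_hosts` stands in for per-algorithm exclusions."""
    groups = groups or {}
    targets = defaultdict(set)
    for src, dst, port in flows:
        if src in extra_hosts or excluded_by(src, groups):
            continue
        targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def tuning_report(flows, groups):
    """Alarm set before and after the IP group exclusions are applied."""
    return {
        "before": detect_scans(flows),
        "after": detect_scans(flows, groups=groups),
    }


if __name__ == "__main__":
    report = tuning_report(make_flows(), IP_GROUPS)
    for stage, alarms in report.items():
        print(f"{stage}: {sorted(alarms)}")
```

Running it shows three scan alarms before the exclusions and only the unknown SSH prober afterwards; the same check, repeated as each batch of exporters is added, is what the review of the Alarm Monitor views in the procedure above is meant to catch.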

Note

  • If there are continuous or unnecessary alarms or events being reported, it may also be necessary to define additional exclusions for certain algorithms.

  • To enhance response/resolution workflows, create one or more notification profiles and associate them with the appropriate alarm policies.

Further tuning

After the initial setup and testing have been completed, flow analytics functions can be further adapted to an environment's monitoring and detection requirements through global and individual algorithm settings.