Setting up Flow Analytics

FA algorithms are executed sequentially. Most of them do not run until one or more NetFlow exporters are added to the individual algorithms.

To add exporters to an algorithm, visit Admin > Settings > Flow Analytics Configuration and click on an algorithm name listed in the table.

The top of the Flow Analytics Configuration table displays the overall time to run all algorithms and the total count of violations across all algorithms.

FA configuration columns

  • Down Arrow Menu: This action menu provides several options:
    • Modify the Exporters this Algorithm runs against: Many algorithms do not need to run against all exporters. Visit the Algorithm strategy page to learn more about types of flows to send to each algorithm.
    • Modify the Hosts Excluded from violating this Algorithm: Use this utility to exclude IP addresses and portions of hostnames that are triggering false positives.
    • View the Run Time Trend for this Algorithm: View a report that displays how long the algorithm takes to run each time it is executed.
    • View the Violation Count Trend for this Algorithm: View a report that indicates how frequently the algorithm is triggering for a matching event.
  • Mouse over columns to learn what they do.
  • Round Icon: This icon indicates the status of the algorithm using different colors. Mouse over the icon and the tool tip that appears will explain the status.
  • Name: This is the name of the algorithm that is checking for abnormal behaviors. Click on the algorithm name to modify the settings, apply exporters or change the exclusions for the algorithm.
  • Time: This is the amount of time the algorithm takes to run across all selected routers/switches.
  • Count: This is the number of violations found the last time the algorithm ran. Click on the number to view graphs for longer time periods.
  • Time exceeded: Algorithms that exceed the configured run time will be cancelled.
  • Add only a few routers to a few algorithms initially and start off slowly. Pay attention to the Vitals of the server. After 15-30 minutes add a few more routers to selected algorithms and slowly ramp up the FA deployment.
  • FA has only 300 seconds (i.e. 5 minutes) to finish all enabled algorithms. If it can’t finish in 300 seconds, it will stop where it is and start over. All algorithms must finish within 5 minutes as the process repeats every 5 minutes. Optimize performance by paying attention to the time each algorithm takes to run as well as the overall time shown at the very top of the Flow Analytics Configuration gadget.

Optimizing Flow Analytics

Flow Analytics can be optimized in several different ways:

  • Modify the number of flow exporting devices included in the algorithm.
  • Disable selected algorithms.
  • Utilize a second or third copy of Scrutinizer with FA.
  • Contact your vendor to learn about the minimum hardware requirements.
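The 300-second budget above is easier to reason about with a model of the cycle. The following is an added example, not Scrutinizer's own scheduler: it runs a constructed list of algorithms sequentially, charges each one its run time (assumed here to scale with the number of exporters assigned), cancels any that exceeds its configured run-time limit, stops the cycle when the budget runs out, and then shows how trimming exporters from the slowest algorithm brings the cycle back inside the budget. The algorithm names, per-exporter costs and per-algorithm limits are all constructed placeholders.

```python
from dataclasses import dataclass, replace

# The page states the cycle budget: every enabled algorithm must finish within 300 s.
CYCLE_BUDGET_S = 300.0

@dataclass
class Algorithm:
    name: str
    exporters: list                 # flow-exporting devices this algorithm runs against
    seconds_per_exporter: float     # constructed cost model: run time grows with exporter count
    max_run_s: float                # the algorithm's configured run-time limit (assumed per algorithm)

def run_cycle(algorithms, budget_s=CYCLE_BUDGET_S):
    """Model one sequential FA cycle.

    Status per algorithm:
      idle      - no exporters assigned, so it does not run
      ran       - finished within its own limit and the cycle budget
      cancelled - exceeded its configured run time; charged that limit and cancelled
      cut off   - the cycle budget ran out part-way through it
      skipped   - never started because the budget was already exhausted
    """
    elapsed = 0.0
    report = []
    for alg in algorithms:
        if not alg.exporters:
            report.append((alg.name, "idle", 0.0))
            continue
        if elapsed >= budget_s:
            report.append((alg.name, "skipped", 0.0))
            continue
        cost = alg.seconds_per_exporter * len(alg.exporters)
        status, charge = ("cancelled", alg.max_run_s) if cost > alg.max_run_s else ("ran", cost)
        if elapsed + charge > budget_s:
            status, charge = "cut off", budget_s - elapsed
        elapsed += charge
        report.append((alg.name, status, charge))
    completed = all(status not in ("cut off", "skipped") for _, status, _ in report)
    return {"elapsed": elapsed, "completed": completed, "report": report}

def slowest(report, n=2):
    """Names of the n algorithms that consumed the most of the cycle (where to trim first)."""
    return [name for name, _, charge in sorted(report, key=lambda r: -r[2])[:n]]

def with_exporters(algorithms, name, n):
    """Return a copy of the list in which `name` runs against only its first n exporters."""
    return [replace(a, exporters=a.exporters[:n]) if a.name == name else a for a in algorithms]

def exporters(n):
    return [f"rtr-{i:02d}" for i in range(n)]   # constructed exporter names

# Constructed configuration; the letters are placeholders, not FA's real algorithm names.
EXAMPLE_ALGORITHMS = [
    Algorithm("A", exporters(4), 10.0, 120.0),
    Algorithm("B", [], 5.0, 60.0),
    Algorithm("C", exporters(20), 8.0, 100.0),
    Algorithm("D", exporters(30), 5.0, 200.0),
    Algorithm("E", exporters(3), 10.0, 60.0),
    Algorithm("F", exporters(2), 1.0, 60.0),
]

if __name__ == "__main__":
    result = run_cycle(EXAMPLE_ALGORITHMS)
    for name, status, charge in result["report"]:
        print(f"{name}: {status:10s} {charge:6.1f}s")
    print("completed:", result["completed"], "elapsed:", result["elapsed"])
    print("trim first:", slowest(result["report"]))
    trimmed = run_cycle(with_exporters(EXAMPLE_ALGORITHMS, "C", 5))
    print("after trimming C:", trimmed["completed"], trimmed["elapsed"])
```

With the constructed numbers the first cycle hits the budget during E and never reaches F, which is the situation the page describes as "stop where it is and start over". Reducing C to five exporters is the first optimization listed above, and the model shows the whole cycle then finishing in 262 s.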

Excluding from algorithms

In an effort to reduce the false positives triggered by algorithms, IP addresses and portions of host names can be excluded from them. This feature can be found by visiting Admin tab > Settings > Flow Analytics Exclusions. Most exclusions are added when viewing an individual event for an alarm.

Exclusion Types

There are two ways to exclude hosts from triggering algorithms.

IP Address: Exclude one or more IP addresses from an individual algorithm by:
  • IP address
  • IP range
  • IP subnet
  • Child: A child group is defined in IP Groups.

Reverse DNS Name: A portion of or all of a DNS resolved name can be entered. Entries are created when false positives occur. Use this interface to manage all of the entries.

Visit the Alarms tab and drill in on an alarm to see the individual events. To add an exclusion, click the Down Arrow Menu icon on the far left and select:

  • Exclude IP x.x.x.x from this algorithm
  • Exclude a portion of the reverse DNS name from this algorithm

The user can then use this interface to manage all of the entries that will be made over time.
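To make the exclusion types concrete, here is an added example (not Scrutinizer's code, and not how FA evaluates exclusions internally) that applies per-algorithm exclusions of each kind described above to a set of constructed alarm events: a single IP address, an IP range, an IP subnet, a child group looked up in a stand-in IP Groups table, and a reverse DNS substring. The algorithm names, group names, addresses and host names are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the IP Groups definitions that a "Child" exclusion refers to.
IP_GROUPS = {
    "dns_servers": ["10.0.0.53", "10.0.1.53"],
    "scanners": ["10.9.0.0/24"],
}

@dataclass(frozen=True)
class Exclusion:
    algorithm: str   # exclusions are scoped to one algorithm, as on the page
    kind: str        # "ip", "range", "subnet", "child" or "rdns"
    value: str

def _ip_matches(addr, kind, value):
    """Does the address `addr` match one IP-style exclusion value?"""
    if kind == "ip":
        return addr == ipaddress.ip_address(value)
    if kind == "range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return lo.version == addr.version and lo <= addr <= hi
    if kind == "subnet":
        return addr in ipaddress.ip_network(value, strict=False)
    if kind == "child":
        # A child group expands to its members, each either an address or a subnet.
        return any(_ip_matches(addr, "subnet" if "/" in m else "ip", m)
                   for m in IP_GROUPS.get(value, []))
    return False

def is_excluded(event, exclusions):
    """event: {"algorithm": ..., "host": "<ip>", "rdns": "<resolved name or empty>"}"""
    addr = ipaddress.ip_address(event["host"])
    rdns = (event.get("rdns") or "").lower()
    for exc in exclusions:
        if exc.algorithm != event["algorithm"]:
            continue            # an exclusion never applies to a different algorithm
        if exc.kind == "rdns":
            if rdns and exc.value.lower() in rdns:   # a portion of or all of the name
                return True
        elif _ip_matches(addr, exc.kind, exc.value):
            return True
    return False

def filter_events(events, exclusions):
    """Drop events an exclusion covers; what remains should still raise an alarm."""
    return [e for e in events if not is_excluded(e, exclusions)]

# Constructed exclusions; "Algorithm A" and "Algorithm B" are placeholder names.
EXCLUSIONS = [
    Exclusion("Algorithm A", "child", "dns_servers"),
    Exclusion("Algorithm A", "rdns", "monitor-"),
    Exclusion("Algorithm B", "subnet", "10.9.0.0/24"),
    Exclusion("Algorithm B", "range", "172.16.0.10 - 172.16.0.20"),
]

# Constructed events, shaped like what you see when drilling into an alarm.
EVENTS = [
    {"algorithm": "Algorithm A", "host": "10.0.0.53", "rdns": "ns1.corp.example"},
    {"algorithm": "Algorithm A", "host": "192.168.5.7", "rdns": "monitor-01.corp.example"},
    {"algorithm": "Algorithm A", "host": "192.168.5.9", "rdns": "laptop-42.corp.example"},
    {"algorithm": "Algorithm B", "host": "10.0.0.53", "rdns": "ns1.corp.example"},
    {"algorithm": "Algorithm B", "host": "10.9.0.17", "rdns": ""},
    {"algorithm": "Algorithm B", "host": "172.16.0.15", "rdns": ""},
    {"algorithm": "Algorithm B", "host": "172.16.0.21", "rdns": ""},
]

if __name__ == "__main__":
    for e in filter_events(EVENTS, EXCLUSIONS):
        print("still alarms:", e["algorithm"], e["host"], e["rdns"] or "(no rDNS)")
```

Note that the DNS server 10.0.0.53 is excluded from Algorithm A through the child group but still alarms on Algorithm B, because the exclusion was added for one algorithm only; this is the behaviour to expect when an exclusion is created from an individual event and the same host later trips a different algorithm.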