Learn how to change the frequency and aggregation of NetFlow data for real-time or long-term.

NOTE: Network Segmentation will change default aggregation rules.

Data Collection Tuning - IP Aggregation/Consolidation

Tailoring the Netflow Auditor long-term trending solutions for your environment is easy with the Data Collection Tuning capabilities built into Netflow Auditor. The data tuning options provide a flexible way to aggregate the information you want to store and control the size of the database to better suit your environment. This enables the user to alter the settings in Netflow Auditor between high granularity/large database; and lower granularity/smaller database solutions.

For example, if an organization is primarily concerned with root-cause discovery they may wish to maintain high granularity for as long as possible, if, however they are primarily concerned with capacity planning then a long-term low granularity configuration option would be desirable.

There are three main steps to assigning Data Collection Tuning to your Netflow Auditor system.

Step 1 - Define Rules
Define IP, Port and ASN Rules as required using the Config Rules menu in Data Collection Tuning.

Step 2 - Define Rule Policies and Rule Policy Groups
Rule policies are a grouping together of rule definitions (IP, Port or ASN) into a single policy to form a rule policy grouping. Rule policy groupings can also control the length of time that data is collected as well as rules to aggregate to a lower Rule Policy when database records reach a pre-determined threshold. This policy grouping enables the flexibility of using multiple rules to control the Data Collection and ensures that the data collection process is matched to the performance capabilities of the server.

Step 3 - Assign Rule Policies Groups to Device Groups
Each Rule Policy Group is applied to an individual Device Group from the Configuration/Management/Devices/Device Group menu. This provides the flexibility to define data collection to different Device Groups such as Gateways and LAN and or WAN routers or switches.

Rule Definitions

IP Rules
Raw netflow data provides the full source and destination IP address for every network conversation passing through the NetFlow collection point. This raw netflow information is maintained within Netflow Auditor Real-Time and NetFlow Auditor products by default. Standard configuration in Netflow Auditor Long-Term (Optional in Netflow Auditor Real-Time) is an aggregation policy designed to reduce the size of the database for long-term trending information.

The IP Rule Definition screen enables full customization of the aggregation of IP address within Netflow Auditor Real-Time and Netflow Auditor Long-Term.

View, Modify, or Add IP Rule Definitions
Select Configuration/Data Collection Tuning/Config Rules/IP Rule from the Netflow Auditor Menu.

The IP Rules currently configured in your system are now listed.

To view or modify an IP Rule definition, simply double click on the IP Rule in order to progress to the IP Rule Definition screen.

To add a new IP Rule Definition, click Add then fill in the Name and Description fields and click Confirm. Then double click on the newly added IP Rule in order to progress to the IP Rule Definition screen.

The following image shows the standard IP Rule Definition screen for the Long-Term IP Rule

Rule Policy
The rule policy screen is accessed by navigating through the Netflow Auditor menu, Configuration/Data Collection Tuning/Rule Policy.
Rule policy is the primary function used to control what type of data and how much data is stored within the Netflow Auditor or NetFlow Auditor database.

Thresholds are set to automatically step up or down through individual rules as defined in the Rule Policy Definition screen. To view the Rule Policy Definition screen simply double click on the individual Rule Policy.

Rule Policy Definition
Rule policy definiton is a list of Rules made up of a combination of IP, Port and ASN rules. This list of Rules descends in order of Optimal (Highest Granularity) through different stages of customized data tuning rules. These settings are used by Netflow Auditor to automatically control the amount of records saved in the Netflow Auditor Database during high traffic volume such as that experienced in a DOS attack. Thresholds for stepping through the individual rules can be modified using the Rule Policy screen.