Network Traffic Collection
This page shows all the traffic captured by your configured Edge Device using the sFlow, NetFlow and Promiscuous methods. You can create or update Business Services by using the filtering options. Three options are provided: filter by Network Traffic, Addresses and URL.
- The FireScope system can collect both NetFlow and sFlow traffic. Choose the collector you prefer and configure it to point to the desired Edge Device.
- For sFlow traffic collection, we recommend using the Host sFlow collector from http://sflow.net/.
- Network URLs are only available when Promiscuous Mode has been enabled.
To create or update Service Group by Network Traffic
- Click on Configuration > Service Dependency > Network Traffic. The Network Traffic page will be displayed.
Note: You can view the Network Traffic in either List view or Map view. List view is the default view.
- Select the preferred view by clicking on the drop down list in the upper right hand corner of the screen.
- Select the Business Service Rule method to be used to discover services and dependencies.
- Enter Source IP(s) or a CIDR netblock.
- Enter Target IP(s) or a CIDR netblock.
- Enter the Port used by your application.
Note: You can enter a series of ports separated by commas or a range.
- Select either Create New Service Group or Update Existing Service Group.
- Select a Service Group from the drop down list to update an existing Service Group, or enter a name to create a new Service Group. Example below.
Network Traffic Matching Filter List View
Network Traffic Matching Filter Map View
Create or update Service Group by Network Traffic Address List View
- Select the option Define by Address from the Set Business Service Rules drop down box.
- You can filter by entering Source IP and/or Source Port. Click on the Filter button.
Note: You can enter Source IP or DNS.
Network Traffic – Filter by Address – List View
Network Traffic – Filter by Address – Map View
The Network URL page shows all the Network URLs collected on your configured Edge devices, with details such as the IPs of websites, the number of Clients connected to each website and their Port. You can create Business Services based on a URL filter. This is one of the ways to start mapping services.
Note: Network URLs are only available when Promiscuous Mode has been enabled.
To create Business Services
- Click on Configuration > Service Dependency > Network URL. The Network URL page will be displayed.
- Click on the Add sign next to the URL to add URLs to the Select URLs and port from below box.
Note: You can select multiple URLs.
- You can edit the URLs by clicking on the Edit as Tags button.
- Next, select one option from the drop down list: Create New Service Group or Update Existing Service Group.
- You can filter Network Traffic by URLs by clicking on the link; the Network Traffic page will be displayed.
- To add more URLs, click on the ADD URL button.
- Click on the Filter button to filter the newly added URLs. See Network Traffic for more information.
Create New Service Group
- Enter a Name for Service Group.
- Next click on the Create button. New Service Group is created.
Update Existing Service Group
- Select an existing Service Group from the drop down list and click on the Update button.
Here you can view Network Traffic data collected on your configured edge devices grouped by Network Destinations.
- Click on Configuration > Service Dependency > Network Destination. The Network Destination page will be displayed.
- Set Business Service Rule: Set Business Service Rule method to be used to discover services and dependencies for the selected Service Group.
- Starting IP/DNS: Enter the source IP to filter Network Traffic by. Enter an IP or DNS.
- Port: Enter the Source Port to filter Network Traffic by. Enter a port number.
- Select option: Select one option from the drop down list.
- Create New Service Group: Enter new Service Group name and click on the Create button.
- Update Existing Service Group: Select a Service Group from the drop down list.
Amazon VPC Flow Logs
Setting up AWS Flow Logs for Dependency Mapping
The following guide is designed to aid in setting up VPC Flow Logs from your AWS environment to your FireScope Edge VM. These flow logs are blended with local NetFlow/sFlow records to identify persistent connectivity between compute resources that indicates service dependencies.
High Level Overview of Setup of AWS Flow Logs for each VPC:
- Every 15 to 30 minutes, flow data is sent to a target.
- Logs are sent to S3, and the Lambda function has a trigger for it.
- The Lambda function executes code to send those flow logs to the Edge device, port 2200.
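The idea of finding persistent connectivity in flow logs, as an added example (not FireScope's code and not the Lambda jar): it parses records in the default VPC Flow Logs format and reports client-to-server pairs that recur across collection windows. The sample records, the 15-minute window, the two-window threshold and the lower-port-is-the-server heuristic are assumptions.

```python
from collections import defaultdict

# Default VPC Flow Logs record layout (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_record(line):
    """Return a dict for one accepted default-format record, else None."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry "-" instead of addresses and ports.
    if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec

def persistent_dependencies(lines, window=900, min_windows=2):
    """Map (client, server, server_port) -> number of distinct windows seen.
    Assumption: the lower port of a flow is the service side, and a pair
    counts as persistent once it appears in min_windows capture windows.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["dstport"] <= rec["srcport"]:
            key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"])
        else:  # reply direction: swap so the key is always client -> server
            key = (rec["dstaddr"], rec["srcaddr"], rec["srcport"])
        seen[key].add(rec["start"] // window)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_windows}

# Constructed sample records (private/documentation addresses, fake ids).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 49152 5432 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.15 5432 49152 6 10 8800 1700000005 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 49877 5432 6 9 2100 1700000910 1700000970 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 40111 22 6 1 40 1700000020 1700000080 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.3.7 50500 443 6 4 600 1700000030 1700000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700001800 1700001860 - NODATA
""".splitlines()

if __name__ == "__main__":
    for (client, server, port), n in persistent_dependencies(SAMPLE).items():
        print(f"{client} -> {server}:{port} seen in {n} windows")
```

Rejected flows and NODATA records are dropped before aggregation, so a blocked scan from an outside address never shows up as a dependency.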
Create a Lambda Function
- Follow the process described at http://docs.aws.amazon.com/lambda/la...-function.html to create a Lambda Function called flowLogsFunction
- Log into Amazon AWS. The Sign in page will be displayed.
- Enter your credentials and click on Sign In. AWS Services page will be displayed.
- Click on Lambda in the Compute section.
- Click on the flowLogsFunction link.
- Download the jar file from to your local PC.
- Click the Upload link and select that jar file.
- Click on Environment Variable to expand this section.
- Create an edge_device_ip environment variable and set it to the IP address of the edge device being used for this connection.
Notes: More info on Environment variables.
- Click on the Save button on the top of the page.
Note: Don’t click on Save and test because there are no Amazon tests for this Lambda.
Create VPC Flow Log on AWS
- Click on the Console Home link in the upper left hand corner.
- On the Console Home page, click on the VPC link under the Networking & Content Delivery section
- Under You are using the following Amazon VPC resources in the XXX region:, click on 1 VPC
- Select a VPC. Click on the Flow Logs tab
- Click on Create Flow Log and select the following options:
Destination Log Group: flowLogsGroup
Note: You can get more information on flow logs basics on AWS
Verify that the Lambda function is sending flow logs
- Click on the Console Home link. Click on CloudWatch, which is in the Management Tools section.
- Click on Logs on the left hand section of the page.
- Click on /aws/lambda/flowLogsFunction under Log Groups. Wait until the Last Event Time reflects a recent log file update time. This could take up to 30 minutes.
- Once a recent log file update is shown, click on the update and verify that it has a log entry that says Send Complete and one that says Result=[Success].
Verify that the database is receiving flows
Note: You may want to wait for at least two of these cycles before testing, since the Edge VM caches flows until the configured Traffic Sampling Frequency elapses (Administration menu > Edge Devices > Global Network Traffic Settings link).
- Log on to your instance of FireScope SDDM/SPM.
- Navigate to Configuration > Service Dependency > Network Traffic (Explore Network Traffic in FireScope SDDM).
- Enter the IP of a compute resource in AWS in either the source or target IP field, and click Filter. You should see records of connectivity.
What is Amazon VPC? http://docs.aws.amazon.com/AmazonVPC...roduction.html
VPC Flow Logs – Log and View network Traffic Flows
VPC Flow Logs:
Convert VPC flow logs to IPFIX and stream to FlowTraq: