When you start NetFlow Analyzer for the first time, you need to set the NetFlow collection port before you can see traffic.
The NetFlow collection port is the port on the NetVizura server that listens for NetFlow traffic exported by network devices. Set the export port number on all your network devices to match the NetFlow collection port. The default port number is 2055.
To set the NetFlow collection port:
Now is a good time to check if the system is working properly.
To do so, follow these steps:
Check the system for warnings or errors.
Click on the Show log arrow (in the bottom right corner). Any warnings or errors will be displayed, together with instructions for resolving them.
Finally, check if the network traffic is available.
Go to the TopN > All Exporters tab. Network traffic should be shown on the graphs. This verifies that the network traffic data has been collected by the NetFlow Collector and processed by the NetFlow Aggregator.
Note that it may take up to 10 minutes to see traffic from a new exporter. This is the time needed for the application to create the finest sample of traffic, since one sample lasts 5 minutes and two samples are needed to draw a line on the chart.
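If no traffic appears after that interval, it helps to confirm that export datagrams actually reach the collection port and to see which exporters send them. The following is an added example, not part of NetVizura: it assumes exporters send NetFlow v5, NetFlow v9 or IPFIX over UDP, the function names are hypothetical, and it must run while the collector is not bound to the same port (or on a test port the exporter is pointed at).

```python
import socket
import struct
import time
from collections import Counter

# Header length per export version: 5 = NetFlow v5, 9 = NetFlow v9, 10 = IPFIX.
HEADER_LEN = {5: 24, 9: 20, 10: 16}

def parse_export_header(datagram):
    """Return the export version if the datagram has a plausible header, else None."""
    if len(datagram) < 4:
        return None
    version, second = struct.unpack("!HH", datagram[:4])
    if version not in HEADER_LEN or len(datagram) < HEADER_LEN[version]:
        return None
    # v5: the count fixes the size (24 + 48 per record); IPFIX: the field is the size.
    expected = {5: 24 + 48 * second, 10: second}.get(version, len(datagram))
    return version if len(datagram) == expected else None

def summarize(packets):
    """Tally (source_ip, payload) pairs: valid by (ip, version), rejected by ip."""
    valid, rejected = Counter(), Counter()
    for src, payload in packets:
        version = parse_export_header(payload)
        if version is None:
            rejected[src] += 1
        else:
            valid[(src, version)] += 1
    return valid, rejected

def listen(port=2055, seconds=30.0):
    """Collect UDP datagrams on the port for a fixed time, then summarize them."""
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        deadline = time.monotonic() + seconds
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                payload, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            packets.append((src, payload))
    return summarize(packets)

if __name__ == "__main__":
    valid, rejected = listen()
    print("valid export datagrams:", dict(valid))
    print("rejected datagrams:", dict(rejected))
```

An exporter that appears only in the rejected tally is sending something other than flow export data to the collection port, which is worth investigating on its own.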
To learn more about system settings in general, go to chapter Configuring NetFlow System.
You do not need to configure the other settings right away. However, you should return to them once you know NetFlow Analyzer a little better, to fine-tune the behaviour of your system.
In addition to general network traffic (Exporters, Traffic Patterns and Subnets Sets), you can view traffic generated by your organization's end users (domain usernames).
To set up this traffic:
Update an existing End User mapping rule or add a new one
If you use Snare as your Syslog agent, you can use one of the provided mapping rules. In this case, just update the Source IP field, verify that the rule is matching users and change its status to Active. To do so, go to > Settings > NetFlow Settings > End Users.
If a rule for your Syslog agent is not provided with NetVizura by default, you should create your own rule in order to successfully map users (link a username with an IP address at a specific time). Read more about how to set up a custom End User mapping rule in the article Configuring End Users.
Note that it may take up to 10 minutes to see traffic for a new user. This is the time needed for the application to create the finest sample of traffic, since the sample lasts 5 minutes and two samples are needed to draw a line on the chart.
Specifying too broad a subnet in the Source IP field might result in a performance penalty. For best results, consider changing Source IP to a more specific value or a concrete IP address.