With the continuous growth of organizations’ networks, network traffic analysis is one of the most essential tasks involved in ensuring good network health and network security. Network traffic analysis solutions analyze all entities and metrics that make up the entire network, and provide extended visibility. In this article, I will be reviewing ManageEngine NetFlow Analyzer.
NetFlow Analyzer is a standalone flow-based bandwidth monitoring and network traffic analysis tool.
For the review, I will be downloading and installing my own setup of NetFlow Analyzer. ManageEngine offers a 30-day free trial of NetFlow Analyzer (available here) that can be used to monitor up to 1,000 interfaces. There is also an online demo with pre-populated devices and data that you can check out here. This is a simple click-and-download process that doesn’t involve any long steps or even your email address. The size of both the Windows and Linux installation files for the latest edition (12.5 at the time of this review) is less than 250MB, which is a huge difference compared to the large file sizes of the product’s competitors.
The basic hardware and software requirements are as follows:
- 3.2GHz quad-core processor, or equivalent
- 6GB RAM
- 200GB storage
- PostgreSQL or MSSQL database
NetFlow Analyzer can be installed on Linux as well as Windows machines. It has to be noted that most competitors of NetFlow Analyzer, other than a few open-source tools, do not offer Linux installation.
The system specifications mentioned above are the minimum requirements and depend on the number of interfaces you want to monitor. You can find a detailed list of the supported databases and hardware as well as software specifications for various flow rates here.
Installation and setup
For the purpose of this review, I will be installing NetFlow Analyzer as a Windows service. The installation process is pretty simple and hassle-free. All you have to do is double-click the downloaded file to start the installation. Following the instructions that appear on the installation window is a straightforward process that involves clicking Next a few times and using the default database (PostgreSQL) and port number.
Note: Two ports are set while starting NetFlow Analyzer: the server port and the listener port. The server port is NetFlow Analyzer’s web server port; it defaults to 8060 and is replaced by whatever web server port you specified during installation. The listener port is the UDP port on which NetFlow Analyzer receives flows, and you can configure up to five of them. Flow exports are plain UDP with no authentication, so restrict the listener port at the host firewall to the source addresses of your exporters.
Once you have installed NetFlow Analyzer, open Start > Services and start the ManageEngine NetFlow Analyzer service. When the service is up, the web UI is available at http://localhost:8060 (or the web server port you chose).
The default username and password are both “admin”. Change that password on first login, before the console is reachable from the rest of the network.
On logging in, a pop-up with the basic steps to help get started with the product appears.
I will not be going through these steps in order for now. On closing this window, you are presented with the Dashboard, which is the page you will be taken to on successive logins. It gives you an overview of all the events in your network and is highly customizable.
The first step to get started with NetFlow Analyzer and begin monitoring devices and interfaces is to export flows from these devices.
NetFlow Analyzer offers two ways to export flows:
- Predefined flow export, where the device type and configuration commands are auto-discovered
- Custom flow export, where users can manually enter the configuration commands
You can access the export flow page by navigating to Settings in the top-right corner. Hover your mouse over Discovery in the drop-down, then select Export Flow. Or navigate to Inventory and click the Add icon in the Devices tab. You can also go to the Export Flow page from the Getting Started page.
Devices can be identified by either host name or IP address. NetFlow Analyzer requires both SNMP credentials and Telnet or SSH credentials: SNMP fetches the device and its interfaces, while SSH or Telnet is used to execute the flow export commands. Prefer SSH, since Telnet sends the login and enable passwords in cleartext, and bear in mind that SNMPv1/v2c community strings travel in cleartext as well.
For the predefined flow export method, you can add the host name or IP address and then the SNMP credentials by clicking the add icon next to Select SNMP credentials or by selecting one of the existing SNMP credentials. Select SSH or Telnet as the protocol type. Enter the User Name, Password, Prompt, Enable Command, Enable User Name, Enable Password, and Enable Prompt.
Make sure you’ve added the correct credentials, otherwise the device might not be discovered properly. You can test the connection using a Ping Test, SNMP Test, or Telnet/SSH Test. Click Next to select the interfaces.
On this page, the source interface of the router is auto-identified. Here you can add any other interfaces you’d like to export flows from. Click Next.
The device type and the flow export configuration commands will be automatically listed on the Export Flow page. You can verify the configuration commands and edit them as needed. NetFlow Analyzer supports all major flow formats from various vendors.
If NetFlow Analyzer doesn’t have predefined flow export commands for your particular device model, or if you want to export flows for the device manually, you can use the custom flow export method. All you have to do is type in all the credentials mentioned above and then manually enter the commands.
Once you check the configuration commands, click Execute Configlet to execute them and verify the output that appears on the screen.
Once the flow is exported successfully, you can view the added devices in the Inventory tab.
Note: NetFlow Analyzer supports the major flow types, such as NetFlow, sFlow, J-Flow, and IPFIX.
Have a few devices that don’t support flows? Use NetFlow Analyzer’s NetFlow Generator tool (free download available here; it does not require a separate license) to convert captured packets into flow records and monitor them.
The flow export feature in NetFlow Analyzer is extremely convenient for the following reasons:
- You don’t have to enter the commands manually, and even if you want to, you can do it directly from the UI without logging in to the device’s CLI.
- The configlets are predefined.
- You can export flows in bulk from multiple interfaces.
If you have any difficulty configuring flows, you can refer to the product’s help guide here.
Let’s look at some of the common problems I came across while exporting flows that you may face:
#1 NetFlow Analyzer shows “no data available” in graphs, even after configuring flows.
This could be due to one of two things:
1. The credentials were entered incorrectly, so the flow export commands never applied on the device. Revisit the commands on the device and confirm they are configured correctly. If they are, see the next reason.
2. A firewall or access list is blocking the UDP listener port. First check whether the flows reach the NetFlow Analyzer host at all, using a packet capture tool (tcpdump or Wireshark, filtered on UDP and the listener port). If they arrive, look for a Windows Firewall or iptables rule on the host that drops them, and make sure no other application is bound to the listener port (netstat or ss shows who owns it). If they do not arrive, check for an external firewall or access list dropping the UDP packets between the exporter and the collector, and confirm the exporter is sending to the collector’s IP address and listener port.
#2 I wanted to add only two interfaces of my router, but NetFlow Analyzer automatically added all the interfaces under that device.
NetFlow Analyzer discovers every interface on a device from the input and output ifIndex fields of the flow records it receives, so any interface that carries exported flows will appear. If this happens, simply select the unwanted interfaces and “unmanage” them.
#3 Once the devices were added, some of the interfaces were listed as ifindex instead of the interface name.
Once flows are configured, interfaces are listed either by ifIndex or by interface name. If they are listed by ifIndex, NetFlow Analyzer can fetch the names over SNMP: associate the device with its SNMP credentials under Inventory.
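To make the checks in #1 through #3 concrete, here is an added example of my own, not code from NetFlow Analyzer or ManageEngine, that decodes NetFlow v5 datagrams. It validates the 24-byte header and the 48-byte records using the published v5 layout, pulls out each record’s input/output ifIndex (the fields a collector discovers interfaces from, and the numbers you see when names have not yet been resolved over SNMP), and summarizes bytes per interface and the heaviest conversations. The `listen()` helper binds a UDP port of your choosing and reports which exporter address each datagram came from. All function names are mine, the sample flows are constructed rather than captured, and the port you pass is assumed to be free (stop the NetFlow Analyzer service first, or point one exporter at a spare port). v9 and IPFIX are template-based and are deliberately not handled.

```python
"""Added example (not NetFlow Analyzer code): decode NetFlow v5 datagrams to confirm
flows reach the listener port and see what exporter, ifIndex values and conversations
they carry. Field layout follows the published NetFlow v5 format."""
import ipaddress
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record


def parse_v5(datagram: bytes) -> dict:
    """Parse one v5 datagram; raise ValueError if it is not well-formed v5."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"header promises {count} records ({expected} bytes), got {len(datagram)}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "input_ifindex": f[3],    # SNMP ifIndex the flow entered on
            "output_ifindex": f[4],   # SNMP ifIndex it left on; 0 = local/unknown
            "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10], "proto": f[13],
        })
    return {"unix_secs": unix_secs, "flow_sequence": seq,
            "sampling_interval": sampling & 0x3FFF,  # low 14 bits; top 2 are the mode
            "records": records}


def build_v5(flows, unix_secs=1700000000, seq=0) -> bytes:
    """Fabricate a v5 datagram from (src, dst, in_if, out_if, pkts, bytes, sport, dport,
    proto) tuples, so the parser can be exercised offline without a real exporter."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                       b"\0\0\0\0", i_if, o_if, pk, by, 0, 0, sp, dp,
                       0, 0, pr, 0, 0, 0, 24, 24, 0)
        for s, d, i_if, o_if, pk, by, sp, dp, pr in flows)
    return header + body


def summarize(datagrams) -> dict:
    """What a collector learns from a batch: the ifIndex values the exporter uses (the
    IN/OUT fields interfaces are auto-discovered from), bytes per interface, top talkers."""
    ifindexes, bytes_in, bytes_out, convs = set(), Counter(), Counter(), Counter()
    for dg in datagrams:
        for r in parse_v5(dg)["records"]:
            ifindexes.update(i for i in (r["input_ifindex"], r["output_ifindex"]) if i)
            bytes_in[r["input_ifindex"]] += r["bytes"]
            bytes_out[r["output_ifindex"]] += r["bytes"]
            convs[tuple(sorted((r["src"], r["dst"])))] += r["bytes"]  # A<->B as one conversation
    return {"ifindexes": sorted(ifindexes), "bytes_in": dict(bytes_in),
            "bytes_out": dict(bytes_out), "top_conversations": convs.most_common(3)}


def listen(port: int, max_datagrams: int = 5, timeout: float = 30.0) -> list:
    """Bind the UDP listener port (assumed free) and report each datagram's source and record count."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", port))
    seen = []
    try:
        for _ in range(max_datagrams):
            data, (exporter, _) = sock.recvfrom(65535)
            try:
                seen.append((exporter, len(parse_v5(data)["records"])))
            except ValueError as err:   # something arrives, but it is not v5
                seen.append((exporter, str(err)))
    except socket.timeout:              # nothing at all reached this host
        pass
    finally:
        sock.close()
    return seen


# Constructed sample, not a real capture: two hosts behind ifIndex 2 talk to a web server
# via ifIndex 3, and one host sends a DNS query to the router itself (output ifIndex 0).
SAMPLE_FLOWS = [
    ("10.1.1.10", "203.0.113.5", 2, 3, 120, 150000, 51000, 443, 6),
    ("10.1.1.11", "203.0.113.5", 2, 3, 40, 30000, 51001, 443, 6),
    ("203.0.113.5", "10.1.1.10", 3, 2, 100, 900000, 443, 51000, 6),
    ("10.1.1.10", "10.1.1.1", 2, 0, 5, 400, 5353, 53, 17),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    import sys
    print(listen(int(sys.argv[1])) if len(sys.argv) > 1 else summarize([SAMPLE_DATAGRAM]))
```

Run it with no arguments to decode the constructed sample; run it with a port number to wait up to 30 seconds on that port. An empty list after the timeout means nothing reached the host, which points at an external firewall, an access list, or a wrong destination on the exporter; a list of ValueError messages means datagrams arrive but are not v5, for example an exporter configured for v9 or IPFIX.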
Now that we have successfully configured the product and exported flow, the next step is getting real-time visibility into the traffic details of these devices and interfaces.
NetFlow Analyzer’s Inventory acts as a directory for traffic overview, providing detailed reports by device, interface, application, etc.
Once you navigate to the Inventory, you can see traffic under various categories. Find the interface you want to monitor and click it to see its utilization for the selected time period, which can be changed under Settings. The graphs and data can be viewed by speed, volume, or time, and you can set the number of data points based on how detailed you want the graph to be.
In addition to the traffic details, NetFlow Analyzer also supports various Cisco technologies like IPSLA, WLC, NBAR, CBQoS, Medianet, and Multicast as well as a multitude of other functionalities. Here are some of the other highlights:
- Traffic Shaping: This feature uses ACL and Service Policy to help you configure QoS policies to prioritize your business-critical apps and block or limit access to bandwidth hogs.
- CBQoS: This gives a comparison of the utilization before and after you applied the Traffic Shaping policies.
- Reports: There are various reports, but the ones I probably use the most are the Search report, which gives you details of any specific device or interface, and the Compare report, which gives you a detailed comparison of two devices in the same time period or the same device across two different time periods.
- Grouping: This feature comes in handy when you want to categorize traffic or usage to monitor a specific team, department, or set of IP addresses.
- Mapping: This helps you map custom apps, services, and DSCPs. The product also has a new feature that lets you map usernames to IPs manually or in bulk from Active Directory data. The newly introduced Cloud Services feature is also useful when it comes to mapping internet services.
- Bandwidth Forecasting and Capacity Planning: These two reports help you predict future bandwidth usage based on historic data. The Capacity Planning report also comes with an application growth trend graph, which is a very interesting addition.
- Billing: This report helps you generate billing plans if you are an ISP, or even cross-check your own ISP’s billing plans.
- Forensics and ASAM: Unlike other reports, the Forensics report uses raw data to analyze network traffic patterns. This can be very useful in being proactive with identifying network issues and monitoring the top conversations in your network. The Advanced Security Analytics Module (ASAM) in NetFlow Analyzer is a security and network behavior analysis feature, which is not seen in most bandwidth monitors. I think this is one of the highlights of the product, because it’s an often-overlooked element in most network security systems.
- Alerts and notifications: Apart from viewing alarms via the web console, you can also set threshold-based alerts in NetFlow Analyzer to get notified via email, SMS, or chat (through integration with Slack) or even log a ticket (by integrating with ServiceDesk Plus or ServiceNow). This can be done by configuring a notification profile (Settings > NetFlow > Alert Profiles > Real-Time/aggregated > Add).
- Integrations: NetFlow Analyzer tightly integrates with Slack and other ManageEngine products, such as Network Configuration Manager, Applications Manager, IP Address and Switch Port Manager (OpUtils), and ServiceDesk Plus.
NetFlow Analyzer offers both iOS and Android mobile apps that are handy in monitoring alerts and utilization.
The product is easy to install and the flow export process is extremely simple. The UI is easy to navigate through but lacks breadcrumbs to go back to the previous screen or Next buttons to switch between devices, and this requires you to go all the way back to the main menu. While the mobile apps are handy when it comes to monitoring and receiving notifications, they do not let you perform any actions. These would be nice additions for future versions.
The licensing is based on interfaces, and the pricing is transparent. (You can check these pages for pricing information, to get a price quote, or for a free personalized demo.) You can get customized plans based on your network needs. Will you be trying out or buying NetFlow Analyzer based on this review? We would like to hear from you!