Overview
The Flow Gateway receives flow data from multiple sources. It aggregates the data, deduplicates it, compresses it by 5 to 10 times, encrypts it using AES 256-bit encryption, and sends it to up to 20 NetProfiler or NetExpress appliances using a TCP-based protocol over TCP/41017. Additionally, it can forward flow data, in the format in which it is received, to up to five destinations.
Flow Gateway operation is monitored on the Overview page. The Overview page is divided into the following sections:
- Flow Capacity Stats
- Flow Capacity
- Flow Capacity Usage
- Raw Flows Processed/Over Limit
- Reduction of Raw Flows from Deduplication
- NetProfiler Status
- Flow Sources
- Flow Destinations
Flow Capacity Stats
The Flow Capacity Stats section summarizes the flow statistics based on the latest data. Flow Gateway saves the IP address of the reporting device and information the device reports about the flow for use in topology reports. It deduplicates the flow records so that flows are not counted more than once.
The "Current deduplicated flow rate" is the number of flows that were reported during the most recent minute. Each flow is counted only once, regardless of how many different network devices reported it. The deduplicated flow rate is also reported as a percent of licensed capacity and as a percent of total raw flows. "Raw flows" are flows reported by switches and routers that are sending flow data to the Flow Gateway appliance.
Flow Capacity
The Flow Capacity section reports the average, peak and minimum flow rates for both deduplicated and raw flow data for the last day and the last week. It also reports over-limit statistics. Flow data that exceeds the licensed limit for the minute during which it is received is not processed.
Flow Capacity Usage
The Flow Capacity Usage section shows how much of the licensed flow capacity is being used. Separate tabs report Overall capacity usage, Riverbed Sources, and NetFlow usage. Riverbed Sources include AppResponse 11 and NetShark.
When the number of deduplicated flows approaches the license limit, the licensed limit is shown as a dashed line on the graph. If the number of deduplicated flows in a 1-minute period exceeds the license limit, flows that are over the limit are not processed. The graph shows the number of deduplicated flows that exceeded the licensed limit.
Raw Flows Processed/Over Limit
The Raw Flows Processed/Over Limit section displays the number of flows per minute that have been processed. Separate tabs report Overall flows processed, flows from Riverbed Sources processed, and NetFlow flows processed.
Processing includes collecting and storing topology information and deduplicating flow data. For example, assume that a router sends a flow record to Flow Gateway. The appliance checks to see if the flow was already reported by another device. If it was, then the appliance adds the topology information from this flow record to the record it already has for the flow.
If the flow was not reported before, the appliance checks to see if adding it would exceed the license limit for deduplicated flow records. If recording the flow would exceed the license limit, the appliance drops the flow record.
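The processing order described above matters for monitoring coverage: records for flows already being tracked are still merged after the limit is reached, while new flows are dropped and never reach NetProfiler. The following Python model is an added example, not Riverbed code. The record layout, the 5-tuple flow key, the sample records, and the way the reduction percentage is computed (over processed records only) are assumptions made for illustration.

```python
from collections import namedtuple

# Hypothetical record layout: reporting device plus an assumed 5-tuple flow key.
FlowRecord = namedtuple("FlowRecord", "exporter src dst sport dport proto")

def process_minute(records, license_limit):
    """Model one 1-minute interval of deduplication with a license limit."""
    flows = {}      # flow key -> set of reporting devices (topology information)
    over_limit = 0  # raw records dropped because the limit was already reached
    for rec in records:
        key = (rec.src, rec.dst, rec.sport, rec.dport, rec.proto)
        if key in flows:
            # Already reported by another device: count the flow once and
            # add this device's topology information to the existing record.
            flows[key].add(rec.exporter)
        elif len(flows) < license_limit:
            flows[key] = {rec.exporter}
        else:
            # Recording a new flow would exceed the license limit: drop it.
            over_limit += 1
    raw = len(records)
    processed = raw - over_limit
    # Assumption: reduction is measured against the records that were processed.
    reduction = 100.0 * (processed - len(flows)) / processed if processed else 0.0
    return {"raw": raw, "deduplicated": len(flows), "over_limit": over_limit,
            "reduction_pct": round(reduction, 1), "topology": flows}

# Constructed sample: two routers (10.0.0.1, 10.0.0.2) reporting overlapping flows.
A = ("10.1.1.5", "10.2.2.9", 51000, 443, "tcp")
B = ("10.1.1.6", "10.2.2.9", 51001, 443, "tcp")
C = ("10.1.1.7", "10.3.3.3", 51002, 53, "udp")
D = ("10.1.1.8", "10.4.4.4", 51003, 22, "tcp")
SAMPLE = [
    FlowRecord("10.0.0.1", *A),
    FlowRecord("10.0.0.2", *A),  # duplicate of A seen by a second router
    FlowRecord("10.0.0.1", *B),
    FlowRecord("10.0.0.2", *C),
    FlowRecord("10.0.0.1", *D),  # fourth distinct flow: dropped when limit is 3
    FlowRecord("10.0.0.2", *B),  # duplicate of B: merged even at the limit
]

if __name__ == "__main__":
    stats = process_minute(SAMPLE, license_limit=3)
    print({k: v for k, v in stats.items() if k != "topology"})
```

With a limit of 3, flow D is absent from the output entirely, which is why a nonzero over-limit count on the Overview page should be treated as a gap in what downstream analysis can see.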
Reduction of Raw Flows from Deduplication
The Reduction of Raw Flows from Deduplication section displays the percentage by which the number of raw flows was reduced by deduplication. Separate tabs report Overall percentage of reduction, Riverbed Source percentage, and NetFlow Source percentage.
NetProfiler Status
The NetProfiler Status section displays the following information about each NetProfiler or NetExpress appliance with which the Flow Gateway is communicating:
- IP address and the name returned by DNS, if DNS name resolution is enabled. The IP address is specified on the Configuration > Profilers page.
- NetProfiler or NetExpress name as specified in the Hostname field of the Configuration > General Settings page of the NetProfiler or NetExpress appliance.
- NetProfiler or NetExpress appliance status (OK or Offline).
- Number of flows per minute sent to the NetProfiler or NetExpress appliance during the most recent 1-minute reporting period. This may be less than the number of packets received because the flows are deduplicated before being sent to the NetProfiler or NetExpress appliance. This flow summary can also be viewed on the NetProfiler or NetExpress.
Flow Sources
The Flow Sources section shows the addresses of the flow data sources and the types of flow data that the Flow Gateway is receiving. It also shows the number of flow records that the Flow Gateway received from the flow data source during the most recent 1-minute reporting period.
Separate tabs report the number of flow records received from Riverbed flow data sources and Non-Riverbed flow data sources.
The Non-Riverbed Flow Sources tab includes a column labeled "Slice Violation (Last Minute)." This column indicates two conditions on the flow data source device that could result in errors in packet counts:
- The flow collector is caching NetFlow records before sending them, thereby causing them to arrive late.
- The flow collector has an active timeout set to greater than 60 seconds.
If a flow data source stops sending data to the Flow Gateway, the number of flows reported the last time the Flow Gateway received data from the source is preserved. However, after 2 minutes, it is displayed in red to indicate that no new flows are being received.
Optionally, you can collect detailed flow data source statistics, which show how much bandwidth the flow data is consuming on the network and can provide insight into which devices are contributing to the flow license usage on the Flow Gateway appliance. When enabled, the Flow Sources section is enhanced with the following:
- Top 10 Flow Sources section
- Riverbed/Non-Riverbed Flow Sources table – includes additional columns for total flows and flow peaks. Also, the IP address column includes links to the flow source report for the listed IP addresses. The flow source report is also available from Reports > Flow Source.
Flow Destinations
The Flow Destinations section shows the address, port number and type of flow data for each destination to which the Flow Gateway forwards flow data. It also shows the number of flow records that the Flow Gateway has forwarded to the destination during the most recent 1-minute reporting period. For NetFlow, it displays the number of flow records forwarded. For sFlow, it displays the number of sampled packets forwarded.
Additional information about the status of the Flow Gateway can be monitored on the Administration > System Information page.