SolarWinds NetFlow Traffic Analyzer (NTA) is a multi-purpose tool useful for a wide range of bandwidth monitoring and management purposes. It integrates with SolarWinds Network Performance Monitor (NPM) to provide a comprehensive network monitoring tool.
NTA collects two kinds of data: interface-level flow data and Class Based Quality of Service data. It then looks at the performance data NPM collects from SNMP and WMI sources and combines the two data streams to produce one set of data you can analyze and examine. This data can be processed into graphs and reports, so you can have complete visibility into your network, in both a historical sense and in terms of its current status.
Features
Now let’s look at the key features of NTA. Network Traffic Analyzer has several utilities to help with network traffic monitoring, each of which has a special function and key focus regarding network flows.
Bandwidth monitoring
Monitor bandwidth use by application, protocol, and IP address group. View both IPv4 and IPv6 flow records. Monitor Cisco NetFlow, Juniper J-Flow, sFlow, Huawei NetStream, and IPFIX flow data identifying the applications and protocols consuming the most bandwidth.
Application traffic alerting
Get alerted if application traffic suddenly increases, decreases, or disappears completely. Be able to quickly act if there’s an unusual change in application traffic. You can also set alerts to be notified if a device stops sending flow data, so you can efficiently remediate the problem.
Network traffic analysis
Analyze network traffic patterns over months, days, or minutes by drilling down into any network element. NetFlow Traffic Analyzer collects traffic data, correlates it into a useable format, and presents it to the user in a web-based interface for monitoring network traffic.
Performance analysis dashboard
PerfStack™ cross-stack network data correlation. Accelerate identification of root cause by dragging-and-dropping network performance metrics on a common timeline for immediate visual correlation across all your network data and NetFlow analytics.
Advanced application recognition
Identify which applications and categories consume the most bandwidth for better network traffic visibility with NBAR2 support. Cisco NBAR2 support gives you visibility into HTTP (port 80) and HTTPS (port 443) traffic without the need for additional probes, spanning ports, etc.
Customizable network traffic reports
Create, schedule, and deliver in-depth network traffic analysis and bandwidth reports with just a few clicks. Don’t spend money on additional bandwidth if it’s not needed. NetFlow software can help you review historical data to identify peak bandwidth usage and adjust policies for better management.
WLC traffic monitoring
Monitor Wireless LAN Controller traffic to keep tabs on applications and clients utilizing bandwidth on your wireless network. In today’s mobile world, it’s important to keep your wireless network running smoothly. With WLC network traffic analysis, you can easily see what’s using your wireless bandwidth.
Cisco Meraki wireless monitoring
View traffic data on Cisco Meraki interfaces. Visualize the traffic flows on your Cisco Meraki MX and Z series interfaces for better monitoring of the bandwidth use in your Cisco Meraki wireless environment.
CBQoS policy optimization
Measure the effectiveness of pre- and post-policy traffic levels per class map to determine if QoS policies are working as planned. If your business relies on VoIP, e-commerce, or other cloud-based applications, the NetFlow analyzer software will help confirm that prioritized traffic passes smoothly through the network.
Malicious or malformed traffic flow identification
Increase security with visibility into malicious or malformed traffic with port 0 monitoring. TCP/UDP monitoring of port 0 traffic highlights any flows directed to port 0 so you can quickly identify intrusive traffic.
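The port 0 check described above, as an added example (not SolarWinds code, and not a description of how NTA implements it): it parses a NetFlow v5 export datagram and keeps the TCP/UDP flows whose source or destination port is 0. The datagram is constructed sample data using documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
import struct

# NetFlow v5 export datagram: 24-byte header, then `count` fixed 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
# Only these protocols carry port numbers. ICMP records reuse the port fields
# (source port 0, type/code in the destination port), so they are not flagged.
PORT_PROTOCOLS = {6: "TCP", 17: "UDP"}


def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 datagram as a list of dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # Reject truncated or padded datagrams instead of parsing garbage.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5],
            "bytes": f[6],
            "sport": f[9],
            "dport": f[10],
            "proto": f[13],
        })
    return flows


def port_zero_flows(flows):
    """Keep TCP/UDP flows whose source or destination port is 0."""
    return [
        flow for flow in flows
        if flow["proto"] in PORT_PROTOCOLS and 0 in (flow["sport"], flow["dport"])
    ]


def build_sample():
    """Constructed datagram with three records (documentation addresses)."""
    def rec(src, dst, sport, dport, proto, pkts, octets):
        return RECORD.pack(
            ipaddress.IPv4Address(src).packed,
            ipaddress.IPv4Address(dst).packed,
            bytes(4),            # next hop
            1, 2,                # input / output interface index
            pkts, octets,
            0, 0,                # first / last uptime stamps
            sport, dport,
            0, 0, proto, 0,      # pad, TCP flags, protocol, ToS
            0, 0, 0, 0, 0,       # AS numbers, masks, pad
        )
    records = [
        rec("192.0.2.10", "198.51.100.5", 51514, 443, 6, 12, 9000),  # ordinary HTTPS
        rec("203.0.113.7", "198.51.100.5", 40000, 0, 17, 3, 180),    # UDP to port 0
        rec("192.0.2.10", "198.51.100.9", 0, 2048, 1, 1, 84),        # ICMP echo request
    ]
    header = HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    for flow in port_zero_flows(parse_v5(build_sample())):
        print(
            f"port 0 {PORT_PROTOCOLS[flow['proto']]} flow: "
            f"{flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']} "
            f"({flow['packets']} packets, {flow['bytes']} bytes)"
        )
```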
Benefits
- Identifies which users, applications, and protocols are consuming the most network bandwidth and highlights the IP addresses of the top talkers on the network
- Monitors network traffic by capturing flow data from network devices, including Cisco® NetFlow v5 or v9, Juniper® J-Flow, IPFIX, and sFlow®
- Maps the traffic arriving from designated ports, source IPs, destination IPs, and even protocols, to application names you can easily recognize
- Delivers an instant alert notification, including a list of top talkers, when an interface exceeds its utilization threshold
- Performs Class-Based Quality of Service (CBQoS) monitoring to ensure that your traffic prioritization policies are effective
- Enables you to quickly drill-down into traffic on specific network elements, using multiple views to get the perspective you’re looking for
- Generates network traffic reports with just a few clicks
- Facilitates investigation of fault, performance, and configuration issues thanks to complete integration with Orion NPM and Orion NCM
New features and improvements in NTA
Release date: November 5, 2019
These release notes describe the new features, improvements, and fixed issues in NetFlow Traffic Analyzer 2019.4. They also provide information about upgrades and describe workarounds for known issues.
New features and improvements in NTA 2019.4
NTA 2019.4 offers the following new features and improvements compared to previous releases of NTA.
Process flow data from Meraki MX devices
As of NTA 2019.4, you can view flow data from Cisco Meraki MX devices. The data are associated with SNMP-managed interfaces from NPM. Certain devices use different Interface IDs when polled by SNMP and different Interface IDs in NetFlow. Due to this discrepancy, traffic cannot be correctly bound to the interface. This issue is solved by mapping between Flow Interface ID and SNMP Interface ID.
- You must have Meraki firmware version MX 14.7 or later to get the correct bytes values. SolarWinds NTA supports flow processing for earlier versions and it will not block outdated firmware, but NTA will display incorrect traffic volumes for the bytes counter.
- You must have Meraki firmware version 15.13 or later to get correct packet values. Earlier versions of Meraki MX show an incorrect packet number, as the counter is not providing increments but total values with each flow.
- For Huawei and Alcatel devices, the flow must be processed on the same polling engine where SNMP data are polled.
- After changing the polling engine, mapping is generated for the new polling engine but kept on the old one. The mapping for the node is removed from all polling engines on cleanup (by default, every 60 minutes) when you disable the node through NetFlow Sources.
- Starting with Meraki MX 15.14 or later, the interface mapping is corrected and the feature will be disabled automatically on the NTA side, or you can disable it manually through NTA Settings.
To start monitoring data from Cisco Meraki MX devices, you must add the device to SolarWinds NPM and configure it to export flows to the Main or Additional Polling Engine. The mapping is generated automatically when NTA receives the first flow traffic from the relevant Meraki device. Mapping is kept in the Orion database in separate tables for each polling engine. Mapping is valid until you manage the node, enable flow processing, and the NetFlow Service receives flow data.
Enable or disable the Meraki MX mapping feature
You can enable the Meraki mapping feature through NTA Settings in the Orion Web Console. If you are monitoring devices running Meraki firmware version MX 15.14 or later, you can disable the mapping feature completely.
- In the Orion Web Console, click Settings > All Settings.
- Under Product Specific Settings, click NTA Settings.
- Under NetFlow Management, select Process flow data from Meraki MX 15.13 and earlier to enable the feature, and clear the option to disable it.
- SolarWinds NTA uses autodetection per device for new Meraki firmware. Processing therefore works correctly with Meraki firmware 15.14 or later and this option enabled.
- If you disable this option through NTA Settings, the changes are global for all devices.
- If you have devices with Meraki firmware MX 15.13 or later, you see data on the wrong interfaces.
Flow Sources Management and CBQoS Polling Management pages
This section provides procedures for adding and deleting flow sources and selecting CBQoS-enabled devices for monitoring.
If NPM is monitoring network devices that are configured to export flow data, and if automatic addition of flow sources is enabled in NTA Settings, NTA automatically detects and adds the flow sources under NetFlow Sources.
Access the Flow Sources Management page and select interfaces for NetFlow monitoring
- Click Settings > All Settings.
- Under Product Specific Settings, click NTA Settings.
- Click Flow Sources Management.
This page provides a list of flow-enabled nodes and interfaces. If you do not see any NetFlow sources, confirm that the following is true for your configuration:
- NetFlow devices must be configured to send NetFlow data to the NTA collector. Devices and interfaces must be managed by SolarWinds NPM before they can be recognized in SolarWinds NTA.
- Confirm that the SolarWinds NetFlow Service starts in Windows Services.
- Use the Filters to find the devices to display.
- Use the Search function to filter the list further.
- Select nodes and interfaces for NetFlow monitoring.
- Click Store traffic.
Access the CBQoS Polling Management page and select interfaces for CBQoS monitoring
- Click Settings > All Settings.
- Under Product Specific Settings, click NTA Settings.
- Click CBQoS Polling Management. This page provides a list of all nodes and interfaces in SolarWinds NPM. CBQoS-enabled devices must be configured to allow CBQoS polling. Devices and interfaces must be managed by SolarWinds NPM before they can be recognized in SolarWinds NTA.
- Use the Filters to find the devices to display.
- Use the Search function to filter the list further.
- Select nodes and interfaces for CBQoS monitoring.
- Click Enable.
New features and improvements in Orion Platform 2019.4
Orion Platform 2019.4 offers new features and improvements compared to previous releases of Orion Platform.
Native SolarWinds Service Desk Integration
Generate Service Desk incidents from Orion Alerts.
You can integrate Orion Platform products with the following IT Service Management solutions:
- ServiceNow® (Orion Platform 2016.1 or later)
- SolarWinds Service Desk (starting with Orion Platform 2019.4)
Integrating an alerting solution with the Orion Platform means that triggering an alert in the Orion Platform creates a new incident in the integrated alerting instance and vice versa.
Configure the integration
To make the integration of the Orion Platform and your alerting system work, complete the following steps.
Step 1: Set up the system to integrate with the Orion Platform.
- ServiceNow
- SolarWinds Service Desk
Step 2: Create an instance for the system in the Orion Platform.
Step 3: Configure Orion Platform alerts to create an incident (ServiceNow or SolarWinds Service Desk) as the alert action.
Configure the instance
- Log in to the Orion Web Console using an account with administrator rights.
- Click Settings > All Settings, and then click Manage Alert Integration Instances.
- Click Add Instance and select your instance type.
- To add a ServiceNow instance, select Service now, and complete the configuration.
- To add a ServiceDesk instance, select Service Desk, and complete the configuration.
The new instance displays on the Manage Alert Integration Instances page. You can now use Create ServiceNow Incident or Create SolarWinds Service Desk incident as an alert action.
Operational states
Once you configure the integration, you can go to Settings > Manage Alert Integrations and view a list of all integrated instances.
Operational states describe how the integration of your alerting system and the Orion Platform works:
- Enabled: new or updated alerts in the Orion Web Console create or update incidents in the integrated instance, and the other way around.
- Restricted: incidents in the integrated instances are updated and closed. Changes in Orion are reflected in the integrated instance (ServiceNow or SolarWinds Service Desk), and the other way around, but no new incidents are created.
- Restricted by system: applies only to ServiceNow. If the number of ServiceNow incidents created in a five-minute period reaches 100, the instance is automatically switched to Restricted state.
- Disabled: incidents cannot be created and updated in the integrated instance based on Orion Platform alerts.
Orion Maps enhancements
Entity Library enhancements
- Filter and refine your entity list based on any property.
- Bulk-select entities to add them to the canvas.
- Quickly identify contextual relationships through the entity library without leaving the editor.
Bulk Administration
- Multi-select from the canvas to move or delete multiple objects in groups.
- Undo and redo options within the Editor.
Custom Images
- Add custom images and backgrounds to enhance the map.
Manual Topology Connections
- Define topology between any two entities directly from the Map Editor.
Customizable map refresh rate
- From the Advanced Configuration Settings, specify the map refresh rate – in minutes – for the Orion Maps Viewer and Widgets.
Orion Maps are a troubleshooting feature that displays a map of physical and logical relationships between entities monitored by the Orion Platform products you have installed. Orion Maps help you quickly isolate and identify critical health and performance issues.
Orion Map types
Auto-generated Orion Maps
Orion Maps automatically generate contextual maps that display critical relationships for monitored entities in the Orion Platform. Go to an entity details page and click the Map subview to display a map of relationships relevant for the entity.
Custom Orion Maps
Starting with Orion Platform 2019.2, you can create custom Orion Maps. Select entities to map and the Orion Maps feature displays physical and logical relationships between them. You can add the custom map on any Orion Web Console view using the Orion Map widget.
Auto-generated Orion Maps
The auto-generated Orion Maps open in the Orion Web Console as a subview and display both physical and logical relationships between entities.
Auto-generated Orion Maps are created without any user intervention: entities are added or removed as changes occur in the environment.
To access auto-generated Orion Maps, go to an entity Details view and click the Map subview in the menu on the left.
1 | Map icon: Click the icon to view the Orion Map. |
2 | Canvas: Displays the map of relationships of the entity. |
3 | Seed object: The entity whose relationships the map displays. This is the entity from which you accessed the map.
The color or the ring around the entity signifies the entity health, based on thresholds set for the entity. For more details about an entity on the map, click the entity. The map adjusts accordingly and details about the entity are displayed in the Inspector Panel (7). |
4 | Healthy topology connection: For topology connections, the line width represents the interface bandwidth. T
|
5 | Metric pill: By default, it displays the outbound traffic and percent utilization. If polled values for the metric exceed the threshold, the pill displays errors and discards. Hover over the metric pill to show which metric it displays. |
6 | Connection with issues: The color signifies that a threshold has been exceeded. Yellow means warning and red signifies a critical threshold.
Click the connection to see details in the Inspector Panel (8). |
7 | Tools to adjust the map: Zoom in, zoom out, pan, or change layout. |
8 | Inspector Panel: Displays details about the entity or connection selected on the map, according to the active navigation bar.
When you open the Map from an entity details page, the Inspector Panel only displays the entity name, IP, vendor, and machine type.
|
9 | Related: Click this button to display entities related to the selected entity in the Inspector Panel: descendants, ancestors, and dependencies.
To add a related entity to the map, select the check box in front of the entity, and click Apply. |
10 | Connected: Click this button to display entities connected to the selected entity by a protocol-based relationship or actual data flow, such as topology (NPM) or Application Dependency Connections (SAM), in the Inspector Panel.
To add a connected entity to the map, select the check box in front of the entity, and click Apply. |
11 | Alerts: Click this button to display a list of active alerts associated with the entity in the Inspector Panel. |
12 | Recommendations (only with VMAN): If you have VMAN installed, this section presents recommendations for the entity. |
Custom Orion Maps
Starting with Orion Platform 2019.2, you can create Orion Maps either based on the auto-generated maps, or from scratch.
- Maps summary view
- Edit Mode
- View Mode
- Orion Map widget
View a list of maps, create maps, and edit maps from the Maps view
To access Orion Maps created by users, click My Dashboards > Orion Maps in the Home section.
1 | List of maps: Review available Orion Maps. By default, the list shows maps created by you. If you have Administrator rights, you can display Orion Maps created by other users (4).
Click a map name to view the map (View mode). |
2 | Button bar: Create a new map, or select a map in the list (1) and edit or delete it. |
3 | Sort, filter, and search controls: Use the filter and search options to find Orion Maps. Sort maps by name, time since last update, or creation date. |
4 | All Users: Toggle to display all maps or only maps created by you. This toggle is available only to administrators. |
Add entities or adjust connections in Edit mode
Edit mode is where you create or edit maps. To enter Edit mode:
- On the Maps view, select a map and click Edit.
- In View mode, click More > Edit.
1 | Entity Library: Drag entities from the library to the canvas. |
2 | Canvas: Place entities in the correct position. If there are relationships between entities on the map, the connections are automatically added to the map as well. |
3 | Button bar: Save the map or use commands in the More menu, such as create a new map, save the map under another name, delete the map, or switch to View mode. |
4 | Map controls: Zoom in, zoom out, and center and adjust the map to the view. |
View popups and display details on mapped entities in View mode
View mode displays a full screen view of user-created maps for easy troubleshooting and investigation.
1 | Entity: Click an entity to display details in the Inspector Panel. |
2 | Inspector Panel: Displays details about the entity or connection selected on the map.
In the View mode, you cannot add related entities to the map. Entities in the Inspector Panel do not have check boxes. This is only available from the auto-generated map subviews. |
3 | Popup: Hover over an entity to see additional details.
You can also execute commands from the command menu, such as go to details view, edit the entity, mute alerts for the entity, or unmanage the entity. |
4 | Button bar: Click Share to copy the map address to the clipboard, click More > Edit to switch to Edit mode. |
5 | Map controls:
|
Orion Map widget
When you create a custom Orion Map, you can add it to a view in the Orion Map widget.
Click an entity on the map to go to the entity details view.
Hover over an entity to display a popover, or to run commands for the entity from the Commands drop-down.
What can you do with Orion Maps?
- View details for mapped entities, such as the Map Summary, connected entities, dependent entities, related alerts, or VMAN recommendations
- View connections between displayed entities, such as topology connections, application dependency connections, or Orion dependency connections
- Customize the auto-generated maps, such as add/remove related entities, create a group from mapped entities
- Adjust the auto-generated map by zooming in, zooming out, or panning
- Create a custom Orion Map, add entities, adjust their position, and save the map
- Add the Orion Map to your views as a widget
- Create a custom alert based on the Orion Maps entity
- Send mapped objects via email as a report and send the Orion Map as a PDF
System Requirements
NetFlow Traffic Analyzer 2019.4 System Requirements
Polling engine requirements
The following requirements ensure the scalability benefits of SolarWinds NTA:
Type | Requirements |
---|---|
Operating system | Microsoft Windows Server 2016
Microsoft Windows Server 2019 |
SolarWinds NPM | Version 2019.4
SolarWinds NTA requires an appropriate SolarWinds NPM version hosted on the same server. |
Databases | NTA and Orion Platform use two databases – the Orion database and the NTA SQL Flow Storage database. The Orion database stores SolarWinds Orion configuration data and all collected performance and syslog data. The NTA Flow Storage database is where SolarWinds NTA stores your flow data.
The NTA SQL Flow Storage database requires an instance of Microsoft SQL Server 2016 SP1 or later. Both databases can be collocated on one SQL server. In case you decide to use separate SQL servers for the Orion database and the NTA SQL Flow Storage database, the Orion database requires Microsoft SQL Server 2014 and later. A connection to Orion SQL database is required because CBQoS data and some additional low level details are still stored in Orion SQL database. |
SQL server requirements
SolarWinds NTA 4.4 and later utilizes two SQL databases:
- The Orion database
- The NTA SQL Flow Storage database
SolarWinds supports both the Orion database and the NTA SQL Flow Storage database in the same SQL server instance, as long as that instance is SQL Server 2016 SP1 or later. See sections below for Orion database requirements and the NTA SQL Flow Storage database requirements.
You cannot install Orion Platform products on the same server as SolarWinds Access Rights Manager (ARM).
NTA Flow Storage database requirements
- SolarWinds NTA requires SQL Server 2016 SP1 or later to run the NTA SQL Flow Storage database.
- For production environments, SolarWinds recommends using the Standard or Enterprise edition of the SQL server for the NTA SQL Flow Storage database.
Deploying the NTA Flow Storage database on SQL Server 2016 SP1 Express is not recommended in a production environment due to performance and other limitations. For more information about SQL server Express, see Editions and supported features of SQL Server 2016 (© 2017 Microsoft, available at https://docs.microsoft.com, obtained on February 20th, 2018).
- SolarWinds supports both the Orion database and the NTA SQL Flow Storage database in the same SQL server instance, as long as that instance is SQL Server 2016 SP1 or later.
Orion database requirements
The table below lists software and hardware requirements for your SolarWinds Orion database server using SolarWinds NPM license levels.
- Multiple SolarWinds Orion server installations using the same database are not supported.
- If you install on a virtual machine, you must maintain your SQL Server database on a separate, physical drive.
Requirements | SL100, SL250, SL500 | SL2000 | SLX |
---|---|---|---|
SQL server | SolarWinds supports Express, Standard, or Enterprise versions of the following:
SolarWinds strongly recommends using the 64-bit version of SQL Server. |
SQL Server collation | We support CI database on a CS SQL Server. We do not support case-sensitive databases. |
CPU speed | Quad core processor or better | Dual quad core processor or better | Dual quad core processor or better |
Hard drive space | 20 GB minimum, 40 GB recommended | 50 GB minimum, 100 GB recommended | 100 GB minimum, 400 GB recommended
SolarWinds recommends the following configuration:
Per Windows standards, some common files may need to be installed on the same drive as your server operating system. You may want to move or expand the Windows or SQL temporary directories. |
Memory | SL100: 8 GB minimum, 16 GB recommended; SL250 & SL500: 8 GB minimum, 16 GB recommended | 16 GB minimum, 64 GB recommended | 64 GB minimum, 128 GB recommended |
Authentication | Either mixed-mode or Windows authentication. If you require SQL authentication, you must enable mixed mode on your SQL server. |
Other software | If you are managing your SolarWinds Orion database, SolarWinds recommends you install the SQL Server Management Studio component.
The Installation wizard installs the following required x86 components if they are not found on your Orion database server: |
Cloud instance requirements for the NTA SQL Flow Storage database in Azure
Instance Details | Medium (SL2000) | Large (SLX) |
---|---|---|
Instance type | D12_v2 | D15_v2 |
CPU | 4 CPU | 16 CPU |
RAM | 30.5 GB RAM | 122 GB RAM |
Disk | System SSD 80 GB (included in D12_v2) + Data Azure Storage Disk Volume 500 GB (8 GB for every received sustained 1000 Flows/s with 30-days retention period) | System SSD 320 GB (included in D12_v2) + Data Azure Storage Disk Volume 2.5 TB (2.5 TB is Flow Storage, 300k FPS with 30-days retention, Azure Storage Disk with Provisioned IOPS recommended) |
Virtual machine requirements
SolarWinds NTA may be installed on VMware Virtual Machines and Microsoft Virtual Servers if the following conditions are met in your virtual environment:
- Each virtual machine needs to meet the SolarWinds NPM requirements for virtual machines.
- Each installation of NPM should have its own dedicated network interface controller.
SolarWinds NPM uses SNMP to monitor your network. SNMP traffic is generally assigned low priority, and thus you can experience gaps in monitoring data.
Port requirements
The following table lists ports that SolarWinds NetFlow Traffic Analyzer uses to communicate with other devices and servers.
Port | Protocol | Service/Process | Direction | Description |
---|---|---|---|---|
80 | TCP | World Wide Web Publishing Service | Bidirectional | Port used for web console and any other web servers. |
137 | UDP | NetBIOS | Outbound | Port for outbound traffic if NetBIOS name resolution is turned on. When NTA is trying to resolve the NetBIOS names of servers in their conversations, you may find a large amount of outbound UDP 137 traffic from the NTA collector to a number of external addresses. You can confirm the traffic by using the Flow Navigator to match the outbound connections to existing conversations. This is normal behavior when NetBIOS is enabled. An easy way to demonstrate the behavior is to disable NetBIOS in NTA and watch all outbound connections terminate. |
161 | UDP, TCP | SolarWinds Job Engine v2 | Outbound | Port used for sending and receiving SNMP information, including polling CBQoS-enabled devices. |
1433 | TCP | SolarWinds NetFlow Service, SolarWinds NetFlow Storage Service | Outbound | Port used for communication between the NetFlow Service and the existing SQL server. |
1434 | UDP | SolarWinds NetFlow Service, SolarWinds NetFlow Storage Service, SQL Browse Service | Outbound | The port used for communication between the NetFlow Service and the Orion database. This port is required only if your SQL Server is configured to use dynamic ports. |
2055 | UDP | SolarWinds NetFlow Service | Inbound | Port for receiving flows on any SolarWinds NTA collector. |
5671 | TCP | RabbitMQ | Bidirectional | RabbitMQ messaging. |
17777 | TCP | SolarWinds Information Service | Bidirectional | Port for sending and receiving traffic between SolarWinds NPM and other Orion Modules. Port used for communication between remote Flow Storage Database and NTA Main Poller. |
17778 | HTTPS and TCP | SolarWinds Information Service | Bidirectional | Open to access the SolarWinds Information Service API and agent communication. |
17791 | TCP | SolarWinds Agent | Bidirectional | Open for agent communication on any SolarWinds Orion server running Windows Server 2016. |
Device-specific | Any port required by a specific device. |