Configure a Rule Using Flow Sensor

With the flow ingest settings complete, you can now create a rule using flow as the sensor.

This example rule includes three elements:

  • A flow sensor that uses the predefined IPFIX (NetFlow v10) IPv4 template, hb-ipfix-ipv4-template

  • Six fields capturing data of interest

  • A trigger that indicates when traffic flow is higher or lower than expected

Note:

See the usage notes at the end of this section for more detail on what has been configured.

  1. Click Configuration > Rules in the left-navigation bar.
  2. On the Rules page, click the + Add Rule button.

    The Rules page refreshes to show a nearly empty rule on the right part of the page.

  3. In the top row of the rule window, leave the topic set as external and set the rule name that appears after the slash (/). In this example, it is periodic-aggregation-flow-rule.
  4. Add a description and synopsis if you wish.
  5. Click the + Add Sensor button and enter the following parameters in the Sensors tab:
    Sensors tab: Sensor Name ipv4-flow-sensor; Sensor Type Flow; Template hb-ipfix-ipv4-template.
  6. Now move to the Fields tab, click the + Add Field button and enter the following parameters to configure the first field, source-ipv4-address:
    Fields tab: Field Name source-ipv4-address; Description Source IPv4 address; Field Type string; Add to rule key enabled; Ingest type Sensor; Sensor ipv4-flow-sensor; Path sourceIPv4Address; Zero suppression disabled; Empty data if missing field.
  7. Click the + Add Field button again and enter the following parameters to configure the second field, destination-ipv4-address:
    Fields tab: Field Name destination-ipv4-address; Field Type string; Add to rule key enabled; Ingest type Sensor; Sensor ipv4-flow-sensor; Path destinationIPv4Address (the IPFIX Information Element name, capitalized like sourceIPv4Address); Zero suppression disabled.
  8. Click the + Add Field button again and enter the following parameters to configure the third field, sensor-traffic-count:
    Fields tab: Field Name sensor-traffic-count; Description Sensor octet count for IPv4 traffic measurement; Field Type integer; Ingest type Sensor; Sensor ipv4-flow-sensor; Path octetDeltaCount; Zero suppression disabled.
  9. Click the + Add Field button again and enter the following parameters to configure the fourth field, total-traffic-count:
    Fields tab: Field Name total-traffic-count; Field Type integer; Ingest type Formula; Formula Sum; Field sensor-traffic-count; Time range 10s.
  10. Click the + Add Field button again and enter the following parameters to configure the fifth field, traffic-count-maximum:
    Fields tab: Field Name traffic-count-maximum; Field Type integer; Ingest type Constant; Constant value traffic-count-max (the variable created in step 13); Add to rule key disabled.
  11. Click the + Add Field button once more and enter the following parameters to configure the sixth field, traffic-count-minimum:
    Fields tab: Field Name traffic-count-minimum; Field Type integer; Ingest type Constant; Constant value traffic-count-min (the variable created in step 13).
  12. As the last step for the fields configuration, set the field aggregation time-range value to 10s:
    Fields tab: Field aggregation time-range 10s.
  13. Now move to the Variables tab, click the + ADD VARIABLE button and create the traffic-count-max and traffic-count-min variables that are the constants for the traffic-count-maximum and traffic-count-minimum fields, respectively.
    Variables tab: Variable Name traffic-count-max; Type Integer; Default Value 10000.
    Note:

    Only the definition for the traffic-count-max is shown graphically. Choose an appropriate Default Value when configuring both traffic-count-max and traffic-count-min variables. The value shown above is for testing purposes only and may not be appropriate for your network.

  14. Now move to the Triggers tab, click the + Add trigger button and enter the following parameters to configure a trigger called traffic-measurement-trigger:
    Triggers tab: Trigger Name traffic-measurement-trigger; Frequency 90s; Disable alert deduplication off. Three terms, evaluated in the order listed:
    traffic-abnormal-gr: WHEN $total-traffic-count is greater than $traffic-count-maximum; THEN color red, message "Total traffic count is above normal. Current total traffic count is : $total-traffic-count".
    traffic-abnormal-ls: WHEN $total-traffic-count is less than $traffic-count-minimum; THEN color yellow, message "Total traffic count is below normal. Current total traffic count is : $total-traffic-count".
    default-term: no WHEN condition; THEN color green, message "Total traffic count is normal. Current total traffic count is : $total-traffic-count"; Evaluate next term off.
  15. At the upper right of the window, click the Save & Deploy button.

Usage Notes:

  • Sensor Tab:

    • The sensor name ipv4-flow-sensor is user-defined

    • The sensor type is flow

    • The sensor uses the predefined template hb-ipfix-ipv4-template

  • Variables Tab:

    • The variables traffic-count-max and traffic-count-min are statically configured integers, in bytes. Because total-traffic-count is the sum of octetDeltaCount over the 10-second field time range, the thresholds are compared against bytes per 10-second window, not bytes per second; size them for the window length you configure

    • These values are referenced in fields traffic-count-maximum and traffic-count-minimum and provide a reference point to compare against the total-traffic-count field

  • Fields Tab:

    • Six fields are defined; three (total-traffic-count, traffic-count-maximum, traffic-count-minimum) are referenced by the trigger, and one (sensor-traffic-count) is referenced by the formula of another field (total-traffic-count)

    • The field names are user-defined

    • Fields source-ipv4-address, destination-ipv4-address, and sensor-traffic-count extract values from each flow record delivered by the flow sensor

    • The Path value of each of these fields names the IPFIX Information Element (IANA name, for example sourceIPv4Address or octetDeltaCount) to read from the NetFlow v10 record

    • Fields source-ipv4-address and destination-ipv4-address have the Add to rule key setting enabled, so the rule is keyed (and aggregated) per source/destination pair and these fields are shown as searchable keys for the rule on the device health pages

    • Field total-traffic-count - sums the IPv4 octet (byte) counts from the sensor-traffic-count field (octetDeltaCount) over each 10-second time range

    • The fields traffic-count-maximum and traffic-count-minimum are constants; their values come from the variables defined above, so the thresholds can be changed without editing the rule

    • Field aggregation time-range - typically set to a value equal to or longer than the individual field time range settings, so that aggregated results are written to the database less often

  • Triggers Tab:

    • The trigger name traffic-measurement-trigger is user-defined.

    • frequency 90s - Paragon Insights compares traffic counts every 90 seconds

    • The terms are evaluated in the order listed; the first term whose WHEN condition matches sets the color and message for that evaluation.

    • In the term traffic-abnormal-gr:

      • When $total-traffic-count (the bytes counted for this rule key in the last aggregation window) is greater than $traffic-count-maximum (the traffic-count-max variable; 2500 in these notes), show red and the message: “Total traffic count is above normal. Current total traffic count is : $total-traffic-count”.

    • In the term traffic-abnormal-ls:

      • When $total-traffic-count is less than $traffic-count-minimum (the traffic-count-min variable; 500 in these notes), show yellow and the message: “Total traffic count is below normal. Current total traffic count is : $total-traffic-count”.

    • In the term default-term:

      • Otherwise (the term has no WHEN condition), show green and the message: “Total traffic count is normal. Current total traffic count is : $total-traffic-count”.
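The following Python is an added example, not Paragon Insights code and not from Juniper; it does by hand what the rule configured above does, so you can see the data path from a NetFlow v10 record to a trigger color. It builds a constructed IPFIX message (one template set, one data set) carrying the three Information Elements the rule's Path values name (sourceIPv4Address, id 8; destinationIPv4Address, id 12; octetDeltaCount, id 1), decodes it, sums octetDeltaCount per rule key for one aggregation window, and evaluates the three trigger terms in order. The addresses and byte counts are constructed test data, and the thresholds 2500 and 500 are the example values from the usage notes, not recommendations.

```python
"""Added example (not Paragon Insights code): the flow rule above, done by hand.
Decode a constructed IPFIX (NetFlow v10) message, sum octetDeltaCount per rule
key (sourceIPv4Address, destinationIPv4Address) for one window, then evaluate
the trigger terms in order, first match wins. All values are constructed."""
import ipaddress
import struct
from collections import defaultdict

# IANA IPFIX Information Element ids behind the three Path values in the rule
IE_NAMES = {1: "octetDeltaCount", 8: "sourceIPv4Address", 12: "destinationIPv4Address"}
IE_OCTET_DELTA_COUNT, IE_SOURCE_IPV4, IE_DESTINATION_IPV4 = 1, 8, 12

# Rule variables (constructed values). total-traffic-count is a sum over the
# 10 s field time range, so these are bytes per window, not bytes per second.
TRAFFIC_COUNT_MAX = 2500
TRAFFIC_COUNT_MIN = 500

def build_ipfix_message(template_id, records):
    """Build a constructed IPFIX message: one template set, then one data set."""
    fields = [(IE_SOURCE_IPV4, 4), (IE_DESTINATION_IPV4, 4), (IE_OCTET_DELTA_COUNT, 8)]
    tmpl = struct.pack("!HH", template_id, len(fields))
    for ie, length in fields:
        tmpl += struct.pack("!HH", ie, length)
    template_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl  # set id 2 = template set
    data = b""
    for src, dst, octets in records:
        data += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        data += struct.pack("!Q", octets)
    data_set = struct.pack("!HH", template_id, 4 + len(data)) + data
    body = template_set + data_set
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, 1) + body  # version 10, length, time, seq, domain

def parse_ipfix(msg):
    """Decode IPFIX template and data sets into records keyed by IE name."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # template set: (template id, field count, [ie id, ie length]...)
            p = 0
            while p + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[p:p + 4])
                if tid == 0:  # zero padding at the end of the set
                    break
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(count)]
                p += 4 * count
        elif set_id >= 256:  # data set, decoded with a previously received template
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError("data set %d arrived before its template" % set_id)
            rec_len = sum(l for _, l in fields)
            for p in range(0, len(body) - rec_len + 1, rec_len):
                rec, q = {}, p
                for ie, l in fields:
                    raw, q = body[q:q + l], q + l
                    if ie in (IE_SOURCE_IPV4, IE_DESTINATION_IPV4):
                        rec[IE_NAMES[ie]] = str(ipaddress.IPv4Address(raw))
                    else:
                        rec[IE_NAMES.get(ie, "ie%d" % ie)] = int.from_bytes(raw, "big")
                records.append(rec)
        off += set_len
    return records

def total_traffic_count(records):
    """Field total-traffic-count: Sum of sensor-traffic-count (octetDeltaCount) per rule key."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["sourceIPv4Address"], r["destinationIPv4Address"])] += r["octetDeltaCount"]
    return dict(totals)

def traffic_measurement_trigger(total):
    """Terms in the order they are listed; the first WHEN that matches decides."""
    if total > TRAFFIC_COUNT_MAX:  # traffic-abnormal-gr
        return "red", "Total traffic count is above normal. Current total traffic count is : %d" % total
    if total < TRAFFIC_COUNT_MIN:  # traffic-abnormal-ls
        return "yellow", "Total traffic count is below normal. Current total traffic count is : %d" % total
    return "green", "Total traffic count is normal. Current total traffic count is : %d" % total  # default-term

def evaluate(msg):
    return {key: traffic_measurement_trigger(t) for key, t in total_traffic_count(parse_ipfix(msg)).items()}

# Constructed flow records for one 10 s window: one rule key per trigger term
SAMPLE = build_ipfix_message(256, [
    ("10.0.0.1", "10.0.0.2", 1500), ("10.0.0.1", "10.0.0.2", 1400),  # 2900 > max -> red
    ("10.0.0.3", "10.0.0.4", 200),                                    # 200 < min -> yellow
    ("10.0.0.5", "10.0.0.6", 900), ("10.0.0.5", "10.0.0.6", 600),     # 1500 -> green
])

if __name__ == "__main__":
    for key, (color, message) in evaluate(SAMPLE).items():
        print(key, color, message)
```

Running it prints one line per rule key (source/destination pair), which is the granularity the Add to rule key setting gives the rule. Two details carry over to the real configuration: the per-key sum is over the whole 10-second window, so thresholds in the variables are bytes per window, and the terms are checked top to bottom with the first match ending evaluation, so a default term with no WHEN condition must stay last.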