- 18 Jul 2023
- 6 Minutes to read
- Print
- DarkLight
- PDF
Netreo Intro Guide – Part 4 Advanced Topics
- Updated on 18 Jul 2023
- 6 Minutes to read
- Print
- DarkLight
- PDF
This is part 4 of the Intro Guide. See part 3 here.
Threshold Checks
Netreo static threshold checks are a way of monitoring the values of the statistics collected by Netreo from a specific device (cpu and memory usage, bandwidth, etc.). They can report on occurrences of both high and low utilization, and even on a deviation from previous utilization (anomaly, see below). It is important to understand that a Netreo threshold check does not simply monitor a static threshold value; it’s a complete monitoring tool with many options and capabilities.
Threshold checks can be configured with two alarm states: WARNING and CRITICAL. You can set static values for either state, or one or the other. You also have the option of configuring the check to monitor for high and/or low values.
WARNING states indicate that a resource has exceeded its normal range of acceptable values (high or low), but has not yet hit critical usage levels.
CRITICAL states indicate that a resource’s usage has exceeded critical levels, which could create serious problems and should be addressed immediately.
Both WARNING and CRITICAL alarms display on the Netreo dashboards, but only CRITICAL alarms open incidents.
See the threshold check entry for a thorough explanation of how threshold checks work and how to configure them.
Threshold Anomaly Checks
Netreo has the ability to monitor not only static performance threshold values, but dynamically-adjusting values, as well. These dynamic thresholds are called "anomaly checks" in Netreo and are built into the standard static threshold check.
An anomaly check watches the performance of a specific statistic over a user-defined period of time. It comes to understand what "normal" performance for that period looks like, and can then alert you to anomalous behavior. Because it looks at a statistic over time, it can adapt to gradual changes in performance that constitute a new normal (unlike a static performance threshold which only ever cares whether or not the statistic exceeds a single static value at any given moment).
Just like a static threshold check, anomaly checks offer two alarm states: WARNING and CRITICAL (as above).
See the threshold check entry for a thorough explanation of how threshold anomaly checks work and how to configure them.
Application Monitoring
Netreo can monitor the availability and performance of applications and services running on your managed devices through the use of subtypes. Subtypes can be applied to a device based on it device type so that Netreo knows that additional information can be collected from that device and how it should be done.
Requirements for monitoring specific applications can vary widely, but a few applications which are often mission-critical that you should consider monitoring at the application level include SQL (MSSQL, Oracle, MySQL), web applications (including shared or cloud-hosted applications), email (locally hosted or cloud-based), and DNS.
Firewall Notes
- SQL: Netreo will require SQL access to the server in question. MSSQL is often on the default port of TCP/1433. Oracle uses a complex series of ports, documented here. MySQL is often on port TCP/3306.
- Web/Cloud: Port TCP/80 or TCP/443, or occasionally a custom port.
- Email: SMTP on port TCP/25, TCP/587, or TCP/465; and IMAP on port TCP/143 or TCP/993.
- DNS: Port UDP/53
Application Response Time (ART) Monitoring
Netreo has two checks for monitoring application response times, the WebART check for web applications and the email application check for email applications. Both use a form of synthetic monitoring to check the availability of their respective applications and benchmark their performance.
The Application Performance dashboards for these checks display detailed performance data and breakdowns for each synthetic step in the check, as well as overall application status and total response times. Business workflows can be associated with each check, so that the status of their member devices will be displayed along with the check data, allowing you to look for correlations between device issues and network traffic problems.
There are no WebART or email application checks included by default in Netreo, so you will have to manually add any checks that you want included in your monitoring plan.
NetFlow
Netreo supports NetFlow (version 5 or 9), sFlow and IPFIX export from devices for traffic and protocol analysis and volume information. Flow export technologies such as these cause network devices (typically layer 3 devices like routers) to send “accounting level” information to Netreo (which includes source and destination address, port, protocol, and volume data) for reporting purposes, in order to provide deeper performance information.
NetFlow is a push technology and cannot be controlled from within Netreo. So, in order for it to work correctly, NetFlow must be properly configured by you, on each of the devices in your network from which you want Netreo to receive data. When configuring flow technologies such as these, the goal is to configure the fewest number of exporters possible while still insuring that Netreo can collect data on all the required traffic. To help avoid duplicate flow data in hub and spoke networks, configure all devices to send data only on the inbound or outbound interfaces, not both. However, for full mesh networks, it may be necessary to configure flow on both the inbound and outbound interfaces to prevent missed data. Netreo automatically detects and processes duplicate flows to avoid creating incorrect traffic counts, but this can use excessive resources if over-configured. The correct steps to properly configure NetFlow on your particular devices are outside the scope of the Netreo documentation. Therefore, it is highly recommended that you consult with your router or other device manufacturer to determine and understand these steps.
Once properly configured, NetFlow data is used to populate the "Traffic" widget on the Consolidated Dashboard, and can be associated with WebART checks and displayed alongside their application performance data to aid in troubleshooting.
General Recommendations
- Use NetFlow Version 5 or greater.
- Configure NetFlow to export to the host address of Netreo using port UDP/2055.
- Configure sFlow to export to the host address of Netreo using port UDP/2056.
- Netreo uses subnet information to correlate traffic with source/destination sites, so ensure that you have configured or detected the required subnets in Netreo.
- Avoid creating duplicate flow reporting by configuring flow on the minimum number of interfaces possible to get the information your need.
- Configure NetFlow on all of the outbound interfaces or all of the inbound interfaces only of layer 3 devices whenever possible.
Netreo supports multiple versions of NetFlow, including IPFIX, and by default is configured on port UDP/2055 originating from the device—but the port number can vary by environment.
See NetFlow Monitoring for more information.
Reports
Netreo is capable of many complex and in-depth reports, many of which are beyond the scope of this introductory guide. However, the Netreo Built-In Reports page has a good selection of basic reports that you can look at, with brief accompanying explanations. Netreo can also be instructed to send specific reports on a one-time or repeating schedule. To open the Built-In Reports page, select Reports > Built-In from the main menu.
The Netreo Mobile App
Integrating your Netreo appliance with the Netreo Cloud enables several exciting features, such as:
- Mobile app integration - You can install the free Netreo mobile app on your iOS or Android device, and view and acknowledge incidents from anywhere. You can also receive push notifications for any alerts generated by Netreo.
- Cloud Heartbeat - If your Netreo appliance loses connectivity to the Netreo Cloud, your mobile device will receive a push notification, allowing you to be alerted even if your Internet links or firewalls have all failed.