Cisco Secure network Analytics - NVM module

aleksta9826435
Level 1

Hello

Does anyone here have experience with the NVM module that is possible to have within the Secure Client?
How does SNA handle a large amount of NVM flows? Let's say between 5K -> 10K clients.

Ideally, is it worth setting up a dedicated Flow Collector for this? Or could NVM flows be sent to a Flow Collector that also handles other telemetry data?

And my last thing. Custom Events + other Core Events, could those be applied to NVM telemetry?

Thanks

11 Replies

David Salter
Cisco Employee

NVM needs to be processed by a collector processing NetFlow from the same address ranges. NVM adds telemetry to the 'core' telemetry that feeds the analytics engine.
Based on our experience with NVM since introducing support, a typical endpoint generates 1 fps, so having 5k-10k endpoints adds around 5k-10k fps to the load being processed by a Flow Collector. A single Flow Collector 4200 appliance can typically process up to 120k fps; the 5200 can process up to 240k fps.

Thanks for this information.

I'm receiving today around 30K FPS from L3 units. This NetFlow telemetry is coming in through one Flow Collector.

Would you recommend setting up one more Flow Collector for the NVM? Or could my single Flow Collector handle both the L3 units and the NVM?

"NVM adds telemetry to the 'core' telemetry that feeds the analytics engine"
So what do you mean by this? Will the "Analytics" function also analyze the NVM telemetry?

One more thing, sorry.
Do you know if the "Analytics" function in SNA is cloud based? I'm unable to find any Cisco documentation regarding this.
When I enabled it, nothing says that it is a cloud function, just that it will consume hardware resources etc.

Thanks

David Salter
Cisco Employee

If you could share the spec of your Flow Collector I can give you an idea of potential capacity.
Aside from the optional Threat Feed that the SMC pulls updates to identify connections to known C&C networks, Botnets and TOR entry/exit nodes, the analytics are built into the Flow Collector. I can recommend the Security Events and Alarm Categories document at https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_5_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf .

If you have Data Store, the additional Analytics being enabled were originally developed for Secure Cloud Analytics (now part of Cisco XDR), and again these are on the box, there's no data being sent to the cloud.

There are no NVM specific behaviors being detected today, the additional telemetry from NVM is added to reports to aid investigation.

I'm running an on-prem deployment, with one Flow Collector, one Data Store and one Manager.

My Flow Collector is dimensioned with:
8vCPU
64GB RAM
200GB storage

So it should handle 100,000 internal hosts fine. That's a lot more than what I have.

I've been looking at that documentation but I find it hard to start.

Perfect! Thanks for the answer about the "Analytics" function.

Okay, I see. Is there any news on when NVM-specific behaviours will be happening?
It would be great if the NVM telemetry data is visible under "Investigate" --> "Flow Search".

Thanks

Don't forget that all training (including scheduled classes) is available via https://learnsecureanalytics.cisco.com/. Much of the content is self-paced and divided into short sessions.

I don't have anything around roadmap for NVM specific behaviors, by all means reach out to me via davsalte@cisco.com if this is a critical feature so I can connect you with our Product Management team.

I see.

Been there and completed some "foundational courses". But I will look more into whether there's anything NVM related.

It would be great if you could give me some ideas. I shared my Flow Collector's specs above.
"If you could share the spec of your Flow Collector I can give you an idea of potential capacity."

I'll keep that in mind.

Thanks

Based on recommended configurations your config has a potential storage bottleneck if you are monitoring more than 25k internal hosts.

[attached image]

Sorry, I wrote the dimensions wrong. I have 400 GB of disk allocated.
That supports up to 100,000 internal hosts.

Is it possible in the UI to see how many internal hosts my SNA monitors?
Under "Investigate" -> "Hosts" it says about 2K hosts.

David Salter
Cisco Employee

The number of internal hosts is the number in brackets next to Inside Hosts in the report you referred to. This relies on all address space being used internally being included in the definition of the 'Catch All' Host Group, as this group defines the internal address space being monitored by SNA.
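
Because the Inside Hosts count depends on the 'Catch All' Host Group covering every internally used range, here is an added Python check (not from the thread or from any Cisco tool) that tests endpoint IPs seen in flow telemetry against a constructed Catch All definition and flags private addresses that fall outside it, since those would not be counted as inside hosts.

```python
"""
Added example: audit whether observed endpoint IPs fall inside the
'Catch All' Host Group definition. Constructed sample data throughout;
this is not Cisco code and does not talk to SNA.
"""
import ipaddress
from collections import Counter

# Constructed: CIDRs currently defined in the Catch All host group.
CATCH_ALL = ["10.0.0.0/8", "192.168.10.0/24"]

# Constructed: client IPs observed in flow records (e.g. NVM endpoints).
# 8.8.8.8 stands in for a genuinely external (public) address.
OBSERVED = [
    "10.1.2.3", "10.1.2.4", "192.168.10.20",
    "192.168.50.7", "172.16.5.9", "8.8.8.8",
]


def classify_hosts(observed, catch_all):
    """Split observed IPs into (inside, uncovered_private, public).

    'uncovered_private' are RFC1918-style addresses that are not in the
    Catch All definition; SNA would treat them as outside hosts, which is
    one reason the Inside Hosts figure can look far too low.
    """
    nets = [ipaddress.ip_network(c) for c in catch_all]
    inside, uncovered_private, public = [], [], []
    for ip in observed:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            inside.append(ip)
        elif addr.is_private:
            uncovered_private.append(ip)
        else:
            public.append(ip)
    return inside, uncovered_private, public


def suggest_missing_prefixes(uncovered_private, prefixlen=24):
    """Summarise uncovered private hosts into prefixes to review for
    inclusion in the Catch All group, as (prefix, host_count) pairs."""
    counts = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        for ip in uncovered_private)
    return sorted(counts.items())


if __name__ == "__main__":
    inside, uncovered, public = classify_hosts(OBSERVED, CATCH_ALL)
    print(f"inside: {len(inside)}  uncovered private: {len(uncovered)}  "
          f"public: {len(public)}")
    for prefix, n in suggest_missing_prefixes(uncovered):
        print(f"  review {prefix} ({n} host(s)) for the Catch All group")
```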

I see. 

But around 2K is very, very far away from the 100K hosts that my Flow Collector can inspect/analyze.

I've seen some weird log messages in my Flow Collector recently:
"flow collector longest export exceeded"

It seems like it is related to high-volume traffic or performance issues on the Flow Collector, which is weird given the above.

Maybe I should open a TAC for this.

David Salter
Cisco Employee

This alarm can often indicate a flow export configuration issue on the exporter. It's not a performance issue on the Flow Collector.