Detecting Backup Traffic During Working Hours With Flow Alerting
Backup is a network-intensive operation, and network traffic has physical constraints. If you time it poorly, backup can lead to significant network slowdown, resulting in performance issues for the whole server infrastructure. To alleviate this, backup operations should be performed during days and hours with low traffic (during holidays or at night) so as to leave enough bandwidth for more urgent tasks.
In order to do this, you first need to identify the backup traffic that goes through the network when it is not supposed to. Once the origin of such traffic is discovered, appropriate measures can be taken to fix the problem.
Once the network congestion problems are detected and resolved on time, users and clients can use the network uninterrupted by system administration tasks.
The SevOne 5.6 platform – along with Cisco iOS NetFlow – can achieve this goal.
1. Make sure your SevOne installation is configured to Allow NetFlow traffic. This can be achieved by going to Administration -> Flow Configuration -> Flow Rules. On the interface, make sure all rules have Allow permission.
2. Setup SevOne as a NetFlow collector in your network and make sure you start to receive NetFlow traffic by going to Administration -> Flow Configuration -> Flow Interface Manager. You should see a non-zero number in Total Flows column for the routers. Also, make sure you allow all directions.
3. Now we have to create a Filter for backup traffic. Let’s assume your backup machines have the following subnet: 192.168.254.0 and you are using rsync on port 873 for your daily backups. Create a new filter from Applications -> FlowFalcon Reports -> Filters section.
Under the filters section add a rule for the port:
- Field: Application Port
- Boolean: Is
- Operator: Equal To
- Value: 873
Add another rule for subnet:
- Field: Application IP
- Boolean: Is
- Operator: Mask
- Value: 192.168.254.0
- AND: 255.255.255.0
Click Save Filter As New and choose a name for your filter e.g. Backup Ops.
Your filter should look like this:
4. Now we can create alert policy from Events -> Configuration -> Policy Browser -> New Policy.
- Technology Type: Flow
It allows you to enter NetFlow-specific settings
- Name: Backup During Working Hours
The name of our new Policy
- Aggregated view: Top Conversations and Direction
That aggregated view contains Client IP, Application IP and Bandwidth
- Filter: Backup Ops
Only traffic from / to backup subnet
- Direction: Any
All backup or restore operations from backup subnet
- Schedule: Choose the hours when you don’t want backup to occur
- Email: Add the e-mails of the users you want to be notified e.g. email@example.com
General Settings should look like this:
Click on Trigger Condition and create a trigger condition with the following settings:
- Fields: Bandwidth
- Aggregation: Total
- Comparison: Is Greater Than
Then click Save As New to save your new policy. You’re all set.
Now, when a backup action occurs during the working hours, the SevOne platform will trigger an alert, and you will receive email notification.
Visit our Flow Monitoring page for complete details on our reporting capabilities.