Flowmon

Tracking Devices and Users in Your Network

13/05/20

Is the DHCP pool large enough? How many users are authenticated during the day? On how many devices is one user authenticated? In this article, we will demonstrate how you can check this easily with Flowmon’s improved Active Devices functionality.

Working from home has changed the traffic pattern in corporate networks. Network operation teams need to understand how many devices or users are connected to their network via VPN to ensure proper capacity and guarantee the SLA. Flowmon can provide insight into the relevant network metrics through a feature called Active Devices.

Active Devices is a built-in feature of the Monitoring Center. In principle, it is a dedicated database with a summary of the information used for identifying a particular host: IP address, MAC address, User ID, VLAN, Host OS (from the User-Agent header in HTTP traffic), and the time of the network activity. This information is extracted from the network telemetry itself. Thanks to this, we can display all devices from a given subnet, or display activity information for a specific device.

One of our customers had the idea of using this functionality to check the number of IP addresses that were in use at the same time. With too many clients, the DHCP pool can become exhausted, and VPN services then fail for users who are trying to connect. By tracking the number of active devices (IPs) over time, you are able to understand whether the capacity of the DHCP pool is sufficient. At a time when most users work remotely, often on BYOD devices, more devices may be connected via VPN than the administrator assumed.

The standard approach to identifying individual devices is based on the physical address (the MAC address on L2). However, this approach is not helpful for the described customer’s use case. In this specific case, the source of network telemetry is a FortiGate. The physical (MAC) addresses visible within the flow data correspond to router interfaces: VPN traffic is decapsulated from the tunnel and traverses the network with the physical address of the router. This means that multiple IP addresses are visible under the same MAC address. This is not only a situation related to VPN traffic; it is a general principle of network communication wherever routing is involved, because the source MAC is rewritten at every L3 hop.

To support the customer's use case, we need to change the device identification from the physical address to the network address (from the MAC address on L2 to the IP address on L3), as the goal is to see individual IPs, not MACs.

Based on this feedback, we have extended the scope of use cases for Active Devices in Flowmon 10.3.8. From this version on, you can choose which parameter identifies a device in the network: MAC address (the original setting), IP address, User ID, or a combination of parameters, User ID-IP address or User ID-MAC address. This setting can be found in the Configuration Center under FMC Configuration -> Active devices -> Basic Settings: Identify device by. Which option should be used depends on the specific use case and the goals you are trying to achieve. The global setting may not fit all use cases, so there is an option to override it when querying the data.

FMC configuration
  • MAC address - devices are identified based on their physical address (L2). Especially useful when Flowmon Probes receive a mirror of east-west traffic in specific L2 subnets before the traffic passes a router and the physical address is changed. When a network switch is the source of the data, MAC addresses are required in the export, so you might need to check the corresponding documentation.
  • IP address - devices are identified based on their network address (L3). Especially useful when you want to verify the number of simultaneously used addresses in the network. Also the alternative when MAC addresses are not exported, or the traffic is monitored after it has passed a router interface.
  • User ID - useful when you want to observe the number of authenticated and active users and you do not care about the devices on which each user is authenticated, just the active users.
  • User ID, MAC address - similar to the previous option, but a user authenticated on two devices identified on L2 by MAC address will be counted twice.
  • User ID, IP address - similar to the previous option, but a user authenticated on two devices identified on L3 by IP address will be counted twice.
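The following Python script is an added example, not Flowmon code, that reproduces the counting logic described above on a handful of constructed flow records: it groups flows into time buckets, counts distinct devices under each of the five identification keys, optionally limits the count to one subnet, and compares the peak number of active IPs against a DHCP pool size. The flow records, the router interface MAC, the VPN subnet and the pool size are all invented for the illustration; they are not from a real FortiGate export. Note how the MAC-based count collapses every VPN client behind the gateway to a single device, while the IP-based count shows the value the DHCP capacity check actually needs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (hypothetical, not a real FortiGate export).
# VPN clients in 10.212.1.0/24 are seen after decapsulation, so every one of
# them carries the gateway's inside interface MAC; the LAN host 192.168.5.20
# is mirrored before routing and keeps its own MAC.
ROUTER_MAC = "00:09:0f:aa:bb:cc"          # hypothetical gateway interface MAC
FLOWS = [
    {"ts": "2020-05-13T08:01:10", "ip": "10.212.1.10", "mac": ROUTER_MAC, "user": "alice"},
    {"ts": "2020-05-13T08:02:40", "ip": "10.212.1.11", "mac": ROUTER_MAC, "user": "bob"},
    {"ts": "2020-05-13T08:03:05", "ip": "10.212.1.12", "mac": ROUTER_MAC, "user": "alice"},  # alice's 2nd (BYOD) device
    {"ts": "2020-05-13T08:04:30", "ip": "10.212.1.10", "mac": ROUTER_MAC, "user": "alice"},
    {"ts": "2020-05-13T08:05:00", "ip": "192.168.5.20", "mac": "3c:52:82:11:22:33", "user": "dave"},
    {"ts": "2020-05-13T08:20:00", "ip": "10.212.1.13", "mac": ROUTER_MAC, "user": "carol"},
    {"ts": "2020-05-13T08:25:00", "ip": "10.212.1.11", "mac": ROUTER_MAC, "user": "bob"},
]

# The five "Identify device by" options, expressed as the record fields that
# together form the device key.
KEY_FIELDS = {
    "mac": ("mac",),
    "ip": ("ip",),
    "user": ("user",),
    "user_mac": ("user", "mac"),
    "user_ip": ("user", "ip"),
}


def device_key(flow, identify_by):
    """Return the tuple that identifies a device under the chosen option."""
    return tuple(flow[f] for f in KEY_FIELDS[identify_by])


def active_devices_per_bucket(flows, identify_by, bucket_minutes=15, subnet=None):
    """Count distinct devices per time bucket, the way an Active Devices
    widget plots them. `subnet` (CIDR string) restricts the count to one
    address range, e.g. the VPN client pool. Keys are ISO bucket start times."""
    net = ipaddress.ip_network(subnet) if subnet else None
    seen = defaultdict(set)
    for f in flows:
        if net is not None and ipaddress.ip_address(f["ip"]) not in net:
            continue
        ts = datetime.fromisoformat(f["ts"])
        bucket = ts.replace(minute=(ts.minute // bucket_minutes) * bucket_minutes,
                            second=0, microsecond=0)
        seen[bucket.isoformat()].add(device_key(f, identify_by))
    return {b: len(keys) for b, keys in sorted(seen.items())}


def peak_active(flows, identify_by, **kwargs):
    """Highest per-bucket device count for the chosen identification."""
    return max(active_devices_per_bucket(flows, identify_by, **kwargs).values(), default=0)


def compare_identification(flows, **kwargs):
    """Peak active count under every identification option side by side."""
    return {opt: peak_active(flows, opt, **kwargs) for opt in KEY_FIELDS}


def dhcp_pool_check(flows, pool_size, subnet, warn_ratio=0.8):
    """Compare peak concurrently active IPs in `subnet` against the DHCP pool
    size and flag when utilisation reaches `warn_ratio` of the pool."""
    peak = peak_active(flows, "ip", subnet=subnet)
    return {
        "peak_ips": peak,
        "pool_size": pool_size,
        "utilisation": peak / pool_size,
        "warning": peak >= warn_ratio * pool_size,
    }


if __name__ == "__main__":
    vpn = "10.212.1.0/24"
    print("Whole network:", compare_identification(FLOWS))
    print("VPN clients only:", compare_identification(FLOWS, subnet=vpn))
    print("Active IPs per 15 min (VPN):", active_devices_per_bucket(FLOWS, "ip", subnet=vpn))
    print("DHCP check (pool of 4, hypothetical):", dhcp_pool_check(FLOWS, 4, vpn))
```

Run on the constructed data, the VPN-only comparison gives mac=1, ip=3, user=2, user_mac=2 and user_ip=3 in the busiest bucket: the MAC view is blind to the individual VPN clients, the User ID view hides alice's second device, and only the IP view (or User ID-IP) tells you how many leases the pool must hold at once.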

How to take advantage of improved Active Devices

The best place is the Flowmon Dashboard, where you can add a new Active Devices widget to any of your tabs as before, and now you can also adjust how devices are identified.

New widget Flowmon

What’s more, you can expose this parameter on the widget itself, so you can switch the view directly on the dashboard without drilling down into the widget configuration. You still have the option to limit the presented data to a particular subnet, e.g. VPN clients only:

Data settings

This way, the widget shows the number of active IP addresses over time for VPN clients, which is exactly what our use case required.

Active devices

The changes to the Active Devices concept and the choice of device identification are not limited to VPN-related use cases. Device identification based on L3 network information (IP addresses) is beneficial for anyone who uses flow data without L2 information, or who monitors backbone links where the visible MAC addresses belong only to routers. From now on, Flowmon users can choose how to present the collected network telemetry with respect to the use case or the specifics of individual network segments.