Netify DPI - Network Policy Engine

This document provides details on how to use the Netify DPI Network Policies Engine to identify Layer 7 application/protocol traffic using native Layer 3 network tools.

Before getting started, please take 5 minutes to read the Network Policies Overview document.

The Netify Network Policy Engine makes it possible to use a wide variety of existing Linux tools to manage and identify Layer 7 network traffic:

  • tc - traffic control
  • ip rule - multiWAN routing policies
  • iptables/nftables - firewalling and audit trails
  • any custom tools using ipsets or firewall marks
Netify Network Policy Engine

Netify Policy Configuration

The two primary configuration types used by Netify's Network Policy Engine are described in the table below:

Type    Description
ipset   Creates and maintains an IP set for a given detection
mark    Marks traffic for a given detection

The configuration below shows two simple examples. The tags used to select detections (e.g. streaming-media and bittorrent in the example configuration) are documented in a separate tag reference.

  • Rule #1 - All streaming media detections (Netflix, YouTube, etc.), selected by the application_category tag, will be maintained in an IP set
  • Rule #2 - All BitTorrent traffic, selected by the protocol tag, will be marked with the specified firewall mark (3)

{
  "version": "1.0",
  "rules": [
    {
      "type": "ipset",
      "application_category": "streaming-media"
    },
    {
      "type": "mark",
      "protocol": "bittorrent",
      "mark": 3
    }
  ]
}

Policies in Action

# ipset list
...

Name: NFA4_APPCAT_STREAMING_MEDIA
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 1200
Size in memory: 352
References: 2
Number of entries: 2
Members:
45.57.90.1,tcp:443,192.168.1.169 timeout 1195
54.160.93.182,tcp:443,192.168.1.169 timeout 1195
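The listing above is what the tools named at the top of this page (tc, ip rule, iptables) consume. The following script, an added example that is not part of Netify's documentation or code, builds the commands for all three uses: an iptables audit trail and a tc rate cap keyed on the IP set, and an ip rule that policy-routes the BitTorrent mark. Only the set name NFA4_APPCAT_STREAMING_MEDIA, its hash:ip,port,ip layout and the mark value 3 come from this page. The interface names, rates, routing table id and gateway are placeholders, the member column order (remote IP, remote port, local IP) is inferred from the sample entries, and the script assumes the classic ipset kernel path (iptables -m set, tc em_ipset) and that Netify applies the mark before the routing decision. It prints the commands by default and only executes them with APPLY=1.

```shell
#!/bin/sh
# Added example (not Netify's own code): turn the objects the policy engine
# maintains into iptables, tc and ip-rule commands. From the page: the set name
# NFA4_APPCAT_STREAMING_MEDIA, its hash:ip,port,ip layout and mark value 3.
# Everything else (interfaces, rates, table id, gateway) is an assumed placeholder.
set -eu

SET_NAME="NFA4_APPCAT_STREAMING_MEDIA"   # created by rule #1 ("type": "ipset")
BT_MARK=3                                # set by rule #2 ("type": "mark")
LAN_IF="${LAN_IF:-eth1}"                 # assumed LAN-facing interface (egress = downloads)
WAN2_IF="${WAN2_IF:-eth2}"               # assumed second WAN used for BitTorrent
WAN2_GW="${WAN2_GW:-203.0.113.1}"        # assumed WAN2 gateway (RFC 5737 documentation range)
BT_TABLE="${BT_TABLE:-100}"              # assumed policy-routing table id
STREAM_CEIL="${STREAM_CEIL:-20mbit}"     # assumed ceiling for streaming media downloads

# Set members read remote_ip,proto:remote_port,local_ip
# (e.g. 45.57.90.1,tcp:443,192.168.1.169), so the three match-set dimensions
# must follow the packet: a LAN->WAN packet carries the remote side in its
# destination fields, the reply carries it in its source fields.
match_set_flags() {
  case "$1" in
    out) printf '%s\n' "dst,dst,src" ;;
    in)  printf '%s\n' "src,src,dst" ;;
    *)   echo "match_set_flags: direction must be in or out" >&2; return 1 ;;
  esac
}

# Audit trail: count and (rate-limited) log forwarded packets of detected
# streaming flows in both directions.
streaming_audit_cmds() {
  cat <<EOF
iptables -N NETIFY_STREAM
iptables -A FORWARD -m set --match-set $SET_NAME $(match_set_flags out) -j NETIFY_STREAM
iptables -A FORWARD -m set --match-set $SET_NAME $(match_set_flags in) -j NETIFY_STREAM
iptables -A NETIFY_STREAM -m limit --limit 6/min -j LOG --log-prefix "netify-stream: "
iptables -A NETIFY_STREAM -j RETURN
EOF
}

# Traffic control: cap streaming downloads on the LAN interface. The ipset
# ematch (kernel option NET_EMATCH_IPSET) lets tc consult the set directly;
# a packet leaving the LAN interface is a reply, hence the "in" flags.
streaming_shaping_cmds() {
  cat <<EOF
tc qdisc add dev $LAN_IF root handle 1: htb default 20
tc class add dev $LAN_IF parent 1: classid 1:1 htb rate 100mbit
tc class add dev $LAN_IF parent 1:1 classid 1:10 htb rate 5mbit ceil $STREAM_CEIL
tc class add dev $LAN_IF parent 1:1 classid 1:20 htb rate 50mbit ceil 100mbit
tc filter add dev $LAN_IF parent 1: protocol ip prio 1 basic match 'ipset($SET_NAME $(match_set_flags in))' flowid 1:10
EOF
}

# Multi-WAN: packets carrying mark 3 (BitTorrent) use a dedicated routing table.
bittorrent_routing_cmds() {
  cat <<EOF
ip route replace default via $WAN2_GW dev $WAN2_IF table $BT_TABLE
ip rule add fwmark $BT_MARK table $BT_TABLE
ip route flush cache
EOF
}

all_policy_cmds() {
  streaming_audit_cmds
  streaming_shaping_cmds
  bittorrent_routing_cmds
}

# Dry-run by default; APPLY=1 executes the commands (needs root and the tools above).
main() {
  if [ "${APPLY:-0}" = "1" ]; then
    all_policy_cmds | while IFS= read -r cmd; do
      echo "+ $cmd"
      eval "$cmd"
    done
  else
    all_policy_cmds
  fi
}
main
```

Two caveats apply to any consumer of these objects. Entries are only added once DPI has classified a flow, so the first packets of every connection pass before the set match or the mark takes effect, and they expire after the set's timeout (1200 s in the listing above) unless refreshed. For the multi-WAN case this means a connection that was already NATed out the primary WAN cannot be moved to WAN2 mid-flow; the ip rule mainly affects subsequent packets and connections that are marked early enough.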

Integration and Custom Solutions

Do you have any questions about integration, APIs or custom development?

Contact Us