Network Policy Engine
Netify DPI - Network Policy Engine
This document describes how to use the Netify DPI Network Policy Engine to expose Layer 7 application/protocol detections to native Layer 3/4 network tools, so that traffic identified by deep packet inspection can be filtered, routed and shaped with the tools you already have.
Be sure to read the Network Policies Overview document first!
The Netify Network Policy Engine makes it possible to use a wide variety of existing Linux tools to manage Layer 7 network traffic that Netify has identified:
- tc - traffic control
- ip rule - multi-WAN policy routing based on firewall marks
- iptables/nftables - firewalling and audit trails
- any custom tools that consume IP sets or firewall marks
Netify Policy Configuration
The two primary configuration types used by Netify's Network Policy Engine are described in the table below:
Type | Description |
---|---|
ipset | Creates and maintains an IP set containing the flows that match a given detection |
mark | Sets a firewall mark on the traffic that matches a given detection |
The configuration below shows two simple examples:
- Rule #1 - All streaming media detections (Netflix, YouTube, etc.) will be maintained in an IP set
- Rule #2 - All BitTorrent traffic will be marked with the specified mark (3)
For quick reference, the detection tags used in rules (e.g. streaming-media and bittorrent in the example configuration) are listed in the Netify application and protocol reference documentation:
```json
{
  "version": "1.0",
  "rules": [
    {
      "type": "ipset",
      "application_category": "streaming-media"
    },
    {
      "type": "mark",
      "protocol": "bittorrent",
      "mark": 3
    }
  ]
}
```
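The following script is an added example and is not part of the Netify documentation or code base. It shows how the two objects produced by the rules above (the streaming-media IP set and the BitTorrent firewall mark) are consumed by iptables, ip rule and tc. The set name NFA4_APPCAT_STREAMING_MEDIA and mark 3 are taken from the example configuration and the ipset listing in the next section; the LAN interface, the routing table number, the tc class IDs and the log prefixes are assumptions made here for illustration. With RUN left at its default of echo the script only renders the commands, so it can be reviewed without root; set RUN to an empty string to apply them.

```shell
#!/bin/sh
# Added example (not Netify's own code). Consumes the IP set and firewall
# mark that the two example rules produce. LAN_IF, WAN2_TABLE, the tc class
# IDs and the log prefixes are assumed values, not taken from the page.
LAN_IF="${LAN_IF:-eth1}"
WAN2_TABLE="${WAN2_TABLE:-200}"
STREAM_SET="NFA4_APPCAT_STREAMING_MEDIA"   # created by rule #1 (ipset)
BT_MARK=3                                  # set by rule #2 (mark)

# RUN=echo renders the commands without applying them (no root needed);
# RUN="" executes them on a live system.
RUN="${RUN:-echo}"

render_rules() {
    # 1) Audit trail. The set type is hash:ip,port,ip and entries are stored
    #    as <remote-ip>,<proto:port>,<lan-client-ip>, so for LAN-to-Internet
    #    packets on the forward path the match direction is dst,dst,src.
    $RUN iptables -A FORWARD -m set --match-set "$STREAM_SET" dst,dst,src \
        -j LOG --log-prefix "NETIFY_STREAMING: "
    #    Return traffic is the mirror image: src,src,dst.
    $RUN iptables -A FORWARD -m set --match-set "$STREAM_SET" src,src,dst \
        -j LOG --log-prefix "NETIFY_STREAMING_RET: "

    # 2) Multi-WAN policy routing: anything Netify marked as BitTorrent
    #    (fwmark 3) is routed via the second WAN routing table.
    $RUN ip rule add fwmark "$BT_MARK" table "$WAN2_TABLE"

    # 3) Shaping: marked flows are steered into a rate-limited HTB class,
    #    everything else falls through to the default class 1:10.
    $RUN tc qdisc add dev "$LAN_IF" root handle 1: htb default 10
    $RUN tc class add dev "$LAN_IF" parent 1: classid 1:10 htb rate 100mbit
    $RUN tc class add dev "$LAN_IF" parent 1: classid 1:30 htb rate 5mbit ceil 10mbit
    $RUN tc filter add dev "$LAN_IF" parent 1: protocol ip \
        handle "$BT_MARK" fw flowid 1:30
}

render_rules
```

The direction flags on --match-set are the detail most often got wrong: the set is keyed on three fields in the order the members are listed (remote address, protocol:port, LAN client), and iptables must be told which packet fields to test against each of them, so a rule written with the default src,src,src would never match.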
Policies in Action
```
# ipset list
...
Name: NFA4_APPCAT_STREAMING_MEDIA
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 1200
Size in memory: 352
References: 2
Number of entries: 2
Members:
45.57.90.1,tcp:443,192.168.1.169 timeout 1195
54.160.93.182,tcp:443,192.168.1.169 timeout 1195
```
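The script below is an added example, not part of the Netify documentation, showing how to turn the `ipset list` output above into a per-client audit report (which LAN hosts currently have streaming flows, to which remote endpoints, and how long before each entry expires). The listing from this page is embedded as a constructed sample so the script runs offline; on a live system feed it the output of `ipset list NFA4_APPCAT_STREAMING_MEDIA` instead. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not Netify's own code): parse `ipset list` output into a
# per-client view. SAMPLE is the listing from the page, embedded here so the
# script runs without a live ipset.
SAMPLE='Name: NFA4_APPCAT_STREAMING_MEDIA
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 1200
Size in memory: 352
References: 2
Number of entries: 2
Members:
45.57.90.1,tcp:443,192.168.1.169 timeout 1195
54.160.93.182,tcp:443,192.168.1.169 timeout 1195'

# Print one line per member:
#   <lan-client> <remote-ip> <proto> <port> <seconds-until-expiry>
# Members of a hash:ip,port,ip set are <ip>,<proto:port>,<ip>; for this set
# the first ip is the remote endpoint and the second is the LAN client.
parse_members() {
    printf '%s\n' "$1" | awk '
        /^Members:/ { in_members = 1; next }
        in_members && NF >= 1 {
            split($1, f, ",")            # f[1]=remote ip, f[2]=proto:port, f[3]=lan client
            split(f[2], pp, ":")         # pp[1]=proto, pp[2]=port
            ttl = ($2 == "timeout") ? $3 : "-"
            print f[3], f[1], pp[1], pp[2], ttl
        }'
}

# Count active streaming flows per LAN client (sorted by client address).
flows_per_client() {
    parse_members "$1" | awk '{ n[$1]++ } END { for (c in n) print c, n[c] }' | sort
}

parse_members "$SAMPLE"
flows_per_client "$SAMPLE"
```

The set header's timeout of 1200 seconds is what makes this useful as an audit trail: entries are refreshed while the flow is active and expire on their own afterwards, so the listing reflects recent activity without any cleanup on your side, and the "seconds-until-expiry" column shows how stale each entry is.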