Agent Settings

Agent settings in Netify v5 control the core behavior of the DPI engine, resource allocation, flow tracking, and performance tuning. These configuration options allow you to optimize the agent for your specific deployment environment and performance requirements.

Whether you are deploying on embedded systems with limited resources, high-throughput gateway deployments, or dedicated analysis appliances, proper configuration of these settings is critical to achieving optimal DPI accuracy and performance. This reference documents all available configuration parameters, their default values, and guidance on when to adjust them.

You can make custom configuration changes to the Netify agent by modifying Netify's main profile configuration file, /etc/netifyd/profiles.d/10-default.conf. Changes made to this file remain persistent across reboots and upgrades.


Optimizations

Core Dumps

The netifyd_enable_coredumps option should be set to no on production systems. On test or development systems, enabling core dumps can help identify stability issues that may later appear in production.

  • Core dumps do not include debug symbols unless a special debug build is in use (i.e., binaries are not stripped).
  • As a result, core dumps generated from standard production packages are of limited value for root cause analysis.
  • For meaningful debugging, contact Netify Support for custom debug packages and libraries.

Serial Numbers

The path_uuid_serial field can point to a regular file containing a unique string; this case is rarely used, however, because the string must be exactly 32 bytes in length. More often, an integrator sets the path to an executable that extracts the unique value. With an executable script, a value of any length can be used, provided it carries enough entropy. Two examples are listed below:

[netifyd]
...
path_uuid_serial = /usr/share/netifyd/get-serial.sh

Script Example 1 - Activation Key in File

#!/bin/sh
if [ -f /var/distro/activation ]; then
    cat /var/distro/activation
else
    echo '-'
fi

Script Example 2 - Using Hardware Serial as Key

#!/bin/sh
dmidecode -s system-uuid
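The two scripts above each rely on a single source. The following is an added example, not part of the Netify project, of a path_uuid_serial script that tries the activation file, then the DMI system UUID, then /etc/machine-id, and emits '-' rather than a short or empty value; the MIN_LEN floor, the lookup order and the optional command-line overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Netify project code): resolve an agent serial for
# path_uuid_serial from several sources and refuse to emit a weak value.
#
# Usage: get-serial.sh [activation-file] [machine-id-file]
# Lookup order: activation file -> dmidecode system UUID -> machine-id file.
# MIN_LEN is an assumed floor so that an empty or truncated source cannot
# produce a serial that many devices would end up sharing.
MIN_LEN=16

# usable VALUE: print VALUE normalized to [A-Za-z0-9-] if it is long enough,
# otherwise print nothing and return 1. Normalizing strips stray CR/LF or
# whitespace so the serial is stable between runs.
usable() {
    v=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9-')
    [ "${#v}" -ge "$MIN_LEN" ] && printf '%s' "$v"
}

# get_serial ACTIVATION_FILE MACHINE_ID_FILE [DMI_CMD]
# Prints the first usable serial on stdout; prints '-' and returns 1 if none.
# DMI_CMD defaults to dmidecode and exists so the lookup can be redirected.
get_serial() {
    activation="$1"
    machine_id="$2"
    dmi="${3:-dmidecode}"
    serial=""
    if [ -r "$activation" ]; then
        serial=$(usable "$(head -n 1 "$activation")") || true
    fi
    if [ -z "$serial" ] && command -v "$dmi" >/dev/null 2>&1; then
        serial=$(usable "$("$dmi" -s system-uuid 2>/dev/null)") || true
    fi
    if [ -z "$serial" ] && [ -r "$machine_id" ]; then
        serial=$(usable "$(head -n 1 "$machine_id")") || true
    fi
    if [ -z "$serial" ]; then
        echo '-'
        return 1
    fi
    echo "$serial"
}

get_serial "${1:-/var/distro/activation}" "${2:-/etc/machine-id}"
```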

Netifyd - Main Configuration

The main configuration file only uses one section name by default, that being netifyd, identified by:

[netifyd]

profile

string

Configuration profile to load from /etc/netifyd/profiles.d

Default
/etc/netifyd/profiles.d/00-default.conf

path_state_volatile

string

Where to store 'volatile' data (temporary state files). The value for this attribute can be referenced throughout this configuration file using the ${path_state_volatile} variable.

Default
/var/run/netifyd

path_state_persistent

string

Where to store 'persistent' data (configuration files). The value for this attribute can be referenced throughout this configuration file using the ${path_state_persistent} variable.

Default
/etc/netifyd

path_pid_file

string

Where to save our PID for: netifyd --status.

Default
${path_state_volatile}/netifyd.pid

path_shared_data

string

Path to shared data files

Default
/usr/share/netifyd

enable_coredumps

string

Controls whether core dump files are saved when the Netify agent or one of its plugins terminates unexpectedly (for example, due to a segmentation fault).

Default
no
Options
yes, no

path_license_manager

string

Path to License Manager Library

Default
${path_plugin_libdir}/libnetify-plm.so

auto_informatics

string

Enable automatic Netify Informatics integration. This option is intended to be managed exclusively by the --enable/disable-informatics command-line parameters.

Default
no
Options
yes, no

Netifyd

The netifyd section is identified by:

[netifyd]

auto_flow_expiry

string

When set to yes, TCP flows will not be tracked until a SYN+ACK has been captured.

Default
yes
Options
yes, no

auto_flow_expiry

integer

The number of 'buckets' the main flow map is divided into. The default is adequate for up to 5,000 flows. Increasing this value reduces the chance of flow map lock contention on systems that track a large number of flows.

Default
128

max_capture_length

integer

The maximum number of bytes to capture (copy) per packet. Reducing this may be appropriate for embedded systems, but reducing it too far will result in less accurate application/protocol detection. The maximum value is 65535, which is also the default.

Default
65535

max_detection_pkts

integer

The maximum number of packets to inspect per flow. This is a performance tuning option for embedded systems. Reducing this value too far will result in less accurate application/protocol detection, TLS in particular. Generally, a safe range for adequate detection accuracy is between 15 and 25 packets.

Default
32

max_flows

integer

The maximum number of flows to track at any given moment. When this value has been reached, new flows will stop being tracked until old flows expire. This option can be used to conserve memory on embedded systems, or to set an upper safety limit to guard against DDoS attacks or network scanning tools.

Default
0

soft_dissectors

string

Soft-dissectors are flow expressions defined in the application signatures configuration file (usually in /etc/netifyd/netify-apps.conf). For debugging or for embedded systems with very limited resources, it may be helpful to disable Soft-dissectors.

Default
yes
Options
yes, no

syn_scan_protection

string

Don't track TCP flows until a SYN+ACK has been captured. This option can offer protection against network scanners and has the additional benefit of not tracking already established TCP flows when the Agent is first started.

Default
no
Options
yes, no

ttl_idle_flow

integer

How long to wait (in seconds) until an idle flow is scheduled for expiry. This time-to-live (TTL) applies to all non-TCP flows.

Default
30

ttl_idle_tcp_flow

integer

How long to wait (in seconds) until an idle TCP flow is scheduled for expiry.

Default
300

update_interval

integer

How often (in seconds) to process the global flow maps. Flow statistics are made available, idle flows are expired, and other house-keeping is performed during this update period. The default of 15s is appropriate in most cases.

Default
15

use_getifaddrs

boolean

Periodically call getifaddrs(3) to update the associated IP addresses of each capture source, where applicable. This option is primarily intended for non-Linux systems where an on-demand mechanism such as Netlink is not available. It should be enabled for FreeBSD and variants.

Default
Options
true, false

path_server_socket

string

Local command/control socket. Receive commands and control messages on a local UNIX socket.

Default
${path_state_volatile}/netifyd.sock

path_uuid_serial

string

The path to a script that returns a unique UUID for the agent. When set, this UUID will be sent in addition to the Agent UUID as a means of uniquely identifying the agent.

Capture Defaults

The capture-defaults section is identified by:

[capture-defaults]

capture_type

string

Default capture method for -I and -E command-line options.

Default
pcap
Options
pcap, tpv3

read_timeout

integer

Packet capture timeout value (milliseconds). How long reads from PCAP or TPv3 capture sources will wait for packet data before being cancelled and retried. The default value of 500ms is appropriate in almost all cases.

Default
500

Threads

The threads section is identified by:

[threads]

capture_base

integer

Base CPU ID to start capture threads from.

Default
0

detection_base

integer

Base CPU ID to start detection threads from.

Default
0

detection_cores

integer

Number of detection cores to start.

Default
1

Flow Hash Cache

The flow-hash-cache section is identified by:

[flow-hash-cache]

enable

string

Enable flow hash caching.

Default
yes
Options
yes, no

save

string

Enable flow hash cache persistence during restarts.

Default
persistent

cache_size

integer

Limits the maximum size of the flow hash cache (in bytes).

Default
1000

DNS Hint Cache

The DNS Hint Cache (DHC) in the Netify Agent is a feature that is designed to aid or improve flow detection when protocol metadata may be lacking, for example, TLS without SNI.

The DHC system processes DNS responses. It stores the returned IP address and the associated domain name in a configurable LRU (least-recently used) cache. During the flow detection phase, if the flow remains unclassified, a look-up is performed in the DHC for the remote IP address. If a match is found, the associated domain name is used to improve application detection.

This cache is optionally saved to disk on exit (enabled by default) and reloaded on start-up, priming the cache. The DHC is saved as a CSV file. When save is set to persistent, the default location is /etc/netifyd/dns-cache.csv.

The DNS hint cache section is identified by:

[dns-hint-cache]

enable

string

Enable DNS hint caching.

Default
yes
Options
yes, no

save

string

Enable DNS hint cache persistence during restarts.

Default
persistent

cache_size

integer

Limits the maximum size of the DNS hint cache (in bytes).

Default
1000

partial_lookups

string

If set to yes, the Netify agent will apply DNS cache hinting only when a hostname is not extracted from the protocol. In practice, setting this field to yes typically results in slightly lower application classification rates: unknown applications that use a Content Delivery Network (CDN) such as Cloudflare or Fastly to deliver content will no longer be classified as the CDN. The potential upside is a lower false positive rate caused by shared IP usage across applications.

Default
no
Options
no, yes

Netify API

Netify API is an optional RESTful API endpoint owned and maintained by eGloo Inc. for:

  • enabling application signature and category updates
  • enabling Netify Informatics
  • automating tracking/audit for OEM integrations

The Netify API section is identified by:

[netify-api]

enable

boolean

By default, Netify API is disabled and will not connect to any resource outside of your network.

Default
false
Options
true, false

update_tick

integer

Number of seconds between API check-ins.

Default
30

update_interval

integer

Number of seconds between API updates. An API update checks for things like a new application signature file.

Default
86400

tls_verify

boolean

Validate certificate - this should always be set to true or be undefined, except possibly in developer environments.

Default
true
Options
true, false

vendor

string

Vendor code.

Default
N/A - Please contact us for OEM details

Protocols

The protocols section name is:

[protocols]

all

string

Enabling and disabling Protocol dissection can be an effective way to manage CPU resources.

Default
include
Options
include, exclude

Privacy

The privacy section name is:

[privacy_filter]

For information on Netify's privacy settings, please refer to the Privacy Settings section of the documentation.