Netify Netify logo Contact Us
Products Resources Documentation Blog Sign In

Netify Intelligence Plugin

The Netify Intelligence Plugin adds advanced analytics to the Netify Agent and serves as a core building block for a cybersecurity dashboard. It incorporates cyber risk indicators and applies additional heuristics alongside stateful flow inspection to analyze traffic. The plugin also provides event-driven insights and supports secondary flow inspection for more context-aware network monitoring.

In addition, the plugin is designed to work hand-in-hand with firewalls and QoS via the Flow Actions plugin.

The Intelligence plugin requires Netify Agent v5.2 or later.

License

The Netify Intelligence plugin is a proprietary plugin requiring a license. Please contact us for details.

Installation

Netify plugins are distributed through the same packaging workflow as the Netify Agent, allowing for a consistent installation experience using standard package manager syntax. While pre-compiled binaries are readily available for x86_64 architectures via our public mirrors, support for ARM, MIPS, and other specialized architectures is available upon request. Please contact us for details.

Step 1 - Select your installation target:

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo apt-get update
sudo apt-get -y install curl gnupg2
sudo curl https://download.netify.ai/5/debian/netify-archive-keyring.gpg -o /usr/share/keyrings/netify-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/netify-archive-keyring.gpg] http://download.netify.ai/5/debian/12/ /' | sudo tee /etc/apt/sources.list.d/netify.list

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo apt update
sudo apt install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo apt-get update
sudo apt-get -y install curl gnupg2
sudo curl https://download.netify.ai/5/debian/netify-archive-keyring.gpg -o /usr/share/keyrings/netify-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/netify-archive-keyring.gpg] http://download.netify.ai/5/debian/11/ /' | sudo tee /etc/apt/sources.list.d/netify.list

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo apt update
sudo apt install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo apt-get update
sudo apt-get -y install curl gnupg2
sudo curl https://download.netify.ai/5/debian/netify-archive-keyring.gpg -o /usr/share/keyrings/netify-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/netify-archive-keyring.gpg] http://download.netify.ai/5/debian/10/ /' | sudo tee /etc/apt/sources.list.d/netify.list

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo apt update
sudo apt install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo apt-get update
sudo apt-get -y install curl gnupg2
sudo curl https://download.netify.ai/5/ubuntu/netify-archive-keyring.gpg -o /usr/share/keyrings/netify-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/netify-archive-keyring.gpg] http://download.netify.ai/5/ubuntu/noble/ /' | sudo tee /etc/apt/sources.list.d/netify.list

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo apt update
sudo apt install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo apt-get update
sudo apt-get -y install curl gnupg2
sudo curl https://download.netify.ai/5/ubuntu/netify-archive-keyring.gpg -o /usr/share/keyrings/netify-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/netify-archive-keyring.gpg] http://download.netify.ai/5/ubuntu/jammy/ /' | sudo tee /etc/apt/sources.list.d/netify.list

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo apt update
sudo apt install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo apt-get update
sudo apt-get -y install curl gnupg2
curl -fsSL https://download.netify.ai/5/ubuntu/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/ubuntu/focal/ /' | sudo tee /etc/apt/sources.list.d/netify.list

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo apt update
sudo apt install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/24.10/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
opkg update
opkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/23.05/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
opkg update
opkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/22.03/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
opkg update
opkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/21.02/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
opkg update
opkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
wget http://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify http://download.netify.ai/5/openwrt/19.07/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
opkg update
opkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo rpm --import https://download.netify.ai/5/opensuse/15.6/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/opensuse/netify.repo -o /etc/zypp/repos.d/repo-netify.repo

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo zypper update
sudo zypper install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo rpm --import https://download.netify.ai/5/opensuse/15.5/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/opensuse/netify.repo -o /etc/zypp/repos.d/repo-netify.repo

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo zypper update
sudo zypper install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo rpm --import https://download.netify.ai/5/almalinux/9/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/almalinux/9/netify.repo -o /etc/yum.repos.d/netify.repo

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo yum update
sudo yum install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo rpm --import https://download.netify.ai/5/almalinux/8/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/almalinux/8/netify.repo -o /etc/yum.repos.d/netify.repo

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo yum update
sudo yum install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo rpm --import http://download.netify.ai/5/rockylinux/9/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/rockylinux/9/netify.repo -o /etc/yum.repos.d/netify.repo

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo yum update
sudo yum install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
sudo rpm --import http://download.netify.ai/5/rockylinux/8/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/rockylinux/8/netify.repo -o /etc/yum.repos.d/netify.repo

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
sudo yum update
sudo yum install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/opnsense/25.7",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
pkg update
pkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/opnsense/24.7",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
pkg update
pkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/freebsd/15.0",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
pkg update
pkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/freebsd/14.0",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
pkg update
pkg install netify-proc-intel

Step 2 - Add Netify's package signing key and repository:

Terminal - Netify
× 
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/freebsd/14.0",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

Terminal - Netify
× 
pkg update
pkg install netify-proc-intel

Setup

To use the Netify Intelligence plugin, ensure your license.json includes the netify-proc-intel entitlement.

All plugins are disabled by default, and the Netify Intelligence plugin is no different. Use netifyd's --enable-plugin and --disable-plugin flags to enable or disable the plugin.

Terminal - Netify
× 
netifyd --enable-plugin proc-intel  # Enables loader
netifyd --disable-plugin proc-intel # Disables loader

For orchestration tools or manual setup, you can also directly update configuration file in the plugins.d subdirectory and set enable to yes.

See the advanced configuration section for details on instantiating multiple instances of the plugin.

Terminal - Netify
× 
$ cat 10-netify-proc-intel.conf
[proc-intel]
enable = yes
plugin_library = /usr/lib64/libnetify-proc-intel.so.0.0.0
conf_filename = ${path_state_persistent}/netify-proc-intel.json

AI Integration

For AI integration and machine learning models, the Netify Intelligence Configuration JSON schema is available for reference.

Configuration

The Intelligence plugin configuration is flexible and able to support a wide range of environments. For example, a manufacturing facility may enforce strict cybersecurity policies where self-signed TLS certificates are never permitted. In contrast, a prosumer environment might allow self-signed certificates on the local network while blocking them on the public Internet.

The configuration documentation is broken into three sections

  • Configuration defaults
  • Sink/Telemetry configuration
  • Indicator configuration

Configuration Defaults

The first section - indicator_defaults - of the netify-proc-intel.json configuration file provides defaults to establish some baseline settings for the engine.

Unless otherwise directed by the Netify engineering team, the default event_filter should remain unchanged.

The sink.flow_metadata property determines the default telemetry format. For detailed guidance on configuring telemetry and interpreting the three available formats, refer to the Intelligence telemetry documentation.

sink.flow_metadata

string

The default flow metadata format for telemetry.

event_filter

string

The default event types for performing the analysis.

Options:
dpi_new dpi_update dpi_complete flow_new flow_stats flow_expiring flow_expired
dpi_new
Generated when the flow enters DPI analysis.
dpi_update
Generated when a mid-stream DPI update occurs.
dpi_complete
Generated when the DPI analysis is complete.
flow_new
Generated after the first packet of a new flow has been processed.
flow_stats
Generated for every active flow at each interval.
flow_expiring
Generated when a flow is about to expire.
flow_expired
Generated when a flow has expired.

Defaults: netify-proc-intel.json

{
  "indicator_defaults": {
    "sink": {
      "flow_metadata": "full"
    },
    "event_filter": [
      "dpi_complete"
    ]
  },
  ...
}

Sink/Telemetry Configuration

The second section of the configuration defines sink (output) targets for exporting telemetry. Intelligence data is delivered through a Sink Plugin: log, socket, message queue, etc. While this model is flexible, it can be easy to misconfigure without a clear understanding of how the pieces relate. This section explains how sink targets, plugins, and channels work together.

Sink Targets

The sink_targets object in the Intelligence configuration defines where telemetry is sent and how it is delivered.

Each entry represents a named output target. A single intelligence indicator can send data to multiple sinks, but in the example shown, only one sink is configured: telemetry.

Sink Shortcut - First-Level Key

The key telemetry is a sink shortcut - an internal identifier of your choosing used by indicators in netify-proc-intel.json to reference this output. It does not need to match any external configuration, but it must be unique within sink_targets .

Sinks Configuration - Overview

"sink_targets": {
  "telemetry": {
    "sink": "sink-log",
    "channels": {
      "intel": {
        "enabled": true,
        "dispatch_flags": [
          "format_json"
        ]
      }
    }
  }
},

Sink Plugin Mapping

The sink property specifies which sink plugin to use. Its value must match the corresponding plugin loader section name exactly. Here is the example for the log plugin:

Terminal - Netify
× 
$ cat /etc/netifyd/plugins.d/10-netify-sink-log.conf
[sink-log]
enable = yes
plugin_library = /usr/lib64/libnetify-sink-log.so.0.0.0
conf_filename = ${path_state_persistent}/netify-sink-log.json

Here we can see that the section name [sink-log] matches the sink used in the Intelligence configuration. The presence of this sink configuration file indicates that the plugin has been installed, and the enable = yes setting confirms that it is currently enabled.

This mapping is critical: if the names do not match, the Intelligence engine will not be able to deliver data to the sink.

Channels

Sink output channels provide a way to separate different types of telemetry into different output targets. For example, you can send:

  • Aggregator data to /tmp/netify-aggregate-x
  • Interface statistics to /tmp/netify-interface-stats-x
  • Intelligence detections to /tmp/netify-intelligence-x

The flow_metadata property can be fine-tuned to meet your telemetry needs. The Intelligence telemetry documentation has more information on the available formats.

Refer to the relevant Sink Plugin configuration for channel configuration details.

Sink Log Config: /etc/netifyd/netify-sink-log.json

{
    "overwrite": false,
    "log_path": "/tmp",
    "channels": {
        "intel": {
            "overwrite": true,
            "log_path": "/tmp",
            "log_name": "netify-intel-"
        }
    }
}

Indicator Configuration

The last section of the configuration is the list of indicators . Before diving into details of the overall configuration, let's zoom in on one example: the tls_cert_self_signed_remote indicator.

Indicators are elements within the Intelligence plugin that evaluate real-time network flows to detect patterns, assess risks, and identify actionable insights.

The indicator_driver is the underlying engine in the Netify Agent used to detect network intelligence. In our example, we have the tls_cert_self_signed driver to trigger on any network flow using a TLS self-signed certificate. You can find the list and descriptions of all these drivers on the Network Intelligence catalog page.

Example Indicator

"tls_cert_self_signed_remote": {
  "criteria": {
    "flow_expr": "other_type == other_remote;"
  },
  "indicator_driver": "tls_cert_self_signed",
  "proc_targets": [ "proc-nfa" ],
  "sink_targets": [ "telemetry" ]
},

In this example, we also use a flow expression in the criteria property to refine the detection. In this case, we are only triggering our indicator on Internet-bound flows. In the full example below, you will see an additional indicator using the same tls_cert_self_signed driver. In that case, we are only triggering the indicator on local network flows. By creating the two indicators (Internet-bound vs. local), we can implement two different network policies: drop Internet-bound self-signed flows while allowing local network self-signed flows.

The sink_targets property is configured to send the detection information to our selected Sink output for storing the incident. The proc_targets property is configured to send the detection information into the Flow Actions plugin to block the connection in the firewall.

Configuration Template

This template is a good place to start for your configuration. The key changes that you will want to consider:

Defaults

The flow_metadata property can be fine-tuned to meet your telemetry needs. The Intelligence telemetry documentation has more information on the available formats.

Sink Targets

You will need to set up and configure a sink/output of your choosing. Change the sink to match your settings. You can change the intel channel name to match your environment.

Indicators

If you have the flow actions plugin configured for firewall and QoS, you can use the proc_targets entry to send data. This makes it possible to use intelligence detections in flow expressions. If you do not use flow actions, please remove all the proc_targets entries.

Once you are familiar with the Intelligence plugin, feel free to fine-tune the various indicators to meet your requirements. 

{
  "indicator_defaults": {
    "sink": {
      "flow_metadata": "full"
    },
    "event_filter": [
      "dpi_complete"
    ]
  },
  "sink_targets": {
    "telemetry": {
      "sink": "sink-mqtt",
      "channels": {
        "intel": {
          "enabled": true,
          "dispatch_flags": [
            "format_json"
          ]
        }
      }
    }
  },
  "indicators": {
    "credentials_cleartext": {
      "enabled": true,
      "indicator_driver": "credentials_cleartext",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "crypto_application": {
      "enabled": true,
      "indicator_driver": "crypto_application",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "crypto_protocol": {
      "enabled": true,
      "indicator_driver": "crypto_protocol",
      "criteria": {
        "min_bytes": 200,
        "flow_expr": "!detection_guessed;"
      },
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "crypto_server": {
      "enabled": true,
      "indicator_driver": "crypto_server",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "doh_scanner": {
      "enabled": true,
      "indicator_driver": "doh_scanner",
      "query": "google.com",
      "routes": [
        "/dns-query",
        "/"
      ],
      "timeout": 5,
      "cache_size_positive": 1000,
      "cache_size_negative": 1000,
      "cache_path_positive": "${path_state_persistent}/doh-positive.csv",
      "cache_path_negative": "${path_state_persistent}/doh-negative.csv",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "dox_server": {
      "enabled": true,
      "indicator_driver": "dox_server",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "protocol_insecure": {
      "enabled": true,
      "indicator_driver": "protocol_insecure",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tls_cipher_score": {
      "enabled": true,
      "indicator_driver": "tls_cipher_score",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tls_cert_expired": {
      "enabled": true,
      "indicator_driver": "tls_cert_expired",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tls_cert_mismatch": {
      "enabled": true,
      "indicator_driver": "tls_cert_mismatch",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tls_cert_validity_too_long": {
      "enabled": true,
      "indicator_driver": "tls_cert_validity_too_long",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tls_cert_self_signed_local": {
      "enabled": true,
      "criteria": {
        "flow_expr": "other_type != other_remote;"
      },
      "indicator_driver": "tls_cert_self_signed",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tls_cert_self_signed_remote": {
      "enabled": true,
      "criteria": {
        "flow_expr": "other_type == other_remote;"
      },
      "indicator_driver": "tls_cert_self_signed",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tor_bridge": {
      "enabled": true,
      "indicator_driver": "tor_bridge",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tor_exit": {
      "enabled": true,
      "indicator_driver": "tor_exit",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "tor_relay": {
      "enabled": true,
      "indicator_driver": "tor_relay",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "vpn_application_business": {
      "enabled": true,
      "indicator_driver": "vpn_application_business",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "vpn_application_consumer": {
      "enabled": true,
      "indicator_driver": "vpn_application_consumer",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "vpn_protocol": {
      "enabled": true,
      "indicator_driver": "vpn_protocol",
      "criteria": {
        "flow_expr": "application != 'netify.3gpp-network';"
      },
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    },
    "vpn_server_consumer": {
      "enabled": true,
      "indicator_driver": "vpn_server_consumer",
      "proc_targets": [ "proc-nfa" ],
      "sink_targets": [ "telemetry" ]
    }
  }
}