Settings

Overview

You can make custom configuration changes to the Netify agent by modifying Netify's main configuration file, /etc/netifyd.conf. Changes made to this file remain persistent across reboots and upgrades.

On BSD-based systems, this file is located in /usr/local/etc/netifyd.conf.

In Netify version 5.x and later, many configuration settings were migrated into a profile that can be toggled or overridden as necessary. The default profile can be found in /etc/netifyd/profiles.d/10-default.conf

On BSD-based systems, this file is located in /usr/local/etc/netifyd/profiles.d/00-default.conf.

The following list represents the supported sections in this ini-style configuration file:

  • netifyd
  • capture-defaults
  • threads
  • flow-hash-cache
  • dns-hint-cache
  • privacy-filter
  • netify-api
  • protocols

Main Configuration File

The main configuration file uses only one section name by default, netifyd, identified by:

[netifyd]

Profile

Property profile
Description Configuration profile to load from /etc/netifyd/profiles.d
Type string
Default /etc/netifyd/profiles.d/00-default.conf

Volatile Path

Property path_state_volatile
Description Where to store 'volatile' data (temporary state files). The value for this attribute can be referenced throughout this configuration file using the ${path_state_volatile} variable.
Type string
Default /var/run/netifyd

Persistent Path

Property path_state_persistent
Description Where to store 'persistent' data (configuration files). The value for this attribute can be referenced throughout this configuration file using the ${path_state_persistent} variable.
Type string
Default /etc/netifyd

PID File

Property path_pid_file
Description Where to save the agent's PID (used by netifyd --status).
Type string
Default ${path_state_volatile}/netifyd.pid

Shared Data

Property path_shared_data
Description Path to shared data files
Type string
Default /usr/share/netifyd

License Manager Library

Property path_license_manager
Description Path to License Manager Library
Type string
Default ${path_plugin_libdir}/libnetify-plm.so

Automatic Netify Informatics Integration

Property auto_informatics
Description Enable automatic Netify Informatics integration. This option is intended to be managed exclusively by the --enable/disable-informatics command-line parameters.
Type string
Options yes, no
Default no

Profiles

The netifyd section is identified by:

[netifyd]

Auto Flow Expiry

Property auto_flow_expiry
Description When set to yes, TCP flows will not be tracked until a SYN+ACK has been captured.
Type string
Options yes, no
Default yes

Flow Map Buckets

Property auto_flow_expiry
Description The number of 'buckets' the main flow map is divided into. The default is adequate for up to 5,000 flows. Increasing this value reduces the chance of flow map lock contention on systems that track a large number of flows.
Type integer
Default 128

Maximum Capture Length

Property max_capture_length
Description The maximum number of bytes to capture (copy) per packet. Reducing this may be appropriate for embedded systems, but reducing it too much will result in less accurate application/protocol detection. The maximum value is 65535, which is also the default.
Type integer
Default 65535

Maximum Detection Packets

Property max_detection_pkts
Description The maximum number of packets to inspect per flow. This is a performance tuning option for embedded systems. Reducing this value too much will result in less accurate application/protocol detection, specifically for TLS. Generally, a safe range for adequate detection accuracy is between 15 and 25 packets.
Type integer
Default 32

Maximum Flows

Property max_flows
Description The maximum number of flows to track at any given moment. When this value has been reached, new flows will stop being tracked until old flows expire. This option can be used to conserve memory on embedded systems, or to set an upper safety limit to guard against DDoS attacks or network scanning tools.
Type integer
Default 0

Soft Dissectors

Property soft_dissectors
Description Soft-dissectors are flow expressions defined in the application signatures configuration file (usually in /etc/netifyd/netify-apps.conf). For debugging or for embedded systems with very limited resources, it may be helpful to disable Soft-dissectors.
Type string
Options yes, no
Default yes

SYN Scan Protection

Property syn_scan_protection
Description Don't track TCP flows until a SYN+ACK has been captured. This option can offer protection against network scanners and has the additional benefit of not tracking already established TCP flows when the Agent is first started.
Type string
Options yes, no
Default no

TTL Idle

Property ttl_idle_flow
Description How long to wait (in seconds) until an idle flow is scheduled for expiry. This time-to-live (TTL) applies to all non-TCP flows.
Type integer
Default 30

TTL TCP Idle

Property ttl_idle_tcp_flow
Description How long to wait (in seconds) until an idle TCP flow is scheduled for expiry.
Type integer
Default 300

Update Interval

Property update_interval
Description How often (in seconds) to process the global flow maps. Flow statistics are made available, idle flows are expired, and other house-keeping is performed during this update period. The default of 15s is appropriate in most cases.
Type integer
Default 15

Use getifaddrs

Property use_getifaddrs
Description Periodically call getifaddrs(3) to update the associated IP addresses of each capture source, where applicable. This option is primarily intended for non-Linux systems where an on-demand mechanism like Netlink is not available. It should be enabled on FreeBSD and its variants.
Type boolean
Options true, false
Default

Server Socket Path

Property path_server_socket
Description Local command/control socket. Receive commands and control messages on a local UNIX socket.
Type string
Default ${path_state_volatile}/netifyd.sock

Serial UUID Path

Property path_uuid_serial
Description The path to a script that returns a unique UUID for the agent. When set, this UUID will be sent in addition to the Agent UUID as a means of uniquely identifying the agent.
Type string

The path_uuid_serial field can point to a regular file containing a unique string; however, this is rarely used since the string must be exactly 32 bytes in length. More often, an integrator sets the path to an executable that extracts the unique value. With an executable script, a value of any length (provided it has enough entropy) can be used. Two examples are listed below:

Config (/etc/netifyd.conf):

[netifyd]
...
path_uuid_serial = /usr/share/netifyd/get-serial.sh

Script Example 1 - Activation Key in File (/usr/share/netifyd/get-serial.sh):

#!/bin/sh
# Print the activation key if the file exists, otherwise a '-' placeholder
if [ -f /var/distro/activation ]; then
    cat /var/distro/activation
else
    echo '-'
fi

Script Example 2 - Using Hardware Serial as Key (/usr/share/netifyd/get-serial.sh):

#!/bin/sh
# Print the system UUID from the DMI/SMBIOS tables
dmidecode -s system-uuid
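The two scripts above each trust a single source. The following is an added example, not a script shipped with the Netify Agent, that combines both approaches for path_uuid_serial: it prefers an activation file, falls back to the DMI system UUID, and rejects empty, placeholder or all-zero values so that a missing file or a firmware without a real UUID does not silently produce an unusable identifier. The activation file path argument, the minimum length of 8 characters and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example for path_uuid_serial (not Netify's own code). Prefers an
# activation file, falls back to the SMBIOS system UUID, and validates the
# result. The activation path is an argument defaulting to /var/distro/activation
# (an assumption); netifyd itself runs the script without arguments.

# serial_from_file FILE: print the first line with whitespace removed,
# return 1 if the file is missing, unreadable or blank.
serial_from_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    sf=$(head -n 1 "$1" | tr -d '[:space:]')
    [ -n "$sf" ] || return 1
    printf '%s\n' "$sf"
}

# serial_from_dmi: print the SMBIOS system UUID (dmidecode usually needs root).
serial_from_dmi() {
    command -v dmidecode >/dev/null 2>&1 || return 1
    sd=$(dmidecode -s system-uuid 2>/dev/null | tr -d '[:space:]')
    [ -n "$sd" ] || return 1
    printf '%s\n' "$sd"
}

# is_usable_serial VALUE: reject empty values, the '-' placeholder, characters
# outside [A-Za-z0-9_-], values shorter than 8 characters (assumed minimum for
# enough entropy) and the all-zero / all-F UUIDs some firmware reports.
is_usable_serial() {
    case "$1" in
        ""|-|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -ge 8 ] || return 1
    case "$(printf '%s' "$1" | tr 'a-f' 'A-F')" in
        00000000-0000-0000-0000-000000000000|FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF) return 1 ;;
    esac
    return 0
}

# get_serial ACTIVATION_FILE: print the first usable serial, or '-' (as in
# example 1 above) when no source yields one.
get_serial() {
    gs=$(serial_from_file "$1") && is_usable_serial "$gs" && { printf '%s\n' "$gs"; return 0; }
    gs=$(serial_from_dmi) && is_usable_serial "$gs" && { printf '%s\n' "$gs"; return 0; }
    printf '%s\n' '-'
}

# Stand-alone use: netifyd invokes the script with no arguments.
get_serial "${1:-/var/distro/activation}"
```

Because the agent sends whatever the script prints, the validation step is what keeps a broken source from registering every device under the same placeholder identifier.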

Capture Defaults

The capture-defaults section is identified by:

[capture-defaults]

Capture Type

Property capture_type
Description Default capture method for -I and -E command-line options.
Type string
Options pcap, tpv3
Default pcap

Read Timeout

Property read_timeout
Description Packet capture timeout value (milliseconds). How long reads from PCAP or TPv3 capture sources will wait for packet data before being cancelled and retried. The default value of 500ms is appropriate in almost all cases.
Type integer
Default 500

Threading

The threads section is identified by:

[threads]

Capture Base

Property capture_base
Description Base CPU ID to start capture threads from.
Type integer
Default 0

Detection Base

Property detection_base
Description Base CPU ID to start detection threads from.
Type integer
Default 0

Detection Cores

Property detection_cores
Description Number of detection cores to start.
Type integer
Default 1

Flow Hash Cache

The flow-hash-cache section is identified by:

[flow-hash-cache]

Enable

Property enable
Description Enable flow hash caching.
Type string
Options yes, no
Default yes

Persistent

Property save
Description Enable flow hash cache persistence during restarts.
Type string
Default persistent

Flow Hash Cache Size

Property cache_size
Description Limits the maximum size of the flow hash cache (in bytes).
Type integer
Default 1000

DNS Hint Cache

The DNS Hint Cache (DHC) in the Netify Agent is a feature that is designed to aid or improve flow detection when protocol metadata may be lacking, for example, TLS without SNI.

The DHC system processes DNS responses. It stores the returned IP address and the associated domain name in a configurable LRU (least-recently used) cache. During the flow detection phase, if the flow remains unclassified, a look-up is performed in the DHC for the remote IP address. If a match is found, the associated domain name is used to improve application detection.

This cache is optionally saved to disk on exit (enabled by default) and reloaded on start-up, priming the cache. The DHC is saved as a CSV file. When save is set to persistent, the default location is /etc/netifyd/dns-cache.csv.

The dns-hint-cache section is identified by:

[dns-hint-cache]

Enable

Property enable
Description Enable DNS hint caching.
Type string
Options yes, no
Default yes

Persistent

Property save
Description Enable DNS hint cache persistence during restarts.
Type string
Default persistent

DNS Hint Cache Size

Property cache_size
Description Limits the maximum size of the DNS hint cache (in bytes).
Type integer
Default 1000

Partial Lookups

Property partial_lookups
Description If set to yes, the Netify agent applies DNS cache hinting only when a hostname is not extracted from the protocol. In practice, setting this field to yes typically results in slightly lower application classification rates: unknown applications that use a Content Delivery Network (CDN) such as Cloudflare or Fastly will no longer be classified as the CDN. The potential upside is a lower false positive rate due to shared IP usage across applications.
Type string
Options no, yes
Default no

Netify API

Netify API is an optional RESTful API endpoint owned and maintained by eGloo Inc. for:

  • enabling application signature and category updates
  • enabling Netify Informatics
  • automating tracking/audit for OEM integrations

The Netify API section is identified by:

[netify-api]

Enable

Property enable
Description By default, Netify API is disabled and the agent will not connect to any resource outside of your network.
Type boolean
Options true, false
Default false

Update Tick

Property update_tick
Description Number of seconds between API check-ins.
Type integer
Default 30

Update Interval

Property update_interval
Description Number of seconds between API updates. An API update checks for things like a new application signature file.
Type integer
Default 86400

TLS Verify

Property tls_verify
Description Validate the server certificate. This should always be set to true or left undefined, except possibly in developer environments.
Type boolean
Options true, false
Default true

Vendor

Property vendor
Description Vendor code.
Type string
Default N/A - Please contact us for OEM details
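Several of the settings documented above change the agent's exposure: max_flows and syn_scan_protection in the [netifyd] profile section bound what an unauthenticated sender can make the agent track, and tls_verify in [netify-api] decides whether the API connection is authenticated. The following is an added example, not part of the Netify Agent, of a small POSIX sh lint that reads those keys from an ini-style profile and reports the weak combinations; the function names (ini_get, lint_profile, write_sample_profile) and the two sample profiles it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Netify Agent: lint an ini-style netifyd
# profile for settings that weaken protection. Only keys documented on this
# page are used; the sample profiles are constructed here for the demo.

# ini_get FILE SECTION KEY: print the trimmed value of KEY in [SECTION],
# return 1 if the key is absent. Lines starting with # or ; are comments.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            next
        }
        sec == want_sec && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want_key) { print val; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# lint_profile FILE: print one finding per line. Missing keys are treated as
# the documented defaults (tls_verify true, max_flows 0, syn_scan_protection no).
lint_profile() {
    api_enable=$(ini_get "$1" netify-api enable) || api_enable=false
    tls_verify=$(ini_get "$1" netify-api tls_verify) || tls_verify=true
    if [ "$api_enable" = "true" ] && [ "$tls_verify" != "true" ]; then
        echo "netify-api: enable=true with tls_verify=$tls_verify (certificate validation is off)"
    fi
    max_flows=$(ini_get "$1" netifyd max_flows) || max_flows=0
    if [ "$max_flows" -eq 0 ] 2>/dev/null; then
        echo "netifyd: max_flows=0 places no upper bound on tracked flows"
    fi
    syn_prot=$(ini_get "$1" netifyd syn_scan_protection) || syn_prot=no
    if [ "$syn_prot" != "yes" ]; then
        echo "netifyd: syn_scan_protection=$syn_prot (TCP flows are tracked before a SYN+ACK)"
    fi
    return 0
}

# write_sample_profile FILE weak|hardened: write a constructed sample profile.
write_sample_profile() {
    if [ "$2" = "weak" ]; then
        cat > "$1" <<'EOF'
[netifyd]
max_flows = 0
syn_scan_protection = no

[netify-api]
enable = true
tls_verify = false
EOF
    else
        cat > "$1" <<'EOF'
[netifyd]
max_flows = 50000
syn_scan_protection = yes

[netify-api]
enable = true
tls_verify = true
EOF
    fi
}

# Stand-alone demo: lint both samples.
for kind in weak hardened; do
    tmp=$(mktemp)
    write_sample_profile "$tmp" "$kind"
    echo "== $kind profile =="
    lint_profile "$tmp"
    rm -f "$tmp"
done
```

Run it against the live profile with lint_profile /etc/netifyd/profiles.d/10-default.conf (or the BSD path) after an upgrade; a key that a newer default profile stops setting falls back to the documented default, which the lint treats exactly as an explicit value.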

Protocols

The protocols section name is:

[protocols]

All

Property all
Description Enabling and disabling protocol dissection can be an effective way to manage CPU resources.
Type string
Options include, exclude
Default include

Privacy

The privacy section name is:

[privacy_filter]

For information on Netify's privacy settings, please refer to the Privacy Settings section of the documentation.
