Netify Netify logo Contact Us
Products Resources Documentation Blog Sign In

Agent Settings

Agent settings in Netify v5 control the core behavior of the DPI engine, resource allocation, flow tracking, and performance tuning. These configuration options allow you to optimize the agent for your specific deployment environment and performance requirements.

Whether you are deploying on embedded systems with limited resources, high-throughput gateway deployments, or dedicated analysis appliances, proper configuration of these settings is critical to achieving optimal DPI accuracy and performance. This reference documents all available configuration parameters, their default values, and provides guidance on when to adjust them.

You can make custom configuration changes to the Netify agent by modifying Netify's main profile configuration file, /etc/netifyd/profiles.d/10-default.conf . Changes made to this file remain persistent across reboots and upgrades.

Optimizations

Core Dumps

The netifyd_enable_coredumps should be set to no on production systems. On test or development systems, enabling core dumps can help identify stability issues that may later appear in production.

  • Core dumps do not include debug symbols unless a special debug build is in use (i.e., binaries are not stripped).
  • As a result, core dumps generated from standard production packages are of limited value for root cause analysis.
  • For meaningful debugging, contact Netify Support for custom debug packages and libraries.

Serial Numbers

The path_uuid_serial field can be a regular file containing a unique string; however, this case is rarely used since the string must be exactly 32 bytes in length. More often, an integrator will provide the path to an executable file that extracts the unique value. As an executable script, any length (providing enough entropy) can be used. Two examples are listed below: 

[netifyd]
...
path_uuid_serial = /usr/share/netifyd/get-serial.sh

Script Example 1 - Activation Key in File

Terminal - Netify
× 
#/bin/sh
if [ -f /var/distro/activation ]; then
    cat /var/distro/activation
else
    echo '-'
fi

Script Example 2 - Using Hardware Serial as Key

Terminal - Netify
× 
#/bin/sh
dmidecode -s system-uuid

Netifyd - Main Configuration

The main configuration file, netifyd.conf , only uses one section name by default: [netifyd] . The settings in this file are generally used for mapping paths to the underlying operating system.

profile

string

Specifies the configuration profile to load.

Default:
/etc/netifyd/profiles.d/00-default.conf

path_state_volatile

string

Specifies the directory for storing volatile data (ephemeral files). This value can be referenced in other configuration properties using the ${path_state_volatile} variable.

Default:
/var/run/netifyd

path_state_persistent

string

Specifies the directory for storing persistent data. This value can be referenced in other configuration properties using the ${path_state_persistent} variable.

Default:
/etc/netifyd

path_pid_file

string

Specifies the path to the process ID (PID) file.

Default:
${path_state_volatile}/netifyd.pid

path_shared_data

string

Specifies the path to shared data files.

Default:
/usr/share/netifyd

path_license_manager

string

Specifies the path to the license manager library.

Default:
${path_plugin_libdir}/libnetify-plm.so

path_server_socket

string

Specifies the local Netify Agent API socket path.

Default:
${path_state_volatile}/netifyd.sock

path_uuid_serial

string

Specifies the path to a script that returns a unique custom serial for the agent.

auto_informatics

boolean-string

Specifies whether to enable automatic Netify Informatics integration. This option is intended to be managed exclusively by the --enable/disable-informatics command-line parameters.

Default:
no
Options:
yes no

Netifyd

The [netifyd] section provides several tunable parameters for optimizing performance.

user

string

Specifies user to switch to on startup.

Reference:
See running as non-root

group

string

Specifies group to switch to on startup.

Reference:
See running as non-root

auto_flow_expiry

boolean-string

Specifies the shutdown behavior for active flows. Enabling this forces an immediate expiration and purge; otherwise, the agent lingers until the flow cache is naturally cleared or a manual override (second termination signal) is triggered.

Default:
yes
Options:
yes no

enable_coredumps

string

Specifies whether core dump files are saved when the agent or one of its plugins terminates unexpectedly. This should be set to no on production systems.

Default:
no
Options:
yes no

flow_map_buckets

integer

Specifies the number of buckets into which the main flow map is divided. The default is adequate for up to 5,000 flows. Increasing this value reduces the chances of flow map lock contention on systems that track a large number of flows.

Default:
128

max_capture_length

integer

Specifies the maximum number of bytes to capture (copy) per packet. Reducing this may be appropriate for embedded systems, but reducing it too much will result in less accurate application/protocol detection. The maximum value is 65535, which is also the default.

Default:
65535

max_detection_pkts

integer

Specifies the maximum number of packets to inspect per flow. This is a performance tuning option for embedded systems. Reducing this value too much will result in less accurate application/protocol detection, specifically TLS. Generally, a safe range for adequate detection accuracy is between 15 to 25 packets.

Default:
32

max_flows

integer

Specifies the maximum number of flows to track at any given moment. When this value is reached, new flows will stop being tracked until old flows expire. This option can be used to conserve memory on embedded systems or to set an upper safety limit to guard against DDoS attacks or network scanning tools. A value of 0 disables the maximum.

Default:
0

soft_dissectors

boolean-string

Specifies whether to enable soft-dissectors, which are flow expressions defined in the application signatures file. For debugging or on embedded systems with very limited resources, it may be helpful to disable this feature.

Default:
yes
Options:
yes no

syn_scan_protection

boolean-string

Specifies whether to enable SYN scan protection. When enabled, the agent will not track TCP flows until a SYN+ACK has been captured. This option can offer protection against network scanners and has the additional benefit of not tracking already established TCP flows when the Agent is first started.

Default:
no
Options:
yes no

ttl_idle_flow

integer

Specifies the time-to-live (TTL), in seconds, before an idle non-TCP flow is scheduled for expiry.

Default:
30

ttl_idle_tcp_flow

integer

Specifies the time-to-live (TTL), in seconds, before an idle TCP flow is scheduled for expiry.

Default:
300

update_interval

integer

Specifies how often (in seconds) to process the global flow maps. Flow statistics are made available, idle flows are expired, and other housekeeping is performed during this update period. The default of 15 seconds is appropriate in most cases.

Default:
15

use_getifaddrs

boolean-string

Specifies whether to periodically call getifaddrs(3) to update the associated IP addresses of each capture source, where applicable. This option is primarily intended for non-Linux systems where an on-demand system like Netlink is not available. This setting should be enabled for FreeBSD and variants.

Default:
no
Options:
yes no

Capture Defaults

The [capture-defaults] section provides defaults when the network interface is specified via the command line instead of through network interface configuration.

capture_type

string

Specifies the default capture method for -I (--internal) and -E (--external) command-line options.

Default:
pcap
Options:
pcap tpv3

read_timeout

integer

Specifies the packet capture timeout value (milliseconds). This is how long reads from PCAP or TPv3 capture sources will wait for packet data before being cancelled and retried. The default value of 500 ms is appropriate in almost all cases.

Default:
500

Threads

The [threads] section provides tuning parameters for multithreaded support.

capture_base

integer

Specifies the base CPU ID from which to start capture threads.

detection_base

integer

Specifies the base CPU ID from which to start detection threads.

detection_cores

integer

Specifies the number of detection cores to start.

Flow Hash Cache

The [flow-hash-cache] section manages settings for the flow cache. This feature optimizes performance by caching a flow's metadata. If a flow resumes after exceeding its idle TTL (ttl_idle_flow for non-TCP or ttl_idle_tcp_flow for TCP), the system retrieves the existing hash and IDs from the cache instead of recalculating them.

enable

boolean-string

Specifies whether the flow hash cache is enabled.

Default:
yes
Options:
yes no

save

string

Specifies the flow hash cache save policy.

Default:
persistent
Options:
persistent volatile

cache_size

integer

Specifies the maximum size of the flow hash cache (in bytes).

Default:
1000

DNS Hint Cache

The [dns-hint-cache] section manages settings for the DNS hint system. The DNS Hint Cache (DHC) in the Netify Agent is a feature designed to aid or improve flow detection when protocol metadata may be lacking, for example, TLS without SNI.

The DHC system processes DNS responses. It stores the returned IP address and the associated domain name in a configurable LRU (least-recently used) cache. During the flow detection phase, if the flow remains unclassified, a look-up is performed in the DHC for the remote IP address. If a match is found, the associated domain name is used to improve application detection.

This cache is optionally saved to disk on exit and will be reloaded on start-up, priming the cache. The DHC is saved as a CSV file. When save is set to persistent, the default location is /etc/netifyd/dns-cache.csv .

enable

boolean-string

Specifies whether DNS hint caching is enabled.

Default:
yes
Options:
yes no

save

string

Specifies the DNS hint cache persistence policy for restarts.

Default:
persistent
Options:
persistent volatile

cache_size

integer

Specifies the maximum size of the DNS hint cache (in bytes).

Default:
1000

partial_lookups

boolean-string

Specifies whether the Netify agent applies DNS cache hinting only when a hostname is not extracted from the protocol. Setting this field to yes typically results in slightly lower application classification rates. Unknown applications that use a Content Delivery Network (Cloudflare, Fastly) to deliver content will no longer be classified as the CDN. The potential upside is fewer false positives due to shared IP usage across applications.

Default:
no
Options:
yes no

Netify API

The [netify-api] section manages settings for the Cloud API. The Netify Cloud API is required for the following features:

enable

boolean-string

Specifies whether the Netify API is enabled. By default, the API is disabled and will not connect to any resource outside of your network.

Default:
no
Options:
yes no

update_tick

integer

Specifies the number of seconds between API check-ins.

Default:
30

update_interval

integer

Specifies the number of seconds between API updates. An API update checks for things like a new application signature file.

Default:
86400

tls_verify

boolean-string

Specifies whether to validate the API TLS certificate. This should always be set to true, except possibly in developer or CI/CD environments.

Default:
yes
Options:
yes no

vendor

string

Specifies the vendor code.

Reference:
Please contact us for OEM details.

Protocols

The [protocols] section manages the protocol engine policies.

all

string

Specifies which protocols are enabled. This can be an effective way to manage CPU resources.

Default:
include
Options:
include exclude

Privacy

The [privacy-filter] section manages privacy policies. For more information, please refer to the Privacy Settings section of the documentation.