Help Index Home > File > Configure

Traffic Sentinel Configuration

For first-time configuration steps, please see Getting Started.

The structure of the configuration is described in this Overview.

Additional, less frequently used customization options are described on the Configure>Extra page.

Configuration Sections


Configuration Hierarchy




CIDRs are used to associate end-hosts with a Group. A CIDR is specified by an Address and the number of Mask Bits associated with the subnet mask. These do not have to match the subnets used by your routers, and they may overlap with each other too. For example, you might create a group "all" with the CIDR "" in it, and then a separate group with the smaller CIDR "". When assigning addresses to groups, the smallest enclosing CIDR is used. Grouping hosts in this way is useful when defining security rules (see Signatures>Configure), or when displaying traffic (seeTraffic>Circles).

Agent Range

An agent range describes a range of IP addresses that contain network devices to monitor.



Interfaces only need to be specified if particular settings are to be applied to the interface, such as custom thresholds. Otherwise interfaces will be automatically discovered.

Hierarchy Settings

The following settings can be applied at any level in the configuration hierarchy.


A threshold setting applies a threshold to an interface metric. Specify the Metric and a Limit, or value of the metric that will trigger the threshold. The Minutes over Threshold and Total Minutes settings are used to specify a duration over which the metric must exceed the limit before an alert is generated. For example, if Minutes over Limit was set to 5 and Total Minutes was set to 10 then an alert would result if the limit were exceeded 5 minutes in any 10 minute interval. The Min. ifSpeed and Max. ifSpeed are used to limit the scope of the threshold to only links with particilar speeds. The threshold will only be applied to interfaces that fall in the specified speed range. This allows different threshold settings to be applied depending on the interface speed. Finally, the Enable flag can be used to Disable or Enable a particular threshold.


An SNMP setting controls how the server will use SNMP to talk to the agents. The Read Community is used when scanning for agents in an Address Range. It is also used when polling counters or reading agent configuration. The Write Community is used when performing SNMP-SET operations. If a Write Community is not provided, the Read Community will be used for both GET and SET operations. Finally, the Enable flag can be used to Disable or Enable SNMP access to agents. SNMP is used to get interface names, agent information, and to poll counters from non-sFlow devices. Disabling SNMP is only recommended in situations where there is no interest in managing the device.

The settings User, Auth. Protocol, Auth Password, Priv. Protocol, and Priv. Password are only necessary if SNMPv3 is used.


The sampling setting specifies the packet sampling rate that will be used when configuring an agent using the sFlow (or XRMON) MIB. The Sampling Rate determines the fraction of packets sampled. For example, a value of 100 would mean that, on average, 1 in every 100 packets would be sampled. The Min. ifSpeed and Max. ifSpeed settings allow different sampling rates to be set for interfaces depending on their speeds. An interface will match the first entry for which the condition Min <= ifSpeed < Max is satisfied. Generally, larger Sampling Rate settings are used for faster interfaces. The default settings are usually adequate and provide a useful guide when manually configuring sampling using the CLI.

If sFlow has been configured on the agent using its CLI then this parameter will have no effect. The sampling rate configured on the agent will be adopted and will override any setting made here.

Similarly, if the agent is sending IPFIX, NetFlow or LFAP flow records, then the packet sampling rate being used on the agent will usually be indicated in a field in the data packets. In that case also, the sampling rate configured on the agent will be adopted.

If the agent is not using packet sampling at all, and is sending flow-records generated from every packet, then the sampling rate setting configured here will be applied. It is applied so that the results are equivalent to that packet sampling rate being applied on the agent prior to the flow-cache.

If the agent is using packet sampling but is not indicating the sampling rate in the data packets, then you must follow these steps:

  1. Add a special sampling entry just for this agent.
  2. Match the sampling rate setting to the one being used on the agent.
  3. Edit the XML configuration directly to add:
    as an extra parameter in that <sampling> section.