
Flowmon ADS in ISP Environment

Last Updated: May 1, 2026

This document explores deployment scenarios showing how Internet Service Providers (ISPs) use the Progress Flowmon Anomaly Detection System (ADS) to monitor their network infrastructure using Network Detection & Response. It also provides recommendations for configuring detection methods to optimize performance and achieve the best results in an ISP environment.

Monitoring north-south traffic

The first use case collects network telemetry flow (NetFlow/IPFIX) before Carrier-grade NAT (CGNAT) to monitor north-south traffic. In this scenario, Flowmon ADS reports suspicious activity leaving or trying to enter your network.

Monitoring east-west traffic

The second use case exports network telemetry flow from core switches or routers to monitor east-west traffic. Flowmon ADS reports suspicious activity occurring within your monitored network (such as datacenters, offices, and so on).

Network telemetry sources

You can use both flow-enabled network devices and/or Flowmon Probes as data sources. The probes are dedicated flow exporters that connect passively to your network at core and edge points. They provide unsampled flow data and visibility into commonly used application protocols, adding valuable attributes like DNS, HTTPS SNI, TLS, network performance metrics, and other data for both operational and security monitoring.

Note that Flowmon ADS offers limited functionality when you use sampling or sFlow (sampled Flow). Also, to meet regulatory compliance requirements, your ISP might need to collect unsampled flow data.

Impact of network telemetry quality on detection

You can use flow-enabled network devices (such as routers) as data sources for Flowmon ADS. However, the quality of exported flow data might vary and affect detection quality. For best results, provide the system with high-quality flow data that includes correct timestamps and all attributes, including TCP flags.

Flowmon ADS requires bidirectional flow for detection. The system creates bidirectional flows (biflows) from unidirectional flows through flow pairing (joining two opposite flows in a similar time range). Flowmon ADS alerts you when it cannot pair flows. If this happens, check the quality of third-party flow data, particularly the flow start time.
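The pairing step described above, as an added illustration that is not Flowmon's code: unidirectional records are joined into biflows when the opposite 5-tuple is seen within a start-time window, and every record left over is tagged with the reason, so a skewed start timestamp from a third-party exporter is distinguishable from an ordinary one-way flow. The tolerance value and the sample records are assumptions.

```python
# Added example, not Flowmon code: pair unidirectional flow records into
# biflows (reverse 5-tuple within a start-time window) and say why each
# leftover record could not be paired, as the text describes.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: float  # exporter-supplied flow start time, seconds

def pair_flows(flows, tolerance=2.0):
    """Return (biflows, unpaired); tolerance is an assumed window, not Flowmon's."""
    by_key = {}
    for f in flows:
        by_key.setdefault((f.src, f.sport, f.dst, f.dport, f.proto), []).append(f)
    used, biflows, unpaired = set(), [], {}
    for f in sorted(flows, key=lambda x: x.start):
        if id(f) in used:
            continue
        opposite = by_key.get((f.dst, f.dport, f.src, f.sport, f.proto), [])
        match = next((c for c in opposite if id(c) not in used
                      and abs(c.start - f.start) <= tolerance), None)
        if match is not None:
            used.update((id(f), id(match)))
            biflows.append((f, match))
        elif not opposite:
            # a one-way flow is normal: probes, scans, unanswered SYNs
            unpaired[f] = "no opposite flow"
        else:
            # opposite direction seen, but too far apart in time: the
            # exporter's start timestamps deserve a look, as the text advises
            gap = min(abs(o.start - f.start) for o in opposite)
            unpaired[f] = f"opposite flow {gap:.0f}s away: check flow start time"
    return biflows, unpaired

# Constructed sample: a healthy HTTPS pair, a DNS pair whose reply start time
# is skewed by a minute (bad exporter clock), and an unanswered SSH attempt.
SAMPLE = [
    Flow("10.1.1.5", 51000, "203.0.113.10", 443, 6, 100.0),
    Flow("203.0.113.10", 443, "10.1.1.5", 51000, 6, 100.4),
    Flow("10.1.1.6", 52000, "203.0.113.20", 53, 17, 200.0),
    Flow("203.0.113.20", 53, "10.1.1.6", 52000, 17, 260.0),
    Flow("198.51.100.7", 40000, "10.1.1.9", 22, 6, 300.0),
]
```

Running `pair_flows(SAMPLE)` pairs only the HTTPS records; the DNS pair is reported with a 60 s gap, which is the symptom to look for when an exporter's flow start time is wrong.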

Most detection methods work with standard flow data from flow-enabled network devices. However, some methods require additional attributes provided by Flowmon Probe. For more information about detection methods and third-party flow data, see the Detection Methods and 3rd Party Flow Data documentation.

Detection in Flowmon ADS

Flowmon ADS includes many built-in detection methods that focus on different network anomalies and issues. Some detection methods work better for detecting suspicious traffic going outside or inside your network (North-South), while others excel at detection inside your network (East-West). For accurate detection, separate your traffic into several groups and use them in detection method instances. Each instance will develop accurate baselines and learn behavioral patterns for its assigned traffic group. This separation can be based on subscription speed or traffic similarities. For example, group by datacenters, B2B, fiber, wireless, or xDSL, because each group likely has different behavior patterns.

In Flowmon ADS, you can achieve this by configuring Data Feeds, Filters, and Method Instances. Consult the User Guide for more information on configuration. In short, Data Feeds represent flow data sources (logical network segments or individual monitoring points in the network), Filters define logical network topology using IP addresses (for example, DNS servers, network segments like DMZ, DC, and so on), and Method Instances represent specific settings of the detection methods (related to the assigned Data Feed and Filter).

Based on experience with tuning Flowmon ADS detection in ISP environments, here are recommendations for detection method usage and configuration in multiple scenarios:

North-South and East-West detection

Detection method (name and code) | Recommendation
---------------------------------|---------------
Behavior anomaly (ANOMALY) | Use for general anomalies for all groups.
Flow-based behavior patterns (BPATTERN) | Use for all groups.
Communication with blacklisted hosts (BLACKLIST) | Use the "AttackerActivities" list only for internal traffic (for example, LAN traffic); otherwise a lot of events will be detected, because communication from blacklisted hosts on the outside is common.
Target hosts/ports anomaly (DIVCOM) | Use for all groups.
Denial of service attack (DOS) | Use for all groups. Adjust the sensitivity in the method instance configuration based on the number of detections.
DNS query volume anomaly (DNSQUERY) | Split detection per group using method instances; set the MinimalQueryLimit parameter to 9999 and the Multiplicator to 6. Adjust based on the number of detections.
Peers geographical distribution anomaly (GEODIST) | Increase the MinimalTransfer parameter to at least 100 MB.
Web form authentication attack (HTTPDICT) | Change the MinimalPerClient parameter to 500 and MinimalPageSize to 3000.
Communication partners anomalies (PEERS) | Use primarily for servers that provide services in your network, such as DNS and DHCP.
RDP attack (RDPDICT) | Can be used as a single method instance with all data.
Amplified denial of service attack (REFLECTDOS) | Can be used as a single method instance with all data.
Port scanning (SCANS) | Limit to ports of interest such as 443, 80, 22, and others.
SMTP anomaly (SMTPANOMALY) | Set the MinimalMailLimit parameter to 150 and the Multiplicator to 5.
SSH attack (SSHDICT) | Can be used as a single method instance with all data.

East-West detection

Detection method (name and code) | Recommendation
---------------------------------|---------------
New or alien device (ALIENDEV) | Use in segments (configured either in a filter or in the Monitoring Centre profile) such as a DC, where IP changes are not common.
DHCP anomaly (DHCPANOMALY) | Use in segments where DHCP is running and the service is provided by your server.
Direct Internet communication (DIRINET) | Use in segments such as the internal network where proxy usage is enforced.
DNS traffic anomaly (DNSANOMALY) | Use in segments where you expect only certain DNS servers to be used.
Service not available (SRVNA) | Use in segments with internal services.

East-West detection with flows provided by Flowmon Probes

Detection method (name and code) | Recommendation
---------------------------------|---------------
Network address translation (NATDET) | Use on segments where you do not expect NAT (for example, offices).
Random domain name (RANDOMDOMAIN) | Use for all groups.

Consider using other detection methods based on the specific behaviors you would like to monitor in your network, and turn methods off if they do not provide valid results. The general recommendation is to start with a couple of detection methods and tune them until they give good results; enabling everything at once is likely to cause event overload.
