Most FlowTraq deployments are centered on a single pool of data for ease of analysis, with user access controlled by access level and user filters. However, some environments require full multi-tenancy for either internal or external customers who cannot be permitted to see or analyze data outside the data they produce or are assigned. Partitions can be thought of as FlowTraqs-within-FlowTraq: users within a partition have full access to FlowTraq functionality, but only for their own data. (The exception to this access is for items with system-wide implications, such as configuring alerts or administering system settings.) FlowTraq partitions enable strict sectioning of data, with flow sources and users assigned to individual partitions, each with an assigned number, called a customer ID (CID). Every FlowTraq install has a single super-partition (CID 0).
The partition page is accessed via the Users option under the Administration menu on the left-hand side of any FlowTraq page. A partition may have one or more of each of the following:
- Name
Although each partition is internally identified by a customer ID and a globally unique ID (GUID), a name may be assigned for ease of reference.
- Exporters
IP addresses and CIDR blocks corresponding to exporting devices (routers, software flow exporters, etc.) can be assigned to individual partitions, so that all flows from those devices are visible within that partition.
Note: Exporter selection can be overridden by valid GUIDs embedded in individual flow records.
- Netblocks
Each partition can be configured with a set of netblocks that are defined as "internal" to that partition, enabling the use of the INT filter. This is a tag applied to individual sessions: changes in the partition netblocks apply only to new sessions.
- Users
Users created in or moved to a partition can only see traffic in that partition (with the exception of the Main partition; see below for details). Admin users in a non-main partition are Partition Administrators, and can only create and delete users in their own partition.
Administrative users have the ability to alter these parameters, and retrieve partition GUIDs, via the Actions menu in the upper-right corner of the partition box.
Every FlowTraq install has one partition configured by default, CID 0, or the Main partition. Users in this special partition can see and (with admin access) administer all partitions within FlowTraq, according to optional traffic group and partition-level access control set by administrative users.
Administrative users in the Main partition can create or destroy partitions, create and delete users in any partition, move users among partitions, and configure alerting on all data.
Important: New users authenticating through LDAP will be created in the CID 0 partition immediately upon login.
Each partition has a space defined as internal to it, for use with specialized filtering using the INT shorthand. Select Add Netblock from the Actions menu for the desired partition. Enter one CIDR block at a time, to be added to the Internal Netblocks list.

Important: Tagging is performed on an ongoing basis, not in retrospect. Changes to the internal blocks -- including initial setup -- apply only to new flows. This ensures that in the future historical queries can be performed on "internal at the time" sessions even as network configuration evolves. Sessions that are ongoing during a configuration change will retain their original assignment.
There are two ways to assign new flow records to a specific partition. First, and most common, is to configure the partition to claim flows from exporters in a given CIDR block. Select Add Exporter from the Actions menu for the desired destination partition. Add an individual Exporter IP address or a CIDR block covering all the devices from which that partition may receive flows.
Important: Exporters cannot be shared among partitions. It is critical for predictable operation that there be no overlap among exporter netblock assignments. If NATting results in two exporters sharing an IP address, they must be assigned to the same partition.

Important: As with internal netblocks, flows are assigned to a partition on first update after the exporter is assigned to (or removed from) a partition, and are not assigned retroactively. To ensure smooth operation, configure partition assignment as soon as possible after configuring the exporters.
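The no-overlap requirement for exporter netblocks can be checked before any assignment is made. The following is an added example, not FlowTraq code: it audits a planned exporter inventory for entries that intersect across partitions. The inventory format, the sample addresses and the function names are assumptions made for the illustration; it does not read ftgroup output.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: CID -> exporter IPs/CIDR blocks planned for that partition.
SAMPLE_ASSIGNMENTS = {
    1: ["192.0.2.0/25", "198.51.100.7"],
    2: ["192.0.2.64/26", "203.0.113.0/24"],  # sits inside partition 1's /25
    3: ["198.51.100.7", "2001:db8::/32"],    # same (NATted) address as partition 1
}


def _parse(assignments):
    """Flatten the mapping into (cid, network) pairs; a bare IP becomes a /32 or /128."""
    return [
        (cid, ipaddress.ip_network(block, strict=False))
        for cid, blocks in assignments.items()
        for block in blocks
    ]


def find_exporter_overlaps(assignments):
    """Return (cid_a, block_a, cid_b, block_b) for every pair of exporter
    entries that intersect while belonging to different partitions."""
    conflicts = []
    for (cid_a, net_a), (cid_b, net_b) in combinations(_parse(assignments), 2):
        if cid_a == cid_b or net_a.version != net_b.version:
            continue  # same partition is allowed; IPv4 never overlaps IPv6
        if net_a.overlaps(net_b):
            conflicts.append((cid_a, str(net_a), cid_b, str(net_b)))
    return conflicts


def claiming_partitions(exporter_ip, assignments):
    """Return the sorted CIDs whose exporter list covers exporter_ip.
    More than one CID means the partition for its flows is not predictable."""
    ip = ipaddress.ip_address(exporter_ip)
    return sorted({cid for cid, net in _parse(assignments) if ip in net})


if __name__ == "__main__":
    for cid_a, a, cid_b, b in find_exporter_overlaps(SAMPLE_ASSIGNMENTS):
        print(f"CID {cid_a} {a} overlaps CID {cid_b} {b}")
    print("192.0.2.100 claimed by CIDs", claiming_partitions("192.0.2.100", SAMPLE_ASSIGNMENTS))
```

An empty result from find_exporter_overlaps means no exporter entry is claimed by more than one partition in the planned inventory.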
The second method for assigning flows is to embed the GUID of the selected partition in the flows themselves. Currently, this can only be done using the FlowTraq Flow Exporter with the -guid switch.
To manage partitions, use the ftgroup command. Administrative credentials in the CID 0 (Main) partition are required to create or modify partitions.
You must specify a FlowTraq Server to connect to and supply login details.
In addition to the connection and login parameters, ftgroup accepts the following parameters:
Table 4.1. Partition Management Parameters

Parameter | Description |
---|---|
-cid CID | Select the partition (CID) to apply commands to, where needed. |
-cidguiadd | Create a new partition with an auto-assigned GUID. Use -cid to select a CID number. |
-cgguidel GUID | Delete selected partition, which must be completely empty of users. Partition deletion should be done sparingly: Because FlowTraq can accommodate over ten thousand unique CIDs, it is not necessary to recycle unused numbers. (See note below table) |
-cgexpadd IP | Add the IP address of an exporter to the partition selected with the -cid switch. All new flows from the cumulative list of exporter netblocks will be assigned to the selected partition. |
-cgexpdel IP | Remove an exporter from the partition by IP address. Note that previously-tagged flows will not be affected. |
-cginadd CIDR | Add the specified netblock to the internal network list for this partition. Future flows involving this netblock will be tagged 'internal' for use with the INT filter element. |
-cgindel CIDR | Remove the specified netblock from the internal network list for this partition. Future flows involving this netblock will not be tagged 'internal'; does not affect historic data. |
-cglist | List all information about all visible partitions; if used with -cid switch, list information about the selected partition. |
-suggestcid | Returns a unique unused CID and GUID pair for use with -cgguiadd. |

Important: Deleting a partition does not delete flows from that partition, nor does it remove the tags. New partitions with a recycled CID may in some circumstances be able to see those flows. If a partition is no longer in use, but still has a historical flow record, it is recommended to remove all exporter netblocks from it and leave the partition in place until its flows are aged out.

Note: To avoid 'stranding' users, partitions containing users cannot be deleted. By the same token, users cannot be added to a non-existent partition.