Traffic Sensors
A Traffic Sensor is a Docker-based agent you deploy on a Linux host inside your network. It monitors live network traffic in real time by sniffing a network interface directly, by receiving syslog input from network devices, or both simultaneously.
For every IP it observes, the Traffic Sensor checks the IP's score against two types of thresholds:
Alert Threshold: if an IP's score meets this value, the sensor fires an IP-Alert. This is purely informational and does not result in any blocking action. It can be used to detect and monitor potentially malicious traffic without banning it.
Block Threshold: defined per blocklist. If an IP's score exceeds the block threshold of a blocklist the sensor contributes to, the sensor sends a block recommendation to the Arbiter for that specific blocklist. The Arbiter validates the recommendation and, if confirmed, adds the IP to the blocklist.
This means a Traffic Sensor can be configured purely for monitoring (alert threshold only, no blocklist contributions), purely for enforcement, or both.
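The threshold behaviour described above, modelled as an added example (not NxtFireGuard's code). The class and function names, the CIDR whitelist format, the blocklist names and all score values are assumptions; "meets" is read as `>=` and "exceeds" as `>`, following the wording on this page.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SensorConfig:
    # Hypothetical model of the settings chosen when adding a sensor.
    alert_threshold: int
    block_thresholds: dict = field(default_factory=dict)  # blocklist name -> threshold
    whitelist: list = field(default_factory=list)         # CIDR strings (assumed format)


def evaluate(cfg, ip, score):
    """Return (fire_alert, blocklists_to_recommend) for one observed IP."""
    addr = ipaddress.ip_address(ip)
    # Whitelisted IPs are excluded from monitoring entirely: no alert, no block.
    for net in cfg.whitelist:
        if addr in ipaddress.ip_network(net, strict=False):
            return False, []
    # Alert: the score meets the alert threshold (>=). Informational only.
    fire_alert = score >= cfg.alert_threshold
    # Block: the score exceeds a blocklist's own threshold (>). Each match is a
    # recommendation to the Arbiter, which still has to confirm it.
    recommend = sorted(name for name, t in cfg.block_thresholds.items() if score > t)
    return fire_alert, recommend


# Constructed sample configurations (documentation-range IPs, made-up scores).
MONITOR_ONLY = SensorConfig(alert_threshold=50)
BOTH = SensorConfig(
    alert_threshold=50,
    block_thresholds={"edge-fw": 80, "dmz-strict": 60},
    whitelist=["10.0.0.0/8", "192.0.2.10/32"],
)

if __name__ == "__main__":
    samples = [("203.0.113.7", 50), ("203.0.113.8", 60),
               ("203.0.113.9", 95), ("10.1.2.3", 99)]
    for ip, score in samples:
        print(ip, score, "both:", evaluate(BOTH, ip, score),
              "monitor-only:", evaluate(MONITOR_ONLY, ip, score))
```

A score equal to a block threshold produces an alert but no block recommendation, and a monitoring-only sensor never produces recommendations regardless of score.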
The sensor also sends a regular heartbeat to NxtFireGuard. If the heartbeat stops, any configured Uptime Notification Groups will alert you so you can investigate.
Adding a Traffic Sensor
Adding a Traffic Sensor is a six-step process:
- Go to Traffic Sensors under Data Ingestion in the sidebar and click + Add Sensor.
- Step 1: Name: Enter a descriptive name for the sensor.
- Step 2: Traffic Sensor Settings: Choose the input methods this sensor should use. You can enable Sniff Traffic (interface sniffing), Run Syslog (receive syslog from network devices), or both.
- Step 3: Private Blocklists: Select which of your private blocklists this sensor should contribute to. Each blocklist has its own block threshold: the sensor will send block recommendations to the Arbiter when an IP exceeds that threshold.
- Step 4: Whitelists: Optionally apply whitelists to this sensor. IPs matching a whitelist will be excluded from monitoring entirely.
- Step 5: Alert Threshold: Set the IP score value at which the sensor fires an IP-Alert. This threshold is independent of any block thresholds.
- Step 6: Uptime Notification Groups: Assign notification groups to alert you if the sensor experiences health issues. Click Create Traffic Sensor to finish.
After creation, open the sensor via Edit to access the setup instructions by clicking View Instructions. The instructions include all required configuration values specific to your sensor instance.
Rate Limits
Your subscription tier enforces the following rate limits per Traffic Sensor:
| Limit | Basic | Starter | Standard | Enterprise |
|---|---|---|---|---|
| IP-Alerts / second | 5 | 25 | 50 | Custom |
| Block recommendations / second | 2 | 10 | 25 | Custom |
The sensor automatically queues and retries rate-limited requests: they will eventually be processed but may be delayed. If you consistently hit these limits, consider upgrading your subscription tier.
Managing Traffic Sensors
Editing a sensor: click Edit on any sensor card to update its name, alert threshold, input method toggles (Sniff Traffic / Run Syslog), private blocklist contributions, whitelists, and uptime notification groups. The Edit panel also gives access to the Auth Secret, Heartbeat Identifier, and View Instructions.
Deleting a sensor: click Delete Traffic Sensor inside the Edit panel. Stop and remove the Docker container on the host before deleting to avoid orphaned processes.
If you need help, reach out via the contact form.