Why Cluster-Wide Detection Matters
A Proxmox cluster typically runs 3-20 nodes, each hosting dozens of VMs and containers. An attack on one node's guest can saturate that node's uplink, but the attacker might also target guests across multiple nodes simultaneously, or shift targets between nodes to evade per-node detection.
Without cluster-wide visibility, you are blind to these patterns. You might mitigate an attack on node 1 only to discover the same attacker pivoted to node 3. With ftagent on every node and a centralized dashboard, you see the full picture.
Deployment
Install ftagent on each Proxmox node. The fastest approach is a simple loop:
# From any machine with SSH access to all nodes:
for node in pve1 pve2 pve3 pve4; do
  ssh root@$node "pip install ftagent && ftagent --setup --token YOUR_TOKEN --name $node"
done
Each node registers itself in the Flowtriq dashboard with its hostname. Within minutes, you have per-node traffic metrics, baselines, and detection active across the cluster.
Alternatively, if you manage Proxmox nodes with Ansible:
# ansible playbook: deploy-ftagent.yml
- hosts: proxmox_nodes
  become: true
  tasks:
    - name: Install ftagent
      pip:
        name: ftagent
        state: latest
    - name: Configure ftagent
      command: >
        ftagent --setup
        --token {{ ftagent_deploy_token }}
        --name {{ inventory_hostname }}
      args:
        creates: /etc/ftagent/config.yml
      no_log: true  # keep the deploy token out of Ansible output and logs
    - name: Enable and start ftagent
      systemd:
        name: ftagent
        state: started
        enabled: true
Centralized Dashboard View
Once all nodes report in, the Flowtriq dashboard shows:
- Fleet overview: All Proxmox nodes with current PPS, bandwidth, and health status
- Active incidents: Any ongoing attacks across any node, with target IP, attack type, and severity
- Node comparison: Side-by-side traffic graphs for spotting anomalies that affect multiple nodes
- Incident history: Full attack log across the cluster with filtering by node, date, severity, and attack type
This is the view you want when you are on call. At a glance, you see whether your cluster is healthy or under attack, which node is affected, and whether mitigation is active.
Per-Node Mitigation
Each ftagent instance operates independently for mitigation. When an attack is detected on node 2, the agent on node 2 deploys iptables rules on node 2. The other nodes are unaffected.
This independence is important for resilience. If one node becomes unreachable (for example, a heavy attack saturating its link), the agents on the other nodes continue operating. There is no single point of failure in the detection architecture.
For attacks that require upstream mitigation (BGP FlowSpec, RTBH), the agent on the affected node triggers the escalation. You can configure shared escalation policies so that the same BGP speaker is used regardless of which node detects the attack.
Alert Configuration for Clusters
Configure alerting at the cluster level to avoid alert fatigue:
- One Slack/Discord channel for all nodes: All agents send to the same webhook. Each alert includes the node name so you know which node is affected.
- PagerDuty with deduplication: If the same attack targets multiple nodes (carpet bombing), Flowtriq deduplicates alerts into a single PagerDuty incident.
- Per-node email alerts: Send node-specific alerts to different team members if you have per-node responsibility.
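To make the multi-node case concrete, here is an added example (not Flowtriq's code or its deduplication algorithm) that folds per-node alerts into cluster-level incidents and marks the ones spanning several nodes. The alert fields, attack-type names, sample data and the 120-second gap are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample alerts; field names and values are assumptions, not ftagent output.
SAMPLE_ALERTS = [
    {"node": "pve1", "target": "203.0.113.10", "attack_type": "udp_flood", "ts": 1000},
    {"node": "pve3", "target": "203.0.113.77", "attack_type": "udp_flood", "ts": 1030},
    {"node": "pve2", "target": "203.0.113.42", "attack_type": "udp_flood", "ts": 1075},
    {"node": "pve2", "target": "203.0.113.42", "attack_type": "udp_flood", "ts": 1090},
    {"node": "pve4", "target": "203.0.113.99", "attack_type": "syn_flood", "ts": 1100},
    {"node": "pve1", "target": "203.0.113.10", "attack_type": "udp_flood", "ts": 5000},
]

WINDOW_SECONDS = 120  # assumed: a longer quiet gap than this starts a new incident


@dataclass
class Incident:
    attack_type: str
    first_ts: int
    last_ts: int
    nodes: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    alert_count: int = 0

    @property
    def multi_node(self):
        # More than one node in the same wave: carpet bombing or a target pivot.
        return len(self.nodes) > 1


def correlate(alerts, window=WINDOW_SECONDS):
    """Fold per-node alerts into cluster-level incidents, one per attack wave."""
    open_by_type = {}  # attack_type -> most recent Incident of that type
    incidents = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        inc = open_by_type.get(a["attack_type"])
        # Open a new incident if none exists or the previous alert is too old.
        if inc is None or a["ts"] - inc.last_ts > window:
            inc = Incident(a["attack_type"], a["ts"], a["ts"])
            open_by_type[a["attack_type"]] = inc
            incidents.append(inc)
        inc.last_ts = a["ts"]
        inc.nodes.add(a["node"])
        inc.targets.add(a["target"])
        inc.alert_count += 1
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        label = "MULTI-NODE" if inc.multi_node else "single-node"
        print(label, inc.attack_type, sorted(inc.nodes), f"alerts={inc.alert_count}")
```

On the sample data, four per-node UDP flood alerts across pve1, pve2 and pve3 become one multi-node incident, which is the pattern a per-node view would show as three unrelated events.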
VM Live Migration and Detection
When you live-migrate a VM from one Proxmox node to another, the traffic for that VM moves to the new node. ftagent on the new node sees the additional traffic and incorporates it into its baseline. The agent on the old node sees the traffic decrease.
If the VM has a registered IP in Flowtriq, the IP mapping should be updated to reflect the new node. The Flowtriq API supports this, or you can configure it through the dashboard. Future versions of the Proxmox addon will handle this automatically via Proxmox's migration hooks.
FAQ
How much does cluster monitoring cost?
Flowtriq pricing is per-node at $9.99/month. A 5-node Proxmox cluster costs $49.95/month for full detection and mitigation across all nodes. No per-VM or per-container charges.
Does ftagent monitor Ceph/Corosync cluster traffic?
ftagent monitors the interface you configure (typically the public-facing vmbr0). Ceph storage traffic typically runs on a separate network (e.g., vmbr1). You can configure the agent to monitor multiple interfaces if needed.
Can I use this for a homelab Proxmox setup?
Yes. Flowtriq's 14-day free trial works for any cluster size. After the trial, per-node pricing makes it affordable even for small homelab clusters.