Key Capabilities and Features of Banyan's Netagent

  • Updated on Jun 17, 2021

This article describes features that are only available in the Banyan Enterprise edition.
This article describes features - Host Agent mode, DoS protection, StatsD metrics, Service Tunnel capability - that are currently in early preview. Contact your account team to enable these features for your organization and for further assistance.

Netagent is the core component of Banyan’s Access Tier. It is a light-weight identity-aware cloud-managed proxy written in Golang, that runs on Linux servers. Netagent is designed to be similar in deployment to open-source proxies such as Nginx, but is focused on Zero Trust security functionality.


The internal modules that comprise the Netagent are depicted in the diagram below:

Netagent functions primarily as a reverse proxy, intercepting traffic on specified ports on a Linux server. By default Netagent intercepts traffic on the following ports:

  • 443/tcp - for web services, accessed via a browser
  • 8443/tcp - for infrastructure services, accessed via the Banyan App
  • 51820/udp - for service tunnels, that enable network access

Netagent leverages various Linux kernel functionality to manage and forward traffic, including:

  • iptables
  • conntrack
  • wireguard

Note that Netagent is delivered as a Linux package (and NOT a Virtual Appliance), so it can be easily orchestrated in many varieties of cloud-native deployments.

Supported Linux Distros

The Netagent binary can be installed on Virtual or Physical 64-bit Linux Servers.

Officially Supported: the following distros are supported, when run with an officially released kernel:

  • Amazon-Linux (2011.09-2018.03) and Amazon-Linux-2
  • CentOS 7.x and RHEL 7.x
  • Ubuntu 16.04+

Support Deprecated: the following Linux distros are no longer supported:

  • CentOS 6.x
  • Ubuntu 12.04, 14.04

If you’re running an unsupported distro or a custom kernel, please contact us for tailored installation instructions.

Netagent Features

Health Check, Logs, Metrics

Operations teams can use Netagent’s built-in logs and metrics capabilities to set up high-availability configurations and detailed monitoring.

  • Health Check - When functioning correctly, Netagent listens on a TCP port (default: 9998). Monitoring tools can establish a connection to the health check port to confirm Netagent health.
  • Logs - Netagent saves logs to both console and file; you can manage the log level via the Netagent Configuration. To change the location (default: /var/log/banyan/netagent.log), set the environment variable LOGFILENAME. You can also similarly configure syslog daemon to gather Netagent logs.
  • Metrics - Netagent uses the statsd format to aggregate and summarize its metrics. Once you set the Netagent Configuration to emit to your statsd daemon, you can start collecting Netagent metrics including: tx/rx bytes, http response code, http response time, unauthorized attempts, error counts, etc. Metrics are emitted per service id.

Denial of Service (DoS) Protection using the BadActor Module

Because is is deployed internet-facing scenarios, Netagent has built-in DoS protection capability. The DoS capability can be enabled via Netagent Configuration, bad_actor parameter. The DoS functionality is similar to tools such SSHGuard and Fail2ban.

The DoS feature detects clients that continually make unauthorized accesses to services, and labels them as “bad actors”. If a bad actor surpasses the configured unauthorized request threshold (set by the infraction_count), Netagent automatically sets a firewall rule to ignore their traffic (via IP address) temporarily (accordingly to sentence_time), thereby placing them in a “jail”.

Host Agent Mode

In some scenarios, you may wish to deploy the Netagent directly on hosts on which you run workloads, instead of as a gateway. We call this the Host Agent mode.

When Netagent runs in Host Agent mode, it has some additional capabilities, including:

  • network visibility into all host networking
  • auto-discovery of workloads (processes and Docker containers)
  • automatic interception of service traffic
  • forward proxy to upgrade service communications to MTLS