Administrator's Guide


Centralized Reporting Solutions
SonicWALL Scrutinizer 9.0 Administrator's Guide
SonicWALL Analyzer 7.0 Administrator's Guide

NetFlow, IPFIX and sFlow Analyzer


Table of Contents

Welcome to the Scrutinizer Manual ... 1
  Overview ... 1
Admin Tab ... 3
  Admin Tab ... 3
    Overview ... 3
  Admin Tab ... 7
    Overview ... 7
  SNMP Device View
  Vitals Main View
    Overview
Alarms Tab
  Alarms Tab Overview
  Configuring Alarm Conditions
Flow Analytics
  Flow Analytics Overview
Maps Tab
  Maps Main View
    Overview
  Map Connections
    Overview
  Map Settings
    Overview
  Map Groups
    Overview
  Map Objects
    Overview
  Flash Maps
    Overview
  Map Status
    Overview
  Device Overview
    Overview
Status Tab
  Status Tab Overview

Scrutinizer v7 Manual

System
  Access Denied
  Backups
    Overview
  Database Connection Failure
    Overview
  Distributed Collectors
    Overview
  Language Translations
    Overview
  Systrax
  Troubleshooting
  Getting Started Guide
  Web Server Port
    Overview
Index

Welcome to the Scrutinizer Manual

Overview

Welcome to the on-line manual. Click Here for help troubleshooting. You can also get this manual in .pdf format. You will find the latest updates to the manual online. There are also online webcasts which give quick overviews (i.e. 2-5 minutes each) of specific features.

IMPORTANT: Don't struggle, contact support!

Adobe Flash Player. Copyright (c) Adobe Systems Incorporated. All Rights Reserved. Patents pending in the United States and other countries. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries. Please reference the End User License Agreement for more information on using Adobe Flash Player in Scrutinizer.


Admin Tab

Admin Tab Overview

The Settings page is primarily left to the administrators.

Settings:

- Alarm Notifications: enable additional system alarms.
- Data History: specify how long each flow interval is saved.
  - Historical 1 Min Avg: saves 100% of all flows received. Make sure the server has enough disk space to save significant quantities of the raw flows. The 1 minute intervals consume the most disk space, as they are not aggregated and flows are kept in raw format.
  - Historical 5 minute - 1 week Avg: these intervals only save the specified Maximum Conversations after aggregation per interval.
  - Maximum Conversations: used when creating larger intervals (e.g. 5 minute) from prior intervals (e.g. 1 minute). All flows are aggregated together per router. The top 10,000 (default) based on bytes are saved.
- Denika Connections: integration with Denika SNMP Performance Trender for SNMP details to represent link status.
- Email Server: necessary for on demand and scheduled emailed reports. Make sure the test is successful.
- Flow Analytics: configure advanced algorithms (e.g. DDoS, Nefarious Activity, etc.).
- LDAP Credentials: the web interface can integrate with Microsoft Active Directory so that users can simply log in to the web interface using their Windows domain authentication. When a user logs in for the first time, a new account is created in Scrutinizer and given Guest access by default. The Scrutinizer administrator can then grant that user further capabilities if desired.

  Requirements for LDAP integration:
  1) The name or IP address of the LDAP server.
  2) An account with one of the following permissions on the LDAP server:
     a. Account Operators (must also be a member of Distributed COM Users for remote WMI access)
     b. Administrators
     c. Domain Admins
     d. Enterprise Admins
  3) The account chosen must have WMI Read access to \root\directory\ldap.

  Instructions to integrate Scrutinizer with LDAP: there is a wizard utility which makes the process easier.
  To activate the LDAP configuration wizard:
  1) Open a command prompt on the server.
  2) Change directories to the \scrutinizer\bin\ directory.
  3) Run scrut_util ldapwizard and follow the instructions.

  4) Enter the IP or hostname of the LDAP server.
  5) Enter the LDAP binding account username.
  6) Enter the LDAP binding account password, then verify by retyping.
  7) Is it configured to use LDAPS or LDAP over SSL? Answer y or n.
  8) If successful, the wizard returns the LDAP configuration that will be saved to the database. The next step is to use a typical account to test connectivity.
  9) Enter the username of an LDAP account that will be used to log into the Scrutinizer web interface.
  10) Enter a password and then verify by retyping.
  11) If successful, the wizard will display the success of the connection and update the configuration.

  Users should now be able to log in to the web interface with their LDAP account. If unsuccessful, contact support.

- Licensing: enter the license key for Flow Analytics and/or the Service Provider module.
  - Flow Analytics
  - Mailinizer
  - Service Provider Module
- Mapping Configuration: customization for both Flash and Google maps (e.g. connections, text boxes, etc.). Learn more about mapping.
- Proxy Configuration: set up the server to work with a proxy server.
- Syslog Notifications: configure the syslog server, port and priority.
- System Preferences: other options.

Definitions:

- 3rd Party Integration: create links to 3rd party applications and pass variables in URLs.
- Applications: set up and modify applications using ranges of ports and IP addresses. This feature is useful for properly labeling in-house applications.
- Autonomous Systems: set up and modify the Autonomous Systems that are shipped with the software.
- Device Details: displays the SNMP details of the devices sending flows. Allows custom device and interface names to be defined which override the defaults. Notice that in and out speeds can be configured.
- Host Names: set up and modify known hosts. Use this option to statically assign host names to IP addresses that will not age out. It can also be used to label subnets in the Subnet report types. There are three Resolve DNS options:
  1. Current - has been resolved, or resolution has been attempted, already (will expire after the number of days set in the serverprefs).
  2. Queued - ready to be resolved by the resolver. The user can set a host to Queued to force a DNS resolve again on that host.
  3. Never - a permanent address that was manually added by the user. Users can make names permanent by switching this to Never. It is not purged.
- Languages: use this interface to update languages or create new translations.
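The Data History roll-up described under Settings above (1-minute raw flows aggregated into larger intervals per router, with only the top Maximum Conversations by bytes kept) as an added example; this is not Scrutinizer's own code, and the flow record layout, field names and sample records are constructed for illustration. It also reports how many bytes the cap discards, which is what the longer retention tiers can no longer account for.

```python
"""Roll-up of 1-minute flow records into a larger interval, per exporter,
keeping only the top-N conversations by bytes (the Maximum Conversations cap).
Added example; record layout and names are assumptions, not the product schema."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    exporter: str   # router/switch that exported the flow
    minute: int     # start of the 1-minute interval, in epoch minutes
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    bytes: int
    packets: int


ConvKey = Tuple[str, str, int, int, int]   # src, dst, proto, sport, dport


def roll_up(flows: List[Flow], interval_minutes: int = 5,
            max_conversations: int = 10_000) -> Dict[Tuple[str, int], List[dict]]:
    """Aggregate raw flows into (exporter, interval start) buckets.

    Flows with the same 5-tuple inside one bucket are summed; then only the
    top `max_conversations` conversations by bytes are kept (default 10,000,
    as on the Settings page). Everything below the cap is dropped, so the
    bucket no longer holds the true interval total.
    """
    buckets: Dict[Tuple[str, int], Dict[ConvKey, List[int]]] = defaultdict(dict)
    for f in flows:
        start = f.minute - (f.minute % interval_minutes)
        key: ConvKey = (f.src, f.dst, f.proto, f.sport, f.dport)
        conv = buckets[(f.exporter, start)].setdefault(key, [0, 0])
        conv[0] += f.bytes
        conv[1] += f.packets
    out: Dict[Tuple[str, int], List[dict]] = {}
    for bucket, convs in buckets.items():
        ranked = sorted(convs.items(), key=lambda kv: kv[1][0], reverse=True)
        out[bucket] = [
            {"src": k[0], "dst": k[1], "proto": k[2], "sport": k[3], "dport": k[4],
             "bytes": v[0], "packets": v[1]}
            for k, v in ranked[:max_conversations]
        ]
    return out


def dropped_bytes(flows: List[Flow], rolled: Dict[Tuple[str, int], List[dict]]) -> int:
    """Bytes present in the raw 1-minute data but absent after the roll-up."""
    raw_total = sum(f.bytes for f in flows)
    kept = sum(c["bytes"] for convs in rolled.values() for c in convs)
    return raw_total - kept


# Constructed sample: two exporters, records spanning one 5-minute window and the next
SAMPLE = [
    Flow("rtr1", 1000, "10.0.0.5", "10.0.1.9", 6, 51000, 443, 5000, 10),
    Flow("rtr1", 1001, "10.0.0.5", "10.0.1.9", 6, 51000, 443, 7000, 12),  # same conversation, summed
    Flow("rtr1", 1002, "10.0.0.7", "10.0.1.9", 6, 51234, 80, 300, 3),
    Flow("rtr1", 1003, "10.0.0.8", "10.0.2.2", 17, 5353, 53, 120, 2),
    Flow("rtr2", 1004, "10.0.0.5", "10.0.1.9", 6, 51000, 443, 900, 4),     # other exporter
    Flow("rtr1", 1005, "10.0.0.5", "10.0.1.9", 6, 51000, 443, 100, 1),     # next 5-minute window
]

if __name__ == "__main__":
    # A cap of 2 (instead of the default 10,000) makes the truncation visible
    rolled = roll_up(SAMPLE, max_conversations=2)
    for bucket, convs in sorted(rolled.items()):
        print(bucket, convs)
    print("bytes lost to the Maximum Conversations cap:", dropped_bytes(SAMPLE, rolled))
```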

- Manage Exporters: details on the devices sending flows. Options include:
  - Listener Ports are listed in the top left. These ports change color per device:
    - Green: all devices sending flows on that port are active and sending flows. Click on the port to view the vitals.
    - Yellow: one or more devices have recently stopped sending flows. Click on the port to view the vitals.
    - Red: all devices once sending to this port have stopped. Click on the port to view the vitals.
  - Delete: this check box can be used to remove the device from the Status tab device tree. The device will be rediscovered immediately if the collector is still receiving flows from it. Also, templates and interfaces from devices that stop sending flows are aged out.
  - Icons:
    - Status: tells whether flows are currently being received from the device (i.e. green) or not (i.e. red).
    - Device Details: click to view the Device Details.
    - Configure NetFlow via SNMP: use the wizard to re-configure the NetFlow exporting on the device.
    - Current protocol exclusions: specify which protocols will be dropped for the collector, the selected device, or a selected interface on the selected device. Visit the Device View for more details and to learn about Protocol Exclusions per device/interface.
    - Edit: click on the edit icon to modify the default name used for the device.
  - Credentials: select a community string to use on this device.
  - Status: modify the status from Active (accept flows) to Inactive (drop all flows from the device). NOTE: the flows are still being received but are ignored by Scrutinizer (i.e. not saved).
  - Update SNMP: force an immediate SNMP query for Device Details. Checking this ensures that the Device Details will be updated every night automatically.
- MIB Import: manage SNMP MIB files that have been compiled for SNMP traps.
- Notification Manager: configure notifications to be applied to Policies in the Alarms tab.
- Policy Manager: list all of the Policies that are configured for the Alarms tab.
- SNMP Credentials: configure the SNMP credentials used on each flow exporter. SNMP v1, v2 and v3 are supported.
- Type of Service (ToS): configure the ToS and DSCP values displayed in the reports. Be sure to define the "ToS Family" under System Preferences.
- Well Known Ports: define port names. In the Well Known Ports report, the following logic is used:
  1. Determine which port is lower, the source port or the destination port.
  2. If the source port is lower and defined, use it as the well known port;
  3. else, use the destination port if it is defined as a well known port;
  4. else, display the lower port as the well known port.
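The Well Known Ports selection rule just stated, as an added example that is not Scrutinizer's own code: the port-name table and the sample flow records are constructed. Note the asymmetry the rule implies, which the last sample flow exercises: a defined source port that is the higher of the two is never chosen.

```python
"""Well Known Port selection for the Well Known Ports report, following the
rule stated on this page. Added example; the port-name table (assumed to be a
subset of Admin -> Definitions -> Well Known Ports) and flows are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

WELL_KNOWN: Dict[int, str] = {22: "ssh", 53: "dns", 80: "http", 443: "https", 3389: "rdp"}


def well_known_port(sport: int, dport: int,
                    defined: Dict[int, str] = WELL_KNOWN) -> Tuple[int, Optional[str]]:
    """Return (port, name) as the report would label the conversation.

    1. Which port is lower, the source or the destination?
    2. If the source port is lower and it is defined, use it.
    3. Else, use the destination port if it is defined.
    4. Else, display the lower port; it has no defined name.
    """
    if sport < dport and sport in defined:
        return sport, defined[sport]
    if dport in defined:
        return dport, defined[dport]
    return min(sport, dport), None


def well_known_port_report(flows: Iterable[Tuple[int, int, int]],
                           defined: Dict[int, str] = WELL_KNOWN
                           ) -> Dict[Tuple[int, Optional[str]], int]:
    """Sum bytes per (port, name) label over (sport, dport, bytes) records."""
    totals: Dict[Tuple[int, Optional[str]], int] = defaultdict(int)
    for sport, dport, nbytes in flows:
        totals[well_known_port(sport, dport, defined)] += nbytes
    return dict(totals)


# Constructed flow records: (source port, destination port, bytes)
SAMPLE_FLOWS = [
    (51000, 443, 1000),   # client -> server: the destination port is the defined one
    (443, 51001, 500),    # server -> client: the source port is lower and defined
    (40000, 50000, 70),   # neither defined: the lower port is shown without a name
    (3389, 1000, 30),     # defined source port, but it is the higher one: not used
]

if __name__ == "__main__":
    for (port, name), total in sorted(well_known_port_report(SAMPLE_FLOWS).items()):
        print(f"{port:>5} {name or '-':<6} {total} bytes")
```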

Security:

- User Groups: specifies what a Group login account can access. Limited to 10 Group accounts without a Service Provider license key. Some permissions require further explanation:
  - Device Status: grants permission to see the status of the device (i.e. flow exporter). Device icons appear blue in maps if the Device Group permission is granted without this permission. Mailinizer devices show up here.
  - Interface Statistics: grants permission to see the statistics of an interface. Mailinizer does not show up here.
  - Device Groups: grants permission to see a Group (i.e. map). Devices (i.e. flow exporters) appear blue and interfaces black unless permission is granted in Device Status and Interface Statistics.
- User Accounts: configure login preferences for individual accounts. User Accounts must be a member of one or more User Groups. By default, they are placed in a default (e.g. Guest) User Group. A User Account inherits the permissions of all User Groups it is a member of.

Reports:

- Report Folders: manage the Saved Report Folders found in the Status tab under saved reports. Notice the Membership drop down box:
  - Folders: select a folder and add or remove reports from it.
  - Reports: select a report and add or remove the folders it can be found in.
- RSS Feeds: there are four built-in RSS feeds available in Scrutinizer. Each can be configured to display either 5, 10, or 25 feed items. The "Custom Reports" feed contains a list of quick links to reports you have saved within Scrutinizer. The "Recent Alarms" feed contains the most recent alarms Scrutinizer has logged. The "Top Interfaces" feed displays utilization statistics from your busiest interfaces. The "Vitals" feed contains the current Scrutinizer server vitals. These feeds are disabled by default, but can be activated by clicking the red icon.
  After activating a feed, refresh the page and follow your browser's instructions for subscribing to an RSS feed (generally an orange "broadcast" icon that will appear near your address bar). The direct URLs for the four feeds (when active) are:
    /rss/reports.xml
    /rss/alarms.xml
    /rss/interfaces.xml
    /rss/vitals.xml
- Scheduled Reports: manage scheduled reports, delete, etc.
- Top Saved Syslogs: the top devices sending syslogs.
- Top Syslog Orphans: the top devices sending syslogs that don't match policies.
- Vitals: view vital information on how well the server is handling the NetFlow and sFlow volume. More details can be found in the Vitals tab.

NetFlow Help:


- Activating NetFlow, J-Flow, sFlow, NetStream, IPFIX, etc.

SNMP Device View

Using this interface, selected interfaces can be hidden from the reporting GUI. The SNMP community string used to communicate with the device can be altered. Notice at the top: there is a drop down box with all the flow sending devices. Under the devices is a drop down box to select the SNMP community string/credential for the selected device. Next to the community string is a check box for SNMP Enabled. If SNMP Enabled is checked, the Watcher Service will attempt to poll and update SNMP information for the device. By default, the automatic SNMP discovery occurs once a night. The user can disable the automatic SNMP capability by unchecking "Auto SNMP Update" in the Admin tab, Settings -> System Preferences.

There are several columns displayed for each interface on the NetFlow capable router/switch. Some of them include:
- Instance
- Custom Description: a custom interface name can be entered.
- ifalias
- ifname
- ifdescr
- ifspeed: custom speeds can be specified both inbound and outbound per interface.
- Direction: tells us if NetFlow is collected INGRESS, EGRESS or BOTH on this interface.

Scrutinizer will attempt to build the drop down boxes based on whether or not the following information is available, in this order:
1. Instance and Custom Name
2. Instance, ifalias and ifdescr
3. Instance, ifdescr and ifname
4. Instance and ifdescr
5. Instance

This interface relies on devices that support the SNMP standard MIB II. SNMP Enterprise MIBs may require 3rd party software or customized scripts to correlate the enterprise instances to match the MIB II instances. If SNMP is not available, the collector will look for an interface names option template. Some vendors export an interface names option template using NetFlow or IPFIX. This option template contains the names of the interfaces.
In Cisco IOS v12.4(2)T or greater, the command is:

    Router(config)# ip flow-export interface-names

SonicWALL and other vendors export a similar options template.

If the Custom Description is filled in, it will override the use of the SNMP descriptions. This is also true when the Custom (Mb) speed is filled in: it will override the use of the SNMP ifspeed. Enter a 0 in the Custom (Bits) ifspeed to force the Status tab to display the interface in bits in lieu of % utilization. If any updates are applied to a router or switch, be sure to go back to the device interface and run an update by clicking on the Update button; otherwise, the default evening update will take effect.

Direction: displays how the flows are collected and reported on for the interface. Values are INGRESS, EGRESS or BOTH and are not updated until the collector is restarted. If Direction is unset ('-'), this means NetFlow is not exporting for this interface. If the interface row is white, then the interface number and traffic values are inferred from NetFlow exported from another interface. If the interface row is gray, then the interface number was discovered via SNMP and there will be no traffic values.
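The label fallback order and the speed override rules described above (Custom Description over SNMP names, custom speed over ifspeed, a custom speed of 0 forcing bits instead of % utilization), as an added example that is not Scrutinizer's own code; the Interface fields, the label format and the sample values are assumptions made for illustration.

```python
"""Interface labelling and Status tab value selection as the SNMP Device View
describes. Added example; field names and label format are assumptions."""
from typing import NamedTuple, Optional, Tuple


class Interface(NamedTuple):
    instance: int                        # SNMP ifIndex
    custom_name: Optional[str] = None    # Custom Description column
    ifalias: Optional[str] = None
    ifname: Optional[str] = None
    ifdescr: Optional[str] = None
    ifspeed: Optional[int] = None        # from SNMP, bits/s
    custom_in: Optional[int] = None      # custom inbound speed, bits/s; 0 = show bits
    custom_out: Optional[int] = None     # custom outbound speed, bits/s; 0 = show bits


def interface_label(i: Interface) -> str:
    """First combination whose parts are all present wins, in the page's order."""
    if i.custom_name:
        return f"{i.instance}: {i.custom_name}"             # Instance and Custom Name
    if i.ifalias and i.ifdescr:
        return f"{i.instance}: {i.ifalias} ({i.ifdescr})"   # Instance, ifalias and ifdescr
    if i.ifdescr and i.ifname:
        return f"{i.instance}: {i.ifdescr} ({i.ifname})"    # Instance, ifdescr and ifname
    if i.ifdescr:
        return f"{i.instance}: {i.ifdescr}"                 # Instance and ifdescr
    return str(i.instance)                                  # Instance only


def effective_speed(i: Interface, direction: str) -> Optional[int]:
    """A custom speed overrides the SNMP ifspeed; None means no speed is known."""
    custom = i.custom_in if direction == "in" else i.custom_out
    return custom if custom is not None else i.ifspeed


def status_value(i: Interface, byte_count: int, seconds: int,
                 direction: str) -> Tuple[str, float]:
    """What the Status tab would show for one interval: ('percent', x) or ('bits', bps).

    An unknown speed (None) and a forced-bits speed (0) both fall back to bits/s,
    so an interface with no usable speed never shows a misleading utilization.
    """
    bps = byte_count * 8 / seconds
    speed = effective_speed(i, direction)
    if not speed:
        return "bits", bps
    return "percent", 100.0 * bps / speed


# Constructed sample interfaces covering each fallback step and an alias without ifdescr
SAMPLE = [
    Interface(1, custom_name="Uplink to ISP", ifalias="wan", ifdescr="GigabitEthernet0/0"),
    Interface(2, ifalias="to-core", ifdescr="GigabitEthernet0/1", ifname="Gi0/1"),
    Interface(3, ifdescr="GigabitEthernet0/2", ifname="Gi0/2"),
    Interface(4, ifdescr="Vlan10"),
    Interface(5),
    Interface(6, ifalias="orphan-alias"),   # alias but no ifdescr: falls through to Instance
]

if __name__ == "__main__":
    for iface in SAMPLE:
        print(interface_label(iface))
    fast = Interface(7, ifdescr="Gi0/3", ifspeed=100_000_000)
    print(status_value(fast, 375_000_000, 300, "in"))                       # 10% of 100 Mb/s
    print(status_value(fast._replace(custom_in=0), 375_000_000, 300, "in"))  # forced bits
```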

Protocol Exclusions are performed to avoid traffic being counted twice on a given interface. Generally, over-reporting is caused by VPN or tunnel traffic. Exclusions can be made per exporter (e.g. router, switch, etc.) or per interface per exporter. Protocols can also be excluded globally across all exporters. Click on the (-) icon to launch the Protocol Exclusions modal.

VERY IMPORTANT: By default, the flow collector SNMP polls the switches and routers it is receiving flows from once a night. This software was engineered to be a passive collection tool with minimal SNMP requirements. The best way to update the SNMP information, including the information on the interfaces, is to click on the "Update" button. NetFlow v9 option templates can be used in place of SNMP to gather interface names and speeds.

Vitals Main View

Overview

The Vitals page provides insight on the health of the server that is receiving the flows (e.g. CPU, memory usage, hard drive space available, etc.).

- CPU: average CPU utilization for the computer the NetFlow collector is installed on.
- Avail Mem: Available Memory displays how much memory is being consumed by all programs on the computer. It is not specific to the NetFlows being captured. NOTE: the flow collector will continue to grab memory depending on the size of the memory bucket it requires to save data, and it will not shrink unless the machine is rebooted. This is not a memory leak.
- Avail HDD: Available Hard Drive displays the amount of disk space that is available. After an initial period of a few weeks/months, this should stabilize, providing that the volume of NetFlow stays about the same. This statistic is best viewed by clicking on the trend. A historical report will pop up, providing a better idea of how long the disk storage will hold out.
- Datagrams: average datagrams per second in a 5 minute interval trend.
- Flows: average flows per second in a 5 minute interval trend. This is a measure of the number of conversations being observed. Each NetFlow packet (i.e. UDP datagram) sent can contain information on as many as 30 flows.
- MFSN: Missed Flow Sequence Numbers. This is an aggregate across all flow sending devices. At the top of the page, click on individual ports to get an MFSN report per listening port and per device exporting flows.
- Syslogs Received: the average number of syslogs received per second.
- Syslogs Processed: the average number of syslogs processed per second.
- Connections: tracks the number of connections that are being opened on the MySQL server. Excessive connections result in reduced performance. NOTE: other applications sharing the same MySQL server will cause this number to increase.
- DB Queries: tracks the number of queries made to MySQL. More queries indicate a heavier load on the MySQL server. Generally there will be spikes at intervals of 5 minutes, 30 minutes, 2 hours, 12 hours, etc. This indicates the rolling up of statistics done by the stored procedures. This vital is important to watch if the NetFlow collector is sharing the MySQL server with other applications.
- KRR: Key Read Requests - the number of requests to read a key block from the cache. A high number of requests means the server is busy.
- KWR: Key Write Requests - the number of requests to write a key block to the cache. A high number of requests means the server is busy.
- Cached Queries: the query cache stores the select query and the resulting data that was sent to the client. If an identical statement is received later, the server retrieves the results from the query cache rather than requesting the data again from the database. The query cache is shared across all database connections, which means the results generated by one connection can be utilized by another connection. For more information, please reference the MySQL documentation.
- Cached Memory: the total amount of memory available to query caching. Contact support if you find that your query cache is presently under 1 MB. For more information, please reference the MySQL documentation.
- Threads: threads are useful to help pass data back and forth between Scrutinizer and the database engine. The MySQL server currently manages whether or not to utilize the configured number of threads. For more information, please reference the MySQL documentation.
- KBU: Key Buffers Used - indicates how much of the allocated key buffers are being utilized. If this vital begins to consistently hit 100%, it indicates that there is not enough memory allocated. Scrutinizer will compensate by utilizing swap on the disk. This can cause additional delay retrieving data due to increased disk I/O. On larger implementations, this can cause performance to degrade quickly. Users can adjust the amount of memory allocated to the key buffers by modifying the \scrutinizer\mysql\my.ini file and adjusting the key_buffer_size setting. A general rule of thumb is to allocate as much RAM to the key buffer as you can, up to a maximum of 25% of system RAM (e.g. 1GB on a 4GB system). This is about the ideal setting for systems that read heavily from keys. If you allocate too much memory, you risk seeing further degradation of performance because the system has to use virtual memory for the key buffer.

Listener Ports

The flow collector can listen on multiple ports simultaneously. The defaults are 2055, 2056, 4432, 4739, 9995, 9996 and 6343; however, more can be added. Click on the different listener ports to view the total packet rate per port. Click on any trend for a daily, weekly, monthly and yearly trend.
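How the MFSN vital above can be derived from the export packets a collector receives on its listener ports, tracked per listening port and per exporting device as the Vitals page reports it. This is an added example, not the collector's own code: the NetFlow v5 header layout is the published one (24 bytes; flow_sequence counts total flows exported), while the tracker, the exporter addresses and the sample packets are constructed. A forward gap in the sequence is flows the device exported but the collector never saw, which is a visibility gap worth alarming on, not just a performance counter.

```python
"""Missed Flow Sequence Numbers (MFSN) from NetFlow v5 export headers, per
(listener port, exporter). Added example; sample packets are constructed."""
import struct
from collections import defaultdict
from typing import Dict, Tuple

# NetFlow v5 header: version, count, SysUptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (big-endian, 24 bytes)
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD_LEN = 48
V5_MAX_RECORDS = 30          # a v5 datagram carries at most 30 flow records
MASK32 = 0xFFFFFFFF


def parse_v5_header(datagram: bytes) -> Tuple[int, int]:
    """Return (count, flow_sequence) after sanity-checking the datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("flow count does not match datagram length")
    return count, seq


class MfsnTracker:
    """Expected next sequence number and missed-flow total per (port, exporter)."""

    def __init__(self) -> None:
        self.expected: Dict[Tuple[int, str], int] = {}
        self.missed: Dict[Tuple[int, str], int] = defaultdict(int)

    def observe(self, listener_port: int, exporter_ip: str, datagram: bytes) -> int:
        """Account for one received datagram; return flows missed just before it."""
        count, seq = parse_v5_header(datagram)
        key = (listener_port, exporter_ip)
        missed = 0
        if key in self.expected:
            gap = (seq - self.expected[key]) & MASK32
            if 0 < gap < 0x80000000:
                # forward gap: the exporter sent flows this collector never received
                missed = gap
            # gap == 0: in order. "Negative" gap: duplicate, reordered packet or
            # exporter restart; not counted as missed, the expectation is resynced.
        self.expected[key] = (seq + count) & MASK32
        self.missed[key] += missed
        return missed

    def total(self) -> int:
        """Aggregate MFSN across all listener ports and exporters."""
        return sum(self.missed.values())


def build_v5(seq: int, count: int) -> bytes:
    """Constructed v5 export packet with zeroed flow records (header fields only)."""
    return V5_HEADER.pack(5, count, 0, 0, 0, seq & MASK32, 0, 0, 0) + bytes(V5_RECORD_LEN * count)


if __name__ == "__main__":
    t = MfsnTracker()
    # Exporter 10.1.1.1 on port 2055: packets for flows 0..29, 30..59, then 90..99 (60..89 lost)
    for seq, count in [(0, 30), (30, 30), (90, 10), (100, 5)]:
        t.observe(2055, "10.1.1.1", build_v5(seq, count))
    # Exporter 10.2.2.2 on port 9995: in order, then one duplicate packet
    for seq, count in [(1000, 2), (1002, 1), (1002, 1)]:
        t.observe(9995, "10.2.2.2", build_v5(seq, count))
    for key, n in sorted(t.missed.items()):
        print(f"port {key[0]} exporter {key[1]}: {n} missed flows")
    print("aggregate MFSN:", t.total())
```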


Alarms Tab

Alarms Tab Overview

The Alarms tab lists alarms that are determined locally or received via syslog or SNMP trap from distributed flow collectors. The Alarms tab maintains two primary tables:
- History: as the messages come in, they are run past the Policy Manager. If a message violates a policy, it can be saved to the history table and may end up being posted to the alarms table, which is also known as the Bulletin Board.
- Orphans: messages that don't match a policy become orphans and are saved to this table.

Drop Down Arrow: the drop down arrow menu displays a menu listing options in two categories:

Overview:
- Bulletin Board: lists the current outstanding alarms that should be cleared. Messages do not appear in the Bulletin Board unless a Policy is violated.
  - Refresh: refresh the Bulletin Board.
  - OK: click on check boxes and click the 'OK' button to clear entries in the Bulletin Board.
  - Customize: select which columns are displayed in the Bulletin Board.
  - Orphans: view the Orphans that didn't violate policies.
  - New Board: create a new Bulletin Board.
  - Policy Manager: create a new policy. Usually Policies are created by clicking on an Orphan first.
  - Drop down box:
    - Per Policy: displays Policies, the corresponding violation count, violators and other columns selected.
    - Per Violator: displays the Unique Index (UI) for hosts violating multiple policies.
  - Search: search the Bulletin Board for specific data.
  - Advanced Filters: used to search the Bulletin Board using multiple criteria.
  - Threats Overview: displays the Policies and the corresponding violations in the last 5 minutes, the last hour, and all in history.
  Clicking on the column headers in the Bulletin Board sorts the table. Click on a Policy name to see all of the messages that violated the Policy from all hosts. To see messages from a specific host for the desired policy, click on an individual host in the Violations column.
- Orphans: lists the messages that did not violate policies.
  Click on an orphan to create a policy.
  - Refresh: refresh the list of Orphans that have not violated a policy.
  - Delete: check off policies and click 'OK' to delete them.
  - Bulletin Board: view the Bulletin Board.
  - Search: search the Orphans table for specific data.
  - Advanced Filters: used to search the Orphans using multiple criteria.
- Threats: lists the threats detected by Flow Analytics. Displays the Policies and the corresponding violations in the last 5 minutes, the last hour, and all in history.
- Notification Queue: lists the last 24 hours of notifications that were sent or are currently in the queue waiting for execution.

Reporting:
- Search History Table: searches the history tables for matching data.
- Top Syslog Orphans: searches the orphan table for matching data. This report identifies syslog senders, priorities, and severities that are being received but are not being caught by policies.
- Report Manager: view, manage and execute the Saved Reports.

Top Syslog Senders: Displays the top syslog senders.

Configuring Alarm Conditions

Most administrators will want notifications from Scrutinizer for one or more of the following reasons:
To set inbound thresholds on saved reports.
To get notified of threats detected by one or more of the Network Behavioral Analysis algorithms in Flow Analytics.
To get notified if the poller detects that an Object in a map is no longer responding.
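The History/Orphans split described above, as an added Python example that is not the product's own code: a small Policy Manager that parses the syslog <PRI> field, runs each message past regular-expression policies, keeps matched messages in the history table and on the Bulletin Board, and files the rest as orphans for the Top Syslog Orphans report. The policies, syslog lines and host addresses are constructed for the example.

```python
"""Alarms-tab style policy pipeline over syslog messages (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Standard syslog severity names, indexed by the numeric severity (PRI % 8).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass(frozen=True)
class Message:
    sender: str      # host that sent the syslog message
    facility: int    # derived from the <PRI> field: PRI = facility * 8 + severity
    severity: int
    text: str

@dataclass(frozen=True)
class Policy:
    name: str
    pattern: str                 # regular expression matched against the message text
    post_to_board: bool = True   # a violation can be kept in history without hitting the board

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<text>.*)$")

def parse_syslog(sender, line):
    """Split a raw '<PRI>text' syslog line into facility, severity and text."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group("pri"))
    return Message(sender, pri // 8, pri % 8, m.group("text").strip())

class PolicyManager:
    def __init__(self, policies):
        self.policies = [(p, re.compile(p.pattern)) for p in policies]
        self.history = []   # every policy violation, in arrival order
        self.board = []     # outstanding alarms (the Bulletin Board)
        self.orphans = []   # messages that matched no policy

    def process(self, msg):
        """Run one message past the policies; return the violated policy name or None."""
        for policy, rx in self.policies:
            if rx.search(msg.text):
                self.history.append((policy.name, msg))
                if policy.post_to_board:
                    self.board.append((policy.name, msg))
                return policy.name
        self.orphans.append(msg)
        return None

    def per_policy(self):
        """'Per Policy' view: violation count and distinct violators for each policy."""
        out = defaultdict(lambda: {"count": 0, "violators": set()})
        for name, msg in self.board:
            out[name]["count"] += 1
            out[name]["violators"].add(msg.sender)
        return dict(out)

    def per_violator(self):
        """'Per Violator' view: each host and the distinct policies it violated."""
        out = defaultdict(set)
        for name, msg in self.board:
            out[msg.sender].add(name)
        return dict(out)

    def clear(self, positions):
        """Clear checked entries from the board; history keeps them. Returns count cleared."""
        drop = set(positions)
        keep = [e for i, e in enumerate(self.board) if i not in drop]
        cleared = len(self.board) - len(keep)
        self.board = keep
        return cleared

    def top_syslog_orphans(self):
        """'Top Syslog Orphans' report: (sender, facility, severity) not caught by any policy."""
        return Counter((m.sender, m.facility, SEVERITIES[m.severity]) for m in self.orphans)

# Constructed sample policies and syslog lines (hypothetical hosts, not from the manual).
POLICIES = [
    Policy("Auth Failure", r"authentication failure|Failed password"),
    Policy("Link Down", r"changed state to down"),
    Policy("Config Change", r"Configured from", post_to_board=False),
]

SAMPLE = [
    ("10.0.0.5", "<38>sshd[1203]: Failed password for root from 192.0.2.9 port 4411"),
    ("10.0.0.5", "<38>sshd[1203]: Failed password for admin from 192.0.2.9 port 4412"),
    ("10.0.0.1", "<29>%LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
    ("10.0.0.1", "<29>%SYS-5-CONFIG_I: Configured from console by vty0"),
    ("10.0.0.1", "<30>%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.9(3000) -> 10.0.0.2(80)"),
    ("10.0.0.7", "<14>cron[77]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("10.0.0.5", "<29>%LINK-3-UPDOWN: Interface Gi0/2, changed state to down"),
]

def run_sample(policies=POLICIES, sample=SAMPLE):
    """Feed the constructed lines through the manager and return it for inspection."""
    pm = PolicyManager(policies)
    for sender, line in sample:
        pm.process(parse_syslog(sender, line))
    return pm

if __name__ == "__main__":
    pm = run_sample()
    print(pm.per_policy())
    print(pm.per_violator())
    print(pm.top_syslog_orphans().most_common(3))
```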

Flow Analytics

Overview

Flow Analytics (i.e. FA) is the commercial add-on to Scrutinizer. FA brings the following additional features to Scrutinizer:

Functions as a Network Behavior Analysis system by constantly monitoring all flows for behaviors that could be compromising the health of the network (network scans, illegal applications, P2P, etc.). It interrogates every flow from every host on selected flow exporting devices for suspicious patterns and anomalies. All flows across selected flow sending devices are monitored at all times.
Performs the NetFlow aggregations so that data can be saved beyond 24 hours. Scrutinizer drops data every night just after midnight; Flow Analytics (FA) does the archiving for Scrutinizer.
Numerous additional reports that provide more detailed information on the flows received.
DNS is run constantly to help with performance in the front end. Without Flow Analytics, Scrutinizer performs DNS resolutions as needed. DNS entries will age out as configured in the Admin tab -> Settings -> System Preferences. This feature will place additional load on the server. Be careful when enabling it.
Performs threshold watches for saved reports. FA can monitor for nearly any combination of flow characteristics and export a syslog if a match or a high/low threshold is reached.

Contact your vendor for the "NetFlow Challenge" document which outlines what is and isn't free.

FA Navigation

The navigation for FA is via gadgets in the MyView tab. The primary gadget "Flow Analytics Configuration" should be added to MyView. At the top, it displays the overall time to run all algorithms and the total count of violations across all algorithms.

Name: This is the name of the algorithm that is checking for abnormal behaviors.
Time: This is the amount of time the algorithm takes to run across all selected routers/switches.
Count: This is the number of violations found the last time the algorithm ran. Click on the trend to view graphs for longer time periods.
Time exceeded: Algorithms that exceed the configured run time will be cancelled.

Algorithms and Gadgets

FA Algorithms may or may not include gadgets. Some algorithms are enabled by default. Others need to have selected flow exporting devices added to them. A few algorithms need to have thresholds configured or modified from the defaults.

FA Gadgets that can be added to MyView:

Custom Filters: Saved reports that are run constantly and compared to acceptable thresholds.
Exclude Hosts: Exclude hosts from selected algorithms to help prevent false positives. Some hosts will constantly violate the threshold of certain algorithms. This interface helps prevent false positive alarms by allowing selected hosts (i.e. IP addresses) to be excluded from violating one or more algorithms. The "Exclude Hosts" gadget 'scrut_fa_exclusions.cgi' is not necessary in MyView as it is best utilized as a popup.
Flow Analytics Configuration: The overall status of all algorithms and the total runtime and count of violations across all algorithms. Algorithms can be ordered alphabetically or by order of execution. LEDs in this gadget are as follows (refresh the gadget in the upper right corner):
o Yellow - incomplete run (the time limit caused the algorithm not to run during the last cycle)
o Light Green - successfully completed on the last run
o Gray - disabled
o Trend - actively executing the algorithm
o Dark Green - successfully completed on the current run
Flow Analytics Run Time Thresholds: The time given to each algorithm to run. Some algorithms need more time to run depending on the number of flow exporting devices included.
Network Volume: The scale of the traffic traversing the core network. It lists the volume of unique traffic on the network for the last 5 minutes vs. the last 30 hours. Only include a few core routers/switches.
Select Flow Devices: Select the flow exporting devices that each algorithm will run against. Enter text and click 'Filter' to find specific devices. Click the 'Clear' button to remove the filter and display all devices. Some algorithms are run against all tables created by flow exporting devices while others are only run against one or two tables (e.g. routers). The "Select Flow Devices" gadget 'scrut_fa_devices.cgi' can be added to MyView; however, it is not necessary because it is best utilized as a popup.
Top Subnets and IP Violation: Define the subnets allowed on the network and Scrutinizer will notify for any flow that occurs outside of these ranges. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Threats Overview: Gives Network Administrators an idea of the frequency with which each Flow Analytics algorithm is being violated. The colors indicate the frequency within each time interval: Last 5 min, Last Hour and All.
Top Applications: Top Applications on the network. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Top Conversations: Top Conversations across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Top Countries: Top Countries across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Top Domains: Top Domains across selected flow exporting devices.
Top Flows: Top Flow sending end systems across selected flow exporting devices.
Top Hosts: Top Hosts sending data across selected flow exporting devices. It is also responsible for executing the Unfinished Flows Violation algorithm. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Top Networks: Top IP Subnets across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Top Protocols: Top Transport Layer Protocols across selected flow exporting devices. Alarms trigger for protocols that appear that haven't been approved. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Top Well Known Ports: Top ports, whether source or destination.

NOTE: Some include algorithms that should only run against core routers/switches. Watch the Flow Analytics Overall Status gadgets for algorithms that need more time to run.

Setting Up Flow Analytics (FA)

FA algorithms run sequentially. By default, they do not run against any NetFlow exporters until the NetFlow exporters are added to the selected algorithms. To add routers to an algorithm, visit MyView > Configure Flow Analytics > Flow Analytics Configuration (Gadget):

Click on the + icon at the top for "Flow Analytics Overall Status" and uncheck "Disable all". A license key is necessary for evaluation.
Expand an algorithm by clicking on the + icon.
Uncheck Disable.
Click on the number (e.g. 0) below the blue router icon. This will bring up the "Devices in Flow Analytics" gadget which is also displayed on this page. See IMPORTANT NOTES below.
Click on the number (e.g. 0) below the two people icon. This will bring up the "Flow Analytics Exclusions" gadget which is also displayed on this page. Use this window to add hosts to be excluded from selected algorithms. It is generally easier to add them from the Alarms tab once they violate an alarm.
Continue selecting Algorithms and adding NetFlow exporters as outlined below.

IMPORTANT NOTES:
All algorithms are intended to be run against non-Internet border routers (i.e. internal NetFlow exporters).
Add only a few routers to a few algorithms initially and start off slowly. Pay attention to the Vitals of the server. After minutes add a few more routers to selected algorithms and slowly ramp up the FA deployment.
FA has only 300 seconds (i.e. 5 minutes) to finish all enabled algorithms. If it can't finish in 300 seconds, it will stop where it is and start over. All algorithms must finish within 5 minutes as the process repeats every 5 minutes.
Optimize performance by paying attention to the Time each algorithm takes to run as well as the overall time shown at the very top of the Flow Analytics Configuration gadget.

FA Algorithms that don't include Gadgets:

Be sure to exclude certain hosts from select algorithms to avoid false positives. This can easily be done from the Alarms tab as well by clicking on the host. The interface will prompt for the exclude confirmation.

Breach Attempts Violation: Looks for many small flows from one source to one destination. This can indicate things such as a brute force password attack. A typical scenario would be a dictionary attack on an SSH server. The default threshold is 100. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Custom Reports Thresholds: Any saved reports that have an inbound threshold are executed sequentially by this algorithm. Clicking on the name of this algorithm in the Flow Analytics Overview gadget will launch the Custom Filters gadget.
DDoS Violation: Identifies a Distributed Denial of Service attack such as those that can be launched by a botnet. Visit Admin -> Settings -> Flow Analytics to set the threshold.
DNS Violation: Alerts when a host initiates an excessive number of DNS queries. This can help to identify hosts that may be infected with a mailer worm or have other issues that require an inordinate number of DNS lookups. The default threshold is 100.
FIN Scan: The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshaking. The default threshold is 100 and the minimum that can be set is
ICMP Destination Unreachable: This is a message that comes back from the router to the requesting host stating that it doesn't have a route to the destination network of the target host. The default threshold is 100 and the minimum that can be set is 20.
ICMP Port Unreachable Algorithm: This is a message that comes back from the destination server stating that it will not open communication on the specified port requested by the host. The default threshold is 100 and the minimum that can be set is 20.
Internet Threats: This algorithm goes out to an Internet site every hour and downloads an updated list of known hosts that end systems on the network should not be communicating with. Typically this is a list of compromised hosts that have a reputation for sending nefarious traffic. This list is updated by several Internet Service Providers. The default threshold minimum that can be set is 1. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.
Multicast Traffic Violation: Any multicast traffic that exceeds the threshold and isn't excluded will violate this algorithm. The default threshold is 1,000,000 and the minimum that can be set is 100,000.
Nefarious Activity Violation: Looks for hosts communicating with many hosts with a low number of flows. An example would be a port 80 scan of an entire subnet. Visit Admin -> Settings -> Flow Analytics to set the threshold.
NULL Scan: The null scan turns off all flags, creating a lack of TCP flags that should never occur.
Peer to Peer: P2P (including BitTorrent) connections are monitored by this algorithm. The default threshold is 100 and the minimum that can be set is 100.
RST/ACK: RST/ACK packets are connection denials that come back from destinations to the originating hosts. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20. Print servers can cause false positives with this algorithm and often need to be excluded.
SYN Scan/Flood: SYN packets are sent out in an attempt to make a network connection with a target host. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20.
Unfinished Flows Violation: Executed by the Top Flows algorithm, helps identify hosts that have a high percentage of unfinished flows. This indicates scanning, malware or poorly configured applications on a host. The default threshold is 100 and a minimum threshold can also be configured. Visit Admin -> Settings -> Flow Analytics to set the threshold.
XMAS Tree Scan: The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte ( ), much like the lights of a Christmas tree.

IMPORTANT NOTE: Hosts can easily be excluded from certain algorithms by clicking on the IP address in the Alarms Tab. This will pop up the Exclude Hosts table where the IP address can then be excluded from other algorithms as well.

Optimizing FA

Flow Analytics can be optimized in several different ways:
1. Modify the number of flow exporting devices included in the algorithm.
2. Disable selected Algorithms.
3. Utilize a second or third copy of Scrutinizer with FA.
4. Contact your vendor to learn about the minimum hardware requirements.
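The flag-based scan, Breach Attempts, Nefarious Activity and Top Subnets/IP Violation checks described above, as an added Python example that is not the product's code: it evaluates the same heuristics over constructed flow records. The flag bits follow the NetFlow tcpControlBits field; the packet and per-peer limits (max_packets, max_flows_per_peer) and the source-address-only subnet check are my assumptions, and the sample run uses a threshold of 20 rather than the manual's default of 100 so that the small data set triggers.

```python
"""Flow-record heuristics in the style of the FA algorithms (added example, constructed data)."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# TCP flag bits as carried in the NetFlow/IPFIX tcpControlBits field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int
    dport: int
    flags: int        # cumulative TCP flags seen in the flow (0 for non-TCP)
    packets: int
    bytes: int

def scan_type(flow):
    """Map a TCP flow's flag combination to the scan families the manual lists, else None."""
    if flow.proto != 6:
        return None
    f = flow.flags & (FIN | SYN | RST | PSH | ACK | URG)
    if f == 0:
        return "NULL"             # no flags at all: never occurs in legitimate TCP
    if f == FIN:
        return "FIN"              # FIN sent without the normal handshake
    if f == (URG | PSH | FIN):
        return "XMAS"             # URG, PUSH and FIN lit up together
    if f == SYN:
        return "SYN"              # SYN that never completed a connection
    if f == (RST | ACK):
        return "RST/ACK"          # connection denial coming back from the destination
    return None

def breach_attempts(flows, threshold=100, max_packets=3):
    """Many small flows from one source to one destination (e.g. an SSH dictionary attack).
    max_packets (assumption) is what 'small' means here."""
    pairs = Counter((f.src, f.dst) for f in flows if f.packets <= max_packets)
    return {pair: n for pair, n in pairs.items() if n >= threshold}

def nefarious_activity(flows, threshold=100, max_flows_per_peer=2):
    """One host talking to many hosts with only a few flows each (e.g. a port 80 sweep).
    max_flows_per_peer (assumption) is what 'a low number of flows' means here."""
    per_peer = Counter((f.src, f.dst) for f in flows)
    fanout = defaultdict(int)
    for (src, _dst), n in per_peer.items():
        if n <= max_flows_per_peer:
            fanout[src] += 1
    return {src: n for src, n in fanout.items() if n >= threshold}

def subnet_violations(flows, allowed):
    """Flows whose source falls outside the defined subnets (Top Subnets and IP Violation).
    Checking the source only is this example's simplification."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    return [f for f in flows if not any(ipaddress.ip_address(f.src) in n for n in nets)]

def analyze(flows, allowed, threshold=100):
    """Run all four checks and return their findings in one dict."""
    return {
        "scans": Counter(t for t in map(scan_type, flows) if t),
        "breach": breach_attempts(flows, threshold),
        "nefarious": nefarious_activity(flows, threshold),
        "subnet_violations": len(subnet_violations(flows, allowed)),
    }

def scanner_flows():
    """Constructed sample: 192.0.2.77 sweeps 10.0.1.1-10.0.1.30 on port 80 with single SYNs,
    10.0.0.9 hammers port 22 on 10.0.0.5 with 25 short flows, and a few normal and odd
    flows from 10.0.0.3 are mixed in. All addresses are hypothetical."""
    flows = []
    for i in range(1, 31):
        flows.append(Flow("192.0.2.77", "10.0.1.%d" % i, 6, 40000 + i, 80, SYN, 1, 60))
    for i in range(25):
        flows.append(Flow("10.0.0.9", "10.0.0.5", 6, 50000 + i, 22, SYN | ACK | FIN, 3, 180))
    flows.append(Flow("10.0.0.3", "10.0.0.5", 6, 51000, 22, SYN | ACK | PSH | FIN, 120, 18000))
    flows.append(Flow("10.0.0.3", "10.0.0.5", 6, 51001, 22, 0, 1, 40))
    flows.append(Flow("10.0.0.3", "10.0.0.5", 6, 51002, 22, URG | PSH | FIN, 1, 40))
    flows.append(Flow("10.0.0.5", "10.0.0.3", 6, 22, 51003, RST | ACK, 1, 40))
    return flows

if __name__ == "__main__":
    print(analyze(scanner_flows(), ["10.0.0.0/8"], threshold=20))
```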

Maps Tab

Maps Main View

Overview

The Mapping options are primarily utilized by administrators to display all or a portion of the network topology. Right-click on the background of a Flash map (i.e. not a Google map) to toggle between Edit mode and View mode to rearrange the icons. Be sure to be in View mode when saving. Don't forget to save the position of the icons. A default map per login account can be selected under Admin -> Security -> User Accounts.

Click on the Configure button to configure the maps. There are several types of images used in the maps:

Objects: come in four formats.
Backgrounds: can be added to the maps.
Links Status: can be read about here.

The device icon color is based on the Fault Index (FI) value in CrossCheck and the corresponding color thresholds. The link color between devices can be based on utilization between the devices. Click on the link to bring up a flow report for the connection.

IMPORTANT: Click on the map and then use the right mouse button to bring up a menu of options.

Map Connections

Overview

Connections between objects: A connection between any two objects can be created using this interface. Selecting a From Device which is sending flows will cause the Interface drop-down box to fill in with the corresponding flow interfaces available. Selecting a Group or Icon as the From object results in an empty Interface drop-down box. Check off "Display all interfaces in this group" to fill in the Interface drop-down box with all interfaces from devices in the group. You can also select "Connect with black line" to connect to the To Object. Click the Connect button and the connection will be displayed in the window below.

IMPORTANT: When creating connections for a Google map, a device name might be followed by (Needs GPS coordinates - Go to Objects Tab). Devices in a Google Map Group will not appear until they are given GPS coordinates or an address using the Objects tab.

Links Status comes in 3 formats:

Flow link: links representing flow capable interfaces.
o Link colors can be green, yellow, orange or red and are based on settings configured in the Admin Tab -> Settings -> System Preferences.
o Links are blue if there is no bandwidth statement for the interface.
o Links are dashed gray if flows have not been received from the interface within the last five minutes.
Click on a link to bring up the current flow information.
Black line: a static link between two devices. It is not clickable and doesn't provide a status.
SNMP: links can be inserted into the maps using a third party package called Denika SNMP Performance Trender. Links can change color based on a threshold setting of any SNMP OID counter. Click on a link to bring up the SNMP trend.

Additional Notes on Links:
Label: displays the percent utilization or the bits received in the last average interval. Set the "average interval" under Admin tab -> Settings -> System Preferences "Status/Link Average". The default is 5 minutes.
ALT tag: hovering over the Label displays the full interface description.
Arrow: the arrow on the link reflects the highest utilization direction.
Clicking: on the link will bring up the default user preference report on the link for the last few minutes (5 minutes by default) in one minute intervals. Outbound or Inbound traffic is displayed depending on the direction of the arrow when clicked.

Denika Integration: Denika can be integrated in the maps. Devices can be connected twice with two separate links to represent both utilization and latency between devices (e.g. CBQoS, IP SLA, etc.). Click on the Denika links to bring up trends. Denika links change color just like the flow utilization links. Denika can be installed on the same machine as the NetFlow collector; however, for performance reasons it is often installed on a separate machine. Visit the Admin Tab -> Settings -> Denika/Logalot if Denika is installed on a separate machine. Once Denika is integrated, the check box option will be enabled. Check off "Connect with Denika Report", then enter a filter and click on the 'Filter' button to find the desired report. Notice the "Color Change" options automatically fill in with threshold suggestions for each selected report. This only occurs if Denika has collected enough data. Click on the Denika icon to view the current trend of the selected report. After confirming, click on the "Connect" button. Contact your vendor to download and try this free integration!

Map Settings

Overview

The Map Settings are used to set defaults for all maps:

Google Maps:
o Zoom Level: set when using the option "Save Zoom & Position" in a Google map. By default, Google maps auto scale to fit all icons on the map. This option overrides Auto with a favorite position on the map. To undo the Save Level, select 'Auto' and click 'Save'.


More information

Detecting Specific Threats

Detecting Specific Threats The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan

More information

WhatsUp Gold. Evaluation Guide

WhatsUp Gold. Evaluation Guide WhatsUp Gold Evaluation Guide Table of Contents This guide provides and overview of WhatsUp Gold. Refer to our Online Help for more details. Section Step 1: Getting Started Description Installation requirements

More information

CA Spectrum Multicast Manager

CA Spectrum Multicast Manager CA Spectrum Multicast Manager User Guide Release 9.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

What s New in Fireware v12.3 WatchGuard Training

What s New in Fireware v12.3 WatchGuard Training What s New in Fireware v12.3 2 What s New in Fireware v12.3 Updates to Networking functionality: SD-WAN actions SD-WAN reporting enhancements NetFlow support Link monitor enhancements Centralized FireCluster

More information

Monitoring WAAS Using WAAS Central Manager. Monitoring WAAS Network Health. Using the WAAS Dashboard CHAPTER

Monitoring WAAS Using WAAS Central Manager. Monitoring WAAS Network Health. Using the WAAS Dashboard CHAPTER CHAPTER 1 This chapter describes how to use WAAS Central Manager to monitor network health, device health, and traffic interception of the WAAS environment. This chapter contains the following sections:

More information

Introduction... 2 Assumptions... 2

Introduction... 2 Assumptions... 2 HP Network Node Manager ispi Performance for Traffic Software Version: 9.20 Deployment by Example Table of Contents Introduction... 2 Assumptions... 2 Installation... 3 Installing the HP NNMi Extension

More information

Agent and Agent Browser. Updated Friday, January 26, Autotask Corporation

Agent and Agent Browser. Updated Friday, January 26, Autotask Corporation Agent and Agent Browser Updated Friday, January 26, 2018 2018 Autotask Corporation Table of Contents Table of Contents 2 The AEM Agent and Agent Browser 3 AEM Agent 5 Privacy Mode 9 Agent Browser 11 Agent

More information

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418 This chapter describes how to maintain the configuration and firmware, reboot or reset the security appliance, manage the security license and digital certificates, and configure other features to help

More information

Dell License Manager Version 1.2 User s Guide

Dell License Manager Version 1.2 User s Guide Dell License Manager Version 1.2 User s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either

More information

vrealize Operations Management Pack for NSX for Multi-Hypervisor

vrealize Operations Management Pack for NSX for Multi-Hypervisor vrealize Operations Management Pack for This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more

More information

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Version 1.0 Note Before using this information and the product it supports, read the information in Appendix A Notices on

More information

WhatsUp Gold Getting Started Guide v16.4

WhatsUp Gold Getting Started Guide v16.4 WhatsUp Gold Getting Started Guide v16.4 Contents CHAPTER 1 Welcome Welcome to WhatsUp Gold... 1 About WhatsUp Gold... 1 WhatsUp Gold Editions... 2 Deploying Deploying WhatsUp Gold... 5 STEP 1: Prepare

More information

Using the Prime Performance Manager Web Interface

Using the Prime Performance Manager Web Interface 3 CHAPTER Using the Prime Performance Manager Web Interface The following topics provide information about using the Cisco Prime Performance Manager web interface: Accessing the Prime Performance Manager

More information

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER Table of Contents Table of Contents Introducing the F5 and Oracle Access Manager configuration Prerequisites and configuration notes... 1 Configuration

More information

HPE Intelligent Management Center

HPE Intelligent Management Center HPE Intelligent Management Center Service Health Manager Administrator Guide Abstract This guide provides introductory, configuration, and usage information for Service Health Manager (SHM). It is for

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

Frequently Asked Questions About Performance Monitor

Frequently Asked Questions About Performance Monitor APPENDIXA Frequently Asked Questions About Performance Monitor The following topics answer common questions about Performance monitor and contain troubleshooting tips: Installation, page A-1 Importing,

More information

NetBrain Technologies Inc. NetBrain Consultant Edition. Quick Start Guide

NetBrain Technologies Inc. NetBrain Consultant Edition. Quick Start Guide NetBrain Technologies Inc. NetBrain Consultant Edition Quick Start Guide Content 1. Install NetBrain Workstation CE System... 3 1.1 Install and Activate NetBrain Gateway Server... 5 1.2 Install Workstation...

More information

Performance Management Reporting User Guide for EPMR

Performance Management Reporting User Guide for EPMR Performance Management Reporting User Guide for EPMR January, 2015 2015 by Cox Communications. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means,

More information

Stealthwatch Flow Sensor Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0)

Stealthwatch Flow Sensor Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0) Stealthwatch Flow Sensor Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0) Installation and Configuration Guide: Flow Sensor VE v6.9.0 2017 Cisco Systems, Inc. All rights

More information

NetBrain POC Walk-Through

NetBrain POC Walk-Through NetBrain POC Walk-Through For OE 4.1 Dynamic Documentation Visual Troubleshooting NetBrain Technologies, Inc. 2004-2013. All rights reserved +1.800.605.7964 support@netbraintech.com www.netbraintech.com

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Education Services administration course The McAfee Network Security Platform Administration course from McAfee Education Services is an essential

More information

Proofpoint Threat Response

Proofpoint Threat Response Proofpoint Threat Response Threat Response Auto Pull (TRAP) - Installation Guide Proofpoint, Inc. 892 Ross Drive Sunnyvale, CA 94089 United States Tel +1 408 517 4710 www.proofpoint.com Copyright Notice

More information

IBM Proventia Management SiteProtector Policies and Responses Configuration Guide

IBM Proventia Management SiteProtector Policies and Responses Configuration Guide IBM Internet Security Systems IBM Proventia Management SiteProtector Policies and Responses Configuration Guide Version2.0,ServicePack8.1 Note Before using this information and the product it supports,

More information

Working with Reports. User Roles Required to Manage Reports CHAPTER

Working with Reports. User Roles Required to Manage Reports CHAPTER CHAPTER 10 Cisco Prime Network (Prime Network) provides a Report Manager that enables you to schedule, generate, view, and export reports of the information managed by Prime Network. You can save the generated

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Apptix Online Backup by Mozy User Guide

Apptix Online Backup by Mozy User Guide Apptix Online Backup by Mozy User Guide 1.10.1.2 Contents Chapter 1: Overview...5 Chapter 2: Installing Apptix Online Backup by Mozy...7 Downloading the Apptix Online Backup by Mozy Client...7 Installing

More information

Kaseya 2. Quick Start Guide. for VSA 6.5

Kaseya 2. Quick Start Guide. for VSA 6.5 Kaseya 2 Monitoring Configuration Quick Start Guide for VSA 6.5 January 21, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.2 Original Publication: April 21, 2014 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.2 of the Sourcefire 3D System. Even

More information

Accessing SGM Data from a Web Browser

Accessing SGM Data from a Web Browser CHAPTER 7 Accessing SGM Data from a Web Browser This chapter provides information about accessing SGM data from the SGM server home page, using a Web browser. This chapter includes the following sections:

More information

Add and Organize Devices

Add and Organize Devices This chapter contains the following topics: Add Devices to Prime Infrastructure, on page 1 Import Devices from Another Source, on page 7 Create Device Import CSV Files, on page 7 Add Devices Manually (New

More information

USM Anywhere AlienApps Guide

USM Anywhere AlienApps Guide USM Anywhere AlienApps Guide Updated April 23, 2018 Copyright 2018 AlienVault. All rights reserved. AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, Unified Security Management,

More information

NetBrain Consultant Edition (CE)

NetBrain Consultant Edition (CE) NetBrain Consultant Edition (CE) Quick Start Guide NetBrain Technologies, Inc. 2004-2013. All rights reserved +1.800.605.7964 support@netbraintech.com www.netbraintech.com Contents 1. Introduction 1) Install

More information

WhatsUpGold. v14.1. Getting Started Guide

WhatsUpGold. v14.1. Getting Started Guide WhatsUpGold v14.1 Getting Started Guide Contents CHAPTER 1 Welcome Welcome to WhatsUp Gold About WhatsUp Gold Available editions WhatsUp Gold optional plug-ins... 3 CHAPTER 2 Deploying Deploying WhatsUp

More information

Acronis Monitoring Service

Acronis Monitoring Service Acronis Monitoring Service PRODUCT DOCUMENTATION Table of contents 1 About the Acronis Monitoring Service...4 2 Software Requirements...4 3 Understanding basic concepts...5 4 Getting started...7 4.1 Setting

More information

AT&T SD-WAN Network Based service quick start guide

AT&T SD-WAN Network Based service quick start guide AT&T SD-WAN Network Based service quick start guide After you order your AT&T SD-WAN Network Based service, you can: Create administrator accounts Log in to the SD-WAN orchestrator Configure business policy

More information

NetBrain Quick Start Guide For End Users

NetBrain Quick Start Guide For End Users NetBrain Quick Start Guide For End Users Dynamic Documentation Network Analysis Visual Troubleshooting Automation Qapp Network Change Management Thin Client NetBrain Technologies, Inc. 2004-2016. All rights

More information

Network Performance Monitor

Network Performance Monitor GETTING STARTED GUIDE Network Performance Monitor Version 12.4 Part 1 of 2: Get Started Last Updated: December 3, 2018 2018 SolarWinds Worldwide, LLC. All rights reserved. This document may not be reproduced

More information

Centerity Monitor User Guide

Centerity Monitor User Guide Centerity Monitor 4.10 User Guide July 2018 Page 2 End-User License Agreement (EULA) This guide and the use of Centerity software is subject to Centerity s End-User License Agreement (EULA). A copy of

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

NetBrain Quick Start Guide For End Users

NetBrain Quick Start Guide For End Users NetBrain Quick Start Guide For End Users Dynamic Documentation Network Analysis Visual Troubleshooting Automation Qapp Network Change Management Thin Client NetBrain Technologies, Inc. 2004-2015. All rights

More information

F5 DDoS Hybrid Defender : Setup. Version

F5 DDoS Hybrid Defender : Setup. Version F5 DDoS Hybrid Defender : Setup Version 13.1.0.3 Table of Contents Table of Contents Introducing DDoS Hybrid Defender... 5 Introduction to DDoS Hybrid Defender...5 DDoS deployments... 5 Example DDoS Hybrid

More information

6.2. Management & Administration Guide

6.2. Management & Administration Guide 6.2 Management & Administration Guide Netmon Management and Administration Guide 2 Contents Contents... 2 Introduction... 5 Settings Explorer... 5 Initial Setup... 6 Network Interfaces... 6 (Re)configuring

More information

Epson Device Admin User s Guide NPD EN

Epson Device Admin User s Guide NPD EN Epson Device Admin User s Guide NPD5817-00 EN About this Manual About this Manual Marks and Symbols! Caution: Instructions that must be followed carefully to avoid bodily injury. c Important: Instructions

More information

ExtraHop 6.1 ExtraHop Explore Admin UI Guide

ExtraHop 6.1 ExtraHop Explore Admin UI Guide ExtraHop 6.1 ExtraHop Explore Admin UI Guide 2018 ExtraHop Networks, Inc. All rights reserved. This manual in whole or in part, may not be reproduced, translated, or reduced to any machinereadable form

More information

Using the VQE-S Application Monitoring Tool

Using the VQE-S Application Monitoring Tool CHAPTER 4 This chapter describes how to use Cisco VQE-S Application Monitoring Tool (VQE-S AMT or AMT). The tasks that you can perform with VQE-S AMT are listed in Table 4-1. Table 4-1 VQE-S AMT Tasks

More information

USER GUIDE Summer 2015

USER GUIDE Summer 2015 USER GUIDE Summer 2015 Copyright and Disclaimer This document, as well as the software described in it, is furnished under license of the Instant Technologies Software Evaluation Agreement and may be used

More information

WhatsUpGold. v14. Getting Started Guide

WhatsUpGold. v14. Getting Started Guide WhatsUpGold v14 Getting Started Guide Contents CHAPTER 1 Welcome Welcome to WhatsUp Gold About WhatsUp Gold Available editions WhatsUp Gold optional plug-ins... 3 CHAPTER 2 Deploying Deploying WhatsUp

More information

Lesson 2: Using the Performance Console

Lesson 2: Using the Performance Console Lesson 2 Lesson 2: Using the Performance Console Using the Performance Console 19-13 Windows XP Professional provides two tools for monitoring resource usage: the System Monitor snap-in and the Performance

More information

Centralized Policy, Virus, and Outbreak Quarantines

Centralized Policy, Virus, and Outbreak Quarantines Centralized Policy, Virus, and Outbreak Quarantines This chapter contains the following sections: Overview of Centralized Quarantines, page 1 Centralizing Policy, Virus, and Outbreak Quarantines, page

More information