
WANGuard Platform 3.0 Lite User Manual


Contents

1. WANGuard Platform Lite 3.0 User Manual. ANDRISOFT. Copyright & trademark notices. This edition applies to version 3.0 of the licensed program WANGuard Platform Lite and to all subsequent releases and modifications until otherwise indicated in new editions. Notices: References in this publication to ANDRISOFT S.R.L. products, programs, or services do not imply that ANDRISOFT S.R.L. intends to make these available in all countries in which ANDRISOFT S.R.L. operates. Evaluation and verification of operation in conjunction with other products, except those expressly designated by ANDRISOFT S.R.L., are the user's responsibility. ANDRISOFT S.R.L. may have patents or pending patent applications covering subject matter in this document. Supplying this document does not give you any license to these patents. You can send license inquiries, in writing, to the ANDRISOFT S.R.L. marketing department, sales@andrisoft.com. Copyright Acknowledgment: ANDRISOFT S.R.L. 2008. All rights reserved. This document is copyrighted and all rights are reserved by ANDRISOFT S.R.L. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without the permission in writing from ANDR
2. Most fields are explained at the beginning of this section. For the IP Address / Subnet fields, use the CIDR notation. To generate traffic graphs for hosts (not networks), select the /32 CIDR. For more information about CIDR, consult the Network Basics You Should Be Aware Of chapter (Page 13). Check the Single IPs option if you want a different traffic graph displayed for every IP address contained in the selected subnet. For example, when this option is used with a /24 CIDR, then 256 traffic graphs are displayed, one for each IP address in the C class. If the traffic graphs are not displayed, check that the entered IP Address / Subnet is included in the selected WANGuard Sensor's IP Zone and that the Graphing parameter for that IP class is set to Yes.
   IP Traffic Accounting: WANGuard Console can generate on-demand IP traffic accounting reports for hosts, subnets and IP Descriptions in your network, for any time frame. To generate IP traffic accounting reports, select IP Traffic Accounting from the Reports menu and then select one of the two available options. [Screenshot: Reports menu, IP Traffic Accounting.] The first option generates IP traffic accounting reports for IPs or subnets that ha
3. [Screenshots: WANGuard Flow Selection and WANGuard Flow Configuration windows.] The WANGuard Flow Configuration window contains the following fields:
   • Active: WANGuard Flow is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Flow system is running, then the WANGuardController daemon stops it.
   • Description: A short generic description that helps you identify the WANGuard Flow system.
   • IP Address / Port: The IP address of the network interface that receives the flows and the po
4. [Screenshot: IP Traffic Graphs form.] Most fields are explained in the beginning of this section. To generate IP traffic graphs using this option, first select an IP Zone and then select an IP Description included in the selected IP Zone. WANGuard Console will search for IP addresses and subnets that match the selected IP Description and will generate IP traffic graphs accordingly. By using this option you can easily generate traffic graphs for clients, departments, etc. with multiple subnets allocated.
   By IP Address / Subnet: To generate traffic graphs for an IP address or subnet, fill the form displayed below. [Screenshot: Traffic Graphing by IP / Subnet form.]
5. If you don't have network devices that can do port mirroring, you can deploy a Linux server on the main data path, and WANGuard Sniff will be able to analyze the traffic flows that are routed through the server. Note that the server will become a single point of failure if you don't configure VRRP.
   Reasons to choose Port Mirroring / Network TAP / In-line Deployment: Packet sniffing comes into consideration if you can provide the higher CPU power needed by WANGuard Sniff. Packet sniffing provides extremely fast and accurate traffic accounting and analysis results.
   NetFlow Monitoring: NetFlow Monitoring is the domain of networks that usually use Cisco or Huawei L3 switch or router flows. These can be configured to send data streams with the network's usage data to a Linux server running WANGuard Flow.
   How NetFlow Monitoring Works: One option to measure bandwidth usage by IP address is to use the NetFlow protocol, which is especially suited for high-traffic remote networks. Many routers and Layer 3 switches from Cisco support this protocol, as well as vendors like Huawei (NetStream), Juniper, Extreme Networks, 3COM and others. Network devices with NetFlow support track the bandwidth usage of the network internally and can be configured to send pre-aggregated data to a Linux server running WANGuard Flow for traffic analysis and accounting purposes.
   Reasons to choose NetFlo
6. [Screenshot: Reports View, traffic accounting report for 80.95.128.1/32 on the NetFlow Router LAN Interface and the NetFlow Router WAN Interface, with the columns Avg Packets/s, Avg Bits/s, Total Packets and Total Bits for inbound and outbound traffic.]
   Traffic Accounting and Graphing: This chapter describes how to generate advanced traffic graphs and traffic accounting reports from data collected by WANGuard Sensor systems. For an easier but more limited access to traffic graphs and accounting reports, you can use the Reports View (Page 41).
   IP Traffic Graphs Setup: To configure IP traffic graphs parameters, select IP Graphs from the Setup menu. [Screenshot: Setup menu.]
7. top TCP ports, top UDP ports and top IP protocols. This tab is not available if the selected WANGuard Sensor does not have the Top option activated in its configuration.
   IP Descriptions Section: This section contains IP Description fields extracted from all existing IP Zones. When you click an IP Description, the right side of the Reports View will contain two tabbed areas, as you can see in the screenshot below. The Traffic Graphs area contains graphs with traffic parameters generated for the hosts or networks that have the selected IP Description. The Traffic Accounting area contains a traffic accounting report generated for the hosts or networks that have the selected IP Description. [Screenshot: WANGuard Console 3.0 Reports View.]
8. The WANGuard Sensor Graphs form fields:
   • From / Until: Enter the desired time frame.
   • WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding the Control key.
   • Sum Multiple Sensors: If unchecked, each WANGuard Sensor generates a different traffic graph. If checked, all selected WANGuard Sensors generate a single traffic graph that contains all traffic data.
   • Data Unit: Select the traffic parameter the graph will represent.
     ○ Bits: The bits/second throughput recorded by WANGuard Sensor.
     ○ Bytes: The bytes/second throughput recorded by WANGuard Sensor.
     ○ Packets: The packets/second throughput recorded by WANGuard Sensor.
     ○ IPs: The number of unique IP addresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted.
     ○ Received packets or flows: For WANGuard Sniff, it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow, it represents the rate of received flows before validation or filtering occurs.
     ○ Dropped packets or flows: For WANGuard Sniff, it represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad W
9. In the upper side of the left section you will see a form that is used to add IP addresses and IP classes to the IP Zone. Below it you will see the name of the current IP Zone and the allocated IP classes tree. When adding a new subnet, the tree is automatically updated. In the right section you will see detailed information about the selected IP class or IP address. The right section will be empty if there is no IP class or IP address selected. As explained in the Understanding IP Zones Inheritance section, every IP Zone contains the 0.0.0.0/0 supernet. To edit the 0.0.0.0/0 IP class properties, select 0.0.0.0/0 from the IP classes tree. [Screenshot: IP Zone Configuration, parameters for 0.0.0.0/0.] The right section will be populated with properties that apply to all IP addresses included in the selected IP class, if the properties are not subsequently overwritten. The Inheritance column shows from which parent IP class the value was inherited. Every IP class has the following properties:
   • Accounting: If the Accounting parameter is set to Yes, then WA
10. the Graphing parameter is set to Yes. In the next image, a new IP class named Customer Service was added. Because this IP class is included in the Internal Network, it is displayed under it. All parameters except the Description were not modified, so the values are inherited from the direct parent subnet. [Screenshot: IP Zone Configuration, parameters for 10.0.1.0/24: Accounting No (inherited from 0.0.0.0/0), Graphing Yes (inherited from 10.0.0.0/8), Description Customer Service (none).] In the image below you can see that a new subnet called Office Building was added. Because the Accounting parameter was modified to Yes, every IP address included in 10.0.2.0/25 will generate accounting data. [Screenshot: IP Zone Configuration, parameters for 10.0.2.0/25.] In the image below you can see that
11. [Screenshot: WANGuard Sniff Configuration window.] The WANGuard Sniff Configuration window contains the following fields:
   • Active: WANGuard Sniff is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Sniff system is running, then the WANGuardController daemon stops it.
   • Description: A short generic description that helps you identify the WANGuard Sniff system.
   • IP Address: A unique IP address configured on the machine that must run the selected WANGuard Sniff. This field is used only by the WANGuardController daemon for system identification.
   • Network Interface: This field must contain the network interface that receives the port-mirrored traffic. If the WANGuard Sniff server is deployed in-line, then it must contain the network interface that receives the traffic towards your network. If the traffic is tagged with a VLAN header and you check VLAN Support, then the VLAN header will be ignored. If you want to split the traffic by VLANs, then you must create a virtual network interface for each VLAN using the vconfig command and then add a WANGuard Sniff for each new virtual interface. The network interface name must use the network interface naming conventions of the Linux operating system: eth0 for th
12. [Screenshot: IP Zone Configuration, parameters for 0.0.0.0/0: Accounting No, Graphing No, Description Unknown.] By default, the 0.0.0.0/0 supernet has Accounting and Graphing parameters set to No. It is recommended not to generate traffic parameters for unknown IP addresses. [Screenshot: IP Zone Configuration, parameters for 10.0.0.0/8: Accounting No (inherited from 0.0.0.0/0), Graphing Yes (none), Description Internal Network (none).] After adding the 10.0.0.0/8 subnet using the top left form, the tree is immediately updated to contain the new IP class. The Inheritance column shows what are the inherited values and from which parent IP class. In the image above you can see that the Accounting value is inherited from 0.0.0.0/0 because it is the only unmodified parameter. Every IP that belongs to the Internal Network will generate traffic graphs because
13. To change the color you can enter the color as a HTML Color Code, or you can manually select the color by pressing the < > button.
     ○ Graph Color Outbound: Here you can select the color you will see on graphs as outbound (egress) traffic for the current interface. By default a random color will be chosen. To change the color you can enter the color as a HTML Color Code, or you can manually select the color by pressing the < > button.
   • IP Validation:
     ○ Off: Will disable IP Validation.
     ○ On: WANGuard Flow will only analyze the traffic that has the source and/or the destination IP addresses in the selected IP Zone, excluding 0.0.0.0/0.
     ○ Strict: WANGuard Flow will only analyze the traffic that has either the source or the destination IP addresses in the selected IP Zone, excluding 0.0.0.0/0.
   • AS Validation: Flows might contain the source and destination ASN (Autonomous System Number). If the ASN is set to 0, then the IP address belongs to your Autonomous System. AS Validation has three options:
     ○ Off: Will disable AS Validation.
     ○ On: Only flows that have the source ASN and/or the destination ASN set to 0 are analyzed.
     ○ Strict: Only flows that have either the source ASN or the destination ASN set to 0 are analyzed.
   • Top: This checkbox lets you choose if you want WANGuard Flow to sort the traffic statistics for top-like visualizations. It is recommended to
14. Top option collect protocols distribution data. You can view this data by selecting Protocols Distribution from the Reports menu. To generate Protocols Distribution graphs, fill the following form. [Screenshot: Protocols Distribution Graphs form.] All fields are explained in the previous sections.
   WANGuard Sensor Graphs: WANGuard Console can generate on-demand MRTG-style graphs for WANGuard Sensor traffic parameters for the selected time frame. To generate WANGuard Sensor graphs, you must fill the form below after selecting WANGuard Sensor Graphs from the Reports menu. [Screenshot: WANGuard Sensor Graphs form.]
15. WANGuard Sniff
     ○ Inbound Outbound: WANGuard Sniff will monitor both inbound and outbound traffic. Using this option generates a minor performance penalty under very high loads.
     ○ Inbound: WANGuard Sniff will only monitor the inbound traffic.
   • Top: This checkbox lets you choose if you want WANGuard Sniff to sort the traffic statistics for top-like visualizations. It is recommended to leave it on because the performance penalty is extremely low.
   • Graph Data Path: This field contains the path on the WANGuard Console server where the traffic graphs data collected from the WANGuard Sniff system is stored. It's safe to save multiple WANGuard Sensors' graph data in the same path. If you set the data path on a larger partition, on RAM with tmpfs, etc., make sure that the wanguard user has writing privileges there.
   • Graph Color Inbound: Here you can select the color you will see on graphs as inbound traffic for the current WANGuard Sniff. By default a random color will be chosen. To change the color you can enter the color as a HTML Color Code, or you can manually select the color by pressing the < > button.
   • Graph Color Outbound: Here you can select the color you will see on graphs as outbound traffic for the current WANGuard Sniff. By default a random color will be chosen. To change the color you can enter the color as a HTML Color Code, or you can manually selec
16. dropped in the flow receiving process. When the number is high, it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.
     ○ Unknown packets or flows: For WANGuard Sniff, it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow, it represents the rate of discarded flows caused by validation or filtering.
   • Refresh Interval: Select the interval between consecutive refreshes of the graph. The graph will update itself flicker-free, but it's best to keep the refresh interval big for low bandwidth monitoring stations.
   Events Tab: The Events Tab provides a list with the latest events recorded in the Events Log. Every field is explained in the Events Log section of the Archive chapter (Page 52).
   Reports View: The Reports View provides easy access to live and historical information about monitored hosts, networks and network interfaces. The Reports View is split vertically in two sides. The left side contains three sections: WANGuard Sensors, IP Descriptions and IP Addresses. To prevent clutter, you can click each section's header to minimize or maximize the section.
   WANGuard Sensors Section: When you click a WANGuard Sensor description or interface, the right side of the Reports View will contain two tabbed areas, as you can see in the screenshot below. The Traffic Graphs are
17. for RedHat-based Linux distributions packages; http www andrisoft com download suse for SuSE-based Linux distributions packages; http www andrisoft com download deb for Debian-based Linux distributions packages. You may try a fully functional version of WANGuard Platform Lite for 30 days. You can switch to a full-time registered version by applying a purchased license key. Binary WANGuard Platform Lite components are packaged differently for i686 architectures (32-bit, Pentium and beyond) and for x86_64 architectures (64-bit Intel / AMD processors).
   Software Installation: Software installation instructions are listed and updated on the Andrisoft website under the download links: http www andrisoft com download rpmi installation for RedHat-based Linux distributions; http www andrisoft com download suse installation for SUSE-based Linux distributions; http www andrisoft com download deb installation for Debian-based Linux distributions.
   Network Basics You Should Be Aware Of. Who Should Read This Section: If you are new to network administration and network monitoring, read about the technical basics in this section. It will help you understand how WANGuard Platform Lite works. If you are already used to IP addresses and IP classes, you can skip this section.
   A Short Introduction To IP Addresses & Classes. IP Addresses: In order for systems to locate each
18. reporting by consolidating the data from all WANGuard Sensor systems deployed within the network.
   WANGuard Console Features and Benefits:
   • Consolidated real-time WANGuard Sensor management and monitoring using a rich Ajax-based Web 2.0 web interface
   • IP Zones support for segmenting your network by departments, clients, server clusters, etc.
   • Intuitive desktop-applications-like menu system
   • Easy-to-use navigation allows to drill into the live monitoring results
   • Graphs are always generated on the fly for live reporting
   • Live traffic graphs are animated
   • Integrated contextual help system
   • Integrated web-based tools that provide:
     ○ AS (Autonomous System) information
     ○ IP information: reverse DNS, domain, URL, IP range, AS, ISP, Country, ping, traceroute, whois
     ○ IP Protocols information
     ○ Subnet calculator
     ○ TCP and UDP ports information
   • The recorded data is stored in an internal SQL database that can be easily queried and referenced
   • Authenticated access (username & password necessary) for an unlimited number of users with different security profiles
   How To Choose A Method Of Traffic Capturing: This section explains the available methods you can use for traffic capturing. Reading this chapter is strongly recommended, as it will help you understand how to deploy WANGuard Sensor.
   Supported Traffic Capturing Methods: WANGuard Sensor was designed to
19. stored. The Aggregation option lets you select how you want the average values to be consolidated. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type. All the above options have a direct impact on the storage space required on the WANGuard Console file system. The storage space required per IP will be updated when you click the <Change Parameters> button. If you change the graphs parameters, make sure you delete old data from the paths defined in WANGuard Sensor configurations.
   IP Traffic Graphs: WANGuard Console can generate on-demand MRTG-style graphs for hosts, subnets and IP Descriptions in your network. The time frame must be included in the biggest interval value configured in IP Traffic Graphs Setup. To generate IP traffic graphs, select IP Traffic Graphs from the Reports menu and then select one of the two available options. [Screenshot: Reports menu, IP Traffic Graphs.] The first option generates traffic graphs for IPs or subnets that have the IP Description you select. The second option generates traffic graphs for the ent
20. 192.168.0.0/16 subnet was added and placed automatically within the 0.0.0.0/0 subnet. WANGuard Sensor will generate traffic graphs and will record accounting data for all IPs that belong to this subnet. [Screenshot: IP Zone Configuration tree: 0.0.0.0/0 Unknown; 10.0.0.0/8 Internal Network; 10.0.1.0/24 Customer Service; 10.0.2.0/25 Office Building.]
   WANGuard Sensor Setup: This chapter describes how to add, configure and delete WANGuard Sensor systems through WANGuard Console. To manage WANGuard Sensor systems, you must first select the WANGuard Sensor type from the Setup menu. [Screenshot: Setup menu, WANGuard Sensor submenu with WANGuard Flow and WANGuard Sniff.] To learn more about the differences between the two types of WANGuard Sensor, please consult Chapter 2, How To Choose A Method Of Traffic Capturing (Page 7).
   WANGuard Sniff Configuration: When using WANGuard Sniff, you must know that by default only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring in switched networks, the use of switches or r
21. 28   248.000.000.000
   /4   1048576 C    4096 B    16 A    268435456    240.000.000.000
   /3   2097152 C    8192 B    32 A    536870912    224.000.000.000
   /2   4194304 C    16384 B   64 A    1073741824   192.000.000.000
   /1   8388608 C    32768 B   128 A   2147483648   128.000.000.000
   /0   16777216 C   65536 B   256 A   4294967296   000.000.000.000
   Getting Started with WANGuard Platform Lite: Please read the following Basic Concepts section in order to get a clear overview of the basic premises required for the proper operation of the software.
   Basic Concepts: To understand the concepts of WANGuard Platform Lite, please be aware of following phrases.
   Menu Bar: Every browser window has on top a fixed drop-down menu bar used for navigation throughout the WANGuard Console. The Menu Bar contains drop-down menus similar with the ones used in common desktop applications.
   Views: WANGuard Console offers various ways to look at live collected data. We call these Views. You can switch between them by selecting the Views menu from the Menu Bar. There are two different types of Views available in the Lite version:
   • Systems View: Displays a table with live information about all running WANGuard Sensor systems. On the bottom section it displays tabbed live traffic graphs and events.
   • Reports View: Displays graphs and reports that contain traffic parameters collected from monitored network links, IP subnets and
22. Traffic Monitoring and Traffic Accounting with WANGuard Platform Lite
   Why WANGuard Platform Lite Is Important: Most businesses today rely more and more on network infrastructure. So the computer network's reliability and speed are crucial for these businesses to be successful, and an efficient use of the available resources must be assured. The significant degradation of the services can seriously damage the businesses, including loss of customers and subsequent loss of revenue. For the network administrator this means that he has to ensure the network's uptime, reliability, speed, as well as the efficient use of the existing resources. Andrisoft WANGuard Platform Lite is an enterprise-grade Linux-based software solution that delivers the functionality NOC and IT teams need to effectively monitor their network through a single integrated package. The components have been built from the ground up to be high-performing, reliable and secure. WANGuard Platform Lite is feature-rich, simple to deploy and configure, causing no disruption within the network.
   What WANGuard Platform Lite Can Do For You: Andrisoft WANGuard Platform Lite is an easy-to-use software platform that provides network traffic monitoring and accounting. It allows you to quickly and easily set up and run monitoring server(s) for networks. Using the integrated web interface, with just a few mouse clicks you can view:
   • Historic and real
23. [illegible entry] 17
   Opening WANGuard Console for the first time 17
   A First Look at the Systems View 18
   Managing WANGuard Console Users 18
   [illegible entry] 21
   Understanding IP Zones 21
   [illegible entry] 21
   IP Zone Selection 22
   [illegible entry] 22
   Changing Description, Copying & Deleting IP Zones 23
   [illegible entry] 23
   [illegible entry] 24
   [illegible entry] 25
   [illegible entry] 25
   IP Zone Configuration [illegible] 25
   7 WANGuard Sensor Setup 28
   WANGuard Sniff Configuration 28
   WANGuard Flow Configuration 32
   [illegible entry] 37
   [illegible entry] 37
   Active WANGuard Sniff Systems Table 38
   Active WANGuard Flow Systems Table 39
   WANGuard Sensor Live Graphs Tab 40
   [illegible entry] 40
   [illegible entry] 41
   WANGuard S
24. ANGuard Sniff installation. For WANGuard Flow, it represents the rate of flows dropped in the flow receiving process. When the number is high, it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.
     ○ Unknown packets or flows: For WANGuard Sniff, it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow, it represents the rate of discarded flows caused by validation or filtering.
   • Graph Size: Select the size of the graph.
   • Aggregation: Select the aggregation procedure for the graph: MINIMUM, MAXIMUM or AVERAGE. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type.
   Archive: All WANGuard Platform Lite components store traffic and operational details in a MySQL database located on the WANGuard Console server. You can view the contents of the database by selecting the tables from the Archive menu. [Screenshot: Archive menu with Events Logs and Stats Logs.]
   Events Logs: Events Logs contain all events generated by WANGuard Platform Lite components. Each component that generates events is listed in a sub-menu. Each record has the f
25. IP Zones. Includes a live, top-like network traffic visualizer supporting multiple protocols such as IPv4, TCP, syn, UDP, ICMP, as well as TCP and UDP ports. More information about Views is available in the Views chapter (page 37).

Tables

All WANGuard Platform Lite modules store traffic and operational details in a MySQL database. The contents of the database are presented in WANGuard Console in the form of tables with a unified look and feel. Records can be queried using the top-left <Search> button. Sorting can be done by clicking the column name. By default, the records are sorted by insertion time, with the latest records displayed first. To prevent clutter and high loading times, the records are listed on multiple pages. You can navigate through the pages with the bottom navigation buttons.

The first column of every record is populated with icons that engage actions such as viewing details about the record, changing the record and deleting the record. Users with Normal User privileges can only view details about records, while users with Administrator privileges can view, change and delete records.

IP Zones

IP Zones are hierarchical, tree-like structures that contain user-provided details about your network elements and segments. Each WANGuard Sensor uses an IP Zone from which it extracts information such as what subnets must be monitored, what subnets should generate tr
26. ISOFT S.R.L. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. ANDRISOFT S.R.L. will not be responsible for any loss, costs or damages incurred due to the use of this documentation.

WANGuard Platform Lite is a SOFTWARE PRODUCT of ANDRISOFT S.R.L. ANDRISOFT and WANGuard Platform are trademarks of ANDRISOFT S.R.L. Other company, product or service names may be trademarks or service marks of others.

ANDRISOFT S.R.L.
Str. Lunei L30 Ap. 11, 300109 Timisoara, Timis, Romania
Phone: 40721250246; Fax: 40256209738
Sales: sales@andrisoft.com
Technical Support: support@andrisoft.com
Website: http://www.andrisoft.com

Copyright ANDRISOFT S.R.L. 2008. All rights reserved.
27. NGuard Sensor records traffic accounting data for every IP address included in the selected IP class. Accounting data contains the number of inbound and outbound packets and bits, and averages of packets and bits rates. If the Accounting parameter is set to Inherit, then the value is inherited from the parent IP class. If the parameter is set to No, then no accounting data is recorded.

- Graphing: If the Graphing parameter is set to Yes, then WANGuard Sensor records graphing data for every IP address included in the selected IP class. Graphing data contains accurate information about inbound and outbound packets/second and bits/second rates. If the Graphing parameter is set to Inherit, then the value is inherited from the parent IP class. If the Graphing parameter is set to No, then no graphs will be generated for the current subnet.
- Description: This parameter must contain a short description of the selected IP class or IP address. If the description field is empty, then the description is inherited from the parent IP class.

IP Zone Configuration Example

In the following images you will see how IP Zone inheritance works and how you can define the monitored IP classes.
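The inheritance rules described above can be checked offline with a small resolver. This is an added example, not Andrisoft's code: the sample zone, the function names and the root default of No (used when every ancestor is set to Inherit) are assumptions.

```python
import ipaddress

INHERIT = "Inherit"

# Constructed sample IP Zone: prefixes, values and descriptions are made up.
SAMPLE_ZONE = {
    "10.0.0.0/8":     {"accounting": "No",    "graphing": "No",    "description": "Internal Network"},
    "10.20.0.0/16":   {"accounting": "Yes",   "graphing": INHERIT, "description": "Customers"},
    "10.20.30.0/24":  {"accounting": INHERIT, "graphing": "Yes",   "description": ""},
    "10.20.30.40/32": {"accounting": INHERIT, "graphing": "No",    "description": "Customer 1 WEB"},
}


def ancestry(zone, target):
    """Return the zone entries that contain target, most specific first."""
    target = ipaddress.ip_network(target, strict=False)
    entries = [(ipaddress.ip_network(p), params) for p, params in zone.items()]
    chain = [(net, params) for net, params in entries
             if net.version == target.version and target.subnet_of(net)]
    return sorted(chain, key=lambda e: e[0].prefixlen, reverse=True)


def resolve(zone, target, root_default="No"):
    """Effective Accounting/Graphing/Description for a host or subnet.

    Each parameter is taken from the closest enclosing IP class that does not
    say Inherit. root_default is an assumption for the case where no ancestor
    sets an explicit value. Returns None if the target is outside the zone.
    """
    chain = ancestry(zone, target)
    if not chain:
        return None
    out = {}
    for key in ("accounting", "graphing"):
        out[key], out[key + "_from"] = root_default, None
        for net, params in chain:
            if params[key] != INHERIT:
                out[key], out[key + "_from"] = params[key], str(net)
                break
    # An empty description is inherited from the parent IP class.
    out["description"] = next(
        (p["description"] for _, p in chain if p["description"]), "")
    return out


def why_no_report(zone, target, kind):
    """Explain an empty graph or accounting report; kind is 'graphing' or 'accounting'."""
    eff = resolve(zone, target)
    if eff is None:
        return f"{target} is not included in the IP Zone"
    if eff[kind] != "Yes":
        src = eff[kind + "_from"] or "no explicit ancestor (assumed default)"
        return f"{kind} resolves to {eff[kind]} (set at {src})"
    return "ok"


if __name__ == "__main__":
    for t in ("10.20.30.40", "10.20.30.41", "10.20.99.1", "192.168.1.1"):
        print(t, resolve(SAMPLE_ZONE, t), why_no_report(SAMPLE_ZONE, t, "graphing"))
```

Running the same check against an export of a real IP Zone shows which monitored prefixes end up with neither graphing nor accounting, which is the usual cause of an empty report.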
28. Platform Lite components. Every View displays text and graphical elements using the Ajax technology (Web 2.0) that offers flicker-free web page updates every 5 seconds. To open available Views, click the Views menu and then select Systems View (for systems administrators) or Reports View (for network administrators).

Systems View

The Systems View displays tables with the latest system information collected from active WANGuard Platform Lite components.
29. You can configure the selected IP Zone by clicking the <Edit> button.

To change the description of the selected IP Zone, you must click the <Description> button and then provide a different description.

To copy the selected IP Zone, you must click the <Copy> button. A new IP Zone will be created that will have the same information and the same description with the word "copy" attached. In some cases, when you have multiple WANGuard Sensor systems, you may have to create multiple IP Zones that share the same subnets. Instead of recreating the same subnets for each new IP Zone, you can copy an existing IP Zone and modify only the subnets information.

To delete the selected IP Zone, you must click the <Delete> button and then confirm the deletion.

IP Zone Configuration

After a new IP Zone is added, the IP Zone Configuration window will look like in the following image.

The IP Zone configuration window is divided in two sections, one on the left and one on the right.
30. WANGuard Sensor Live Graphs Tab

The WANGuard Sensor Graphs Tab provides an animated, dynamic graph that illustrates trends over time of various traffic parameters collected from WANGuard Sensor systems. The right side of the tab contains three selection lists that configure the graph:

- WANGuard Sensor: Select the WANGuard Sensor system you're interested in.
- Data Unit: Select the traffic parameter the graph will represent:
  - Bits: The bits/second throughput recorded by WANGuard Sensor.
  - Bytes: The bytes/second throughput recorded by WANGuard Sensor.
  - Packets: The packets/second throughput recorded by WANGuard Sensor.
  - IPs: The number of unique IP addresses detected making traffic. Usually, a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted.
  - Received packets or flows: For WANGuard Sniff, it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow, it represents the rate of received flows before validation or filtering occurs.
  - Dropped packets or flows: For WANGuard Sniff, it represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow, it represents the rate of flows
31. a displays graphs containing traffic parameters generated by the selected WANGuard Sensor.

The Traffic Tops area provides live statistics about top hosts talkers
32. ache flow use command ip route-cache flow infer-fields. This series requires a Supervisor IV with a NetFlow Services daughter card to support NDE.

Configuring NDE on a Juniper Router

Juniper supports flow exports by the routing engine sampling packet headers and aggregating them into flows. Packet sampling is done by defining a firewall filter to accept and sample all traffic, applying that rule to the interface and then configuring the sampling forwarding option.

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    filter {
                        input all;
                        output all;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
    }
    firewall {
        filter all {
            term all {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 100;
                }
            }
            output {
                cflowd 192.168.1.100 {
                    port 2000;
                    version 5;
                }
            }
        }
    }
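To confirm that version 5 exports configured as above arrive intact at the collector, the datagrams can be decoded and their flow sequence numbers checked for gaps, which is what a high dropped-flows rate points to. This is an added example, not part of the manual or of WANGuard Flow: the helper names and the constructed datagrams are assumptions, and on a live system the bytes would come from the UDP listening port (2000 in the examples above).

```python
import ipaddress
import struct

# NetFlow v5 wire format: 24-byte header followed by 1..30 records of 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_v5(datagram):
    """Validate and decode one NetFlow v5 export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    (version, count, _uptime, unix_secs, _nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"bad record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return {
        "count": count, "unix_secs": unix_secs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        "sampling_mode": sampling >> 14,          # top 2 bits
        "sampling_interval": sampling & 0x3FFF,   # low 14 bits
        "flows": flows,
    }


class SequenceTracker:
    """Counts flows lost between exporter and collector.

    flow_sequence is the running total of flows exported before this
    datagram, so the next datagram should carry flow_sequence + count.
    """

    def __init__(self):
        self.expected = {}
        self.lost = 0

    def observe(self, exporter_ip, pkt):
        key = (exporter_ip, pkt["engine_type"], pkt["engine_id"])
        gap = 0
        if key in self.expected:
            gap = (pkt["flow_sequence"] - self.expected[key]) & 0xFFFFFFFF
            if gap >= 0x80000000:
                # Sequence went backwards: reordering or exporter restart.
                # Resynchronise instead of reporting a huge loss.
                gap = 0
        self.expected[key] = (pkt["flow_sequence"] + pkt["count"]) & 0xFFFFFFFF
        self.lost += gap
        return gap


def build_v5(flow_seq, flows, sampling=0):
    """Build a constructed v5 datagram for testing (not captured traffic)."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1225201251, 0,
                            flow_seq, 0, 0, sampling)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                       0, 1, 2, pk, by, 0, 0, sp, dp, 0, 0x12, 6, 0, 0, 0, 24, 24, 0)
        for s, d, pk, by, sp, dp in flows)
    return header + body


def demo():
    """Three constructed datagrams; the third skips 7 flows."""
    one = ("192.168.1.10", "10.0.0.5", 3, 180, 40000, 80)
    two = ("192.168.1.11", "10.0.0.5", 1, 60, 40001, 443)
    datagrams = [build_v5(0, [one, two]), build_v5(2, [one]), build_v5(10, [two])]
    tracker = SequenceTracker()
    gaps = [tracker.observe("192.168.1.1", parse_v5(d)) for d in datagrams]
    return gaps, tracker.lost


if __name__ == "__main__":
    print(demo())
```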
33. affic graphs and accounting data, subnets descriptions. The same IP Zone may be used by different WANGuard Sensor systems.

Opening WANGuard Console for the first time

WANGuard Console is essentially the web interface through which you will control and monitor all other components. If you followed the installation instructions correctly, from now on you will only need to log into WANGuard Console to manage the components. To log into WANGuard Console, use a compatible web browser (listed at page 11) and access http://<hostname>/wanguard, where <hostname> is the name of the machine where WANGuard Console is running. If the page cannot be displayed, make sure the Apache web server is running and the firewall does not block incoming traffic on port 80.

If you haven't licensed WANGuard Platform Lite yet, you will be asked to do so. Licensing will be successful only if you have previously installed, configured and started the WANGuardController daemon.

You can add a license key by two methods. You can either copy the wanguard.key file we sent you by email in /opt/wanguard/etc/ or you ca
34. arp public 473 41 html

To configure TAPs or other devices that support port mirroring, please consult the producer's documentation.

WANGuard Console System Requirements for <5 WANGuard Sensors

- Architecture: x86 (32 or 64 bit)
- CPU: 1 x Pentium IV 2.4 GHz
- Memory: 500 MBytes
- Network Cards: 1 x Fast Ethernet or Gigabit Ethernet
- Operating System: Linux kernel 2.6.x, apache 2.x, php 5, mysql 5.x, rrdtool 1.2.x, perl 5.x
- Installed Packages: perl-rrdtool, perl-MailTools, perl-DBD-MySQL, ping, whois, traceroute, telnet, WANGuard Console 3.0, WANGuard Controller 3.0
- Disk Space: 5GB (including OS), additional storage when storing IP graphs data

To access the web interface provided by WANGuard Console, one of the following web browsers is required (others should also work but have not been tested): Firefox 2.0 or later, Internet Explorer 6.0 or later, Apple Safari 3.0 or later, Konqueror 3.5 or later, Opera 8.0 or later. The web browser must have JavaScript and cookie support activated. Java support is not required. To access the Contextual Help, please install Adobe PDF Reader. For the best WANGuard Console experience, we highly recommend the Firefox 3 browser and a 1280x1024 pixels or higher resolution monitor.

Download

All WANGuard Platform Lite components can be downloaded directly from the Andrisoft website: http://www.andrisoft.com/download rpm
35. ask with an IP address, systems can determine which portion of the IP address relates to the network and which portion relates to the host. Anywhere the subnet mask has a bit set to 1, the underlying bit in the IP address is part of the network address. Anywhere the subnet mask is set to 0, the related bit in the IP address is part of the host address.

The size of a network is a function of the number of bits used to identify the host portion of the address. If a subnet mask shows that 8 bits are used for the host portion of the address block, a maximum of 256 host addresses are available for that specific network. If a subnet mask shows that 16 bits are used for the host portion of the address block, a maximum of 65,536 possible host addresses are available for use on that network.

An Internet Service Provider (ISP) will generally assign either a static IP address (always the same) or a dynamic address (changes every time one logs on). ISPs and organizations usually apply to the InterNIC for a range of IP addresses so that all clients have similar addresses. There are about 4.3 billion IP addresses. The class-based, legacy addressing scheme places heavy restrictions on the distribution of these addresses. TCP/IP networks are inherently router-based, and it takes much less overhead to keep track of a few networks than millions of them.

IP Classes

Class A addresses always
36. assword fields are mandatory. Enter unique names for users. Currently there are two available access levels (Roles) for users:

- Normal User: The user can access all Views, generate traffic accounting and traffic graphs reports, read event logs and archives, but cannot view or manage WANGuard Sensor configurations, nor can it add or delete users.
- Administrator: The user has all privileges to view and manage WANGuard Platform Lite components, including adding new users and changing users' passwords (existing users' passwords are always shown encrypted).

The Full Name, Email, Title, Phone, Department and Company fields are optional.

The Events Verbosity field lets you select the minimum severity level of the events that will be displayed in the Systems View:

- MELTDOWN: Meltdown events are generated when a very serious error is detected in the system, such as a hardware error.
- CRITICAL: Critical events are generated when a significant software error is detected, such as a memory exhaustion.
- ERROR: Error events are caused by misconfiguration or communication errors between WANGuard Platform Lite components.
- WARNING: Warning events are generated when authentication errors occur, when there are errors updating graph data files and when there are synchronization issues.
- INFO: Informational events are generated when configurations are changed and when users log int
37. cted data will be centralized and available through a single web interface that you can quickly access from any location.

- The supported traffic monitoring methods are: Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line Deployment, Cisco NetFlow and Huawei NetStream.
- You can access various real-time parameters (top talkers, number of IP addresses, top protocols, protocols distribution, etc.) about the data flowing through router interfaces and switch ports.
- Provides on-demand MRTG-style traffic graphs for every IP address or subnet in your network, for any time frame. Traffic graphs accuracy can be defined between 5 seconds and 5 minutes.
- WANGuard Sensor is completely scalable and can monitor and generate graphs for hundreds of thousands of IP addresses.
- Includes a very flexible billing system for bandwidth-based billing.
- Easy and non-disruptive installation on common server hardware.
- The most cost-effective traffic monitoring and accounting solution on the market.

WANGuard Console

WANGuard Console provides a tightly integrated and highly graphical, interactive, Ajax-based Web 2.0 interface for all aspects of network traffic monitoring and accounting. Included in the WANGuard Console is the advanced graphing engine that provides quick and easy ad-hoc graphing functionality. WANGuard Console offers single-point management and
38. d Port Analyzer (SPAN), Roving Analysis Port, Network TAP, In-line deployment

In order to do traffic monitoring and accounting, WANGuard Sniff inspects all network data packets passing the host server's network card, including the network data packets sent by a monitoring port of a switch or router.

How Port Mirroring / Network TAP / In-line Deployment works

It is very important to understand that WANGuard Sniff can only inspect data packets that actually flow through the network interface(s) of the host server. In switched networks, only the traffic for a specific device is sent to the device's network card. If the server running WANGuard Sniff is not deployed in-line, it can't capture the traffic of other network components.

For WANGuard Sniff to analyze the traffic of other hosts in your network, you must use a network TAP, or a switch or router that offers a monitoring port or port mirroring configuration (Switched Port Analyzer, SPAN, for Cisco devices; Roving Analysis Port for 3Com devices). In this case, the network device sends a copy of data packets traveling through a port or VLAN to the monitoring port. After you configure the network device, install WANGuard Sensor on a Linux server and connect it to the monitoring port. WANGuard Sniff will be able to analyze the whole traffic that passes through the selected port or VLAN, with or without VLAN tag stripping.
39. e configuration mode on the router or MSFC, issue the following to start NetFlow Export.

First enable Cisco Express Forwarding:

    router(config)# ip cef
    router(config)# ip cef distributed

And turn on flow accounting for each input interface with the interface command:

    interface
    ip route-cache flow

For example:

    interface FastEthernet0
    ip route-cache flow
    interface Serial2/1
    ip route-cache flow

It is necessary to enable NetFlow on all interfaces through which traffic you are interested in will flow. Now, verify that the router or switch is generating flow stats; try command show ip cache flow. Note that for routers with distributed switching (GSRs, 75XXs) the RP CLI will only show flows that made it up to the RP. To see flows on the individual linecards, use the attach or if-con command and issue the sh ip ca fl on each LC.

Enable the exports of these flows with the global commands:

    router(config)# ip flow-export version 5
    router(config)# ip flow-export destination <ip_address> 2000
    router(config)# ip flow-export source FastEthernet0

Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used as an example. WANGuard Flow is using NetFlow version 5. The ip flow-export source command is used to set up the source IP address of the exports sent by the equipment.

If y
40. e first interface, eth1 for the second, eth0.900 for the first interface with VLAN 900, and so on.

- MAC Filter: For WANGuard Sniff to distinguish between inbound and outbound traffic, it must use at least one of the two techniques available: MAC filtering or IP Validation (next parameter). The MAC Filter, together with the Source / Destination switch, allows WANGuard Sniff to validate the inbound traffic and the outbound traffic. The MAC Filter should contain the MAC address of the upstream router with the Source switch on, or the MAC address of the downstream router with the Destination switch on. The MAC address must be written using the Linux convention: six groups of two hexadecimal values separated by colons.
- IP Validation: For WANGuard Sniff to distinguish between inbound and outbound traffic, it must use at least one of the two techniques available: MAC filtering (previous parameter) or IP Validation. The IP Validation parameter has three options:
  - Off: Will disable IP Validation. Make sure MAC Filter is configured instead.
  - On: WANGuard Sniff will only analyze the traffic that has the source and/or the destination IP addresses in the selected IP Zone, excluding 0.0.0.0/0.
  - Strict: WANGuard Sniff will only analyze the traffic that has either the source or the destination IP addresses in the selected IP Zone, excluding 0.0.0.0/0.
- Direction: You can configure the direction of the traffic that should be analyzed by
42. By default, every WANGuard Sensor stores IP graphing data with 5 minutes averages for 7 days, 15 minutes averages for 1 month and 2 hours averages for 1 year. The default graphing interval is 5 minutes. If you do not change the default parameters, every IP for which you enabled graphing will require 603 kbytes of storage on the WANGuard Console's file system.

The Graphing Interval specifies the granularity of the graphs. The highest available granularity value is 5 seconds and the lowest is 5 minutes. When granularity is very high, WANGuard Sensor uses more CPU, the WANGuard Console system becomes more loaded, and the network traffic between WANGuard Sensor and WANGuard Console is increased if the components are not installed on the same server.

The Averages and Intervals values specify the granularity for old data and how long you want the data to be stored.

The Data Units options let you select the traffic parameters that will be
44. IP Addresses Section

This section provides an IP tree that contains all subnets extracted from existing IP Zones. When you click a subnet, the right side of the Reports View will contain two tabbed areas, as you can see in the screenshot below.

The Traffic Graphs area contains graphs with traffic parameters generated for the selected host or network. The Traffic Accounting area contains a traffic accounting rep
45. ered IP or subnet.

The following fields are common for both options:

- From / Until: Enter the desired time frame.
- WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding the Control key.
- Sum Multiple Sensors: If unchecked, each WANGuard Sensor generates a different traffic graph. If checked, all selected WANGuard Sensors generate a single traffic graph that contains the summed traffic data.
- Data Unit: Enter the data unit for the traffic graph: packets/second, bits/second or bytes/second. If some data units are missing, see the IP Traffic Graphs configuration (Page 44).
- Graph Size: Select the graph size.
- Aggregation: Select the aggregation procedure for the graph: MINIMUM, MAXIMUM or AVERAGE. If some aggregation types are missing, see the IP Traffic Graphs configuration (Page 44).

By IP Description

By selecting this option, you can generate traffic graphs for IPs or subnets that have the selected IP Description. To generate traffic graphs using IP Descriptions, fill in the form displayed below.
46. ff process.
- Mem: The amount of memory used by the WANGuard Sniff process.
- Started: The time and date when the WANGuard Sniff process started.
- IPs: The number of unique IP addresses detected making traffic. Only your network's IP addresses are counted.
- Pkts/s (Inbound / Outbound): The packets/second throughput after validation and filtering.
- Bits/s (Inbound / Outbound): The bits/second throughput after validation and filtering.
- Received Pkts/s: The rate of received packets before validation and filtering.
- Dropped Pkts/s: It represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation.

Active WANGuard Flow Systems Table

The Active WANGuard Flow Systems table displays the latest system information collected from the active WANGuard Flow systems. If there are no WANGuard Flow systems configured, then this table is not displayed. The table has the following format:

- Status: If the active WANGuard Flow system is functioning properly, then a green checked arrow is displayed. If WANGuard Console cannot manage or reach the WANGuard Flow system, then a red X icon is displayed. In this case, make sure that WANGuard Flow is configured correctly, read the Events Log and make su
47. for IP addresses and subnets that match the selected IP Description and will generate a traffic accounting report for them. By using this option, you can easily generate IP traffic accounting reports for clients, departments, etc. with multiple subnets allocated.

By IP Address / Subnet

To generate a traffic accounting report for an IP address or subnet, fill in the form displayed below.

The From, Until and WANGuard Sensor(s) fields are explained in the beginning of this section. For the IP Address / Subnet fields, use the CIDR notation. To generate traffic accounting reports for hosts (not networks), select the /32 CIDR. For more information about CIDR, consult the Network Basics You Should Be Aware Of chapter (Page 13).

If the traffic accounting report is empty, check if the entered IP Address / Subnet is included in the selected WANGuard Sensor's IP Zone and that the Accounting parameter for that IP class is set to Yes.

Protocols Distribution Graphs

WANGuard Sensor systems configured with the
48. have the first bit of their IP addresses set to 0. Since Class A networks have an 8-bit network mask, the use of a leading zero leaves only 7 bits for the network portion of the address, allowing for a maximum of 128 possible network numbers, ranging from 0.0.0.0 to 127.0.0.0. Number 127.x.x.x is reserved for loopback, used for internal testing on the local machine.

Class B addresses always have the first bit set to 1 and their second bit set to 0. Since Class B addresses have a 16-bit network mask, the use of a leading 10 bit pattern leaves 14 bits for the network portion of the address, allowing for a maximum of 16,384 networks, ranging from 128.0.0.0 to 191.255.0.0.

Class C addresses have their first two bits set to 1 and their third bit set to 0. Since Class C addresses have a 24-bit network mask, this leaves 21 bits for the network portion of the address, allowing for a maximum of 2,097,152 network addresses, ranging from 192.0.0.0 to 223.255.255.0.

Class D addresses are used for multicasting applications. Class D addresses have their first three bits set to 1 and their fourth bit set to 0. Class D addresses are 32-bit network addresses, meaning that all the values within the range of 224.0.0.0 to 239.255.255.255 are used to uniquely identify multicast groups. There are no host addresses within the Class D address space, since all the hosts within a group share the group's IP address for receiver p
49. ified VLANs rather than inter-VLAN traffic, use CatOS 7.2 or higher and issue the following command:

Switch> (enable) set mls bridged-flow-statistics enable

And enable NDE:

Switch> (enable) set mls nde enable

To see the current NetFlow configuration and state, issue the following commands:

Switch> (enable) show mls nde
Switch> (enable) show mls debug

Configuring NDE on a Native IOS Device

To configure NDE use the same commands as for the IOS device. In the enable mode on the Supervisor Engine, issue the following to set up the NetFlow export version 5:

switch(config)# mls nde sender version 5

The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as this decreases RAM usage and increases the performance of WANGuard Flow.

switch(config)# mls aging long 8
switch(config)# mls aging normal 4

On the Supervisor Engine 1, issue the following to put full flows into the NetFlow exports:

switch(config)# mls flow ip full

If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher, issue the following commands instead:

switch(config)# mls flow ip interface-full
switch(config)# mls nde interface

Configuring NDE on a 4000 Series Switch

Configure the switch the same as an IOS device, but instead of command ip route c
50. iper, Extreme Networks, Huawei, 3COM and others.

Installation

WANGuard Platform Lite can be installed on common server hardware, provided that the system requirements listed later in this chapter are met. If you have some basic Linux operation skills then no training is required for the software installation. Feel free to contact our support team for any issues.

Installing WANGuard Platform Lite does not generate any negative side effects on your network's performance. Installation and configuration may take less than an hour; after that your network will be monitored immediately. No baseline data gathering is required.

System Requirements

WANGuard Platform Lite 3.0 has been tested with the following Linux distributions:
• Red Hat Enterprise Linux 5.0 (commercial Linux distribution)
• CentOS 4.0, 5.0, 5.1 (free, Red Hat Enterprise Linux based distribution)
• OpenSuSE 10.3 (free, Novell Enterprise Linux based distribution)
• Debian Linux 4.0 (free, community supported distribution)
Other distributions should work but haven't been tested yet.

The WANGuard Platform Lite architecture is completely scalable. By installing the software on better hardware, the number of monitored endpoints and networks increases. All WANGuard Platform Lite components can be installed on a single server if enough resources are provided (RAM, CPU, disk space, network cards). You can also install the comp
51. leave it on because the performance penalty is extremely low.
• Graph Data Path: This field contains the path on the WANGuard Console server where the traffic graphs data collected from the WANGuard Flow system is stored. It's safe to save multiple WANGuard Sensors' graph data in the same path. If you set the data path on a larger partition, on RAM (with tmpfs) etc., make sure that the wanguard system user has write privileges there.
• IP Zone: The IP Zone field provides a selection of currently defined IP Zones that can be used by WANGuard Flow. If the field has no options then you must first define an IP Zone. For more information about IP Zones please read the previous chapter.
• Details: You can use this field to store comments about the current WANGuard Flow configuration.

In the following configuration example, WANGuard Flow monitors traffic passing the WAN and LAN interfaces, it generates Top statistics and uses IP class information found in the Public IPs IP Zone.
52. monitor the largest enterprises with hundreds of thousands of endpoints to the smallest branch office with tens of endpoints. The supported traffic capturing methods work with most switches, routers, firewalls and other network devices. The methods are:
• Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP: The analysis of network packets sent by a monitoring port of a switch, router or network TAP. The WANGuard Sensor that handles network packets is called WANGuard Sniff.
• NetFlow Monitoring: The analysis of pre-aggregated data flows sent by NetFlow or NetStream enabled routers and Layer 3 switches. The WANGuard Sensor that handles NetFlow and NetStream data is called WANGuard Flow.
• In-line Deployment: The analysis of incoming and outgoing network packets that pass through a network card of an in-line deployed Linux server. From a software perspective this method is virtually identical with the Port Mirroring method, so WANGuard Sniff is used in this scenario too.

Depending on your network configuration, your needs and your hardware, you must choose between the three methods of traffic capturing. For high availability scenarios it's recommended to use more than one method of traffic capturing in parallel.

Please read on to further understand the differences between the supported methods of traffic capturing and the differences between WANGuard Sniff and WANGuard Flow.

Port Mirroring Switche
53. n paste directly the file's content in the input field. The license key contains encrypted information about the licensed capabilities of the software. You can upgrade to the Full version (incl. traffic anomalies detection & protection) or downgrade to the Lite version (without traffic anomalies detection & protection) solely by changing the license key.

Log into WANGuard Console using the default username / password combination of admin / wanguard.

A First Look at the Systems View

Immediately after logging into WANGuard Console, the layout of the Systems View will be displayed. You can change the default View by editing your User preferences. Because no WANGuard Sensor system was previously configured and enabled, and no data was gathered, the Systems View will be mostly empty. More information about Views can be found in the Views chapter (page 37).

You can navigate throughout WANGuard Console using the drop-down menu located in the upper side of every page.

Managing WANGuard Console Users
54. ng the MAC address of the upstream or downstream router. If you don't populate the IP Zone with your IP classes then WANGuard Flow can only validate the traffic it captures by analyzing the ASN.

Keep in mind that WANGuard Platform Lite uses the CIDR notation for subnets. To enter individual hosts in IP Zones you must use the /32 CIDR. For more about CIDR notation you can consult Chapter 4, "Network Basics You Should Be Aware Of" (page 13).

Inheritance

One very special IP class that is defined by default in every IP Zone is the 0.0.0.0/0 IP class. The 0.0.0.0/0 supernet contains all private and public IP addresses available for IPv4.

To ease the configuration of IP Zones, every new IP class that you define inherits the properties of the closest (having the biggest CIDR) IP class that includes it. The only IP class that does not inherit any properties is the 0.0.0.0/0 IP class, because there is no other IP class that includes it.

WANGuard Sensor must learn from its allocated IP Zone the properties of the IP addresses it analyzes. This is why, if WANGuard Sensor cannot include an IP address in the IP classes you defined, it applies the properties of the 0.0.0.0/0 IP class. So for unknown IP addresses the 0.0.0.0/0 properties are applied.

In the last section of this chapter you can see an example on how inheritance works.

IP Zone Selection

To manage IP Zone
55. o WANGuard Console.
• DEBUG: Debug events are used only for troubleshooting purposes.

The Default View field lets you select what View will be displayed immediately after logging into WANGuard Console:
• Systems View: recommended for systems administrators
• Reports View: recommended for network administrators

IP Zones Setup

This chapter describes how to create, manage and understand IP Zones.

Understanding IP Zones

IP Zones are hierarchical, tree-like structures that contain user-provided information about any combination of the following elements:
• a network server, client or router
• a network link, subnet, or an entire network
• an individual Internet user or company
• an Internet Service Provider (ISP)

Each WANGuard Sensor extracts from IP Zones the following information:
• what subnets should be monitored
• what subnets should generate traffic graphs and accounting data
• subnets descriptions

When configuring a WANGuard Sensor (page 28) you will have to select the IP Zone that will be used. An IP Zone may be used by multiple WANGuard Sensor systems, but a WANGuard Sensor system can use only one IP Zone.

An IP Zone must contain all subnets that are routed within your Autonomous System, or the subnets that should be monitored. If you don't populate the IP Zone with your IP classes then WANGuard Sniff can only validate the traffic it captures by analyzi
56. ollowing format:
• System: The name or description of the WANGuard Platform Lite component that generated the event.
• Module: The module or internal function that generated the event.
• Severity: Events are tagged with a severity value that describes the importance of the event. Severity level descriptions are listed in the Managing Users chapter (page 18).
• Event: The text of the event.
• Details: Some modules provide additional information in this field.
• Date: The date and time when the notification was generated.

Stats Logs

Statistics Logs contain traffic statistics recorded by WANGuard Platform Lite components. New rows are inserted every 5 seconds, so expect lots of records. These logs are used only for debugging purposes and are not documented in this manual.

Help Menu

Contextual Help

The Contextual Help provides direct access to the WANGuard Platform Lite User Guide. Depending on the context, the User Guide will open at the chapter describing the active window. If the Contextual Help does not work, please install Adobe PDF Reader on your computer.

AS Information

The AS Information window provides access to the Whois database (RIPE, ARIN, APNIC) that offers information about Autonomous System Numbers.

IP Information

The IP Information window provides details about IP addresses and domains, as well as web-based access to ping, whois, t
57. onents on multiple servers distributed across your network.

WANGuard Sensor System Requirements for 1 Gigabit Network Interface

WANGuard Sensor: WANGuard Sniff 3.0 | WANGuard Flow 3.0
Architecture: x86 (32 or 64 bit) | x86 (32 or 64 bit)
CPU: 1 x Pentium IV 2.0 GHz | 1 x Pentium IV 1.6 GHz
Memory: 500 MBytes | 3 GBytes
Network Cards: 1 x Gigabit Ethernet (with NAPI support), 1 x Fast Ethernet
Operating System: Linux 2.6.x kernel | Linux 2.6.x kernel
Installed Packages: tcpdump, WANGuard Sensor 3.0, WANGuard Controller 3.0
Disk Space: 5 GB (including OS) | 5 GB (including OS)

When using WANGuard Flow, network devices must be configured to send NetFlow version 5 data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1, Configuring NetFlow Data Export (page 54).

When using WANGuard Sniff you must know that by default only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring in switched networks, the use of switches or routers with so called monitoring port is required. For configuring Cisco switches please consult "Catalyst Switched Port Analyzer (SPAN) Configuration Example" on http://www.cisco.com/w
58. ort generated for the selected host or network.

IP Addresses w
59. other in a distributed environment, nodes are given explicit addresses that uniquely identify the particular network the system is on and uniquely identify the system to that particular network. When these two identifiers are combined, the result is a globally unique address.

This address, known as IP address, as IP number, or merely as IP, is a code made up of numbers separated by three dots that identifies a particular computer on the Internet. These addresses are actually 32-bit binary numbers, consisting of the two sub-addresses (identifiers) mentioned above which, respectively, identify the network and the host to the network, with an imaginary boundary separating the two. An IP address is, as such, generally shown as 4 octets of numbers from 0-255 represented in decimal form instead of binary form.

For example, the address 168.212.226.204 represents the 32-bit binary number 10101000.11010100.11100010.11001100.

The binary number is important because that will determine which class of network the IP address belongs to. The Class of the address determines which part belongs to the network address and which part belongs to the node address (see IP address Classes further on).

The location of the boundary between the network and host portions of an IP address is determined through the use of a subnet mask. This is another 32-bit binary number which acts like a filter when it is applied to the 32-bit IP address. By comparing a subnet m
60. our router uses the BGP protocol, you can configure AS to be included in exports with command:

router(config)# ip flow-export version 5 [peer-as | origin-as]

The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Please use only these values, as this decreases RAM usage and increases the performance of WANGuard Flow.

router(config)# ip flow-cache timeout active 1
router(config)# ip flow-cache timeout inactive 30

In enable mode you can see the current NetFlow configuration and state:

router# show ip flow export
router# show ip cache flow
router# show ip cache verbose flow

Configuring NDE on a CatOS Device

In privileged mode on the Supervisor Engine, enable NDE:

Switch> (enable) set mls nde <ip address> 2000

Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used only as an example.

Switch> (enable) set mls nde version 5

The following command is required to set up flow mask to full flows:

Switch> (enable) set mls flow full

The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as this decreases RAM usage and increases the performance of WANGuard Flow.

Switch> (enable) set mls agingtime long 8
Switch> (enable) set mls agingtime 4

If you want to account all traffic within the spec
61. outers with so called monitoring port is required. For configuring Cisco switches please consult "Catalyst Switched Port Analyzer (SPAN) Configuration Example" on http://www.cisco.com/warp/public/473/41.html. To configure TAPs or other devices that support port mirroring, please consult the producer's documentation.

The WANGuard Sniff Selection window lets you select which WANGuard Sniff system you wish to edit or delete. To add a new WANGuard Sniff system, select New WANGuard Sniff and then click <Next>. If no WANGuard Sniff system was previously configured then the WANGuard Sniff Selection form will have only the option to add a new WANGuard Sniff system.
62. The refreshing of tables can be stopped by clicking the <Pause> button. When the <Pause> button is clicked it will change into a <Resume> button that will resume the refreshing of tables when clicked.

The Systems View page is composed of Active Systems tables and two tabs: WANGuard Sensor Live Graphs and Events. Each of those elements is explained in the following sections.

Active WANGuard Sniff Systems Table

The Active WANGuard Sniff Systems table displays the latest system information collected from the active WANGuard Sniff systems. If there are no WANGuard Sniff systems configured then this table is not displayed. The table has the following format:
• Status: If the active WANGuard Sniff system is functioning properly then a green checked arrow is displayed. If WANGuard Console cannot manage or reach the WANGuard Sniff system then a red X icon is displayed. In this case make sure that WANGuard Sniff is configured correctly, read the Events Log and make sure that the WANGuardController daemon is running on all systems.
• WANGuard Sniff: Displays the description of the WANGuard Sniff system and a colored box with the Graph Color Inbound as defined in the configuration.
• Load: The load of the operating system for the last 5 minutes.
• CPU: The CPU percent used by the WANGuard Sni
63. raceroute and telnet commands. IP information is contained in an internal database that contains IP ranges, Country codes and Autonomous System information.

IP Protocols

The IP Protocols window provides access to a table that contains descriptions for all available IPv4 protocols.

Subnet Calculator

The Subnet Calculator lets you see and calculate network masks, CIDR, broadcast addresses, number of hosts and IP ranges for subnets.

TCP & UDP Ports

The TCP & UDP Ports window provides access to a table that contains name, description, service, common servers and common clients for well known TCP and UDP port numbers.

About

The About window provides information about the WANGuard Platform version and license. You can change the license key from this window.

Appendix 1: Configuring NetFlow Data Export

This appendix is a brief guide to setting up the NetFlow data export (NDE) on Cisco and Juniper routers or intelligent Cisco Layer 2 / Layer 3 / Layer 4 switches. If you have problems with the configuration, contact your network administrator or Cisco consultant. For devices that run hybrid mode on a Supervisor Engine (Catalyst 65xx series) it is recommended to configure IOS NDE on the MSFC card and CatOS NDE on the Supervisor Engine. For more information about setting up NetFlow please visit http://www.cisco.com/go/netflow.

Configuring NDE on an IOS Device

In th
64. re that the WANGuardController daemon is running on all systems.
• WANGuard Flow: Displays the description of the WANGuard Flow system.
• Load: The load of the operating system for the last 5 minutes.
• CPU: The CPU percent used by the WANGuard Flow process.
• Mem: The amount of memory used by the WANGuard Flow process.
• Started: The time and date when the WANGuard Flow process started.
• Interface: The interface description and a colored box with the Graph Color Inbound configured for the interface.
• IPs: The number of unique IP addresses detected making traffic through the interface. Only your network's IP addresses are counted.
• Pkts/s (Inbound / Outbound): The packets/second throughput after validation and filtering. Only the traffic passing the interface is analyzed.
• Bits/s (Inbound / Outbound): The bits/second throughput after validation and filtering. Only the traffic passing the interface is analyzed.
• Flows/s: The rate of flows that contain traffic passing the interface.
• Flows Delay: Because traffic data must be aggregated, NetFlow devices export flows with a certain configured delay. Some devices export flows much later than the configured delays, and this field contains the maximum flows delay detected by WANGuard Flow. WANGuard Flow cannot run with delays over 5 minutes. To minimize RAM usage and maximize the performance of the WANGuard Flow process, the flows must be exported as soon as possible.
65. rt as configured on the flow exporter.
• Flow Exporter IP: The IP address of the flow exporter, usually the Loopback0 interface IP on the network device.
• SNMP Community: The read-only SNMP community of the network device. The community is used by WANGuard Console when it connects to the flow exporter to get SNMP indexes.
• Interfaces: Here you must define the network interfaces that will be monitored. Each interface must contain the following information:
  o SNMP Index: The SNMP index of the interface. You can click the < > button to allow WANGuard Console to connect to the network device, using the Flow Exporter IP and SNMP Community defined earlier, and to display the available interfaces and indexes.
  o Description: A short generic description used for interface identification.
  o Type: Specifies the type of the interface.
    ▪ Ingress: Traffic entering an Ingress interface also enters your network. Traffic that leaves an Ingress interface leaves your network.
    ▪ Egress: Traffic entering an Egress interface leaves your network. Traffic that leaves an Egress interface enters your network.
    ▪ Null: Traffic entering the Null interface is discarded by the router and by the WANGuard Flow.
  o Graph Color Inbound: Here you can select the color you will see on graphs as inbound (ingress) traffic for the current interface. By default a random color will be chosen
66. s you must first select IP Zones from Setup menu. You will enter the IP Zones Selection window.

The IP Zones Selection window lets you select existing IP Zones to edit, change description, copy or delete. If no IP Zones were previously added then the form will only have the option to add a new IP Zone.

Adding a new IP Zone

To add a new IP Zone you must select the New IP Zone from the IP Zone Selection form and then click <Edit>. Then you will be asked to enter a generic description that will help you identify the new IP Zone.

Changing Description, Copying & Deleting IP Zones

Adding a new IP Zone will update the IP Zones Selection window
67. t the color by pressing the < > button.
• IP Zone: The IP Zone field provides a selection of currently defined IP Zones that can be used by WANGuard Sniff. If the field has no options then you must first define an IP Zone. For more information about IP Zones please read the previous chapter.
• Details: You can use this field to store comments about the current WANGuard Sniff configuration.

An example of a working WANGuard Sniff configuration is displayed below. This WANGuard Sniff system analyzes all VLAN 900 traffic it receives on the first network interface, it generates Top statistics and it will use IP class information found in the VLAN 900 IP Zone.

After a new WANGuard Sniff system is added the WANGuard Sniff Selection windo
68. time network traffic parameters about the data flowing through router interfaces and switch ports: packets/s, bits/s, bytes/s, IPs/s, flows/s etc.
• MRTG-style traffic graphs and traffic accounting reports for IP addresses and subnets in your network, for any time frame.
• Real-time network traffic statistics: top talkers per protocol, number of IPs, top protocols, protocols distribution, TCP and UDP ports distribution etc.

The recorded data is stored in an internal SQL database that can be easily queried and referenced. The recorded monitoring statistics can be viewed through a rich Ajax-based Web 2.0 web interface.

WANGuard Platform Lite Components

The WANGuard Platform Lite has two main components:

WANGuard Sensor

WANGuard Sensor is an advanced Linux-based software created to do both incoming and outgoing traffic monitoring and accounting. At its core, WANGuard Sensor has a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Complex statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network. WANGuard Platform Lite does not enable WANGuard Sensor's traffic anomaly detection and reaction capabilities.

WANGuard Sensor Features and Benefits
• Any number of instances can be deployed across the network and all colle
69. urposes.

Class E addresses are defined as experimental and are reserved for future testing purposes. They have never been documented or utilized in a standard way.

The WANGuard Platform Lite uses extensively, throughout its components, IP Addresses and IP Classes with the CIDR notation.

Subnet CIDR Notation

CIDR   Class                        Hosts       Mask
/32    1/256 C                      1           255.255.255.255
/31    1/128 C                      2           255.255.255.254
/30    1/64 C                       4           255.255.255.252
/29    1/32 C                       8           255.255.255.248
/28    1/16 C                       16          255.255.255.240
/27    1/8 C                        32          255.255.255.224
/26    1/4 C                        64          255.255.255.192
/25    1/2 C                        128         255.255.255.128
/24    1 C                          256         255.255.255.000
/23    2 C                          512         255.255.254.000
/22    4 C                          1024        255.255.252.000
/21    8 C                          2048        255.255.248.000
/20    16 C                         4096        255.255.240.000
/19    32 C                         8192        255.255.224.000
/18    64 C                         16384       255.255.192.000
/17    128 C                        32768       255.255.128.000
/16    256 C, 1 B                   65536       255.255.000.000
/15    512 C, 2 B                   131072      255.254.000.000
/14    1024 C, 4 B                  262144      255.252.000.000
/13    2048 C, 8 B                  524288      255.248.000.000
/12    4096 C, 16 B                 1048576     255.240.000.000
/11    8192 C, 32 B                 2097152     255.224.000.000
/10    16384 C, 64 B                4194304     255.192.000.000
/9     32768 C, 128 B               8388608     255.128.000.000
/8     65536 C, 256 B, 1 A          16777216    255.000.000.000
/7     131072 C, 512 B, 2 A         33554432    254.000.000.000
/6     262144 C, 1024 B, 4 A        67108864    252.000.000.000
/5     524288 C, 2048 B, A          1342177
70. After a new WANGuard Flow system is added, the WANGuard Flow Selection window is updated. If there is a green OK sign on the right of the WANGuard Flow then the WANGuard Flow is running. If there is a red X sign instead then the WANGuard Flow is inactive or not running. If you checked the Active switch but the WANGuard Flow is still not running, you can find a description of the error in the WANGuard Flow Events Logs (see Archive chapter, page 52) or in the Events Tab (see Views chapter, page 40).

Views

Views are WANGuard Console windows that display the latest information collected from active WANGuard
71. ve the IP Description you select. The second option generates IP traffic accounting reports for the entered IP or subnet. The following fields are common for both options:
• From / Until: Enter the desired time frame.
• WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding the Control key.

By IP Description

By selecting this option you can generate traffic accounting reports for IPs or subnets that have the selected IP Description. To generate traffic accounting reports using IP Descriptions, fill in the form displayed below.

The From, Until and WANGuard Sensor(s) fields are explained at the beginning of this section. To generate traffic accounting reports using this option, first select an IP Zone and then select an IP Description included in the selected IP Zone. WANGuard Console will search
72. w Monitoring

Because the NetFlow protocol already performs a pre-aggregation of traffic data, the flow of data sent to the monitoring server running WANGuard Flow is much smaller than the monitored traffic. This makes NetFlow the ideal option for monitoring remote, high-traffic networks. The downside of NetFlow monitoring is that computing the pre-aggregation of traffic data requires large amounts of RAM, it has significant delays, and the accuracy of traffic parameters is lower than when directly inspecting network packets.

Comparison between Packet Sniffing and NetFlow Monitoring

The table below provides a quick comparison between the three available traffic capturing technologies. The hardware requirements for each method are different. The requirements are listed in the next chapter.

WANGuard Sensor: WANGuard Sniff | WANGuard Flow
Traffic Capturing Technology: Port Mirroring, Network TAP, In-line Deployment | NetFlow or NetStream v.5 enabled network devices
10 GigE | 10 GigE
> 150 000 endpoints | < 100 000 endpoints
Traffic Parameters Accuracy: Highest (5 seconds averages) | High
Traffic Validation Options: IP Subnets, MAC addresses, VLANs | IP Subnets, Interfaces, ASN

Manufacturer devices supporting WANGuard Flow are: Cisco Systems 1400, 1600, 1700, 2500, 2600, 3600, 4500, 4700, AS5300, 5800, 7200, 7500, Catalyst 4500, Catalyst 5000, 6500, 7600, ESR 10000, GSR 12000, Jun
73. w is updated. If there is a green OK sign on the right of the WANGuard Sniff, then the WANGuard Sniff is running. If there is a red X sign instead, then the WANGuard Sniff is inactive or not running. If you checked the Active switch but the WANGuard Sniff is still not running, you can find a description of the error in the WANGuard Sniff Events Logs (see Archive chapter, Page 52) or in the Events Tab (see Views chapter, Page 40).

[Screenshot: WANGuard Sniff Selection]

WANGuard Flow Configuration

When using WANGuard Flow, network devices must be configured to send NetFlow version 5 data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1, Configuring NetFlow Data Export (page 54).

The WANGuard Flow Selection window lets you select which WANGuard Flow system you wish to edit or delete. To add a new WANGuard Flow system, select New WANGuard Flow and then click <Next>. If no WANGuard Flow system was previously configured, then the WANGuard Flow Selection form will have only the option to add a new WANGuard Flow system
74. ystems

If you install WANGuard Console on a publicly available server, you should immediately change the default password for the admin user and eventually add new users. To manage WANGuard Console users, you must select Users from the Setup menu. A list of existing users will be displayed. To view additional information about a user, you must click the first icon in the first column. To change user passwords or to edit user details, you must click the second icon in the first column. To delete a user, you must click the third icon in the first column.

[Screenshot: WANGuard Console Users list]

To add a new user, click the <Add> button. Fill the following fields and click the <Save> button to add the new user.

[Screenshot: WANGuard Console Users form with the fields Password, Role, Full Name, Email, Departament, Company, Events Verbosity and Default View]

The Username and P
