
WANGuard Platform 3.0 User Manual


Contents

1. WANGuard Lite 3.1 User Manual
Copyright & trademark notices
This edition applies to version 3.1 of the licensed program WANGuard Lite and to all subsequent releases and modifications until otherwise indicated in new editions.
Notices
References in this publication to ANDRISOFT S.R.L. products, programs or services do not imply that ANDRISOFT S.R.L. intends to make these available in all countries in which ANDRISOFT S.R.L. operates. Evaluation and verification of operation in conjunction with other products, except those expressly designated by ANDRISOFT S.R.L., are the user's responsibility. ANDRISOFT S.R.L. may have patents or pending patent applications covering subject matter in this document. Supplying this document does not give you any license to these patents. You can send license inquiries, in writing, to the ANDRISOFT S.R.L. marketing department, sales@andrisoft.com.
Copyright Acknowledgment
ANDRISOFT S.R.L. 2008. All rights reserved. This document is copyrighted and all rights are reserved by ANDRISOFT S.R.L. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without the permission in writing from ANDRISOFT S.R.L. The information cont
2. Adding a new IP Zone
To add a new IP Zone you must select "New IP Zone" from the IP Zone Selection form and then click <Edit>. Then you will be asked to enter a generic description that will help you identify the new IP Zone.
[Screenshot: IP Zone Configuration, New IP Zone Description form with the description "VLAN 900"]
Changing Description, Copying & Deleting IP Zones
Adding a new IP Zone will update the IP Zones Selection window.
[Screenshot: IP Zones Selection window listing "VLAN 900" and "New IP Zone"]
You can configure the selected IP Zone by clicking the <Edit> button. To change the description of the selected IP Zone you must click the <Description> button and then provide a different description. To copy the selected IP Zone you must click the <Copy> button. A new IP Zone will be created that will have the same information and the same description with the word "copy" attached. In some cases, when you have multiple WANGuard Sensor systems, you may have to create multiple IP Zones tha
3. about the data flowing through router interfaces and switch ports
- Provides on-demand MRTG-style traffic graphs for any IP address or IP class in your network, for any time frame. Traffic graphs accuracy can be defined between 5 seconds and 10 minutes
- WANGuard Sensor is completely scalable and can monitor and generate graphs for hundreds of thousands of IP addresses
- Includes a very flexible billing system for bandwidth-based billing
- Easy and non-disruptive installation on common server hardware
- The most cost-effective traffic monitoring and accounting solution on the market
WANGuard Console
WANGuard Console provides a tightly integrated and highly graphical, interactive, Ajax-based Web 2.0 interface for all aspects of network traffic monitoring and accounting. Included in the WANGuard Console is the advanced graphing engine that provides quick and easy ad-hoc graphing functionality. WANGuard Console offers single-point management and reporting by consolidating the data from all WANGuard Sensor systems deployed within the network.
WANGuard Console Features and Benefits
- Consolidated real-time WANGuard Sensor management and monitoring using a rich Ajax-based Web 2.0 web interface
- IP Zones support for segmenting your network by departments, clients, server clusters, etc.
- Intuitive, desktop-application-like menu system
- Easy to use navigation allows to drill into the l
4. [Screenshot: Traffic Accounting by IP / Subnet form with the IP Address / Subnet, From, Until and WANGuard Sensor(s) fields and the Generate Accounting Report button]
The From, Until and WANGuard Sensor(s) fields are explained in the beginning of this section. For the IP Address / Subnet fields use the CIDR notation. To generate traffic accounting reports for hosts, not networks, select the /32 CIDR. For more information about CIDR consult the "Network Basics You Should Be Aware Of" chapter (Page 13). If the traffic accounting report is empty, check if the entered IP Address / Subnet is included in the selected WANGuard Sensor's IP Zone and that the Accounting parameter for that IP class is set to "Yes".
Protocols Distribution Graphs
WANGuard Sensor systems configured with the Top option collect protocols distribution data. You can view this data by selecting Protocols Distribution from the Reports menu. To generate Protocols Distribution graphs fill the following form:
[Screenshot: Protocols Distribution Graphs form]
5. [Screenshot: WANGuard Sniff Selection window]
WANGuard Flow Configuration
When using WANGuard Flow, network devices must be configured to send NetFlow version 5 data packets to the server. For detailed instructions on how to enable NetFlow on your network devices please consult the vendor's website. Some examples are included in Appendix 1, Configuring NetFlow Data Export (page 55). The WANGuard Flow Selection window lets you select which WANGuard Flow system you wish to edit or delete. To add a new WANGuard Flow system select "New WANGuard Flow" and then click <Next>. If no WANGuard Flow system was previously configured then the WANGuard Flow Selection form will have only the option to add a new WANGuard Flow system.
[Screenshot: WANGuard Flow Selection window and WANGuard Flow Configuration form with the fields Active, Description, IP Address, Port, Flow Exporter IP, SNMP Comm
6. subnet or an entire network
- an individual Internet user or company
- an Internet Service Provider (ISP)
Each WANGuard Sensor extracts from IP Zones the following information:
- the IP classes that will be monitored
- the IP classes that will generate traffic graphs and accounting data
- IP classes descriptions
When configuring a WANGuard Sensor (Page 28) you have to select the IP Zone that will be used. An IP Zone may be used by multiple WANGuard Sensor systems, but a WANGuard Sensor system can use only one IP Zone. An IP Zone must contain the IP classes that are routed within your Autonomous System or the IP classes owned by your organization. If you don't populate the IP Zone with your IP classes then WANGuard Sniff can only validate the traffic it captures by analyzing the MAC address of the upstream or downstream router. If you don't populate the IP Zone with your IP classes then WANGuard Flow can only validate the traffic it captures by analyzing the ASN or the interface type. Keep in mind that WANGuard Lite defines IP classes (subnets) using the CIDR notation. To enter individual hosts in IP Zones you must use the /32 CIDR. For more about CIDR notation you can consult Chapter 4, Network Basics You Should Be Aware Of (Page 13).
Inheritance
One very special IP class that is defined by default in every IP Zone is the 0.0.0.0/0 IP class. The 0.0.0.0/0 supernet contains all private and public IP addresses available for I
7. the Destination switch on. The MAC address must be written using the Linux convention: six groups of two hexadecimal values separated by colons.
- IP Validation: For WANGuard Sniff to distinguish between inbound and outbound traffic it must use at least one of the two techniques available: MAC filtering (previous parameter) or IP Validation. The IP Validation parameter has three options:
  o Off: Will disable IP Validation. Make sure MAC Filter is configured instead.
  o On: WANGuard Sniff will only analyze the traffic that has the source and/or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0).
  o Strict: WANGuard Sniff will only analyze the traffic that has either the source or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0).
- Direction: You can configure the direction of the traffic that should be analyzed by WANGuard Sniff.
  o Inbound & Outbound: WANGuard Sniff will monitor both inbound and outbound traffic. Using this option generates a minor performance penalty under very high loads.
  o Inbound: WANGuard Sniff will only monitor inbound traffic.
- Top: This checkbox lets you choose if you want WANGuard Sniff to sort the traffic statistics for top-like visualizations. It is recommended to leave it on because the performance penalty is extremely low.
- Graph Data Path: This field contains the path on the WANGuard Console server where the traffic graphs data collected from t
8. BGP protocol, you can configure AS to be included in exports with the command:
    router(config)# ip flow-export version 5 [peer-as | origin-as]
The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Please use only these values, as this decreases the RAM usage and increases the performance of WANGuard Flow.
    router(config)# ip flow-cache timeout active 1
    router(config)# ip flow-cache timeout inactive 30
In enable mode you can see the current NetFlow configuration and state:
    router# show ip flow export
    router# show ip cache flow
    router# show ip cache verbose flow
Configuring NDE on a CatOS Device
In privileged mode on the Supervisor Engine, enable NDE:
    switch> (enable) set mls nde <ip address> 2000
Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used only as an example.
    Switch> (enable) set mls nde version 5
The following command is required to set up the flow mask to full flows:
    Switch> (enable) set mls flow full
The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as this decreases the RAM usage and increases the performance of WANGuard Flow.
    Switch> (enable) set mls agingtime long 8
    Switch> (enable) set mls agingtime 4
If you want to account all traffic within the specified VLANs rather
9. [Screenshot: traffic accounting report with per-interval totals and averages]
Traffic Accounting and Graphing
This chapter describes how to generate advanced traffic graphs and traffic accounting reports from data collected by WANGuard Sensor systems. For an easier but more limited access to traffic graphs and accounting reports you can use the Reports View (Page 41).
IP Traffic Graphs Setup
To configure IP traffic graphs parameters select IP Graphs from the Setup menu.
[Screenshot: IP Graphs Parameters form with the Graphing Interval, Averages, Intervals, Data Units and Aggregation settings and the Change Parameters button]
By default, every WANGuard Sensor stores IP graphing data with 5 minutes averages for 7 days, 15 minutes averages for 1 month and 2 hours averages for 1 year. The default graphing interval is 5 minutes. If you do not
10. and Company fields are optional. The Events Verbosity field lets you select the minimum severity level of the events that will be displayed in the Systems View:
- MELTDOWN: Meltdown events are generated when a very serious error is detected in the system, such as a hardware error.
- CRITICAL: Critical events are generated when a significant software error is detected, such as a memory exhaustion.
- ERROR: Error events are caused by misconfiguration or communication errors between WANGuard Lite components.
- WARNING: Warning events are generated when authentication errors occur, when there are errors updating graph data files and when there are synchronization issues.
- INFO: Informational events are generated when configurations are changed and when users log into WANGuard Console.
- DEBUG: Debug events are used only for troubleshooting purposes.
The Default View field lets you select what View will be displayed immediately after logging into WANGuard Console:
- Systems View: recommended for systems administrators
- Reports View: recommended for network administrators
IP Zones Setup
This chapter describes how to create, manage and understand IP Zones.
Understanding IP Zones
IP Zones are hierarchical, tree-like structures that contain user-provided information about any combination of the following elements:
- a network server, client or router
- a network link
11. change the default parameters, every IP for which you enabled graphing will require 603 kbytes of storage on the WANGuard Console's file system. The Graphing Interval specifies the granularity of the graphs. The highest available granularity value is 5 seconds and the lowest is 5 minutes. When using WANGuard Flow, do not set the Graphing Interval to a lower value than the Accuracy parameter. When granularity is very high, WANGuard Sensor uses more CPU, the WANGuard Console system becomes more loaded, and the network traffic between WANGuard Sensor and WANGuard Console is increased if the components are not installed on the same server. The Averages and Intervals values specify the granularity for old data and how long you want the data to be stored. The Data Units options let you select the traffic parameters that will be stored. The Aggregation options let you select how you want the average values to be consolidated. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type. All the above options have a direct impact on the storage space required on the WANGuard Console file system. The storage space required per IP will be updated when you click the <Change Parameters> button. If you change the graph
12. mask shows that 8 bits are used for the host portion of the address block, a maximum of 256 host addresses are available for that specific network. If a subnet mask shows that 16 bits are used for the host portion of the address block, a maximum of 65,536 possible host addresses are available for use on that network. An Internet Service Provider (ISP) will generally assign either a static IP address (always the same) or a dynamic address (changes every time one logs on). ISPs and organizations usually apply to the InterNIC for a range of IP addresses so that all clients have similar addresses. There are about 4.3 billion IP addresses. The class-based, legacy addressing scheme places heavy restrictions on the distribution of these addresses. TCP/IP networks are inherently router-based, and it takes much less overhead to keep track of a few networks than millions of them.
IP Classes
Class A addresses always have the first bit of their IP addresses set to 0. Since Class A networks have an 8-bit network mask, the use of a leading zero leaves only 7 bits for the network portion of the address, allowing for a maximum of 128 possible network numbers, ranging from 0.0.0.0 to 127.0.0.0. Number 127.x.x.x is reserved for loopback, used for internal testing on the local machine. Class B addresses always have the first bit set to 1 and their second bit set to 0. Since Class B addres
13. significant degradation of the services can seriously damage the businesses, including loss of customers and subsequent loss of revenue. For the network administrator this means that he has to ensure the network's uptime, reliability and speed, as well as the efficient use of the existing resources. Andrisoft WANGuard Lite is an enterprise-grade, Linux-based software solution that delivers the functionality NOC and IT teams need to effectively monitor their network through a single, integrated package. The components have been built from the ground up to be high-performing, reliable and secure. WANGuard Lite is feature-rich, simple to deploy and configure, causing no disruption within the network.
What WANGuard Lite Can Do For You
Andrisoft WANGuard Lite is an easy-to-use software that provides network traffic monitoring and accounting. It allows you to quickly and easily set up and run monitoring server(s) for networks. Using the integrated web interface, with just a few mouse clicks you can view:
- Historic and real-time network traffic parameters about the data flowing through router interfaces and switch ports (packets/s, bits/s, bytes/s, IPs/s, flows/s, etc.)
- MRTG-style traffic graphs and traffic accounting reports for IP addresses and IP classes in your network, for any time frame
- Historic and real-time network traffic statistics: top talkers per protocol, number of IPs, top protocols, protocols distribution, ASN distribution, TCP an
14. /32   1/256 C                          1            255.255.255.255
/31   1/128 C                          2            255.255.255.254
/30   1/64 C                           4            255.255.255.252
/29   1/32 C                           8            255.255.255.248
/28   1/16 C                           16           255.255.255.240
/27   1/8 C                            32           255.255.255.224
/26   1/4 C                            64           255.255.255.192
/25   1/2 C                            128          255.255.255.128
/24   1 C                              256          255.255.255.000
/23   2 C                              512          255.255.254.000
/22   4 C                              1024         255.255.252.000
/21   8 C                              2048         255.255.248.000
/20   16 C                             4096         255.255.240.000
/19   32 C                             8192         255.255.224.000
/18   64 C                             16384        255.255.192.000
/17   128 C                            32768        255.255.128.000
/16   256 C, 1 B                       65536        255.255.000.000
/15   512 C, 2 B                       131072       255.254.000.000
/14   1024 C, 4 B                      262144       255.252.000.000
/13   2048 C, 8 B                      524288       255.248.000.000
/12   4096 C, 16 B                     1048576      255.240.000.000
/11   8192 C, 32 B                     2097152      255.224.000.000
/10   16384 C, 64 B                    4194304      255.192.000.000
/9    32768 C, 128 B                   8388608      255.128.000.000
/8    65536 C, 256 B, 1 A              16777216     255.000.000.000
/7    131072 C, 512 B, 2 A             33554432     254.000.000.000
/6    262144 C, 1024 B, 4 A            67108864     252.000.000.000
/5    524288 C, 2048 B, 8 A            134217728    248.000.000.000
/4    1048576 C, 4096 B, 16 A          268435456    240.000.000.000
/3    2097152 C, 8192 B, 32 A          536870912    224.000.000.000
/2    4194304 C, 16384 B, 64 A         1073741824   192.000.000.000
/1    8388608 C, 32768 B, 128 A        2147483648   128.000.000.000
/0    16777216 C, 65536 B, 256 A       4294967296   000.000.000.000
Getting Started with WANGuard Lite
Please read the following Basic Concepts section in order to get a clear overview of the ba
15. [Screenshot: WANGuard Flow Configuration form, interfaces table]
After a new WANGuard Flow system is added, the WANGuard Flow Selection window is updated. If there is a green "OK" sign on the right of the WANGuard Flow, then the WANGuard Flow is running. If there is a red "X" sign instead, then the WANGuard Flow is inactive or not running. If you checked the Active switch but the WANGuard Flow is still not running, you can find a description of the error in the WANGuard Flow Events Logs (see Archive chapter, Page 53) or in the Events Tab (see Views chapter, Page 40).
[Screenshot: WANGuard Flow Selection window listing "NetFlow Router" and "New WANGuard Flow"]
Views
Views are WANGuard Console windows that display the latest information collected from WANGuard Lite components. Every View displays text and graphical elements using the Ajax technology (Web 2.0) that offers flicker-free web page updates every 5 seconds. To browse through available Views, click the Views menu and then select Systems View (for systems administrators) or Reports View (for network administrators).
Systems Vie
16. Pv4. To ease the configuration of IP Zones, every new IP class that you define inherits by default the properties of the closest (having the biggest CIDR) IP class that includes it. The only IP class that does not inherit any properties is the 0.0.0.0/0 IP class, because there is no other IP class that includes it. WANGuard Sensor must learn from its IP Zone the properties of the IP addresses it analyzes. This is why, if WANGuard Sensor cannot include a detected IP address in the IP classes you defined, it applies the properties of the 0.0.0.0/0 IP class. So, for unknown IP addresses, the 0.0.0.0/0 properties are applied. In the last section of this chapter you can see an example on how inheritance works.
IP Zone Selection
To manage IP Zones you must first select IP Zones from the Setup menu. You will enter the IP Zones Selection window.
[Screenshot: WANGuard Console Setup menu]
The IP Zones Selection window lets you select existing IP Zones to edit, change description, copy or delete. If no IP Zones were previously added, then the form will only have the option to add a new IP Zone.
[Screenshot: IP Zones Selection window]
17. [Screenshot: Reports View with the WANGuard Sensors, IP Descriptions and IP Addresses sections and the Packets/s and IPs/s graphs for NetFlow Router WAN Interface]
The Traffic Tops area provides live statistics about top hosts (talkers), top TCP ports, top UDP ports, top IP protocols and top AS Numbers (only when NetFlow is used). This tab is not available if the selected WANGuard Sensor does not have the Top option activated in its configuration.
IP Descriptions Section
This section contains IP Description fields extracted from all existing IP Zones. When you click an IP Description, the right side of the Reports View will contain two tabbed areas, as you can see in the screens
18. VERAGE. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type.
WANGuard Flow ASN Graphs
The WANGuard Flow ASN Graphs page will not be accessible through the Menu if there is no previously configured WANGuard Flow system. WANGuard Flow systems configured with the Top option collect data that can be used to generate very accurate Autonomous System graphs for every detected Autonomous System Number. To use this option, your flow exporter must be configured to include AS information in the exported flows. You can generate graphs by ASN by entering one or more Autonomous System Numbers. If more than one ASN is entered (delimited by space) and if you check the Sum Multiple ASNs option, then a single graph will be generated containing data from all ASNs.
Archive
All WANGuard Lite components store traffic and operational details in a MySQL database located on the WANGuard Console server. You can view the contents of the database by selecting the tables from the Archive menu.
[Screenshot: Archive menu with the Events Logs and Stats Logs entries]
Events Logs
Events Logs contain all events generated by WANGuard Lite components. Each component that generate
19. WANGuard Sniff. Packet sniffing provides extremely fast and accurate traffic accounting and analysis results.
NetFlow Monitoring
NetFlow Monitoring is the domain of networks that usually use Cisco or Huawei L3 switch or router flows. These can be configured to send data streams with the network's usage data to a Linux server running WANGuard Flow.
How NetFlow Monitoring Works
One option to measure bandwidth usage by IP address is to use the NetFlow protocol, which is especially suited for high-traffic, remote networks. Many routers and Layer 3 switches from Cisco support this protocol, as well as vendors like Huawei (NetStream), Juniper, Extreme Networks, 3COM and others. Network devices with NetFlow support track the bandwidth usage of the network internally and can be configured to send pre-aggregated data to a Linux server running WANGuard Flow for traffic analysis and accounting purposes.
Reasons to choose NetFlow Monitoring
Because the NetFlow protocol already performs a pre-aggregation of traffic data, the flow of data sent to the monitoring server running WANGuard Flow is much smaller than the monitored traffic. This makes NetFlow the ideal option for monitoring remote, high-traffic networks. The downside of the NetFlow monitoring is that computing the pre-aggregation of traffic data requires large amounts of RAM, it has significant delays and the accuracy of traff
20. WANGuard Sniff can only inspect data packets that actually flow through the network interface(s) of the host server. In switched networks only the traffic for a specific device is sent to the device's network card. If the server running WANGuard Sniff is not deployed in-line, it can't capture the traffic of other network components. For WANGuard Sniff to analyze the traffic of other hosts in your network, you must use a network TAP, or a switch or router that offers a monitoring port or port mirroring configuration (Switched Port Analyzer, SPAN, for Cisco devices; Roving Analysis Port for 3Com devices). In this case the network device sends a copy of data packets traveling through a port or VLAN to the monitoring port. After you configure the network device, install WANGuard Sensor on a Linux server and connect it to the monitoring port. WANGuard Sniff will be able to analyze the whole traffic that passes through the selected port or VLAN, with or without VLAN tag stripping. If you don't have network devices that can do port mirroring, you can deploy a Linux server on the main data path and WANGuard Sniff will be able to analyze the traffic flows that are routed through the server. Note that the server will become a single point of failure if you don't configure VRRP.
Reasons to choose Port Mirroring, Network TAP, In-line Deployment
Packet sniffing comes into consideration if you can provide the higher CPU power needed by
21. a colored box with the Graph Color Inbound configured for the interface.
- IPs: The number of unique IP addresses detected making traffic through the interface. Only your network's IP addresses are counted.
- Pkts/s (Inbound / Outbound): The packets/second throughput after validation and filtering. Only the traffic passing the interface is analyzed.
- Bits/s (Inbound / Outbound): The bits/second throughput after validation and filtering. Only the traffic passing the interface is analyzed.
- Flows/s: The rate of flows that contain traffic passing the interface.
- Flows Delay: Because traffic data must be aggregated, NetFlow devices export flows with a certain configured delay. Some devices export flows much later than the configured delays, and this field contains the maximum flows delay detected by WANGuard Flow. WANGuard Flow cannot run with delays over 5 minutes. To minimize the RAM usage and improve the performance of the WANGuard Flow process, the flows must be exported as soon as possible.
WANGuard Sensor Live Graphs Tab
The WANGuard Sensor Graphs Tab provides an animated, dynamic graph that illustrates trends over time of various traffic parameters collected from WANGuard Sensor systems. The right side of the tab contains three selection lists that configure the graph:
- WANGuard Sensor: Select the WANGuard Sensor system you're interested in.
- Data Unit: Sel
22. aceroute and telnet commands. IP information is contained in an internal database that contains IP ranges, Country codes and Autonomous System information.
IP Protocols
The IP Protocols window provides access to a table that contains descriptions for all available IPv4 protocols.
Subnet Calculator
The Subnet Calculator lets you see and calculate network masks, CIDR, broadcast addresses, number of hosts and IP ranges for subnets.
TCP & UDP Ports
The TCP & UDP Ports window provides access to a table that contains name, description, service, common servers and common clients for well-known TCP and UDP port numbers.
About
The About window provides information about the WANGuard version and license. The license key can be changed from this window.
Appendix 1: Configuring NetFlow Data Export
This appendix is a brief guide to setting up the NetFlow data export (NDE) on Cisco and Juniper routers or intelligent Cisco Layer 2 / Layer 3 / Layer 4 switches. If you have problems with the configuration, contact your network administrator or Cisco consultant. For devices that run hybrid mode on a Supervisor Engine (Catalyst 65xx series) it is recommended to configure IOS NDE on the MSFC card and CatOS NDE on the Supervisor Engine. For more information about setting up NetFlow please visit http://www.cisco.com/go/netflow.
Configuring NDE on an IOS Device
In the configura
23. address configured on the server that must run the selected WANGuard Sniff. This field is used by the WANGuardController daemon for system identification.
- Network Interface: This field must contain the network interface that receives the port-mirrored traffic. If the WANGuard Sniff server is deployed in-line, then it must contain the network interface that receives the traffic towards your network. If the traffic is tagged with a VLAN header and you check VLAN Support, then the VLAN header will be ignored. If you want to split the traffic by VLANs, then you must create a virtual network interface for each VLAN using the vconfig command and then add a WANGuard Sniff for each new virtual interface. The network interface name must use the network interface naming conventions of the Linux operating system: eth0 for the first interface, eth1 for the second, eth0.900 for the first interface with VLAN 900, and so on.
- MAC Filter: For WANGuard Sniff to distinguish between inbound and outbound traffic it must use at least one of the two techniques available: MAC filtering or IP Validation (next parameter). The MAC Filter, together with the Source / Destination switch, allows WANGuard Sniff to validate the inbound traffic and the outbound traffic. The MAC Filter should contain the MAC address of the upstream router with the Source switch on, or the MAC address of the downstream router with
24. ained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. ANDRISOFT S.R.L. will not be responsible for any loss, costs or damages incurred due to the use of this documentation. WANGuard Lite is a SOFTWARE PRODUCT of ANDRISOFT S.R.L. ANDRISOFT and WANGuard are trademarks of ANDRISOFT S.R.L. Other company, product or service names may be trademarks or service marks of others.
ANDRISOFT S.R.L., Str. Lunei L30 Ap. 11, 300109 Timisoara, Timis, Romania. Phone: 40721250246; fax: 40256209738. Sales: Sales@andrisoft.com. Technical Support: Support@andrisoft.com. Website: http://www.andrisoft.com
Copyright ANDRISOFT S.R.L. 2008. All rights reserved.
Table of Contents
1 Traffic Monitoring and Traffic Accounting with WANGuard Lite
  What WANGuard Lite Can Do For You
2 How To Choose A Method Of Traffic Capturing
  Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line deployment
  How Port Mirroring, Network TAP, In-line Deployment works
25. al between consecutive refreshes of the graph. The graph will update itself flicker-free, but it's best to keep the refresh interval big for low-bandwidth monitoring stations.
Events Tab
The Events Tab provides a list with the latest events recorded in the Events Log. Every field is explained in the Events Log section of the Archive chapter (Page 53).
Reports View
The Reports View provides easy access to live and historical information about monitored hosts, networks and network interfaces. The Reports View is split vertically in two sides. The left side contains three sections: WANGuard Sensors, IP Descriptions and IP Addresses. To prevent clutter, you can click each section's header to minimize or maximize the section.
WANGuard Sensors Section
When you click a WANGuard Sensor description or interface, the right side of the Reports View will contain two tabbed areas, as you can see in the screenshot below. The Traffic Graphs area displays graphs containing traffic parameters generated by the selected WANGuard Sensor.
[Screenshot: Reports View, Traffic Graphs tab for a selected WANGuard Sensor]
26. and will use IP class information found in the VLAN 900 IP Zone.
[Screenshot: WANGuard Sniff Configuration form. Description: LAN Switch VLAN 900; IP Address: 192.168.1.100; Network Interface: eth0.900; IP Validation: On; Direction: Inbound & Outbound; Graph Data Path: /opt/wanguard/rrd]
After a new WANGuard Sniff system is added, the WANGuard Sniff Selection window is updated. If there is a green OK sign on the right of the WANGuard Sniff, then the WANGuard Sniff is running. If there is a red X sign instead, then the WANGuard Sniff is inactive or not running. If you checked the Active switch but the WANGuard Sniff is still not running, you can find a description of the error in the WANGuard Sniff Events Logs (see Archive chapter, Page 53) or in the Events Tab (see Views chapter, Page 40).
27. aphs Tab and Events Tab. Each of those elements is explained in the following sections.
Active WANGuard Sniff Systems Table
The Active WANGuard Sniff Systems table displays the latest system information collected from active WANGuard Sniff systems. If there are no WANGuard Sniff systems configured, then this table is not displayed. The table has the following format:
• Status: If the active WANGuard Sniff system is functioning properly, then a green checked arrow is displayed. If WANGuard Console cannot manage or reach the WANGuard Sniff system, then a red X icon is displayed. In this case, make sure that WANGuard Sniff is configured correctly, read the Events Log and make sure that the WANGuardController daemon is running on all systems.
• WANGuard Sniff: Displays the description of the WANGuard Sniff system and a colored box with the Graph Color Inbound as defined in the configuration.
• Load: The load of the operating system for the last 5 minutes.
• CPU: The CPU percent used by the WANGuard Sniff process.
• Mem: The amount of memory used by the WANGuard Sniff process.
• Started: The time and date when the WANGuard Sniff process started.
• IPs: The number of unique IP addresses detected making traffic. Only your network's IP addresses are counted.
• Pkts/s (Inbound / Outbound): The packets/second throughput after validation and filtering.
• Bits/s (Inbound / Outbound): The bits/second throughput after validation and fil
28. at handles network packets is called WANGuard Sniff.
• NetFlow Monitoring: The analysis of pre-aggregated data flows sent by NetFlow or NetStream enabled routers and Layer 3 switches. The WANGuard Sensor that handles NetFlow and NetStream data is called WANGuard Flow.
• In-line Deployment: The analysis of incoming and outgoing network packets that pass through a network card of an in-line deployed Linux server. From a software perspective, this method is virtually identical with the Port Mirroring method, so WANGuard Sniff is used in this scenario too.
Depending on your network configuration, your needs and your hardware, you must choose between the three methods of traffic capturing. For high-availability scenarios, it's recommended to use more than one method of traffic capturing in parallel. Please read on to further understand the differences between the supported methods of traffic capturing and the differences between WANGuard Sniff and WANGuard Flow.
Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line deployment
In order to do traffic monitoring and accounting, WANGuard Sniff inspects all network data packets passing the host server's network card, including the network data packets sent by a monitoring port of a switch or router.
How Port Mirroring, Network TAP, In-line Deployment works
It is very important to understand that
29. at will be monitored. Each interface must contain the following information:
  o SNMP Index: The SNMP index of the interface. You can click the <> button to allow WANGuard Console to connect to the network device, using the Flow Exporter IP and SNMP Community defined earlier, and to display the available interfaces and indexes.
  o Description: A short generic description used for interface identification.
  o Type: Specifies the type of the interface.
    - Ingress: Traffic entering an Ingress interface also enters your network. Traffic that leaves an Ingress interface leaves your network. Upstream provider interfaces are always Ingress.
    - Egress: Traffic entering an Egress interface leaves your network. Traffic that leaves an Egress interface enters your network. On border routers, interfaces towards your network are always Egress.
    - Null: Traffic entering the Null interface is discarded by the router and by the WANGuard Flow.
  o Graph Color Inbound: Here you can select the color you will see on graphs as inbound (ingress) traffic for the current interface. By default, a random color will be chosen. To change the color, you can enter the color as an HTML Color Code or you can manually select the color by pressing the <> button.
  o Graph Color Outbound: Here you can select the color you will see on graphs as outbound (egress) traffic for the current interface. By default, a random color will be chosen. To change the color you ca
30. ates a different traffic graph. If checked, all selected WANGuard Sensors generate a single traffic graph that contains the summed traffic data.
• Data Unit: Enter the data unit for the traffic graph: packets/second, bits/second or bytes/second. If some data units are missing, see the IP Traffic Graphs configuration (Page 44).
• Graph Size: Select the graph size.
• Aggregation: Select the aggregation procedure for the graph: MINIMUM, MAXIMUM or AVERAGE. If some aggregation types are missing, see the IP Traffic Graphs configuration (Page 44).
By IP Description
By selecting this option, you can generate traffic graphs for IPs or IP classes that share the selected IP Description. To generate traffic graphs using IP Descriptions, fill the form displayed below.
[Screenshot: Traffic Graphing by IP Description form]
Most fields are explained in the beginning of this section. To generate IP traffic graphs using this option, first select an IP Zone and then select an IP Descripti
31. d UDP ports distribution etc. The recorded data is stored in an internal SQL database that can be easily queried and referenced. The recorded monitoring statistics can be viewed through a rich Ajax-based Web 2.0 web interface.
WANGuard Lite Components
The WANGuard Lite has two main components:
WANGuard Sensor
WANGuard Sensor is an advanced Linux-based software created to do both incoming and outgoing traffic monitoring and accounting. At its core, WANGuard Sensor has a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Complex statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network. WANGuard Lite does not enable WANGuard Sensor's traffic anomaly detection and reaction features.
WANGuard Sensor Features and Benefits
• Any number of instances can be deployed across the network, and all collected data will be centralized and available through a single web interface that you can quickly access from any location.
• The supported traffic monitoring methods are: Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line Deployment, Cisco NetFlow and Huawei NetStream.
• You can access various real-time parameters: top talkers, number of IP addresses, top protocols, protocols distribution etc
32. dress selected. As explained in the Understanding IP Zones Inheritance section, every IP Zone contains the 0.0.0.0/0 supernet. To edit the 0.0.0.0/0 IP class properties, click 0.0.0.0/0 from the IP classes tree.
[Screenshot: IP Zone Configuration, Parameters for 0.0.0.0/0 in IP Zone VLAN 900]
The right section will be populated with properties that apply to all IP addresses included in the selected IP class, if the properties are not subsequently overwritten. The Inheritance column shows the parent IP class from which the value was inherited. Every IP class has the following properties:
• Accounting: If the Accounting parameter is set to Yes, then WANGuard Sensor records traffic accounting data for every IP address included in the selected IP class. Accounting data contains the number of inbound and outbound packets and bits, and averages of packets and bits rates. If the Accounting parameter is set to Inherit, then the value is inherited from the parent IP class. If the parameter is set to No, then no accounting da
33. WANGuard Sensor Graphs
WANGuard Console can generate on-demand MRTG-style graphs for WANGuard Sensor traffic parameters for the selected time frame. To generate WANGuard Sensor graphs, you must fill the form below after selecting WANGuard Sensor Graphs from the Reports menu.
[Screenshot: WANGuard Sensor Graphs form]
The WANGuard Sensor Graphs form fields:
• From / Until: Enter the desired time frame.
• WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding the Control key.
• Sum Multiple Sensors: If unchecked, each WANGuard Sensor generates a different traffic graph. If checked, all selected WANGuard Sensors generate a single traffic graph that contains all traffic data.
• Data Unit: Select the traffic parameter the graph will represent:
  o Bits: The bits/second throughput recorded by WANGuard Sensor.
  o Bytes: The bytes/second through
34. [Screenshot: IP Zone Configuration, Parameters for 10.0.1.0/24 (IP Description: Customer Service), placed within 10.0.0.0/8 (Internal Network)]
In the image below you can see that a new IP class called Office Building was added. Because the Accounting parameter was modified to Yes, every IP address included in 10.0.2.0/25 will generate accounting data.
[Screenshot: IP Zone Configuration, Parameters for 10.0.2.0/25 in IP Zone VLAN 900, placed within 10.0.0.0/8 (Internal Network)]
In the image below you can see that the 192.168.0.0/16 IP class was added and placed automatically within the 0.0.0.0/0 IP class. WANGuard Sensor will generate traffic graphs and will record accounting data for all IPs that belong to this IP class.
[Screenshot: IP Zone Configuration, Parameters for 192.168.0.0/16. IP classes tree: 0.0.0.0/0 (Unknown), 10.0.0.0/8 (Internal Network), 10.0.1.0/24 (Customer Service), 10.0.2.0/25 (Office Building)]
WANGuard Sensor Setu
35. e actually 32-bit binary numbers, consisting of the two sub-addresses (identifiers) mentioned above which, respectively, identify the network and the host to the network, with an imaginary boundary separating the two. An IP address is, as such, generally shown as 4 octets of numbers from 0-255 represented in decimal form instead of binary form. For example, the address 168.212.226.204 represents the 32-bit binary number 10101000.11010100.11100010.11001100. The binary number is important because that will determine which class of network the IP address belongs to. The Class of the address determines which part belongs to the network address and which part belongs to the node address (see IP address Classes further on).
The location of the boundary between the network and host portions of an IP address is determined through the use of a subnet mask. This is another 32-bit binary number which acts like a filter when it is applied to the 32-bit IP address. By comparing a subnet mask with an IP address, systems can determine which portion of the IP address relates to the network and which portion relates to the host. Anywhere the subnet mask has a bit set to 1, the underlying bit in the IP address is part of the network address. Anywhere the subnet mask is set to 0, the related bit in the IP address is part of the host address. The size of a network is a function of the number of bits used to identify the host portion of the address. If a subnet
36. ect the traffic parameter the graph will represent:
  o Bits: The bits/second throughput recorded by WANGuard Sensor.
  o Bytes: The bytes/second throughput recorded by WANGuard Sensor.
  o Packets: The packets/second throughput recorded by WANGuard Sensor.
  o IPs: The number of unique IP addresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted.
  o Received packets or flows: For WANGuard Sniff, it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow, it represents the rate of received flows before validation or filtering occurs.
  o Dropped packets or flows: For WANGuard Sniff, it represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow, it represents the rate of flows dropped in the flow receiving process. When the number is high, it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.
  o Unknown packets or flows: For WANGuard Sniff, it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow, it represents the rate of discarded flows caused by validation or filtering.
• Refresh Interval: Select the interv
37. Reasons to choose Port Mirroring, Network TAP, In-line Deployment
How NetFlow Monitoring works
Reasons to choose NetFlow Monitoring
Comparison between Packet Sniffing and NetFlow Monitoring
System Requirements
WANGuard Sensor System Requirements for 1 Gigabit Network Interface
WANGuard Console System Requirements for < 5 WANGuard Sensors
4. Network Basics You Should Be Aware Of
Who Should Read This Section
A Short Introduction To IP Addresses & Classes
5. Getting Started with WANGuard Lite
Basic Concepts
Opening WANGuard Console for the first time
A First Look at the Systems View
Managing WANGuard Console Users
38. ess in the C class. If the traffic graphs are not displayed, check that the entered IP Address/Subnet is included in the selected WANGuard Sensor's IP Zone and that the Graphing parameter for that IP class is set to Yes.
IP Traffic Accounting
WANGuard Console can generate on-demand IP traffic accounting reports for every host, IP class or IP classes that share the same IP Description, for any time frame. To generate an IP traffic accounting report, select IP Traffic Accounting from the Reports menu and then select one of the two available options.
[Screenshot: Reports menu, IP Traffic Accounting options: By IP Description, By IP Subnet]
The first option generates IP traffic accounting reports for IP addresses or IP classes that have the IP Description you select. The second option generates IP traffic accounting reports for the entered IP address or IP class. The following fields are common for both options:
• From / Until: Enter the desired time frame.
• WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding
39. [Screenshot: Reports View, "Customer 1 WEB" bits/s graphs for NetFlow Router LAN Interface and R12000 SPAN]
IP Addresses Section
This section provides an IP tree that contains all IP classes extracted from existing IP Zones. When you click an IP class, the right side of the Reports View will contain two tabbed areas, as you can see in the screenshot below. The Traffic Graphs area contains graphs with traffic parameters generated for the selected host or network. The Traffic Accounting area contains a traffic accounting report generated for the selected host or network.
[Screenshot: Reports View, Traffic Graphs and Traffic Accounting tabs for a selected IP class]
40. he WANGuard Sniff system is stored. It's safe to save multiple WANGuard Sensors' graph data in the same path. If you set the data path on a larger partition, on RAM with tmpfs etc., make sure that the wanguard user has writing privileges there.
• Graph Color Inbound: Here you can select the color you will see on graphs as inbound traffic for the current WANGuard Sniff. By default, a random color will be chosen. To change the color, you can enter the color as an HTML Color Code or you can manually select the color by pressing the <> button.
• Graph Color Outbound: Here you can select the color you will see on graphs as outbound traffic for the current WANGuard Sniff. By default, a random color will be chosen. To change the color, you can enter the color as an HTML Color Code or you can manually select the color by pressing the <> button.
• IP Zone: The IP Zone field provides a selection of currently defined IP Zones that can be used by WANGuard Sniff. If the field has no options, then you must first define an IP Zone. For more information about IP Zones, please read the previous chapter.
• Details: You can use this field to store comments about the current WANGuard Sniff configuration.
An example of a working WANGuard Sniff configuration is displayed below. This WANGuard Sniff system analyzes all VLAN 900 traffic it receives on the first network interface, it generates Top statistics
41. hot below. The Traffic Graphs area contains graphs with traffic parameters generated for all hosts or networks that have the selected IP Description. The Traffic Accounting area contains a traffic accounting report generated for the hosts or networks that have the selected IP Description.
[Screenshot: Reports View, "Customer 1 WEB" bits/s graphs for LAN Switch VLAN 900 and R12000 SPAN]
42. ic parameters is lower than when directly inspecting network packets, especially when flow packet sampling is used.
Comparison between Packet Sniffing and NetFlow Monitoring
The table below provides a quick comparison between the three available traffic capturing technologies. The hardware requirements for each method are different. The requirements are listed in the next chapter.
WANGuard Sensor | WANGuard Sniff | WANGuard Flow
Traffic Capturing Technology | Port Mirroring, Network TAP, In-line Deployment | NetFlow or NetStream v5 enabled network devices
Traffic Capacity | 10 GigE, > 150,000 endpoints | 10 GigE, < 100,000 endpoints
Traffic Parameters Accuracy | Highest (5 seconds averages) | High
Traffic Validation Options | IP classes, MAC addresses, VLANs | IP classes, interfaces, AS Number
Manufacturer devices supporting WANGuard Flow are: Cisco Systems 1400, 1600, 1700, 2500, 2600, 3600, 4500, 4700, AS5300, 5800, 7200, 7500, Catalyst 4500, Catalyst 5000, 6500, 7600, ESR 10000, GSR 12000, Juniper, Extreme Networks, Huawei, 3COM and others.
Installation
WANGuard Lite can be installed on common server hardware, provided that the system requirements listed later in this chapter are met. If you have some basic Linux operation skills, then no training is required for the software installation. Feel free to contact our support team for any issues. Instal
43. if you want WANGuard Flow to sort the traffic statistics for top-like visualizations. It is recommended to leave it on because the performance penalty is extremely low.
• Graph Data Path: This field contains the path on the WANGuard Console server where the traffic graphs data collected from the WANGuard Flow system is stored. It's safe to save multiple WANGuard Sensors' graph data in the same path. If you set the data path on a larger partition, on RAM with tmpfs etc., make sure that the wanguard system user has writing privileges there.
• IP Zone: The IP Zone field provides a selection of currently defined IP Zones that can be used by WANGuard Flow. If the field has no options, then you must first define an IP Zone. For more information about IP Zones, please read the previous chapter.
• Details: You can use this field to store comments about the current WANGuard Flow configuration.
In the following configuration example, WANGuard Flow monitors traffic passing the WAN and LAN interfaces, it generates Top statistics and uses IP class information found in the Public IPs IP Zone.
[Screenshot: WANGuard Flow Configuration form for the NetFlow Router example]
44. ing System: Linux 2.6.x kernel; Linux 2.6.x kernel
Installed Packages: tcpdump, WANGuard Sensor 3.1, WANGuard Controller 3.1
Disk Space: 5 GB (including OS); 5 GB (including OS)
When using WANGuard Flow, network devices must be configured to send NetFlow version 5 data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1, Configuring NetFlow Data Export (page 55).
When using WANGuard Sniff, you must know that by default only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring in switched networks, the use of switches or routers with a so-called monitoring port is required. For configuring Cisco switches, please consult Catalyst Switched Port Analyzer (SPAN) Configuration Example on http://www.cisco.com/warp/public/473/41.html. To configure TAPs or other devices that support port mirroring, please consult the producer's documentation.
WANGuard Console System Requirements for < 5 WANGuard Sensors
Architecture: x86 (32 or 64 bit)
CPU: 1 x Pentium IV 2.4 GHz
Memory: 500 MBytes
Network Cards: 1 x Fast Ethernet or Gigabit Ethernet
Operating System: Linux kernel 2.6.x
apache 2.x, php 5, mysql 5.x, rrdtoo
45. irst column.
[Screenshot: WANGuard Console Users list]
To add a new user, click the <Add> button. Fill the following fields and click the <Save> button to add the new user.
[Screenshot: WANGuard Console Users form with the fields Username, Password, Role, Full Name, Email, Title, Phone, Department, Company, Events Verbosity and Default View]
The Username and Password fields are mandatory. Enter unique names for users. Currently there are two available access levels (Roles) for users:
• Normal User: The user can access all Views, generate traffic accounting and traffic graphs reports, read event logs and archives, but cannot view or manage WANGuard Sensor configurations, nor can it add or delete users.
• Administrator: The user has all privileges to view and manage WANGuard Lite components, including adding new users and changing users' passwords (existing users' passwords are always shown encrypted).
The Full Name, Email, Title, Phone, Department
46. ive monitoring results. Graphs are always generated on the fly for live reporting. Live traffic graphs are animated.
• Integrated contextual help system.
• Integrated web-based tools that provide:
  o AS (Autonomous System) information
  o IP information: reverse DNS, domain, URL, IP range, AS, ISP, Country, ping, traceroute, whois
  o IP Protocols information
  o TCP and UDP ports information
  o Subnet calculator
• The recorded data is stored in an internal SQL database that can be easily queried and referenced.
• Authenticated access (username/password necessary) for an unlimited number of users with different security profiles.
How To Choose A Method Of Traffic Capturing
This section explains the available methods you can use for traffic capturing. Reading this chapter is strongly recommended, as it will help you understand how to deploy WANGuard Sensor.
Supported Traffic Capturing Methods
WANGuard Sensor was designed to monitor the largest enterprises with hundreds of thousands of endpoints to the smallest branch office with tens of endpoints. The supported traffic capturing methods work with most switches, routers, firewalls and other network devices. The methods are:
• Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP: The analysis of network packets sent by a monitoring port of a switch, router or network TAP. The WANGuard Sensor th
47. l 1.2.x, perl 5.x
Installed Packages: perl-rrdtool, perl-MailTools, perl-DBD-MySQL, ping, whois, traceroute, telnet, WANGuard Console 3.1, WANGuard Controller 3.1
Disk Space: 5 GB (including OS) + additional storage when storing IP graphs data
To access the web interface provided by WANGuard Console, one of the following web browsers is required (others should also work but have not been tested): Firefox 2.0 or later, Internet Explorer 6.0 or later, Apple Safari 3.0 or later, Konqueror 3.5 or later, Opera 8.0 or later. The web browser must have JavaScript and cookies support activated. Java support is not required. To access the Contextual Help, please install Adobe PDF Reader. For the best WANGuard Console experience, we highly recommend the Firefox 3 browser and a 1280x1024 pixels or higher resolution monitor.
Download
All WANGuard Lite components can be downloaded directly from the Andrisoft website:
http://www.andrisoft.com/download/rpm for RedHat-based Linux distributions packages
http://www.andrisoft.com/download/suse for SuSE-based Linux distributions packages
http://www.andrisoft.com/download/deb for Debian-based Linux distributions packages
You may try a fully functional version of WANGuard Lite for 30 days. You can switch to a full-time registered version by applying a purchased license key. Binary WANGuard Lite components are packaged differently for i686 architec
48. ling WANGuard Lite does not generate any negative side effects on your network's performance. Installation and configuration may take less than an hour; after that, your network will be monitored immediately. No baseline data gathering is required.
System Requirements
WANGuard Lite 3.1 has been tested with the following Linux distributions: Red Hat Enterprise Linux 5.0 (commercial Linux distribution), CentOS 4.0, 5.0, 5.1, 5.2 (free, Red Hat Enterprise Linux based distribution), OpenSuSE 10.3 (free, Novell Enterprise Linux based distribution), Debian Linux 4.0 (free, community-supported distribution). Other distributions should work but haven't been tested yet.
The WANGuard Lite architecture is completely scalable. By installing the software on better hardware, the number of monitored endpoints and networks increases. All WANGuard Lite components can be installed on a single server if enough resources are provided (RAM, CPU, Disk Space, Network Cards). You can also install the components on multiple servers distributed across your network.
WANGuard Sensor System Requirements for 1 Gigabit Network Interface
WANGuard Sensor | WANGuard Sniff 3.1 | WANGuard Flow 3.1
Architecture | x86 (32 or 64 bit) | x86 (32 or 64 bit)
CPU | 1 x Pentium IV 2.0 GHz | 1 x Pentium IV 1.6 GHz
Memory | 500 MBytes | 2 GBytes
Network Cards | 1 x Gigabit Ethernet (with NAPI support) | 1 x Fast Ethernet
Operat
49. [Screenshot: Reports View for the time frame Last 3 Days. The WANGuard Sensors and IP Addresses sections show, per sensor and per IP class, Inbound Traffic and Outbound Traffic tables with the columns Avg Packets/s, Avg Bits/s, Total Packets and Total Bits.]
50. n enter the color as a HTML Color Code or you can manually select the color by pressing the < > button.
• Sampling: This parameter must contain the same sampling rate configured on the router. If no flow/packet sampling is used then sampling is 1/1 (default).
• Accuracy: RAM usage using the highest accuracy (5 seconds) can be very high. Decreasing the accuracy will decrease RAM usage and won't have any negative effects in most scenarios. A very low accuracy increases the traffic anomaly detection time.
• IP Validation:
  o Off: Will disable IP Validation.
  o On: WANGuard Flow will only analyze the traffic that has the source and/or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0).
  o Strict: WANGuard Flow will only analyze the traffic that has either the source or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0).
• AS Validation: Flows might contain the source and destination ASN (Autonomous System Number). In most configurations, if the ASN is set to 0 then the IP address belongs to your Autonomous System. AS Validation has three options:
  o Off: Will disable AS Validation.
  o On: Only flows that have the source ASN and/or the destination ASN set to 0 are analyzed.
  o Strict: Only flows that have either the source ASN or the destination ASN set to 0 are analyzed.
• Top: This checkbox lets you choose
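The Sampling, IP Validation and AS Validation settings described above can be tried on a NetFlow version 5 datagram with the following added example, which is not Andrisoft code. It reads "either ... or" in the Strict options as "exactly one of the two", which is an assumption, and the function names, zone and flow records are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 wire format, network byte order: 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header claims %d records, datagram is truncated" % count)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": ipaddress.IPv4Address(f[0]),
            "dst": ipaddress.IPv4Address(f[1]),
            "packets": f[5],
            "octets": f[6],
            "src_as": f[15],
            "dst_as": f[16],
        })
    return flows


def check(a, b, mode):
    """off: accept all; on: a and/or b; strict: exactly one (assumed reading)."""
    if mode == "off":
        return True
    if mode == "on":
        return a or b
    if mode == "strict":
        return a != b
    raise ValueError("mode must be off, on or strict")


def analyze(datagram, zone, sampling=1, ip_mode="on", as_mode="off"):
    """Return (kept_flows, unknown_count); counters are scaled by 1/n sampling."""
    nets = [ipaddress.ip_network(n) for n in zone]
    nets = [n for n in nets if n.prefixlen > 0]  # 0.0.0.0/0 never validates a flow
    kept, unknown = [], 0
    for flow in parse_v5(datagram):
        src_in = any(flow["src"] in n for n in nets)
        dst_in = any(flow["dst"] in n for n in nets)
        ip_ok = check(src_in, dst_in, ip_mode)
        as_ok = check(flow["src_as"] == 0, flow["dst_as"] == 0, as_mode)
        if ip_ok and as_ok:
            kept.append(dict(flow,
                             packets=flow["packets"] * sampling,
                             octets=flow["octets"] * sampling))
        else:
            unknown += 1  # discarded by validation
    return kept, unknown


def build_v5(records):
    """Build a datagram from (src, dst, packets, octets, src_as, dst_as) tuples."""
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    b"\x00" * 4, 0, 0, pk, oc, 0, 0, 0, 0, 0, 0, 6, 0, sa, da, 0, 0, 0)
        for s, d, pk, oc, sa, da in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body


# Constructed sample: one inbound, one internal and one transit flow.
SAMPLE_ZONE = ["0.0.0.0/0", "192.168.0.0/16"]
SAMPLE = build_v5([
    ("198.51.100.7", "192.168.1.10", 10, 5000, 64500, 0),
    ("192.168.1.10", "192.168.2.20", 3, 300, 0, 0),
    ("198.51.100.7", "203.0.113.9", 1, 40, 64500, 64501),
])

if __name__ == "__main__":
    for mode in ("off", "on", "strict"):
        kept, unknown = analyze(SAMPLE, SAMPLE_ZONE, sampling=100, ip_mode=mode)
        print("IP Validation %-6s kept=%d unknown=%d" % (mode, len(kept), unknown))
```

With Strict, the internal-to-internal flow is discarded as well as the transit flow, so traffic between two monitored hosts is no longer counted.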
51. nd ip route-cache flow infer-fields. This series requires a Supervisor IV with a NetFlow Services daughter card to support NDE.

Configuring NDE on a Juniper Router
Juniper supports flow exports by the routing engine sampling packet headers and aggregating them into flows. Packet sampling is done by defining a firewall filter to accept and sample all traffic, applying that rule to the interface, and then configuring the sampling forwarding option.

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    filter {
                        input all;
                        output all;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
    }
    firewall {
        filter all {
            term all {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 100;
                }
            }
            output {
                cflowd 192.168.1.100 {
                    port 2000;
                    version 5;
                }
            }
        }
    }
52. ng can be done by clicking the column name. By default the records are sorted by the insertion time, with the latest records being displayed first. To prevent clutter and high loading times, the records are listed on multiple pages. You can navigate through the pages with the bottom navigation buttons.
The first column on every record is populated with icons that engage actions such as viewing details about the record, changing the record and deleting the record. Users with Normal User privileges can only view details about records. Users with Administrator privileges can view, change and delete records.

IP Zones
IP Zones are hierarchical, tree-like structures that contain user-provided details about your network elements and segments. Each WANGuard Sensor uses an IP Zone from which it extracts information such as what IP classes must be monitored, what IP classes should generate traffic graphs and accounting data, and IP classes descriptions. The same IP Zone may be used by different WANGuard Sensor systems.

Opening WANGuard Console for the first time
WANGuard Console is essentially the web interface through which you will control and monitor all other components. If you followed the installation instructions correctly, from now on you will only need to log into WANGuard Console to manage the components. To log into WANGuard Console use a compatible web browser (listed at page 11) and access ht
53. on included in the selected IP Zone. WANGuard Console will search for IP addresses and IP classes that match the selected IP Description and will generate IP traffic graphs accordingly. By using this option you can easily generate traffic graphs for clients, departments, etc. with multiple allocated IP classes.

By IP Address / Subnet
To generate traffic graphs for an IP address or IP class, fill the form displayed below.
[Screenshot: Traffic Graphing by IP Subnet form with the fields IP Address / Subnet, WANGuard Sensor(s), Sum Multiple Sensors, Single IPs, Graph Size and Aggregation.]
Most fields are explained at the beginning of this section. For the IP Address / Subnet fields use the CIDR notation. To generate traffic graphs for hosts, not networks, select the /32 CIDR. For more information about CIDR consult the Network Basics You Should Be Aware Of chapter (Page 13).
Check the Single IPs option if you want a different traffic graph displayed for every IP address contained in the selected subnet. For example, when this option is used with a /24 CIDR then 256 traffic graphs are displayed, one for each IP addr
54. p
This chapter describes how to add, configure and delete WANGuard Sensor systems through WANGuard Console. To manage WANGuard Sensor systems you must first select the WANGuard Sensor type from the Setup menu. Keep in mind that our support team can help you with any configuration issues.
[Screenshot: Setup menu with the WANGuard Sensor submenu entries WANGuard Flow and WANGuard Sniff.]
To learn more about the differences between the two types of WANGuard Sensor please consult Chapter 2, How To Choose A Method Of Traffic Capturing (Page 7).

WANGuard Sniff Configuration
When using WANGuard Sniff you must know that by default only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring in switched networks, the use of switches or routers with a so-called monitoring port is required. For configuring Cisco switches please consult Catalyst Switched Port Analyzer (SPAN) Configuration Example on http www cisco com warp public 473 41 html. To configure TAPs or other devices that support port mirroring please consult the producer's documentation.
The WANGuard Sniff Selection window lets you select which WANGuard Sniff system you wish to edit or delete. To add a new WANGuard Sniff system select New WANGuard Sniff and then click <Next>. If no WANGuard Sniff system wa
55. put recorded by WANGuard Sensor.
  o Packets: The packets/second throughput recorded by WANGuard Sensor.
  o IPs: The number of unique IP addresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted.
  o Received packets or flows: For WANGuard Sniff it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow it represents the rate of received flows before validation or filtering occurs.
  o Dropped packets or flows: For WANGuard Sniff it represents the rate of packets dropped in the capturing process. When the number is high it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow it represents the rate of flows dropped in the flow receiving process. When the number is high it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.
  o Unknown packets or flows: For WANGuard Sniff it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow it represents the rate of discarded flows caused by validation or filtering.
• Graph Size: Select the size of the graph.
• Aggregation: Select the aggregation procedure for the graph: MINIMUM, MAXIMUM or A
56. Traffic Monitoring and Traffic Accounting with WANGuard Lite

Why WANGuard Lite Is Important
Most businesses today rely more and more on network infrastructure, so the computer network's reliability and speed are crucial for these businesses to be successful, and an efficient use of the available resources must be assured. The
57. s events is listed in a sub menu. Each record has the following format:
System: The name or description of the WANGuard Lite component that generated the event.
Module: The module or internal function that generated the event.
Severity: Events are tagged with a severity value that describes the importance of the event. Severity levels descriptions are listed in the Managing Users chapter (Page 18).
Event: The text of the event.
Details: Some modules provide additional information in this field.
Date: The date and time when the notification was generated.

Stats Logs
Statistics Logs contain traffic statistics recorded by WANGuard Lite components. New rows are inserted every 5 seconds, so expect lots of records. These logs are used only for debugging purposes and are not documented in this manual.

Help Menu

Contextual Help
The Contextual Help provides direct access to the WANGuard Lite User Guide. Depending on the context, the User Guide will open at the chapter describing the active window. If the Contextual Help does not work, please install Adobe PDF Reader on your computer.

AS Information
The AS Information windows provide access to an on-line ASN database (RIPE, ARIN, APNIC) and to a local ASN database.

IP Information
The IP Information windows provide details about IP addresses and domains, as well as web-based access to ping, whois, tr
58. s parameters make sure you delete old data from the paths defined in WANGuard Sensor configurations.

IP Traffic Graphs
WANGuard Console can generate on-demand MRTG-style graphs for every host, IP class or IP classes sharing the same IP Description. The time frame must be included in the biggest interval value configured in IP Traffic Graphs Setup. To generate IP traffic graphs select IP Traffic Graphs from the Reports menu and then select one of the two available options.
[Screenshot: Reports menu with the IP Traffic Graphs submenu entries By IP Description and By IP Subnet.]
The first option generates traffic graphs for IPs or IP classes that have the IP Description you select. The second option generates traffic graphs for the entered IP address or IP class.
The following fields are common for both options:
• From / Until: Enter the desired time frame.
• WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding the Control (Ctrl) key.
• Sum Multiple Sensors: If unchecked, each WANGuard Sensor gener
59. s previously configured then the WANGuard Sniff Selection form will have only the option to add a new WANGuard Sniff system.
[Screenshot: WANGuard Sniff Selection form with the New WANGuard Sniff option and the <Next> button.]
[Screenshot: WANGuard Sniff Configuration form with the fields Active, Description, IP Address, Network Interface, VLAN Support, MAC Filter, IP Validation, Direction, Top, Graph Data Path, Graph Color Inbound, Graph Color Outbound and IP Zone.]
The WANGuard Sniff Configuration window contains the following fields:
• Active: WANGuard Sniff is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Sniff system is running, then the WANGuardController daemon stops it.
• Description: A short generic description that helps you identify the WANGuard Sniff system.
• IP Address: A unique IP
60. ses
[Screenshot: IP Zone Configuration window showing the parameters for 10.0.0.0/8: Graphing set to Yes, Description set to Internal Network, and Accounting set to No, inherited from 0.0.0.0/0.]
After adding the 10.0.0.0/8 IP class using the top left form, the tree is immediately updated to contain the new IP class. The Inheritance column shows which values are inherited and from which parent IP class. In the image above you can see that the Accounting value is inherited from 0.0.0.0/0 because it is the only unmodified parameter. Every IP that belongs to the Internal Network will generate traffic graphs because the Graphing parameter is set to Yes.
In the next image a new IP class named Customer Service was added. Because this IP class is included in the Internal Network, it is displayed under it. All parameters except the Description were not modified, so the values are inherited from the direct parent IP class.
61. ses have a 16 bit network mask, the use of a leading "10" bit pattern leaves 14 bits for the network portion of the address, allowing for a maximum of 16,384 networks, ranging from 128.0.0.0 to 181.255.0.0.
Class C addresses have their first two bits set to 1 and their third bit set to 0. Since Class C addresses have a 24 bit network mask, this leaves 21 bits for the network portion of the address, allowing for a maximum of 2,097,152 network addresses, ranging from 192.0.0.0 to 223.255.255.0.
Class D addresses are used for multicasting applications. Class D addresses have their first three bits set to 1 and their fourth bit set to 0. Class D addresses are 32 bit network addresses, meaning that all the values within the range of 224.0.0.0 to 239.255.255.255 are used to uniquely identify multicast groups. There are no host addresses within the Class D address space, since all the hosts within a group share the group's IP address for receiver purposes.
Class E addresses are defined as experimental and are reserved for future testing purposes. They have never been documented or utilized in a standard way.
WANGuard Lite extensively uses IP Addresses and IP Classes with the CIDR notation throughout its components.

Subnet CIDR Notation
CIDR | Class | Hosts | Mask
62. sic premises required for the proper operation of the software.

Basic Concepts
To understand the concepts of WANGuard Lite, please be aware of the following phrases:

Menu Bar
Every browser window has a fixed drop-down menu bar on top, used for navigation throughout the WANGuard Console. The Menu Bar contains drop-down menus similar to the ones used in common desktop applications.

Views
WANGuard Console offers various ways to look at live collected data. We call these Views. You can switch between them by selecting the Views menu from the Menu Bar. There are two different types of Views available in the Lite version:
• Systems View: Displays a table with live information about all running WANGuard Sensor systems. On the bottom section it displays tabbed live traffic graphs and events.
• Reports View: Displays graphs and reports that contain traffic parameters collected from monitored network links, IP classes and IP Zones. Includes a live top-like network traffic visualizer supporting multiple protocols such as IPv4, TCP, TCP+syn, UDP, ICMP, as well as TCP and UDP ports and AS Numbers.
More information about Views is available in the Views chapter (page 37).

Tables
All WANGuard Lite modules store traffic and operational details in a MySQL database. The contents of the database are presented in WANGuard Console in the form of tables with a unified look and feel. Records can be queried using the top left <Search> button. Sorti
64. t share the same IP classes. Instead of recreating the same IP classes for each new IP Zone, you can copy an existing IP Zone and modify only the IP classes parameters. To delete the selected IP Zone you must click the <Delete> button and then confirm the deletion.
[Screenshot: IP Zones Selection form listing VLAN 900, VLAN 900 copy and New IP Zone, with the Edit, Description, Copy and Delete buttons.]

IP Zone Configuration
After a new IP Zone is added, the IP Zone Configuration window will look as in the image below.
[Screenshot: IP Zone Configuration window for the IP Zone VLAN 900, with the New IP Address / Subnet form.]
The IP Zone configuration window is divided in two sections, one on the left and one on the right. In the upper side of the left section you will see a form that is used to add IP addresses / classes to the IP Zone. Below you will see the name of the current IP Zone and the allocated IP classes tree. When adding a new IP class the tree is automatically updated. In the right section you will see detailed information about the selected IP class or IP address. The right section will be empty if there is no IP class or IP ad
65. ta is recorded.

Graphing
If the Graphing parameter is set to Yes, then WANGuard Sensor records graphing data for every IP address included in the selected IP class. Graphing data contains accurate information about inbound and outbound packets/second and bits/second rates. If the Graphing parameter is set to Inherit, then the value is inherited from the parent IP class. If the Graphing parameter is set to No, then no graphs will be generated for the current IP class.

Description
This parameter should contain a short description for the selected IP class or IP address. If the description field is empty, then the description is inherited from the parent IP class.

IP Zone Configuration Example
In the following images you will see how IP Zone inheritance works and how you can define the monitored IP classes.
[Screenshot: IP Zone Configuration window for the IP Zone VLAN 900 showing the parameters for 0.0.0.0/0: Accounting No, Graphing No.]
By default the 0.0.0.0/0 supernet has Accounting and Graphing parameters set to No. We don't recommend generating traffic parameters for unknown IP addres
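The parameter inheritance described in the Graphing and Description entries above, and walked through in the IP Zone Configuration Example, can be modelled as follows. This is an added sketch, not Andrisoft code: the class and method names are hypothetical, the 10.1.0.0/16 prefix for Customer Service is constructed (the manual does not give it), and reporting the class where a value was actually set as the inheritance source is an assumption.

```python
import ipaddress

PARAMS = ("accounting", "graphing", "description")


class IPZone:
    """IP classes keyed by CIDR; a parameter left as None means Inherit."""

    def __init__(self, accounting="No", graphing="No", description="Unknown"):
        # The manual states the 0.0.0.0/0 supernet defaults to Accounting No and
        # Graphing No; the "Unknown" description is assumed from the screenshot.
        root = ipaddress.ip_network("0.0.0.0/0")
        self.classes = {root: {"accounting": accounting,
                               "graphing": graphing,
                               "description": description}}

    def add(self, cidr, **params):
        """Add an IP class; ip_network() rejects CIDRs with host bits set."""
        net = ipaddress.ip_network(cidr)
        bad = set(params) - set(PARAMS)
        if bad:
            raise ValueError("unknown parameter(s): %s" % ", ".join(sorted(bad)))
        if net in self.classes:
            raise ValueError("%s is already in the zone" % net)
        self.classes[net] = {p: params.get(p) for p in PARAMS}
        return net

    def chain(self, target):
        """Classes containing target (an address or CIDR), most specific first."""
        target = ipaddress.ip_network(target)
        found = [n for n in self.classes if target.subnet_of(n)]
        return sorted(found, key=lambda n: n.prefixlen, reverse=True)

    def effective(self, target):
        """Return {parameter: (value, inherited_from)}.

        inherited_from is None when the value is set on the most specific
        class containing target, otherwise the CIDR of the ancestor that set it.
        """
        chain = self.chain(target)
        out = {}
        for p in PARAMS:
            for net in chain:
                value = self.classes[net][p]
                if value is not None:
                    out[p] = (value, None if net == chain[0] else str(net))
                    break
        return out

    def graphed(self, address):
        """True when graphing data would be recorded for this address."""
        return self.effective(address)["graphing"][0] == "Yes"

    def tree(self):
        """Render the zone as an indented tree, parents before children."""
        lines = []
        for net in sorted(self.classes):
            depth = len(self.chain(net)) - 1
            desc = self.effective(net)["description"][0]
            lines.append("%s%s [%s]" % ("  " * depth, net, desc))
        return lines


def sample_zone():
    """The zone from the manual's example plus one constructed subclass."""
    zone = IPZone()
    zone.add("10.0.0.0/8", graphing="Yes", description="Internal Network")
    zone.add("10.1.0.0/16", description="Customer Service")  # constructed prefix
    return zone


if __name__ == "__main__":
    z = sample_zone()
    print("\n".join(z.tree()))
    for target in ("10.0.0.0/8", "10.1.0.0/16", "198.51.100.7"):
        print(target, z.effective(target))
```

An address outside every configured class falls back to the 0.0.0.0/0 values, which is why leaving Graphing and Accounting at No on the supernet keeps unknown addresses from generating data.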
66. tering.
Received Pkts/s: The rate of received packets before validation and filtering.
Dropped Pkts/s: It represents the rate of packets dropped in the capturing process. When the number is high it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation.

Active WANGuard Flow Systems Table
The Active WANGuard Flow Systems table displays the latest system information collected from the active WANGuard Flow systems. If there are no WANGuard Flow systems configured, then this table is not displayed. The table has the following format:
Status: If the active WANGuard Flow system is functioning properly, then a green checked arrow is displayed. If WANGuard Console cannot manage or reach the WANGuard Flow system, then a red X icon is displayed. In this case make sure that WANGuard Flow is configured correctly, read the Events Log and make sure that the WANGuardController daemon is running on all systems.
WANGuard Flow: Displays the description of the WANGuard Flow system.
Load: The load of the operating system for the last 5 minutes.
CPU: The CPU percent used by the WANGuard Flow process.
Mem: The amount of memory used by the WANGuard Flow process.
Started: The time and date when the WANGuard Flow process started.
Interface: The interface description and
67. the Control key.

By IP Description
By selecting this option you can generate traffic accounting reports for IP addresses or IP classes that have the selected IP Description.
[Screenshot: Traffic Accounting by IP Description form with the fields IP Zone, IP Description, From, Until and WANGuard Sensor(s), and the Generate Accounting Report button.]
The From, Until and WANGuard Sensor(s) fields are explained in the beginning of this section. To generate traffic accounting reports using this option, first select an IP Zone and then select an IP Description included in the selected IP Zone. WANGuard Console will search for IP addresses and IP classes that match the selected IP Description and will generate a traffic accounting report for them. By using this option you can easily generate IP traffic accounting reports for clients, departments, etc. with multiple allocated IP classes.

By IP Address / Subnet
To generate a traffic accounting report for an IP address or IP class, fill the form displayed below.
68. then inter-VLAN traffic, use CatOS 7.2 or higher and issue the following command:

    switch> (enable) set mls bridged-flow-statistics enable

And enable NDE:

    switch> (enable) set mls nde enable

To see the current NetFlow configuration and state, issue the following commands:

    switch> (enable) show mls nde
    switch> (enable) show mls debug

Configuring NDE on a Native IOS Device
To configure NDE use the same commands as for the IOS device. In the enable mode on the Supervisor Engine, issue the following to set up the NetFlow export version 5:

    switch(config)# mls nde sender version 5

The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as this decreases the RAM usage and increases the performance of WANGuard Flow.

    switch(config)# mls aging long 8
    switch(config)# mls aging normal 4

On the Supervisor Engine 1, issue the following to put full flows into the NetFlow exports:

    switch(config)# mls flow ip full

If you have a Supervisor Engine 2 or 720 running IOS version 12.1(13)E or higher, issue the following commands instead:

    switch(config)# mls flow ip interface-full
    switch(config)# mls nde interface

Configuring NDE on a 4000 Series Switch
Configure the switch the same as an IOS device, but instead of command ip route-cache flow use comma
69. tion mode on the router or MSFC, issue the following to start NetFlow Export.
First enable Cisco Express Forwarding:

    router(config)# ip cef
    router(config)# ip cef distributed

And turn on flow accounting for each input interface with the interface command:

    interface
    ip route-cache flow

For example:

    interface FastEthernet0
    ip route-cache flow
    interface Serial2/1
    ip route-cache flow

It is necessary to enable NetFlow on all interfaces through which traffic you are interested in will flow. Now verify that the router or switch is generating flow stats; try the command show ip cache flow. Note that for routers with distributed switching (GSRs, 75XXs) the RP CLI will only show flows that made it up to the RP. To see flows on the individual linecards, use the attach or if-con command and issue the sh ip ca fl on each LC.
Enable the exports of these flows with the global commands:

    router(config)# ip flow-export version 5
    router(config)# ip flow-export destination <ip address> 2000
    router(config)# ip flow-export source FastEthernet0

Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used as an example. WANGuard Flow is using NetFlow version 5. The ip flow-export source command is used to set up the source IP address of the exports sent by the equipment.
If your router uses the
70. tp://<hostname>/wanguard, where <hostname> is the name of the server where WANGuard Console is installed. If the page cannot be displayed, make sure the Apache web server is running and the firewall does not block incoming traffic on port 80. If you haven't licensed WANGuard Lite yet, you will be asked to do so.
[Screenshot: Add License Key page with two options, using the /opt/wanguard/etc/wanguard.key file or entering the license key. Note shown on the page: Licensing will be successful only if you have previously installed, configured and started the WANGuardController daemon.]
You can add a license key by two methods. You can either copy the wanguard.key file we sent you by email in /opt/wanguard/etc/, or you can paste the file's content directly in the input field. The license key contains encrypted information about the licensed capabilities of the software. You can upgrade to the Full version (incl. traffic anomalies detection & protection) or downgrade to the Lite version (without traffic anomalies detection & protection) solely by changing the license key.
71. tures (32 bit Pentium and beyond) and for x86_64 architectures (64 bit Intel / AMD processors).

Software Installation
Software installation instructions are listed and updated on the Andrisoft website, under the download links:
• http www andrisoft com download rpmi installation for RedHat-based Linux distributions
• http www andrisoft com download suse installation for SUSE-based Linux distributions
• http www andrisoft com download deb installation for Debian-based Linux distributions

Network Basics You Should Be Aware Of

Who Should Read This Section
If you are new to network administration and network monitoring, read about the technical basics in this section. It will help you understand how WANGuard Lite works. If you are already used to IP addresses and IP classes, you can skip this section.

A Short Introduction To IP Addresses & Classes

IP Addresses
In order for systems to locate each other in a distributed environment, nodes are given explicit addresses that uniquely identify the particular network the system is on and uniquely identify the system to that particular network. When these two identifiers are combined, the result is a globally unique address. This address, known as IP address, as IP number, or merely as IP, is a code made up of numbers separated by three dots that identifies a particular computer on the Internet. These addresses ar
72. [Screenshot: WANGuard Flow Configuration form with the SNMP Community field, the interfaces table (SNMP Index, Description, Graph Color Inbound, Graph Color Outbound), and the fields Sampling, Accuracy, IP Validation, AS Validation, Top, Graph Data Path and IP Zone.]
The WANGuard Flow Configuration window contains the following fields:
• Active: WANGuard Flow is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Flow system is running, then the WANGuardController daemon stops it.
• Description: A short generic description that helps you identify the WANGuard Flow system.
• IP Address / Port: The IP address of the network interface that receives the flows and the port, as configured on the flow exporter.
• Flow Exporter IP: The IP address of the flow exporter, usually the Loopback0 interface IP on the network device. Each server running WANGuard Flow must have its system time synchronized with the flow exporter.
• SNMP Community: The read-only SNMP community of the network device. The community is used by WANGuard Console when it connects to the flow exporter to get SNMP indexes.
• Interfaces: Here you must define the network interfaces th
73. w
The Systems View displays tables with the latest system parameters collected from active WANGuard Lite components.
[Screenshot: Systems View with the WANGuard Sensor Live Graphs tab showing a live bits/s throughput graph, inbound and outbound, for all WANGuard Sensors.]
The refreshing of tables can be stopped by clicking the <Pause> button. When the <Pause> button is clicked, it will change into a <Resume> button that will resume the refreshing of tables when clicked. The Systems View page includes Active Systems tables and two tabs: WANGuard Sensor Live Gr
74. [Screenshot: Protocols Distribution Graphs form. WANGuard Sensor selection (NetFlow Router WAN Interface, NetFlow Router LAN Interface), Graph Size 500x240, Generate Protocols Distribution Graphs button.]
All fields are explained in the previous sections. Currently supported protocols are: SNMP, FTP, SSH, TELNET, SMTP, HTTP, POP3, IMAP, SQL, NETBIOS, IRC, DIRECTCONNECT, TORRENT, DNS, ICMP. Protocol detection is less reliable for applications that use non-standard, randomized source or destination ports.
WANGuard Sensor Tops
WANGuard Sensor systems configured with the Top option collect data that can be used to generate top statistics for any selected time frame. Available statistics are: top hosts (talkers), top TCP ports, top UDP ports, top IP protocols, and top AS Numbers (only when NetFlow is used). Top generation for large time frames may take minutes. In this case, edit the max_execution_time parameter from php.ini accordingly.
[Screenshot: WANGuard Console 3.1, Reports View, WANGuard Sensor Tops form. Date selection, WANGuard Sensor selection (LAN Switch VLAN 900, Peering SPAN, R12000 SPAN, NetFlow Router WAN Interface, NetFlow Router LAN Interface), Sum Multiple Sensors, Top Talkers, Protocol IP, Direction Inbound, Generate Traffic Tops button.]
75. [Screenshot: WANGuard Console login page (login.php), WANGuard Lite 3.1 evaluation copy, with Username and Password fields.]
A First Look at the Systems View
Immediately after logging into WANGuard Console, the layout of the Systems View will be displayed. You can change the default View by editing your User preferences. Because no WANGuard Sensor system was previously configured and enabled, and no data was gathered, the Systems View will be mostly empty. More information about Views can be found in the Views chapter (page 37). You can navigate throughout WANGuard Console using the drop-down menu located in the upper side of every page.
Managing WANGuard Console Users
[Screenshot: WANGuard Console 3.1 drop-down menu. Views, Archive, Reports; Views entries: Systems View, IP Graphs, IP Zones, WANGuard Sensor.]
If you install WANGuard Console on a publicly available server, you should immediately change the default password for the admin user and eventually add new users. To manage WANGuard Console users, you must select Users from the Setup menu. A list of existing users will be displayed. To view additional information about a user, you must click the first icon in the first column. To change user passwords or to edit user details, you must click the second icon in the first column. To delete a user, you must click the third icon in the f
