WANGuard Platform 3.0 User Manual

Contents

1. WANGuard Lite 4.1 User Manual. Copyright & trademark notices. This edition applies to version 4.1 of the licensed program WANGuard Lite and to all subsequent releases and modifications until otherwise indicated in new editions. Notices: References in this publication to ANDRISOFT S.R.L. products, programs or services do not imply that ANDRISOFT S.R.L. intends to make these available in all countries in which ANDRISOFT S.R.L. operates. Evaluation and verification of operation in conjunction with other products, except those expressly designated by ANDRISOFT S.R.L., are the user's responsibility. ANDRISOFT S.R.L. may have patents or pending patent applications covering subject matter in this document. Supplying this document does not give you any license to these patents. You can send license inquiries, in writing, to the ANDRISOFT S.R.L. marketing department, sales@andrisoft.com. Copyright Acknowledgment: ANDRISOFT S.R.L. 2008. All rights reserved. This document is copyrighted and all rights are reserved by ANDRISOFT S.R.L. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without the permission in writing from ANDRISOFT S.R.L. The information contai
2. [Screenshot: Sensor Graphs for NetFlow Router WAN and NetFlow Router LAN] The following options are available: Data Unit: Select the traffic parameter the graphs will represent. All: All of the below, each one in a different graph. Packets: The packets/second throughput recorded by WANGuard Sensor. Bits: The bits/second throughput recorded by WANGuard Sensor. Bytes: The bytes/second throughput recorded by WANGuard Sensor. IPs: The number of unique IP addresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted. Received frames: For WANGuard Sniff it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow it represents the rate of received flows before validation or filtering occurs. Dropped frame
3. [Screenshot: Protocols Distribution graph legend] You can view protocols distribution graphs for the selected WANGuard Sensors with the following options: Graphs Size: You can select a predefined graphs size OR you may enter your own graphs size as <xpixels>x<ypixels>. Sum Sensors: If unchecked, each selected WANGuard Sensor generates a different graph. If checked, all selected WANGuard Sensors generate a single graph that contains summed protocols distribution data. Reports: IP Addresses & IP Groups. This chapter describes how to generate advanced IP traffic graphs and IP traffic accounting reports from data collected by WANGuard Sensor systems. Both IP Addresses Panel and IP Groups Panel generate the same reports, and that's why those reports are treated in the same chapter. If the reports are empty, check if the selected IP Class / IP Group have the IP Accounting parameter and the IP Graphs parameter set to Yes in the IP Zones. IP Addresses Panel allows quick generation of IP traffic reports by entering the IP / CIDR in the upper side of the Panel or by selecting an IP class or host from the Subnets tree. IP Groups Panel lists all IP Groups extracted from existing IP Zones. You can filter dis
4. In order for systems to locate each other in a distributed environment, nodes are given explicit addresses that uniquely identify the particular network the system is on and uniquely identify the system to that particular network. When these two identifiers are combined, the result is a globally unique address. This address, known as IP address, as IP number, or merely as IP, is a code made up of numbers separated by three dots that identifies a particular computer on the Internet. These addresses are actually 32-bit binary numbers, consisting of the two sub-addresses (identifiers) mentioned above which, respectively, identify the network and the host to the network, with an imaginary boundary separating the two. An IP address is, as such, generally shown as 4 octets of numbers from 0-255 represented in decimal form instead of binary form. For example, the address 168.212.226.204 represents the 32-bit binary number 10101000.11010100.11100010.11001100. The binary number is important because that will determine which class of network the IP address belongs to. The Class of the address determines which part belongs to the network address and which part belongs to the node address (see IP address Classes further on). The location of the boundary between the network and host portions of an IP address is determined through the use of a subnet mask. This is another 32-bit binary number which acts like a filter when it is applied to the 32 b
5. The IP Graphs sub-tab generates IP traffic graphs for the selected IP class, host or IP Group that include 95th percentile information, useful for burstable billing. [Screenshot: WANGuard Console, IP Graphs for 12.81.134.0/24 on LAN Switch vlan900, NetFlow Router WAN and NetFlow Router LAN]
6. real-time WANGuard Sensor management and monitoring using an intuitive, easy-to-use, rich Ajax-based Web 2.0 web interface. IP Zones support for segmenting your network by departments, clients, server clusters, etc. Intuitive and customizable Dashboards with widgets defined by you. Easy-to-use navigation allows you to drill into the live monitoring results. Graphs are always generated on the fly for live reporting. Live traffic graphs are animated. Integrated contextual help system. Integrated web-based tools that provide: AS (Autonomous System) information; IP information: reverse DNS, domain, URL, IP range, AS, ISP, Country, ping, traceroute, whois; IP Protocols information; TCP and UDP ports information; Subnet calculator. The recorded data is stored in an internal SQL database that can be easily queried and referenced. Authenticated access (username, password necessary) for an unlimited number of users, with fine-grained security profiles. Network Basics You Should Be Aware Of. Who Should Read This Section: If you are new to network administration and network monitoring, read about the technical basics in this section. It will help you understand how WANGuard Lite works. If you are already used to IP addresses and IP classes, you can skip this section. A Short Introduction To IP Addresses & Classes. IP Addresses
7. [Screenshot: Dashboard widgets, All Sensors Top 5 TCP Ports] Managing Dashboards: You can add new Dashboards by clicking <Actions> in the Default Dashboard and selecting <Add Dashboard>. The Default Dashboard cannot be deleted or edited. However, any other Dashboard can be edited or deleted by clicking the same <Actions> button and then by clicking <Edit Dashboard>. You can then change the Description, add your own Comments and set the number of columns and the percentage each column should have of the Center Panel's width. The sum of all percentages should be 100. Managing Widgets: If you are an Administrator or an Operator, you can add, edit or delete Widgets. To sort them, click the title bar and move them around. To collapse a widget, click the first icon on the widget title bar. To edit a widget, click the second icon on the widget title bar. To delete a widget, click the third icon on the widget title bar. To add a new Widget, click <Actions> in the toolbar and then select the Widget Type you like. Widgets have the following common fields: Widget Title: Enter a relevant description of the widget (what it should display). Widget Height: Leave the
8. A addresses always have the first bit of their IP addresses set to 0. Since Class A networks have an 8-bit network mask, the use of a leading zero leaves only 7 bits for the network portion of the address, allowing for a maximum of 128 possible network numbers, ranging from 0.0.0.0 to 127.0.0.0. Number 127.x.x.x is reserved for loopback, used for internal testing on the local machine. Class B addresses always have the first bit set to 1 and their second bit set to 0. Since Class B addresses have a 16-bit network mask, the use of a leading 10 bit-pattern leaves 14 bits for the network portion of the address, allowing for a maximum of 16,384 networks, ranging from 128.0.0.0 to 191.255.0.0. Class C addresses have their first two bits set to 1 and their third bit set to 0. Since Class C addresses have a 24-bit network mask, this leaves 21 bits for the network portion of the address, allowing for a maximum of 2,097,152 network addresses, ranging from 192.0.0.0 to 223.255.255.0. Class D addresses are used for multicasting applications. Class D addresses have their first three bits set to 1 and their fourth bit set to 0. Class D addresses are 32-bit network addresses, meaning that all the values within the range of 224.0.0.0 to 239.255.255.255 are used to uniquely identify multicast groups. There are no host addresses within the Class D address space, since all the hosts within a group share the group's IP ad
9. [Table of contents fragment] Capturing. Supported Traffic Capturing Methods. Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line Deployment. How Port Mirroring, Network TAP, In-line Deployment works. Reasons to choose Port Mirroring, Network TAP, In-line Deployment. How NetFlow & sFlow Monitoring Works. Reasons to choose NetFlow & sFlow Monitoring. Comparison between Packet Sniffing and NetFlow / sFlow Monitoring. WANGuard Sniff Configuration. Appendix 1: Configuring NetFlow Data Export. Configuring NDE on an IOS Device. Configuring NDE on a Native IOS Device. Configuring NDE on a 4000 Series. Configuring NDE on a Juniper Router. Traffic Monitoring and Traffic Accounting with WANGuard Lite. Why WANGuard
10. [Screenshot: Sensor Tops table of top Autonomous Systems] The following options are available: Top Type: You can select to see top 15 hosts (Talkers) that make traffic, top 15 TCP/UDP ports used, top 15 IP Protocols and top 15 Autonomous Systems (only when WANGuard Flow is used). Clicking IP Addresses and ASNs opens new tabs with more details about the selection. Top Protocol: You may further customize the Top Type by selecting only the IP protocols you're interested in. Direction: The direction of the traffic, Inbound or Outbound. Sum Sensors: If unchecked, each WANGuard Sensor generates a different top. If checked, all selected WANGuard Sensors generate a single top instead.
11. [Screenshot: Subnet Parameters for 0.0.0.0/0] The right section will be populated with properties that apply to all IP addresses included in the selected IP class, if the properties are not subsequently overwritten. The Inheritance column shows from which parent IP class the value was inherited. Every IP class record stores the following information (Subnet Parameters Panel): IP Group: This parameter should contain a short description for the selected IP class or IP address. IP Accounting: If the IP Accounting parameter is set to Yes, then WANGuard Sensor records traffic accounting data for every IP address included in the selected IP class. Accounting data contains the number of inbound and outbound packets and bits, and averages of packets and bits rates. If the IP Accounting parameter is set to Inherit, then the value is inherited from the parent IP class. If the parameter is set to No, then no accounting data is recorded. IP Graphs: If the IP Graphs parameter is set to Yes, then WANGuard Sensor records graphs data for every IP address included in the selected IP class. Graphs data contains accurate information about inbound and outbound packets/second and bits/second rates. If the IP Graphs parameter is set to Inherit, then the value is inherited from the parent IP class. If the parameter is set t
12. [Screenshot: IP Accounting report for hosts in 12.81.134.0/24, with average and total inbound and outbound bits per host] The following options are available: Report Type: Select the interval you want for the data t
13. [Screenshot: IP Graphs with Graphs Size, Graphs Consolidation, Sum IPs and Sum Sensors options; bits/s graphs for LAN Switch vlan900, NetFlow Router WAN and NetFlow Router LAN] The following options are available: Graphs Size: You can select a predefined graphs size OR you may enter your own graphs size as <xpixels>x<ypixels>. Graphs Consolidation: Select the aggregation procedure for old data: MINIMUM, MAXIMUM or AVERAGE. If some aggregation types are missing, see the IP Traffic Graphs configuration (Page 50). If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type. Sum IPs: Don't check the Sum IPs option if you want a different traffic graph display
14. Sniff to distinguish between inbound and outbound traffic, it must use at least one of the two techniques available: MAC Validation (next parameter) or IP Validation. The IP Validation parameter has three options: Off: Will disable IP Validation. Make sure MAC Validation is configured instead. On: WANGuard Sniff will only analyze the traffic that has the source and/or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0). Strict: WANGuard Sniff will only analyze the traffic that has either the source or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0). MAC Validation, MAC Address: For WANGuard Sniff to distinguish between inbound and outbound traffic, it must use at least one of the two techniques available: MAC Validation or IP Validation (previous parameter). The MAC Address should contain the MAC address of the upstream router with the MAC Validation field set to Upstream, or the MAC address of the downstream router with the MAC Validation field set to Downstream. The MAC Address must be written using the Linux convention: six groups of two hexadecimal values separated by colons. Traffic Direction: You can configure the direction of the traffic that should be analyzed by WANGuard Sniff. Inbound & Outbound: WANGuard Sniff will monitor both inbound and outbound traffic. Using this option generates a min
15. [Screenshot: IP Zone Configuration, Subnet Parameters for 10.0.0.0/8 (Internal Network)] In the image above you can see that the IP Accounting value is inherited from 0.0.0.0/0 because it is the only unmodified parameter. Every IP that belongs to the Internal Network will generate traffic graphs because the IP Graphs parameter is set to Yes. In the next image, a new IP class named Customer Service was added. Because this IP class is included in the Internal Network, it is displayed under it. All parameters except the IP Group were not modified, so the values are inherited from the parent IP class. [Screenshot: IP Zone Configuration, Subnet Parameters for 10.1.1.0/24 (Customer Service)] In the image below you can see that a new IP class called Office Building was added. Because the IP Accounting param
16. WANGuard Lite components can be installed on a single server if enough resources are provided (RAM, CPU, Disk Space, Network Cards). You can also install the components on multiple servers distributed across your network. WANGuard Sensor System Requirements for 1 Gigabit Network Interface (values given as WANGuard Sniff 4.1 / WANGuard Flow 4.1): Architecture: x86 (32 or 64 bit) / x86 (32 or 64 bit). CPU: 1 x Pentium IV 2.0 GHz / 1 x Pentium IV 1.6 GHz. Memory: 500 MBytes / 2 GBytes. Network Cards: 1 x Gigabit Ethernet (with NAPI support) / 1 x Fast Ethernet. Operating System: Linux 2.6.x kernel or FreeBSD 8 / Linux 2.6.x kernel or FreeBSD 8. Installed Packages: tcpdump, WANGuard Sensor 4.1, WANGuard Controller 4.1. Disk Space: 5 GB (including OS) / 5 GB (including OS). When using WANGuard Flow, network devices must be configured to send NetFlow v5 or sFlow data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1, Configuring NetFlow Data Export (page 53). When using WANGuard Sniff, you must know that by default only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring in switched networ
17. Widget Height to Auto for the widget to take all the vertical space it needs. Or you can specify the number of pixels for the Widget Height. WANGuard Sensors: Select the WANGuard Sensors that are allowed to provide information to the widget. All other options are self-explanatory or are described in the next Reports chapters. Reports: Device Groups. The Device Groups Panel offers an intuitive, complete view on all WANGuard Lite components. It includes an All Components tree and a separate item for each Device Group configured for WANGuard Sensors. The All Components tree can be expanded to show all active WANGuard Flow and WANGuard Sniff systems. By clicking All Components, a new tab opens that contains live tables for all WANGuard Lite components. By clicking a Device Group, a new tab opens that contains live tables for each WANGuard Sensor included in that Device Group. By clicking a WANGuard Sensor included in the All Components tree, a new tab opens that contains Sensor Graphs, Sensor Tops and Protocol Distribution Data. All Components and Device Group Tabs: These tabs display tables with the latest system parameters collected from active WANGuard Lite components. Administrators can restrict what Device Groups are available to individual users. [Screenshot: WANGuard Console]
18. a severity value that describes the importance of the event. Severity levels descriptions are listed in the Managing Users chapter (Page 31). Event: The text of the event. Date: The date and time when the notification was generated. Installation: WANGuard Lite can be installed on common server hardware, provided that the system requirements listed later in this chapter are met. If you have some basic Linux or FreeBSD operation skills, then no training is required for the software installation. Feel free to contact our support team for any issues. Installing WANGuard Lite does not generate any negative side effects on your network's performance. Installation and configuration may take less than an hour; after that your network will be monitored immediately. No baseline data gathering is required. System Requirements: WANGuard Lite 4.1 has been tested with the following distributions: Red Hat Enterprise Linux 5.0 (commercial Linux distribution), CentOS 5.x (free, Red Hat Enterprise Linux based distribution), OpenSuSE 11.x (free, Novell Enterprise Linux based distribution), Debian Linux 5.0 (free, community supported distribution), FreeBSD 8. Other distributions should work but haven't been tested yet. The WANGuard Lite architecture is completely scalable. By installing the software on better hardware, the number of monitored endpoints and networks increases. All
19. Extensive MRTG-style traffic graphs and traffic accounting reports for IP addresses and IP classes in your network, for any time frame, including 95 Percentile for burstable billing. Historic and real-time network traffic statistics: top talkers per protocol, number of IPs, top protocols, protocols distribution, ASN distribution, TCP and UDP ports distribution, etc. The recorded data is stored in an internal SQL database that can be easily queried and referenced. The recorded monitoring statistics can be viewed through a rich, easy-to-use Ajax-based Web 2.0 web interface. WANGuard Lite Components: The WANGuard Lite has two main components. WANGuard Sensor: WANGuard Sensor is an advanced Linux and FreeBSD software created to do both incoming and outgoing traffic monitoring and accounting. At its core, WANGuard Sensor has a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Complex statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network. WANGuard Lite does not enable WANGuard Sensor's traffic anomaly detection and reaction features. WANGuard Sensor Features and Benefits: Any number of instances can be deployed across the network and all collected data will be centralized and available through a single web interface that you
20. in every IP Zone is the 0.0.0.0/0 IP class. The 0.0.0.0/0 supernet contains all private and public IP addresses available for IPv4. To ease the configuration of IP Zones, every new IP class that you define inherits by default the properties of the closest (having the biggest CIDR) IP class that includes it. The only IP class that does not inherit any properties is the 0.0.0.0/0 IP class, because there is no other IP class that includes it. WANGuard Sensor must learn from the selected IP Zone the properties of the IP addresses it analyzes. This is why, if WANGuard Sensor cannot include a detected IP address in the IP classes you defined, it applies the properties of the 0.0.0.0/0 IP class. So for unknown IP addresses the 0.0.0.0/0 properties are applied, and it's not recommended to set IP Graphs and IP Accounting to On for it. In the last section of this chapter you can see an example of how inheritance works. Changing Description, Duplicating & Deleting IP Zones: To change the description of an IP Zone, you must first open the IP Zone Configuration Window, provide a new description and then press <Change Description>. To copy the selected IP Zone, you must click the <Duplicate IP Zone> button. A new IP Zone will be created that will have the same information and the same description with the word copy attached. In some cases when you have multiple W
21. ip cache verbose flow

   Configuring NDE on a CatOS Device

   In privileged mode on the Supervisor Engine, enable NDE:

       Switch> (enable) set mls nde <ip address> 2000

   Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used only as an example.

       Switch> (enable) set mls nde version 5

   The following command is required to set up flow mask to full flows:

       Switch> (enable) set mls flow full

   The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as this decreases the RAM usage and increases performance of WANGuard Flow.

       Switch> (enable) set mls agingtime long 8
       Switch> (enable) set mls agingtime 4

   If you want to account all traffic within the specified VLANs rather than inter-VLAN traffic, use CatOS 7.2 or higher and issue the following command:

       Switch> (enable) set mls bridged-flow-statistics enable

   And enable NDE:

       Switch> (enable) set mls nde enable

   To see current NetFlow configuration and state, issue the following commands:

       Switch> (enable) show mls nde
       Switch> (enable) show mls debug

   Configuring NDE on a Native IOS Device

   To configure NDE, use the same commands as for the IOS device. In the enable mode on the Supervisor Engine, issue the following to set up the NetFlow export versio
22. your subnets in a new IP Zone (next chapter) and then configure WANGuard Sensors. Managing WANGuard Console Users: If you install WANGuard Console on a publicly available server, you should immediately change the default password for the admin user and eventually add new users. To manage WANGuard Console users, you must select Configuration from the West Panel and then expand the WANGuard Console panel. Currently there are three available access levels (Roles) for users: Administrator: This role has all privileges to view and manage WANGuard Lite components, including adding new users and changing users' passwords (existing users' passwords are always shown encrypted). Operator: This role has all privileges to view and manage WANGuard Lite components, but cannot add or modify other users. User: This role cannot configure anything, but if access is permitted it can generate various reports. [Screenshot: WANGuard Console Users list] To modify a user, you can double-click it or select it and then press Modify User. Administrators and Operators have the following properties: [Screenshot: Modify Administrator dialog]
23. Getting Started with WANGuard Lite. Please read the following section in order to get a clear overview of the basic premises required for the proper operation of the software. If you're an administrator and you want to set up WANGuard Lite, skip to the Installation Chapter (page 28). A First Look at the WANGuard Console: You can change the Default Tab by editing User preferences. Because no WANGuard Sensor system was previously configured and enabled, and no data was gathered, most of the content does not exist yet. To understand the operation of WANGuard Console, please be aware of the structure of the web application. West Panel: The West Panel is located on the left (west) edge of the screen and it is used for navigation throughout the WANGuard Console. If you can't see the West Panel, then it may be either collapsed (so click the edge to expand it) or hidden by an Administrator. West Panel contains 2 regions, Reports and Configuration (hidden if you have User role), that can be collapsed or expanded by clicking the title bar. In multiple user environments the regions may contain old data
24. ANGuard Sensor systems, you may have to create multiple IP Zones that share the same IP classes. Instead of recreating the same IP classes for each new IP Zone, you can duplicate an existing IP Zone and modify only a few parameters. To delete an IP Zone, you must first open the IP Zone Configuration Window, press the <Delete IP Zone> button and then confirm the deletion. IP Zone Configuration: The IP Zone Configuration window is divided in two sections, one on the left and one on the right. In the upper side of the left section you will see a button that is used to add IP addresses / subnets to the IP Zone. Below you will see the allocated IP classes tree. When adding a new IP class, the tree is automatically updated. You may add or delete subnets by right-clicking any subnet row. In the right section you will see detailed information about the selected IP class or IP address. As explained in the Understanding IP Zones Inheritance section, every IP Zone contains the 0.0.0.0/0 supernet. To edit the 0.0.0.0/0 IP class properties, click 0.0.0.0/0 from the Subnets tree. After a new IP Zone is added, the IP Zone Configuration window will look like in the image below. [Screenshot: IP Zone Configuration, Subnet Parameters for 0.0.0.0/0]
25. Ingress interface leaves your network. Upstream provider interfaces are always Ingress.
    - Egress: Traffic entering an Egress interface leaves your network. Traffic that leaves an Egress interface enters your network. On border routers, interfaces towards your network are always Egress.
    - Null: Traffic entering the Null interface is discarded by the router and by the WANGuard Flow.
  - Graph Color In / Graph Color Out: Here you can select the color you will see on sensor graphs as inbound and outbound traffic for the current WANGuard Flow. By default a random color will be chosen. To change the color, you can enter it as an HTML Color Code or you can manually select the color.
  - Link Speed In / Link Speed Out: The speed of the monitored interface for inbound traffic and for outbound traffic. This is used to generate reports based on usage percent.
- IP Zone: The IP Zone field provides a selection of currently defined IP Zones that can be used by WANGuard Flow. If the field has no options, you must first define an IP Zone. For more information about IP Zones, please consult the IP Zones Setup chapter (page 34).
- Sampling (1/n): This parameter must contain the same packet sampling rate configured on the router. If no packet sampling is used, then sampling is 1/1 (default).
- IP Validation:
  - Off: Will disable IP Validation.
  - On: WANGuard Flow will only analyze the traffic that has the source and/or the destination IP addresses i
26. Lite Is Important

Most businesses today rely more and more on network infrastructure, so the computer network's reliability and speed are crucial for these businesses to be successful, and an efficient use of the available resources must be assured. A significant degradation of the network services can seriously damage the business, including loss of customers and subsequent loss of revenue. For the network administrator this means ensuring the network's uptime, reliability and speed, as well as the efficient use of the existing resources.

Andrisoft WANGuard Lite is an enterprise-grade, Linux-based software solution that delivers the functionality NOC and IT teams need to effectively monitor their network through a single integrated package. The components have been built from the ground up to be high-performing, reliable and secure. WANGuard Lite is feature-rich and simple to deploy and configure, causing no disruption within the network.

What WANGuard Lite Can Do For You

Andrisoft WANGuard Lite is an easy-to-use software solution that provides network traffic monitoring and accounting. It allows you to quickly and easily set up and run monitoring server(s) for networks. Using the integrated web interface, with just a few mouse clicks you or your users can view historic and real-time network traffic parameters about the data flowing through router interfaces and switch ports (packets/s, bits/s, bytes/s, IPs/s, flows/s, etc.)
27. NGuardController daemon stops it.
- Description: A short generic description that helps you identify the WANGuard Flow system.
- Device Group: A short description of the role the monitored device plays within the network, its location, etc.
- Sensor IP Address / Listener Port: The IP address of the network interface that receives the flows, and the destination port as configured on the flow exporter.
- Flow Exporter IP Address / SNMP Community: The IP address of the flow exporter, usually the Loopback0 interface IP on the network device. Each server running WANGuard Flow must have its system time synchronized with the flow exporter. The read-only SNMP community of the network device allows WANGuard Console to connect to the flow exporter and request SNMP indexes and other useful information for adding new interfaces.
- Flow Exporter Monitored Interfaces: Here you must define the network interfaces that will be monitored. Each interface must contain the following information:
  - Description: A short generic description used for interface identification.
  - SNMP Index: The SNMP index of the interface. When adding a new interface, if you entered the SNMP community, simply click the interface to automatically add the required parameters.
  - Type: Specifies the type of the interface.
    - Ingress: Traffic entering an Ingress interface also enters your network. Traffic that leaves an
28. PDF Reader. For the best WANGuard Console experience we highly recommend the Firefox 3.6 browser and a monitor with a resolution of 1280x1024 pixels or higher.

Software Installation & Download

Software installation instructions are listed and updated on the Andrisoft website for RedHat-based, SuSE-based, Debian-based and FreeBSD-based distributions. You may try a fully functional version of WANGuard Lite for 30 days. You can switch to a full-time registered version by applying a purchased license key. Binary WANGuard Lite components are packaged differently for i686 architectures (32-bit Pentium and beyond) and for x86_64 architectures (64-bit Intel/AMD processors).

Opening WANGuard Console for the first time

WANGuard Console is essentially the web interface through which you will control and monitor all other components. If you followed the installation instructions correctly, from now on you will only need to log into WANGuard Console to manage the components. To log into WANGuard Console, use a compatible web browser (listed at page 29) and access http://<hostname>/wanguard, where <hostname> is the name of the server where WANGuard Console is installed. If the page cannot be displayed, make sure the Apache web server is running and the firewall does not block incoming traffic on port 80. If you haven't licensed WANGuard Lite yet, you will be asked t
29. [Screenshot: Sensor Tops report Scheduler with Daily, Weekly, Monthly and Once options, Report Time and Report Time Frame (Previous Day) fields]

Help Menu & About

Help Menu

The Help menu is located on the upper right side of the WANGuard Console window.

- User Manual: The User Manual provides contextual access to the WANGuard Lite User Guide. Depending on the context, the User Guide will open at the chapter describing the last opened window or tab. If the Contextual Help does not work, please install Adobe PDF Reader on your computer.
- AS Information: The AS Information window provides access to an on-line ASN database (RIPE, ARIN, APNIC) and to a local ASN database.
- IP Information: The IP Information window provides details about IP addresses and domains, as well as web-based access to the ping, whois, traceroute and telnet commands. IP information is contained in an internal database that contains IP ranges, country codes and Autonomous System information.
- IP Protocols List: The IP Protocols List window provides access to a table that contains descriptions for all available IPv4 protocols.
- TCP & UDP Ports List: The TCP & UDP Ports List window provides access to a table that contains name, description, service, common servers and common clients for well-known TCP and UDP port numbers.
- Subnet Calculator: The Subnet Calculator lets you see and calculate network masks, CIDR, broadcast addresses, number of hosts and IP
30. Protocols Distribution

WANGuard Sensor systems collect protocols distribution data. Currently supported protocols are: SNMP, FTP, SSH, TELNET, SMTP, HTTP, POP3, IMAP, SQL, NETBIOS, IRC, DIRECTCONNECT, TORRENT, DNS, ICMP. Protocol detection is unreliable for applications that use non-standard or randomized source or destination ports (torrent is the best example).

[Screenshot: Protocols Distribution sub-tab showing the protocols distribution graph for NetFlow Router WAN and NetFlow Router LAN, Last Day time frame]
31. all term all then sample forwarding-options sampling input family inet rate 100 output cflowd 192.168.1.100 port 2000 version 5
32. but you can refresh them by clicking the right button on the title bar. Each of those regions contains panels that can be either collapsed or expanded, their state being kept between sessions. Each of these panels is explained in detail in the following chapters.

Center Panel

WANGuard Console offers various ways to look at historic or live collected data. Each Report you request through the West Panel opens a new tab on the Center Panel. You may switch between tabs or close them all, except for the Home Tab that's defined in your User Profile.

South Panel

The South Panel is collapsed by default and is located at the bottom of the browser window. To expand it, click the bottom edge. If you can't see it, then it's hidden through your User Profile. It provides a quick way to view live data collected from WANGuard Lite components, structured in tabs.

WANGuard Sensor Live Graphs

The WANGuard Sensor Graphs tab provides an animated, dynamic graph that illustrates trends over time of various traffic parameters collected from WANGuard Sensor systems. The right side of the tab contains three selection lists that configure the graph:

- WANGuard Sensors: Select only the WANGuard Sensor systems that you're interested in.
- Data Unit: Select the traffic parameter the graph will represent.
  - Bits: The bits/second throughput recorded by WANGuard Sensors.
  - Bytes: The bytes/secon
33. can quickly access from any location.
- The supported traffic monitoring methods are: Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line Deployment, sFlow, Cisco NetFlow and Huawei NetStream.
- You can access various real-time parameters (top talkers, number of IP addresses, top protocols, protocols distribution, etc.) of the data flowing through router interfaces and switch ports.
- Provides on-demand MRTG-style traffic graphs for any IP address or IP class in your network, for any time frame. Traffic graph accuracy can be defined between 5 seconds and 10 minutes.
- WANGuard Sensor is completely scalable and can monitor and generate graphs for hundreds of thousands of IP addresses.
- Includes a very flexible billing system for bandwidth-based billing.
- Easy and non-disruptive installation on common server hardware.
- The most cost-effective traffic monitoring and accounting solution on the market.

WANGuard Console

WANGuard Console provides a tightly integrated and highly graphical, interactive, Ajax-based Web 2.0 interface for all aspects of network traffic monitoring and accounting. Included in the WANGuard Console is the advanced graphing engine that provides quick and easy ad-hoc graphing functionality. WANGuard Console offers single-point management and reporting by consolidating the data from all WANGuard Sensor systems deployed within the network.

WANGuard Console Features and Benefits

Consolidated
34. [Screenshot: WANGuard Flow Configuration window, configuration example. Device Group: Border Routers. Sensor information: IP Address 192.168.1.100, Listener Port 9990. Flow exporter information: IP Address 192.168.1.1, SNMP Community public. Flow exporter monitored interfaces: WAN, LAN and Null Interface. Validation and filtering: IP Zone Routed Subnets, IP Validation Off, Sampling (1/n) 1, AS Validation Off. Advanced options: Analyzer Interval 15 seconds, Protocol NetFlow Version 5.]

After a new WANGuard Flow system is added, the WANGuard Sensor panel is updated. If there is a green OK sign on the right of the WANGuard Flow's description, then the WANGuard Flow is running. If there is a red X sign instead, then the WANGuard Flow is inactive or not running. If you checked the Active switch but the WANGuard Flow is still not running after a few seconds, you can find a description of the error in the WANGuard Flow Events Logs (see the Logs & Events chapter, page 27) or in the Events Tab in the South Panel.

IP Graphs Setup

To configure IP traffic graphs parameters, expand the WANGuard Console Panel from the Configuratio
35. d throughput recorded by WANGuard Sensors.
  - Packets: The packets/second throughput recorded by WANGuard Sensors.
  - IPs: The number of unique IP addresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted.
  - Received frames: For WANGuard Sniff, it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow, it represents the rate of received flows before validation or filtering occurs.
  - Dropped frames: For WANGuard Sniff, it represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow, it represents the rate of flows dropped in the flow receiving process. When the number is high, it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.
  - Unknown frames: For WANGuard Sniff, it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow, it represents the rate of discarded flows caused by validation or filtering.
- Refresh Interval: Select the interval between consecutive refreshes of the graph. The graph will update itself flicker-free, but it's best to keep the refresh interval large for low-bandwidth monitoring stations.

Lat
36. [Screenshot: WANGuard Console, All Components tab, showing the Active WANGuard Sniff Systems table (LAN Switch vlan900, WAN Switch vlan100) and the Active WANGuard Flow Systems table (NetFlow Router, interfaces LAN and WAN)]
37. dress for receiver purposes. Class E addresses are defined as experimental and are reserved for future testing purposes. They have never been documented or utilized in a standard way.

WANGuard Lite makes extensive use, throughout its components, of IP addresses and IP classes in CIDR notation.

Subnet CIDR Notation

| CIDR | Class | Hosts | Mask |
|---|---|---|---|
| /32 | 1/256 C | 1 | 255.255.255.255 |
| /31 | 1/128 C | 2 | 255.255.255.254 |
| /30 | 1/64 C | 4 | 255.255.255.252 |
| /29 | 1/32 C | 8 | 255.255.255.248 |
| /28 | 1/16 C | 16 | 255.255.255.240 |
| /27 | 1/8 C | 32 | 255.255.255.224 |
| /26 | 1/4 C | 64 | 255.255.255.192 |
| /25 | 1/2 C | 128 | 255.255.255.128 |
| /24 | 1 C | 256 | 255.255.255.000 |
| /23 | 2 C | 512 | 255.255.254.000 |
| /22 | 4 C | 1024 | 255.255.252.000 |
| /21 | 8 C | 2048 | 255.255.248.000 |
| /20 | 16 C | 4096 | 255.255.240.000 |
| /19 | 32 C | 8192 | 255.255.224.000 |
| /18 | 64 C | 16384 | 255.255.192.000 |
| /17 | 128 C | 32768 | 255.255.128.000 |
| /16 | 256 C, 1 B | 65536 | 255.255.000.000 |
| /15 | 512 C, 2 B | 131072 | 255.254.000.000 |
| /14 | 1024 C, 4 B | 262144 | 255.252.000.000 |
| /13 | 2048 C, 8 B | 524288 | 255.248.000.000 |
| /12 | 4096 C, 16 B | 1048576 | 255.240.000.000 |
| /11 | 8192 C, 32 B | 2097152 | 255.224.000.000 |
| /10 | 16384 C, 64 B | 4194304 | 255.192.000.000 |
| /9 | 32768 C, 128 B | 8388608 | 255.128.000.000 |
| /8 | 65536 C, 256 B, 1 A | 16777216 | 255.000.000.000 |
| /7 | 131072 C, 512 B, 2 A | 33554432 | 254.000.000.000 |
| /6 | 262144 C, 1024 B, 4 A | 67108864 | 252.000.000.000 |
| /5 | 524288 C, 2048 B, 8 A | 134217728 | 248
38. ed for every IP address contained in the selected IP class or IP Group. For example, when this option is used with a /24 CIDR, 256 traffic graphs are displayed, one for each IP address in the C class.
- Sum Sensors: If unchecked, each WANGuard Sensor generates a different traffic graph. If checked, all selected WANGuard Sensors generate a single traffic graph that contains the summed traffic data.

IP Accounting

The IP Accounting sub-tab generates IP traffic accounting reports for the selected IP class, host or IP Group.

[Screenshot: IP Accounting sub-tab showing monthly traffic accounting for 12.81.134.0/24 on LAN Switch vlan900, April 2010]
39.
4 Reports Autonomous Systems ... 12
6 Reports Device Groups ... 15
    All Components and Device Group Tabs ... 15
    WANGuard Console System ... 16
    Active WANGuard Sniff Systems ... 16
    Active WANGuard Flow Systems ... 17
    Protocols Distribution ... 22
7 Reports IP Addresses & IP Groups ... 23
    IP Accounting ... 25
8 Reports Logs & Events ... 27
    Events Logs ... 27
    System Requirements ... 28
    WANGuard Sensor System Requirements for 1 Gigabit Network Interface ... 28
    WANGuard Console System Requirements for up to 5 WANGuard Sensors ... 29
    Software Installation & Download ... 30
    Opening WANGuard Console for the first time ... 30
    Managing WANGuard Console Users ... 31
    Changing Description, Duplicating & Deleting IP Zones ... 35
    Subnet Parameters Panel ... 36
    IP Zone Configuration Example ... 37
11 How To Choose A Method Of Traffic
40. enerated WANGuard Sensors reports or you can save them as PDF through plug-ins.
- Refresh: By default the resulting report is refreshed only when you press the <On Demand> button. If you select a refresh interval, then the report will be constantly refreshed, and if a predefined time frame was selected, then that will be updated too.

Sensor Graphs

The Sensor Graphs sub-tab generates various traffic parameter graphs for the selected WANGuard Sensors.

[Screenshot: Sensor Graphs sub-tab showing the Packets/s and Bits/s graphs for NetFlow Router WAN and NetFlow Router LAN, Last Day time frame]
41. er that offers a monitoring port or port mirroring configuration (Switched Port Analyzer, SPAN, for Cisco devices; Roving Analysis Port for 3Com devices). In this case the network device sends a copy of the data packets traveling through a port or VLAN to the monitoring port. After you configure the network device, install WANGuard Sensor on a Linux or FreeBSD server and connect it to the monitoring port. WANGuard Sniff will be able to analyze the whole traffic that passes through the selected port or VLAN, with or without VLAN tag stripping.

If you don't have network devices that can do port mirroring, you can deploy a Linux or FreeBSD server on the main data path, and WANGuard Sniff will be able to analyze the traffic flows that are routed through the server. Note that the server will become a single point of failure if you don't configure VRRP.

Reasons to choose Port Mirroring, Network TAP, In-line Deployment

Packet sniffing comes into consideration if you can provide the higher CPU power needed by WANGuard Sniff. Packet sniffing provides extremely fast and accurate traffic accounting and analysis results.

NetFlow & sFlow Monitoring

NetFlow or sFlow Monitoring is the domain of networks that usually use layer 3 switch or router flows. These can be configured to send data streams with the network's usage data to a Linux or FreeBSD server running WANGuard Flow.

How NetFlow & sFlow Monitoring Works

One option to mea
42. est Events

The Latest Events tab provides a list with the latest records from Logs & Events. The records are explained in the Logs & Events chapter (page 27).

WANGuard Lite Components

Each table belonging to WANGuard components is explained in detail in the Reports Device Groups chapter (page 15). By default, WANGuard components that are not defined are hidden. After adding the first Sensor, the proper tabs will show after re-login.

Reports Autonomous Systems

The Autonomous Systems Panel contains the following item:

Autonomous Systems

If you are using the flow-based WANGuard Sensor (WANGuard Flow), then you will be able to generate very accurate Autonomous Systems graphs for every detected Autonomous System Number. To use this option, your flow exporter must be configured to include AS information in the exported flows. The Autonomous Systems tab parameters are:

- WANGuard Sensors: Select the WANGuard Flow systems that captured the traffic you're interested in. Multiple selections can be made. Administrators can filter which WANGuard Sensors are available to individual users.
- Time Frame: Select predefined time frames or enter your own by selecting Custom.
- Export: You can print the generated ASN graphs or you can save them as PDF through plug-ins.
- Refresh: By default the resulting report is refreshed only when you press the <On Demand> button. If y
43. eter was modified to Yes, every IP address included in 10.1.2.0/25 will generate accounting data.

[Screenshot: IP Zone Configuration window for the IP Zone "Routed Subnets". Subnet tree: 0.0.0.0/0 (Unknown), 10.0.0.0/8 (Internal Network), 10.1.1.0/24 (Customer Service), 10.1.2.0/25 (Office Building). Subnet Parameters for 10.1.2.0/25: IP Description "Office Building" (inheritance: none), IP Graphs Yes (inheritance: 10.0.0.0/8), IP Accounting Yes (inheritance: none).]

In the image below you can see that the 192.168.0.0/16 IP class was added and placed automatically within the 0.0.0.0/0 IP class. WANGuard Sensor will not generate traffic graphs and accounting data for the IP addresses that belong to this IP class.

[Screenshot: IP Zone Configuration window for the IP Zone "Routed Subnets". Subnet tree: 0.0.0.0/0 (Unknown), 10.0.0.0/8 (Internal Network), 10.1.1.0/24 (Customer Service), 10.1.2.0/25 (Office Building), 192.168.0.0/16 (Network Equip). Subnet Parameters for 0.0.0.0/0.]
44. hod is virtually identical to the Port Mirroring method, so WANGuard Sniff is used in this scenario too.

Depending on your network topology and configuration, your needs and your hardware, you must choose between the three methods of traffic capturing. For high-availability scenarios you could use more than one method of traffic capturing in parallel. Please read on to further understand the differences between the supported methods of traffic capturing and the differences between WANGuard Sniff and WANGuard Flow.

Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line Deployment

In order to do traffic monitoring and accounting, WANGuard Sniff inspects all network data packets passing the host server's network card, including the network data packets sent by a monitoring port of a switch or router.

How Port Mirroring, Network TAP, In-line Deployment works

It is very important to understand that WANGuard Sniff can only inspect data packets that actually flow through the network interface(s) of the host server. In switched networks, only the traffic for a specific device is sent to the device's network card. If the server running WANGuard Sniff is not deployed in-line, it can't capture the traffic of other network components. For WANGuard Sniff to analyze the traffic of other hosts in your network, you must use a network TAP or a switch or rout
45. icates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation.

Active WANGuard Flow Systems

The Active WANGuard Flow Systems table displays the latest system information collected from active WANGuard Flow systems that are included in the selected Device Group. If there are no WANGuard Flow systems configured, then this table is not displayed. The table has the following format:

- Status: If the active WANGuard Flow system is functioning properly, then a green checked arrow is displayed. If WANGuard Console cannot manage or reach the WANGuard Flow system, then a red X icon is displayed. In this case make sure that WANGuard Flow is configured correctly, read the Events Logs and make sure that the WANGuardController daemon is running on all systems.
- Description: Displays the description of the WANGuard Flow system. When clicked, a new WANGuard Sensor Tab is opened (see next paragraph).
- Load: The load of the operating system for the last 5 minutes.
- CPU: The CPU percent used by the WANGuard Flow process.
- Mem: The amount of RAM memory used by the WANGuard Flow process.
- Started: The time and date when the WANGuard Flow process started.
- Interface Description: The interface description and a colored box with the configured Graph Color IN.
- IPs: The nu
46. it IP address. By comparing a subnet mask with an IP address, systems can determine which portion of the IP address relates to the network and which portion relates to the host. Anywhere the subnet mask has a bit set to 1, the underlying bit in the IP address is part of the network address. Anywhere the subnet mask is set to 0, the related bit in the IP address is part of the host address.

The size of a network is a function of the number of bits used to identify the host portion of the address. If a subnet mask shows that 8 bits are used for the host portion of the address block, a maximum of 256 host addresses are available for that specific network. If a subnet mask shows that 16 bits are used for the host portion of the address block, a maximum of 65,536 possible host addresses are available for use on that network.

An Internet Service Provider (ISP) will generally assign either a static IP address (always the same) or a dynamic address (changes every time one logs on). ISPs and organizations usually apply to the InterNIC for a range of IP addresses so that all clients have similar addresses. There are about 4.3 billion IP addresses. The class-based legacy addressing scheme places heavy restrictions on the distribution of these addresses. TCP/IP networks are inherently router-based, and it takes much less overhead to keep track of a few networks than millions of them.

IP Classes

Class
47. itch but the WANGuard Sniff is still not running after a few seconds, you can find a description of the error in the WANGuard Sniff Events Logs (see the Logs & Events chapter, page 27) or in the Events Tab in the South Panel.

WANGuard Flow Configuration

When using WANGuard Flow, network devices must be configured to send sFlow or NetFlow v.5 data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1, Configuring NetFlow Data Export (page 53).

[Screenshot: WANGuard Flow Configuration window with the Sensor information, Flow exporter information, Flow exporter monitored interfaces, Validation and filtering, and Advanced options sections]

The WANGuard Flow Configuration window contains the following fields (red fields are mandatory):

- Active: WANGuard Flow is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Flow system is running, then the WA
48. kets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring in switched networks, the use of switches or routers with a so-called monitoring port is required. For configuring Cisco switches, please consult the Catalyst Switched Port Analyzer (SPAN) Configuration Example on http://www.cisco.com/warp/public/473/41.html. To configure TAPs or other devices that support port mirroring, please consult the producer's documentation.

[Screenshot: WANGuard Sniff Configuration window with the Sensor information, Validation and filtering (IP Zone, IP Validation, MAC Validation, MAC Address, Traffic Direction, VLAN Tagging) and Advanced options (BPF Expression, Frames Buffer) sections]

The WANGuard Sniff Configuration window contains the following fields (red fields are mandatory):

- Active: WANGuard Sniff is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Sniff system is running, then the WANGuardController daemon stops it.
- Description: A short generic description that helps you identify the WANGuard Sniff system.
- Device Group: A short description of the role the monitored device pla
49. ks the use of switches or routers with a so-called monitoring port is mandatory. For configuring Cisco switches, please consult the Catalyst Switched Port Analyzer (SPAN) Configuration Example on http://www.cisco.com/warp/public/473/41.html. To configure TAPs or other devices that support port mirroring, please consult the producer's documentation.

WANGuard Console System Requirements for up to 5 WANGuard Sensors

- Architecture: x86 (32 or 64 bit)
- CPU: 1 x Pentium IV 2.4 GHz
- Memory: 500 MBytes
- Network Cards: 1 x Fast Ethernet or Gigabit Ethernet
- Operating System: Linux kernel 2.6.x or FreeBSD 8
- Installed Packages: apache 2.x, php 5.2, mysql 5.x, rrdtool 1.3, perl 5.x, perl-rrdtool, perl-MailTools, perl-DBD-MySQL, perl-MIME-Lite, perl-Email-Date-Format, ping, whois, traceroute, telnet, WANGuard Console 4.1, WANGuard Controller 4.1
- Disk Space: 4 GB (including OS), additional storage when storing IP graphs data

To access the web interface provided by WANGuard Console, one of the following web browsers is required (others should also work but have not been tested):

- Firefox 3.5 or later
- Apple Safari 3.0 or later
- Konqueror 4.0 or later
- Google Chrome

Internet Explorer 7.0 has a slow JavaScript engine and non-standard behavior, so it's not recommended. The web browser must have JavaScript and cookie support activated. Java support and Flash are not required. To access the Contextual Help, please install Adobe
50. WANGuard Console System
The WANGuard Console System table is only displayed if you select All Components, as it cannot be assigned to a particular Device Group. The table has the following format:
• Status: If the WANGuard Console system is functioning properly, then a green checked arrow is displayed.
• Load: The load of the operating system for the last 5 minutes.
• Mem: The amount of RAM memory used by the current PHP process.
• Started: The time and date when WANGuard Console's database server has been started.
• Online Users: The number of active WANGuard Console sessions.
• Free Graphs Disk: The disk space available on the partition configured to store IP graphs data.
• Free DB Disk: The disk space available on the partition that is configured to store the MySQL database.
• DB Size: The amount of disk space used by the WANGuard Database.
• DB Active Clients: The number of clients that are currently using the MySQL server.
• DB Active Connections: The number of active connections on the MySQL server.
• Avg. DB Queries/s: The average number of database queries per second reported by the MySQL server.
Active WANGuard Sniff Systems
The Active WANGuard Sniff Systems table displays the latest system information collected from active WANGuard Sniff systems that are included in the selected Device Group. If there are no WANGuard Sniff systems configured, then this table is not displayed. The table has the f
51. low
Note that for routers with distributed switching (GSRs, 75XXs) the RP cli will only show flows that made it up to the RP. To see flows on the individual linecards, use the attach or if-con command and issue the sh ip ca fl on each LC.
Enable the exports of these flows with the global commands:
    router(config)# ip flow-export version 5
    router(config)# ip flow-export destination <ip-address> 2000
    router(config)# ip flow-export source FastEthernet0
Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used as an example. WANGuard Flow is using NetFlow version 5. The ip flow-export source command is used to set up the source IP address of the exports sent by the equipment.
If your router uses the BGP protocol, you can configure AS to be included in exports with the command:
    router(config)# ip flow-export version 5 [peer-as | origin-as]
The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Please use only these values, as they decrease the RAM usage and increase the performance of WANGuard Flow:
    router(config)# ip flow-cache timeout active 1
    router(config)# ip flow-cache timeout inactive 30
In enable mode you can see the current NetFlow configuration and state:
    router# show ip flow export
    router# show ip cache flow
    router# show
52. mber of unique IP addresses detected making traffic through the interface. Only your network's IP addresses are counted.
• Pkts/s (In / Out): The packets/second throughput after validation and filtering. Only the traffic passing the interface is analyzed.
• Bits/s (In / Out): The bits/second throughput after validation and filtering. Only the traffic passing the interface is analyzed.
• Flows/s: The rate of flows that contain traffic passing the interface.
• Flows Delay: Because traffic data must be aggregated first, flow devices export flows with a configured delay. Some devices export flows much later than the configured delays, and this field contains the maximum flows delay detected by WANGuard Flow. WANGuard Flow cannot run with delays over 5 minutes. To minimize the RAM usage and maximize the performance of the WANGuard Flow process, the flows must be exported as soon as possible.
WANGuard Sensor Tabs
When clicking a WANGuard Sensor, a new tab opens that includes 3 additional sub-tabs located on the bottom of the window: Sensor Graphs, Sensor Tops and Protocol Distribution. All these sub-tabs use the following common toolbar fields:
• WANGuard Sensors: Select the WANGuard Sensors you're interested in. Multiple selections can be made. Administrators can filter what WANGuard Sensors are available to individual users.
• Time Frame: Select predefined time frames or enter your own by selecting Custom.
• Export: You can print the g
53. [Screenshot: IP Zone Configuration window, Subnet Parameters for 0.0.0.0/0. IP Description: Unknown; IP Graphs: No; IP Accounting: No; Inheritance: none]
How To Choose A Method Of Traffic Capturing
This section explains the available methods you can use for traffic capturing. Reading this chapter is strongly recommended, as it will help you understand how to deploy WANGuard Sensor in your network.
Supported Traffic Capturing Methods
WANGuard Sensor was designed to monitor anything from the largest enterprises with hundreds of thousands of endpoints to the smallest branch office with tens of endpoints. The supported traffic capturing methods work with most switches, routers, firewalls and other network devices. The methods are:
• Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP: The analysis of network packets sent by a monitoring port of a switch, router or network TAP. The WANGuard Sensor that handles network packets is called WANGuard Sniff.
• NetFlow & sFlow Monitoring: The analysis of pre-aggregated data flows sent by NetFlow, sFlow or NetStream enabled routers and Layer 3 switches. The WANGuard Sensor that handles NetFlow, sFlow and NetStream data is called WANGuard Flow.
• In-line Deployment: The analysis of incoming and outgoing network packets that pass through a network card of an in-line deployed Linux or FreeBSD server. From a software perspective this met
54. n 5
    switch(config)# mls nde sender version 5
The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as they decrease the RAM usage and increase the performance of WANGuard Flow:
    switch(config)# mls aging long 8
    switch(config)# mls aging normal 4
On the Supervisor Engine 1, issue the following to put full flows into the NetFlow exports:
    switch(config)# mls flow ip full
If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher, issue the following commands instead:
    switch(config)# mls flow ip interface-full
    switch(config)# mls nde interface
Configuring NDE on a 4000 Series Switch
Configure the switch the same as an IOS device, but instead of the command ip route-cache flow use the command ip route-cache flow infer-fields. This series requires a Supervisor IV with a NetFlow Services daughter card to support NDE.
Configuring NDE on a Juniper Router
Juniper supports flow exports by the routing engine sampling packet headers and aggregating them into flows. Packet sampling is done by defining a firewall filter to accept and sample all traffic, applying that rule to the interface and then configuring the sampling forwarding option.
    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    filter {
                        input all;
                        output all;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
    }
    firewall filter
55. n the selected IP Zone, excluding 0.0.0.0/0.
   o Strict: WANGuard Flow will only analyze the traffic that has either the source or the destination IP addresses in the selected IP Zone, excluding 0.0.0.0/0.
• AS Validation: Flows might contain the source and destination ASN (Autonomous System Number). In most configurations, if the ASN is set to 0 then the IP address belongs to your Autonomous System. AS Validation has three options:
   o Off: Will disable AS Validation.
   o On: Only flows that have the source ASN and/or the destination ASN set to 0 are analyzed.
   o Strict: Only flows that have either the source ASN or the destination ASN set to 0 are analyzed.
• Analyzer Interval: RAM usage using the highest accuracy (5 seconds) can be very high. Decreasing the accuracy will decrease RAM usage and won't have any negative effects in most scenarios. A very low accuracy increases the traffic anomaly detection time.
• Protocol: You can use WANGuard Flow with Netflow version 5 or sFlow (through a sflowtool wrapper).
• Comments: You can use this field to store comments about the current WANGuard Flow configuration.
In the following configuration example, WANGuard Flow monitors traffic passing the WAN and LAN interfaces and uses IP class information found in the Routed Subnets IP Zone.
[Screenshot: WANGuard Flow Configuration window; Active: checked; Description: Netflow Router]
56. n zone in the West Panel.
[Screenshot: IP Graphs Configuration window. Data Path: /opt/wanguard/rrd; Graph Color IN, Graph Color OUT; Stored data: Inbound Bits, Inbound Pkts, Outbound Bits, Outbound Pkts; Accuracy (RRA): store 5 minute(s) averages for 7 day(s), store 15 minute(s) averages for 1 month(s), store 2 hour(s) averages for 1 year(s); Consolidation (CF): Minimum, Average, Maximum; Storage space required per IP: 602.7k]
By default, every WANGuard Sensor stores IP graphs data with 5 minutes averages for 7 days, 15 minutes averages for 1 month and 2 hours averages for 1 year. If you do not change the default parameters, every IP for which you enabled graphs will require 603 kbytes of storage on the WANGuard Console's file system.
The first accuracy parameter (5 minutes) specifies the granularity of the graphs. You can set the granularity value between 5 seconds and 5 minutes. When using WANGuard Flow, do not set the granularity parameter to a lower value than the Analyzer Interval parameter. When granularity has a low value, WANGuard Sensor uses more CPU, the WANGuard Console system becomes more loaded, and the network traffic between WANGuard Sensor and WANGuard Console is increased if the components are not installed on the same server.
The averages and intervals values specify the granularity for old data and for how long you want the data to be stored. The Stored Data option
57. ned in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. ANDRISOFT S.R.L. will not be responsible for any loss, costs or damages incurred due to the use of this documentation.
WANGuard Lite is a SOFTWARE PRODUCT of ANDRISOFT S.R.L. ANDRISOFT and WANGuard are trademarks of ANDRISOFT S.R.L. Other company, product or service names may be trademarks or service marks of others.
ANDRISOFT S.R.L., Str. Lunei L30 Ap. 11, 300109 Timisoara, Timis, Romania
Phone: 40721250246
Fax: 40256209738
Sales: sales@andrisoft.com
Technical Support: support@andrisoft.com
Website: http://www.andrisoft.com
Copyright ANDRISOFT S.R.L. 2008. All rights reserved.
Table of Contents
1. Traffic Monitoring and Traffic Accounting with WANGuard Lite
2. Network Basics You Should Be Aware Of
3. Getting Started with WANGuard Lite
58. nformation about any combination of the following network elements and segments: a network server, client or router; a network link, subnet or an entire network; an individual Internet user or company; an Internet Service Provider (ISP).
Each WANGuard Sensor extracts the following information from its current IP Zone:
• the IP classes that will be monitored
• the IP classes that will generate traffic graphs and accounting data
• IP groups
When configuring a WANGuard Sensor (Page 42), you have to select the IP Zone that will be used. An IP Zone may be used by multiple WANGuard Sensor systems, but a WANGuard Sensor system can use only one IP Zone.
An IP Zone must contain the IP classes that are routed within your Autonomous System or the IP classes owned by your organization. If you don't populate the IP Zone with your IP classes, then WANGuard Sniff can only validate the traffic it captures by analyzing the MAC address of the upstream or downstream router. If you don't populate the IP Zone with your IP classes, then WANGuard Flow can only validate the traffic it captures by analyzing the ASN or the interface type.
Keep in mind that WANGuard Lite defines IPs and IP classes using the CIDR notation. To enter individual hosts in IP Zones you must use the /32 CIDR. For more about CIDR notation you can consult the "Network Basics You Should Be Aware Of" chapter (Page 7).
Inheritance
One very special IP class that is defined by default
59. o No, then no graphs will be generated for the current IP class.
• Comments Panel: Here you can provide details and comments about the subnet.
IP Zone Configuration Example
In the following images you will see how IP Zone inheritance works and how you can configure the monitored IP classes.
[Screenshot: IP Zone Configuration window for the IP Zone "Routed Subnets", showing Subnet Parameters for 0.0.0.0/0. IP Description: Unknown; IP Graphs: No; IP Accounting: No; Inheritance: none]
By default, the 0.0.0.0/0 supernet has the IP Accounting and IP Graphs parameters set to No. We don't recommend generating traffic graphs and accounting reports for unknown IP addresses.
After adding the 10.0.0.0/8 IP class using the <Add Subnet or Host> button, the tree is immediately updated to contain the new IP class. The Inheritance column shows which values are inherited and from which parent IP class.
[Screenshot: IP Zone Configuration window for the IP Zone "Routed Subnets", showing Subnet Parameters for 10.0.0.0/8]
60. o be aggregated for. Could be Daily, Weekly, Monthly and Yearly.
• Sum IPs: Don't check the Sum IPs option if you want a different traffic accounting report displayed for every IP address contained in the selected IP class or IP Group. For example, when this option is used with a /24 CIDR, then 256 traffic accounting reports are displayed, one for each IP address in the C class.
• Sum Sensors: If unchecked, each WANGuard Sensor generates a different traffic accounting report. If checked, all selected WANGuard Sensors generate a single traffic accounting report that contains the summed traffic accounting data.
Reports: Logs & Events
The Logs & Events panel, located in the Reports region of the West Panel, provides a way to access the wanguard database for troubleshooting and debugging purposes.
Events Logs
Events Logs contain all events generated by WANGuard Lite components. You can sort, filter and manage the columns of the tables by clicking the down arrow on any column header. Each component that generates events is listed in the Logs & Events panel. Records are shown in the following format:
• <>: You can see details about each event by clicking this button.
• Description: The description of the WANGuard Lite component that generated the event.
• Module: The module or internal function that generated the event.
• Level: Events are tagged with
61. o do so.
[Screenshot: WANGuard Licensing Setup page. Validation: PHP Version (incl. JSON), PHP MagicQuotes, RRDtool 1.3 + RRDs, DBI installed, WANGuardController running; License Key File: select the new wanguard.key file; Save]
You must then upload the wanguard.key file we sent you by email by clicking the key icon. The license key contains encrypted information about the licensed capabilities of the software. You can upgrade to the Full version (incl. traffic anomalies detection & protection) or downgrade to the Lite version (without traffic anomalies detection & protection) solely by changing the license key.
Log into WANGuard Console using the default username / password combination of admin / wanguard.
[Screenshot: WANGuard Console login page with the fields Username, Password and Language]
After you have logged into WANGuard Console, you can view and change license information by pressing the <About> button in the upper right part of the window.
The next steps in quickly configuring WANGuard Lite are: Modify the Administrator's password (next paragraph), define
62. ollowing format:
• Status: If the active WANGuard Sniff system is functioning properly, then a green checked arrow is displayed. If WANGuard Console cannot manage or reach the WANGuard Sniff system, then a red X icon is displayed. In this case make sure that WANGuard Sniff is configured correctly, read the Events Logs and make sure that the WANGuardController daemon is running on all systems.
• Description: Displays the description of the WANGuard Sniff system and a colored box with the Graph Color IN as defined in its configuration. When clicked, a new WANGuard Sensor Tab is opened (see next paragraph).
• Load: The load of the operating system for the last 5 minutes.
• CPU: The CPU percent used by the WANGuard Sniff process.
• Mem: The amount of RAM memory used by the WANGuard Sniff process.
• Started: The time and date when the WANGuard Sniff process started.
• IPs: The number of unique IP addresses detected making traffic. Only your network's IP addresses are counted.
• Pkts/s (In / Out): The packets/second throughput after validation and filtering.
• Bits/s (In / Out): The bits/second throughput after validation and filtering.
• Received Pkts/s: The rate of received packets before validation and filtering.
• Dropped Pkts/s: It represents the rate of packets dropped in the capturing process. When the number is high it ind
63. [Screenshot: user settings form for the Default Administrator Account, with Additional information (Company, Position, E-mail, Telephone), Settings (Home Tab, Events Verbosity) and Comments]
INFO: The Full Name, Company, Position, E-mail, Telephone and Comments fields are optional.
The Home Tab lets you decide which tab from the Reports Panel should be opened immediately after logging in. After Sensors are configured, choosing the Default Dashboard is a good option.
The Events Verbosity field lets you select the minimum severity level of the events that will be displayed in the South Panel and Logs & Events Panel:
• MELTDOWN: Meltdown events are generated when a very serious error is detected in the system, such as a hardware error.
• CRITICAL: Critical events are generated when a significant software error is detected, such as a memory exhaustion.
• ERROR: Error events are caused by misconfiguration or communication errors between WANGuard Lite components.
• WARNING: Warning events are generated when authentication errors occur, when there are errors updating graph data files or when there are synchronization issues.
• INFO: Informational events are generated when configurations are changed and when users log into WANGuard Console.
• DEBUG: Debug events are used only for troubleshooting purposes.
Since 4.1, users can be authenticated through LDAP. To use LDAP, click LDAP Settings in the WANGuard Con
64. or performance penalty under very high loads.
   o Inbound: WANGuard Sniff will only monitor inbound traffic.
• VLAN Tagging: This option is now obsolete. Since 4.1, VLAN and MPLS headers are ignored.
• Comments: You can use this field to store comments about the current WANGuard Sniff configuration.
An example of a working WANGuard Sniff configuration is displayed below. This WANGuard Sniff system analyzes all VLAN 900 traffic it receives on the first network interface and uses IP class information found in the Routed Subnets IP Zone for validation.
[Screenshot: WANGuard Sniff Configuration window. Active: checked; Description: LAN Switch VLAN 900; Device Group: Core Network; IP Address: 192.168.1.100; Interface: eth0.900; Link Speed IN: 1 Gbps; Link Speed OUT: 1 Gbps; IP Zone: Routed Subnets; IP Validation: On; MAC Validation: None; Traffic Direction: Inbound & Outbound; Frames Buffer: 10000; Comments: configuration example]
After a new WANGuard Sniff system is added, the WANGuard Sensor panel is updated. If there is a green OK sign on the right of the WANGuard Sniff's description, then the WANGuard Sniff is running. If there is a red X sign instead, then the WANGuard Sniff is inactive or not running. If you checked the Active sw
65. ou select a refresh interval, then the report will be constantly refreshed, and if a predefined time frame was selected then that will be updated too.
• Autonomous Systems Number(s): Here you can enter the ASNs you're interested in, separated by space. If you don't know which ASN a particular ISP has, you can click Help > AS Information > AS Numbers List on the upper right side of the window. You can then apply different filters by clicking the table header's down icon.
• Graphs Size: You can select a predefined graphs size OR you may enter your own graphs size as <xpixels> x <ypixels>.
• Sum Sensors: If unchecked, each WANGuard Sensor generates a different ASN graph. If checked, all selected WANGuard Sensors generate a single ASN graph that contains summed traffic data.
• Sum ASNs: If you entered multiple Autonomous Systems Numbers, then you can sum all of them in a single ASN graph. This is extremely useful with ISPs and ASN owners that have more than 1 allocated ASN.
Reports: Dashboards
Dashboards are the best way to organize the viewing of data so that it suits your particular needs. WANGuard Console allows users with Administrator or Operator roles to create and edit dashboards that contain custom widgets. Administrators can also restrict what Dashboards are available to individual users.
[Screenshot: WANGuard Console 4.0 in Mozilla Firefox]
66. played IP Groups by entering a string that exists in the IP Group you're interested in. IP Groups are a great way to generate IP traffic reports for clients that have multiple allocated IP classes. You just have to define those IP classes with the same IP Group. Administrators can filter what IP Addresses and IP Groups are available to individual Users.
By clicking a subnet or IP Group, a new tab will open that includes 2 additional sub-tabs located on the bottom of the window: IP Graphs and IP Accounting. Both sub-tabs use the following common toolbar fields:
• WANGuard Sensors: Select the WANGuard Sensor systems that captured the traffic you're interested in. Multiple selections can be made and by default all WANGuard Sensors are selected. Administrators can filter what WANGuard Sensors are available to individual users.
• Data Unit: IP Graphs and IP Accounting reports can be generated for Bits/second, Bytes/second and Packets/second.
• Time Frame: Select predefined time frames or enter your own by selecting Custom.
• Export: You can print the generated IP reports or you can save them as PDF through plug-ins.
• Refresh: By default, the resulting report is refreshed only when you press the <On Demand> button. If you select a refresh interval, then the report will be constantly refreshed, and if a predefined time frame was selected then that will be updated too.
IP Graphs
67. r each method are different. The requirements are listed in the next chapter.
Comparison by WANGuard Sensor type:
• Traffic Capturing Technology
   o WANGuard Sniff: Port Mirroring, Network TAP, In-line Deployment
   o WANGuard Flow: sFlow, NetFlow or NetStream v.5 enabled network devices
• Maximum Traffic Capacity
   o WANGuard Sniff: 10 GigE, > 150,000 endpoints
   o WANGuard Flow: 10 GigE, < 100,000 endpoints
• Traffic Parameters Accuracy
   o WANGuard Sniff: Highest (5 seconds averages)
   o WANGuard Flow: High
• Traffic Validation Options
   o WANGuard Sniff: IP classes, MAC addresses, VLANs
   o WANGuard Flow: IP classes, interfaces, AS Number
Manufacturer devices supporting WANGuard Flow are: Cisco Systems 1400, 1600, 1700, 2500, 2600, 3600, 4500, 4700, AS5300, 5800, 7200, 7500, Catalyst 4500, Catalyst 5000, 6500, 7600, ESR 10000, GSR 12000; Juniper; Extreme Networks; Huawei; 3COM; HP and others.
WANGuard Sensor Setup
This chapter describes how to configure WANGuard Sensor systems through WANGuard Console. To manage WANGuard Sensor systems you must first click Configuration from the West Panel and then expand the WANGuard Sensor Panel. Keep in mind that our support team can help you with any configuration issues. To learn more about the differences between the two types of WANGuard Sensor, please consult Chapter 2, "How To Choose A Method Of Traffic Capturing" (Page 39).
WANGuard Sniff Configuration
When using WANGuard Sniff, you must know that by default only data pac
68. ranges for subnets.
About
The About window provides information about the WANGuard version and license. The license key can be viewed and updated from this window.
Appendix 1: Configuring NetFlow Data Export
This appendix is a brief guide to setting up the NetFlow data export (NDE) on Cisco and Juniper routers or intelligent Cisco Layer 2 / Layer 3 / Layer 4 switches. If you have problems with the configuration, contact your network administrator or Cisco consultant. For devices that run hybrid mode on a Supervisor Engine (Catalyst 65xx series), it is recommended to configure IOS NDE on the MSFC card and CatOS NDE on the Supervisor Engine. For more information about setting up NetFlow, please visit http://www.cisco.com/go/netflow.
Configuring NDE on an IOS Device
In the configuration mode on the router or MSFC, issue the following to start NetFlow Export.
First enable Cisco Express Forwarding:
    router(config)# ip cef
    router(config)# ip cef distributed
And turn on flow accounting for each input interface with the interface command:
    interface
    ip route-cache flow
For example:
    interface FastEthernet0
    ip route-cache flow
    interface Serial2/1
    ip route-cache flow
It is necessary to enable NetFlow on all interfaces through which traffic you are interested in will flow. Now verify that the router or switch is generating flow stats: try command show ip cache f
69. s: For WANGuard Sniff, it represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow, it represents the rate of flows dropped in the flow receiving process. When the number is high, it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.
   o Unknown frames: For WANGuard Sniff, it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow, it represents the rate of discarded flows caused by validation or filtering.
• Graphs Size: You can select a predefined graphs size OR you may enter your own graphs size as <xpixels> x <ypixels>.
• Graphs Consolidation: Select the graphs consolidation procedure for the graph: MINIMUM, MAXIMUM or AVERAGE. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type.
• Sum Sensors: If unchecked, each selected WANGuard Sensor generates a different graph. If checked, all selected WANGuard Sensors generate a single graph that contains all data.
Sensor Tops
The Sensor Tops sub-tab generates various traffic tops for the selected WANG
70. s lets you select the traffic parameters that will be stored.
The Consolidation option lets you select how you want the average values to be consolidated. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type.
All the above options have a direct impact on the storage space required on the WANGuard Console file system. The "Storage space required per IP" value will be updated when you click the <Update> button. If you change the graphs parameters, make sure you delete old rrd files from the defined Data Path.
Scheduled Reports
Scheduled Reports is a great way to set up the Console to automatically email reports to you or to your customers. You can manage them by expanding the Scheduled Reports Panel from the Configuration zone in the West Panel. To see what the report would look like, enter a description and your email address, and then click the Save & Test button. Immediately after that you should receive an email with the report.
[Screenshot: Scheduled Report Configuration window with the fields Active, Description, Email To; report types WANGuard Sensor Report and IP Group Report; WANGuard Sensors: All; options Include Traffic Anomalies, Include Sensor Graphs, Include Protocols Distribution Graphs]
71. sole Users window and enter the LDAP server settings. Login Attribute usually is sAMAccountName for Active Directory or uid for OpenLDAP. You can then check LDAP Authentication in each user profile.
Administrators can restrict Users' access to the following reports and panels: South Panel, West Panel, Traffic Alarms (only for WANGuard Platform), Autonomous Systems, Logs & Events, IP Addresses, Dashboards, Device Groups and IP Groups. Dashboards, Device Groups and IP Groups can be filtered, so you can give your customers access only to traffic reports and dashboards that contain fine-grained, relevant data.
[Screenshot: Add User window with the fields Full Name, User Name, Password; Additional information: Company, Position, E-mail, Telephone; Settings: Home Tab (Welcome), Events Verbosity (WARNING); Permissions: South Panel, West Panel; West Panel Permissions: Traffic Alarms, Autonomous Systems, Logs & Events, IP Addresses, Dashboards (All), Available Dashboards, Device Groups (All), Available Device Groups, IP Descriptions (All), Available IP Descriptions; Comments]
IP Zones Setup
This chapter describes how to create and manage IP Zones. To add a new IP Zone, select Configuration from the West Panel and then expand the IP Zones Panel.
Understanding IP Zones
IP Zones are hierarchical, tree-like structures that contain user provided i
72. sure bandwidth usage by IP Address is to use the NetFlow / sFlow protocol, which is especially suited for high traffic remote routers. Many routers and Layer 3 switches from Cisco support this protocol, as well as vendors like Huawei (NetStream), Juniper, Extreme Networks, 3COM, HP and others. Network devices with NetFlow & sFlow support track the bandwidth usage of the network internally and can be configured to send pre-aggregated data to a Linux or FreeBSD server running WANGuard Flow for traffic analysis and accounting purposes.
Reasons to choose NetFlow & sFlow Monitoring
Because the NetFlow and sFlow protocols already perform a pre-aggregation of traffic data, the flows of data sent to the monitoring server running WANGuard Flow are much smaller than the monitored traffic. This makes NetFlow or sFlow the ideal option for monitoring remote, high traffic networks. The downside of NetFlow and sFlow monitoring is that computing the pre-aggregation of traffic data requires large amounts of RAM, it has significant delays, and the accuracy of traffic parameters is lower than when directly inspecting network packets, especially when packet sampling is used.
Comparison between Packet Sniffing and NetFlow / sFlow Monitoring
The table below provides a quick comparison between the three available traffic capturing technologies. The system requirements fo
73. uard Sensors. Top generation for large time frames may take minutes. In this case, increase the max_execution_time parameter from php.ini.
[Screenshot: WANGuard Console 4.0 in Mozilla Firefox, Sensor Tops sub-tab for the NetFlow Router sensors (WAN and LAN). Time Frame: Last Day; Top Type: Autonomous Systems; Top Protocol: IP; the inbound tops list ASN, Description, Pkts/s and Bits/s]
74. [Screenshot: WANGuard Console, Default Dashboard. Panels: All Sensors Top 10 Talkers (Bits/s, Last Hour; columns IP Address, IP Description, IP Bits/s); All Sensors Bits/s, Last Week; All Sensors Inbound Bits/s (columns Sensor Description, Bits/s Inbound); All Sensors Top 5 IP Protocols (columns IP Protocol Description, IP Bits/s).]
75. ys within the network, its location, etc.
• IP Address: A unique IP address configured on the server that runs the selected WANGuard Sniff. This field is used by the WANGuardController daemon for system identification.
• Interface: This field must contain the network interface that receives the port-mirrored traffic. If the WANGuard Sniff server is deployed in-line, then it must contain the network interface that receives the traffic towards your network. The network interface name must use the network interface naming conventions of the Linux operating system: eth0 for the first interface, eth1 for the second, eth0.900 for the first interface with VLAN 900, and so on.
• Graph Color In/Out: Here you can select the color you will see on sensor graphs as Inbound and Outbound traffic for the current WANGuard Sniff. By default a random color will be chosen. To change the color, you can enter it as an HTML Color Code or select it manually by clicking the drop-down menu.
• Link Speed In/Out: The speed of the monitored links for Inbound traffic and for Outbound traffic. This is used to generate reports based on usage percent.
• IP Zone: The IP Zone field provides a selection of currently defined IP Zones that can be used by WANGuard Sniff. If the field has no options, then you must first define an IP Zone. For more information about IP Zones, please consult the IP Zones Setup chapter (page 34).
• IP Validation: For WANGuard
