
WANGuard Platform 3.0 User Manual


Contents

1. WANGuard Lite 4.0 User Manual. Copyright & trademark notices: This edition applies to version 4.0 of the licensed program WANGuard Lite and to all subsequent releases and modifications until otherwise indicated in new editions. Notices: References in this publication to ANDRISOFT S.R.L. products, programs, or services do not imply that ANDRISOFT S.R.L. intends to make these available in all countries in which ANDRISOFT S.R.L. operates. Evaluation and verification of operation in conjunction with other products, except those expressly designated by ANDRISOFT S.R.L., are the user's responsibility. ANDRISOFT S.R.L. may have patents or pending patent applications covering subject matter in this document. Supplying this document does not give you any license to these patents. You can send license inquiries, in writing, to the ANDRISOFT S.R.L. marketing department, sales@andrisoft.com. Copyright Acknowledgment: ANDRISOFT S.R.L. 2008. All rights reserved. This document is copyrighted and all rights are reserved by ANDRISOFT S.R.L. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without the permission in writing from ANDRISOFT S.R.L. The information contain
2. Manufacturer devices supporting WANGuard Flow are: Cisco Systems 1400, 1600, 1700, 2500, 2600, 3600, 4500, 4700, AS5300, 5800, 7200, 7500, Catalyst 4500, Catalyst 5000, 6500, 7600, ESR 10000, GSR 12000, Juniper, Extreme Networks, Huawei, 3COM, HP and others. WANGuard Sensor Setup: This chapter describes how to configure WANGuard Sensor systems through WANGuard Console. To manage WANGuard Sensor systems you must first click Configuration from the West Panel and then expand the WANGuard Sensor Panel. Keep in mind that our support team can help you with any configuration issues. To learn more about the differences between the two types of WANGuard Sensor, please consult Chapter 2, How To Choose A Method Of Traffic Capturing (Page 40). WANGuard Sniff Configuration: When using WANGuard Sniff you must know that, by default, only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring in switched networks, the use of switches or routers with a so-called "monitoring port" is required. For configuring Cisco switches please consult Catalyst Switched Port Analyzer (SPAN) Configuration Example on http://www.cisco.com/warp/public/473/41.html. To configure TAPs or other devices that support port mirroring, please consult the producer's documentation.
3. Class D addresses are used for multicasting applications. Class D addresses have their first three bits set to 1 and their fourth bit set to 0. Class D addresses are 32-bit network addresses, meaning that all the values within the range of 224.0.0.0 - 239.255.255.255 are used to uniquely identify multicast groups. There are no host addresses within the Class D address space, since all the hosts within a group share the group's IP address for receiver purposes. Class E addresses are defined as experimental and are reserved for future testing purposes. They have never been documented or utilized in a standard way. The WANGuard Lite uses extensively, throughout its components, IP Addresses and IP Classes with the CIDR notation. [Table: Subnet CIDR Notation, with columns CIDR, Class, Hosts, Mask]
4. WANGuard Console System: The WANGuard Console System table is only displayed if you select All Components, as it cannot be assigned to a particular Device Group. The table has the following format. Status: If the WANGuard Console system is functioning properly then a green checked arrow is displayed. Load: The load of the operating system for the last 5 minutes. Mem: The amount of RAM memory used by the current PHP process. Started: The time and date when WANGuard Console's database server has been started. Online Users: The number of active WANGuard Console sessions. Free Graphs Disk: The disk space available on the partition configured to store IP graphs data. Free DB Disk: The disk space available on the partition that is configured to store the MySQL database. DB Size: The amount of disk space used by the WANGuard Database. DB Active Clients: The number of clients that are currently using the MySQL server. DB Active Connections: The number of active connections on the MySQL server. Avg DB Queries/s: The average number of database queries per second reported by the MySQL server. Active WANGuard Sniff Systems: The Active WANGuard Sniff Systems table displays the latest system information collected from
5. pixels or higher resolution monitor. Software Installation & Download: Software installation instructions are listed and updated on the Andrisoft website for RedHat-based, SuSE-based and Debian-based Linux distributions. You may try a fully functional version of WANGuard Lite for 30 days. You can switch to a full-time registered version by applying a purchased license key. Binary WANGuard Lite components are packaged differently for i686 architectures (32-bit Pentium and beyond) and for x86_64 architectures (64-bit Intel/AMD processors). Opening WANGuard Console for the first time: WANGuard Console is essentially the web interface through which you will control and monitor all other components. If you followed the installation instructions correctly, from now on you will only need to log into WANGuard Console to manage the components. To log into WANGuard Console, use a compatible web browser (listed at page 30) and access http://<hostname>/wanguard, where <hostname> is the name of the server where WANGuard Console is installed. If the page cannot be displayed, make sure the Apache web server is running and the firewall does not block incoming traffic on port 80. If you haven't licensed WANGuard Lite yet, you will be asked to do so.
6. [Figure: IP Accounting report screenshot, listing per-IP inbound and outbound traffic values] The following options are available. Report Type: Select the interval you want for the data to be aggregated for. Could be Daily
7. [Figure: IP Zone Configuration window showing Subnet Parameters for 0.0.0.0/0] By default the 0.0.0.0/0 supernet has IP Accounting and IP Graphs parameters set to No. We don't recommend to generate traffic graphs and accounting reports for unknown IP addresses. After adding the 10.0.0.0/8 IP class using the <Add Subnet or Host> button, the tree is immediately updated to contain the new IP class. The Inheritance column shows what are the inherited values and from which parent IP class. [Figure: IP Zone Configuration window showing Subnet Parameters for 10.0.0.0/8, described as Internal Network] In the image above you can see that the IP Accounting value is inherited from 0.0.0.0/0 because it is the only unmodified parameter. Every IP that belongs to the Internal Network will generate traffic graphs because the IP Graphs par
8. IP address contained in the selected IP class or IP Description. For example, when this option is used with a /24 CIDR then 256 traffic graphs are displayed, one for each IP address in the C class. Sum Sensors: If unchecked, each WANGuard Sensor generates a different traffic graph. If checked, all selected WANGuard Sensors generate a single traffic graph that contains the summed traffic data. IP Accounting: The IP Accounting sub-tab generates IP traffic accounting reports for the selected IP class, host or IP Description. [Figure: WANGuard Console IP Accounting sub-tab, "Traffic accounting for 12.81.134.0/24 on LAN Switch vlan900 at April 2010", with columns IP Address, Average Inbound Bits/s, Total Inbound Bits, Average Outbound Bits/s, Total Outbound Bits]
9. Sensor generates a different top. If checked, all selected WANGuard Sensors generate a single top instead. Protocols Distribution: WANGuard Sensor systems collect protocols distribution data. Currently supported protocols are: SNMP, FTP, SSH, TELNET, SMTP, HTTP, POP3, IMAP, SQL, NETBIOS, IRC, DIRECTCONNECT, TORRENT, DNS, ICMP. Protocol detection is unreliable for applications that use non-standard, randomized source or destination ports (torrent is the best example). [Figure: Protocols distribution graph for NetFlow Router WAN, NetFlow Router LAN]
10. Weekly, Monthly and Yearly. Sum IPs: Don't check the Sum IPs option if you want a different traffic accounting report displayed for every IP address contained in the selected IP class or IP Description. For example, when this option is used with a /24 CIDR then 256 traffic accounting reports are displayed, one for each IP address in the C class. Sum Sensors: If unchecked, each WANGuard Sensor generates a different traffic accounting report. If checked, all selected WANGuard Sensors generate a single traffic accounting report that contains the summed traffic accounting data. Reports: Logs & Events. The Logs & Events panel, located in the Reports region of the West Panel, provides a way to access the wanguard database for troubleshooting and debugging purposes. Events Logs: Events Logs contain all events generated by WANGuard Lite components. You can sort, filter and manage the columns of the tables by clicking the down arrow on any column header. Each component that generates events is listed in the Logs & Events panel. Records are shown in the following format. <>: You can see details about each event by clicking this button. Description: The description of the WANGuard Lite component that generated the event. Module: The module or internal function that generated the event. Level: Events are tagged with a severity value that describes t
11. active WANGuard Sniff systems that are included in the selected Device Group. If there are no WANGuard Sniff systems configured then this table is not displayed. The table has the following format. Status: If the active WANGuard Sniff system is functioning properly then a green checked arrow is displayed. If WANGuard Console cannot manage or reach the WANGuard Sniff system then a red X icon is displayed. In this case make sure that WANGuard Sniff is configured correctly, read the Events Logs and make sure that the WANGuardController daemon is running on all systems. Description: Displays the description of the WANGuard Sniff system and a colored box with the Graph Color IN as defined in its configuration. When clicked, a new WANGuard Sensor Tab is opened (see next paragraph). Load: The load of the operating system for the last 5 minutes. CPU: The CPU percent used by the WANGuard Sniff process. Mem: The amount of RAM memory used by the WANGuard Sniff process. Started: The time and date when the WANGuard Sniff process started. IPs: The number of unique IP addresses detected making traffic. Only your network's IP addresses are counted. Pkts/s (In / Out): The packets/second throughput after validation and filtering. Bits/s (In / Out): The bits/second throughput after validation and filtering. Received Pkts/s: The
12. all selected WANGuard Sensors generate a single graph that contains all data. Sensor Tops: The Sensor Tops sub-tab generates various traffic tops for the selected WANGuard Sensors. Top generation for large time frames may take minutes. In this case, increase the max_execution_time parameter from php.ini. [Figure: WANGuard Console Sensor Tops sub-tab showing an Autonomous Systems top for NetFlow Router WAN, NetFlow Router LAN]
13. every time one logs on. ISPs and organizations usually apply to the InterNIC for a range of IP addresses so that all clients have similar addresses. There are about 4.3 billion IP addresses. The class-based, legacy addressing scheme places heavy restrictions on the distribution of these addresses. TCP/IP networks are inherently router-based, and it takes much less overhead to keep track of a few networks than millions of them. IP Classes: Class A addresses always have the first bit of their IP addresses set to 0. Since Class A networks have an 8-bit network mask, the use of a leading zero leaves only 7 bits for the network portion of the address, allowing for a maximum of 128 possible network numbers, ranging from 0.0.0.0 - 127.0.0.0. Number 127.x.x.x is reserved for loopback, used for internal testing on the local machine. Class B addresses always have the first bit set to 1 and their second bit set to 0. Since Class B addresses have a 16-bit network mask, the use of a leading 10 bit-pattern leaves 14 bits for the network portion of the address, allowing for a maximum of 16,384 networks, ranging from 128.0.0.0 - 181.255.0.0. Class C addresses have their first two bits set to 1 and their third bit set to 0. Since Class C addresses have a 24-bit network mask, this leaves 21 bits for the network portion of the address, allowing for a maximum of 2,097,152 network addresses, ranging from 192.0.0.0 - 223.255.255.0
14. is divided in two sections, one on the left and one on the right. In the upper side of the left section you will see a button that is used to add IP addresses/subnets to the IP Zone. Below you will see the allocated IP classes tree. When adding a new IP class, the tree is automatically updated. You may add or delete subnets by right-clicking any subnet row. In the right section you will see detailed information about the selected IP class or IP address. As explained in the Understanding IP Zones Inheritance section, every IP Zone contains the 0.0.0.0/0 supernet. To edit the 0.0.0.0/0 IP class properties, click 0.0.0.0/0 from the Subnets tree. After a new IP Zone is added, the IP Zone Configuration window will look like in the image below. [Figure: IP Zone Configuration window showing Subnet Parameters for 0.0.0.0/0] The right section will be populated with properties that apply to all IP addresses included in the selected IP class, if the properties are not subsequently overwritten. The Inheritance column shows from which parent IP class the value was inherited. Every IP class r
15. [Table of contents fragment: ... on an IOS Device; Configuring NDE on a CatOS Device; Configuring NDE on a Native ...; Configuring NDE on a 4000 Series ...; Configuring NDE on a Juniper ...] Traffic Monitoring and Traffic Accounting with WANGuard Lite. Why WANGuard Lite Is Important: Most businesses today rely more and more on network infrastructure. So the computer network's reliability and speed are crucial for these businesses to be successful, and an efficient use of the available resources must be assured and enforced. The significant degradation of the network services can seriously damage the businesses, including loss of customers and subsequent loss of revenue. For the network administrator this means that he has to ensure the network's uptime, reliability and speed, as well as the efficient use of the existing resources. Andrisoft WANGuard Lite is an enterprise-grade, Linux-based software solution that delivers the functionality NOC and IT teams need to effectively monitor their network through a single integrated package. The components have been built from the ground up to be high-performing, reliable and secure. WANGuard Lite is feature-rich, simple to deploy and configure, causing no disruption within the network. What WANGuard Lite Can Do For You: Andrisoft WANGuard Lite is an e
16. parameters collected from active WANGuard Lite components. Administrators can restrict what Device Groups are available to individual users. [Figure: WANGuard Console Default Dashboard for All Components, showing the Active WANGuard Sniff Systems and Active WANGuard Flow Systems tables]
17. the second, eth0.900 for the first interface with VLAN 900, and so on. Graph Color (In / Out): Here you can select the color you will see on sensor graphs as Inbound and Outbound traffic for the current WANGuard Sniff. By default a random color will be chosen. To change the color you can enter the color as an HTML Color Code or you can manually select the color by clicking the drop-down menu. Link Speed (In / Out): The speed of the monitored links for Inbound traffic and for Outbound traffic. This is used to generate reports based on usage percent. IP Zone: The IP Zone field provides a selection of currently defined IP Zones that can be used by WANGuard Sniff. If the field has no options then you must first define an IP Zone. For more information about IP Zones please consult the IP Zones Setup chapter (page 35). IP Validation: For WANGuard Sniff to distinguish between inbound and outbound traffic, it must use at least one of the two techniques available: MAC Validation (next parameter) or IP Validation. The IP Validation parameter has three options. Off: Will disable IP Validation. Make sure MAC Validation is configured instead. On: WANGuard Sniff will only analyze the traffic that has the source and/or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0). Strict: WANGuard Sniff will only analyze the traffic that has either the source or the destinat
18. users with Administrator or Operator roles to create and edit dashboards that contain custom widgets. Administrators can also restrict what Dashboards are available to individual users. [Figure: WANGuard Console Default Dashboard with widgets including All Sensors Top 10 Talkers, All Sensors Bits/s Last Hour, All Sensors Bits/s Last Week, All Sensors Inbound Bits/s and All Sensors Top 5 IP Protocols]
19. [Table, continued: Subnet CIDR Notation, with columns CIDR, Class, Hosts, Mask] Getting Started with WANGuard Lite: Please read the following section in order to get a clear overview of the basic premises required for the proper operation of the software. If you're an administrator and you want to set up WANGuard Lite, skip to the Installation Chapter (page 29). A First Look at the WANGuard Console: You can change the Default Tab by editing User preferences. Because no WANGuard Sensor system was previously configured and enabled, and no data was gathered, most content does not exist yet. To understand the operation of WANGuard Console, please be aware of the structure of the web application. West Panel: The West Panel is located on the left (west) edge of the scre
20. [Figure: IP Graphs sub-tab showing 12.81.134.0/24 bits/s graphs for NetFlow Router LAN] The following options are available. Graphs Size: You can select a predefined graphs size OR you may enter your own graphs size as <xpixels>x<ypixels>. Graphs Consolidation: Select the aggregation procedure for old data: MINIMUM, MAXIMUM or AVERAGE. If some aggregation types are missing, see the IP Traffic Graphs configuration (Page 51). If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type. Sum IPs: Don't check the Sum IPs option if you want a different traffic graph displayed for every
21. [Figure, continued: IP Graphs Configuration window] By default every WANGuard Sensor stores IP graphs data with 5 minutes averages for 7 days, 15 minutes averages for 1 month and 2 hours averages for 1 year. If you do not change the default parameters, every IP for which you enabled graphs will require 603 kbytes of storage on the WANGuard Console's file system. The first accuracy parameter (5 minutes) specifies the granularity of the graphs. You can set the granularity value between 5 seconds and 5 minutes. When using WANGuard Flow, do not set the granularity parameter to a lower value than the Analyzer Interval parameter. When granularity has a low value, WANGuard Sensor uses more CPU, the WANGuard Console system becomes more loaded and the network traffic between WANGuard Sensor and WANGuard Console is increased (if the components are not installed on the same server). The averages and intervals values specify the granularity for old data and for how long you want the data to be stored. The Stored Data options let you select the traffic parameters that will be stored. The Consolidation options let you select how you want the average values to be consolidated. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic
22. [Figure, continued: WANGuard Sniff Configuration window, with fields including Description, Device Group, Link Speed IN, Link Speed OUT, MAC Validation, MAC Address, Traffic Direction, VLAN Tagging, BPF Expression, Frames Buffer and Comments] The WANGuard Sniff Configuration window contains the following fields (red fields are mandatory). Active: WANGuard Sniff is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Sniff system is running, then the WANGuardController daemon stops it. Description: A short generic description that helps you identify the WANGuard Sniff system. Device Group: A short description of the role the monitored device plays within the network, its location, etc. IP Address: A unique IP address configured on the server that runs the selected WANGuard Sniff. This field is used by the WANGuardController daemon for system identification. Interface: This field must contain the network interface that receives the port-mirrored traffic. If the WANGuard Sniff server is deployed in-line then it must contain the network interface that receives the traffic towards your network. The network interface name must use the network interface naming conventions of the Linux operating system: eth0 for the first interface, eth1 for
23. [Figure, continued: WANGuard Flow Configuration window] After a new WANGuard Flow system is added, the WANGuard Sensor panel is updated. If there is a green "OK" sign on the right of the WANGuard Flow's description, then the WANGuard Flow is running. If there is a red "X" sign instead, then the WANGuard Flow is inactive or not running. If you checked the Active switch but the WANGuard Flow is still not running after a few seconds, you can find a description of the error in the WANGuard Flow Events Logs (see Logs & Events chapter, Page 28) or in the Events Tab in South Panel. IP Graphs Setup: To configure IP traffic graphs parameters, expand the WANGuard Console Panel from the Configuration zone in the West Panel. [Figure: IP Graphs Configuration window]
24. [Figure, continued: Default Dashboard widgets, including All Sensors Top 5 IP Protocols and All Sensors Top 5 TCP Ports] Managing Dashboards: You can add new Dashboards by clicking <Actions> in the Default Dashboard and selecting <Add Dashboard>. The Default Dashboard cannot be deleted or edited. However, any other Dashboard can be edited or deleted by clicking the same <Actions> button and then by clicking <Edit Dashboard>. You can then change the Description, add your own Comments and set the number of columns and the percentage each column should have of the Center Panel's width. The sum of all percentages should be 100. Managing Widgets: If you are an Administrator or an Operator you can add, edit or delete Widgets. To sort them, click the title bar and move them around. To collapse a widget, click the first icon on the widget title bar. To edit a widget, click the second icon on the widget title bar. To delete a widget, click the third icon on the widget title bar. To a
25. N is set to 0, then the IP address belongs to your Autonomous System. AS Validation has three options:
    o Off: Will disable AS Validation.
    o On: Only flows that have the source ASN and/or the destination ASN set to 0 are analyzed.
    o Strict: Only flows that have either the source ASN or the destination ASN set to 0 are analyzed.
• Analyzer Interval: RAM usage at the highest accuracy (5 seconds) can be very high. Decreasing the accuracy will decrease RAM usage and won't have any negative effects in most scenarios. A very low accuracy increases the traffic anomaly detection time.
• Protocol: You can use WANGuard Flow with NetFlow version 5, or with sFlow through a sflowtool wrapper.
• Comments: You can use this field to store comments about the current WANGuard Flow configuration.

In the following configuration example, WANGuard Flow monitors traffic passing the WAN and LAN interfaces and uses the IP class information found in the "Routed Subnets" IP Zone.

[Screenshot: WANGuard Flow Configuration. Active: checked; Description: Netflow Router; Device Group: Border Routers; Sensor information: IP Address 192.168.1.100, Listener Port 9900; Flow exporter information: IP Address 192.168.1.1, SNMP Community public; Flow exporter monitored interfaces table with columns Description, SNMP Index, Type, Color IN, Color OUT, Speed IN, Speed OUT.]
26. [Screenshot: Sensor Graphs tab for NetFlow Router WAN and NetFlow Router LAN, with Bits/s, IPs/s and Received Frames graphs; sub-tabs Sensor Graphs, Sensor Tops, Protocols Distribution.]

The following options are available:
• Data Unit: Select the traffic parameter the graphs will represent.
    o All: All of the below, each one in a different graph.
    o Packets: The packets/second throughput recorded by WANGuard Sensor.
    o Bits: The bits/second throughput recorded by WANGuard Sensor.
    o Bytes: The bytes/second throughput recorded by WANGuard Sensor.
    o IPs: The number of unique IP addresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted.
    o Received frames: For WANGuard Sniff, it represents the rate of
27. algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network. WANGuard Lite does not enable WANGuard Sensor's traffic anomaly detection and reaction features.

WANGuard Sensor Features and Benefits

• Any number of instances can be deployed across the network, and all collected data will be centralized and available through a single web interface that you can quickly access from any location.
• The supported traffic monitoring methods are: Port Mirroring (Switched Port Analyzer / SPAN, Roving Analysis Port), Network TAP, In-line Deployment, sFlow, Cisco NetFlow and Huawei NetStream.
• You can access various real-time parameters (top talkers, number of IP addresses, top protocols, protocols distribution, etc.) of the data flowing through router interfaces and switch ports.
• Provides on-demand MRTG-style traffic graphs for any IP address or IP class in your network, for any time frame.
• Traffic graph accuracy can be defined between 5 seconds and 10 minutes.
• WANGuard Sensor is completely scalable and can monitor and generate graphs for hundreds of thousands of IP addresses.
• Includes a very flexible billing system for bandwidth-based billing.
• Easy and non-disruptive installation on common server hardware.
• The most cost-effective traffic monitoring and accounting solution on the market.

WANGuard Console

WANGuard Console provides a tightly integrated and highly g
28. ameter is set to Yes.

In the next image, a new IP class named Customer Service was added. Because this IP class is included in the Internal Network, it is displayed under it. No parameter except the IP Description was modified, so the values are inherited from the parent IP class.

[Screenshot: IP Zone Configuration for the "Routed Subnets" IP Zone. Subnet tree: 0.0.0.0/0 (Unknown), 10.0.0.0/8, 10.1.1.0/24 (Customer Service). Parameters for 10.1.1.0/24: IP Description "Customer Service" (inheritance: none), IP Graphs Yes (inherited from 10.0.0.0/8), IP Accounting No (inherited from 0.0.0.0/0).]

In the image below, you can see that a new IP class called Office Building was added. Because the IP Accounting parameter was modified to Yes, every IP address included in 10.1.2.0/25 will generate accounting data.

[Screenshot: IP Zone Configuration for the "Routed Subnets" IP Zone, Subnet Parameters for 10.1.2.0/25.]
29. asy to use software solution that provides network traffic monitoring and accounting. It allows you to quickly and easily set up and run monitoring server(s) for networks. Using the integrated web interface, with just a few mouse clicks, you or your users can view:

• Historic and real-time network traffic parameters about the data flowing through router interfaces and switch ports: packets/s, bits/s, bytes/s, IPs/s, flows/s, etc.
• Extensive MRTG-style traffic graphs and traffic accounting reports for IP addresses and IP classes in your network, for any time frame, including the 95th percentile for burstable billing.
• Historic and real-time network traffic statistics: top talkers per protocol, number of IPs, top protocols, protocols distribution, ASN distribution, TCP and UDP ports distribution, etc.

The recorded data is stored in an internal SQL database that can be easily queried and referenced. The recorded monitoring statistics can be viewed through a rich, easy-to-use, Ajax-based Web 2.0 interface.

WANGuard Lite Components

WANGuard Lite has two main components:

WANGuard Sensor

WANGuard Sensor is advanced Linux-based software created to do both incoming and outgoing traffic monitoring and accounting. At its core, WANGuard Sensor has a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Complex statistical
30. ata IP classes descriptions.

When configuring a WANGuard Sensor (Page 43), you have to select the IP Zone that will be used. An IP Zone may be used by multiple WANGuard Sensor systems, but a WANGuard Sensor system can use only one IP Zone.

An IP Zone must contain the IP classes that are routed within your Autonomous System, or the IP classes owned by your organization. If you don't populate the IP Zone with your IP classes, then WANGuard Sniff can only validate the traffic it captures by analyzing the MAC address of the upstream or downstream router. If you don't populate the IP Zone with your IP classes, then WANGuard Flow can only validate the traffic it captures by analyzing the ASN or the interface type.

Keep in mind that WANGuard Lite defines IPs and IP classes using the CIDR notation. To enter individual hosts in IP Zones, you must use the /32 CIDR. For more about CIDR notation, you can consult the "Network Basics You Should Be Aware Of" chapter (Page 7).

Inheritance

One very special IP class that is defined by default in every IP Zone is the 0.0.0.0/0 IP class. The 0.0.0.0/0 supernet contains all private and public IP addresses available for IPv4.

To ease the configuration of IP Zones, every new IP class that you define inherits by default the properties of the closest IP class that includes it (the including class with the biggest CIDR). The only IP class that does not inherit any proper
31. [Screenshot: Sensor Tops tab listing the top Autonomous Systems by traffic; sub-tabs Sensor Graphs, Sensor Tops, Protocols Distribution.]

The following options are available:
• Top Type: You can select to see the top 15 hosts (Talkers) that make traffic, the top 15 TCP/UDP ports used, the top 15 IP Protocols, and the top 15 Autonomous Systems (only when WANGuard Flow is used). Clicking IP Addresses and ASNs opens new tabs with more details about the selection.
• Top Protocol: You may further customize the Top Type by selecting only the IP protocols you're interested in.
• Direction: The direction of the traffic, Inbound or Outbound.
• Sum Sensors: If unchecked, each WANGuard
32. blicly available server, you should immediately change the default password for the admin user and eventually add new users. To manage WANGuard Console users, you must select Configuration from the West Panel and then expand the WANGuard Console panel.

Currently there are three available access levels (Roles) for users:
• Administrator: This role has all privileges to view and manage WANGuard Lite components, including adding new users and changing users' passwords (existing users' passwords are always shown encrypted).
• Operator: This role has all privileges to view and manage WANGuard Lite components, but cannot add or modify other users.
• User: This role cannot configure anything, but if access is permitted it can generate various reports.

[Screenshot: WANGuard Console Users list showing the admin user with its Role, Username, Full Name, Home Tab and Last Login Time.]

To modify a user, you can double-click it, or select it and then press Modify User. Administrators and Operators have the following properties:

[Screenshot: Modify Administrator form with User Name, Full Name and Password fields; Additional information (Company, Position, E-mail, Telephone); Settings (Home Tab, Events Verbosity); Comments.]
33. d, and if a predefined time frame was selected, then that will be updated too.

IP Graphs

The IP Graphs sub-tab generates IP traffic graphs for the selected IP class, host or IP Description. The graphs include 95th percentile information, useful for burstable billing.

[Screenshot: WANGuard Console IP Graphs sub-tab for 12.81.134.0/24, with options Data Unit, Time Frame, Graphs Size, Graphs Consolidation, Sum IPs and Sum Sensors, and bits/s graphs per Sensor showing Maximum, Medium and 95th percentile values.]
34. [Screenshot: Protocols Distribution graph (bits/s, inbound) with a per-protocol legend; sub-tabs Sensor Graphs, Sensor Tops, Protocols Distribution.]

You can view protocol distribution graphs for the selected WANGuard Sensors with the following options:
• Graphs Size: You can select a predefined graphs size, or you may enter your own graphs size as <xpixels>x<ypixels>.
• Sum Sensors: If unchecked, each selected WANGuard Sensor generates a different graph. If checked, all selected WANGuard Sensors generate a single graph that contains summed protocols distribution data.

Reports: IP Addresses & IP Descriptions

This chapter describes how to generate advanced IP traffic graphs and IP traffic accounting reports from data collected by WANGuard Sensor systems. Both the IP Addresses Panel and the IP Descriptions Panel generate the same reports, which is why those reports are treated in the same chapter.

If the reports are empty, check whether the selected IP Class / IP Description has the IP Accounting parameter and the IP Graphs parameter set to Yes in the IP Zones.

The IP Addresses Panel allows quick generation of IP traffic reports by entering the IP / CIDR in the upper side of the Panel, or by selecting an IP class or host from
35. dd a new Widget, click <Actions> in the toolbar and then select the Widget Type you like.

Widgets have the following common fields:
• Widget Title: Enter a relevant description of the widget (what it should display).
• Widget Height: Leave the Widget Height set to Auto for the widget to take all the vertical space it needs, or specify the number of pixels for the Widget Height.
• WANGuard Sensors: Select the WANGuard Sensors that are allowed to provide information to the widget.

All other options are self-explanatory or are described in the next Reports chapters.

Reports: Device Groups

The Device Groups Panel offers an intuitive, complete view of all WANGuard Lite components. It includes an All Components tree and a separate item for each Device Group configured for WANGuard Sensors. The All Components tree can be expanded to show all active WANGuard Flow and WANGuard Sniff systems.

By clicking All Components, a new tab opens that contains live tables for all WANGuard Lite components. By clicking a Device Group, a new tab opens that contains live tables for each WANGuard Sensor included in that Device Group. By clicking a WANGuard Sensor included in the All Components tree, a new tab opens that contains Sensor Graphs, Sensor Tops and Protocol Distribution Data.

All Components and Device Group Tabs

These tabs display tables with the latest system
36. ebug

Configuring NDE on a Native IOS Device

To configure NDE, use the same commands as for the IOS device. In enable mode on the Supervisor Engine, issue the following to set up NetFlow export version 5:

    switch(config)# mls nde sender version 5

The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as they decrease RAM usage and increase the performance of WANGuard Flow.

    switch(config)# mls aging long 8
    switch(config)# mls aging normal 4

On the Supervisor Engine 1, issue the following to put full flows into the NetFlow exports:

    switch(config)# mls flow ip full

If you have a Supervisor Engine 2 or 720 running IOS version 12.1(13)E or higher, issue the following commands instead:

    switch(config)# mls flow ip interface-full
    switch(config)# mls nde interface

Configuring NDE on a 4000 Series Switch

Configure the switch the same as an IOS device, but instead of the command ip route-cache flow use the command ip route-cache flow infer-fields. This series requires a Supervisor IV with a NetFlow Services daughter card to support NDE.

Configuring NDE on a Juniper Router

Juniper supports flow exports by having the routing engine sample packet headers and aggregate them into flows. Packet sampling is done by defining a firewall filter to accept and sample all traffic, applying that rule to the interface, and then configuri
37. ecord stores the following information:

Subnet Parameters Panel
• IP Description: This parameter should contain a short description for the selected IP class or IP address.
• IP Accounting: If the IP Accounting parameter is set to Yes, then WANGuard Sensor records traffic accounting data for every IP address included in the selected IP class. Accounting data contains the number of inbound and outbound packets and bits, and averages of packet and bit rates. If the IP Accounting parameter is set to Inherit, then the value is inherited from the parent IP class. If the parameter is set to No, then no accounting data is recorded.
• IP Graphs: If the IP Graphs parameter is set to Yes, then WANGuard Sensor records graphs data for every IP address included in the selected IP class. Graphs data contains accurate information about inbound and outbound packets/second and bits/second rates. If the IP Graphs parameter is set to Inherit, then the value is inherited from the parent IP class. If the parameter is set to No, then no graphs will be generated for the current IP class.

Comments Panel
Here you can provide details and comments about the subnet.

IP Zone Configuration Example

In the following images you will see how IP Zone inheritance works and how you can configure the monitored IP classes.

[Screenshot: IP Zone Configuration for the "Routed Subnets" IP Zone.]
38. ed in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. ANDRISOFT S.R.L. will not be responsible for any loss, costs or damages incurred due to the use of this documentation.

WANGuard Lite is a SOFTWARE PRODUCT of ANDRISOFT S.R.L. ANDRISOFT and WANGuard Lite are trademarks of ANDRISOFT S.R.L. Other company, product or service names may be trademarks or service marks of others.

ANDRISOFT S.R.L.
Str. Lunei L30, Ap. 11, 300109 Timisoara, Timis, Romania
Phone: 40721250246; Fax: 40256209738
Sales: sales@andrisoft.com
Technical Support: support@andrisoft.com
Website: http://www.andrisoft.com

Copyright ANDRISOFT S.R.L. 2008. All rights reserved.

Table of Contents

1 Traffic Monitoring and Traffic Accounting with WANGuard Lite    4
2 Network Basics You Should Be Aware Of    7
    Who Should Read This Section    7
    A Short Introduction To IP Addresses & Classes    7
3 Getting Started with WANGuard Lite    10
    A First Look at the WANGuard Console    10
39. en, and it is used for navigation throughout the WANGuard Console. If you can't see the West Panel, then it may be either collapsed (click the edge to expand it) or hidden by an Administrator.

The West Panel contains 2 regions, Reports and Configuration (hidden if you have the User role), that can be collapsed or expanded by clicking the title bar. In multiple-user environments the regions may contain old data, but you can refresh them by clicking the right button on the title bar. Each of those regions contains panels that can be either collapsed or expanded, their state being kept between sessions. Each of these panels is explained in detail in the following chapters.

Center Panel

WANGuard Console offers various ways to look at historic or live collected data. Each Report you request through the West Panel opens a new tab in the Center Panel. You may switch between tabs or close them all, except for the Home Tab that's defined in your User Profile.

South Panel

The South Panel is collapsed by default and is located at the bottom of the browser window. To expand it, click the bottom edge. If you can't see it, then it's hidden through your User Profile. It provides a quick way to view live data collected from WANGuard Lite components, structured in tabs.

WANGuard Sensor Live Graphs

The WANGuard Sensor Graphs tab provides an animated, dynamic graph that illustrates trends over time of various traffic parameters collected from WANGuard Sensor
40. [Table of Contents, continued]

4 Reports Autonomous Systems    12
6 Reports Device Groups    15
    All Components and Device Group Tabs    15
    Active WANGuard Sniff Systems    16
    Active WANGuard Flow Systems    17
7 Reports IP Addresses & IP Descriptions    24
    IP Accounting    26
8 Reports Logs & Events    28
9 Installation    29
    System Requirements    29
    WANGuard Sensor System Requirements for 1 Gigabit Network Interface    29
    WANGuard Console System Requirements for up to 5 WANGuard Sensors    30
    Software Installation    31
    Opening WANGuard Console for the first time    31
    Managing WANGuard Console Users    32
10 IP Zones Setup    35
    Understanding IP Zones    35
    Changing Description, Duplicating & Deleting IP Zones    36
41. eout active 1
    router(config)# ip flow-cache timeout inactive 30

In enable mode you can see the current NetFlow configuration and state:

    router# show ip flow export
    router# show ip cache flow
    router# show ip cache verbose flow

Configuring NDE on a CatOS Device

In privileged mode on the Supervisor Engine, enable NDE:

    switch> (enable) set mls nde <ip-address> 2000

Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used only as an example.

    switch> (enable) set mls nde version 5

The following command is required to set up the flow mask to full flows:

    switch> (enable) set mls flow full

The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as they decrease RAM usage and increase the performance of WANGuard Flow.

    switch> (enable) set mls agingtime long 8
    switch> (enable) set mls agingtime 4

If you want to account for all traffic within the specified VLANs rather than inter-VLAN traffic, use CatOS 7.2 or higher and issue the following command:

    switch> (enable) set mls bridged-flow-statistics enable

And enable NDE:

    switch> (enable) set mls nde enable

To see the current NetFlow configuration and state, issue the following commands:

    switch> (enable) show mls nde
    switch> (enable) show mls d
42. flow

It is necessary to enable NetFlow on all interfaces through which the traffic you are interested in will flow. Now verify that the router (or switch) is generating flow stats: try the command show ip cache flow. Note that for routers with distributed switching (GSRs, 75XXs) the RP CLI will only show flows that made it up to the RP. To see flows on the individual linecards, use the attach or if-con command and issue sh ip ca fl on each LC.

Enable the export of these flows with the global commands:

    router(config)# ip flow-export version 5
    router(config)# ip flow-export destination <ip-address> 2000
    router(config)# ip flow-export source FastEthernet0

Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used as an example. WANGuard Flow uses NetFlow version 5. The ip flow-export source command is used to set the source IP address of the exports sent by the equipment.

If your router uses the BGP protocol, you can configure the AS to be included in exports with the command:

    router(config)# ip flow-export version 5 [peer-as | origin-as]

The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Please use only these values, as they decrease RAM usage and increase the performance of WANGuard Flow.

    router(config)# ip flow-cache tim
43. flows and the destination port as configured on the flow exporter.
• Flow Exporter IP Address, SNMP Community: The IP address of the flow exporter, usually the Loopback0 interface IP on the network device. Each server running WANGuard Flow must have its system time synchronized with the flow exporter. The read-only SNMP community of the network device allows WANGuard Console to connect to the flow exporter and request SNMP indexes and other useful information for adding new interfaces.
• Flow Exporter Monitored Interfaces: Here you must define the network interfaces that will be monitored. Each interface must contain the following information:
    o Description: A short generic description used for interface identification.
    o SNMP Index: The SNMP index of the interface. When adding a new interface, if you entered the SNMP community, simply click the interface to automatically add the required parameters.
    o Type: Specifies the type of the interface.
        ▪ Ingress: Traffic entering an Ingress interface also enters your network. Traffic that leaves an Ingress interface leaves your network. Upstream provider interfaces are always Ingress.
        ▪ Egress: Traffic entering an Egress interface leaves your network. Traffic that leaves an Egress interface enters your network. On border routers, interfaces towards your network are always Egress.
        ▪ Null: Traffic entering the Null interface is d
44. he importance of the event. Severity level descriptions are listed in the Managing Users chapter (Page 32).
• Event: The text of the event.
• Date: The date and time when the notification was generated.

Installation

WANGuard Lite can be installed on common server hardware, provided that the system requirements listed later in this chapter are met. If you have some basic Linux operation skills, then no training is required for the software installation. Feel free to contact our support team about any issues.

Installing WANGuard Lite does not generate any negative side effects on your network's performance. Installation and configuration may take less than an hour; after that, your network will be monitored immediately. No baseline data gathering is required.

System Requirements

WANGuard Lite 4.0 has been tested with the following Linux distributions:
• Red Hat Enterprise Linux 5.0 (commercial Linux distribution)
• CentOS 5.x (free, Red Hat Enterprise Linux based distribution)
• OpenSuSE 10.3, 11.x (free, Novell Enterprise Linux based distribution)
• Debian Linux 5.0 (free, community-supported distribution)

Other distributions should work but haven't been tested yet.

The WANGuard Lite architecture is completely scalable. By installing the software on better hardware, the number of monitored endpoints and networks increases. All WANGuard Lite components can be installed
45. ice, common servers and common clients for well-known TCP and UDP port numbers.

Subnet Calculator

The Subnet Calculator lets you see and calculate network masks, CIDR, broadcast addresses, number of hosts and IP ranges for subnets.

About

The About window provides information about the WANGuard version and license. The license key can be viewed and updated from this window.

Appendix 1: Configuring NetFlow Data Export

This appendix is a brief guide to setting up NetFlow data export (NDE) on Cisco and Juniper routers or intelligent Cisco Layer 2 / Layer 3 / Layer 4 switches. If you have problems with the configuration, contact your network administrator or Cisco consultant. For devices that run hybrid mode on a Supervisor Engine (Catalyst 65xx series), it is recommended to configure IOS NDE on the MSFC card and CatOS NDE on the Supervisor Engine. For more information about setting up NetFlow, please visit http://www.cisco.com/go/netflow.

Configuring NDE on an IOS Device

In configuration mode on the router or MSFC, issue the following to start NetFlow Export. First enable Cisco Express Forwarding:

    router(config)# ip cef
    router(config)# ip cef distributed

And turn on flow accounting for each input interface with the interface command:

    interface
    ip route-cache flow

For example:

    interface FastEthernet0
    ip route-cache flow
    interface Serial2/1
    ip route-cache
46. [Screenshot, continued: Subnet Parameters for 10.1.2.0/25. IP Description "Office Building" (inheritance: none), IP Graphs Yes (inherited from 10.0.0.0/8), IP Accounting Yes (inheritance: none). Subnet tree: 0.0.0.0/0, 10.0.0.0/8 (Internal Network), 10.1.1.0/24 (Customer Service), 10.1.2.0/25 (Office Building).]

In the image below, you can see that the 192.168.0.0/16 IP class was added and placed automatically within the 0.0.0.0/0 IP class. WANGuard Sensor will not generate traffic graphs and accounting data for the IPs that belong to this IP class.

[Screenshot: IP Zone Configuration for the "Routed Subnets" IP Zone. Parameters for 0.0.0.0/0: IP Description "Unknown", IP Graphs No, IP Accounting No (inheritance: none). Subnet tree: 0.0.0.0/0, 10.0.0.0/8 (Internal Network), 10.1.1.0/24 (Customer Service), 10.1.2.0/25 (Office Building), 192.168.0.0/16 (Network Equip).]

How To Choose A Method Of Traffic Capturing

This section explains the available methods you can use for traffic capturing. Reading this chapter is strongly recommended, as it will help you understand how to deploy WANGuard Sensor in your network.

Supported Traffic Capturing Methods

WANGuard Sensor
47. The Full Name, Company, Position, E-mail, Telephone and Comments fields are optional.

The Home Tab lets you decide which tab from the Reports Panel should be opened immediately after logging in. After Sensors are configured, choosing the Default Dashboard is a good option.

The Events Verbosity field lets you select the minimum severity level of the events that will be displayed in the South Panel and the Logs & Events Panel:
• MELTDOWN: Meltdown events are generated when a very serious error is detected in the system, such as a hardware error.
• CRITICAL: Critical events are generated when a significant software error is detected, such as memory exhaustion.
• ERROR: Error events are caused by misconfiguration or communication errors between WANGuard Lite components.
• WARNING: Warning events are generated when authentication errors occur, when there are errors updating graph data files, or when there are synchronization issues.
• INFO: Informational events are generated when configurations are changed and when users log into WANGuard Console.
• DEBUG: Debug events are used only for troubleshooting purposes.

Administrators can restrict Users' access to the following reports and panels: South Panel, West Panel, Traffic Alarms (only for WANGuard Platform), Autonomous Systems, Logs & Events, IP Addresses, Dashboards, Device Groups and IP Desc
48. ion IP addresses in the selected IP Zone (excluding 0.0.0.0/0).
• MAC Validation, MAC Address: For WANGuard Sniff to distinguish between inbound and outbound traffic, it must use at least one of the two techniques available: MAC Validation or IP Validation (previous parameter). The MAC Address should contain the MAC address of the upstream router with the MAC Validation field set to Upstream, or the MAC address of the downstream router with the MAC Validation field set to Downstream. The MAC Address must be written using the Linux convention: six groups of two hexadecimal values, separated by colons.
• Traffic Direction: You can configure the direction of the traffic that should be analyzed by WANGuard Sniff.
    o Inbound & Outbound: WANGuard Sniff will monitor both inbound and outbound traffic. Using this option generates a minor performance penalty under very high loads.
    o Inbound: WANGuard Sniff will only monitor inbound traffic.
• VLAN Tagging: If the traffic is tagged with a VLAN header and you check VLAN Tagging, then the VLAN header of each packet will be ignored. If you want to split the traffic by VLANs, then you must create a virtual network interface for each VLAN using the vconfig command, and then add a WANGuard Sniff for each new virtual interface.
• Comments: You can use this field to store comments about the current WANGuard Sniff configuration.

An example of a working WANGuard Sniff configuration is displayed bel
49. [Screenshot: license key upload window listing the installation checks (JSON, PHP MagicQuotes, RRDtool 1.3, RRDs, DBI installed, WANGuardController running) and the License Key File field. Copyright 2006-2010 Andrisoft.]

You must then upload the wanguard.key file we sent you by email by clicking the key icon. The license key contains encrypted information about the licensed capabilities of the software. You can upgrade to the Full version (incl. traffic anomalies detection & protection) or downgrade to the Lite version (without traffic anomalies detection & protection) solely by changing the license key.

Log into WANGuard Console using the default username / password combination of admin / wanguard.

[Screenshot: WANGuard Console login page with Username, Password and Language fields]

After you have logged into WANGuard Console, you can view and change license information by pressing the <About> button in the upper right part of the window.

The next steps in quickly configuring WANGuard Lite are: modify the Administrator's password (next paragraph), define your subnets in a new IP Zone (next chapter), and then configure WANGuard Sensors.

Managing WANGuard Console Users

If you install WANGuard Console on a pu
50. iscarded by the router and by the WANGuard Flow.
  - Graph Color In, Graph Color Out: Here you can select the color you will see on sensor graphs as Inbound and Outbound traffic for the current WANGuard Flow. By default, a random color will be chosen. To change the color, you can enter the color as an HTML Color Code or you can manually select the color.
  - Link Speed In, Link Speed Out: The speed of the monitored interface for Inbound traffic and for Outbound traffic. This is used to generate reports based on usage percent.
- IP Zone: The IP Zone field provides a selection of currently defined IP Zones that can be used by WANGuard Flow. If the field has no options, then you must first define an IP Zone. For more information about IP Zones, please consult the IP Zones Setup chapter (page 35).
- Sampling (1/n): This parameter must contain the same packet sampling rate configured on the router. If no packet sampling is used, then sampling is 1/1 (default).
- IP Validation:
  - Off: Will disable IP Validation.
  - On: WANGuard Flow will only analyze the traffic that has the source and/or the destination IP addresses in the selected IP Zone, excluding 0.0.0.0/0.
  - Strict: WANGuard Flow will only analyze the traffic that has either the source or the destination IP addresses in the selected IP Zone, excluding 0.0.0.0/0.
- AS Validation: Flows might contain the source and destination ASN (Autonomous System Number). In most configurations if the AS
51. lter what WANGuard Sensors are available to individual users.
- Time Frame: Select predefined time frames or enter your own by selecting Custom.
- Export: You can print the generated WANGuard Sensors reports or you can save them as PDF through plug-ins.
- Refresh: By default, the resulting report is refreshed only when you press the <On Demand> button. If you select a refresh interval, then the report will be constantly refreshed, and if a predefined time frame was selected, then that will be updated too.

Sensor Graphs

The Sensor Graphs sub-tab generates various traffic parameters graphs for the selected WANGuard Sensors.

[Screenshot: Sensor Graphs sub-tab in WANGuard Console 4.0, showing the Time Frame, Graphs Size, Graphs Consolidation and Sum Sensors options and a Packets/s graph for the selected WANGuard Sensors]
52. me: Select predefined time frames or enter your own by selecting Custom.
- Export: You can print the generated ASN graphs or you can save them as PDF through plug-ins.
- Refresh: By default, the resulting report is refreshed only when you press the <On Demand> button. If you select a refresh interval, then the report will be constantly refreshed, and if a predefined time frame was selected, then that will be updated too.
- Autonomous Systems Number(s): Here you can enter the ASNs you're interested in, separated by space. If you don't know which ASN a particular ISP has, then you can click on the upper right side of the window: Help > AS Information > AS Numbers List. You can then apply different filters by clicking the table header's down icon.
- Graphs Size: You can select a predefined graphs size OR you may enter your own graphs size as <xpixels>x<ypixels>.
- Sum Sensors: If unchecked, each WANGuard Sensor generates a different ASN graph. If checked, all selected WANGuard Sensors generate a single ASN graph that contains summed traffic data.
- Sum ASNs: If you entered multiple Autonomous Systems Numbers, then you can sum all of them in a single ASN graph. This is extremely useful with ISPs and ASN owners that have more than 1 allocated ASN.

Reports: Dashboards

Dashboards are the best way to organize data so that it can suit your particular needs. WANGuard Console allows
53. ng the sampling forwarding option:

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    filter {
                        input all;
                        output all;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
    }
    firewall {
        filter all {
            term all {
                then {
                    sample;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 100;
                }
            }
            output {
                cflowd 192.168.1.100 {
                    port 2000;
                    version 5;
                }
            }
        }
    }
54. niff and WANGuard Flow.

Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line Deployment

In order to do traffic monitoring and accounting, WANGuard Sniff inspects all network data packets passing the host server's network card, including the network data packets sent by a monitoring port of a switch or router.

How Port Mirroring, Network TAP, In-line Deployment works

It is very important to understand that WANGuard Sniff can only inspect data packets that actually flow through the network interface(s) of the host server. In switched networks, only the traffic for a specific device is sent to the device's network card. If the server running WANGuard Sniff is not deployed in-line, it can't capture the traffic of other network components.

For WANGuard Sniff to analyze the traffic of other hosts in your network, you must use a network TAP, or a switch or router that offers a monitoring port or port mirroring configuration (Switched Port Analyzer - SPAN for Cisco devices, Roving Analysis Port for 3Com devices). In this case, the network device sends a copy of data packets traveling through a port or VLAN to the monitoring port. After you configure the network device, install WANGuard Sensor on a Linux server and connect it to the monitoring port. WANGuard Sniff will be able to analyze the whole traffic that passes through the selected
55. on a single server if enough resources are provided (RAM, CPU, Disk Space, Network Cards). You can also install the components on multiple servers distributed across your network.

WANGuard Sensor System Requirements for 1 Gigabit Network Interface

- Architecture: WANGuard Sniff 4.0: x86 (32 or 64 bit). WANGuard Flow 4.0: x86 (32 or 64 bit).
- CPU: WANGuard Sniff 4.0: 1 x Pentium IV 2.0 GHz. WANGuard Flow 4.0: 1 x Pentium IV 1.6 GHz.
- Memory: WANGuard Sniff 4.0: 500 MBytes. WANGuard Flow 4.0: 2 GBytes.
- Network Cards: WANGuard Sniff 4.0: 1 x Gigabit Ethernet (with NAPI support). WANGuard Flow 4.0: 1 x Fast Ethernet.
- Operating System: WANGuard Sniff 4.0: Linux 2.6.x kernel. WANGuard Flow 4.0: Linux 2.6.x kernel.
- Installed Packages: tcpdump 4, WANGuard Sensor 4.0, WANGuard Controller 4.0.
- Disk Space: WANGuard Sniff 4.0: 5 GB (including OS). WANGuard Flow 4.0: 5 GB (including OS).

When using WANGuard Flow, network devices must be configured to send NetFlow v.5 or sFlow data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1 - Configuring NetFlow Data Export (page 53).

When using WANGuard Sniff, you must know that by default only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring in switched networks, the use of switches or routers with so-called monitoring port is manda
56. onfiguratio 36
Subnet Parameters Panel 37
Comments 37
IP Zone Configuration Example 38
11. How To Choose A Method Of Traffic Capturing 40
Supported Traffic Capturing Methods 40
Port Mirroring (Switched Port Analyzer - SPAN, Roving Analysis Port), Network TAP, In-line Deployment 40
How Port Mirroring, Network TAP, In-line Deployment works 40
Reasons to choose Port Mirroring, Network TAP, In-line Deployment 41
NetFlow & sFlow Monitoring 41
How NetFlow Monitoring Works 41
Reasons to choose NetFlow or sFlow Monitoring 41
Comparison between Packet Sniffing and NetFlow, sFlow Monitoring 42
12. WANGuard Sensor Setup 43
WANGuard Sniff Configuration 43
WANGuard Flow Configuration 46
13. IP Graphs Setup 51
14. Help Menu & About 52
Help Menu 52
User Manual 52
AS Information 52
IP Information 52
15. Appendix 1 - Configuring NetFlow Data Export 53
Configuring NDE
57. or WANGuard Sniff it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow it represents the rate of discarded flows caused by validation or filtering.
- Refresh Interval: Select the interval between consecutive refreshes of the graph. The graph will update itself flicker-free, but it's best to keep the refresh interval big for low-bandwidth monitoring stations.

Latest Events

The Latest Events tab provides a list with the latest records from Logs & Events. The records are explained in the Logs & Events chapter (page 28).

WANGuard Lite Components

Each table belonging to WANGuard Components is explained in detail in the Reports: Device Groups chapter (page 15).

Reports: Autonomous Systems

The Autonomous Systems Panel contains the following item:

Autonomous Systems

If you are using the flow-based WANGuard Sensor (WANGuard Flow), then you will be able to generate very accurate Autonomous Systems graphs for every detected Autonomous System Number. To use this option, your flow exporter must be configured to include AS information in the exported flows.

The Autonomous Systems tab parameters are:

- WANGuard Sensors: Select the WANGuard Flow systems that captured the traffic you're interested in. Multiple selections can be made. Administrators can filter what WANGuard Sensors are available to individual users.
- Time Fra
58. ow. This WANGuard Sniff system analyzes all VLAN 900 traffic it receives on the first network interface and uses IP class information found in the "Routed Subnets" IP Zone for validation.

[Screenshot: WANGuard Sniff Configuration window with the following values]
- Active: checked
- Description: LAN Switch VLAN 900
- Device Group: Core Network
- Sensor information: IP Address 192.168.1.100, Interface eth0.900, Graph Color IN, Graph Color OUT, Link Speed IN 1 Gbps, Link Speed OUT 1 Gbps
- Validation and filtering: IP Zone Routed Subnets, IP Validation On, MAC Validation None, MAC Address (empty), Traffic Direction Inbound & Outbound, VLAN Tagging
- Advanced options: BPF Expression (empty), Frames Buffer 10000
- Comments: configuration example

After a new WANGuard Sniff system is added, the WANGuard Sensor panel is updated. If there is a green "OK" sign on the right of the WANGuard Sniff's description, then the WANGuard Sniff is running. If there is a red "X" sign instead, then the WANGuard Sniff is inactive or not running. If you checked the Active switch but the WANGuard Sniff is still not running after a few seconds, you can find a description of the error in the WANGuard Sniff Events Logs (see the Logs & Events chapter, page 28) or in the Events Tab in the South Panel.

WANGuard Flow Configuration

When using WANGuard Flow, network devices must be configured to send sFlow o
59. port or VLAN, with or without VLAN tag stripping.

If you don't have network devices that can do port mirroring, you can deploy a Linux server on the main data path, and WANGuard Sniff will be able to analyze the traffic flows that are routed through the server. Note that the server will become a single point of failure if you don't configure VRRP.

Reasons to choose Port Mirroring, Network TAP, In-line Deployment

Packet sniffing comes into consideration if you can provide the higher CPU power needed by WANGuard Sniff. Packet sniffing provides extremely fast and accurate traffic accounting and analysis results.

NetFlow & sFlow Monitoring

NetFlow or sFlow Monitoring is the domain of networks that usually use layer 3 switch or router flows. These can be configured to send data streams with the network's usage data to a Linux server running WANGuard Flow.

How NetFlow & sFlow Monitoring Works

One option to measure bandwidth usage by IP Address is to use the NetFlow / sFlow protocol, which is especially suited for high-traffic remote routers. Many routers and Layer 3 switches from Cisco support this protocol, as well as vendors like Huawei (NetStream), Juniper, Extreme Networks, 3COM, HP and others. Network devices with NetFlow & sFlow support track the bandwidth usage of the network internally and can be configured to send pre-aggregated data to a Linux server running WANGuard Flow for traffic analysis and accounting purpo
60. r NetFlow v.5 data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1 - Configuring NetFlow Data Export (page 53).

[Screenshot: WANGuard Flow Configuration window, with the fields Active, Description and Device Group and the sections Sensor information, Flow exporter information (IP Address, Listener Port, SNMP Community: public), Flow exporter monitored interfaces (Description, SNMP Index, Type, Color IN, Color OUT, Speed IN, Speed OUT), Validation and filtering (IP Zone, IP Validation, Sampling 1/n, AS Validation: Off), Advanced options (Analyzer Interval: 15 seconds, Protocol: NetFlow Version 5) and Comments]

The WANGuard Flow Configuration window contains the following fields (red fields are mandatory):

- Active: WANGuard Flow is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Flow system is running, then the WANGuardController daemon stops it.
- Description: A short generic description that helps you identify the WANGuard Flow system.
- Device Group: A short description of the role the monitored device plays within the network, its location, etc.
- Sensor IP Address, Listener Port: The IP address of the network interface that receives the
61. raphical, interactive, Ajax-based Web 2.0 interface for all aspects of network traffic monitoring and accounting. Included in the WANGuard Console is the advanced graphing engine that provides quick and easy ad-hoc graphing functionality. WANGuard Console offers single-point management and reporting by consolidating the data from all WANGuard Sensor systems deployed within the network.

WANGuard Console Features and Benefits

- Consolidated, real-time WANGuard Sensor management and monitoring using an intuitive, easy to use, rich Ajax-based Web 2.0 web interface.
- IP Zones support for segmenting your network by departments, clients, server clusters, etc.
- Intuitive and customizable Dashboards with widgets defined by you.
- Easy to use navigation allows you to drill into the live monitoring results.
- Graphs are always generated on the fly for live reporting. Live traffic graphs are animated.
- Integrated contextual help system.
- Integrated web-based tools that provide:
  - AS (Autonomous System) information
  - IP information: reverse DNS, domain, URL, IP range, AS, ISP, Country, ping, traceroute, whois
  - IP Protocols information
  - TCP and UDP ports information
  - Subnet calculator
- The recorded data is stored in an internal SQL database that can be easily queried and referenced.
- Authenticated access (username / password necessary) for an unlimited number of users with fine-grained security p
62. rate of received packets before validation and filtering.
- Dropped Pkts/s: It represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation.

Active WANGuard Flow Systems

The Active WANGuard Flow Systems table displays the latest system information collected from active WANGuard Flow systems that are included in the selected Device Group. If there are no WANGuard Flow systems configured, then this table is not displayed. The table has the following format:

- Status: If the active WANGuard Flow system is functioning properly, then a green checked arrow is displayed. If WANGuard Console cannot manage or reach the WANGuard Flow system, then a red "X" icon is displayed. In this case, make sure that WANGuard Flow is configured correctly, read the Events Logs and make sure that the WANGuardController daemon is running on all systems.
- Description: Displays the description of the WANGuard Flow system. When clicked, a new WANGuard Sensor Tab is opened (see next paragraph).
- Load: The load of the operating system for the last 5 minutes.
- CPU%: The CPU percent used by the WANGuard Flow process.
- Mem: The amount of RAM memory used by the WANGuard Flow process.
- S
63. received packets before validation or filtering occurs. For WANGuard Flow it represents the rate of received flows before validation or filtering occurs.
  - Dropped frames: For WANGuard Sniff it represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow it represents the rate of flows dropped in the flow receiving process. When the number is high, it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.
  - Unknown frames: For WANGuard Sniff it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow it represents the rate of discarded flows caused by validation or filtering.
- Graphs Size: You can select a predefined graphs size OR you may enter your own graphs size as <xpixels>x<ypixels>.
- Graphs Consolidation: Select the graphs consolidation procedure for the graph: MINIMUM, MAXIMUM or AVERAGE. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic values, select the MINIMUM aggregation type.
- Sum Sensors: If unchecked, each selected WANGuard Sensor generates a different graph. If checked
64. riptions. Dashboards, Device Groups and IP Descriptions can be filtered, so you can give your customers access only to traffic reports and dashboards that contain fine-grained, relevant data.

[Screenshot: Add User window, with the fields Full Name, User Name, Password; Additional information (Company, Position, E-mail, Telephone); Settings (Home Tab: Welcome, Events Verbosity: WARNING); Permissions (South Panel, West Panel); West Panel Permissions (Traffic Alarms, Autonomous Systems, Logs & Events, IP Addresses, Dashboards, Device Groups, IP Descriptions); Comments]

IP Zones Setup

This chapter describes how to create and manage IP Zones. To add a new IP Zone, select Configuration from the West Panel and then expand the IP Zones Panel.

Understanding IP Zones

IP Zones are hierarchical, tree-like structures that contain user-provided information about any combination of the following network elements and segments:

- a network server, client or router
- a network link, subnet, or an entire network
- an individual Internet user or company
- an Internet Service Provider (ISP)

Each WANGuard Sensor extracts from its current IP Zone the following information:

- the IP classes that will be monitored
- the IP classes that will generate traffic graphs and accounting d
65. rofiles.

Network Basics You Should Be Aware Of

Who Should Read This Section

If you are new to network administration and network monitoring, read about the technical basics in this section. It will help you understand how WANGuard Lite works. If you are already used to IP addresses and IP classes, you can skip this section.

A Short Introduction To IP Addresses & Classes

IP Addresses

In order for systems to locate each other in a distributed environment, nodes are given explicit addresses that uniquely identify the particular network the system is on and uniquely identify the system to that particular network. When these two identifiers are combined, the result is a globally unique address. This address, known as "IP address", as "IP number", or merely as "IP", is a code made up of numbers separated by three dots that identifies a particular computer on the Internet. These addresses are actually 32-bit binary numbers, consisting of the two sub-addresses (identifiers) mentioned above which, respectively, identify the network and the host to the network, with an imaginary boundary separating the two. An IP address is, as such, generally shown as 4 octets of numbers from 0-255 represented in decimal form instead of binary form.

For example, the address 168.212.226.204 represents the 32-bit binary number 10101000.11010100.11100010.11001100.

The binary number is important because
66. ses.

Reasons to choose NetFlow & sFlow Monitoring

Because the NetFlow and sFlow protocols already perform a pre-aggregation of traffic data, the flow data sent to the monitoring server running WANGuard Flow is much smaller than the monitored traffic. This makes NetFlow or sFlow the ideal option for monitoring remote, high-traffic networks.

The downside of NetFlow and sFlow monitoring is that computing the pre-aggregation of traffic data requires large amounts of RAM, it has significant delays, and the accuracy of traffic parameters is lower than when directly inspecting network packets, especially when packet sampling is used.

Comparison between Packet Sniffing and NetFlow, sFlow Monitoring

The table below provides a quick comparison between the three available traffic capturing technologies. The system requirements for each method are different. The requirements are listed in the next chapter.

WANGuard Sensor: WANGuard Sniff | WANGuard Flow
- Traffic Capturing Technology: Port Mirroring, Network TAP, In-line Deployment | sFlow, NetFlow or NetStream v.5 enabled network devices
- 10 GigE, > 150 000 endpoints | 10 GigE, < 100 000 endpoints
- Traffic Parameters Accuracy: Highest (5 seconds averages) | High
- Traffic Validation Options: IP classes, MAC addresses, VLANs | IP classes, interfaces, AS Number
67. systems. The right side of the tab contains three selection lists that configure the graph:

- WANGuard Sensors: Select only the WANGuard Sensor systems that you're interested in.
- Data Unit: Select the traffic parameter the graph will represent:
  - Bits: The bits/second throughput recorded by WANGuard Sensors.
  - Bytes: The bytes/second throughput recorded by WANGuard Sensors.
  - Packets: The packets/second throughput recorded by WANGuard Sensors.
  - IPs: The number of unique IP addresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted.
  - Received frames: For WANGuard Sniff it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow it represents the rate of received flows before validation or filtering occurs.
  - Dropped frames: For WANGuard Sniff it represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow it represents the rate of flows dropped in the flow receiving process. When the number is high, it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.
  - Unknown frames: F
68. tarted: The time and date when the WANGuard Flow process started.
- Interface Description: The interface description and a colored box with the configured Graph Color IN.
- IPs: The number of unique IP addresses detected making traffic through the interface. Only your network's IP addresses are counted.
- Pkts/s (In / Out): The packets/second throughput after validation and filtering. Only the traffic passing the interface is analyzed.
- Bits/s (In / Out): The bits/second throughput after validation and filtering. Only the traffic passing the interface is analyzed.
- Flows/s: The rate of flows that contain traffic passing the interface.
- Flows Delay: Because traffic data must be aggregated first, flow devices export flows with a configured delay. Some devices export flows much later than the configured delays, and this field contains the maximum flows delay detected by WANGuard Flow. WANGuard Flow cannot run with delays over 5 minutes. To minimize RAM usage and keep the WANGuard Flow process performing well, the flows must be exported as soon as possible.

WANGuard Sensor Tabs

When you click a WANGuard Sensor, a new tab opens that includes 3 additional sub-tabs, located on the bottom of the window: Sensor Graphs, Sensor Tops and Protocol Distribution. All these sub-tabs use the following common toolbar fields:

- WANGuard Sensors: Select the WANGuard Sensors you're interested in. Multiple selections can be made. Administrators can fi
69. that will determine which class of network the IP address belongs to. The Class of the address determines which part belongs to the network address and which part belongs to the node address (see IP address Classes further on).

The location of the boundary between the network and host portions of an IP address is determined through the use of a subnet mask. This is another 32-bit binary number which acts like a filter when it is applied to the 32-bit IP address. By comparing a subnet mask with an IP address, systems can determine which portion of the IP address relates to the network and which portion relates to the host. Anywhere the subnet mask has a bit set to "1", the underlying bit in the IP address is part of the network address. Anywhere the subnet mask is set to "0", the related bit in the IP address is part of the host address.

The size of a network is a function of the number of bits used to identify the host portion of the address. If a subnet mask shows that 8 bits are used for the host portion of the address block, a maximum of 256 host addresses are available for that specific network. If a subnet mask shows that 16 bits are used for the host portion of the address block, a maximum of 65,536 possible host addresses are available for use on that network.

An Internet Service Provider (ISP) will generally assign either a static IP address (always the same) or a dynamic address (changes
70. the Subnets tree.

The IP Descriptions Panel lists all IP Descriptions extracted from existing IP Zones. You can filter displayed IP Descriptions by entering a string that exists in the IP Description you're interested in. IP Descriptions are a great way to generate IP traffic reports for clients that have multiple allocated IP classes. You just have to define those IP classes with the same IP Description.

Administrators can filter what IP Addresses and IP Descriptions are available to individual Users.

By clicking a subnet or IP Description, a new tab will open that includes 2 additional sub-tabs, located on the bottom of the window: IP Graphs and IP Accounting. Both sub-tabs use the following common toolbar fields:

- WANGuard Sensors: Select the WANGuard Sensor systems that captured the traffic you're interested in. Multiple selections can be made, and by default all WANGuard Sensors are selected. Administrators can filter what WANGuard Sensors are available to individual users.
- Data Unit: IP Graphs and IP Accounting reports can be generated for Bits/second, Bytes/second and Packets/second.
- Time Frame: Select predefined time frames or enter your own by selecting Custom.
- Export: You can print the generated IP reports or you can save them as PDF through plug-ins.
- Refresh: By default, the resulting report is refreshed only when you press the <On Demand> button. If you select a refresh interval, then the report will be constantly refreshe
71. ties is the 0.0.0.0/0 IP class, because there is no other IP class that includes it.

WANGuard Sensor must learn from the selected IP Zone the properties of the IP addresses it analyzes. This is why, if WANGuard Sensor cannot include a detected IP address in the IP classes you defined, it applies the properties of the 0.0.0.0/0 IP class. So for unknown IP addresses the 0.0.0.0/0 properties are applied, and it is not recommended to set IP Graphs and IP Accounting to "On" for it.

In the last section of this chapter you can see an example of how inheritance works.

Changing Description, Duplicating & Deleting IP Zones

To change the description of an IP Zone, you must first open the IP Zone Configuration Window, provide a new description and then press <Change Description>.

To copy the selected IP Zone, you must click the <Duplicate IP Zone> button. A new IP Zone will be created that will have the same information and the same description with the word "copy" attached. In some cases, when you have multiple WANGuard Sensor systems, you may have to create multiple IP Zones that share the same IP classes. Instead of recreating the same IP classes for each new IP Zone, you can duplicate an existing IP Zone and modify only a few parameters.

To delete an IP Zone, you must first open the IP Zone Configuration Window, press the <Delete IP Zone> button and then confirm the deletion.

IP Zone Configuration

The IP Zone Configuration window
72. tory. For configuring Cisco switches, please consult Catalyst Switched Port Analyzer (SPAN) Configuration Example on http://www.cisco.com/warp/public/473/41.html. To configure TAPs or other devices that support port mirroring, please consult the producer's documentation.

WANGuard Console System Requirements for up to 5 WANGuard Sensors

- Architecture: x86 (32 or 64 bit)
- CPU: 1 x Pentium IV 2.4 GHz
- Memory: 500 MBytes
- Network Cards: 1 x Fast Ethernet or Gigabit Ethernet
- Operating System: Linux kernel 2.6.x
- Installed Packages: apache 2.x, php 5.2, mysql 5.x, rrdtool 1.3, perl 5.x, perl-rrdtool, perl-MailTools, perl-DBD-MySQL, ping, whois, traceroute, telnet, WANGuard Console 4.0, WANGuard Controller 4.0
- Disk Space: 4 GB (including OS), plus additional storage when storing IP graphs data

To access the web interface provided by WANGuard Console, one of the following web browsers is required (others should also work but have not been tested): Firefox 3.5 or later, Apple Safari 3.0 or later, Konqueror 4.0 or later, Google Chrome 4.0 or later. Internet Explorer 7.0 has a slow JavaScript engine and a non-standard behavior, so it's not recommended.

The web browser must have JavaScript and cookies support activated. Java support and Flash are not required. To access the Contextual Help, please install Adobe PDF Reader.

For the best WANGuard Console experience we highly recommend the Firefox 3.6 browser and a 1280x1024
73. values, select the MINIMUM aggregation type. All the above options have a direct impact on the storage space required on the WANGuard Console file system. The storage space required per IP value will be updated when you click the <Update> button. If you change the graphs parameters, make sure you delete old rrd files from the defined Data Path.

Help Menu & About

Help Menu

The Help menu is located on the upper right side of the WANGuard Console window.

User Manual: The User Manual provides contextual access to the WANGuard Lite User Guide. Depending on the context, the User Guide will open at the chapter describing the last opened window or tab. If the Contextual Help does not work, please install Adobe PDF Reader on your computer.

AS Information: The AS Information windows provide access to an on-line ASN database (RIPE, ARIN, APNIC) and to a local ASN database.

IP Information: The IP Information window provides details about IP addresses and domains, as well as web-based access to the ping, whois, traceroute and telnet commands. IP information is contained in an internal database that contains IP ranges, country codes and Autonomous System information.

The IP Protocols List window provides access to a table that contains descriptions for all available IPv4 protocols. The TCP & UDP Ports List window provides access to a table that contains name description serv
74. was designed to monitor the largest enterprises with hundreds of thousands of endpoints to the smallest branch office with tens of endpoints. The supported traffic capturing methods work with most switches, routers, firewalls and other network devices. The methods are:

- Port Mirroring, Switched Port Analyzer (SPAN), Roving Analysis Port, Network TAP: The analysis of network packets sent by a monitoring port of a switch, router or network TAP. The WANGuard Sensor that handles network packets is called WANGuard Sniff.
- NetFlow & sFlow Monitoring: The analysis of pre-aggregated data flows sent by NetFlow, sFlow or NetStream enabled routers and Layer 3 switches. The WANGuard Sensor that handles NetFlow, sFlow and NetStream data is called WANGuard Flow.
- In-line Deployment: The analysis of incoming and outgoing network packets that pass through a network card of an in-line deployed Linux server. From a software perspective this method is virtually identical to the Port Mirroring method, so WANGuard Sniff is used in this scenario too.

Depending on your network topology and configuration, your needs and your hardware, you must choose between the three methods of traffic capturing. For high availability scenarios you could use more than one method of traffic capturing in parallel. Please read on to further understand the differences between the supported methods of traffic capturing and the differences between WANGuard S
