Observer GigaFlow Documentation

Documentation > Reference Manual for GigaFlow > Configuration

Configuration

Figure: The Configuration menu.

Applications

GigaFlow comes loaded with a standard set of application port and protocol definitions. Flow records are associated with application names if there is a match.

Users can define their own application names within the software and have that application ID (Appid) available within the flow record. There are 3 techniques used, applied in order:

  1. Customers can define an application profile which lets them match traffic by source/destination IP address, source/destination port, source/destination MAC address, protocol, COS and/or nested rules.
  2. They can assign their own application names to specified IP ports, i.e. create Named Applications.
  3. Or, if there are no user defined settings, the software will select the lowest port.

Configuration - Applications

Add Defined Application
  • In the New Defined Application section, specify a name, a description and select the flow object that is associated with the application.
  • Click Save to add the application.
Add Flow Object
  • Specify the flows that make up the object.

Flow Objects are defined by:

  • Name.
  • Description.
  • Device IP address (Device IP).
  • Source IP address (Src IP).
  • Source MAC address (Src MAC).
  • Source Port (Src Port).
  • Source Traffic Group.
  • Destination IP address (Dst IP).
  • Destination MAC address (Dst MAC).
  • Destination Port (Dst Port).
  • Destination Traffic Group.
  • Protocol.
  • Class of Service (COS).
  • Negate (True/False)

IP addresses, MAC addresses, Ports and Traffic Groups can also be defined as both Source/Destination.

You can AND existing profile(s) to the new Flow Object (ANDd), i.e. the new definitions are added to the existing profile(s) and a flow must satisfy both.

You can also select alternative existing profile(s) that this new profile also maps to (ORd), i.e. the new Flow Object uses either the new definitions or the existing Flow Object definitions.

To ANDd or ORd profile(s), use the drop-down menu in the Flow Object definitions and click the +.

As an example, a printer installation at a particular location connected to a particular router can be defined by a Flow Object that consists of:

  • A printer Flow Object.
  • ANDd a location Flow Object.
  • ANDd a router Flow Object.

Or

  • The Flow Object could define the IP address of a server and the web port(s).

A second Flow Object can be defined that will have its flow checked against the Allowed profile; this is an Entry profile.
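The matching logic described in this section (Flow Objects with ANDd/ORd nesting and Negate, then the three application-resolution techniques applied in order), as an added example in Python; it is not GigaFlow's code, and the field names, the CIDR handling for IP fields and the way nested objects combine are this example's own reading of the text:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed flow records use these keys: device (exporting device IP), src_ip,
# src_port, dst_ip, dst_port, protocol, cos. The field names are this example's own.
MATCH_FIELDS = ("device", "src_ip", "src_port", "dst_ip", "dst_port", "protocol", "cos")


@dataclass
class FlowObject:
    """A Flow Object: every field that is set must match the flow. ANDd objects must
    also match; ORd objects are accepted as alternatives. Negate inverts the final
    result. How nesting combines is this example's reading of the manual text."""
    name: str
    device: Optional[str] = None
    src_ip: Optional[str] = None       # host address or CIDR
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None       # host address or CIDR
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    cos: Optional[int] = None
    negate: bool = False
    and_objects: list = field(default_factory=list)
    or_objects: list = field(default_factory=list)

    def _field_ok(self, name: str, flow: dict) -> bool:
        want = getattr(self, name)
        if want is None:
            return True                # unset field: matches anything
        if name in ("src_ip", "dst_ip"):
            return ip_address(flow[name]) in ip_network(want, strict=False)
        return flow[name] == want

    def matches(self, flow: dict) -> bool:
        own = all(self._field_ok(f, flow) for f in MATCH_FIELDS)
        anded = own and all(o.matches(flow) for o in self.and_objects)
        ored = any(o.matches(flow) for o in self.or_objects)
        return (not (anded or ored)) if self.negate else (anded or ored)


# Technique 2: user-assigned names for specific protocol/port pairs (constructed).
NAMED_APPS = {("tcp", 9100): "printer-raw", ("udp", 53): "dns"}


def resolve_application(flow: dict, defined_apps: list) -> str:
    """Apply the three techniques in the order the manual lists them."""
    for name, flow_object in defined_apps:              # 1. application profiles
        if flow_object.matches(flow):
            return name
    for port in (flow["dst_port"], flow["src_port"]):   # 2. named protocol/port
        if (flow["protocol"], port) in NAMED_APPS:
            return NAMED_APPS[(flow["protocol"], port)]
    return f"port-{min(flow['src_port'], flow['dst_port'])}"   # 3. lowest port


# The manual's example: a printer ANDd a location ANDd a router (constructed values).
PRINTER = FlowObject("printer", protocol="tcp", dst_port=9100)
LOCATION = FlowObject("branch-12", src_ip="10.12.0.0/16")
ROUTER = FlowObject("branch-12-router", device="10.12.0.1")
BRANCH_PRINTING = FlowObject("branch-12-printing", and_objects=[PRINTER, LOCATION, ROUTER])
APPS = [("Branch 12 printing", BRANCH_PRINTING)]


def demo() -> list:
    base = dict(src_port=51000, dst_ip="10.12.9.9", dst_port=9100, protocol="tcp", cos=0)
    via_branch = dict(base, device="10.12.0.1", src_ip="10.12.3.7")  # all ANDd parts match
    via_other = dict(base, device="10.99.0.1", src_ip="10.12.3.7")   # router differs: technique 2
    dns = dict(device="10.99.0.1", src_ip="10.99.1.1", src_port=40000,
               dst_ip="10.0.0.53", dst_port=53, protocol="udp", cos=0)
    web = dict(dns, dst_port=8443, protocol="tcp")                   # unknown: lowest port
    return [resolve_application(f, APPS) for f in (via_branch, via_other, dns, web)]
```

The second flow shows why the order matters: the same printer traffic seen through a different router no longer matches the ANDd profile and falls back to the Named Application for 9100/tcp.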

Add Protocol/Port Application

To add a protocol or port application, click the Add protocol/port application icon and enter:

  • Name: Name of the application.
  • Protocol: the network protocol associated with the application.
  • Port: the port number associated with the application.

Click Save.

Existing Defined Application

Already defined applications are listed here. Existing applications can be edited to associate icons.

Existing Flow Objects

Already defined flow objects are listed here.

Existing Protocol/Port Applications

Already defined protocol/port applications are listed here. Existing protocol/port applications can be edited to associate icons.

Attributes

Located at Configuration > Attributes.

Attributes are aliases used to help with identification of network infrastructure and users. Assigning an attribute category to a MAC address, user, IP, device or interface allows different user groups to tag and identify your network infrastructure easily. For example, a network engineer may prefer to alias a device with a name or category appropriate to their view of your network. The security team may prefer a different categorisation.

The categories are:

  • MAC Categories
  • IP Categories
  • User Categories
  • Device Categories
  • Interface Categories

The aim is to facilitate rapid identification of network infrastructure and user groups.

If you want to add a new device attribute:

  • Click Configuration > Attributes
  • Click +, Add.
  • Enter the new attribute name and category type and then click Save.

GEOIP

Located at Configuration > GEOIP.

You can change the geolocation and IP settings here.

To add new GEOIP overrides:

  • Enter comma-separated parameters as follows:
      "Start IP,End IP,Country ISO Code,Region Name,Latitude,Longitude"
    or
      "IP/MaskBits,Country ISO Code,Region Name,Latitude,Longitude"
  • Click Add GEO to IPs.
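A parser for the two override formats above, added here as an example and not taken from GigaFlow. It validates each field before accepting an entry and, when overrides overlap, resolves an address to the smallest covering range; that tie-breaking rule and the sample entries are this example's assumptions.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from ipaddress import ip_address, ip_network


@dataclass
class GeoOverride:
    start: object            # first address covered (ipaddress object)
    end: object              # last address covered
    country: str             # two-letter ISO code
    region: str
    lat: float
    lon: float

    def covers(self, ip: str) -> bool:
        return self.start <= ip_address(ip) <= self.end


def parse_override(line: str) -> GeoOverride:
    """Accept either "Start IP,End IP,CC,Region,Lat,Lon" or "IP/MaskBits,CC,Region,Lat,Lon".
    A region name containing a comma must be quoted, as in any CSV field."""
    fields = [f.strip() for f in next(csv.reader(StringIO(line)))]
    if len(fields) == 5 and "/" in fields[0]:              # IP/MaskBits form
        net = ip_network(fields[0], strict=False)
        start, end = net.network_address, net.broadcast_address
        country, region, lat, lon = fields[1:]
    elif len(fields) == 6:                                  # Start IP,End IP form
        start, end = ip_address(fields[0]), ip_address(fields[1])
        country, region, lat, lon = fields[2:]
    else:
        raise ValueError(f"expected 5 or 6 comma-separated fields, got {len(fields)}: {line!r}")
    if start > end:
        raise ValueError(f"Start IP {start} is after End IP {end}")
    if len(country) != 2 or not country.isalpha():
        raise ValueError(f"country ISO code must be two letters: {country!r}")
    lat, lon = float(lat), float(lon)
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError(f"latitude/longitude out of range: {lat}, {lon}")
    return GeoOverride(start, end, country.upper(), region, lat, lon)


def parse_all(text: str) -> list:
    """One override per line, blank lines ignored."""
    return [parse_override(line) for line in text.splitlines() if line.strip()]


def lookup(ip: str, overrides: list):
    """Most specific (smallest) override covering ip, or None if no override applies."""
    hits = [o for o in overrides if o.covers(ip)]
    return min(hits, key=lambda o: int(o.end) - int(o.start), default=None)


# Constructed sample input mixing both formats; the /24 sits inside the first range.
SAMPLE = """\
10.50.0.0,10.50.255.255,IE,Leinster,53.35,-6.26
10.50.7.0/24,GB,Greater London,51.51,-0.13
192.168.100.0/22,US,Texas,30.27,-97.74
"""
```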

Existing GEOIP overrides are listed in the table below.

You can select the number of items to show from the dropdown menu above the table; the default is 50 items.

Information displayed includes:

  • Start IP.
  • End IP.
  • Country ISO code.
  • Region name.
  • Latitude.
  • Longitude.
  • List of actions you can perform, i.e. modify or delete entries.

You can also search by entering a country code or clicking on the map below the table.

Infrastructure Devices

Located at Configuration > Infrastructure Devices.

Actions

Add Device

To add a new infrastructure device:

  • Enter the IP address.
  • Enter the SNMP community.
  • Click Save to save changes.

Add Bulk Devices

To bulk-add new devices, i.e. more than one device at a time:

  • Enter device information using the format:
      ip
    or
      ip, communityString
    or
      ip, communityString, deviceName

Use a new line for each new device added.

Recheck Forensics

Recheck Forensics by clicking Refresh.

Extended Stats

This shows a more detailed version of the Existing Devices table, with additional statistics for each device.

Existing Devices

The Existing Device(s) table lists all connected infrastructure devices.

You can select how many of the devices to view, i.e. the most recent 10, 25, 50, 100 or all devices.

At the top of the table, the total number of infrastructure devices is given. You can also search for a particular device. Each column is sortable. The table displays interactive information, including:

  • Device ID. To view a detailed overview of this device, click on the IP. See the next section, Detailed Device Information. The Device ID is assigned when the system receives a flow or syslog from it for the first time.
  • Device IP address. It is good practice to ensure that the source address is fixed, ideally, to a VLAN or management VLAN address. Otherwise, multiple entries might be created for each alternative pathway.
  • SNMP IP: IP address for SNMP access.
  • Device name. To change the device name, enter a new name and click Save. This defaults to the IP address, or to the SNMP system name if one exists. Both can be overwritten.
  • SNMP state, up or down. This indicates whether or not the sender can be polled for more information. To refresh the SNMP state, click Refresh.
  • Number of associated Layer-3 interfaces.
  • Number of VLANs.
  • Number of ARPs.
  • Number of BPNs.
  • Number of CAM (latest).
  • Number of CAMs.
  • Number of LLDPs.
  • Number of Drops.
  • Flows per second. This is GigaFlow's current flow processing rate.
  • Number of Flows. This is the total number of flows received by GigaFlow since the last reset or restart, not including duplicates.
  • Sampling rate.
  • Trigger. This is the flow resolution used in the flows per second calculation.
  • Associated Netflow templates.
  • Number of forensics.
  • Stored MB. This is the storage used for the sender's flow/syslog information.
  • GBs. This is the storage limit for the sender's flow/syslog information. When this limit is exceeded, the system will purge the oldest entries.
  • Oldest entry.
  • Store (yes or no). Whether the sender's flows/syslogs are stored; see also System > Global > Storage. If they are not stored, they are still checked against blacklists and Profilers.
  • Associated System Object Identifier (SysOID).
  • Number of duplicate flows discarded (if any).

Device SNMP Mapping

The Device SNMP Mapping table displays:

  • System Object Identifier (SysOID).
  • Poller. To change the poller, select from the drop-down list and click Save.
  • The number of devices using this SysOID.
  • A description of the system, e.g. Gigabit Smart Switch.

Detailed Device Information

Located at Configuration > Infrastructure Devices > Detailed Device Information.

By clicking any device IP address in the Existing Devices table, you can bring up a detailed overview of that device.

On loading, the device name, device IP address and device ID are given across the top of the page.

SNMP Settings

Below this information, you will see the SNMP Settings panel. SNMP information is listed here. This includes:

  • Date and time of last SNMP details poll.
  • Date and time of last SNMP Interfaces poll.
  • Last SNMP duration in milliseconds.
  • Date and time of last DSP check.
  • SNMP Location.
  • Number of interfaces.
  • Device description.
  • Device ObjectID.
  • Device poller.
  • Device name.
  • Templates, e.g. V5.
  • Flows: more detail can be shown by clicking the drill down arrow.

To change the device name:

  • Enter the new name in the text box.
  • Click Save to save changes.

To change SNMP version and/or community:

  • Select a version number from the drop-down box.
  • Enter a community name.
  • Click Save to save changes.
  • Click Test SNMP Fields to test these settings.

To test SNMP settings and status:

  • Click Refresh to refresh the status.
  • You will see a green Up arrow indicating that SNMP is up, or a red Down arrow if SNMP is down.

All other device information is populated automatically from the device and cannot be edited.

Attributes and Tools

To add attributes to the device:

  • Select a device type from the drop-down menu.
  • Enter a name for the attribute and click + to add.
  • To remove an attribute, click the small x.

There are quick-links to useful tools, including:

  • Forensics.
  • ARPs.
  • CAMs.
  • Int Tools.
  • Traffic Overview.

There are also links to associated integrations (Integrations) and servers (Server Discovery). See also System > Global for more about integrations.

See Reports > Forensics for more.

Storage Setting

In this panel, you can view and make changes to the device information storage settings:

  • Storage profile name.
  • Allowed disk duration, set to 14 days.
  • Allowed disk storage (GB). This defaults to 1 GB. To change this, enter a new value and click Save.
  • Process flows. You can change this by selecting from the drop-down menu. The choices are:
      • Yes.
      • No forensics storage.
      • No processing.
  • Store seen IP, Yes or No.
  • Sample rate, per second.
  • Time and date of oldest Disk Storage.
  • Click Save after making a change.
  • Sample rate. This defaults to 1 millisecond. To change this, enter a new value and click Save.
  • To remove a device, click Remove Device.

At the bottom of the detailed infrastructure device settings page, there are several tabs:

  • Interfaces.
  • Subnets.
  • Flow Templates.
  • Stats.
  • VLANs.
  • Bridge Ports.
  • Bridge Ports To IF Index.
  • Application mapping.

Other Settings

The Interfaces tab consists of an editable table with the following information:

  • IfIndex: the interface number.
  • The interface name. To change this, enter a new name and click Save.
  • The interface alias. To change this, enter a new alias and click Save.
  • The interface description. To change this, enter a new value and click Save.
  • The interface IP address.
  • The interface MAC address.
  • Speed In (MB/s). To change this, enter a new value and click Save.
  • Speed Out (MB/s). To change this, enter a new value and click Save.
  • Admin status.
  • Oper status.

The Subnets tab displays a list of SNMP discovered subnets. See also Reports > System Wide Reports > Subnet List.

The Flow Templates tab displays a list of the Netflow templates used, e.g.:

  • V9 Templates.
  • V10 Templates.
  • NSEL Templates.

The Stats tab consists of a list of the number of VLAN, ARP and CAM entries.

The VLANs tab consists of a list of VLANs.

The Bridge Ports tab consists of a list of bridge ports.

The Bridge PortNumbers To ifIndex tab consists of a list of bridge ports.

The Application Mapping tab displays a list of mapped applications with the key, appid and application listed for each mapping.

Configuration/Profiling

Host Profiler Wizard

Enter:

  • Name and description. Click Next.
  • Client addresses, i.e. devices whose traffic will be monitored. These devices can be identified by IP or MAC Address. You can enter single IP Addresses, range or subnet e.g. 1.1.1.0/255.255.255.0. Or you can enter MAC Address or range e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff. Click Next.
  • Allowed applications. Select an application from the drop-down list or create a new application at Configuration > Applications.
  • Click Submit.

Service Profiler Wizard

Enter:

  • Name and description. Click Next.
  • Allowed traffic patterns, i.e. allowed applications/services. Select an application from the drop-down list or create a new application at Configuration > Applications. Click Next.
  • Client addresses, i.e. devices whose traffic will be monitored. These devices can be identified by IP or MAC Address. You can enter single IP Addresses, range or subnet e.g. 1.1.1.0/255.255.255.0. Or you can enter MAC Address or range e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff. Click Next.
  • Allowed server addresses, i.e. servers whose use is allowed. These devices can be identified by IP or MAC Address. You can enter single IP Addresses, range or subnet e.g. 1.1.1.0/255.255.255.0. Or you can enter MAC Address or range e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff.
  • Click Submit.

Add Profiler

Located at Configuration > Profiling.

This is where you can create profiles that define the normal behaviour of your network.

  • Profiling is a very powerful feature.
  • A Flow Object is a logical set of defined flows and IP source and destination addresses.
  • Flow objects make it possible to build up a complex profile or Profiler quickly. These terms are used interchangeably.
  • A particular network behaviour that involves network flow objects is described by a Profiler.

To get going, create your first profile.

  • A good way to start is to select one type of device and a single IP of this type.
  • For example, in retail, this might be a point of sale machine.
  • Then build a profile based on expected flows out of the device IP.
  • This profile can serve as a template for realtime monitoring; this is an Allowed profile.

Step one is to create a new Flow Object at Configuration > Applications (see Applications, above, for how to define a Flow Object).

To create a new Profiler (this term is used interchangeably with profile):

  • Go to Configuration > Profiling.
  • Give the new Profiler a name and description.
  • Select an Entry profile (the profile to be monitored) and an Allowed profile (the acceptable profile) from the drop-down lists. The Entry and Allowed profile selection includes basic flow objects, i.e. individual devices on your network. A profile is a flow object that is itself a combination of flow objects.
  • If you want to be alerted when an exception occurs, select Yes from the drop-down menu.
  • Click Save.

Existing Profilers

This table displays a list of existing profiles.

  • ID: the profile ID.
  • Name: the name of the profile.
  • Description: a description of the profile.
  • Entry: the Entry profile is the profile that is to be monitored.
  • Allowed: the Allowed profile is the target, or acceptable, profile.
    The Entry and Allowed profile selection includes basic flow objects, i.e. individual devices on your network. A profile is a flow object that is itself a combination of flow objects.
  • Checks: this is the number of times that the profiles were compared.
  • Hits: this is the number of matches between the Entry and Allowed profiles.
  • Exceptions: the number of times that the flow records for this profile have deviated from the ideal, or Allowed, profile.
  • Alert: this is set to true or false - if an alert is raised when an exception is detected, this is set to true.
  • Actions: profiles can be edited, the exception count can be reset and the profile rank order can be raised or lowered.
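The Entry/Allowed comparison and the Checks, Hits, Exceptions and Alert columns above, worked through in Python as an added example (not GigaFlow's code). The Flow Object matcher is reduced to a dictionary of required field values, and the point-of-sale host, its back-end server and the ports are constructed values for the retail scenario the section describes.

```python
from dataclasses import dataclass, field
from typing import Optional


def _match(rule: dict, flow: dict) -> bool:
    """Minimal stand-in for a Flow Object: each rule key must equal the flow's
    value, or the flow's value must be one of a set of permitted values."""
    return all(flow.get(k) in v if isinstance(v, set) else flow.get(k) == v
               for k, v in rule.items())


@dataclass
class Profiler:
    name: str
    entry: dict              # Entry profile: which flows are monitored
    allowed: dict            # Allowed profile: what those flows should look like
    alert: bool = False      # raise an alert when an exception is detected
    checks: int = 0
    hits: int = 0
    exceptions: int = 0
    alerts: list = field(default_factory=list)

    def check(self, flow: dict) -> Optional[bool]:
        """None: flow is outside the Entry profile. True: hit. False: exception."""
        if not _match(self.entry, flow):
            return None
        self.checks += 1
        if _match(self.allowed, flow):
            self.hits += 1
            return True
        self.exceptions += 1
        if self.alert:
            self.alerts.append(f"{self.name}: {flow['src_ip']} -> "
                               f"{flow['dst_ip']}:{flow['dst_port']}/{flow['protocol']}")
        return False

    def reset_exceptions(self) -> None:
        """The exception-count reset offered in the Actions column."""
        self.exceptions = 0
        self.alerts.clear()


# Retail example from the text: one point-of-sale host and the flows expected from it.
POS = Profiler(
    name="pos-terminal-7",
    entry={"src_ip": "10.7.0.21"},
    allowed={"protocol": "tcp", "dst_ip": {"10.7.200.10"}, "dst_port": {443, 8583}},
    alert=True,
)

FLOWS = [  # constructed flow records
    dict(src_ip="10.7.0.21", dst_ip="10.7.200.10", dst_port=443, protocol="tcp"),
    dict(src_ip="10.7.0.21", dst_ip="10.7.200.10", dst_port=8583, protocol="tcp"),
    dict(src_ip="10.7.0.21", dst_ip="10.7.0.99", dst_port=445, protocol="tcp"),  # deviation
    dict(src_ip="10.7.0.22", dst_ip="10.7.0.99", dst_port=445, protocol="tcp"),  # outside Entry
]


def run(profiler: Profiler, flows: list) -> tuple:
    """Feed flows through one Profiler; return (checks, hits, exceptions, alerts raised)."""
    for flow in flows:
        profiler.check(flow)
    return profiler.checks, profiler.hits, profiler.exceptions, len(profiler.alerts)
```

Only flows matching the Entry profile are counted as checks; the fourth flow comes from a different host and is ignored by this Profiler, while the third is counted as an exception and, because Alert is set, produces an alert.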

Reporting

Located at Configuration > Reporting.

One of the difficult aspects of reporting on network flows is the number of possible field combinations, with 25+ fields in the extended range. GigaFlow records all fields for all flows with no summarization and no deduplication. GigaFlow allows you to create exactly the report you want.

You can change reporting settings here, in the General and Forensics Reports panels.

New Report Link

Allows you to add new entries to be displayed in the left hand navigation under the Reports option.

You can enter:

  • The URL to be called (must be unique).
  • The name displayed in the left-hand menu for this URL.
  • Whether this URL should be opened in a new window (YES) or in the GigaFlow main content frame (NO).

Import Report Link

Allows you to import a JSON representation of new entries to be displayed in the left hand navigation under the Reports option.

General

You can edit the general reporting settings in this panel:

  • Default search period: select 1 day, 2 days, 7 days, 14 days or 21 days. The default selection is 1 day.
  • Forensics graph summary rows: select 5, 10, 20, 30, 40 or 50 rows. The default selection is 10 rows.
  • Default reporting period: the default reporting period is 10 minutes, i.e. the last 10 minutes of information will be presented.
  • Maximum number of table rows to return: select 1,000, 5,000, 10,000, 20,000, 50,000, 100,000 or 1,000,000. The default selection is 1,000,000.
  • Default Forensics Report: Select which report should automatically run when going from a summary report to a forensics report.
The default selection is Application Flows.
  • Show Cumulative Stacked Chart Values.
  • Show Stacked Charts.
  • Chart Format.
  • Chart Format Custom Settings.
  • Click Save Report Settings to save changes or Cancel to clear changes not submitted.

Forensics Reports

See Appendix > Forensic Report Types for a complete description of the different report types. See also Reports > Forensics for the Direct Filtering Syntax used by GigaFlow.

You can view and clone built-in forensics reports in this panel.

From the Report drop-down menu, select the report type to view or clone. The default selection is Application Flows. In the panel below, you can view:

  • The report name.
  • The associated table query, in this case:
      select srcadd as srcadd,dstadd as dstadd,appid as appid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd,dstadd,appid ORDERBY LIMITROW
  • The table value field, in this case:
      bits_total
  • The graph query, in this case:
      select FIRSTSEEN as afirstseen,srcadd as srcadd,dstadd as dstadd,appid as appid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd,dstadd,appid order by srcadd,dstadd,appid,afirstseen
  • The graph time field, in this case:
      afirstseen
  • The graph value field, in this case:
      bits_avgsec
  • The graph key field(s), separated by "__", in this case:
      srcadd__dstadd__appid
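The Application Flows table query above, run against a small constructed netflow table in SQLite so that the effect of the WHERECLAUSE, ORDERBY and LIMITROW placeholders can be seen. This is an added example, not GigaFlow's code: the text substituted for each placeholder is an assumption (the page does not show what GigaFlow inserts), and the graph query is left out because the meaning of FIRSTSEEN and MODER is not given here.

```python
import sqlite3

# The table query exactly as shown in the Forensics Reports panel.
TABLE_QUERY = ("select srcadd as srcadd,dstadd as dstadd,appid as appid, "
               "cast((sum(bytes)*8) as bigint) as bits_total from netflow "
               "WHERECLAUSE group by srcadd,dstadd,appid ORDERBY LIMITROW")

# Constructed netflow rows: (firstseen as epoch seconds, srcadd, dstadd, appid, bytes).
ROWS = [
    (1000, "10.0.0.5", "10.0.1.10", 80, 1500),
    (1010, "10.0.0.5", "10.0.1.10", 80, 2500),
    (1020, "10.0.0.7", "10.0.1.10", 443, 9000),
    (1030, "10.0.0.5", "10.0.1.20", 53, 300),
    (5000, "10.0.0.5", "10.0.1.10", 80, 99999),   # outside the search period
]


def render(template: str, where: str, order_by: str, limit: int) -> str:
    """Fill the three placeholders. The substituted text is this example's
    assumption; the time bounds stay as bound parameters rather than literals."""
    return (template.replace("WHERECLAUSE", where)
                    .replace("ORDERBY", order_by)
                    .replace("LIMITROW", f"limit {int(limit)}"))


def run_table_report(start: int, end: int, limit: int = 1000) -> list:
    """Return (srcadd, dstadd, appid, bits_total) rows for flows first seen in [start, end]."""
    con = sqlite3.connect(":memory:")
    con.execute("create table netflow(firstseen integer, srcadd text, "
                "dstadd text, appid integer, bytes integer)")
    con.executemany("insert into netflow values (?,?,?,?,?)", ROWS)
    sql = render(TABLE_QUERY, "where firstseen between ? and ?",
                 "order by bits_total desc", limit)
    rows = con.execute(sql, (start, end)).fetchall()
    con.close()
    return rows
```

Each row is one srcadd/dstadd/appid group with its total bits, which is the table value field (bits_total) the panel lists.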

To clone a report:

  • Enter the new cloned report name.
  • Click Clone Forensics Report to create new cloned report.

Existing DSCP Names

  • This is a list of existing, editable DSCP names.
  • Click Save DSCP Names to commit any changes.

New DSCP Name

To add a new DSCP name:

  • Enter the DSCP number.
  • Enter the new name.
  • Click Save DSCP Name.

Existing Report Links

Lists the existing user-defined report URLs that are available from the left hand navigation under the Reports option.

The table lists:

  • The URL to be called (must be unique).
  • The name displayed in the left-hand menu for this URL.
  • Whether this URL should be opened in a new window (YES) or in the GigaFlow main content page (NO).

Server Subnets

Located at Configuration > Server Subnets. See also Reports > First Packet Response.

To begin using First Packet Response (FPR), you must specify the server subnets and ports that you would like to monitor. FPR monitors TCP and UDP traffic, e.g. DNS 53/UDP, and is inherently multi-threaded by device.

Add Server Subnet

To add a new server subnet:

  • Click + at the top of the page.
  • Enter the subnet address.
  • Enter the subnet mask.
  • Click Add Server Subnet.
  • Click Cancel to clear the data entered.

Server Subnets

This tab allows you to view a list of existing monitored server subnets and to add new subnets. The main table displays the following information:

  • ID.
  • Subnet.
  • Mask.
  • Ports.
  • Actions, i.e. edit or delete a subnet. Editing a subnet allows you to specify a particular port to monitor.

Servers

This tab allows you to view a list of identified servers on the monitored server subnets. The main table displays a list of the infrastructure devices, routers, involved in transactions to or from the server subnets and associated servers.

Devices

This tab allows you to view a list of infrastructure devices, routers, involved in transactions to or from the server subnets and associated servers.

You can select the number of items to show from the drop-down menu above the table; the default is 10 items.

Traffic Groups

Located at Configuration > Traffic Groups.

Traffic groups are subnet and IP range aliases.

  • You can assign a name to a subnet or IP range.
  • GigaFlow will collect data associated with this range.

To define a new traffic group:

  • Click Configuration > Traffic Groups.
  • Existing traffic groups are displayed in the main table.
  • Scroll down to create a new traffic group.

Add Traffic Group

To add a new traffic group:

  • Enter the name of the new traffic group.
  • Enter a description of the new traffic group.
  • Enter a start IP address for the traffic group, e.g. 172.1.1.0.
  • Enter an end IP address for the traffic group, e.g. 172.1.1.255.
  • Is the traffic natted? Yes or no.

Sometimes, it can be useful to define a traffic group by subnet and by infrastructure device. For example, a corporate network could have a subnet served by more than one router. To create a granular view of flow through each router, a separate traffic group could be created for each router, defined by the IP range of the subnet as well as the device name. You can type to filter the device list.

To add a device to a traffic group:

  • Click to select a device to associate with the traffic group.
  • Click the up arrow to associate this device with the traffic group; the traffic group is now defined by the IP range and the selected device(s).
  • Click Save.

Add Bulk Traffic Group

To bulk-add new traffic groups, i.e. more than one group at a time:

  • Enter required traffic group information using the format:
name,description,startip,endip,natted(y/n),deviceIP
  • Click Save.

Use a new line for each new traffic group.

Existing Traffic Groups

To edit a traffic group definition, click Configuration > Traffic Groups and click on the traffic group name or on the adjacent drill down icon. This will bring up a new page for that traffic group where you can edit the group definition.

The table of traffic groups shows:

  • Name.
  • Start.
  • End.
  • Natted.
  • Devices.
  • Devices Remaining.
  • Hits.
  • Src Bytes.
  • Dst Bytes.
  • Src Pkt.
  • Dst Pkt.

SNMP Discovered Subnets


For each SNMP discovered subnet, the table displays:

  • Device.
  • Name.
  • Device IP.
  • IfIndex.
  • Name.
  • Subnet.
  • Action.
  • Alias.
  • Description.
  • Speed In.
  • Speed Out.
  • Admin.
  • Oper.