Observer GigaFlow Documentation

Create and Use a Profile

Profiling is a very powerful feature. A flow object is a logical set of defined flows and IP source and destination addresses. Flow objects make it possible to build up a complex profile, or profiler, quickly (the terms profile and profiler are used interchangeably). A Profiler describes a particular network behaviour in terms of flow objects. Profiling allows you to configure both the profiles of the flows to be tested (the entry flows) and the profiles of the allowed flows, i.e. the templates against which the entry flows are tested.

To get going, create your first profile. See Configuration > Configuration/Profiling in the GigaFlow Reference Manual.

Step one is then to create a new flow object. To create a flow object:

  • Go to Configuration > Profiling.
  • Select the Apps/Objects tab.
  • In the New Flow Object section, specify the flows that make up the object.

You can AND existing profile(s) to the new flow object (ANDd), i.e. the new definitions are added to the existing profile(s).

You can also select alternative existing profile(s) that the new flow object also maps to (ORd), i.e. the new flow object uses either the new definitions or the existing flow object definitions.

To AND or OR profile(s), use the drop-down menu in the flow object definitions and click the +.

As an example, a printer installation at a particular location connected to a particular router can be defined by a flow object that consists of:

  • A printer flow object.
  • ANDd a location flow object.
  • ANDd a router flow object.

Or

  • The flow object could define the IP address of a server and the web port(s).

A second flow object can be defined that will have its flow checked against the Allowed profile; this is an Entry profile.

To create a new Profiler (this term is used interchangeably with profile):

  • Go to Configuration > Profiling.
  • Give the new Profiler a name and description.
  • Select an Entry profile (the profile to be monitored) and an Allowed profile (the acceptable profile) from the drop-down lists. The Entry and Allowed profile selection includes basic flow objects, i.e. individual devices on your network. A profile is a flow object that is itself a combination of flow objects.
  • If you want to be alerted when an exception occurs, select Yes from the drop-down menu.
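
The flow-object composition described above (a printer object ANDd a location ANDd a router, or a server address with its web port ORd as an alternative) and the Entry-versus-Allowed check a Profiler performs can be modelled in a few lines. The following is an added example, not GigaFlow code: the class names, the predicate helpers, the rule that the criteria inside one flow object must all hold, and the use of distinct source addresses as the "Clients" count are all assumptions made for this illustration, and the flow records are constructed.

```python
"""Toy model of flow objects (ANDd / ORd composition) and a Profiler that
checks Entry flows against an Allowed profile.

Added example, not GigaFlow code: class names, predicate helpers and the
rule that criteria inside one flow object must all hold are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    proto: int   # IP protocol number (6 = TCP, 17 = UDP)
    sport: int
    dport: int
    device: str  # address of the net device (router) that exported the flow


Predicate = Callable[[FlowRecord], bool]


def src_in(cidr: str) -> Predicate:
    net = ip_network(cidr)
    return lambda r: ip_address(r.src) in net


def dst_in(cidr: str) -> Predicate:
    net = ip_network(cidr)
    return lambda r: ip_address(r.dst) in net


def dst_port(*ports: int) -> Predicate:
    return lambda r: r.dport in ports


def via_device(addr: str) -> Predicate:
    return lambda r: r.device == addr


@dataclass
class FlowObject:
    name: str
    definitions: List[Predicate] = field(default_factory=list)  # own criteria: all must hold
    anded: List["FlowObject"] = field(default_factory=list)     # ANDd objects: all must match too
    ored: List["FlowObject"] = field(default_factory=list)      # ORd objects: any may match instead

    def matches(self, rec: FlowRecord) -> bool:
        own = (bool(self.definitions or self.anded)
               and all(d(rec) for d in self.definitions)
               and all(o.matches(rec) for o in self.anded))
        return own or any(o.matches(rec) for o in self.ored)


@dataclass
class Profiler:
    name: str
    entry: FlowObject      # the flows to be monitored
    allowed: FlowObject    # the template they are tested against
    alert_on_exception: bool = True

    def evaluate(self, records: Iterable[FlowRecord]) -> Dict[str, object]:
        # "Clients" modelled as distinct source addresses seen in Entry flows (an assumption).
        clients, hits, exceptions = set(), 0, []
        for rec in records:
            if not self.entry.matches(rec):
                continue                   # not an Entry flow: this profiler ignores it
            clients.add(rec.src)
            if self.allowed.matches(rec):
                hits += 1                  # matched the Allowed profile
            else:
                exceptions.append(rec)     # deviated from the Allowed profile
        return {"profiler": self.name, "clients": len(clients),
                "hits": hits, "exceptions": exceptions}


# The printer installation from the text: a printer object ANDd a location ANDd a router.
location = FlowObject("Location-HQ", [src_in("10.1.0.0/16")])
router = FlowObject("Router-HQ", [via_device("10.1.0.1")])
printer = FlowObject("Printer", [dst_in("10.1.5.0/24"), dst_port(9100, 631)])
printer_install = FlowObject("Printer-Install-HQ", anded=[printer, location, router])
# Alternative definition (a server address plus its web port), ORd into the Allowed profile.
web_admin = FlowObject("Printer-WebAdmin", [dst_in("10.1.5.0/24"), dst_port(443)], anded=[location])
allowed = FlowObject("Allowed-Printer-Traffic", ored=[printer_install, web_admin])
entry = FlowObject("Printer-Subnet-Entry", [dst_in("10.1.5.0/24")])

PRINTER_PROFILER = Profiler("Printers-HQ", entry=entry, allowed=allowed)

# Constructed sample flow records (not captured data).
SAMPLE_FLOWS = [
    FlowRecord("10.1.20.5", "10.1.5.10", 6, 50000, 9100, "10.1.0.1"),  # print job: hit
    FlowRecord("10.1.20.7", "10.1.5.10", 6, 50001, 631, "10.1.0.1"),   # IPP: hit
    FlowRecord("10.9.3.3", "10.1.5.10", 6, 50002, 9100, "10.9.0.1"),   # wrong site and router: exception
    FlowRecord("10.1.20.5", "10.1.5.10", 6, 50003, 22, "10.1.0.1"),    # SSH to the printer: exception
    FlowRecord("10.1.20.5", "8.8.8.8", 17, 5353, 53, "10.1.0.1"),      # not an Entry flow: ignored
    FlowRecord("10.1.20.9", "10.1.5.10", 6, 50004, 443, "10.1.0.1"),   # web admin via the ORd object: hit
]


def run_example() -> Dict[str, object]:
    return PRINTER_PROFILER.evaluate(SAMPLE_FLOWS)


if __name__ == "__main__":
    result = run_example()
    print(f"{result['profiler']}: clients={result['clients']} hits={result['hits']} "
          f"exceptions={len(result['exceptions'])}")
    for rec in result["exceptions"]:
        print("  exception:", rec)
```

Note how the Entry profile is deliberately broader than the Allowed profile: everything addressed to the printer subnet is monitored, but only the traffic that matches the full printer-installation definition (or the ORd web-admin alternative) counts as a hit, so a print job arriving from another site through a different router, or an SSH connection to the printer, surfaces as an exception rather than being silently accepted.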

Select the Apps/Options tab.

GigaFlow comes loaded with a standard set of application port and protocol definitions. Flow records are associated with application names if there is a match.

Users can define their own application names within the software and have that application ID (Appid) available within the flow record. There are 3 techniques used, applied in order:

  1. Customers can define an application profile, which lets them match traffic by source/destination IP address, source/destination port, source/destination MAC address, protocol, COS and/or nested rules.
  2. They can assign their own application names to specified IP ports, i.e. create Named Applications.
  3. If there are no user-defined settings, the software selects the lowest port.

To create a new Defined Application:

  • Go to Configuration > Profiling.
  • Select the Apps/Objects tab.
  • In the New Defined Application section, specify a name, a description and select the flow object that is associated with the application.
  • Click + to add the application.

The Realtime Profiling Status at Profiling > Realtime Overview shows realtime data on defined Profilers. The display updates every 5 seconds and shows:

  • Profiler: this is the defined profile.
  • Clients: the number of connected devices.
  • Hits: the number of flow records that have matched the allowed flows.
  • Exceptions: the flow records for this profile that have deviated from the ideal, or Allowed, profile. See Configuration > Profiling.

The Profiling Event Dashboard at Profiling > Profiling Events gives an overview of profile events.

At the top of the page you can set both the reporting period and resolution, from one minute to 4 weeks.

The Profiles infographic shows a timeline of the number of events with the profile(s) involved. Circle diameters represent the number of events. The peak number of events in the timeline for each profile are highlighted in red.

The Severities infographic shows a timeline of the number of events along with their estimated severity level(s). Circle diameters represent the number of events. The peak number of events in the timeline for each severity level are highlighted in red.

The Event Entries table gives a breakdown of profile events with the following entries:

  • The unique event ID number.
  • The time at which event occurred.
  • The category or profile name.
  • The severity of the event as a percentage.
  • The source IP address.
  • The target IP address.
  • The application, user defined if it exists. See also Configuration > Profiling and Flow Details.
  • Any other information or error/status message, e.g. Profiler Exception.

A drop-down selector lets you choose how many events to display.

To access a detailed overview of any flow, click on the adjacent Drill Down icon. This provides a complete overview of that flow, listing:

  • The source address, a link to search forensics and any associated blacklists.
  • Source MAC address.
  • Destination address, a link to search forensics and any associated blacklists.
  • Destination MAC address.
  • Source port.
  • Destination port.
  • Appid: the application ID is a unique identifier for each application.

    In GigaFlow, Appid is a positive or negative integer value. The way in which the Appid is generated depends on which of the 3 ways the application is defined within the system. Following the hierarchy outlined in Configuration > Profiling -- Apps/Options -- Defined Applications, a negative unique integer value is assigned if (1) the application is associated with a Profile Object or (2) if it is named in the system. If the application is given by its port number only (3), a unique positive integer value is generated that is a function of the lowest port number and the IP protocol.

  • Application. See Appid, above, and Configuration > Profiling.
  • Number of packets in flow.
  • Number of bytes.
  • User.
  • Domain.
  • Fwevent. See
  • Fwextcode.
  • Profile, e.g. PCs.
  • Net device IP address, name and number of flows.
  • In-Interface.
  • Out-Interface.
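
The three application-naming techniques listed under Apps/Options (Defined Application, Named Application, lowest port, applied in that order) and the Appid sign convention described above (negative for defined or named applications, positive and derived from the lowest port and the IP protocol otherwise) can be illustrated with one resolver. This is an added example, not GigaFlow code: the registries are constructed, and the exact Appid arithmetic (sequential negative ids for Defined Applications, `-(10000 + port)` for Named Applications, `protocol * 65536 + lowest_port` for the fallback) is an assumption chosen only to reproduce the sign convention and uniqueness the text describes, not GigaFlow's actual formula.

```python
"""Illustrative resolution of application name and Appid for a flow record,
applying the three techniques in the order the documentation gives.

Added example, not GigaFlow code. Registries are constructed and the Appid
formulas are assumptions that follow the sign convention in the text.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int   # IP protocol number (6 = TCP, 17 = UDP)
    sport: int
    dport: int


# (1) Defined Applications: a name bound to a flow-object style match.
# The list order is the order in which definitions are tried (an assumption).
DEFINED_APPLICATIONS: List[Tuple[str, Callable[[Flow], bool]]] = [
    ("Payroll-App", lambda f: f.dst == "10.2.0.10" and f.proto == 6 and f.dport == 8443),
]

# (2) Named Applications: a user-supplied name for a specific IP port.
NAMED_APPLICATIONS: Dict[int, str] = {8443: "HTTPS-Alt", 5060: "SIP-PBX"}

# (3) Built-in port/protocol definitions (a constructed subset; GigaFlow ships its own table).
STANDARD_PORTS: Dict[Tuple[int, int], str] = {
    (6, 22): "ssh", (6, 80): "http", (6, 443): "https", (17, 53): "dns",
}


def resolve_application(flow: Flow) -> Tuple[int, str]:
    """Return (Appid, application name) for one flow record."""
    # (1) A Defined Application (flow-object match) wins over everything else.
    for index, (name, matches) in enumerate(DEFINED_APPLICATIONS, start=1):
        if matches(flow):
            return -index, name                       # negative id: defined via a flow object
    lowest_port = min(flow.sport, flow.dport)
    # (2) A Named Application for the lowest port of the flow (assumed matching rule).
    if lowest_port in NAMED_APPLICATIONS:
        return -(10_000 + lowest_port), NAMED_APPLICATIONS[lowest_port]   # negative id: named
    # (3) Fall back to the lowest port: positive id as a function of protocol and port.
    appid = flow.proto * 65_536 + lowest_port
    name = STANDARD_PORTS.get((flow.proto, lowest_port), f"port-{lowest_port}")
    return appid, name


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.2.0.10", 6, 50000, 8443),  # (1) Payroll-App wins although 8443 is also named
    Flow("10.1.1.5", "10.2.0.11", 6, 50001, 8443),  # (2) other server on 8443: Named Application
    Flow("10.1.1.5", "10.2.0.12", 6, 50002, 443),   # (3) standard https
    Flow("10.1.1.5", "10.2.0.12", 17, 40000, 53),   # (3) standard dns
    Flow("10.1.1.5", "10.2.0.13", 6, 50003, 7777),  # (3) unknown service: lowest port only
]


def classify_samples() -> List[Tuple[int, str]]:
    return [resolve_application(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (appid, name) in zip(SAMPLE_FLOWS, classify_samples()):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"proto={flow.proto}: Appid={appid} ({name})")
```

The first two sample flows share destination port 8443, yet only the one to the defined server resolves to Payroll-App; the other falls through to the Named Application. That ordering is the practical reason to check the precedence when a flow in Flow Details carries an unexpected name: a Defined Application bound to a broad flow object will override every Named Application and every standard port label beneath it.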

See Glossary for more about flow record fields used by GigaFlow.

See also Search for instructions to access the Graphical Flow Mapping feature.

By clicking any Category, Severity, Source IP or Target IP in the Event Entries table, you will be taken to a version of the Events Dashboard filtered for that item.

See Dashboards > Events for an overview of the structure of this page.