Scrutinizer 10.1 Administrator’s Guide


© 2012 Dell Inc. Trademarks: Dell™, the DELL logo, SonicWALL™, SonicWALL GMS™, SonicWALL ViewPoint™, Aventail™, Reassembly-Free Deep Packet Inspection™, Dynamic Security for the Global Network™, SonicWALL Aventail Advanced End Point Control™ (EPC™), SonicWALL Aventail Advanced Reporting™, SonicWALL Aventail Connect Mobile™, SonicWALL Aventail Connect™, SonicWALL Aventail Native Access Modules™, SonicWALL Aventail Policy Zones™, SonicWALL Aventail Smart Access™, SonicWALL Aventail Unified Policy™, SonicWALL Aventail™ Advanced EPC™, SonicWALL Clean VPN™, SonicWALL Clean Wireless™, SonicWALL Global Response Intelligent Defense (GRID) Network™, SonicWALL Mobile Connect™, SonicWALL SuperMassive™ E10000 Series, and all other SonicWALL product and service names and slogans are trademarks of Dell Inc. 2012 – 11

P/N 232-001347-00

Rev. A

Table of Contents

Introduction ... 1
  Overview ... 1
  Resources ... 1
Admin Tab ... 3
  Data Aggregation - What is 'Other' Traffic? ... 3
    Overview ... 3
  Report Designer ... 4
    Overview ... 4
  Admin Tab ... 4
    Overview ... 4
  SNMP Device View ... 8
  Individual Exporters ... 9
    Overview ... 9
  Vitals Main View ... 10
    Overview ... 10
Flow Analytics ... 13
  Flow Analytics ... 13
    Overview ... 13
  Flow Hopper ... 17
System ... 19
  404 Error ... 19
  500 Error ... 19
  Access Denied ... 19
  Database Connection Failure ... 19
    Overview ... 19
  Distributed Collectors ... 19
    Overview ... 19
  Flowalyzer ... 20
  Installing Adobe Flash ... 20
    Overview ... 20
  Language Translations ... 21
    Overview ... 21
  Scrut_util ... 21
    Overview ... 21
  Search Tool ... 25
    Overview ... 25
  Multi Tenancy Module ... 25
    Overview ... 25
  Systrax ... 25
  Troubleshooting ... 26
    Getting Started Guide ... 26
  Web Server Port ... 26
    Overview ... 26

Dell SonicWALL Scrutinizer 10.1 Admin Guide

Introduction

Overview

Welcome to the Dell SonicWALL Scrutinizer 10.1 Administrator's Guide. This manual provides the information you need to successfully activate, configure, and administer the Dell SonicWALL Scrutinizer.

Resources

• For troubleshooting procedures, Click Here.
• There are also online webcasts which give quick overviews (i.e. 2 - 5 minutes each) of specific features.
• For Scrutinizer frequently asked questions, Click Here.
• For procedures on globally configuring NetFlow, Click Here.
• For timely resolution of technical support questions, visit Dell SonicWALL on the Internet at: http://www.sonicwall.com/us/en/support.html

Adobe® Flash® Player. Copyright(c) 1996-2012. Adobe Systems Incorporated. All Rights Reserved. Patents pending in the United States and other countries. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries. Please reference the End User License Agreement for more information on using Adobe® Flash® Player in Scrutinizer.


Admin Tab

Data Aggregation - What is 'Other' Traffic?

Overview

What is other traffic? Other traffic is traffic that didn't make it into the top 10. Some important details should be understood when trying to comprehend Other traffic. The collector saves 100% of all data in raw format to the 1 minute conversations tables for each router. Every hour it creates a new 1 minute interval table per router. Every 5 minutes, it creates higher intervals using the smaller intervals. This process is called "roll ups". When the roll ups occur for 5 Min, 30 Min, 2 Hr, 12 Hr, 1 Day and 1 week, two tables are created:

1. Totals: The total in and out byte counts are saved per interface before the data for the conversations table is calculated. This table allows the reporting front end to display accurate total throughput per interface over time and allows the front end to operate with no dependency on SNMP yet still provide accurate total utilization reporting.

2. Conversations: All flows for the time period (e.g. 5 minutes) are aggregated together based on a tuple. Once all flows are aggregated together, the top 1000 (i.e. default) flows based on byte count are saved. The non top 1000 flows are dropped. Remember: the total tables ensure a record of the total in / out utilization per interface over time.

When a report is run on an individual interface within 1 minute intervals, the totals table isn't needed because the conversations table contains 100% of the data. When a report is run on an individual interface with no filters in 5 minute or higher intervals, both the Conversations and Total tables are used in the report. When reporting, the Total tables are used to display the total in and out utilization of the interface, and the top 10 from the Conversations table are subtracted out from the total and added back in color. IMPORTANT: In some cases, a report that doesn't utilize the Total tables can understate the actual utilization of the interface. The Total tables are not used when:

• Reporting across All interfaces of a device
• A report is run on multiple interfaces from different devices regardless of filters
• Looking at data from a single template (e.g. using a single or multiple Medianet templates).
• Looking at 1 minute intervals in a report. One minute intervals contain 100% of all data exported for the template as no roll ups have occurred. As a result, no Total tables are created for 1 minute intervals.

The Total tables are only used when:

• Looking at 5 minute intervals and higher
• The "Flow Templates" section of the report filter indicates "Available Templates".
• Looking at a single interface without any additional filters

Remember: Only the top 1000 (default) conversations are saved in the roll ups by default. If the server has the available disk space, try increasing the Maximum Conversations under Admin Tab - Settings - Data History to 10,000 and see if it improves the accuracy. Don't configure it for the maximum of 100K right away; rather, ease up the number of conversations saved over a few days. Some reports may render more slowly when the Maximum Conversations is increased; this is the result of the tables being larger.

A Word about sFlow

When collecting sFlow, make sure the packet samples and the interface counters are both being exported to the collector. The collector will save the packet samples to the Conversation tables and the Interface counters to Total tables even at 1 minute intervals.
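As an added example (not code from this guide or from the Scrutinizer product), the following Python simulates the roll-up described above on a constructed set of 1-minute flow records: a Totals table built before any conversation is dropped, a Conversations table that keeps only the top N per exporter, and the two ways a report can be assembled from them. The record fields, function names and the Maximum Conversations value of 3 are assumptions chosen to make the understatement visible.

```python
# Added example: simulate Scrutinizer-style roll-ups to show why a report
# that does not use the Totals table can understate interface utilization.
# All flow records below are constructed, not captured data.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    exporter: str      # flow-sending device (router)
    interface: int     # interface index the flow was observed on
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    direction: str     # "in" or "out" relative to the interface
    nbytes: int


# Constructed 1-minute records for two exporters. The first two rows are the
# same conversation seen in two different minutes, so the roll-up merges them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("rtr1", 1, "10.0.0.5", "10.0.1.20", 6, 51234, 443, "in", 3000),
    Flow("rtr1", 1, "10.0.0.5", "10.0.1.20", 6, 51234, 443, "in", 2000),
    Flow("rtr1", 1, "10.0.0.6", "10.0.1.20", 6, 51235, 443, "in", 4000),
    Flow("rtr1", 1, "10.0.0.7", "10.0.1.21", 17, 5060, 5060, "in", 3000),
    Flow("rtr1", 1, "10.0.0.8", "10.0.1.22", 6, 51236, 80, "in", 2000),
    Flow("rtr1", 1, "10.0.0.9", "10.0.1.23", 6, 51237, 22, "in", 1000),
    Flow("rtr1", 1, "10.0.1.20", "10.0.0.5", 6, 443, 51234, "out", 2500),
    Flow("rtr2", 3, "10.0.2.5", "10.0.3.20", 6, 40000, 443, "in", 9000),
]

ConvKey = Tuple[str, int, str, str, int, int, int, str]


def build_totals(flows: List[Flow]) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Totals table: in/out byte counts per (exporter, interface), computed
    from every flow before any conversation is dropped."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        totals[(f.exporter, f.interface)][f.direction] += f.nbytes
    return dict(totals)


def build_conversations(flows: List[Flow], max_conversations: int) -> Dict[ConvKey, int]:
    """Conversations table: aggregate by tuple, then keep only the top
    max_conversations by bytes per exporter; the rest are dropped."""
    agg: Dict[ConvKey, int] = defaultdict(int)
    for f in flows:
        agg[(f.exporter, f.interface, f.src, f.dst, f.proto,
             f.sport, f.dport, f.direction)] += f.nbytes
    kept: Dict[ConvKey, int] = {}
    for exporter in {k[0] for k in agg}:
        ranked = sorted(((k, b) for k, b in agg.items() if k[0] == exporter),
                        key=lambda kv: kv[1], reverse=True)
        kept.update(ranked[:max_conversations])
    return kept


def interface_report(totals, conversations, exporter, interface, direction, top=10):
    """Single-interface, no-filter report at 5 minute or higher intervals:
    top N rows from the Conversations table, 'Other' from the Totals table."""
    rows = sorted(((k, b) for k, b in conversations.items()
                   if k[0] == exporter and k[1] == interface and k[7] == direction),
                  key=lambda kv: kv[1], reverse=True)[:top]
    total = totals.get((exporter, interface), {"in": 0, "out": 0})[direction]
    other = total - sum(b for _, b in rows)
    return {"top": rows, "other": other, "total": total}


def conversations_only_total(conversations, exporter, interface, direction):
    """What a report sees when the Totals table is not used (e.g. multiple
    devices or a single-template filter): only the conversations that
    survived the roll-up, so utilization can be understated."""
    return sum(b for k, b in conversations.items()
               if k[0] == exporter and k[1] == interface and k[7] == direction)


if __name__ == "__main__":
    totals = build_totals(SAMPLE_FLOWS)
    convs = build_conversations(SAMPLE_FLOWS, max_conversations=3)
    rep = interface_report(totals, convs, "rtr1", 1, "in")
    print("total in:", rep["total"], "top rows:", sum(b for _, b in rep["top"]),
          "other:", rep["other"])
    print("conversations-only view:", conversations_only_total(convs, "rtr1", 1, "in"))
```

With Maximum Conversations set to 3, the conversations-only view of rtr1 interface 1 reports 12000 bytes inbound while the Totals table records 15000, and the outbound direction survives only in the Totals table.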


WARNING: If the flow device (e.g. router) is exporting multiple templates for different flows it is exporting, utilization could be overstated if the flows contain the same or nearly the same information. The front end of Scrutinizer will render reports using data from all templates with matching information. Be careful when exporting multiple templates from the same device! If you find this to be the case, use the filters to select a single template.

Report Designer

Overview

The Report Designer requires an Advanced Reporting license and is used to create new reports that are not part of the core reporting solution. It can be used against any flow template even when byte counts are not available. These new report types only appear on devices that are exporting the necessary elements in templates. The steps to design a new report are as follows:

1. Copy an existing report design or select 'New'.
2. Enter a name for the new report design.
3. Select a device that is exporting the template that is needed for the report.
4. Select an element in the template for the first column.
   1. Specify the column name.
   2. Specify the width. In most cases use 'Dynamic', as specifying pixels is generally used to cut off long element names.
   3. Specify the treatment. Don't confuse 'Count' with 'Sum'. Count counts the number of entries whereas Sum adds up the values. This option may lead to further drop down boxes.
   4. Rate vs. Total
      1. Rate: trend the data by rate per second. Total is not an option in the drop down box.
      2. Total: trend the data by total per interval. Rate is not an option in the drop down box.
      3. Rate (default) / Total: trend the data by rate per second. Total is an option in the drop down box.
      4. Rate / Total (default): trend the data by total per interval. Rate is an option in the drop down box.
   5. Stacked or Unstacked
      1. Stacked: trend the data as a stacked trend. Non Stacked is not an option in the drop down box.
      2. Non Stacked: trend the data as an unstacked trend. Stacked trend is not an option in the drop down box.
      3. Stacked (default) / Non Stacked: trend the data as a stacked trend. Non Stacked is an option in the drop down box.
      4. Stacked / Non Stacked (default): trend the data as an unstacked trend. Stacked trend is an option in the drop down box.

The new report will show up in the category Designed Reports when the device template(s) contain the elements necessary for the report. NOTE: The report will not work outside of one minute intervals if rollups are not being performed on the template in a format that is supportive of the report created.

Admin Tab

Overview

The Settings page is primarily left to the administrators.

Settings:

• Alarm Notifications: enable additional system alarms
• Alarm Settings: modify settings to optimize syslog and SMTP processing.
• CrossCheck: Specify the thresholds for changing color and the syslog threshold that the Fault Index must reach to trigger a syslog.
• Data History: Specify how long each flow interval is saved.
   • Historical 1 Min Avg: Saves 100% of all flows received. Make sure the server has enough disk space to save significant quantities of the raw flows. The 1 minute intervals consume the most disk space as they are not aggregated and flows are in raw format.
   • Historical 5 minute - 1 week Avg: These intervals only save the specified Maximum Conversations after aggregation per interval.
   • Maximum Conversations: Used when creating large intervals (e.g. 5 minute) from prior intervals (e.g. 1 minute). All flows are aggregated together per router. The top 10,000 (default) based on bytes are saved.
• Denika Connections: integration with Denika SNMP Performance Trender for SNMP details to represent link status.
• Email Server: Necessary for on demand and scheduled emailed reports. Make sure the test is successful.
• Flow Analytics: configure advanced algorithms (e.g. DDoS, Nefarious Activity, etc.)



• LDAP Credentials: The web interface has the capability of integrating with Microsoft Active Directory so that users can simply log in to the web interface by using their Windows domain authentication. When a user logs in for the first time, a new account is created in Scrutinizer and given “Guest” access by default. The Scrutinizer administrator can then grant that user further reaching capabilities if desired.

   Requirements for LDAP integration:

   1) The name or IP Address of the LDAP server
   2) An account with one of the following permissions to the LDAP server:
      a. Account Operators (must also be a member of “Distributed COM Users” for remote WMI Access)
      b. Administrators
      c. Domain Admins
      d. Enterprise Admins
   3) The account chosen must have WMI Read access to \root\Directory\LDAP

   Instructions to Integrate Scrutinizer with LDAP: There is a wizard utility which makes the process easier. To activate the LDAP configuration wizard:

   1) Open a command prompt on the server
   2) Change directories to the \scrutinizer\bin\ directory
   3) Run “scrut_util -ldapwizard” and follow the instructions
   4) Enter the IP or Hostname of the LDAP server
   5) Enter the LDAP Binding Account Username
   6) Enter the LDAP Binding Account Password, then verify by retyping
   7) Is it configured to use LDAPS or LDAP over SSL? Answer “y” or “n”
   8) If successful, the wizard returns LDAP configurations that will be saved to the database. The next step is to use a typical account to test connectivity
   9) Enter a Username of an LDAP account that will be used to log into the Scrutinizer Web Interface
   10) Enter a password and then verify by retyping
   11) If successful, the wizard will display the success of the connection and update the configuration

   Users should now be able to log in to the web interface with their LDAP account. If unsuccessful, contact support.

• Licensing: Enter the license key for Flow Analytics and/or the Multi-Tenancy module
   • Flow Analytics
   • Mailinizer
   • Multi-Tenancy Module
• Mapping Configuration: Customization for both Flash and Google maps (e.g. connections, text boxes, etc.). Learn more about mapping.
• Mobile IAM: Specify the settings on how to attach to the Enterasys Mobile IAM authentication server.
• Proxy Configuration: Set up the server to work with a proxy server
• Syslog Notifications: Configure the syslog server, port and priority
• System Preferences: Other options

Definitions:

• 3rd Party Integration: Create links to 3rd party applications and pass variables in URLs
• Applications: Set up and modify applications using ranges of ports and IP addresses. This feature is useful for properly labeling in house applications.
• Autonomous Systems: Set up and modify the Autonomous Systems that are shipped with the software.
• Device Details: Displays the SNMP details of the devices sending flows. Allows custom device and interface names to be defined which override the defaults. Notice that in and out speeds can be configured.
• Host Names: Set up and modify known hosts. Use this option to statically assign host names to IP addresses that will not age out. It can also be used to label subnets in the Subnet report types. There are three Resolve DNS options:
   1. Current - has been resolved, or resolution has already been attempted (will expire in whatever number of days is set in the serverprefs)
   2. Queued - ready to be resolved by the resolver. The user can set it to Queued to force a DNS resolve again on the host.
   3. Never - a permanent address that was manually added by the user. Users can make names permanent by switching this to Never. It's not purged.
• IP Groups: Define ranges of IP addresses that belong in a specific group (e.g. Marketing, Sales, phones, etc.). Run a report on an interface to see the IP Group reports.
• Languages: use this interface to update languages or create new translations.
• Manage Exporters: Details on the devices sending flows. Options include:

   • Listener Ports are listed in the top left: 2055, 2056, 4432, 4739, 6343, 9991, 9994, 9995, 9996. These ports change color:
      • Green: all devices sending flows on that port are active and sending flows. Click on the port to view the vitals.
      • Yellow: one or more devices has recently stopped sending flows. Click on the port to view the vitals.
      • Red: all devices once sending to this port have stopped. Click on the port to view the vitals.
   • Per Device:
      • Delete: This check box can be used to remove the device from the Status tab device tree. The device will be rediscovered immediately if the collector is still receiving flows from the device. Also, templates and interfaces from devices that stop sending flows are aged out.
      • Icons:
         • Status: tells if the device is currently receiving flows (i.e. green) or not receiving flows (i.e. red).
         • Device Details: click to view the Device Details.
         • Configure NetFlow Via SNMP: Use the wizard to re-configure the NetFlow exporting on the device.
         • Current protocol exclusions: Specify which protocols will be dropped for the collector, the selected device, or the selected interface on a selected device. Visit the Device View for more details and to learn about Protocol Exclusions per device/interface.
      • Click on the edit icon to modify the default name used for the device.
      • Credentials: Select a community string to use on this device.
      • Status: Modify status from Active (accept flows) to Inactive (drop all flows from device). NOTE: the flows are still being received but are being ignored by Scrutinizer (i.e. not saved).
      • Update SNMP: force an immediate SNMP query for Device Details. Checking this off ensures that the Device Details will be updated every night automatically.



• MIB Import: Manage SNMP MIB files that have been compiled for SNMP traps
• Notification Manager: Configure notifications to be applied to Policies in the Alarms tab
• Policy Manager: List all of the Policies that are configured for the Alarms Tab
• SNMP Credentials: Configure the SNMP Credentials used on each flow exporter. SNMP v1, v2 and v3 are supported.
• Type of Service (ToS): Configure the ToS and DSCP values displayed in the reports. Be sure to define the "ToS Family" under System Preferences.
• Well Known Ports: define port names. In the Well Known Ports report, the following logic is used:
   • Determine which port is lower, the source port or the destination port.
   • If the source port is lower and defined, use it as the well known port;
   • else, use the destination port if it is defined as a well known port;
   • else, display the lower port as the well known port.

Security:

• User Groups: Specifies what a Group login account can access. Limited to 10 Group accounts without a Multi-Tenancy license key. Some permissions require further explanation:
   • Device Status: Grants permission to see the status of the device (i.e. Flow exporter). Device icons appear blue in maps if the “Device Group” permission is granted without this permission. Mailinizer devices show up here.
   • Interface Statistics: Grants permission to see the statistics of an interface. Mailinizer does not show up here.
   • Device Groups: Grants permission to see a Group (i.e. map). Devices (i.e. Flow Exporters) appear blue and interfaces black unless permission is granted in “Device Status” and “Interface Statistics”.
• User Accounts: Configure login preferences for individual accounts. User Accounts must be a member of one or more User Groups. By default, they are placed in a default (e.g. Guest) User Group. Permissions are inherited from all User Groups a User Account is a member of.

Reports:

• Report Folders: Manage Saved Report Folders found in the Status tab under saved reports. Notice the Membership drop down box:
   • Folders: Select a folder and add or remove reports from it.
   • Reports: Select a report and add or remove folders it can be found in.
• Scheduled Reports: Manage Scheduled Reports, delete, etc.
• Top Saved Syslogs: The top devices sending syslogs.
• Top Syslog Orphans: The top devices sending syslogs that don't match policies.
• Vitals: View vital information on how well the server is handling the NetFlow and sFlow volume. More details can be found in the Vitals Tab.

NetFlow Help:

• Activating NetFlow, J-Flow, sFlow, NetStream, IPFIX, etc.

SNMP Device View

Using this interface, selected interfaces can be hidden from the reporting GUI. The SNMP community string used to communicate with the device can be altered. Notice at the top: there is a drop down box with all the flow sending devices. Under the devices is a drop down box to select the SNMP community string/credential for the selected device. Next to the community string is a check box for SNMP Enabled. If SNMP Enabled is checked, the Watcher Service will attempt to poll and update SNMP information for the device. By default, the automatic SNMP discovery occurs once a night. The user can disable the automatic SNMP capability by unchecking "Auto SNMP Update" from the Admin Tab, Settings -> System Preferences. There are several columns displayed for each interface on the NetFlow capable router/switch. Some of them include:

• Instance
• Custom Description: A custom interface name can be entered.
• ifAlias
• ifName
• ifDescr
• ifSpeed: Custom speeds can be specified both inBound and outBound per interface.
• Direction: tells us if NetFlow is collected INGRESS, EGRESS or BOTH on this interface.

Scrutinizer will attempt to build the drop down boxes based on whether or not the following information is available, in this order:

• Instance and Custom Name
• Instance, ifAlias and ifDescr
• Instance, ifDescr and ifName
• Instance and ifDescr
• Instance

This interface relies on devices that support the SNMP standard MIB II. SNMP Enterprise MIBs may require 3rd party software or customized scripts to correlate the enterprise instances to match the MIB II instances. If SNMP is not available, the collector will look for an interface names option template. Some vendors export an interface names option template using NetFlow or IPFIX. This option template contains the names of the interfaces. In Cisco IOS v 12.4(2)T or greater, the command is:

   Router(config)# ip flow-export interface-names

SonicWALL and other vendors export a similar options template. If the Custom Description is filled in, it will override the use of the SNMP descriptions. This is also true when the Custom (Mb) is filled in: it will override the use of the SNMP ifSpeed. Enter a 0 in the Custom (Bits) ifSpeed to force the Status tab to display the interface in bits in lieu of % utilization. If any updates are applied to a router or switch, be sure to go back to the device interface and run an update by clicking on the Update button; otherwise, the default evening update will take effect.

Direction: Displays how the flows are collected and reported on for the interface. Values are INGRESS, EGRESS or BOTH and are not updated until the collector is restarted. If Direction is unset ('-'), this means NetFlow is not exporting for this interface. If the interface row is white then the interface number and traffic values are inferred from NetFlow exported from another interface. If the interface row is gray then the interface number was discovered via SNMP and there will be no traffic values.

Protocol Exclusions are performed to avoid traffic being counted twice on a given interface. Generally over reporting is caused by VPN or tunnel traffic. Exclusions can be made per exporter (e.g. router, switch, etc.) or per interface per exporter. They can also be excluded globally across all exporters. Click on the (-) icon to launch the Protocol Exclusions modal.

VERY IMPORTANT: By default, the flow collector nightly SNMP polls the switches and routers it is receiving flows from. This software was engineered to be a passive collection tool with minimal SNMP requirements. The best way to update the SNMP information, including the information on the interfaces, is to click on the "Update" button. NetFlow v9 option templates can be used in place of SNMP to gather interface names and speeds.

Individual Exporters

Overview

When clicking on a port number (e.g. 2055, 6343, etc.) in the Vitals report, the total Datagrams, Flows and MFSN (Missed Flow Sequence Numbers) are displayed. This is the aggregate for all flow devices exporting on this port.

Click on one of the three trends to view the daily, weekly, monthly and yearly trends. The statistics for the port (e.g. 2055) are displayed. Statistics include Datagrams, Flows and MFSN for each exporter sending on the selected port. When navigating to this page by clicking on Flow version from the Status tab, only the 3 reports (i.e. Datagrams, Flows and MFSN) are displayed for the selected device.

Sometimes values like MFSN will show up as 10m or 400m. To get the dropped flows per second, divide the value by 1000ms. A value of 400m is .4 of a second. 1 / .4 = 2.5 seconds. A flow is dropped every 2.5 seconds, or 120 (i.e. 300 seconds / 2.5) dropped flows in the 5 minute interval displayed in the trend. NOTE: there can be as many as 30 flows per NetFlow v5 datagram and up to 24 flows per NetFlow v9 datagram. With sFlow, as few as 1 sample (i.e. flow) or greater than 10 samples can be sent per datagram.

Vitals Main View

Overview

The Vitals page provides insight on the health of the server that is receiving the flows (e.g. CPU, Memory usage, Hard drive space available, etc.).

• CPU: Average CPU utilization for the computer the NetFlow Collector is installed on.
• Avail Mem: Available Memory displays how much memory is being consumed by all programs on the computer. It is not specific to NetFlows being captured.
   • NOTE: The flow collector will continue to grab memory depending on the size of the memory bucket it requires to save data and it will not shrink unless the machine is rebooted. This is not a memory leak.
• Avail HDD: Available Hard Drive displays the amount of disk space that is available. After an initial period of a few weeks/months, this should stabilize providing that the volume of NetFlow stays about the same. This statistic is best viewed by clicking on the trend. A historical report will pop up providing a better idea of how long the disk storage will hold out.
• Datagrams: Average Datagrams per second in a 5 minute interval trend.
• Flows: Average Flows per second in a 5 minute interval trend. This is a measure of the number of conversations being observed. Each NetFlow packet (i.e. UDP datagram) sent can contain information on as many as 30 flows.
• MFSN: Missed Flow Sequence Numbers. This is an aggregate across all flow sending devices. At the top of the page, click on individual ports to get an MFSN report per listening port and per device exporting flows.
• Syslogs Received: The average number of syslogs received per second.
• Syslogs Processed: The average number of syslogs processed per second.
• Connections: Tracks the number of connections that are being opened on the MySQL server. Excessive connections result in reduced performance. NOTE: other applications sharing the same MySQL server will cause this number to increase.
• DB Queries: Tracks the number of queries made to MySQL. More queries indicate a heavier load on the MySQL server. Generally there will be spikes at intervals of 5 minutes, 30 minutes, 2 hours, 12 hours, etc. This indicates the rolling up of statistics done by the stored procedures. This vital is important to watch if the NetFlow collector is sharing the MySQL server with other applications.
• KRR: Key Read Requests - The number of requests to read a key block from the cache. A high number of requests means the server is busy.
• KWR: Key Write Requests - The number of requests to write a key block to the cache. A high number of requests means the server is busy.
• Cached Queries: The query cache stores the select query and the resulting data that was sent to the client. If an identical statement is received later, the server retrieves the results from the query cache rather than requesting the data again from the database. The query cache is shared across all database connections, which means the results generated by one connection can be utilized by another connection. For more information, please reference the MySQL Documentation.
• Cached Memory: The total amount of memory available to query caching. Contact support if you find that your query cache is presently under 1 MB. For more information, please reference the MySQL Documentation.
• Threads: Threads are useful to help pass data back and forth between Scrutinizer and the database engine. The MySQL Server currently manages whether or not to utilize the configured amount of threads. For more information, please reference the MySQL Documentation.
• KBU: Key Buffers Used - indicates how much of the allocated key buffers are being utilized. If this vital begins to consistently hit 100%, it indicates that there is not enough memory allocated. Scrutinizer will compensate by utilizing swap on the disk. This can cause additional delay retrieving data due to increased disk I/O. On larger implementations, this can cause performance to degrade quickly. Users can adjust the amount of memory allocated to the key buffers by modifying the \scrutinizer\mysql\my.ini file and adjusting the key_buffer_size setting. A general rule of thumb is to allocate as much RAM to the key buffer as you can, up to a maximum of 25% of system RAM (e.g. 1GB on a 4GB system). This is about the ideal setting for systems that read heavily from keys. If you allocate too much memory, you risk seeing further degradation of performance because the system has to use virtual memory for the key buffer.

Listener Ports

The flow collector can listen on multiple ports simultaneously. The defaults are 2055, 2056, 4432, 4739, 9995, 9996 and 6343; however, more can be added. Click on the different listener ports to view the total packet rate per port. Click on any trend for a daily, weekly, monthly and yearly trend.

Flow Analytics

Flow Analytics Overview

Flow Analytics (i.e. FA) is the commercial add-on to Scrutinizer. FA brings the following additional features to Scrutinizer:

• Functions as a Network Behavior Analysis system by constantly monitoring all flows for behaviors that could be compromising the health of the network (network scans, illegal applications, P2P, etc.). It interrogates every flow from every host from selected flow exporting devices for suspicious patterns and anomalies. All flows across selected flow sending devices are monitored at all times.

• Performs the NetFlow aggregations so that data can be saved beyond 24 hours. Scrutinizer drops data every night just after midnight. Flow Analytics (FA) does the archiving for Scrutinizer.

• Numerous additional reports that provide more detailed information on the flows received.

• DNS is run constantly to help with performance in the front end. Without Flow Analytics, Scrutinizer performs DNS resolutions as needed. DNS entries will age out as configured in the Admin tab -> Settings -> System Preferences. This feature will place additional load on the server. Be careful when enabling it.

• Performs threshold watches for saved reports. FA can monitor for nearly any combination of flow characteristics and export a syslog if a match or a high/low threshold is reached.

Contact your vendor for the "NetFlow Challenge" document which outlines what is and isn't free.

FA Navigation

The navigation for FA is via gadgets in the Dashboard tab. The primary gadget "Flow Analytics Configuration" should be added to Dashboard.

• At the top, it displays the overall time to run all algorithms and the total count of violations across all algorithms.

• Name: This is the name of the algorithm that is checking for abnormal behaviors.

• Time: This is the amount of time the algorithm takes to run across all selected routers/switches.

• Count: This is the number of violations found the last time the algorithm ran. Click on the trend to view graphs for longer time periods.

• Time exceeded: Algorithms that exceed the configured run time will be cancelled.

Algorithms and Gadgets

FA Algorithms may or may not include gadgets. Some algorithms are enabled by default. Others need to have selected flow exporting devices added to them. A few algorithms need to have thresholds configured or modified from the defaults. FA Gadgets that can be added to Dashboard:

• Custom Filters: Saved reports that are run constantly and compared to acceptable thresholds.

• Exclude Hosts: Exclude hosts from selected algorithms to help prevent false positives. Some hosts will constantly violate the threshold of certain algorithms. This interface helps prevent false positive alarms by allowing selected hosts (i.e. IP addresses) to be excluded from violating one or more algorithms. The "Exclude Hosts" gadget 'scrut_fa_exclusions.cgi' is not necessary in Dashboard as it is best utilized as a popup.

Dell SonicWALL Scrutinizer 10.1 Admin Guide



• Flow Analytics Configuration: The overall status of all algorithms and the total runtime and count of violations across all algorithms. Algorithms can be ordered alphabetically or by order of execution. LEDs in this gadget are as follows (refresh the gadget in the upper right corner):

o Yellow - incomplete run (time limit caused the algorithm not to run during the last cycle)

o Light Green - successfully completed on the last run

o Gray - disabled

o Trend - actively executing the algorithm

o Dark Green - successfully completed on the current run



• Flow Analytics Run Time Thresholds: The time given to each algorithm to run. Some algorithms need more time to run depending on the number of flow exporting devices included.

• Network Volume: The scale of the traffic traversing the core network. It lists the volume of unique traffic on the network for the last 5 minutes vs. the last 30 hours. Only include a few core routers/switches.

• Select Flow Devices: Select the flow exporting devices that each algorithm will run against. Enter text and click 'Filter' to find specific devices. Click the 'Clear' button to remove the filter and display all devices. Some algorithms are run against all tables created by flow exporting devices while others are only run against one or two tables (e.g. routers). The "Select Flow Devices" gadget 'scrut_fa_devices.cgi' can be added to Dashboard; however, it is not necessary because it is best utilized as a popup.

• Top Subnets and IP Violation: Define the subnets allowed on the network and Scrutinizer will notify for any flow that occurs outside of these ranges. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Threats Overview: Gives Network Administrators an idea of the frequency with which each Flow Analytics algorithm is being violated. The colors indicate the frequency within each time interval: Last 5 min, Last Hour and All.

• Top Applications: Top Applications on the network. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Top Conversations: Top Conversations across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Top Countries: Top Countries across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Top Domains: Top Domains across selected flow exporting devices.

• Top Flows: Top Flow sending end systems across selected flow exporting devices.

• Top Hosts: Top Hosts sending data across selected flow exporting devices. It is also responsible for executing the Unfinished Flows Violation algorithm. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Top Networks: Top IP Subnets across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Top Protocols: Top Transport Layer Protocols across selected flow exporting devices. Alarms trigger for protocols that appear that haven't been approved. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Top Well Known Ports: Top ports, be they the source or destination port.

NOTE: Some algorithms should only be run against core routers/switches. Watch the Flow Analytics Overall Status gadgets for algorithms that need more time to run.


Setting Up Flow Analytics (FA)

FA algorithms run sequentially. By default, they do not run against any NetFlow exporters until the NetFlow exporters are added to the selected algorithms. To add routers to an algorithm, visit Dashboard > Configure Flow Analytics > Flow Analytics Configuration (Gadget):

• Click on the + icon at the top for "Flow Analytics Overall Status" and uncheck "Disable all". A license key is necessary for evaluation.

• Expand an algorithm by clicking on the + icon.

• Uncheck Disable.

• Click on the number (e.g. 0) below the blue router icon. This will bring up the "Devices in Flow Analytics" gadget, which is also displayed on this page. See IMPORTANT NOTES below.

• Click on the number (e.g. 0) below the two people icon. This will bring up the "Flow Analytics Exclusions" gadget, which is also displayed on this page. Use this window to add hosts to be excluded from selected algorithms. It is generally easier to add them from the Alarms tab once they violate an alarm.

• Continue selecting algorithms and adding NetFlow exporters as outlined below.

IMPORTANT NOTES:

• All algorithms are intended to be run against non-internet border routers (i.e. internal NetFlow exporters).

• Add only a few routers to a few algorithms initially and start off slowly. Pay attention to the Vitals of the server. After 15-30 minutes add a few more routers to selected algorithms and slowly ramp up the FA deployment.

• FA has only 300 seconds (i.e. 5 minutes) to finish all enabled algorithms. If it can't finish in 300 seconds, it will stop where it is and start over. All algorithms must finish within 5 minutes as the process repeats every 5 minutes. Optimize performance by paying attention to the Time each algorithm takes to run as well as the overall time shown at the very top of the Flow Analytics Configuration gadget.

FA Algorithms that don't include Gadgets

Be sure to exclude certain hosts from select algorithms to avoid false positives. This can easily be done from the Alarms tab as well by clicking on the host. The interface will prompt for the exclude confirmation.

• Breach Attempts Violation: Looks for many small flows from one source to one destination. This can indicate things such as a brute force password attack. A typical scenario would be a dictionary attack on an SSH server. The default threshold is 100. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Custom Reports Thresholds: Any saved reports that have an inbound threshold are executed sequentially by this algorithm. Clicking on the name of this algorithm in the Flow Analytics Overview gadget will launch the Custom Filters gadget.

• DDoS Violation: Identifies a Distributed Denial of Service attack such as those that can be launched by a botnet. Visit Admin -> Settings -> Flow Analytics to set the threshold.

• DNS Violation: Alerts when a host initiates an excessive number of DNS queries. This can help to identify hosts that may be infected with a mailer worm or have other issues that require an inordinate number of DNS lookups. The default threshold is 100.

• FIN Scan: The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshake. The default threshold is 100 and the minimum that can be set is 20.




• ICMP Destination Unreachable: This is a message that comes back from the router to the requesting host stating that it doesn't have a route to the destination network of the target host. The default threshold is 100 and the minimum that can be set is 20.

• ICMP Port Unreachable Algorithm: This is a message that comes back from the destination server stating that it will not open communication on the specified port requested by the host. The default threshold is 100 and the minimum that can be set is 20.

• Internet Threats: This algorithm goes out to an Internet site every hour and downloads an updated list of known hosts that end systems on the network should not be communicating with. Typically this is a list of compromised hosts that have a reputation for sending nefarious traffic. This list is updated by several Internet Service Providers. The default threshold minimum that can be set is 1. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

• Multicast Traffic Violation: Any multicast traffic that exceeds the threshold and isn't excluded will violate this algorithm. The default threshold is 1,000,000 and the minimum that can be set is 100,000.

• Nefarious Activity Violation: Looks for hosts communicating with many hosts with a low number of flows each. An example would be a port 80 scan of an entire subnet. Visit Admin -> Settings -> Flow Analytics to set the threshold.

• NULL Scan: The null scan turns off all flags, creating a lack of TCP flags that should never occur.

• Peer to Peer: P2P (including BitTorrent) connections are monitored by this algorithm. The default threshold is 100 and the minimum that can be set is 100.

• RST/ACK: RST/ACK packets are connection denials that come back from destinations to the originating hosts. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20. Print servers can cause false positives with this algorithm and often need to be excluded.

• SYN scan/flood: SYN packets are sent out in an attempt to make a network connection with a target host. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20.

• Unfinished Flows Violation: Executed by the Top Flows algorithm, this helps identify hosts that have a high percentage of unfinished flows. This indicates scanning, malware or poorly configured applications on a host. The default threshold is 100 and a minimum threshold can also be configured. Visit Admin -> Settings -> Flow Analytics to set the threshold.

• XMAS Tree scan: The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

IMPORTANT NOTE: Hosts can easily be excluded from certain algorithms by clicking on the IP address in the Alarms tab. This will pop up the Exclude Hosts table, where the IP address can then be excluded from other algorithms as well.
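The scan and Breach Attempts algorithms above are threshold counts over flow records. Below is an added example that is not Scrutinizer or Plixer code: it classifies constructed NetFlow-style records by the tcpFlags byte (NULL, FIN, XMAS, SYN, RST/ACK), counts small flows per source/destination pair for the Breach Attempts check, applies the manual's default threshold of 100, and honours an exclusion list the way the Exclude Hosts table does. The record fields, the sample hosts and the per-source counting are assumptions made for illustration.

```python
"""Flow-analytics style checks over constructed NetFlow-like records.

Added example; not Scrutinizer or Plixer code. The record layout (dicts with
src, dst, dport, proto, flags, packets), the sample hosts and the idea of
counting matching flows per source host are assumptions for illustration.
"""
from collections import Counter

# TCP flag bits as carried in the NetFlow v5/v9 tcpFlags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = URG | PSH | FIN  # 0x29 == 0b00101001, the "Xmas tree" flag byte

# Default thresholds given in the manual (matching flows per run).
THRESHOLDS = {
    "NULL scan": 100,
    "FIN scan": 100,
    "XMAS Tree scan": 100,
    "SYN scan/flood": 100,
    "RST/ACK": 100,
    "Breach Attempts": 100,
}


def classify_flags(tcp_flags):
    """Return the scan category a tcpFlags byte counts toward, else None."""
    if tcp_flags == 0:
        return "NULL scan"          # no flags at all, which never occurs legitimately
    if tcp_flags == FIN:
        return "FIN scan"           # FIN without a preceding handshake
    if tcp_flags == XMAS:
        return "XMAS Tree scan"     # URG, PSH and FIN set together
    if tcp_flags == SYN:
        return "SYN scan/flood"     # bare SYN that was never completed
    if tcp_flags == RST | ACK:
        return "RST/ACK"            # connection denial from the destination
    return None


def evaluate(flows, thresholds=THRESHOLDS, excluded=frozenset()):
    """Return {(algorithm, subject): count} for subjects over threshold.

    Scan categories are counted per source host; Breach Attempts counts
    small flows (3 packets or fewer) per "src->dst" pair. Hosts in
    `excluded` are skipped for every algorithm, like the Exclude Hosts table.
    """
    scan_counts = Counter()
    small_flows = Counter()
    for f in flows:
        if f["src"] in excluded:
            continue
        if f["proto"] == 6:  # TCP only; the flag byte is meaningless otherwise
            category = classify_flags(f["flags"])
            if category:
                scan_counts[(category, f["src"])] += 1
        if f["packets"] <= 3:
            small_flows[("Breach Attempts", f"{f['src']}->{f['dst']}")] += 1
    violations = {}
    for key, n in list(scan_counts.items()) + list(small_flows.items()):
        if n >= thresholds[key[0]]:
            violations[key] = n
    return violations


def sample_flows():
    """Constructed sample records; not captured from a real network."""
    flows = []
    # One host sending a single Xmas-flagged frame to 120 different targets.
    for i in range(120):
        flows.append(dict(src="10.1.1.50", dst=f"10.1.2.{i + 1}", dport=80,
                          proto=6, flags=XMAS, packets=1))
    # 150 short, completed connections to one SSH server: a dictionary attack.
    for _ in range(150):
        flows.append(dict(src="10.1.1.60", dst="10.1.1.22", dport=22,
                          proto=6, flags=SYN | ACK | PSH | FIN, packets=3))
    # A handful of NULL-flag frames, below the threshold.
    for _ in range(5):
        flows.append(dict(src="10.1.1.70", dst="10.1.1.22", dport=443,
                          proto=6, flags=0, packets=1))
    # A print server answering probes with RST/ACK: a known false positive.
    for _ in range(200):
        flows.append(dict(src="10.1.1.90", dst="10.1.1.5", dport=9100,
                          proto=6, flags=RST | ACK, packets=1))
    return flows


def run_example():
    """Evaluate the sample with the print server excluded."""
    return evaluate(sample_flows(), excluded={"10.1.1.90"})


if __name__ == "__main__":
    for (algorithm, subject), count in sorted(run_example().items()):
        print(f"{algorithm:16} {subject:24} {count}")
```

Running it reports the XMAS scanner (120 flows) and the SSH breach attempt (150 small flows); the NULL frames stay under threshold and the excluded print server produces nothing.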

Optimizing FA

Flow Analytics can be optimized in several different ways:

1. Modify the number of flow exporting devices included in the algorithm.
2. Disable selected algorithms.
3. Utilize a second or third copy of Scrutinizer with FA.
4. Contact your vendor to learn about the minimum hardware requirements.

Flow Hopper

Flow Hopper provides end-to-end visibility into the path a flow took through the network on a router hop-by-hop basis. Because multiple paths exist between devices, leveraging traceroute or routed topology information may not provide the exact path taken by an end-to-end flow. Flow Hopper displays the correct path at the time of the flow. This solution requires that most, if not all, of the flow exporting devices in the path be exporting NetFlow v5 or more recent to the collector. This feature requires next-hop routing information as well as read-only SNMPv2 or v3 access to the router. If Flow Hopper determines that an asymmetric flow path exists (i.e. a different route is taken on the return path), the GUI will draw the connection accordingly. Admins can click on each router or layer 3 switch in the path and view all details exported in the flow template. Changes in element values (e.g. DSCP, TTL, octets, etc.) between ingress and egress metered flows are highlighted. This feature requires a Flow Analytics license key.

System

404 Error

We are sorry, the page you requested cannot be found. Please contact support directly for more information about your query.

500 Error

Internal Server Error: Please contact support.

Access Denied

The Administrator has denied your user account from accessing this tool.

Database Connection Failure

Overview

The system is having trouble connecting to the database. Please contact support directly for more information about your query.

Distributed Collectors

Overview

Scrutinizer supports a distributed architecture where several servers can collect and report on flows received locally and simultaneously display data from all collectors. One or all collectors can act as and display the Central Interface.

Central Interface

The distributed architecture provides a central interface via MyView to view all interfaces from several separate NetFlow & sFlow collectors.

• Navigate to the MyView tab and create a new MyView, then give it a name (e.g. Central View).

• On the right hand side of the page, click on the (+) icon and a menu will appear.

• Click on the icon at the top to the right of the drop down menu.

• Enter a Title (e.g. Server 1).

• Take the default Height and Width. These can be adjusted later in the dashboard.

• Enter the URL:

o http://10.10.10.10/statusGadget.html?type=ti&limit=10&percent=1

o http://10.10.10.10/statusGadget.html?type=ti&limit=10

You can also pass authentication:

o http://10.10.10.10/statusGadget.html?type=ti&limit=10&percent=1&user=&pass=

o http://10.10.10.10/statusGadget.html?type=ti&limit=10&user=&pass=

To fit more gadgets into view without scrolling, increase your screen resolution or display settings to 1440 x 900 or greater.

Flowalyzer

Flowalyzer is a free NetFlow and sFlow Tool Kit (TM) for testing flow technologies. This utility has several tabs, each with a unique function:

• Listener: The Listener is used to determine whether or not NetFlow or sFlow is being received and what ports they are being received on. Any application currently listening on the same port as Flowalyzer will cause conflicts. Conflicting applications must stop using the ports Flowalyzer is trying to listen on.

• Generator: The Generator is used to send NetFlow packets with specified flows. Up to 30 flows can be sent with NetFlow version 5 or up to 24 flows with NetFlow version 9 and IPFIX. If a range of bytes and packets is specified, Flowalyzer will randomly assign these values between the ranges specified in each flow packet sent out. The Flow Time range can also be randomized. Reference the NetFlow v5 format or read RFC 3954 to learn more about NetFlow v9. You can also read the Charter on IPFIX.

• Configuration: The Configurator is used to configure NetFlow v5 and v9 on Cisco routers or NetFlow v9 on Enterasys hardware (switches and routers).

• Communicator: The Communicator is used to ping destination hosts with specified ports using ICMP, TCP or UDP. It can also perform trace routes.

• Poller: Polls devices found in Scrutinizer, or devices can be manually added. The availability and response time for each device polled is sent off to the flow collector in IPFIX datagrams.

• Trender: Polls devices for SNMP counters and trends the values returned.

The Flowalyzer page can provide additional information on this free NetFlow and sFlow testing utility. This utility is fully compatible with most NetFlow and sFlow reporting tools.

Installing Adobe Flash

Overview

Scrutinizer requires that the correct version of Adobe Flash Player for the server's OS (e.g. Windows 2008) be installed on the Scrutinizer server itself (i.e. not just the end user browser). IMPORTANT: Download and install the Flash Player (e.g. 10) for Windows Other Browsers. The Windows Internet Explorer version will not work! The Other Browsers version is required even if other browsers are not installed on the server (e.g. Firefox, Safari, Opera, etc.). Here is the download URL. This must be done because the server converts the Flash graphs to .jpg files for emailed reports.

Language Translations

Overview

This software can be translated to another language. To translate or localize Scrutinizer to another language, navigate as follows:

1. Admin Tab -> Definitions -> Language
2. Select a language and make updates. Notice the pagination at the bottom; there are well over 1000 translations.
3. Languages are saved as ~scrutinizer/files/localize_LANGUAGENAMEHERE.xls
4. Contact support and they will create a file that can be imported into Scrutinizer to support your language.

Scrut_util

Overview

In the \scrutinizer\bin\ directory there is a command line utility used for many advanced administrative tasks. The executable is called scrut_util.exe. Here is a list of available command line arguments (e.g. scrut_util -checkversion):

-appgroups_conflict_check
    Checks to see if there are any existing application group conflicts.

-checkversion
    Checks to see if there is a newer version of Scrutinizer.

-cleanall
    Runs all maintenance tasks in one easy command.

-clean_bulletin_board
    Removes bulletin board events older than the number of days specified in Admin -> Settings -> Logalot.

-clean_orphans
    Removes orphaned alarm events older than the number of days specified in Admin -> Settings -> Logalot.

-clean_scheduled_reports
    Expires Logalot alarm reports flagged for expiration.

-collect_summary_stats
    Collects and generates event summary data reports.

-create_logalot_history
    Manually checks and creates (if necessary) Logalot history tables.

-db_clean
    Removes any temporary databases created by the graphing engine. Executing it will perform an on demand clean up. By default, it is a scheduled event.

-dbconnect [DB_SERVER] [DB_TCP_PORT] [DB_USER] [DB_PASSWORD]
    Changes the way Scrutinizer connects to a MySQL database, whether local or remote. Note the [DB_USER] must exist and be capable of remote connection. This command assumes that your plixer database has already been migrated to the new database server. To specify no password, use "" as the password.

-delete_all_orphans
    Use this command to remove all orphaned alarm events.

-dnscachedump [all]
    Expires entries in the DNS Cache that are older than X days as specified in the server preferences. If all is included, then it will empty the entire cache regardless of expiry.

-expire_history
    Expires historical data as specified in the server preferences.

-expire_logalot_history_info
    Expires Logalot alarm history flagged as INFO events as specified in the server preferences.

-expire_logalot_history
    Expires Logalot alarm history from table as specified in the server preferences.

-fixNBAR
    Renames NBAR_APPLCATION_ID to applicationTag per draft-claise-export-application-info-in-ipfix-03. This needs to be run after a 9.0 upgrade for NBAR reports to work with historical data.

-fix_priority_order
    With some professional services and automated policy creation, some policy IDs have been known to get out of whack (or duplicated). This tool will make sure the priority order is correctly stored.

-fix_tables
    Alters history tables that were created with an incorrectly sized octetDeltaCount.

-flowalarms [Thresholds|DevFlow|Diskspace|AvailMem]
    Checks for general conditions and anomalies caused by the flow data currently received from Scrutinizer. The options list defines which details to check. No list indicates all reports. To customize the list, comma delimit the report parameters. Do not put spaces between commas.

-get_miam
    Collects Enterasys Mobile IAM data and caches it locally. Server settings are specified under Admin -> Settings -> Mobile IAM.

-hostimport
    Imports a host file (hosts.txt) into Scrutinizer's host tables. The host file can contain IPv4 and IPv6 addresses. The host file MUST be placed in the \files\ directory, e.g. c:\program files\scrutinizer\files\hosts.txt. Host descriptions are not required. Example of a hosts file:

    IP            Hostname      Host Description
    192.168.1.1   example.com   This is an example entry
    172.16.2.1    Mike-PC       Another example

-hostmigrate
    Imports CUSTOM host information from v7 into v8. This DOES NOT bring over hostnames resolved automatically by the DNS resolver service.

-hwsummary [SHOW]
    Creates a hardware summary of the Scrutinizer server that is used for vitals. By default, this event is automatically executed routinely. If the optional parameter SHOW is used, the profile will be printed to the screen.

-ifinfo_clean
    Purges all entries in the plixer.ifinfo table that are not in the plixer.activeif table. We keep ifinfo entries so that custom port speed and interface descriptions will not be lost when a device stops exporting flows. Running this option will help with the performance of the Multi-Tenancy Module interface permissions interface.

-ifpurge
    Deletes information for interfaces that are no longer sending flows. If any interface removed had a custom description or port speed, it will need to be customized again if the interface resumes sending flows. Typically, interfaces that have not sent flows in over 24 hours will fall into this category.

-inactiveFlowDrop
    Expires interfaces from the interface view that have stopped sending flows. Entries are expired based on the number of hours specified in the Scrutinizer Server Preferences (Settings -> Server Preferences).

-interfaces [all|cisco|huawei|sonicwall]
    Tries alternative methods to retrieve interface descriptions. For Cisco and SonicWALL that means using NetFlow data. For Huawei, that means using SNMP and referencing their vendor specific MIBs.

-ldap [USERNAME] [PASSWORD]
    Tests an LDAP connection based on the LDAP credentials configured via the front end. This command line is intended as a test only. Required params are the user name and password. If the password is blank, pass a "".

-ldapwizard
    Use this wizard to guide you through the steps to configure LDAP or LDAPS authentication.

-install [HOMEDIR]
    Executes the install or upgrade procedure. This should only be executed with the assistance of Plixer Support.
-localize [LANGUAGE_NAME]
    The LANGUAGE_NAME parameter is required. If the language exists, then it will create a CSV that shows the English and LANGUAGE_NAME keys. If the language does not exist, a blank template will be created.

-maint [OPTION] [DB] [PWD]
    Valid options are ANALYZE, CHECK, OPTIMIZE, and REPAIR; the database (DB) to perform the desired action on; and the root password of the database. If PWD is blank, pass a double quote (i.e. "") as the parameter.

-opstats
    Polls vitals for Scrutinizer. By default, this event is automatically executed routinely.

-optimizeCommon
    Optimizes tables that are commonly inserted into and deleted from. This action keeps things neat and clean for the database.

-remote [on|off]
    Toggles remote access to the database.

-remove
    Executes the uninstall procedure. This should only be executed with the assistance of Plixer Support.

-removehostpartitions
    Removes table partitioning from the host_X tables. This should only be executed with the assistance of Plixer Support.

-reset_admin_password [USERNAME]
    The USERNAME is the name of the Scrutinizer user account to modify.

-reset_mysql_password
    Changes the MySQL root account password.

-reset_scrutdb_password
    Changes the other MySQL scrutinizer user account passwords.

-reset_vitals
    Resets all vital tab statistics. Once reset, old statistics will no longer be available. Use with caution.

-routeTables
    Collects routing tables for all active devices.

-ssl [ON|OFF] [TCPPORT] [COUNTRY] [STATE] [CITY] [ORG] [EMAIL] [COMMON]
    Enables or disables SSL support in Scrutinizer. It only works with the local Apache Server bundled with Scrutinizer. All fields are required when [ON] is used. NOTE: Make sure to put " " around the parameters that have white spaces.

    Name Field       Explanation
    --------------------------------------------------------------------------
    Country Name     The two-letter ISO abbreviation for your country. ex: US = United States
    State/Province   The state/province where your organization is located. Can not be abbreviated. ex: Maine
    City/Locality    The city where your organization is located. ex: Atlanta
    Organization     The exact legal name of your organization. Do not abbreviate. ex: Plixer International, Inc.
    Email Address    The email address for the CA (who to contact). ex: [email protected]
    Common Name      URL that you wish to attach the certificate to. ex: 10.1.1.10 or scrutinizer.company.com

-snmp_discover
    Performs an SNMP discovery on exporters flagged for auto SNMP update.

-testSNMP
    Tries to get the SysObjectID for all devices. If SNMP connected successfully, it will return the credential object. Otherwise, it will return the error message.

-tmp_clean
    Removes any temporary files created by the graphing engine. Executing it will perform an on demand clean up. By default, it is a scheduled event.

-update_httpd_port [TCPPORT]
    Use this command to change the Apache web port. Do not edit the httpd.conf manually or certain functionality will not work properly.

-update_plixerini_mysqlroot
    Use this command to update the plixer.ini database root user password. Scrutinizer and the database root password must be in sync. To change the database root password use -reset_mysql_password instead.

-voip [on|off]
    When enabled, the command will define all even and odd ports appropriately as VoIP RTCP or VoIP RTP. When toggled off, those definitions will be reset to undefined.

Search Tool

Overview

The Search Tool is launched by clicking on the binoculars icon in the upper right hand corner. It is used to perform a quick search for:

• IP address or DNS host name

• Well known port (e.g. http, 80, etc.) across all protocols (e.g. TCP, UDP, etc.)

Select a date range. Then select the flow exporting devices that the query will be run against. NOTE: Only the 1 minute interval tables contain 100% of all flows collected. To make sure you are querying 1 minute interval data, limit the search to under 1 hour of time. Visit the Admin tab -> Settings -> Data History to increase the "Maximum Conversations" saved per interval to increase the volume of flows saved per interval. Be aware that this may require more hard disk space. Visit the Admin Tab -> Reports > Vitals to view how much hard drive space is being consumed.

Multi Tenancy Module

Overview

The Multi Tenancy module must be installed and licensed to access the following features:

1. Create more than 10 User Groups
2. Apply permissions to User Groups per Interface
3. Apply permissions to User Groups per Device

The Multi Tenancy module is useful to companies who need to give customers a unique login and restrict what they see to specific devices and/or interfaces.

Systrax

The Help tab is a link to http://www.systrax.com. This site is the on-line support community and is used to bring subjects of interest directly to customers and evaluators. This is done in several ways, some of which include:

• A frequently updated blog

• The on-line support forum

Posting a comment or question requires membership.


Troubleshooting

Getting Started Guide

• Contact Support: For assistance setting up the server or the collector, or for navigation techniques. How to enable NetFlow or sFlow on various hardware.

• System LEDs: Familiarize yourself with these. They should all be green.

• FAQ: This page lists many common questions we have received over the years.

• Webvideos: These are short 2-5 minute videos that offer good general help with different areas of the software.

Web Server Port

Overview

This software runs on the Apache Web Server. Follow these steps to change the web server port Scrutinizer is running on:

1. Stop the "plixer_apache" service.
2. Edit the ~\SCRUTINIZER\apache\conf\httpd.conf file.
3. Search for the line "listen 80" or "server name" or "127.0.0.1:80" or "localhost:80".
4. Change the 80 to whatever you want.
5. Restart the Plixer Apache web server service.

SSL Support

Please contact support to acquire the SSL version of Scrutinizer. To configure SSL, run ~\SCRUTINIZER\bin\scrut_util -ssl and follow the instructions provided.
