HPE IMC NTA/UBA Cisco Network Traffic Monitoring Through NetFlow Configuration Examples

Author: Caren Sharp

Part number: 5200-1413
Software version: IMC NTA 7.2 (E0401)
Software version: IMC UBA 7.2 (E0401)
The information in this document is subject to change without notice.
© Copyright 2016 Hewlett Packard Enterprise Development LP

Contents

Introduction
Prerequisites
Restrictions and guidelines
Example: Using NTA/UBA to monitor Cisco network traffic through NetFlow
    Network configuration
    Software versions used
    Procedures
        Adding the Cisco switch to IMC management
        Configuring NTA/UBA
        Configuring NetFlow on the switch
    Verifying the configuration
        Viewing interface traffic information
        Auditing user behaviors
    Troubleshooting NTA/UBA and NetFlow
        No NetFlow data on the NTA/UBA server
        No NetFlow data on NTA
        No audit results on UBA
Related documentation

Introduction

This document provides examples for using NTA/UBA to monitor network traffic on a Cisco Nexus 7000 switch in real time through NetFlow.

Prerequisites

Before you configure NTA/UBA and NetFlow to monitor network traffic, complete the following tasks:
• Make sure the NTA/UBA server is correctly installed and deployed.
• Make sure the device can communicate with the NTA/UBA server.
• Make sure the SNMP service is enabled on the device.

Restrictions and guidelines

NTA/UBA supports the NetFlow v5 and NetFlow v9 log types.

Example: Using NTA/UBA to monitor Cisco network traffic through NetFlow

Network configuration

As shown in Figure 1, configure NTA/UBA to analyze and monitor network traffic sent from a Cisco Nexus 7000 switch through NetFlow v9.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on Cisco NX-OS(tm) n7000, Software (n7000-s1-dk9), Version 6.2(8a).

Procedures

Adding the Cisco switch to IMC management

1. Click the Resource tab.
2. From the navigation tree, select Resource Management > Add Device.
3. On the page that appears, enter 172.16.0.2 in the Host Name/IP field.
4. Configure the same SNMP, Telnet, and SSH settings as the settings on the device.
5. Click OK.

Configuring NTA/UBA

Adding the NetFlow device to NTA

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Settings. The Settings page opens.
3. In the Guide to Quick Traffic Analysis and Audit Management area, click Device Management. The Device Management page opens.
4. Click Add. The Add Device page opens.
5. Configure the NetFlow device parameters, as shown in Figure 2:
   a. In the Device IP field, click Select to select the device from the IMC platform. (Details not shown.) After you select the device, the Name, SNMP Community, and SNMP Port fields are populated automatically. If you enter the device IP manually instead of selecting the device from the platform, make sure the SNMP community and port settings are the same as the settings on the device.
   b. Use the default values for the other parameters.

Figure 2 Adding the NetFlow device to NTA

6. Click OK.

Deploying server configuration

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Settings. The Settings page opens.
3. In the Guide to Quick Traffic Analysis and Audit Management area, click Server Management. The Server Management page opens.
4. Click the Modify icon for the NTA/UBA server with IP address 192.168.1.220. The Server Configuration page opens.
5. Configure the server parameters as needed, as shown in Figure 3:
   a. In the Traffic Analysis and User Behavior Audit areas, select the switch with IP address 172.16.0.2 as the device to be monitored.
   b. In the Intranet Monitor Information area, configure 172.0.0.0/8 as the intranet information for the device. (Details not shown.)

Figure 3 Configuring the NTA/UBA server

6. Click Deploy.

Adding an interface traffic analysis task

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Settings. The Settings page opens.
3. In the Guide to Quick Traffic Analysis and Audit Management area, click Traffic Analysis Task Management. The Traffic Analysis Task Management page opens.
4. Click Add. The Select Task Type page opens.
5. Select Interface and click Next. The Add Traffic Analysis Task page opens.
6. Configure the basic task information and select interface Ethernet 2/14, as shown in Figure 4. This example uses Interface as the task name.

Figure 4 Adding an interface traffic analysis task

7. Click OK.

Configuring NetFlow on the switch

# Enable the NetFlow feature. NX-OS does not accept the flow commands below until the feature is enabled.
switch#config
switch(config)#feature netflow

# Configure a flow record. The match fields are the flow key; the collect fields are the counters and timestamps exported with each flow.
switch(config)#flow record pw1
switch(config-flow-record)#match ipv4 source address
switch(config-flow-record)#match ipv4 destination address
switch(config-flow-record)#match ip protocol
switch(config-flow-record)#match ip tos
switch(config-flow-record)#match transport source-port
switch(config-flow-record)#match transport destination-port
switch(config-flow-record)#collect transport tcp flags
switch(config-flow-record)#collect counter bytes long
switch(config-flow-record)#collect counter packets long
switch(config-flow-record)#collect timestamp sys-uptime first
switch(config-flow-record)#collect timestamp sys-uptime last

# Configure the destination address, UDP port number, and log sending port for NetFlow traffic export.
switch(config)#flow exporter pw2
switch(config-flow-exporter)#destination 192.168.1.220
switch(config-flow-exporter)#transport udp 9020
switch(config-flow-exporter)#source Ethernet2/14

# Specify the version of the flow exporter.
switch(config-flow-exporter)#version 9

# Create a flow monitor that binds the record to the exporter.
switch(config)#flow monitor pw
switch(config-flow-monitor)#record pw1
switch(config-flow-monitor)#exporter pw2

# Enable NetFlow on Ethernet 2/14 in both directions.
switch(config)#interface Ethernet2/14
switch(config-if)#ip flow monitor pw input
switch(config-if)#ip flow monitor pw output
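The collector side of this export, as an added example that is not part of this HPE document or of the IMC product: a Python decoder for the NetFlow v9 packets the switch sends to 192.168.1.220:9020, together with a constructed template and data flowset carrying exactly the fields of flow record pw1. The field type numbers are the ones defined in RFC 3954; the sample addresses, ports and counters are made up for the example, and the template cache is kept per (source_id, template_id) because a data flowset that arrives before its template cannot be decoded.

```python
import ipaddress
import struct

# NetFlow v9 field types (RFC 3954, section 8) for the fields flow record pw1 exports.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 6: "tcp_flags",
    7: "l4_src_port", 8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
    21: "last_switched", 22: "first_switched",
}
# v9 packet header: version, count, sys_uptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")
TEMPLATE_FLOWSET_ID = 0


def decode_field(ftype, raw):
    """IPv4 address fields become dotted strings; everything else is a big-endian integer."""
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet and return (header, flows).

    `templates` maps (source_id, template_id) to a field list and should be shared across
    calls. Data flowsets whose template has not been seen are not guessed at; they are
    counted in header["undecodable_flowsets"] so the gap is visible.
    """
    if templates is None:
        templates = {}
    version, count, sys_uptime, unix_secs, sequence, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    header = {"version": version, "count": count, "sys_uptime": sys_uptime,
              "unix_secs": unix_secs, "sequence": sequence, "source_id": source_id,
              "undecodable_flowsets": 0}
    flows = []
    offset = HEADER.size
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            pos = 0
            while pos + 4 <= len(body):
                template_id, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = []
                for _ in range(nfields):
                    ftype, flen = struct.unpack_from("!HH", body, pos)
                    pos += 4
                    fields.append((ftype, flen))
                templates[(source_id, template_id)] = fields
        elif fs_id > 255:  # data flowset; ids 1..255 are options/reserved and skipped here
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len == 0:
                header["undecodable_flowsets"] += 1
            else:
                pos = 0
                while pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                    flow = {}
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        flow[name] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    flows.append(flow)
        offset += fs_len
    return header, flows


def build_sample_packet(include_template=True):
    """Constructed sample export (not captured from a real switch): the template for record
    pw1 plus two flow records, laid out as the exporter would send them."""
    fields = [(8, 4), (12, 4), (4, 1), (5, 1), (7, 2), (11, 2), (6, 1), (1, 8), (2, 8), (22, 4), (21, 4)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(template)) + template

    def record(src, dst, proto, tos, sport, dport, flags, nbytes, npkts, first, last):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!BBHHBQQII", proto, tos, sport, dport, flags, nbytes, npkts, first, last))

    records = (record("172.16.10.5", "172.16.20.9", 6, 0, 51234, 443, 0x18, 1500, 10, 120000, 123000)
               + record("172.16.10.7", "8.8.8.8", 17, 0, 40000, 53, 0, 80, 1, 122500, 122500))
    pad = (-len(records)) % 4  # data flowsets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(records) + pad) + records + b"\x00" * pad
    count = (1 if include_template else 0) + 2
    header = HEADER.pack(9, count, 123456, 1700000000, 1, 0)
    return header + (template_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    hdr, parsed = parse_v9(build_sample_packet())
    print(hdr)
    for f in parsed:
        print(f)
```

Feeding the same decoder a packet that carries only the data flowset, with an empty template cache, yields no flows and one undecodable flowset; once the template packet has been parsed into a shared cache, the data-only packet decodes normally. That is the behaviour to expect right after the exporter restarts, before it resends its template.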

Verifying the configuration

Viewing interface traffic information

Viewing summary information for all interface traffic analysis tasks

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Interface Traffic Analysis Task. The Interface Traffic page opens, as shown in Figure 5.

Figure 5 Viewing summary information for interface traffic analysis tasks

Viewing traffic information for an individual interface traffic analysis task

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Interface Traffic Analysis Task. The Interface Traffic page opens.
3. To view traffic information for an interface traffic analysis task, do one of the following:
   • On the Summary List, click the name of the interface traffic analysis task, Interface.
   • From the navigation tree, point to the Expand icon next to Interface Traffic Analysis Task and select Interface from the menu that opens.
   The Interface traffic analysis page displays total traffic information for the interface traffic analysis task, as shown in Figure 6.

Figure 6 Viewing traffic information for an interface traffic analysis task

Viewing application information for an interface traffic analysis task

On the Interface traffic analysis page, click the Application tab. The tab displays application traffic information for the interface traffic analysis task, as shown in Figure 7.

Figure 7 Viewing application information for an interface traffic analysis task

Viewing session information for an interface traffic analysis task

On the Interface traffic analysis page, click the Session tab. The tab displays session information for the interface traffic analysis task, as shown in Figure 8.

Figure 8 Viewing session information for an interface traffic analysis task

Auditing user behaviors

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > User Behavior Audit. The User Behavior Audit page opens.
3. Specify the audit conditions and click Audit. The Audit Result page opens, as shown in Figure 9.

Figure 9 Viewing the log audit result

Troubleshooting NTA/UBA and NetFlow

No NetFlow data on the NTA/UBA server

To resolve the problem:
• Verify that the UDP port number for log receiving configured on the device is the same as the one configured on the NTA server.
• Verify that the device and the NTA server can reach each other.
• Check the firewall status on the NTA server. If the firewall is enabled, disable the firewall or open UDP ports 9020, 9021, and 6343.
• Check the size of files in the directories $IMC_INSTALL/data/recieverData and $IMC_INSTALL/data/processorData/data. If a large number of files exist in the directories, clear files from the installation directory and the database:
  a. Stop the processor and receiver processes.
  b. Delete all files in directories $IMC_INSTALL/data/recieverData and $IMC_INSTALL/data/processorData/data.
  c. Delete the receivedfile.txt file in directory $IMC_INSTALL/unba/conf.
  d. Clear the unba_slave.tbl_storing_task table from the unba_slave database.
  e. Restart the processor and receiver processes.
• Check the database disk usage on the Service > Traffic Analysis and Audit > Database Space page. If the disk usage has exceeded the usage threshold of the database disk, expand the disk capacity or delete useless data.

If the problem persists, contact HPE Support.

No NetFlow data on NTA

To resolve the problem:
• Verify that the device uses the same interface index as used in the NetFlow packets.
• If the interface indexes are different, configure the interface index:
  a. Click the Service tab.
  b. From the navigation tree, select Traffic Analysis and Audit > Settings. The Settings page opens.
  c. In the Guide to Quick Traffic Analysis and Audit Management area, click Traffic Analysis Task Management. The Task Management page opens.
  d. On the Traffic Analysis Task List, click Add. The Select Task Type page opens.
  e. Select Interface and click Next. The Add Traffic Analysis Task page opens.
  f. Configure the basic task information, and then click Select in the Interface Information area.
  g. On the Add Interface page, click the Configure Manually tab.
  h. Configure the interface index and click OK.

If the problem persists, contact HPE Support.

No audit results on UBA

To resolve the problem:
• Check the intranet information on the Server Configuration page. If the IP address of the host that UBA monitors does not belong to the intranet network, the IP address is not monitored. To add the monitored IP address:
  a. In the Intranet Monitor Information area, enter the IP address of the monitored host as intranet information.
  b. Click Add, as shown in Figure 3. The IP address is displayed in the Intranet Information area.
  c. Click Deploy.
• Log in to the IMC database and check whether the tbl_flow_YYMMDDHH table exists.
  • If the table exists, make sure the time setting and time zone of the device are consistent with the settings on the NTA/UBA server.
  • If the table does not exist, the NTA/UBA server cannot receive NetFlow data. For more information about resolving the problem, see "No NetFlow data on the NTA/UBA server."

If the problem persists, contact HPE Support.
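A quick check for the first and last of these troubleshooting cases, added here as an example that is not part of this HPE document or of the IMC product: a small Python diagnostic that binds the collector's UDP port, confirms that datagrams actually arrive from the expected exporter (172.16.0.2 on port 9020 in this example), checks that they carry a NetFlow version NTA/UBA accepts, and compares the exporter's unix_secs header field with the server clock to catch the time mismatch that leaves tbl_flow_YYMMDDHH out of step with the audit. The 300-second skew tolerance is an assumption chosen for this check, not an NTA/UBA setting; the sample header used in the test is constructed.

```python
import socket
import struct
import time

EXPORTER_IP = "172.16.0.2"   # the Nexus 7000 in this example
COLLECTOR_PORT = 9020        # matches 'transport udp 9020' on the exporter
MAX_SKEW_SECONDS = 300       # assumption: tolerance chosen for this check, not an NTA/UBA setting


def check_datagram(data, source_ip, local_time, expected_exporter=EXPORTER_IP, max_skew=MAX_SKEW_SECONDS):
    """Return a list of findings for one received datagram; an empty list means it looks healthy.

    Both NetFlow v5 and v9 headers start with version(2) count(2) sys_uptime(4) unix_secs(4),
    so the exporter's clock can be read without decoding the rest of the packet.
    """
    findings = []
    if source_ip != expected_exporter:
        findings.append(f"datagram from {source_ip}, expected exporter {expected_exporter}")
    if len(data) < 12:
        findings.append(f"datagram of {len(data)} bytes is too short for a NetFlow header")
        return findings
    version, count, sys_uptime, unix_secs = struct.unpack_from("!HHII", data, 0)
    if version not in (5, 9):
        findings.append(f"NetFlow version {version} is not supported (NTA/UBA accepts v5 and v9)")
        return findings
    skew = unix_secs - int(local_time)
    if abs(skew) > max_skew:
        findings.append(f"exporter clock is {skew:+d} s from the server clock; "
                        "check the device time and time zone against the NTA/UBA server")
    return findings


def listen(port=COLLECTOR_PORT, max_packets=10, timeout=30):
    """Bind the collector port and report on the first few datagrams.

    Only one process can own the UDP port, so run this only while the NTA receiver is stopped.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    sock.settimeout(timeout)
    try:
        for _ in range(max_packets):
            data, (src, _) = sock.recvfrom(65535)
            findings = check_datagram(data, src, time.time())
            print(src, len(data), "bytes:", findings or "ok")
    except socket.timeout:
        print(f"no datagrams in {timeout} s: check reachability from the device, "
              f"the exporter's UDP port, and the firewall on the server")
    finally:
        sock.close()


if __name__ == "__main__":
    listen()
```

If nothing arrives within the timeout, the problem lies in the first three bullets of "No NetFlow data on the NTA/UBA server" (port mismatch, reachability, firewall); if datagrams arrive but the skew finding fires, the device time and time zone need correcting before the UBA audit will find its rows.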

Related documentation

HPE IMC Traffic Analysis and Audit Help