Traffic Sentinel : Help

The Configure page is used to divide the network into administrative groups and to set policies.


I am setting up the product for the first time, how do I get started?

When you have entered the software key and the server is started for the first time, it is automatically given a minimal configuration.

Manual Device Configuration

If your network includes devices that must be configured manually to send sFlow®, NetFlow™, IPFIX, or LFAP, configure these devices to send data to Traffic Sentinel on the ports given on the Sentinel: File>Status page. Depending on your configuration, the new agent will appear in the matching group (see How do I edit groupings?). If the Traffic Sentinel configuration does not have a group that includes the agent IP address, then it will appear under Sentinel: Traffic>Status in a zone called "other". In the case of IPFIX, NetFlow and LFAP the interface counters are not included, so the server will automatically start to poll for them with SNMP.

Automatic Device Configuration

If your network includes devices that can be configured automatically via the sFlow MIB, then you must either add an individual agent section for each of them, or add agent-range sections and set the "scan" flag. To force changes to take effect immediately, use the Sentinel: File>Control page to initiate a new scan. Devices found this way will be tested for sFlow, and configured automatically if possible. These devices must be configured to accept SNMP SET requests from the server.

Note: If the sFlow MIB is not available and the HP XRMON MIB is present, then XRMON will be used instead.

Device Counter Polling

If your network includes devices that do not offer any of the embedded monitoring solutions supported by the server, you may still want to collect interface-counter trends, resolve topology and locate end-hosts to their ports. In that case, creating a separate agent section for each of those devices will cause the server to use SNMP to poll for interface counters, and also collect data used for topology discovery and end-host location.

As described above, this counter polling will also be initiated automatically for devices sending IPFIX, NetFlow™, or LFAP.

Reports Configuration

In order to ensure the maximum visibility into your network, a large number of reports are available to be tailored for your network and scheduled to run regularly. To adapt Traffic Sentinel to your network, you should next configure reporting.

Security Signatures

Traffic Sentinel starts with a number of useful security rules already included. These can trigger alerts as soon as a suspicious packet is matched by a rule. These rules can be tailored to your network, and new rules can be added to tighten security. For details, see Signatures>Configure.

Event Forwarding

Any events that appear under Sentinel: Events>List can be processed by a script and forwarded via:

For details, see How can I get events sent by email, RSS, SNMP traps or logged using syslog?.


What configuration settings are available?

The Traffic Sentinel configuration allows you to tell the server what to monitor and what settings to apply. Configuration settings include:

The configuration is represented as an XML document on the server. You can choose to view and edit the XML directly, or you can use the graphical editor provided. In the Options pane you can select:

The configuration is represented as a hierarchical tree-structure:

Note: the term CIDR (Classless Inter-domain Routing) is used here to mean any IP subnet expressed in the form: address/mask-bits.

The enterprise and site levels are fixed, because one server is always responsible for just one site (even if this particular "site" spans several locations). The zone and group levels are abstract. There is no limit on how many can be defined, and they can be given any name. A common convention is to use zones to represent distinct locations, with groups being used to describe separate buildings or floors. It is also common to separate out the network core from the edge. A typical setup will divide the network into about ten zones. Within a zone, each group can be a collection of CIDRs to describe the end-host space, agents to identify individual switches or routers, and agent-ranges to identify a range of addresses where switches or routers can be found. Specifying an interface is only ever needed if you want to override a setting just for that interface.

Note that this structure allows end-hosts and the devices that connect them to be logically grouped together, even if there is no overlap in the address space.

In addition to separating the address space and agents into a navigable tree, this structure also allows additional threshold, SNMP and sampling settings to be attached to the tree at any level. For example, a threshold setting applied to a zone will apply to all the interfaces that fall into that zone, unless the same threshold setting is overridden for a specific group, agent or interface.


What are the site settings?

The site settings include the software key and license number and contact information for the server administrator. Settings can be changed on the Sentinel: File>Configure>Edit page by clicking on the Edit Site link. The following settings are available:


How do I set the software key?

The software key is set as part of the site settings. You can change the software key on the Sentinel: File>Configure>Edit page by clicking on the Edit Site link. You will need to set both the Software Key and the Serial Number. The software key is tied to the Server name. If the key doesn't match the server name then it will not be accepted.

If the software key is rejected you may get one of the following error messages:


How do I edit groupings?

You can change groupings from the Sentinel: File>Configure>Edit page by clicking one of the Groupings links (Edit Zones, Edit Groups, Edit CIDRs, Edit Agent Ranges, Edit Agents or Edit Interfaces). Groupings are constructed hierarchically: you must define zones before you can add groups to them. You must define groups before you can add CIDRs, Agent Ranges or Agents. You must define an Agent before you can add an Interface.

To edit groupings you can either click on the grouping name in the navigation bar at the top of the page, or click on the grouping option on the Index page. You will be presented with a list of groupings of the selected type. Click on the Edit button to modify a grouping, click on the Remove button to remove a grouping (and all the items it contains), and click on the New button to define a new grouping.

When editing a group, click on any of the Edit buttons to edit sub-groups and settings.

Depending on the type of group you are editing, additional settings may be available:

CIDR

CIDRs are used to associate end-hosts with a Group. A CIDR is specified by an Address and the number of Mask Bits associated with the subnet mask. These do not have to match the subnets used by your routers, and they may overlap with each other too. For example, you might create a group "all" with the CIDR "128.141.0.0/16" in it, and then a separate group with the smaller CIDR "128.141.122.0/24". When assigning addresses to groups, the smallest enclosing CIDR is used. Grouping hosts in this way is useful when defining security rules (see Signatures>Configure), or when displaying traffic (see Traffic>Circles).

CIDR (IPv6)

IPv6 CIDRs are used to associate IPv6 hosts with a Group (see CIDR above).
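The "smallest enclosing CIDR" rule for both IPv4 and IPv6 groupings, as an added example in Python (not code from Traffic Sentinel). The group names and CIDRs are constructed for illustration; the two IPv4 CIDRs overlap on purpose, as the text allows, so the /24 wins over the /16 for addresses inside it.

```python
import ipaddress

# Constructed example groups (not a real Traffic Sentinel configuration):
# group name -> list of CIDRs in address/mask-bits form. IPv4 and IPv6 may mix.
GROUPS = {
    "all": ["128.141.0.0/16", "2001:db8::/32"],
    "lab": ["128.141.122.0/24"],
    "lab-v6": ["2001:db8:122::/48"],
}


def build_cidr_table(groups):
    """Flatten the group mapping into (network, group) pairs, validating each CIDR."""
    table = []
    for name, cidrs in groups.items():
        for cidr in cidrs:
            # strict=True rejects entries such as "128.141.122.5/24" (host bits set),
            # which is almost always a typo in an address/mask-bits entry.
            table.append((ipaddress.ip_network(cidr, strict=True), name))
    return table


def group_for_host(address, table):
    """Return the group owning the smallest (longest-prefix) enclosing CIDR.

    Returns None when no configured CIDR contains the address.
    """
    host = ipaddress.ip_address(address)
    best_net, best_name = None, None
    for net, name in table:
        if net.version != host.version or host not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_name = net, name
    return best_name


CIDR_TABLE = build_cidr_table(GROUPS)

if __name__ == "__main__":
    for addr in ("128.141.122.7", "128.141.5.9", "10.0.0.1", "2001:db8:122::1"):
        print(addr, "->", group_for_host(addr, CIDR_TABLE))
```

Because overlapping CIDRs are legal, a host can only be mis-grouped by a more specific CIDR placed in the wrong group; checking a handful of known hosts with this function after editing groupings catches that before security rules keyed on the group start matching the wrong hosts.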

Agent Range

An agent range describes a range of IP addresses that contain network devices to monitor.

Agent

Interface

Interfaces only need to be specified if particular settings are to be applied to the interface, such as custom thresholds. Otherwise interfaces will be automatically discovered.


How do I set thresholds?

You can edit thresholds from the Sentinel: File>Configure>Edit page by clicking on the Edit Threshold Settings link.

A threshold setting applies a threshold to an interface metric. Specify the Metric and a Limit, or value of the metric that will trigger the threshold. The Minutes over Threshold and Total Minutes settings are used to specify a duration over which the metric must exceed the limit before an alert is generated. For example, if Minutes over Limit was set to 5 and Total Minutes was set to 10 then an alert would result if the limit were exceeded 5 minutes in any 10 minute interval. The Min. ifSpeed and Max. ifSpeed are used to limit the scope of the threshold to only links with particular speeds. The threshold will only be applied to interfaces that fall in the specified speed range. This allows different threshold settings to be applied depending on the interface speed. Finally, the Enable flag can be used to Disable or Enable a particular threshold.
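The "5 minutes in any 10 minute interval" rule and the ifSpeed scoping, as an added Python example that is not part of Traffic Sentinel. The per-minute utilisation values are constructed; the strict "greater than the limit" comparison and the half-open speed range (Min <= ifSpeed < Max, matching the sampling section) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Threshold:
    metric: str
    limit: float
    minutes_over_limit: int           # "Minutes over Threshold" in the form
    total_minutes: int                # "Total Minutes" in the form
    min_ifspeed: int = 0              # bits/s; 0 means no lower bound
    max_ifspeed: Optional[int] = None # bits/s; None means no upper bound
    enabled: bool = True

    def applies_to(self, ifspeed):
        """True if this threshold is enabled and the interface speed is in range.
        Range is assumed half-open: Min <= ifSpeed < Max."""
        if not self.enabled or ifspeed < self.min_ifspeed:
            return False
        if self.max_ifspeed is not None and ifspeed >= self.max_ifspeed:
            return False
        return True


def first_alert_minute(samples, th, ifspeed):
    """Return the index of the minute at which the alert would first fire, or None.

    samples: one metric value per minute. The alert fires the first time at least
    th.minutes_over_limit of the last th.total_minutes samples exceed th.limit
    (assumed strict '>' comparison).
    """
    if not th.applies_to(ifspeed):
        return None
    window = []                        # True for each recent minute over the limit
    for minute, value in enumerate(samples):
        window.append(value > th.limit)
        if len(window) > th.total_minutes:
            window.pop(0)              # keep only the last total_minutes samples
        if sum(window) >= th.minutes_over_limit:
            return minute
    return None


# Constructed example: 80% utilisation limit, 5 minutes over in any 10, gigabit links only.
GIG_UTIL = Threshold("ifInUtilization", 80, 5, 10,
                     min_ifspeed=1_000_000_000, max_ifspeed=10_000_000_000)

# Constructed per-minute utilisation (%): over the limit at minutes 0, 2, 4, 6 and 8.
BURSTY = [90, 10, 90, 10, 90, 10, 90, 10, 90, 10]
# Over the limit for only four minutes, then quiet.
SHORT_BURST = [90] * 4 + [10] * 20

if __name__ == "__main__":
    print("bursty gigabit link alerts at minute", first_alert_minute(BURSTY, GIG_UTIL, 1_000_000_000))
    print("short burst alerts at", first_alert_minute(SHORT_BURST, GIG_UTIL, 1_000_000_000))
    print("same data on a 100M link (out of scope):", first_alert_minute(BURSTY, GIG_UTIL, 100_000_000))
```

Setting Minutes over Threshold equal to Total Minutes turns the rule into "continuously over the limit"; a smaller ratio tolerates intermittent spikes, which is usually what you want on trunk links so that a single backup burst does not page anyone.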


How do I change SNMP settings?

You can edit SNMP settings from the Sentinel: File>Configure>Edit page by clicking on the Edit SNMP Settings link.

An SNMP setting controls how the server will use SNMP to talk to the agents. The Read Community is used when scanning for agents in an Address Range. It is also used when polling counters or reading agent configuration. The Write Community is used when performing SNMP-SET operations. If a Write Community is not provided, the Read Community will be used for both GET and SET operations. Finally, the Enable flag can be used to Disable or Enable SNMP access to agents. SNMP is used to get interface names, agent information, and to poll counters from non-sFlow devices. Disabling SNMP is only recommended in situations where there is no interest in managing the device.

The settings User, Auth. Protocol, Auth. Password, Priv. Protocol, and Priv. Password are only necessary if SNMPv3 is used. Omit the Auth. Password if you don't want to use authentication. Omit the Priv. Password if you don't want to use privacy.


How do I change sampling settings?

You can edit sampling settings from the Sentinel: File>Configure>Edit page by clicking on the Edit Sampling Settings link.

The sampling setting specifies the packet sampling rate that will be used when configuring an agent using the sFlow (or XRMON) MIB. The Sampling Rate determines the fraction of packets sampled. For example, a value of 100 would mean that, on average, 1 in every 100 packets would be sampled. The Min. ifSpeed and Max. ifSpeed settings allow different sampling rates to be set for interfaces depending on their speeds. An interface will match the first entry for which the condition Min <= ifSpeed < Max is satisfied. Generally, larger Sampling Rate settings are used for faster interfaces. The default settings are usually adequate and provide a useful guide when manually configuring sampling using the CLI.

If sFlow has been configured on the agent using its CLI then this parameter will have no effect. The sampling rate configured on the agent will be adopted and will override any setting made here.

Similarly, if the agent is sending IPFIX, NetFlow or LFAP flow records, then the packet sampling rate being used on the agent will usually be indicated in a field in the data packets. In that case also, the sampling rate configured on the agent will be adopted.

If the agent is not using packet sampling at all, and is sending flow-records generated from every packet, then the sampling rate setting configured here will be applied. It is applied so that the results are equivalent to that packet sampling rate being applied on the agent prior to the flow-cache.

If the agent is using packet sampling but is not indicating the sampling rate in the data packets, then you must follow these steps:

  1. Add a special sampling entry just for this agent.
  2. Match the sampling rate setting to the one being used on the agent.
  3. Edit the XML configuration directly to add:
      preSampled="true"
    as an extra parameter in that <sampling> section.
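The sampling-entry selection rule (first entry with Min <= ifSpeed < Max) and the precedence described in the paragraphs above, as an added Python example that is not Traffic Sentinel code. The sampling rates and speed bands are constructed for illustration, not the product's defaults; the per-agent `agent` field and the `flow_records` flag are modelling assumptions used to express the cases in the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SamplingEntry:
    rate: int                          # 1 in `rate` packets sampled
    min_ifspeed: int = 0               # bits/s
    max_ifspeed: Optional[int] = None  # bits/s, None = unbounded
    pre_sampled: bool = False          # preSampled="true" on the XML <sampling> section
    agent: Optional[str] = None        # constructed: restrict entry to one agent IP


def select_entry(entries, ifspeed, agent=None):
    """Return the first entry satisfying Min <= ifSpeed < Max (and the agent restriction)."""
    for e in entries:
        if e.agent is not None and e.agent != agent:
            continue
        if ifspeed < e.min_ifspeed:
            continue
        if e.max_ifspeed is not None and ifspeed >= e.max_ifspeed:
            continue
        return e
    return None


def effective_rate(entries, ifspeed, agent, agent_cli_rate=None,
                   flow_record_rate=None, flow_records=False):
    """Decide which sampling rate the collector ends up using and where it came from.

    agent_cli_rate:   rate configured on the agent via its CLI (sFlow); wins if set.
    flow_record_rate: rate carried in IPFIX/NetFlow/LFAP records; wins if present.
    flow_records:     True when the agent sends flow records rather than sFlow samples.
    """
    if agent_cli_rate:
        return agent_cli_rate, "configured on agent CLI (setting here ignored)"
    if flow_record_rate:
        return flow_record_rate, "indicated in flow records (setting here ignored)"
    e = select_entry(entries, ifspeed, agent)
    if e is None:
        return None, "no matching sampling entry"
    if flow_records and e.pre_sampled:
        # Agent samples but does not say so: the entry's rate is taken as the agent's rate.
        return e.rate, "preSampled entry: rate assumed already applied by agent"
    if flow_records:
        # Unsampled flow records: collector applies the rate so results are equivalent.
        return e.rate, "applied by collector to unsampled flow records"
    return e.rate, "pushed to agent via sFlow/XRMON MIB"


# Constructed sampling table (not the product defaults): larger rates for faster links,
# plus one preSampled entry for a single NetFlow exporter that samples silently.
ENTRIES: List[SamplingEntry] = [
    SamplingEntry(rate=1000, pre_sampled=True, agent="10.0.0.9"),
    SamplingEntry(rate=200, min_ifspeed=0, max_ifspeed=100_000_000),
    SamplingEntry(rate=1000, min_ifspeed=100_000_000, max_ifspeed=1_000_000_000),
    SamplingEntry(rate=2000, min_ifspeed=1_000_000_000),
]

if __name__ == "__main__":
    print(effective_rate(ENTRIES, 1_000_000_000, "10.0.0.1"))
    print(effective_rate(ENTRIES, 1_000_000_000, "10.0.0.1", agent_cli_rate=512))
    print(effective_rate(ENTRIES, 100_000_000, "10.0.0.9", flow_records=True))
```

Note the boundary: an interface reporting exactly 100 Mbit/s matches the second band, not the first, because the upper bound is exclusive. Getting a preSampled entry wrong double-scales (or fails to scale) every byte count from that exporter, so it is worth checking the reported traffic against an interface counter for one known link after adding one.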

How can I backup the configuration?

You can download the configuration file from the Sentinel: File>Configure>XML page. Click on the Download link and save a copy of the configuration file. You can reinstall this file by entering its path in the Install XML Configuration File box and clicking Submit.


Can I change the names associated with protocols?

The file /usr/local/inmsf/etc/config/protocols.txt contains names for well known protocol numbers.

You can view or change the protocols.txt file on the Sentinel:File>Logs page.


How do I ensure that clients and servers are correctly identified?

The file /usr/local/inmsf/etc/config/protocolPriorities.txt controls the priority ordering of TCP and UDP ports. It is used to determine which end of a connection was the client and which was the server. When comparing the source and destination port numbers in a flow, the port with the higher priority (the one appearing earlier in the list) is assumed to be the server port.

You can view or change the protocolPriorities.txt file on the Sentinel:File>Logs page.
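The client/server decision described above, as an added Python example (not Traffic Sentinel's own code). The page does not show the file's line format, so the sample below assumes one `protocol,port` entry per line with `;` comments, highest priority first; the entries themselves are constructed. What to do when neither port is listed is not stated on the page, so the function returns None in that case rather than guessing.

```python
# Constructed sample in an assumed format: protocol,port per line, highest priority first.
PRIORITIES_TXT = """\
; constructed sample protocolPriorities.txt (assumed format)
tcp,80      ; http
tcp,443     ; https
tcp,22      ; ssh
udp,53      ; dns
tcp,25      ; smtp
"""


def parse_priorities(text):
    """Map (protocol, port) -> rank, where a lower rank means higher priority."""
    rank = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        try:
            proto, port = (f.strip() for f in line.split(","))
            key = (proto.lower(), int(port))
        except ValueError:
            raise ValueError(f"protocolPriorities line {lineno}: expected protocol,port, got {raw!r}")
        if not 0 <= key[1] <= 65535:
            raise ValueError(f"protocolPriorities line {lineno}: port out of range")
        rank.setdefault(key, len(rank))        # first occurrence wins
    return rank


def server_side(proto, src_port, dst_port, rank):
    """Return 'src' or 'dst' for the end deemed the server, or None if undecidable.

    The port appearing earlier in the priority list (lower rank) is the server port.
    A listed port beats an unlisted one; two unlisted ports are left undecided.
    """
    rs = rank.get((proto, src_port))
    rd = rank.get((proto, dst_port))
    if rs is None and rd is None:
        return None
    if rd is None:
        return "src"
    if rs is None:
        return "dst"
    return "src" if rs < rd else "dst"


RANK = parse_priorities(PRIORITIES_TXT)

if __name__ == "__main__":
    # Constructed flows: (protocol, source port, destination port)
    for flow in (("tcp", 51234, 443), ("tcp", 443, 22), ("tcp", 40000, 50000)):
        print(flow, "server is", server_side(*flow, RANK))
```

The ordering matters for reports that count "servers" on a port: in the sample, a flow between port 443 and port 22 is attributed to the HTTPS server because 443 is listed first, so put the services you expect to see most on your network highest in the file.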


How can I group similar protocols together?

The file /usr/local/inmsf/etc/config/protocolGroups.txt is used to classify and name groups of protocols. The format of each line is:

  name,protocol,port-range[,port-range...]

The semicolon character ";" is used to indicate a comment.

You can view or change the protocolGroups.txt file on the Sentinel:File>Logs page.
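A parser for the protocolGroups.txt line format above, with a classifier that maps a (protocol, port) pair to its group, as an added Python example that is not part of Traffic Sentinel. The sample file content is constructed; the page does not say how a port-range is written, so "N" and "N-M" are assumed, and a protocol+port that matches several groups is assumed to take the first match in file order.

```python
# Constructed sample protocolGroups.txt; port-range syntax "N" or "N-M" is assumed.
PROTOCOL_GROUPS_TXT = """\
; constructed sample: name,protocol,port-range[,port-range...]
web,tcp,80,443,8000-8080
mail,tcp,25,465,587
dns,udp,53
dns,tcp,53
"""


def parse_protocol_groups(text):
    """Return a list of (name, protocol, [(low, high), ...]) in file order."""
    groups = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()     # ';' starts a comment
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or not all(fields):
            raise ValueError(f"protocolGroups line {lineno}: need name,protocol,port-range")
        name, proto, ranges = fields[0], fields[1].lower(), []
        for r in fields[2:]:
            low, _, high = r.partition("-")
            try:
                low_i, high_i = int(low), int(high or low)
            except ValueError:
                raise ValueError(f"protocolGroups line {lineno}: bad port-range {r!r}")
            if not 0 <= low_i <= high_i <= 65535:
                raise ValueError(f"protocolGroups line {lineno}: port-range {r!r} out of order or range")
            ranges.append((low_i, high_i))
        groups.append((name, proto, ranges))
    return groups


def classify(proto, port, groups):
    """Name of the first group (file order, assumed) whose protocol and ranges cover the port."""
    for name, gproto, ranges in groups:
        if gproto == proto and any(low <= port <= high for low, high in ranges):
            return name
    return None


GROUPS = parse_protocol_groups(PROTOCOL_GROUPS_TXT)

if __name__ == "__main__":
    for proto, port in (("tcp", 8080), ("udp", 53), ("tcp", 22)):
        print(proto, port, "->", classify(proto, port, GROUPS))
```

Running the parser over the file after an edit is a cheap way to catch a reversed range or a stray comma before the server reads it; the raised errors name the offending line.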


How do I control the length of history and disk space used to store history?

Three parameters: Minutes of Real-time Data, Days of History Data and Mbytes of Free Disk Space are used to manage data retention. These parameters are set in the Site Settings form.


How can I get events sent by email, RSS, SNMP traps or logged using syslog?

Any events that appear under Sentinel: Events>List can be processed by a script and forwarded via:

To use the RSS field, simply select the event list that you want to follow, then click the button. The other event forwarding options are possible because a script is called with each event: /usr/local/inmsf/scripts/eventScript. The script provided can be edited or replaced to customize this behavior. It will pick up settings from the global.prefs file. For example, to have events logged to the system log, forwarded by mail to the address operator@mycompany.com and sent as traps to the host 10.10.1.25, you can edit the file and add the following lines:
 event.syslog = YES
 event.mail = operator@mycompany.com
 event.trap = 10.10.1.25

For mail to be forwarded successfully the service sendmail must be configured on your server. Use a comma separated list of addresses if you want to send email events to more than one recipient.

For traps to be forwarded successfully the rpm package net-snmp-utils must be installed. The traps are described by the INMON-TRAP-MIB.


Are there any other configuration settings available?

Each line in the configuration text file /usr/local/inmsf/etc/config/global.prefs has the format:

  variable = value

with the semicolon character ';' being used to indicate comment fields.

You can view or change the global.prefs settings using the Sentinel:File>Logs page.

These settings are only read when a process starts. Some processes run continuously, so they may have to be restarted before a new setting can take effect. The Sentinel: File>Control page allows either the data collection or the web server processes to be restarted. In the table below, the "Restart" column indicates which restart (if any) is required:

Setting | Default Value | Description | Restart
--- | --- | --- | ---
dns.localsuffix | <not set> | If set to ".mycompany.com" then DNS names with this suffix will be displayed in their short form (with this suffix removed). | web server
SNMPCounterPollInterval | 30 (seconds) | Unless overridden in the XML configuration file, this is the polling interval used to poll interface counters from an agent via SNMP. | data collection and web server
SFlowSamplePort | 6343 | UDP port to listen on for sFlow® | data collection and web server
IPFIXPort | 4739 | UDP port to listen on for IPFIX | data collection and web server
NetFlowPort | 9985 | UDP port to listen on for NetFlow™ (version 1, 5, 7 or 9) | data collection and web server
LFAPPort | 3145 | TCP port to listen on for Riverstone LFAP (version 5) | data collection and web server
SFlowMIBSamplePort | 26343 | UDP port used for sFlow MIB data (configured automatically via SNMP) | data collection and web server
XRMONSamplePort | 19985 | UDP port used for Hewlett Packard XRMON data (configured automatically via SNMP) | data collection and web server
chart.trend.truncate | 5 | Number of legend entries (colors) in Traffic>Trend chart | web server
chart.trend.height | 350 (pixels) | Height of Traffic>Trend chart | web server
chart.circles.truncate | 100 | Maximum number of lines (top flows) displayed in Traffic>Circles chart | web server
chart.circles.height | 450 (pixels) | Height of Traffic>Circles chart | web server
map.height | 600 (pixels) | Height of Maps view | web server
event.syslog | <not set> | Set to YES to configure the default event script to log events to syslog | 
event.mail | <not set> | Set to an email address to configure the default event script to send events by email. sendmail(1) must be configured on the server for this to work. See /usr/local/inmsf/scripts/eventScript | 
event.trap | <not set> | Set to the IP address of an SNMP trap listener to configure the default event script to send events as SNMP traps. The net-snmp-utils rpm package must be installed. The traps sent by the default event script are described by the trapMIB specification | 
event.severity | 2 | This integer controls which events are reported to syslog, mail or trap. Choices are 1 = All, 2 = Warn/Severe, 3 = Severe only. | 
session.timeout | 1800 (seconds) | If your session is idle for this long, then it will terminate and you will have to log in again. | 
report.readurl.protocol.http | YES | Set to NO to disable script access to URLs starting with "http". | web server
report.readurl.protocol.https | YES | Set to NO to disable script access to URLs starting with "https". | web server
report.readurl.protocol.file | NO | Set to YES to allow script access to URLs starting with "file". | web server
report.write.allow | NO | Set to YES to allow scripts to write files. | web server
report.runcmd.allow | NO | Set to YES to allow scripts to run shell commands. | web server
interface.name | ifName | Controls how interfaces are named. Valid settings are ifName, ifAlias, ifDescr or ifIndex (or a comma separated list of these in order of preference). | web server
agent.name | sysName | Controls how agents are named. Valid settings are sysName, DNS, or IP. | data collection and web server
link.agent.label.0 | <not set> | Specify the name of a link to be added to the Search > Agent/Interface page. | web server
link.agent.url.0 | <not set> | Specify a link to be added to the Search > Agent/Interface page. The token {0} in the URL string will be replaced by the agent IP address. | web server
link.interface.label.0 | <not set> | Specify the name of a link to be added to the Search > Agent/Interface page. | web server
link.interface.url.0 | <not set> | Specify a link to be added to the Search > Agent/Interface page. The token {0} in the URL string will be replaced by the agent IP address and the token {1} will be replaced by the ifIndex. | web server
link.host.ipv4.label.0 | <not set> | Specify the name of a link to be added to the Search > Host page. | web server
link.host.ipv4.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host IP address. | web server
link.host.mac.label.0 | <not set> | Specify the name of a link to be added to the Search > Host page. | web server
link.host.mac.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host MAC address. | web server
link.protocol.label.0 | <not set> | Specify the name of a link to be added to the Search > Protocol page. | web server
link.protocol.url.0 | <not set> | Specify a link to be added to the Search > Protocol page. The token {0} in the URL string will be replaced by the protocol and the {1} token will be replaced by the port number. | web server
report.snmp.allow | YES | Allow SNMP requests to be made from report templates and scripts. | web server
search.snmp.allow | YES | Allow SNMP requests to be made in Search > Host. | web server
search.ssh.user | <not set> | Create an ssh link in the Search>Agent/Interface page using the specified username. | web server
a10.server | <not set> | Specify the address of an A10 Networks IDsentrie device providing the IP-to-ID service. | web server
a10.partner_id | <not set> | Specify the partner_id used to authenticate with the server. | web server
a10.partner_passcode | <not set> | Specify the partner_passcode used to authenticate with the server. | web server
a10.protocol | http | Specify the protocol (http or https) to be used to communicate with the server. | web server
a10.port | 2392 (http), 2393 (https) | Specify the port used to communicate with the server. | web server
a10.host.interval | last60minutes | Specify a time range for IP-to-ID lookups in the Search>Host page. | web server
config.topbuttonthreshold | 20 | Number of items in a configuration list before buttons will be displayed on top of the form. | web server
radius.createusers | NO | Automatically create user accounts for users that authenticate using RADIUS. | web server
radius.timeout | 5 | Number of seconds to wait for a response to a RADIUS request. | web server
radius.retries | 3 | Number of RADIUS requests to send before giving up on authenticating a user. | web server
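A reader for the `variable = value` / `;`-comment format of global.prefs, with two uses on top of it: the event-forwarding settings from the "How can I get events sent by email..." section above, and a review of the settings in the table that widen what report scripts may do. This is an added Python example, not Traffic Sentinel code; the sample file content is constructed, the "risky" list and the restart map are taken from the table's own defaults and Restart column, and the idea of failing a configuration review on them is the example's, not the page's.

```python
from typing import Dict, List, Set

# Constructed sample of /usr/local/inmsf/etc/config/global.prefs (not a real file).
GLOBAL_PREFS = """\
; constructed sample global.prefs
dns.localsuffix = .mycompany.com
event.syslog = YES
event.mail = operator@mycompany.com, noc@mycompany.com
event.trap = 10.10.1.25
event.severity = 2
report.runcmd.allow = YES        ; scripts may run shell commands
report.readurl.protocol.file = NO
session.timeout = 1800
"""


def parse_prefs(text) -> Dict[str, str]:
    """Parse 'variable = value' lines; ';' starts a comment; later lines override earlier ones."""
    prefs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"global.prefs line {lineno}: expected 'variable = value'")
        key, value = line.split("=", 1)
        prefs[key.strip()] = value.strip()
    return prefs


# Settings from the table whose YES value expands what web-server-run scripts may do,
# or who may get an account, with their documented defaults.
RISKY = {
    "report.readurl.protocol.file": ("NO", "scripts may read local files via file: URLs"),
    "report.write.allow": ("NO", "scripts may write files on the server"),
    "report.runcmd.allow": ("NO", "scripts may run shell commands"),
    "radius.createusers": ("NO", "an account is created for any RADIUS-authenticated user"),
}

# Subset of the table's Restart column (constructed map, only the keys used below).
RESTART = {
    "dns.localsuffix": {"web server"},
    "SFlowSamplePort": {"data collection", "web server"},
    "SNMPCounterPollInterval": {"data collection", "web server"},
    "report.runcmd.allow": {"web server"},
    "session.timeout": set(),           # no Restart entry in the table
}


def audit(prefs) -> List[str]:
    """Findings for permissive settings and out-of-range values; empty list means clean."""
    findings = []
    for key, (default, why) in RISKY.items():
        if prefs.get(key, default).upper() == "YES":
            findings.append(f"{key}=YES: {why}")
    severity = prefs.get("event.severity", "2")
    if severity not in ("1", "2", "3"):
        findings.append(f"event.severity={severity}: must be 1 (all), 2 (warn/severe) or 3 (severe only)")
    return findings


def mail_recipients(prefs) -> List[str]:
    """event.mail is a comma separated list of addresses."""
    return [a.strip() for a in prefs.get("event.mail", "").split(",") if a.strip()]


def restart_needed(changed_keys, restart_map=RESTART) -> Set[str]:
    """Processes to restart (via File>Control) after changing the given settings."""
    needed = set()
    for key in changed_keys:
        needed |= restart_map.get(key, set())
    return needed


if __name__ == "__main__":
    prefs = parse_prefs(GLOBAL_PREFS)
    print("findings:", audit(prefs))
    print("mail to:", mail_recipients(prefs), "traps to:", prefs.get("event.trap"))
    print("restart after editing dns.localsuffix and SFlowSamplePort:",
          restart_needed({"dns.localsuffix", "SFlowSamplePort"}))
```

Because report scripts run under the web server, `report.runcmd.allow` and `report.write.allow` effectively hand anyone who can author a report template the web server's privileges on the host; keeping them at their NO defaults, and checking the file for drift as part of routine configuration backups, is the cheap control.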