The Configure page is used to divide the network into administrative groups and to set policies.
Topics:
- I am setting up the product for the first time, how do I get started?
- What configuration settings are available?
- What are the site settings?
- How do I set the software key?
- How do I edit groupings?
- How do I set thresholds?
- How do I change SNMP settings?
- How do I change sampling settings?
- How can I back up the configuration?
- Can I change the names associated with protocols?
- How do I ensure that clients and servers are correctly identified?
- How can I group similar protocols together?
- How do I control the length of history and disk space used to store history?
- How can I get events sent by email, RSS, SNMP traps or logged using syslog?
- Are there any other configuration settings available?
I am setting up the product for the first time, how do I get started?
When you have entered the software key and the server is started for the first time, it is automatically given a minimal configuration.
Manual Device Configuration
If your network includes devices that must be configured manually to send sFlow®, NetFlow™, IPFIX, or LFAP, configure these devices to send data to Traffic Sentinel on the ports given on the Sentinel: File>Status page. Depending on your configuration, the new agent will appear in the matching group (see How do I edit groupings?). If the Traffic Sentinel configuration does not have a group that includes the agent IP address, then it will appear under Sentinel: Traffic>Status in a zone called "other". In the case of IPFIX, NetFlow and LFAP the interface counters are not included, so the server will automatically start to poll for them with SNMP.
Automatic Device Configuration
If your network includes devices that can be configured automatically via the sFlow MIB, then you must either add individual agent sections for each of them, or you can add agent-range sections and set the "scan" flag. To force changes to take effect immediately, use the Sentinel: File>Control page to initiate a new scan. Devices found this way will be tested for sFlow, and configured automatically if possible. These devices must be configured to accept SNMP SET requests from the server.
Note: If the sFlow MIB is not available and the HP XRMON MIB is present, then XRMON will be used instead.
Device Counter Polling
If your network includes devices that do not offer any of the embedded monitoring solutions supported by the server, you may still want to collect interface-counter trends, resolve topology and locate end-hosts to their ports. In that case, creating a separate agent section for each of those devices will cause the server to use SNMP to poll for interface counters, and also collect data used for topology discovery and end-host location.
As described above, this counter polling will also be initiated automatically for devices sending IPFIX, NetFlow™, or LFAP.
Reports Configuration
In order to ensure the maximum visibility into your network, a large number of reports are available to be tailored for your network and scheduled to run regularly. To adapt Traffic Sentinel to your network, you should next configure reporting.
Security Signatures
Traffic Sentinel starts with a number of useful security rules already included. These can trigger alerts as soon as a suspicious packet is matched by a rule. The rules can be tailored to your network, and new rules can be added to tighten security. For details, see Signatures>Configure.
Event Forwarding
Any events that appear under Sentinel: Events>List can be processed by a script and forwarded via:
- RSS feed
- email
- system log
- SNMP trap
For details, see How can I get events sent by email, RSS, SNMP traps or logged using syslog?.
What configuration settings are available?
The Traffic Sentinel configuration allows you to tell the server what to monitor and what settings to apply. Configuration settings include:
- How to divide up the network into a hierarchy of zones and groups to reflect your internal administrative domains.
- Where to find the switch and router agents, and talk to them with SNMP.
- What are the end-host subnets that make up the local IP address space on your network.
- What thresholds to apply, so that events are raised on excessive load conditions, or high error rates.
- What sampling rates to use for different link speeds (where sampling is configured automatically via SNMP).
The configuration is represented as an XML document on the server. You can choose to view and edit the XML directly, or you can use the graphical editor provided. In the Options pane you can select:
- Show Configuration to see a formatted representation of the current configuration.
- Edit Configuration to use the graphical editor to make changes.
- XML to download the XML configuration file, and upload it again after making your changes.
The configuration is represented as a hierarchical tree-structure:
- enterprise
- site
- zone
- group
- CIDR
- agent-range
- agent
- interface
- group
- zone
- site
Note: the term CIDR (Classless Inter-domain Routing) is used here to mean any IP subnet expressed in the form: address/mask-bits.
The enterprise and site levels are fixed, because one server is always responsible for just one site (even if this particular "site" spans several locations). The zone and group levels are abstract. There is no limit on how many can be defined, and they can be given any name. A common convention is to use zones to represent distinct locations, with groups being used to describe separate buildings or floors. It is also common to separate out the network core from the edge. A typical setup will divide the network into about ten zones. Within a zone, each group can be a collection of CIDRs to describe the end-host space, agents to identify individual switches or routers, and agent-ranges to identify a range of addresses where switches or routers can be found. Specifying an interface is only ever needed if you want to override a setting just for that interface.
Note that this structure allows end-hosts and the devices that connect them to be logically grouped together, even if there is no overlap in the address space.
In addition to separating the address space and agents into a navigable tree, this structure also allows additional threshold, SNMP and sampling settings to be attached to the tree at any level. For example, a threshold setting applied to a zone will apply to all the interfaces that fall into that zone, unless the same threshold setting is overridden for a specific group, agent or interface.
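The override rule above (a setting attached at a deeper level of the tree wins over the same setting attached higher up) is easy to get wrong when several levels carry the same setting. The following is an added example, not Traffic Sentinel code: the tree, the setting names and the helper function are constructed for illustration and do not reproduce the product's XML element or attribute names.

```python
# Added example (not Traffic Sentinel code): resolve the setting that applies at a
# given point in the configuration tree, letting deeper levels override shallower
# ones. The tree and the setting names below are constructed for illustration.

def node(level, name, settings=None, children=()):
    return {"level": level, "name": name, "settings": settings or {}, "children": list(children)}

CONFIG = node("site", "hq", {"threshold.utilization": 80, "snmp.read": "public"}, [
    node("zone", "datacenter", {"threshold.utilization": 90}, [
        node("group", "core", {"snmp.read": "core-ro"}, [
            node("agent", "10.0.0.1", {}, [
                # Interfaces are only listed when a setting is overridden for that interface.
                node("interface", "3", {"threshold.utilization": 95}),
            ]),
        ]),
    ]),
    node("zone", "campus", {}, [
        node("group", "building-5", {}, []),
    ]),
])


def effective_setting(root, path, key, default=None):
    """Walk `path` (node names below the root, outermost first) and return
    (value, origin): the deepest node on the path that defines `key` wins.

    A missing interface node just inherits from its agent, because interfaces are
    optional in the configuration; any other missing node is an error."""
    current = root
    value = root["settings"].get(key, default)
    origin = f"{root['level']} {root['name']}" if key in root["settings"] else "default"
    for depth, name in enumerate(path):
        child = next((c for c in current["children"] if c["name"] == name), None)
        if child is None:
            if depth == len(path) - 1 and current["level"] == "agent":
                break  # undeclared interface: inherit from the agent
            raise KeyError(f"no node {name!r} under {current['level']} {current['name']!r}")
        current = child
        if key in current["settings"]:
            value = current["settings"][key]
            origin = f"{current['level']} {current['name']}"
    return value, origin


if __name__ == "__main__":
    for path in (["datacenter", "core", "10.0.0.1", "3"],
                 ["datacenter", "core", "10.0.0.1", "1"],
                 ["campus", "building-5"]):
        print("/".join(path), effective_setting(CONFIG, path, "threshold.utilization"))
```

Interface 3 of agent 10.0.0.1 gets the interface-level limit of 95, its undeclared sibling interface 1 inherits the zone-level 90, and the campus group falls back to the site-level 80; the returned origin tells you which level a surprising value actually came from.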
What are the site settings?
The site settings include the software key, the license serial number and contact information for the server administrator. Settings can be changed on the Sentinel: File>Configure>Edit Configuration page by clicking on the Edit Site link. The following settings are available:
- Enterprise Name, the name of the company or organization that owns the network being monitored.
- Site Name, the name of the campus or city containing the devices being monitored.
- Server, the hostname of the server. This name cannot be changed from within Traffic Sentinel. Consult the documentation for the server operating system if you need to change the hostname. Note: the software key is tied to the hostname, so changing it will require a new key.
- Serial Number, the serial number associated with the software license. This must be the serial number provided with the software key.
- Software Key, the key used to unlock the software. The key is tied to a particular hostname and serial number. If you need to change the hostname then a new key will be required.
- Contact Name, the name of the person responsible for this server.
- Contact Location, the mailstop, address or building where the contact person can be reached.
- Contact Phone, the contact person's phone number.
How do I set the software key?
The software key is set as part of the site settings. You can change the software key on the Sentinel: File>Configure>Edit Configuration page by clicking on the Edit Site link. You will need to set both the Software Key and the Serial Number. The software key is tied to the Server name. If the key doesn't match the server name then it will not be accepted.
How do I edit groupings?
You can change groupings from the Sentinel: File>Configure>Edit Configuration page by clicking one of the Groupings links (Edit Zones, Edit Groups, Edit CIDRs, Edit Agent Ranges, Edit Agents or Edit Interfaces). Groupings are constructed hierarchically: you must define zones before you can add groups to them, you must define groups before you can add CIDRs, Agent Ranges or Agents, and you must define an Agent before you can add an Interface.
To edit groupings you can either click on the grouping name in the navigation bar at the top of the page, or click on the grouping option on the Index page. You will be presented with a list of groupings of the selected type. Click on the Edit button to modify a grouping, click on the Remove button to remove a grouping (and all the items it contains), and click on the New button to define a new grouping.
When editing a group, click on any of the Edit buttons to edit sub-groups and settings.
Depending on the type of group you are editing, additional settings may be available:
CIDR
CIDRs are used to associate end-hosts with a Group. A CIDR is specified by an Address and the number of Mask Bits associated with the subnet mask. These do not have to match the subnets used by your routers, and they may overlap with each other. For example, you might create a group "all" with the CIDR "128.141.0.0/16" in it, and then a separate group with the smaller CIDR "128.141.122.0/24". When assigning addresses to groups, the smallest enclosing CIDR (the longest matching prefix) is used, so a host in 128.141.122.0/24 lands in the smaller group rather than in "all". Grouping hosts in this way is useful when defining security rules (see Signatures>Configure), or when displaying traffic (see Traffic>Circles).
- Group, the group where this CIDR will appear.
- Address, the IP address.
- Mask Bits, the number of mask bits to apply.
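The "smallest enclosing CIDR" rule is a longest-prefix match over possibly overlapping entries. The following added example (not Traffic Sentinel code) implements that assignment with the standard library, validates each CIDR, and flags the one case the rule cannot resolve: two groups declaring the identical CIDR. The group names and subnets are constructed for illustration.

```python
import ipaddress

# Constructed CIDR-to-group table with deliberately overlapping subnets.
CIDRS = [
    ("all",        "128.141.0.0/16"),
    ("building-5", "128.141.122.0/24"),
    ("servers",    "128.141.122.64/27"),
    ("lab-v6",     "2001:db8:1::/48"),
]


def build_table(entries):
    """Validate each CIDR; strict=True rejects an address with host bits set
    (e.g. 128.141.122.1/24), which is usually a typo in the Address field."""
    return [(group, ipaddress.ip_network(cidr, strict=True)) for group, cidr in entries]


def group_for(address, table):
    """Smallest enclosing CIDR (longest prefix) wins; 'other' if nothing encloses it."""
    ip = ipaddress.ip_address(address)
    best = None
    for group, net in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (group, net)
    return best[0] if best else "other"


def ambiguous_cidrs(table):
    """Two groups claiming the identical CIDR leave no 'smallest' winner; report them
    as (cidr, first_group, second_group) so the configuration can be fixed."""
    seen = {}
    clashes = []
    for group, net in table:
        if net in seen and seen[net] != group:
            clashes.append((str(net), seen[net], group))
        seen.setdefault(net, group)
    return clashes


if __name__ == "__main__":
    table = build_table(CIDRS)
    for host in ("128.141.122.70", "128.141.122.5", "128.141.3.1", "10.1.2.3"):
        print(host, "->", group_for(host, table))
    print("ambiguous:", ambiguous_cidrs(table))
```

Running `ambiguous_cidrs` over an exported configuration before installing it catches a duplicate CIDR that the graphical editor will happily accept but that makes host-to-group assignment depend on entry order.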
Agent Range
An agent range describes a range of IP addresses that contain network devices to monitor.
- First Address, the first address in the range.
- Last Address, the last address in the range.
- Scan, indicates whether to search through this range looking for devices that can be configured to send sFlow using SNMP. The scan will happen automatically every night, but if you want your changes to take effect immediately you can initiate a new scan on the File>Control page.
- Override Control, this setting also relates to configuration using the sFlow MIB. If Override Control is set to Override then Traffic Sentinel will add itself as a monitoring receiver, even if that means taking over from another application.
- Enable, can be set to Disable to explicitly avoid discovering agents in this range, and to turn off monitoring on any agent in that range that might have been discovered before.
Agent
- Group, the group where this agent will appear.
- Address. This is the address that will be used to communicate with the device's SNMP Agent.
- Override Control see Agent Range above.
- Enable see Agent Range above.
Interface
Interfaces only need to be specified if particular settings are to be applied to the interface, such as custom thresholds. Otherwise interfaces will be automatically discovered.
- Agent, the device whose interface is being specified.
- IfIndex, the MIB-II ifIndex number of the interface.
How do I set thresholds?
You can edit thresholds from the Sentinel: File>Configure>Edit Configuration page by clicking the Edit Threshold Settings link.
A threshold setting applies a limit to an interface metric. Specify the Metric and the Limit, the value of the metric beyond which the threshold is exceeded. The Minutes over Limit and Total Minutes settings specify how long the metric must exceed the limit before an event is generated: with Minutes over Limit set to 5 and Total Minutes set to 10, an event results if the limit is exceeded for 5 minutes in any 10 minute interval, so a single one-minute spike does not generate an event. The Min. ifSpeed and Max. ifSpeed settings limit the scope of the threshold to interfaces whose speed falls in that range, which allows different threshold settings to be applied depending on the interface speed. Finally, the Enable flag can be used to Disable or Enable a particular threshold.
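The "5 minutes in any 10 minute interval" rule is a sliding window over per-minute samples. The following added example (not Traffic Sentinel code) replays a constructed series of one-minute samples and shows when such a threshold would raise an event and when it would not; the clear rule (an event clears once no sample in the window exceeds the limit) is a choice made for this example, since the page does not describe one.

```python
from collections import deque


def threshold_events(samples, limit, minutes_over, total_minutes):
    """Replay one-minute metric samples and return (minute, "alert"|"clear") events.

    An alert is raised the first minute in which at least `minutes_over` of the
    most recent `total_minutes` samples exceeded `limit`. Clearing when the window
    no longer contains any sample over the limit is an assumption of this example."""
    if not 0 < minutes_over <= total_minutes:
        raise ValueError("minutes_over must be between 1 and total_minutes")
    window = deque(maxlen=total_minutes)   # holds one bool per minute, oldest dropped
    events = []
    alerting = False
    for minute, value in enumerate(samples):
        window.append(value > limit)
        over = sum(window)
        if not alerting and over >= minutes_over:
            alerting = True
            events.append((minute, "alert"))
        elif alerting and over == 0:
            alerting = False
            events.append((minute, "clear"))
    return events


# Constructed utilisation samples (percent, one per minute):
# every other minute over 80% for ten minutes, then quiet.
FLAPPING = [10, 90, 10, 90, 10, 90, 10, 90, 10, 90] + [10] * 10
# A four-minute burst: never reaches 5 minutes over the limit in any 10.
BURST = [90, 90, 90, 90] + [10] * 8

if __name__ == "__main__":
    print("flapping:", threshold_events(FLAPPING, limit=80, minutes_over=5, total_minutes=10))
    print("burst:   ", threshold_events(BURST, limit=80, minutes_over=5, total_minutes=10))
```

The flapping link trips the threshold at minute 9 (its fifth excursion inside the ten-minute window) even though it is never over the limit for two consecutive minutes, while the four-minute burst never does; when tuning Minutes over Limit and Total Minutes, replaying a day of real samples through a function like this is quicker than waiting for events.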
How do I change SNMP settings?
You can edit SNMP settings from the Sentinel: File>Configure>Edit Configuration page by clicking the Edit SNMP Settings link.
An SNMP setting controls how the server uses SNMP to talk to the agents. The Read Community is used when scanning for agents in an Agent Range, when polling counters and when reading agent configuration. The Write Community is used when performing SNMP SET operations (for example, configuring sFlow through the sFlow MIB). If a Write Community is not provided, the Read Community is used for both GET and SET operations. Prefer a dedicated Write Community over this fallback: a community string that a device accepts for SET is a credential for reconfiguring that device, and should not be the same string that is handed out for read-only monitoring. Finally, the Enable flag can be used to Disable or Enable SNMP access to agents. SNMP is used to get interface names and agent information, and to poll counters from non-sFlow devices, so disabling SNMP is only recommended where there is no interest in managing the device.
The settings User, Auth. Protocol, Auth. Password, Priv. Protocol, and Priv. Password are only necessary if SNMPv3 is used. Omit the Auth. Password if you don't want to use authentication (noAuthNoPriv), and omit the Priv. Password if you don't want to use privacy (authNoPriv). SNMPv1 and SNMPv2c community strings travel in cleartext, so where the agents support it, SNMPv3 with both authentication and privacy is the safer choice.
How do I change sampling settings?
You can edit sampling settings from the Sentinel: File>Configure>Edit Configuration page by clicking the Edit Sampling Settings link.
The sampling setting specifies the packet sampling rate that will be used when configuring an agent using the sFlow (or XRMON) MIB. The Sampling Rate determines the fraction of packets sampled. For example, a value of 100 would mean that, on average, 1 in every 100 packets would be sampled. The Min. ifSpeed and Max. ifSpeed settings allow different sampling rates to be set for interfaces depending on their speeds. An interface will match the first entry for which the condition Min <= ifSpeed < Max is satisfied. Generally, larger Sampling Rate settings are used for faster interfaces. The default settings are usually adequate and provide a useful guide when manually configuring sampling using the CLI.
If sFlow has been configured on the agent using its CLI then this parameter will have no effect. The sampling rate configured on the agent will be adopted and will override any setting made here.
Similarly, if the agent is sending IPFIX, NetFlow or LFAP flow records, then the packet sampling rate being used on the agent will usually be indicated in a field in the data packets. In that case also, the sampling rate configured on the agent will be adopted.
If the agent is not using packet sampling at all, and is sending flow-records generated from every packet, then the sampling rate setting configured here will be applied. It is applied so that the results are equivalent to that packet sampling rate being applied on the agent prior to the flow-cache.
If the agent is using packet sampling but is not indicating the sampling rate in the data packets, then you must follow these steps:
- Add a special sampling entry just for this agent.
- Match the sampling rate setting to the one being used on the agent.
- Edit the XML configuration directly to add:
preSampled="true"
as an extra parameter in that <sampling> section.
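The four cases above (rate configured via the sFlow MIB, rate set on the agent's CLI, rate carried in flow records, and a pre-sampled agent that does not report its rate) decide whether the server's counts are right. The following added example (not Traffic Sentinel code) implements the first-match speed-range lookup and then works the packet-count arithmetic for each case in expectation, so the cost of a misconfiguration is visible. The sampling table values are constructed for illustration and are not the product's defaults.

```python
# Constructed sampling table: Min <= ifSpeed < Max, first match wins. The rates are
# illustrative, not the product's defaults.
SAMPLING_TABLE = [
    (0,              1_000_000_000,  256),   # below 1 Gbit/s
    (1_000_000_000,  10_000_000_000, 1024),  # 1 Gbit/s up to (not including) 10 Gbit/s
    (10_000_000_000, float("inf"),   4096),  # 10 Gbit/s and faster
]


def configured_rate(ifspeed, table=SAMPLING_TABLE):
    """Return the rate of the first entry whose half-open range contains ifSpeed."""
    for lo, hi, rate in table:
        if lo <= ifspeed < hi:
            return rate
    return None


def expected_estimate(true_packets, agent_rate, reports_rate, configured, pre_sampled):
    """Expected packet count the collector reports for a flow (no randomness).

    agent_rate:   rate actually in use on the agent (1 = every packet is exported)
    reports_rate: True if the agent's packets carry that rate (sFlow, or a flow
                  record with a sampling field)
    configured:   the server-side rate matching this interface
    pre_sampled:  the preSampled="true" flag on this agent's sampling entry
    In expectation the agent exports true_packets / agent_rate packets."""
    exported = true_packets / agent_rate
    if reports_rate:
        return exported * agent_rate            # rate adopted from the data: exact
    if pre_sampled:
        return exported * configured            # exact only if configured == agent_rate
    # No rate in the data and not flagged: the server thins the records itself,
    # which is correct for unsampled records (agent_rate == 1) and undercounts
    # by a factor of agent_rate otherwise.
    return (exported / configured) * configured


if __name__ == "__main__":
    rate = configured_rate(1_000_000_000)
    print("1 Gbit/s link uses 1 in", rate)
    for label, args in [
        ("unsampled NetFlow, server thins", (1_000_000, 1, False, rate, False)),
        ("agent samples 1:1000 and says so", (1_000_000, 1000, True, rate, False)),
        ("agent samples 1:1000, silent, not flagged", (1_000_000, 1000, False, rate, False)),
        ("flagged preSampled, rate matched", (1_000_000, 1000, False, 1000, True)),
        ("flagged preSampled, rate mismatched", (1_000_000, 1000, False, rate, True)),
    ]:
        print(f"{label:45s} -> {expected_estimate(*args):,.0f} packets")
```

For a flow of a million packets, an agent that samples 1:1000 without saying so and without the preSampled flag shows up as a thousand packets, and a preSampled entry whose rate is off by 2.4 percent reports 1,024,000; the flag alone is not enough, the rate in the entry has to match the agent's.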
How can I back up the configuration?
You can download the configuration file from the Sentinel: File>Configure>XML page. Click on the Download link and save a copy of the configuration file. You can reinstall this file by entering its path in the Install XML Configuration File box and clicking Submit.
Can I change the names associated with protocols?
The file /usr/local/inmsf/etc/config/protocols.txt contains names for well known protocol numbers.
You can view or change the protocols.txt file on the Sentinel:File>Logs page.
How do I ensure that clients and servers are correctly identified?
The file /usr/local/inmsf/etc/config/protocolPriorities.txt controls the priority ordering of TCP and UDP ports. It is used to determine which end of a connection was the client and which was the server. When comparing the source and destination port numbers in a flow, the port with the higher priority (the one appearing earlier in the list) is assumed to be the server port.
You can view or change the protocolPriorities.txt file on the Sentinel:File>Logs page.
How can I group similar protocols together?
The file /usr/local/inmsf/etc/config/protocolGroups.txt
is used to classify and name groups of protocols. The format of each line is:
name,protocol,port-range[,port-range...]
The semicolon character ";" is used to indicate a comment.
You can view or change the protocolGroups.txt file on the Sentinel:File>Logs page.
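The two files above work together: protocolPriorities.txt decides which end of a flow is the server, and protocolGroups.txt names the group that server port belongs to. The following added example (not Traffic Sentinel code) parses constructed samples of both files and classifies flows. The page documents only the protocolGroups.txt line format and the ';' comment character; the one-entry-per-line "protocol:port" layout assumed for protocolPriorities.txt, the "TCP"/"UDP" protocol names, the "lo-hi" port-range syntax and the lower-port tie-break for ports not in the priority list are all assumptions of this example.

```python
# Constructed sample of protocolPriorities.txt. Assumed layout: one protocol:port per
# line, earlier lines have higher priority, ';' starts a comment.
PRIORITIES_TXT = """; constructed sample: earlier = higher priority
TCP:80
TCP:443
UDP:53
TCP:22
TCP:3389
"""

# Constructed sample of protocolGroups.txt in the documented
# name,protocol,port-range[,port-range...] form. "lo-hi" ranges are an assumption.
GROUPS_TXT = """; constructed sample
web,TCP,80,443,8000-8080
dns,UDP,53
remote-admin,TCP,22,3389
"""


def strip_comment(raw):
    return raw.split(";", 1)[0].strip()


def parse_priorities(text):
    """Map (protocol, port) -> rank; lower rank means higher priority."""
    prio = {}
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        proto, port = line.split(":")
        prio.setdefault((proto.strip().upper(), int(port)), len(prio))
    return prio


def parse_port_range(spec):
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def parse_groups(text):
    """Return [(name, protocol, [(lo, hi), ...]), ...] in file order."""
    groups = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected name,protocol,port-range")
        name, proto, *ranges = fields
        groups.append((name, proto.upper(), [parse_port_range(r) for r in ranges if r]))
    return groups


def server_port(proto, src_port, dst_port, prio):
    """The port appearing earlier in the priority list is the server port.
    Assumption for this example: if neither port is listed, the lower port wins."""
    ps, pd = prio.get((proto, src_port)), prio.get((proto, dst_port))
    if ps is None and pd is None:
        return min(src_port, dst_port)
    if pd is None:
        return src_port
    if ps is None:
        return dst_port
    return src_port if ps < pd else dst_port


def classify(proto, src_port, dst_port, prio, groups):
    """Name of the first group whose protocol and port ranges cover the server port."""
    port = server_port(proto, src_port, dst_port, prio)
    for name, gproto, ranges in groups:
        if gproto == proto and any(lo <= port <= hi for lo, hi in ranges):
            return name
    return "other"


if __name__ == "__main__":
    prio, groups = parse_priorities(PRIORITIES_TXT), parse_groups(GROUPS_TXT)
    for flow in [("TCP", 51514, 443), ("TCP", 443, 51514), ("TCP", 22, 3389), ("TCP", 25, 52000)]:
        print(flow, "->", classify(*flow, prio, groups))
```

The ordering matters when both ports are in the list: a flow between port 22 and port 3389 is attributed to whichever of the two appears first in protocolPriorities.txt, so a service that you add near the bottom of the list can be misattributed to a higher-priority service when its clients happen to use that port.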
How do I control the length of history and disk space used to store history?
Three parameters: KeepActiveMinutes, KeepHistoryDays and KeepFreeMBytes are used to manage data retention. These parameters are set in the global.prefs file.
How can I get events sent by email, RSS, SNMP traps or logged using syslog?
Any events that appear under Sentinel: Events>List can be processed by a script and forwarded via:
- RSS feed
- email
- system log
- SNMP trap
To use the RSS feed, select the event list that you want to follow, then click the button provided. The other event forwarding options work because a script is called with each event:
/usr/local/inmsf/scripts/eventScript
The script provided can be edited or replaced to customize this behavior. It picks up its settings from the global.prefs file. For example, to have events logged to the system log, forwarded by mail to the address operator@mycompany.com and sent as traps to the host 10.10.1.25, edit the file and add the following lines:
event.syslog = YES
event.mail = operator@mycompany.com
event.trap = 10.10.1.25
For mail to be forwarded successfully the service sendmail must be configured on your server. Use a comma separated list of addresses if you want to send email events to more than one recipient.
For traps to be forwarded successfully the rpm package net-snmp-utils must be installed. The traps are described by the INMON-TRAP-MIB.
Are there any other configuration settings available?
Each line in the configuration text file /usr/local/inmsf/etc/config/global.prefs has the format:
variable = value
with the semicolon character ';' being used to indicate comment fields.
You can view or change the global.prefs settings using the Sentinel:File>Logs page.
These settings are only read when a process starts. Some processes run continuously, so they may have to be restarted before a new setting can take effect. The Sentinel: File>Control page allows either the data collection or the web server processes to be restarted. In the table below, the "Restart" column indicates which restart (if any) is required:
Setting | Default Value | Description | Restart |
---|---|---|---|
KeepActiveMinutes | 480 (8 hours) | How long to keep the per-interface traffic database (rtcounters and rttraffic) | |
KeepHistoryDays | 35 | How long to keep the consolidated traffic database (historycounters, historyflows and events) | |
KeepFreeMBytes | 400 | The oldest history days will be deleted automatically if the disk partition fills. | |
dns.localsuffix | <not set> | If set to ".mycompany.com" then DNS names with this suffix will be displayed in their short form (with this suffix removed). | web server |
SNMPCounterPollInterval | 30 (seconds) | Unless overridden in the XML configuration file, this is the polling interval used to poll interface counters from an agent via SNMP. | data collection and web server |
SFlowSamplePort | 6343 | UDP port to listen on for sFlow® | data collection and web server |
IPFIXPort | 4739 | UDP port to listen on for IPFIX | data collection and web server |
NetFlowPort | 9985 | UDP port to listen on for NetFlow™ (version 1,5,7 or 9) | data collection and web server |
LFAPPort | 3145 | TCP port to listen on for Riverstone LFAP (version 5) | data collection and web server |
SFlowMIBSamplePort | 26343 | UDP port used for sFlow MIB data (configured automatically via SNMP) | data collection and web server |
XRMONSamplePort | 19985 | UDP port used for Hewlett Packard XRMON data (configured automatically via SNMP) | data collection and web server |
chart.trend.truncate | 5 | Number of legend entries (colors) in Traffic>Trend chart | web server |
chart.trend.height | 350 (pixels) | Height of Traffic>Trend chart | web server |
chart.circles.truncate | 100 | Maximum number of lines (top flows) displayed in Traffic>Circles chart | web server |
chart.circles.height | 450 (pixels) | Height of Traffic>Circles chart | web server |
map.height | 600 (pixels) | Height of Maps view | web server |
event.syslog | <not set> | Set to YES to configure the default event script to log events to syslog | |
event.mail | <not set> | Set to an email address to configure the default event script to send events by email. sendmail(1) must be configured on the server for this to work. See /usr/local/inmsf/scripts/eventScript | |
event.trap | <not set> | Set to the IP address of an SNMP trap listener to configure the default event script to send events as SNMP traps. The net-snmp-utils rpm package must be installed. The traps sent by the default event script are described by the trapMIB specification | |
event.severity | 2 | This integer controls which events are forwarded to syslog, mail or trap: 1 = all events, 2 = warning and severe events, 3 = severe events only. | |
session.timeout | 1800 (seconds) | If your session is idle for this long, then it will terminate and you will have to log in again. | |
report.readurl.protocol.http | YES | Set to NO to disable script access to URLs starting with "http". | web server |
report.readurl.protocol.https | YES | Set to NO to disable script access to URLs starting with "https". | web server |
report.readurl.protocol.file | NO | Set to YES to allow script access to URLs starting with "file". | web server |
interface.name | ifName | Controls how interfaces are named. Valid settings are ifName, ifAlias, ifDescr or ifIndex (or a comma separated list of these in order of preference). | web server |
agent.name | sysName | Controls how agents are named. Valid settings are sysName, DNS, or IP. | data collection and web server |
link.agent.label.0 | <not set> | Specify the label of a link to be added to the Search > Agent/Interface page. | web server |
link.agent.url.0 | <not set> | Specify a link to be added to the Search > Agent/Interface page. The token {0} in the URL string will be replaced by the agent IP address. | web server |
link.interface.label.0 | <not set> | Specify the label of a link to be added to the Search > Agent/Interface page. | web server |
link.interface.url.0 | <not set> | Specify a link to be added to the Search > Agent/Interface page. The token {0} in the URL string will be replaced by the agent IP address and the token {1} will be replaced by the ifIndex. | web server |
link.host.ipv4.label.0 | <not set> | Specify the label of a link to be added to the Search > Host page. | web server |
link.host.ipv4.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host IP address. | web server |
link.host.mac.label.0 | <not set> | Specify the label of a link to be added to the Search > Host page. | web server |
link.host.mac.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host MAC address. | web server |
link.protocol.label.0 | <not set> | Specify the label of a link to be added to the Search > Protocol page. | web server |
link.protocol.url.0 | <not set> | Specify a link to be added to the Search > Protocol page. The token {0} in the URL string will be replaced by the protocol and the token {1} will be replaced by the port number. | web server |
report.snmp.allow | YES | Allow snmp requests to be made from report templates and scripts. | web server |
search.snmp.allow | YES | Allow snmp requests to be made in Search > Host. | web server |
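The event forwarding settings described under "How can I get events sent by email, RSS, SNMP traps or logged using syslog?" and the "variable = value" format with ';' comments defined above both end up in global.prefs. The following added example (not Traffic Sentinel code, and not a replacement for eventScript) parses a constructed global.prefs, applies the event.severity filter and expands the event.* destinations, and runs a small hardening check over the settings that widen what report scripts may reach. The severity names "info", "warn" and "severe" mapped onto the documented 1/2/3 scale, and the 3600-second session timeout threshold, are assumptions of this example.

```python
# Constructed global.prefs sample in the documented "variable = value" form.
PREFS_TXT = """; constructed sample global.prefs
event.syslog = YES          ; comment after a value
event.mail = operator@mycompany.com, noc@mycompany.com
event.trap = 10.10.1.25
event.severity = 2
session.timeout = 1800
report.readurl.protocol.file = NO
"""

# Assumed mapping of event severity names onto the documented scale
# (1 = all, 2 = warn and severe, 3 = severe only).
SEVERITY_LEVELS = {"info": 1, "warn": 2, "severe": 3}


def parse_prefs(text):
    """Parse 'variable = value' lines; ';' starts a comment anywhere on a line."""
    prefs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'variable = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        prefs[key] = value
    return prefs


def should_forward(event_severity, prefs):
    """True if an event of this severity passes the event.severity filter."""
    threshold = int(prefs.get("event.severity", "2"))
    return SEVERITY_LEVELS[event_severity] >= threshold


def destinations(prefs):
    """Expand event.syslog / event.mail / event.trap into (kind, target) pairs;
    event.mail may be a comma separated list of addresses."""
    dests = []
    if prefs.get("event.syslog", "").upper() == "YES":
        dests.append(("syslog", None))
    for addr in prefs.get("event.mail", "").split(","):
        if addr.strip():
            dests.append(("mail", addr.strip()))
    if prefs.get("event.trap"):
        dests.append(("trap", prefs["event.trap"]))
    return dests


def risky_settings(prefs):
    """Flag settings a reviewer would question before enabling report scripting."""
    findings = []
    if prefs.get("report.readurl.protocol.file", "NO").upper() == "YES":
        findings.append("report.readurl.protocol.file=YES lets report scripts read local files")
    # 3600 s is an arbitrary review threshold chosen for this example.
    if int(prefs.get("session.timeout", "1800")) > 3600:
        findings.append("session.timeout above one hour leaves idle sessions logged in")
    return findings


if __name__ == "__main__":
    prefs = parse_prefs(PREFS_TXT)
    for sev in ("info", "warn", "severe"):
        print(sev, "forwarded:", should_forward(sev, prefs))
    print(destinations(prefs))
    print(risky_settings(prefs) or "no findings")
```

With event.severity left at its default of 2, informational events never reach syslog, mail or the trap receiver, which is easy to forget when a test event fails to arrive; and because these settings are only read at process start, a changed value is not in effect until the relevant restart from the table above.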