Traffic Sentinel : Help

The Configure page is used to divide the network into administrative groups and to set policies.



I am setting up the product for the first time, how do I get started?

Step by step instructions for configuring Traffic Sentinel are provided in Tutorial: Configuring Traffic Sentinel.


What configuration settings are available?

The Traffic Sentinel configuration allows you to tell the server what to monitor and what settings to apply. Configuration settings include:

The configuration is represented as an XML document on the server. You can choose to view and edit the XML directly, or you can use the graphical editor provided. In the Options pane you can select:

The configuration is represented as a hierarchical tree-structure:

Note: the term CIDR (Classless Inter-domain Routing) is used here to mean any IP subnet expressed in the form: address/mask-bits.

The enterprise and site levels are fixed, because one server is always responsible for just one site (even if this particular "site" spans several locations). The zone and group levels are abstract. There is no limit on how many can be defined, and they can be given any name. A common convention is to use zones to represent distinct locations, with groups being used to describe separate buildings or floors. It is also common to separate out the network core from the edge. A typical setup will divide the network into about ten zones. Within a zone, each group can be a collection of CIDRs to describe the end-host space, agents to identify individual switches or routers, and agent-ranges to identify a range of addresses where switches or routers can be found. Specifying an interface is only ever needed if you want to override a setting just for that interface.

Note: this structure allows end-hosts and the devices that connect them to be logically grouped together, even if there is no overlap in the address space.

In addition to separating the address space and agents into a navigable tree, this structure also allows additional threshold, SNMP and sampling settings to be attached to the tree at any level. For example, a threshold setting applied to a zone will apply to all the interfaces that fall into that zone, unless the same threshold setting is overridden for a specific group, agent or interface.


What are the site settings?

The site settings include the software key and license number, and contact information for the server administrator. Settings can be changed on the Sentinel: File>Configure>Edit page by clicking on the Edit Site link. The following settings are available:


How do I set the software key?

The software key is set as part of the site settings. You can change the software key on the Sentinel: File>Configure>Edit page by clicking on the Edit Site link. You will need to set both the Software Key and the Serial Number. The software key is tied to the Server name. If the key doesn't match the server name then it will not be accepted.

If the software key is rejected you may get one of the following error messages:


How do I edit groupings?

You can change groupings from the Sentinel: File>Configure>Edit page by clicking one of the Groupings links (Edit Zones, Edit Groups, Edit CIDRs, Edit Agent Ranges, Edit Agents or Edit Interfaces). Groupings are constructed hierarchically: you must define zones before you can add groups to them. You must define groups before you can add CIDRs, Agent Ranges or Agents. You must define an Agent before you can add an Interface.

To edit groupings you can either click on the grouping name in the navigation bar at the top of the page, or click on the grouping option on the Index page. You will be presented with a list of groupings of the selected type. Click on the Edit button to modify a grouping, click on the Remove button to remove a grouping (and all the items it contains), or click on the New button to define a new group.

When editing a group, click on any of the Edit buttons to edit sub-groups and settings.

Depending on the type of group you are editing, additional settings may be available:

CIDR

CIDRs are used to associate end-hosts with a Group. A CIDR is specified by an Address and the number of Mask Bits associated with the subnet mask. These do not have to match the subnets used by your routers, and they may overlap with each other too. For example, you might create a group "all" with the CIDR "128.141.0.0/16" in it, and then a separate group with the smaller CIDR "128.141.122.0/24". When assigning addresses to groups, the smallest enclosing CIDR is used. Grouping hosts in this way is useful when defining security rules (see Signatures>Configure), or when displaying traffic (see Traffic>Circles).

CIDR (IPv6)

IPv6 CIDRs are used to associate IPv6 hosts with a Group (see CIDR above).

Agent Range

An agent range describes a range of IP addresses that contain network devices to monitor.

Agent Range (IPv6)

IPv6 agent ranges are used to describe a range of IPv6 addresses (see Agent Range above).

Agent

A network device to monitor (identified by its IP address).

Agent (IPv6)

IPv6 agents are identified by an IPv6 address (see Agent above).

Interface

Interfaces only need to be specified if particular settings are to be applied to the interface, such as custom thresholds. Otherwise interfaces will be automatically discovered.
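The smallest-enclosing-CIDR rule described under CIDR above, as an added Python example (not Traffic Sentinel's own code). The "all" and "lab" CIDRs are the two from the text; the group name "lab", the "dmz" and "v6-all" groups and all IPv6 prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample groupings (group name -> CIDRs). The first two CIDRs come
# from the text above; everything else is made up for illustration.
GROUP_CIDRS = {
    "all": ["128.141.0.0/16"],
    "lab": ["128.141.122.0/24"],
    "dmz": ["128.141.122.128/25", "2001:db8:122::/48"],
    "v6-all": ["2001:db8::/32"],
}


def build_table(group_cidrs):
    """Flatten {group: [cidr, ...]} into a list of (network, group) pairs.

    strict=True rejects entries with host bits set (e.g. 128.141.122.1/24),
    which usually means a typo in the address or in the mask bits.
    """
    table = []
    for group, cidrs in group_cidrs.items():
        for cidr in cidrs:
            table.append((ipaddress.ip_network(cidr, strict=True), group))
    return table


def group_for(address, table):
    """Return the group of the smallest CIDR that encloses address.

    "Smallest enclosing" means the matching network with the most mask bits.
    Returns None when no configured CIDR contains the address.
    """
    ip = ipaddress.ip_address(address)
    best = None
    for net, group in table:
        # IPv4 addresses are only compared with IPv4 CIDRs, IPv6 with IPv6.
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, group)
    return best[1] if best else None


TABLE = build_table(GROUP_CIDRS)

if __name__ == "__main__":
    for addr in ("128.141.5.9", "128.141.122.7", "128.141.122.200",
                 "2001:db8:122::1", "2001:db8:1::1", "10.0.0.1"):
        print(addr, "->", group_for(addr, TABLE))
```

Addresses that fall outside every CIDR come back as None, which is worth checking for when security rules are written against group names.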


How do I set thresholds?

You can edit thresholds from the Sentinel: File>Configure>Edit page by clicking the Edit Threshold Settings or Edit Host Threshold Settings link. The two options apply thresholds to interface counters or host performance counters respectively.

Specify the Metric and a Limit, or value of the metric that will trigger the threshold. The Minutes over Threshold and Total Minutes settings are used to specify a duration over which the metric must exceed the limit before an alert is generated. For example, if Minutes over Limit was set to 5 and Total Minutes was set to 10 then an alert would result if the limit were exceeded 5 minutes in any 10 minute interval.

The Min. ifSpeed and Max. ifSpeed are used to limit the scope of the threshold to only links with particular speeds. The threshold will only be applied to interfaces that fall in the specified speed range. This allows different threshold settings to be applied depending on the interface speed.

Finally, the Enable flag can be used to Disable or Enable a particular threshold.
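The duration rule above ("5 minutes in any 10 minute interval"), as an added Python example that is not the product's own code. It assumes one metric value per minute, that "exceeded" means strictly greater than the Limit, and that the ifSpeed range is half-open (Min <= ifSpeed < Max) as stated for sampling settings; the sample values are constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Threshold:
    limit: float                 # Limit
    minutes_over: int            # Minutes over Threshold
    total_minutes: int           # Total Minutes
    min_ifspeed: float = 0       # Min. ifSpeed
    max_ifspeed: float = float("inf")  # Max. ifSpeed
    enabled: bool = True         # Enable flag

    def applies_to(self, ifspeed):
        # Assumption: same half-open range as the sampling settings.
        return self.enabled and self.min_ifspeed <= ifspeed < self.max_ifspeed


def minutes_in_alert(threshold, ifspeed, per_minute_values):
    """Return the minute indices at which the alert condition holds.

    The condition holds when, within the last total_minutes values, at least
    minutes_over of them exceeded the limit. The minutes over the limit do
    not have to be consecutive. How the product de-duplicates repeated
    alerts is not described on the page, so every such minute is returned.
    """
    if not threshold.applies_to(ifspeed):
        return []
    window = deque(maxlen=threshold.total_minutes)  # sliding window of booleans
    hits = []
    for minute, value in enumerate(per_minute_values):
        window.append(value > threshold.limit)
        if sum(window) >= threshold.minutes_over:
            hits.append(minute)
    return hits


# Constructed per-minute utilisation samples (percent).
ALTERNATING = [90, 10] * 5 + [10] * 3   # over the limit every other minute
SHORT_BURST = [90] * 4 + [10] * 10      # only 4 minutes over the limit

if __name__ == "__main__":
    rule = Threshold(limit=80, minutes_over=5, total_minutes=10)
    print(minutes_in_alert(rule, 1e9, ALTERNATING))
    print(minutes_in_alert(rule, 1e9, SHORT_BURST))
```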


How do I change SNMP settings?

You can edit SNMP settings from the Sentinel: File>Configure>Edit page by clicking one of the Edit SNMP Settings links.

An SNMP setting controls how the server will use SNMP to talk to the agents. The Read Community is used when scanning for agents in an Address Range. It is also used when polling counters or reading agent configuration. The Write Community is used when performing SNMP-SET operations. If a Write Community is not provided, the Read Community will be used for both GET and SET operations. Finally, the Enable flag can be used to Disable or Enable SNMP access to agents. SNMP is used to get interface names, agent information, and to poll counters from non-sFlow devices. Disabling SNMP is only recommended in situations where there is no interest in managing the device.

The settings User, Auth. Protocol, Auth. Password, Priv. Protocol, and Priv. Password are only necessary if SNMPv3 is used. Omit the Auth. Password if you don't want to use authentication. Omit the Priv. Password if you don't want to use privacy.


How do I change sampling settings?

You can edit sampling settings from the Sentinel: File>Configure>Edit page by clicking one of the Edit Sampling Settings links.

The sampling setting specifies the packet sampling rate that will be used when configuring an agent using the sFlow (or XRMON) MIB. The Sampling Rate determines the fraction of packets sampled. For example, a value of 100 would mean that, on average, 1 in every 100 packets would be sampled. The Min. ifSpeed and Max. ifSpeed settings allow different sampling rates to be set for interfaces depending on their speeds. An interface will match the first entry for which the condition Min <= ifSpeed < Max is satisfied. Generally, larger Sampling Rate settings are used for faster interfaces. The default settings are usually adequate and provide a useful guide when manually configuring sampling using the CLI.

If sFlow has been configured on the agent using its CLI then this parameter will have no effect. The sampling rate configured on the agent will be adopted and will override any setting made here.

Similarly, if the agent is sending IPFIX or NetFlow flow records, then the packet sampling rate being used on the agent will usually be indicated in a field in the data packets. In that case also, the sampling rate configured on the agent will be adopted.

However, if the NetFlow/IPFIX agent does not indicate that any packet sampling has been applied on the agent, then the sampling rate setting configured here will be applied. It is applied so that the results are equivalent to that packet sampling rate being applied on the agent prior to the flow-cache.

Finally, if the agent is using packet sampling but is not indicating that sampling rate in the data packets, then you must specify the Pre-Sampled Rate to match the sampling rate that you know is being used on the agent. Otherwise the results will be undercounted by that factor.


How can I back up the configuration?

You can download the configuration file from the Sentinel: File>Configure>XML page. Click on the Download link and save a copy of the configuration file. You can reinstall this file by entering its path in the Install XML Configuration File box and clicking Submit.


Can I change the names associated with protocols?

The file /usr/local/inmsf/etc/config/protocols.txt contains names for well known protocol numbers.

You can view or change the protocols.txt file on the Sentinel: File>Logs page.


How do I ensure that clients and servers are correctly identified?

The file /usr/local/inmsf/etc/config/protocolPriorities.txt controls the priority ordering of TCP and UDP ports. It is used to determine which end of a connection was the client and which was the server. When comparing the source and destination port numbers in a flow, the port with the higher priority (the one appearing earlier in the list) is assumed to be the server port.

You can view or change the protocolPriorities.txt file on the Sentinel: File>Logs page.


How can I group similar protocols together?

The file /usr/local/inmsf/etc/config/protocolGroups.txt is used to classify and name groups of protocols. The format of each line is:
name,protocol,port-range,[,port-range...]

The semicolon character ";" is used to indicate a comment.

You can view or change the protocolGroups.txt file on the Sentinel: File>Logs page.


How do I control the length of history and disk space used to store history?

Two parameters, Days of History Data and Mbytes of Free Disk Space, are used to manage data retention. These parameters are set in the Site Settings form.


How can I get events sent by email, RSS, SNMP traps or logged using syslog?

Any events that appear under Sentinel: Events>List can be forwarded via:

To use the RSS field, simply select the event list that you want to follow, then click the button.

The other event forwarding options are configured on the Sentinel: File>Forwarding page.


Are there any other configuration settings available?

Each line in the configuration text file /usr/local/inmsf/etc/config/global.prefs has the format:

  variable = value

with the semicolon character ';' being used to indicate comment fields.

You can view or change the global.prefs settings using the Sentinel: File>Logs page.

These settings are only read when a process starts. Some processes run continuously, so they may have to be restarted before a new setting can take effect. The Sentinel: File>Control page allows either the data collection or the web server processes to be restarted. In the table below, the "Restart" column indicates which restart (if any) is required:

| Setting | Default Value | Description | Restart |
| --- | --- | --- | --- |
| dns.localsuffix | <not set> | If set to ".mycompany.com" then DNS names with this suffix will be displayed in their short form (with this suffix removed). | web server |
| SNMPCounterPollInterval | 30 (seconds) | Unless overridden in the XML configuration file, this is the polling interval used to poll interface counters from an agent via SNMP. | data collection and web server |
| SFlowSamplePort | 6343 | UDP port to listen on for sFlow® | data collection and web server |
| IPFIXPort | 4739 | UDP port to listen on for IPFIX | data collection and web server |
| NetFlowPort | 9985 | UDP port to listen on for NetFlow™ (version 1,5,7 or 9) | data collection and web server |
| SFlowMIBSamplePort | 26343 | UDP port used for sFlow MIB data (configured automatically via SNMP) | data collection and web server |
| XRMONSamplePort | 19985 | UDP port used for Hewlett Packard XRMON data (configured automatically via SNMP) | data collection and web server |
| session.timeout | 1800 (seconds) | If your session is idle for this long, then it will terminate and you will have to log in again. | |
| chart.topn.color.<n> | | Default colors to use for data series in Top N and Circles charts, n=0 is first data series. | web server |
| chart.trend.color.<n> | | Default colors to use for data series in Trend charts, n=0 is first data series. | web server |
| report.readurl.protocol.http | YES | Set to NO to disable report script access to URLs starting with "http". | web server |
| report.readurl.protocol.https | YES | Set to NO to disable report script access to URLs starting with "https". | web server |
| report.readurl.protocol.file | NO | Set to YES to allow report script access to URLs starting with "file". | web server |
| report.readurl.protocol.file.path | <not set> | If set to a directory path, then only files within that path can be read. | web server |
| report.write.allow | NO | Set to YES to allow report scripts to write files. | web server |
| report.write.path | <not set> | If set to a directory path, then only files within that path can be written. | web server |
| report.runcmd.allow | NO | Set to YES to allow report scripts to run shell commands. | web server |
| report.clifunctions.allow | NO | Set to YES to allow report scripts to run all CLI privilege level commands. | web server |
| report.chart.<type>.alpha | 1.0 | Default chart transparency. | web server |
| report.chart.<type>.threeD | NO | Default chart 3d appearance. | web server |
| report.chart.<type>.backgroundColor | white | Default chart background color. | web server |
| report.chart.<type>.plotColor | light_gray | Default chart plot area color. | web server |
| report.chart.<type>.axisColor | black | Default chart axis color. | web server |
| report.chart.<type>.tickmarkColor | dark_gray | Default chart axis tick mark color. | web server |
| report.chart.<type>.gridColor | white | Default chart grid color. | web server |
| report.chart.<type>.height | 300 | Default chart height. | web server |
| report.chart.<type>.width | trend=800,default=400 | Default chart width. | web server |
| report.chart.trend.step | NO | Default appearance of trend lines. | web server |
| report.chart.color.<n> | | Default colors to use for data series, n=0 is first data series. | web server |
| report.chart.format | png | Image encoding for charts, options are png, gif or jpeg. | web server |
| mail.chart.format | <not set> | Override report.chart.format setting for emailed reports. | web server |
| mailfrom | <user@server> | Override from address for emailed events and reports. | web server |
| event.url.host | <not set> | Override the hostname in URLs linking back to Traffic Sentinel | web server |
| event.url.scheme | http | Set the scheme in URLs linking back to Traffic Sentinel | web server |
| event.url.port | <not set> | Override the port in URLs linking back to Traffic Sentinel | web server |
| interface.name | ifName | Controls how interfaces are named. Valid settings are ifName, ifAlias, ifDescr or ifIndex (or a comma separated list of these in order of preference). | web server |
| agent.name | sysName | Controls how agents are named. Valid settings are sysName, DNS, or IP. | data collection and web server |
| link.agent.label.0 | <not set> | Specify the name of a link to be added to the Search > Agent/Interface page. | web server |
| link.agent.url.0 | <not set> | Specify a link to be added to the Search > Agent/Interface page. The token {0} in the URL string will be replaced by the agent IP address. | web server |
| link.interface.label.0 | <not set> | Specify the name of a link to be added to the Search > Agent/Interface page. | web server |
| link.interface.url.0 | <not set> | Specify a link to be added to the Search > Agent/Interface page. The token {0} in the URL string will be replaced by the agent IP address and the token {1} will be replaced by the ifIndex. | web server |
| link.host.ipv4.label.0 | <not set> | Specify the name of a link to be added to the Search > Host page. | web server |
| link.host.ipv4.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host IP address. | web server |
| link.host.ipv6.label.0 | <not set> | Specify the name of a link to be added to the Search > Host page. | web server |
| link.host.ipv6.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host IPv6 address. | web server |
| link.host.mac.label.0 | <not set> | Specify the name of a link to be added to the Search > Host page. | web server |
| link.host.mac.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host MAC address. | web server |
| link.protocol.label.0 | <not set> | Specify the name of a link to be added to the Search > Protocol page. | web server |
| link.protocol.url.0 | <not set> | Specify a link to be added to the Search > Protocol page. The token {0} in the URL string will be replaced by the protocol and the {1} token will be replaced by the port number. | web server |
| report.snmp.allow | YES | Allow snmp requests to be made from report templates and scripts. | web server |
| search.snmp.allow | YES | Allow snmp requests to be made in Search > Host. | web server |
| search.ssh.user | <not set> | Create ssh link in Search>Agent/Interface page using the specified username. | web server |
| config.topbuttonthreshold | 20 | Number of items in configuration list before buttons will be displayed on top of form. | web server |
| radius.authport | 1812 | Set the UDP port for RADIUS authentication requests. | web server |
| radius.timeout | 5 | Number of seconds to wait for a response to a RADIUS request. | web server |
| radius.retries | 3 | Number of RADIUS requests to send before giving up on authenticating a user. | web server |
| Threshold.exclude.ifType | 1-3,72-116,118-160,162-200 | Thresholds will be ignored for these interface types (e.g. "53,135"). | data collection |
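
A review aid for the report-script settings in the table above, as an added Python example that is not part of Traffic Sentinel. It parses the global.prefs format described earlier (variable = value, with ';' comments) and lists every switch that defaults to NO but has been turned on, noting whether a path setting confines it. The sample file content is constructed, and case-insensitive YES/NO matching is an assumption.

```python
# Constructed sample global.prefs content (not from a real server).
SAMPLE_PREFS = """\
; local overrides
dns.localsuffix = .mycompany.com
report.write.allow = YES            ; report.write.path left unset
report.readurl.protocol.file = YES
report.readurl.protocol.file.path = /srv/reports/in
report.runcmd.allow = yes
session.timeout = 1800
"""

# Switches that default to NO in the table above, mapped to the setting
# (if the table lists one) that confines them to a directory.
OFF_BY_DEFAULT = {
    "report.readurl.protocol.file": "report.readurl.protocol.file.path",
    "report.write.allow": "report.write.path",
    "report.runcmd.allow": None,
    "report.clifunctions.allow": None,
}


def parse_prefs(text):
    """Parse 'variable = value' lines; ';' starts a comment."""
    prefs = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue  # blank, comment-only or malformed line
        name, value = (part.strip() for part in line.split("=", 1))
        if name:
            prefs[name] = value
    return prefs


def audit_report_settings(prefs):
    """Return (setting, detail) for each off-by-default switch turned on."""
    findings = []
    for switch, path_key in OFF_BY_DEFAULT.items():
        # Assumption: YES/NO values are compared case-insensitively.
        if prefs.get(switch, "NO").upper() != "YES":
            continue
        if path_key is None:
            detail = "enabled (the table lists no path restriction for it)"
        elif prefs.get(path_key):
            detail = "enabled, confined to " + prefs[path_key]
        else:
            detail = "enabled with no " + path_key + " set"
        findings.append((switch, detail))
    return findings


if __name__ == "__main__":
    for setting, detail in audit_report_settings(parse_prefs(SAMPLE_PREFS)):
        print(setting + ": " + detail)
```

Because these settings are only read when a process starts, the file shows what will apply after the next web server restart, not necessarily what is in effect now.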