Tech
QRadar integration
ADS eevents
Correlation
WIP
Log
Product Training Brno 2018.09
Exclude filter
Filter add
Use cases
Peering optimization
HOW?????????????????????,
DDoS
tune up
adaptive baseline
Trending
Scripting
FTI
HTTP host names via probes
SQL like syntax to write your own
Items
Probe
IPFIX over TLS
Collector
Intro
We are best in
Multitenancy
RESTful API
cloud or on premise
400k fps per collector
40G/100G probes
Trends
Flow-enabled devices grow in number
L7 app info
NBAR2
USER PERSP
FTR
on demand and auto capture
APM Transgen
recording
auto testing
HTTP/S and SQL
NG SEC
endpoint, perimeter, signature less
NBA
NG mon
NRT
Flows
STD
sFLow
packet sampled
NEL, NSEL
Cisco fw logs
jFlow
Juniper
NetStream
Huawei
IPFIX
v9
templates, flexible
vlan, mac provided
v5
no mac, vlan
non key fields
AS number
ifindex
byte count
pkt count
Key fields
dst port
src port
dst ip
src ip
v5, v9, IPFIX
SRC IP DST IP Proto Lifetime, PAckets, sum of bytes
IP, MAC, Proto, packets
What we do
Security
Operations
Visibility and monitoring
Not: endpoint security
Not: Perimeter security
Compatible and competitive
APM
Must practice: NPM views with and without APM
Find out in which cases will we miss certain statistical parameters and why
Notifications
Visible in alerts
Attached to apps and groups
Several metrics selectable
Bases for events and alerts
Analisys
SLAs
Uses groups (nothing to do with the former part)
Define an override of SLA for specific parts of apps
Groups
Defined via filters, configurable when off
Sub-views of a given application
Error counts, error codes
Caveat: DBMS and app communication visibility; i.e. local switching problems
Instances of transactions: specifics
Transactions view: aggregate
Counters based view
3x SLA
2x SLA
SLA
Parallel users
Review median, 99% and 95% views
Subordinate apps
Used to chain apps, e.g. database and webserver
User ID
Usually not used, helpful option though
Transaction ID
URL method
Session identification e.g. virtual hosting
Cookies
Wildcards, regexps
User-Agent
Response codes
URL param
URL File ext
URL path
Must define VLAN tags
Probe config
Driver (!)
remote
Local
DDos
DDoS profiles as opposed to FMC profiles
Must check: shadow profiles as parents?
Must review: detection methods
Community
Preconfigured action on the router
ADS
Tuning
Applies to false positives as well
Notable exception: can delete associated events
Previously evaluated events remain in the DB
Actions
Traffic Recorder
Script
Syslog
SNMP
Events View
Aggregated view
Visual patterns of events
View by hosts and number of event occurrences
Categories
Assign events to categories... then categories are searchable
Create in processing
E.g. L1, L2, L3 cases
Different top categories
...
Most hits
Latest
Blacklists
Use your own
Downloaded every 6h
Perspectives
Classify events
FCP instance - 1 flow source profile
Can use relations filter
Associated to individual detection methods
Works with batches of 5 mins
Check: flow processing is coming to ADS too?
Flow sources
Sampling rate; syntax 1:x
Deduplication: flows passing multiple points counted only once
Uses real parent profile
Explicit specification of what is used
Wizard
External services: support purposes and patterns
Hosts count
NTP
DHCP srv
Proxy
DNS
Mail
Servers
Public IPs
FW?
LAN
Template
Erases all previous data
Need to be in Processing
ISP version -> sampling
FCP instances
15k fps hardware limit
Amount of flows analyzed?
Internal options in licensing?
Cache.key?
NPMD
Traffic recorder
Data port - raw format or pcaps?
Traffic recorder only receives the pcaps
Traffic recorder - Probe is essential to captures
Voice analysis
Licensing?
Active devices
Main purpose?
Reporting
Need to personally look at options
Chapters daunting, any knowledge on reports used the most?
Idea: find key applications and report on their use
APM data in reports?
Alerting
Run script
Who runs the script?
User
Root
Execution where?
Routing table use
Flowmon appliance?
Granularity plays an important role here!
30sec
5min
Typical use cases, must-have alerts?
Profiles
What happens when we actually assign source to a role?
Granularity must match the parent
Shadow can not be used for alerting, children and other modules such as ADS or DDoS defender
OK for analysis
OK for reporting
Maximal size, data retention: do we copy the data or is it a subset of the parent data?
Shadow vs Real?
Flow statistics and views
Are these tabs connected?
Aggregation
E.g. source and dest ip; what happens actually?
Use cases?
Looking at specific conversations
Typical
What is the basis of calculation?
NPM Server Response Time
NPM RTT
NPM Jitter
