Scrutinizer 11.0 Administrator's Guide - SonicWall (software.sonicwall.com/...A_Scrutinizer_11.0_Administrators_Guide.pdf)


Scrutinizer 11.0 Administrator's Guide

© 2013 Dell Inc. Trademarks: Dell, the DELL logo, SonicWALL, and all other SonicWALL product and service names and slogans are trademarks of Dell Inc.

    2013 07 P/N 232-002244-00 Rev. A


    Table of Contents Welcome to the Scrutinizer Manual .................................................................................................... 1

    Overview .................................................................................................................................... 1

    Admin Tab ..................................................................................................................................... 3

    Admin Tab .................................................................................................................................. 3

    Overview ................................................................................................................................. 3

    Admin Tab .................................................................................................................................. 6

    Overview ................................................................................................................................. 6

    SNMP Device View ..................................................................................................................... 10

    Vitals Main View ........................................................................................................................ 11

    Overview ............................................................................................................................... 11

    Alarms Tab .................................................................................................................................. 15

    Alarms Tab ............................................................................................................................... 15

    Overview ............................................................................................................................... 15

    Configuring Alarm Conditions .................................................................................................... 16

    Flow Analytics .............................................................................................................................. 17

    Flow Analytics ........................................................................................................................... 17

    Overview ............................................................................................................................... 17

    Maps Tab .................................................................................................................................... 23

    Maps Main View ......................................................................................................................... 23

    Overview ............................................................................................................................... 23

    Map Connections ....................................................................................................................... 23

    Overview ............................................................................................................................... 23

    Map Settings ............................................................................................................................. 24

    Overview ............................................................................................................................... 24

    Map Groups .............................................................................................................................. 25

    Overview ............................................................................................................................... 25

    Map Objects .............................................................................................................................. 25

    Overview ............................................................................................................................... 25

    Flash Maps ................................................................................................................................ 26

    Overview ............................................................................................................................... 26

    Map Status ............................................................................................................................... 26

    Overview ............................................................................................................................... 26

    Device Overview ........................................................................................................................ 27

    Overview ............................................................................................................................... 27

    Status Tab ................................................................................................................................... 29

    Status Tab ................................................................................................................................ 29

    Overview ............................................................................................................................... 29

  • Scrutinizer Manual

    iv

    System ....................................................................................................................................... 33

    Access Denied ........................................................................................................................... 33

    Backups ................................................................................................................................... 33

    Overview ............................................................................................................................... 33

    Database Connection Failure ........................................................................................................ 34

    Overview ............................................................................................................................... 34

    Distributed Collectors ................................................................................................................. 34

    Overview ............................................................................................................................... 34

    Language Translations ................................................................................................................ 34

    Overview ............................................................................................................................... 34

    Systrax .................................................................................................................................... 35

    Troubleshooting ......................................................................................................................... 35

    Getting Started Guide .............................................................................................................. 35

    Web Server Port ........................................................................................................................ 35

    Overview ............................................................................................................................... 35

    Index .......................................................................................................................................... 37


    Introduction

    Overview

    Welcome to the Dell SonicWALL Scrutinizer 11.0 Administrator's Guide. This manual provides the information you need to successfully activate, configure, and administer the Dell SonicWALL Scrutinizer.

    Resources

There are also online webcasts which give quick overviews (2 to 5 minutes each) of specific features.

    For Scrutinizer frequently asked questions, Click Here.

    For procedures on globally configuring NetFlow, Click Here.

    For timely resolution of technical support questions, visit Dell SonicWALL on the Internet at: http://www.sonicwall.com/us/en/support.html

Adobe Flash Player. Copyright (c) 1996-2013 Adobe Systems Incorporated. All Rights Reserved. Patents pending in the United States and other countries. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries. Please reference the End User License Agreement for more information on using Adobe Flash Player in Scrutinizer.

Links referenced in this section:

http://www.systrax.com/custom/webcasts.php

http://www.sonicwall.com/us/en/products/14633.html

http://www.sonicwall.com/us/en/products/14626.html

http://www.sonicwall.com/us/en/support.html

    Admin Tab

    Admin Tab

    Overview

    The Settings page is primarily left to the administrators.

    Settings:

Alarm Notifications: Enable additional system alarms.

Alarm Settings: Modify settings to optimize syslog and SMTP processing.

    CrossCheck: Specify the thresholds for changing color and the syslog threshold that the Fault Index must reach to trigger a syslog.

    Data History: Specify how long each flow interval is saved.

Historical 1 Min Avg: Saves 100% of all flows received. Make sure the server has enough disk space to save significant quantities of raw flows. The 1 minute intervals consume the most disk space because they are not aggregated and the flows are kept in raw format.

    Historical 5 minute - 1 week Avg: These intervals only save the specified Maximum Conversations after aggregation per interval.

    Maximum Conversations: Used when creating large intervals (e.g. 5 minute) from prior intervals (e.g. 1 minute). All flows are aggregated together per router. The top 10,000 (default) based on bytes are saved.
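The roll-up described above as an added Python illustration (not code from the guide or the product): raw 1-minute records are summed per conversation and per exporter, and only the top Maximum Conversations by bytes survive into the larger interval. The 5-tuple conversation key and the sample flows are assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Conversation key: the guide does not spell out what a "conversation" is, so
# this example ASSUMES the usual 5-tuple (src ip, dst ip, protocol, ports).
ConvKey = Tuple[str, str, int, int, int]


class RawFlow(NamedTuple):
    """One raw 1-minute flow record as the collector keeps it (100% of flows)."""
    exporter: str      # router/switch that exported the flow
    minute: int        # minute index since the top of the hour
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    bytes: int
    packets: int


def roll_up(flows: List[RawFlow], interval_minutes: int = 5,
            max_conversations: int = 10000) -> Dict[Tuple[str, int], List[dict]]:
    """Create the larger interval from prior-interval records.

    Records are bucketed per exporter and per interval_minutes window, summed
    per conversation, and only the top max_conversations by bytes are kept in
    each bucket (10,000 is the guide's default). Everything below the cut-off
    is gone from that interval, which is why the 1-minute raw data is the only
    complete record.
    """
    buckets: Dict[Tuple[str, int], Dict[ConvKey, dict]] = defaultdict(dict)
    for f in flows:
        window = f.minute // interval_minutes
        key: ConvKey = (f.src_ip, f.dst_ip, f.proto, f.src_port, f.dst_port)
        conv = buckets[(f.exporter, window)].setdefault(
            key, {"key": key, "bytes": 0, "packets": 0, "flows": 0})
        conv["bytes"] += f.bytes
        conv["packets"] += f.packets
        conv["flows"] += 1
    rolled: Dict[Tuple[str, int], List[dict]] = {}
    for bucket, convs in buckets.items():
        ranked = sorted(convs.values(), key=lambda c: c["bytes"], reverse=True)
        rolled[bucket] = ranked[:max_conversations]
    return rolled


def dropped_bytes(flows: List[RawFlow], rolled) -> int:
    """Bytes present in the raw records but missing from the rolled-up interval,
    i.e. what a Maximum Conversations setting that is too small throws away."""
    raw_total = sum(f.bytes for f in flows)
    kept_total = sum(c["bytes"] for convs in rolled.values() for c in convs)
    return raw_total - kept_total


# Constructed sample: two exporters; rtr1 has three conversations in its first
# 5-minute window, one of them (DNS) small enough to fall below a tiny cap.
SAMPLE_FLOWS = [
    RawFlow("rtr1", 0, "10.0.0.5", "10.0.1.9", 6, 51000, 443, 40000, 50),
    RawFlow("rtr1", 1, "10.0.0.5", "10.0.1.9", 6, 51000, 443, 60000, 70),
    RawFlow("rtr1", 2, "10.0.0.7", "10.0.1.9", 17, 53000, 53, 500, 4),
    RawFlow("rtr1", 3, "10.0.0.8", "10.0.1.2", 6, 52000, 80, 20000, 30),
    RawFlow("rtr2", 6, "10.0.2.1", "10.0.1.9", 6, 40000, 443, 9000, 12),
]

if __name__ == "__main__":
    rolled = roll_up(SAMPLE_FLOWS, max_conversations=2)  # tiny cap to show the loss
    for bucket, convs in sorted(rolled.items()):
        print(bucket, [(c["key"][:2], c["bytes"]) for c in convs])
    print("bytes lost to max_conversations=2:", dropped_bytes(SAMPLE_FLOWS, rolled))
```

With the default cap of 10,000 nothing is lost on this sample; the point of the tiny cap is to show that small conversations (often the interesting ones for an investigation) are what the roll-up discards, so keep enough 1-minute history for the cases you need to reconstruct.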

Denika Connections: Integration with the Denika SNMP Performance Trender, which supplies the SNMP details used to represent link status.

Email Server: Necessary for on-demand and scheduled emailed reports. Make sure the test is successful.

Flow Analytics: Configure advanced algorithms (e.g. DDoS, Nefarious Activity, etc.).

LDAP Credentials: The web interface can integrate with Microsoft Active Directory so that users can log in to the web interface with their Windows domain credentials. When a user logs in for the first time, a new account is created in Scrutinizer and given Guest access by default. The Scrutinizer administrator can then grant that user further capabilities if desired.

    Requirements for LDAP integration:

    1) The name or IP Address of the LDAP server

    2) An account with one of the following permissions to the LDAP server:

    a. Account Operators (must also be a member of Distributed COM Users for remote WMI Access)

    b. Administrators

    c. Domain Admins

    d. Enterprise Admins

    3) The account chosen must have WMI Read access to \root\Directory\LDAP

Instructions to Integrate Scrutinizer with LDAP: A wizard utility makes the process easier. To run the LDAP configuration wizard:


    1) Open a command prompt on the server

    2) Change directories to the \scrutinizer\bin\ directory

    3) Run scrut_util ldapwizard and follow the instructions

4) Enter the IP address or hostname of the LDAP server

5) Enter the LDAP binding account username

6) Enter the LDAP binding account password, then verify it by retyping

7) Is the server configured to use LDAPS (LDAP over SSL)? Answer y or n

    8) If successful, the wizard returns LDAP configurations that will be saved to the database. The next step is to use a typical account to test connectivity

9) Enter the username of an LDAP account that will be used to log in to the Scrutinizer web interface

    10) Enter a password and then verify by retyping

    11) If successful, the wizard will display the success of the connection and update the configuration

    Users should now be able to log in to the web interface with their LDAP account. If unsuccessful, contact support.

Licensing: Enter the license key for Flow Analytics and/or the Service Provider module.

    Flow Analytics

Mailinizer (http://www.plixer.com/custom/mailinizer.php)

    Service Provider Module

    Mapping Configuration: Customization for both Flash and Google maps (e.g. connections, text boxes, etc.). Learn more about mapping.

    Mobile IAM: Specify the settings on how to attach to the Enterasys Mobile IAM authentication server.

Proxy Configuration: Set up the server to work with a proxy server.

    Syslog Notifications: Configure the syslog server, port and priority

    System Preferences: Other options

    Definitions:

    3rd Party Integration: Create links to 3rd party applications and pass variables in URLs

Applications: Set up and modify applications using ranges of ports and IP addresses. This feature is useful for properly labeling in-house applications.

Autonomous Systems: Set up and modify the Autonomous Systems that are shipped with the software.

    Device Details: Displays the SNMP details of the devices sending flows. Allows custom device and interface names to be defined which override the defaults. Notice that in and out speeds can be configured.

Host Names: Set up and modify known hosts. Use this option to statically assign host names to IP addresses so that they will not age out. It can also be used to label subnets in the Subnet report types. There are three Resolve DNS options:

1. Current: the name has been resolved, or resolution has been attempted; it expires after the number of days set in the server preferences.


2. Queued: ready to be resolved by the resolver. Set a host to Queued to force it to be resolved again.

3. Never: a permanent address that was manually added by the user. Make a name permanent by switching it to Never; it is not purged.

IP Groups: Define ranges of IP addresses that belong to a specific group (e.g. Marketing, Sales, phones, etc.). Run a report on an interface to see the IP Group reports.

Languages: Use this interface to update languages or create new translations.

    Manage Exporters: Details on the devices sending flows. Options include:

Listener Ports are listed in the top left: 2055, 2056, 4432, 4739, 6343, 9991, 9994, 9995, 9996. These ports change color:

    Green: all devices sending flows on that port are active and sending flows. Click on the port to view the vitals.

Yellow: one or more devices have recently stopped sending flows. Click on the port to view the vitals.

    Red: all devices once sending to this port have stopped. Click on the port to view the vitals.

    Per Device:

    Delete: This check box can be used to remove the device from the Status tab device tree. The device will be rediscovered immediately if the collector is still receiving flows from the device. Also, templates and interfaces from devices that stop sending flows are aged out.

    Icons:

Status: Shows whether flows are currently being received from the device (green) or not (red).

    Device Details: click to view the Device Details.

    Configure NetFlow Via SNMP: Use the wizard to re-configure the NetFlow exporting on the device.

    Current protocol exclusions: Specify which protocols will be dropped for collector, selected device or selected interface on a selected device. Visit the Device View for more details and to learn about Protocol Exclusions per device/interface.

    Click on the edit icon to modify the default name used for the device.

    Credentials: Select a community string to use on this device.

Status: Modify status from Active (accept flows) to Inactive (drop all flows from the device). NOTE: the flows are still received but are ignored by Scrutinizer (i.e. not saved).

Update SNMP: Force an immediate SNMP query for Device Details. Checking this ensures that the Device Details are updated automatically every night.

    MIB Import: Manage SNMP MIB files that have been compiled for SNMP traps

    Notification Manager: Configure notifications to be applied to Policies in the Alarms tab

    Policy Manager: List all of the Policies that are configured for the Alarms Tab

    SNMP Credentials: Configure the SNMP Credentials used on each flow exporter. SNMP v1, v2 and v3 are supported.

    Type of Service (ToS): Configure the ToS and DSCP values displayed in the reports. Be sure to Define the "ToS Family" under System Preferences.


Well Known Ports: Define port names. In the Well Known Ports report, the following logic is used:

1) Determine which port is lower, the source port or the destination port.

2) If the source port is lower and is defined, use it as the well known port.

3) Otherwise, if the destination port is defined, use it as the well known port.

4) Otherwise, display the lower port as the well known port.
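The same selection rule in Python, as an added example rather than the product's code; the port-name table and the sample flows are constructed. The function follows the rules exactly as listed, including the case where the destination port is lower but undefined, in which the lower port is shown even if the source port is defined.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed port-name table standing in for the entries an administrator
# defines under Definitions > Well Known Ports; an assumption of this example.
WELL_KNOWN_PORTS: Dict[int, str] = {
    53: "dns", 80: "http", 443: "https", 2055: "netflow", 6343: "sflow",
}


def well_known_port(src_port: int, dst_port: int,
                    defined: Dict[int, str] = WELL_KNOWN_PORTS
                    ) -> Tuple[int, Optional[str]]:
    """Pick the port a flow is reported under, applying the guide's rules in
    order: a defined source port that is the lower of the two; otherwise a
    defined destination port; otherwise simply the lower port (named only if
    it happens to be defined)."""
    lower = min(src_port, dst_port)
    if src_port == lower and src_port in defined:          # rule 2
        return src_port, defined[src_port]
    if dst_port in defined:                                 # rule 3
        return dst_port, defined[dst_port]
    return lower, defined.get(lower)                        # rule 4


def well_known_ports_report(flows: List[dict],
                            defined: Dict[int, str] = WELL_KNOWN_PORTS
                            ) -> List[Tuple[str, int]]:
    """Sum bytes per well-known-port label, highest first, as the report does.
    Undefined ports are labelled with the bare port number."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        port, name = well_known_port(f["src_port"], f["dst_port"], defined)
        totals[name if name else str(port)] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed flows: a client request, its reply (server port now the source),
# a DNS reply where the defined port is the lower source port, and a flow
# between two ephemeral ports that no definition covers.
SAMPLE_FLOWS = [
    {"src_port": 51000, "dst_port": 443, "bytes": 3000},
    {"src_port": 443, "dst_port": 51000, "bytes": 90000},
    {"src_port": 53, "dst_port": 41000, "bytes": 200},
    {"src_port": 60000, "dst_port": 55555, "bytes": 700},
]

if __name__ == "__main__":
    for label, total in well_known_ports_report(SAMPLE_FLOWS):
        print(f"{label:>8}  {total} bytes")
```

Both directions of the HTTPS conversation land under the same label, which is what makes the report usable; the ephemeral-port flow shows up as a bare number and is the kind of row worth defining a name for (or investigating) when it carries real volume.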

    Security:

    User Groups: Specifies what a Group login account can access. Limited to 10 Group accounts without a Service Provider license key. Some permissions require further explanation:

    Device Status: Grants permission to see the status of the device (i.e. Flow exporter). Device icons appear blue in maps if the Device Group permission is granted without this permission. Mailinizer devices show up here.

    Interface Statistics: Grants permission to see the statistics of an interface. Mailinizer does not show up here.

    Device Groups: Grants permission to see a Group (i.e. map). Devices (i.e. Flow Exporters) appear blue and interfaces black unless permission is granted in Device Status and Interface Statistics.

    User Accounts: Configure login preferences for individual accounts. User Accounts must be a member of one or more User Groups. By default, they are placed in a default (e.g. Guest) User Group. Permissions are inherited by all User Groups a User Account is a member of.

    Reports:

    Report Folders: Manage Saved Report Folders found in the Status tab under saved reports. Notice the Membership drop down box:

    Folders: Select a folder and add or remove reports from it.

    Reports: Select a report and add or remove folders it can be found in.

    Scheduled Reports: Manage Scheduled Reports, delete, etc.

    Top Saved Syslogs: The top devices sending syslogs.

    Top Syslog Orphans: The top devices sending syslogs that don't match policies.

    Vitals: View vital information on how well the server is handling the NetFlow and sFlow volume. More details can be found in the Vitals Tab.

    NetFlow Help:

Activating NetFlow, J-Flow, sFlow, NetStream, IPFIX, etc.: http://www.plixer.com/custom/configure-netflow-sflow.php


    SNMP Device View

    Using this interface, selected interfaces can be hidden from the reporting GUI. The SNMP community string used to communicate with the device can be altered.

    Notice at the top: there is a drop down box with all the flow sending devices. Under the devices is a drop down box to select the SNMP community string/credential for the selected device. Next to the community string is a check box for SNMP Enabled. If SNMP Enabled is checked, the Watcher Service will attempt to poll and update SNMP information for the device. By default, the automatic SNMP discovery occurs once a night. The user can disable the automatic SNMP capability by unchecking "Auto SNMP Update" from the Admin Tab, Settings -> System Preferences.

    There are several columns displayed for each interface on the NetFlow capable router/switch. Some of them include:

Instance

Custom Description: A custom interface name can be entered.

ifAlias

ifName

ifDescr


ifSpeed: Custom speeds can be specified both inbound and outbound per interface.

Direction: Tells whether NetFlow is collected INGRESS, EGRESS or BOTH on this interface.

Scrutinizer will attempt to build the drop down boxes based on whether or not the following information is available, in this order:

Instance and Custom Name

Instance, ifAlias and ifDescr

Instance, ifDescr and ifName

Instance and ifDescr

Instance

    This interface relies on devices that support the SNMP standard MIB II. SNMP Enterprise MIBs may require 3rd party software or customized scripts to correlate the enterprise instances to match the MIB II instances.

    If SNMP is not available, the collector will look for an interface names option template. Some vendors export an interface names option template using NetFlow or IPFIX. This option template contains the names of the interfaces. In Cisco IOS v 12.4(2)T or greater, the command is:

    Router(config)# ip flow-export interface-names

    SonicWALL and other vendors export a similar options template.

    If the Custom Description is filled in, it will over ride the use of the SNMP descriptions. This is also true when the Custom (Mb) is filled in, they will over ride the use of the SNMP ifSpeed. Enter a 0 in the Custom (Bits) ifSpeed to force the Status tab to display the interface in bits in lieu of % utilization.

    If any updates are applied to a router or switch, be sure to go back to the device interface and run an update by clicking on the Update button else, the default evening update will take effect.

    Direction: Displays how the flows are collected and reported on for the interface. Values are INGRESS, EGRESS or BOTH and are not updated until the collector is restarted. If Direction is unset ('-'), NetFlow is not being exported for this interface.

    If the interface row is white then the interface number and traffic values are inferred from NetFlow exported from another interface. If the interface row is gray then the interface number was discovered via SNMP and there will be no traffic values.

    Protocol Exclusions are performed to prevent traffic from being counted twice on a given interface. Generally, over-reporting is caused by VPN or tunnel traffic. Exclusions can be made per exporter (e.g. router, switch, etc.) or per interface per exporter. They can also be made globally across all exporters. Click on the (-) icon to launch the Protocol Exclusions modal.

    VERY IMPORTANT: By default, the flow collector polls the switches and routers it is receiving flows from via SNMP nightly. This software was engineered to be a passive collection tool with minimal SNMP requirements. The best way to update the SNMP information, including the information on the interfaces, is to click on the "Update" button. NetFlow v9 option templates can be used in place of SNMP to gather interface names and speeds.

    Vitals Main View

    Overview

    The Vitals page provides insight on the health of the server that is receiving the flows (e.g. CPU, Memory usage, Hard drive space available, etc.).

    CPU: Average CPU utilization for the computer the NetFlow Collector is installed on.


    Avail Mem: Available Memory displays how much memory is being consumed by all programs on the computer. It is not specific to NetFlows being captured.

    NOTE: The flow collector will continue to grab memory depending on the size of the memory bucket it requires to save data and it will not shrink unless the machine is rebooted. This is not a memory leak.

    Avail HDD: Available Hard Drive displays the amount of disk space that is available. After an initial period of a few weeks/months, this should stabilize providing that the volume of NetFlow stays about the same. This statistic is best viewed by clicking on the trend. A historical report will pop up providing a better idea on how long the disk storage will hold out.

    Datagrams: Average Datagrams per second in a 5 minute interval trend.

    Flows: Average Flows per second in a 5 minute interval trend. This is a measure of the number of conversations being observed. Each NetFlow packet (i.e. UDP datagram) sent can contain information on as many as 30 flows.

    MFSN: Missing Flow Sequence Numbers. This is an aggregate across all flow sending devices. At the top of the page, click on individual ports to get an MFSN report per listening port and per device exporting flows.
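    How an MFSN count can be derived from the sequence numbers in NetFlow v9 packet headers, as an added Python example that is not Scrutinizer's own code. It assumes the 20-byte v9 header layout from RFC 3954; the exporter addresses, sequence values and the "late arrival fills one gap" rule are constructed for the example.

```python
import struct
from collections import defaultdict

# NetFlow v9 export packet header (RFC 3954, section 5.1): version, count,
# sysUpTime, UNIX secs, package sequence number, source ID; 20 bytes, big-endian.
V9_HEADER = struct.Struct("!HHIIII")
SEQ_MOD = 1 << 32   # the sequence number is a 32-bit counter


def parse_v9_header(datagram: bytes) -> dict:
    """Return the header fields of a NetFlow v9 datagram (flow sets are not parsed)."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    return {"count": count, "sysuptime": uptime, "unix_secs": secs,
            "sequence": seq, "source_id": source_id}


class MFSNTracker:
    """Accumulate Missing Flow Sequence Numbers per (exporter, source ID).

    In v9 the package sequence number is incremented once per datagram by each
    observation domain (source ID), so consecutive datagrams should differ by 1.
    A larger jump means datagrams never arrived. A backwards step is treated as a
    late arrival that fills one earlier gap (a simplification assumed here)."""

    def __init__(self):
        self.last_seq = {}
        self.received = defaultdict(int)
        self.missing = defaultdict(int)

    def observe(self, exporter: str, datagram: bytes) -> int:
        """Record one datagram; return how many sequence numbers were skipped."""
        hdr = parse_v9_header(datagram)
        key = (exporter, hdr["source_id"])
        seq = hdr["sequence"]
        self.received[key] += 1
        prev = self.last_seq.get(key)
        if prev is None:
            self.last_seq[key] = seq
            return 0
        gap = (seq - prev - 1) % SEQ_MOD        # modular math handles the 32-bit wrap
        if gap >= SEQ_MOD // 2:
            # sequence went backwards: late or duplicate datagram, not a loss
            if self.missing[key] > 0:
                self.missing[key] -= 1
            return 0
        self.missing[key] += gap
        self.last_seq[key] = seq
        return gap

    def report(self) -> dict:
        """Datagrams received and MFSN per (exporter, source ID), as Vitals shows it."""
        return {key: {"received": self.received[key], "missing": self.missing[key]}
                for key in self.received}


def build_v9_datagram(sequence: int, source_id: int, count: int = 1) -> bytes:
    """Constructed test datagram: header only, flow sets omitted."""
    return V9_HEADER.pack(9, count, 1234567, 1372636800, sequence, source_id)


def demo_mfsn() -> dict:
    """Replay constructed datagrams from three exporters and return the MFSN report."""
    t = MFSNTracker()
    for seq in (100, 101, 103, 104, 110):   # two gaps: 102 and 105..109 (6 missing)
        t.observe("192.0.2.1", build_v9_datagram(seq, 0))
    for seq in (7, 8):                      # second source ID on the same exporter
        t.observe("192.0.2.1", build_v9_datagram(seq, 1))
    for seq in (5, 7, 6, 8):                # out-of-order arrival, nothing actually lost
        t.observe("192.0.2.2", build_v9_datagram(seq, 0))
    for seq in (0xFFFFFFFF, 0):             # 32-bit counter wrap is not a gap
        t.observe("192.0.2.3", build_v9_datagram(seq, 0))
    return t.report()
```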

    Syslogs Received: The average number of syslogs received per second.

    Syslogs Processed: The average number of syslogs processed per second.

    Connections: Tracks the number of connections that are being opened on the MySQL server. Excessive connections result in reduced performance. NOTE: other applications sharing the same MySQL server will cause this number to increase.

    DB Queries: Tracks the number of queries made to MySQL. More queries indicate a heavier load on the MySQL server. Generally there will be spikes at intervals of 5 minutes, 30 minutes, 2 hours, 12 hours, etc. These indicate the rolling up of statistics done by the stored procedures. This vital is important to watch if the NetFlow collector is sharing the MySQL server with other applications.

    KRR: Key Read Requests - The number of requests to read a key block from the cache. A high number of requests means the server is busy.

    KWR: Key Write Requests - The number of requests to write a key block to the cache. A high number of requests means the server is busy.

    Cached Queries: The query cache stores the select query and the resulting data that was sent to the client. If an identical statement is received later, the server retrieves the results from the query cache rather than requesting the data again from the database. The query cache is shared across all database connections, which means the results generated by one connection can be utilized by another connection. For more information, please reference the MySQL Documentation.

    Cached Memory: The total amount of memory available to query caching. Contact support if you find that your query cache is presently under 1 MB. For more information, please reference the MySQL Documentation.

    Threads: Threads are used to pass data back and forth between Scrutinizer and the database engine. The MySQL Server currently manages whether or not to utilize the configured number of threads. For more information, please reference the MySQL Documentation.

    KBU: Key Buffers Used - indicates how much of the allocated key buffers are being utilized. If this vital begins to consistently hit 100%, it indicates that there is not enough memory allocated. Scrutinizer will compensate by utilizing swap on the disk. This can cause additional delay retrieving data due to increased disk I/O. On larger implementations, this can cause performance to degrade quickly. Users can adjust the amount of memory allocated to the key buffers by modifying the \scrutinizer\mysql\my.ini file and adjusting the key_buffer_size setting. A general rule of thumb is to allocate as much RAM to the key buffer as you can, up to a maximum of 25% of system RAM (e.g. 1GB on a 4GB system). This is about the ideal setting for systems that read heavily from keys. If you allocate too much memory, you risk seeing further degradation of performance because the system has to use virtual memory for the key buffer.

    Listener Ports

    The flow collector can listen on multiple ports simultaneously. The defaults are 2055, 2056, 4432, 4739, 9995, 9996 and 6343; however, more can be added. Click on the different listener ports to view the total packet rate per port. Click on any trend for a daily, weekly, monthly and yearly trend.


    Alarms Tab

    Alarms Tab

    Overview

    The Alarms tab lists alarms that are determined locally or received via syslog, email or SNMP trap from distributed flow collectors. The Alarms tab maintains two primary tables:

    History: As the messages come in, they are run past the Policy Manager. If the message violates a policy, it can be saved to the history table and may end up being posted to the alarms table which is also known as the Bulletin Board.

    Orphans: Messages that don't match a policy become orphans and are saved to this table.

    Overview:

    Bulletin Board: lists the current outstanding alarms that should be cleared. Messages do not appear in the Bulletin Board unless a Policy is violated.

    Per Policy/Per Violator: Drop down box:
    Per Policy: Displays Policies, the corresponding violation count, violators and other columns selected
    Per Violator: Displays the Unique Index (UI) for hosts violating multiple policies

    Heat Map: objects appearing high and to the right are the hosts or policies that often need immediate attention.

    Per Policy: the heat map displays the policies (e.g. threat algorithms) that are violated. Y axis = count, X axis = unique hosts

    Per Violator: the heat map displays the hosts that are violating policies. Y axis = count, X axis = unique policies

    Refresh: Refresh the Bulletin Board
    OK: Click on check boxes and click the 'OK' button to clear entries in the Bulletin Board
    Customize: Select which columns are displayed in the Bulletin Board
    Orphans: View the Orphans that didn't violate policies
    New Board: Create a new Bulletin Board
    Policy Manager: Create a new policy. Usually Policies are created by clicking on an Orphan first
    Search: Search the Bulletin Board for specific data
    Advanced Filters: Used to search the Bulletin Board using multiple criteria
    Threats Overview: Displays the Policies and the corresponding violations in the last 5 minutes, last hour, all in history

    Clicking on a column header in the Bulletin Board sorts the table by that column. Click on a Policy name to see all of the messages that violated the Policy from all hosts. To see messages from a specific host for the desired policy, click on an individual host in the Violations column.

    Notification Queue: Lists the last 24 hours of notifications that were sent or currently in queue and waiting for execution.

    Orphans: Lists the messages that did not violate policies. Click on an orphan to create a policy.

    Refresh: Refresh the list of Orphans that have not violated a policy.
    Delete: Check off policies and click 'OK' to delete them
    Bulletin Board: View the Bulletin Board
    Search: Search the Orphans table for specific data
    Advanced Filters: Used to search the Orphans using multiple criteria

    Threats: Lists the threats detected by Flow Analytics. Displays the Policies and the corresponding violations in the last 5 minutes, last hour, all in history.

    Reporting:


    Search History Table: Searches the history tables for matching data.
    Top Syslog Orphans: Searches the orphan table for matching data. This report identifies syslog senders, priorities, and severities that are being received, but that are not being caught by policies.
    Report Manager: View, manage and execute the Saved Reports.
    Top Syslog Senders: Display the top syslog senders

    Configuring Alarm Conditions

    Most administrators will want notifications from Scrutinizer for one or more of the following reasons:
    To set inbound thresholds on saved reports
    To get notified of threats detected by one or more of the Network Behavioral Analysis Algorithms in Flow Analytics
    To get notified if the poller detects that an Object in a map is no longer responding


    Flow Analytics

    Flow Analytics

    Overview

    Flow Analytics (i.e. FA) is the commercial add-on to Scrutinizer. FA brings the following additional features to Scrutinizer:

    Functions as a Network Behavior Analysis system by constantly monitoring all flows for behaviors that could be compromising the health of the network (network scans, illegal applications, P2P, etc.). It interrogates every flow from every host from selected flow exporting devices for suspicious patterns and anomalies. All flows across selected flow sending devices are monitored at all times.

    Performs the NetFlow aggregations so that data can be saved beyond 24 hours. Scrutinizer drops data every night just after midnight. Flow Analytics 'FA' does the archiving for Scrutinizer.

    Numerous additional reports that provide more detailed information on the flows received.

    DNS is run constantly to help with performance in the front end. Without Flow Analytics, Scrutinizer performs DNS resolutions as needed. DNS entries will age out as configured in the Admin tab -> Settings -> System Preferences. This feature will place additional load on the server. Be careful when enabling it.

    Performs threshold watches for saved reports. FA can monitor for nearly any combination of flow characteristics and export a syslog if a match or a high/low threshold is reached.

    Contact your vendor for the "NetFlow Challenge" document which outlines what is and isn't free.

    FA Navigation

    The navigation for FA is via gadgets in the Dashboard tab. The primary gadget "Flow Analytics Configuration" should be added to Dashboard.

    At the top, it displays the overall time to run all algorithms and the total count of violations across all algorithms.

    Name: This is the name of the algorithm that is checking for abnormal behaviors.

    Time: This is the amount of time the algorithm takes to run across all selected routers/switches.

    Count: This is the number of violations found the last time the algorithm ran. Click on the trend to view graphs for longer time periods.

    Time exceeded: Algorithms that exceed the configured run time will be cancelled.

    Algorithms and Gadgets

    FA Algorithms may or may not include gadgets. Some algorithms are enabled by default. Others need to have selected flow exporting devices added to them. A few algorithms need to have thresholds configured or modified from the defaults.

    FA Gadgets that can be added to Dashboard:

    Flow Analytics Configuration: The overall status of all algorithms and the total runtime and count of violations across all algorithms. Algorithms can be ordered alphabetically or by order of execution. LEDs in this gadget are as follows (refresh the gadget in the upper right corner):


    o Name - The name of each algorithm executed by Flow Analytics. Expand Flow Analytics Overall Status. If the status of "Disable All" is toggled, be sure to click Save at the bottom of the gadget. Some algorithms look for network threats and others simply list the Top x across multiple flow exporters. Some algorithms, such as Top Network Transports, do both.

    o LED Colors:

    Yellow - incomplete run (time limit caused the algorithm not to run during the last cycle)

    Lite Green - successfully completed on the last run

    Gray - disabled

    Trend - actively executing the algorithm

    Dark Green - successfully completed on the current run

    o Time - the time given to each algorithm to run. Some algorithms need more time to run depending on the number of flow exporting devices included and the number of flows exported by each device.

    o Count - the number of violations the last time the algorithm ran.

    Network Volume: The scale of the traffic traversing the core network. It lists the volume of unique traffic on the network for the last 5 minutes vs. the last 30 hours. Only include a few core routers/switches.

    Flow Analytics Devices: Select the flow exporting devices that each algorithm will run against. Enter text and click 'Filter' to find specific devices. Click the 'Clear' button to remove the filter and display all devices. Some algorithms are run against all tables created by flow exporting devices while others are only run against one or two tables (e.g. routers). The "Select Flow Devices" gadget 'scrut_fa_devices.cgi' can be added to Dashboard however it is not necessary because it is best utilized as a popup.

    Flow Analytics Exclusions: Exclude hosts from selected algorithms to help prevent false positives. Some hosts will constantly violate the threshold of certain algorithms. This interface helps prevent false positive alarms by allowing selected hosts (i.e. IP addresses) to be excluded from violating one or more algorithms. The "Exclude Hosts" gadget 'scrut_fa_exclusions.cgi' is not necessary in Dashboard as it is best utilized as a popup.

    Flow Reports Thresholds: Saved reports that are given a threshold to compare against every five minutes show up in this gadget.

    Top Subnets and IP Violation: Define the subnets allowed on the network and Scrutinizer will notify for any flow that occurs outside of these ranges. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

    Threats Overview: Gives Network Administrators an idea on the frequency that each Flow Analytics algorithm is being violated. The colors indicate the frequency within each time interval: Last 5 min, Last Hour and All.

    Top Applications: Top Applications on the network. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

    Top Conversations: Top Conversations across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

    Top Countries: Top Countries across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

    Top Domains: Top Domains across selected flow exporting devices.

    Top Flows: Top Flow sending end systems across selected flow exporting devices.

    Top Hosts: Top Hosts sending data across selected flow exporting devices. It is also responsible for executing the Unfinished Flows Violation algorithm. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.


    Top Subnet Traffic: Top IP Subnets across selected flow exporting devices. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

    Top Network Transports: Top Transport Layer Protocols across selected flow exporting devices. Alarms trigger for protocols that appear that haven't been approved. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

    Top Well Known Ports: Top ports, whether they are the source or the destination port. NOTE: Some algorithms should only run against core routers/switches. Watch the Flow Analytics Overall Status gadget for algorithms that need more time to run.

    Setting Up Flow Analytics (FA):

    FA algorithms run sequentially. By default, they do not run against any NetFlow exporters until the NetFlow exporters are added to the selected algorithms. To add routers to an algorithm, visit Dashboard > Configure Flow Analytics > Flow Analytics Configuration (Gadget):

    Click on the + icon at the top for "Flow Analytics Overall Status" and uncheck "Disable all". A license key is necessary for evaluation.

    Expand an algorithm by clicking on the + icon

    Uncheck Disable

    Click on the number (e.g. 0) below the blue router icon. This will bring up the "Devices in Flow Analytics" gadget which is also displayed on this page. See IMPORTANT NOTES below.

    Click on the number (e.g. 0) below the two people icon. This will bring up the "Flow Analytics Exclusions" gadget which is also displayed on this page. Use this window to include hosts to be excluded from selected algorithms. It is generally easier to add them from the Alarms tab once they violate an alarm.

    Continue selecting Algorithms and adding NetFlow exporters as outlined below.

    IMPORTANT NOTES:

    All algorithms are intended to detect internal threats and should be applied against routers other than the Internet border routers.

    Add only a few routers to a few algorithms initially and start off slowly. Pay attention to the Vitals of the server. After 15-30 minutes, add a few more routers to selected algorithms and slowly ramp up the FA deployment.

    FA has only 300 seconds (i.e. 5 minutes) to finish all enabled algorithms. If it can't finish in 300 seconds, it will stop where it is and start over. All algorithms must finish within 5 minutes as the process repeats every 5 minutes. Optimize performance by paying attention to the Time each algorithm takes to run as well as the overall time shown at the very top of the Flow Analytics Configuration gadget.

    FA Algorithms that don't include Gadgets:

    Be sure to exclude certain hosts from select algorithms to avoid false positives. This can easily be done from the alarms tab as well by clicking on the host. The interface will prompt for the exclude confirmation.

    Breach Attempts Violation: Looks for many small flows from one source to one destination. This can indicate things such as a brute force password attack. A typical scenario would be a dictionary attack on an SSH server. The default threshold is 100. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields.

    DDoS Violation: Identifies a Distributed Denial of Service attack such as those that can be launched by a BOTNET. Visit Admin -> Settings -> Flow Analytics to set the threshold.

    Denied Flows ASA - pre-8.4(5): Triggers events for hosts that cause greater than the threshold of denied flows. Apply Cisco ASAs to this algorithm if they are running an OS prior to 8.4(5).


    Denied Flows Firewall: Apply firewalls to this algorithm. It triggers events for hosts that cause greater than the threshold of denied flows.

    DNS Hits: Alerts when a host initiates an excessive number of DNS queries. This can help to identify hosts that may be infected with a mailer worm or have other issues that require an inordinate number of DNS lookups. The default threshold is 100.

    FIN Violation: The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshaking. The default threshold is 100 and the minimum that can be set is 20.

    ICMP Destination Unreachable: This is a message that comes back from the router to the requesting host stating that it doesn't have a route to the destination network of the target host. The default threshold is 100 and the minimum that can be set is 20.

    ICMP Port Unreachable Algorithm: This is a message that comes back from the destination server stating that it will not open communication on the specified port requested by the host. The default threshold is 100 and the minimum that can be set is 20.

    Internet Threats Monitor: This algorithm goes out to an Internet site every hour and downloads an updated list of known hosts that end systems on the network should not be communicating with. Typically this is a list of compromised hosts that have a reputation for sending nefarious traffic. This list is updated by several Internet Service Providers. The default threshold, and the minimum that can be set, is 1. This algorithm is on by default across all flow exporting devices that are exporting the necessary fields. Below are the types of hosts that make it onto the list that we get from Emerging Threats.

    o CnC: Malware Command and Control Server Observed or DGA predicted domains and IPs that are command and control for known trojans. Specifically criminal, differentiated from spyware and user tracking domains which are classified in SpywareCnC.

    o Bot: Known Infected Bot A host observed checking in to a command and control server, or exhibiting clear indications of unwanted and criminal code on the host.

    o Spam: Known Spam Source We don't track all spam sources, but those observed sending spam or being rejected as blacklisted are included.

    o Drop: Drop site for logs or stolen credentials Differentiated from CnC servers, but sometimes overlapping. Anywhere where we see stolen data or credentials being pushed to. Does not include droppers being served or other exe movement.

    o SpywareCnC: Spyware Reporting Server Servers and domains observed being used to serve or track user activity. Specifically not clearly criminal, but we avoid plain ad-serving sites as much as is possible. Generally these are going to be toolbars, rogue gaming, free screensavers, etc.

    o OnlineGaming: Questionable Gaming Site Gambling, flash games, and similar that install a client and report or track user activity. Most of these do not cross the line of criminal, but are differentiated from plain spyware activity.

    o DriveBySrc: Driveby Source Kit redirectors, exploit serving, or injected/compromised sites that either have attempted to or will lead to a compromised browser.

    o ChatServer: POLICY Chat Server Observed chat activity, including but not limited to IRC, Jabber, Google Talk, MSN, AIM, ICQ, Baidu, GaduGadu, etc. This is not an indication of hostile activity, only known chat activity. Can be cross-correlated with CnC to help mitigate legitimate IRC networks in use as CnC.

    o TorNode: POLICY Tor Node Tor exit nodes and participants seen participating in the network.

    o Compromised: Known compromised or Hostile A bit of a catch-all category for hosts that are observed hostile including compromised web servers, brute forcers, or otherwise not easily classifiable activity.

    o P2P: P2P Node Observed clients and sources of generally legitimate file sharing, including traditional bittorrents, limewire/kazaa, qvod, and others.

    http://www.emergingthreats.net/


    o Proxy: Proxy Host Observed proxy endpoint for http, stun, socks, etc.

    o IPCheck: IP Check Services IP and geo check services. Generally public services which are very often abused by malware or dyndns activity.

    o SocialMedia: Social Media sites and servers Observed activity to frontends like Facebook, Myspace, and others.

    o Utility: Known Good Public Utility Known good nets and services such as google search frontends, bing, etc.

    o DDoSTarget: Target of a DDoS Observed DDoS targets by traffic, or observed commands to launch attacks to these nets.

    o Scanner: Host Performing Scanning Web vuln scanning, open relay scanning, network and service recon, and often Nessus or other scanner activity.

    o Brute_Forcer: SSH or other brute forcer All observed authentication brute forcing, including SSH, imap, VNC, etc.

    o FakeAV: Fake AV and AS Products Fake antispyware and AV product sites being sold or distributed. Often overlaps with CnC.

    o DynDNS: Domain or IP Related to a Dynamic DNS Entry or Request Host or domain observed using DynDNS.

    o Undesirable: Undesirable but not illegal. Some hack tool forums, metasploit updates, etc. Not illegal, but of interest on an otherwise controlled network.

    o AbusedTLD: Abused or free TLD Related Activity or DNS related to rogue TLD and GTLDs such as .tk, co.cc, and others. Not always hostile, but of interest.

    o SelfSignedSSL: Self Signed SSL or other suspicious encryption Self-signed or invalid SSL certificates in use.

    o Blackhole: Blackhole or Sinkhole systems Known sinkhole in use by a trusted organization. Will often overlap with CnC.

    o RemoteAccessService: GoToMyPC and similar remote access services observed but often legitimate remote access services like Kaseya, Gotomypc, Citrix, and others.

    o P2PCnC: Distributed CnC Nodes Zeus and other families that use P2P as a cnc mechanism. Separated by category to handle the volume and transient nature of these hosts.

    o SharedHosting: Known Shared Hosting server Known mass host server. Useful to cross correlate with compromised domains.

    o Parking: Domain or SEO Parked Known parked domain or parking server.

    o EXE_Source: Suspicious exe or dropper service Observed serving of an Executable. Not necessarily hostile, but will often coincide with CnC.

    Multicast Violations: Any multicast traffic that exceeds the threshold that isn't excluded will violate this algorithm. The default threshold is 1,000,000 and the minimum that can be set is 100,000.

    Nefarious Activity: Looks for hosts communicating with many hosts with a low number of flows. An example would be a port 80 scan of an entire subnet. Visit Admin -> Settings -> Flow Analytics to set the threshold.

    NULL Scan Violations: The null scan turns off all flags, creating a lack of TCP flags that should never occur.

    P2P Monitor: Peer to Peer (includes BitTorrent) connections are monitored by this algorithm. The default threshold is 100 and the minimum that can be set is 100.

    RST/ACK Destinations: RST/ACK packets are connection denials that come back from destinations to the originating hosts. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20. Print servers can cause false positives with this algorithm and often need to be excluded.


    SYN Violations: SYN packets are sent out in an attempt to make a network connection with a target host. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20.

    Unfinished Flows: Executed by the Top Flows Algorithm, helps identify hosts that have a high percentage of unfinished flows. This indicates scanning, Malware or poorly configured applications on a host. The default threshold is 100 and a minimum threshold can also be configured. Visit Admin -> Settings -> Flow Analytics to set the threshold.

    XMAS Tree Violation: The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

    IMPORTANT NOTE: Hosts can easily be excluded from certain algorithms by clicking on the IP address in the Alarm Tab. This will popup the Exclude Hosts table where the IP address can then be excluded from other algorithms as well.
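    The volume- and flag-based checks described in this section, as an added Python example that is not Scrutinizer's own code: it runs simplified versions of Breach Attempts, Nefarious Activity and the NULL/FIN/XMAS Tree checks over constructed flow records. The Flow record layout and the Nefarious Activity thresholds are assumptions; the Breach Attempts default of 100 and the XMAS flags byte 00101001 (URG, PUSH, FIN) come from the text.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# TCP flag bits as they appear in the NetFlow tcpFlags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = URG | PSH | FIN   # 0x29 == 0b00101001, the flags byte named in the manual


@dataclass(frozen=True)
class Flow:
    """One exported flow record (assumed minimal layout for this example)."""
    src: str
    dst: str
    dport: int
    proto: int       # 6 = TCP
    tcp_flags: int   # OR of all TCP flags seen in the flow
    packets: int


def breach_attempts(flows, threshold=100):
    """Many flows from one source to one destination (default threshold 100),
    the pattern of a dictionary attack against a single SSH server."""
    pairs = Counter((f.src, f.dst) for f in flows)
    return {pair: n for pair, n in pairs.items() if n >= threshold}


def nefarious_activity(flows, threshold=50, max_flows_per_peer=2):
    """One source touching many destinations with only a few flows each, e.g. a
    port 80 sweep of a subnet. Both threshold values are assumptions; in the
    product the threshold is set under Admin -> Settings -> Flow Analytics."""
    per_pair = Counter((f.src, f.dst) for f in flows)
    peers = defaultdict(int)
    for (src, dst), n in per_pair.items():
        if n <= max_flows_per_peer:
            peers[src] += 1
    return {src: n for src, n in peers.items() if n >= threshold}


def tcp_flag_scans(flows):
    """Count TCP flows per source whose flag combination never occurs in a normal
    handshake: NULL (no flags), FIN-only, and XMAS (URG+PSH+FIN)."""
    hits = defaultdict(Counter)
    for f in flows:
        if f.proto != 6:
            continue
        if f.tcp_flags == 0:
            hits["NULL"][f.src] += 1
        elif f.tcp_flags == FIN:
            hits["FIN"][f.src] += 1
        elif f.tcp_flags == XMAS:
            hits["XMAS"][f.src] += 1
    return {kind: dict(by_src) for kind, by_src in hits.items()}


def constructed_flows():
    """Constructed sample records: ordinary web traffic plus three suspicious hosts."""
    flows = [Flow("10.0.0.11", "10.0.0.80", 80, 6, SYN | ACK | PSH | FIN, 20)
             for _ in range(5)]
    # 120 small SSH flows from one host to one server: Breach Attempts pattern
    flows += [Flow("10.0.0.5", "10.0.0.20", 22, 6, SYN | ACK | RST, 4)
              for _ in range(120)]
    # one host probing 60 addresses on port 80, one flow each: Nefarious Activity
    flows += [Flow("10.0.0.9", f"10.0.1.{i}", 80, 6, SYN, 1) for i in range(1, 61)]
    # crafted-flag probes from a third host: NULL, FIN and XMAS scans
    flows += [Flow("10.0.0.7", "10.0.0.20", 443, 6, 0, 1)] * 3
    flows += [Flow("10.0.0.7", "10.0.0.20", 443, 6, FIN, 1)] * 2
    flows += [Flow("10.0.0.7", "10.0.0.21", 443, 6, XMAS, 1)] * 4
    return flows
```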

    Optimizing FA

    Flow Analytics can be optimized in several different ways:

    1. Modify the number of flow exporting devices included in the algorithm

    2. Disable selected Algorithms

    3. Utilize a second or third copy of Scrutinizer with FA.

    4. Contact your vendor to learn about the minimum hardware requirements.


    Maps Tab

    Maps Main View

    Overview

    The Mapping options are primarily utilized by administrators to display all or a portion of the network topology. Right-click on the background of a Flash map (i.e. not a Google map) to toggle between Edit mode and View mode and rearrange the icons. Be sure to be in View mode when saving. Don't forget to save the position of the icons.

    A default map per login account can be selected under Admin -> Security -> User Accounts. Click on the Configure button to configure the maps.

    There are several types of images used in the maps:

    Objects: come in four formats.

    Backgrounds: can be added to the maps.

    Links Status: can be read about here.

    The device icon color is based on the Fault Index (FI) value in CrossCheck and the corresponding color thresholds. The link color between devices can be based on utilization between the devices. Click on the link to bring up a flow report for the connection.

    IMPORTANT: Click on the map and then use the right mouse button to bring up a menu of options.

    Map Connections

    Overview

    Connections between objects:

    A Connection between any two objects can be created using this interface.

    Selecting a From Device which is sending flows will cause the Interface drop-down box to fill in with the corresponding flow interfaces available.

    Selecting a Group or Icon From object results in an empty Interface drop-down box. Check off "Display all interfaces in this group" to fill in the Interface drop-down box with all interfaces from devices in the group. You can also select "Connect with black line" to connect to the To Object.

    Click the Connect button and the connection will be displayed in the window below.

    IMPORTANT: When creating connections for a Google map, a device name might be followed by (Needs GPS coordinates - Go to Objects Tab). Devices in a Google Map Group will not appear until they are given GPS coordinates or an address using the Objects tab.

    Links Status comes in 3 formats:

    Flow link: are links representing flow capable interfaces.


    o Link colors can be green, yellow, orange or red and are based on settings configured in the Admin Tab -> Settings -> System Preferences.

    o Links are blue if there is no bandwidth statement for the interface.

    o Links are dashed gray if flows are not received within the last five minutes from the interface. Click on a link to bring up the current flow information.

    Black line: is a static link between two devices. It is not clickable and doesn't provide a status.

    SNMP: links can be inserted into the maps using a third party package called Denika SNMP Performance Trender. Links can change color based on a threshold setting of any SNMP OID counter. Click on a link to bring up the SNMP trend.

    Additional Notes on Links:

    Label: displays the percent utilization or the bits received in the last average interval. Set the "average interval" under Admin tab ->Settings -> System Preferences "Status/Link Average". The default is 5 minutes.

    ALT tag: over the Label displays the full interface description.

    Arrow: on the link reflects highest utilization direction.

    Clicking: on the link will bring up the default user preference report on the link for the last few minutes (5 minutes by default) in one minute intervals. Outbound or Inbound traffic is displayed depending on the direction of the arrow when clicked.

    Denika Integration:

    Denika can be integrated in the maps. Devices can be connected twice with two separate links to represent both:

    utilization and

    latency between devices (e.g. CBQoS, IP SLA, etc.)

    Click on the Denika links to bring up trends. Denika links change color just like the flow utilization links.

    Denika can be installed on the same machine as the NetFlow collector, however for performance reasons it is often installed on a separate machine. Visit the Admin Tab -> Settings -> Denika/Logalot if Denika is installed on a separate machine. Once Denika is integrated, the check box option will be enabled.

    Check off "Connect with Denika Report" then enter a filter and click on the 'Filter' button to find the desired report. Notice the "Color Change" options automatically fill in with threshold suggestions for each selected report. This only occurs if Denika has collected enough data. Click on the Denika icon to view the current trend of the selected report. After confirming, click on the "Connect" button. Contact your vendor to download and try this free integration!

    Map Settings

    Overview

    The Map Settings are used to set defaults for all maps:

    Google Maps:

    o Zoom Level: set when using the option "Save Zoom & Position" in a Google map. By default, Google maps auto scale to fit all icons on the map. This option overrides Auto with a favorite position on the map. To undo the Save Level, select 'Auto' and click 'Save'.

    Click for other System Preferences.

    Map Groups

    Overview

    Groups are the foundation of all maps. Creating a new group creates a map. There are two types of maps:

    Flash: maps that utilize flash technology

    Google: maps that utilize Google map technology

    Highlights:

    Flow devices can be added to more than one group/map.

    Flow devices added to groups are removed from Ungrouped.

    Membership: use this to add devices and objects to the group.

    Map Status: use this to pass the status of any down devices in a lower map up to parent map.

    Permissions can be set on Group visibility

    Map Objects

    Overview

    Objects are placed in groups. Each Group is a map. Generally, Objects on the map represent flow exporting Devices; however, polled devices can be added as well. Objects have several properties:

    Label: a read only field determined by the collector

    Poll Using: IP Address, Hostname or disable

    Notification: Specify how you want the alert on the status on the object/device to be sent out.

    Primary Status: This is the background color of icons throughout Scrutinizer. The default primary color of an icon is "Flow". That is an indication of whether we are still receiving flows from an exporter. To change primary status, edit an object under Mapping Configuration and change "Primary Status".

    Secondary Status: This is the colored square that is superimposed on an icon. The secondary or sub icon color is based on CrossCheck status for a device. If the primary status is CrossCheck then there won't be a secondary status.

    Icon image: shape of the icon

    Dependencies: are used to determine how and when the device is polled.

    Membership: Specify the groups / maps the object is a member of. Modify an Object's Membership to place it in another group/map.

    Objects come in four formats:

    o Devices: are imported from CrossCheck or can be manually added here. These objects change color based on the Fault Index and the threshold settings in CrossCheck. To remove a device that was imported from CrossCheck, the 3rd Party Method must be disabled, or the device must be removed from the 3rd Party Method script or from the 3rd party application; otherwise it will continue to be re-imported after deletion.

      Label: If the device is imported from CrossCheck, this value is imported.

      Poll Using: Select IP Address, Hostname or Disable Polling.

      Notification: Select a Notification Profile which will be triggered when the CrossCheck Fault Index threshold is breached.

      Icon: The default icon type and size can be modified.

    o Groups: represent other maps and the status of devices in those maps. They are clickable and bring up the appropriate map.

    o Symbols: represent devices you want on your maps that don't display a status. They can be assigned labels and made clickable to launch other applications and/or web pages.

    o Text Boxes: can be placed on maps and generally contain text. Shapes, colors and size can all be defined, as well as the Label and a clickable link. Text boxes are for flash maps only. They cannot be placed on Google maps.

    NOTE: to modify the Google address of an Object, select a map the Object is on and then edit the Object. Since the same Object can be in multiple maps with different addresses, the map must be selected first. The 'Address' listed is generally the mailing address of the location of the Object. Google uses this 'Address' to locate the GPS coordinates. The actual GPS coordinates can also be manually edited.

    Adding custom Device icons:

    Object Icons: Save graphic icons to the ~/scrutinizer/html/images/maps directory with the naming convention of _object.gif. Make sure the background of the image is transparent or it may not look very good on the map.

    Device "Status" Icons: Save device icons to the ~/scrutinizer/html/images/maps directory with the naming convention of _red.gif and _green.gif. You must have two icons, one for up status (green) and one for down status (red). Make sure the backgrounds of the images are transparent or they may not look very good on the map.
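    As an added example (not part of the Scrutinizer product or this guide), the Python script below checks a directory of candidate icons before they are copied into ~/scrutinizer/html/images/maps: every status icon base name must have both a _red.gif and a _green.gif, and each icon must actually declare a transparent color, which for a GIF means a Graphic Control Extension with the transparent-color flag set. The base names (router, switch, cloud) and the two 1x1 sample GIFs are constructed for the demonstration; the page does not say what precedes the underscore in the file names, and the script only assumes that something does.

```python
"""Sanity checks for custom map icons destined for ~/scrutinizer/html/images/maps.

Added example, not part of the product.  Assumes a base name precedes
_red.gif / _green.gif (status icons) or _object.gif (object icons); the base
names in the sample data are made up.  Each status icon needs both variants,
and every icon must carry a GIF Graphic Control Extension (GCE) whose
transparent-color flag is set, i.e. a transparent background.
"""
import os
import re
import struct
import tempfile

STATUS_RE = re.compile(r"^(?P<base>.+)_(?P<color>red|green)\.gif$", re.IGNORECASE)
OBJECT_RE = re.compile(r"^(?P<base>.+)_object\.gif$", re.IGNORECASE)

# Constructed sample data: a 1x1 GIF89a whose GCE packed byte is 0x01
# (transparent-color flag set) and the same image with the flag cleared.
TRANSPARENT_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"      # header + screen descriptor
                   + b"\x00\x00\x00\xff\xff\xff"                    # 2-entry global color table
                   + b"\x21\xf9\x04\x01\x00\x00\x00\x00"            # GCE, transparent flag set
                   + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
                   + b"\x02\x02\x44\x01\x00\x3b")                   # LZW data + trailer
OPAQUE_GIF = TRANSPARENT_GIF.replace(b"\x21\xf9\x04\x01", b"\x21\xf9\x04\x00")


def gif_has_transparency(data):
    """True if any GCE in the GIF sets the transparent-color flag."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    packed = struct.unpack("<HHBBB", data[6:13])[2]
    pos = 13
    if packed & 0x80:                       # global color table follows
        pos += 3 * (2 << (packed & 0x07))   # 2^(N+1) RGB entries
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer
            break
        if block == 0x21:                   # extension: label, then data sub-blocks
            label = data[pos]
            pos += 1
            first = True
            while data[pos] != 0:
                size = data[pos]
                if label == 0xF9 and first and data[pos + 1] & 0x01:
                    return True             # GCE with transparent-color flag
                first = False
                pos += 1 + size
            pos += 1                        # block terminator
        elif block == 0x2C:                 # image descriptor
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:              # local color table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                        # LZW minimum code size
            while data[pos] != 0:           # image data sub-blocks
                pos += 1 + data[pos]
            pos += 1
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos - 1))
    return False


def check_icon_dir(directory):
    """Return sorted problem strings for the icons in directory (empty means OK)."""
    problems = []
    status_colors = {}
    for name in sorted(os.listdir(directory)):
        m_status, m_object = STATUS_RE.match(name), OBJECT_RE.match(name)
        if not (m_status or m_object):
            continue                        # ignore files outside the convention
        if m_status:
            base = m_status.group("base")
            status_colors.setdefault(base, set()).add(m_status.group("color").lower())
        with open(os.path.join(directory, name), "rb") as fh:
            if not gif_has_transparency(fh.read()):
                problems.append("%s: no transparent color set" % name)
    for base, colors in status_colors.items():
        for color in ("red", "green"):
            if color not in colors:
                problems.append("%s: missing %s_%s.gif" % (base, base, color))
    return sorted(problems)


def demo_icon_dir():
    """Build a throwaway icon directory from the sample GIFs and check it."""
    d = tempfile.mkdtemp()
    samples = {"router_red.gif": TRANSPARENT_GIF, "router_green.gif": TRANSPARENT_GIF,
               "switch_red.gif": TRANSPARENT_GIF,   # green variant missing
               "cloud_object.gif": OPAQUE_GIF,      # opaque background
               "readme.txt": b"not an icon"}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return check_icon_dir(d)


if __name__ == "__main__":
    for problem in demo_icon_dir():
        print(problem)
```

    Run it against a staging directory and only copy the icons in once the list comes back empty; the check reads only the GIF block structure, so it does not need an imaging library.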

    Flash Maps

    Overview

    The maps can be viewed by clicking on the map name. Backgrounds can be added to the maps by selecting them in the drop down box. The size of a background image dictates the length and width in pixels of the map. Gray scale background images are ideal as colorful maps distract from the messages displayed by the software.

    Save background images to the ~/scrutinizer/html/images/maps/backgrounds directory.

    Images can be in .gif, .jpg, .swf or .png format.

    NOTE: Maps with background images autoscale to the size of the background image. Animated flash images will work as well.

    Map Status

    Overview


    This Status tab allows convenient access to the status of a flow device without bringing up a map.

    Select a map at the top and then select a flow device from the drop down box.

    The Device Overview is displayed.

    Click on the InBound or OutBound bars to pop up utilization for the top conversations on the selected link for the past few (default =5) minutes.

    Click on the interface description to pop up a utilization trend for the selected link for the past 24 hours.

    Click Here to learn how to add links to other favorite third party applications that are not part of CrossCheck.

    Device Overview

    Overview

    Clicking on a device within a map launches the Device Overview. This window will display:

    The SNMP information

    Integration with 3rd party applications

    Applications associated with the device as determined by CrossCheck

    The three busiest interfaces

    Response Time and Availability Trends if the device is being polled

    Any outstanding alarms on the device


    Status Tab

    Status Tab

    Overview

    The Status tab is one of the most popular views for gaining quick access to the status of all the NetFlow capable interfaces on the network. Choose from one of several views. This tab and a corresponding view can be made the default under Admin tab > Security > User Preferences.

    The 4 LEDs at the top provide insight into the collector services and the status of the flows it is receiving. Click on the binoculars to search several flow exporting devices for an IP address or click on the spinning icon for several other options and utilities.

    The left frame lists the Device Explorer and is explained below:

    Wizards:

    Run Report Wizard: Used to create reports with filters

    Create Maps / Device Groups: Used to create groups / maps of devices that are currently in 'Ungrouped'. A device can be in more than one group.

    All Device Trends

    Cisco Medianet Jitter by Interface: This lists all Cisco interfaces exporting VoIP jitter information and ordered by most jitter. The default interval is 5 minutes. One minute intervals are available if you drill in on a device.

    Cisco Latency by Interface: This lists all Cisco interfaces exporting TCP latency information and ordered by most latency. The default interval is 5 minutes. One minute intervals are available if you drill in on a device.

    Cisco PfR Out of Policy: This lists all Cisco interfaces exporting PfR (Performance Routing) information, ordered by highest count out of policy. The default interval is 1 minute. Larger intervals are not available on this report.

    Views

    CrossCheck List: Provides a list of devices imported from 3rd party applications

    CrossCheck Summary: Summary report based on data from the CrossCheck List

    Service Level Report: Response time and availability reports based on polling.

    Top Interfaces: This report displays the top x interfaces on the network where flows are being received. Click on the headings to sort. The number to display (e.g. 25) is followed by pagination. The average time frame in the Inbound and Outbound columns is the last 5 minutes. Interfaces can be ordered by selecting Bits, Bytes, Packets or Percent from the drop down box. The number of interfaces can be specified, and there is a search box to find specific interfaces. The flow exporters are the routers, switches and other devices that the collector is receiving flows from. Green means the collector is currently receiving flows from the device. Red means the device has stopped sending flows to the collector for the interface.

    Clicking on the version of flow received (e.g. v9, v5) brings up the flow volume for the device.


    Clicking on a device name will prompt the user to run a report on availability or latency.

    Clicking on an interface name will bring up a list of reports for the selected interface. The default time frame is 24 hours in 30 minute intervals.

    If more than 1 template exists, the user will be prompted to select a template first. In most cases, selecting All templates is the best choice as this takes advantage of the Total tables created during Data Aggregation. In some cases (e.g. Cisco) the same flows are represented in two or more different templates and selecting all templates will result in overstated utilization. Templates usable for reports that are seen in the last 24 hours are displayed. Templates that don't get updated will disappear from the list after 24 hours.

    Clicking on the down arrow launches a menu to view inBound / outBound time trends or to clear the high water mark(s). The high water marks are the vertical dotted lines on the utilization bars. Pause the mouse over the dotted line to see the peak value in the ALT.

    The Device Details view can be launched by clicking on Device Details. The Device Overview can be launched by clicking on Device Overview.

    The Inbound and Outbound columns represent utilization over the last 5 minutes. Clicking on them will prompt the user to run a report for the last 5 minutes in 1 minute intervals.

    Top Mail Servers: This report displays the top x mail servers. Requires Mailinizer. Click on the server name and select a report for the last 24 hours. Click on the Sender, Recipient or Volume count to bring up a report for the last 5 minutes. Click on the column headings to sort.

    Groups

    Ungrouped: By default all flow exporting devices are placed in Ungrouped until they are placed into one or more user created groups.

    Group Name: Create a new Group by going to the Wizard and selecting "Create Maps / Device Groups".

    View This Map: Displays the map for the devices in the group.

    Modify Membership: Modify which flow exporting devices belong to the group.

    Group CrossCheck: View CrossCheck for the devices in this group.

    Service Level Report: View the Service Level Report for the flow exporting devices in this group.

    Show Interfaces: Show all interfaces for the flow exporting devices in this group.

    Exporters: Only devices that are exporting flows show up in the left column. The color of the icon represents the selected primary status for the object. The sub icon represents the value for the device in CrossCheck.

    Change Address: only appears if the device / object has been given a GPS address. Clicking on this will bring up the Map -> Objects tab for the device where the address or GPS information can be modified.

    Show Interfaces: displays the interfaces for the device.

    Report List: select a report and display the data. Clicking here will run the report for ALL interfaces of the device, resulting in the in traffic matching the out traffic. For this reason, this report is displayed inBound by default. If more than 1 template exists, the user will be prompted to select a template first. In most cases, selecting All templates is the best choice as this takes advantage of the Total tables created during Data Aggregation. In some cases (e.g. Cisco) the same flows are represented in two or more different templates and selecting all templates will result in overstated utilization. Templates usable for reports that are seen in the last 5 minutes are displayed. Templates that don't get updated will disappear from the list after 5 hours. Note this behavior is different from the 24 hour behavior found in the top interfaces view.

    http://www.plixer.com/custom/mailinizer.php


    Device Details: Device Details launches the Device View which lists SNMP details about the device as well as the interface speeds.

    Flow Templates (Advanced): displays the templates currently being received from the device.

    Reports Available (Advanced): displays all of the reports possible and the corresponding template fields necessary to run the report.

    Device Overview: Provides the overall status of the device by leveraging data from CrossCheck, the poller and the alarms.

    HTTP: Launch a web browser to the device.

    Telnet: Launch a telnet session to the device.

    FTP: Launch an FTP session to the device.

    SSH: Launch a Secure Shell connection to the device.

    Alarms: Displays the outstanding alarms for the device.

    *WhatsUp Gold is the trademark of ipswitch.com

    **Orion is the trademark of Solarwinds.com


    System

    Access Denied

    The Administrator has denied your user account from accessing this tool.

    Backups

    Overview

    This page explains the Alternate Copy and Backup Method for Large Scrutinizer Databases.

    Abstract

    Some users with large amounts of data being stored by Scrutinizer may find that using MySQL Administrator for backups is extremely slow and CPU intensive. MySQL Administrator takes a very conservative approach to doing the backup. This is reasonable for a general purpose backup tool with no application knowledge of what is being backed up. For Scrutinizer the additional overhead can degrade performance and is not necessary for a successful backup.

    Backing up the data

    The historical and configuration data for Scrutinizer is stored in \Scrutinizer\mysql\data. It is not recommended to back up \Scrutinizer\mysql\data directly. The recommended solution is to copy the data directory to a backup location and optionally run the backup tool on that directory.

    Copying the data

    Use the Windows command xcopy to hot-copy the MySQL data files to the backup directory.

    C:\>xcopy /D /E /I /Y /Z "\SCRUTINIZER\mysql\data" "\SCRUTINIZER_backup"

    The above command will only copy files that have changed. The initial copy will need to duplicate the entire DB. Subsequent runs will only copy files that have been modified since the previous run.

    Caveats

    Incrementally copying files with xcopy will not remove tables from the backup directory that have been dropped by Scrutinizer. To get a list of files to delete from the backup directory, simply reverse the xcopy command and add the /L switch so that it only lists the files without copying them.

    xcopy /D /E /I /Y /Z /L "\SCRUTINIZER_backup" "\SCRUTINIZER\mysql\data"
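    As an added example (not from this guide or the product), the Python script below does in a scriptable, cross-platform way what the two xcopy commands above do: it copies files from the data directory that are missing from or newer than the backup, and lists (or prunes) files that exist only in the backup, which are the tables Scrutinizer has dropped since the previous run. The directory paths are parameters; the \SCRUTINIZER paths in the main block are the placeholders used on this page.

```python
"""Incremental hot copy of the Scrutinizer MySQL data directory plus the
stale-file check that the reversed "xcopy /L" command performs.

Added example, not Plixer or SonicWALL code.  incremental_copy() mirrors
"xcopy /D /E /I /Y": every file missing from the backup, or newer in the
source than in the backup, is copied and directories are created as needed.
stale_files() lists files that exist only in the backup, i.e. tables that
Scrutinizer has dropped since the previous run, and prune_stale() deletes
them.  The paths in the main block are the placeholders used on this page.
"""
import os
import shutil


def incremental_copy(src, dst):
    """Copy new or newer files from src into dst; return the relative paths copied."""
    copied = []
    for root, _dirs, files in os.walk(src):
        rel = os.path.relpath(root, src)
        out_dir = dst if rel == "." else os.path.join(dst, rel)
        os.makedirs(out_dir, exist_ok=True)
        for name in files:
            s = os.path.join(root, name)
            d = os.path.join(out_dir, name)
            # Like xcopy /D with no date: copy when the destination is missing
            # or older than the source.  copy2 preserves the modification time,
            # so an unchanged file is not copied again on the next run.
            if not os.path.exists(d) or os.path.getmtime(s) > os.path.getmtime(d):
                shutil.copy2(s, d)
                copied.append(os.path.relpath(d, dst))
    return sorted(copied)


def stale_files(src, dst):
    """Relative paths present in dst but absent from src (what the reversed xcopy /L lists)."""
    stale = []
    for root, _dirs, files in os.walk(dst):
        rel = os.path.relpath(root, dst)
        for name in files:
            rel_path = name if rel == "." else os.path.join(rel, name)
            if not os.path.exists(os.path.join(src, rel_path)):
                stale.append(rel_path)
    return sorted(stale)


def prune_stale(src, dst):
    """Delete the stale files from dst and return what was removed."""
    removed = stale_files(src, dst)
    for rel_path in removed:
        os.remove(os.path.join(dst, rel_path))
    return removed


if __name__ == "__main__":
    # Placeholder paths from the page; adjust to the real install location.
    SRC = r"\SCRUTINIZER\mysql\data"
    DST = r"\SCRUTINIZER_backup"
    print("copied:", incremental_copy(SRC, DST))
    print("stale (dropped tables):", stale_files(SRC, DST))
```

    Review the output of stale_files() before calling prune_stale(); like the reversed xcopy /L, the listing is the safe step and the deletion is the one to run only once you have confirmed the files really are dropped tables.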

    Choosing when to run the backup

    There is no one right time to do a backup, but it is best to try and pick a time when Scrutinizer is least busy on your system. In addition to times when the network is busy, a few times to keep in mind are:

    2h: written to starting at the top of even hours

    12h: written to starting after 12 and midnight

    1d: written to starting after midnight

    1w: written to after midnight on Saturday


    Suggested times

    Weekly: 3 am Sunday

    Daily: 3 am daily

    Database Connection Failure

    Overview

    The system is having trouble connecting to the database. Please contact support directly for more information about your query.

    Distributed Collectors

    Overview

    Scrutinizer supports a distributed architecture where several servers can collect and report on flows received locally and simultaneously display data from all collectors. One or all collectors can act as and display the Central Interface.

    Central Interface

    The distributed architecture provides a central interface via MyView to view all interfaces from several separate NetFlow & sFlow collectors.

    Navigate to the MyView tab and create a new MyView, then give it a name (e.g. Central View). On the right hand side of the page, click on the (+) icon and a menu will appear. Click on the icon at the top to the right of the drop down menu. Enter a Title (e.g. Server 1). Take the default Height and Width; these can be adjusted later in the dashboard. Enter the URL:

    http://10.10.10.10/statusGadget.html?type=ti&limit=10&percent=1

    http://10.10.10.10/statusGadget.html?type=ti&limit=10

    You can also pass authentication:

    http://10.10.10.10/statusGadget.html?type=ti&limit=10&percent=1&user=&pass=

    http://10.10.10.10/statusGadget.html?type=ti&limit=10&user=&pass=

    Note that credentials passed in the query string this way are part of the URL, so they are visible in the browser history and in the web server's access log.

    To fit more gadgets into view without scrolling, increase your screen resolution or display settings to 1440 x 900 or greater.

    Language Translations

    Overview


    This software can be translated to another language. To translate or localize Scrutinizer to another language, navigate as follows:

    1. Admin Tab -> Definitions -> Language

    2. Select a language and make updates. Notice the pagination at the bottom; there are well over 1000 translations.

    3. Languages are saved as ~scrutinizer/files/localize_LANGUAGENAMEHERE.xls

    4. Contact support and they will create a file that can be imported into Scrutinizer to support your language.

    Systrax

    The Help tab is a link to http://www.systrax.com. This site is the on-line support community and is used to bring subjects of interest directly to customers and evaluators. This is done in several ways, some of which include:

    A frequently updated blog

    The on-line support forum. Posting a comment or question requires membership. Click here to join.

    Troubleshooting

    Getting Started Guide

    Contact Support: For assistance setting up the server or the collector or for navigation techniques.

    How to enable NetFlow or sFlow on various hardware.

    System LEDs: Familiarize yourself with these. They should all be green.

    FAQ: This page lists many common questions we have received over the years.

    Webvideos: These are short 2-5 minute videos that offer good general help with different areas of the software.

    Web Server Port

    Overview

    This software runs on the Apache Web Server.

    Follow these steps to change the web server port Scrutinizer is running on.

    1. Stop the "plixer_apache" service

    2. Edit the ~\SCRUTINIZER\apache\conf\httpd.conf

    3. Search for the line "listen 80" or "server name" or "127.0.0.1:80" or "localhost:80"

    4. Change the 80 to whatever you want

    5. Restart the Plixer apache web server service

    Links referenced in the Systrax, Troubleshooting and Web Server Port sections:

    http://www.systrax.com/

    http://www.plixer.com/blog

    http://forums.plixer.com/

    http://www.plixer.com/support/forums.php

    http://www.plixer.com/custom/configure-netflow-sflow.php

    http://www.plixer.com/custom/faq-scrutinizer.php

    http://www.systrax.com/custom/webcasts.php

    http://www.apache.org/
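    As an added example (not from this guide or the product), the Python function below applies steps 2 to 4 of the port-change procedure to the text of httpd.conf without touching unrelated numbers: it changes the port only on Listen, ServerName and <VirtualHost> lines that carry the old port, leaves comments and other ports such as 8080 alone, and reports how many lines it changed so that a run which matched nothing is obvious. The sample configuration text is constructed, and the new port 8443 is an arbitrary choice for the demonstration.

```python
"""Change the web server port in a Scrutinizer httpd.conf (steps 2 to 4).

Added example, not Plixer or SonicWALL code.  Only the directives the page
says to search for are touched: "Listen 80", "ServerName host:80" and
addresses such as 127.0.0.1:80 or localhost:80 in <VirtualHost ...> lines.
Comments and unrelated numbers (Timeout 80, Listen 8080) are left alone, and
the number of changed lines is returned so an edit that matched nothing is
visible.  SAMPLE_CONF is constructed for the demonstration.
"""
import re

# "Listen 80" or "Listen 127.0.0.1:80": optional address, then the port.
LISTEN_RE = re.compile(r"^(\s*Listen\s+(?:[^\s:]+:)?)(\d+)(\s*)$", re.IGNORECASE)
# "ServerName localhost:80"
SERVERNAME_RE = re.compile(r"^(\s*ServerName\s+[^\s:]+:)(\d+)(\s*)$", re.IGNORECASE)
# "<VirtualHost 127.0.0.1:80>" or "<VirtualHost *:80>"
VHOST_RE = re.compile(r"^(\s*<VirtualHost\s+[^\s:>]+:)(\d+)(\s*>\s*)$", re.IGNORECASE)

SAMPLE_CONF = """\
# Listen 80 is the default; this comment must not change
Listen 80
ServerName localhost:80
<VirtualHost 127.0.0.1:80>
    DocumentRoot "C:/SCRUTINIZER/html"
</VirtualHost>
Listen 8080
Timeout 80
"""


def change_port(conf_text, old_port, new_port):
    """Return (rewritten text, number of lines changed)."""
    if not 1 <= new_port <= 65535:
        raise ValueError("port must be between 1 and 65535")
    out = []
    changed = 0
    for line in conf_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]             # keep the original line ending
        if not body.lstrip().startswith("#"):  # comments are left alone
            for pattern in (LISTEN_RE, SERVERNAME_RE, VHOST_RE):
                m = pattern.match(body)
                if m and int(m.group(2)) == old_port:
                    body = m.group(1) + str(new_port) + m.group(3)
                    changed += 1
                    break
        out.append(body + newline)
    return "".join(out), changed


if __name__ == "__main__":
    new_text, count = change_port(SAMPLE_CONF, 80, 8443)
    print("%d line(s) changed" % count)
    print(new_text, end="")
```

    Read httpd.conf, pass its text through change_port(), and write the result back only if the count is what you expect (one Listen line at minimum) before restarting the plixer_apache service as step 5 says.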

    SSL Support

    Please contact support to acquire the SSL version of Scrutinizer.

    To configure SSL, run ~\SCRUTINIZER\bin\scrut_util -ssl and follow the instructions provided.


    Index

    A

    access ....................................................... 33

    alarms ....................................................... 15

    apache ....................................................... 35

    C

    configuration............................................. 3, 6

    D

    database .................................................... 34

    denied ....................................................... 33

    E

    Executive Summary ..................................... 29

    F

    failure ........................................................ 34

    Flow Analytics ............................................. 17

    I

    interfaces ................................................... 29

    M

    main page .................................................... 1

    main view................................................... 29

    manual ........................................................ 1

    Mapping ................................ 23, 24, 25, 26, 27

    Maps .......................................................... 23

    O

    overview .................................................... 29

    P

    preferences ............................................... 3, 6

    S

    scalability ................................................... 11

    server hardware .......................................... 11

    server performance ...................................... 11

    server specifications ..................................... 11

    settings .................................................... 3, 6

    status ........................................................ 29

    status tab ..................................................