© SecurActive 2013 WHAT’S NEW IN VERSION 2.18?

What's new in Performance Vision version 2.18



PERFORMANCE VISION VERSION 2.18

Applications

HTTP improvements & TLS support

Protocols: Stack, Netflow & Skinny

Flexibility, Usability & Performance


Performance Vision 2.18

NEW APPLICATION DEFINITION

Applications


APPLICATION DEFINITION

Manage your application definitions:

With the internal editor

With your favorite tool (any CSV capable software)

SPV Internal Editor or any CSV capable software

Support both:

Import and Export


NEW APPLICATION LIST

Application Definition Application Rules

Create your own custom applications with the new editor

First step: Create your application

Second step: Define your application rules


EASILY CREATE NEW APPLICATIONS

Create your own custom applications with our new editor.

First step: Create your application


EASILY DEFINE APPLICATION RULES

Create your own custom applications with our new editor.

Second step: Define your application rules


APPLICATION RULES: CRITERIA

| Criteria | Description | Example |
|---|---|---|
| Priority | Higher values: highest priority | 0 (default) or -100 or 1000 |
| IP Protocol | IP Protocol | TCP, UDP, IPv6, ICMP… |
| Server Port | Single value or range | 0 or 8080 - 8090 |
| Protocol Stack | List of protocols composing the flow | IPv4/*/DNS |
| Pattern | Web pattern for URL matching | *.mycompany.com/intranet |
| Client IP | IP or Subnet | 192.168.80.0/24 or 192.168.80.1 |
| Server IP | IP or Subnet | 192.168.80.0/24 or 192.168.80.1 |
| Poller | Poller that receives the traffic | SPV (localhost) |
| Device | Port on which the traffic gets in | eth1 |
| Netflow Source | IP or subnet of Netflow device | 127.69.12.99 |
| Client Zone | Name of the selected zone | Internal Clients Sales |
| Server Zone | Name of the selected zone | Servers Database |
| Vlan | Single value or range | 15 or 100-200 |
| Ethernet Protocol | Ethernet protocol | IPv4 (0x800), IPv6 (0x86DD),… |
| Client Side MAC | MAC Address | 12:34:56:78:9A:BC |
| Server Side MAC | MAC Address | 12:34:56:78:9A:BC |


APPLICATION RULES: COMBINATION

An application is defined by the scope of all associated rules.

Rules are combined with an OR operator

Application = Rule 1 OR Rule 2
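A small model of the rule evaluation described on the criteria and combination slides, added here as an example and not taken from Performance Vision: the rules of an application are OR-combined, and it is assumed that when rules of several applications match the same flow, the highest Priority value wins. Only the IP Protocol, Server Port and Client IP criteria are modelled; `Rule`, `classify`, `flow` and the rule set are constructed names and data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:                       # hypothetical model, not the product's schema
    app: str
    priority: int = 0             # page: 0 is the default, higher value wins
    ip_protocol: Optional[str] = None               # "TCP", "UDP", ...
    server_ports: Optional[Tuple[int, int]] = None  # inclusive range
    client_net: Optional[str] = None                # single IP or subnet

    def matches(self, flow: dict) -> bool:
        # Assumption: the criteria set inside one rule must all match (AND).
        if self.ip_protocol and flow["ip_protocol"] != self.ip_protocol:
            return False
        if self.server_ports:
            low, high = self.server_ports
            if not low <= flow["server_port"] <= high:
                return False
        if self.client_net:
            net = ipaddress.ip_network(self.client_net, strict=False)
            if ipaddress.ip_address(flow["client_ip"]) not in net:
                return False
        return True

def classify(flow: dict, rules: list):
    """Return (winning application or None, applications that also matched)."""
    hits = [r for r in rules if r.matches(flow)]   # rules are OR-combined
    if not hits:
        return None, []                            # non classified traffic
    best = max(hits, key=lambda r: r.priority)     # first rule wins a tie
    shadowed = sorted({r.app for r in hits} - {best.app})
    return best.app, shadowed

# Constructed rule set: "intranet" has two rules, either one is enough.
RULES = [
    Rule("web-proxy", ip_protocol="TCP", server_ports=(8080, 8090)),
    Rule("intranet", 1000, "TCP", (8080, 8080), "192.168.80.0/24"),
    Rule("intranet", 1000, "TCP", (443, 443), "192.168.80.1"),
    Rule("other-udp", -100, "UDP"),
]

def flow(client_ip, ip_protocol, server_port):
    return {"client_ip": client_ip, "ip_protocol": ip_protocol,
            "server_port": server_port}

if __name__ == "__main__":
    for f in (flow("192.168.80.1", "TCP", 8080), flow("10.0.0.5", "TCP", 8085),
              flow("192.168.80.1", "TCP", 443), flow("10.0.0.5", "TCP", 22)):
        print(f, "->", classify(f, RULES))
```

The second element of the result lists applications whose rules matched but lost on priority, which is the overlap worth reviewing when a flow lands in an unexpected application.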


APPLICATION CONFIGURATION

Application Configuration

Web Applications are directly integrated into application rules

Dynamic Protocols page is no longer useful thanks to auto-discovery

2.15 2.18


CHECK APPLICATION RULES CONFIGURATION

Check application rules configuration

Review the full rules list

Test matching rules


IMPROVE PERFORMANCE BY DELETING UNUSED APPLICATIONS

Need to speed up performance?

Check unused applications

Review and delete unused applications


CREATE NEW APPLICATIONS FROM NON CLASSIFIED TRAFFIC

One-click application creation

Create an application with these properties

Use Filters for Non Classified traffic


Performance Vision 2.18

HTTP IMPROVEMENTS & TLS SUPPORT


DECODE HTTPS TRAFFIC

Install private keys on the probe

Decode HTTPS (TLS) traffic

Check constraints: User Guide > Configuration > TLS Decryption


TLS HANDSHAKE & SSL PROTOCOL NEGOTIATION

Exchange between Client and Server over the Network:

Client -> Server: SYN (I would like to start a conversation with you)

Server -> Client: SYN ACK (Sure, it would be a pleasure!)

Client -> Server: ACK

Client -> Server: Client Hello (I request a secure connection, here is my list of preferred cipher suites)

Server -> Client: Server Hello (Ok, among these, here is what we will use to discuss)

Server -> Client: Certificate (This is my identity (digital certificate))

Server -> Client: Server Hello Done (So far, I have nothing more to say)

Client -> Server: Client Key Exchange (Here is a pre-master secret encrypted using your public key)

Client -> Server: Change Cipher Spec (I’m switching to secure mode, all future communication should be done that way)

Client -> Server: Finished (I’m done with TLS negotiation, do you understand me?)

Server -> Client: Change Cipher Spec (I’m switching to secure mode too, all future communication should be done that way)

Server -> Client: Finished (I’m done with TLS negotiation, do you understand me?)

Client <-> Server: Data (Encrypted Data)

List must be compatible


NOTIFICATION ON INVALID KEYS

If a key is malformed, a notification is sent

Displayed in the notification area

Accessible through the Event Log

A key can be valid but not suited to the traffic or can be using an inappropriate protocol


HTTP PERFORMANCE: TOP URL

Displays top URL

Best when used with a filter on a host


TOP URL AGGREGATES URL WITHOUT QUERY STRINGS

| Full transaction URL | Top URL | Count |
|---|---|---|
| /service/soap/SearchRequest?ID=256789&Query=Azerty | /service/soap/SearchRequest | 5 |
| /service/soap/SearchRequest?ID=256789&Query=Qwerty | | |
| /service/soap/SearchRequest?ID=012345&Query=Azerty | | |
| /service/soap/SearchRequest?ID=987654&Query=Azerty | | |
| /service/soap/SearchRequest?ID=256789&Query=Poiuyt | | |
| /service/soap/DoSearch?Ax76h=0564 | /service/soap/DoSearch | 2 |
| /service/soap/DoSearch | | |

Displays top URLs, without query strings

Differentiates up to the ? character


IMPROVED HTTP INSPECT PAGE

The HTTP Inspect page has been updated

More information

Better design


REMOVED THE DEPRECATED WEB BROWSING

2.15 2.18

The deprecated Web module has been removed

Conversations are now in HTTP Performance

Reports will be migrated automatically


HTTP HITS ANALYSIS

Adds URL parsing on all HTTP traffic

Standard history length with degradation rules


HTTP PERFORMANCE LEVELS

No HTTP: HTTP traffic in Applications & Network conversations. No data in HTTP Performance.

Hits: Adds URL parsing on all HTTP traffic. Standard history length with degradation rules.

Pages: Adds page level analysis on selected traffic. 48 hours history maximum.

Store Content: Store HTTP requests with "Save HTTP content" option.

HTTPS: Adds HTTPS analysis on traffic for which appropriate keys are provided.


HTTP PERFORMANCE IMPACT

Check impact of HTTP Hits!

Go to Workload database

Validate license limits

Enable / Disable HTTP Hits

Reduce scope of HTTP Pages

[Figure: Database, CPU, RAM and Disk impact gauges for the No HTTP, Hits, Pages and HTTPS levels, and a Disk gauge labelled "With this option"]


LINK TO CONFIGURATION FOR HTTP PAGES ACTIVATION

A warning is displayed with a direct link to configuration if HTTP Pages is not activated

Applies to HTTP Performance > Pages


Performance Vision 2.18

PROTOCOLS: STACK, NETFLOW & SKINNY


PROTOCOL STACK

A New Depth in Analysis!


PROTOCOL STACK

Ethernet

IPv4 (tunnel)

IPv6

TCP

HTTP

Identify the different protocol layers of a flow

Make all sorts of tunnels visible

Can automatically detect protocols even when running on non standard ports


PROTOCOL STACK

Protocol Stack data is available in:

Flow Detail screens

Raw Data screens

Applications

Network


PROTOCOL STACK FILTER

New Protocol Stack filter available on most screens

Separate protocol layers with the / character

Autocomplete list

Simple wildcard syntax

Advanced regex filtering

Examples:

*IP*/UDP/DNS

*IP*/*/DNS

~.*IPv4/(TCP|UDP)$
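An offline matcher for the three filter examples above, added here as an illustration and not taken from the product. It assumes a filter is compared with the whole stack string, that `*` is a shell-style wildcard which may span several layers, and that a leading `~` switches to a regular expression anchored at the start; the stacks and `TUNNEL_FILTER` are constructed.

```python
import fnmatch
import re

def stack_matches(filter_expr: str, stack: str) -> bool:
    """Match one protocol stack string such as 'Ethernet/IPv4/UDP/DNS'."""
    if filter_expr.startswith("~"):
        # Assumption: '~' introduces a regex, anchored at the start of the stack.
        try:
            return re.match(filter_expr[1:], stack) is not None
        except re.error as exc:
            raise ValueError(f"invalid regex filter {filter_expr!r}: {exc}")
    # Assumption: '*' is a shell-style wildcard and may span several layers.
    return fnmatch.fnmatchcase(stack, filter_expr)

def select(filter_expr: str, stacks: list) -> list:
    """Return the stacks that the filter keeps, in input order."""
    return [s for s in stacks if stack_matches(filter_expr, s)]

# Constructed stacks; the third and fourth carry an inner IP layer (a tunnel).
STACKS = [
    "Ethernet/IPv4/UDP/DNS",
    "Ethernet/IPv6/UDP/DNS",
    "Ethernet/IPv4/GRE/IPv4/UDP/DNS",
    "Ethernet/IPv4/IPv6/TCP/HTTP",
    "Ethernet/IPv4/TCP/HTTP",
    "Ethernet/IPv4/TCP",
]

# Constructed regex filter: two IP layers in one stack, i.e. encapsulated traffic.
TUNNEL_FILTER = "~.*IPv[46]/.*IPv[46]/"

if __name__ == "__main__":
    for expr in ("*IP*/UDP/DNS", "*IP*/*/DNS", "~.*IPv4/(TCP|UDP)$", TUNNEL_FILTER):
        print(expr, "->", select(expr, STACKS))
```

Under these assumptions the `$`-terminated regex keeps only flows whose top identified layer is bare TCP or UDP over IPv4, while the wildcard filters also keep DNS carried inside the GRE tunnel.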


LIST OF PROTOCOLS IN PROTOCOL STACK

Port Independent Protocol Identification

Protocols identified independently of the port number used (non exhaustive list):

ARP, BGP, Bittorrent, CIFS, Citrix, DNS, DNS/TCP, ERSPAN, Ethernet, FTP, Gnutella, GRE, HTTP, ICMP, ICMPv6, IMAP, IPv4, IPv6, IRC, Jabber, MGCP, MySQL, Netbios, NTP, PCanywhere, POP, PostgreSQL, RDP, RTCP, RTP, SDP, SIP, Skinny, SSLv2, TCP, Telnet, TLS, TNS, UDP, VNC


NETFLOW V5 SUPPORT

Support of Netflow v5

Integrated in Performance Vision workflow

DeviceID displays ports In -> Out of the switch


NETFLOW FILTERING

A new filter is available

Use 0.0.0.0/0 to see all Netflow traffic


NETFLOW V5 CONFIGURATION

Set up your devices to send Netflow traffic to the IP address of any Performance Vision collector or poller

Configure Netflow devices update frequency!

You must configure all your Netflow emitters to expire flows after not more than 2 minutes.

[Figure: Netflow sources sending to a central collector and remote pollers]


VOIP: SKINNY SUPPORT (BETA)

Support of Cisco’s Skinny Call Control Protocol (SCCP) in beta

In 2.18: VoIP Module: SIP, MGCP and Skinny


Performance Vision 2.18

FLEXIBILITY, USABILITY & PERFORMANCE


NPS WORKS IN DISTRIBUTED MODE

[Figure: an NPS collector with several NPP pollers]

NPS works in distributed mode

Support of NPP pollers.

Network metrics only


AN APS COLLECTOR SUPPORTS NPP POLLER(S)

[Figure: an APS collector with APP pollers and one NPP poller]

If absolutely required, this kind of configuration will work.

You will only have network metrics from the NPP poller


AN NPS COLLECTOR DOES NOT SUPPORT APP POLLER(S)

[Figure: an NPS collector with NPP pollers and one APP poller]

This kind of configuration, mixing an APP poller with an NPS collector, will not work.


MORE FREEDOM WITH ENTERPRISE LICENSE AGREEMENT (ELA)

Virtual APP (Poller) 1 credit

Virtual APS Express 1 credit

Virtual APS 100k flows 3 credits

Virtual APS Unlimited Flows 5 credits


Buy a stock of credits

Turn credits into licenses

Benefits

Full flexibility

Economics based on the volume of credits


15 20 30 50 75 100


RAW DATA FOR IN-DEPTH ANALYSIS

Raw Data: In-depth flow analysis


RAW DATA FOR IN-DEPTH ANALYSIS

Flow Detail: Grouped by 2 minutes

Raw Data: No grouping

Display database data without any grouping

Useful for in-depth troubleshooting

Application behavior auditing


NEXT LEVEL CUSTOM FILTERS

For more information: User Guide > Appendix > Custom Filters

Examples:

app='sql-intranet' and srt > 200ms

bandw >= 10MiB and 0win > 100

begin > 100 and ct.count = 0

app='video_live' and diffserv != 20

(ip=10.10.*.* or ip.srv=10.20.30.*) and os.clt='linux'

zone in 'Headquarters' and port.srv > 1024 and begin > 10000

(proto=udp and port.srv=53) and zone in '/Private/DNS'

Build fully customized filters for in-depth data mining.


COMBINE ADVANCED FILTERS

Combine advanced filter options

Build custom requests to isolate specific traffic

2.15 2.18


ADVANCED FILTERS: NEW OPTIONS

Add two new options in advanced filters:

Exclude intersection of provided zones

Only intersection of provided zones



INTEGRATION OF NON IP TRAFFIC IN GENERAL WORKFLOW

Non IP traffic is integrated in global workflow

New option “Non IP” in Protocol filter

Works for both tables and graph views


PERFORMANCE IMPROVEMENTS

Performance oriented improvements

More aggressive default data degradation

ICMP can now be degraded


MORE AGGRESSIVE DEFAULT DATA DEGRADATION

Version 2.15

Version 2.18

Default configuration is more aggressive on data degradation

No automatic update during migration

Use “Default” button to apply 2.18 factory settings to a migrated 2.15


DATA DEGRADATION ON ICMP

Data merging enhancements

Data degradation is now possible on ICMP

Clear indication on which metric is degraded


PERFORMANCE: UNDER THE HOOD

Improved network sniffing

Better usage of multi-core by the sniffer/dumper

Optimized database querying

Database improvements for user requests (up to +20% faster)

Faster exporting

Export to CSV is significantly faster


SIMPLIFIED DISPLAY OF FILTERS

New filter presentation

Default basic filters on one line

Expand for more filters if needed

Memorize expansion state (session)


NEW TABLES DESIGN

Refined look & feel

Show / hide data columns

Memorize show / hide state (session)


INTEGRATED CONTEXTUAL HELP

Contextual help for expert filters is displayed:

On mouse over help icon

On field focus (click or tab)


NEW FILTERS FOR DASHBOARDS

Dashboards get extended filter options

2.15

2.18


DEFAULT VALUES FOR BCA/BCN

Save time on BCA/BCN creation

Default values for BCA creation

Use predefined templates for BCN


LIST OF GENERATED REPORTS

Display reports stored on the probe

Delete files

Browse through ftp


EMAIL ALERTS TO ADMINISTRATOR

An email alert is sent (once per hour) on:

License issue

Disk is almost full (<150 MB)

Configure SMTP Server and administrator’s email in Pulsar


SLIDE ON MATRIXES SCREENS WITH KINETICS

Move the matrixes with Kinetics

Click and drag (use inertia)

Efficiency depends on browser


SPV FOR DEVELOPERS, GEEKS, NERDS…

For developers, it is now possible to:

Programmatically run searches

Retrieve the result as HTML or PDF

through support of session-less access

Retrieve the Top Servers page as stripped-down HTML, using the command-line with wget:

wget 'http://admin:admin@SPV/++skin++simplehtml/nevrax/network/ipstats_dst.html?filter.capture_begin=2013-01-31+14:50'

For more information:

User Guide > Appendix > SPV For Developpers


GET IN TOUCH THROUGH NEW FORUM

Through the forum to be launched

Follow news and announcements

Get general support

Provide feedback & feature requests


Version 2.18

User Guide

Release Notes

DOCUMENTATION UPDATE

Documentation update:

One-click access in the interface

Available on SecurActive web site

User guide and release notes

http://www.securactive.net/en/resource-library/usersguide


VERSION 2.18: IMPACTS SUMMARY

Main Impacts compared to 2.15:

Database Migration Time: Medium

HTTP Hits

No major impact on existing metrics

Check impact of HTTP Hits on workload and license limits

Impact on database is medium.

Update should take a few minutes to one hour or more depending on database size


REBOOT AFTER UPDATE

After the upgrade is completed


YOU’RE READY TO GO, ENJOY!