Enter:
- Name and description. Click Next.
- Client addresses, i.e. devices whose traffic will be monitored. These devices can be identified by IP or MAC address. You can enter a single IP address, a range or a subnet, e.g. 1.1.1.0/255.255.255.0, or a MAC address or range, e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff. Click Next.
- Allowed applications. Select an application from the drop-down list or create a new application at Configuration > Applications.
- Click Submit.
Enter:
- Name and description. Click Next.
- Allowed traffic patterns, i.e. allowed applications/services. Select an application from the drop-down list or create a new application at Configuration > Applications. Click Next.
- Client addresses, i.e. devices whose traffic will be monitored. These devices can be identified by IP or MAC address. You can enter a single IP address, a range or a subnet, e.g. 1.1.1.0/255.255.255.0, or a MAC address or range, e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff. Click Next.
- Allowed server addresses, i.e. servers whose use is allowed. These devices can be identified by IP or MAC address. You can enter a single IP address, a range or a subnet, e.g. 1.1.1.0/255.255.255.0, or a MAC address or range, e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff.
- Click Submit.
Located at Configuration > Profiling.
This is where you can create profiles that define the normal behaviour of your network.
- Profiling is a very powerful feature.
- A Flow Object is a logical set of defined flows and IP source and destination addresses.
- Flow objects make it possible to build up a complex profile or Profiler quickly. These terms are used interchangeably.
- A particular network behaviour that involves network flow objects is described by a Profiler.
To get going, create your first profile.
- A good way to start is to select one type of device and a single IP of this type.
- For example, in retail, this might be a point of sale machine.
- Then build a profile based on expected flows out of the device IP.
- This profile can serve as a template for realtime monitoring; this is an Allowed profile.
Step one is then to create a new Flow Object at Configuration > Applications. To create a flow object:
To create a new Profiler (this term is used interchangeably with profile):
- Go to Configuration > Profiling.
- Give the new Profiler a name and description.
- Select an Entry profile (the profile to be monitored) and an Allowed profile (the acceptable profile) from the drop-down lists. The Entry and Allowed profile selection includes basic flow objects, i.e. individual devices on your network. A profile is a flow object that is itself a combination of flow objects.
- If you want to be alerted when an exception occurs, select Yes from the drop-down menu.
- Click Save.
This table displays a list of existing profiles.
- ID: the profile ID.
- Name: the name of the profile.
- Description: a description of the profile.
- Entry: the Entry profile is the profile that is to be monitored.
- The Entry and Allowed profile selection includes basic flow objects, i.e. individual devices on your network. A profile is a flow object that is itself a combination of flow objects.
- Allowed: the Allowed profile is the target, or acceptable, profile.
- Checks: this is the number of times that the profiles were compared.
- Hits: this is the number of matches between the Entry and Allowed profiles.
- Exceptions: the number of times that the flow records for this profile have deviated from the ideal, or Allowed, profile.
- Alert: true or false. This is set to true if an alert is raised when an exception is detected.
- Actions: profiles can be edited, the exception count can be reset and the profile rank order can be raised or lowered.
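How the Checks, Hits and Exceptions counters relate to an Entry and an Allowed profile, as an added Python illustration that is not the product's own code. It assumes IPv4 and colon-separated MAC addresses, that an application is a (protocol, destination port) pair, and that one check is counted per flow from an Entry client; the function names and sample flows are constructed.

```python
import ipaddress, re
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def _key(value):  # IPv4 or MAC address -> comparable (kind, int) pair
    if MAC_RE.match(value):
        return "mac", int(value.replace(":", ""), 16)
    return "ip", int(ipaddress.IPv4Address(value))

def parse_spec(spec):
    """Turn 'addr, low-high, net/mask' into (kind, low, high) ranges."""
    ranges = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "/" in item:  # subnet: dotted netmask or prefix length both parse
            net = ipaddress.IPv4Network(item, strict=False)
            item = f"{net[0]}-{net[-1]}"
        low, _, high = item.partition("-")
        (kind, lo), (kind_hi, hi) = _key(low), _key(high or low)
        if kind != kind_hi or lo > hi:
            raise ValueError(f"bad range: {item}")
        ranges.append((kind, lo, hi))
    return ranges

def matches(ranges, *addresses):  # True if any IP/MAC given is in a range
    keys = [_key(a) for a in addresses if a]
    return any(k == kind and lo <= v <= hi for k, v in keys for kind, lo, hi in ranges)

def run_profile(entry_spec, allowed_apps, server_spec, flows):
    """Compare flows from Entry clients with the Allowed apps and servers."""
    entry, servers = parse_spec(entry_spec), parse_spec(server_spec)
    result = {"checks": 0, "hits": 0, "exceptions": []}
    for src_ip, src_mac, dst_ip, proto, dport in flows:
        if not matches(entry, src_ip, src_mac):
            continue  # not a monitored client, so no comparison is made
        result["checks"] += 1
        if (proto, dport) in allowed_apps and matches(servers, dst_ip):
            result["hits"] += 1
        else:
            result["exceptions"].append((src_ip, dst_ip, proto, dport))
    return result

FLOWS = [  # constructed sample: (src_ip, src_mac, dst_ip, proto, dport)
    ("1.1.1.20", None, "10.0.0.5", "tcp", 443),                    # hit
    ("1.1.1.20", None, "203.0.113.9", "tcp", 443),                 # server not allowed
    ("1.1.1.21", None, "10.0.0.5", "tcp", 23),                     # application not allowed
    ("192.168.5.5", "00:0c:29:12:34:56", "10.0.0.5", "tcp", 443),  # hit, matched by MAC
    ("2.2.2.2", None, "10.0.0.5", "tcp", 443),                     # not an Entry client
]
ENTRY = "1.1.1.0/255.255.255.0, 00:0c:29:00:00:00-00:0c:29:ff:ff:ff"
REPORT = run_profile(ENTRY, {("tcp", 443)}, "10.0.0.5", FLOWS)
```

With this sample, `REPORT` holds 4 checks, 2 hits and 2 exceptions; the flow from 2.2.2.2 is never compared because it is outside the Entry profile.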