Observer GigaFlow


Configuration/Profiling

Host Profiler Wizard

Enter:

  • Name and description. Click Next.
  • Client addresses, i.e. devices whose traffic will be monitored. These devices can be identified by IP or MAC address. You can enter a single IP address, a range, or a subnet, e.g. 1.1.1.0/255.255.255.0, or a MAC address or range, e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff. Click Next.
  • Allowed applications. Select an application from the drop-down list or create a new application at Configuration > Applications.
  • Click Submit.

Service Profiler Wizard

Enter:

  • Name and description. Click Next.
  • Allowed traffic patterns, i.e. allowed applications/services. Select an application from the drop-down list or create a new application at Configuration > Applications. Click Next.
  • Client addresses, i.e. devices whose traffic will be monitored. These devices can be identified by IP or MAC address. You can enter a single IP address, a range, or a subnet, e.g. 1.1.1.0/255.255.255.0, or a MAC address or range, e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff. Click Next.
  • Allowed server addresses, i.e. servers whose use is allowed. These devices can be identified by IP or MAC address. You can enter a single IP address, a range, or a subnet, e.g. 1.1.1.0/255.255.255.0, or a MAC address or range, e.g. 00:0c:29:82:c8:85,00:0c:29:00:00:00-00:0c:29:ff:ff:ff.
  • Click Submit.

Add Profiler

Located at Configuration > Profiling.

This is where you can create profiles that define the normal behaviour of your network.

  • Profiling is a very powerful feature.
  • A Flow Object is a logical set of defined flows and IP source and destination addresses.
  • Flow objects make it possible to build up a complex profile or Profiler quickly. These terms are used interchangeably.
  • A particular network behaviour that involves network flow objects is described by a Profiler.

To get going, create your first profile.

  • A good way to start is to select one type of device and a single IP of this type.
  • For example, in retail, this might be a point of sale machine.
  • Then build a profile based on expected flows out of the device IP.
  • This profile can serve as a template for real-time monitoring; this is an Allowed profile.

Step one is then to create a new Flow Object at Configuration > Applications. To create a flow object:

To create a new Profiler (this term is used interchangeably with profile):

  • Go to Configuration > Profiling.
  • Give the new Profiler a name and description.
  • Select an Entry profile (the profile to be monitored) and an Allowed profile (the acceptable profile) from the drop-down lists. The Entry and Allowed profile selection includes basic flow objects, i.e. individual devices on your network. A profile is a flow object that is itself a combination of flow objects.
  • If you want to be alerted when an exception occurs, select Yes from the drop-down menu.
  • Click Save.

Existing Profilers

This table displays a list of existing profiles.

  • ID: the profile ID.
  • Name: the name of the profile.
  • Description: a description of the profile.
  • Entry: the Entry profile is the profile that is to be monitored. The Entry and Allowed profile selection includes basic flow objects, i.e. individual devices on your network. A profile is a flow object that is itself a combination of flow objects.
  • Allowed: the Allowed profile is the target, or acceptable, profile.
  • Checks: this is the number of times that the profiles were compared.
  • Hits: this is the number of matches between the Entry and Allowed profiles.
  • Exceptions: the number of times that the flow records for this profile have deviated from the ideal, or Allowed, profile.
  • Alert: true or false; true means an alert is raised when an exception is detected.
  • Actions: profiles can be edited, the exception count can be reset and the profile rank order can be raised or lowered.
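As an added illustration (not GigaFlow's own code), the Python below parses the address formats the Host and Service Profiler wizards accept (single IP, IP range, subnet with dotted mask, MAC address, MAC range, comma-separated) and evaluates flow records against a Service Profiler's allowed servers and applications, producing the Checks, Hits and Exceptions counters described in the table above. The flow records, address specifications and application names are constructed samples; treating any colon-bearing address as a MAC (so no IPv6) is an assumption of this example.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def addr_to_int(addr):
    """IPv4 or MAC to int (assumption: a colon means MAC; IPv6 is not handled)."""
    if ":" in addr:
        if not MAC_RE.match(addr.lower()):
            raise ValueError(f"bad MAC address: {addr}")
        return int(addr.replace(":", ""), 16)
    return int(ipaddress.ip_address(addr))

def parse_address_spec(spec):
    """'a, b-c, net/mask' -> list of inclusive (low, high) integer intervals."""
    intervals = []
    for item in spec.replace(" ", "").split(","):
        if "/" in item:      # subnet with dotted mask, e.g. 1.1.1.0/255.255.255.0
            net = ipaddress.ip_network(item, strict=False)
            intervals.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in item:    # IP or MAC range, e.g. 00:0c:29:00:00:00-00:0c:29:ff:ff:ff
            lo, hi = item.split("-", 1)
            intervals.append((addr_to_int(lo), addr_to_int(hi)))
        else:                # single IP or MAC address
            intervals.append((addr_to_int(item), addr_to_int(item)))
    return intervals

def matches(addr, intervals):
    v = addr_to_int(addr)
    return any(lo <= v <= hi for lo, hi in intervals)

def run_profiler(flows, client_spec, server_spec, allowed_apps):
    """A flow from a client address is a Check; a Hit if server and application
    are both allowed, otherwise an Exception (the Existing Profilers counters)."""
    clients, servers = parse_address_spec(client_spec), parse_address_spec(server_spec)
    counters = {"checks": 0, "hits": 0, "exceptions": 0}
    for src, dst, app in flows:
        if not matches(src, clients):
            continue         # not a monitored (Entry) device
        counters["checks"] += 1
        ok = matches(dst, servers) and app in allowed_apps
        counters["hits" if ok else "exceptions"] += 1
    return counters

SAMPLE_FLOWS = [  # constructed (src, dst, application) records, not captured traffic
    ("1.1.1.20", "10.0.0.5", "POS-Backend"),
    ("00:0c:29:82:c8:85", "10.0.0.6", "POS-Backend"),
    ("1.1.1.22", "198.51.100.9", "POS-Backend"),   # server not allowed
    ("1.1.1.23", "10.0.0.5", "SSH"),               # application not allowed
    ("192.0.2.7", "10.0.0.5", "SSH"),              # not a monitored client
]
CLIENTS = "1.1.1.0/255.255.255.0, 00:0c:29:00:00:00-00:0c:29:ff:ff:ff"
```

Calling `run_profiler(SAMPLE_FLOWS, CLIENTS, "10.0.0.1-10.0.0.10", {"POS-Backend"})` counts four checks, two hits and two exceptions; the flow from 192.0.2.7 is skipped because it is not from an Entry device.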