Figure: GigaFlow's login screen
The left menu contains links to the main outputs from GigaFlow.
Figure: Detail of the left main menu
The top menu contains links to system configuration, system settings and user settings.
Figure: Detail of the top main menu
Most items in GigaFlow will have a white information button on a gray background at the top right. Click this to link out to the relevant section in the GigaFlow Reference Manual.
You can refresh any page in GigaFlow using the browser refresh button.
By clicking, holding and dragging left or right, you can create a report for any shorter time period.
Figure: Click and drag to create a report for a particular timeframe within a timeline
The user selects a shorter time period of interest by clicking and dragging, in this case from just before 11:00 to just before 11:15.
Figure: Re-scaled timeline
The timeline is re-drawn for the selected time period. All associated information on this page is recalculated, i.e. tables and graphs.
Throughout GigaFlow, all hyperlinks are colored blue.
The system search is at the top of every GigaFlow page; it is a powerful and convenient way to access information directly, returning relevant matches and detailed summary information.
The left hand side of the search results screen displays summary information about that IP address, including:
The Treeview, a kind of graphical flow mapping, will automatically load on the right hand side of the search results screen. This is a visual representation of the inbound and outbound traffic associated with a selected device.
See Search > Graphical Flow Mapping for more.
Figure: GigaFlow's search bar and results screen. In this screenshot, the user is searching for an IP address, 172.21.21.254.
Scrolling down reveals additional results:
The tabbed box on the left displays search results for that IP address, including any infrastructure device it is associated with, the number of interfaces it was recently seen on, IP entry details, ARP entries and the number of secflow events associated with it.
Each item can be clicked to display more information and follow-on searches can be carried out for linked information, e.g. for associated MAC addresses.
GigaFlow can search by MAC address. This returns the name of the connected device and its VLAN.
To search by MAC address:
After searching the MAC address a number of key pieces of information will be displayed, including:
From here, some of the other actions you can take include:
To search by username:
To search for a specific network switch:
To make a follow-on search from a specific device or switch:
GigaFlow Search provides access to the Graphical Flow Mapping feature. Searching for any IP address returns summary tables as well as a visualisation of flows during the reporting period selected.
To access this feature, search for an IP address. See Searching by IP Address above.
On the right hand side of the screen, you will see the Graphical Flow Map.
Figure: GigaFlow's Graphical Flow Map
The Graphical Flow Map is an interactive visualisation of the flows associated with that IP address. The branches of the Graphical Flow Map can be expanded to show associated interfaces and destination and source devices. These in turn can be explored.
To explore the Graphical Flow Map:
See also Profiling > Events > Flow Details
After logging in, you will see the Server Overview Dashboard. From here you have direct access to some of GigaFlow's main functions.
Figure: GigaFlow's main dashboard
Located at Dashboards > Performance Overview.
This is a summary of traffic across the busiest infrastructure devices over the past hour. Infrastructure devices are routers sending flow as well as other Layer-2 devices that are not sending flow but sending ARP and CAM Tables. The information displayed includes:
When more than ten devices are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This is a summary of traffic across the busiest interfaces over the past hour. The information displayed includes:
When more than ten interfaces are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
See Configuration > Infrastructure Devices for setup instructions.
This graph shows the traffic associated with the busiest traffic groups over the past hour. The information displayed includes:
When more than ten traffic groups are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This graph shows the traffic associated with the busiest applications over the past hour. The information displayed includes:
When more than ten applications are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This graph shows the traffic associated with the busiest source IPs in the past hour. The information displayed includes:
When more than 10 IP addresses are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This graph shows the traffic associated with the busiest destination IPs in the past hour. The information displayed includes:
When more than 10 IP addresses are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
Located at Dashboards > Server Overview.
Figure: Detail of the left main menu and Dashboards submenu.
This default welcome screen shows summary server flow information with three main sections:
This is a summary of traffic across all of your infrastructure devices ranked by the busiest network device. Infrastructure devices are routers sending flow as well as other Layer-2 devices that are not sending flow but sending ARP and CAM Tables. The information displayed includes:
The bars on the graph indicate the volume of data seen over the reporting period, by default 2 hours.
This is a graph and table of interface bit rates, with a breakdown by individual interface. This is a summary of the busiest interfaces across your network.
See Configuration > Infrastructure Devices for setup instructions.
When more than 10 devices are registered, the full list can be displayed by clicking the List All drill down icon beside the table title.
The CSV link at the top right of the table generates a .csv export.
This middle graph shows all events and alerts across your network during the reporting period.
Figure: Detail of GigaFlow's report period selection panel, at the top of most pages
Figure: Clicking in either the From or To field brings up a date and time selector.
Click once on any infrastructure device IP address or interface in the tables and you will be taken to an overview report for that device or interface. You can access the same overview using GigaFlow's search function. Search for the IP address and in the main left-hand side table, click the Infrastructure Device name. In the right-hand side table, click Overview.
See Dashboards > Device Overview and Dashboards > Interface Overview.
Located at Dashboards > Device Overview; there is also a unique Device Overview subpage for each infrastructure device.
From the Dashboards menu, the Device Overview option displays:
This information is also displayed in Performance Overview and in Server Overview. See Dashboards > Performance Overview > Top Devices (Last Hour v Last Week Hour) and Dashboards > Server Overview.
Device Overview Subpages
Click once on any infrastructure device IP address or interface in the tables and you will be taken to an overview report for that device or interface. You can access the same overview using GigaFlow's search function. Search for the IP address and in the main left-hand side table, click the Infrastructure Device name. In the right-hand side table, click Overview.
The overview for each infrastructure device includes graphs and tables with useful information. These include:
This panel lists the most important device information, including:
You can add an Attribute, or alias, for network infrastructure by selecting from the interface Attributes drop down selector. See Configuration > Attributes for more on attributes. This panel lists attributes and useful tools associated with the selected device, including:
Attributes. See Configuration > Infrastructure Devices and click on any device for more.
Links out to useful tools, including Forensics, ARPs, CAMs, Live Interfaces and Traffic Overview.
Links to associated integrations. See System > Global for more about integrations.
Figure: Visual from Device Overview subpage
The information is presented as a pie-chart. Each application can be queried by clicking the drill down icon for more.
This graph shows the top 10 ports/applications associated with this device in the past hour.
This graph shows the top 10 traffic group pairs associated with this device in the past hour.
This graph shows the top 10 source IPs associated with this device in the past hour.
This graph shows the top 10 destination IPs associated with this device in the past hour.
This graph shows the summary traffic volume information for this device (MB/s).
This graph shows the summary interface traffic volume information for this device (MB/s).
A timeline of threat events associated with the device in the report period.
A table of all the interfaces associated with this device is displayed at the bottom of the page; the information presented includes:
Located at Dashboards > Interface Overview; there is also a unique Interface Overview subpage for each interface.
From the Dashboards menu, the Interface Overview option displays high-level summary information; some of this is also displayed in Server Overview. See Dashboards > Server Overview. The three graphs displayed are:
Figure: GigaFlow's Interface Overview page
Click once on any infrastructure device IP address or interface in the tables and you will be taken to an overview report for that device or interface. You can access the same overview using GigaFlow's search function. Search for the IP address and in the main left-hand side table, click the Infrastructure Device name. In the right-hand side table, click Overview.
Dedicated Interface Overview Pages
At the top of the page, you can see:
This panel displays the interface details:
You can edit these at Configuration > Infrastructure Devices.
You can add an Attribute, or alias, for an interface by selecting from the interface Attributes drop down selector. See Configuration > Attributes for more. This panel lists attributes and useful tools associated with the selected interface, including:
In addition, you will see graphs and tables of:
This is a summary of the total traffic for that interface.
This is a summary of the total inward traffic for that interface.
This is a summary of the total outward traffic for that interface.
This is a summary of the total inward packets for that interface.
This is a summary of the total outward packets for that interface.
A summary of the total inward flows for that interface.
This is a summary of the total outward flows for that interface.
Summary of inbound DSCP (differentiated services code point) markings, used for ingress policing configuration.
Summary of outbound DSCP markings, used for ingress policing configuration.
Summary of inbound DSCP markings, used for egress policing configuration.
Summary of outbound DSCP markings, used for egress policing configuration.
Application traffic overview.
This graph shows the traffic associated with the busiest applications over the past hour. The information displayed includes:
When more than ten applications are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This graph shows the top 10 source IPs over the past hour; this is compared with the same hour a week before.
This graph shows the top 10 destination IPs over the past hour; this is compared with the same hour a week before.
This is a graph and table of traffic group bit rates, with a breakdown by individual traffic group. This is a summary of the busiest traffic groups across your network.
See Configuration > Traffic Groups for setup instructions.
When more than 10 traffic groups are registered, the full list can be displayed by clicking the List All drill down icon beside the table title.
The CSV link at the top right of the table generates a .csv export.
This section provides an overview of the traffic associated with source IPs.
This graph shows the traffic associated with the busiest applications over the past hour. The information displayed includes:
When more than ten applications are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This graph shows the top 10 destination IPs over the past hour.
This graph shows the top 10 destination IPs over the past hour.
This is a graph and table of traffic source IP bit rates, with a breakdown by individual traffic group. This is a summary of the busiest traffic source IPs across your network.
When more than 10 traffic source IPs are registered, the full list can be displayed by clicking the List All drill down icon beside the table title.
The CSV link at the top right of the table generates a .csv export.
This section provides an overview of the traffic associated with destination IPs.
This graph shows the traffic associated with the busiest applications over the past hour. The information displayed includes:
When more than ten applications are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This graph shows the top 10 source IPs over the past hour.
This graph shows the top 10 destination IPs over the past hour.
This is a graph and table of traffic destination IP bit rates, with a breakdown by individual traffic group. This is a summary of the busiest traffic destination IPs across your network.
When more than 10 traffic destination IPs are registered, the full list can be displayed by clicking the List All drill down icon beside the table title.
The CSV link at the top right of the table generates a .csv export.
Located at Dashboards > Traffic Group Overview; there is also a unique Traffic Group Overview subpage for each Traffic Group.
From the Dashboards menu, the Traffic Group option displays summary information.
Traffic Group Subpages
Click once on any Traffic Group name in the table and you will be taken to an overview report for that Traffic Group.
Click once on any of the "Down Arrows" beside the Traffic Group name in the table and you will be taken to the forensics report for that Traffic Group.
The overview for each Traffic Group includes graphs and tables with useful information (similar to device overviews). These include:
This graph shows the top 10 destination IPs over the past hour.
This graph shows the top 10 destination IPs over the past hour.
This graph shows the top 10 source IPs over the past hour.
This graph shows the top 10 destination IPs over the past hour.
This graph shows the source traffic associated with traffic groups over the past hour. The information displayed includes:
When more than ten traffic groups are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This graph shows the destination traffic associated with traffic groups over the past hour. The information displayed includes:
When more than ten traffic groups are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
Located at Dashboards > Events.
From the Dashboards menu, the Events option displays summary information about events and exceptions. See also Dashboards > Server Overview. You can also click on Events item in the main menu to access the same information.
Some things that will trigger an event record include:
On the Events page, you can see:
A timeline of all events in the reporting period, the Events Graph. A tabulated version of this information is shown underneath.
Figure: Events Graph
Figure: Event Categories infographic
Figure: Confidence & Severity infographic
By clicking once on any legend item, you will be taken to a detailed report, e.g. detailed reports for each Event Type, Source Host, Infrastructure Device, Event Category and Target Host.
To view a world map overlaid with attack/event trajectories, click on the Threat Map main menu item.
Figure: The main threat map visualization
Alongside the map, you will see the expandable tables:
Most items in the side tables can be examined in isolation, i.e. Event IP Sources, Event Types, Event Categories, Event Devices, Event IP Destinations.
Click on the relevant IP and the page will display information related only to that IP.
The main table below the map displays a complete summary of the threats mapped over time. In addition to the information presented in the side tables, the main table includes:
See Dashboards > Events.
The Profiling main menu item has three options: Realtime Overview, Event Dashboard and Traffic Groups.
Profiles help you to understand the normal behaviour of your network. For more, and to create profiles, go to Configuration > Profiling.
Profiling > Realtime Overview
The Realtime Profiling Status shows realtime data on defined Profilers. The display updates every 5 seconds and shows:
Located at Profiling > Profiling Events.
The Profiling Event Dashboard gives an overview of profile events.
Figure: The Profiling Events page
At the top of the page you can set both the reporting period and resolution, from one minute to 4 weeks.
This infographic shows a timeline of the number of events with the profile(s) involved. Circle diameters represent the number of events. The peak number of events in the timeline for each profile is highlighted in red.
This infographic shows a timeline of the number of events along with their estimated severity level(s). Circle diameters represent the number of events. The peak number of events in the timeline for each severity level is highlighted in red.
Event Entries is dynamically generated; you must click Click To Load to populate the table. The Event Entries table gives a breakdown of profile events with the following entries:
A drop-down selector lets you choose the number of events to display.
To access a detailed overview of any flow, click on the adjacent Drill Down icon. This provides a complete overview of that flow, listing:
See Glossary for more about flow record fields used by GigaFlow.
See also Search for instructions to access the Graphical Flow Mapping feature.
By clicking any Category, Severity, Source IP or Target IP in the Event Entries table, you will be taken to a version of the Events Dashboard filtered for that item.
See Dashboards > Events for an overview of the structure of this page.
Located at Profiling > Traffic Groups.
Traffic groups are subnet and IP range aliases.
This graph shows the top 10 destination IPs over the past hour.
This graph shows the top 10 destination IPs over the past hour.
This graph shows the top 10 source IPs over the past hour.
This graph shows the top 10 destination IPs over the past hour.
This graph shows the traffic associated with traffic groups over the past hour. The information displayed includes:
When more than ten traffic groups are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
This graph shows the destination traffic associated with traffic groups over the past hour. The information displayed includes:
When more than ten traffic groups are registered, the full list can be displayed by clicking the drill down icon. This displays a tabular version of all the data, with a CSV export option.
Reports gives you access to system reports and logs. GigaFlow stores a record of all reports. Reports can be generated in many ways but most commonly by viewing a Forensics page; viewing a Forensics page automatically generates a report. When a report is generated by a user, it is cached by the system and can be accessed again almost immediately. In addition, all recorded reports can be re-run from scratch at any time. Runtimes vary with the scope of the report, i.e. reports that involve more data will take longer to complete. Typical reports for limited periods of time complete in seconds.
Administrators have access to all reports run by all users.
See Configuration > Reporting for more.
Located at Reports > My Current Queries.
My Current Queries lists your queries currently in process. The table includes:
The filters used to define the report.
Located at Reports > My Complete Queries.
My Complete Queries lists your completed queries. The table includes:
Located at Reports > All Complete Queries.
This option provides administrators with a view of all queries made by all users.
This option provides administrators with a view of all forensic queries made by all users.
Located at Reports > Canceled Queries.
Canceled Queries lists your canceled queries. The table includes:
Located at Reports > Cluster Search.
Figure: Conducting a GigaFlow Cluster search
Following the search link from Apex, you will be brought to a new tab and the log in screen for the Pitcher machine. After logging in, you will be brought to the GigaFlow Cluster report page.
Figure: The initial view of the GigaFlow Cluster report page
This displays a list of hits for this IP address across the cluster; in this example, the IP address 172.21.21.21 was found on 11 devices monitored by three receivers. On these receivers the system found 9 devices with data matching the search and there were no errors.
In the first table, each GigaFlow server is listed with:
Figure: Clicking on the drill down icon beside a result brings up the full user interface and a forensics report for that device on the associated GigaFlow server
The system allows ten minutes between running the report and viewing these results without re-authentication.
You can also select different report types to run on that device on that GigaFlow server by selecting from the drop-down menu. See Reports > Forensics in the main Reference Manual for more.
Located at Reports > DB Queries.
DB Queries displays a list of the most recent database queries. The information returned includes:
Located at Reports > Forensics.
See Configuration > Reporting for instructions on how to configure and create new report types. See Appendix > Forensic Report Types for a complete description of the different report types.
Forensics allows you granular, filterable reporting on the stored records. GigaFlow records flow posture, i.e. whether or not a flow is flagged as an excepted event, allowing for detailed analysis.
To create a report:
As an example, a router (an infrastructure device) has the IP address 192.0.2.1. This router was defined at Configuration > Infrastructure Devices.
Choose an Applications report from the report type drop-down menu.
Choose Infrastructure Device from the filter drop-down menu.
Choose the router from the list of devices and apply the filter by clicking +.
The system will return a graph and/or table with details of:
Queries can be entered directly and quickly using the direct filtering syntax.
| Field | Operators | Description | Example |
|---|---|---|---|
| srcadd | =, != | IP address that the traffic came from. | srcadd=172.21.40.2 |
| dstadd | =, != | IP address that the traffic went to. | dstadd=172.21.40.3 |
| inif | <, =, >, != | ifIndex of the interface through which the traffic came into the router. | inif=23 |
| outif | <, =, >, != | ifIndex of the interface through which the traffic left the router. | outif=25 |
| pkts | <, =, >, != | Number of packets seen in the flow. | pkts>100 |
| bytes | <, =, >, != | Number of bytes seen in the flow. | bytes<10000 |
| duration | <, =, >, != | Duration of the flow in milliseconds. | duration>100 |
| srcport | <, =, >, != | Source port of the flow. | srcport>1024 |
| dstport | <, =, >, != | Destination port of the flow. | dstport=5900 |
| flags | <, =, >, != | TCP flags of the flow; flags=2 means SYN only. | flags=CEUAPRSF |
| proto | <, =, >, != | IP protocol number/type. | proto=16 |
| tos | <, =, >, != | TOS marking. | tos=104 (Flash) |
| srcas | <, =, >, != | Source AS number. | srcas!=5124 |
| dstas | <, =, >, != | Destination AS number. | dstas!=5124 |
| fwextcode | =, != | Forwarding extended code. | fwextcode='out-of-memory' |
| fwevent | =, != | Forwarding event. | fwevent!='Flow Deleted' |
| tgsource | =, <> | Traffic group source. | tgsource<>'My network 1' |
| tgdest | =, <> | Traffic group destination. | tgdest<>'Other' |
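The table above gives the fields and operators but not how a filter string is turned into a match against stored flow records. The following is an added example, not GigaFlow's own code: a small parser and evaluator for the direct filtering syntax, run over a few constructed flow records. It assumes (the page does not say) that several clauses can be written one after another, separated by spaces or commas, and are ANDed; the TCP flag letters are mapped to the standard flag bits, which is consistent with the table's flags=2 meaning SYN only.

```python
import re
from typing import Any, Dict, List, Tuple

# Fields taken from the direct filtering syntax table, with the operators each accepts.
NUMERIC_FIELDS = ("inif", "outif", "pkts", "bytes", "duration", "srcport",
                  "dstport", "flags", "proto", "tos", "srcas", "dstas")
FIELD_OPERATORS: Dict[str, set] = {f: {"<", "=", ">", "!="} for f in NUMERIC_FIELDS}
FIELD_OPERATORS.update({
    "srcadd": {"=", "!="}, "dstadd": {"=", "!="},
    "fwextcode": {"=", "!="}, "fwevent": {"=", "!="},
    "tgsource": {"=", "<>"}, "tgdest": {"=", "<>"},
})

# Standard TCP flag bits. The table's flags=2 (SYN only) and flags=CEUAPRSF
# (all eight letters, highest bit first) both fit this encoding.
TCP_FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32, "E": 64, "C": 128}

# One clause: field, operator, then either a 'quoted value' or a bare token.
# Listing <> and != before < > = makes the alternation pick the two-character operator first.
CLAUSE_RE = re.compile(r"([A-Za-z]+)\s*(<>|!=|<|>|=)\s*('[^']*'|[^\s,]+)")


def flags_value(text: str) -> int:
    """Accept flags as a number (flags=2) or as flag letters (flags=SA)."""
    if text.isdigit():
        return int(text)
    try:
        return sum(TCP_FLAG_BITS[ch] for ch in text.upper())
    except KeyError:
        raise ValueError(f"unknown TCP flag letter in {text!r}") from None


def parse_filter(text: str) -> List[Tuple[str, str, Any]]:
    """Turn a filter string into (field, operator, typed value) clauses.

    Assumption: clauses are separated by spaces or commas and ANDed together.
    """
    clauses = []
    for field, op, raw in CLAUSE_RE.findall(text):
        field = field.lower()
        if field not in FIELD_OPERATORS:
            raise ValueError(f"unknown field {field!r}")
        if op not in FIELD_OPERATORS[field]:
            raise ValueError(f"operator {op!r} is not valid for {field!r}")
        value: Any = raw[1:-1] if raw.startswith("'") else raw
        if field == "flags":
            value = flags_value(value)
        elif field in NUMERIC_FIELDS:
            value = int(value)  # raises ValueError on a non-numeric token
        clauses.append((field, op, value))
    leftover = CLAUSE_RE.sub("", text).strip(" ,\t")
    if leftover or not clauses:
        raise ValueError(f"could not parse filter text: {text!r}")
    return clauses


def is_valid_filter(text: str) -> bool:
    """True when the text parses under the table's field and operator rules."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def clause_matches(record: Dict[str, Any], field: str, op: str, value: Any) -> bool:
    actual = record.get(field)
    if actual is None:
        return False  # a record without the field never matches
    if op == "=":
        return actual == value
    if op in ("!=", "<>"):
        return actual != value
    if op == "<":
        return actual < value
    return actual > value


def run_filter(text: str, records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the records that satisfy every clause of the filter."""
    clauses = parse_filter(text)
    return [r for r in records if all(clause_matches(r, *c) for c in clauses)]


# Constructed sample flow records using the table's field names (not real data).
SAMPLE_FLOWS = [
    {"srcadd": "172.21.40.2", "dstadd": "172.21.40.3", "inif": 23, "outif": 25,
     "pkts": 340, "bytes": 210000, "duration": 1500, "srcport": 51234, "dstport": 5900,
     "flags": 0x1A, "proto": 6, "tos": 0, "srcas": 0, "dstas": 0,
     "fwevent": "Flow Created", "tgsource": "My network 1", "tgdest": "Other"},
    {"srcadd": "10.0.0.5", "dstadd": "172.21.40.3", "inif": 23, "outif": 25,
     "pkts": 1, "bytes": 60, "duration": 0, "srcport": 40000, "dstport": 445,
     "flags": 0x02, "proto": 6, "tos": 0, "srcas": 64512, "dstas": 0,
     "fwevent": "Flow Deleted", "tgsource": "Other", "tgdest": "My network 1"},
    {"srcadd": "192.0.2.9", "dstadd": "198.51.100.7", "inif": 11, "outif": 12,
     "pkts": 20, "bytes": 4000, "duration": 300, "srcport": 5060, "dstport": 5060,
     "flags": 0, "proto": 17, "tos": 104, "srcas": 5124, "dstas": 65000,
     "fwevent": "Flow Created", "tgsource": "My network 1", "tgdest": "Other"},
]

if __name__ == "__main__":
    for query in ("dstport=5900", "flags=S", "tgsource<>'My network 1'", "pkts>10 bytes<10000"):
        print(query, "->", [f["srcadd"] for f in run_filter(query, SAMPLE_FLOWS)])
```

Rejecting an operator the table does not allow for a field (for example `srcadd>...`) at parse time, rather than silently comparing strings, is the check worth keeping when such a syntax is exposed to users.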
Located at Reports > First Packet Response.
First Packet Response (FPR) is a useful diagnostic tool, allowing you to compare the difference between the first packet time-stamp of a request flow and the first packet time-stamp of the corresponding response flow from a server. By comparing the FPR of a transaction with historical data, you can troubleshoot unusual application performance.
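To make the FPR computation concrete, here is an added example (not GigaFlow's code) that pairs each request flow towards a monitored server with the response flow whose 5-tuple is reversed, takes the difference of the two first-packet timestamps in milliseconds, and compares each result with a historical baseline. The monitored server set, the flow records and the "three times the historical median" rule are constructed assumptions for the example; GigaFlow's own monitored servers come from Configuration > Server Subnets.

```python
from statistics import median
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    first_packet: float  # timestamp of the flow's first packet, in seconds
    srcadd: str
    srcport: int
    dstadd: str
    dstport: int
    proto: int


def first_packet_responses(flows: List[Flow], monitored: Set[str]) -> List[Dict]:
    """Pair each request flow to a monitored server with its response flow.

    The response is the flow with the 5-tuple reversed and the server as source;
    FPR is the gap between the two first-packet timestamps, in milliseconds.
    Requests that never saw a response are reported with fpr_ms = None.
    """
    responses = {
        (f.srcadd, f.srcport, f.dstadd, f.dstport, f.proto): f.first_packet
        for f in flows if f.srcadd in monitored
    }
    results = []
    for req in flows:
        if req.dstadd not in monitored:
            continue
        key = (req.dstadd, req.dstport, req.srcadd, req.srcport, req.proto)
        resp = responses.get(key)
        results.append({
            "server": req.dstadd, "port": req.dstport, "client": req.srcadd,
            "fpr_ms": None if resp is None else round((resp - req.first_packet) * 1000, 3),
        })
    return results


def slow_transactions(current: List[Dict], history_ms: List[float], factor: float = 3.0) -> List[Dict]:
    """Transactions whose FPR exceeds `factor` times the historical median (an assumed rule)."""
    baseline = median(history_ms)
    return [t for t in current if t["fpr_ms"] is not None and t["fpr_ms"] > factor * baseline]


# Constructed sample data: one monitored server and a few request/response pairs.
MONITORED_SERVERS = {"172.21.40.3"}  # stand-in for Configuration > Server Subnets
SAMPLE_FLOWS = [
    Flow(1000.000, "172.21.40.2", 51234, "172.21.40.3", 443, 6),
    Flow(1000.004, "172.21.40.3", 443, "172.21.40.2", 51234, 6),  # 4 ms response
    Flow(1001.000, "10.0.0.5", 40001, "172.21.40.3", 443, 6),
    Flow(1001.250, "172.21.40.3", 443, "10.0.0.5", 40001, 6),     # 250 ms response
    Flow(1002.000, "10.0.0.6", 40002, "172.21.40.3", 443, 6),     # no response seen
    Flow(1003.000, "10.0.0.7", 5060, "198.51.100.7", 5060, 17),    # not a monitored server
]
HISTORY_MS = [3.8, 4.1, 4.0, 5.2, 3.9, 4.4, 4.0]  # constructed historical FPR values

if __name__ == "__main__":
    current = first_packet_responses(SAMPLE_FLOWS, MONITORED_SERVERS)
    for t in current:
        print(t)
    print("slow:", [t["client"] for t in slow_transactions(current, HISTORY_MS)])
```

A request with no matching response is kept in the output rather than dropped, because a missing response is itself a diagnostic signal and is easy to lose if the pairing silently discards it.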
On loading, this page displays any First Packet Response information available for Monitored Servers.
Figure: The First Packet Response reports page
To set up a monitored server, go to Configuration > Server Subnets.
The displayed information includes:
Click the Ticker check box next to a device to enable a ticker in the table below with live response times in milliseconds.
A network audit report is a standard-format JSON object that contains a summary of all the devices registered by GigaFlow that belong to a particular subnet.
Network audit reports are enabled for a particular subnet at Reports > System Wide Reports > Subnet List. Enabling a network audit runs the network audit script for the selected subnet(s). You can view the network audit script at System > Event Scripts.
Server configuration happens at Configuration > Server Subnets.
Located at Reports > Saved Reports.
Newly generated reports of interest can be saved for reference. Click Save in the top right corner.
Once a report has been saved it can be viewed in two ways: (i) Open, which opens the report without running it so that more filters can be added; (ii) Open and Run.
Saved Reports are listed with the following information:
Each automatically discovered server is listed here with:
Clicking on a device brings up detailed information for that server.
Details about each discovered server are shown here, with information about its behaviour as a source and destination for traffic. Two tables are shown on screen.
Located at Reports > System Wide Reports.
These are static reports produced by GigaFlow. From the Reports menu, the System Wide Reports option expands to display a further five options:
Located at Reports > System Wide Reports > SYN Forensics Monitoring.
GigaFlow monitors all TCP flows where only the SYN bit is set. In normal network operations, this indicates that a flow has not seen a reply packet while active in a router's Netflow cache.
A lonely SYN can be an indicator that:
GigaFlow creates an alert when:
On the SYN Forensics Monitoring page, you can find two tables of information:
Each table lists the following information:
See also System > Alerting
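The logic behind SYN Forensics Monitoring, as an added example (not GigaFlow's code): a TCP flow whose only flag is SYN and which has no flow in the reverse direction is a lonely SYN; the example finds those over constructed flow records, summarises them per source, and lists sources over a threshold. The threshold is an assumed value for illustration; the page refers to System > Alerting for GigaFlow's own alert settings.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

TCP = 6
SYN = 0x02  # TCP flag bit for SYN


class Flow(NamedTuple):
    first_seen: float  # seconds since epoch for the first packet
    srcadd: str
    dstadd: str
    srcport: int
    dstport: int
    proto: int
    flags: int  # cumulative TCP flags seen in the flow
    pkts: int


def lonely_syns(flows: List[Flow]) -> List[Flow]:
    """TCP flows whose only flag is SYN and for which no reverse-direction flow exists.

    A completed handshake leaves SYN|ACK (and usually more) in the flags field and a
    flow in the opposite direction; a SYN that is alone has seen neither.
    """
    seen = {(f.srcadd, f.srcport, f.dstadd, f.dstport) for f in flows if f.proto == TCP}
    lonely = []
    for f in flows:
        if f.proto != TCP or f.flags != SYN:
            continue
        reverse = (f.dstadd, f.dstport, f.srcadd, f.srcport)
        if reverse not in seen:
            lonely.append(f)
    return lonely


def summarise_by_source(lonely: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Per source IP: how many lonely SYNs, towards how many hosts and how many ports."""
    hosts, ports, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for f in lonely:
        count[f.srcadd] += 1
        hosts[f.srcadd].add(f.dstadd)
        ports[f.srcadd].add(f.dstport)
    return {src: {"lonely_syns": count[src], "targets": len(hosts[src]), "ports": len(ports[src])}
            for src in count}


def sources_over_threshold(summary: Dict[str, Dict[str, int]], threshold: int) -> List[str]:
    """Sources with at least `threshold` lonely SYNs (assumed alert rule for this example)."""
    return sorted(src for src, s in summary.items() if s["lonely_syns"] >= threshold)


# Constructed sample flows (not real data).
SAMPLE_FLOWS = [
    # completed connection: both directions seen, flags 0x1A = ACK|PSH|SYN
    Flow(1000.0, "172.21.40.2", "172.21.40.3", 51234, 443, TCP, 0x1A, 30),
    Flow(1000.1, "172.21.40.3", "172.21.40.2", 443, 51234, TCP, 0x1A, 28),
    # a single SYN to a host that never answered (host down or filtered)
    Flow(1001.0, "172.21.40.2", "172.21.40.99", 51235, 22, TCP, SYN, 1),
    # twelve unanswered SYNs from one source to twelve ports on one host
    *[Flow(1002.0 + i, "10.0.0.5", "172.21.40.3", 40000 + i, 20 + i, TCP, SYN, 1)
      for i in range(12)],
    # a UDP flow: never a TCP handshake, so it must be ignored
    Flow(1003.0, "192.0.2.9", "198.51.100.7", 5060, 5060, 17, 0, 20),
]

if __name__ == "__main__":
    summary = summarise_by_source(lonely_syns(SAMPLE_FLOWS))
    for src, s in summary.items():
        print(src, s)
    print("over threshold:", sources_over_threshold(summary, 10))
```

Counting distinct target hosts and ports per source, rather than only the number of lonely SYNs, is what separates a single unreachable service from the wider pattern a lonely-SYN table is meant to reveal.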
Located at Reports > System Wide Reports > Device Connections.
This page lists all known network connected devices. This list is used as a look-up for Layer-2 to Layer-3 connectivity.
The table lists:
Clicking the export icon beside the page title creates a .csv file for download or printing.
Located at Reports > System Wide Reports > MAC Address Vendors
This page shows information about devices associated with particular MAC vendors on your network; GigaFlow displays:
Click on Count to populate the second table, MAC Addresses. These are the individual devices associated with that vendor. For each device, the table shows:
The Subnet List report summarises all the subnets automatically discovered using SNMP. The details listed are:
This report summarises infrastructure devices by flow rate, showing a graph and table listing, for each device:
Located at Reports > SQL Report.
Select how many of the most recent SQL Queries to view from the drop-down menu, i.e. the most recent 10, 50, 100 or All.
The table lists the following information:
Located at Reports > User Events.
Select how many of the most recent User Events to view, i.e. the most recent 50, 100, 250 or 500 events.
This table gives information about:
GigaFlow's IpViewer2 uses MapBox to visualise the physical location of IP addresses.
Figure: The Configuration menu
GigaFlow comes loaded with a standard set of application port and protocol definitions. Flow records are associated with application names if there is a match.
Users can define their own application names within the software and have that application ID (Appid) available within the flow record. There are 3 techniques used, applied in order:
Flow Objects are defined by:
IP addresses, MAC addresses, Ports and Traffic Groups can also be defined as both Source/Destination.
You can AND existing profile(s) to the new Flow Object (ANDd), i.e. the new definitions are added to the existing profile(s).
You can also select alternative existing profile(s) that this new profile also maps to (ORd), i.e. the new Flow Object matches either the new definitions or the existing Flow Object definitions.
To AND or OR profile(s), use the drop-down menu in the Flow Object definitions and click the +.
As an example, a printer installation at a particular location connected to a particular router can be defined by a Flow Object that consists of:
Or
A second Flow Object can be defined that will have its flow checked against the Allowed profile; this is an Entry profile.
To add a protocol or port application, click the Add protocol/port application icon and enter:
Click Save.
Already defined applications are listed here. Existing applications can be edited to associate icons.
Already defined flow objects are listed here.
Already defined protocol/port applications are listed here. Existing protocol/port applications can be edited to associate icons.
Located at Configuration > Attributes.
Attributes are aliases used to help with identification of network infrastructure and users. Assigning an attribute category to a MAC address, user, IP, device or interface allows different user groups to easily tag and identify your network infrastructure. For example, a network engineer may prefer to alias a device with a name or category appropriate to their view of your network. The security team may prefer a different categorisation.
The categories are:
The aim is to facilitate rapid identification of network infrastructure and user groups.
If you want to add a new device attribute:
Located at Configuration > GEOIP.
You can change the geolocation and IP settings here.
To add new GEOIP overrides:
"Start IP,End IP,Country ISO Code,Region Name,Latitude,Longitude"
"IP/MaskBits,Country ISO Code,Region Name,Latitude,Longitude"
A table of existing GEOIP overrides is shown in the table below this.
You can select the number of items to show from the dropdown menu above the table; the default is 50 items.
Information displayed includes:
You can also search by entering a country code or clicking on the map below the table.
Located at Configuration > Infrastructure Devices.
To add a new infrastructure device:
To bulk-add new devices, i.e. more than one device at a time:
ip
ip, communityString
ip, communityString, deviceName
Use a new line for each new device added.
Recheck Forensics by clicking Refresh.
This shows a more detailed version of the Existing Devices table, with additional statistics for each device.
The Existing Device(s) table lists all connected infrastructure devices.
You can select how many of the devices to view, i.e. the most recent 10, 25, 50, 100 or all devices.
At the top of the table, the total number of infrastructure devices is given. You can also search for a particular device. Each column is sortable. The table displays interactive information, including:
The Device SNMP Mapping table displays:
Located at Configuration > Infrastructure Devices > Detailed Device Information.
By clicking any device IP address in the Existing Devices table, you can bring up a detailed overview of that device.
On loading, the device name, device IP address and device ID are given across the top of the page.
Below this information, you will see the SNMP Settings panel. SNMP information is listed here. This includes:
To change the device name:
To change SNMP version and/or community:
To test SNMP settings and status:
All other device information is populated automatically from the device and cannot be edited.
To add attributes to the device:
There are quick-links to useful tools, including:
And links to associated integrations (Integrations) and servers (Server Discovery). See also System > Global for more about integrations.
See Reports > Forensics for more.
In this panel, you can view and make changes to the device information storage settings:
At the bottom of the detailed infrastructure device settings page, there are several tabs:
The Interfaces tab consists of an editable table with the following information:
The Subnets tab displays a list of SNMP discovered subnets. See also Reports > System Wide Reports > Subnet List.
The Flow Templates tab displays a list of the Netflow templates used, e.g.:
The Stats tab consists of a list of the number of VLAN, ARP and CAM entries.
The VLANs tab consists of a list of VLANs.
The Bridge Ports tab consists of a list of bridge ports.
The Bridge PortNumbers To ifIndex tab consists of a list of bridge ports.
The Application Mapping tab displays a list of mapped applications with the key, appid and application listed for each mapping.
Enter:
Enter:
Located at Configuration > Profiling.
This is where you can create profiles that define the normal behaviour of your network.
To get going, create your first profile.
Step one is then to create a new Flow Object at Configuration > Applications. To create a flow object:
To create a new Profiler (this term is used interchangeably with profile):
This table displays a list of existing profiles.
Located at Configuration > Reporting.
One of the difficult aspects of reporting on network flows is the number of possible field combinations, with 25+ fields in the extended range. GigaFlow records all fields for all flows with no summarization and no deduplication. GigaFlow allows you to create exactly the report you want.
You can change reporting settings here, in the General and Forensics Reports panels.
Allows you to add new entries to be displayed in the left hand navigation under the Reports option.
You can enter:
Allows you to import a JSON representation of new entries to be displayed in the left hand navigation under the Reports option.
You can edit the general reporting settings in this panel:
See Appendix > Forensic Report Types for a complete description of the different report types. See also Reports > Forensics for the Direct Filtering Syntax used by GigaFlow.
You can view and clone built-in forensics reports in this panel.
From the Report drop-down menu, select the report type to view or clone. The default selection is Application Flows. In the panel below, you can view:
select srcadd as srcadd,dstadd as dstadd,appid as appid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd,dstadd,appid ORDERBY LIMITROW
bits_total
select FIRSTSEEN as afirstseen,srcadd as srcadd,dstadd as dstadd,appid as appid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd,dstadd,appid order by srcadd,dstadd,appid,afirstseen
afirstseen
bits_avgsec
srcadd__dstadd__appid
To clone a report:
To add a new DSCP name:
Lists the existing user defined report URLS that are available from the left hand navigation under the Reports option.
The table lists:
Located at Configuration > Server Subnets. See also Reports > First Packet Response.
To begin using First Packet Response (FPR), you must specify the server subnets and ports that you would like to monitor. FPR monitors TCP and UDP traffic, e.g. DNS 53/UDP, and is inherently multi-threaded by device.
To add a new server subnet:
This tab allows you to view a list of existing monitored server subnets and to add new subnets. The main table displays the following information:
Actions, i.e. edit or delete a subnet. Editing a subnet allows you to specify a particular port to monitor.
This tab allows you to view a list of identified servers on the monitored server subnets. The main table displays a list of the infrastructure devices (routers) involved in transactions to or from the server subnets and associated servers.
This tab allows you to view a list of infrastructure devices (routers) involved in transactions to or from the server subnets and associated servers.
You can select the number of items to show from the drop-down menu above the table; the default is 10 items.
Located at Configuration > Traffic Groups.
Traffic groups are subnet and IP range aliases.
To define a new traffic group:
To add a new traffic group:
Sometimes, it can be useful to define a traffic group by subnet and by infrastructure device. For example, a corporate network could have a subnet served by more than one router. To create a granular view of flow through each router, a separate traffic group could be created for each router, defined by the IP range of the subnet as well as the device name. You can type to filter the device list.
To add a device to a traffic group:
To bulk-add new traffic groups, i.e. more than one group at a time:
name,description,startip,endip,natted(y/n),deviceIP
Use a new line for each new traffic group.
To edit a traffic group definition, click Configuration > Traffic Groups and click on the traffic group name or on the adjacent drill down icon . This will bring up a new page for that traffic group where you can edit the group definition.
The table of traffic groups shows:
For each SNMP discovered subnet, the table displays:
Figure: The System Settings menu
This is where you can make changes to the system settings.
Located at System > Alerting.
Configure GigaFlow to alert you when something happens. Syslog or mail alerts can be set up for any of the following:
To configure a system log alert:
172.16.254.1, 172.16.254.2
IP_Address:Port:Facility:Level
e.g. 172.21.40.1:515:4:23,172.21.40.2:516:23:4
Sample Syslog Message Types
{"Application":"HTTPS TCP/443","Eventer":"172.0.0.1","Profile":"Facebook","appid":393659,"bytes":1447,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":50561,"duration":288,"eventname":"Profiler","flags":26,"fwevent":0,"fwextcode":0,"inif":12,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":10,"proto":6,"srcadd":"172.0.0.1","srcport":443,"time":1475147589242,"timeH":"29-Sep-2016 12:13:09.242","tos":40,"user":""}
{"Application":"BitTorrent TCP/6881","Black List":"http://lists.blocklist.de/lists/bots.txt","Black List Type":"Source","Eventer":"172.0.0.1","appid":400097,"bytes":120,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":63533,"duration":1380,"eventname":"Black List Src","flags":20,"fwevent":0,"fwextcode":0,"inif":12,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":3,"proto":6,"srcadd"
{"Application":"TCP/49755","Eventer":"172.0.0.1","Syn Type":"Source","appid":442971,"bytes":152,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":54350,"duration":1804,"eventname":"Syn Src Network Sweep", "flags":2,"fwevent":0,"fwextcode":0,"inif":30,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":12,"packets":3,"proto":6,"srcadd":"172.0.0.1","srcport":49755,"time":1475147666238,"timeH":"29-Sep-2016 12:14:26.238","tos":0,"user":""}
{"Application":"TCP/34056","Eventer":"172.0.0.1","Syn Type":"Destination","appid":427272,"bytes":152,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":34056,"duration":1124,"eventname":"Syn Dst Port Sweep","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":3,"proto":6,"srcadd":"172.0.0.1","srcport":57058,"time":1475147662254,"timeH":"29-Sep-2016 12:14:22.254","tos":0,"user":""}
The IP addresses in these sample Syslog messages have been replaced with 172.0.0.1.
To configure a system email alert:
Toggle the Yes or No options for any of the alert situations. Click Save to store the server address.
This table lists the different possible event triggers with options to: (i) create an event and (ii) trigger a script to run.
The event triggers include:
Located at System > Event Scripts.
This is where you can add your own scripts to create new workflows. A table lists existing scripts with the following information:
To add a script:
Located at System > GigaFlow Cluster.
A single GigaFlow server can be configured to search for IP addresses across many remote GigaFlow servers directly from Viavi's Apex system. This feature is useful for large organisations that may have many GigaFlow servers monitoring different networks within the organisation, e.g. in different regions. The central administrator may want a view across the entire network, e.g. to determine if a particular suspect IP address has been recorded by routers on different networks.
In this example, assume that you are the main administrator and you want visibility on several remote GigaFlow servers.
The set-up is:
Figure: Defining a GigaFlow cluster
Log in to GigaFlow Server #0, the Pitcher, and navigate to System > GigaFlow Cluster.
In the This Server panel, you will see a pre-generated unique secret. Leave this as is.
In another browser tab or window, log into Receiver 1 (GigaFlow Server #1). Copy the unique secret from Receiver 1's This Server panel. You do not need to do anything with the New Cluster Server panel on the receivers.
Figure: This Server panel
Switch back to the Pitcher (GigaFlow Server #0). In the New Cluster Server panel:
Figure: New Cluster Server panel
Repeat this process for Receiver 2 and Receiver 3.
The cluster server feature is flexible; a receiver in one cluster can be a pitcher for another.
The Cluster Access panel shows cluster access status. The table lists:
Following the search link from Apex, you will be brought to a new tab and the log in screen for the Pitcher machine. After logging in, you will be brought to the GigaFlow Cluster report page. This displays a list of hits for this IP address across the cluster; in this example, the IP address might be found on devices monitored by all three receivers. Clicking on a receiver name brings up the forensics report summary for that IP address from that receiver in the table at the bottom of the summary page. Alongside each receiver on the results page is a link out to that particular server.
Figure: Conducting a GigaFlow Cluster search
See also Reports > Cluster Search.
Communication between all clients in a GigaFlow cluster is IP to IP, i.e. unicast. The traffic is carried over HTTPS, using TLS based on certificates.
There are new icons along the top of the page.
Located at System > Global.
You can find most of the system-wide settings here.
Along the top of the page are quick links to the different settings options. These are:
In the General settings box, you can change:
Before you can authenticate users using LDAP or AD, you must set the LDAP (Lightweight Directory Access Protocol) server.
Examples for an LDAP server integration :
Examples for Active Directory server integration :
In the SSL settings box, you can view and select or change:
Saving will restart the HTTPS service which may take up to one minute.
The Import and Export windows allow you to easily import or export all of your GigaFlow configuration and system settings.
To import GigaFlow configuration and system settings:
To export your GigaFlow configuration and system settings:
Save ZeroMQ Settings.
Save Kafka Settings.
Save Syslog Settings.
Click the second icon from the left, above the main tabs, to add an SNMP v2 Settings Community.
SNMP allows GigaFlow to poll sending devices. GigaFlow supports multiple concurrent pollers. Each device is serviced every 30 minutes. SNMP polling is used to retrieve:
In the SNMP V2 settings box, you can add or delete new SNMP V2 community strings. To add or delete a community string:
Click the third icon from the left, above the main tabs, to add an SNMP v3 Settings Community.
SNMP allows GigaFlow to poll sending devices. In the SNMP V3 settings box, you can view and delete SNMP v3 community strings.
In the Log settings box, you can view the log file and change the logging level:
These are the proxy settings used to access GigaFlow's homeworld server. The information is required for several reasons: (i) to allow GigaFlow to call home and register itself; (ii) to let us know that your installation is healthy and working; (iii) to update blacklists. All calls home are in cleartext. See System > Licences for more.
Click the fourth icon from the left, above the main tabs, to add a MAC Vendor. To add a new vendor prefix:
Existing vendor prefixes are displayed in the table below alongside the date created and available actions, i.e. modify or delete.
If you are using email alerts, you can configure email here. To set up email:
In the Storage settings box, you can make changes to the following settings:
To commit changes, click Save Storage Settings.
The following information is given for each flow device:
Netflow
The minimum Forensics Storage is 21 days. Forensics data is stored in tables of up to four hours to speed up search and reporting. These tables are rolled into one-day tables after the Forensics Rollup Age period, which is four days by default (see System > Global). This is a minimum period.
It is important to set aside space for drive monitoring. GigaFlow will fill the disk drives until the pre-defined minimum amount of free space is left. GigaFlow caps the storage that any particular device is using for forensics data; this is 50 GB by default. This cap can be changed globally and on a per device basis which in turn sets an overall cap on the amount of space used by GigaFlow.
| Type | Resolution | Table Duration (default) | Retention | Setting Involved |
|---|---|---|---|---|
| Raw Flows | millisecond | 1 hour to 1 day | 21 days | Min Free Space, Default Device Storage Space, Min Forensics Storage, Forensics Rollup Age |
| IP Search | millisecond | 1 day | 21 days | IP Search Duration |
| Events | millisecond | 4 hours | 100 days | Event Storage Period, Event Summary Storage Period |
| ARP | millisecond | 1 day | 100 days | ARP Storage Period |
| CAM | millisecond | 1 day | 100 days | CAM Storage Period |
| Interface Summaries | minute | 2 days | 200 days | Interface Summary Storage Period |
| Traffic Summaries | hour | 7 days | 200 days | Interface Summary Storage Period |
An integration allows you to call defined external web pages or scripts directly from the Device Interface Overview page. To add an integration, navigate to System > Global. In the Integrations settings box, you can add or change an integration.
There are two types of integration:
To add an integration:
Example 1
In the code below, the populated field tells the software that you want to populate the device field with the IP address and the ifindex field with the ifindex. These fields (device and ifindex) will be passed to the target. There are also required fields, which are fields the user is required to populate.
{'populated':{'device':'flow_device','ifindex':'flow_ifindex'},
 'required':[
   {'name':'user','display':'','type':'text','value':''},
   {'name':'password','display':'Password','type':'password'},
   {'name':'macro','display':'What Macro?','type':'select','data':['macro1','macro2','macro3','macro4']}
 ]}
Example 2:
var ProcessBuilder = Java.type('java.lang.ProcessBuilder');
var BufferedReader = Java.type('java.io.BufferedReader');
var InputStreamReader = Java.type('java.io.InputStreamReader');

// Echo the fields passed in from the Device Interface Overview page.
output.append(data);
output.append("Device IP:" + data.get("device") + "");
output.append("IFIndex:" + data.get("ifindex") + "");

try {
    // Use a ProcessBuilder to run an external command.
    //var pb = new ProcessBuilder("ls", "-lrt", "/"); // linux
    var pb = new ProcessBuilder("cmd.exe", "/C", "dir"); // windows
    output.append("Command Run");
    var p = pb.start();
    var is = p.getInputStream();
    var br = new BufferedReader(new InputStreamReader(is));
    var line = null;
    while ((line = br.readLine()) != null) {
        output.append(line + "");
    }
    var r = p.waitFor(); // Let the process finish.
    if (r == 0) {
        // No error: run cmd2 here if needed.
    }
    output.append("All Done");
} catch (e) {
    // printStackTrace() returns nothing to append; append the exception text instead.
    output.append(e.toString());
}
log.warn("end");
Click the Add Observer GigaStor icon; this is the last icon at the top of the page. Then enter:
And click Save.
Located at System > Licenses.
Here you can view all the licences associated with GigaFlow.
The GigaFlow License table lists:
The license is also viewable as a JSON object at the bottom of the page.
All 3rd party licenses are listed in the next table. These are:
All communications between your installation of GigaFlow and our servers are carried out in cleartext over HTTP; you have complete visibility. You can view call home data at System > Licenses.
A typical response to a call home might look like this. You can view call home response data at System > Licenses.
You can view all call home errors at System > Licenses.
JSON object version of GigaFlow license.
The Add Port and Netflow Processing Threads links are at the top of the page.
Located at System > Receivers.
Here you can view and edit GigaFlow's defined Netflow receivers.
It is important to ensure that the installation is ready to listen. Senders on your network will be configured to send to the GigaFlow server address and to a defined port; these must match the receivers.
GigaFlow is built to receive and process flow records and session-based syslogs. GigaFlow can also process syslog messages relating to specific user or IP authentication details.
Flow records are processed automatically into the flow databases. The records are also checked against blacklisted IPs and against defined Profilers. See System > Blacklists and Profiling.
The syslog messages are sent to the syslog processor for parsing.
Here you can see the existing listener ports available and if they are receiving flows or syslogs.
You can select the number of ports to show from the dropdown menu above the table, i.e. 10, 25, 50, 100 or all. The default is 50 items. The total number of ports is displayed at the top of the table. The information displayed includes:
To add a new port, click the + icon at the top of the page. Then:
To edit the number of Netflow processing threads, enter the new number and click Save.
The Port Threads table displays summary information about the port threads. This includes:
Infrastructure visibility is achieved using session-based Syslog. Located at System > Syslog Parsers.
System log parsing rules can be viewed and edited here.
All existing syslog parser patterns are listed here. Information displayed includes:
Default system Syslog parser patterns are listed here. Information displayed includes:
Click + to add the corresponding Syslog parser from the drop-down menu.
System Syslog exceptions are listed here. Information displayed includes:
Located at System > System Health. Here you can find timelines of:
Located at System > System Status.
This page displays memory performance. The start time and uptime are displayed prominently at the top of the page.
The main table lists:
The Stats section details:
This page displays the performance of database connections. The database start time and uptime are displayed prominently at the top of the page.
The DB connections table lists the most recent database connections. See PostgreSQL documentation for more.
Select how many entries to view from the drop-down menu, i.e. 10, 50, 100 or All. The default selection is 50.
The table lists:
You can view any PostgreSQL database deadlocks to help with troubleshooting performance problems. See PostgreSQL documentation for more. The table lists:
This page displays named table performance. The start time and uptime are displayed prominently at the top of the page. See PostgreSQL documentation for more.
Select how many entries to view from the drop-down menu, i.e. 10, 50, 100 or All. The default selection is 10. You can also search for specific tables.
This page displays prepared table performance. The start time and uptime are displayed prominently at the top of the page. See PostgreSQL documentation for more.
Select how many entries to view from the drop-down menu, i.e. 10, 50, 100 or All. The default selection is 10. You can also search for specific tables.
Located at System > Users.
The Add links are along the top of the page.
Here you can view and edit information for all GigaFlow users and user groups. There are three categories of user on GigaFlow:
Select how many entries to view from the drop-down menu, i.e. 10, 50, 100 or All. The default selection is 10. You can also search for specific usernames or IDs using the search box.
All users are listed here. Information displayed includes:
To add a new local user:
To add a new user group:
This table lists all existing user groups along with associated abilities.
For each user group:
Information displayed includes:
Enter the domain name and ID of the user you want to allow to log into the system. They will be added as normal users.
To add a new LDAP user:
To add a new LDAP user group:
Information displayed includes:
Information displayed includes:
To add a new portal user:
This table lists all of the currently configured Data Access Groups.
For each Data Access Group:
This function allows you to apply a filter to the data a user requests automatically. These filters are based on Traffic Groups and a user can have access to many Traffic Groups using this feature.
To add a new Data Access Group:
Once added, you can edit the group to control which Traffic Groups are assigned to it. In each user's own settings you can then assign that user to any available Data Access Group.
Located at System > Watchlists.
GigaFlow uses a blacklist compiled from multiple online sources. These lists are retrieved every hour and merged into a list of about 30,000 potentially dangerous IP addresses. Your GigaFlow system checks this hourly-updated list every five minutes and updates the local list when necessary.
We are reviewing our code watchlist terminology and will update this documentation to reflect any changes.
This table lists the online blacklists available with relevant information. Information includes:
To add a new blacklist source:
To refresh blacklists automatically, select Yes.
GigaFlow can alert on flow entries that match known bad IP addresses, scanning or outside profiles. Whitelisting provides the facility to tell the checking mechanism in GigaFlow that particular IPs or subnets should not raise an exception on any of the defined conditions. When defining a whitelist you should specify a reason for excluding a host or hosts. If you set the IP address to that of the infrastructure device and the mask to zero, GigaFlow will whitelist all traffic for the device.
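The sample syslog alert messages under System > Alerting and the whitelist rule above fit together naturally: a downstream consumer parses the JSON events and drops those covered by a whitelist entry. The following is an added example, not GigaFlow's own code; the events and whitelist entries are constructed, and reading an entry with mask 0 on a device's own address as "whitelist all traffic reported by that device" is this example's interpretation of the rule above.

```python
import ipaddress
import json

# Constructed sample events shaped like the GigaFlow syslog JSON shown under
# System > Alerting (only the fields this example reads are kept; addresses are
# private / documentation values, not real hosts).
SAMPLE_SYSLOG = [
    '{"Application":"HTTPS TCP/443","Eventer":"10.1.1.1","Profile":"Facebook",'
    '"device":"10.1.1.1","srcadd":"10.20.30.40","srcport":443,"dstadd":"10.20.30.50",'
    '"dstport":50561,"eventname":"Profiler","proto":6,"time":1475147589242}',
    '{"Application":"BitTorrent TCP/6881","Black List":"http://lists.blocklist.de/lists/bots.txt",'
    '"Black List Type":"Source","Eventer":"10.1.1.1","device":"10.1.1.1",'
    '"srcadd":"203.0.113.9","dstadd":"10.20.30.41","dstport":63533,'
    '"eventname":"Black List Src","proto":6,"time":1475147600000}',
    '{"Application":"TCP/49755","Eventer":"10.1.1.2","Syn Type":"Source","device":"10.1.1.2",'
    '"srcadd":"10.20.30.42","srcport":49755,"dstadd":"10.20.31.7","dstport":54350,'
    '"eventname":"Syn Src Network Sweep","proto":6,"time":1475147666238}',
    '{"Application":"TCP/34056","Eventer":"10.1.1.3","Syn Type":"Destination","device":"10.1.1.3",'
    '"srcadd":"10.20.30.43","srcport":57058,"dstadd":"10.20.31.8","dstport":34056,'
    '"eventname":"Syn Dst Port Sweep","proto":6,"time":1475147662254}',
]

# Constructed whitelist in the shape the Watchlists page describes: IP, mask
# bits, reason. An entry with mask 0 whose IP is an infrastructure device's own
# address is treated here as "whitelist all traffic reported by that device"
# (this reading of the page's rule is an assumption).
WHITELIST = [
    ("10.1.1.3", 0, "lab router; scan testing expected on this segment"),
    ("10.20.30.42", 32, "authorised vulnerability scanner"),
]

# Which extra field carries the context for each event type shown on the page.
CONTEXT_FIELD = {
    "Profiler": "Profile",
    "Black List Src": "Black List",
    "Syn Src Network Sweep": "Syn Type",
    "Syn Dst Port Sweep": "Syn Type",
}


def parse_event(line):
    """Parse one syslog JSON payload, rejecting records missing core fields."""
    ev = json.loads(line)
    missing = [k for k in ("eventname", "device", "srcadd", "dstadd") if k not in ev]
    if missing:
        raise ValueError(f"event missing fields: {missing}")
    return ev


def whitelist_reason(ev, whitelist=WHITELIST):
    """Return the reason of the first matching whitelist entry, else None."""
    for ip, bits, reason in whitelist:
        if bits == 0:
            if ev["device"] == ip:
                return reason
            continue
        net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
        if any(ipaddress.ip_address(ev[k]) in net for k in ("srcadd", "dstadd")):
            return reason
    return None


def triage(lines, whitelist=WHITELIST):
    """Split events into those to alert on and those suppressed by the whitelist."""
    alerts, suppressed = [], []
    for line in lines:
        ev = parse_event(line)
        name = ev["eventname"]
        summary = {
            "eventname": name,
            "device": ev["device"],
            "src": ev["srcadd"],
            "dst": ev["dstadd"],
            "context": ev.get(CONTEXT_FIELD.get(name, ""), ""),
        }
        reason = whitelist_reason(ev, whitelist)
        if reason is None:
            alerts.append(summary)
        else:
            suppressed.append({**summary, "reason": reason})
    return alerts, suppressed


if __name__ == "__main__":
    for bucket, rows in zip(("ALERT", "SUPPRESSED"), triage(SAMPLE_SYSLOG)):
        for row in rows:
            print(bucket, row)
```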
The whitelist table shows a list of the current whitelisted items, including the following information:
You can select the number of items to show from the dropdown menu above the table; the default is 50 items.
To add a new whitelist entry:
The locally defined blacklist table shows a list of the existing locally-defined blacklists, including the following information:
To add a new local blacklist:
Adding a noproxy=true flag to a watchlist URL allows the system to bypass proxy servers and access the list directly, i.e.
{URL to file}?NOPROXY=true
© Copyright 2019 Anuview. All rights reserved. VIAVI and the VIAVI logo are trademarks of VIAVI Solutions Inc. ("VIAVI"). All other trademarks and registered trademarks are the property of their respective owners. No part of this guide may be reproduced or transmitted, electronically or otherwise, without the written permission of the publisher.
Reproduction and distribution of this guide is authorized for Government purposes only.