You can configure details relevant to monitoring charts and the monitoring data that is collected. You can configure how the data is displayed, how the traffic is analyzed for monitoring purposes, which order of resolution methods are tried when resolving IPInternet protocol addresses to hostnames, whether data is collected, and whether collected data is deleted.
For configuring how data is to display, you can specify how many items are shown in the data tables, how many items are shown in the pie charts, and how many characters to show in the URLs.
For analyzing traffic, you can specify whether to recognize traffic according to layer 7 or layer 3 definitions, and how sensitive (or aggressive) to be when attempting to recognize BitTorrent, eDonkey, Skype, and flowthe network traffic between network objects detection.
For analyzing traffic for specific application types (Application Specific Analysis Modules (ASAM)), you can specify whether to extract data from Citrix, http, and SSL traffic, whether to identify anonymous proxies in the traffic, whether to analyze VoIP traffic, whether to calculate the performance and health of connections, whether to collect connection symmetry information, and whether to log every URL seen in the traffic.
For resolving IP addresses to hostnames, you can specify which methods are tried first, second and so on: network objecta logical definition created and stored in the Exinda lilbrary, can represent any network component, DSN, NetBios name lookup, and IP address.
For collection of monitoring data, you can specify whether to collect data for subnets and virtual circuits, and whether to collect detailed records for applications, hosts, URLs, users, conversations and subnets, and whether to collect data for traffic between internal network objects.
For deleting monitoring data, you can selectively delete various types of data collected by the appliance.
Go to Configuration > System > Setup > Monitoring tab - Monitoring Options form.
The following fields allow you to modify display options.
- Table Items - Sets the maximum number of top items displayed in the monitoring tables. Acceptable values are 1-1000.
- Chart Items - Sets the maximum number of top items to displayed in the chart and graphs. Acceptable values are 1-10. Note that this value will apply universally to ALL options on the Monitor menu.
- Maximum URL Size - Sets the maximum length of URLs displayed on the Real Time report tables.
- Graph Display Options - Specifies whether the graphs display in Flash or non-Flash format. The default is flash.
- Display for application details per subnet - In a scheduled report, specifies whether the application chart within a subnet displays as a Time series chart (line chart), or as a Pie graph. When this option is selected, the Applications per subnet chart displays in the scheduled report as a line chart whereas all other charts continue to display as a pie graph. The default is Time series chart.
- Sort Subnets by Name - Subnets are sorted by name within scheduled reports if the Enable checkbox is checked; otherwise the subnets are sorted by data volume.
- Dual-bridge bypass - Specifies whether to show flows that touch multiple bridges as separate items per bridge in the real time monitor. If enabled, the same flow will be tracked separately on each bridge. This allows you to see the different policies and transfer rates that are being applied on each bridge, which may be desirable for accelerated backhauled traffic. If disabled, the same flow through two different bridges will be shown as one merged flow. The real-time monitor will only show the policy of the last packet processed. This is preferred for load balancing, load failover, link bonding, or when seeing asymmetric routes (either locally or in a HA cluster). For more information refer to Dual Bridge Bypass.
Go to Configuration > System > Setup > Monitoring tab - Monitoring Options form.
The following fields allow you to specify how sensitive the traffic classification analysis should be.
- Layer 7 Inspection - Controls whether to analyze the application signatures within a packet to further classify the traffic within the reports. For example, when analyzing HTTP and FTP traffic and an MPEG file is detected within the packets, the application associated with the connection is changed to MPEG. When disabled, the Layer 7 signatures within packets are not analyzed and any application detection objects with Layer 7 rules are ignored.
- Monitor IPv6 Link Local Traffic - Indicates whether to monitor IPv6 link local traffic, that is, non-routable traffic that is only valid on the single network segment. The default is to not monitor this traffic as it is not representative of your network user's traffic. It is mostly used for network discovery.
- OpenVPN Detection - Indicates the sensitivity for detecting OpenVPN traffic. Setting this to 'aggressive' is the default, however, may result in some false positives. Setting this to 'safe' may result in false negatives.
- Bittorent Sensitivity - Setting this to 'high' is recommended for most service provider environments. Setting it to 'low' is recommended in cases of high false positives.
- EDonkey Sensitivity - Setting this to 'high' is recommended for most service provider environments. Setting it to 'low' is recommended in cases of high false positives.
- Skype Sensitivity - Setting this to 'high' is recommended for most service provider environments.
- Reporting Sensitivity - Controls the minimum number of packets needed to be seen on a flow before it is recorded in the database. Acceptable values are between 1 and 10, with 10 being the lowest sensitivity. Setting this to a low value is not recommended in high load environments. When the sensitivity is set to a low value such as 9, flows that contain less than nine packets over a five minute period are not stored in the database. This prevents port scans from loading hundreds of unnecessary rows of data into the database.
Go to Configuration > System > Setup > Monitoring tab - ASAM form.
The Exinda appliance analyzes traffic and attempts to match it against criteria specific to the traffic type. The criteria for matching traffic is defined within Application Specific Analysis Modules (ASAM). Enable and disable the modules that are important for your network.
The following ASAM modules are available:
- Anonymous Proxy - When enabled, the system attempts to anonymous proxies by matching the HTTP hostname and SSL common name against the list of anonymous proxy URLs downloaded by the appliance daily. Disable this module if it appears that an applications is being misclassified as anonymous proxy.
- DCE/RPC - When enabled, this module categorizes client requests for Microsoft services such as MAPI and SMB. This should always be enabled.
- HTTP - When enabled, this module attempts to further analyze connections identified as HTTP and attempts to extract information such as the host, URL, request type, and content type.
- Performance Metrics - When enabled, this module calculates the network delay, server delay, round trip time (RTT), loss, efficiency, and TCPTransmission Control Protocol health for TCP connections. Disable this module if the RAM or CPU usage is increasing and affecting the performance of the appliance. For more information refer to RAM Usage Report and CPU Usage Report.
- SSL - When enabled, this module extracts public certificates from connections identified as SSL and decodes the information from those certificates (such as common name and organization unit).
- VoIP - When enabled, this module extracts VoIP related information such as code type and call quality information (MoS and rFactor scoring) from connections identified as RTP.
- Asymmetric route - When enabled, this module collects connection symmetry information. Disable this module if the network regularly has asymmetric routes, as it is unnecessary to alert administrators that asymmetrical connections are occurring.
- URL Logging - When enabled, every URL seen by the appliance is logged to the database. Specify how long (in days) the data will be saved. This module is disabled by default.
Go to Configuration > System > Setup > Monitoring tab - Host Resolution Method form.
There are multiple host resolution methods that can be used to resolve IP addresses to hostnames. The system will attempt to resolve the hostname using one of the methods. If that method fails it will try another method. You can determine the order of host resolution methods that the system will use by ranking the first method as 1, the next as 2, and so on.
The options for host resolution methods are the following:
- Network Object - The IP addresses will be resolved according to the configured network objects.
- DNSDomain Name Server - The IP addresses will be resolved according to the DNS mappings.
- IP Address (no resolution) - The IP addresses will NOT be resolved to hostnames.
- NetBIOS Name Lookup - The IP addresses will be resolved to NetBIOS names.
Go to Configuration > System > Setup > Monitoring tab
Various types of data is collected for traffic passing through the network. If the appliance is not performing as expected, data collection can be disabled to improve performance.
The following data collection can be disabled:
- Subnets(shown in the Statistics Collection form) - If disabled, data is not collected for subnet reporting.
- Virtual Circuits(and Applications) (shown in the Statistics Collection form) - If disabled, data is not collected for virtual circuitlogical definitions that partition a a physical network circuit and used to determine what traffic passes through it and how much reporting. The collection of global application statistics also will not be collected since the global application statistics are derived from the virtual circuit stats. Note that application reporting within a subnet is not affected by this setting. That is, if data collection is enabled for subnets and is disabled for virtual circuits, then the applications within a subnet will reported, but the applications reported across the entire appliance or within a virtual circuit will not be reported.
- Internal Hosts(shown in the Statistics Collection form) - If disabled, data is not collected for internal hosts. You can disable this option to control the amount of data collected in situations where you have many hosts and want to ensure you do not run out of storage room. To view the amount of storage space allocated and how much is free, see Allocate Disk Storage for System Services. Ensure you enable this option if you want to monitor or produce reports for internal host data or to display internal host data on the Application Performance screens in the Solution Center.
- External Hosts for Subnets(shown in the Statistics Collection form) - Specify one or more network objects to collect external host data for specific network objects only. In cases where you have created a custom network object related to a specific set of IP Addresses, you can choose the network object to collect only the required data, rather than extraneous data from all objects.
The amount of statistics collected increases for each network object you specify, which may also increase the amount of time necessary to generate reports that collect external host details. A large number of network objects selected may also increase the usage of the monitoring disk partition.
- Detailed Record Retention(shown in the Monitoring Options form) - Controls whether detailed monitoring records (Applications, Hosts, URLs, Users, Conversations and Subnets) are stored. If there are excessive traffic flows through the appliance, disabling this option will reduce CPU usage. However, the detailed records will no longer be collected and drill down information for Applications, Hosts, Conversations will no longer be available.Summary information, that is totals for the entire appliance, will be available for Applications, Hosts, and Conversations.
- Ignore Internal-to-Internal(shown in the Monitoring Options form) - Your network may have network objects on the WANWide Area Network side of the appliance that have been configured as Internal objects, for example a router or firewall. Enabling the Ignore Internal-to-Internal option prevents traffic between internal network objects being included in the reports.
Go to Configuration > System > Setup > Monitoring tab - Clear Monitoring Records form.
If the appliance is running out of disk space, you can delete collected data.
The following record types can be deleted:
- All Interface Records - Deletes all data associated with the Interfaces charts - Interface Throughput and Interface Packets Per Second charts.
- All Network Summary Records - Deletes all data associated with the Network Summary charts.
- All Control/Policy Records - Deletes all data associated with the Control charts - Policies, Discard, and Prioritization Ratio charts.
- All Optimization Records - Deletes all data associated with the Optimization charts - Reduction and Edge Cache charts.
- All SLA Records - Deletes all data associated with Network Response (SLA) chart.
- All APSApplication Perfromance Score Records - Deletes all data associted with Application Performance Score (APS) summary chart.
- All APM Records - Deletes all data associated with Application Performance Metric (APM) charts, which are the detailed metric charts for the APS monitor.
- All Detailed Monitor Records - Deletes all detailed data, that is, deletes all the drill down data for applications, hosts, URLs, users, conversations. Summary information, that is, the totals for the entire appliance will still be available.
- All Appliance Records - Deletes all data associated with the system charts - Connections, Accelerated Connections, CPU Usage, CPU Temperature, RAM Usage, Disk IO, and Swap Usage charts.
- All Subnet Records - Deletes all data associated with subnet charts.
All check boxes can be selected by clicking in the checkbox in the header area.
This will permanently delete the selected records from the monitoring database.