Friday, September 20, 2013

How to use Cisco Netflow monitoring in Xian Network Manager 2012

Xian Network Manager 2012 for Microsoft System Center Operations Manager 2012 and 2007 allows users to monitor Cisco Netflow. The Xian NM architecture is intended to make Netflow monitoring easy for people new to it, while also giving extended functionality to those users who want to control and configure every aspect to fit their needs.
This document is divided into three sections. The first one describes a procedure to help you start monitoring Netflow; the other two focus on how to customize filters and rules to meet more advanced needs.

I. Starting with Netflow

1. Adding a Netflow device

1. Follow the Cisco procedure in the link below to enable your Cisco device to send Netflow records to Xian NM. If your Xian NM installation is on a single machine (the most likely case), use the IP address of that computer. If not, use the IP address of the machine where the Xian NM Network Manager Server service is running.

Note: Make sure that you enabled Netflow monitoring during the installation procedure.

2. Now that the device has “Netflow” enabled, you need to add it to Xian Network Manager. This is a simple procedure: click the add device icon in the toolbar, select Flow in the Select plugin menu that appears and click OK.

3. The rule wizard window now appears. In the Parameters tab, click the Add button and enter the required device parameters. Make sure to provide the correct IP address and port of the device; a mistake here will prevent the NetFlow records from being received and processed.

4. The device is now added and a policy template has been automatically applied to it. You are already monitoring the following traffic flows:

  • Skype incoming traffic. This rule shows you the incoming traffic aggregated towards local IP addresses.
  • Source DHCP traffic. This rule shows you the IP addresses that are broadcasting DHCP.
  • SQL Server outgoing traffic. Shows how much SQL Server traffic is being broadcast by SQL Servers in your network.
  • Incoming traffic to well-known ports. This rule shows the traffic on the most common ports aggregated by destination local IP address.
  • Total traffic by protocols. Shows the traffic usage aggregated by protocol.
  • Downloaded HTTP Traffic to local IPs: Shows traffic going over port 80 towards local IP addresses coming from public addresses. It is aggregated by the destination (local) IP addresses.
  • Downloaded HTTPS Traffic to local IPs: Shows traffic going over port 443 towards local IP addresses coming from public addresses. It is aggregated by the destination (local) IP addresses.
  • Downloaded FTP Traffic to local IPs: Shows traffic going over ports 20 and 21 towards local IP addresses coming from public addresses. It is aggregated by the destination (local) IP addresses.
  • Incoming traffic inside the local network. Shows the amount of internal traffic aggregated by destination IP address.
  • Outgoing traffic from local IPs to public IPs. Shows the traffic going over ports 80 and 443 to public IP addresses, aggregated by destination (public) IP address.
  • HTTPS Incoming traffic. Shows the amount of traffic using port 443 that moves around your network, regardless of whether it goes to or comes from a public or private IP.
  • FTP Incoming traffic. Shows the amount of traffic using ports 20 and 21 that moves around your network, regardless of whether it goes to or comes from a public or private IP.
  • HTTP Incoming traffic. Shows the amount of traffic using port 80 that moves around your network, regardless of whether it goes to or comes from a public or private IP.

5. Now that the first filters and rules are running, the device performance counters and alerts should be available in Operations Manager views.

II. Advanced Netflow configuration: Setting up customized filters

1. To monitor specific traffic flows that are not delivered out of the box by Xian NM, you can create your own filters and create rules that use them. First, you need a clear idea of what you want to monitor. The following points will help you define these criteria:
  • How do you want to aggregate the data? (For example by port, destination IP address, etc.)
  • Do you want to filter on a specific characteristic? (For example, you want to check a specific source port for an application or a protocol.)
2. To create a filter, right-click the device icon, select Properties from the context menu, then click the Filters tab. Here you can see the filters that come out of the box and the ones you created manually. Click Add to create your own filter.

3. In the filter wizard you’ll find three tabs: Parameters, Aggregations and Filters.

Parameters: In this tab you give your filter a name and a short description.
Aggregations: In this tab you indicate what kind of elements you want to create for monitoring. For example, if you choose Source IP, the elements created in Operations Manager will be based on the source IP. You can also create thresholds for these elements. In this way, you can later create a rule that monitors the amount of traffic sent by an IP address.

Filters: This tab allows you to narrow down the traffic monitored. Maybe you’re only interested in port 80 traffic or only in a specific protocol (see appendix 1 for the protocol numbers). You can also filter on a specific port, which makes it possible to check the behavior of a specific application, for example port 443 for HTTPS.

III. Advanced Netflow configuration: creating rules

Creating filters is not enough to start monitoring: you have to activate these filters by creating rules. This is easily done from the device properties window.
1. Go to the Active Rules tab, select a rule on the right side and click Add.
2. Now choose whether you want to add ‘bytes per second’ or ‘packets per second’.
3. The rule wizard will appear. In the Filter tab, select the filter you want to use as the base for this rule. It can be any filter that came out of the box or one that you created yourself.

4. After you choose the filter, go to the Thresholds tab. If the filter has been running for an extended period of time, there may already be visible elements, as you can see in the screen below. If not, you can still set up thresholds for the elements that are going to appear. You have the option to set up three kinds of thresholds:
  • Dynamic: This threshold is a moving average over the past N data points and can be set with a conservative, loose or normal prediction type.
  • Automatic: This threshold is calculated over a number of data points and then fixed (like a manual one).
  • Manual: If you opt for this threshold, you decide all aspects pertaining to it.
5. In the Disable elements tab you have the option to discard elements if their traffic drops below a certain point. This prevents you from receiving counters and alerts on elements you are not interested in, which would only mean a larger workload for Operations Manager and SQL Server.

6. In the Schedule tab you define the interval at which you want the rule to run. It is recommended not to use too short an interval, because it could significantly decrease the server’s performance. A good practice is a value between 10 and 30 minutes.

7. In the Active rule options tab you can define the severity level. This is the alert level that is sent to Operations Manager. It is good practice to use Critical only for rules that use a manual threshold, and Warning for the automatic or dynamic ones, to avoid generating false alerts.
In this tab you can also disable the sending of performance data to Operations Manager. Use this option if you are only interested in alerts above or under a certain threshold; it reduces the load on the environment.
In the Name field you can add additional information to the rule name. This information is also sent with the alert to Operations Manager, which is useful to prevent confusion when you have multiple rules with the same or similar names.

8. The Data optimization tab contains the settings you can use to reduce the amount of data sent to Operations Manager. It is based on an algorithm that identifies a counter whose value has not changed for a configurable period of time; Xian NM then stops sending that counter repeatedly until its value changes. Instead of sending it at every interval, it sends the value once per the interval configured under Performance data heartbeat. The rule only enters this mode if the past number of reference counters is within the tolerated change (as defined in the Tolerance range field).
Under normal circumstances you do not need to change these fields and can leave them at their default values.

9. In the Device update tab you define which thresholds will be applied to newly discovered elements. If you opt to monitor new elements, the rule will use the threshold type that you are using for that rule.
You can also define whether the disable elements feature should be applied to the new elements, and with which limit.

If you have any questions, do not hesitate to contact our tech support team.

Wednesday, September 11, 2013

What’s new on our Netflow Monitoring Feature for Xian Network Manager 2012 SP2?

Jalasoft is proud to announce the upcoming release of service pack 2 for Xian Network Manager 2012. Among the new features and improvements in SP2, several enhancements to Netflow monitoring stand out:

Support for Netflow version 9:
Xian NM can now properly receive and process Netflow traffic from any device that has Netflow version 9 enabled. Xian NM automatically detects the version and the packet structures, including custom ones, from the V9 templates, and obtains the fields and values that can be used to filter data and generate alerts and counters for OpsMgr.
Additionally, Xian NM still accepts Netflow V5 data, which is also automatically detected and processed.

You can now create an OpsMgr dashboard that contains performance graphs for the top N elements associated with a default or custom filter. For example, you can create one filter to monitor YouTube traffic and another to monitor Facebook, then generate a management pack that, when imported into OpsMgr, creates a dashboard with two widgets containing the traffic performance graphs of the top 10 computers for each website.
In other words, you will be able to create automatic dashboards for each Xian NM filter monitoring your Netflow.

Monitoring of Top N elements:
It is quite possible that Xian NM needs to monitor many IP addresses or elements through the Netflow feature. Each of these elements is registered in OpsMgr, which may result in many objects visible in the OpsMgr console. To avoid this problem, you can define the top N elements that will be sent to OpsMgr. For example, instead of sending 150 IP addresses to OpsMgr, you can configure Xian NM to register only the 10 IP addresses that carry the most traffic. This list is adjusted automatically, so new elements are added and old ones removed.
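The filter and aggregation model from the how-to above (the ‘Downloaded HTTP Traffic to local IPs’ rule: port 80 flows from public addresses, aggregated by destination local IP) together with the Top N selection described here, worked through as an added example in Python that is not Jalasoft's code: it decodes a constructed NetFlow v5 export packet, applies the filter, sums octets per destination address and keeps the N busiest elements. The local range 192.168.0.0/16 and all addresses in the sample packet are assumptions.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network
# NetFlow v5 wire layout (network byte order): 24-byte header, then 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "input", "output", "packets", "octets", "first",
          "last", "srcport", "dstport", "pad1", "tcp_flags", "proto", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
LOCAL_NET = ip_network("192.168.0.0/16")  # assumption: the site's local address range

def parse_v5(packet):
    """Decode one NetFlow v5 export packet into a list of flow-record dicts."""
    version, count = struct.unpack_from("!HH", packet, 0)  # version is always the first field
    if version != 5:  # v9 needs template handling, which this example does not cover
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export packet")
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(FIELDS, raw))
        rec["src"], rec["dst"] = ip_address(rec["src"]), ip_address(rec["dst"])
        records.append(rec)
    return records

def http_download_to_local(rec):
    """Filter: TCP flows over port 80 from a public address towards a local address."""
    return (rec["proto"] == 6 and 80 in (rec["srcport"], rec["dstport"])
            and rec["src"] not in LOCAL_NET and rec["dst"] in LOCAL_NET)

def top_n(records, match, key, n):
    """Aggregate octets of the records that pass `match` by `key`; keep the N busiest."""
    totals = Counter()
    for rec in records:
        if match(rec):
            totals[str(rec[key])] += rec["octets"]
    return totals.most_common(n)

def make_flow(src, dst, sport, dport, proto, octets):
    """Pack one constructed v5 record (packets=1, unused fields zero) for the sample."""
    return V5_RECORD.pack(int(ip_address(src)), int(ip_address(dst)), 0, 0, 0, 1, octets,
                          0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
# Constructed sample export: three HTTP downloads from outside plus one internal SSH flow.
SAMPLE = V5_HEADER.pack(5, 4, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    make_flow("203.0.113.10", "192.168.1.20", 80, 51000, 6, 900000),
    make_flow("203.0.113.11", "192.168.1.21", 80, 51001, 6, 120000),
    make_flow("203.0.113.10", "192.168.1.20", 80, 51002, 6, 300000),
    make_flow("192.168.1.5", "192.168.1.20", 22, 51003, 6, 5000000),
])
```

Running `top_n(parse_v5(SAMPLE), http_download_to_local, "dst", 10)` returns the two local destinations ordered by downloaded octets; the internal SSH flow is excluded by the filter even though it is the largest.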

Another new feature in Xian NM 2012 SP2 is Netflow sampling. This lets you choose whether all the Netflow packets received from the devices sending their data to Xian NM are accepted and processed, or only a configured percentage. This greatly improves performance and allows Xian NM to receive Netflow packets from many sources.

Wednesday, September 4, 2013

Unsupported SNMP device model

Xian supports most network devices; in case yours is not supported, review the following post on unsupported SNMP device models.

This situation arises when you run the “add device” rule or the “network scan task” and the device that you’re trying to discover cannot be discovered by Xian NM 2012. The Notifications tab view on the Xian NM 2012 console contains a description of the errors that appear. Double-click the error to bring up a detailed description. “Plug-in unsupported device on (IP address)” means that the device is not supported by the current Xian NM 2012 management packs.

Figure 1: Device not supported by Xian Management Packs.

To fix this issue you have to retrieve the SNMP dumps from the device in question using the Jalasoft tech support tool and send the dumps to Jalasoft tech support by opening a ticket here. Tech support will generate a patch for the device and send it to you, along with the steps to apply it.

1. In the installation bundle you will find the folder ‘TechSupportTool’.
2. Execute the file: ‘XianNetworkManagerIoTechSupportTool.exe’
3. Unselect all the checkboxes in the “Data Requester” tab and click “Next”
4. Provide the IP Address, community string, Timeout and Retries of the device(s) you are requesting a dump from.

Figure 2: Retrieving an SNMP dump using the tech support tool.

5. Once you have added all desired devices, click “Next”.
6. In “Output Folder”, choose the path where you want the dump to be created and click “Next”.
7. After the Tech Support Tool has finished creating the folder with the device dump(s), zip the folder and send it to tech support by opening a ticket. Tech support will then generate a patch for your device model and send it to you within 2-3 working days.