GenieATM ISPEdition UserManual v5.3.2 Eng (NetStream) PDF [PDF]


GenieATM™ User Manual Version 5.3

Copyright 2009 belongs to Genie Network Resource Management Inc. Copyright Reserved. For the main contents contained in these written materials, Genie Network Resource Management Inc. owns the patent right, patent priority right, trademark right, copyright and other intellectual property rights. No part of the manual may be added, omitted, edited, copied, altered, or faked without the prior written permission of Genie Network Resource Management Inc.

Genie Network Resource Management Inc. reserves the right to alter the contents of this publication without advance notice. All the examples in this publication are used to assist the administrators or the users to operate the system easily. The regulations of copyright law should be obeyed when using the software. On the premise of not violating the copyright laws, without the prior written permission of Genie Network Resource Management Inc., no parts of this publication can be reproduced or used in any form or by any means (electronic or mechanical, including photocopying and recording) on any type of information storing and retrieval system.

Product Serial Number: Date of Purchase:

Contents

1 Introduction
2 System and Functions Overview
2.1 System Overview
2.2 System Screen Overview
2.2.1 System Screen
2.2.2 System Functions Overview
2.3 System Login/Logout
2.3.1 Login the system
2.3.2 Logging out the system
3 System Admin Function
3.1 User
3.1.1 Local User Account
3.1.2 Privilege Template
3.1.3 Online User
3.1.4 Remote Authentication
3.2 Device
3.2.1 Controller
3.2.2 Collector
3.2.3 MSP Server
3.2.4 Flow Load Balancers
3.3 Network
3.3.1 Home Network
3.3.1.1 Home Network
3.3.1.2 ATD White List
3.3.2 Dark IP
3.3.3 Router
3.3.3.1 Router
3.3.3.2 Interfaces
3.3.3.3 Recomm. to Add/Edit
3.3.3.4 Recomm. to Remove
3.3.4 Internet Boundary
3.3.5 Backbone Links
3.3.6 Neighbor
3.3.7 Sub-Network
3.3.8 Server
3.3.9 MSP Customer
3.3.9.1 MSP Customer
3.3.9.2 Boundary Template
3.3.9.3 MSP User Account
3.3.9.4 Privilege Template
3.3.10 Filter
3.3.10.1 Factor
3.3.10.2 Filter
3.3.10.3 Filter Batch
3.3.11 Application
3.3.12 Anomaly
3.3.12.1 Protocol-Misuse Anomaly
3.3.12.2 Application Anomaly
3.3.13 Template
3.3.13.1 Baseline Template
3.3.13.2 Sub-Network Boundary
3.3.13.3 Server-farm Boundary
3.3.13.4 Server TopN Report
3.4 Configuration
3.5 Mitigation
3.5.1 Blackhole
3.5.2 Device
3.5.2.1 Guard
3.5.2.2 Eudemon
3.5.2.3 Global
3.6 Preferences
3.6.1 Status
3.6.2 Storage
3.6.3 Report
3.6.4 Notification
3.6.4.1 System Notification
3.6.4.2 Router Notification
3.6.4.3 Sub-Network Notification
3.6.4.4 MSP Customer Notification
3.6.4.5 Filter Notification
3.6.5 Name Mapping
3.6.5.1 Services
3.6.5.2 Protocols
3.6.5.3 ASNs
3.6.5.4 Area
3.6.5.5 IP to Area
3.6.6 Group
3.6.6.1 User
3.6.6.2 Router
3.6.6.3 Sub-Network
3.6.6.4 Server-farm
3.6.6.5 Neighbor
3.6.6.6 Filter
3.6.6.7 MSP Customer User
3.6.7 Baseline History
3.6.7.1 Sub-Network Baseline History
3.6.7.2 MSP Customer Baseline History
3.6.7.3 Filter Baseline History
3.6.8 Offline Report
3.6.8.1 Scheduler Template
3.6.8.2 Sub-Network
3.6.9 Remote Update
3.7 Report Rebuild
4 Status
4.1 Summary
4.1.1 Global
4.1.2 MSP Server
4.1.3 Anomaly
4.1.4 System
4.1.5 Resources
4.2 Anomaly Console
4.2.1 Global
4.2.2 MSP Server
4.3 Log
4.3.1 Alert Log
4.3.2 Mitigation Log
5 Snapshot
6 Mitigation
6.1 Blackhole
6.2 Hardware Mitigation
6.2.1 Guard
6.2.2 Eudemon
7 Report
7.1 Internet
7.1.1 Summary Report
7.1.2 Breakdown Report
7.1.2.1 Sub-Network
7.1.2.2 Origin ASN
7.1.2.3 Peer ASN
7.1.2.4 Peering Analysis
7.1.2.5 AS Path Length
7.1.3 Attribute Report
7.1.3.1 Application
7.1.3.2 Protocol
7.1.3.3 Protocol+Port
7.1.3.4 TOS
7.1.3.5 Packet Size
7.2 Neighbor
7.2.1 Summary Report
7.2.1.1 Compare
7.2.1.2 Detail
7.2.2 Breakdown Report
7.2.2.1 Sub-Network
7.2.2.2 Neighbor
7.2.2.3 AS Path Length
7.2.2.4 BGP Message
7.2.2.5 Origin ASN
7.2.3 Attribute Report
7.2.3.1 Application
7.2.3.2 Protocol
7.2.3.3 Protocol+Port
7.2.3.4 TOS
7.2.3.5 Packet Size
7.3 Backbone
7.3.1 Summary Report
7.3.2 Core Router
7.3.2.1 Compare
7.3.2.2 Detail
7.4 Router
7.4.1 Traffic
7.4.2 Performance
7.4.3 BGP Message
7.4.4 BGP Next Hop
7.4.5 MPLS
7.4.5.1 Summary Report
7.4.5.2 Class of Services
7.4.5.3 Egress PE
7.5 Interface
7.5.1 Compare
7.5.2 Detail
7.5.3 Top Talker
7.5.4 Attribute Report
7.5.4.1 Application
7.5.4.2 Protocol
7.5.4.3 Protocol+Port
7.5.4.4 TOS
7.5.4.5 Packet Size
7.6 Sub-Network
7.6.1 Summary Report
7.6.1.1 Compare
7.6.1.2 Detail
7.6.2 Breakdown Report
7.6.2.1 Sub-Network
7.6.2.2 Sub-Network Matrix
7.6.2.3 Neighbor ASN
7.6.2.4 Neighbor Matrix
7.6.2.5 Origin ASN
7.6.2.6 Top Talker
7.6.3 Attribute Report
7.6.3.1 Application
7.6.3.2 Protocol
7.6.3.3 Protocol+Port
7.6.3.4 TOS
7.6.3.5 Packet Size
7.7 Server
7.7.1 Summary Report
7.7.1.1 Compare
7.7.1.2 Detail
7.7.2 Breakdown Report
7.7.2.1 Sub-Network
7.7.2.2 Neighbor ASN
7.7.2.3 Origin ASN
7.7.2.4 Area
7.7.3 Attribute Report
7.7.3.1 Application
7.7.3.2 Protocol
7.7.3.3 Protocol/Port
7.7.3.4 TOS
7.7.3.5 Packet Size
7.7.4 TopN Report
7.8 Rule-based Report
7.8.1 Summary Report
7.8.1.1 Compare
7.8.1.2 Detail
7.8.2 TopN Report
8 MSP Customer
8.1 Anomaly Console
8.2 Report
8.2.1 Traffic
8.2.2 Boundary Traffic
8.2.3 Top Talker
8.2.4 Attribute Report
8.2.4.1 Application
8.2.4.3 Protocol/Port
8.2.4.5 Packet Size
8.2.5 TopN Report
9 Anomaly Activities
9.1 Dark IP
9.1.1 Summary Report
9.1.2 Breakdown Report
9.1.2.1 Infected Hosts
9.1.2.2 Victim Hosts
9.1.2.3 Interface
9.1.2.4 Sub-Network
9.2 Worm
9.2.1 Summary Report
9.2.2 Breakdown Report
9.2.2.1 Infected Hosts
9.2.2.2 Interface
9.2.2.3 Sub-Network
Appendix (A) -- NetFlow Device Configuration
Appendix (B) -- sFlow Device Configuration
Appendix (C) -- Installing SSL in Controller for Enabling Secure Web Access
Appendix (D) -- Booting GenieATM™ from TFTP Server
Appendix (E) -- Dictionary of IETF Radius Client Attributes Supported by GenieATM

© 2009 Genie Network Resource Management Inc. All Rights Reserved.

List of Figures

Figure 2.3.1-1 System Login Window
Figure 2.3.1-2 Default System Operation Window
Figure 2.3.1-3 Login/Logout Alert Message Window
Figure 3.1.1-1 System Admin / User / Local User Account Management Window
Figure 3.1.1-2 System Admin / User / Local User Account -- Add Local User Account Window
Figure 3.1.1-3 System Admin / User / Local User Account -- Edit Local User Account Window
Figure 3.1.1-4 System Admin / User / Local User Account -- View Local User Account Window
Figure 3.1.2-1 System Admin / User / Privilege Template Management Window
Figure 3.1.2-2 System Admin / User / Privilege Template -- Add User Privilege Template Window
Figure 3.1.2-3 System Admin / User / Privilege Template -- Edit User Privilege Template Window
Figure 3.1.2-4 System Admin / User / Privilege template -- View User Privilege Template Window
Figure 3.1.3-1 System Admin / User / Online User Management Window
Figure 3.1.4-1 System Admin / User / Remote Authentication Management Window
Figure 3.1.4-2 System Admin / User / Remote Authentication / Edit – Remote Authentication Window (Radius Server)
Figure 3.2.1-1 System Admin / Controller Management Window
Figure 3.2.1-2 System Admin / Controller -- Edit Controller Window
Figure 3.2.2-1 System Admin / Collector Management Window
Figure 3.2.2-2 System Admin / Collector -- Add New Collector Window
Figure 3.2.2-3 System Admin / Collector -- Edit Collector Window
Figure 3.2.2-4 System Admin / Collector -- View Collector Window
Figure 3.3.1-1 System Admin / Network / Home Network / Home Network Management Window
Figure 3.3.1-2 System Admin / Network / Home Network / Home Network – Edit Local IP Address Window
Figure 3.3.1-3 System Admin / Network / Home Network / Home Network – Edit Local AS Number Window
Figure 3.3.1-4 System Admin / Network / Home Network / ATD White List Management Window
Figure 3.3.1-5 System Admin / Network / Home Network – Edit ATD White List Window
Figure 3.3.2-1 System Admin / Network / Dark IP Management Window
Figure 3.3.2-2 System Admin / Network / Dark IP -- Edit Dark IP & Non-Dark IP Addresses Window
Figure 3.3.3-1 System Admin / Network / Router / Router Management Window
Figure 3.3.3-2 System Admin / Network / Router / Router -- Add Router Window
Figure 3.3.3-3 System Admin / Network / Router / Router -- Edit Router Window
Figure 3.3.3-4 System Admin / Network / Router / Router -- View Router Window
Figure 3.3.3-5 System Admin / Network / Router / Interface Management Window
Figure 3.3.3-6 System Admin / Network / Router / Interface -- Interface Discovery with SNMP Window
Figure 3.3.3-7 System Admin / Network / Router / Interface -- Add Interface Window
Figure 3.3.3-8 System Admin / Network / Router / Interface -- Edit Router Interface Window
Figure 3.3.3-9 System Admin / Network / Router / Interface -- View Interface Window
Figure 3.3.3-10 System Admin / Network / Router / Recomm. to Add/Edit Window
Figure 3.3.3-11 System Admin / Network / Router / Recomm. to Remove Window
Figure 3.3.4-1 System Admin / Network / Internet Boundary Management Window
Figure 3.3.4-2 System Admin / Network / Internet Boundary -- Change Boundary Type Window (with

© 2009 Genie Network Resource Management Inc. All Rights Reserved.

Segment Cut Illustration)................................................................................................ 49 Figure 3.3.4-3 System Admin / Network / Internet Boundary -- Change Boundary Type Window (with Circular Cut Illustration).................................................................................................. 50 Figure 3.3.4-4 System Admin / Network / Internet Boundary -- Add Internet Boundary Window.......... 50 Figure 3.3.4-5 System Admin / Network / Internet Boundary -- Edit Internet Boundary Window.......... 51 Figure 3.3.5-1 System Admin / Network / Backbone Links Management Window ............................... 53 Figure 3.3.5-2 System Admin / Network / Backbone Links -- Add Backbone Links Window ................ 54 Figure 3.3.6-1 System Admin / Network / Neighbor Management Window .......................................... 55 Figure 3.3.6-2 System Admin / Network / Neighbor -- Add Neighbor Window ...................................... 55 Figure 3.3.6-3 System Admin / Network / Neighbor -- Edit Neighbor Window ...................................... 56 Figure 3.3.6-4 System Admin / Network / Neighbor -- View Neighbor Window .................................... 56 Figure 3.3.7-1 System Admin / Network / Sub-Network Management Window .................................... 57 Figure 3.3.7-2 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by CIDR) ....................................................................................................................................... 58 Figure 3.3.7-3 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by AS Number) ......................................................................................................................... 
59 Figure 3.3.7-4 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by AS Path Regular Expression) .............................................................................................. 59 Figure 3.3.7-5 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by BGP Community String).......................................................................................................... 59 Figure 3.3.7-6 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by Interface) ........................................................................................................................ 59 Figure 3.3.7-7 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by Private Network) ......................................................................................................................... 60 Figure 3.3.7-8 System Admin / Network / Sub-Network -- Edit Sub-Network Learning Interface Window ....................................................................................................................................... 61 Figure 3.3.7-9 System Admin / Network / Sub-Network -- Edit Sub-Network Boundary Window ......... 63 Figure 3.3.7-10 System Admin / Network / Sub-Network -- Edit Sub-Network Window ....................... 64 Figure 3.3.7-11 System Admin / Network / Sub-Network -- View Sub-Network Window ...................... 65 Figure 3.3.8-1 System Admin / Network / Server – Server-farm Management Window ....................... 66 Figure 3.3.8-2 System Admin / Network / Server -- Add Server-farm Window...................................... 67 Figure 3.3.8-3 System Admin / Network / Server -- Edit Server Boundary Window ............................. 69 Figure 3.3.8-4 System Admin / Network / Server -- Adding TopN Report to the Server-farm ............... 69 Figure 3.3.8-5 System Admin / Network / Server -- Edit Server-farm Window...................................... 
70 Figure 3.3.8-6 System Admin / Network / Server -- View Server-farm Window .................................... 71 Figure 3.3.9-1 System Admin/Network/MSP Customer -- MSP Customer Management Window ....... 72 Figure 3.3.9-2 System Admin/Network/MSP Customer/MSP Customer – Adding MSP Customer Window........................................................................................................................... 73 Figure 3.3.9-3 System Admin/Network/MSP Customer/MSP Customer -- Add Boundary Routers Window........................................................................................................................... 74 Figure 3.3.9-4 System Admin/Network/MSP Customer/ MSP Customer Boundary Template Management Window .................................................................................................... 75 Figure 3.3.9-5 System Admin/Network/MSP Customer/Boundary Template – Adding MSP Customer Boundary Template Window .......................................................................................... 76 © 2009 Genie Network Resource Management Inc. All Rights Reserved.

VIII

Figure 3.3.9-6 System Admin/Network/MSP Customer/MSP User Account – MSP User Account Window
Figure 3.3.9-7 System Admin/Network/MSP Customer/Privilege Template -- Privilege Template Management Window
Figure 3.3.9-8 System Admin / Network/ MSP Customer / Privilege Template -- Edit User Privilege Template Window
Figure 3.3.10-1 System Admin / Network / Filter / Factor Management Window
Figure 3.3.10-2 System Admin / Network / Filter / Factor -- Add Factor Window (IP Factor)
Figure 3.3.10-3 System Admin / Network / Filter / Factor -- Add Factor Window (BGP Community Factor)
Figure 3.3.10-4 System Admin / Network / Filter / Factor -- Add Factor Window (AS Number Factor)
Figure 3.3.10-5 System Admin / Network / Filter / Factor -- Add Factor Window (AS Path Factor)
Figure 3.3.10-6 System Admin / Network / Filter / Factor -- Add Factor Window (Application Factor)
Figure 3.3.10-7 System Admin / Network / Filter / Factor -- Edit Factor Window
Figure 3.3.10-8 System Admin / Network / Filter / Factor -- View Factor Window
Figure 3.3.10-9 System Admin / Network / Filter / Filter Management Window
Figure 3.3.10-10 System Admin / Network / Filter / Filter -- Add Filter Window
Figure 3.3.10-11 System Admin / Network / Filter / Filter -- Add Filter Expression Window
Figure 3.3.10-12 System Admin / Network / Filter / Filter -- Edit Filter Expression Window
Figure 3.3.10-13 System Admin / Network / Filter / Filter -- View Filter Expression Window
Figure 3.3.10-14 System Admin / Network / Filter / Filter -- Add Filter TopN Window
Figure 3.3.10-15 System Admin / Network / Filter / Filter -- Edit Filter TopN Window
Figure 3.3.10-16 System Admin / Network / Filter / Filter -- Edit Filter Window
Figure 3.3.10-17 System Admin / Network / Filter / Filter -- View Filter Window
Figure 3.3.10-18 System Admin / Network / Filter / Filter Batch Management window
Figure 3.3.10-19 System Admin / Network / Filter / Filter Batch – Batch Add Filter Window
Figure 3.3.11-1 System Admin / Network / Application Management Window
Figure 3.3.11-2 System Admin / Network / Application -- Add System Application Window
Figure 3.3.11-3 System Admin / Network / Application -- Edit System Application Window
Figure 3.3.11-4 System Admin / Network / Application -- View System Application Window
Figure 3.3.12-1 System Admin / Network / Anomaly / Protocol-Misuse Anomaly Management Window
Figure 3.3.12-2 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Outgoing Protocol-Misuse Anomaly Detection Window
Figure 3.3.12-3 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Protocol-Misuse Anomaly-Default for Home and User-defined Resources Window
Figure 3.3.12-4 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Protocol-Misuse Anomaly-Non-Home Window
Figure 3.3.12-5 System Admin / Network / Anomaly / Application Anomaly Management Window
Figure 3.3.12-6 System Admin / Network / Anomaly / Application Anomaly -- Edit Detection Scope Window
Figure 3.3.12-7 System Admin / Network / Anomaly / Application Anomaly -- Add Application Anomaly Window
Figure 3.3.12-8 System Admin / Network / Anomaly / Application Anomaly -- Edit Application Anomaly Window
Figure 3.3.12-9 System Admin / Network / Anomaly / Application Anomaly -- View Application Anomaly Window
Figure 3.3.13-1 System Admin / Network / Template / Baseline Management Window
Figure 3.3.13-2 System Admin / Network / Template / Baseline -- Add Baseline Template Window (Interface Traffic Type)
Figure 4.4.11-3 System Admin / Network / Template / Baseline – Add Baseline Template Window (BGP Update Message Type)
Figure 3.3.13-4 System Admin / Network / Template / Baseline – Add Baseline Template Window (Traffic Anomaly Type)
Figure 3.3.13-5 System Admin / Network / Template / Baseline – Add Baseline Template Window (Traffic Anomaly - Filter Type)
Figure 3.3.13-6 System Admin / Network / Template / Baseline – Add Baseline Template Window (Router Performance)
Figure 3.3.13-7 System Admin / Network / Template / Baseline -- Edit Baseline Template Window
Figure 3.3.13-8 System Admin / Network / Template / Baseline -- View Baseline Template Window
Figure 3.3.13-9 System Admin / Network / Template / Sub-Network Boundary Template Management Window
Figure 3.3.13-10 System Admin / Network / Template / Sub-Network Boundary -- Add Sub-Network Boundary Template Window
Figure 3.3.13-11 System Admin / Network / Template / Sub-Network Boundary -- Edit Sub-Network Boundary Template Window
Figure 3.3.13-12 System Admin / Network / Template / Sub-Network Boundary -- View Sub-Network Boundary Template Window
Figure 3.3.13-13 System Admin / Network / Template / Server-farm boundary Template Management Window
Figure 3.3.13-14 System Admin / Network / Template / Server-farm boundary -- Add Server-farm boundary Template Window
Figure 3.3.13-15 System Admin / Network / Template / Server-farm boundary -- Edit Server-farm boundary Template Window
Figure 3.3.13-16 System Admin / Network / Template / Server-farm boundary -- View Server-farm Boundary Template Window
Figure 3.3.13-17 System Admin / Network / Template / TopN Report -- TopN Report Template Window
Figure 3.3.13-18 System Admin / Network / Template / TopN Report -- Add Server-farm TopN Report Template Window
Figure 3.3.13-19 System Admin / Network / Template / TopN Report -- Edit Server-farm TopN Window
Figure 3.4-1 System Admin / Configuration Management Window
Figure 3.4-2 System Admin / Configuration – Dispatch Network Configuration and Save Window
Figure 3.4-3 System Admin / Configuration -- Upload Configuration Window
Figure 3.5.1-1 System Admin / Mitigation / Blackhole Management Window
Figure 3.5.1-2 System Admin / Mitigation / Blackhole -- Edit Blackhole Window
Figure 3.5.1-3 System Admin / Mitigation / Blackhole -- Add Blackhole Policy Window
Figure 3.5.2-1 System Admin / Mitigation / Device / Device Management Window
Figure 3.5.2-2 System Admin / Mitigation / Device / Cisco Guard -- Add Guard Window
Figure 3.5.2-3 System Admin / Mitigation / Device / Cisco Guard -- Edit Guard Window
Figure 3.5.2-4 System Admin / Mitigation / Device / Cisco Guard -- View Guard Window
Figure 3.5.2-5 System Admin / Mitigation / Device / Eudemon -- Eudemon Management Window
Figure 3.5.2-6 System Admin / Mitigation / Device / Eudemon -- Add Eudemon Window
Figure 3.5.2-7 System Admin / Mitigation / Device / Eudemon -- Edit Eudemon Window
Figure 3.5.2-8 System Admin / Mitigation / Device / Eudemon -- View Eudemon Window
Figure 3.5.2-9 System Admin / Mitigation / Global / SSH Public Key Window
Figure 3.5.2-10 System Admin / Mitigation / Global / SSH Public Key Window
Figure 3.6.1-1 System Admin / Preferences / Status Parameter Management Window
Figure 3.6.1-2 System Admin / Preferences / Status -- Edit Status Parameter Window
Figure 3.6.2-1 System Admin / Preferences / Storage Management Window
Figure 3.6.2-2 System Admin / Preferences / Storage -- Edit Disk Usage Window
Figure 3.6.2-3 System Admin / Preferences / Storage -- Edit Report Data Window
Figure 3.6.2-4 System Admin / Preferences / Storage -- Edit Alert Log Window
Figure 3.6.2-5 System Admin / Preferences / Storage -- Edit Anomaly Log Window
Figure 3.6.2-6 System Admin / Preferences / Storage -- Edit Login Log Window
Figure 3.6.3-1 System Admin / Preferences / Report Parameter Management Window
Figure 3.6.3-2 System Admin / Preferences / Report -- Edit Pre-defined TopN Report Parameter Window
Figure 3.6.3-3 System Admin / Preferences / Report -- Edit Report Parameter Window
Figure 3.6.3-4 System Admin / Preferences / Report -- Edit Rule-Based Report Label Window
Figure 3.6.3-5 System Admin / Preferences / Report -- Edit Detail Anomaly Traffic Analysis Report Parameter Window
Figure 3.6.4-1 System Admin / Preferences / Notification / System Notification Configuration Window
Figure 3.6.4-2 System Admin / Preferences / Notification / System -- Edit Email Notification Window
Figure 3.6.4-3 System Admin / Preferences / Notification / System -- Edit Trap Notification Window
Figure 3.6.4-4 System Admin / Preferences / Notification / Router Notification Configuration Window
Figure 3.6.4-5 System Admin / Preferences / Notification / Router -- Edit Router Notification Configuration Window
Figure 3.6.4-6 System Admin / Preferences / Notification / Sub-Network Notification Configuration Window
Figure 3.6.4-7 System Admin / Preferences / Notification / Sub-Network -- Edit Sub-Network Notification Configuration Window
Figure 3.6.4-8 System Admin/Preference/Notification/MSP Customer – MSP Customer Notification Configuration Window
Figure 3.6.4-9 System Admin/Preference/Notification/MSP Customer – Edit MSP Customer Notification Configuration Window
Figure 3.6.4-10 System Admin / Preferences / Notification / Filter Notification Configuration Window
Figure 3.6.4-11 System Admin / Preferences / Notification / Filter -- Edit Filter Notification Configuration Window
Figure 3.6.5-1 System Admin / Preferences / Name Mapping / Service Management Window
Figure 3.6.5-2 System Admin / Preferences / Name Mapping / Service -- Add Service Name Window
Figure 3.6.5-3 System Admin / Preferences / Name Mapping / Service -- Edit Service Name Window
Figure 3.6.5-4 System Admin / Preferences / Name Mapping / Protocol Management Window
Figure 3.6.5-5 System Admin / Preferences / Name Mapping / Protocol -- Add Protocol Name Window
Figure 3.6.5-6 System Admin / Preferences / Name Mapping / Protocol -- Edit Protocol Name Window
Figure 3.6.5-7 System Admin / Preferences / Name Mapping / ASN management Window
Figure 3.6.5-8 System Admin / Preferences / Name Mapping / ASN -- Add ASN Window
Figure 3.6.5-9 System Admin / Preferences / Name Mapping / ASN -- Edit ASN Name Window
Figure 3.6.5-10 System Admin / Preferences / Name Mapping / Area Management Window
Figure 3.6.5-11 System Admin / Preferences / Name Mapping / Area -- Add Area management Window
Figure 3.6.5-12 System Admin / Preferences / Name Mapping / Area -- Edit Area management window
Figure 3.6.5-14 System Admin / Preferences / Name Mapping / IP to Area – Import IP-to-Area management Window
Figure 3.6.6-1 System Admin / Preferences / Group / User Group Management Window
Figure 3.6.6-2 System Admin / Preferences / Group / User -- Add User Group Window
Figure 3.6.6-3 System Admin / Preferences / Group / User -- Edit User Group Window
Figure 3.6.6-4 System Admin / Preferences / Group / User -- View User Group Window
Figure 3.6.6-5 System Admin / Preferences / Group / Router Group Management Window
Figure 3.6.6-6 System Admin / Preferences / Group / Router -- Add Router Group Window
Figure 3.6.6-7 System Admin / Preferences / Group / Router -- Edit Router Group Window
Figure 3.6.6-8 System Admin / Preferences / Group / Router -- View Router Group Window
Figure 3.6.6-9 System Admin / Preferences / Group / Sub-Network Group Management Window
Figure 3.6.6-10 System Admin / Preferences / Group / Sub-Network -- Add Sub-Network Group Window
Figure 3.6.6-11 System Admin / Preferences / Group / Sub-Network -- Edit Sub-Network Group Window
Figure 3.6.6-12 System Admin / Preferences / Group / Sub-Network -- View Sub-Network Group Window
Figure 3.6.6-13 System Admin / Preferences / Group / Server-farm Group Management Window
Figure 3.6.6-14 System Admin / Preferences / Group / Server-farm -- Add Server-farm Group Window
Figure 3.6.6-15 System Admin / Preferences / Group / Server-farm -- Edit Server-farm Group Window
Figure 3.6.6-16 System Admin / Preferences / Group / Server-farm -- View Server-farm Group Window
Figure 3.6.6-17 System Admin / Preferences / Group / Neighbor Group Management Window........ 172 Figure 3.6.6-18 System Admin / Preferences / Group / Neighbor -- Add Neighbor Group Window.... 172 Figure 3.6.6-19 System Admin / Preferences / Group / Neighbor -- Edit Neighbor Group Window.... 173 Figure 3.6.6-20 System Admin / Preferences / Group / Neighbor -- View Neighbor Group Window .. 174 Figure 3.6.6-21 System Admin / Preferences / Group / Filter Group Management Window .............. 175 Figure 3.6.6-22 System Admin / Preferences / Group / Filter -- Add Filter Group Window................. 175 Figure 3.6.6-23 System Admin / Preferences / Group / Filter -- Edit Filter Group Window................. 176 Figure 3.6.6-24 System Admin / Preferences / Group / Filter -- View Filter Group Window ............... 176 Figure 3.6.6-25 System Admin / Preferences / Group / MSP Customer User -- MSP Customer User Group Management Window ....................................................................................... 177 Figure 3.6.6-26 System Admin / Preferences / Group / MSP Customer User -- Edit MSP Customer User Group Window ............................................................................................................. 178 Figure 3.6.6-27 System Admin / Preferences / Group / MSP Customer User -- View MSP Customer User Group Window..................................................................................................... 178 Figure 3.6.7-1 System Admin / Preferences / Baseline History / Sub-Network Baseline History Window ..................................................................................................................................... 179 Figure 3.6.7-2 System Admin / Preferences / Baseline History / Sub-Network -- View Baseline History Window......................................................................................................................... 
179 Figure 3.6.7-3 System Admin / Preferences / Baseline History / MSP Customer Baseline History Window......................................................................................................................... 180 Figure 3.6.7-4 System Admin / Preferences / Baseline History / MSP Customer -- View Baseline History Window......................................................................................................................... 181 Figure 3.6.7-5 System Admin / Preferences / Baseline History / Filter Baseline History Window ...... 182 Figure 3.6.7-6 System Admin / Preferences / Baseline History / Filter -- View Baseline History Window ..................................................................................................................................... 182 Figure 3.6.8-1 System Admin / Preferences / Offline Report / Scheduler Template Management Window ..................................................................................................................................... 183 Figure 3.6.8-2 System Admin / Preferences / Offline Report / Scheduler -- Edit Schedule Template Window (Daily Schedule Type) .................................................................................... 184 Figure 3.6.8-3 System Admin / Preferences / Offline Report / Scheduler -- View Schedule Template Window......................................................................................................................... 184 Figure 3.6.8-4 System Admin / Preferences / Offline Report / Sub-Network Offline Report Management Window......................................................................................................................... 185 Figure 3.6.8-5 System Admin / Preferences / Offline Report / Sub-Network-- Edit Sub-Network Offline Report Window............................................................................................................. 
185 Figure 3.6.8-6 System Admin / Preferences / Offline Report / Sub-Network -- View Sub-Network Offline Report Window ............................................................................................................. 186 Figure 3.6.9-1 System Admin / Preferences / Remote Update Management Window ....................... 187 Figure 3.6.9-2 System Admin / Preferences / Remote Update -- Edit Default Configuration of Remote Update Window............................................................................................................ 187 Figure 3.7-1 System Admin / Report Rebuild Window ........................................................................ 188 Figure 3.7-2 System Admin / Report Rebuild – Adding a New Request Window ............................... 188 Figure 3.7-3 System Admin / Report Rebuild – Rawdata File Window ............................................... 189 Figure 3.7-4 System Admin / Report Rebuild – Looking Up Last Request Status Window ................ 190 XIII


Figure 3.7-5 System Admin / Report Rebuild – Aborting Last Request Window
Figure 4.1.1-1 Status / Summary / Global Window
Figure 4.1.2-1 Status / Summary / MSP Server Window
Figure 4.1.3-1 Status / Summary / Anomaly Window
Figure 4.1.4-1 Status / Summary / System Window
Figure 4.1.4-2 Status / Summary / System / Controller Hardware’s Status Report
Figure 4.1.4-3 Status / Summary / System / Controller Hardware’s Event Report
Figure 4.1.4-4 Status / Summary / System / Controller’s Status Window
Figure 4.1.5-1 The Resource Summary Viewing List
Figure 4.1.5-2 The Further Viewing List of Collector Resource
Figure 4.2-1 Status / Anomaly Console / Anomaly Console Querying Window
Figure 4.2-2 Status / Anomaly Console / Summary Anomaly Report Window (Sub-Network Resource Type)
Figure 4.2-3 Status / Anomaly Console / Detail Anomaly Report Window (Sub-network Resource Type)
Figure 4.2-4 Status / Anomaly Console / Detail Anomaly Report -- ACL Generate Tool Window
Figure 4.2-5 Status / Anomaly Console / Summary Anomaly Report Window (Filter Resource Type)
Figure 4.2-6 Status / Anomaly Console / MSP Server Anomaly Console Querying Window
Figure 4.3.1-1 Status / Alert Log / Alert Log Querying Window
Figure 4.3.2-1 Status / Log -- Mitigation Log Querying Window
Figure 4.3.3-1 Status / Log / Login Log Querying Window
Figure 5-1 Traffic Snapshot Management Window
Figure 5-2 Snapshot -- Device Interface Management Window
Figure 5-3 Snapshot -- Instant Top N Report
Figure 5-4 Snapshot -- Instant Top N Report / Latest 100 Raw Flows
Figure 6.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation Action Management Window
Figure 6.1-2 Mitigation / Hardware Mitigation - Add Hardware Mitigation Action Window
Figure 6.1-3 Mitigation / Blackhole - View Blackhole Mitigation Action Management Window
Figure 6.2.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation: Guard Management Window
Figure 6.2.1-2 Mitigation / Hardware Mitigation - Add Guard Mitigation Action Window
Figure 6.2.1-3 Mitigation / Hardware Mitigation - Hardware Mitigation Traffic Report
Figure 6.2.1-4 Mitigation / Hardware Mitigation - Hardware Mitigation Attack Report
Figure 6.2.2-1 Mitigation / Hardware Mitigation / Eudemon Management Window
Figure 6.2.2-2 Mitigation / Hardware Mitigation/Eudemon - Add Eudemon Mitigation Window


1 Introduction

This manual describes the traffic analysis functions of the GenieATM system. The following outline summarizes how the manual is organized.

● System and Functions Overview
To help users make full use of the system functions when observing and analyzing flow traffic status, this section introduces the features, functions, and design concepts of the system, so that users understand its basic functional framework before operating it and can use all system functions with greater flexibility.

● System Functions Descriptions
To help users use all system functions properly, the following sections (section 3 to section 9) introduce the operating procedure for each function in detail, accompanied by clear illustrations, so that users can operate and set up every system function more easily.

● Appendix (A) -- NetFlow Device Configuration
This appendix shows users how to configure various NetFlow devices to export NetFlow data to the GenieATM Flow Collector.

● Appendix (B) -- sFlow Device Configuration
This appendix shows users how to configure sFlow devices to export sFlow data to the GenieATM Flow Collector.

● Appendix (C) -- Installing SSL in GenieATM™ for Enabling Secure Web Access
This appendix describes how to install SSL in GenieATM to enable secure web access.

● Appendix (D) – Booting GenieATM™ from TFTP Server
This appendix describes how to boot GenieATM from a TFTP server. With this feature, users can verify that the system image is sound before updating the software.

● Appendix (E) – Dictionary of IETF Radius Client Attributes Supported by GenieATM
This appendix provides detailed information on all Radius Client attributes supported by GenieATM, for users to configure their remote user accounts on their Radius server.


2 System and Functions Overview

2.1 System Overview

Network operators face burdensome daily maintenance and sudden DoS/DDoS attacks, and the situation is especially difficult when they cannot find the cause of unusual network traffic. Solving such problems immediately with real-time traffic reports, instead of analyzing historical traffic logs after trouble occurs, is therefore a great help. In addition, operators who want to improve network performance urgently need precise traffic analysis to support business management, whether for peering strategy or capacity planning.

Today, most network management equipment monitors only connection status (up or down) and provides no reports on the scalability and performance of network traffic. Monitoring facility status alone is insufficient for operators to solve problems without analysis of network performance and quality. Most traffic analysis tools analyze only traffic volume and a few well-known applications, and cannot create reports on, for example, the volumes of packets and sessions or all TCP/UDP ports. They also lack precise traffic analysis of BGP information, which can show peering and transit traffic to help network managers make significant business decisions.

The GenieATM series provides an intelligent Network Traffic Modeling that precisely classifies traffic flows and works with the built-in reports to generate various related traffic statistics. This Network Traffic Modeling understands the hierarchical network structure adopted by most xSPs, so it can analyze traffic appropriately. With the accurate analysis reports of GenieATM, network operators can monitor their networks easily and efficiently.

The GenieATM series also provides a traffic snapshot tool for “instant flow analysis”, which presents the instant flow status of a specified network range in a TOP N report. By configuring analysis criteria, users can sieve specific traffic out of the entire traffic for Top-N analysis. Furthermore, to provide more flexible traffic analysis than the Network Traffic Modeling analysis, GenieATM also offers a rule-based Filter traffic analysis function. With user-defined Factor and Filter elements, users can locate traffic with great flexibility. In addition, the Anomaly Traffic Detection function can effectively detect, and give timely notification of, DoS/DDoS attacks, routing misconfigurations, and endangered network devices before they undermine network availability, performance, and Sub-Network satisfaction.

The GenieATM series adopts a distributed-deployment and centralized-management structure, which collects the largest scope of network flows, simplifies system management and configuration, and cuts the user's TCO (Total Cost of Ownership). Collectors deployed on regional networks collect network flows from core switches/routers, analyze them, and deliver them to the Controller for data aggregation. Through the Controller, network operators can therefore manage the distributed Collectors, aggregate the analyzed traffic data, monitor the entire network traffic, and read the analysis reports.

The GenieATM series includes a BGP module that monitors the BGP update messages of neighbor ASes. When the statistics of BGP update messages change abnormally, network operators can adjust their routing policy according to this reliable statistical information. The BGP module can also detect BGP Hijack and issue alert notifications for it. For security, GenieATM supports the TCP MD5 Signature option for BGP, which efficiently protects the BGP communication between GenieATM and BGP routers from malicious attacks.

GenieATM series products, developed by GenieNRM Inc., are state-of-the-art flow analysis systems. They provide full statistics and analysis functions for traffic, such as 24-hour flow monitoring, warnings when traffic exceeds a threshold, anomaly and alert notifications, snapshot (instant) analysis through TOP N sorting, various traffic modeling analyses, rule-based Filter traffic analysis, BGP traffic analysis, common attribute analyses, online web reports for query, and DB storage management. Network operators can use the traffic analysis reports and statistics to manage their network resources and plan future network topology.


2.2 System Screen Overview

This section highlights the system screen and its function keys to help users understand the system framework and basic operation. For optimal viewing, IE 6.0 or a later browser with a screen resolution of 600x800 (or 1024x768) is highly recommended.

2.2.1 System Screen

The following section describes the location and function of each area of the GenieATM screen. Please refer to Figure 3.2.1-1.

Figure 2.2.1-1 System Operation Screen (labeled areas: 1. System Menu Tree, 2. Action Buttons, 3. Path, 4. Sub Menu Tab, 5. System Version, 6. Logout Button, 7. Help, 8. Configuration View List)

1. System Menu Tree
Lists the system's main functions. Users can click an item to expand its sub functions or to enter the window of the function.

2. Action Buttons
There are two kinds of action buttons: text-form buttons, such as “Add” and “Edit”, and icon-form buttons, such as “ ” (Edit) and “ ” (Delete). With these action buttons, users can manage setup data. The following table lists all kinds of action buttons and their meanings.

Action Button: Meaning
“Abort Last Request”: To terminate the processing request of report rebuilding
“Abort Prefix Learning”: To terminate the processing request of prefix auto-learning
“Add”: To create an object
“Add New Request”: To add a report-rebuild request
“Add Via Learning”: To add objects via system auto-learning
“Browse”: To look through all detailed objects
“Cancel”: To stop the uncompleted settings and exit the management window
“Check”: To check the information to see if there is any difference
“Close”: To close the window
“Delete”: To delete an object
“Delete All”: To delete all listed objects
“Dispatch Network Configuration and Save”: To dispatch the current configuration in the Database to the Collectors and then save it as a DB configuration file
“Download”: To copy a DB configuration file from the Controller to the local host
“Edit”: To edit the content of an object
“Get Last Request Status”: To get the detailed information of the last request status
“Get Learning Status”: To get the detailed information of the last or in-progress request status of prefix auto-learning
“Get Synchronizing Status”: To get the detailed information of the last dispatch status
“Go”: To submit the query conditions
“Reset”: To get back to the original settings
“Restore and Dispatch”: To restore a saved DB configuration file into the Database and then dispatch it to the Collectors
“Save”: To save the configuration
“Start Prefix Learning”: To start a prefix learning request
“Submit”: To send the settings to the system
“Upload”: To copy the configuration file from the local host to the system
“View”: To view the profile of an object
“View History”: To view historical statuses of prefix auto-learning requests
“View Result”: To view the result of the last prefix auto-learning request
“ ”: To unfold the sub menus underneath
“ ”: To fold the sub menus underneath
“ ”: To enter an operation/management window of the menu
“ ”: To edit the content of an object
“ ”: To delete an object

3. Path
Path indicates where the current operating page is located, relative to the System Menu Tree.

4. Sub Menu Tab
Sub Menu Tabs are used to access the different sections of a sub menu that has multiple functions. Please refer to the table in the System Menu Tree section.

5. System Version
Shows the running version of the Controller.

6. Logout Button
Located at the top right corner of the screen. Users must click the Logout button to exit the system. When users click the button, the system automatically records their login and logout time.

7. Help
A glossary located under the Logout button that provides information to help users understand the operations of GenieATM.

8. Configuration View List
All setup data is displayed in the view list after configuration is completed. Users can click the action buttons displayed in front of the configurations to modify or delete items.


2.2.2 System Functions Overview

The system's operating structure consists of two major parts: system management and report presentation. System management contains the functions User, Device, Network, Configuration, Mitigation, Preferences, and Report Rebuild; report presentation contains the parts Internet, Neighbor, Backbone, Router, Interface, Sub-Network, Server, Rule-based Report, MSP Customer, and Anomaly Activities. Except for the MSP Customer and Anomaly Activities report menus, all of these are gathered under the Report main menu. The Anomaly Activities report menu is kept separate because of its focus on anomaly events. In addition, Status, Snapshot, and Mitigation functions are provided to report summary statistics of detected anomalies, issued alerts, and system profiling; to put the powerful diagnostic and troubleshooting capabilities into practice; and to execute actions that stop or mitigate the impact of detected anomaly activities. The following section outlines the configurations of the individual system functions to help users configure them quickly and easily.

● Web-based Interface
The system offers an easy-to-use web-based user interface.

● Command Line Interface
Users can access GenieATM through a terminal, Telnet, or SSH2 to perform configuration setup.

● User Account Management
The User menu allows users to manage local user accounts, enable the remote authentication function, forcibly terminate the login sessions of online users, and query the history of user logins to the system.
— Local User Account
The system offers authentication and authority control functions for local users:
User Authority: Users are divided into three privilege groups: Administrator, Sub-Network user, and defined by template. The administrator has the authority to access all functions and manage user accounts. The Sub-Network user can read the reports of the specified Sub-Network entity, query anomaly events of the assigned Sub-Network entity, and use the Snapshot function within the traffic scope of the assigned Sub-Network entity. “Defined by template” lets users specify roles that can access only some system functions. The factory default privileges in the defined template are superuser and user for viewing only. The superuser can access most functions except some in the System Admin menu (including: User, Device, Mitigation and Status, Storage, Report, Name Mapping and Remote Update of “Preferences”). The user for viewing only can only read the reports and is not allowed to use the System Admin and Mitigation functions.
System Default Account:
* admin: administrator privilege
— Privilege Template
The system lets users define access groups; members of a given role group can access only the specified functions. The factory default privileges are Administrator, Superuser, and user for viewing only.
— Online User
The system allows users with administrator authority to terminate the connection of any online user.
— Remote Authentication
The system supports remote authentication for user accounts that are not registered in the GenieATM system.

● Device Management
The Device menu lets users manage the Controller, Collectors, MSP servers (value-added function), and Flow Load Balancer (value-added function).
— Controller
The system displays the detailed information of the Controller module here.


— Collector
All Collectors managed by the Controller are displayed here. Administrators have to configure each new Collector once it is added to the system.
— MSP Server
Allows users to define the MSP server, which collects customers’ traffic and provides a portal site where customers can maintain the system and browse various traffic reports. This function is shown when the system supports the MSP module (value-added function).
— Flow Load Balancer
The Flow Load Balancer devices receive flows from the routers and forward them to multiple ATM collectors according to the configured policy.

Note
Supported Flow Records: GenieATM collects NetFlow (V1, V5, V7, V9), NetStream, and sFlow (V2, V4, V5) records from different Flow exporters and can perform statistics and analysis on such records.

● Network
GenieATM uses the definition of “Network Boundary” to implement the concept of “Network Cut” and provides built-in Network Modelings to analyze network traffic. Users need to configure some mandatory entities for the analysis to operate effectively.
— Home Network
Users need to provide all address prefixes belonging to Home in CIDR format, together with the Home Network AS numbers. This function also allows users to define prefix-based network entities without traffic detection.
— Dark IP
Users can define dark or non-dark IP address prefixes in CIDR format for Dark IP Detection.
— Router
Users need to provide all related information about the routers and interfaces they want monitored for traffic and hardware.
— Internet Boundary
Users need to define their Internet boundary for traffic analysis between their networks and the Internet.
— Backbone Links
Users need to register all of their backbone links so that GenieATM can automatically identify backbone routers and the backbone boundary.
— Neighbor
Users need to provide all of their neighbor ASes (AS: Autonomous System) for traffic analysis between their networks and their neighboring networks.
— Sub-Network
Users should define sub-networks for traffic analysis of specific network entities. These network entities could be a POP, a Sub-Network’s network, or a server farm, and might be either inside (internal) or outside (external) Home Network.
— Server
Users can define their server farm, which includes several servers, in the system, so that they can obtain a variety of reports relevant to the server traffic.
— MSP Customer
Users can define the MSP customers and generate their traffic. The MSP customers can then access the MSP server to manage system functions and view their traffic reports.
— Filter
The system provides rule-based traffic analysis so that users can locate traffic by themselves.


— Application
Users can gather different services (protocol + port) that all belong to one kind of network application into a group. The system uses the configured application groups to classify traffic for the Attribute Application reports.
— Anomaly
The system provides default Protocol-Misuse & Application anomaly signatures, which define the traffic characteristics of known anomalies. Users are allowed to modify the default Protocol-Misuse & Application anomaly signatures and to create new Application anomaly signatures. In addition, this menu provides download of the latest system anomaly signature definitions from the GenieATM definition update servers.
— Template
Users can create templates for the baseline and boundary (including Sub-Network boundary and Server-farm boundary) that can be quickly applied to the configurations of network entities.

● Configuration
The system offers configuration backup, restoration, and dispatching for the settings of the Network menu.

● Mitigation
This Mitigation sub menu (under Network menu) is for users to configure the essential mitigation elements for the two mitigation methods the system supports (Hardware Mitigation and Blackhole). Some required elements must be provided for each mitigation method before mitigation actions are added.
— Blackhole
Users can configure the basic elements for the Blackhole mitigation method; this should be done before adding Blackhole mitigation actions.
— Device
Users can configure the basic elements for the Hardware Mitigation method and also manage Guard devices and Eudemon devices here. Before adding Hardware mitigation actions, users should make sure that the related mitigation devices have been configured.

● Preferences
— Status
Users can control the refresh time of the Status page and the maximum number of most recent ongoing anomalies and alerts displayed.
— Storage
Users can control how long analysis reports and logs are stored.
— Report
Users can set the maximum number of entries displayed in the pre-defined TopN report.
— Notification
Users can configure the settings of the system alert and anomaly event notifications.
— Name Mapping
Users can maintain the built-in name mapping, including services, protocols, ASNs (Autonomous System Numbers) Area, and IP to Area.
— Group
Users can aggregate multiple resource entities as a group, such as a user group, router group, sub-network group, server-farm group, neighbor group, filter group, or MSP customer group.
— Baseline History
The system provides the historical results of dynamic anomaly detection baseline building for all existing Sub-Network, MSP Customer, and Filter entities in the system. Users are allowed to reset the historical detected traffic baseline values to manually exclude improper statistics.


— Offline Report
Users can configure a schedule template, which decides when offline reports are sent out, enable the generation of offline reports for Sub-Network entities, and delete the added offline reports.
— Remote Update
Users can configure the definition update server from which the latest GenieATM system anomaly signature definitions are downloaded.

● Report Rebuild
The system provides a convenient function that allows users to rebuild rule-based Filter reports for a specific time period.

● Status
— Summary
The Summary function presents significant traffic statistics and information in these tabs:
Global: Anomaly Statistics, Ongoing Anomalies, and Most Recent Alerts
MSP Server: Anomaly Statistics and Ongoing Anomalies of MSP Servers
Anomaly: Summary Report
System: System Status, and Cisco Guard Status
The data that users might urgently want to know is gathered together so that users can understand the entire situation at once. The refresh period of this page is determined by the “Status Page Refresh Period” setting in the Preferences/Status function. The configurable values are from 1 minute to 10 minutes.
Resources: displays the number of configured resources and the maximum number that the system supports.
— Anomaly Console
The system presents the variety of anomaly events detected, provides summary and detailed traffic characteristics of detected anomaly events, and can generate appropriate ACL (Access Control List) commands as suggestions for network operators.
— Log
Alert Log: When there is any significant status change or failure, the system sends a notification to users according to the configuration, and records all alerts issued and recovered.
Mitigation Log: The system records the logs of the mitigation actions.
Login Log: The system records the users who log in to the system.

● Report
— Internet
The system provides various built-in reports for traffic analysis between the Internet and Home Network.
— Neighbor
The system provides various built-in reports for traffic analysis of Neighbor ASes (Autonomous Systems).
— Backbone
The system provides various built-in reports for Backbone traffic analysis.
— Router
The system provides various built-in reports for the traffic analysis of each router configured in the system.
— Interface
The system provides various built-in reports for the traffic analysis of each interface on the routers configured in the system.
— Sub-Network
The system provides various built-in reports for traffic analysis within a sub-network itself, between a sub-network and other sub-networks, and through each Neighbor AS to/from a specific sub-network.
— Server
The system provides reports on traffic within Server farms, between one server farm and another, and through sub-networks, Neighbors, and Areas.


— Rule-based Report
The system provides traffic analysis reports for the rule-based Filters that are configured in the system according to users’ definitions. There are two types of analysis reports for Filter traffic: Summary Report and TopN Report.

● MSP Customer
— Anomaly Console
Provides anomaly statistics and ongoing anomaly reports for MSP customers.
— Report
Provides various traffic reports for MSP customers, including the traffic report, boundary traffic report, top talker report, attribute report, TopN report, and so on.

● Anomaly Activities
— Dark IP
The system provides various built-in dark IP traffic analysis reports, such as overall dark IP traffic, traffic of each infected host, traffic of each victim host, traffic into/out of each interface, and traffic into/out of each SUB-NETWORK entity.
— Worm
The system provides various built-in application anomaly traffic analysis reports, such as overall application anomaly traffic, traffic of each infected host, traffic into/out of each interface, and traffic into/out of each SUB-NETWORK entity.

● Snapshot
Users can define the analysis scope, analysis criteria, aggregation method, and the number of values for TOP N sorting. The system provides two kinds of data sources for analysis: cache and rawdata files. The rawdata source makes it possible to analyze a specific time period in the past.
Analysis Scope: Users can specify a network entity configured in the system as the analysis scope of the inspected traffic.
Analysis Criteria: Users can define the range of analysis with criteria. The system ignores flows outside the range during analysis.
Aggregation Method: Users can define up to three aggregation keys to generate the snapshot report. The selectable keys include source or destination IP address, Source or Destination protocol/port, Application on Source or Destination, TCP Flag, TOS Value, Protocol, Input or Output Interface, Router, etc.
Detect the Distributed Denial of Service: The system is capable of analyzing traffic flow in real time. When an attack flood occurs, the system can accurately trace the source. Even when the router or switch fails after the attack, the system can still analyze the last output data to trace the source of the attack.
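The Snapshot workflow described above (analysis scope, analysis criteria, up to three aggregation keys, Top N sorting), sketched in Python as an added example; it is not GenieATM code. The flow-record field names, the `snapshot` function and the sample flows are assumptions constructed for illustration.

```python
"""Snapshot-style Top N flow analysis (added illustration, not GenieATM code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_KEYS = 3  # the manual allows up to three aggregation keys

# Constructed sample flow records; addresses are documentation ranges.
# Field names are assumptions for this example, not an export format.
FLOWS = [
    {"src": "198.51.100.10", "dst": "203.0.113.5", "proto": 17, "dport": 53,
     "router": "r1", "bytes": 40000, "packets": 500},
    {"src": "198.51.100.11", "dst": "203.0.113.5", "proto": 17, "dport": 53,
     "router": "r1", "bytes": 38000, "packets": 480},
    {"src": "198.51.100.12", "dst": "203.0.113.5", "proto": 17, "dport": 53,
     "router": "r2", "bytes": 42000, "packets": 510},
    {"src": "192.0.2.7", "dst": "203.0.113.20", "proto": 6, "dport": 443,
     "router": "r1", "bytes": 9000, "packets": 12},
    {"src": "192.0.2.8", "dst": "203.0.113.21", "proto": 17, "dport": 123,
     "router": "r2", "bytes": 300, "packets": 4},
    {"src": "192.0.2.9", "dst": "198.51.100.99", "proto": 17, "dport": 53,
     "router": "r2", "bytes": 70000, "packets": 90},   # outside the scope
    {"src": "203.0.113.20", "dst": "192.0.2.7", "proto": 6, "dport": 51000,
     "router": "r1", "bytes": 15000, "packets": 20},
]


def in_scope(flow, scope):
    """Analysis scope: keep flows that enter or leave the given prefix."""
    net = ip_network(scope)
    return ip_address(flow["src"]) in net or ip_address(flow["dst"]) in net


def meets_criteria(flow, criteria):
    """Analysis criteria: each listed field must take one of the allowed values."""
    return all(flow[field] in allowed for field, allowed in criteria.items())


def snapshot(flows, scope, criteria, keys, top_n, metric="bytes"):
    """Aggregate in-scope flows by up to MAX_KEYS keys and return the Top N.

    Returns a list of (key_tuple, total) pairs, largest total first; flows
    outside the scope or the criteria are ignored.
    """
    if not 1 <= len(keys) <= MAX_KEYS:
        raise ValueError(f"between 1 and {MAX_KEYS} aggregation keys required")
    totals = defaultdict(int)
    for flow in flows:
        if in_scope(flow, scope) and meets_criteria(flow, criteria):
            totals[tuple(flow[k] for k in keys)] += flow[metric]
    # Sort by descending total; ties are broken by key for stable output.
    ranked = sorted(totals.items(), key=lambda item: (-item[1], item[0]))
    return ranked[:top_n]


if __name__ == "__main__":
    scope = "203.0.113.0/24"
    # Which UDP destinations inside the scope receive the most bytes?
    for key, total in snapshot(FLOWS, scope, {"proto": {17}}, ("dst", "dport"), 2):
        print("top destination", key, total)
    # Drill down: which sources and routers carry traffic to that destination?
    for key, total in snapshot(FLOWS, scope, {"dst": {"203.0.113.5"}},
                               ("src", "router"), 3):
        print("source", key, total)
```

Changing the aggregation keys from destination to source and router, as in the second query, is the drill-down an operator would use to trace where a flood toward one host enters the network.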

● Mitigation
The Mitigation menu (on the Main Menu tree) provides mitigation methods with which users can execute mitigation actions to protect their network resources or filter anomaly traffic.
— Blackhole
The system uses limited BGP announcements to steer anomaly traffic to a configured honey pot or blackhole device. Before adding any blackhole mitigation action, the required configuration should be done in the System Admin / Mitigation / Blackhole function.
— Hardware Mitigation
The system integrates with a traffic-cleaning device (such as Guard, Eudemon, etc.) to wash out attack traffic and forward clean traffic back to its original destination. Before adding any hardware mitigation action, the required configuration should be done in the System Admin / Mitigation / Device function.


2.3 System Login/Logout

The system uses web-based operation and configuration interfaces, so users can configure all system functions and view system reports over the Internet. This section shows users how to log in to and log out of the system.

2.3.1 Login the system

1. Run the browser and enter the URL http://xxx.xxx.xxx.xxx/ or https://xxx.xxx.xxx.xxx/ to open the system login window (as presented in Figure 2.3.1-1).

Note
1. xxx.xxx.xxx.xxx refers to the IP address of the Controller.
2. Secure web access (https) to GenieATM is available only after you enable it in the CLI interface of the Controller. Please refer to Appendix (C) – Installing SSL in Controller for Secure Web access for how to enable https.
3. Both https and http are supported after https is enabled in GenieATM.

Figure 2.3.1-1 System Login Window

2. Enter the username and password, and then click on the button to enter the default system operation window (as presented in Figure 2.3.1-2).

Note
The default username/password to log in to this system is admin/admin.


Figure 2.3.1-2 Default System Operation Window 3. If a Login/Logout Alert Message window appears (as presented in Figure 2.3.1-3), it means that one of the following conditions occurs. First, the user who login this system with this ID/password did not properly logout the system. Second, another online user already login to this system with the same ID/password and is still online without logout the system. In this case, you may select Kick the user out and force into system to login the system or click on Closed to exit. The system will check the connection status of the ID and password when someone logins the system. If the user clicks on Kick the user out and force into system while another user is online, the system will remove the connection of the existing user.

Figure 2.3.1-3 Login/Logout Alert Message Window

2.3.2 Logging out of the system

Click on the button at the top right corner of the window to log out of GenieATM (as presented in Figure 2.3.1-2).


3 System Admin Function

The System Admin menu is designed for the system management of GenieATM. System management includes managing user accounts, specifying devices, configuring the related system settings, preferences, and essential mitigation elements, and defining the various network boundaries, factors and filters used for rule-based reports, anomaly-monitored objects and anomaly signatures. When users click on the unfolding mark of System Admin, all sub menus unfold: User, Device, Network, Configuration, Mitigation, Preferences, and Report Rebuild.

Note Only administrators can operate all functions of System Admin. Users without administrator authority can access only limited functions. Please refer to the User section for details.

3.1 User

The User menu allows users to manage local user accounts, to specify the privilege group for a login account, to forcibly terminate the login sessions of online users, and to enable the remote authentication function. GenieATM supports remote authentication for user accounts that are not registered in the GenieATM system. To avoid confusion, the user accounts registered in the system are called local user accounts.

After clicking the User menu on the Sub Menu tree of System Admin at the left side of the screen, users enter the Local User Account window (the default window) and see the sub-menu tabs Local User Account, Privilege Template, Online User, and Remote Authentication at the top of the screen (see Figure 3.1.1-1). The following sections (Local User Account, Privilege Template, Online User, and Remote Authentication) introduce how to manage local user accounts, how to specify a privilege template, how to terminate the login session of an online user, and how to enable Radius-server remote authentication.

Note Only a user with the “administrator” privilege can access all sub-functions of the User menu. Sub-Network users and “defined by template” users (superuser and user for viewing only) cannot access any of them.

3.1.1 Local User Account

Users can manage local user accounts (add, edit, delete, or view a local user) and assign users different authorities for system management and security control. They can also check the current status of each account in the Local User Management window.

Click on the User menu to enter the Local User Management window (as presented in Figure 3.1.1-1). Users can use the sorting symbols in the column headers to sort the view list; “ ” is ascending and “ ” is descending.


Figure 3.1.1-1 System Admin / User / Local User Account Management Window

To add a new local user account

Users can create new local user accounts, which can then be used to log in to the GenieATM system through the web interface. Click on the “ Add ” button to enter the action window and start the input (as presented in Figure 3.1.1-2).

Figure 3.1.1-2 System Admin / User / Local User Account -- Add Local User Account Window

1. Enter user information in all fields. (The asterisk "*" indicates a mandatory field.)

• User ID: Account name used to log in to GenieATM. It is a mandatory field. All characters are accepted except space and special characters. The number of characters must be between 2 and 40.
• First Name: All characters are accepted except space and special characters. The number of characters must be between 1 and 80.
• Last Name: All characters are accepted except space and special characters. The number of characters must be between 1 and 80.
• Password: It is a mandatory field. The password must be at least 4 and at most 40 characters long, with no space inside. Be aware that the password is case sensitive.
• Confirm Password: Re-type the password and make sure it is exactly the same as the one typed previously.
• Phone: Enter the contact phone number. Only numerical characters and the dash (“-”) are accepted.
• Email: It is a mandatory field. Enter the address in standard e-mail format, with no space inside.
• Privilege: The administrator may assign different authority to different user accounts with the following types of roles. A Sub-Network entity must be specified if the Sub-Network user role is assigned.
  (I) administrator: Users have the highest authority and can use all system functions.
  (II) Sub-Network user: An account with the sub-network privilege can only view the reports of the specified sub-network, which can be selected from the drop-down list or with the Browse button. In addition, administrators can define the authority of each sub-network account by using the Privilege Template.
  (III) defined by template: Administrators can define the specific authority of the account by using the Privilege Template, allowing it to operate part of the system’s functions.
  Note The built-in account, admin (default password: admin), belongs to the default privilege template, Administrator, which can operate all system functions.
• Privilege template: If the “Privilege” type of the account is “Sub-Network user” or “defined by template”, a privilege template should be assigned to that account. The system lists all defined templates, including the system default privilege templates and user-defined ones, in the drop-down list for users to select. In addition, users can define a new template by clicking on the Define button, or by specifying it in the Privilege Template tab of the System Admin/User function. For the configuration steps, please refer to the section Privilege Template in the System Admin/User function.
  Note There are two default privilege templates, “superuser” and “user for viewing only”.
  (a) superuser: Users can access most functions except some in the System Admin menu (including: User, Controller, Collector, Flow Load Balancers, Mitigation and Status, Storage, Report, Name Mapping and Remote Update of “Preferences”).
  (b) user for viewing only: Users can only read the reports. They are not allowed to use the Mitigation and System Admin functions.
• Language: GenieATM offers the following language options: English, Traditional Chinese, Simplified Chinese and Japanese. Users may choose the one they are proficient in as their system language.
• Status: There are two account statuses, Active and Inactive. This item controls activating and inactivating accounts.
• Remark: Enter additional information for the user account. At most 64 characters are allowed.
• User Group (Optional): Assign this user account to a user group if necessary. Once the user account is assigned to a user group, any email notifications associated with this user group will be sent to this user. GenieATM does not perform any error check or restriction here for user accounts with different privileges. In other words, a user account can be added to any user group without a privilege check. Click on the “” or “Remove All” button to remove the added user groups from the text box.

2. Click on the “ Submit ” button to complete the configuration.

To edit a local user account

Users can modify the contents and authority of a local user to facilitate the maintenance of a local user account.

Figure 3.1.1-3 System Admin / User / Local User Account -- Edit Local User Account Window

1. Click on the edit icon “ ” to modify the account information. A page titled Edit Local User Account will be shown.
2. Modify the content or change the role. For the input information of each field, please refer to the section “To add a new local user account”. To change the password, enter the new password in both the “Password” and “Confirm Password” fields.
3. Click on the “ Submit ” button to complete the modification.

To delete a local user account

Users can delete a local user to take this user account out of the system.

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the local user from the system.


To view the profile of a local user account

Users can view the local user account information in detail (see Figure 3.1.1-4). The detailed information includes the user’s ID, first name, last name, phone number, email address, privilege, language, status, remarks, user group, online, last login and last logout.

Figure 3.1.1-4 System Admin / User / Local User Account -- View Local User Account Window

1. Click on a local user ID to enter the View Local User Account window. When you move the cursor to a user account listed in the “User ID” column, the username under the cursor turns blue.
2. Users can also click on the “ View ” button in the “Privilege” row to view which functions are enabled for this account (see Figure 3.1.1-5).
3. Click on the “ Back to List ” button to return to the User management window.

Note If the status of a user account is “Inactive”, users cannot log in to the system with that user ID. However, all information saved under this ID is still preserved in the system. This information is removed from the system only when the Delete command is executed.

Figure 3.1.1-5 System Admin / User / Local User Account -- View Privilege Template of Local User Account Window


3.1.2 Privilege Template

Users can add, edit, delete, or view a privilege template and specify the authorized system functions for each privilege template. Click on the Privilege Template tab to enter the Privilege Template window (as presented in Figure 3.1.2-1).

Figure 3.1.2-1 System Admin / User / Privilege Template Management Window

To add a new privilege template

Users can create new privilege templates, so that administrators can apply these templates to the created local user accounts. Click on the “ Add ” button to enter the Add Privilege Template window and start the input (as presented in Figure 3.1.2-2).

Note The default privilege templates listed in the table are Administrator, Superuser and user for viewing only. Users can click on the “No.” or “Name” to view the authorized system functions. These default privilege templates cannot be edited or deleted.

Figure 3.1.2-2 System Admin / User / Privilege Template -- Add User Privilege Template Window


1. Enter privilege template information in all fields. (The asterisk "*" indicates a mandatory field.)

• Name: Enter a name for the Privilege Template.
• Coverage: Select the coverage of the privilege template, whole network or sub-network.
  Note When the role is set as sub-network user, only the “Anomaly Console”, “Sub-network Reports” and “Snapshot” functions and Profile Management can be assigned in the Authority.
• Remarks: Enter additional information for the Privilege Template. At most 64 characters are allowed.
• Authority: Check the system functions that this role is allowed to execute. Click on the “ ” to expand the function tree and select the sub functions (as presented in Figure 3.1.2-2).

2. Click on the “ Submit ” button to complete the configuration.

To edit a user privilege template

Users can modify the system functions that a privilege template is authorized to operate.

Figure 3.1.2-3 System Admin / User / Privilege Template -- Edit User Privilege Template Window

1. Click on the edit icon “ ” to modify the privilege template information. A page titled Edit User Privilege Template will be shown (as presented in Figure 3.1.2-3).
2. Modify the name or change the authorization of the system functions. For the input information of each field and the setup steps, please refer to the section “To add a new privilege template”.
3. Click on the “ Submit ” button to complete the modification.

Note The user accounts assigned to this privilege template are listed in the Applied table below.


To view a user privilege template

Users can view the privilege template information in detail (see Figure 3.1.2-4). The detailed information includes the name, remarks and the authorized system functions.

Figure 3.1.2-4 System Admin / User / Privilege template -- View User Privilege Template Window

1. Click on a privilege template No. or name to enter the View User Privilege Template window. When you move the cursor to a name listed in the “ID” or “Name” column, the name under the cursor turns blue.
2. Click on the “ Back to List ” button to return to the User Privilege Template window.

3.1.3 Online User

Click on the Online User tab to enter the Online User management window (see Figure 3.1.3-1). With this function, users can view all online users at once and terminate their login sessions. By default, online users are listed in descending order of login time. Users can also sort the online users by user ID or logout IP, in either ascending or descending order, by clicking on “ ” or “ ”.

Figure 3.1.3-1 System Admin / User / Online User Management Window

Terminating a Login Session

1. Click on the radio button in front of the online user whose session you want to terminate. The only online user you cannot terminate is yourself, so there is no radio button in front of your own User ID row.
2. Click on the “ Kick out ” button after you have selected an online user.


3.1.4 Remote Authentication

So far, GenieATM supports remote authentication only through a Radius server. Users logging on to the Web UI via Radius authentication may be assigned the “administrator”, “Sub-Network user”, or “defined by template” authority, without a user group. Once a remote user has successfully logged on to the system via Radius authentication, some attributes are carried with this user, such as “Privilege”, “Language”, and “Sub-Network ID” (if the assigned privilege is “Sub-Network user”). For the detailed configuration of the Radius server, please refer to Appendix (E) – Dictionary of IETF Radius Client Attributes Supported by GenieATM. Click on the Remote Authentication tab to enter the Remote Authentication management window (see Figure 3.1.4-1).

Figure 3.1.4-1 System Admin / User / Remote Authentication Management Window

Enabling the Radius Authentication

1. Click on the “ Edit ” button at the right side of the Radius Server block area; a management window will pop up (see Figure 3.1.4-2).
2. Select “Enable” from the Radius Authentication drop-down list to enable this function.
3. Enter the primary IP address of the Radius server in the Primary IP Address field. This configuration is mandatory to enable the Radius authentication function. The input format is “xxx.xxx.xxx.xxx”.
4. Enter the secondary IP address of the Radius server in the Secondary IP Address field. This configuration is optional. The input format is “xxx.xxx.xxx.xxx”.
5. Enter a printable ASCII string in the Secret field. This configuration is mandatory. At least 1 and up to 80 characters should be entered.
6. Enter the authentication port number in the Authentication Port Number field. This configuration is mandatory and its default value is 1812.
7. Click on the “ Submit ” button to complete the modification.

Figure 3.1.4-2 System Admin / User / Remote Authentication / Edit – Remote Authentication Window (Radius Server)


3.2 Device

The sub menus under the Device menu appear when users click on the unfolding mark of Device. These sub menus include Controller, Collector, MSP Server, and Flow Load Balancers. The Device menu mainly provides configuration interfaces for device attributes. Please refer to the following sections for detailed information.

Note
1. Only a user assigned to the privilege template, administrator, can access the Device menu.
2. The MSP Server tab is not shown when the system does not support the MSP module (value-added service).

3.2.1 Controller

The Controller menu mainly provides information about the Controller. After clicking on the Controller menu on the Sub Menu tree of System Admin/Device at the left side of the screen, a page titled Controller Management shows the detailed information about the Controller (see Figure 3.2.1-1). Users can edit the Controller’s name, community string, and remark information manually. The CLI configuration information displayed is retrieved through the SNMP protocol from the SNMP agent of the Controller.

Figure 3.2.1-1 System Admin / Controller Management Window

• Name: This name is only for identification purposes. (It is not relevant to the CLI command.) The default name is “Controller”. The number of characters must be between 1 and 40. You may modify it as you prefer.
• Re-type Community String Configured in CLI: The password used to connect with the Controller. The default value is “genie”. The number of characters must be between 1 and 40.
• CLI Configuration: The information about the Controller retrieved through the SNMP protocol, including Controller ID, Model Number, and Operation Status.
• Remarks: Additional information for the Controller. At most 400 characters are allowed.


To edit the Controller’s information

Users can modify the Controller’s name, update the community string, and edit the remark information. Click on the “ Edit ” button to enter the Edit Controller window (see Figure 3.2.1-2).

Figure 3.2.1-2 System Admin / Controller -- Edit Controller Window

(Please refer to the previous section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)

1. Enter a new Controller name if desired.
2. Enter the read-only community string that you configured in CLI. If you have changed the community string, re-type the same string here. Please note that retrieving the SNMP information will fail if the read-only community string you provide is not correct. The number of characters must be between 1 and 40.
3. Enter additional information in the Remarks field if necessary. At most 400 characters are allowed.
4. Click on the “ Submit ” button to complete the modification.


3.2.2 Collector

The Collector menu allows users to manage the Collectors under the system. After clicking on the Collector menu on the sub menu tree of System Admin/Device at the left side of the screen, the Collector Management window is presented and displays all the Collectors controlled by the Controller (as presented in Figure 3.2.2-1). The most recently configured Collector is displayed in the first row of the list. The message next to the “ Add ” button shows the latest version of the dispatched Network configuration, which makes it convenient to compare with the current version of each Collector.

Note
• Only a user assigned to the privilege template, administrator, can access the Collector menu.
• There is a built-in Collector in the Controller, called Collector1. It is displayed in the last row of the view list.

Figure 3.2.2-1 System Admin / Collector Management Window

To add a new Collector

Users should add (register) new Collectors in the Web UI Management System after they have finished the hardware installation and setup of the Collectors. The added Collectors come under the control of the Controller after registration. After clicking on the “ Add ” button located at the top of the Collector view list, a page titled Add New Collector is shown on the screen (see Figure 3.2.2-2).

Figure 3.2.2-2 System Admin / Collector -- Add New Collector Window


1. Enter Collector information in all fields. (The asterisk "*" indicates a mandatory field.)

• Collector Name: The Collector name defined here makes it easy to identify multiple Collectors controlled by the same Controller. You can give the new Collector a meaningful name. Only the First Collector (the one built into the Controller) has the default name “Collector1”; the others are “Collector”. The number of characters must be between 1 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
• SNMP IP Address: The IP address of the SNMP agent used to get the Collector’s information. Every Collector has its own built-in SNMP agent, so enter the IP address set up at the Collector. The input format is “xxx.xxx.xxx.xxx”.
  Note Only the First Collector (the one built into the Controller) has a default SNMP IP address, “127.0.0.1”, which is the IP address of the local host itself, here namely the Controller. Newly added Collectors do not have a default SNMP IP address.
• Read Community String: The password used to connect with the Collector. The default value is “genie”. If you have changed the community string in CLI, enter the same string here. Please note that retrieving the Collector’s information will fail if the read-only community string you provide is not correct. The number of characters must be between 1 and 40.
• SNMP Version: The current SNMP version.
• CLI Configuration: The information about the Collector retrieved through the SNMP protocol, including Collector ID, Model Number, Admin Status, Operation Status, and Configuration Version. Click on the “ SNMP WALK >> ” button to get the current information of the Collector. All the latest configurations will be firstly displayed in the SNMPWALK Information block area on the right side; users have to click on “ > ” button.

If the “Configuration Version” displayed is not the same as the latest dispatched configuration version, you can synchronize it by clicking on the “ Synchronize Network Configuration ” button.
5. Enter additional information in the Remarks field if necessary.
6. Click on the “ Submit ” button to complete the modification.

To delete a Collector

Users can delete any Collector from the system except the First Collector built into the Controller.

1. Click on the delete icon “ ”. A Delete page with the detailed configuration will be shown. Note that if the Collector you are deleting is applied to any configurations, the system will not allow you to delete it and the “ Submit ” button will be unavailable. You have to change the applied configurations to another Collector before you delete this Collector.
2. Click on the “ Submit ” button to remove the Collector from the system.

To view the profile of a Collector

Users can view the Collector information in detail. The detailed information includes the Collector’s name, SNMP IP address, community string, remarks, controlled routers (exporters), and CLI configurations, including the Collector’s ID, model number, operation status, and configuration version (see Figure 3.2.2-4).

Figure 3.2.2-4 System Admin / Collector -- View Collector Window

1. Click on a Collector ID/name to enter the View Collector window. When you move the cursor to an ID/name listed in the “ID”/“Name” column, the ID/name under the cursor turns blue.
2. Click on the “ Back to List ” button to return to the Collector Management window.


3.2.3 MSP Server

The MSP Server menu allows users to manage the MSP Servers (GenieATM 6110 devices) under the system. After clicking on the MSP Server menu on the Sub Menu tree of System Admin/Device at the left side of the screen, the MSP Server Management window is presented and all the MSP Servers controlled by the Controller are displayed (see Figure 3.2.3-1). The MSP Server can generate customers’ reports and provides a portal site where end users can view their own reports.

Note This function is not shown when the system does not support the MSP module (value-added service).

Figure 3.2.3-1 System Admin/Device/MSP Server -- the MSP Collector Management window

To add a new MSP Server

Users can add new MSP Servers in the Web UI Management System after they have finished the hardware installation and setup of the MSP Servers. The added MSP Servers come under the control of the Controller after registration. After clicking on the “ Add ” button located at the top of the MSP Server view list, a page titled Add New MSP Server is shown on the screen (see Figure 3.2.3-2).

1. Enter MSP Server information in all fields. (The asterisk "*" indicates a mandatory field.)

• Name: The MSP Server name defined here makes it easy to identify multiple MSP Servers controlled by the same Controller. You can give the new MSP Server a meaningful name. All characters are accepted except space and special characters (!@#$%^&?”’...).
• SNMP IP Address: The IP address of the SNMP agent used to get the MSP Server’s information. Every MSP Server has its own built-in SNMP agent, so enter the IP address set up at the MSP Server. The input format is “xxx.xxx.xxx.xxx”.
• Re-type Community String Configured in CLI: Enter the password used to connect with the MSP Server. The default value is “genie”. If you have changed the community string in CLI, enter the same string here. Please note that retrieving the MSP Server’s information will fail if the read-only community string you provide is not correct. The number of characters must be between 1 and 40.
• SNMP Version: The current SNMP version.
• CLI Configuration: The information about the MSP Server retrieved through the SNMP protocol, including Collector ID, Model Number, Admin Status, Operation Status, and Configuration Version. Click on the “ SNMP WALK >> ” button to get the current information of the MSP Server. All the latest configurations will be firstly displayed in the SNMPWALK Information block area on the right side; users have to click on “ > ” button to get the current information of the Flow Load Balancer.
All the latest configurations will be firstly displayed in the SNMPWALK Information block area on the right side; users have to click on “ > button. For details, please refer to the following description.

• Flow Dispatching: This setting lets users specify the load balance policy applied to the selected collectors. The available collectors are listed in the Collector table.

  Load Balance Policy: There are three types of Load Balance Policy that users can specify: Round-Robin, Model-based Round-Robin and Weighted Round-Robin. The factory default is Model-based Round-Robin.
  — When Round-Robin is specified, the weights of the selected collectors are equal.
  — When Model-based Round-Robin is selected, the weight is assigned by the system according to the model number of the selected collectors (see footnote 1).
  — When Weighted Round-Robin is set, users can manually specify the weighted value of each selected collector. Note that the total weighted value of the flow policy is 100% in the Weighted Round-Robin policy.

1 The Weight assigned by GenieATM is according to the model number of GenieATM Collector.

Model   Flows/s
6105    10K f/s
6123    20K f/s
6125    30K f/s
6133    20K f/s
6135    30K f/s
6165    50K f/s
6167    70K f/s
6169    90K f/s
6323    20K f/s
6325    30K f/s
6333    20K f/s
6335    30K f/s
6365    50K f/s
6367    70K f/s
6369    90K f/s


Note The system will automatically relay traffic to other FLB devices when one of the FLB devices is down.

  Collector: Click on the check box in the Assigned row of a listed collector to add that collector to the Load Balance Policy. If the load balance policy is set to “Weighted Round-Robin”, users have to specify the percentage of flows dispatched to it.

• Collector BGP Configuration: Select the BGP connection setting for the FLB. The factory default is disabled. This parameter lets users select “FLB BGP Module” as the reference for the parameter “Use BGP Table of Another Router” in the BGP Lookup configuration of the System Admin/Router/Router function. If users set it to enable, the following parameters have to be defined.
  — BGP MD5 Secret: Enter the string. The number of characters must be between 0 and 40.
  — Remote AS Number: Enter the AS number of the BGP router with which the FLB’s BGP module establishes the BGP connection.
  — Local AS Number: Enter the AS number of the FLB used to establish the BGP connection with the BGP router.
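The three Load Balance Policy settings described above can be compared before they are applied. The following is an added example, not GenieATM code: it assumes that Model-based Round-Robin weights are proportional to the Flows/s rating in the model table (the manual does not give the formula), and it uses a smooth weighted round-robin dispatcher as a stand-in for the FLB scheduler, which the manual does not describe. The collector names and the export rate are constructed.

```python
# Rated capacity per Collector model, in thousands of flows/s, from the model table above
MODEL_KFLOWS = {
    "6105": 10, "6123": 20, "6125": 30, "6133": 20, "6135": 30,
    "6165": 50, "6167": 70, "6169": 90, "6323": 20, "6325": 30,
    "6333": 20, "6335": 30, "6365": 50, "6367": 70, "6369": 90,
}


def policy_weights(policy, collectors, percentages=None):
    """Return {collector name: weight}; collectors maps a name to its model number."""
    if policy == "round-robin":
        return {name: 1 for name in collectors}
    if policy == "model-based":
        # Assumption: weight proportional to the model's rated flows/s
        return {name: MODEL_KFLOWS[model] for name, model in collectors.items()}
    if policy == "weighted":
        if percentages is None or set(percentages) != set(collectors):
            raise ValueError("a percentage is required for every selected collector")
        if sum(percentages.values()) != 100:
            raise ValueError("Weighted Round-Robin percentages must total 100")
        return dict(percentages)
    raise ValueError(f"unknown policy {policy!r}")


def dispatch(weights, n_flows):
    """Smooth weighted round-robin: return the collector chosen for each flow."""
    current = {name: 0 for name in weights}
    total = sum(weights.values())
    chosen = []
    for _ in range(n_flows):
        for name, weight in weights.items():
            current[name] += weight
        pick = max(current, key=current.get)  # ties go to the first collector listed
        current[pick] -= total
        chosen.append(pick)
    return chosen


def offered_load(weights, total_kflows):
    """Thousands of flows/s each collector receives for a given total export rate."""
    total = sum(weights.values())
    return {name: total_kflows * w / total for name, w in weights.items()}


def overloaded(collectors, weights, total_kflows):
    """Names of collectors whose offered load exceeds their model's rating."""
    load = offered_load(weights, total_kflows)
    return sorted(n for n, model in collectors.items() if load[n] > MODEL_KFLOWS[model])


if __name__ == "__main__":
    # Constructed deployment: one small and one large Collector, 60K flows/s exported
    collectors = {"collector-a": "6105", "collector-b": "6169"}
    for policy in ("round-robin", "model-based"):
        weights = policy_weights(policy, collectors)
        print(policy, offered_load(weights, 60), "overloaded:",
              overloaded(collectors, weights, 60))
```

With mixed models, plain Round-Robin sends the small Collector more flows than its rating while Model-based Round-Robin keeps both within theirs, under the proportional-weight assumption stated above.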

To edit a flow load balancer

Click on the “ ” icon to enter the Edit Flow Load Balancers window (see Figure 3.2.4-3).

Figure 3.2.4-3 System Admin / Flow Load Balancers / Edit Flow Load Balancers Window

(Please refer to the previous “To add a flow load balancer” section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)

1. Provide new information in the fields that you want to modify.
2. Click on the “ Submit ” button to complete the modification.


To delete a flow load balancer

1. Click on the Delete icon “ ”. A Delete page with the detailed configuration will be shown.
2. Click on the “ Submit ” button to remove the configuration from the system.

To view the profile of a flow load balancer

The detailed information of the flow load balancer is displayed (see Figure 3.2.4-4).

Figure 3.2.4-4 System Admin / Flow Load Balancers / View Flow Load Balancers Window

1. Click on a No./Name to enter the View Flow Load Balancer window. When you move the cursor to a No./Name listed in the “No.” or “Name” column, the No./Name under the cursor turns blue. The Applied block area shows the information of the Flow Load Balancer.
2. Click on the “ Back to List ” button to return to the Flow Load Balancer management window.


3.3 Network

A string of sub menus under the Network menu appears when users click on the unfolding mark of Network. These sub menus include Home Network, Dark IP, Router, Internet Boundary, Backbone Links, Neighbor, Sub-Network, Server, MSP Customer, Filter, Application, Anomaly, and Template. The Network menu mainly provides configuration interfaces for network attributes, with which users build their own network traffic modeling and anomaly detection environment. Through the Network menu, users can also establish user-defined traffic analysis reports that meet needs not covered by the pre-defined network modeling reports.

Note
• Only a user with the authority of “administrator” or defined by privilege, superuser, can access the Network menu.

3.3.1 Home Network

The Home Network menu provides two main configuration functions. One is to define the Home Network area and the other is to define the router-based anomaly traffic detection prefix scopes. After clicking on the Home Network menu on the Sub Menu tree of System Admin/Network at the left side of the screen, the Home Network management window (the default window) is shown. Users can see the sub-menu tabs, Home Network and ATD White List, at the top of the screen (see Figure 3.3.1-1).

Figure 3.3.1-1 System Admin / Network / Home Network / Home Network Management Window

3.3.1.1 Home Network

The Home Network sub-menu tab specifies the local network area by IP address prefixes and AS numbers. All network areas directly controlled by users belong to the local network area, namely the “Home Network”. After clicking on the Home Network menu on the Sub Menu tree of Network at the left side of the screen, a page titled Home Network is shown (see Figure 3.3.1-1 above). Specifying all IP addresses and AS numbers of the Home Network is an essential procedure.

To specify Home Network IP addresses
1. Click on the “Edit” button at the bottom of the IP Address Prefix column; a management window will pop up. (See Figure 3.3.1-2)
2. Enter all local IP addresses of your home network in CIDR format in the IP Addresses list box. You can enter one IP address prefix per line (use the Enter key to create different lines) or separate multiple prefixes with commas. Please note that overlaps between the prefixes are not allowed.
   Note: The maximum number of prefixes of “Home” can be up to 128.
3. Click on the “Submit” button to complete the configuration.

Figure 3.3.1-2 System Admin / Network / Home Network / Home Network – Edit Local IP Address Window

To specify Home Network AS numbers
1. Click on the “Edit” button at the bottom of the ASN List column; a management window will pop up. (See Figure 3.3.1-3)
2. Enter all your AS numbers. You can enter one AS number per line (use the Enter key to create lines) or separate multiple ASNs with commas. The maximum number of AS can be up to 300.
3. Click on the “Submit” button to complete the configuration.

Figure 3.3.1-3 System Admin / Network / Home Network / Home Network – Edit Local AS Number Window

3.3.1.2 ATD White List

All IP prefixes/addresses specified in the white list will not be ignored when the system performs the Protocol-Misuse and Application Anomalies anomaly detection. Click on the ATD White List sub-menu tab to enter the management window. (See Figure 3.3.1-4)

Figure 3.3.1-4 System Admin / Network / Home Network / ATD White List Management Window

To specify ATD White List
Refer to the following steps to specify the ATD White List.
1. Click on the “Edit” button at the bottom of the IP Address Prefix column; a management window will pop up. (See Figure 3.3.1-5)
2. Enter all local IP addresses of your home network in CIDR format in the IP Addresses list box. You can enter one IP address prefix per line (use the Enter key to create different lines) or separate multiple prefixes with commas. Please note that overlaps between the prefixes are not allowed. The adopted matching logic is sequential match.
3. Click on the “Submit” button to complete the configuration.

Figure 3.3.1-5 System Admin / Network / Home Network – Edit ATD White List Window

3.3.2 Dark IP

The Dark IP menu allows users to specify dark IP addresses and non-dark IP addresses. As long as an IP address matches any entered IP address defined as dark IP or non-dark IP, the system will consider it as dark IP or non-dark IP. The adopted matching logic is longest match. Once any dark IP is detected, it will be counted for threshold violation checking. After clicking on the Dark IP menu displayed on the Sub Menu tree of System Admin / Network at the left side of the screen, a page with the Dark IP title will be shown (See Figure 3.3.2-1).

Figure 3.3.2-1 System Admin / Network / Dark IP Management Window

To specify Dark IP and/or Non-Dark IP addresses
1. Click on the “Edit” button at the bottom of the columns; a management window will pop up (See Figure 3.3.2-2).
2. Enter the dark IP addresses in CIDR format in the Dark IP list box. You can enter one IP address prefix per line (use the Enter key to create different lines) or separate multiple prefixes with commas.
3. Enter the non-dark IP addresses in the Not Dark IP list box. For private IP addresses that are allocated and used in your networks, you may need the system not to identify them as dark IP. You can enter one IP address prefix per line (use the Enter key to create lines) or separate multiple prefixes with commas.
   Note: The maximum number of prefixes of “Dark IP plus Not Dark IP” is up to 128.
4. Click on the “Submit” button to complete the configuration.

Figure 3.3.2-2 System Admin / Network / Dark IP -- Edit Dark IP & Non-Dark IP Addresses Window
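The input rules for the Home Network prefix list (CIDR format, one per line or comma-separated, no overlaps, at most 128) and the longest-match rule for Dark IP can be checked offline before a list is pasted into the Web UI. The following Python sketch is an added example, not GenieATM code: the function names are hypothetical, and treating the longest match as taken across both the Dark IP and Not Dark IP lists, and allowing nested prefixes there, are assumptions.

```python
import ipaddress
import re

MAX_PREFIXES = 128  # limit stated for "Home" and for "Dark IP plus Not Dark IP"


def parse_prefix_list(text, allow_overlap=False, limit=MAX_PREFIXES):
    """Parse a list-box value: one CIDR prefix per line, or comma-separated."""
    items = [t.strip() for t in re.split(r"[,\n]", text) if t.strip()]
    if len(items) > limit:
        raise ValueError(f"{len(items)} prefixes entered, limit is {limit}")
    nets = []
    for item in items:
        # strict=True rejects entries with host bits set, such as 10.1.2.3/8.
        net = ipaddress.ip_network(item, strict=True)
        if not allow_overlap:
            for seen in nets:
                if net.version == seen.version and net.overlaps(seen):
                    raise ValueError(f"{net} overlaps {seen}")
        nets.append(net)
    return nets


def prefix_list_error(text, **kwargs):
    """Return the rejection reason for a list-box value, or None if accepted."""
    try:
        parse_prefix_list(text, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def load_dark_ip(dark_text, not_dark_text):
    """Parse both Dark IP boxes; the 128-prefix limit applies to their sum."""
    # Assumption: nesting is allowed here, since longest match resolves it.
    dark = parse_prefix_list(dark_text, allow_overlap=True)
    not_dark = parse_prefix_list(not_dark_text, allow_overlap=True)
    if len(dark) + len(not_dark) > MAX_PREFIXES:
        raise ValueError("Dark IP plus Not Dark IP exceeds 128 prefixes")
    return dark, not_dark


def classify_dark(ip, dark, not_dark):
    """Longest-prefix match over both lists: 'dark', 'not-dark' or None."""
    addr = ipaddress.ip_address(ip)
    best = None  # (prefix length, label) of the most specific match so far
    for label, nets in (("dark", dark), ("not-dark", not_dark)):
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, label)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    print(prefix_list_error("192.0.2.0/24\n198.51.100.0/24"))
    print(prefix_list_error("10.0.0.0/8, 10.1.0.0/16"))
    dark, not_dark = load_dark_ip("10.0.0.0/8, 172.16.0.0/12", "10.20.0.0/16")
    for ip in ("10.20.3.4", "10.9.9.9", "192.0.2.1"):
        print(ip, classify_dark(ip, dark, not_dark))
```

A private range that is actually in use (here the constructed 10.20.0.0/16) wins over the enclosing dark 10.0.0.0/8 because it is the more specific prefix.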

3.3.3 Router

The Router menu allows users to add routers to the system for monitoring. This function provides the configuration parameters for the router and for the interfaces on the router. Users can add both routers and interfaces to the system configuration. In addition, the “Recomm. to Add/Edit” sub-menu tab lets users add or edit interfaces that are unspecified or updated, and the “Recomm. to Remove” sub-menu tab lists interfaces that the system recommends users delete. After clicking on the Router menu displayed on the Sub Menu tree of System Admin / Network at the left side of the screen, the Router management window (the default window) will be shown. Users can see the sub-menu tabs, Router, Interface, Recomm. to Add/Edit and Recomm. to Remove, appearing at the top of the screen. (See Figure 3.3.3-1)

Figure 3.3.3-1 System Admin / Network / Router / Router Management Window

3.3.3.1 Router

Once you click on the Router menu, you will directly enter the Router management window. The most recently added router will be displayed in the first row of the list. The following sections introduce how to add, edit, and delete a router, and how to view the profile of a router.

To add a router
Click on the “Add” button at the top of the Router view list to enter the Add Router window. (See Figure 3.3.3-2)

Figure 3.3.3-2 System Admin / Network / Router / Router -- Add Router Window

1. Provide router information in the following fields. (The asterisk "*" indicates a mandatory field.)

Basic Information
• Name: Give a name for this router. (It is only for the purpose of identification.) The number of characters entered must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
• SNMP IP Address: The IP address of the SNMP agent used to get the router’s information. Please enter the IP address that is set up at the router. The input format is “xxx.xxx.xxx.xxx”.
• Read Community String: The password to connect with the router. Enter the router’s SNMP read community string. Please note that the system will fail to get the router’s information if the read-only community string you provided is not correct. The number of characters entered must be between 1 and 40.
• SNMP Version: Select the SNMP version used to contact the router. Note that this item is available only if the SNMP IP address and its community string are provided. After you select the version, click on the “SNMP WALK >>” button to get the current router’s information. The results of the SNMP query will be displayed in a yellow block at the upper-right side of the screen, including the router’s system description, name, contact, location, and total memory. You have to manually enter a correct value for the total memory (unit is megabyte) if there is no query result.
• Time Out of SNMP Polling: Select a time from the drop-down list. Users are allowed to manually configure the waiting time for each SNMP polling request. Available selections are 3, 4, 5, ... to 15 (seconds) and the default value is “5” seconds.
• Retries of SNMP Polling: Select a preferred setting from the drop-down list. Users can also configure how many times SNMP polling is retried. When the collector does not get an SNMP polling response from a router within the configured time out, the system will send an SNMP polling request again. Available selections are 1, 2, and 3 (times) and the default value is “2” times.
• Anomaly Traffic Detection: Select “Enabled” or “Disabled” from the drop-down list. The factory default is enabled.
• Rawdata: Select “Enabled” or “Disabled” from the drop-down list. The factory default is enabled and it allows the system to store the rawdata.

SNMP Polling (CPU, Memory)
• SNMP Polling (CPU, Memory): Select “Disabled” or “Enabled” from the drop-down list to disable or enable the monitoring of the device’s CPU and memory usage. This item is available only if the SNMP IP address and its community string are provided and correct.
• CPU SNMP OID: Enter the SNMP OID of the device’s CPU. Make sure the OID entered is that of the device’s CPU, because the system does not check whether the contents of the OID are CPU information. If users do not enter a value, the system uses the factory default OID to get the information. After entering the OID, users can click on the “Check” button to verify that the SNMP connection is successful. If the connection is successful, the “ ” button shows; otherwise the “ ” button shows.
• Memory SNMP OID: Enter the SNMP OID of the device’s memory. Make sure the OID entered is that of the device’s memory, because the system does not check whether the contents of the OID are memory information. If users do not enter a value, the system uses the factory default OID to get the information. In addition, users still have to manually enter a correct value for the total memory (unit is megabyte) in the SNMPWALK Information field at the top right side of the page.
• Baseline of CPU and Memory: Select the baseline from the drop-down list if it is needed. The baseline of the CPU and memory is specified in the Baseline function of System Admin / Network / Template.

NetFlow/SFlow Information
• Flow Exporter IP Address: Enter the IP address of the flow exporter from which flow data is collected. The input format is “xxx.xxx.xxx.xxx”. If the IP address is incorrect, the Collector will be unable to collect flow data.
• Flow Receiving Port Number: Enter the port number to which flow data is exported. The value is between 1025 and 65534. The port number must be the same as the one set up at the flow exporter. We strongly recommend that you give each configured router a different port number for receiving the traffic flow.
• Sampling Rate: Specify a method of defining your sampling rate. The system provides two types of sampling rate, dynamic and fixed. The dynamic sampling rate uses the sampling rate carried inside the received flow records and changes all the time. The fixed sampling rate uses a constant sampling rate specified by users. Choose the dynamic sampling rate by clicking on the “Adopt the Sampling Rate carried in flows” radio button, or the fixed sampling rate by clicking on the “Adopt the Sampling Rate Defined Manually” radio button. If you choose the fixed sampling rate, please enter a number between 1 and 32768 in the blank. For example, if you want to take one from ten, please enter “10”. If the value you entered is “1”, the packet sampling function is disabled.
• Age-out Time (V9): Enter an age-out time if the flow type is NetFlow V9. Its unit is “second” and the available value is 0 or from 30 to 1800.
• Flow Relay:
  • Flow Relay IP Address: Enter the IP address of the flow collector to which flow data will be relayed. The input format is “xxx.xxx.xxx.xxx”.
  • Flow Relay Port Number: Enter the port number to which flow data will be relayed. The value is between 1 and 65534.
  • Flow Relay Sampling Rate: Enter the sampling rate. The value is between 1 and 1024. The factory default is 1. For example, if you want to take one from fifteen, please enter “15”. If the value you entered is “1”, the packet sampling function is disabled.
  Note: Netflow v9 Templates are not guaranteed to be relayed.

Collector/FLB
• Collector/FLB: Select the Collector’s IP address, MSP Server or FLB device from the drop-down list, which displays all Collectors, MSP Servers and FLB devices under control of the Controller. The Collector you selected will collect NetFlow records from the router you are configuring.
  Note: The selected entries, MSP-xxx, will not show when the system does not support the MSP module (value-added service).
• BGP Lookup: Choose whether to activate the BGP lookup service. If you do not want to use this service, click on the “Disabled” radio button. Please note that this will lead to no AS path information being generated in the report. If the router you are configuring is not a BGP router but you want to analyze its BGP information, please click on the “Enabled” radio button and provide the following information.
• NetFlow ASN: Select a method for the adopted ASN information in the NetFlow records from the drop-down list. There are three options: “Overwritten by BGP module lookup” means all ASN information in the NetFlow records will be replaced by BGP lookup; “Keep them as Peer ASN” means to keep the ASN information of NetFlow records as Peer ASN; “Keep them as Origin ASN” means to keep the ASN information of NetFlow records as Origin ASN.
• Use BGP Table of Another Router: Select a router from the drop-down list. The drop-down list shows the routers that are configured under the same Collector and that also have the BGP lookup service activated. Once this option is used, the BGP hijack and BGP update message monitoring won’t be available.
• Connect to BGP Router IP Address: Enter the IP address of the BGP router with which the Collector’s BGP module creates a BGP peering session. If you want to look up BGP information from an external BGP router, you can use this function. Please provide the following information:
• BGP MD5 Secret: Enter the string. The number of characters entered must be between 0 and 40.
• Remote AS Number: Enter the AS number of the BGP router with which the Collector’s BGP module establishes the BGP connection.
• Local AS Number: Enter the AS number of the Collector, which the Collector’s BGP module will use to establish the BGP connection.
• BGP Hijack Detection: Click on the Disabled or Enabled radio button for the BGP hijack detection. (Default is “Disabled”.)
• BGP Update Message Monitoring: Select a threshold template from the drop-down list for the monitoring of BGP update messages. All router threshold templates configured in the Template/Baseline function of the Network menu will be shown here. (Default is “Disabled”.)

2. Click on the “Submit” button to complete the configuration.

To edit a router
Click on the “ ” icon to enter the Edit Router window. (See Figure 3.3.3-3)

Figure 3.3.3-3 System Admin / Network / Router / Router -- Edit Router Window

(Please refer to the previous “To add a router” section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)
1. Provide new information in the fields that you would like to modify.
2. Click on the “Submit” button to complete the modification.

To delete a router
1. Click on the delete icon “ ”. A Delete page with the detailed configuration will be shown. The system will remind you that all configurations that use this router will be affected if the router is deleted.
2. Click on the “Submit” button to remove the router from the system.

To view the profile of a router
The detailed information of the router can be reviewed (See Figure 3.3.3-4).

Figure 3.3.3-4 System Admin / Network / Router / Router -- View Router Window

1. Click on an ID/Name to enter the View Router window. When you move the cursor to an ID/Name listed in the “ID/Router Name” column, the color of the pointed ID/Name will turn blue. The Applied block area shows the information of the Filters to which the viewed router is applied.
2. Click on the “Back to List” button to return to the Router Management window.

3.3.3.2 Interfaces

Click on the Interface sub-menu tab to enter the Interface management window. (See Figure 3.3.3-5) There are drop-down lists presented below the sub-menu tabs. One is the Router Group drop-down list, from which you can choose the router group (if any router groups are configured in the Preferences/Group function of System Admin); the other is the Router drop-down list, which displays all routers that belong to the selected Router Group. A message about the currently selected router will be presented at the top of the view list. The most recently added interface will be displayed in the first row of the list. The following sections introduce how to add, edit, and delete an interface. (Note that the interface indicates the router interface.)

Figure 3.3.3-5 System Admin / Network / Router / Interface Management Window

To add an interface
GenieATM monitors and collects link-layer traffic statistics from the interfaces added here. Users can add an interface manually or through an SNMP query that gets the interface information of the router. After selecting the router, users can start the adding procedures below.

Adding via SNMP discovery
When users click on the “Discover via SNMP” button, a Router Interface Discovery with SNMP window will pop up and the system will trigger the SNMP walk to retrieve the interface inventory table from the router (See Figure 3.3.3-6). The interfaces with a red check mark have already been added in the Web UI Management System.
1. Select a preferred interface by checking the check box. A green check mark will appear once you check the check box.
2. Enter a new name for the interface if you desire. After you check the check box, the Interface name field will be available. The number of characters entered must be between 1 and 64. All characters are accepted except space and special characters (!@#$%^&?”’...). The default Interface Name depends on which system version is supported by the router. If the router supports V1, the Interface Name will be the value of “Router Name” plus “SNMPWalk ifDescr”. If the router supports V2c, the Interface Name will be the value of “SNMPWalk ifAlias”; however, if the value of “SNMPWalk ifAlias” is empty, the system will use the value of “Router Name” plus “SNMPWalk ifDescr” as the Interface Name.
3. Select a baseline template for the monitored SNMP traffic. All interface baseline templates configured in the Template/Baseline function of the Network menu will be shown here. The system will issue alert logs once the SNMP traffic is against the specified baseline template. If you select no baseline template for the SNMP polling, no alert logs will be issued.
   Note: The factory default of the SNMP Polling function is enabled and users can change the status to disabled.
4. Select the action of Flow aggregation.
   Note: The factory default of the Flow Aggregation function is enabled and users can disable the function. In addition, which common attribute reports are activated can be specified by editing the interface.
5. Click on the “Submit” button to complete the configuration.

Figure 3.3.3-6 System Admin / Network / Router / Interface -- Interface Discovery with SNMP Window

Adding manually
If the SNMP query fails or the SNMP community string is not available, users can add an interface manually. When users click on the “Add” button, the Add Interface window will pop up. (See Figure 3.3.3-7) Under the title, the router to which the interface belongs is indicated, including its name and IP address.

Figure 3.3.3-7 System Admin / Network / Router / Interface -- Add Interface Window

1. Provide router information in the following fields. (The asterisk "*" indicates a mandatory field.)
• Interface Name: Give a name for this interface. The number of characters entered must be between 1 and 64. All characters are accepted except space and special characters (!@#$%^&?”’...).
• ifIndex: Enter the interface index. Please refer to the actual value on the router.
• ifDescr: Enter the description for this interface. The number of characters entered must be between 1 and 256.
• ifAlias: Enter the alias name of the interface.
• ifSpeed: Enter the interface speed. The unit is “bps” (bits per second). Please refer to the actual configuration of the router.
• ifType: Enter the interface type. Value “6” represents “ethernet” and “22” represents “serial”. Please refer to the actual configuration of the router.
• Flow ifIndex: Enter the flow interface index carried in the flow packet.

Instead of manually entering the above information one by one, you can also use the “SNMP WALK >>” button (available once the value of “ifIndex” is entered) to get the interface’s information configured in the router automatically and then click on “

” button: to go to the next page.

• “>|” button: to go to the end page.
• The Page drop-down list: to go to a specific page selected from the drop-down list. The numerator represents the page you are going to list and the denominator represents the total pages.
3. Entries/Page drop-down list: to control the displayed entries per page of the Application view list. There are six options to select: 12, 25, 50, 100, 150, and 250. The number “25” with an asterisk means the default value.

Figure 3.3.7-1 System Admin / Network / Sub-Network Management Window

To add a sub-network
Click on the “Add” button at the top of the Sub-Network view list to enter the Add Sub-Network window. (See Figure 3.3.7-2) Up to 600 sub-networks can be added to the system.

Figure 3.3.7-2 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by CIDR)

1. Enter the name of the sub-network in the Name field. This name must be unique among the sub-networks in the system. The number of characters entered must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Select CIDR, AS Number, AS Path Regular Expression, BGP Community String, Interface (Prefixes Daily Learned) or Private Network from the Defined By drop-down list for the sub-network area. The default type is “CIDR”. If you select the AS Number/AS Path Regular Expression/BGP Community String/Interface/Private Network type, the screen will be transferred to another window for configuring the AS number/AS path/BGP community string/Interface (Prefixes Daily Learned). (See Figure 3.3.7-3 / Figure 3.3.7-4 / Figure 3.3.7-5 / Figure 3.3.7-6 / Figure 3.3.7-7)

Figure 3.3.7-3 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by AS Number)

Figure 3.3.7-4 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by AS Path Regular Expression)

Figure 3.3.7-5 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by BGP Community String)

Figure 3.3.7-6 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by Interface)

Figure 3.3.7-7 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by Private Network)

3. Enter all IP addresses to define the sub-network with IP prefixes (CIDR) or IP ranges in the CIDR text box if you selected the CIDR type in Step 2. You can enter either IP prefixes or IP ranges with the permit or deny keyword. If you do not specify the permit or deny keyword, the IP prefix or range will be considered as Permit. The sequence does matter and works like an ACL. You can enter one IP address prefix per line (use the Enter key to create different lines) or separate multiple prefixes with commas. The maximum number of prefixes can be up to 200.

Enter all AS numbers to define the sub-network in the AS Number text box if you selected the AS Number type in Step 2. Duplicates are not allowed. Both single AS numbers and successive ranges are acceptable. You can enter up to 40 elements of AS numbers (separated by commas; and between 1 and 65535) in a sub-network entity.

Enter the AS path to define the sub-network in the AS Path Regular Expression text box if you selected the AS Path Regular Expression type in Step 2. You can define the sub-network with one AS path regular expression. An AS path regular expression is used for displaying BGP routes by a list of AS numbers (concatenating one or more AS numbers). Three types of token expressions are supported by the system: digital token, “*” token, and “[]” token; a space character is needed between every AS number and “*”/“[]” token.
• A digital token is a number whose range is from 0 to 9;
• A “*” token represents zero or multiple AS numbers, i.e. 32 * 123 means any AS path with Peer ASN 32 and Origin ASN 123;
• A “[]” token represents a union relationship between all the AS numbers inside “[]”. Once an AS number in the AS path in the specified location equals any one AS number in the union, this token is considered matched, e.g. [13 439 302] * means any AS path with Peer ASN 13, 439 or 302.
The total length of the AS path regular expression string can be up to 200 characters.

Enter the BGP community to define the sub-network in the BGP Community String text box if you selected the BGP Community String type in Step 2. You can define the sub-network with up to 12 BGP communities with wildcards. A BGP community string consists of two token sets, separated by a colon “:”, which must be cascaded together without a space or tab in between. A token set includes 5 digits from 0 to 9, and three types of token expressions are supported: digital token, “?” token, and “[]” token.
• A digital token is a number whose range is from 0 to 9;
• A “?” token represents one digit with any value from 0 to 9, e.g. 21829:1290? means from 21829:12900 to 21829:12909;
• A “[]” token represents a container that can hold up to 10 digits. If a digit matches any digit inside the token, the token is matched, e.g. 23910:391[0 2]4 means 23910:39104 and 23910:39124.
Leading 0 digits can be skipped if they do not affect the value; for example, 00023:12802 can be replaced by 23:12802. The total length of a BGP community-with-wildcard string is up to 120 characters.

Add interfaces (which connect to your sub-network) to define the sub-network in the Interface text box if you selected the Interface type in Step 2. The interfaces you select here will form a border which is used to auto-learn prefixes for the defined sub-network. Once you use auto-learning interfaces to define your sub-network, you don't need to define a sub-network boundary in the next step. With the previous four defining methods ("CIDR", "AS Number", "AS Path Regular Expression", "BGP Community String"), the IP Spaces and the Boundary Cut of a sub-network entity must both be specified manually, but the "Interface" and “Private Network” defining methods merge these two elements. Therefore, with the "Interface" and “Private Network” defining methods, you only need to specify the Boundary Cut manually and the system will learn the IP Spaces automatically. There are some differences when using auto-learning interfaces to define the Boundary Cut. Firstly, you can select as the border an interface which is connected to the backbone rather than to the sub-network. In this way, you can simplify the configuration when there are more interfaces connecting to the sub-network and fewer to the backbone. Secondly, the flow traffic calculation is always two-way, so you don't have to specify the traffic direction for interfaces. After clicking on the “Edit” button next to the Interface text box, the Edit Sub-Network Learning Interface window will pop up (See Figure 3.3.7-8). Please follow the steps below to configure your sub-network auto-learning interfaces.

Figure 3.3.7-8 System Admin / Network / Sub-Network -- Edit Sub-Network Learning Interface Window

(1) Select a router group from the Router Group drop-down list. All router groups configured in the Group/Router function of Preferences will be shown in this drop-down list. (Default is “All Routers”)
(2) Select a router from the Router drop-down list. After you select a router group, all routers that belong to the selected router group will be shown in this Router drop-down list. The list changes according to the router group you selected.
(3) Select an interface from the Interface drop-down list. It works the same way as the router selection above. The list changes according to the router you selected. All interfaces that belong to the selected router will be shown in this Interface drop-down list. In addition, users can also add the interface by clicking on the “Browse” button, which shows an interface list table for specifying it.
    Note: If users add the interface by clicking on the “Browse” button, they have to specify the “traffic direction” (step (4) below) before clicking on the “Add” button (below the list table). When users click on the “Add” button (below the list table), the selected interface will be added to the Learning Interface text box, and users can skip steps (4) and (5).
(4) Select the traffic direction by clicking on the radio button. Select it according to the type of network entity your physical interface connects to.
(5) Click on the “Add” button to add the specified interfaces into the Learning Interface text box one by one.
    Note: If users add the interface by clicking on the “Browse” button, this step can be ignored. Otherwise, the error message “duplicate” may show.
(6) After adding all desired interfaces, please click on the “Submit” button to complete the configuration.

Add Private Network (which connects to your sub-network) to define the sub-network in the Interface text box if you selected Private Network in Step 2. The “Private Network” defining method is the same as the “Interface” method; please refer to the above steps to set the sub-network by defining a Private Network.

4. Define the boundary of the sub-network. You can use the existing boundary templates as the sub-network boundary or manually define a new one right away by clicking on the radio button. Please ignore this step if you have used auto-learning interfaces to define your sub-network in the previous step.
• If you use the existing boundary templates, please select a template from the Use Boundary Template drop-down list. Both the templates defined in the Template / Sub-Network Boundary function of Network and the Internet boundary will be shown here.
• If you want to define a new one, please click on the “Edit” button (selectable after clicking on the Defined radio button) to start the configuration. You will see the Edit Sub-Network Boundary window pop up. (See Figure 3.3.7-9) After selecting the router group, router, and interface from each drop-down list, and specifying the traffic direction, click on the “Add” button to add the links (one by one) to the Sub-Network Boundary text box. In addition, users can also add the interface by clicking on the “Browse” button, which shows an interface list table for specifying it. After you finish adding links, click on the “Submit” button and the links you added will form the boundary of this sub-network.

Note:
1. Traffic Directions:
   Input – the flow will be included for traffic counting if the interface ifindex appears in the “Input Interface” field of the flow record.
   Output – the flow will be included for traffic counting if the interface ifindex appears in the “Output Interface” field of the flow record.
   Both – the flow will be included for traffic counting if the interface ifindex appears in the “Input Interface” or “Output Interface” field of the flow record.
2. If users add the interface by clicking on the “Browse” button, they have to specify the “Traffic Direction” before clicking on the “Add” button (below the list table) to add the selected interface into the Learning Interface text box.

Figure 3.3.7-9 System Admin / Network / Sub-Network -- Edit Sub-Network Boundary Window
5. Set the parameters for generating Report data. Select the reports that you want to generate by checking the check boxes. There are two types of reports to select from. One is the “Advanced Traffic Analysis” report, including the Breakdown Report and Top Talker report, and the other is the “Command Attribute Report”, including the Application, Protocol, Protocol+Port, TOS, and Packet Size reports. By default, the command attribute reports are “Enabled” except the TOS report.
6. Set the Offline Report Scheduler. This function defines whether the sub-network provides the offline report function, so that users whose privilege belongs to this sub-network can set their own offline reports. Select Enabled from the drop-down list to turn on the Offline report function for the sub-network; otherwise keep the default value, Disabled.
Note
1. If this function of the sub-network is enabled, the user whose privilege is specified to this sub-network can set all types of offline reports in the Report/Sub-network function. For how to set offline reports, please refer to the Report/Sub-Network section.
2. The language of the received offline reports can be specified in Global in the System Admin/Preference/Offline Report function.

7. Set the actions for anomaly detection. There are two Anomaly Detection modules here, the Traffic Anomaly and Protocol-Misuse Anomaly Detection modules.
• Traffic Anomaly Detection: it is divided into two parts, Incoming and Outgoing. You can configure the two directions (Incoming & Outgoing) individually by selecting the baseline template from the drop-down list.
• DDoS and Worm Detection: select “Enabled” or “Disabled” from the drop-down list (default is “Disabled”).
Note
When users disable “DDoS and Worm Detection”, the detection of Protocol-Misused anomalies and Application anomalies will not work. If anomaly detection is enabled, the anomaly report of this sub-network is displayed in the Status/Anomaly Console function. The factory defaults of the anomaly detection actions are disabled.
8. Enter additional information for the sub-network in the Remarks field. Up to 400 characters are allowed.
9. Click on the “ Submit ” button to complete the configuration.


To edit a sub-network
Click on the “ ” icon to enter the Edit Sub-Network window. (See Figure 3.3.7-10)

Figure 3.3.7-10 System Admin / Network / Sub-Network -- Edit Sub-Network Window
(Please refer to the previous “To add a sub-network” section for the following steps of your modification.)
1. Provide new information for the fields/options that you would like to modify.
2. Click on the “ Submit ” button to complete the modification.

To delete a sub-network
1. Click on the delete icon “ ”. A Delete page with the detailed configuration will be shown. Note that if the sub-network you are deleting is applied to any configuration, the system will not allow you to delete it and the “ Submit ” button will be unavailable. You have to change the applied configurations to another sub-network before you delete this sub-network.
2. Click on the “ Submit ” button to remove the sub-network from the system.

To view the profile of a sub-network
The detailed information of the sub-network can be reviewed (See Figure 3.3.7-11).

Figure 3.3.7-11 System Admin / Network / Sub-Network -- View Sub-Network Window

1. Click on an ID or Name to enter the View Sub-Network window. When you move the cursor to an ID/Name listed in the “ID/Name” column, the pointed ID/Name turns blue. The Applied block area shows the Filters to which the viewed sub-network is applied.
2. Click on the “ Back to List ” button to return to the Sub-Network Management window.


3.3.8 Server

The Server menu allows users to define a server farm, which includes several servers. Users can define their server farm in the system so that they can obtain a variety of reports relevant to the server traffic. After clicking on the Server menu displayed on the Sub Menu tree of System Admin/Network at the left side of the screen, the Server-farm Management window will be shown. (See Figure 3.3.8-1)

Note
1. A searching function is provided. It is located next to the “ Add ” button and above the view list. Users can use multiple searching filters (ID, Name/Remarks, IP Space) to quickly find a specific Server-farm among the listed server entries. Select a type of searching filter in the Searching drop-down list, input a keyword in the “for” blank, and then click on the “ Go ” button.
2. Page-control buttons are next to the “ Go ” button.
• “ | < ” button: to go to the first page.
• “ > ” button: to go to the next page.
• “ > | ” button: to go to the end page.
• The Page drop-down list: to go to a specific page selected from the drop-down list. The numerator represents the page you are going to list and the denominator represents the total pages.
3. Entries/Page drop-down list: to control the number of entries displayed per page of the Application view list. There are six options to select: 12, 25, 50, 100, 150, and 250. The number “25” with an asterisk is the default value.

Figure 3.3.8-1 System Admin / Network / Server – Server-farm Management Window

To add a server-farm
Click on the “ Add ” button at the top of the Server view list to enter the Add Server-farm management window (See Figure 3.3.8-2). Please check the resource limitation for server farm entries in the Status/Summary/Resources function.


Figure 3.3.8-2 System Admin / Network / Server -- Add Server-farm Window
1. Name: Enter the name of the server in the Name field. This name must be unique among the servers in the system. The number of inputted characters must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. CIDR: Enter all IP addresses that define the server as IP prefixes (CIDR) or IP ranges in the CIDR text box. You can enter either IP prefixes or IP ranges with the permit or deny keyword. If you do not specify the permit or deny keyword, the IP prefix or range is treated as Permit. The sequence matters and works like an ACL. You can enter one IP address prefix per line (use the Enter key to create different lines) or separate multiple prefixes with commas. The maximum number of prefixes is 200.
3. Protocol/Port: Define the Protocol/Port of the Server-farm. You can set any or define the value of Protocol/Port for the Server-farm. Select the protocol/port by clicking on the radio button, then enter the port number or the message type/code, and then click on “ ” or “ Remove All ” button to remove the added configuration from the text box.
• Protocol/Port: select the protocol/port from the drop-down list and define the port number. You can enter a port range (continuous port numbers) at one time. To add a port range, enter the first number of the range in the first field and the last number of the range in the second field. To add a single port number, select “Port Number” and enter the number in the text box.
• ICMP: the system allows you to further set the message type and code for the various services of ICMP. You have to enter the message type and code if ICMP is selected.

4. Boundary Links: Define the boundary of the server-farm. You can use an existing boundary template as the server-farm boundary or manually define a new one by clicking on the corresponding radio button.
• If you use an existing boundary template, select a template from the Use Boundary Template drop-down list. The templates defined in the Template/Server-farm Boundary function of Network are shown here.
• If you want to define a new one, click on the “ Edit ” button (selectable after clicking on the Defined radio button) to start the configuration. The “Edit Server Boundary” window pops up. (See Figure 3.3.8-3) After selecting the router group, router, and interface from each drop-down list and specifying the traffic direction, click on the “ Add ” button to add the link (one by one) to the Server Boundary text box. Users can also add an interface by clicking on the “ Browse ” button, which shows an interface list table to choose from. After you finish adding links, click on the “ Submit ” button; the links you added form the boundary of this server-farm.
Note
• Traffic Directions:
   Input – the flow is included for traffic counting if the interface ifindex appears in the “Input Interface” field of the flow record.
   Output – the flow is included for traffic counting if the interface ifindex appears in the “Output Interface” field of the flow record.
   Both – the flow is included for traffic counting if the interface ifindex appears in the “Input Interface” or “Output Interface” field of the flow record.
• If users add the interface by clicking on the “ Browse ” button, they have to specify the “Traffic Direction” before clicking on the “ Add ” button (below the list table) to add the selected interface into the Server Boundary text box.


Figure 3.3.8-3 System Admin / Network / Server -- Edit Server Boundary Window
5. Generate Report Data: Set the parameters for generating Report data. Select the reports that you want to generate by checking the check boxes. There are two types of reports to select from. One is the “Advanced Traffic Analysis” report, including the Breakdown Report, and the other is the “Command Attribute Report”, including the Application, Protocol, Protocol+Port, TOS, and Packet Size reports. By default, the command attribute reports are “Enabled” except the Protocol and TOS reports.
6. TopN Report: Enable the TopN report. A TopN report of a server sorts the analyzed traffic results of a specified server farm by aggregation elements. All listed TopN reports are predefined in the TopN Report function of the System Admin/Network/Template function. The operations are as follows:
• Adding a TopN Report: Click on the “ Add ” button to list the aggregation reports of TopN. Check the needed reports and then click on the “ Add ” button to create the TopN reports of the server farm. In addition, users can redefine the fields Name, TopN # and Status when adding a TopN Report.

Figure 3.3.8-4 System Admin / Network / Server -- Adding TopN Report to the Server-farm

• Editing a TopN Report: Click on the “ Edit ” button to modify the specified TopN entries. Users can edit the fields Name, TopN # and Status, and then click on the “ Edit ” button when the modification is complete.
• Deleting a TopN Report: Click on the “ Delete ” button to list the specified TopN entries. Check the TopN entries that you want to delete and then click on the “ Delete ” button to delete them.

7. Remarks: Enter additional information for the server-farm in the Remarks field. Up to 400 characters are allowed.
8. Click on the “ Submit ” button to complete the configuration.

To edit a server-farm
Click on the “ ” icon to enter the Edit Server-farm window. (See Figure 3.3.8-5)

Figure 3.3.8-5 System Admin / Network / Server -- Edit Server-farm Window
(Please refer to the previous “To add a server-farm” section for the following steps of your modification.)
1. Provide new information for the fields/options that you would like to modify.
2. Click on the “ Submit ” button to complete the modification.

To delete a server-farm
1. Click on the delete icon “ ”. A Delete page with the detailed configuration will be shown.
2. Click on the “ Submit ” button to remove the configuration from the system.


To view the profile of a server-farm
The detailed information of the Server-farm can be reviewed. (See Figure 3.3.8-6)

Figure 3.3.8-6 System Admin / Network / Server -- View Server-farm Window
1. Click on an ID or Name to enter the View Server-farm window. When you move the cursor to an ID/Name listed in the “ID/Name” column, the pointed ID/Name turns blue.
2. Click on the “ Back to List ” button to return to the Server Management window.


3.3.9 MSP Customer

The MSP Customer menu allows users to manage MSP customers, specify the boundary template, configure the MSP user account, and set the privilege template for a user account. After clicking on the MSP Customer menu displayed under the Sub Menu tree of System Admin/Network at the left side of the screen, users will enter the MSP Customer Management window (the default-entered window) and see its sub-menu tabs: MSP Customer, Boundary Template, MSP User Account, and Privilege Template. (See Figure 3.3.9-1) The following sections introduce how to configure an MSP customer, how to define the boundary template, how to manage MSP user accounts, and how to specify the privilege template.
Note
This function is not shown when the system does not support the MSP module (value-added function).

3.3.9.1 MSP Customer
Users can assign MSP customers to an MSP server and assign an MSP user with the administrator privilege, who can log into the MSP server to view/manage its traffic reports. After clicking on the MSP Customer menu displayed on the Sub Menu tree of System Admin/Network at the left side of the screen, a page with the MSP Customer Management title will be shown (see Figure 3.3.9-1).
Note
A searching function and page-control buttons are provided; for detailed descriptions, please refer to the Sub-Network sub-menu of the System Admin/Network function.

Figure 3.3.9-1 System Admin/Network/MSP Customer -- MSP Customer Management Window


To add a MSP Customer
Click on the “ Add ” button at the top of the MSP Customer view list to enter the Add MSP Customer Management window (see Figure 3.3.9-2). Users can add up to 100 MSP Customers for each Collector registered in the system. Up to 1000 MSP Customers can be added to the system.

Figure 3.3.9-2 System Admin/Network/MSP Customer/MSP Customer – Adding MSP Customer Window
1. Name: Enter the name of the MSP Customer in the Name field. This name must be unique in the system. The number of inputted characters must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. MSP Server: select the MSP Server to which the customer belongs.
3. CIDR: Enter all IP addresses that define the MSP Customer as IP prefixes (CIDR) or IP ranges in the CIDR text box. You can enter either IP prefixes or IP ranges with the permit or deny keyword. If you do not specify the permit or deny keyword, the IP prefix or range is treated as Permit. The sequence matters and works like an ACL. You can enter one IP address prefix per line (use the Enter key to create different lines) or separate multiple prefixes with commas. The maximum number of prefixes is 200.
4. Define the Boundary Routers of the MSP customer. You can use an existing boundary template or manually define a new one by clicking on the corresponding radio button.
• If you use an existing boundary template, select a template from the Use Boundary Template drop-down list. The templates defined in the Boundary Template function of MSP Customer in the System Admin/Network function are shown here.
• If you want to define a new one, click on the “ Define ” button (selectable after clicking on the Defined radio button) to start the configuration. The Add MSP Customer window pops up. (See Figure 3.3.9-3) After selecting the Collector and checking routers, click on the “ Add ” button to add the boundary routers to the text box. After you finish adding boundary routers, click on the “ Submit ” button; the set of routers you added forms the boundary of this MSP customer.

Figure 3.3.9-3 System Admin/Network/MSP Customer/MSP Customer -- Add Boundary Routers Window
5. Select the Anomaly Detection features for the configured Customer. The Anomaly Detection modules here are the Traffic Anomaly Detection and DDoS and Worm Detection modules. Traffic Anomaly Detection is divided into two parts, Incoming and Outgoing, which you can configure individually. Configurations are as follows:
• Traffic Anomaly Detection:
   Incoming: select one traffic anomaly baseline template (Default is “Disabled”).
   Outgoing: select one traffic anomaly baseline template (Default is “Disabled”).
• DDoS and Worm Detection:
   Anomaly Detection: select “Enabled” or “Disabled” (Default is “Enabled”). Users can reset the action for each detection by clicking on the “ Advance ” button and then clicking on the “ Submit ” button to complete the modification.
When users disable “DDoS and Worm Detection”, the detection of Protocol-Misused anomalies and Application anomalies will not work.
6. Administrator User Account: set the account with the administrator role for the MSP customer. This account can manage the system profiles on the portal site of the MSP Server. The asterisk “*” indicates a mandatory field. For descriptions of the fields, please refer to the Local User Account function in the System Admin/User menu. The fields are the same except for the “Notification for Anomalies” field. The factory default of Notification for Anomalies is “Enabled”.
7. Enter additional information for the MSP Customer in the Remarks field. Up to 400 characters are allowed.
8. Click on the “ Submit ” button to complete the configuration.


To edit a MSP Customer
Click on the “ ” icon to enter the Edit MSP Customer window. (Please refer to the previous “To add a MSP Customer” section for the following steps of your modification.)
1. Provide new information for the fields/options that you would like to modify.
2. Click on the “ Submit ” button to complete the modification.

To delete a MSP Customer
1. Click on the delete icon “ ”. A Delete page with the detailed configuration will be shown.
2. Click on the “ Submit ” button to remove the MSP Customer from the system.

To view the profile of a MSP Customer
The detailed information of the MSP Customer can be reviewed.
1. Click on an ID or Name to enter the View MSP Customer Management window. When you move the cursor to an ID/Name listed in the “ID/Name” column, the pointed ID/Name turns blue. In addition, users can click on the “ Advance ” button to view the detailed configuration of DDoS and Worm Detection in the View MSP Customer window.
2. Click on the “ Back to List ” button to return to the MSP Customer Management window.

3.3.9.2 Boundary Template

Click on the Boundary Template tab to assign routers to a boundary template used in the MSP Customer function in System Admin/Network/MSP Customer. After clicking on the Boundary Template tab, a page with the MSP Customer Boundary Template Management title will be shown (see Figure 3.3.9-4). The following sections introduce how to add, edit, delete, and view the routers in a boundary template.

Figure 3.3.9-4 System Admin/Network/MSP Customer/ MSP Customer Boundary Template Management Window

To add a Boundary Template
Click on the “ Add ” button at the top of the Boundary Template view list to enter the Add MSP Customer Boundary Template window in System Admin/Network/MSP Customer (see Figure 3.3.9-5).


Figure 3.3.9-5 System Admin/Network/MSP Customer/Boundary Template – Adding MSP Customer Boundary Template Window
1. Name: Enter the name of the Boundary Template in the Name field. This name must be unique in the system. The number of inputted characters must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Boundary Routers: select the collector from the drop-down list; its related routers are listed below. Check the router and click on the “ > ” button to remove the added configuration from the text box.
3. Click on the “ Submit ” button to complete the configuration.

To edit a Boundary Template
Click on the “ ” icon to enter the Edit MSP Customer Boundary Template window. (Please refer to the previous “To add a Boundary Template” section for the following steps of your modification.)
1. Provide new information for the fields/options that you would like to modify.
2. Click on the “ Submit ” button to complete the modification.

To delete a Boundary Template
1. Click on the delete icon “ ”. A Delete page with the detailed configuration will be shown. Note that if the boundary template you are deleting is applied to any configuration, the system will not allow you to delete it and the “ Submit ” button will be unavailable. You have to change the applied configurations to another boundary template before you delete this boundary template.
2. Click on the “ Submit ” button to remove the boundary template from the system.

To view the profile of a Boundary Template
The detailed information of the Boundary Template can be reviewed.
1. Click on an ID or Name to enter the View Boundary Template window. When you move the cursor to an ID/Name listed in the “ID/Name” column, the pointed ID/Name turns blue. The Applied block area shows the MSP Customers to which the viewed Boundary Template is applied.
2. Click on the “ Back to List ” button to return to the Boundary Template Management window.


3.3.9.3 MSP User Account

Click on the MSP User Account tab to enter the MSP User Account Management window (see Figure 3.3.9-6). The MSP User Account management window lists all MSP user accounts specified for all MSP collectors.
Note
1. The account with the privilege template Customer Admin is specified in the MSP Customer function of the System Admin / Network / MSP Customer menu in the Controller system, but accounts with other privileges, such as Customer Superuser or Customer Viewer, are set in the specified MSP Server by its admin account.
2. The access authority of a Privilege template is defined in the Privilege Template function in the System Admin / Network / MSP Customer menu in the Controller system.

Figure 3.3.9-6 System Admin/Network/MSP Customer/MSP User Account – MSP User Account Window

3.3.9.4 Privilege Template

Users can edit or view a privilege template and specify the authorized functions for the privilege template. Click on the Privilege Template tab to enter the Privilege Template window. (As shown in Figure 3.3.9-7)

Figure 3.3.9-7 System Admin/Network/MSP Customer/Privilege Template -- Privilege Template Management Window


To edit a user privilege template
There are three default types of privilege templates, Customer Admin, Customer Superuser and Customer Viewer, for users to modify.

Figure 3.3.9-8 System Admin / Network/ MSP Customer / Privilege Template -- Edit User Privilege Template Window
1. Click on the “ ” icon to modify the information in the privilege template. A page titled Edit User Privilege Template will be shown. (As presented in Figure 3.3.9-8)
2. Change the authorization of the system functions by checking the boxes.
3. Click on the “ Submit ” button to complete the modification.
Note
The user accounts assigned to this privilege template are listed in the Applied table below.

To view a user privilege template
Users can view the privilege template information in detail.
1. Click on a privilege template No. or name to enter the View User Privilege Template window. When you move the cursor to a name listed in the “ID” or “Name” column, the pointed username turns blue.
2. Click on the “ Back to List ” button to return to the User Privilege Template window.


3.3.10 Filter

The Filter menu allows users to manage Factors and Filters, the two significant elements used to implement the Rule-based report. Factors are the basic building components used in an expression inside a Filter. Filters are the basic units that allow users to locate the traffic to analyze. Through Factors and Filters, users can analyze traffic flexibly to make up for what the pre-defined reports lack. After clicking on the Filter menu displayed on the Sub Menu tree of System Admin/Network at the left side of the screen, the Factor Management window (the default entered window) will be shown. Users can see the sub-menu tabs, Factor and Filter, at the top of the screen. (See Figure 3.3.10-1)

Figure 3.3.10-1 System Admin / Network / Filter / Factor Management Window

3.3.10.1 Factor

Once you click on the Filter menu, you directly enter the Factor Management window. There are categories of Factors: one is System Factor, such as the Home network, Sub-Network entities, and applications already defined in the system; another is User-defined Factor. The following sections introduce how to add, edit, and delete a Factor, and how to view the profile of a Factor.
Note
1. A searching function and page-control buttons are provided. Please refer to the Note descriptions in the Sub-Network sub menu of the Network function for the operation.
2. The “ Export ” button is used to back up the Factor configurations to the local host. After clicking on the “ Export ” button, the download configuration field is shown. There are two file formats to download, XML Schema and XML Data. However, users have to run the CLI command “factor encoding” in the global configuration mode before exporting the Factor configurations.
3. The “ Import ” button is used to load the Factor configurations from the local host. After clicking on the “ Import ” button, the Upload configuration field is shown and users have to click on the “ Browse… ” button to select the factor configuration file for uploading.

To add a Factor
Click on the “ Add ” button at the top of the Factor view list to enter the Add Factor window. (See Figure 3.3.10-2) There are five different types of user-defined Factors. Each type has its own maximum number of entities in a Controller.

Factor Type                          Maximum Entities
IP Factor                            1024
BGP Community Factor                 256
AS Number Factor                     256
AS Path Regular Expression Factor    256
Application Factor                   256


Figure 3.3.10-2 System Admin / Network / Filter / Factor -- Add Factor Window (IP Factor)
1. Enter the name of the Factor in the Name field. This name must be unique among the Factors in the system. The number of inputted characters must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Input additional information in the Remarks field if desired. Up to 400 characters are allowed.
3. Select IP, BGP Community, AS Number, AS Path or Application from the Type drop-down list for the Factor. The default type is “IP”. If you select the BGP Community/AS Number/AS Path/Application type, the screen switches to another window for configuring the IP/BGP Community/AS Number/AS Path. (See Figure 3.3.10-3 / Figure 3.3.10-4 / Figure 3.3.10-5 / Figure 3.3.10-6)

Figure 3.3.10-3 System Admin / Network / Filter / Factor -- Add Factor Window (BGP Community Factor)


Figure 3.3.10-4 System Admin / Network / Filter / Factor -- Add Factor Window (AS Number Factor)

Figure 3.3.10-5 System Admin / Network / Filter / Factor -- Add Factor Window (AS Path Factor)

Figure 3.3.10-6 System Admin / Network / Filter / Factor -- Add Factor Window (Application Factor)


4. If you selected the IP type in Step 3, enter all IP addresses that define the IP Factor, as IP prefixes (CIDR) or IP ranges, in the IP text box. You can enter either IP prefixes or IP ranges with a permit or deny keyword. If you do not specify a permit or deny keyword, the IP prefix or range is treated as Permit. The sequence matters and works like an ACL. You can enter one IP address prefix per line (use the Enter key to create a new line) or separate multiple prefixes with commas. One Factor can hold up to 128 prefixes.

If you selected the BGP Community type in Step 3, enter the BGP community that defines the BGP community Factor in the BGP Community String text box. You can define the Factor with one BGP community with wildcards. A BGP community string consists of two token sets separated by a colon “:”, and they must be joined without any space or tab in between. A token set includes 5 digits from 0 to 9, and three types of token expressions are supported: digital token, “?” token, and “[]” token.
• A digital token is a number whose range is from 0 to 9;
• A “?” token represents one digit with any value from 0 to 9, e.g. 21829:1290? means from 21829:12900 to 21829:12909;
• A “[]” token represents a container that can hold up to 10 digits. If a digit matches any digit inside the token, the token is matched, e.g. 23910:391[0 2]4 means 23910:39104 and 23910:39124.
A 0 digit can be skipped if it does not affect the value; for example, 00023:12802 can be replaced by 23:12802. The total length of a BGP community-with-wildcard string is up to 120 characters.

If you selected the AS Number type in Step 3, enter all AS numbers that define the AS Number Factor in the AS Number text box. Duplicate AS numbers are not allowed. Both single AS numbers and consecutive ranges are accepted. You can enter up to 40 elements of AS numbers (separated by commas; and between 1 and 65535) in a Factor.

If you selected the AS Path type in Step 3, enter the AS path that defines the AS path Factor in the AS Path text box. You can define the Factor with one AS path regular expression. An AS path regular expression is used for displaying BGP routes by a list of AS numbers (concatenating one or more AS numbers). Three types of token expressions are supported by the system: digital token, “*” token, and “[]” token; a space character is needed between every AS number and “*”/“[]” token.
• A digital token is a number whose range is from 0 to 9;
• A “*” token represents zero or multiple AS numbers, i.e. 32 * 123 means any AS path with Peer ASN 32 and Origin ASN 123;
• A “[]” token represents a union of all the AS numbers inside “[]”. If the AS number at the specified location in the AS path equals any AS number in the union, the token is considered matched, e.g. [13 439 302] * means any AS path with Peer ASN 13, 439 or 302.
The total length of the AS path regular expression string can be up to 200 characters.

If you selected the Application type in Step 3, specify the applications and channel numbers that define the application Factor in the text box. You can select an application from the Application drop-down list or by clicking on the “Browse” button (please refer to the Browse Helper part in Snapshot for details; the operation is the same). After selecting the application, you also have to select its channel number from the Channel No. drop-down list and then click on the “Add” button to add the selected application and channel number to the text box. The combination of an application and a channel number is called an application definition. Up to 16 application definitions can be added to one application Factor. Note that the “*” symbol represents all channels. Once “*” is added, no other channel of the same application can be added to the text box. You can delete one added application definition, or all of them, from the text box by using the “Remove One” or “Remove All” button.
5. Click on the “Submit” button to complete the configuration.
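
The wildcard rules in step 4 for BGP community strings and AS path expressions can be checked offline before a Factor is submitted. The Python code below is an added example, not GenieATM code: the function names are hypothetical, and it assumes that a shortened token set is left-padded with zeros and that an AS path expression has to match the whole path from Peer ASN to Origin ASN, as the manual's examples suggest.

```python
import re

DIGITS = set("0123456789")


def _token_set(text):
    """Parse one side of the colon into five sets of permitted digits."""
    slots = []
    for tok in re.findall(r"\[[^\]]*\]|.", text, flags=re.S):
        if tok == "?":                              # any single digit
            allowed = set(DIGITS)
        elif tok in DIGITS:                         # digital token
            allowed = {tok}
        elif tok[0] == "[" and tok[-1] == "]":      # container of digits
            allowed = set(tok[1:-1].replace(" ", ""))
            if not allowed or not allowed <= DIGITS:
                raise ValueError(f"bad [] token {tok!r}")
        else:
            raise ValueError(f"unsupported character {tok!r}")
        slots.append(allowed)
    if not 1 <= len(slots) <= 5:
        raise ValueError("a token set holds at most 5 digits")
    # Assumption: omitted leading zeros are restored by left-padding.
    return [{"0"}] * (5 - len(slots)) + slots


def community_matches(pattern, community):
    """True if a concrete community such as '23910:39124' fits the wildcard string."""
    if len(pattern) > 120 or pattern.count(":") != 1:
        raise ValueError("expected one ':' and at most 120 characters")
    left, right = (_token_set(half) for half in pattern.split(":"))
    value = "".join(part.zfill(5) for part in community.split(":"))
    return len(value) == 10 and all(d in s for d, s in zip(value, left + right))


def _as_tokens(pattern):
    """Split an AS path expression into sets of AS numbers; None stands for '*'."""
    if len(pattern) > 200:
        raise ValueError("AS path expression is limited to 200 characters")
    tokens = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", pattern):
        if tok == "*":
            tokens.append(None)
        elif re.fullmatch(r"[0-9]+", tok):
            tokens.append({int(tok)})
        elif re.fullmatch(r"\[\s*[0-9]+(\s+[0-9]+)*\s*\]", tok):
            tokens.append({int(n) for n in tok[1:-1].split()})
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return tokens


def as_path_matches(pattern, as_path):
    """True if the AS path (list of ints, Peer ASN first) fits the expression."""
    # reachable[j]: the tokens read so far can consume exactly as_path[:j]
    reachable = [True] + [False] * len(as_path)
    for tok in _as_tokens(pattern):
        if tok is None:                             # "*": zero or more AS numbers
            seen, nxt = False, []
            for state in reachable:
                seen = seen or state
                nxt.append(seen)
        else:                                       # exactly one AS number
            nxt = [False] + [reachable[j] and as_path[j] in tok
                             for j in range(len(as_path))]
        reachable = nxt
    return reachable[-1]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real routing table.
    for pat, val in [("21829:1290?", "21829:12905"), ("23910:391[0 2]4", "23910:39114")]:
        print(pat, val, community_matches(pat, val))
    for pat, path in [("32 * 123", [32, 701, 123]), ("[13 439 302] *", [174, 439])]:
        print(pat, path, as_path_matches(pat, path))
```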

To edit a Factor
Click on the “ ” icon to enter the Edit Factor window. (See Figure 3.3.10-7)

Figure 3.3.10-7 System Admin / Network / Filter / Factor -- Edit Factor Window
(Please refer to the previous “To add a Factor” section for the following steps of your modification.)
1. Provide new information for the fields/options that you would like to modify.
2. Click on the “Submit” button to complete the modification.

To delete a Factor
1. Click on the delete icon “ ”. A Delete page with the detailed configuration will be shown. Note that if the Factor you are deleting is applied to any configuration, the system will not allow you to delete it and the “Submit” button will be unavailable. You have to change the applied configurations to another Factor before you delete this Factor.
2. Click on the “Submit” button to remove the Factor from the system.

To view the profile of a Factor
The detailed information of the Factor can be reviewed. (See Figure 3.3.10-8)

Figure 3.3.10-8 System Admin / Network / Filter / Factor -- View Factor Window
1. Click on an ID or Name to enter the View Factor window. When you move the cursor over an ID/Name listed in the “ID/Name” column, the ID/Name under the cursor turns blue. The Applied block area shows the Filters to which the viewed Factor is applied.
2. Click on the “Back to List” button to return to the Factor Management window.

3.3.10.2 Filter

Click on the Filter sub-menu tab of Filter to enter the Filter Management window (See Figure 3.3.10-9). The most recently added Filter is displayed in the first row of the list. The following sections introduce how to add, edit, and delete a Filter, and how to view the profile of a Filter.
Note A search function and page-control buttons are provided. Please refer to the Note descriptions in the Sub-Network sub menu of the Network function for their operation.

Figure 3.3.10-9 System Admin / Network / Filter / Filter Management Window

To add a Filter
Click on the “Add” button at the top of the Filter view list to enter the Add Filter window. (See Figure 3.3.10-10)

Figure 3.3.10-10 System Admin / Network / Filter / Filter -- Add Filter Window
1. Enter the name of the Filter in the Filter Name field. This name must be unique among the Filters in the system. The name must be between 2 and 40 characters long. All characters are accepted except spaces and special characters (!@#$%^&?”’...).
2. Specify the traffic scope for analysis. First, select a network scope type from the Scope drop-down list and then specify a network entity from the other drop-down list. Several types of network scope are available, and the network-entity drop-down list displays different network entities according to the scope type selected, except for “ANY” and “Home” (they do not need a network entity). The supported boundary scope includes Internet and Sub-network boundaries. The inspected traffic is restricted by the specified traffic scope (i.e. only traffic flows that belong to the specified scope are inspected by the traffic analysis of the Filter). A Browse function is provided here. Please refer to the Browse Helper part in Snapshot for details.
3. The drop-down list shows IPv4 only; there is no other parameter to select.
4. Select “Disabled” or “Enabled” from the Status drop-down list. This function allows you to activate or deactivate the Filter whenever needed. Once you disable the Filter, all traffic reports and applied scopes related to this Filter become unavailable, including its configured TopN reports.
5. Enter additional information in the Remarks field if necessary. Up to 400 characters are allowed.
6. Configure expressions for constructing the Filter. Expressions are the basic elements inside the Filter and are used to sift traffic flows. In other words, they are the criteria configured in the Filter. In total, up to 2048 expressions can be configured in the system. This step introduces how to add, edit, delete, and view an expression.

To add an expression
Click on the “Add” button above the Expression table list to open the Add Filter Expression window. (See Figure 3.3.10-11)

Figure 3.3.10-11 System Admin / Network / Filter / Filter -- Add Filter Expression Window
• No.: select a number from the No. drop-down list for the sequence of the expression being configured. The number you select is the position of the created expression among all expressions. You have no choice for the first created expression, since it has no sequence issue. Only from the second expression onward does the system allow you to decide the sequence. The rule for matching multiple expressions in a Filter is “First Match in the Sequence”.
• Matching Rule: select whether to permit or deny the expression from the Matching Rule drop-down list. The default value is “Permit”.
The following fields are provided to define expressions.
• Src. IP: the available selections for the source IP address are Home, a sub-network, an IP Factor, and a BGP community Factor. Select Home from the Src. IP drop-down list, or click on the “Browse” button next to the drop-down list to select a Factor or a sub-network. Specify the source IP by clicking on the radio and “Submit” buttons (the destination IP can be selected at the same time through the “Browse” button). You can refer to the Browse Helper part in Snapshot for further operation.
• Dst. IP: same as Src. IP. Please refer to its description above.
• Src. AS Path: select an AS Path Factor for the source AS path from the Src. AS Path drop-down list. All AS Path Factors configured in the system are displayed here.
• Dst. AS Path: same as Src. AS Path. Please refer to its description above.
• Src. Application: select an application or an Application Factor from the Src. Application drop-down list. All defined applications and configured Application Factors are displayed here. Alternatively, click on the “Browse” button next to the drop-down list to select the source application by clicking on the radio and “Submit” buttons (the destination application can be selected at the same time through the “Browse” button). You can refer to the Browse Helper part in Snapshot for further operation.
• Dst. Application: same as Src. Application. Please refer to its description above.
• Router: select a router from the Router drop-down list. After you select a router, the Input Flow ifIndex and Output Flow ifIndex fields become available. You can enter flow ifIndexes directly or click on the “Browse” button next to the fields to select the source and destination flow ifIndexes by clicking on the radio and “Submit” buttons.
• TOS Value: check the check box and the drop-down lists of all values become configurable. Select the value for each bit of the TOS field in the IP header.
Note There are three values with different meanings for users to set: X—Ignore, 1—Flag On, and 0—Flag Off (Ignore: the system will not check this bit value; On: the system will collect the traffic information about the IP packets with the bit “On” in the TOS field; Off: the system will collect the traffic information about the IP packets with the bit “Off” in the TOS field).
• TCP Flag: check the check box and the drop-down lists of all flags become configurable. Select the value for each flag.
Note There are six types of TCP flags (URG, ACK, PSH, RST, SYN, and FIN in the TCP header) and three values with different meanings for users to set for each flag. The three values are: X—Ignore, 1—Flag On, and 0—Flag Off (Ignore: the system will not check this flag; On: the system will collect the traffic information about the TCP packets with the flag “On” in the TCP header; Off: the system will collect the traffic information about the TCP packets with the flag “Off” in the TCP header).
• IPv4 Next Hop: enter a next hop IP address in the Next Hop field.
• IPv4 BGP Next Hop: enter a BGP next hop IP address in the BGP Next Hop field.
• Avg. Packet Size: select an average packet size from the Avg. Packet Size drop-down list. The packet size segments are: 1536.
• ACL-Based sFlow Flag: select the value for the sFlow flag from the drop-down list. Three values with different meanings are available for the flag: X—Ignore, 1—Flag On, and 0—Flag Off.
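
“First Match in the Sequence” combined with the X/1/0 flag settings decides which flows a Filter collects, so it is worth replaying a planned expression list against a few known flows before relying on its reports. The Python code below is an added example, not GenieATM code: the `Expression` class and function names are hypothetical, plain prefixes stand in for IP Factors, and it assumes that a flow matching no expression is not selected.

```python
import ipaddress
from dataclasses import dataclass


def ternary(spec, width):
    """Compile an X/1/0 string (most significant bit first) into (mask, value)."""
    if len(spec) != width or set(spec) - set("X10"):
        raise ValueError(f"expected {width} characters from X, 1, 0: {spec!r}")
    mask = value = 0
    for ch in spec:
        mask = (mask << 1) | int(ch != "X")     # bit is checked unless Ignore
        value = (value << 1) | int(ch == "1")   # required state of a checked bit
    return mask, value


@dataclass
class Expression:
    rule: str                   # Matching Rule: "permit" or "deny"
    src: str = "0.0.0.0/0"      # stands in for a Src. IP Factor (assumption)
    dst: str = "0.0.0.0/0"      # stands in for a Dst. IP Factor (assumption)
    tcp_flags: str = "XXXXXX"   # URG ACK PSH RST SYN FIN, the TCP header bit order
    tos: str = "XXXXXXXX"       # eight TOS bits, most significant first

    def matches(self, flow):
        if ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        fmask, fvalue = ternary(self.tcp_flags, 6)
        # Assumption: an expression that checks TCP flags only matches TCP (protocol 6).
        if fmask and (flow["proto"] != 6 or (flow["tcp_flags"] & fmask) != fvalue):
            return False
        tmask, tvalue = ternary(self.tos, 8)
        return (flow["tos"] & tmask) == tvalue


def first_match(expressions, flow):
    """Index of the first expression that matches, in configured order, else None."""
    for index, expr in enumerate(expressions):
        if expr.matches(flow):
            return index
    return None


def selected(expressions, flow):
    """True when the first matching expression is a permit."""
    index = first_match(expressions, flow)
    # Assumption: a flow that matches no expression is not selected.
    return index is not None and expressions[index].rule == "permit"


# Constructed filter: SYN on and ACK off towards 203.0.113.0/24, except one probe host.
FILTER = [
    Expression("deny", src="192.0.2.10/32"),
    Expression("permit", dst="203.0.113.0/24", tcp_flags="X0XX1X"),
]

# Constructed flow records; tcp_flags is taken to be the cumulative OR of the
# flags seen in the flow, as in NetFlow v5 records.
FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.5", "proto": 6, "tcp_flags": 0x02, "tos": 0},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": 6, "tcp_flags": 0x02, "tos": 0},
    {"src": "198.51.100.8", "dst": "203.0.113.5", "proto": 6, "tcp_flags": 0x1B, "tos": 0},
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow["src"], first_match(FILTER, flow), selected(FILTER, flow))
    # Swapping the two expressions changes the result for the probe host.
    print(selected(FILTER[::-1], FLOWS[1]))
```

Because the first match wins, placing the deny after the permit would let the probe host's SYN-only flows into the report.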

To edit an expression
Click on a radio button in the Expression table list and press the “Edit” button above to open the Edit Filter Expression window. (See Figure 3.3.10-12)

Figure 3.3.10-12 System Admin / Network / Filter / Filter -- Edit Filter Expression Window
(Please refer to the previous “To add a Filter” section for your modification.)
Provide new information for the fields/options that you would like to modify and then click on the “Submit” button to complete the modification.

To delete an expression
Click on a radio button in the Expression table list and press the “Delete” button above to remove the expression from the table list. Once the “Delete” button is pressed, the selected expression is deleted right away.

To view the profile of an expression
Click on a radio button in the Expression table list and press the “View” button above to open the View Filter Expression window. (See Figure 3.3.10-13)

Figure 3.3.10-13 System Admin / Network / Filter / Filter -- View Filter Expression Window
The detailed information of the expression can be reviewed. Click on the “Cancel” button to close the View Filter Expression window.

7. Enable the traffic report and monitor for the Filter (Optional). You can enable or disable the traffic report by selecting “Enabled” or “Disabled” from the Report drop-down list located in the Traffic Report and Monitor block area (See Figure 4.64). The default value is “Disabled”. Once Traffic Report is enabled, the system generates traffic reports for the Filter, namely the Summary reports in Rule-based Report. If Traffic Report is not enabled, the system does not generate traffic reports but still collects the filtered traffic and saves it in the database for Snapshot’s use. As soon as you enable Traffic Report, its monitoring feature also becomes available. Select a baseline template configured in the system from the Baseline Template drop-down list next to the Report drop-down list for the Filter traffic report. If there is any traffic violation, an anomaly is generated and tracked by the system. You can enable the anomaly notification for the Filter through the Preferences/Notification/Filter function of System Admin. In addition, the system can also provide a report for the direction opposite to the Filter traffic report. Select “Enabled” from the Opposite Direction Report drop-down list and a baseline template from the next Baseline Template drop-down list to generate the opposite direction report if desired.
8. Configure TopN reports of a Filter (Optional). A TopN report of a Filter sorts the analyzed traffic results of a specific Filter by the aggregation elements of Source / Destination / Directionless. A configured and enabled TopN report can be viewed in the TopN Report sub menu of Rule-based Report. In total, up to 1024 rule-based TopN reports can be configured in the system. This step introduces how to add, edit, delete, and view a TopN report of a Filter.

To add a TopN report of a Filter
Click on the “Add” button above the TopN Report table list to open the Add Filter TopN window. (See Figure 3.3.10-14)

Figure 3.3.10-14 System Admin / Network / Filter / Filter -- Add Filter TopN Window
• Name: input a name for the TopN report. The name must be between 2 and 40 characters long. All characters are accepted except spaces and special characters (!@#$%^&?”’...).
• Status: select “Disabled” or “Enabled” from the Status drop-down list. This function allows you to activate or deactivate the rule-based TopN report whenever needed.
• Aggregation Keys: select an aggregation element from the text box. The aggregation elements include Source/Destination IP, Source/Destination Protocol/Port, Application on Source/Destination, TCP Flag, TOS Value, Protocol, Input/Output Interface, Router, and so on.
• Number of Top-N: select the N value of Top-N from the Number of Top-N drop-down list. The traffic statistics of these N entries are saved into the database and displayed in Rule-based reports. The available selections are 16 (default), 32, 64, 128, and 256.

To edit a TopN report of a Filter
Click on a radio button in the TopN Report table list and press the “Edit” button above to open the Edit Filter TopN window. (See Figure 3.3.10-15)

Figure 3.3.10-15 System Admin / Network / Filter / Filter -- Edit Filter TopN Window
(Please refer to the previous “To add a TopN report of a Filter” section for your modification.)
Note that the aggregation elements cannot be changed once the TopN report has been created. You have to create a new report to replace the one whose aggregation elements you want to change. Provide new information for the fields/options that you would like to modify and then click on the “Submit” button to complete the modification.

To delete a TopN report of a Filter
Click on a radio button in the TopN Report table list and press the “Delete” button above to remove the TopN report from the table list. Once the “Delete” button is pressed, the selected TopN report is deleted right away.

9. Select a Filter from the Total Traffic calculated on Filter drop-down list to replace the calculated total traffic of the TopN reports of the Filter being configured. (Optional) The default value is “Self”, which means the calculated total traffic is not replaced with any other Filter’s. If users choose to use another Filter’s total traffic, each TopN percentage value is derived with the replaced total as the divisor. With this function, users can easily use two Filters to customize an integrated report by defining some identical criteria but sieving out specific traffic to sort. For instance, two Filters “A” and “B” are configured with the same expressions (i.e. the same network cuts), but one more expression is added to Filter “A” to sieve out the traffic of specific source ASNs. By replacing the calculated total traffic of Filter A with Filter B’s, users obtain a TopN report of those specific ASNs, while the traffic percentage remains the proportion of the defined network cuts.
10. Click on the “Submit” button to complete the configuration.

To edit a Filter
Click on the “ ” icon to enter the Edit Filter window. (See Figure 3.3.10-16)

Figure 3.3.10-16 System Admin / Network / Filter / Filter -- Edit Filter Window
(Please refer to the previous “To add a Filter” section for the following steps of your modification.)
1. Provide new information for the fields that you would like to modify.
2. Click on the “Submit” button to complete the modification.
Note Users can still add a new filter by clicking on the “Save As New Filter” button after editing the filter.

To delete a Filter
1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “OK” button to remove the Filter from the system.

To view the profile of a Filter
The detailed information of the Filter can be reviewed. (See Figure 3.3.10-17)

Figure 3.3.10-17 System Admin / Network / Filter / Filter -- View Filter Window
1. Click on an ID or Name to enter the View Filter window. When you move the cursor over an ID/Name listed in the “ID/Name” column, the ID/Name under the cursor turns blue.
2. Click on the “Back to List” button to return to the Filter Management window.

3.3.10.3 Filter Batch

The Filter Batch function lets users generate filters in batches. Click on the Filter Batch sub-menu tab of Filter to enter the Filter Management window (See Figure 3.3.10-18). The most recently added entry is displayed in the first row of the list. The following sections introduce how to add and delete an entry.

Figure 3.3.10-18 System Admin / Network / Filter / Filter Batch Management window

To Add Batch Filters
Click on the “Add” button at the top of the Filter view list to enter the Batch Add Filter window. (See Figure 3.3.10-19)

Figure 3.3.10-19 System Admin / Network / Filter / Filter Batch – Batch Add Filter Window

1. Specify the traffic scope for analysis. First, select a network scope type from the Scope drop-down list and then specify a network entity from the other drop-down list. There are eight types of network scopes to select: Any, Any (Non-ACL-based sFlow), Home, Neighbor, Sub-network, Server-farm, Boundary and ACL-based sFlow. The network-entity drop-down list displays different network entities according to the scope type selected, except for “ANY”, “Any (Non-ACL-based sFlow)”, “Home”, and ACL-based sFlow (they do not need a network entity). The supported boundary scope includes Internet and Sub-network boundaries. The inspected traffic is restricted by the specified traffic scope (i.e. only traffic flows that belong to the specified scope are inspected by the traffic analysis of the Filter). A Browse function is provided here. Please refer to the Browse Helper part in Snapshot for details.
2. Configure expressions for constructing the Filter. Expressions are the basic elements inside the Filter and are used to sift traffic flows. In other words, they are the criteria configured in the Filter, and the criteria are the configured Factors (except those whose type is Application Factor) listed in the Available Factors box. Select the available Factors and click on the “Add” button next to the text box, Factors for the Source IP criteria, to add them as source criteria. Multiple Factors can be selected at the same time. After adding Factors as source criteria, perform the same action to add Factors as the destination criteria.
3. Specify the direction of Origin ASN for the Origin ASN TopN report of each filter. Select the direction from the drop-down list for the Origin ASN TopN report of each filter.
4. Click on the “Submit” button to complete the configuration.

The filters are generated by crossing the Factors: each generated filter pairs one source Factor with one destination Factor. In other words, when users specify three source Factors and two destination Factors to generate batch filters, six filters will be created.

To Delete Batch Filters
1. Check the box to select one or multiple filters and then click on the “Delete” button. A confirmation dialog box will pop up.
2. Click on the “OK” button to remove the Filter from the system.

3.3.11 Application

The Application menu allows users to organize several services (protocol + port) into an application. For example, users can define an FTP application which includes ftp-data (20/TCP, 20/UDP) and ftp (21/TCP, 21/UDP). The applications defined here are used for the Common Attribute Application reports. After clicking on the Application menu displayed on the Sub Menu tree of System Admin/Network at the left side of the screen, a page with the Application Management title will be shown (See Figure 3.3.11-1). Users can see some default applications provided by the system. The Protocol/Port column is presented as a list box, and users can read the data by moving the scroll bar. The following sections introduce how to add, edit, delete, and view an application.
Note
1. A search function is provided. It is located next to the “Add” button and above the view list. Users can use multiple search filters (ID, Application No., Channel No., Name, Port, or NPC Application ID) to quickly find a specific application among the many listed applications. Select a type of search filter in the Searching drop-down list, input a key word in the “for” blank, and then click on the “Go” button.
2. Page-control buttons are next to the “Go” button.
• “ | < ” button: to go to the first page.
• “ > ” button: to go to the next page.
• “ > | ” button: to go to the end page.
• The Page drop-down list: to go to a specific page selected from the drop-down list. The numerator represents the page you are going to list and the denominator represents the total pages.
3. Entries/Page drop-down list: to control the number of entries displayed per page of the Application view list. There are six options to select: 12, 25, 50, 100, 150, and 250. The number “25” with an asterisk is the default value.

Figure 3.3.11-1 System Admin / Network / Application Management Window

To add an application
Click on the “Add” button at the top of the Application view list to enter the Add System Application window. (See Figure 3.3.11-2)

Figure 3.3.11-2 System Admin / Network / Application -- Add System Application Window
1. Provide the application name. There are two ways to decide the application name. You can input a new application name, which is not yet defined in the system, in the New Application Name field. Note that the name must be between 2 and 40 characters long. All characters are accepted except spaces and special characters (!@#$%^&?”’...). Or you can select an existing application name from the Using Application Name drop-down list. Check the radio boxes to decide which way you are going to use. The name of the application you are adding is actually a combination of an application name and a channel name.
2. Enter the channel name in the Channel Name field. The channel name must be between 0 and 40 characters long. All characters are accepted except special characters (!@#$%^&?”’...). This channel name and the application name you entered or selected in the previous step form a combination name, and this combination name must be unique in the system. A channel name has to be provided, but it can be left blank once per application name, because the combination name must be unique in the system.
3. Select “Enabled” or “Disabled” from the Pre-defined Report drop-down list. This function allows you to activate or deactivate the applications whenever needed. Once you disable the applications, the Application traffic analyses of all attribute reports will not show the traffic statistics relevant to the disabled applications.
4. Enter additional information for the application in the Remarks field (Optional). Up to 400 characters are allowed.
5. Enter the application ID defined in the GenieNPC exporter. Once a GenieNPC application ID is configured for identifying an application, GenieATM will try to classify the Application traffic by matching the application ID information in the flow packets exported by GenieNPC. The available range is from 1 to 65535.
6. Add the services (protocol + port) for this application. Select the protocol by clicking on the radio button, then enter the port number or the message type/code, and then click on “ ” or “ Remove All ” button to remove the added service from the text box.
• Select a protocol from the drop-down list and click on the radio button to specify the port number. To add one port number, just select “Port Number” and enter the number. You can also enter a port range (continuous port numbers) at one time by selecting “Port Range”. To add a port range, enter the first number of the range in the first field and the last number of the range in the second field.
• The system allows you to further set the message type and code for various services of ICMP. You have to enter the message type and code if ICMP is selected.
7. Enter the IP prefixes/ranges desired (Optional). GenieATM provides IP prefixes/ranges as an extra criterion to define an application service, which means the system classifies the traffic by matching both the configured service (protocol + port) and the IP prefixes/ranges. Up to 128 IP prefixes or ranges are supported. You can enter one IP prefix per line (use the Enter key to create a new line) or separate multiple prefixes with commas. Please note that overlaps between the prefixes are not allowed.
8. Click on the “Submit” button after you finish adding all services to complete the configuration.

To edit an application
Click on the “ ” icon to enter the Edit System Application window. (See Figure 3.3.11-3)

Figure 3.3.11-3 System Admin / Network / Application -- Edit System Application Window
(Please refer to the previous “To add an application” section for the following steps of your modification.)
1. Provide new information for the fields/options that you would like to modify. Note that for the system built-in applications you can only enable or disable the Pre-defined Report function and modify the IP prefixes/ranges information; you are not allowed to modify their Detail settings.
2. Click on the “Submit” button to complete the modification.

To delete an application
1. Click on the delete icon “ ”. A Delete page with the detailed configuration will be shown. Note that if the user-defined application you are deleting is applied to any configuration, the system will not allow you to delete it and the “Submit” button will be unavailable. You have to change the applied configurations to another application before you delete this user-defined application.
2. Click on the “Submit” button to remove the user-defined application from the system.

To view the profile of an application
The detailed information of the application can be reviewed (See Figure 3.3.11-4).

Figure 3.3.11-4 System Admin / Network / Application -- View System Application Window
1. Click on an ID or Name to enter the View System Application window. When you move the cursor over an ID/Name listed in the “ID/Name” column, the ID/Name under the cursor turns blue.
2. Click on the “Back to List” button to return to the Application Management window.

3.3.12 Anomaly

The Anomaly menu allows users to manage anomaly signatures, which are used to define the traffic characteristics of known anomalies. In order to directly locate attacking and infected hosts, GenieATM adopts host-based anomaly traffic detection, which targets each host IP address to collect and analyze anomaly traffic. Two kinds of anomaly signatures are provided here, Protocol-Misuse Anomaly and Application Anomaly. As the names imply, the Protocol-Misuse anomaly signature is used to verify anomaly traffic caused by the misuse of communication protocols, and the Application anomaly signature is used to verify anomaly traffic caused by abnormal applications. After clicking on the Anomaly menu displayed on the Sub Menu tree of System Admin/Network at the left side of the screen, the Protocol-Misuse Anomaly Management window (the default window) will be shown. Users can see two sub-menu tabs, Protocol-Misuse Anomaly and Application Anomaly. (See Figure 3.3.12-1)

Figure 3.3.12-1 System Admin / Network / Anomaly / Protocol-Misuse Anomaly Management Window

3.3.12.1 Protocol-Misuse Anomaly

Once you click on the Anomaly menu, you directly enter the Protocol-Misuse Anomaly Management window. There are two parts in the management window. The first part is “Default for Home and User-defined Resources”, which defines the default Protocol-Misuse anomalies for the detection scopes of Home and user-defined resources; the second part is “Non-Home”, which defines the Protocol-Misuse anomalies for the detection scopes that do not belong to Home or user-defined resources. The information displayed in the Protocol-Misuse Anomaly view list includes two latency settings (Severity & Recover) and other information for each anomaly (No., ID, Name, Status, Event Threshold, and Unit). The Protocol-Misuse anomalies are built into the system, and users are unable to add or delete them. The built-in Protocol-Misuse anomalies of the system are as follows:
♦ TCP SYN Flooding
♦ IP Protocol Null
♦ TCP Flag Null or Misuse
♦ TCP Fragment
♦ UDP Fragment
♦ ICMP Misuse
♦ Land Attack
♦ TCP RST Flooding
♦ UDP Flooding
♦ Host Total Traffic
The following section introduces how to edit the Protocol-Misuse anomalies of the “Default for Home and User-defined Resources” and “Non-Home” parts.

To edit Protocol-Misuse anomalies for Default for Home and User-defined Resources part
Click on the “Edit” button of the Default for Home and User-defined Resources part to enter the Edit Protocol-Misuse Anomaly-Default for Home and User-defined Resources window. (See Figure 3.3.12-2) Note that the configurations here are the default settings of any newly added user-defined anomaly detection resource (Sub-network), but users can overwrite these default settings for each individual resource through its management window.

Figure 3.3.12-2 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Protocol-Misuse Anomaly-Default for Home and User-defined Resources Window
1. Select a time from the Severity Latency drop-down list. Severity Latency is a time period parameter that controls when an anomaly severity changes from YELLOW to RED. Once the detected traffic rate is higher than the configured event threshold, an anomaly event is generated with the anomaly severity YELLOW. If the detected event stays at the YELLOW level for a period longer than the configured severity latency, the anomaly severity becomes RED. The configurable values are from 2 to 30 (minutes), and Forever (the default is “3” minutes). If the severity latency is configured as Forever, there will be no RED anomaly.
2. Select a time from the Recover Latency drop-down list. Recover Latency is a time period parameter that controls when an anomaly recovers from YELLOW. When the detected traffic rate is lower than the configured anomaly threshold and stays there longer than the recover latency, the anomaly status is changed to “Recovered”. Its configurable values are from 2 to 30 (minutes).
3. Select “Disabled” from the Status drop-down list for a desired anomaly signature. This function allows you to activate or deactivate a Protocol-Misuse anomaly whenever needed. Once you disable the anomaly, the system will not check for this type of anomaly when analyzing the received traffic flows.
4. Modify the Event Threshold value for the desired anomaly. Input the Event Threshold value (only integers from 1 to 65535 are accepted) and select the unit from the Unit drop-down list (pps: packet per second; Kpps: kilopacket per second; Mpps: megapacket per second; Gpps: gigapacket per second). We recommend that you do not change the default settings of the built-in system anomalies unless necessary.
5. Click on the “Submit” button to complete the modification.
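
How the Severity Latency and Recover Latency interact with the Event Threshold can be replayed on per-minute rate samples before the settings are changed. The Python code below is an added example, not GenieATM's implementation: the function name and sample rates are constructed, and it assumes one sample per minute, that time in YELLOW keeps counting for as long as the event is open, and that recovery also closes a RED event.

```python
# Unit multipliers for the Event Threshold (assumption: kilo = 1000).
UNITS = {"pps": 1, "Kpps": 10**3, "Mpps": 10**6, "Gpps": 10**9}


def track_anomaly(rates_pps, threshold, unit, recover_latency, severity_latency=3):
    """Return the anomaly state after each one-minute sample.

    rates_pps         detected packet rates, one value per minute
    threshold, unit   Event Threshold (integer 1..65535) and its unit
    recover_latency   minutes below threshold before "Recovered" (2..30)
    severity_latency  minutes in YELLOW before RED (2..30), None for Forever
    """
    if not 1 <= threshold <= 65535:
        raise ValueError("Event Threshold must be an integer from 1 to 65535")
    if recover_latency not in range(2, 31):
        raise ValueError("Recover Latency must be 2 to 30 minutes")
    if severity_latency is not None and severity_latency not in range(2, 31):
        raise ValueError("Severity Latency must be 2 to 30 minutes or None")

    limit = threshold * UNITS[unit]
    state, in_yellow, below = "NORMAL", 0, 0
    timeline = []
    for rate in rates_pps:
        above = rate > limit
        if state in ("NORMAL", "RECOVERED"):
            # No open event: a rate above the threshold opens one as YELLOW.
            state = "YELLOW" if above else "NORMAL"
            in_yellow = below = 0
        else:
            # Open event: count consecutive minutes below the threshold.
            below = 0 if above else below + 1
            if below > recover_latency:
                state = "RECOVERED"
            elif state == "YELLOW":
                in_yellow += 1
                if severity_latency is not None and in_yellow > severity_latency:
                    state = "RED"
        timeline.append(state)
    return timeline


# Constructed samples: a sustained burst, and a single one-minute spike.
SUSTAINED = [500, 1500, 1600, 1700, 1800, 1900, 400, 300, 200, 100]
SPIKE = [1500, 200, 200, 200, 200]

if __name__ == "__main__":
    print(track_anomaly(SUSTAINED, 1000, "pps", recover_latency=2))
    print(track_anomaly(SUSTAINED, 1000, "pps", recover_latency=2, severity_latency=None))
    print(track_anomaly(SPIKE, 1000, "pps", recover_latency=2))
```

With Forever (`None`) the sustained burst never reaches RED, and the one-minute spike recovers before the severity latency elapses.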

To edit Protocol-Misuse anomalies for Non-Home part

Click on the “Edit” button of the Non-Home part to enter the Edit Protocol-Misuse Anomaly-Non-Home window (see Figure 3.3.12-3). Please refer to the “To edit Protocol-Misuse anomalies for Default for User-defined Resources” part above for details.

Figure 3.3.12-3 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Protocol-Misuse Anomaly-Non-Home Window

3.3.12.2 Application Anomaly

Application Anomaly Detection is designed with a global detection threshold for each application anomaly, unlike Protocol-Misuse Anomaly Detection, which allows users to override the default settings for each individual resource. In other words, users can override the default settings of application anomalies, and the changes apply to all host IP addresses of the configured detection scope rather than to individual resources. In addition, this function can download the latest definitions of system application anomaly signatures from the GenieATM definition update servers.

Click on the Application Anomaly sub-menu tab of Anomaly to enter the Application Anomaly Management window (see Figure 3.3.12-4). The window has three parts: Anomaly Update, Detection Scope, and the Application Anomaly view list. The Anomaly Update part indicates whether there are any new anomalies to update. The Detection Scope part shows the currently configured detection scope. The most recently added application anomaly is displayed in the first row of the list. The following sections describe how to edit the detection scope; how to update system application anomaly signatures; how to add, edit, and delete an application anomaly; and how to view the profile of an application anomaly.

Figure 3.3.12-4 System Admin / Network / Anomaly / Application Anomaly Management Window

Note: There are four built-in Application anomalies in the system: MS Blaster, Sasser, Code Red, and SQL Slammer. These four built-in Application anomalies cannot be removed from the system. We DO NOT recommend that users modify the definitions of the built-in Application anomalies unless it is necessary.

To Update System Application Anomaly Signatures

The GenieATM system provides not only the built-in system application anomaly signatures but also a remote update function for downloading the newest definitions from the GenieATM definition update servers. In the Anomaly Update block area (see Figure 3.3.12-4), an update message tells you whether new anomaly definitions are available to download, and two action buttons, “Update” and “Check”, perform the updating and checking jobs. If the auto-checking function is enabled (please refer to the Remote Update menu in the Preferences function), the system checks daily for new updates; you can also run the check manually by clicking on the “Check” button. Click on the “Update” button to download the latest system anomaly signature definitions when the system shows that new definitions are available. The new system anomaly signature definitions are added to the view list after downloading and take effect after a system configuration dispatch is executed.

To edit Application Anomaly’s Detection Scope

Click on the “Edit” button of the Detection Scope part to enter the Edit Detection Scope window (see Figure 3.3.12-5).

Figure 3.3.12-5 System Admin / Network / Anomaly / Application Anomaly -- Edit Detection Scope Window

1. Select a radio button to choose the desired detection scope. Three detection scopes are provided: User-defined Resources Only, Home, and Whole Internet. The User-defined Resources Only scope covers only the user-defined resources in the system, including the “Sub-Network” entity; the Home scope covers the entire Home network; the Whole Internet scope, as the name implies, covers the whole Internet. The default setting is “Home”.
2. Click on the “Submit” button to complete the modification.

To add an Application anomaly

Click on the “Add” button at the top of the Application Anomaly view list to enter the Add Application Anomaly window (see Figure 3.3.12-6).

Figure 3.3.12-6 System Admin / Network / Anomaly / Application Anomaly -- Add Application Anomaly Window

1. Enter the channel name in the Channel Name field. It must be at least 4 and at most 64 characters long. All characters are accepted except space and special characters (!@#$%^&?”’...). Choose a channel name that makes it easy to recognize which type of traffic attack the Application anomaly represents. (Application No. : Channel No.: the application and channel numbers that the system uses to identify the kind of application and channel. The application number for a Protocol-Misuse anomaly is “20000”.)
2. Select “Disabled” or “Enabled” from the Status drop-down list. This lets you activate or deactivate the Application anomaly at any time. Once an anomaly is disabled, the system does not check for this type of anomaly when analyzing the received traffic flows.
3. Enter additional information in the Remarks field if necessary. Up to 400 characters are allowed.
4. Specify the Attack Type, Worm or DDoS, from the drop-down list. If the Attack Type is set to Worm and the status is enabled, users can view the worm reports in the Anomaly Activities/Worm function.
5. Define the following traffic characteristics for the Application anomaly you are configuring.
• Number of Packets Per Flow: check on the check box and then the drop-down list of (=, >, , , ” button to get the current Guard’s information. The results of the SNMP query will be displayed in a yellow block at the upper-right side of the screen, including the Guard’s system object ID, description, name, and rhNESw version.
• Time Out of SNMP Polling: Select a time from the drop-down list. Users can manually configure how long to wait for each SNMP polling request. Available time selections are 1, 2, 3, 4, 5…., to 15 (seconds) and the default value is “5” seconds.
• Retries of SNMP Polling: Select a preference setting from the drop-down list. Users can also configure how many times SNMP polling is retried. If the collector does not get an SNMP polling response from the Guard within the configured time out, the system sends an SNMP polling request again. Available selections are 1, 2, and 3 (times) and the default value is “2” times.

Auto-Mitigation:
• Auto-mitigation: Select “Enabled” to perform the mitigation automatically; otherwise select “Disabled”. The default setting is “Disabled”.
• Triggered Severity: Select the severity, red or yellow, that triggers the auto-mitigation, if the auto-mitigation function is enabled.
• Bandwidth: Set the capacity of the Guard device. Once the volume of attacking traffic exceeds the capacity of the Guard device, the mitigation action will not be executed.
• Time Out: Set the time-out duration after which the mitigation action stops.
2. Click on the “Update” button displayed at the top of the Zone Table to get the latest configured zone information on the Guard. The Zone Table information includes No., Zone ID, Zone Name, Prefix #, Prefix, Status and Auto. Each zone has its own auto control. The system default is disabled.
3. Click on the “Submit” button to complete the configuration.

To edit a Guard

Click on the edit icon to enter the Edit Guard window (see Figure 3.5.2-3).

Figure 3.5.2-3 System Admin / Mitigation / Device / Cisco Guard -- Edit Guard Window

(Please refer to the previous “To add a Guard” section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)
1. Provide new information in the fields that you want to modify.
2. Click on the “Submit” button to complete the modification.

To delete a Guard

1. Click on the delete icon. A Delete page with the detailed configuration will be shown. The system will remind you that all configurations using this Guard will be affected if the Guard is deleted.
2. Click on the “Submit” button to remove the Guard from the system.

To view the profile of a Guard

The detailed information of the Guard can be reviewed (see Figure 3.5.2-4).

Figure 3.5.2-4 System Admin / Mitigation / Device / Cisco Guard -- View Guard Window

1. Click on an ID/Name to enter the View Guard window. When you move the cursor over an ID/Name listed in the “ID/Name” column, its color turns blue.
2. Click on the “Back to List” button to return to the Guard management window.

3.5.2.2 Eudemon

Click on Eudemon sub-menu to enter the Eudemon management window (See Figure 3.5.2-5). The latest added Eudemon will be displayed at the first row of the list. The following sections are going to introduce how to add, edit, and delete a Eudemon device, and how to view the profile of a Eudemon.

Figure 3.5.2-5 System Admin / Mitigation / Device / Eudemon -- Eudemon Management Window

To add a Eudemon

Click on the “Add” button at the top of the Eudemon view list to enter the Add Eudemon window (see Figure 3.5.2-6).

Figure 3.5.2-6 System Admin / Mitigation / Device / Eudemon -- Add Eudemon Window

1. Provide Eudemon information in the following fields: (The asterisk "*" indicates a mandatory field.)
• Name: Give a name for this Eudemon. (It is only for the purpose of identification.) The name must be between 2 and 40 characters long. All characters are accepted except space and special characters (!@#$%^&?”’...).
Note: The name must not duplicate a name already specified in the Blackhole or Device function.
• IP Address: The IP address of the Eudemon. The input format is “xxx.xxx.xxx.xxx”.
• Device Type: Select the device type from the drop-down list.

SSH:
• User Name: Enter the user name used to connect to the Eudemon device via the ssh tool.
• Password: Enter the password of the user name.
• Port: Enter the connecting port used by the ssh tool.

SNMP:
• Read Community String: The password to connect with the Eudemon. Enter the Eudemon’s SNMP read community string. Please note that the system will fail to get the Eudemon’s information if the read-only community string you provide is not correct. The string must be between 2 and 64 characters long.
• SNMP Version: Select the SNMP version used to contact the Eudemon. Note that this item is available only if the IP address and its community string are provided. Click on the “SNMP WALK >>” button to get the current Eudemon’s information. The results of the SNMP query will be displayed in a yellow block at the right side of the screen, including the Eudemon’s system object ID, description, and name.
• Time Out of SNMP Polling: Select a time from the drop-down list. Users can manually configure how long to wait for each SNMP polling request. Available time selections are 1, 2, 3, 4, 5…., to 15 (seconds) and the default value is “5” seconds.
• Retries of SNMP Polling: Select a preference setting from the drop-down list. Users can also configure how many times SNMP polling is retried. If the collector does not get an SNMP polling response from the Eudemon within the configured time out, the system sends an SNMP polling request again. Available selections are 1, 2, and 3 (times) and the default value is “2” times.

Auto-Mitigation:
• Auto-mitigation: Select “Enabled” to perform the mitigation action automatically; otherwise select “Disabled”. The default setting is “Disabled”.
• Triggered Severity: Select the severity, red or yellow, that triggers the auto-mitigation, if the auto-mitigation function is enabled.
• Bandwidth: Set the capacity of the Eudemon device. Once the volume of attacking traffic exceeds the capacity of the Eudemon device, the mitigation action will not be executed.
• Time Out: A time period that controls when to stop the mitigation action. When the traffic drop rate of the victim IP is extremely low and stays that way for longer than the configured recovery latency, the mitigation action will end.
• Protect zone: Enter the IP Prefix for protection.
2. Click on the “Submit” button to complete the configuration.

To edit a Eudemon

Click on the edit icon to enter the Edit Eudemon window (see Figure 3.5.2-7).

Figure 3.5.2-7 System Admin / Mitigation / Device / Eudemon -- Edit Eudemon Window

(Please refer to the previous “To add a Eudemon” section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)
1. Provide new information in the fields that you want to modify.
2. Click on the “Submit” button to complete the modification.

To delete a Eudemon

1. Click on the delete icon. A Delete page with the detailed configuration will be shown. The system will remind you that all configurations using this Eudemon will be affected if the Eudemon is deleted.
2. Click on the “Submit” button to remove the Eudemon from the system.

To view the profile of a Eudemon

The detailed information of the Eudemon can be reviewed (see Figure 3.5.2-8).
1. Click on an ID/Name to enter the View Eudemon window. When you move the cursor over an ID/Name listed in the “ID or Name” column, its color turns blue.
2. Click on the “Back to List” button to return to the Eudemon management window.

Figure 3.5.2-8 System Admin / Mitigation / Device / Eudemon -- View Eudemon Window

3.5.2.3 Global

Click on the Global sub-menu tab to enter the SSH Public Key Generation window (see Figure 3.5.2-9). If users want to use SSH to access their mitigation device, the SSH key generated here should be copied into both the mitigation device and GenieATM. In GenieATM, users should copy the key into the Host Key field of the mitigation device management window (such as the Guard management window). After you click on the “Generate SSH Key Pair” button, the system takes a couple of minutes to generate the SSH key, and a message reports whether the generation is processing, completed, or failed. When the generation is completed, the new SSH key is displayed in the SSH Public Key text field, together with a time stamp showing when the key was generated. Please see Figure 3.5.2-10 for a completed example.

Figure 3.5.2-9 System Admin / Mitigation / Global / SSH Public Key Window

Figure 3.5.2-10 System Admin / Mitigation / Global / SSH Public Key Window

3.6 Preferences

The Preferences menu allows users to define the preferred parameters and templates that can be applied in the system. It includes ten sub menus: Status, Storage, Report, Notification, Name Mapping, Group, Baseline History, Offline Report, and Remote Update. These sub menus appear when users click on the unfolding mark of Preferences.

Note: Only a user with the authority of “administrator” can access all functions of the Preferences menu. A user with the authority defined by template, “superuser”, can access only the Notification, Group, Baseline History, and Offline Report functions in Preferences, and the view-only user and the Sub-Network user cannot access any of them.

3.6.1 Status

The Status menu here is the sub-function in Preferences (not the Status menu on the Main Menu tree). This function allows administrators to set the parameters for the Status Summary page (under the Main Menu tree of Status). Click on the Status menu in the Sub Menu tree of Preferences at the left side of the screen to enter the Status Parameter management window (see Figure 3.6.1-1).

Figure 3.6.1-1 System Admin / Preferences / Status Parameter Management Window

To edit the Status preferences

Click on the “Edit” button at the right side; a management window will pop up (see Figure 3.6.1-2).
1. Select your preferred time period from the Status Page Refresh Period drop-down list. The selected time period decides how frequently the Status Summary page is refreshed. The selectable values are 1, 2, 3 … to 10 (the unit is “minute”; the default is “1” minute).
2. Select the maximum number of the latest ongoing Anomalies to display from the Maximum Number of Most Recent Ongoing Anomalies drop-down list. The selectable values are 3, 4, 5 … to 20 (default is “5”).
3. Select the maximum number of the latest alerts to display from the Maximum Number of Most Recent Alerts Displayed drop-down list. The selectable values are 3, 4, 5 … to 30 (default is “10”).
4. Click on the check box to enable the system to play the alarm sound if needed.
5. Select from the drop-down list the time for the system to detect new anomalies.
6. Click on the “Submit” button to complete the modification.

Figure 3.6.1-2 System Admin / Preferences / Status -- Edit Status Parameter Window

3.6.2 Storage

The Storage menu gives administrators a tool to manage the storage of analysis reports and logs. It can prevent the system from running out of disk storage space. There are five parts: Disk Usage, Report Data, Alert Log, Anomaly Log, and Login Log. The Disk Usage part configures when the automatic DB purging process is triggered and when the purging process halts. The Report Data part configures how long the different types of reports (daily, weekly, monthly, and yearly) are preserved in the DB once the automatic DB purging process is triggered; the preservation duration of each period type can be configured separately. The Alert Log part configures the maximum preservation period and amount for system alert logs. The Anomaly Log part configures the maximum preservation period and amount for anomaly event logs. The Login Log part configures the maximum preservation period and amount for login logs. The following sections describe how to set up the parameters of these five parts.

Click on the Storage menu in the Sub Menu tree of Preferences at the left side of the screen to enter the Storage Management window (see Figure 3.6.2-1).

Figure 3.6.2-1 System Admin / Preferences / Storage Management Window

To edit the preferences for Disk Usage

1. Click on the “Edit” button at the right side of the Disk Usage block area; a management window will pop up (see Figure 3.6.2-2).
2. Enter a percentage in the “When the Disk Usage Is More Than” field. The system starts the automatic purging process once the DB space usage reaches the configured percentage. The default value is 90% (the upper limit of disk storage usage).
3. Enter a percentage in the “Purge Data Until” field. The system stops the DB purging process once the DB space usage is no higher than the configured percentage. The default value is 60%.
4. Click on the “Submit” button to complete the modification.

Figure 3.6.2-2 System Admin / Preferences / Storage -- Edit Disk Usage Window

To edit the preferences for Report Data

1. Click on the “Edit” button at the right side of the Report Data block area; a management window will pop up (see Figure 3.6.2-3).
2. Select your preferred duration for each period type of report from the drop-down lists. A number with an asterisk represents a default value. Daily reports can be preserved from 1 to 45 days (default is “10” days). Weekly reports can be preserved from 1 to 52 weeks (default is “8” weeks). Monthly reports can be preserved from 1 to 24 months (default is “12” months). Yearly reports can be preserved from 1 to 5 years (default is “1” year).
3. Click on the “Submit” button to complete the modification.

Figure 3.6.2-3 System Admin / Preferences / Storage -- Edit Report Data Window

To edit the preferences for Alert Log

1. Click on the “Edit” button at the right side of the Alert Log block area; a management window will pop up (see Figure 3.6.2-4).
2. Select how long alert logs are preserved from the Preserved Alert Log drop-down list. Alert logs can be preserved from 1 to 180 days (default is “14” days).
3. Select the maximum number of preserved alert log entries from the drop-down list. The configurable values are 1000, 2000, 3000 … to 10000 (default is “3000”).
4. Click on the “Submit” button to complete the modification.

Note: Users can query all the alert logs stored in the database via the Alert Log function of Status.

Figure 3.6.2-4 System Admin / Preferences / Storage -- Edit Alert Log Window

To edit the preferences for Anomaly Log

1. Click on the “Edit” button at the right side of the Anomaly Log block area; a management window will pop up (see Figure 3.6.2-5).
2. Select how long anomaly logs are preserved from the Preserved Anomalies drop-down list. Anomaly logs can be preserved from 1 to 12 months (default is “1” month).
3. Select the maximum number of preserved anomaly log entries from the drop-down list. The configurable values are 1000, 2000, 3000 … to 10000 (default is “1000”).
4. Click on the “Submit” button to complete the modification.

Note: Users can query all the anomaly logs stored in the database via the Anomaly Console function of Status.

Figure 3.6.2-5 System Admin / Preferences / Storage -- Edit Anomaly Log Window

To edit the preferences for Login Log

1. Click on the “Edit” button at the right side of the Login Log block area; a management window will pop up (see Figure 3.6.2-6).
2. Select how long login logs are preserved from the Preserved Login Log drop-down list. Notification logs can be preserved from 30 to 180 days (default is “30” days).
3. Select the maximum number of preserved login log entries from the drop-down list. The configurable values are 1000, 2000, 3000 … to 10000 (default is “1000”).
4. Click on the “Submit” button to complete the modification.

Figure 3.6.2-6 System Admin / Preferences / Storage -- Edit Login Log Window

3.6.3 Report

The Report menu allows administrators to set the maximum number of displayed entries for the pre-defined TopN reports (Internet, Neighbor, Backbone, Router, Interface, and Sub-Network) and for the detailed anomaly traffic analysis report. Click on the Report menu in the Sub Menu tree of Preferences at the left side of the screen to enter the Report Parameter management window (see Figure 3.6.3-1).

Figure 3.6.3-1 System Admin / Preferences / Report Parameter Management Window

To edit the Pre-defined TopN Report preferences

1. Click on the “Edit” button at the right side; a management window will pop up (see Figure 3.6.3-2).
2. Select the maximum number of displayed entries of the TopN report from the Pre-defined TopN Report drop-down list. The selectable values are 10, 20, 25, 30, 35, 40, 45, 50, 75, 100, and 128 (default is “25”). The report displays up to the configured number of entries. However, if the database holds fewer entries than that, the system displays only the entries saved in the database.
3. Click on the “Submit” button to complete the modification.

Figure 3.6.3-2 System Admin / Preferences / Report -- Edit Pre-defined TopN Report Parameter Window

To edit the Default Tab Activated of Report Table

Users can select the preferred report table as the default one when displaying a report.
1. Click on the “Edit” button at the right side; a management window will pop up (see Figure 3.6.3-3).
2. Select your preferred report table as the default one. The selectable values are Average, Current and Maximum (default is “Average”).
3. Click on the “Submit” button to complete the modification.

Figure 3.6.3-3 System Admin / Preferences / Report -- Edit Report Parameter Window

To edit the Rule-Based Report Label

1. Click on the “Edit” button at the right side; a management window will pop up (see Figure 3.6.3-4).
2. Type the alphabetic descriptions of the bi-directional Y-axis labels for all report charts displayed in the Rule-Based report.
3. Click on the “Submit” button to complete the modification.

Figure 3.6.3-4 System Admin / Preferences / Report -- Edit Rule-Based Report Label Window

To edit the Anomaly Traffic Analysis report preferences

The GenieATM system provides a detailed traffic analysis report for every Anomaly event that occurs, and users can set the maximum number of displayed entries of the analysis statistics by configuring the preference here.
1. Click on the “Edit” button at the right side; a management window will pop up (see Figure 3.6.3-5).
2. Select the maximum number of displayed entries of the TopN report from the Anomaly Traffic Detail Report drop-down list. The selectable values are from 5 to 16 (default is “5”).
3. Click on the “Submit” button to complete the modification.

Figure 3.6.3-5 System Admin / Preferences / Report -- Edit Detail Anomaly Traffic Analysis Report Parameter Window

3.6.4 Notification

The Notification menu allows administrators to configure the settings of the system alert and anomaly event notifications. Three notification methods are supported: Email, SNMP Trap, and Syslog. Email and SNMP Trap, but not Syslog, can be configured through the Web UI. Please refer to the GenieATM CLI Command Reference document for the relevant configurations of Syslog.

The Notification function is divided into five parts: System Notification -- includes parameters of overall notification sending and system-related alert notifications; Router Notification -- provides parameter configurations of router relevant alert and anomaly notifications; Sub-Network Notification -- provides parameter configurations of anomaly notification relevant to Sub-Network; MSP Customer Notification -- provides parameter configurations of anomaly notification relevant to MSP Customers; Filter Notification -- provides parameter configurations of anomaly notification relevant to Filters.

Note: The MSP Customer tab is not shown when the system does not support the MSP module (value-added function).

After you click on the Notification menu in the Sub Menu tree of Preferences at the left side of the screen, the System Notification Configuration window (the default window) is shown. The sub-menu tabs System, Router, Sub-Network, MSP Customer, and Filter appear at the top of the screen (see Figure 3.6.4-1).

Figure 3.6.4-1 System Admin / Preferences / Notification / System Notification Configuration Window

3.6.4.1 System Notification

Once you click on the Notification menu, you directly enter the System Notification Configuration window. It includes two parts: the Email Notification part registers the parameters for sending email, and the Trap Notification part configures the SNMP community string that will be used for sending SNMP traps.

To edit the Email Notification

Click on the “Edit” button at the right side of the Email Notification block area; a management window will pop up (see Figure 3.6.4-2).

Figure 3.6.4-2 System Admin / Preferences / Notification / System -- Edit Email Notification Window

1. Set the action, Enabled or Disabled, for receiving the Email Notification.
2. Enter an email address which will be used as the sender of the notification email. Please follow the format [email protected] with no space inside. This email account must be a valid email account.
3. Enter the IP address of the email (SMTP) server which will be used to send the alert notifications for all events.
4. Enter the user name used to authenticate to the SMTP server.
5. Enter the password of the user name.
6. From the drop-down list, select the user group that will receive the email notification. The maintainer can specify a “user group” in User function in the System Admin/ Preference/ Group function.
7. Select how the notification is displayed in the email. There are two options, Pop up login page and Direct to Report page, and the factory default is “Direct to Report page”. In addition, users can set whether the report is linked via HTTP or HTTPS.
8. Select the display format, TEXT or HTML, used to present the content of the Notification mail.
9. Enter the subject description of the Notification Mail.
10. Enter the subject description of the Offline Report Mail.
11. Select the language type from the drop-down list. There are four languages for selection and the factory default is Western (ISO-8859-1). The specified language is used for the Notification mail and the Offline Report mail.
12. Click on the “Submit” button to complete the configuration.

To edit the Trap Notification

Click on the “Edit” button at the right side of the Trap Notification block area; a management window will pop up (see Figure 3.6.4-3).

Figure 3.6.4-3 System Admin / Preferences / Notification / System -- Edit Trap Notification Window

1. Select “Disabled” or “Enabled” to disable or enable the notification sending via email from the Email Notification drop-down list. The default value is “Disabled”.
2. Enter the IP address that the system sends traps to.
3. Enter the read-only community string for the SNMP trap which will be applied to all notifications. The string must be between 1 and 40 characters long. (Default is “public”)
4. Click on the “Submit” button to complete the configuration.

3.6.4.2 Router Notification

Click on Router sub-menu tab to enter the Router Notification Configuration window. (See Figure 3.6.4-4) The information displayed in the Router Notification view list includes No., Router Name, IP Address, Email Notification [Enabled; User Group], and Resource Importance. All routers configured in the system (in the Network/Router function of System Admin) will be shown in this view list. Users can edit the notification’s parameters for each router here.

Figure 3.6.4-4 System Admin / Preferences / Notification / Router Notification Configuration Window

To edit a Router Notification

Click on the edit icon to enter the Edit Router Notification Configuration window (see Figure 3.6.4-5).

Figure 3.6.4-5 System Admin / Preferences / Notification / Router -- Edit Router Notification Configuration Window 1. Select “Disabled” or “Enabled” to disable or enable the notification sending via email from the Email Notification drop-down list. The default value is “Disabled”. 2. Select a user group from the drop-down list of “User Group to Receive Email Notification”. All user groups configured in the Group/User function of Preferences will be shown in this drop-down list. The default value is “None”. Please note that if you have selected to enable the Email notification, you have to choose a user group. Otherwise, the system will send the Email notification to nowhere. 3. Select an importance level for the router from the Resource Importance drop-down list. There are two importance levels, Regular and High (Default is “Regular”). This configuration parameter works with the User Group’s email notification configurations to determine whether the email notification will be sent under different situation. 4. Click on “ Submit ” button to complete the configuration. 151


3.6.4.3 Sub-Network Notification

Click on the Sub-Network sub-menu tab to enter the Sub-Network Notification Configuration window. (See Figure 3.6.4-6) The information displayed in the Sub-Network Notification configuration view list includes No., Name, Email Notification [Enabled; User Group], and Resource Importance. All Sub-Networks configured in the system (in the Network/Sub-Network function of System Admin) are shown in this configuration view list. Users can edit the notification’s parameters for each Sub-Network here.

Figure 3.6.4-6 System Admin / Preferences / Notification / Sub-Network Notification Configuration Window

To edit a Sub-Network Notification

Click on the “ ” icon to enter the Edit Sub-Network Notification Configuration window. (See Figure 3.6.4-7)

Figure 3.6.4-7 System Admin / Preferences / Notification / Sub-Network -- Edit Sub-Network Notification Configuration Window

1. Select “Disabled” or “Enabled” from the Email Notification drop-down list to disable or enable sending notifications via email. The default value is “Disabled”.
2. Select a user group from the “User Group to Receive Email Notification” drop-down list. All user groups configured in the Group/User function of Preferences are shown in this drop-down list. The default value is “None”. Note that if you enable the email notification, you must choose a user group; otherwise, the system has no recipient to send the email notification to.
3. Select an importance level for the Sub-Network entity from the Resource Importance drop-down list. There are two importance levels, Regular and High (default is “Regular”). This parameter works together with the User Group’s email notification configuration to determine whether an email notification is sent in a given situation.
4. Click on the “ Submit ” button to complete the configuration.


3.6.4.4 MSP Customer Notification

Click on the MSP Customer sub-menu tab to enter the MSP Customer Notification Configuration window. (See Figure 3.6.4-8) Users can only edit the notification’s parameters for sending notifications to the specified MSP Customer.

Figure 3.6.4-8 System Admin/Preference/Notification/MSP Customer – MSP Customer Notification Configuration Window

To edit an MSP Customer Notification

Click on the " " icon to enter the Edit MSP Customer Notification Configuration window. (See Figure 3.6.4-9)

1. Select the action, “Disabled” or “Enabled”, for sending notifications via email. The default value is “Disabled”.
2. The system displays only the “default user group” for selection. MSP customers with Customer Admin and Customer Superuser privileges belong to the default user group of this customer. The system admin can add or delete users from the default user group listed in the System Admin/Preference/Group/MSP Customer User function.
3. Select an importance level for the Customer entity from the Resource Importance drop-down list. There are two importance levels, Regular and High (default is “Regular”). This parameter works together with the User Group’s email notification configuration to determine in which situations an email notification is sent.
4. Click on the " Submit " button to complete the configuration.

Figure 3.6.4-9 System Admin/Preference/Notification/MSP Customer – Edit MSP Customer Notification Configuration Window


3.6.4.5 Filter Notification

Click on Filter sub-menu tab to enter the Filter Notification Configuration window. (See Figure 3.6.4-10) The information displayed in the Filter Notification view list includes No., Name, Email Notification [Enabled; User Group], and Resource Importance. All Filters configured in the system (in the Network/Filter function of System Admin) will be shown in this view list. Users can edit the notification’s parameters for each Filter here.

Figure 3.6.4-10 System Admin / Preferences / Notification / Filter Notification Configuration Window

To edit a Filter Notification

Click on the “ ” icon to enter the Edit Filter Notification Configuration window. (See Figure 3.6.4-11)

Figure 3.6.4-11 System Admin / Preferences / Notification / Filter -- Edit Filter Notification Configuration Window

1. Select “Disabled” or “Enabled” from the Email Notification drop-down list to disable or enable sending notifications via email. The default value is “Disabled”.
2. Select a user group from the “User Group to Receive Email Notification” drop-down list. All user groups configured in the Group/User function of Preferences are shown in this drop-down list. The default value is “None”. Note that if you enable the email notification, you must choose a user group; otherwise, the system has no recipient to send the email notification to.
3. Select an importance level for the Filter from the Resource Importance drop-down list. There are two importance levels, Regular and High (default is “Regular”). This parameter works together with the User Group’s email notification configuration to determine whether an email notification is sent in a given situation.
4. Click on the “ Submit ” button to complete the configuration.


3.6.5 Name Mapping

The Name Mapping menu allows administrators to maintain and configure the name mapping of Services, Protocols, ASNs (Autonomous System Numbers), Area and IP to Area. (A “service” here is a combination of protocol and port number.) This mapping information is used in reports. Built-in mappings are provided, but the system also allows users to create and update name mappings.

After clicking on the Name Mapping menu displayed in the Sub Menu tree of Preferences at the left side of the screen, the Service management window (the default window) is shown. Users can see its sub-menu tabs, Service, Protocol, ASN, Area, and IP to Area, at the top of the screen. (See Figure 3.6.5-1)

Note
1. A search function is provided. It is located next to the “ Add ” button and above the view list. Users can use multiple search filters (Protocol, Port, Name, AS Number, Display Name, or Registered Name) to quickly find a specific service, protocol, or ASN in the view list. Select a type of search filter in the Searching drop-down list, enter a keyword in the “for” field, and then click on the “ Go ” button.
2. Page-control buttons are next to the “ Go ” button.
• “ | ” button: to go to the next page.
• “ >| ” button: to go to the end page.
• The Page drop-down list: to go to a specific page selected from the drop-down list. The numerator represents the page you are going to list and the denominator represents the total number of pages.
3. Entries/Page drop-down list: to control the number of entries displayed per page of the Application view list. There are four options to select: 15, 30, 60, and 120. The number “15” with an asterisk is the default value.

Figure 3.6.5-1 System Admin / Preferences / Name Mapping / Service Management Window


3.6.5.1 Services

Once you click on Name Mapping menu, you will directly enter the Service management window. The information displayed in the Service view list includes No., Protocol, Port, and Name. The following sections are going to introduce how to add, edit, and delete a service.

To add a service

Click on the “ Add ” button at the top of the Service view list to enter the Add Service Name window. (See Figure 3.6.5-2)

Figure 3.6.5-2 System Admin / Preferences / Name Mapping / Service -- Add Service Name Window

1. Provide the service information in the following fields. (The asterisk "*" indicates a mandatory field.)
• Name: Give a name for this service. The number of characters entered must be between 1 and 64. All characters are accepted except space and special characters (!@#$%^&?”’...).
• Protocol: Enter the protocol number. Only integers from 0 to 255 are accepted.
• Port: Enter the port number. Only integers from 0 to 65535 are accepted.
Note: The system will reject your submission if the service (protocol and port) you add duplicates an existing configuration.
2. Click on the “ Submit ” button to complete the configuration.

To edit a service

Click on the “ ” icon to enter the Edit Service Name window. (See Figure 3.6.5-3)

Figure 3.6.5-3 System Admin / Preferences / Name Mapping / Service -- Edit Service Name Window

(Please refer to the previous “To add a service” section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)

1. Enter a new name if necessary.
2. Click on the “ Submit ” button to complete the modification.

To delete a service

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the service from the system.

3.6.5.2 Protocols

Click on Protocol sub-menu tab to enter the Protocol management window. (See Figure 3.6.5-4) The information displayed in the Protocol view list includes No., Protocol, and Name. The following sections are going to introduce how to add, edit, and delete a protocol.

Figure 3.6.5-4 System Admin / Preferences / Name Mapping / Protocol Management Window

To add a protocol

Click on the “ Add ” button at the top of the Protocol view list to enter the Add Protocol Name window. (See Figure 3.6.5-5)

Figure 3.6.5-5 System Admin / Preferences / Name Mapping / Protocol -- Add Protocol Name Window

1. Provide the protocol information in the following fields. (The asterisk "*" indicates a mandatory field.)
• Name: Give a name for this protocol. The number of characters entered must be between 1 and 64. All characters are accepted except space and special characters (!@#$%^&?”’...).
• Protocol: Enter the protocol number. Only integers from 0 to 255 are accepted.
Note: The system will reject your submission if the protocol you add duplicates an existing configuration.
2. Click on the “ Submit ” button to complete the configuration.

To edit a protocol

Click on the “ ” icon to enter the Edit Protocol Name window. (See Figure 3.6.5-6)

Figure 3.6.5-6 System Admin / Preferences / Name Mapping / Protocol -- Edit Protocol Name Window

(Please refer to the previous “To add a protocol” section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)

1. Enter a new name if necessary.
2. Click on the “ Submit ” button to complete the modification.

To delete a protocol

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the protocol from the system.

3.6.5.3 ASNs

Click on the ASN sub-menu tab to enter the ASN management window. (See Figure 3.6.5-7) The information displayed in the ASN view list includes No., AS Number, Display Name, and Registered Name. The following sections introduce how to add, edit, and delete an ASN.

Figure 3.6.5-7 System Admin / Preferences / Name Mapping / ASN management Window

To add an ASN

Click on the “ Add ” button at the top of the ASN view list to enter the Add ASN Name window. (See Figure 3.6.5-8)

Figure 3.6.5-8 System Admin / Preferences / Name Mapping / ASN -- Add ASN Window

1. Provide the AS number information in the following fields. (The asterisk "*" indicates a mandatory field.)
• Display Name: Give a name for this AS number. This name will be displayed in reports. The number of characters entered must be between 1 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
• AS Number: Enter the AS number. Only integers from 0 to 65535 are accepted.
• Registered Name: Enter the registered name of the AS number. The number of characters entered must be between 1 and 256.
Note: The system will reject your submission if the AS number you add duplicates an existing configuration.
2. Click on the “ Submit ” button to complete the configuration.

To edit an ASN

Click on the “ ” icon to enter the Edit ASN Name window. (See Figure 3.6.5-9)

Figure 3.6.5-9 System Admin / Preferences / Name Mapping / ASN -- Edit ASN Name Window

(Please refer to the previous “To add an ASN” section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)

1. Enter a new display name if desired.
2. Enter a new registered name if necessary.
3. Click on the “ Submit ” button to complete the modification.

To delete an ASN

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the ASN from the system.

3.6.5.4 Area

Click on Area sub-menu tab to enter the Area management window. (See Figure 3.6.5-10) The information displayed in the Area view list includes No., Code2, Code3 and Area. The following sections are going to introduce how to add, edit, and delete a configuration of Area.

Figure 3.6.5-10 System Admin / Preferences / Name Mapping / Area Management Window

To add an area

Click on the “ Add ” button at the top of the Area view list to enter the Add Area management window. (See Figure 3.6.5-11)

Figure 3.6.5-11 System Admin / Preferences / Name Mapping / Area -- Add Area management Window

1. Provide the area information in the following fields. (The asterisk "*" indicates a mandatory field.)
• Code2: Give an abbreviation name for this Area. The number of characters entered must be between 1 and 5. All characters are accepted except space and special characters (!@#$%^&?”’...).
• Code3: Enter the abbreviation name of the Area. The number of characters entered must be between 1 and 64. All characters are accepted except space and special characters (!@#$%^&?”’...).
• Area: Enter the area’s full name.
Note: The system will reject your submission if any field you add duplicates an existing configuration.
2. Click on the “ Submit ” button to complete the configuration.


To edit an area

Click on the “ ” icon to enter the Edit Area management window. (See Figure 3.6.5-12)

Figure 3.6.5-12 System Admin / Preferences / Name Mapping / Area -- Edit Area management window

(Please refer to the previous “To add an area” section for the following steps of your modification. The asterisk "*" indicates a mandatory field.)

1. Enter new data in the Code3 or Area field if desired.
2. Click on the “ Submit ” button to complete the modification.

To delete an area

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the entry from the system.

3.6.5.5 IP to Area

Click on IP to Area sub-menu tab to enter the IP to Area management window. (See Figure 3.6.5-13) The information displayed in the IP to Area view list includes No., Begin IP, End IP, Area Code and Area. The following section is going to introduce how to import the aggregation data about IP to Area.

Figure 3.6.5-13 System Admin / Preferences / Name Mapping / IP to Area Management Window

To import the ip-to-area database

Click on the “ Import ” button above the IP to Area view list to enter the Import IP-to-Area management window. (See Figure 3.6.5-14)

1. Click on the “ Browse… ” button; a pop-up window then lets you select the CSV file.

Note
• The web site http://ip-to-country.webhosting.info/node/view/6 is one of the sources from which users can download the IP-to-Country database. In addition, please make sure that the file size is less than 8 Mbytes.
• The format of the imported CSV file is as follows:

Field Name     Data Type            Field Description
IP_FROM        numerical (Double)   Beginning of IP address range
IP_TO          numerical (Double)   Ending of IP address range
CODE2          char(2)              Two-character country code based on ISO 3166
CODE3          char(3)              Three-character country code based on ISO 3166
Country Name   varchar(50)          Country name is based on ISO 3166

Note that all IP address ranges recorded in the IP_FROM and IP_TO fields are represented as IP numbers, which are the numeric representation of the dotted IP address. The formula to convert an IP address of the form A.B.C.D to an IP number is as follows:

IP Number = A x (256*256*256) + B x (256*256) + C x 256 + D

2. Click on the “ Submit ” button to import the data.

Figure 3.6.5-14 System Admin / Preferences / Name Mapping / IP to Area – Import IP-to-Area management Window
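
The following Python sketch is an added example, not part of the GenieATM manual or product: it applies the manual's IP-number formula and CSV field definitions to check a downloaded file before it is imported. The function names, the strict integer parsing, the letters-only code check and the overlap check are assumptions of this example, and the sample rows are constructed.

```python
import csv
import io
import ipaddress

MAX_FILE_BYTES = 8 * 1024 * 1024  # manual: file size must be less than 8 Mbytes
MAX_IP_NUMBER = 2**32 - 1         # largest IPv4 address expressed as an IP number


def ip_to_number(dotted):
    """Convert A.B.C.D with the manual's formula."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(
        p.isascii() and p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts
    ):
        raise ValueError(f"not a dotted IPv4 address: {dotted!r}")
    a, b, c, d = (int(p) for p in parts)
    return a * (256 * 256 * 256) + b * (256 * 256) + c * 256 + d


def number_to_ip(number):
    """Inverse conversion, used to make error messages readable."""
    return str(ipaddress.IPv4Address(number))


def parse_ip_number(field):
    """Return the IP number held in a CSV field, or None if it is not one.

    Assumption: only plain decimal integers are accepted, although the
    manual types the column as "numerical (Double)".
    """
    if field.isascii() and field.isdigit() and len(field) <= 10:
        value = int(field)
        if value <= MAX_IP_NUMBER:
            return value
    return None


def is_code(value, length):
    """Assumption: country codes are ASCII letters of the exact length."""
    return len(value) == length and value.isascii() and value.isalpha()


def validate_ip_to_area_csv(data):
    """Check raw CSV bytes; return (valid_rows, errors)."""
    if len(data) >= MAX_FILE_BYTES:
        return [], ["file must be smaller than 8 Mbytes"]
    rows, errors = [], []
    reader = csv.reader(io.StringIO(data.decode("utf-8", errors="replace")))
    try:
        for recno, rec in enumerate(reader, start=1):
            if not rec:
                continue  # blank line
            if len(rec) != 5:
                errors.append(f"record {recno}: expected 5 fields, got {len(rec)}")
                continue
            ip_from, ip_to, code2, code3, name = (f.strip() for f in rec)
            lo, hi = parse_ip_number(ip_from), parse_ip_number(ip_to)
            problems = []
            if lo is None:
                problems.append("IP_FROM is not an IP number")
            if hi is None:
                problems.append("IP_TO is not an IP number")
            if lo is not None and hi is not None and lo > hi:
                problems.append(
                    f"range runs backwards ({number_to_ip(lo)} > {number_to_ip(hi)})")
            if not is_code(code2, 2):
                problems.append("CODE2 must be 2 letters")
            if not is_code(code3, 3):
                problems.append("CODE3 must be 3 letters")
            if not 1 <= len(name) <= 50:
                problems.append("Country Name must be 1 to 50 characters")
            if problems:
                errors.append(f"record {recno}: " + "; ".join(problems))
            else:
                rows.append({"record": recno, "ip_from": lo, "ip_to": hi,
                             "code2": code2, "code3": code3, "name": name})
    except csv.Error as exc:
        errors.append(f"CSV parse error near line {reader.line_num}: {exc}")
    # Added sanity check (not stated in the manual): ranges must not overlap.
    widest = None
    for cur in sorted(rows, key=lambda r: r["ip_from"]):
        if widest is not None and cur["ip_from"] <= widest["ip_to"]:
            errors.append(
                f"records {widest['record']} and {cur['record']}: "
                f"ranges overlap at {number_to_ip(cur['ip_from'])}")
        if widest is None or cur["ip_to"] > widest["ip_to"]:
            widest = cur
    return rows, errors


# Constructed sample: records 1-3 are well formed (2 and 3 overlap),
# record 4 is reversed, record 5 uses a dotted address, record 6 swaps the codes.
SAMPLE_CSV = (
    b'"16777216","16777471","AU","AUS","AUSTRALIA"\n'
    b'"16777472","16778239","CN","CHN","CHINA"\n'
    b'"16778000","16779263","AU","AUS","AUSTRALIA"\n'
    b'"3232235776","3232235521","ZZ","ZZZ","REVERSED RANGE"\n'
    b'"10.0.0.0","167772415","XX","XXX","DOTTED NOT NUMBER"\n'
    b'"16779264","16781311","CHN","CN","SWAPPED CODES"\n'
)

if __name__ == "__main__":
    good, problems_found = validate_ip_to_area_csv(SAMPLE_CSV)
    print(f"{len(good)} usable rows")
    for message in problems_found:
        print(message)
```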


3.6.6 Group

The Group menu allows users to aggregate multiple entities as a resource group, such as a user group, router group, sub-network group, server-farm group, neighbor group, Filter group and MSP Customer User group. With this function, operating the system and managing the network resources becomes easier and more flexible. Every kind of Group has a built-in group called “All”, which contains all created objects of that object type. For instance, the “All” group of User contains all created (registered) user accounts in the system. These “All” groups cannot be added, modified, or removed manually.

After clicking on the Group menu displayed in the Sub Menu tree of Preferences at the left side of the screen, the User Group Management window (the default window) is shown. Users can see the sub-menu tabs, User, Router, Sub-Network, Server-farm, Neighbor, Filter, and MSP Customer User, at the top of the screen. (See Figure 3.6.6-1)

Note: Besides administrators, users with the template-defined authority “superuser” can also access the Group menu.

Figure 3.6.6-1 System Admin / Preferences / Group / User Group Management Window

3.6.6.1 User

Once you click on Group menu, you will directly enter the User Group Management window. The information displayed in the User Group view list includes No., Group ID, and Group Name, User, and User #. (The User # is the total users of the user group.) The following sections are going to introduce how to add, edit, and delete a user group and how to view the profile of a user group.

To add a user group

Click on the “ Add ” button at the top of the User Group view list to enter the Add User Group window. (See Figure 3.6.6-2)

Figure 3.6.6-2 System Admin / Preferences / Group / User -- Add User Group Window

1. Enter a name for this user group in the Name field. Give a meaningful name that represents the user group you are adding. The number of characters entered must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Select users for this group from the Available User list box. You can select a user in the Available User list box each time and then click on “ ” button to remove one selected user per time or “ Remove All ” button to remove all selected users at a time from the left-hand Group list box. All registered users in the system are displayed in the Available User list box.
3. Provide the notification configurations for the user group.
• Minimum Severity to Receive Email Notification for High Importance Resource: Select a severity level from the “Minimum Severity to Receive Email Notification For High Importance Resource” drop-down list. The system sends email notifications for high importance resources when the event severity level is equal to or above the selected level.
• Minimum Severity to Receive Email Notification for Regular Importance Resource: Select a severity level from the “Minimum Severity to Receive Email Notification For Regular Importance Resource” drop-down list. The system sends email notifications for regular importance resources when the event severity level is equal to or above the selected level.
• Receive Email for Recovery: Select “Disabled” or “Enabled” from the “Receive Email for Anomaly Recovery” drop-down list to disable or enable the system sending email notifications to the user group.
4. Click on the “ Submit ” button to complete the configuration.

To edit a user group

Click on the “ ” icon to enter the Edit User Group window. (See Figure 3.6.6-3)

Figure 3.6.6-3 System Admin / Preferences / Group / User -- Edit User Group Window

(Please refer to the previous “To add a user group” section for the following steps of your modification.)

1. Enter a new name for the user group if desired.
2. Add/Remove the users for the group if necessary.
3. Modify the Notification configurations for the group if necessary.
4. Click on the “ Submit ” button to complete the modification.

To delete a user group

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the user group from the system.

To view the profile of a user group

The detailed information shows the information of all members of a user group. (See Figure 3.6.6-4)

Figure 3.6.6-4 System Admin / Preferences / Group / User -- View User Group Window

1. Click on a (User) Group ID or Group Name to enter the View User Group window. When you move the cursor to the ID/Name listed in the “Group ID/Group Name” column, the color of the pointed ID/Name turns blue. The View User Group window displays the following information:
• Name: name of the user group you selected to view.
• User ID: user ID of each member in the group.
• User Name: detailed user name of each member in the group.
• Minimum Severity to Receive Email Notification for High Importance Resource: Please refer to the “To add a user group” section for details.
• Minimum Severity to Receive Email Notification for Regular Importance Resource: Please refer to the “To add a user group” section for details.
• Receive Email for Recovery: Please refer to the “To add a user group” section for details.
2. Click on the “ Back to List ” button to return to the User Group Management window.


3.6.6.2 Router

Click on Router sub-menu tab to enter the Router Group Management window. (See Figure 3.6.6-5) The information displayed in the Router Group view list includes No., Group ID, and Group Name, Router, and Router #. (The Router # is the total routers of the router group.) The following sections are going to introduce how to add, edit, and delete a router group and how to view the profile of a router group.

Figure 3.6.6-5 System Admin / Preferences / Group / Router Group Management Window

To add a router group

Click on the “ Add ” button at the top of the Router Group view list to enter the Add Router Group window. (See Figure 3.6.6-6)

Figure 3.6.6-6 System Admin / Preferences / Group / Router -- Add Router Group Window

1. Enter a name for this router group in the Name field. Give a meaningful name that represents the router group you are adding. The number of characters entered must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Select routers for this group from the Available Router list box. You can select a router in the Available Router list box each time and then click on “ ” button to remove one selected router per time or “ Remove All ” button to remove all selected routers at a time from the left-hand Group list box. All registered routers in the system are displayed in the Available Router list box.
3. Click on the “ Submit ” button to complete the configuration.

To edit a router group

Click on the “ ” icon to enter the Edit Router Group window. (See Figure 3.6.6-7)

Figure 3.6.6-7 System Admin / Preferences / Group / Router -- Edit Router Group Window

(Please refer to the previous “To add a router group” section for the following steps of your modification.)

1. Enter a new name for the router group if desired.
2. Add/Remove the routers for the group if necessary.
3. Click on the “ Submit ” button to complete the modification.

To delete a router group

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the router group from the system.

To view the profile of a router group

The detailed information shows the information of all routers in a router group. (See Figure 3.6.6-8)

Figure 3.6.6-8 System Admin / Preferences / Group / Router -- View Router Group Window

1. Click on a (Router) Group ID or Group Name to enter the View Router Group window. When you move the cursor to the ID/Name listed in the “Group ID/Group Name” column, the color of the pointed ID/Name turns blue. The View Router Group window displays the following information:
• Name: name of the router group you selected to view.
• Router ID: router ID of each member in the group.
• Router Name: name of each router in the group.
• IP Address: the router’s IP address.
2. Click on the “ Back to List ” button to return to the Router Group Management window.

3.6.6.3 Sub-Network

Click on Sub-Network sub-menu tab to enter the Sub-Network Group Management window. (See Figure 3.6.6-9) The information displayed in the Sub-Network Group view list includes No., Group ID, and Group Name, Sub-Network, and Sub-Network #. (The Sub-Network # is the total sub-networks of the sub-network group.) The following sections are going to introduce how to add, edit, and delete a sub-network group and how to view the profile of a sub-network group.

Figure 3.6.6-9 System Admin / Preferences / Group / Sub-Network Group Management Window

To add a sub-network group

Click on the “ Add ” button at the top of the Sub-Network Group view list to enter the Add Sub-Network Group window. (See Figure 3.6.6-10)

Figure 3.6.6-10 System Admin / Preferences / Group / Sub-Network -- Add Sub-Network Group Window

1. Enter a name for this sub-network group in the Name field. Give a meaningful name that represents the sub-network group you are adding. The number of characters entered must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Select sub-networks for this group from the Available Sub-Network list box. You can select a sub-network in the Available Sub-Network list box each time and then click on “ ” button to remove one selected sub-network per time or “ Remove All ” button to remove all selected sub-networks at a time from the left-hand Group list box. All registered sub-networks in the system are displayed in the Available Sub-Network list box.
3. Click on the “ Submit ” button to complete the configuration.

To edit a sub-network group

Click on the “ ” icon to enter the Edit Sub-Network Group window. (See Figure 3.6.6-11)

Figure 3.6.6-11 System Admin / Preferences / Group / Sub-Network -- Edit Sub-Network Group Window

(Please refer to the previous “To add a sub-network group” section for the following steps of your modification.)

1. Enter a new name for the sub-network group if desired.
2. Add/Remove the sub-networks for the group if necessary.
3. Click on the “ Submit ” button to complete the modification.

To delete a sub-network group

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the sub-network group from the system.

To view the profile of a sub-network group

The detailed information shows the information of all sub-networks in a sub-network group. (See Figure 3.6.6-12)

Figure 3.6.6-12 System Admin / Preferences / Group / Sub-Network -- View Sub-Network Group Window

1. Click on a (Sub-Network) Group ID or Group Name to enter the View Sub-Network Group window. When you move the cursor to the ID/Name listed in the “Group ID/Group Name” column, the color of the pointed ID/Name turns blue. The View Sub-Network Group window displays the following information:
• Name: name of the sub-network group you selected to view.
• Sub-Network ID: sub-network ID of each member in the group.
• Sub-Network Name: name of each sub-network in the group.
2. Click on the “ Back to List ” button to return to the Sub-Network Group Management window.

3.6.6.4 Server-farm

Click on Server-farm sub-menu tab to enter the Server-farm Group Management window. (See Figure 3.6.6-13) The information displayed in the Server-farm Group view list includes No., Group ID, and Group Name, Server-farm, and Server-farm #. (The Server-farm # is the total server-farms of the server-farm group.) The following sections are going to introduce how to add, edit, and delete a server-farm group and how to view the profile of a server-farm group.

Figure 3.6.6-13 System Admin / Preferences / Group / Server-farm Group Management Window

To add a server-farm group

Click on the “ Add ” button at the top of the Server-farm Group view list to enter the Add Server-farm Group window. (See Figure 3.6.6-14)

Figure 3.6.6-14 System Admin / Preferences / Group / Server-farm -- Add Server-farm Group Window

1. Enter a name for this server-farm group in the Name field. Give a meaningful name that represents the server-farm group you are adding. The number of characters entered must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Select server-farms for this group from the Available Server-farm(s) list box. You can select a server-farm in the Available Server-farm list box each time and then click on “ ” button to remove one selected server-farm per time or “ Remove All ” button to remove all selected server-farms at a time from the left-hand Group list box. All registered server-farms in the system are displayed in the Available Server-farm list box.
3. Click on the “ Submit ” button to complete the configuration.

To edit a server-farm group

Click on the “ ” icon to enter the Edit Server-farm Group window. (See Figure 3.6.6-15)

Figure 3.6.6-15 System Admin / Preferences / Group / Server-farm -- Edit Server-farm Group Window

(Please refer to the previous “To add a server-farm group” section for the following steps of your modification.)

1. Enter a new name for the server-farm group if desired.
2. Add/Remove the server-farms for the group if necessary.
3. Click on the “ Submit ” button to complete the modification.

To delete a server-farm group

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on the “ OK ” button to remove the server-farm group from the system.

To view the profile of a server-farm group

The detailed information shows the information of all server-farms in a server-farm group. (See Figure 3.6.6-16)

Figure 3.6.6-16 System Admin / Preferences / Group / Server-farm -- View Server-farm Group Window


1. Click on a (Server-farm) Group ID or Group Name to enter the View Server-farm Group window. When you move the cursor to the ID/Name listed in the “Group ID/Group Name” column, the color of the pointed ID/Name turns blue. The View Server-farm Group window displays the following information:
• Name: name of the server-farm group you selected to view.
• Server-farm ID: server-farm ID of each member in the group.
• Server-farm Name: name of each server-farm in the group.
2. Click on the “ Back to List ” button to return to the Server-farm Group Management window.

3.6.6.5 Neighbor

Click on the Neighbor sub-menu tab to enter the Neighbor Group Management window. (See Figure 3.6.6-17) The information displayed in the Neighbor Group view list includes No., Group ID, Group Name, Neighbor, and Neighbor #. (The Neighbor # is the total number of neighbors in the neighbor group.) The following sections introduce how to add, edit, and delete a neighbor group and how to view the profile of a neighbor group.

Figure 3.6.6-17 System Admin / Preferences / Group / Neighbor Group Management Window

To add a neighbor

Click on “ Add ” button at the top of the Neighbor Group view list to enter the Add Neighbor Group window. (See Figure 3.6.6-18)

Figure 3.6.6-18 System Admin / Preferences / Group / Neighbor -- Add Neighbor Group Window


1. Enter a name for this neighbor group in Name field. You can give a meaningful name that can represent the neighbor group you are adding. The number of inputted characters must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Select neighbors for this group from the Available Neighbor list box. You can select a neighbor in the Available Neighbor list box each time and then click on “ ” button to remove one selected neighbor per time or “ Remove All ” button to remove all selected neighbors at a time from the left-hand Group list box. All registered neighbors in the system will be displayed in the Available Neighbor list box.
3. Click on “ Submit ” button to complete the configuration.

To edit a neighbor group

Click on “ ” icon to enter the Edit Neighbor Group window. (See Figure 3.6.6-19)

Figure 3.6.6-19 System Admin / Preferences / Group / Neighbor -- Edit Neighbor Group Window

(Please refer to the previous “To add a neighbor group” section for the following steps of your modification.)

1. Enter a new name for the neighbor group if desired.
2. Add/Remove the neighbors for the group if necessary.
3. Click on “ Submit ” button to complete the modification.

To delete a neighbor group

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on “ OK ” button to remove the neighbor group from the system.


To view the profile of a neighbor group

The detailed view shows the information of every neighbor in a neighbor group. (See Figure 3.6.6-20)

Figure 3.6.6-20 System Admin / Preferences / Group / Neighbor -- View Neighbor Group Window

1. Click on a (Neighbor) Group ID or Group Name to enter the View Neighbor Group window. When you move the cursor to the ID/Name listed in the “Group ID/Group Name” column, the color of the pointed ID/Name will turn into blue. The View Neighbor Group window will display the following information:
• Name: name of the neighbor group you selected to view.
• Neighbor ID: neighbor ID of each member in the group.
• Neighbor Name: name of each neighbor in the group.
2. Click on “ Back to List ” button to return to the Neighbor Group Management window.


3.6.6.6 Filter

Click on the Filter sub-menu tab to enter the Filter Group Management window. (See Figure 3.6.6-21) The information displayed in the Filter Group view list includes No., Group ID, Group Name, Filter, and Filter #. (The Filter # is the total number of Filters in the Filter group.) The following sections introduce how to add, edit, and delete a Filter group and how to view the profile of a Filter group.

Figure 3.6.6-21 System Admin / Preferences / Group / Filter Group Management Window

To add a Filter

Click on “ Add ” button at the top of the Filter Group view list to enter the Add Filter Group window. (See Figure 3.6.6-22)

Figure 3.6.6-22 System Admin / Preferences / Group / Filter -- Add Filter Group Window

1. Enter a name for this Filter group in Name field. You can give a meaningful name that can represent the Filter group you are adding. The number of inputted characters must be between 2 and 40. All characters are accepted except space and special characters (!@#$%^&?”’...).
2. Select Filters for this group from the Available Filter list box. You can select a Filter in the Available Filter list box each time and then click on “ ” button to remove one selected Filter per time or “ Remove All ” button to remove all selected Filters at a time from the left-hand Group list box. All registered Filters in the system will be displayed in the Available Filter list box.
3. Click on “ Submit ” button to complete the configuration.


To edit a Filter group

Click on “ ” icon to enter the Edit Filter Group window (See Figure 3.6.6-23).

Figure 3.6.6-23 System Admin / Preferences / Group / Filter -- Edit Filter Group Window

(Please refer to the previous “To add a Filter group” section for the following steps of your modification.)

1. Enter a new name for the Filter group if desired.
2. Add/Remove the Filters for the group if necessary.
3. Click on “ Submit ” button to complete the modification.

To delete a Filter group

1. Click on the delete icon “ ”. A confirmation dialog box will pop up.
2. Click on “ OK ” button to remove the Filter group from the system.

To view the profile of a Filter group

The detailed view shows the information of every Filter in a Filter group. (See Figure 3.6.6-24)

Figure 3.6.6-24 System Admin / Preferences / Group / Filter -- View Filter Group Window

1. Click on a (Filter) Group ID or Group Name to enter the View Filter Group window. When you move the cursor to the ID/Name listed in the “Group ID/Group Name” column, the color of the pointed ID/Name will turn into blue. The View Filter Group window will display the following information:
• Name: name of the Filter group you selected to view.
• Filter ID: Filter ID of each member in the group.
• Filter Name: name of each Filter in the group.
2. Click on “ Back to List ” button to return to the Filter Group Management window.


3.6.6.7 MSP Customer User

After clicking on MSP Customer User tab in the System Admin/Preference/Group menu at the left side of the screen, the MSP Customer User Group Management window will be shown (see the figure 3.6.6-25). The fields of MSP Customer User view list include No., Group ID, Group Name, User, and User # (The User # shows the total Users in the User group). Please refer to the following section to modify the contents of the MSP Customer User group.

Figure 3.6.6-25 System Admin / Preferences / Group / MSP Customer User -- MSP Customer User Group Management Window

To edit a MSP Customer User group

Click on “ ” icon to enter the Edit MSP Customer User Group window (as shown in the figure 3.6.6-26).

1. Select users from the Available User(s) text box. You can select a user listed in the Available User text box and then click on “ ” button to remove one selected user per time or “ Remove All ” button to remove all selected users at a time from the left-hand Group list box. All users created in the System Admin/User function will be displayed in the Available User list box.
Note: The admin role of this MSP Customer group is listed in the text box below with the white background, and it cannot be modified.
2. Provide the notification configurations for the user group.
• Minimum Severity to Receive Email Notification For High Importance Resource: Select a severity level from the drop-down list of “Minimum Severity to Receive Email Notification For High Importance Resource”. The system will send out email notifications for high importance resources when the event severity level is equal to or above the selected level.
• Minimum Severity to Receive Email Notification For Regular Importance Resource: Select a severity level from the drop-down list for “Minimum Severity to Receive Email Notification For Regular Importance Resource”. The system will send out email notifications for regular importance resources when the event severity level is equal to or above the selected level.
• Receive Email for Recovery: Select “Disabled” or “Enabled” to disable or enable system sending email notifications to the user groups.
3. Click on “ Submit ” button to complete the configuration.


Figure 3.6.6-26 System Admin / Preferences / Group / MSP Customer User -- Edit MSP Customer User Group Window

To view the profile of a MSP Customer User group

The information of all members of a MSP Customer User group is shown in detail.

1. Click on a Group ID or Group Name to enter the View MSP User Group window (see figure 3.6.6-27). When you move the cursor to the ID/Name listed in the “Group ID/Group Name” column, the color of the pointed ID/name will turn into blue.
2. Click on “ Back to List ” button to return to the MSP Customer User Group Management window.

Figure 3.6.6-27 System Admin / Preferences / Group / MSP Customer User -- View MSP Customer User Group Window

3.6.7 Baseline History

The Baseline History menu provides users with the historical results of the auto-learning traffic baseline over the past N days (up to 30 days) for all existing Sub-Network, MSP Customer, and Filter entities in the system. It also allows users to delete daily auto-learned baseline values that are confirmed to come from attacks that happened during the learning period, so that improper statistics are manually excluded. As a result, the auto-learning traffic baseline is not greatly distorted by past attacks and remains adaptive.

After clicking on the Baseline History menu displayed on the Sub Menu tree of Preferences at the left side of the screen, the Sub-Network Baseline History window (the default entered window) will be shown. Users can see the sub-menu tabs, Sub-Network, MSP Customer, and Filter, appearing above the screen. (See Figure 3.6.7-1)

Note
• In addition to administrators, a user with the “superuser” authority (defined by template) can also access the Baseline History menu.
• A searching function and page-control buttons are provided. Please refer to the Note descriptions in the Sub-Network sub menu of the Network function for the operation.

Figure 3.6.7-1 System Admin / Preferences / Baseline History / Sub-Network Baseline History Window

3.6.7.1 Sub-Network Baseline History

The information displayed in the Baseline History view list of Sub-Network includes No., ID, (Sub-network) Name, Resource Importance, and Traffic Anomaly - Sub-Network [Incoming / Outgoing] (See Figure 3.6.7-1). The activation status in the Incoming / Outgoing field indicates whether the anomaly detection is enabled or disabled for the specific Sub-Network entity. The detected results of traffic anomaly detection will be shown in the Traffic Anomaly Detection table in detail (See Figure 3.6.7-2).

Figure 3.6.7-2 System Admin / Preferences / Baseline History / Sub-Network -- View Baseline History Window


Viewing the baseline history of a Sub-Network

1. Click on a (Sub-Network) ID or Name to enter the View Baseline History window of Sub-Network. When you move the cursor to the ID/Name listed in the “ID/Name” column, the color of the pointed ID/Name will turn into blue. The View Baseline History window will display the following information:

List Table
This part is on the top of the screen. It shows the activation status of anomaly detection of the selected Sub-Network entity.

Traffic Anomaly Detection View List
If the Traffic anomaly detection is enabled for this Sub-Network entity (in System Admin/Network/Sub-Network function) and the baseline template is configured as auto (in Baseline function in System Admin/Network/Template menu), the historical baseline values will be displayed in this area. Only the Traffic Anomaly Detection information is shown here because only it can use the auto-learning (dynamic) traffic baseline. The others, Protocol-Misuse and Application Anomaly Detections, can only use a fixed traffic baseline. Each row of the table displays the historical learned traffic baseline values (in each unit configured in the baseline template) of the last N days (N is the configured Learning Period value of the auto traffic baseline in question). For every daily value learned, there is a check box for users to select or deselect the value (Default is “selected”). Once users deselect a daily value, that value will not be used as a traffic baseline. In addition, a hyperlink is provided for you to view the detailed configuration of traffic anomaly detection by clicking on Traffic Anomaly Detection’s Incoming / Outgoing. The “ Clear All Baseline History ” button can be used to clear all baseline history.

2. Click on “ Back to List ” button to return to the Baseline History window of Sub-Network.

3.6.7.2 MSP Customer Baseline History

The information displayed in the Baseline History view list of MSP Customer (See Figure 3.6.7-1). The activation status shown in the “Traffic Anomaly-SubNetwork [Incoming / Outgoing]” field indicates whether the anomaly detection is enabled or disabled for the specific MSP Customer entity. The detected results of traffic anomaly detection will be shown in the Traffic Anomaly Detection table in detail (See Figure 3.6.7-3).

Figure 3.6.7-3 System Admin / Preferences / Baseline History / MSP Customer Baseline History Window


Figure 3.6.7-4 System Admin / Preferences / Baseline History / MSP Customer -- View Baseline History Window

Viewing the baseline history of a MSP Customer

1. Click on a (MSP Customer) ID or Name to enter the View Baseline History window of MSP Customer. When you move the cursor to the ID/Name listed in the “ID/Name” column, the color of the pointed ID/Name will turn into blue. The View Baseline History window will display the following information:

List Table
This part is on the top of the screen. It shows the activation status of anomaly detection of the selected MSP Customer entity.

Traffic Anomaly Detection View List
If the Traffic anomaly detection is enabled for this MSP Customer entity (in System Admin/Network/MSP Customer function) and the baseline template is configured as auto (in Baseline function in System Admin/Network/Template menu), the historical baseline values will be displayed in this area. Only the Traffic Anomaly Detection information is shown here because only it can use the auto-learning (dynamic) traffic baseline. The others, Protocol-Misuse and Application Anomaly Detections, can only use a fixed traffic baseline. Each row of the table displays the historical learned traffic baseline values (in each unit configured in the baseline template) of the last N days (N is the configured Learning Period value of the auto traffic baseline in question). For every daily value learned, there is a check box for users to select or deselect the value (Default is “selected”). Once users deselect a daily value, that value will not be used as a traffic baseline. In addition, a hyperlink is provided for you to view the detailed configuration of traffic anomaly detection by clicking on Traffic Anomaly Detection’s Incoming / Outgoing. The “ Clear All Baseline History ” button can be used to clear all baseline history.

2. Click on “ Back to List ” button to return to the Baseline History window of Sub-Network.


3.6.7.3 Filter Baseline History

Click on Filter sub-menu tab to enter the Filter Baseline History window. (See Figure 3.6.7-5) The information displayed in the Baseline History view list of Filter includes No., ID, (Filter) Name, Resource Importance, and Baseline Template [Filter; Opposite]. The columns of Filter and Opposite show which baseline templates the Filter Traffic Anomaly used. The detected results of traffic anomaly detections will be shown in the Baseline History table in detail (See Figure 3.6.7-6).

Figure 3.6.7-5 System Admin / Preferences / Baseline History / Filter Baseline History Window

Figure 3.6.7-6 System Admin / Preferences / Baseline History / Filter -- View Baseline History Window

Viewing the baseline history of a Filter

1. Click on a (Filter) ID or Name to enter the View Baseline History window of Filter. When you move the cursor to the ID/Name listed in the “ID/Name” column, the color of the pointed ID/Name will turn into blue. The View Baseline History window will display the following information:

List Table
This part is on the top of the screen. It shows the activation statuses of anomaly detection of the selected Filter.

Baseline History Area
If the Traffic anomaly detection of Filter direction is enabled for this Filter (in Filter function in System Admin/Network/Filter menu) and the adopted baseline template is configured as auto (in Baseline function in the System Admin/Network/Template menu), the historical baseline values will be displayed in this area. Each row of the table displays the historical learned peak traffic values (in each unit configured in the baseline template) of the last N days (N is the configured Learning Period value of the auto traffic baseline in question). For every daily value learned, there is a check box for users to select or deselect the value (Default is “selected”). Once users deselect a daily value, that value will not be used as a traffic baseline. In addition, a hyperlink is provided for you to view the detailed configuration of traffic anomaly detection by clicking on the Filter’s directions, Filter and Opposite. Users can also click on the “ Clear All Baseline History ” button to clear all baseline history.

2. Click on “ Back to List ” button to return to the Baseline History window of Filter.
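The effect of deselecting a learned daily value, shown as an added example that is not part of the manual or of GenieATM's code. The manual does not state how the selected daily values are combined or how the alert threshold is derived, so the averaging rule, the `tolerance` multiplier, the outlier check and all sample values are assumptions made for illustration.

```python
from statistics import mean, median

# Constructed sample: one learned daily value (Mbps) per day of a 7-day
# Learning Period. "day-4" is a constructed attack day that was auto-learned.
LEARNED = {
    "day-1": 410.0, "day-2": 395.0, "day-3": 420.0, "day-4": 2900.0,
    "day-5": 405.0, "day-6": 415.0, "day-7": 400.0,
}


def baseline(learned, deselected=()):
    """Combine the daily values whose check box is still selected.

    Assumption: the selected values are averaged; the manual does not
    state the combining rule the product uses.
    """
    skip = set(deselected)
    kept = [value for day, value in learned.items() if day not in skip]
    if not kept:
        raise ValueError("every daily value is deselected; no baseline left")
    return mean(kept)


def exceeds(traffic, base, tolerance=1.5):
    """Hypothetical detection rule: alert when traffic > tolerance * baseline."""
    return traffic > tolerance * base


def review_candidates(learned, cutoff=3.5):
    """Days whose value is a robust outlier (modified z-score on median/MAD).

    These are candidates for an operator to confirm as attacks before
    deselecting them; the check itself is not a GenieATM feature.
    """
    values = list(learned.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # More than half of the days are identical: flag anything that differs.
        return [day for day, v in learned.items() if v != med]
    return [day for day, v in learned.items()
            if 0.6745 * abs(v - med) / mad > cutoff]


if __name__ == "__main__":
    suspects = review_candidates(LEARNED)
    poisoned = baseline(LEARNED)
    cleaned = baseline(LEARNED, deselected=suspects)
    later_burst = 900.0  # constructed traffic level observed after learning
    print("days to review:", suspects)
    print("baseline with attack day: %.1f, alert on burst: %s"
          % (poisoned, exceeds(later_burst, poisoned)))
    print("baseline without it:      %.1f, alert on burst: %s"
          % (cleaned, exceeds(later_burst, cleaned)))
```

With the attack day left selected, the inflated baseline lets the later 900 Mbps burst pass unnoticed; once it is deselected the same burst crosses the threshold.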


3.6.8 Offline Report

The Offline Report menu allows users to configure schedule templates, which decide when to send out offline reports, to enable the generation of offline reports for Sub-Network entities, and to delete the added offline reports. GenieATM now provides offline reports in HTML format via email delivery only. For most reports under the Sub-Network Main Menu, users whose privilege is sub-network can create offline reports with specific conditions (please go to the Sub-Network menu to create offline reports). With the Offline Report function, users can conveniently obtain the reports of Sub-Network entities on a regular time schedule via email without on-line access.

Note: If the sub-network is enabled to generate offline reports, the users with the Sub-Network authority can specify the offline reports in the Report/Sub-network function. For the configuration of offline reports, please refer to the Report/Sub-Network section.

After clicking on the Offline Report menu displayed on the Sub Menu tree of Preferences at the left side of the screen, the Scheduler Template management window (the default entered window) will be shown. Users can see three sub-menu tabs, Scheduler and Sub-Network, appearing above the screen. (See Figure 3.6.8-1)

Note: In addition to administrators, a user with the “superuser” authority (defined by template) can also access the Offline Report menu.

Figure 3.6.8-1 System Admin / Preferences / Offline Report / Scheduler Template Management Window

3.6.8.1 Scheduler Template

Click on the Scheduler sub-menu tab to enter the Schedule Template Management window. The information displayed in the Scheduler Template view list includes No., ID, Name, Type, Execution Time, and Offline Report # (including all enabled and disabled offline reports applied to schedule templates). There are three system default schedule templates: Daily, Weekly, and Monthly. Users can change the default configurations of these schedule templates, but are not allowed to add new templates or delete the system default templates. The following sections introduce how to edit and view a scheduler template.

Note: The subject and language type of the Offline Report mail are set in the System Admin/Preferences/Notification function.


To edit a scheduler template

Click on “ ” icon to enter the Edit Scheduler Template window. (See Figure 3.6.8-2)

Figure 3.6.8-2 System Admin / Preferences / Offline Report / Scheduler -- Edit Schedule Template Window (Daily Schedule Type)

1. Input a new name to replace the default name in the Name field if desired. The number of inputted characters must be between 1 and 40. All characters are accepted except special characters (!@#$%^&?”’...).
2. Select a time from the drop-down list if desired. The execution time decides when the system executes the work for offline report generation and delivery. Select the “Hour” and “Minute” from the drop-down lists. Users also need to select the day of week or the day of month if a weekly or monthly schedule template is modified.
3. Click on “ Submit ” button to complete the modification.

To view the profile of a schedule template

The detail information of the router can be reviewed. (See Figure 3.6.8-3)

Figure 3.6.8-3 System Admin / Preferences / Offline Report / Scheduler -- View Schedule Template Window

1. Click on an ID/Name to enter the View Schedule Template window. When you move the cursor to the ID/Name listed in the “ID/Name” column, the color of the pointed ID/Name will turn into blue. The Applied block area shows the information of the Sub-Network entities and the number of created offline reports to which the viewed template is applied.
2. Click on “ Back to List ” button to return to the Schedule Template Management window.

3.6.8.2 Sub-Network

Click on Sub-Network sub-menu tab to enter the Sub-Network Offline Report Management window. (See Figure 3.6.8-4) The information displayed in the Sub-network Offline Report view list includes No., ID, Name, Offline Report Scheduler, Offline Report # [Daily; Weekly; Monthly] and IP Space. The following sections are going to introduce how to enable the offline report generation of a Sub-Network entity, how to delete the added offline reports, and how to view its offline report configuration.

Figure 3.6.8-4 System Admin / Preferences / Offline Report / Sub-Network Offline Report Management Window

To enable the offline report generation of a Sub-Network entity

Click on “ ” icon to enter the Edit Sub-Network Offline Report window. (See Figure 3.6.8-5)

Figure 3.6.8-5 System Admin / Preferences / Offline Report / Sub-Network -- Edit Sub-Network Offline Report Window

1. Select “Enabled” from the Generate Offline Report drop-down list. The enabling action here will activate the generation and email delivery of the added offline reports. The default setting is “Disabled”.
2. Click on “ Submit ” button to complete the configuration.

To delete an added offline report

1. Click on the delete icon “ ” of the offline report you want to delete. (See Figure 3.6.8-5 above) A confirmation dialog box will pop up.
2. Click on “ OK ” button to remove the added offline report from the Sub-Network entity.

To view the offline report configuration of a Sub-Network entity

The detailed offline report configuration of the Sub-Network entity can be reviewed. (See Figure 3.6.8-6)

Figure 3.6.8-6 System Admin / Preferences / Offline Report / Sub-Network -- View Sub-Network Offline Report Window

1. Click on an ID/Name to enter the View Sub-Network Offline Report window. When you move the cursor to the ID/Name listed in the “ID/Name” column, the color of the pointed ID/Name will turn into blue. The Offline Report block area lists all added offline reports of this viewed Sub-Network entity.
2. Click on “ Back to List ” button to return to the Sub-Network Offline Report Management window.


3.6.9 Remote Update

The Remote Update menu allows users to configure the definition update server from which the GenieATM system downloads the latest anomaly signature definitions. Note that the configuration here only sets the DNS name of the server; it does not execute the update job (please refer to the Anomaly menu in the System Admin / Network function for details). Click on the Remote Update menu displayed on the Sub Menu tree of Preferences at the left side of the screen to enter the Remote Update management window. (As presented in Figure 3.6.9-1)

Note: In addition to administrators, a user with the “superuser” authority (defined by user) can also access the Remote Update menu.

Figure 3.6.9-1 System Admin / Preferences / Remote Update Management Window

To edit the Default Configuration of Remote Update

1. Click on “ Edit ” button, a management window will pop up. (See Figure 3.6.9-2)
2. Enable or disable the daily auto-checking of the latest system anomaly signatures by clicking on the Automatically Check For Remote Update check boxes. Default is “Enabled”.
3. Enter the IP address or host name of the server desired in the Remote Server blank. The default server name is “update.genienrm.com”.
4. Click on “ Submit ” button to complete the modification.

Figure 3.6.9-2 System Admin / Preferences / Remote Update -- Edit Default Configuration of Remote Update Window


3.7 Report Rebuild

GenieATM provides a function that allows users to rebuild rule-based Filter reports for a specific time period. The data source for rebuilding is the rawdata saved in the system. Once users rebuild the rule-based reports of a Filter, the TopN reports under the Filter are also rebuilt, and the old reports of the Filter within the time period are overwritten by the rebuilt reports. Click on the Report Rebuild menu displayed on the Sub Menu tree of System Admin at the left side of the screen to enter the Report Rebuild window. (As presented in Figure 3.7-1) There are five parts in the Report Rebuild window:
• Last Request: this part displays the result and detailed information of the latest report-rebuilt request. One of four statuses may be displayed here: Processing, Completed, Aborted, or Failure.
• Historical Request: this part displays historical report-rebuilt requests successfully added, and allows users to view the detailed configuration of requests and to delete the added requests.
• System: this part will be displayed below the Last Request block area only after users submit a new request. It will show the result of adding the request.
• Last Request Status: this part will be displayed below the Last Request block area only after users click on “ Get Last Request Status ” button. It will show the detailed information and processing result of each Collector that is selected to provide rawdata for the rebuilt report. The Status column has four kinds of statuses: Processing, Completed, Aborted, and Failure.
• Abort Last Request: this part will be displayed below the Last Request block area only after users click on “ Abort Last Request ” button. It will show the result of aborting the request.

Note: Only the user with the authority of “administrator” or “superuser” can access the Report Rebuild menu.

Figure 3.7-1 System Admin / Report Rebuild Window

Adding Report-rebuilt Request

Click on “ Add New Request ” button to start the process of adding a new report-rebuilt request (as presented in Figure 3.7-2). The following descriptions are the four main steps needed to complete a new request.

Note: The system only allows one report-rebuilt request to be processed at a time. The “ Add New Request ” button will be disabled while a request is processing.

Figure 3.7-2 System Admin / Report Rebuild – Adding a New Request Window

Step 1. Click on “ ” button in the Checking System Configuration block area to check if the current system configuration equals the last dispatched configuration (The symbol “!=” means “not equal”). When the current system configuration is not consistent with the last dispatched configuration, the system will not allow you to add report-rebuilt requests (The “ Browse ” button will be disabled and Step 2 will not be able to proceed).

Step 2. Click on “ Browse ” button to specify the Collectors of data source and the time duration for the rebuilt report. After you click on “ Browse ” button, a Rawdata File window will pop up (as presented in Figure 3.7-3). First of all, select year and month from the Date Used to Update drop-down lists to display all Collectors’ daily rawdata status of the entire month (Gray: No Data; Yellow: Incomplete Data; Green: Complete Data). Check on the check boxes to specify Collectors. And then click on a radio button of a date that you want to be your start date of the time duration and then press “ | ” button: to go to the end page. The Page drop-down list: to go to a specific page selected from the drop-down list. The numerator represents the page you are going to list and the denominator represents the total pages.
• Entries/Page drop-down list: to control the displayed entries per page of the Application view list. There are five options to select: 10, 20, 30, 60, and 120. The number “20” with an asterisk means the default value.
• Radio button: click on the radio buttons to select a wanted or searched object from the view list.
• Submit : after selecting the object wanted or searched from the view list, click on this button to send the request.
• Cancel : click on this button to close the pop-up window.

3. Specify Analysis Criteria

Users can set the analysis criteria based on their requirements to further restrict the scope of the traffic to be analyzed. The analysis criteria are described below. (Note that the configuration field of each analysis criterion will be displayed in the Detail area only when the criterion check box is checked.)


(1) Protocol/Port
Users can restrict the snapshot traffic to the traffic with specific source, destination, or source & destination combinations of protocol and port. Input the protocols and ports in the Source/Input Interface and Destination/Output Interface of the Protocol/Port fields, and use a comma to separate every two inputs if multiple combinations of protocols and ports are inputted.
Example: Check on the Protocol/Port check box and input tcp/80 in the Source/Input of Protocol/Port field if the www application is required as the analysis criteria of the collected flow data.

(2) Interface
Users can restrict the snapshot traffic to the traffic with specific source, destination, source & destination interfaces. Please see the following instructions to configure the interface criteria:
● Click on “ Browse… ” to display device interface information (as presented in Figure 5-2).
● Select a router group from the Router Group drop-down list.
● Select a flow exporter (router) from the Router drop-down list.
● Check on check boxes to select input/output interfaces of the flow exporters and click on “ Add ” to add the interface to the Source/Input Interface or Destination/Output Interface of Interface field. To uncheck the check boxes, please click on “ Reset ” button. To close the window, please click on “ Cancel ” button.
Example: If users want to collect the flow data whose source or destination interface is Router1.11 of the device, Router 1 (Router 1 does not belong to any router group), check on the Interface check box, select “All Routers” from the Router Group drop-down list, select the device, “Router 1”, from the Router drop-down list, and click on the input and output check boxes of the interface Router1.11. Then, click on the “ Add ” button to add the interface in the text field.

Figure 5-2 Snapshot -- Device Interface Management Window

(3) Application
Users can restrict the snapshot traffic to traffic with a specific source or destination application. Select the application from the Source/Input Interface or Destination/Output Interface drop-down list of Application. Note that users can specify only one of them (source or destination) to analyze.
Example: Select the HTTP application from the Destination/Output drop-down list if users want to analyze the web service traffic.


(4) IPv4
This field is available when users define the IP version as IPv4 or Both in the Scope field. Users can restrict the snapshot traffic to traffic with specific source, destination, or source & destination IP addresses. Users can configure the IP spaces with a number of IP prefixes.
Example: If users want to set 192.168.3.0-255 as the source IP Block and 192.168.88.0-127 as the destination IP Block for the scope of collected flow data, check the IP check box, enter 192.168.3.0/24 in the Source/Input Interface field of IP and 192.168.88.0/25 in the Destination/Output Interface field of IP.

(5) IPv6
This field is available when users define the IP version as IPv6 or Both in the Scope field. Users can restrict the snapshot traffic to traffic with specific source, destination, or source & destination IP addresses. Users can configure the IP spaces with a number of IP prefixes.
Example: If users want to set fe80::5efe:192.168.38.168/128 as the source IP Block and ::1/128 as the destination IP Block for the scope of collected flow data, check the IP check box, enter fe80::5efe:192.168.38.168/128 in the Source/Input Interface field and ::1/128 in the Destination/Output Interface field.

(6) BGP Community
Users can restrict the snapshot traffic to traffic with specific source, destination, or source & destination BGP community strings.
Example: If users want to set 21829:12900 to 21829:12909 as the source BGP communities and 23910:39104 & 23910:39124 as the destination BGP communities for the scope of collected flow data, check the BGP Community check box, enter “21829:1290?” in the Source/Input Interface field of BGP Community and “23910:391[0 2]4” in the Destination/Output Interface field of BGP Community.

(7) Peer ASN
Users can restrict the snapshot traffic to traffic with specific source, destination, or source & destination Peer AS numbers.
Example: If users want to set UCLA University (AS52) as the source Peer AS Number and Harvard University (AS11) as the destination Peer AS Number for the criteria of collected flow data, check the Peer ASN check box, enter “52” in the Source/Input Interface field of Peer ASN and “11” in the Destination/Output Interface field of Peer ASN.

(8) Origin ASN
Users can restrict the snapshot traffic to traffic with specific source, destination, or source & destination Origin AS numbers.
Example: If users want to set UCLA University (AS52) as the source Origin AS Number and Harvard University (AS11) as the destination Origin AS Number for the scope of collected flow data, check the Origin ASN check box, enter “52” in the Source/Input Interface field of Origin ASN and “11” in the Destination/Output Interface field of Origin ASN.


(9) IPv4 BGP Next Hop
This field is available when users define the IP version as IPv4 or Both in the Scope field. Users can restrict the snapshot traffic to traffic with specific BGP next hop IP addresses. A flow is counted if any address is matched.
Example: If users want to analyze the traffic whose BGP next hop IP address is 192.168.1.254 and 192.168.38.254, check the BGP Next Hop check box, and then enter “192.168.1.254” and “192.168.38.254” (separate them with the “Enter” key) in the BGP Next Hop field.

(10) IPv6 BGP Next Hop
This field is available when users define the IP version as IPv6 or Both in the Scope field. Users can restrict the snapshot traffic to traffic with specific BGP next hop IP addresses. A flow is counted if any address is matched.
Example: If users want to analyze the traffic whose BGP next hop IP address is fe80::5efe:192.168.38.254, check the IPv6 BGP Next Hop check box, and then enter “fe80::5efe:192.168.38.254” (separate them with the “Enter” key) in the IPv6 BGP Next Hop field.

(11) TCP Flag
Users can restrict the snapshot traffic to traffic with specific TCP flag value(s).
Note: There are six bits in a TCP flag (URG, ACK, PSH, RST, SYN, and FIN in the TCP header) and each bit can be set to one of three values: X—Ignore, 1—Flag On, and 0—Flag Off. (Ignore: the system does not check this bit value; On: the system collects traffic information about the TCP packets with the bit “On” in the TCP flag field; Off: the system collects traffic information about the TCP packets with the bit “Off” in the TCP flag field.)
Example: If users want to analyze the traffic flows with the SYN bit set, check the TCP Flag check box, select “1” from the SYN-bit drop-down list and “X” for the others.

(12) TOS Value
Users can restrict the snapshot traffic to traffic with specific TOS value(s).
Note: Each bit of the TOS value field can be set to one of three values: X—Ignore, 1—Flag On, and 0—Flag Off. (Ignore: the system does not check this bit value; On: the system collects traffic information about the IP packets with the bit “On” in the TOS value field; Off: the system collects traffic information about the IP packets with the bit “Off” in the TOS value field.)
Example: If users want to analyze their ADSL service whose TOS values were configured as “011XXXXX”, check the TOS Value check box, select “0” from the 8-bit drop-down list, “1” from the 7-bit drop-down list, “1” from the 6-bit drop-down list, and “X” for the others.

(13) Packet Size
Users can restrict the snapshot traffic to traffic with specific packet sizes. The system supports 16 levels of packet sizes.
Example: If users want to analyze small packets, they can select “32 < Ave. Packet Size < = 64” from the drop-down list. The highest level of packet size is greater than 1536 bytes.


(14) IPv4 Next Hop
This field is available when users define the IP version as IPv4 or Both in the Scope field. Users can restrict the snapshot traffic to traffic with specific next hop IP addresses. A flow is counted if any address is matched.
Example: If users want to analyze the traffic whose next hop IP address is 192.168.1.254 or 192.168.38.254, check the Next Hop check box, and then enter “192.168.1.254” and “192.168.38.254” (separate them with the “Enter” key) in the Next Hop field.

(15) IPv6 Next Hop
This field is available when users define the IP version as IPv6 or Both in the Scope field. Users can restrict the snapshot traffic to traffic with specific next hop IP addresses. A flow is counted if any address is matched.
Example: If users want to analyze the traffic whose next hop IP address is fe80::5efe:192.168.38.254, check the IPv6 Next Hop check box, and then enter “fe80::5efe:192.168.38.254” (separate them with the “Enter” key) in the IPv6 Next Hop field.

(16) Anomaly
Users can restrict the snapshot traffic to traffic matching a specific Protocol-Misuse or Application anomaly signature. Note that this analysis criterion is only available for the Sub-Network traffic scope type.
Example: If users want to analyze the Sub-Network traffic matching the signature of the TCP Fragment Protocol-Misuse anomaly, check the Anomaly check box, and select the “Protocol-Misuse Anomaly, TCP Fragment” anomaly signature from the Anomaly drop-down list.

(17) ACL-based sFlow Flag
Select a value from the drop-down list for the sFlow flag. Each flag can be set to one of three values: X—Ignore, 1—Flag On, and 0—Flag Off.

4. Assign Aggregation Method
After specifying the traffic scope and analysis criteria, users need to assign an aggregation method for the Top N analysis (at least one aggregation method option must be assigned). Up to three aggregation keys can be specified, and the system will aggregate and then sort the instant traffic by the assigned method (including Source/Destination IP, Source/Destination Protocol/Port, Application on Source/Destination, TCP Flag, TOS, Protocol, Input/Output Interface, Peer ASN, Origin ASN, etc.). In addition, users can configure the N value of the Top N Report from the Number of Top-N drop-down list. The generated instant Top N report includes three pie charts and detailed statistics tables of BPS, PPS, and FPS. Select a number from the Number of Top-N drop-down list to display the Top N report; the configurable values are 10 (default), 30, 60, and 120.

5. Click on the “Export” button to output the configuration (Optional)
Users can export and save the analysis configurations of scope, criteria, and aggregation to a local host. To reuse the exported configurations, users can import and upload the configuration file from the local host with the “Import” button after specifying the data source. All the original configurations in the uploaded file will be loaded automatically on the Snapshot page.

6. Click on the “Submit” button to complete the configuration
The traffic snapshot report will be displayed instantly. To reset the configuration, click on the “Reset” button.
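The criteria and aggregation steps above, as an added Python sketch that is not GenieATM code: it applies IP prefix, BGP community, TCP flag and TOS criteria to constructed flow records and ranks the remaining flows by bps, pps and fps. The record fields, function names, wildcard semantics ('?' for one digit, '[0 2]' for a digit set) and the rate calculation (totals divided by the span between the first and last flow) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

def compile_mask(mask):
    """Turn a tri-state mask such as '011XXXXX' (MSB first) into (care, want)."""
    care = want = 0
    for ch in mask.upper():
        if ch not in "X01":
            raise ValueError(f"invalid mask character {ch!r}")
        care = (care << 1) | (ch != "X")  # 1 where the bit is checked
        want = (want << 1) | (ch == "1")  # required value of a checked bit
    return care, want

def mask_match(mask, value):
    """X = ignore the bit, 1 = bit must be on, 0 = bit must be off."""
    care, want = compile_mask(mask)
    return (value & care) == want

def community_regex(pattern):
    """Assumed semantics, inferred from the manual's two examples:
    '?' is any single digit and '[0 2]' is one digit from the listed set."""
    parts = []
    for token in re.findall(r"\[[^\]]*\]|.", pattern):
        if token == "?":
            parts.append(r"\d")
        elif len(token) > 1:  # a bracketed digit set
            parts.append("[" + re.sub(r"\D", "", token) + "]")
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts))

def flow_matches(flow, crit):
    """Every configured criterion must hold; an absent criterion is not checked."""
    for side in ("src", "dst"):
        prefix = crit.get(f"{side}_prefix")
        if prefix and ipaddress.ip_address(flow[side]) not in ipaddress.ip_network(prefix):
            return False
        pattern = crit.get(f"{side}_community")
        if pattern and not community_regex(pattern).fullmatch(flow.get(f"{side}_community", "")):
            return False
    for field in ("tcp_flags", "tos"):
        if field in crit and not mask_match(crit[field], flow[field]):
            return False
    return True

def top_n(flows, crit, keys, n=10):
    """Filter, aggregate on one to three keys, and rank by bps, pps and fps."""
    if not 1 <= len(keys) <= 3:
        raise ValueError("one to three aggregation keys are required")
    selected = [f for f in flows if flow_matches(f, crit)]
    report = {"bps": [], "pps": [], "fps": []}
    if not selected:
        return report
    # Assumption: rate = total / span between first and last contributing flow.
    span = max(1, max(f["last"] for f in selected) - min(f["first"] for f in selected))
    totals = defaultdict(lambda: [0, 0, 0])  # bits, packets, flows
    for f in selected:
        row = totals[tuple(f[k] for k in keys)]
        row[0] += f["bytes"] * 8
        row[1] += f["packets"]
        row[2] += 1
    for idx, unit in enumerate(report):
        ranked = sorted(totals.items(), key=lambda kv: kv[1][idx], reverse=True)[:n]
        report[unit] = [(rank, key, row[idx] / span) for rank, (key, row) in enumerate(ranked, 1)]
    return report

def flow(src, dst, flags, tos, comm, nbytes, pkts, first, last):
    return dict(src=src, dst=dst, tcp_flags=flags, tos=tos, src_community=comm,
                bytes=nbytes, packets=pkts, first=first, last=last)

SYN, ACK = 0x02, 0x10  # positions in the six-bit URG/ACK/PSH/RST/SYN/FIN field

# Constructed flow records (not captured traffic); times are in seconds.
FLOWS = [
    flow("192.168.3.10", "192.168.88.5", SYN, 0x60, "21829:12901", 6000, 100, 0, 10),
    flow("192.168.3.10", "192.168.88.6", SYN, 0x60, "21829:12901", 3000, 50, 2, 10),
    flow("192.168.3.77", "192.168.88.5", SYN | ACK, 0x68, "21829:12909", 1000, 200, 0, 8),
    flow("192.168.4.1", "192.168.88.5", SYN, 0x60, "21829:12901", 9000, 90, 0, 10),     # source outside /24
    flow("192.168.3.20", "192.168.88.200", SYN, 0x60, "21829:12901", 9000, 90, 0, 10),  # destination outside /25
    flow("192.168.3.30", "192.168.88.9", ACK, 0x60, "21829:12901", 9000, 90, 0, 10),    # SYN bit off
    flow("192.168.3.40", "192.168.88.9", SYN, 0xA0, "21829:12901", 9000, 90, 0, 10),    # TOS is 101xxxxx
    flow("192.168.3.50", "192.168.88.9", SYN, 0x60, "21829:12910", 9000, 90, 0, 10),    # community outside 1290?
]

CRITERIA = {
    "src_prefix": "192.168.3.0/24",   # 192.168.3.0-255
    "dst_prefix": "192.168.88.0/25",  # 192.168.88.0-127
    "src_community": "21829:1290?",
    "tcp_flags": "XXXX1X",            # SYN on, other bits ignored
    "tos": "011XXXXX",
}

if __name__ == "__main__":
    for unit, rows in top_n(FLOWS, CRITERIA, keys=("src",), n=10).items():
        print(unit, rows)
```

The ranking differs per unit: the source with the most bits per second is not the one with the most packets per second, which is why the report keeps three separate tables.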


Instant Top N Report Descriptions

The Instant Top N report includes several parts described below (See Figure 5-3):

Figure 5-3 Snapshot -- Instant Top N Report

Timestamps
The timestamps indicate the time points of the first and last flow records that contributed to the queried instant Top N report. The format is “yyyy-mm-dd hh:mm:ss” (e.g. 2005-08-23 17:40:19).

Report Charts
Three pie charts by BPS, PPS, and FPS are displayed to visualize the analysis results as percentages of the Top-N objects. The distinct colors let users easily read the traffic statistics from the detailed statistics tables located under the pie charts.
• BPS: bits per second.
• PPS: packets per second.
• FPS: flows per second.

Detail Report Tables
There are three tabs at the top left corner of the table: bps, pps, and fps. The BPS table presents the traffic statistics in bits per second and is the default table. The PPS table presents the traffic statistics in packets per second. The FPS table presents the traffic statistics in flows per second. Users can click on the tabs to view the detailed data for each. The blue tab indicates the table currently displayed. The content of each table includes:
• Rank: this column displays ranking numbers from “1” to “N” for the highest to the lowest volume.
• BPS/PPS/FPS: this column displays traffic volumes and percentages of the analyzed objects. In the BPS table, this column is “BPS”; in the PPS table, this column is “PPS”; in the FPS table, this column is “FPS”.
• Traffic records of the aggregation keys: depending on the aggregation keys specified, up to three columns record the traffic counts of each set of aggregation keys. For example, if users assign “Application on Source, Input Interface and Protocol” as the aggregation keys, three columns, “Application on Source, Input Interface and Protocol”, are displayed.
• Check Box: at the end of each ranked object row there is a check box, which is used to quickly select the attribute value of this ranked object as a criterion for the next drill-down snapshot.


Action Buttons

The action buttons are located at the bottom of the page, and are described as follows:
• “Back”: go back to the Snapshot management window with the previously selected criteria.
• “Generate ACL”: press this button to obtain system-generated ACL commands based on the analyzed traffic characteristics. Please refer to the Generating ACL Commands part in Anomaly Console.
• “Snapshot”: use this button to perform further drill-down analysis to narrow down the scope of the target traffic. For instance, after performing a snapshot with a large analysis scope and loose criteria, users can narrow the scope and tighten the criteria based on the ranked objects they find, and run a next-round snapshot. Check the specific check boxes and then click on this button.
Note: There is a restriction on using the ranked Applications and Packet Sizes for snapshot drill-down. Only the highest-ranked object selected becomes the default criterion for the next-round snapshot, since the system does not support multiple selections for the Application and Packet Size criteria. For example, after a previous snapshot, users selected the top 3 ranked applications (HTTP, FTP, SMTP) for the next-round snapshot. The system will list only the HTTP application as the default scope criterion after the “Snapshot” button is clicked. In addition, the Router aggregation method cannot be passed back as a criterion.
• “Cancel”: go back to the Snapshot management window.
• “Latest 100 Raw Flows”: view the latest 100 raw flow records from a specific collector. Select a collector from the From drop-down list and then click on this button. A Latest 100 Raw Flows window will pop up and the latest 100 records will be displayed (See Figure 5-4).

Figure 5-4 Snapshot -- Instant Top N Report / Latest 100 Raw Flows


6 Mitigation

The Mitigation menu (on the Main Menu tree) provides users with mitigation methods to execute mitigation actions for protecting their network resources or filtering anomaly traffic. Two mitigation methods are provided here, Hardware Mitigation and Blackhole. “Hardware Mitigation” means that GenieATM integrates with a traffic-cleaning device (such as Cisco Guard) to filter out attack traffic and forward clean traffic to its original destination; “Blackhole” uses limited BGP announcements to divert anomaly traffic to a configured honey pot or blackhole device. Do not confuse this menu with the Mitigation sub menu of System Admin, which is for configuring essential mitigation elements such as blackhole next hops and mitigation devices. With this function, administrators, or superusers as defined by template, can add, manage, and remove mitigation actions of the system. When users click on the unfolding mark of Mitigation, all its sub menus will be unfolded, including Hardware Mitigation and Blackhole.

6.1 Blackhole

The Blackhole menu, under the Main Menu tree of Mitigation, is used to manage (add, remove, start, or stop) blackhole mitigation actions. Blackhole mitigation uses limited BGP announcements to divert anomaly traffic to a configured honey pot or blackhole device, thus protecting network resources. Besides configuring the blackhole mitigation action, users also need to have the Zebra daemon running on the GenieATM Controller via the CLI (use the “config bgpd” command to enter bgpd mode to run the Zebra daemon). Click on the Blackhole menu to enter the Blackhole Mitigation management window (See Figure 6.1-1). The information displayed in the Blackhole Mitigation view list includes No., ID, Name, Anomaly ID/Resource Name, Protected Prefix, BGP Next Hop/Community String, Start Time/End Time, Time Out, Status, Action, and Issued By. The following sections introduce how to add, stop, delete, and view a blackhole mitigation action. In addition, at the top of the report table there is a search function that allows users to list the records by “Ongoing”, “Stop”, or All status. After selecting the status, users have to click on the “Go” button to list the records.

Figure 6.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation Action Management Window


To add a blackhole mitigation action

After clicking on the “Add” button located at the top of the Hardware Mitigation Action view list, a page with the Add Hardware Mitigation title will be shown on the screen. (See Figure 6.1-2)

Figure 6.1-2 Mitigation / Hardware Mitigation - Add Hardware Mitigation Action Window

1. Enter the required blackhole mitigation action information in all fields: (The asterisk "*" indicates a mandatory field.)
• Method: Select the method from the drop-down list.
• Name: Give a name for this action. The number of characters entered must be between 2 and 64. All characters are accepted except space and special characters (!@#$%^&?”’...).
• Protected Prefix: Enter the prefixes that you want to protect in CIDR format. Duplicated IP prefixes are not allowed across all Hardware and Blackhole mitigations.
Note: If you are adding a blackhole mitigation action through Anomaly Console Report, there will be a drop-down list for you to select a desired protected prefix. After selecting the prefix and clicking on the “Protect” button, the selected prefix will be copied to the Protected Prefix field.
• Blackhole Policy: Select the policy from the drop-down list.
Note: Users with administrator authority can specify the mitigation policy in the System Admin/Mitigation/Blackhole function.
• Time Out: Enter a time value in this field. The configured blackhole mitigation action will stop automatically when the time configured here expires. The available range is from 5 to 1440 (minutes) and the factory default value is 120 minutes.
• BGP Next Hop: this field cannot be edited. The listed information is bound to the blackhole policy.
• Community: this field cannot be edited. The listed information is bound to the blackhole policy.
• Router: this field cannot be edited. The listed information is bound to the blackhole policy.
• Protected Zone: this field cannot be edited. The listed information is bound to the blackhole policy.

To stop a blackhole mitigation action

Users can stop an active mitigation action.
1. Click on the “Stop” button (in the Action column of the Blackhole Mitigation Action view list). A Stop Blackhole page with all detailed configuration and related information will be shown, and the Status will display “Inactive”. Note that an active mitigation action cannot be deleted, and no delete icon is displayed for it.
2. Click on the “Submit” button to stop the action after confirming that all the information is correct. A completion message will indicate whether the submission succeeded or failed.

To delete a blackhole mitigation action

Users can delete a mitigation action whose status is stopped from the system. A delete icon is displayed only when the status of a mitigation action is Stop. Therefore, users cannot delete an ongoing mitigation action.
1. Click on the delete icon. A Delete Blackhole page with detailed configuration and related information will be shown.
2. Click on the “Submit” button to remove the action from the system.
Note: By factory default, the records shown in the Mitigation management window are those with the Ongoing status; users can change the status to All or Stop, at the top of the view list, to display the stopped mitigation records.

To view the profile of a blackhole mitigation action

Users can view the mitigation action’s information in detail. The detailed information includes the action’s name, protected prefix, time out, next hop, community, routers, and status (See Figure 6.1-3). If the action was added via Anomaly Console Report, two more items are displayed: anomaly ID and resource name.

Figure 6.1-3 Mitigation / Blackhole - View Blackhole Mitigation Action Management Window

1. Click on an action ID/name to show a pop-up View Blackhole window. When you move the cursor to an ID/name listed in the “ID”/“Name” column, the pointed ID/name turns blue.
2. Click on the “Close” button to close the pop-up window.


6.2 Hardware Mitigation

The Hardware Mitigation menu, under the Main Menu tree of Mitigation, is used to manage (add, remove, start, or stop) hardware mitigation actions, and also provides brief overall traffic statistics and detailed attack traffic for each action. Hardware mitigation cooperates with a traffic-cleaning device (such as Guard or Eudemon) to protect a specific IP address/prefix. After clicking on the Hardware Mitigation menu displayed on the Sub Menu tree of Mitigation at the left side of the screen, the Guard management window (the default window) will be shown. Two sub-menu tabs, Guard and Eudemon, appear at the top of the screen.

6.2.1 Guard

Click on the Hardware Mitigation menu to enter the Hardware Mitigation management window (See Figure 6.2.1-1). The information displayed in the Guard view list includes No., ID, Name, Anomaly ID/Resource Name, Protected IP/Prefix, bps/pps (In, Dropped, Passed), Start Time/End Time, Status, Action, Issued By and Report. In addition, at the top of the report table there is a search function that allows users to list the records by “Ongoing”, “Stop”, or All status. After selecting the status, users have to click on the “Go” button to list the records. The following sections introduce how to add, stop, delete, and view a hardware mitigation action, and how to read its report.
Note: If the mitigation is added from the anomaly console report, users can click on the anomaly ID to view the anomaly console report.

Figure 6.2.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation: Guard Management Window

To add a Guard mitigation action

After clicking on the “Add” button located at the top of the Guard view list, a page with the Add Mitigation title will be shown on the screen. (See Figure 6.2.1-2)

Figure 6.2.1-2 Mitigation / Hardware Mitigation - Add Guard Mitigation Action Window

1. Enter the required Guard mitigation action information in all fields: (The asterisk "*" indicates a mandatory field.)
• Method: Select the method from the drop-down list.
• Name: Give a name for this action. The number of characters entered must be between 2 and 64. All characters are accepted except space and special characters (!@#$%^&?”’...).
• Protected Host: Enter an IP address that you want to protect. The IP address must be within the selected Zone’s IP range. If you leave this field blank, all the IP addresses of the selected Zone will be protected.
Note: If you are adding a hardware mitigation action through Anomaly Console Report, there will be a drop-down list for you to select a desired protected IP address. After selecting the IP address and clicking on the “Protect” button, the selected IP address will be copied to the Protected IP Address field.
• Time Out: Provide time-out information for action expiration. You can set the time-out to forever by clicking on the Forever radio button. In this case, the action will not be terminated until you stop it manually through the “Stop” button of the Web UI or the CLI. Alternatively, you can enter a time value yourself. The configured hardware mitigation action will stop automatically when the time configured here expires. The available range is from 10 to 65535 (seconds).
• Device: Select a traffic-cleaning device from the Device drop-down list. All devices configured in the System Admin / Mitigation / Device / Cisco Guard function are displayed here.
• Zone: Select a zone from the Zone drop-down list. The selections here change according to which device is selected. Once you select a device, all zones configured in the device are displayed here. The text box displays all IP addresses configured in the selected zone. GenieATM executes SNMP polling every minute to get the latest zone information from Cisco Guard.

To stop a Guard mitigation action

Users can stop an active mitigation action.
1. Click on the “Stop” button (in the Action column of the Guard Mitigation view list). A Stop Mitigation page with all detailed configuration and related information will be shown, and the Status will display “Inactive”. Note that an active mitigation action cannot be deleted, and no delete icon is displayed for it.
2. Click on the “Submit” button to stop the action after confirming that all the information is correct. A completion message will indicate whether the submission succeeded or failed.
Note: By factory default, the records shown in the Guard Management Window are those with the Ongoing status; users can change the status to All or Stop, at the top of the view list, to display the stopped mitigation records.

To delete a Guard mitigation action

Users can delete a stopped mitigation action from the system. If the status of a mitigation action is stopped, a delete icon is displayed, so users can delete the stopped mitigation action.
1. Click on the delete icon. A Delete Hardware Mitigation page with detailed configuration and related information will be shown.
2. Click on the “Submit” button to remove the action from the system.

To read the reports of a Guard mitigation action

Two types of hardware mitigation action reports are provided. One is the Traffic Report, which compiles statistics of the passed, dropped, and total traffic for the action; the other is the Attack Report, which allows users to retrieve the list of available attack reports for the related zone. Click on the “Report” button at the end of each row; a Hardware Mitigation Report window will pop up and display two sub-menu tabs, Traffic and Attack Report. Please see the following sections for details.


Traffic

Click on the Traffic sub-menu tab to enter the traffic report window. (See Figure 6.2.1-3)

Figure 6.2.1-3 Mitigation / Hardware Mitigation - Hardware Mitigation Traffic Report

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the action’s information and the condition options below:
• Name: the name of the hardware mitigation action.
• Protected: the time that the hardware mitigation action was started.
• Unit: bps (bits per second) and pps (packets per second).
• Time Period: daily and weekly. Two fixed time intervals are provided to present the analysis report with an end time specified from the Until drop-down list.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time’s description above for operation. Users can specify the end date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Until, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button. Or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date.
• Go: after setting the query conditions, click on this button to submit the query.
• Cancel: click on this button to close the report window.

Report Chart
Stacked Chart. The X-coordinate represents time and changes according to the time interval selected by users. The Y-coordinate represents traffic flow. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects indicate which traffic each band represents.)


Report Table
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

Attack Report

Click on the Attack Report sub-menu tab to enter the attack report window. (See Figure 6.2.1-4)

Figure 6.2.1-4 Mitigation / Hardware Mitigation - Hardware Mitigation Attack Report

Report Descriptions

There are three parts in the Traffic Report window: Action Information, Action Buttons, and Report Table.

Action Information
This part is located at the top of the screen and presents the action’s information below:
• Name: the name of the hardware mitigation action.
• Protected: the time that the hardware mitigation action was started.

Action Button
• Get Report List: click on this button to retrieve related attack reports from traffic-cleaning devices.
• Close: click on this button to close the report window.

Report Table
After users retrieve attack reports via the “Get Report List” button, the retrieved reports are displayed in this table. The information includes NO., Report ID, Attack [Start; Until; Duration], Peak, Report.


6.2.2 Eudemon

Click on the Eudemon sub-menu to enter the Eudemon management window (See Figure 6.2.2-1). The information displayed in the Eudemon view list includes No., ID, Name, Anomaly ID/Resource Name, Protected IP Address, bps [Max Legitimate / Malicious], Start Time/End Time, Status, Action, Issued By and Report. In addition, at the top of the report table there is a search function that allows users to list the records by “Ongoing”, “Stop”, or “All” status. After selecting the status, users have to click on the “Go” button to list the records. The following sections introduce how to add, stop, and delete a mitigation action.

Figure 6.2.2-1 Mitigation / Hardware Mitigation / Eudemon Management Window

To add a mitigation action

After clicking on the “Add” button located at the top of the Eudemon view list, a page with the Add Mitigation title will be shown on the screen. (See Figure 6.2.2-2)

Figure 6.2.2-2 Mitigation / Hardware Mitigation/Eudemon - Add Eudemon Mitigation Window

1. Enter the required parameters of the mitigation action in the fields: (The asterisk "*" indicates a mandatory field.)
• Name: Give a name for this action. The number of characters entered must be between 2 and 64. All characters are accepted except space and special characters (!@#$%^&?”’...).
• Protected Host: Enter an IP address that you want to protect. The IP address must be within the selected Zone’s IP range.
Note: If you are adding a mitigation action through Anomaly Console Report, there will be a drop-down list for you to select a desired protected IP address. After selecting the IP address and clicking on the “Protect” button, the selected IP address will be copied to the Protected IP Address field.
• Max Speed Limit: This value defines the host total traffic profile for Eudemon 8000. The value must be between 1 and 1024 (Mbps). It will be provisioned to the Eudemon 8000 device as the tcp-max-speed/ udp-max-speed/ icmp-max-speed parameters in the CLI command "firewall ddos-policy ip tcp-max-speed INTEGER".
• Device: Select a Eudemon device from the drop-down list. All devices configured in the System Admin / Mitigation / Device / Eudemon function are displayed here.

To stop a mitigation action

Users can stop an ongoing mitigation action.

1. Click on the “Stop” button (in the Action column of the Eudemon view list). A Stop Mitigation page with all detailed and related information will pop up, and the Status will display “Inactive”. Note that you are not allowed to delete an active mitigation action, so no delete icon is displayed for it.
2. Click on the “Submit” button to stop the action after confirming that the information is correct. A completion message will tell whether the submission succeeded or failed.

Note: By factory default, the records shown on the Eudemon view list are those with the status Ongoing. Users can change the status to “All” or “Stop”, at the top of the window, to display all or stopped mitigation records.

To delete a mitigation action

Users can delete a stopped mitigation action from the system. A delete icon is displayed in the first column of each stopped mitigation, and users can delete a stopped mitigation action by clicking on it.

1. Click on the delete icon. A Delete Mitigation page with detailed and related information will pop up.
2. Click on the “Submit” button to remove the action from the system.

7 Report

The Report menu presents system reports, including both pre-defined (built-in) and rule-based reports. The system pre-defined reports are included in the Report main menu. When users click on the unfolding mark of Report, all its sub menus will be unfolded, including Internet, Neighbor, Backbone, Router, Interface, Sub-Network, Server, and Rule-based Report.

Note: The parameters a user specifies for the report being viewed (such as network resource, Time Range, Unit, Chart, etc.) are carried over to other reports in the Report function when the user switches to browse them. However, some of the specified parameters may not be supported by the report switched to, so only the accepted parameters will be set in that report.

7.1 Internet

The Internet menu provides various built-in reports for traffic analysis between the Internet and Home Network, provided that the Home Network area and the Internet boundary have been defined in advance. GenieATM analyzes the collected flow data about the traffic through the interfaces of the defined Internet boundary, together with the BGP routing information, and then generates a variety of Internet traffic analysis reports. There are three types of analysis reports for Internet traffic: Summary Report, Breakdown Report, and Attribute Report. The following sections describe how to query the various Internet traffic reports. When users click on the unfolding mark of Report / Internet, all its sub menus will be unfolded, including Summary Report, Breakdown Report, and Attribute Report.

7.1.1 Summary Report

The summary report of the Internet traffic presents the traffic analysis between the Internet and Home Network in a macroscopic view. With the Internet summary report, users can get a brief overview of their Internet traffic. Click on the Summary Report sub menu of the Report / Internet menu to enter the Summary Report window. The system will display various analysis reports for Internet traffic according to the selected traffic unit, time interval, and traffic type.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, they specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

This report is presented as a line chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. In the chart, each line represents one kind of traffic and its data matches the data listed in Report Table. (The colored objects next to the check boxes indicate which traffic each line represents.)

Report Table

For the Internet summary report, this table will display five kinds of traffic statistics:

• Internet to Home – If the source IP address does not belong to Home Network and the destination IP address belongs to Home Network, the flow packet will be considered as Internet to Home Traffic.
• Home to Internet – If the source IP address belongs to Home Network and the destination IP address does not belong to Home Network, the flow packet will be considered as Home to Internet Traffic.
• Internet to Internet – If neither the source nor the destination IP address belongs to Home Network, the flow packet will be considered as Internet to Internet Traffic, also called Transit Traffic.
• Into Home – The total traffic into Home, namely the sum of Internet to Home Traffic plus Transit Traffic.
• Out of Home – The total traffic out of Home, namely the Home to Internet Traffic plus Transit Traffic.

Average, current, and maximum values will be displayed in the table. Selecting the check box at the front of a row draws that traffic in Report Chart, so users can compare different types of traffic clearly by unselecting traffic and leaving only what they want. An “All” check box lets users conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program.
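The direction rules and the Average / Current / Maximum columns of the Report Table can be reproduced offline from exported flow records. The following is an added example, not GenieATM code: the Home Network prefixes, the flow-record fields (`ts`, `src`, `dst`, `bytes`, `packets`), the 300-second bucket and the decision to skip Home-to-Home flows are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample configuration: Home Network prefixes (documentation ranges).
HOME_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]
BUCKET_SECONDS = 300  # assumed sampling interval; the manual does not state one here

KINDS = ("Internet to Home", "Home to Internet", "Internet to Internet",
         "Into Home", "Out of Home")


def in_home(addr, prefixes=HOME_PREFIXES):
    """True if addr falls inside any Home Network prefix (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in prefixes)


def classify(src, dst, prefixes=HOME_PREFIXES):
    """Map one flow to a Report Table direction, or None if both ends are in Home."""
    src_home, dst_home = in_home(src, prefixes), in_home(dst, prefixes)
    if not src_home and dst_home:
        return "Internet to Home"
    if src_home and not dst_home:
        return "Home to Internet"
    if not src_home and not dst_home:
        return "Internet to Internet"  # transit traffic
    return None  # Home to Home: assumed not to be part of the Internet summary


def rate_series(flows, unit="bps", bucket=BUCKET_SECONDS):
    """Return {bucket_start: {kind: rate}} for all five kinds of traffic."""
    if unit not in ("bps", "pps"):
        raise ValueError("unit must be 'bps' or 'pps'")
    field, factor = ("bytes", 8) if unit == "bps" else ("packets", 1)
    totals = defaultdict(lambda: dict.fromkeys(KINDS[:3], 0))
    for flow in flows:
        kind = classify(flow["src"], flow["dst"])
        if kind is not None:
            start = flow["ts"] - flow["ts"] % bucket
            totals[start][kind] += flow[field] * factor
    series = {}
    for start in sorted(totals):
        row = {kind: total / bucket for kind, total in totals[start].items()}
        transit = row["Internet to Internet"]
        # Transit traffic both enters and leaves Home, so it counts in both sums.
        row["Into Home"] = row["Internet to Home"] + transit
        row["Out of Home"] = row["Home to Internet"] + transit
        series[start] = row
    return series


def report_table(flows, unit="bps"):
    """Average, current (last bucket) and maximum per kind, over observed buckets."""
    rows = list(rate_series(flows, unit).values())
    table = {}
    for kind in KINDS if rows else ():
        values = [row[kind] for row in rows]
        table[kind] = {"average": sum(values) / len(values),
                       "current": values[-1],
                       "maximum": max(values)}
    return table


# Constructed flow records (ts in seconds from the start of the query range).
SAMPLE_FLOWS = [
    {"ts": 10, "src": "198.51.100.7", "dst": "192.0.2.10", "bytes": 3_000_000, "packets": 3000},
    {"ts": 20, "src": "192.0.2.10", "dst": "198.51.100.7", "bytes": 600_000, "packets": 1500},
    {"ts": 30, "src": "198.51.100.7", "dst": "203.0.113.9", "bytes": 1_500_000, "packets": 1200},
    {"ts": 40, "src": "2001:db8:10::5", "dst": "2001:db8:ffff::1", "bytes": 150_000, "packets": 300},
    {"ts": 50, "src": "192.0.2.10", "dst": "192.0.2.20", "bytes": 75_000, "packets": 100},
    {"ts": 310, "src": "203.0.113.9", "dst": "192.0.2.20", "bytes": 6_000_000, "packets": 6000},
    {"ts": 320, "src": "192.0.2.20", "dst": "203.0.113.9", "bytes": 375_000, "packets": 900},
]

if __name__ == "__main__":
    for kind, stats in report_table(SAMPLE_FLOWS, "bps").items():
        print(f"{kind:22s} {stats}")
```

A large gap between Into Home and Internet to Home in such a table is transit traffic, which is worth checking against the intended routing policy.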

Operation Procedure to Query Reports

1. Select the condition options in Query Bar for generating your report.
2. Select the traffic you want from Report Table by clicking on the check box.
3. Click on the “Submit” button (in Query Bar) to refresh the screen and generate your report.

7.1.2 Breakdown Report

Unlike the macroscopic summary report, the breakdown report provides further analysis of specific kinds of traffic. The breakdown report of the Internet traffic includes four types of reports: Sub-Network, Origin ASN, Peer ASN, and Peering Analysis. When users click on the unfolding mark of Breakdown Report under the Report / Internet menu, all its sub menus will be unfolded, including Sub-Network, Origin ASN, Peer ASN, and Peering Analysis.

7.1.2.1 Sub-Network

The Sub-Network traffic analysis of the Internet breakdown report provides information about the Internet traffic into/out of each Sub-Network defined in the system. The traffic will be collected from every Sub-Network boundary. The Top N Report Table will display all sub-networks (N: maximum = 300). Each row of Report Table will display ingress, egress and sum traffic for each Sub-Network. Click on the Sub-Network sub menu of Breakdown Report under the Report / Internet menu to enter the Sub-Network Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, they specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into Home and the lower part represents the traffic out of Home. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which traffic each band represents.)
• Bar Chart. Bar Chart is presented with horizontal bars, and three different colors of bars are used to separately represent Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Egress, Ingress, and Sum traffic statistics.

Report Table

This table will display all kinds of traffic analysis statistics of the sub-networks defined in the system. There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently displayed. Selecting the check box at the front of a row draws that traffic in Report Chart, so users can compare different types of traffic clearly by unselecting traffic and leaving only what they want. An “All” check box lets users conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.2.2 Origin ASN

The Origin ASN traffic analysis of the Internet breakdown report provides information about the Internet traffic originated from different ASes. Because the number of ASes is quite large, only the top 128 ASNs will be saved to the DB. The top N (N: default = 25) ASNs will be displayed, each in a row. Each row of Report Table will display ingress, egress and sum traffic for each Origin ASN. Click on the Origin ASN sub menu of Breakdown Report under the Report / Internet menu to enter the Origin ASN Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Internet for details. Except that the data listed in Report Table is different, all other descriptions are the same. For Origin ASN reports, the Report Table will display the top N Origin ASNs.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.2.3 Peer ASN

The Peer ASN traffic analysis of the Internet breakdown report provides information about the traffic between the Internet and Home Network through each Neighbor AS. Since the number of Neighbor ASes won’t be more than 100, at most the top 128 will be displayed. Each row of Report Table will display ingress, egress and sum traffic for each Neighbor ASN. Click on the Peer ASN sub menu of Breakdown Report under the Report / Internet menu to enter the Peer ASN Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Internet for details. Except that the data listed in Report Table is different, all other descriptions are the same. For Peer ASN reports, the Report Table will display the top N Peer ASNs.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.2.4 Peering Analysis

The Peering traffic analysis of the Internet breakdown report provides the Peering traffic of the top 128 ASNs in and out of Home Network. In practice the Neighbor ASes will appear in the list most of the time because they are the major Transit traffic providers of the Home Network. If a Neighbor AS (defined in the system) appears in the Neighbor column of Report Table, the traffic is between this Neighbor and Home Network. However, if no Neighbor AS appears in the Neighbor column of Report Table, the traffic is between an AS (not a Neighbor AS) and Home Network.

Each row of Report Table will display ingress (through, from), egress (through, to) and sum traffic for each AS:

• The value of Thru (Through) in the Into Home column means the traffic passes through the AS to Home.
• The value of From in the Into Home column means the traffic originates from the AS and goes to Home.
• Conversely, the value of Thru (Through) in the Out of Home column means the traffic goes from Home through the AS to other ASes.
• The value of To in the Out of Home column means the traffic goes from Home to the AS.

Click on the Peering Analysis sub menu of Breakdown Report under the Report / Internet menu to enter the Peering Analysis Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Internet for details. Except that the data listed in Report Table is different and Bar and Pie Charts are not supported, all other descriptions are the same. For Peering Analysis reports, the Report Table will display the top N Peering Analyses (each relative to a Neighbor AS or an Origin AS).

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.2.5 AS Path Length

The AS Path Length traffic analysis of the Internet breakdown report provides information about the ingress/egress (Into Home/Out of Home) traffic from a specific AS, aggregated according to the BGP AS Path length. The system will ignore lengths longer than 30. Each row of Report Table will display ingress, egress and sum traffic for each AS path length. This report can help users understand the routing efficiency of their networks and review their routing policies. Click on the AS Path Length sub menu of Breakdown Report under the Report / Internet menu to enter the AS Path Length Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Internet for details. Except that the data listed in Report Table is different, all other descriptions are the same. For AS Path Length reports, the Report Table will display the traffic aggregated according to the different lengths of AS path for the Internet AS passed through.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.3 Attribute Report

The attribute report provides analysis information about some common attributes. With the common attribute reports, users can understand how their network resources are actually being used. The attribute report of the Internet traffic has five kinds: Application, Protocol, Protocol+Port, TOS, and Packet Size. When users click on the unfolding mark of Attribute Report under the Report / Internet menu, all its sub menus will be unfolded, including Application, Protocol, Protocol+Port, TOS, and Packet Size.

7.1.3.1 Application

The Application traffic analysis of the Internet attribute report provides information about the ingress/egress (Into Home/Out of Home) traffic aggregated according to the user-defined application groups, on source and destination ports separately for the different traffic directions. Up to the top 128 applications will be saved to the DB. The top N (N: default = 25) applications will be displayed, each in a row.

In this report, users can obtain not only the traffic Into Home and Out of Home for applications but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are two items selectable, Inside and Outside:

• “Inside” means the server is inside the entity (Home Network, Sub-Network…) and represents the data of Request of Ingress traffic or the data of Response of Egress traffic.
• “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic.

Click on the Application sub menu of Attribute Report under the Report / Internet menu to enter the Application Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, they specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Service: once the bar chart or pie chart is selected, the Service drop-down list will be shown for users to select the traffic direction of the service. There are two kinds of traffic directions: Inside and Outside.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into Home and the lower part represents the traffic out of Home. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which application each band represents.)
• Bar Chart. Bar Chart is presented with horizontal bars, and three different colors of bars are used to separately represent Ingress, Egress, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Ingress, Egress, and Sum traffic statistics.

Report Table

This table will display the top N Applications. There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently displayed. Selecting the check box at the front of a row draws that traffic in Report Chart, so users can compare different types of traffic clearly by unselecting traffic and leaving only what they want. An “All” check box lets users conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.3.2 Protocol

The Protocol traffic analysis of the Internet attribute report provides information about the ingress/egress (Into Home/Out of Home) traffic aggregated according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). In total, the top 128 protocols will be stored in the database and the top N (N: default = 25) will be displayed in the report. Each row of Report Table will display the Into Home/Out of Home traffic for the protocol, and the value in the Sum column is the total amount of the Into Home and Out of Home traffic. Click on the Protocol sub menu of Attribute Report under the Report / Internet menu to enter the Protocol Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Internet for details. Except that the data listed in Report Table is different, all other descriptions are the same. For Protocol reports, the Report Table will display the top N Protocols.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.3.3 Protocol+Port

The Protocol+Port traffic analysis of the Internet attribute report provides information about the ingress/egress (Into Home/Out of Home) traffic aggregated according to protocol plus port number (service) for TCP and UDP (for ICMP, the traffic will be aggregated according to the ICMP code and type). Each row of Report Table will display the Into Home/Out of Home traffic for the protocol+port (service), and the value in the Sum column is the total amount of the Into Home and Out of Home traffic. The top 128 will be stored in the database and the top N (N: default = 25) will be displayed in the report.

In this report, users can obtain not only the traffic Into Home and Out of Home for the service (protocol+port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are two items selectable, Inside and Outside:

• “Inside” means the service is inside the entity (Home Network, Sub-Network…) and represents the data of Request of Ingress traffic or the data of Request of Egress traffic.
• “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic.

Click on the Protocol+Port sub menu of Attribute Report under the Report / Internet menu to enter the Protocol+Port Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report of Report / Internet for details. Except that the data listed in Report Table is different, all other descriptions are the same. For Protocol+Port reports, the Report Table will display the top N Protocol+Port (services).

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.3.4 TOS

The TOS traffic analysis of the Internet attribute report provides information about the ingress/egress (Into Home/Out of Home) traffic aggregated according to the 256 TOS values. Each row of Report Table will display the Into Home/Out of Home traffic for the TOS, and the value in the Sum column is the total amount of the Into Home and Out of Home traffic. In total, the top 128 TOS values will be stored in the database and the top N (N: default = 25) will be displayed in the report. Click on the TOS sub menu of Attribute Report under the Report / Internet menu to enter the TOS Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Internet for details. Except that the data listed in Report Table is different, all other descriptions are the same. For TOS reports, the Report Table will display the top N TOSes.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.1.3.5 Packet Size

The Packet Size traffic analysis of the Internet attribute report provides information about the ingress/egress (Into Home/Out of Home) traffic aggregated according to the packet size. The packet size is calculated by dividing the bytes by the number of packets. The packet size segments are: 1536. Click on the Packet Size sub menu of Attribute Report under the Report / Internet menu to enter the Packet Size Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Internet for details. Except that the data listed in Report Table is different, all other descriptions are the same. For Packet Size reports, the Report Table will display all segments of Packet Size.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2 Neighbor

The Neighbor menu provides various built-in reports for traffic analysis between Neighbor ASes and Home Network, provided that the Home Network area, the Internet boundary, and the Neighbor AS have been defined in advance. Since border routers in the Home AS can connect to a Neighbor AS via external interfaces, the Neighbor boundary shares the same boundary with the Internet boundary. The GenieATM Collector receives the flow data from the border routers, analyzes it, and reports the results related to the Neighbor AS list when the BGP module is enabled. There are three types of analysis reports for Neighbor traffic: Summary Report, Breakdown Report, and Attribute Report. The following sections describe how to query the various Neighbor traffic reports. When users click on the unfolding mark of Report / Neighbor, all its sub menus will be unfolded, including Summary Report, Breakdown Report, and Attribute Report.

7.2.1 Summary Report

The summary report of the Neighbor traffic presents the traffic analysis between the Neighbor ASes and Home Network in a macroscopic view. With the Neighbor summary report, users can quickly see not only the total traffic of each Neighbor AS into/out of Home Network but also the detailed traffic analysis for each Neighbor AS. When users click on the Summary Report sub menu of Report / Neighbor, two sub menus will be shown: Compare and Detail.

7.2.1.1 Compare

The Compare traffic analysis of Neighbor summary report provides users the information about the ingress/egress (Into Home/Out of Home) traffic for each Neighbor AS to compare the differences with the total amount. The Top N Report Table will display all Neighbor ASes (N: maximum = 128). Click on the Compare sub menu of Summary Report under the Report / Neighbor menu to enter the Compare Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Neighbor Group: All Neighbors (default) and the defined Neighbor groups. (All Neighbor groups defined in the Group menu of System Admin / Network / Preferences will be shown here. If you select one specific group, Report Table will only display the traffic analyses for the Neighbor ASes configured in this group. Otherwise, it will display all Neighbor ASes configured in the system.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into Home and the lower part represents the traffic out of Home. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which Neighbor each band represents.)
• Bar Chart. Bar Chart is presented with horizontal bars, and three different colors of bars are used to separately represent Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Egress, Ingress, and Sum traffic statistics.

Report Table

This table displays the traffic analysis statistics for all Neighbor ASes configured in the system, or only for those in a specific group if you selected one in the Neighbor Group drop-down list (in Query Bar). There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that traffic in Report Chart, so users can compare different types of traffic clearly by unselecting some traffic and leaving only those they want. An “All” check box is provided for users to conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.1.2 Detail

The Detail traffic analysis of Neighbor summary report provides the information about the ingress/egress (Into Home/Out of Home) traffic aggregated according to different traffic types (Neighbor Transit, Local Transit, Peering, Both Transit, and Unknown) for a specific Neighbor AS. Click on the Detail sub menu of Summary Report under the Report / Neighbor menu to enter the Detail Report window.


Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Neighbor Group: All Neighbors (default) and the defined Neighbor groups. (All Neighbor groups defined in the Group menu of System Admin / Network / Preferences will be shown here. If you select one specific group, Report Table will only display the traffic analyses for the Neighbor ASes configured in this group. Otherwise, it will display all Neighbor ASes configured in the system.)
• Neighbor: every Neighbor AS configured in the Neighbor group. (The list changes according to the group selected in the Neighbor Group drop-down list.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into Home and the lower part represents the traffic out of Home. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which traffic each band represents.)
• Bar Chart. Bar Chart is presented with horizontal bars, and three different colors of bars are used to separately represent Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Egress, Ingress, and Sum traffic statistics.

Report Table

For the Detail traffic analysis of Neighbor summary report, this table will display five types of traffic analysis statistics for a specific Neighbor AS.

• Neighbor Transit – It counts all traffic that is transited by the Neighbor AS.
• Local Transit – It counts all traffic that originates from the Neighbor AS and is transited to another AS by Home Network.
• Peering – It counts all traffic that originates from the Neighbor AS and is delivered to Home Network.
• Both Transit – It counts all traffic that is transited by the Neighbor AS and Home Network.
• Unknown – It counts traffic that does not match any of the four types above.

There are tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that traffic in Report Chart, so users can compare different types of traffic clearly by unselecting some traffic and leaving only those they want. An “All” check box is provided for users to conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.2 Breakdown Report

Unlike the macroscopic summary report, the breakdown report provides further analysis of specific kinds of traffic. The breakdown report of the Neighbor traffic provides the traffic analysis between one network entity (a Neighbor AS) and another (a Neighbor AS or a sub-network) and has five kinds of reports: Sub-Network, Neighbor, AS Path Length, BGP Message, and Origin ASN. When users click on the unfolding mark of Breakdown Report under the Report / Neighbor menu, all its sub menus will be unfolded, including Sub-Network, Neighbor, AS Path Length, BGP Message, and Origin ASN.

7.2.2.1 Sub-Network

The Sub-Network traffic analysis of Neighbor breakdown report provides the traffic information between the Neighbor AS and each Sub-Network defined in the system. The traffic analyzed in this report is the same as in the Neighbor ASN traffic analysis of Sub-Network breakdown report, but viewed from a different statistical perspective. The Top N Report Table will display all sub-networks (N: maximum = 300). Each row of Report Table will display ingress, egress and sum traffic for each Sub-Network. Click on the Sub-Network sub menu of Breakdown Report under the Report / Neighbor menu to enter the Sub-Network Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all other descriptions are the same. For Sub-Network reports, the Report Table will display the traffic between the Neighbor AS specified and each Sub-Network defined in the system. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.2.2 Neighbor

The Neighbor traffic analysis of Neighbor breakdown report provides information about the traffic “through” a specific Neighbor AS to/from each other Neighbor AS defined in the system. The Top N Report Table will display all Neighbor ASes (N: maximum = 128). Each row of Report Table will display ingress, egress and sum traffic for each Neighbor AS. Click on the Neighbor sub menu of Breakdown Report under the Report / Neighbor menu to enter the Neighbor Report window.


Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all other descriptions are the same. For Neighbor reports, the Report Table will display the traffic between the Neighbor AS specified and each other Neighbor AS defined in the system. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.2.3 AS Path Length

The AS Path Length traffic analysis of Neighbor breakdown report provides the information about the ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is aggregated according to the BGP AS Path length. The system ignores AS path lengths longer than 30. Each row of Report Table will display ingress, egress and sum traffic for each AS path length. This report can help users understand the routing efficiency of their networks and review their routing policies. Click on the AS Path Length sub menu of Breakdown Report under the Report / Neighbor menu to enter the AS Path Length Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all other descriptions are the same. For AS Path Length reports, the Report Table will display the traffic aggregated according to different lengths of AS path for the Neighbor AS passed through. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.2.4 BGP Message

The BGP Message traffic analysis of Neighbor breakdown report provides the update information about Peer BGP messages for a single Neighbor at a time. For an individual router associated with a specific Neighbor entity, there are several statistic types of BGP messages. Each row of Report Table will display message type, number of messages, and total percentage. Click on the BGP Message sub menu of Breakdown Report under the Report / Neighbor menu to enter the BGP Message Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Neighbor Group: All Neighbors (default) and the defined Neighbor groups. (All Neighbor groups defined in the Group menu of System Admin / Network / Preferences will be shown here.)
• Neighbor: every Neighbor AS configured in the Neighbor group. (The list changes according to the group selected in the Neighbor Group drop-down list.)
• Router Group: All routers (default) and the defined Router groups. (All Router groups defined in the Group menu of System Admin / Network / Preferences will be shown here.)
• Router: every router configured in the Router group. (The list changes according to the group selected in the Router Group drop-down list.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

There are three line charts displayed here: Neighbor Traffic, Prefixes From Neighbor, and BGP Messages.

The first one is the traffic chart for the selected Neighbor entity (Into Home/Out of Home). The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. In the chart, the line represents the traffic of the selected Neighbor into and out of Home. The colored objects below the chart indicate which traffic each line represents.

The second one displays the number of routes (prefixes) announced through the selected Neighbor entity. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents the number of prefixes.

The third one displays the variation of different types of messages within the selected time interval. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents the number of messages (per 5 minutes). The colored objects below the chart indicate which message type each line represents.

Report Table

For the BGP message information of Neighbor breakdown report, this table will display six statistic types of BGP messages for a specific router with a specific Neighbor.

• ANN -- Routes Announced by Peer.
• AADIFF -- A route is withdrawn implicitly and replaced with a different route when the original route becomes unreachable or a preferred alternative path becomes available. AADIFF is classified as forwarding instability.
• AADUP -- A route is withdrawn implicitly and replaced with a duplicate of the original route. A duplicate route is defined as a subsequent route announcement that has the same nexthop or AS-path attribute information. AADUP may reflect pathological behavior because a router should only send a BGP update for a change in topology or policy. AADUP may also reflect policy fluctuation as subsequent route announcements may be different in other attributes such as MED and Aggregator.
• TUP -- A previously unavailable route is announced as available. This represents a route repair.
• TDOWN -- A previously available route is withdrawn. This represents a route failure.
• UPDATES -- BGP updates (AADIFF + AADUP + TUP + TDOWN).

There are tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that message type in Report Chart, so users can compare different types of BGP message clearly by unselecting some message types and leaving only those they want. An “All” check box is provided for users to conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
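The BGP message types listed in the Report Table description above can be derived from one peer's stream of announcements and withdrawals by tracking the last known state of each prefix and counting per 5-minute bin, as on the BGP Messages chart. The following Python code is an added example, not GenieATM code: the `Update` record and the sample stream are constructed, a duplicate is taken to mean that next hop and AS path both match, and first-time announcements (counted under ANN only) and withdrawals of routes that are not currently available (ignored) are handled by assumption.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

_WITHDRAWN = object()  # marker: prefix was announced earlier and is now withdrawn


@dataclass(frozen=True)
class Update:
    """One per-prefix BGP event from a single peer (hypothetical record layout)."""
    ts: int                          # seconds since start of capture
    prefix: str
    announce: bool                   # True = announcement, False = withdrawal
    next_hop: Optional[str] = None
    as_path: Tuple[int, ...] = ()
    med: Optional[int] = None        # carried but not used for duplicate detection


def classify(updates: Iterable[Update]) -> List[Tuple[Update, Optional[str]]]:
    """Label each event AADIFF, AADUP, TUP, TDOWN or None, in timestamp order."""
    state: Dict[str, object] = {}    # prefix -> (next_hop, as_path) or _WITHDRAWN
    out = []
    for u in sorted(updates, key=lambda x: x.ts):
        prev = state.get(u.prefix)   # None means the prefix was never seen
        label = None
        if u.announce:
            key = (u.next_hop, u.as_path)
            if prev is _WITHDRAWN:
                label = "TUP"        # route repair after an explicit withdrawal
            elif prev is not None:
                # Implicit withdrawal: the new announcement replaces the old route.
                label = "AADUP" if prev == key else "AADIFF"
            # Assumption: the first announcement of a prefix gets no label.
            state[u.prefix] = key
        elif prev is not None and prev is not _WITHDRAWN:
            label = "TDOWN"          # route failure
            state[u.prefix] = _WITHDRAWN
        # Assumption: withdrawing an unavailable route is ignored.
        out.append((u, label))
    return out


def bin_counts(updates: Iterable[Update], bin_seconds: int = 300) -> Dict[int, dict]:
    """Per-bin counters: ANN, the four labels, and UPDATES as their sum."""
    bins: Dict[int, Counter] = defaultdict(Counter)
    for u, label in classify(updates):
        c = bins[u.ts // bin_seconds]
        if u.announce:
            c["ANN"] += 1            # every announcement received from the peer
        if label:
            c[label] += 1
            c["UPDATES"] += 1        # AADIFF + AADUP + TUP + TDOWN
    return {b: dict(c) for b, c in sorted(bins.items())}


# Constructed sample stream (documentation prefixes and ASNs, not real data).
P = "192.0.2.0/24"
SAMPLE = [
    Update(0, P, True, "10.0.0.1", (64500, 64501)),          # first sighting
    Update(30, P, True, "10.0.0.1", (64500, 64501), med=50),  # only MED changed
    Update(60, P, True, "10.0.0.1", (64500, 64502, 64501)),   # new AS path
    Update(120, P, False),                                     # route failure
    Update(130, P, False),                                     # repeated withdrawal
    Update(310, P, True, "10.0.0.1", (64500, 64501)),         # route repair
    Update(320, "198.51.100.0/24", True, "10.0.0.1", (64500,)),
    Update(330, "203.0.113.0/24", False),                      # never announced
]

if __name__ == "__main__":
    for u, label in classify(SAMPLE):
        kind = "A" if u.announce else "W"
        print(f"{u.ts:>4}s {kind} {u.prefix:<18} {label or '-'}")
    for b, counts in bin_counts(SAMPLE).items():
        print(f"bin {b}: {counts}")
```

The second sample event changes only MED, so it is counted as AADUP, which is the policy-fluctuation case the AADUP description mentions.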

7.2.2.5 Origin ASN

The Origin ASN traffic analysis of Neighbor breakdown report provides the information about the traffic from/to the Home Network through a specific Neighbor AS to/from some Origin ASes. This report will list the top N Origin ASNs passing through the specific Neighbor AS. Because the number of Origin ASes may be quite large, only the top 128 ASNs will be saved to the DB. The top N (N: default = 25) ASNs will be displayed, each in a row. Each row of Report Table will display ingress, egress and sum traffic for each Origin ASN. Click on the Origin ASN sub menu of Breakdown Report under the Report / Neighbor menu to enter the Origin ASN Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all other descriptions are the same. For Origin ASN reports, the Report Table will display top N Origin ASNs. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.3 Attribute Report

The attribute report provides the analysis information about some common attributes. With common attribute reports, users can understand how their network resources are actually being used. The attribute report of the Internet traffic has five kinds: Application, Protocol, Protocol+Port, TOS, and Packet Size. When users click on the unfolding mark of Attribute Report under the Report / Neighbor menu, all its sub menus will be unfolded, including Application, Protocol, Protocol+Port, TOS, and Packet Size.

7.2.3.1 Application

The Application traffic analysis of Neighbor attribute report provides the information about the ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is aggregated according to the user defined application groups on source and destination ports separately for different traffic directions. Up to the top 128 applications will be saved to the DB. The top N (N: default = 25) applications will be displayed, each in a row.

In this report, users can obtain not only the traffic Into Home and Out of Home for applications but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. Two items are selectable: Inside and Outside. “Inside” means the server is inside the entity (Home Network, Sub-Network…) and represents the data of Request of Ingress traffic or the data of Response of Egress traffic. “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic. Click on the Application sub menu of Attribute Report under the Report / Neighbor menu to enter the Application Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all other descriptions are the same. For Application reports, the Report Table will display top N Applications. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.3.2 Protocol

The Protocol traffic analysis of Neighbor attribute report provides the information about the ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is aggregated according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). In total, the top 128 protocols will be stored in the database and the top N (N: default = 25) will be displayed in the report. Each row of Report Table will display the Into Home/Out of Home traffic for the protocol, and the value in the Sum column is the total amount of the Into Home and Out of Home traffic. Click on the Protocol sub menu of Attribute Report under the Report / Neighbor menu to enter the Protocol Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all other descriptions are the same. For Protocol reports, the Report Table will display top N Protocols. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.3.3 Protocol+Port

The Protocol+Port traffic analysis of Neighbor attribute report provides the information about the ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is aggregated according to protocol plus port number (service) for TCP and UDP (if it is for ICMP, the traffic will be aggregated according to the code and type of the ICMP). Each row of Report Table will display the Into Home/Out of Home traffic for the protocol+port (service), and the value in the Sum column is the total amount of the Into Home and Out of Home traffic. The top 128 will be stored in the database and the top N (N: default = 25) will be displayed in the report.

In this report, users can obtain not only the traffic Into Home and Out of Home for the service (protocol+port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. Two items are selectable: Inside and Outside. “Inside” means the server is inside the entity (Home Network, Sub-Network…) and represents the data of Request of Ingress traffic or the data of Response of Egress traffic. “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic. Click on the Protocol+Port sub menu of Attribute Report under the Report / Neighbor menu to enter the Protocol+Port Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all other descriptions are the same. For Protocol+Port reports, the Report Table will display top N Protocol+Port (services). Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.2.3.4 TOS

The TOS traffic analysis of Neighbor attribute report provides the information about the ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is aggregated according to the 256 TOS values. Each row of Report Table will display the Into Home/Out of Home traffic for the TOS, and the value in the Sum column is the total amount of the Into Home and Out of Home traffic. In total, the top 128 TOS values will be stored in the database and the top N (N: default = 25) will be displayed in the report. Click on the TOS sub menu of Attribute Report under the Report / Neighbor menu to enter the TOS Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all other descriptions are the same. For TOS reports, the Report Table will display top N TOSes. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


7.2.3.5 Packet Size

The Packet Size traffic analysis of Neighbor attribute report provides the information about the ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is aggregated according to the packet size. The packet size is calculated by dividing the number of bytes by the number of packets. The packet size segments are: 1536. Click on the Packet Size sub menu of Attribute Report under the Report / Neighbor menu to enter the Packet Size Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Detail section of Summary Report of Report / Neighbor for details. Apart from the data listed in Report Table, all descriptions are the same. For Packet Size reports, the Report Table will display all segments of Packet Size. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.3 Backbone

The Backbone menu provides various built-in reports for Backbone traffic analysis, provided that the Home Network area and the Backbone boundary have been defined in advance. The traffic going through the interfaces on the Backbone boundary is classified as Backbone traffic. From the Backbone traffic reports, users can see the traffic delivered through their backbone network and the traffic status of each core router. Backbone traffic reports include Summary Report and Core Router. The following sections describe how to query the various Backbone traffic reports. When users click on the unfolding mark of Report / Backbone, all its sub menus will be unfolded, including Summary Report and Core Router.

7.3.1 Summary Report

The summary report of the Backbone traffic presents, in a macroscopic view, the analysis of the traffic passing from the Internet/Home Network through the Backbone to the Internet/Home Network. With the Backbone summary report, users can get a brief overview of their Internet traffic. Click on the Summary Report sub menu of the Report / Backbone menu to enter the Summary Report window. The system will display various analysis reports for Backbone traffic according to the selected traffic unit, time interval, and traffic type.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located on the top of the screen and contains the condition options below:
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

This report is presented as a line chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. In the chart, each line represents one kind of traffic and its data matches the data listed in Report Table. The data is divided into two parts by the X-axis. The upper part represents the traffic into Home and the lower part represents the traffic out of Home. (The objects with colors next to check boxes indicate what traffic they are.)

Report Table

For the Backbone summary report, this table will display four kinds of traffic statistics:
• Home to Home – If both the source and destination IP addresses of the Backbone traffic belong to the Home Network IP space, the traffic will be considered as Home to Home Traffic.
• Internet to Home – If the destination IP address of the Backbone traffic belongs to the Home Network IP space but the source IP address does not belong to the Home Network, the traffic will be considered as Internet to Home Traffic.
• Home to Internet – If the source IP address of the Backbone traffic belongs to the Home Network IP space but the destination IP address does not belong to the Home Network, the traffic will be considered as Home to Internet Traffic.
• Internet to Internet – If neither the source nor the destination IP address of the Backbone traffic belongs to the Home Network IP space, the traffic will be considered as Internet to Internet Traffic, also called Transit Traffic.

Average, current, and maximum values will be displayed in the table. Selecting the check box at the front of a row draws that traffic in Report Chart, so users can compare different types of traffic clearly by unselecting some traffic and leaving only those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.3.2 Core Router

The Core Router report of the Backbone traffic presents the traffic analysis related to the backbone network from the core router’s viewpoint. (A router with any backbone link is a core router.) There are two kinds of reports about the core router. One displays the traffic summary for each core router; the other provides the detailed traffic information for a specific core router. When users click on the Core Router sub menu of Report / Backbone, two sub menus will be shown: Compare and Detail.

7.3.2.1 Compare

The Compare report of Core Router of Backbone traffic analysis provides users the information about the Into Backbone/Out of Backbone (Backbone Boundary to Backbone Links/Backbone Links to Backbone Boundary) traffic for each Core Router to compare the differences with the total amount. The Top N Report Table will display all core routers. Click on the Compare sub menu of Core Router under the Report / Backbone menu to enter the Compare Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located on the top of the screen and contains the condition options below:
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: there are three types of output report charts provided – Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into Backbone and the lower part represents the traffic out of Backbone. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands. (The objects with colors next to check boxes indicate which router they are.)
• Bar Chart. Bar Chart is presented with horizontal bars, and three different colors of bars are used to separately represent Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Egress, Ingress, and Sum traffic statistics.

Report Table

This table will display the traffic analysis statistics for all core routers. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that traffic in Report Chart, so users can compare different types of traffic clearly by unselecting some traffic and leaving only those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.3.2.2 Detail

The Detail report of Core Router of Backbone traffic analysis provides the information about the Into Backbone/Out of Backbone (Boundary to Backbone/Backbone to Boundary) traffic aggregated according to different traffic types (Local to Local, Local to Backbone, Backbone to Local, and Backbone to Backbone) for a specific Core Router. Click on the Detail sub menu of Core Router under the Report / Backbone menu to enter the Detail Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located on the top of the screen and contains the condition options below:
• Core Router: every core router (All routers with a backbone interface, also called backbone link, are core routers and will be listed in this drop-down list. You can check this information in the Router configuration view list of the System/Network/Router function.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

This report is presented as a line chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. In the chart, each line represents one kind of traffic and its data matches the data listed in Report Table. (The objects with colors next to check boxes indicate what traffic they are.)

Report Table

For the Detail report of Core Router of Backbone traffic analysis, this table will display four types of traffic analysis statistics for a specific Core Router:
• Local to Backbone – counts all traffic for which only the output interface is a backbone link (interface).
• Local to Local – counts all traffic for which neither the input nor the output interface is a backbone link (interface).
• Backbone to Local – counts all traffic for which only the input interface is a backbone link (interface).
• Backbone to Backbone – counts all traffic for which both the input and output interfaces are backbone links (interfaces).

Average, current, and maximum values will be displayed in the table. Selecting the check box at the front of a row draws that traffic in Report Chart, so users can compare different types of traffic clearly by unselecting some traffic and leaving only those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
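The two four-way classifications used by the Backbone reports (the Home/Internet kinds of the Summary Report in 7.3.1 and the Local/Backbone types of the Core Router Detail report) can be reproduced over exported flow records to cross-check a report. The following Python is an added example, not GenieATM code; the flow-record fields, the Home Network prefixes, and the (router, interface index) backbone-link table are assumptions with constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Assumed Home Network IP space (documentation prefixes, constructed).
HOME_PREFIXES = [ipaddress.ip_network(p) for p in
                 ("192.0.2.0/24", "198.51.100.0/24", "2001:db8:100::/48")]
# Assumed backbone links, keyed by (router name, interface index).
BACKBONE_LINKS = {("core1", 10), ("core1", 11), ("core2", 10)}


def in_home(addr):
    """True if the address falls inside the configured Home Network space."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in HOME_PREFIXES)


def summary_class(flow):
    """Backbone Summary Report: classify by source/destination address."""
    src, dst = in_home(flow["src"]), in_home(flow["dst"])
    if src and dst:
        return "Home to Home"
    if dst:
        return "Internet to Home"
    if src:
        return "Home to Internet"
    return "Internet to Internet"      # transit traffic


def core_router_class(flow):
    """Core Router Detail report: classify by input/output interface."""
    in_bb = (flow["router"], flow["in_if"]) in BACKBONE_LINKS
    out_bb = (flow["router"], flow["out_if"]) in BACKBONE_LINKS
    if in_bb and out_bb:
        return "Backbone to Backbone"
    if out_bb:
        return "Local to Backbone"
    if in_bb:
        return "Backbone to Local"
    return "Local to Local"


def report(flows, classify, interval_seconds, unit="bps"):
    """Average rate per class over the interval, in bps or pps."""
    totals = defaultdict(int)
    for f in flows:
        totals[classify(f)] += (f["bytes"] * 8) if unit == "bps" else f["packets"]
    return {name: total / interval_seconds for name, total in totals.items()}


def core_router_detail(flows, router, interval_seconds, unit="bps"):
    """The Detail report covers one specific core router at a time."""
    own = [f for f in flows if f["router"] == router]
    return report(own, core_router_class, interval_seconds, unit)


# Constructed flow records covering one 300-second interval.
FLOWS = [
    {"router": "core1", "src": "203.0.113.7", "dst": "192.0.2.10",
     "in_if": 10, "out_if": 3, "bytes": 37500, "packets": 30},
    {"router": "core1", "src": "192.0.2.10", "dst": "198.51.100.5",
     "in_if": 3, "out_if": 4, "bytes": 75000, "packets": 60},
    {"router": "core2", "src": "198.51.100.5", "dst": "203.0.113.9",
     "in_if": 2, "out_if": 10, "bytes": 150000, "packets": 150},
    {"router": "core1", "src": "203.0.113.7", "dst": "203.0.113.200",
     "in_if": 10, "out_if": 11, "bytes": 37500, "packets": 600},
    {"router": "core1", "src": "2001:db8:100::1", "dst": "2001:db8:ffff::1",
     "in_if": 3, "out_if": 10, "bytes": 37500, "packets": 30},
]

if __name__ == "__main__":
    for name, bps in sorted(report(FLOWS, summary_class, 300).items()):
        print(f"{name:22s} {bps:8.0f} bps")
    for name, bps in sorted(core_router_detail(FLOWS, "core1", 300).items()):
        print(f"core1 {name:22s} {bps:8.0f} bps")
```

A high packet rate with a low bit rate in the Internet to Internet row, as in the fourth constructed flow, is the kind of transit pattern worth comparing between the bps and pps views.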

7.4 Router

The Router menu provides various built-in reports for the traffic analysis of each router configured in the system. Users can obtain the total ingress/egress traffic, the device utilization of CPU and memory, the BGP messages (the BGP lookup function must be enabled), and the BGP next hops of each router configured in the system. The following sections describe how to query the various Router traffic reports. For the traffic of each interface on routers, please check the Report / Interface menu. When users click on the unfolding mark of Report / Router, all its sub menus will be unfolded, including Traffic, Performance, BGP Message, and BGP Next Hop.

7.4.1 Traffic

The Traffic report of the router presents the traffic analysis for every single router. With this report, users can know the ingress/egress traffic of each router. Click on the Traffic sub menu of Report / Router menu to enter the Traffic Report window. The system will display various analysis reports for Router traffic according to the selected router group, traffic unit, and time interval. The Top N Report Table will display all routers.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located on the top of the screen and contains the condition options below:
• Router Group: All routers (default) and the defined router groups (All router groups defined in the Group menu of System Admin / Network / Preferences will be shown here. If you select one specific group, Report Table will only display the traffic analyses for the routers configured in this group. Otherwise, it will display all routers configured in the system.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: there is only one type of output report chart provided – Stacked Chart.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

This report is presented as a stacked chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into Router and the lower part represents the traffic out of Router. In the chart, each stacked band represents the traffic of a router and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands. The objects with colors below the chart indicate which router they are.

Report Table

This table will display the traffic analysis statistics for all routers. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that router’s traffic in Report Chart, so users can compare the traffic of different routers clearly by unselecting routers and leaving only those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.4.2 Performance

The Performance report of the router presents the CPU and memory utilization of every configured router. It uses SNMP polling to collect data. With this report, users can take precautions against overload in advance. Click on the Performance sub menu of Report / Router menu to enter the Performance Report window. The system will display various analysis reports for Router traffic according to the selected router group and time interval.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located on the top of the screen and contains the condition options below:
• Router Group: All routers (default) and the defined router groups (All router groups defined in the Group menu of System Admin / Network / Preferences will be shown here. If you select one specific group, Report Table will only display the traffic analyses for the routers configured in this group. Otherwise, it will display all routers configured in the system.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). If users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

There are two line charts displayed here: CPU Usage and Memory Usage. The first one is the CPU utilization chart and the second one is the Memory utilization chart for the selected router group. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents the percentage of the utilization. In the chart, the line represents the utilization of the selected router. The objects with colors below the chart indicate which router they are.

Report Table

This table will display the percentage of CPU and memory utilization for every router in the selected router group. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that router’s data in Report Chart, so users can compare the utilization of different routers clearly by unselecting routers and leaving only those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.4.3 BGP Message

The BGP Message traffic analysis of the Router report provides the BGP message update information for a single Router at a time. This report provides statistics similar to those of the Neighbor BGP Message report, but it does not display ANN message type statistics, because ANN is related to a specific Neighbor. Each row of the Report Table will display the message type, number of messages, and total percentage. Click on the BGP Message sub menu of Report / Router menu to enter the BGP Message Report window.

Report Descriptions There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Query Bar This part is located on the top of the screen and contains condition options below: • Router Group: All routers (default) and the defined Router groups (All Router groups defined in the Group menu of System Admin / Network / Preferences will be shown here.) • Router: every router configured in the Router group (It will be converted according to the group selected in the Router Group drop-down list.) • Time Range: a flexible way to specify the time interval for displaying report. There are two ways provided to specify the time interval in the system: one is Time Range and the other is Period (Please see the description below for details). Once users choose this way, please specify the start time and end time of analysis report from the Start Time and Until drop-down lists.

© 2009 Genie Network Resource Management Inc. All Rights Reserved.

252

• Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. Once users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart
There are two line charts displayed here: All Prefixes on Router and BGP Messages. The first one displays the total number of routes (prefixes) learned from the router within the selected time interval. The X-coordinate represents time and adjusts according to the time interval selected by users. The Y-coordinate represents the number of prefixes.
The second one displays the variation of the different types of messages within the selected time interval. The X-coordinate represents time and adjusts according to the time interval selected by users. The Y-coordinate represents the number of messages (per 5 minutes). The colored objects below the chart indicate which message type each line represents.

Report Table
For the BGP message information of the Router report, this table displays five statistic types of BGP messages for a specific router.
• AADIFF -- A route is implicitly withdrawn and replaced with a different route because the original route becomes unreachable or a preferred alternative path becomes available. AADIFF is classified as forwarding instability.
• AADUP -- A route is implicitly withdrawn and replaced with a duplicate of the original route. A duplicate route is defined as a subsequent route announcement that has the same nexthop or AS-path attribute information. AADUP may reflect pathological behavior because a router should only send a BGP update for a change in topology or policy. AADUP may also reflect policy fluctuation, as subsequent route announcements may differ in other attributes such as MED and Aggregator.
• TUP -- A previously unavailable route is announced as available. This represents a route repair.
• TDOWN -- A previously available route is withdrawn. This represents a route failure.
• UPDATES -- BGP updates (AADIFF + AADUP + TUP + TDOWN).
There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page you are currently viewing. Selecting the check box at the front of a row draws its traffic in the Report Chart, so users can compare different types of BGP messages clearly by deselecting the message types they do not need and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.
In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
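
The following added example (not GenieATM code) classifies a per-prefix stream of BGP events into the message types defined above, counts them per 5 minutes, and derives the Average, Current, and Maximum values. The event layout and sample data are constructed; a duplicate is read as next hop and AS path both unchanged, a first-seen announcement is counted as TUP, and withdrawals of routes not currently held are left uncounted, all of which are assumptions.

```python
from collections import Counter, namedtuple

# One per-prefix BGP event as seen from a single router. The record layout is
# an assumption for this example; kind is "A" (announce) or "W" (withdraw).
Event = namedtuple("Event", "ts prefix kind next_hop as_path med",
                   defaults=(None, (), None))

TYPES = ("AADIFF", "AADUP", "TUP", "TDOWN")
BUCKET_SECONDS = 300  # the report counts messages per 5 minutes

# Constructed sample events (documentation prefixes and AS numbers).
SAMPLE_EVENTS = [
    Event(0, "192.0.2.0/24", "A", "10.0.0.1", (64500, 64501), 0),
    Event(10, "198.51.100.0/24", "A", "10.0.0.1", (64500, 64502), 0),
    Event(60, "192.0.2.0/24", "A", "10.0.0.1", (64500, 64501), 50),  # only MED changed
    Event(120, "192.0.2.0/24", "A", "10.0.0.2", (64503, 64501), 0),  # new path
    Event(310, "198.51.100.0/24", "W"),
    Event(320, "198.51.100.0/24", "W"),                              # already withdrawn
    Event(330, "198.51.100.0/24", "A", "10.0.0.1", (64500, 64502), 0),
    Event(900, "192.0.2.0/24", "A", "10.0.0.2", (64503, 64501), 0),
]


def classify(events):
    """Yield (ts, prefix, message_type) for every event that maps to a type."""
    rib = {}  # prefix -> (next_hop, as_path) of the route currently announced
    for ev in sorted(events, key=lambda e: e.ts):
        current = rib.get(ev.prefix)
        if ev.kind == "A":
            new = (ev.next_hop, tuple(ev.as_path))
            if current is None:
                label = "TUP"        # previously unavailable route announced
            elif new == current:
                label = "AADUP"      # implicit withdrawal, duplicate route
            else:
                label = "AADIFF"     # implicit withdrawal, different route
            rib[ev.prefix] = new
        elif ev.kind == "W":
            if current is None:
                continue             # route not held: not one of the four types
            label = "TDOWN"          # previously available route withdrawn
            del rib[ev.prefix]
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
        yield ev.ts, ev.prefix, label


def bucketize(classified):
    """Count message types per 5-minute bucket, keyed by bucket start time."""
    buckets = {}
    for ts, _prefix, label in classified:
        counts = buckets.setdefault(ts - ts % BUCKET_SECONDS, Counter())
        counts[label] += 1
        counts["UPDATES"] += 1       # UPDATES = AADIFF + AADUP + TUP + TDOWN
    return dict(sorted(buckets.items()))


def summarize(buckets):
    """Average, Current and Maximum per type; quiet buckets count as zero."""
    if not buckets:
        return {}
    starts = range(min(buckets), max(buckets) + 1, BUCKET_SECONDS)
    series = [buckets.get(start, Counter()) for start in starts]
    summary = {}
    for name in TYPES + ("UPDATES",):
        values = [counts[name] for counts in series]
        summary[name] = {
            "average": sum(values) / len(values),
            "current": values[-1],
            "maximum": max(values),
        }
    return summary


if __name__ == "__main__":
    for name, stats in summarize(bucketize(classify(SAMPLE_EVENTS))).items():
        print(name, stats)
```

A sustained rise in AADUP or AADIFF for one router, with no matching TDOWN/TUP pairs, is the pattern the text above associates with pathological behavior or policy fluctuation rather than link failure.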


7.4.4 BGP Next Hop

The BGP Next Hop traffic analysis of the Router report provides information about the BGP next hops of a specific router. This report displays a top N listing (N: maximum = 128; default = 25) of the traffic per looked-up BGP next hop, identified by IP address. The Report Table contains the BGP Next Hop IP address, traffic value, and total percentage. The Total row is the sum of the router’s egress traffic. Click on the BGP Next Hop sub menu of the Report / Router menu to enter the BGP Next Hop Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the following condition options:
• Router Group: All routers (default) and the defined Router groups. (All Router groups defined in the Group menu of System Admin / Network / Preferences will be shown here.)
• Router: every router configured in the Router group. (The list changes according to the group selected in the Router Group drop-down list.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). Once users choose Time Range, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. Once users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: only one type of output report chart is provided: Stacked Chart.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart
This report is presented as a stacked chart. The X-coordinate represents time and adjusts according to the time interval selected by users. The Y-coordinate represents traffic flow. The chart (above the X-axis) represents the traffic out of the router. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which next hop each band represents.)

Report Table
This table will display the traffic analysis statistics for all routers. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page you are currently viewing. Selecting the check box at the front of a row draws its traffic in the Report Chart, so users can compare the traffic of different routers clearly by deselecting the routers they do not need and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.
In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.4.5 MPLS

The MPLS traffic analysis of the Router report provides both overall and detailed MPLS (Multi-protocol Label Switching) traffic analyses. GenieATM collects MPLS traffic by retrieving NetFlow V9 packets from each router (NetFlow V9 packets can carry MPLS traffic information). The reports are presented for every router, since there is no way to know whether a router has NetFlow V9 and MPLS enabled, and a report will be empty if the router does not have NetFlow V9 and MPLS enabled. Three kinds of reports are supported for MPLS traffic: Summary, Class of Services, and Egress PE. When users click on the unfolding mark of MPLS under the Report / Router menu, all its sub menus will be unfolded, including Summary Report, Class of Services, and Egress PE.

7.4.5.1 Summary Report

The summary report of the MPLS traffic presents the traffic analysis for each router’s ingress and egress traffic carried by MPLS packets, and also the total MPLS and non-MPLS traffic of the router. With the MPLS summary report, users can see how much MPLS traffic is running on each router. Up to the top 64 MPLS labels will be saved to the DB and the top N (N: default = 25) will be displayed, one per row. Each row will display the following information: MPLS labels, into router traffic, out of router traffic, sum traffic, and total percentage. Click on the Summary Report sub menu of MPLS under the Report / Router menu to enter the Summary Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the following condition options:
• Router Group: All routers (default) and the defined Router groups. (All Router groups defined in the Group menu of System Admin / Network / Preferences will be shown here.)
• Router: every router configured in the Router group. (The list changes according to the group selected in the Router Group drop-down list.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). Once users choose Time Range, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. Once users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”. Both
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart
This report is presented as a stacked chart. The X-coordinate represents time and adjusts according to the time interval selected by users. The Y-coordinate represents traffic flow. The chart (above the X-axis) represents the traffic out of the router. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which MPLS label each band represents.)

Report Table
This table will display the traffic analysis statistics for all routers. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page you are currently viewing. Selecting the check box at the front of a row draws its traffic in the Report Chart, so users can compare the traffic of different MPLS labels clearly by deselecting the labels they do not need and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.
In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.4.5.2 Class of Services

There are three classes of service used to feature MPLS: CAR, WRED, and WFQ. CAR uses the TOS bits in the IP header to classify packets according to the input and output transmission rate. Therefore, this report aggregates the router input traffic according to SRC_TOS if MPLS_LABEL_1 exists, and the router output traffic according to DST_TOS if MPLS_LABEL_1 exists. Up to the top 64 CoS values will be saved to the DB and the top N (N: default = 25) will be displayed, one per row. Each row will display the following information: CoS values, into router traffic, out of router traffic, sum traffic, and total percentage. Click on the Class of Services sub menu of MPLS under the Report / Router menu to enter the Class of Services Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Summary Report section of Report / Router / MPLS for details. Except for the data listed in the Report Table, all other descriptions are the same. For Class of Services reports, the Report Table will display the top N CoS values.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.4.5.3 Egress PE

When MPLS_TOP_LABEL_IP_ADDR is not zero and the label type is LDP, the traffic will be aggregated according to the value of MPLS_TOP_LABEL_IP_ADDR. Up to the top 64 IP addresses will be saved to the DB and the top N (N: default = 25) will be displayed, one per row. Each row will display the following information: IP addresses, egress traffic, and total percentage. Click on the Egress PE sub menu of MPLS under the Report / Router menu to enter the Egress PE Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Summary Report section of Report / Router / MPLS for details. Except for the data listed in the Report Table, all other descriptions are the same. For Egress PE reports, the Report Table will display the top N IP addresses.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
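
The following added example (not GenieATM code) applies the aggregation rules of the Class of Services and Egress PE reports to decoded NetFlow V9 records. The flow records are constructed, MPLS_TOP_LABEL_TYPE with value 5 for LDP is the standard NetFlow V9 field, and the remaining choices are assumptions: MPLS_LABEL_1 "exists" when it is non-zero, every labelled flow counts once as input and once as output, traffic is measured in IN_BYTES, and the percentage is the row's share of the aggregated total.

```python
from collections import defaultdict
from ipaddress import IPv4Address

LDP = 5             # MPLS_TOP_LABEL_TYPE code for LDP in NetFlow V9
STORE_LIMIT = 64    # "up to the top 64 ... will be saved to the DB"
DEFAULT_TOP_N = 25  # default N of the displayed top-N list


def _ip(text):
    """Dotted quad -> 32-bit integer, as an exporter would carry it."""
    return int(IPv4Address(text))


# Constructed sample of decoded NetFlow V9 records (documentation addresses).
SAMPLE_FLOWS = [
    {"MPLS_LABEL_1": 0x186A1, "SRC_TOS": 0xB8, "DST_TOS": 0xB8,
     "MPLS_TOP_LABEL_TYPE": 5, "MPLS_TOP_LABEL_IP_ADDR": _ip("192.0.2.1"),
     "IN_BYTES": 6000},
    {"MPLS_LABEL_1": 0x186B1, "SRC_TOS": 0x00, "DST_TOS": 0x28,
     "MPLS_TOP_LABEL_TYPE": 5, "MPLS_TOP_LABEL_IP_ADDR": _ip("192.0.2.2"),
     "IN_BYTES": 3000},
    # VPN label (type 3): counted for CoS, not for Egress PE.
    {"MPLS_LABEL_1": 0x186C1, "SRC_TOS": 0xB8, "DST_TOS": 0x00,
     "MPLS_TOP_LABEL_TYPE": 3, "MPLS_TOP_LABEL_IP_ADDR": _ip("192.0.2.1"),
     "IN_BYTES": 1000},
    # Plain IP flow without an MPLS label: ignored by both reports.
    {"MPLS_LABEL_1": 0, "SRC_TOS": 0x00, "DST_TOS": 0x00,
     "MPLS_TOP_LABEL_TYPE": 0, "MPLS_TOP_LABEL_IP_ADDR": 0, "IN_BYTES": 5000},
    # LDP label but a zero top-label address: CoS only.
    {"MPLS_LABEL_1": 0x186D1, "SRC_TOS": 0x28, "DST_TOS": 0x28,
     "MPLS_TOP_LABEL_TYPE": 5, "MPLS_TOP_LABEL_IP_ADDR": 0, "IN_BYTES": 500},
]


def _rank(rows, top_n):
    """Sort rows by their last column, truncate, append the percentage."""
    total = sum(row[-1] for row in rows) or 1
    ranked = sorted(rows, key=lambda row: (-row[-1], str(row[0])))
    ranked = ranked[:min(top_n, STORE_LIMIT)]
    return [row + (round(100.0 * row[-1] / total, 1),) for row in ranked]


def cos_report(flows, top_n=DEFAULT_TOP_N):
    """Rows of (CoS value, into router, out of router, sum, percentage)."""
    into, out = defaultdict(int), defaultdict(int)
    for flow in flows:
        if not flow.get("MPLS_LABEL_1"):
            continue                                  # not MPLS traffic
        into[flow.get("SRC_TOS", 0)] += flow["IN_BYTES"]
        out[flow.get("DST_TOS", 0)] += flow["IN_BYTES"]
    rows = [(tos, into[tos], out[tos], into[tos] + out[tos])
            for tos in set(into) | set(out)]
    return _rank(rows, top_n)


def egress_pe_report(flows, top_n=DEFAULT_TOP_N):
    """Rows of (egress PE IP address, egress traffic, percentage)."""
    egress = defaultdict(int)
    for flow in flows:
        addr = flow.get("MPLS_TOP_LABEL_IP_ADDR", 0)
        if addr and flow.get("MPLS_TOP_LABEL_TYPE") == LDP:
            egress[str(IPv4Address(addr))] += flow["IN_BYTES"]
    return _rank(list(egress.items()), top_n)


if __name__ == "__main__":
    for row in cos_report(SAMPLE_FLOWS):
        print("CoS 0x%02X into=%d out=%d sum=%d pct=%.1f" % row)
    for row in egress_pe_report(SAMPLE_FLOWS):
        print("PE %s egress=%d pct=%.1f" % row)
```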


7.5 Interface

The Interface menu provides various built-in reports for the traffic analysis of each interface on the routers configured in the system. Users can not only compare the total traffic into and out of each interface for a specific router but also obtain the detailed traffic analysis for each interface of the router. In addition, the Interface menu provides common attribute analysis reports for each interface. The following sections introduce how to query the various Interface traffic reports. When users click on the unfolding mark of Report / Interface, all its sub menus will be unfolded, including Compare, Detail, Top Talker, and Attribute Report.

7.5.1 Compare

The Compare report of Interface traffic analysis provides information about the Into Router/Out of Router traffic for each available interface on the router, so that users can compare the differences against the total amount. The Top N Report Table will display all interfaces in a router. Click on the Compare sub menu of the Report / Interface menu to enter the Compare Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the following condition options:
• Router Group: All routers (default) and the defined Router groups. (All Router groups defined in the Group menu of System Admin / Network / Preferences will be shown here.)
• Router: every router configured in the Router group. (The list changes according to the group selected in the Router Group drop-down list.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). Once users choose Time Range, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. Once users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: only one type of output report chart is provided: Stacked Chart.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart
This report is presented as a stacked chart. The X-coordinate represents time and adjusts according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into the router and the lower part represents the traffic out of the router. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which interface each band represents.)

Report Table
This table will display the traffic analysis statistics for all available interfaces on the selected router. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page you are currently viewing. Selecting the check box at the front of a row draws its traffic in the Report Chart, so users can compare the traffic of different interfaces clearly by deselecting the interfaces they do not need and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection. (The top 5 interfaces will be the default selections for the line chart. Users can select more interfaces, up to 16, to add them to the report chart. The total row will be the ingress/egress traffic of the selected router.)
In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets.
In addition, users can inspect the detailed information by clicking on the “Snapshot” button. A Snapshot window with the analysis criteria will pop up. The snapshot scope of this page will be locked to the queried criteria, and the checked entries in the list table are treated as source parameters. Users can also keep only the wanted entries to perform the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.5.2 Detail

The Detail report of Interface traffic analysis provides information about the Into Router/Out of Router traffic aggregated according to different traffic types (NetFlow Traffic (bps), SNMP Traffic (bps), NetFlow Traffic (pps), SNMP Traffic (pps), SNMP Discard, SNMP CRC Error, and SNMP Multicast/Broadcast) for each available interface on the router. Note that the traffic data of this report is collected from both the NetFlow records and SNMP polling, so users must enable the SNMP Monitor when configuring the interface. Click on the Detail sub menu of the Report / Interface menu to enter the Detail Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the following condition options:
• Router: every router configured in the system.
• Interface: every available interface on the selected router. (The list changes according to the router selected in the Router drop-down list.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). Once users choose Time Range, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. Once users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart
This report is presented as a line chart. The X-coordinate represents time and adjusts according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into the interface and the lower part represents the traffic out of the interface. (The colored objects next to the check boxes indicate which traffic type each line represents.)

Report Table
For the Detail report of Interface of Router traffic analysis, this table will display seven types of statistics related to “layer 2” & “layer 4” traffic for a specific interface.
• NetFlow Traffic (bps)
• SNMP Traffic (bps)
• NetFlow Traffic (pps)
• SNMP Traffic (pps)
• SNMP Discard
• SNMP CRC Error
• SNMP Multicast/Broadcast
Average, current, and maximum values will be displayed in the table. Selecting the check box at the front of a row draws its traffic in the Report Chart, so users can compare different types of traffic clearly by deselecting the traffic types they do not need and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection. (The default types of traffic drawn in the report chart are NetFlow Traffic and SNMP Traffic.)
In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.5.3 Top Talker

The Top Talker traffic analysis of the Interface report provides a top N listing of the traffic per IP address within interfaces. Because the number of IP addresses may be large, only the top 128 IP addresses will be saved to the DB. The top N (N: default = 25) IP addresses will be displayed, one per row. Each row of the Report Table will display the ingress, egress, and sum traffic for each IP address. Click on the Top Talker sub menu of the Report / Interface menu to enter the Top Talker Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the following condition options:
• Router: every router configured in the system.
• Interface: every available interface on the selected router. (The list changes according to the router selected in the Router drop-down list.)
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). Once users choose Time Range, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. Once users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart
• Stacked Chart. The X-coordinate represents time and adjusts according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into the interface and the lower part represents the traffic out of the interface. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which IP address each band represents.)
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different bar colors are used to represent the Ingress, Egress, and Sum traffic statistics separately.
• Pie Chart. Three pie charts are presented to represent the Ingress, Egress, and Sum traffic statistics separately.

Report Table
This table will display the top N IP addresses within the selected interface. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page you are currently viewing. Selecting the check box at the front of a row draws its traffic in the Report Chart, so users can compare the traffic of different IP addresses clearly by deselecting the IP addresses they do not need and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.
In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file will separate the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.5.4 Attribute Report

The attribute report provides analysis information about some common attributes. With the common attribute reports, users can understand how their network resources are actually being used. There are five kinds of attribute report for Interface traffic: Application, Protocol, Protocol+Port, TOS, and Packet Size. When users click on the unfolding mark of Attribute Report under the Report / Interface menu, all its sub menus will be unfolded, including Application, Protocol, Protocol+Port, TOS, and Packet Size.

7.5.4.1

Application

The Application traffic analysis of Interface attribute report provides the information about the ingress/egress (Into Interface/Out of Interface) traffic from a specific interface, which is aggregated according to the user defined application groups on source and destination ports separately for different traffic directions. Up to top 128 applications will be saved to DB. The top N (N: default = 25) applications will be displayed and each in a row. In this report, users can obtain not only the traffic Into Interface and Out of Interface for applications but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are items selectable, Inside, and Outside. “Inside” means the server is inside the entity (Home Network, Sub-Network…) and represents the data of Request of Ingress traffic or the data of Response of Egress traffic. “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic. Click on the Application sub menu of Attribute Report under the Report / Interface menu to enter the Application Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Top Talker section of Report / Interface for details. Apart from the data listed in the Report Table, the descriptions are the same. For Application reports, the Report Table displays the top N Applications. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.5.4.2

Protocol

The Protocol traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic from a specific interface, aggregated according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). In total, the top 128 protocols are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the Into Interface/Out of Interface traffic for the protocol, and the value in the Sum column is the total of the Into Interface and Out of Interface traffic. Click on the Protocol sub menu of Attribute Report under the Report / Interface menu to enter the Protocol Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Top Talker section of Report / Interface for details. Apart from the data listed in the Report Table, the descriptions are the same. For Protocol reports, the Report Table displays the top N Protocols. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.5.4.3

Protocol+Port

The Protocol+Port traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic from a specific interface, aggregated according to protocol plus port number (service) for TCP and UDP (for ICMP, the traffic is aggregated according to the ICMP code and type). Each row of the Report Table displays the Into Interface/Out of Interface traffic for the protocol+port (service), and the value in the Sum column is the total of the Into Interface and Out of Interface traffic. The top 128 are stored in the database and the top N (N: default = 25) are displayed in the report. In this report, users can obtain not only the Into Interface and Out of Interface traffic for the service (protocol+port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic is Request traffic; when a server replies to a client, the traffic is Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are two selectable items, Inside and Outside. “Inside” means the server is inside the entity (Home Network, Sub-Network…) and represents the Request data of Ingress traffic or the Response data of Egress traffic. “Outside” means the server is outside the entity and represents the Response data of Ingress traffic or the Request data of Egress traffic. Click on the Protocol+Port sub menu of Attribute Report under the Report / Interface menu to enter the Protocol+Port Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Top Talker section of Report / Interface for details. Apart from the data listed in the Report Table, the descriptions are the same. For Protocol+Port reports, the Report Table displays the top N Protocol+Port (services). Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
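The Protocol+Port aggregation and the Service selection described above can be reproduced offline on exported flow records, for example to cross-check a report during an investigation. The following is an added example, not GenieATM code: the record fields, the pre-assigned request/response role and the choice of the server-side port as the service port are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

STORED_LIMIT = 128    # rows kept in the database, per the manual
DEFAULT_TOP_N = 25    # rows displayed by default, per the manual
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# (direction, role) pairs covered by each Service choice, as the manual defines them:
# Inside  = Request of Ingress or Response of Egress (server inside the entity)
# Outside = Response of Ingress or Request of Egress (server outside the entity)
SERVICE_FILTER = {
    "Inside": {("ingress", "request"), ("egress", "response")},
    "Outside": {("ingress", "response"), ("egress", "request")},
}


def flow(direction, role, proto, nbytes, src_port=0, dst_port=0,
         icmp_type=0, icmp_code=0):
    """Build one flow record (hypothetical field names)."""
    return {"direction": direction, "role": role, "proto": proto,
            "bytes": nbytes, "src_port": src_port, "dst_port": dst_port,
            "icmp_type": icmp_type, "icmp_code": icmp_code}


def service_key(f):
    """TCP/UDP aggregate on protocol+port, ICMP on type and code."""
    if f["proto"] not in PROTO_NAMES:
        return None  # the manual defines keys only for TCP, UDP and ICMP
    if f["proto"] == 1:
        return f"ICMP type {f['icmp_type']} code {f['icmp_code']}"
    # Assumption: the service port is the server-side port, i.e. the
    # destination port of a request and the source port of a response.
    port = f["dst_port"] if f["role"] == "request" else f["src_port"]
    return f"{PROTO_NAMES[f['proto']]}/{port}"


def protocol_port_report(flows, service, top_n=DEFAULT_TOP_N):
    """Return report rows (service, into, out, sum) sorted by Sum, largest first."""
    if service not in SERVICE_FILTER:
        raise ValueError(f"unknown Service selection: {service!r}")
    wanted = SERVICE_FILTER[service]
    totals = defaultdict(lambda: {"into": 0, "out": 0})
    for f in flows:
        key = service_key(f)
        if key is None or (f["direction"], f["role"]) not in wanted:
            continue
        side = "into" if f["direction"] == "ingress" else "out"
        totals[key][side] += f["bytes"]
    rows = [{"service": k, "into": v["into"], "out": v["out"],
             "sum": v["into"] + v["out"]} for k, v in totals.items()]
    rows.sort(key=lambda r: (-r["sum"], r["service"]))
    return rows[:STORED_LIMIT][:top_n]


# Constructed sample: an internal HTTPS server, an external DNS resolver,
# an inbound ping answered from inside, and an outbound HTTPS session.
SAMPLE_FLOWS = [
    flow("ingress", "request", 6, 1000, src_port=51000, dst_port=443),
    flow("egress", "response", 6, 9000, src_port=443, dst_port=51000),
    flow("egress", "request", 17, 200, src_port=40000, dst_port=53),
    flow("ingress", "response", 17, 600, src_port=53, dst_port=40000),
    flow("ingress", "request", 1, 300, icmp_type=8, icmp_code=0),
    flow("egress", "response", 1, 300, icmp_type=0, icmp_code=0),
    flow("egress", "request", 6, 500, src_port=52000, dst_port=443),
    flow("ingress", "response", 6, 4000, src_port=443, dst_port=52000),
]

if __name__ == "__main__":
    for choice in ("Inside", "Outside"):
        print(choice)
        for row in protocol_port_report(SAMPLE_FLOWS, choice):
            print("  ", row)
```

The same TCP/443 service appears in both selections with different totals, which is why the Service choice has to be recorded alongside any figure taken from this report.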

7.5.4.4

TOS

The TOS traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic from a specific interface, aggregated according to the 256 TOS values. Each row of the Report Table displays the Into Interface/Out of Interface traffic for the TOS, and the value in the Sum column is the total of the Into Interface and Out of Interface traffic. In total, the top 128 TOS values are stored in the database and the top N (N: default = 25) are displayed in the report. Click on the TOS sub menu of Attribute Report under the Report / Interface menu to enter the TOS Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Top Talker section of Report / Interface for details. Apart from the data listed in the Report Table, the descriptions are the same. For TOS reports, the Report Table displays the top N TOSes. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.5.4.5

Packet Size

The Packet Size traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic from a specific interface, aggregated according to the packet size. The packet size is calculated by dividing the number of bytes by the number of packets. The packet size segments are: 1536. Click on the Packet Size sub menu of Attribute Report under the Report / Interface menu to enter the Packet Size Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Top Talker section of Report / Interface for details. Apart from the data listed in the Report Table, the descriptions are the same. For Packet Size reports, the Report Table displays all segments of Packet Size. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.6

Sub-Network

The Sub-Network menu provides various built-in reports for traffic analysis within a sub-network itself, between sub-networks, between a sub-network and other sub-networks, and between a sub-network and Neighbor ASes. The traffic data of the Sub-Network report is collected from the Sub-Network boundaries defined in the system. There are three types of analysis reports for Sub-Network traffic: Summary Report, Breakdown Report, and Attribute Report. The following sections introduce how to query the various Sub-Network traffic reports. When users click on the unfolding mark of Report / Sub-Network, all of its sub menus are unfolded, including Summary Report, Breakdown Report, and Attribute Report.

7.6.1

Summary Report

The summary report of the Sub-Network traffic presents traffic analysis of the sub-network from two viewpoints: comparing the total traffic of each sub-network within a sub-network group, and analyzing the detailed traffic of one sub-network. With the Sub-Network summary report, users can see not only the total traffic of each sub-network but also the detailed traffic analysis for each sub-network. When users click on the Summary Report sub menu of Report / Sub-Network, two sub menus are shown: Compare and Detail.

7.6.1.1

Compare

The Compare traffic analysis of Sub-Network summary report provides users the information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for each sub-network itself to compare the differences with the total amount. The Into Sub-Network traffic includes the traffic from Home and the Internet to the sub-network; the Out of Sub-Network traffic includes the traffic from the sub-network to Home and the Internet. The Top N Report Table will display all sub-networks (N: maximum = 300). Click on the Compare sub menu of Summary Report under the Report / Sub-Network menu to enter the Compare Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the following condition options:
• Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups. (All Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here.)
• Time Range: a flexible way to specify the time interval of the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report’s time interval. Five fixed time intervals are provided, with the end time specified from the Until drop-down list. If users choose Period, the Start Time drop-down list is unavailable.
• Start Time: year, month, date, and time. This drop-down list sets the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose Period to specify the report’s time interval, this drop-down list is unavailable.
• Until: year, month, date, and time. This drop-down list sets the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and is adjusted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the sub-network and the lower part represents the traffic out of the sub-network. Each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which sub-network traffic each band represents.)
• Bar Chart. The Bar Chart is presented with horizontal bars; three different bar colors separately represent Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts separately represent Egress, Ingress, and Sum traffic statistics.

Report Table

This table displays the traffic analysis statistics for all sub-networks configured in the system, or for some of them if a specific group is selected in the Sub-Network Group drop-down list (in Query Bar). There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so users can compare the traffic of different sub-networks clearly by unselecting sub-networks and leaving only those they want. An “All” check box is provided to select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.6.1.2

Detail

The Detail traffic analysis of Sub-Network summary report provides the information about the average/current/maximum traffic aggregated according to different traffic types (Home to Sub-Network, Sub-Network to Home, Internet to Sub-Network, and Sub-Network to Internet) for a specific sub-network. Click on the Detail sub menu of Summary Report under the Report / Sub-Network menu to enter the Detail Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the following condition options:
• Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups. (All Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here.)
• Sub-Network: every sub-network configured in the Sub-Network group. (The list changes according to the group selected in the Sub-Network Group drop-down list.)
• Time Range: a flexible way to specify the time interval of the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report’s time interval. Five fixed time intervals are provided, with the end time specified from the Until drop-down list. If users choose Period, the Start Time drop-down list is unavailable.
• Start Time: year, month, date, and time. This drop-down list sets the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose Period to specify the report’s time interval, this drop-down list is unavailable.
• Until: year, month, date, and time. This drop-down list sets the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

This report is presented as a line chart. The X-coordinate represents time and is adjusted according to the time interval selected by users. The Y-coordinate represents traffic flow. Each line in the chart represents one kind of traffic, and its data matches the data listed in the Report Table. (The colored objects next to the check boxes indicate which traffic each line represents.)

Report Table

For the Detail traffic analysis of the Sub-Network summary report, this table displays four types of traffic analysis statistics for a specific sub-network.
• Home to Sub-Network: counts all traffic whose source IP address belongs to the Home Network area and whose destination IP address belongs to any existing sub-network area.
• Sub-Network to Home: counts all traffic whose destination IP address belongs to the Home Network area and whose source IP address belongs to any existing sub-network area.
• Internet to Sub-Network: counts all traffic whose source IP address does not belong to the Home Network area and whose destination IP address belongs to any existing sub-network area.
• Sub-Network to Internet: counts all traffic whose destination IP address does not belong to the Home Network area and whose source IP address belongs to any existing sub-network area.
Average, current, and maximum values are displayed in the table. Selecting the check box at the front of a row draws that traffic in the Report Chart, so users can compare different types of traffic clearly by unselecting traffic types and leaving only those they want. An “All” check box is provided to select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
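The four traffic-type definitions of the Detail report, applied literally to flow records, with the Average, Current, and Maximum values computed per type. This is an added example, not GenieATM code: the address ranges, the 300-second sample interval and the flow tuples are constructed assumptions.

```python
import ipaddress

# Constructed boundaries (assumptions, not values from the manual).
HOME_NETWORK = [ipaddress.ip_network("10.0.0.0/8")]
SUB_NETWORK_AREA = [ipaddress.ip_network("10.20.0.0/16")]

TRAFFIC_TYPES = (
    "Home to Sub-Network",
    "Sub-Network to Home",
    "Internet to Sub-Network",
    "Sub-Network to Internet",
)


def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify(src, dst):
    """Return every traffic type a flow counts toward.

    The four definitions are not mutually exclusive: when the sub-network
    lies inside the Home Network, a flow between two hosts of the
    sub-network satisfies both Home to Sub-Network and Sub-Network to Home.
    """
    src_home, dst_home = in_any(src, HOME_NETWORK), in_any(dst, HOME_NETWORK)
    src_sub, dst_sub = in_any(src, SUB_NETWORK_AREA), in_any(dst, SUB_NETWORK_AREA)
    matches = []
    if src_home and dst_sub:
        matches.append("Home to Sub-Network")
    if dst_home and src_sub:
        matches.append("Sub-Network to Home")
    if not src_home and dst_sub:
        matches.append("Internet to Sub-Network")
    if not dst_home and src_sub:
        matches.append("Sub-Network to Internet")
    return matches


def detail_report(flows, buckets, bucket_seconds=300):
    """Average/current/maximum bps per traffic type over the given buckets.

    flows: iterable of (bucket_index, src_ip, dst_ip, byte_count).
    buckets: bucket indices that make up the selected time interval.
    """
    buckets = sorted(buckets)
    series = {t: dict.fromkeys(buckets, 0.0) for t in TRAFFIC_TYPES}
    for bucket, src, dst, nbytes in flows:
        if bucket not in series[TRAFFIC_TYPES[0]]:
            continue  # outside the selected time interval
        for t in classify(src, dst):
            series[t][bucket] += nbytes * 8 / bucket_seconds
    report = {}
    for t in TRAFFIC_TYPES:
        values = [series[t][b] for b in buckets]
        if not values:
            report[t] = {"average": 0.0, "current": 0.0, "maximum": 0.0}
            continue
        report[t] = {
            "average": sum(values) / len(values),
            "current": values[-1],   # the last data point in the interval
            "maximum": max(values),
        }
    return report


# Constructed sample flows: (bucket, source, destination, bytes).
SAMPLE_FLOWS = [
    (0, "192.0.2.10", "10.20.1.5", 3_000_000),   # Internet to Sub-Network
    (0, "10.20.1.5", "192.0.2.10", 750_000),     # Sub-Network to Internet
    (0, "10.30.0.7", "10.20.1.5", 1_500_000),    # Home to Sub-Network
    (1, "10.20.1.5", "10.30.0.7", 375_000),      # Sub-Network to Home
    (1, "192.0.2.10", "10.20.1.9", 1_500_000),   # Internet to Sub-Network
    (1, "10.20.1.5", "10.20.2.6", 750_000),      # intra-sub-network: two types
    (1, "10.30.0.7", "198.51.100.1", 100_000),   # no sub-network side: ignored
]

if __name__ == "__main__":
    for name, stats in detail_report(SAMPLE_FLOWS, buckets=(0, 1)).items():
        print(f"{name:26s} {stats}")
```

Because intra-sub-network flows count toward two types under these definitions, the four rows of the table cannot simply be added to obtain a total.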

7.6.2

Breakdown Report

Unlike the macroscopic summary report, the breakdown report provides further analysis of specific kinds of traffic. The breakdown report of the Sub-Network traffic provides traffic analysis between a sub-network and other sub-networks, between a sub-network and other Neighbor entities, between a sub-network and origin ASes, and for the top N IP addresses with sub-networks. There are four kinds of breakdown reports: Sub-Network, Neighbor ASN, Origin ASN, and Top Talker. Since the number of sub-networks/Neighbor entities and IP addresses may be very large, the aggregated data is saved every 30 minutes. When users click on the unfolding mark of Breakdown Report under the Report / Sub-Network menu, all of its sub menus are unfolded, including Sub-Network, Neighbor ASN, Origin ASN, and Top Talker.

7.6.2.1

Sub-Network

The Sub-Network traffic analysis of the Sub-Network breakdown report provides the traffic information between a specific sub-network and every other sub-network within a specific sub-network group. Each row of the Report Table displays the ingress (Into Sub-Network), egress (Out of Sub-Network), and sum traffic for each Sub-Network. The maximum number of sub-networks listed in the Report Table is 300. Click on the Sub-Network sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Sub-Network Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the following condition options:
• Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups. (All Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here.)
• Sub-Network: every sub-network configured in the Sub-Network group. (The list changes according to the group selected in the Sub-Network Group drop-down list.)
• Time Range: a flexible way to specify the time interval of the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report’s time interval. Five fixed time intervals are provided, with the end time specified from the Until drop-down list. If users choose Period, the Start Time drop-down list is unavailable.
• Start Time: year, month, date, and time. This drop-down list sets the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose Period to specify the report’s time interval, this drop-down list is unavailable.
• Until: year, month, date, and time. This drop-down list sets the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and is adjusted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the sub-network and the lower part represents the traffic out of the sub-network, for the specific sub-network selected. Each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which sub-network each band represents.)
• Bar Chart. The Bar Chart is presented with horizontal bars; three different bar colors separately represent Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts separately represent Egress, Ingress, and Sum traffic statistics.

Report Table

There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so users can compare the traffic of different sub-networks clearly by unselecting sub-networks and leaving only those they want. An “All” check box is provided to select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.6.2.2

Sub-Network Matrix

The Sub-Network Matrix analysis report provides the crossing report of the sub-networks. Click on the Sub-Network Matrix sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Sub-Network Matrix Report window.

Report Descriptions

There are two parts in the Traffic Report window: Query Bar and Report Table.

Query Bar

This part is located at the top of the screen and contains the following condition options:
• Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups. (All Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here.)
• Period: daily, weekly, and monthly. Three fixed time intervals are provided, with the end time specified from the Until drop-down list.
• Until: year, month, and date. It represents the end time of the report’s time interval.
• Unit: bps (bits per second) and pps (packets per second).
• Submit: after setting the query conditions, click on this button to submit the query.
In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program.

Report Table

The first column shows the sequence number that marks each sub-network and the second column shows the sub-network name. The top row shows the same sequence numbers as the first column to mark the sub-networks. The sub-network listed in the second column is the source sub-network and the sub-network listed in the top row is the destination sub-network, so users can easily see the traffic from one sub-network to all other sub-networks.

7.6.2.3

Neighbor ASN

The Neighbor ASN traffic analysis of the Sub-Network breakdown report provides information about the traffic “through” each Neighbor AS (defined in the system) to/from a specific sub-network. The maximum number of Neighbor ASes listed in the Report Table is 128. Each row of the Report Table displays the ingress, egress, and sum traffic for each Neighbor AS. Click on the Neighbor ASN sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Neighbor ASN Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Sub-Network for details. Apart from the data listed in the Report Table, the descriptions are the same. For Neighbor ASN breakdown reports, the Report Table displays the traffic between a specific sub-network and the Neighbor entities. In addition, users can inspect the detailed information by clicking on the “Snapshot” button. A Snapshot window with the analysis criteria pops up. The snapshot scope of this page is locked to the queried criterion, and the checked entries in the list table are used as source parameters. Users can also keep only the wanted entries to perform the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.6.2.4

Neighbor Matrix

The Neighbor Matrix analysis report provides the crossing report of the sub-networks in the specified sub-network group to all specified Neighbors in the Neighbor group. Click on the Neighbor Matrix sub menu of Breakdown Report which is under the Report / Sub-Network menu to enter the Neighbor Matrix Report window.

Report Descriptions

There are two parts in the Traffic Report window: Query Bar and Report Table.

Query Bar

This part is located at the top of the screen and contains the following condition options:
• Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups. (All Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here.)
• Neighbor Group: All Neighbors (default) and the defined Neighbor groups. (All Neighbor groups defined in the Group menu of System Admin / Network / Preferences are shown here.)
• Period: daily, weekly, and monthly. Three fixed time intervals are provided, with the end time specified from the Until drop-down list.
• Until: year, month, and date. It represents the end time of the report’s time interval.
• Unit: bps (bits per second) and pps (packets per second).
• Submit: after setting the query conditions, click on this button to submit the query.
In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program.

Report Table

The first column shows the sequence number that marks each sub-network and the second column shows the sub-network name. The top row shows the Neighbor’s name. The traffic direction is from a sub-network to all the specified neighbors, so users can easily see the traffic from all sub-networks in the specified sub-network group to all neighbors in the specified neighbor group.

7.6.2.5

Origin ASN

The Origin ASN traffic analysis of the Sub-Network breakdown report provides the top N listing for Origin AS traffic into/out of a specific sub-network. Because the number of Origin ASes may be large, only the top 128 ASNs are saved to the DB. The top N (N: default = 25) ASNs are displayed, one per row. Each row of the Report Table displays the ingress, egress, and sum traffic for each Origin ASN. Click on the Origin ASN sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Origin ASN Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Sub-Network for details. Apart from the data listed in the Report Table, the descriptions are the same. For Origin ASN reports, the Report Table displays the top N Origin ASNs. In addition, users can inspect the detailed information by clicking on the “Snapshot” button. A Snapshot window with the analysis criteria pops up. The snapshot scope of this page is locked to the queried criterion, and the checked entries in the list table are used as source parameters. Users can also keep only the wanted entries to perform the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.6.2.6

Top Talker

The Top Talker traffic analysis of the Sub-Network breakdown report provides the Inside/Outside top N listing for the traffic of IP addresses within/outside sub-networks. Because the number of IP addresses may be large, only the top 128 IP addresses are saved to the DB. The top N (N: default = 25) IP addresses are displayed, one per row. Each row of the Report Table displays the ingress, egress, and sum traffic for each IP address. Click on the Top Talker sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Top Talker Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Sub-Network for details. Except for the data listed in the Report Table, all other descriptions are the same. Furthermore, the “Usage” tab is supported here. For Top Talker reports, the Report Table displays the inside top N IP addresses within sub-network entities. IP addresses outside the sub-network can also be browsed when users set “Talker” to outside to view the report.

In addition, users can inspect the detailed information by clicking on the “Snapshot” button. A Snapshot window pops up with the analysis criteria. The snapshot scope of this page is locked to the queried criterion, and the checked entries in the list table are taken as source parameters. Users can also keep only the wanted entries to perform the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


7.6.3 Attribute Report

The attribute report provides analysis information about some common attributes. With the common attribute reports, users can understand how their network resources are actually being used. The attribute report of the Sub-Network traffic has five kinds: Application, Protocol, Protocol+Port, TOS, and Packet Size. When users click on the unfolding mark of Attribute Report under the Report / Sub-Network menu, all its sub menus are unfolded, including Application, Protocol, Protocol+Port, TOS, and Packet Size.

7.6.3.1 Application

The Application traffic analysis of the Sub-Network attribute report provides information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to the user-defined application groups on source and destination ports separately for the different traffic directions. Up to the top 128 applications are saved to the DB. The top N (N: default = 25) applications are displayed, one per row.

In this report, users can obtain not only the traffic Into Sub-Network and Out of Sub-Network for applications but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are three selectable items: Both, Inside, and Outside.

• “Both” represents the sum of Request and Response of Ingress or Egress traffic.
• “Inside” means the server is inside the entity (Home Network, Sub-Network…) and represents the data of Request of Ingress traffic or the data of Response of Egress traffic.
• “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic.

Click on the Application sub menu of Attribute Report under the Report / Sub-Network menu to enter the Application Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Sub-Network for details. Except for the data listed in the Report Table, all other descriptions are the same. For Application reports, the Report Table displays the top N Applications.

In addition, users can inspect the detailed information by clicking on the “Snapshot” button. A Snapshot window pops up with the analysis criteria. The snapshot scope of this page is locked to the queried criterion, and the checked entries in the list table are taken as source parameters. Users can also keep only the wanted entries to perform the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.6.3.2 Protocol

The Protocol traffic analysis of the Sub-Network attribute report provides information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). In total, the top 128 protocols are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the Into Sub-Network/Out of Sub-Network traffic for the protocol, and the value in the Sum column is the total amount of the Into Sub-Network and Out of Sub-Network traffic. Click on the Protocol sub menu of Attribute Report under the Report / Sub-Network menu to enter the Protocol Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Sub-Network for details. Except for the data listed in the Report Table, all other descriptions are the same. For Protocol reports, the Report Table displays the top N Protocols. In addition, the snapshot function is also provided for users to inspect the detailed information; for details, please refer to the Application section of Report/Sub-Network/Attribute Report.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.6.3.3 Protocol+Port

The Protocol+Port traffic analysis of the Sub-Network attribute report provides information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to protocol plus port number (service) for TCP and UDP (for ICMP, the traffic is aggregated according to the code and type of the ICMP). Each row of the Report Table displays the Into Sub-Network/Out of Sub-Network traffic for the protocol+port (service), and the value in the Sum column is the total amount of the Into Sub-Network and Out of Sub-Network traffic. The top 128 are stored in the database and the top N (N: default = 50) are displayed in the report.

In this report, users can obtain not only the traffic Into Sub-Network and Out of Sub-Network for the service (protocol+port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are two selectable items: Inside and Outside.

• “Inside” means the server is inside the entity (Home Network, Sub-Network…) and represents the data of Request of Ingress traffic or the data of Response of Egress traffic.
• “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic.

Click on the Protocol+Port sub menu of Attribute Report under the Report / Sub-Network menu to enter the Protocol+Port Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Sub-Network for details. Except for the data listed in the Report Table, all other descriptions are the same. For Protocol+Port reports, the Report Table displays the top N Protocol+Port (services). In addition, the snapshot function is also provided for users to inspect the detailed information; for details, please refer to the Application section of Report/Sub-Network/Attribute Report.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


7.6.3.4 TOS

The TOS traffic analysis of the Sub-Network attribute report provides information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to the 256 TOS values. Each row of the Report Table displays the Into Sub-Network/Out of Sub-Network traffic for the TOS, and the value in the Sum column is the total amount of the Into Sub-Network/Out of Sub-Network traffic. In total, the top 128 TOS are stored in the database and the top N (N: default = 25) are displayed in the report. Click on the TOS sub menu of Attribute Report under the Report / Sub-Network menu to enter the TOS Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Sub-Network for details. Except for the data listed in the Report Table, all other descriptions are the same. For TOS reports, the Report Table displays the top N TOSes. In addition, the snapshot function is also provided for users to inspect the detailed information; for details, please refer to the Application section of Report/Sub-Network/Attribute Report.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.6.3.5 Packet Size

The Packet Size traffic analysis of the Sub-Network attribute report provides information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to the packet size. The packet size is calculated by dividing the number of bytes by the number of packets. The packet size segments are: 1536. Click on the Packet Size sub menu of Attribute Report under the Report / Sub-Network menu to enter the Packet Size Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Sub-Network for details. Except for the data listed in the Report Table, all other descriptions are the same. For Packet Size reports, the Report Table displays all segments of Packet Size. In addition, the snapshot function is also provided for users to inspect the detailed information; for details, please refer to the Application section of Report/Sub-Network/Attribute Report.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


7.7 Server

The Server menu provides various built-in reports for traffic analysis within a server itself, between servers, between a server and other sub-networks, between a server and Neighbor ASes, and between a server and Countries. The traffic data of the Server report is collected from the Server boundaries defined in the system. There are three types of analysis reports for Server traffic: Summary Report, Breakdown Report, Attribute Report and TopN Report. The following sections introduce how to query the various Server traffic reports. When users click on the unfolding mark of Report / Server, all its sub menus are unfolded, including Summary Report, Breakdown Report, and Attribute Report.

7.7.1 Summary Report

The summary report of the Server traffic presents the traffic analysis of the server from two viewpoints: comparing the total traffic of each server-farm group, and analyzing the detailed traffic of the server hosts in the server-farm. With the Server summary report, users can briefly see not only the total traffic of each server but also the detailed traffic analysis for a server. When users click on the Summary Report sub menu of Report / Server, two sub menus are shown: Compare and Detail.

7.7.1.1 Compare

The Compare traffic analysis of the Server summary report provides information about the ingress/egress (Into Server/Out of Server) traffic for all server-farms, so that users can compare the differences against the total amount. The Top N Report Table displays all Server-farms. Click on the Compare sub menu of Summary Report under the Report / Server menu to enter the Compare Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Server-farm Group: All server-farms (default) and the defined server-farm groups (all server-farm groups defined in the Group menu of System Admin / Preferences are shown here).
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). When users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. When users choose this way, the Start Time drop-down list is unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report’s time interval, this drop-down list is unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second), pps (packets per second) and conn (connections in 5 minutes).

Note
1. A connection is a connected client-server IP pair where the client builds the connection with the server.
2. Only legal TCP protocol is supported for connection counting. Therefore, when a received TCP flow’s flags equal SYN only or SYN+ACK only, the IP pair will not be treated as a legal connection.

• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and is adjusted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the Server-farm and the lower part represents the traffic out of the Server-farm. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which server-farm traffic each band represents.)
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different colors of bars separately represent the Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts separately represent the Egress, Ingress, and Sum traffic statistics.

Report Table

This table displays the traffic analysis statistics for all server-farms configured in the system, or only for the specific server-farm selected from the drop-down list (in the Query Bar). There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so users can compare the traffic of different Server-farms clearly by unselecting Server-farms and leaving only those they want. An “All” check box lets users conveniently select all check boxes at once. Click on the “Submit” button (in the Query Bar) to refresh the screen for the selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.7.1.2 Detail

The Detail traffic analysis of the Server summary report provides information about the average/current/maximum traffic aggregated according to each server IP (Into Server-Farm and Out of Server-Farm) for a specific Server-farm. Click on the Detail sub menu of Summary Report under the Report / Server menu to enter the Detail Report window.


Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Server-farm Group: All server-farms (default) and the defined server-farm groups (all server-farm groups defined in the Group menu of System Admin / Preferences are shown here).
• Server-farm: every server-farm configured in the Server-farm group (the list changes according to the group selected in the Server-farm Group drop-down list).
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). When users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. When users choose this way, the Start Time drop-down list is unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report’s time interval, this drop-down list is unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second), pps (packets per second) and conn (connections in 5 minutes).

Note
1. A connection is a connected client-server IP pair where the client builds the connection with the server.
2. Only legal TCP protocol is supported for connection counting. Therefore, when a received TCP flow’s flags equal SYN only or SYN+ACK only, the IP pair will not be treated as a legal connection.

• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

It is a Stacked Chart. The X-coordinate represents time and is adjusted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the Server-farm and the lower part represents the traffic out of the Server-farm. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which server-farm traffic each band represents.)

Report Table

There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so users can clearly compare the traffic of different server hosts in the server-farm. An “All” check box lets users conveniently select all check boxes at once. Click on the “Submit” button (in the Query Bar) to refresh the screen for the selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
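The connection-counting rule in the Note on the conn unit above, applied to flow records, as an added example that is not GenieATM code. The manual does not say how the system decides which end is the client or how it treats a pair that has both excluded and other flows, so the example assumes the unordered IP pair as the key and counts a pair once per 5-minute bin if any of its TCP flows carries flags other than SYN only or SYN+ACK only; all flow records are constructed.

```python
"""Added example: counting 'conn' per 5-minute bin from flow records."""
from collections import defaultdict

TCP = 6                               # IP protocol number for TCP
SYN, ACK = 0x02, 0x10                 # TCP flag bits in a flow's cumulative flags field
BIN_SECONDS = 300                     # the unit is "connections in 5 minutes"
NOT_A_CONNECTION = {SYN, SYN | ACK}   # "SYN only" and "SYN+ACK only"

# Constructed flow records: (epoch_seconds, ip_protocol, src_ip, dst_ip, tcp_flags)
FLOWS = [
    (1000, 6, "198.51.100.7", "192.0.2.10", 0x1B),   # FIN|SYN|PSH|ACK: a completed exchange
    (1001, 6, "192.0.2.10", "198.51.100.7", 0x1B),   # reverse direction of the same pair
    (1010, 6, "203.0.113.5", "192.0.2.10", 0x02),    # SYN only: excluded by the Note
    (1011, 6, "192.0.2.10", "203.0.113.5", 0x12),    # SYN+ACK only: excluded by the Note
    (1020, 17, "203.0.113.9", "192.0.2.10", 0x00),   # UDP: only TCP is counted
    (1400, 6, "198.51.100.7", "192.0.2.10", 0x18),   # PSH|ACK in the next 5-minute bin
]


def bin_start(timestamp):
    """Start of the 5-minute bin that contains the timestamp."""
    return timestamp - timestamp % BIN_SECONDS


def tally(flows):
    """Return (legal, seen): per bin, the IP pairs that count and all TCP pairs observed."""
    legal = defaultdict(set)
    seen = defaultdict(set)
    for timestamp, protocol, src_ip, dst_ip, flags in flows:
        if protocol != TCP:
            continue
        # Assumption: the unordered pair stands in for the client-server pair.
        pair = frozenset((src_ip, dst_ip))
        start = bin_start(timestamp)
        seen[start].add(pair)
        if flags not in NOT_A_CONNECTION:
            legal[start].add(pair)
    return legal, seen


def count_connections(flows):
    """Number of legal connections (distinct IP pairs) in each 5-minute bin."""
    legal, _ = tally(flows)
    return {start: len(pairs) for start, pairs in sorted(legal.items())}


def excluded_pairs(flows):
    """TCP pairs seen in a bin only with SYN-only or SYN+ACK-only flows."""
    legal, seen = tally(flows)
    result = {}
    for start, pairs in sorted(seen.items()):
        leftover = pairs - legal.get(start, set())
        if leftover:
            result[start] = leftover
    return result


if __name__ == "__main__":
    print("conn per bin:", count_connections(FLOWS))
    for start, pairs in excluded_pairs(FLOWS).items():
        for pair in pairs:
            print("not counted in bin", start, sorted(pair))
```

Pairs that appear only in the excluded set never completed a handshake as far as the exporter saw, which is why a conn report can stay flat while bps and pps for the same server-farm rise.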

7.7.2 Breakdown Report

Unlike the macroscopic summary report, the breakdown report provides further analysis of specific kinds of traffic. The breakdown report of the Server traffic provides the traffic analysis between a server-farm and other network objects. There are four kinds of breakdown reports: Sub-Network, Neighbor ASN, Origin ASN, and Area. Since the number of sub-networks/Neighbor entities and IP addresses may be very large, the aggregated data is saved every 30 minutes. When users click on the unfolding mark of Breakdown Report under the Report / Server menu, all its sub menus are unfolded, including Sub-Network, Neighbor ASN, Origin ASN, and Area.

7.7.2.1 Sub-Network

The Sub-Network traffic analysis of the Server-farm breakdown report provides the traffic information between a specific server-farm and sub-networks. Each row of the Report Table displays the Into Server-farm, Out of Server-farm and sum traffic for one sub-network. The maximum number of sub-networks listed in the Report Table is 300. Click on the Sub-Network sub menu of Breakdown Report under the Report / Server menu to enter the Sub-Network Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:

• Server-farm Group: All server-farms (default) and the defined server-farm groups (all server-farm groups defined in the Group menu of System Admin / Preferences are shown here).
• Server-farm: every server-farm configured in the Server-farm group (the list changes according to the group selected in the Server-farm Group drop-down list).
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (see the description below for details). When users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, different from Time Range, to specify the report’s time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. When users choose this way, the Start Time drop-down list is unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report’s time interval, this drop-down list is unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and is adjusted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the server-farm and the lower part represents the traffic out of the server-farm from a specific sub-network. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which sub-network each band represents.)
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different colors of bars separately represent the Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts separately represent the Egress, Ingress, and Sum traffic statistics.

Report Table

There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so users can clearly compare the traffic of different sub-networks into/out of the Server-farm and leave only those they want. An “All” check box lets users conveniently select all check boxes at once. Click on the “Submit” button (in the Query Bar) to refresh the screen for the selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.7.2.2 Neighbor ASN

The Neighbor ASN traffic analysis of the Server breakdown report provides information about the traffic “through” each Neighbor AS (defined in the system) to/from a specific server-farm. The maximum number of Neighbor ASes listed in the Report Table is 128. Each row of the Report Table displays the ingress, egress and sum traffic for one Neighbor AS. Click on the Neighbor ASN sub menu of Breakdown Report under the Report / Server menu to enter the Neighbor ASN Report window.


Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Server for details. Except for the data listed in the Report Table, all other descriptions are the same. For Neighbor ASN breakdown reports, the Report Table displays the traffic between a specific server-farm and the Neighbor entities.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.7.2.3 Origin ASN

The Origin ASN traffic analysis of the Server breakdown report provides the top N listing of Origin AS traffic into/out of a specific server-farm. Because the number of Origin ASes may be large, only the top 128 ASNs are saved to the DB. The top N (N: default = 25) ASNs are displayed, one per row. Each row of the Report Table displays the ingress, egress and sum traffic for one Origin ASN. Click on the Origin ASN sub menu of Breakdown Report under the Report / Server menu to enter the Origin ASN Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Server for details. Except for the data listed in the Report Table, all other descriptions are the same. For Origin ASN reports, the Report Table displays the top N Origin ASNs.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.7.2.4 Area

An Area in the system, or a Country, is mapped by a group of IP addresses. The Area traffic analysis of the Server breakdown report provides the top N listing of the traffic of each Area (specified in the System Admin/Preference/Name Mapping function) into/out of a specific server-farm. The maximum number of areas listed in the Report Table is 128. Each row of the Report Table displays the ingress, egress and sum traffic for one area. Click on the Area sub menu of Breakdown Report under the Report / Server menu to enter the Area Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Server for details. Apart from the data listed in the Report Table, all other descriptions are the same. For Area reports, the Report Table displays the top N areas. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


7.7.3 Attribute Report

The attribute report provides analysis information about some common attributes. With common attribute reports, users can understand how their network resources are actually being used. There are five kinds of attribute report for Server traffic: Application, Protocol, Protocol+Port, TOS, and Packet Size. When users click on the unfolding mark of Attribute Report under the Report / Server menu, all its sub menus will be unfolded, including Application, Protocol, Protocol+Port, TOS, and Packet Size.

7.7.3.1 Application

The Application traffic analysis of the Server attribute report provides information about the ingress/egress (Into Server-farm/Out of Server-farm) traffic for a specific server-farm, aggregated according to the user-defined application groups on source and destination ports separately for the different traffic directions. Up to the top 128 applications are saved to the DB. The top N (N: default = 25) applications are displayed, one per row.

In this report, users can obtain not only the traffic Into Server-farm and Out of Server-farm for applications but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.)

A Service drop-down list is provided for users to select the traffic direction. Two items are selectable: Inside and Outside. “Inside” means the server is inside the entity (Home Network, Sub-Network, Server-farm…) and represents the data of Request of Ingress traffic or the data of Response of Egress traffic. “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic.

Click on the Application sub menu of Attribute Report under the Report / Server menu to enter the Application Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Server for details. Apart from the data listed in the Report Table, all other descriptions are the same. For Application reports, the Report Table displays the top N Applications. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.7.3.2 Protocol

The Protocol traffic analysis of the Server attribute report provides information about the ingress/egress (Into Server-farm/Out of Server-farm) traffic for a specific server-farm, aggregated according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). In total, the top 128 protocols are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the Into Server-farm/Out of Server-farm traffic for one protocol, and the value in the Sum column is the total of the Into Server-farm and Out of Server-farm traffic. Click on the Protocol sub menu of Attribute Report under the Report / Server menu to enter the Protocol Report window.


Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Server for details. Apart from the data listed in the Report Table, all other descriptions are the same. For Protocol reports, the Report Table displays the top N Protocols. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.7.3.3 Protocol/Port

The Protocol/Port traffic analysis of the Server attribute report provides information about the ingress/egress (Into Server-Farm/Out of Server-Farm) traffic for a specific server-farm, aggregated according to protocol plus port number (service) for TCP and UDP (for ICMP, the traffic is aggregated according to the ICMP code and type). Each row of the Report Table displays the Into Server-farm/Out of Server-farm traffic for one protocol/port (service), and the value in the Sum column is the total of the Into Server-farm and Out of Server-farm traffic. The top 128 are stored in the database and the top N (N: default = 50) are displayed in the report.

In this report, users can obtain not only the traffic Into Server-farm and Out of Server-farm for the service (protocol/port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.)

A Service drop-down list is provided for users to select the traffic direction. Two items are selectable: Inside and Outside. “Inside” means the server is inside the entity (Home Network, Sub-Network, Server-farm…) and represents the data of Request of Ingress traffic or the data of Response of Egress traffic. “Outside” means the server is outside the entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic.

Click on the Protocol/Port sub menu of Attribute Report under the Report / Server menu to enter the Protocol/Port Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Server for details. Apart from the data listed in the Report Table, all other descriptions are the same. For Protocol+Port reports, the Report Table displays the top N Protocol+Port. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
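The Inside/Outside service selection described for the Application and Protocol/Port reports can be worked through on a few flow records. The Python sketch below is an added example, not GenieATM code: the server-farm prefix, the application port table, the flow tuples, and the function names `classify` and `top_n` are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed configuration (constructed for this example).
SERVER_FARM = ipaddress.ip_network("192.0.2.0/24")
# User-defined application groups keyed by (IP protocol number, server port).
APPLICATIONS = {(6, 80): "HTTP", (6, 443): "HTTPS", (17, 53): "DNS", (6, 25): "SMTP"}
STORED_LIMIT = 128  # the manual states that up to the top 128 entries are stored

# Constructed flow records: (src_ip, dst_ip, protocol, src_port, dst_port, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 6, 51000, 443, 1200),   # client request to farm server
    ("192.0.2.10", "198.51.100.7", 6, 443, 51000, 48000),  # farm server response
    ("192.0.2.20", "203.0.113.5", 17, 40000, 53, 90),      # farm host queries external DNS
    ("203.0.113.5", "192.0.2.20", 17, 53, 40000, 310),     # external DNS response
    ("198.51.100.9", "192.0.2.11", 6, 52000, 80, 700),     # client request to farm server
    ("192.0.2.11", "198.51.100.9", 6, 80, 52000, 9000),    # farm server response
    ("192.0.2.30", "203.0.113.25", 6, 45000, 25, 5000),    # farm host sends mail outward
    ("192.0.2.10", "192.0.2.11", 6, 50000, 80, 100),       # stays inside the farm
]


def classify(flow):
    """Return (service, application, direction, bytes), or None if not reportable."""
    src, dst, proto, sport, dport, nbytes = flow
    src_in = ipaddress.ip_address(src) in SERVER_FARM
    dst_in = ipaddress.ip_address(dst) in SERVER_FARM
    if src_in == dst_in:
        return None  # neither into nor out of the server-farm
    direction = "ingress" if dst_in else "egress"

    # The side whose port matches an application group is treated as the server.
    # Destination port is checked first; if both ports match, this is a guess.
    if (proto, dport) in APPLICATIONS:
        role, app = "request", APPLICATIONS[(proto, dport)]
    elif (proto, sport) in APPLICATIONS:
        role, app = "response", APPLICATIONS[(proto, sport)]
    else:
        return None

    # Inside  = Request of Ingress or Response of Egress (server is in the farm).
    # Outside = Response of Ingress or Request of Egress (server is elsewhere).
    inside = (direction, role) in {("ingress", "request"), ("egress", "response")}
    return ("Inside" if inside else "Outside", app, direction, nbytes)


def top_n(flows, service, n=25):
    """Aggregate bytes per application for one Service selection, sorted by sum."""
    totals = defaultdict(lambda: {"ingress": 0, "egress": 0})
    for flow in flows:
        result = classify(flow)
        if result is None or result[0] != service:
            continue
        _, app, direction, nbytes = result
        totals[app][direction] += nbytes
    rows = [(app, t["ingress"], t["egress"], t["ingress"] + t["egress"])
            for app, t in totals.items()]
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows[:min(n, STORED_LIMIT)]


if __name__ == "__main__":
    for service in ("Inside", "Outside"):
        print(service)
        for app, ingress, egress, total in top_n(SAMPLE_FLOWS, service):
            print(f"  {app:6} ingress={ingress:6} egress={egress:6} sum={total:6}")
```

In the sample, the Outside view is where server-farm hosts show up acting as clients (the outbound SMTP and DNS rows), which is the view to check when reviewing what a server-farm itself connects to.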

7.7.3.4 TOS

The TOS traffic analysis of the Server attribute report provides information about the ingress/egress (Into Server-farm/Out of Server-farm) traffic for a specific server-farm, aggregated according to the 256 TOS values. Each row of the Report Table displays the Into Server-farm/Out of Server-farm traffic for one TOS, and the value in the Sum column is the total of the Into Server-farm/Out of Server-farm traffic. In total, the top 128 TOS values are stored in the database and the top N (N: default = 25) are displayed in the report. Click on the TOS sub menu of Attribute Report under the Report / Server menu to enter the TOS Report window.


Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Server for details. Apart from the data listed in the Report Table, all other descriptions are the same. For TOS reports, the Report Table displays the top N TOSes. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.7.3.5 Packet Size

The Packet Size traffic analysis of the Server attribute report provides information about the ingress/egress (Into Server-farm/Out of Server-farm) traffic for a specific server-farm, aggregated according to the packet size. The packet size is calculated by dividing the number of bytes by the number of packets. The packet size segments are: 1536. Click on the Packet Size sub menu of Attribute Report under the Report / Server menu to enter the Packet Size Report window.

Report Descriptions

There are three parts in the Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of Report / Server for details. Apart from the data listed in the Report Table, all other descriptions are the same. For Packet Size reports, the Report Table displays the Packet Size distribution. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.7.4 TopN Report

The TopN traffic analysis of the Server report provides the top N listing for the traffic according to the TopN Report Template. Because the amount of data may be large, only the top 256 entries are saved to the DB. The top N (N: default = 64) aggregation keys are displayed, one per row. Each row of the Report Table displays Into Server-farm, Out of Server-farm and sum traffic for the paired entries. Click on the TopN Report sub menu under the Report / Server menu to enter the TopN Report window.

Report Descriptions

There are three parts in the TopN Report window: Query Bar, Report Chart and Report Table.

Query Bar

This part is located on the top of the screen and contains the condition options below:

• Server-farm Group: All server-farms (default) and the defined server-farm groups (all server-farm groups defined in the Group menu of System Admin / Preferences will be shown here).
• Server-farm: every server-farm configured in the Server-farm group (the list changes according to the group selected in the Server-farm Group drop-down list).
• TopN Report: every TopN report configured in the server-farm (the TopN reports of a server-farm are defined in the System Admin/Network/Server function).
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is an alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided, with the end time specified from the Until drop-down list. If users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: there are three output formats for selection: Show on Web, Download Graph CSV, and Download XML file.
• Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and changes according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into the server-farm and the lower part represents the traffic out of the server-farm. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which TopN entries they are.)
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different bar colors are used to separately represent Egress, Ingress, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Egress, Ingress, and Sum traffic statistics.

Report Table

There are four tabs at the top right corner of the table: Average, Current, Maximum and Usage.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
• Usage: the usage values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so users can clearly compare the aggregated traffic of different entries into/out of the Server-farm and keep those they want. An “All” check box is provided to select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, Maximum and Usage tables into different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


7.8 Rule-based Report

The Rule-based Report menu provides traffic analysis reports for the rule-based Filters which are configured in the system based on users’ definitions. The system provides not only the Compare report, which compares the Filters within the same Filter group, but also the Detail report, which presents detailed traffic information for a Filter. In addition, a TopN report analyzed from a Filter’s traffic flow is also provided. There are two types of analysis reports for Filter traffic: Summary Report and TopN Report. The following sections introduce how to query the various Rule-based traffic reports. When users click on the unfolding mark of Report / Rule-based Report, all its sub menus will be unfolded, including Summary Report and TopN Report.

7.8.1 Summary Report

The summary report of the Rule-based Filter traffic presents the traffic analysis of Filters from two viewpoints: comparing the total traffic of each Filter within a Filter group, and analyzing the detailed traffic of one Filter. With the Rule-based Summary report, users can see at a glance not only the total traffic of each Filter but also the detailed traffic analysis for each Filter. When users click on the Summary Report sub menu of Report / Rule-based Report, two sub menus will be shown: Compare and Detail.

7.8.1.1 Compare

The Compare traffic analysis of the Rule-based Summary report provides users with information about the original direction/opposite direction (Filter/Opposite) traffic for each Filter, so that the differences can be compared with the total amount. The Top N Report Table displays all filters (N: maximum = 1024). Click on the Compare sub menu of Summary Report under the Report / Rule-based Report menu to enter the Compare Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located on the top of the screen and contains the condition options below:

• Filter Group: the defined Filter groups (all Filter groups defined in the Group menu of System Admin / Network / Preferences will be shown here, except the default All Filters group).
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is an alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided, with the end time specified from the Until drop-down list. If users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second), pps (packet per second), and fps (flow per second).
• Output: users can view the report on the web or download it as a CSV or XML file by selecting “Show on Web”, “Download Graph CSV”, or “Download XML file” from the drop-down list.
• Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and changes according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the total traffic of the Filter’s original direction and the lower part represents the total traffic of the Filter’s opposite direction. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which Filter they are.)
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different bar colors are used to separately represent Filter, Opposite, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Filter, Opposite, and Sum traffic statistics.

Report Table

This table displays the traffic analysis statistics for all Filters configured in the group selected in the Filter Group drop-down list (in the Query Bar). There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so users can clearly compare the traffic of different Filters by unselecting some Filters and keeping those they want. An “All” check box is provided to select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

7.8.1.2 Detail

The Detail traffic analysis of Rule-based Summary report presents the traffic analyses of each Filter’s original and opposite directions for a specific time interval. With this report, users can know the ingress/egress traffic of each Filter displayed by bps, pps, and fps. Click on the Detail sub menu of Summary Report under the Report / Rule-based Report menu to enter the Detail Report window.


Report Descriptions

There are two parts in the Detail Report window: Query Bar and Report Chart.

Query Bar

This part is located on the top of the screen and contains the condition options below:

• Filter Group: the defined Filter groups (all Filter groups defined in the Group menu of System Admin / Network / Preferences will be shown here).
• Filter: every Filter configured in the Filter group (the list changes according to the group selected in the Filter Group drop-down list).
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is an alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided, with the end time specified from the Until drop-down list. If users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Output: users can view the report on the web or download it as a PDF, CSV, or XML file by selecting “Show on Web”, “Download PDF file”, “Download Graph CSV”, or “Download XML file” from the drop-down list.
• Report Type: two kinds of output report type are provided: Standard and Trend. The default setting is “standard”. Note that the Trend report is not available for the Daily report.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Standard Report Chart. Three line charts are displayed here: bps, pps, and fps. The X-coordinate represents time and changes according to the time interval selected by users. The Y-coordinate represents the calculation unit of the traffic. The data is divided into two parts by the X-axis. The upper part represents the total traffic of the Filter’s original direction and the lower part represents the total traffic of the Filter’s opposite direction. In the chart, the average, maximum, and current traffic values are indicated. The colored objects below the chart indicate which traffic direction they are.
• Trend Report Chart. This chart uses historical flow data to generate the average trend line for a specific time period in the past. The trend line can help users to identify the potential traffic amount in the near future.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


7.8.2 TopN Report

The Rule-based TopN Report presents the TopN analyses and reports which use the defined Filters as analysis criteria. Three types of aggregation keys are provided (Source, Destination, and Directionless) and over ten kinds of aggregation methods are available to select (IP, Protocol, Application, Interface…etc.). Up to the top 256 top-N objects are stored in the DB and the top N (N: 16, 32, 64, 128, or 256) are displayed in the report. With this report, users can easily and quickly obtain the top-N origins and targets of the analyzed traffic. Click on the TopN Report sub menu of the Report / Rule-based Report menu to enter the TopN Report window. The system will display various analysis reports and statistics according to the selected TopN Report, traffic unit, and time interval.

Report Descriptions

There are three parts in the TopN Report window: Query Bar, and Report Chart.

Query Bar

This part is located on the top of the screen and contains the condition options below:

• Filter Group: the defined Filter groups (all Filter groups defined in the Group menu of System Admin / Network / Preferences will be shown here).
• Filter: every Filter configured in the Filter group (the list changes according to the group selected in the Filter Group drop-down list).
• TopN Report: every enabled TopN report configured in the selected Filter.
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is an alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided, with the end time specified from the Until drop-down list. If users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second), and pps (packet per second).
• Output: users can view the report on the web or download it as a CSV or XML file by selecting “Show on Web”, “Download Graph CSV”, or “Download XML file” from the drop-down list.
• Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Submit: after setting the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and changes according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the original direction’s total traffic of the sorted top-N objects and the lower part represents the opposite direction’s total traffic of the sorted top-N objects. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which sorted top-N object they are.)
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different bar colors are used to separately represent Filter, Opposite, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Filter, Opposite, and Sum traffic statistics.

Report Table

This table displays the traffic analysis statistics for all TopN reports configured in the Filter selected in the Filter drop-down list (in the Query Bar). There are tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
• Usage: the percentage of the usage during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so users can clearly compare the traffic of different sorted top-N objects by unselecting some objects and keeping those they want. An “All” check box is provided to select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


8 MSP Customer

The MSP Customer menu includes the sub functions Anomaly Console and Report; users can click on the unfolding mark of MSP Customer to show them. This function is shown only when the system supports the MSP module (a value-added function). Please refer to the following sections for detailed descriptions.

8.1 Anomaly Console

The Anomaly Console function of MSP Customer provides various reports of anomaly events. It allows users to list the detected anomaly events through several search filters, provides summary and detailed traffic characteristics for each detected anomaly event, and can generate appropriate ACL (Access Control List) commands as suggestions for network operators as well as snapshots for advanced traffic inspection. After clicking the Anomaly Console sub menu of MSP Customer, users will enter the Anomaly Console window (see Figure 8.1-1). The following sections introduce how to use the Anomaly Console function to query anomaly events and read the related reports.

Figure 8.1-1 MSP Customer -- The Anomaly Console Window

List Table Description
• NO.: a sequence number given by the system to control the listing.
• ID: an identification number assigned by the system to recognize anomaly events.
• CHK: a check box that helps users keep track of the anomaly events that have already been looked over. Click on the check box at the front of the row to mark the anomaly event as checked.
• MSP Server: lists the name of the MSP Server that is specified in the System Admin/Device/MSP server function.
• Severity: three pieces of information are shown in this field. First, the severity degree of the anomaly (Yellow/Red); next, the detected traffic rate at which the event was assigned that severity degree; finally, the event threshold value configured for this anomaly event.
• Status: the status of an anomaly event, which can be ongoing, recovered, obsolete or checked.
• Start Time/End Time: the beginning time/close time of an anomaly event. The display format is “mm-dd hh:mm” (e.g. 08-26 16:03). If an anomaly event has not recovered, no end time is shown.


• Duration: the time period that an anomaly event lasts. The display format is “00 hours / 00 mins / 00 secs” (e.g. 27 hours / 37 mins / 42 secs).
• Direction: the traffic direction of an anomaly event.
• Type: a category plus an anomaly type, together with the monitored traffic statistic object (e.g. Traffic Anomaly by bps / Protocol-Misuse with TCP SYN Flooding by pps / Application with Code Red by pps).
• Resource: the detection scope of a detected anomaly event and its related information. For Traffic anomalies, only the resource type and the resource name of the detection scope are shown. For Protocol-Misuse and Application anomalies, the anomaly type, the resource name, and the event-triggered host IP address are shown.

Querying Anomaly Events & Reading Summary/Detail Anomaly Report
Specify one or more of the filters below from the drop-down lists to search for the anomaly events you want to query, and then click on the “Go” button.
• Resource Type: lists the resource name in the field. Note: a field appears to the right for you to select the specific entity, and a “…” button is available to browse.
• Category: defines a specific kind of anomaly event. This search filter changes according to the resource type selected.
• Anomaly Type: select the type from the drop-down list; the default value is “All”.
• Traffic Direction: selects a specific traffic direction of anomaly events from the drop-down list.
• Minimum Severity: specifies the minimum severity degree of anomaly events. For example, when Yellow is selected, all events with Yellow or Red severity level will be shown.
• Anomaly Status: defines the status of anomaly events from the drop-down list.
• Victim/Infect IP: lists all anomaly events with/within a specific victim or infected IP address/range. Please input an IP address or a range in CIDR format (e.g. 192.168.10.0/25).
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Time Period (please see the description below for details). If users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Time Period: daily, weekly, monthly, and quarterly. This is another way, different from Time Range, to specify the report’s time interval. In this way, fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.


Action Buttons Description
1. Page-control buttons are above the configuration view list:
• “ | ” button: to go to the next page.
• “ >| ” button: to go to the end page.
• The Page drop-down list: to go to a specific page selected from the drop-down list. The numerator represents the page you are going to list and the denominator represents the total pages.
2. An “Anomaly ID” searching function is provided. It is located next to the Page-control buttons and above the configuration view list. Users can input the ID of the anomaly in the Anomaly ID blank and then press the “View” button to quickly find a specific anomaly among the many listed anomalies. The Summary Anomaly Report of the searched anomaly will pop up. Please refer to the following step, Descriptions of Summary Anomaly Report, for details.
3. A “Rows per Page” drop-down list is provided to control the number of entries displayed per page of the Anomaly Console view list. There are five options to select: 10, 15, 20, 25, and 30. The number “10” with an asterisk is the default value.

Descriptions of Summary Anomaly Report
Click on an ID number in the ID column to read the summary report of the clicked anomaly event. A window titled Summary Anomaly Report will pop up after the click (as shown in Figure 8.1-2). Note: a summary anomaly report whose Category field is “Traffic” has no information in the Traffic Characteristics and Network Elements fields.

Figure 8.1-2 MSP Customer/Anomaly Console -- the Summary Anomaly Report of the Anomaly Event


Anomaly Event Brief
This part is in the upper area of the screen. It shows brief information about the clicked anomaly event. There are four buttons located at the upper right corner and a Cripple Attack check box at the upper left corner of the screen:
• “View Raw Flow”: this button is used to view all raw flows of the clicked anomaly event received from routers. Once users click on this button, an “Anomaly Raw Flow” pop-up window will show and display raw flows for all routers. Users can use the “Download” button to download the raw flow file to a desired storage location.
• “Forced Obsolete”: this button is used to obsolete an anomaly event when users consider the event not worth tracing for some exceptional reason. Once users click on this button, the anomaly event will be obsolete. If the traffic detection related to this anomaly is still ongoing and the detected traffic is larger than the anomaly threshold, a new anomaly event will be created, since the original one has been made obsolete.
• “Details”: this button is used to display the detail report of the clicked anomaly event. Once users click on this button, they will enter the Detail Anomaly Report window. Please refer to “The descriptions of Detail Report” below for the detail anomaly report.
• “Cancel”: clicking on this button closes the Detail Anomaly Report pop-up window.
• “Cripple Attack”: this check box is used to manually disable the clicked anomaly event. Once users check this check box, the system will count this event’s traffic in the calculation of the traffic baseline. This function applies only to tickets triggered by the auto-learning baseline.

Traffic Line Chart
A traffic line chart with a timer controller is provided for users to query the traffic statistics of the monitored anomaly event for a specific time period. Select the start time (year/month/date/hour/minute) and the duration (hour) from the drop-down lists, and then click on the “Go” button to submit the query. The default start time in this time controller is the start time of the queried anomaly event.

Remarks
The Remarks column is used to record additional information relevant to the anomaly event. Up to 800 characters are available. The “Update” button becomes clickable after any characters are entered.

Traffic Characteristics
This part displays the latest top N traffic analysis statistics of the traffic characteristics items of the queried anomaly event, by bps and pps. Certain formulas are used to determine the N value. Different Traffic Characteristics items are displayed for different anomaly types.

Network Elements
This part displays the latest Top N routers with input-interface and routers with output-interface which are most impacted by the traffic of the queried anomaly event. The Top N analysis statistics are provided in bps and pps units.

The descriptions of Detail Report
Click on the “Details” button to read the detail report of the clicked anomaly event. Please see Figure 8.1-3 and its descriptions below.

Figure 8.1-3 The Detail Anomaly Report of Anomaly Console

Anomaly Event Brief
This part is the same as the Anomaly Event Brief in the Summary Anomaly Report described above. There are two buttons located at the upper right corner of the screen:
• “Back”: clicking on this button goes back to the Summary Anomaly Report window.
• “Cancel”: clicking on this button closes the pop-up window.

Traffic Line Chart
In this chart, GenieATM combines the traffic statistics from the routers that have traffic detection enabled for the queried MSP Customer. Therefore, more than one traffic line may be displayed here. Users can compare the traffic of this Sub-Network across multiple routers. The color marks indicate which router the traffic comes from. In addition, a traffic line chart with a timer controller is provided for users to query the traffic statistics of the monitored anomaly event for a specific time period. Select the start time (year/month/date/hour/minute) and the duration (hour) from the drop-down lists, and then click on the “Go” button to submit the query. The default start time in this time controller is the start time of the queried anomaly event.

Traffic Characteristics
The system provides view points for users to understand the evolution of the selected anomaly event in terms of its traffic characteristics at different time points (sorted per minute).

In addition, the Detail Anomaly Report window also provides two functions that allow users to link to the Snapshot with the provided anomaly traffic characteristics and to view the ACL commands generated by the system. These two functions are implemented by the “Snapshot” and “Generate ACL” buttons. Please follow the steps below:

Linking to the Snapshot
1. Decide on one or more analyzed traffic characteristics as the snapshot analysis criteria and check the Lock check boxes (at the end of the rows) of the chosen traffic characteristics.
2. Click on the “Snapshot” button. A Snapshot window with the analysis criteria you checked will pop up after the click. The snapshot scope of this page will be locked to the Customer entity of the queried anomaly event. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot section in the GenieATM User Manual.

Generating ACL Commands
1. Decide on one or more traffic characteristics as the target that you want to lock and check the Lock check boxes (at the end of the rows) of the chosen traffic characteristics.
2. Click on the “Generate ACL” button. An ACL Generate Tool window will pop up after the click. The Configuration part in this window shows the traffic characteristics you checked in the previous step. It also allows you to tune them manually here before populating the ACL commands.
3. Click on the “Update” button in the ACL Generate Tool window to generate the ACL commands. After you press the button, the system generates appropriate ACL commands according to the traffic characteristics you selected and shows the commands in the Result text box. A Router Type drop-down list is provided to meet the different ACL command needs of different router brands (Cisco / Juniper / Foundry). With different router types selected, the system generates different ACL commands for users. Note that TCP Flag is only available for the Cisco router type.
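The following is an added example, not GenieATM's ACL Generate Tool or its output: it shows how a set of locked traffic characteristics maps to a deny rule in Cisco IOS extended-ACL syntax and in Junos "set" firewall-filter syntax, and which checks are worth making before a generated rule is applied to a router. The LockedCharacteristics model, the ACL number 150, the filter and term names, and the sample addresses are assumptions constructed for illustration; the Foundry router type is not covered.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass
class LockedCharacteristics:
    """Traffic characteristics an operator locked for one anomaly (hypothetical model)."""
    protocol: str                    # "ip", "tcp", "udp" or "icmp"
    src: str = "0.0.0.0/0"           # source prefix, CIDR
    dst: str = "0.0.0.0/0"           # destination (victim) prefix, CIDR
    dst_port: Optional[int] = None
    tcp_flag: Optional[str] = None   # the page says TCP Flag is Cisco-only


def validate(c: LockedCharacteristics):
    """Reject inputs that would yield a malformed or dangerously broad rule."""
    if c.protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {c.protocol}")
    # strict=True rejects prefixes with host bits set, e.g. 192.168.10.5/25
    src = ipaddress.IPv4Network(c.src, strict=True)
    dst = ipaddress.IPv4Network(c.dst, strict=True)
    if c.dst_port is not None:
        if c.protocol not in ("tcp", "udp"):
            raise ValueError("a port only makes sense with tcp or udp")
        if not 1 <= c.dst_port <= 65535:
            raise ValueError("port out of range")
    if c.tcp_flag is not None and (c.protocol != "tcp" or c.tcp_flag not in TCP_FLAGS):
        raise ValueError("tcp_flag requires protocol tcp and a known flag")
    if src.prefixlen == 0 and dst.prefixlen == 0:
        # any -> any would drop traffic for every customer behind the router
        raise ValueError("narrow the source or the destination before denying")
    return src, dst


def _cisco_addr(net: ipaddress.IPv4Network) -> str:
    """Render a prefix as IOS 'any', 'host A.B.C.D' or 'address wildcard'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render(c: LockedCharacteristics, router_type: str, acl_number: int = 150,
           filter_name: str = "ANOMALY-FILTER") -> Tuple[List[str], List[str]]:
    """Return (commands, warnings) for the chosen router type."""
    src, dst = validate(c)
    warnings: List[str] = []
    if router_type == "cisco":
        # numbered extended ACLs use 100-199 or 2000-2699
        if not (100 <= acl_number <= 199 or 2000 <= acl_number <= 2699):
            raise ValueError("not an extended ACL number")
        rule = f"access-list {acl_number} deny {c.protocol} {_cisco_addr(src)} {_cisco_addr(dst)}"
        if c.dst_port is not None:
            rule += f" eq {c.dst_port}"
        if c.tcp_flag:
            rule += f" {c.tcp_flag}"
        # without this line the implicit deny at the end drops everything else
        return [rule, f"access-list {acl_number} permit ip any any"], warnings
    if router_type == "juniper":
        base = f"set firewall family inet filter {filter_name} term"
        cmds: List[str] = []
        if src.prefixlen:
            cmds.append(f"{base} BLOCK from source-address {src}")
        if dst.prefixlen:
            cmds.append(f"{base} BLOCK from destination-address {dst}")
        if c.protocol != "ip":
            cmds.append(f"{base} BLOCK from protocol {c.protocol}")
        if c.dst_port is not None:
            cmds.append(f"{base} BLOCK from destination-port {c.dst_port}")
        if c.tcp_flag:
            # mirrors the page's note: the flag is dropped, so the rule is broader
            warnings.append(f"tcp flag '{c.tcp_flag}' not rendered; rule matches all "
                            f"{c.protocol} packets to the selected destination/port")
        cmds.append(f"{base} BLOCK then discard")
        cmds.append(f"{base} ALLOW-REST then accept")  # filters also end in implicit discard
        return cmds, warnings
    raise ValueError(f"router type not covered by this example: {router_type}")


if __name__ == "__main__":
    # Constructed sample: SYN flood from one documentation prefix to one web server
    sample = LockedCharacteristics("tcp", "198.51.100.0/24", "203.0.113.10/32", 80, "syn")
    for rtype in ("cisco", "juniper"):
        commands, notes = render(sample, rtype)
        print(f"--- {rtype} ---", *commands, *[f"WARNING: {n}" for n in notes], sep="\n")
```

Comparing the two outputs for the same input shows why a rule generated for a router type without TCP Flag support deserves a second look: it blocks legitimate established sessions to the victim as well as the flood.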


8.2 Report

All pre-defined (built-in) and rule-based reports of MSP Customer entities are aggregated into the Report sub menu of MSP Customer for convenience. The Traffic, Boundary Traffic, Top Talker, Attribute Report, and TopN Report sub menus will be displayed when users click on the unfolding mark of Report under the MSP Customer main menu.

8.2.1 Traffic

The Traffic report of MSP Customer presents the traffic analysis for every MSP Customer entity configured in the system. With this report, users can see the ingress/egress traffic of each MSP Customer entity in bps and pps. Click on the Traffic sub menu of MSP Customer/Report to enter the Traffic Report window. The system will display various analysis reports for MSP Customer traffic according to the selected MSP Customer entity and time interval.

Report Descriptions
There are two parts in the Traffic Report window: Query Bar and Report Chart.

Query Bar
This part is located at the top of the screen and contains the condition options below:
• MSP Customer: lists all MSP Customer entities configured in the system. Note: a “…” button is available to browse all listed entries.
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). If users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Output: users can view the report on the web or download it in PDF format by selecting “Show on Web” or “Download PDF File” from the drop-down list.
• Report Type: the Standard report is provided.
• Submit: after finishing the query conditions, click on this button to submit the query.


Report Chart
Standard Report Chart. There are two line charts displayed here: bps and pps. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents the calculation unit of the traffic. The upper part represents the traffic into the selected MSP Customer entity and the lower part represents the traffic out of the selected MSP Customer entity. In the chart, the average and maximum traffic values are indicated. The colored objects below the chart indicate which traffic direction each line is.

Operation Procedure to Query Reports
1. Select an MSP Customer entity from the MSP Customer drop-down list or through the “Browse” button.
2. Select “Time Range” or “Period” to specify the report’s time interval.
3. Specify the start/end date and time from the From/Until drop-down lists.
4. Choose “Show on web” or “Download PDF file” from the drop-down list to view.
5. Click on the “Submit” button to refresh the screen and generate your report.

8.2.2 Boundary Traffic

The Boundary Traffic analysis report provides the information about the average/current/maximum traffic aggregated according to defined elements for a specific MSP server. Click on the Boundary Traffic under the MSP Customer/Report menu to enter the Boundary Traffic Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the condition options below:
• MSP Customer: lists every MSP customer configured in the MSP Customer menu of the System Admin/Network function.
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). If users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.


Report Chart
This report is presented as a line chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. In the chart, each line represents one kind of traffic and its data matches the data listed in the Report Table. (The colored objects next to the check boxes indicate what traffic each line is.)

Report Table
This table displays the traffic analysis statistics for all routers bound to the MSP Customer when you select a specific MSP customer in the drop-down list (in the Query Bar) to view. There are tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab marks the page currently displayed. Checking the check box at the front of a row draws that traffic in the Report Chart, so users can clearly compare the traffic of different bound routers. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets. Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.

8.2.3 Top Talker

The Top Talker traffic analysis of the MSP Customer breakdown report provides the top N listing for the traffic of IP addresses from/to the MSP Customer. Because the number of IP addresses may be large, only the top 128 IP addresses are saved to the DB. The top N (N: default = 25) IP addresses are displayed, one per row. Each row of the Report Table displays the ingress, egress and sum traffic for one IP address. Click on the Top Talker sub menu under MSP Customer/Report to enter the Top Talker Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the condition options below:
• MSP Customer: lists all MSP Customer entities configured in the system.
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). If users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “Stacked Chart”.
• Talker: two directions of Talker are provided: Inside and Outside. Inside indicates the Top Talker report listing the hosts within the MSP Customer network. Outside shows the Top Listener report as a top N listing of the outside hosts which are most visited by the MSP Customer network.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart
• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into the MSP entity and the lower part represents the traffic out of the MSP entity. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which Talker each band is.)
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different bar colors are used to separately represent Ingress, Egress, and Sum traffic statistics.
• Pie Chart. Three pie charts are presented to separately represent Ingress, Egress, and Sum traffic statistics.

Report Table
There are four tabs at the top right corner of the table: Average, Current, Maximum, and Usage.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.
• Usage: the usage values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab marks the page currently displayed. Checking the check box at the front of a row draws that traffic in the Report Chart, so users can compare different traffic clearly. An “All” check box lets users select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, Maximum and Usage tables into different worksheets. Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.

8.2.4 Attribute Report

The attribute report of MSP Customers provides analysis information about some common attributes. With common attribute reports, users can really understand how their network resources are actually being used. The attribute report of the MSP Customers traffic has three kinds: Application, Protocol, Protocol/Port, TOS, and Packet Size. When users click on the unfolding mark of Attribute Report under the MSP Customer/Report main menu, all its sub menus will be unfolded, including Application, Protocol, Protocol/Port, TOS, and Packet Size.


8.2.4.1 Application

The Application traffic analysis of the MSP Customers attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic for a specific MSP Customer entity, aggregated according to the user-defined application groups on source and destination ports separately for the different traffic directions. Up to the top 128 applications are saved to the DB. The top N (N: default = 25) applications are displayed, one per row. In this report, users can obtain not only the traffic Into MSP Customer and Out of MSP Customer for applications but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are two selectable items, Inside and Outside. “Inside” means the server is inside the MSP Customer entity and represents the data of Request of Ingress traffic or the data of Response of Egress traffic. “Outside” means the server is outside the MSP Customer entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic. Click on the Application sub menu of Attribute Report under the MSP Customer/Report main menu to enter the Application Report window.

Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar
This part is located at the top of the screen and contains the condition options below:
• MSP Customer: lists all MSP Customer entities configured in the system.
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: one is Time Range and the other is Period (please see the description below for details). If users choose this way, please specify the start time and end time of the analysis report from the “Start Time” and “Until” drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the “Until” drop-down list. If users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• Service: specifies the traffic direction, Inside or Outside.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic into the MSP Customer entity and the lower part represents the traffic out of the MSP Customer entity. In the chart, each stacked band represents one kind of traffic and it is additive; that is to say, the outer edge of all stacked bands represents the total traffic of all bands. (The objects with colors next to the check boxes indicate which application they are.)
• Bar Chart. Bar Chart is presented with horizontal bars, and three different colors of bars are used to separately represent Ingress, Egress, and Sum traffic statistics.
• Pie Chart. There are three pie charts presented to separately represent Ingress, Egress, and Sum traffic statistics.

Report Table

There are tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so users can compare the traffic of different applications clearly by unselecting some applications and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.

8.2.4.2 Protocol

The Protocol traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic for a specific MSP Customer entity, aggregated according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). In total, the top 50 protocols will be stored in the database and the top N (N: default = 25) will be displayed in the report. Each row of the Report Table will display the Into Customer/Out of Customer traffic for the protocol, and the value in the Sum column is the total amount of the Into Customer and Out of Customer traffic.

Click on the Protocol sub menu of Attribute Report under the MSP Customer to enter the Protocol Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report under the MSP Customer/Report main menu for details. Except that the data listed in the Report Table is different, all other descriptions are the same. For Protocol reports, the Report Table will display the top N Protocols.

Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report function for details.

8.2.4.3 Protocol/Port

The Protocol/Port traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic for a specific MSP Customer entity, aggregated according to protocol plus port number (service). Each row of the Report Table will display the Into Customer/Out of Customer traffic for the Protocol/Port (service), and the value in the Sum column is the total amount of the Into Customer and Out of Customer traffic. The top 128 will be stored in the database and the top N (N: default = 25) will be displayed in the report.

In this report, users can obtain not only the traffic Into MSP Customer and Out of MSP Customer for the service (Protocol/Port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.)

A Service drop-down list is provided for users to select the traffic direction. There are two selectable items, Inside and Outside. “Inside” means the server is inside the MSP Customer entity and represents the data of Request of Ingress traffic or the data of Response of Egress traffic. “Outside” means the server is outside the MSP Customer entity and represents the data of Response of Ingress traffic or the data of Request of Egress traffic.

Click on the Protocol/Port sub menu of Attribute Report under the MSP Customer/Report main menu to enter the Protocol/Port Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report of MSP Customer/Report for details. Except that the data listed in the Report Table is different, all other descriptions are the same. For Protocol/Port reports, the Report Table will display the top N Protocol/Port (services).

Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.

8.2.4.4 TOS

The TOS traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic for a specific MSP Customer entity, aggregated according to the 256 TOS values. Each row of the Report Table will display the Into MSP Customer/Out of MSP Customer traffic for the TOS, and the value in the Sum column is the total amount of the Into MSP Customer/Out of MSP Customer traffic. In total, the top 50 TOS will be stored in the database and the top N (N: default = 25) will be displayed in the report.

Click on the TOS sub menu of Attribute Report under the MSP Customer/Report main menu to enter the TOS Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report under MSP Customer/Report menu for details. Except that the data listed in the Report Table is different, all other descriptions are the same. For TOS reports, the Report Table will display the top N TOSes.

Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.
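The Service selection described in the Application and Protocol/Port sections above (Inside = Request of Ingress or Response of Egress; Outside = Response of Ingress or Request of Egress) can be reproduced on raw flow records. The following is an added example, not code from GenieATM or from this manual; the customer prefix, the application port groups, the flow records and the rule that the destination port is checked before the source port are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample configuration (assumptions, not values from the manual).
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
APPLICATION_PORTS = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("udp", 53): "DNS"}

# Constructed flow records: (protocol, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("tcp", "203.0.113.7", 51000, "192.0.2.10", 443, 1200),  # outside client -> inside server
    ("tcp", "192.0.2.10", 443, "203.0.113.7", 51000, 9000),  # inside server -> outside client
    ("udp", "192.0.2.55", 40000, "198.51.100.53", 53, 80),   # inside client -> outside server
    ("udp", "198.51.100.53", 53, "192.0.2.55", 40000, 300),  # outside server -> inside client
    ("tcp", "203.0.113.9", 50000, "203.0.113.10", 80, 500),  # never touches the customer
    ("tcp", "192.0.2.20", 50001, "203.0.113.8", 6000, 700),  # no application port matches
]


def in_customer(ip):
    """True when the address belongs to the MSP Customer entity."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_PREFIXES)


def classify(flow):
    """Return (application, direction, side, service), or None if not reportable."""
    proto, src, sport, dst, dport, _nbytes = flow
    src_in, dst_in = in_customer(src), in_customer(dst)
    if src_in == dst_in:
        return None  # both ends inside or both outside: neither ingress nor egress
    direction = "Ingress" if dst_in else "Egress"

    # The port that matches an application group marks the server end.
    # Assumption: the destination port is checked first when both could match.
    if (proto, dport) in APPLICATION_PORTS:
        side, app = "Request", APPLICATION_PORTS[(proto, dport)]   # client -> server
    elif (proto, sport) in APPLICATION_PORTS:
        side, app = "Response", APPLICATION_PORTS[(proto, sport)]  # server -> client
    else:
        return None

    # Inside: Request of Ingress or Response of Egress (server is in the customer).
    server_inside = (direction, side) in {("Ingress", "Request"), ("Egress", "Response")}
    return app, direction, side, "Inside" if server_inside else "Outside"


def aggregate(flows, service):
    """Per-application Ingress/Egress/Sum byte counts for one Service selection."""
    table = defaultdict(lambda: {"Ingress": 0, "Egress": 0, "Sum": 0})
    for flow in flows:
        result = classify(flow)
        if result is None or result[3] != service:
            continue
        app, direction, _side, _service = result
        table[app][direction] += flow[5]
        table[app]["Sum"] += flow[5]
    return dict(table)


if __name__ == "__main__":
    for service in ("Inside", "Outside"):
        print(service, aggregate(FLOWS, service))
```
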

8.2.4.5 Packet Size

The Packet Size traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic for a specific MSP Customer entity, aggregated according to the packet size. The packet size is calculated by dividing the number of bytes by the number of packets. The packet size segments are: 1536.

Click on the Packet Size sub menu of Attribute Report under the MSP Customer/Report to enter the Packet Size Report window.

Report Descriptions

There are three parts in the Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report under MSP Customer/Report. Except that the data listed in the Report Table is different, all other descriptions are the same. For Packet Size reports, the Report Table will display the segments of Packet Size for which traffic data is recorded.

Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report function for details.

8.2.5 TopN Report

The TopN Report of MSP Customer presents the TopN analyses and reports. Up to the top 256 top-N objects will be stored in the DB and the top N (N: 16, 32, 64, 128, or 256) will be displayed in the report. With this report, users can easily and quickly obtain the top-N origins and targets of the traffic analysis.

Click on the TopN Report sub menu under MSP Customer/Report menu to enter the TopN Report window. The system will display various analysis reports and statistics according to the selected TopN Report, traffic unit, and time interval.

Note: Only the “MSP administrator”, which is defined in the System Admin/Network/MSP Customer/MSP Customer function, can configure the aggregation rule of the TopN report to the MSP Collector device. In addition, only the defined TopN Reports of the MSP Customers are displayed here.

Click on the unfolding mark of the TopN Report sub menu of MSP Customer/Report to enter the TopN Report window.

Report Descriptions

There are three parts in the Detail Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:
• MSP Customer: select the specified MSP customer.
• TopN Report: the defined TopN reports configured in the selected MSP customer.
• Time Range: a flexible way to specify the time interval for displaying the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (please see the description below for details). When users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. When users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it with the cursor (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after finishing the selections of year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: there are bps and pps in the drop-down list.
• Output: users can view the report on the web, or download it in the CSV format, as a PDF file or as an XML file, by selecting “Show on Web”, “Download Graph CSV”, “Download PDF file”, or “Download XML file” from the drop-down list.
• Chart: there are three kinds of output report types provided: Stacked Chart, Bar Chart and Pie Chart. The default setting is “Stacked Chart”.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis. The upper part represents the traffic that matches the defined filter entity and the lower part represents the opposite direction. In the chart, each stacked band represents one kind of traffic and it is additive; that is to say, the outer edge of all stacked bands represents the total traffic of all bands. (The objects with colors next to the check boxes indicate which TopN they are.)
• Bar Chart. Bar Chart is presented with horizontal bars, and three different colors of bars are used to separately represent Ingress, Egress, and Sum traffic statistics.
• Pie Chart. There are three pie charts presented to separately represent Ingress (Filter), Egress (Opposite), and Sum traffic statistics.

Report Table

This table displays the traffic analysis statistics for all TopN reports that are configured in a specific Filter selected from the Filter drop-down list (in the Query Bar). There are four tabs at the upper right corner of the table: Average, Current, Maximum and Usage.
• Average: the average values during the selected time interval.
• Current: the last values during the selected time interval.
• Maximum: the maximum values during the selected time interval.
• Usage: the usage values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so users can compare the traffic of different sorted top-N objects clearly. An “All” check box lets users select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, Maximum and Usage tables into different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.

9 Anomaly Activities

The Anomaly Activities menu provides overall anomaly traffic reports. It differs from the Report menu, which focuses on the defined network detection scopes (Internet, Neighbor, Backbone, Router, Interface, Sub-Network, Rule-based Report) to present all their related traffic reports, and also from the Anomaly Console menu, which presents the anomaly traffic report for every single anomaly event.

There are two kinds of anomaly activity reports provided in the system. One is about the Dark IP activity; the other is about the abnormal Application activity. When users click on the unfolding mark of Anomaly Activities, all its sub menus will be unfolded, including Dark IP and Worm.

9.1 Dark IP

The Dark IP menu provides various built-in dark IP traffic analysis reports. Based on all detected dark IP traffic, the system compiles various traffic statistics, such as the overall dark IP traffic, the traffic of each infected host, the traffic of each victim host, the traffic into/out of each interface, and the traffic into/out of each Sub-Network entity. There are two types of analysis reports for Dark IP traffic: Summary Report and Breakdown Report. The following sections introduce how to query the various Dark IP traffic reports.

When users click on the unfolding mark of Anomaly Activities / Dark IP, all its sub menus will be unfolded, including Summary Report and Breakdown Report.

9.1.1 Summary Report

The summary report of the Dark IP traffic presents the overall dark IP traffic analysis for the users’ entire network. With the Dark IP summary report, users can quickly see how much traffic goes from/to dark IP space, how much dark IP traffic is dropped by the routers, and the number of infected hosts.

Click on the Summary Report sub menu of Anomaly Activities / Dark IP menu to enter the Summary Report window. The system will display various analysis reports for dark IP traffic according to the selected traffic unit, time interval, and traffic type.

Click on the Sub-Network sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the Interface Report window.

Report Descriptions

There are two parts in the Traffic Report window: Query Bar and Report Chart.

Query Bar

This part is located at the top of the screen and contains the condition options below:
• Time Range: a flexible way to specify the time interval for displaying the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (please see the description below for details). When users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. When users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it with the cursor (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after finishing the selections of year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• IP version: only “Both” is shown in the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

There are three line charts displayed here: infected hosts, bps, and pps. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents the calculation unit of the traffic. In the chart, the average, maximum and current traffic values are indicated.

In the infected hosts report chart, the number of infected hosts is shown over the time period. The maximum number supported by each Collector is 2000. In the bps and pps report charts, the “In” traffic is the traffic into Dark IP space (the destination is a dark IP), the “Out” traffic is the traffic out of dark IP space (the source is a dark IP), and the “Drop” traffic is the traffic dropped by the routers.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

9.1.2 Breakdown Report

Unlike the macroscopic summary report, the breakdown report provides further analysis of a specific kind of traffic. The breakdown report of the Dark IP traffic includes five types of reports: Infected Hosts, Victim Hosts, Home Prefix, Interface, and Sub-Network.

When users click on the unfolding mark of Breakdown Report under the Anomaly Activities / Dark IP menu, all its sub menus will be unfolded, including Infected Hosts, Victim Hosts, Interface, and Sub-Network.

9.1.2.1 Infected Hosts

The Infected Hosts traffic analysis of the Dark IP breakdown report provides information about the traffic amount of each infected host in a (Top N) Report Table. In total, the top 64 infected hosts will be stored in the database and the top N (N: default = 25) will be displayed in the report. Each row of the Report Table will display the infected host IP, traffic amount, and total percentage.

Click on the Infected Hosts sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the Infected Hosts Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:
• Time Range: a flexible way to specify the time interval for displaying the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (please see the description below for details). When users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. When users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it with the cursor (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after finishing the selections of year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: there are three types of output report charts provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “Stacked Chart”.
• IP version: only “Both” is shown in the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents infected host number. In the chart, each stacked band represents one kind of traffic and it is additive; that is to say, the outer edge of all stacked bands represents the total traffic of all bands. (The objects with colors next to the check boxes indicate which infected host they are.)
• Bar Chart. Bar Chart is presented with horizontal bars and displays Egress traffic statistics for each infected host and the total traffic statistics for all.
• Pie Chart. There is one pie chart presented to represent Egress traffic statistics.

Report Table

This table will display all kinds of traffic analysis statistics of the infected hosts detected. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so users can compare the traffic of different infected hosts clearly by unselecting some hosts and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
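The In/Out split of the Summary Report and the per-host Top N table of the breakdown reports can be reproduced from exported flow records, for example to cross-check a report offline. This is an added example, not code from GenieATM or from this manual. The dark prefix and flow records are constructed; it also assumes that an infected host is the source of a flow whose destination is a dark IP, that a victim host is the destination of a flow whose source is a dark IP, and that the percentage is the host's share of all such traffic. "Drop" traffic is not modelled because it cannot be derived from these fields.

```python
import ipaddress
from collections import Counter

# Constructed dark (unused) address space; an assumption for this example.
DARK_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
STORED_TOP = 64   # the manual stores the top 64 hosts in the database
DEFAULT_N = 25    # the manual displays the top N (default 25)

# Constructed flow records: (src_ip, dst_ip, bytes, packets)
FLOWS = [
    ("192.0.2.10", "198.51.100.1", 6000, 100),   # scan-like traffic into dark space
    ("192.0.2.10", "198.51.100.2", 3000, 50),
    ("192.0.2.11", "198.51.100.9", 1000, 20),
    ("198.51.100.77", "192.0.2.50", 4000, 40),   # dark source address
    ("192.0.2.12", "203.0.113.5", 8000, 10),     # ordinary traffic, ignored
]


def is_dark(ip):
    """True when the address falls inside the configured dark IP space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DARK_PREFIXES)


def summarize(flows):
    """Summary Report figures: In = destination is dark, Out = source is dark."""
    in_bytes = out_bytes = 0
    infected = set()
    for src, dst, nbytes, _pkts in flows:
        if is_dark(dst):
            in_bytes += nbytes
            infected.add(src)      # assumed definition of an infected host
        if is_dark(src):
            out_bytes += nbytes
    return {"in_bytes": in_bytes, "out_bytes": out_bytes,
            "infected_hosts": len(infected)}


def top_hosts(flows, role, n=DEFAULT_N):
    """Rows of (host IP, bytes, percentage) for role 'infected' or 'victim'."""
    if role not in ("infected", "victim"):
        raise ValueError("role must be 'infected' or 'victim'")
    per_host = Counter()
    for src, dst, nbytes, _pkts in flows:
        if role == "infected" and is_dark(dst):
            per_host[src] += nbytes
        elif role == "victim" and is_dark(src):
            per_host[dst] += nbytes
    total = sum(per_host.values())
    # Sort by traffic, break ties by address, keep what the database would store.
    ranked = sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))[:STORED_TOP]
    return [(host, b, round(100.0 * b / total, 1)) for host, b in ranked[:n]]


if __name__ == "__main__":
    print(summarize(FLOWS))
    for row in top_hosts(FLOWS, "infected"):
        print(row)
```
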

9.1.2.2 Victim Hosts

The Victim Hosts traffic analysis of the Dark IP breakdown report provides information about the traffic amount of each victim host in a (Top N) Report Table. In total, the top 64 victim hosts will be stored in the database and the top N (N: default = 25) will be displayed in the report. Each row of the Report Table will display the victim host IP, traffic amount, and total percentage.

Click on the Victim Hosts sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the Victim Hosts Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:
• Time Range: a flexible way to specify the time interval for displaying the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (please see the description below for details). When users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. When users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it with the cursor (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after finishing the selections of year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: there are three types of output report charts provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “Stacked Chart”.
• IP version: only “Both” is shown in the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents victim host number. In the chart, each stacked band represents one kind of traffic and it is additive; that is to say, the outer edge of all stacked bands represents the total traffic of all bands. (The objects with colors next to the check boxes indicate which victim host they are.)
• Bar Chart. Bar Chart is presented with horizontal bars and displays Ingress traffic statistics for each infected host and the total traffic statistics for all.
• Pie Chart. There is one pie chart presented to represent Ingress traffic statistics.

Report Table

This table will display all kinds of traffic analysis statistics of the victim hosts detected. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently being viewed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so users can compare the traffic of different victim hosts clearly by unselecting some hosts and leaving those they want. An “All” check box lets users conveniently select all check boxes at once. Please click on the “Submit” button (in the Query Bar) to refresh the screen for your selection.

In addition, users can use the “Download Excel-XML” button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

9.1.2.3 Interface

The Interface traffic analysis of the Dark IP breakdown report provides information about the dark IP traffic of each interface (the traffic sent to the interface from Dark IP space and the traffic sent to Dark IP space from the interface). The system will display the Top N (N: maximum = 64; default = 25) interfaces in a (Top N) Report Table. Each row of the Report Table will display the router name, interface name, into interface traffic, out of interface traffic, and sum traffic for each interface.

Click on the Interface sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the Interface Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Infected Hosts section of Breakdown Report of Anomaly Activities / Dark IP for details. Except that the data listed in the Report Table is different, all other descriptions are the same. For Interface reports, the Report Table will display the top N Interfaces, and no total percentage statistics are provided.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

9.1.2.4 Sub-Network

The Sub-Network traffic analysis of the Dark IP breakdown report provides information about the dark IP traffic of the Sub-Network entities defined in the system (the traffic sent to the Sub-Network entity from Dark IP space and the traffic sent to Dark IP space from the Sub-Network entity). The system will display the Top N (N: maximum = 64; default = 25) entities in a (Top N) Report Table. Each row of the Report Table will display the Sub-Network name, into Sub-Network traffic, out of Sub-Network traffic, sum traffic, and total percentage for each Sub-Network.

Click on the Sub-Network sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the Interface Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the condition options below:
• Time Range: a flexible way to specify the time interval for displaying the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (please see the description below for details). When users choose this way, please specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is another way, different from Time Range, to specify the report’s time interval. In this way, five fixed time intervals are provided to present the analysis report, with an end time specified from the Until drop-down list. When users choose this way, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table will be shown. Specify the year and month from the drop-down lists in the time table, select the date by clicking on it with the cursor (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after finishing the selections of year, month, and date. If users choose the Period way to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bit per second) and pps (packet per second).
• Output: users can view the report on the web or download it in the CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: there are three types of output report charts provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “Stacked Chart”.
• IP version: only “Both” is shown in the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the dark IP traffic into the Sub-Network and the lower part represents the traffic out of the Sub-Network. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands.
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different bar colors separately represent Into-SubNetwork, Out-of-SubNetwork, and Sum traffic statistics.
• Pie Chart. Three pie charts separately represent Into-SubNetwork, Out-of-SubNetwork, and Sum traffic statistics.

Report Table

There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently displayed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so that users can clearly compare the traffic of the selected entries. An “All” check box is provided to conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the table’s tabular data as an XML file, which can be read by Excel. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


9.2

Worm

The Worm menu provides various built-in application anomaly traffic analysis reports. The system compiles various traffic statistics from all detected abnormal application traffic, such as overall application anomaly traffic, the traffic of each infected host, the traffic into/out of each interface, and the traffic into/out of each Sub-Network entity. There are two types of analysis reports for Application Anomaly traffic: Summary Report and Breakdown Report. The following sections introduce how to query the various Application Anomaly traffic reports. When users click on the unfolding mark of Anomaly Activities / Worm, all its sub menus will be unfolded, including Summary Report and Breakdown Report.

9.2.1

Summary Report

The summary report of the Worm traffic presents the overall abnormal application traffic analysis. With the Application Anomaly summary report, users can see at a glance how much abnormal application traffic flows into and out of the Home network. Click on the Summary Report sub menu of the Anomaly Activities / Worm menu to enter the Summary Report window. The system will display various analysis reports for worm traffic according to the selected traffic unit, time interval, and traffic type.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the following condition options:

• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided, and the end time is specified from the Until drop-down list. If users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. Clicking on Start Time shows the year-month-date time table. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• IP Version: only “Both” shows in the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.


Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into Home and the lower part represents the traffic out of Home. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands.
• Bar Chart. The Bar Chart is presented with horizontal bars, and three different bar colors separately represent Into-Home, Out-of-Home, and Sum traffic statistics.
• Pie Chart. Three pie charts separately represent Into-Home, Out-of-Home, and Sum traffic statistics.

Report Table

There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently displayed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so that users can clearly compare the traffic of the selected entries. An “All” check box is provided to conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the table’s tabular data as an XML file, which can be read by Excel. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

9.2.2

Breakdown Report

Unlike the macroscopic summary report, the breakdown report provides further analysis of specific kinds of traffic. The breakdown report of the Worm traffic includes three types of reports: Infected Hosts, Interface, and Sub-Network. When users click on the unfolding mark of Breakdown Report under the Anomaly Activities / Worm menu, all its sub menus will be unfolded, including Infected Hosts, Interface, and Sub-Network.

9.2.2.1

Infected Hosts

The Infected Hosts traffic analysis of Worm breakdown report provides the information about the traffic amount of each infected host in a (Top N) Report Table. In total, the top 64 infected hosts are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the infected host IP, traffic amount, and total percentage. Click on the Infected Hosts sub menu of Breakdown Report under the Anomaly Activities / Worm menu to enter the Infected Hosts Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.

Query Bar

This part is located at the top of the screen and contains the following condition options:

• Worm: select a worm type from the drop-down list.
  Note: All listed worm types are defined and enabled in the Application Anomaly in the System Admin/Network/Anomaly function.
• Time Range: a flexible way to specify the time interval for displaying the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). If users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
• Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report’s time interval. Five fixed time intervals are provided, and the end time is specified from the Until drop-down list. If users choose Period, the Start Time drop-down list will be unavailable.
• Start Time: year, month, date, and time. This drop-down list represents the start time of the report’s time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. Clicking on Start Time shows the year-month-date time table. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date will be highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose Period to specify the report’s time interval, this drop-down list will be unavailable.
• Until: year, month, date, and time. This drop-down list represents the end time of the report’s time interval. Please refer to the Start Time description above for operation.
• Unit: bps (bits per second) and pps (packets per second).
• Output: users can view the report on the web or download it in CSV format by selecting “Show on Web” or “Download Graph CSV” from the drop-down list.
• Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is “stacked chart”.
• IP version: only “Both” shows in the drop-down list.
• Submit: after finishing the query conditions, click on this button to submit the query.

Report Chart

• Stacked Chart. The X-coordinate represents time and will be converted according to the time interval selected by users. The Y-coordinate represents infected host number. In the chart, each stacked band represents one kind of traffic and the bands are additive; that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which infected host each band belongs to.)
• Bar Chart. The Bar Chart is presented with horizontal bars and displays Egress traffic statistics for each infected host and the total traffic statistics for all.
• Pie Chart. One pie chart represents Egress traffic statistics.

Report Table

This table displays all kinds of traffic analysis statistics of the infected hosts detected. There are three tabs at the top right corner of the table: Average, Current, and Maximum.

• Average: the average values during the selected time interval.
• Current: the values of the last data during the selected time interval.
• Maximum: the maximum values during the selected time interval.

Users can click on the tabs to view the detailed data for each. The blue tab indicates the page currently displayed. Selecting the check box at the front of a row draws that row’s traffic in the Report Chart, so that users can clearly compare the traffic of different infected hosts by unselecting hosts and leaving only those they want. An “All” check box is provided for users to conveniently select all check boxes at once. Click on the “Submit” button (in Query Bar) to refresh the screen for your selection. In addition, users can use the “Download Excel-XML” button to download the table’s tabular data as an XML file, which can be read by Excel. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.

Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


9.2.2.2

Interface

The Interface traffic analysis of Worm breakdown report provides the information about the traffic of each interface. The system will display Top N (N: maximum = 64; default = 25) interfaces in a (Top N) Report Table. Each row of Report Table will display router name, interface name, into interface traffic, out of interface traffic, and sum traffic for each interface. Click on the Interface sub menu of Breakdown Report under the Anomaly Activities / Worm menu to enter the Interface Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Infected Hosts section of Breakdown Report of Anomaly Activities / Worm for details. The descriptions are the same except for the data listed in the Report Table. For Interface reports, the Report Table displays the top N interfaces and no total percentage statistics are provided. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.

9.2.2.3

Sub-Network

The Sub-Network traffic analysis of Worm breakdown report provides the information about the worm traffic of Sub-Network entities defined in the system. The system will display Top N (N: maximum = 64; default = 25) entities in a (Top N) Report Table. Each row of Report Table will display Sub-Network name, into Sub-Network traffic, out of Sub-Network traffic, sum traffic, and total percentage for each Sub-Network. Click on the Sub-Network sub menu of Breakdown Report under the Anomaly Activities / Worm menu to enter the Interface Report window.

Report Descriptions

There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Infected Hosts section of Breakdown Report of Anomaly Activities / Worm for details. The descriptions are the same except for the data listed in the Report Table. For Sub-Network reports, the Report Table displays the top N Sub-Network entities. Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.


Appendix (A) -- NetFlow Device Configuration

A-1 Cisco NetFlow Configuration

1. Export NetFlow version 5:
   Router(config)# ip flow-export version 5 origin-as
   Router(config)# ip flow-export destination [GenieATM’s ipaddr] [v5 port number]
   Router(config)# ip flow-cache timeout active 1
2. Set command on Interface:
   Router(config-if)# ip route-cache flow
   Note: Since the router will only perform NetFlow statistics on inbound packets, we strongly suggest that users apply the command on ‘every interface’ to ensure full collection of all flow data.
3. Check NetFlow setting:
   Router# show ip flow export

A-2 Foundry BigIron NetFlow Configuration

1. Export NetFlow version 5:
   BigIron(config)# ip flow-export enable
   BigIron(config)# ip flow-export version 5
   BigIron(config)# ip flow-export destination [GenieATM’s ipaddr] [v5 port number] 1
   Bigiron(config)# ip flow-cache timeout active 1
   BigIron(config)# ip flow-export original-as
2. Set command on Interface:
   Bigiron(config-if)# ip route-cache flow
   Note: Since the router will only perform NetFlow statistics on inbound packets, we strongly suggest that users apply the command on ‘every interface’ to ensure full collection of all flow data.
3. Check NetFlow setting:
   Bigiron# show ip flow export

A-3 Enterasys NetFlow Configuration

Note: Enable SNMP before starting NetFlow. Do not start NetFlow and RMON at the same time.

1. Export NetFlow:
   xp# netflow enable
   xp# netflow set port [port list]/all-ports
   Note: Since the router will only perform NetFlow statistics on inbound packets, we strongly suggest that users apply the command on ‘every interface’ to ensure full collection of all flow data.
   xp# netflow set collector [GenieATM’s ipaddr] deadtime 120 flow-destination-port [port number]
   xp# netflow set interval 1
2. Check NetFlow setting:
   xp# netflow show all
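A collector-side check for the settings in Appendix A, as an added example that is not part of the manual or of GenieATM: it parses a NetFlow version 5 export datagram and reports interfaces that never appear as a flow's input interface, flows longer than the 1-minute active timeout, and whether AS numbers are populated. The datagram, addresses, AS numbers, ifIndex list and the 5-second slack are constructed assumptions.

```python
import ipaddress
import struct

# NetFlow v5 export datagram: 24-byte header, then 1..30 records of 48 bytes.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
ACTIVE_TIMEOUT_MS = 60_000  # "ip flow-cache timeout active 1" (minutes)
SLACK_MS = 5_000            # assumed tolerance for the exporter's cache scan


def parse_v5(datagram):
    """Parse one export datagram; raise ValueError on anything malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _up, _secs, _nsecs, sequence, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"version {version}, expected 5")
    if not 1 <= count <= 30:
        raise ValueError(f"record count {count} out of range")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the record count")
    flows = []
    for i in range(count):
        (src, dst, _hop, in_if, out_if, pkts, octets, first, last, sport,
         dport, _p1, _flags, proto, _tos, src_as, dst_as, _sm, _dm,
         _p2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "input_if": in_if, "output_if": out_if,
            "packets": pkts, "octets": octets,
            # first/last are router uptime in ms; the 32-bit counter may wrap
            "duration_ms": (last - first) & 0xFFFFFFFF,
            "sport": sport, "dport": dport, "proto": proto,
            "src_as": src_as, "dst_as": dst_as,
        })
    return {"sequence": sequence, "count": count}, flows


def audit_export(flows, expected_ifindexes):
    """Compare received flows with what the Appendix A settings should yield."""
    seen_inputs = {f["input_if"] for f in flows}
    return {
        # Flows are accounted on inbound packets only, so an interface that
        # never shows up as input_if either lacks "ip route-cache flow" or
        # received no traffic during the sample.
        "silent_interfaces": sorted(set(expected_ifindexes) - seen_inputs),
        # With a 1-minute active timeout no record should span much more.
        "over_timeout": [f for f in flows
                         if f["duration_ms"] > ACTIVE_TIMEOUT_MS + SLACK_MS],
        # All-zero AS fields suggest the origin-as keyword is missing.
        "as_populated": any(f["src_as"] or f["dst_as"] for f in flows),
    }


def build_sample():
    """Constructed datagram (documentation addresses and ASNs), not a capture."""
    rows = [
        # src, dst, input_if, output_if, first_ms, last_ms, src_as, dst_as
        ("192.0.2.10", "198.51.100.5", 1, 2, 1_000, 31_000, 64496, 64497),
        ("198.51.100.5", "192.0.2.10", 2, 1, 1_500, 30_500, 64497, 64496),
        ("203.0.113.7", "192.0.2.10", 2, 1, 2_000, 302_000, 64498, 64496),
    ]
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed,
                    ipaddress.IPv4Address(d).packed, bytes(4), i, o,
                    10, 5_000, first, last, 40000, 443,
                    0, 0x18, 6, 0, sa, da, 24, 24, 0)
        for s, d, i, o, first, last, sa, da in rows)
    return HEADER.pack(5, len(rows), 400_000, 1_700_000_000, 0, 1, 0, 0, 0) + body


if __name__ == "__main__":
    header, flows = parse_v5(build_sample())
    print(header)
    print(audit_export(flows, expected_ifindexes=[1, 2, 3]))
```

In use, `parse_v5` would be fed the payload of each UDP datagram received on the collector port configured in `ip flow-export destination`.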


Appendix (B) -- sFlow Device Configuration

B-1 Foundry Networks sFlow Configuration

1. Export sFlow:
   BigIron(config)# sflow enable (optical)
   BigIron(config)# sflow sample [decimal] (optical)
   BigIron(config)# sflow destination [Genie’s ipaddr] [sFlow port number] (optical)
   BigIron(config)# sflow source [ethernet/loopback/null] (optical)
   Note: The configuration value of “sflow sample” must be the same as the sampling rate set up at GenieATM’s system / Flow Exporter.
2. Check sFlow setting:
   BigIron(config)# show sflow


Appendix (C) -- Installing SSL in Controller for Enabling Secure Web Access

GenieATM supports secure access via browser. Follow the steps below to set up SSL support on GenieATM.

1. Enter Global configuration Mode to generate the CSR (Certificate Signing Request) file.
   ATM # gencsr
   Generating RSA private key, 1024 bit long modulus
   ........................++++++
   ....++++++
   unable to write 'random state'
   e is 65537 (0x10001)
   ...
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:TW
   State or Province Name (full name) [Some-State]:TAIWAN
   Locality Name (eg, city) []:TAIPEI
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:GenieNRM
   Organizational Unit Name (eg, section) []:TAC
   Common Name (eg, YOUR name) []:Genie
   Email Address []:[email protected]
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []: [press enter]
   An optional company name []: [press enter]
   ATM (config)# exit

2. Display the ssl-csr files (the shown data is used to apply for the SSL server certificate).
   ATM # show ssl-csr
   -----BEGIN CERTIFICATE REQUEST-----
   ...
   -----END CERTIFICATE REQUEST-----
   ATM #


3. Apply for the SSL server certificate through a Certificate Authority such as Verisign or another independent third party.
   Note: The certificate authority may issue the SSL server certificate via email, as a download file, or by displaying the contents directly in a pop-up window. Save the content of the SSL server certificate as a file, getcacert.cer, for GenieATM to download.

4. Download the SSL server certificate issued by the Certificate Authority to GenieATM.
   ATM # copy ftp certificate
   Address of remote host? 192.168.12.100
   Source file name? (absolute path, file name with path) /getcacert.cer
   [Waiting for FTP transmission ...]
   FTP file from: /getcacert.cer
   [FTP_STATUS] FTP_SUCCESS, 593 Bytes received
   [copy ftp certificate ... OK]
   ATM #

5. Back up the SSL files (CRT, CSR, and Key files) to an FTP server.
   ATM # copy ssl-files ftp
   Address of remote host? 192.168.1.1
   Destination file path? (The path to store SSL files) /backup
   [Waiting for FTP transmission ...]
   FTP file to: /backup/mykey.key
   [FTP_STATUS] FTP_SUCCESS, 887 Bytes transferred
   FTP file to: /backup/mysite.csr
   [FTP_STATUS] FTP_SUCCESS, 700 Bytes transferred
   FTP file to: /backup/mysite.crt
   [FTP_STATUS] FTP_SUCCESS, 1098 Bytes transferred
   [copy ssl-files ftp ... OK]
   ATM #
   Note: It is strongly suggested to back up the CRT, CSR, and private Key files in case of unexpected situations.


Appendix (D) -- Booting GenieATM™ from TFTP Server

GenieATM can boot from a TFTP server. With this mechanism, you can verify that a received GenieATM image file is good and undamaged before doing a software upgrade. This function can also help you recover GenieATM from a failed software upgrade. Refer to the following steps to boot GenieATM from a TFTP server.

Step 1: Attach one side of the RS232 cable to the RS232 port on GenieATM and connect the other side to a terminal server. For the location of the RS232 port on GenieATM, please refer to the installation guide. Console parameters are as follows:
   Baud: 9600 bps
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None

Step 2: When the system starts to load the OS and the screen displays "Loading..." as shown below, press "b" to interrupt the program and enter boot mode to perform booting from the TFTP server.
   Loading...
   Press "b" to interrupt system loading processes.

Step 3: When the screen prompts "boot>", type in the command "tftp" to activate the TFTP client.
   boot> tftp

Step 4: There are three parameters you have to specify: the local TFTP client IP/CIDR, the remote TFTP server’s IP address, and the default gateway for the local TFTP client.
   local-ip> 192.168.10.202/24
   remote-ip> 192.168.10.201
   default-gw> 192.168.10.254

Step 5: Use the command "ping" and then input the TFTP server IP address to check the network connection between GenieATM and the TFTP server.
   boot> ping
   target-ip> 192.168.10.201
   PING 192.168.10.201 (192.168.10.201): 56 data bytes
   64 bytes from 192.168.10.201: icmp_seq=0 ttl=64 time=0.5 ms
   64 bytes from 192.168.10.201: icmp_seq=1 ttl=64 time=0.1 ms
   64 bytes from 192.168.10.201: icmp_seq=2 ttl=64 time=0.2 ms
   --- 192.168.10.201 ping statistics ---
   3 packets transmitted, 3 packets received, 0% packet loss
   round-trip min/avg/max = 0.1/0.2/0.5 ms
   target-ip> exit

Step 6: Type in the command "image" and then input the name of the image located on the TFTP server.
   boot> image
   boot-image> image.jffs2
   boot>

Step 7: Enter the “boot tftp” command to start booting from the TFTP server. GenieATM will boot into CLI mode if the image is OK.
   boot> boot tftp
   Booting from TFTP(192.168.10.201)....


Appendix (E) -- Dictionary of IETF Radius Client Attributes Supported by GenieATM

This appendix lists all the Radius Client attributes supported by GenieATM.

RQ: Request
AR: Accept/Reject
ST: Start
SP: Stop

| RQ | AR | ST | SP | # | Attribute | Vendor | ID | Type of Value | Value |
|----|----|----|----|---|-----------|--------|----|---------------|-------|
| | | | | 1 | User-Name | 2865 | 1 | String | User input |
| | | | | 2 | User-Password | 2865 | 2 | String | User input |
| | | | | 3 | NAS-IP-Address | 2865 | 4 | Ipaddr | ATM IP |
| | | | | 4 | NAS-Port | 2865 | 5 | Integer | Request port |
| | | | | 5 | Service-Type | 2865 | 6 | Integer | Login (1) |
| | | | | 9 | Login-IP-Host | 2865 | 14 | Ipaddr | User IP |
| | | | | 10 | Reply-Message | 2865 | 18 | String | From RADIUS |
| | | | | 13 | Class | 2865 | 25 | String | From RADIUS |
| | | | | 14 | Session-Timeout | 2865 | 27 | Integer | From RADIUS |
| | | | | 15 | Idle-Timeout | 2865 | 28 | Integer | X |
| | | | | 18 | Calling-Station-Id | 2865 | 31 | String | User IP (add 0) |
| | | | | 19 | NAS-Identifier | 2865 | 32 | String | ATM IP |
| - | - | 1 | 1 | 20 | Acct-Status-Type | 2866 | 40 | Integer | 1: START; 2: STOP |
| - | - | 1 | 1 | 21 | Acct-Delay-Time | 2866 | 41 | Integer | 0-4 |
| - | - | 1 | 1 | 24 | Acct-Session-Id | 2866 | 44 | String | ATM |
| - | - | - | 1 | 26 | Acct-Session-Time | 2866 | 46 | Integer | ATM |
| - | - | - | 1 | 29 | Acct-Terminate-Cause | 2866 | 49 | Integer | 1: User Request; 2: Lost Carrier; 4: Idle Timeout; 5: Session Timeout; 6: Admin Reset; 7: Admin Reboot |
| 1 | - | 1 | 1 | 30 | Event-Timestamp | 2869 | 55 | Integer | ATM |
| 1 | - | 1 | 1 | 31 | NAS-Port-Type | 2865 | 61 | Integer | Ethernet (15) |
| 1 | - | 1 | 1 | 35 | NAS-Port-ID | 2869 | 87 | Integer | 0: eth0; 1: eth1 |
| - | 0-1 | - | - | 36 | GENIE-USER-ROLE | 9926 | 60 | Integer | 101: ADMINISTRATOR; 102: SUPERUSER; 103: VIEWING-ONLY; 104: Sub-Network-USER |
| - | 0-1 | - | - | 37 | GENIE-USER-GROUP-ID | 9926 | 61 | Integer | |
| - | 0-1 | - | - | 38 | GENIE-USER-SubNetwork-ID | 9926 | 62 | Integer | |
| - | 0-1 | - | - | 39 | GENIE-USER-LANGUAGE | 9926 | 63 | Integer | 0: WESTERM; 1: TRADITIONAL-CHINESE; 2: SIMPLIFIED-CHINESE; 3: SHIFT-JIS |
| - | 0-1 | - | - | 40 | GENIE-USER-STATUS | 9926 | 64 | Integer | 1: ACTIVE; 0: INACTIVE |
| - | 0-1 | - | - | 41 | GENIE-CLI-Privilege | 9926 | 80 | Integer | 1: Normal-Mode; 2: Enable-Mode; 3: Configure-Mode |
| 0-1 | - | - | - | 42 | GENIE-CLI-Command | 9926 | 81 | String | |

RQ, AR, ST and SP values for rows # 1 to 19, listed by column in printed order (row positions not preserved):
RQ: 1 1 1 1 1 1 1 1
AR: 1 0-1 0-1 0-1 1 0-1 -
ST: 1 1 1 1 0-1 1 1
SP: 1 1 1 1 0-1 1 1
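Decoding the GENIE-* attributes of an Access-Accept and reviewing the privilege it grants, as an added example that is not GenieATM code. It assumes the GENIE-* rows are carried as RFC 2865 Vendor-Specific attributes (type 26) under vendor 9926 with the IDs from the table; the packet, shared secret and request authenticator are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VSA = 26              # RFC 2865 Vendor-Specific; assumed carrier for GENIE-* rows
GENIE_VENDOR = 9926   # "Vender" value the table lists for GENIE-* attributes
GENIE_ATTRS = {60: "GENIE-USER-ROLE", 61: "GENIE-USER-GROUP-ID",
               62: "GENIE-USER-SubNetwork-ID", 63: "GENIE-USER-LANGUAGE",
               64: "GENIE-USER-STATUS", 80: "GENIE-CLI-Privilege",
               81: "GENIE-CLI-Command"}
STRING_IDS = {81}     # every other GENIE-* attribute is an Integer
ROLES = {101: "ADMINISTRATOR", 102: "SUPERUSER",
         103: "VIEWING-ONLY", 104: "Sub-Network-USER"}
CLI_MODES = {1: "Normal-Mode", 2: "Enable-Mode", 3: "Configure-Mode"}


def tlvs(buf):
    """Yield (type, value) from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("attribute length out of bounds")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def response_auth_ok(packet, request_auth, secret):
    """RFC 2865: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])


def decode_genie(packet):
    """Return {attribute name: value} for the Genie VSAs of an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack_from("!BBH", packet)
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    out = {}
    for kind, value in tlvs(packet[20:]):
        if kind != VSA or len(value) < 4:
            continue
        if struct.unpack_from("!I", value)[0] != GENIE_VENDOR:
            continue
        for sub, data in tlvs(value[4:]):
            name = GENIE_ATTRS.get(sub, f"unknown-{sub}")
            if sub in STRING_IDS:
                out[name] = data.decode("utf-8", "replace")
            elif sub in GENIE_ATTRS and len(data) == 4:
                out[name] = struct.unpack("!I", data)[0]
            elif sub in GENIE_ATTRS:
                raise ValueError(f"{name}: Integer attribute must be 4 bytes")
            else:
                out[name] = data
    return out


def review_grant(attrs):
    """List what an operator should look at before trusting this grant."""
    findings = []
    role = attrs.get("GENIE-USER-ROLE")
    if role is not None and role not in ROLES:
        findings.append(f"role value {role} is not in the dictionary")
    if ROLES.get(role) == "ADMINISTRATOR":
        findings.append("grants ADMINISTRATOR")
    if CLI_MODES.get(attrs.get("GENIE-CLI-Privilege")) == "Configure-Mode":
        findings.append("grants CLI Configure-Mode")
    if attrs.get("GENIE-USER-STATUS") == 0 and role is not None:
        findings.append("role assigned to an INACTIVE user")
    return findings


def build_sample(secret, request_auth):
    """Constructed Access-Accept (not a capture): role 101, status 1, CLI 3."""
    subs = b"".join(struct.pack("!BBI", t, 6, v)
                    for t, v in ((60, 101), (64, 1), (80, 3)))
    vsa = struct.pack("!BBI", VSA, 6 + len(subs), GENIE_VENDOR) + subs
    head = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(vsa))
    auth = hashlib.md5(head + request_auth + vsa + secret).digest()
    return head + auth + vsa


if __name__ == "__main__":
    secret, req = b"constructed-secret", bytes(range(16))
    pkt = build_sample(secret, req)
    print("authenticator ok:", response_auth_ok(pkt, req, secret))
    print(review_grant(decode_genie(pkt)))
```

Checking the Response Authenticator before decoding matters here because the role and CLI privilege arrive in the reply itself; a reply whose authenticator does not verify should not be allowed to assign either.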
