HPE IMC NTA/UBA Cisco Network Traffic Monitoring Through NetFlow Configuration Examples


Part number: 5200-1413
Software version: IMC NTA 7.2 (E0401)
Software version: IMC UBA 7.2 (E0401)

The information in this document is subject to change without notice.
Copyright 2016 Hewlett Packard Enterprise Development LP

Contents

Introduction
Prerequisites
Restrictions and guidelines
Example: Using NTA/UBA to monitor Cisco network traffic through NetFlow
    Network configuration
    Software versions used
    Procedures
        Adding the Cisco switch to IMC management
        Configuring NTA/UBA
        Configuring NetFlow on the switch
    Verifying the configuration
        Viewing interface traffic information
        Auditing user behaviors
Troubleshooting NTA/UBA and NetFlow
    No NetFlow data on the NTA/UBA server
    No NetFlow data on NTA
    No audit results on UBA
Related documentation

Introduction

This document provides examples for using NTA/UBA to monitor network traffic on a Cisco Nexus 7000 switch in real time through NetFlow.

Prerequisites

Before you configure NTA/UBA and NetFlow to monitor network traffic, complete the following tasks:
- Make sure the NTA/UBA server is correctly installed and deployed.
- Make sure the device can communicate with the NTA/UBA server.
- Make sure the SNMP service is enabled on the device.

Restrictions and guidelines

NTA/UBA supports NetFlow log types of NetFlow v5 and NetFlow v9.

Example: Using NTA/UBA to monitor Cisco network traffic through NetFlow

Network configuration

As shown in Figure 1, configure NTA/UBA to analyze and monitor network traffic sent from a Cisco Nexus 7000 switch through NetFlow v9.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on Cisco NX-OS(tm) n7000, Software (n7000-s1-dk9), Version 6.2(8a).

Procedures

Adding the Cisco switch to IMC management

1. Click the Resource tab.
2. From the navigation tree, select Resource Management > Add Device.
3. On the page that appears, enter 172.16.0.2 in the Host Name/IP field.
4. Configure the same SNMP, Telnet, and SSH settings as the settings on the device.
5. Click OK.

Configuring NTA/UBA

Adding the NetFlow device to NTA

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Settings. The Settings page opens.
3. In the Guide to Quick Traffic Analysis and Audit Management area, click Device Management. The Device Management page opens.
4. Click Add. The Add Device page opens.
5. Configure the NetFlow device parameters, as shown in Figure 2:
   a. In the Device IP field, click Select to select the device from the IMC platform. (Details not shown.) After you select the device, the following fields are automatically populated: Name, SNMP Community, and SNMP Port. If you manually configure the device IP rather than selecting from the platform, make sure the SNMP community and port settings are the same as the settings on the device.
   b. Use the default values for other parameters.

Figure 2 Adding the NetFlow device to NTA

6. Click OK.

Deploying server configuration

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Settings. The Settings page opens.
3. In the Guide to Quick Traffic Analysis and Audit Management area, click Server Management. The Server Management page opens.
4. Click the Modify icon for the NTA/UBA server with IP address 192.168.1.220. The Server Configuration page opens.
5. Configure the server parameters as needed, as shown in Figure 3:
   a. In the Traffic Analysis and User Behavior Audit areas, select the switch with IP address 172.16.0.2 as the device to be monitored.
   b. In the Intranet Monitor Information area, configure 172.0.0.0/8 as the intranet information for the device. (Details not shown.)

Figure 3 Configuring the NTA/UBA server

6. Click Deploy.

Adding an interface traffic analysis task

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Settings. The Settings page opens.
3. In the Guide to Quick Traffic Analysis and Audit Management area, click Traffic Analysis Task Management. The Traffic Analysis Task Management page opens.
4. Click Add. The Select Task Type page opens.

5. Select Interface and click Next. The Add Traffic Analysis Task page opens.
6. Configure the basic task information and select interface Ethernet 2/14, as shown in Figure 4. This example uses Interface as the task name.

Figure 4 Adding an interface traffic analysis task

7. Click OK.

Configuring NetFlow on the switch

    # Configure a flow record.
    switch# config
    switch(config)# flow record pw1
    switch(config-flow-record)# match ipv4 source address
    switch(config-flow-record)# match ipv4 destination address
    switch(config-flow-record)# match ip protocol
    switch(config-flow-record)# match ip tos
    switch(config-flow-record)# match transport source-port
    switch(config-flow-record)# match transport destination-port
    switch(config-flow-record)# collect transport tcp flags
    switch(config-flow-record)# collect counter bytes long
    switch(config-flow-record)# collect counter packets long
    switch(config-flow-record)# collect timestamp sys-uptime first
    switch(config-flow-record)# collect timestamp sys-uptime last

    # Configure the destination address, UDP port number, and log sending port for NetFlow traffic export.

    switch(config)# flow exporter pw2
    switch(config-flow-exporter)# destination 192.168.1.220
    switch(config-flow-exporter)# transport udp 9020
    switch(config-flow-exporter)# source Ethernet2/14

    # Specify the version of the flow exporter.
    switch(config-flow-exporter)# version 9

    # Create a flow monitor.
    switch(config)# flow monitor pw
    switch(config-flow-monitor)# record pw1
    switch(config-flow-monitor)# exporter pw2

    # Enable NetFlow on Ethernet 2/14.
    switch(config)# interface Ethernet2/14
    switch(config-if)# ip flow monitor pw input
    switch(config-if)# ip flow monitor pw output

Verifying the configuration

Viewing interface traffic information

Viewing summary information for all interface traffic analysis tasks

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Interface Traffic Analysis Task. The Interface Traffic page opens, as shown in Figure 5.

Figure 5 Viewing summary information for interface traffic analysis tasks

Viewing traffic information for an individual interface traffic analysis task

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > Interface Traffic Analysis Task. The Interface Traffic page opens.
3. To view traffic information for an interface traffic analysis task, do one of the following:
   - On the Summary List, click the name of the interface traffic analysis task Interface.
   - From the navigation tree, point to the Expand icon next to Interface Traffic Analysis Task and select Interface from the menu that opens.
   The Interface traffic analysis page displays total traffic information for the interface traffic analysis task, as shown in Figure 6.

Figure 6 Viewing traffic information for an interface traffic analysis task

Viewing application information for an interface traffic analysis task

On the Interface traffic analysis page, click the Application tab. The tab displays application traffic information for the interface traffic analysis task, as shown in Figure 7.

Figure 7 Viewing application information for an interface traffic analysis task

Viewing session information for an interface traffic analysis task

On the Interface traffic analysis page, click the Session tab. The tab displays session information for the interface traffic analysis task, as shown in Figure 8.

Figure 8 Viewing session information for an interface traffic analysis task

Auditing user behaviors

1. Click the Service tab.
2. From the navigation tree, select Traffic Analysis and Audit > User Behavior Audit. The User Behavior Audit page opens.
3. Specify the audit conditions and click Audit. The Audit Result page opens, as shown in Figure 9.

Figure 9 Viewing the log audit result

Troubleshooting NTA/UBA and NetFlow

No NetFlow data on the NTA/UBA server

To resolve the problem:
- Verify that the same UDP port number for log receiving is configured on the device as configured on the NTA server.
- Verify that the device and the NTA server can reach each other.
- Check the firewall status on the NTA server. If the firewall is enabled, disable the firewall, or open UDP ports 9020, 9021, and 6343.
- Check the size of files in the directories $IMC_INSTALL/data/recieverData and $IMC_INSTALL/data/processorData/data. If a large number of files exist in the directories, clear files from the installation directory and the database:
   a. Stop the processor and receiver processes.
   b. Delete all files in directories $IMC_INSTALL/data/recieverData and $IMC_INSTALL/data/processorData/data.
   c. Delete the receivedfile.txt file in directory $IMC_INSTALL/unba/conf.
   d. Clear the unba_slave.tbl_storing_task table from the unba_slave database.
   e. Restart the processor and receiver processes.
- Check the database disk usage on the Service > Traffic Analysis and Audit > Database Space page. If the disk usage has exceeded the usage threshold of the database disk, expand the disk capacity or delete useless data.
- If the problem persists, contact HPE Support.

No NetFlow data on NTA

To resolve the problem:
- Verify that the device uses the same interface index as used in a NetFlow packet. If the interface indexes are different, configure the interface index:

   a. Click the Service tab.
   b. From the navigation tree, select Traffic Analysis and Audit > Settings. The Settings page opens.
   c. In the Guide to Quick Traffic Analysis and Audit Management area, click Traffic Analysis Task Management. The Task Management page opens.
   d. On the Traffic Analysis Task List, click Add. The Select Task Type page opens.
   e. Select Interface and click Next. The Add Traffic Analysis Task page opens.
   f. Configure the basic task information, and then click Select in the Interface Information area.
   g. On the Add Interface page, click the Configure Manually tab.
   h. Configure the interface index and click OK.
- If the problem persists, contact HPE Support.

No audit results on UBA

To resolve the problem:
- Check the intranet information on the Server Configuration page. If the IP address of the host that UBA monitors does not belong to the intranet network, the IP address will not be monitored. To add the monitored IP address:
   a. In the Intranet Monitor Information area, enter the IP address of the monitored host as intranet information.
   b. Click Add, as shown in Figure 3. The IP address is displayed in the Intranet Information area.
   c. Click Deploy.
- Log in to the IMC database and check whether the tbl_flow_yymmddhh table exists.
   - If the table exists, make sure the time setting and time zone of the device are consistent with the setting on the NTA/UBA server.
   - If the table does not exist, the NTA/UBA server cannot receive NetFlow data. For more information about resolving the problem, see "No NetFlow data on the NTA/UBA server."
- If the problem persists, contact HPE Support.

Related documentation

HPE IMC Traffic Analysis and Audit Help
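Added example (not part of the HPE document and not IMC code): a small NetFlow v9 decoder in Python for checking, on a test collector, what a switch configured with flow record pw1 and exporter pw2 actually sends when working through the "No NetFlow data" cases above. Field-type numbers follow RFC 3954; the field order, template ID 256 and the addresses in the constructed sample datagram are assumptions, and the function names are hypothetical.

```python
import ipaddress
import struct

# RFC 3954 field-type numbers for the fields named in flow record pw1.
FIELDS = {8: "src", 12: "dst", 4: "proto", 5: "tos", 7: "sport", 11: "dport",
          6: "tcp_flags", 1: "bytes", 2: "packets", 22: "first", 21: "last"}

def parse_v9(datagram, templates):
    """Decode one NetFlow v9 datagram; templates caches (source_id, id) -> fields."""
    if len(datagram) < 20 or datagram[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    source_id = struct.unpack_from("!I", datagram, 16)[0]
    flows, pos = [], 20
    while pos + 4 <= len(datagram):
        set_id, set_len = struct.unpack_from("!HH", datagram, pos)
        if set_len < 4 or pos + set_len > len(datagram):
            raise ValueError("flowset length runs past the datagram")
        body = datagram[pos + 4:pos + set_len]
        pos += set_len
        if set_id == 0:  # template flowset: learn the record layout
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, off)
                if tid < 256 or off + 4 + 4 * nfields > len(body):
                    break  # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, off + 4 + 4 * i) for i in range(nfields)]
                off += 4 + 4 * nfields
            continue
        spec = templates.get((source_id, set_id))
        if set_id < 256 or not spec:
            continue  # options data, or flow data seen before its template
        rec_len, off = sum(flen for _, flen in spec), 0
        while rec_len and off + rec_len <= len(body):
            flow = {}
            for ftype, flen in spec:
                raw, off = body[off:off + flen], off + flen
                name = FIELDS.get(ftype)
                if name in ("src", "dst") and flen == 4:
                    flow[name] = str(ipaddress.IPv4Address(raw))
                elif name:
                    flow[name] = int.from_bytes(raw, "big")
            flows.append(flow)
    return flows

def sample_datagram():
    """Constructed test input: template 256 for pw1's fields plus one flow record."""
    spec = [(8, 4), (12, 4), (4, 1), (5, 1), (7, 2), (11, 2), (6, 1), (1, 8), (2, 8), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *f) for f in spec)
    rec = (ipaddress.IPv4Address("172.16.0.10").packed + ipaddress.IPv4Address("192.168.1.50").packed
           + struct.pack("!BBHHBQQII", 6, 0, 51514, 443, 0x1B, 4200, 12, 1000, 5000))
    rec += b"\x00" * (-len(rec) % 4)  # flowsets are padded to a 32-bit boundary
    sets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 2, 60000, 1700000000, 1, 0) + sets
```

To use it against a live export, pass each payload received on a UDP socket bound to port 9020 on a test host to parse_v9 with one shared templates dictionary. Data flowsets that arrive before their template decode to an empty list until the template has been seen.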