NetScreen-Global PRO Report Manager User'

NETSCREEN-GLOBAL PRO EXPRESS
REALTIME MONITOR USER’S GUIDE
Version 4.0
P/N 093-0224-000
Rev.B
Copyright Notice
Copyright © 1998-2002 NetScreen Technologies, Inc. All rights
reserved.
NetScreen, NetScreen Technologies, and the NetScreen logo are
registered trademarks of NetScreen Technologies, Inc. and
NetScreen-5, NetScreen-5XP, NetScreen-10, NetScreen-25,
NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208,
NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express,
NetScreen-Remote, GigaScreen, and NetScreen ScreenOS are
trademarks of NetScreen Technologies, Inc. All other trademarks
and registered trademarks are the property of their respective
companies.
Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose,
without receiving written permission from NetScreen
Technologies, Inc.
NetScreen Technologies, Inc.
350 Oakmead Parkway
Sunnyvale, CA 94085 U.S.A.
www.netscreen.com
FCC Statement
The following information is for FCC compliance of Class A
devices: This equipment has been tested and found to comply with
the limits for a Class A digital device, pursuant to part 15 of the
FCC rules. These limits are designed to provide reasonable
protection against harmful interference when the equipment is
operated in a commercial environment. The equipment generates,
uses, and can radiate radio-frequency energy and, if not installed
and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful
interference, in which case users will be required to correct the
interference at their own expense.
The following information is for FCC compliance of Class B
devices: The equipment described in this manual generates and
may radiate radio-frequency energy. If it is not installed in
accordance with NetScreen’s installation instructions, it may cause
interference with radio and television reception. This equipment
has been tested and found to comply with the limits for a Class B
digital device in accordance with the specifications in part 15 of
the FCC rules. These specifications are designed to provide
reasonable protection against such interference in a residential
installation. However, there is no guarantee that interference will
not occur in a particular installation.
If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the
equipment off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the
user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR
THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE
INFORMATION PACKET THAT SHIPPED WITH THE
PRODUCT AND ARE INCORPORATED HEREIN BY THIS
REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT
YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
Table of Contents
Audience
New Features
Other Related Software Documents
Publication Record
Conventions
Contacting Technical Support
Chapter 1 Introduction to Realtime Monitor
Realtime Monitor Overview
Realtime Monitor Console
Monitor Console
Benefits of Using Realtime Monitor
Real-Time Monitoring of Your Security Infrastructure
Tracking Device Status
Tracking VPN Status
Tracking High Availability (HA) Status
E-mail Notification of Alerts
Reliable Data Transfer Using TCP/IP
Role-Based Administration
Device Troubleshooting
New Features in Realtime Monitor 4.0
Support for ScreenOS 4.0
Zone-based Monitoring
Real-time Monitoring of Active Sessions
VPN Monitoring Enhancements
How Realtime Monitor Works
NetScreen Devices
Realtime Monitor Server
Data Collector
Realtime Monitor Data
Master Controller
Realtime Monitor User Interface
Realtime Monitor Communications
Securing Communications
Next Steps
Chapter 2 Installing Realtime Monitor
Hardware and Software Requirements
Hardware Requirements
Software Requirements
Installation Process
Installing the NetScreen-Global PRO Express Server
Configuring the Express Server
Installing the NetScreen-Global PRO Express Client
Troubleshooting the Upgrade
Testing the Realtime Monitor Console
Starting the Realtime Monitor Console
Configuring Realtime Monitor For the First Time
Adding Devices
Checking Your System Health
Uninstalling Realtime Monitor
Chapter 3 Getting Started
Logging In To Realtime Monitor For the First Time
Default Realtime Monitor User
Default User Privileges
Adding a User
Logging In as a Different User
Using the Monitor Console For the First Time
Refreshing the Display
Getting Help
Checking What Realtime Monitor Version You Are Running
Exiting the Realtime Monitor Console
Chapter 4 Configuring Realtime Monitor
Realtime Monitor Configuration Overview
Using the Realtime Monitor Console
About the Realtime Monitor Console
Control Pane
List Pane
Sorting Names in the List Pane
Details Pane
Adding and Configuring Groups
Privileges
Device Read/Write Privileges
Administrative Privileges
Assigning Group Privileges
Adding a Group
Assigning a Group to a Device
Assigning a Group to a Virtual System
Assigning a Group to a Device Group
Configuring Administrative Privileges
Assigning a User to a Group
Removing a User from a Group
Adding and Configuring Users
Adding a User
Configuring User Contact Information
Modifying User Privileges
Deleting a User
Adding and Configuring Devices
Importing Devices
Configuring Mapped IP Addresses
Importing a device list
Importing Device Information from a Text File
Adding a Device
Configuring Devices
Configuring Polling Attributes
Configuring the Device to Send Specific Information
Realtime Monitor Configuration Priority
Deleting a Device
Exporting a Device List
Viewing All Devices
Adding and Configuring Device Groups
Example Describing How to Group Devices
Adding a Device Group
Assigning a Device or Virtual System to a Device Group
Removing a Device or Virtual System from a Device Group
Deleting Device Groups
Configuring Server Properties
Mapped IP Address
Polling Intervals
E-mail Alerts
Chapter 5 Monitoring Real Time Information
Using the Monitor Console
About the Monitor Console Panes
Device Status Summary
Event Summary
Display Filter pane
Monitor pane
Customizing the Monitor Console Interface
Adding or Removing Columns
Adjusting Console or Column Borders
Moving the Toolbar
Hiding Toolbar Names
Sorting All Columns
Sorting Individual Columns
Searching for Specific Information
Monitoring Device Status
Sorting Devices by Status
Configuring Visual and Audible Event Alerts
Acknowledging an Event Alert
Monitoring Additional Device Details
Monitoring Device Status
Monitoring Event Summaries
Customizing Event Summary Information
Configuring Severity Levels
Realtime Monitor will display a dialog prompting you to restart your Monitor Console for your changes to take effect. Click Yes to proceed
Adjusting Severity Level Colors
Setting the Total Number of Event Summary Views
Adjusting the Time That Events Are Displayed In
Managing Event Summaries
Using the Monitor Filter
Default Event Summary View
Stopping and Starting the Monitor Filter
Creating Display Filters
Configuring Display Filter Conditions
Applying the Display Filter
Managing Display Filters
Renaming Display Filters
Deleting Display Filters
Monitoring Event Information
Sorting Events by Count
Event-specific Information
Adding Event Information Notes
Exporting Event Logs
Using Quick Filters
Creating a Quick Filter
Configuring a Quick Filter
Monitoring Individual Device Statistics
Viewing the Device Summary
Device-Specific Views
Managing Multiple Device Views
Tiling Multiple Views
Cascading Multiple Views
Viewing Device Traffic Distribution
Viewing Traffic Distribution by Policy
Adjusting Data Depicted Graphically
Viewing Traffic Distribution by Protocol
Adjusting Data Depicted Graphically
Viewing Traffic Distribution by VPN (if applicable)
Adjusting VPN Tunnels Depicted Graphically
Adjusting Data Depicted Graphically
Viewing VPN-specific Information
Viewing Active VPN Information
Viewing Traffic Logs
Viewing Interface Statistics
Viewing Ethernet Statistics
Viewing Flow Statistics
Viewing Attack Statistics
Viewing Zone Statistics
Viewing System Statistics
Viewing Resource Statistics (if applicable)
Viewing Active Statistics
Viewing Self Logs
Viewing System Alerts
Troubleshooting
Viewing Active Sessions
Using the Session Filter
Configuring the Session Filter
Configuring a Session Display Filter
Viewing High Availability (HA) Statistics (if applicable)
Monitoring VPN Status
Viewing the VPN Status Summary
About VPN Tunnels
Controlling VPN Information
Configuring a VPN Display Filter
Viewing Active VPN Details
Viewing Device-Specific VPN Information
Viewing VPN Events
Monitoring NSRP Statistics
About Clusters
Viewing NSRP Summary Information
Viewing NSRP Details
Viewing VSD/RTO Information
Viewing VSD/RTO-specific Details
Viewing VSD/RTO Configuration Details
Viewing VSD Counter Details
Viewing RTO Counter Details
Viewing VSD/RTO Events
Chapter 6 Performance Tuning
Disabling Information Sent From the Device
Performance Tuning the Monitor Console
Configuring the Monitor Filter
Applying the Monitor Filter
Limiting Table Sorting
Limiting the Amount of Traffic/Self Logs
Increasing the Device Statistics Polling Interval
Decreasing the Event Viewer Cache Size
Chapter 7 Troubleshooting
Troubleshooting Realtime Monitor
Using the System Health Console
Using Device Debug Information
Checking System Health
Maintaining The System
Server Management Scripts
Resetting the System Password
Changing the Authentication ID
Troubleshooting the Device
Issuing Commands To a Device
Chapter 8 Upgrading Realtime Monitor
Upgrading from 3.x to 4.0
Migration Path
Upgrade Process
Backing Up Your Previous Installation
Backing Up the Console
Upgrading the Appliance
Upgrading the Client
Troubleshooting the Upgrade
Glossary
Index
Preface
This guide describes how to install, configure, and use NetScreen-Global PRO Express Realtime Monitor.
AUDIENCE
The NetScreen-Global PRO Express Realtime Monitor User’s Guide™ is intended
primarily for network and security administrators responsible for installing, configuring,
and using Realtime Monitor.
NEW FEATURES
Realtime Monitor version 4.0 includes the following new features:
• Zone-based Monitoring
• Real-time Monitoring of Active Sessions
• VPN Monitoring Enhancements
• Support for ScreenOS 4.0
OTHER RELATED SOFTWARE DOCUMENTS
To obtain technical documentation for any NetScreen product, visit
www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current
Manuals section. To access archived documentation from previous releases, see the
Archived Manuals section.
To obtain the latest technical information on a NetScreen product release, see the release
notes for that release. To obtain release notes, visit www.netscreen.com/support and
select Software Download. Select the product and version, then click Go. To perform
this download, you must be a registered user.
If you find any errors or omissions in the following content, please contact us at the
following e-mail address: techpubs@netscreen.com
PUBLICATION RECORD
NetScreen-Global PRO Express Realtime Monitor software version: 4.0
Document date: Wednesday, December 11, 2002.
Specifications and information in this document are subject to change.
CONVENTIONS
The following notation conventions are used throughout this guide:
• All command lines appear in courier font.
• Anything inside < > is a variable.
• IP addresses are represented by <a.b.c.d> and <w.x.y.z>.
• A subnet mask is represented by <A.B.C.D>.
CONTACTING TECHNICAL SUPPORT
Technical support is available to registered users of NetScreen-Global PRO Express.
• Web site: http://support.netscreen.com
• E-mail: support@netscreen.com
• Fax: 1 (408) 730-6100
• Voice: 1-800-638-8296
When contacting NetScreen Technologies, Inc. for technical support, please provide us
with the following information:
• Your Service Level Agreement ID number.
• Your name, company, and telephone number.
• Your fax number and an e-mail address.
• Equipment type and serial number.
• Detailed description of the problem or conditions of failure.
The Technical Assistance Center (TAC) is staffed with highly trained Customer Service
Engineers ready to provide technical troubleshooting assistance for our integrated
Internet security appliances and software products. NetScreen's preferred partners and
authorized partners support the entire product line and should be your first point of
contact for addressing technical product information.
International customers are supported by NetScreen's in-country partners.
Customers without telephone support contracts can purchase support by the hour on a
major credit card over the phone from 6am to 6pm PT (Pacific Time) weekdays. To
purchase, please specify part number NS-CS5-001.
Technical Support Availability
Standard Hours: 6:00am to 6:00pm PT (Pacific Time) Monday through Friday.
Premium Hours: 24 hours per day, seven days a week.
Chapter 1
Introduction to Realtime Monitor
Welcome to NetScreen-Global PRO Express Realtime Monitor, the security monitoring
tool for NetScreen devices. Use Realtime Monitor to proactively monitor key details about
your NetScreen security system including the up/down status of your NetScreen devices,
security-related events, protocol and policy usage trends, and performance baselines.
From the Realtime Monitor, you can also view and monitor device polling and protocol
distribution statistics, events, and VPN and NSRP status.
This chapter provides an introduction to the many benefits and features available in the
4.0 release of Realtime Monitor. It also includes an overview of the architecture and
concepts allowing you to better understand how the Realtime Monitor works.
Its main sections include:
• Realtime Monitor Overview
• Benefits of Using Realtime Monitor
• New Features in Realtime Monitor 4.0
• How Realtime Monitor Works
• Next Steps
REALTIME MONITOR OVERVIEW
Realtime Monitor is the monitoring software component for NetScreen-Global PRO
Express. You can use Realtime Monitor to proactively monitor key details about your
NetScreen security system including the up/down status of your NetScreen devices,
security-related events, protocol and policy usage trends, and performance baselines.
There are two main user interfaces that you will use in Realtime Monitor:
• Realtime Monitor Console
• Monitor Console
Realtime Monitor Console
The Realtime Monitor Console is the main interface that you will use to add, configure
and administer your groups, users, devices and device groups in the Realtime Monitor
system.
Monitor Console
The Monitor Console is the main interface that you will use to monitor the up/down status
of your NetScreen devices in real-time. You can also use the Monitor Console to monitor
the following in real-time:
• VPN
• NSRP Status
• Events
• Device Statistics such as policy status, protocol status, etc.
BENEFITS OF USING REALTIME MONITOR
Realtime Monitor provides the following key benefits:
• Real-Time Monitoring of Your Security Infrastructure
• E-mail Notification of Alerts
• Reliable Data Transfer Using TCP/IP
• Role-Based Administration
• Device Troubleshooting
Real-Time Monitoring of Your Security Infrastructure
Realtime Monitor allows you to monitor all aspects of your NetScreen security
deployment in real-time.
Tracking Device Status
Through the Monitor Console you can view the up/down status of all your NetScreen
devices at-a-glance. Realtime Monitor also allows you to configure individual display
filters allowing you to view a graphical summary of events as they occur on your devices.
From the graphical view, you can access more detailed information describing those
events. You can also access additional information describing the distribution of network
traffic on each device by policy and protocol, event logs, alarms, and system alerts.
Tracking VPN Status
If you are implementing virtual private networks, you can use the VPN Monitor to view
the up/down status of your VPN tunnels at-a-glance. You can also view security
associations (SAs) related to each VPN tunnel, and other statistics.
Tracking High Availability (HA) Status
If you are implementing NetScreen Redundancy Protocol (NSRP) for the purpose of
deploying clusters in your NetScreen security system, you can use the NSRP Monitor to
get an at-a-glance status of your NetScreen systems that are in “clusters.” From this view,
you can track information related to virtual security devices (VSDs) and run-time objects
(RTOs) that have been attached to each cluster.
E-mail Notification of Alerts
Realtime Monitor alerts you to critical events as they occur on your network security
system. You can also configure Realtime Monitor to send you an e-mail notification when
alerts occur.
Reliable Data Transfer Using TCP/IP
Realtime Monitor uses a TCP/IP based protocol called NetScreen Server Protocol (NSP) to
ensure reliable data transfer to and from each system component.
Role-Based Administration
Use Realtime Monitor’s advanced configuration management tools to assign privileges to
your users and administrators according to their specific roles.
Device Troubleshooting
Realtime Monitor allows you to communicate using Telnet or a Secure Command Shell to
query the status of a device. You can use this capability to issue a “get” Telnet
command to a NetScreen device or a NetScreen CLI command to the SCS (Secure
Command Shell) on the device to troubleshoot problems.
NEW FEATURES IN REALTIME MONITOR 4.0
Realtime Monitor 4.0 provides the following new features:
• Support for ScreenOS 4.0
• Zone-based Monitoring
• Real-time Monitoring of Active Sessions
• VPN Monitoring Enhancements
Support for ScreenOS 4.0
Realtime Monitor 4.0 supports NetScreen devices running the latest version of ScreenOS
4.0.
Zone-based Monitoring
You can view all interface-related statistics (i.e., Policy Summary, Protocol Summary,
Ethernet Statistics, Flow Statistics, and Interface Attacks) based on zone information.
Real-time Monitoring of Active Sessions
There is now an additional view called “Active Sessions” in the Monitor Console Active
Statistics View. You can use the Active Sessions view to monitor currently active sessions
on a device at the virtual system level.
VPN Monitoring Enhancements
The VPN Monitor now allows you to select and view VPN information and statistics
according to VPN tunnel. Previous versions of Realtime Monitor only allowed you to view
VPN status according to device.
HOW REALTIME MONITOR WORKS
Realtime Monitor is built around a three-tier architecture that consists of the following:
• NetScreen Devices
• Realtime Monitor Server
• Realtime Monitor User Interface
NetScreen Devices
NetScreen devices that you have implemented for firewall, VPN, and bandwidth
management services provide all the information that you can monitor using Realtime
Monitor.
Realtime Monitor Server
The Realtime Monitor server is primarily responsible for collecting and storing all the
data that is provided by each NetScreen device. There are several components in the
Server tier that make this possible:
• Data Collector
• Master Controller
Data Collector
A Data Collector (DC) is a stand-alone server that collects performance and fault-related
statistics from each NetScreen device. The Data Collector polls each device periodically to
obtain device statistics, such as protocol distribution and policy statistics.
Realtime Monitor Data
The following table lists all the types of data that Realtime Monitor polls from the devices.
| Polled Data | Description |
|---|---|
| Protocol distribution table | Statistics collected on a per interface/vsys basis for bytes and packets distribution on a per protocol basis. |
| Policy distribution table | Statistics collected on a per policy basis for bytes, packets, and number of connections. |
| Ethernet statistics table | Statistics collected for each physical interface. |
| Flow statistics table | Statistics related to flow level counters on a per virtual interface basis. |
| Attack statistics table | Statistics collected for all the IDS counters on a per virtual interface basis. |
| VPN Monitoring statistics | VPN statistics for each tunnel that includes SA request, establishment and teardown times, bytes/packets info, availability, latency, users etc. |
| NSRP monitoring statistics | All statistics related to NSRP including VSD and RTO data. |
| Device resources statistics | Utilization, memory and session-related statistics for the device. |
| SA Monitor statistics | SA statistics and related information used in real-time monitoring. |
The Data Collector will also receive information that is pushed to it from each device
whenever such information becomes available. The following table lists all the types of
data that are pushed from the device to Realtime Monitor.
| Pushed Data | Description |
|---|---|
| Traffic logs | Traffic logs are generated when a session has terminated. |
| Traffic alarms | Traffic alarms are generated based on preset thresholds. |
| Attack alarms | Attack alarms are generated based on preset thresholds or configuration. |
| Event alarms | Event alarms are related to VPN tunnel events or device events such as fan failure, CPU utilization threshold crossed etc. |
| Configuration logs | Any configuration-related event generates a log. |
| Information logs | Information logs are related to VPN/IKE or other events that are informational. |
| Self logs | Logs of traffic that terminate at the device. |
| Device status | Indicates the up/down status of the device. |
In the case of traffic alarms, traffic logs and attack alarms, multiple messages are
multiplexed into one.
The Data Collector is responsible for sending this information to the Realtime Monitor
Console with real-time performance statistics and log data. It also forwards information
to the Master Controller for storage.
The Data Collector also performs the following additional functions:
• Message consolidation (de-duplication of repeated events and consolidating them)
• Role based administration
• E-mail event alerts and global message filtering
• Monitor filtering for consoles on specific events or severity levels
Master Controller
A Master Controller (MC) communicates with the Data Collector(s) and the Realtime
Monitor Console. It is primarily responsible for transferring information to and from the
Data Collector and Monitor Console.
Realtime Monitor User Interface
The Realtime Monitor user interface provides access to device data using various views.
The Realtime Monitor Console includes two interfaces:
• Realtime Monitor Console interface allowing you to configure and administer
  your NetScreen devices for Realtime Monitor, manage role-based
  administrators, and access information on the system’s health.
• Monitor Console interface allowing you to monitor the up/down status of your
  devices in real-time. You can also use the Monitor Console to monitor a
  graphical representation of event summaries.
You can access both the Realtime Monitor Console and the Monitor Console when you
launch the Realtime Monitor application.
Realtime Monitor Communications
The Realtime Monitor uses a TCP/IP-based communication layer called NetScreen Server
Protocol (NSP) to transfer data to and from each component.
Securing Communications
NSP is not an encrypted protocol. To secure the data transfer, it is highly recommended
that you run a VPN tunnel for each pair of connections.
[Figure: NetScreen Devices connect over NSP/IPSec to the Realtime Monitor Server (DC/MC/DB), which connects over NSP/IPSec to the Console (Realtime Monitor User Interface).]
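One way to verify that the recommendation above is actually in force, as an added example that is not part of the original guide: the script reads flow records taken at a point between two components and reports host pairs whose Realtime Monitor traffic is visible in the clear. The record format and addresses are constructed, and treating the RTM TCP ports from the guide's firewall step (15400/15403/15404) as the NSP ports is an assumption.

```python
"""Find Realtime Monitor (NSP) sessions that are not carried inside IPsec."""
from collections import defaultdict
from typing import NamedTuple

# RTM TCP ports listed in the guide's firewall step; assumed here to carry NSP.
NSP_TCP_PORTS = {15400, 15403, 15404}
IP_PROTO_TCP = 6
IP_PROTO_ESP = 50  # IPsec ESP; UDP-encapsulated ESP (NAT-T) is not handled


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int  # IP protocol number
    dport: int  # destination port of the session initiator, 0 if none


# Constructed sample records (documentation address ranges), one flow per line:
# source, destination, IP protocol, destination port.
SAMPLE_FLOWS = """
192.0.2.10    192.0.2.50   6   15400   # device to server, NSP in the clear
198.51.100.7  192.0.2.50   50  0       # console to server, ESP
198.51.100.7  192.0.2.50   17  500     # IKE negotiation, ignored by the audit
203.0.113.9   192.0.2.50   50  0       # a tunnel exists for this pair...
203.0.113.9   192.0.2.50   6   15403   # ...but NSP is also seen outside it
192.0.2.50    192.0.2.10   6   15404   # server to device, NSP in the clear
"""


def parse_flows(text):
    """Parse whitespace-separated flow records, ignoring '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, int(proto), int(dport)))
    return flows


def audit(flows):
    """Classify each host pair by what was observed on the wire between them."""
    seen = defaultdict(set)
    for f in flows:
        pair = tuple(sorted((f.src, f.dst)))  # direction-independent key
        if f.proto == IP_PROTO_TCP and f.dport in NSP_TCP_PORTS:
            seen[pair].add("nsp")
        elif f.proto == IP_PROTO_ESP:
            seen[pair].add("esp")
    result = {}
    for pair, kinds in seen.items():
        if kinds == {"esp"}:
            result[pair] = "ipsec-only"           # nothing readable on the wire
        elif kinds == {"nsp"}:
            result[pair] = "cleartext-nsp"        # no tunnel at all
        else:
            result[pair] = "nsp-bypasses-tunnel"  # tunnel up, NSP not routed into it
    return result


if __name__ == "__main__":
    for pair, status in sorted(audit(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{pair[0]} <-> {pair[1]}: {status}")
```

A pair reported as nsp-bypasses-tunnel usually points at a routing or policy gap rather than a missing tunnel, so check which policy the NSP session matched.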
NEXT STEPS
Now that you have reviewed how the Realtime Monitor works, you are ready to install,
configure and use Realtime Monitor.
| For more information on... | Refer to... |
|---|---|
| Installing Realtime Monitor | Chapter 2 |
| Getting Started Using Realtime Monitor | Chapter 3 |
| Configuring Realtime Monitor | Chapter 4 |
| Monitoring real-time information | Chapter 5 |
| Tuning Realtime Monitor | Chapter 6 |
| Troubleshooting | Chapter 7 |
| Upgrading from Realtime Monitor 3.x to 4.0 | Chapter 8 |
Chapter 2
Installing Realtime Monitor
This chapter describes how to install and set up an initial working Realtime Monitor
system. This process includes installing and configuring the NetScreen-Global PRO
Express server and client. You must then configure your devices and users in the
Realtime Monitor system.
After successful installation, you will be able to get real-time monitoring information for
the devices that you have configured.
This chapter includes the following sections:
• Hardware and Software Requirements
• Installation Process
• Installing the NetScreen-Global PRO Express Server
• Installing the NetScreen-Global PRO Express Client
• Configuring Realtime Monitor For the First Time
• Uninstalling Realtime Monitor
HARDWARE AND SOFTWARE REQUIREMENTS
Use the following hardware and software requirements to identify the computer on which
you plan to install Realtime Monitor. Before you begin the process of installing the
Realtime Monitor, you must verify that each computer meets minimum system
requirements.
Hardware Requirements
The following minimum hardware requirements must be met to install Realtime Monitor.
| Component | Hardware Requirements |
|---|---|
| Realtime Monitor Console | IBM-compatible PC; 256 MB RAM |
Software Requirements
The following minimum software requirements must be met to install Realtime Monitor.
| Component | Software Requirements |
|---|---|
| Realtime Monitor Console | Microsoft Windows 2000 with Service Pack 1 or Microsoft Windows NT 4.0 Workstation or Server with Service Pack 6a |
| NetScreen device | NetScreen-OS 2.6.0 or higher; NetScreen-OS 4.0 (recommended) |
INSTALLATION PROCESS
The process of installing Realtime Monitor includes the following steps. For typical
installations, you can expect to complete each step in the amount of time suggested. These
times, however, may vary for each installation:
| Step | Description | Expected time to complete |
|---|---|---|
| 1 | Install and configure the NetScreen-Global PRO Express server. | 20 min. |
| 2 | Install the Realtime Monitor Console software. Start the Realtime Monitor Console. | 5 min. |
| 3 | Add and configure your devices in the Realtime Monitor system. | Will vary depending on the number of devices you have. |
The NetScreen-Global PRO Express server is pre-configured and requires minimal
installation. The server must be installed before you can download and install the
Realtime Monitor Console.
INSTALLING THE NETSCREEN-GLOBAL PRO EXPRESS SERVER
The NetScreen-Global PRO Express server is pre-configured and requires minimal
installation.
Configuring the Express Server
1. Place the server in the rack and connect the following:
   • Power cord
   • Network cable in the Net 0 port
   • Serial cable in the A LOM port
2. Open your terminal emulation software (for example, HyperTerminal). Set the Port
   Setting to 9600 bps and leave the other fields set to the defaults. Press <Enter>, if
   necessary, to receive a command prompt.
3. Turn on the server. Server startup details will scroll down the screen.
4. Enter the root UserName and Password at the netscreen.global.provisioner
   console login. For example, you would enter:
   • name: root
   • password: netscreen
   Change the console root password by entering the passwd command at the
   prompt. When instructed, enter the new password, and confirm.
   Note: It is recommended that the server be connected to an Uninterruptible Power
   Supply (UPS) in case of power failure.
5. Change the server IP address and update the database by running netsetup and
   specifying the new IP address, netmask, and gateway. For example, you would
   enter the following:
   netsetup "cn=Directory Manager" netscreen <IP address> <netmask> <gateway>
   netsetup is located in /usr/netscreen/policymg/bin.
   Note: Do not use IFCONFIG to change the IP address. It will not update all the
   necessary components.
6. Set the Customer Authentication ID. You can create any Customer
   Authentication ID you like, but you must consistently use the same Customer
   Authentication ID for all components. Run setauthid. Enter the following
   command, supplying the relevant information:
   setauthid <Customer Authentication ID>
   setauthid is located in /usr/netscreen/RealtimeMt/startup.
7. Change the Directory Manager password by running rdnpasswd. Enter the following
   command, supplying the relevant information:
   rdnpasswd "cn=Directory Manager" netscreen <New Password>
   rdnpasswd is located in /usr/netscreen/policymg/startup.
8. At the prompt, turn off the server using the toggle switch located on the back.
9. Once the fan has stopped, the front panel light is off, and the lom> prompt appears on the
   screen, it is safe to restart the server.
10. If you are accessing Policy Manager and/or Realtime Monitor through a firewall,
    it is necessary to open the following ports to the appliance on the firewall:
    – RTM: TCP 15400/15404/15403
    – PM: TCP 1099/11111/80
    – UDP 69
11. Using your web browser, navigate to your server IP address. This starts the
    console installation process.
Note: Do not hold the toggle switch down for more than seven seconds. Holding
the switch down enables debugging mode, which shuts down the server
improperly.
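A least-privilege check for the firewall step above, as an added example that is not part of the original guide: it audits a constructed rule list against the ports the guide names and reports what is missing, what is open to sources wider than the console subnet, and what is open beyond the guide's list. The rule tuple format, the console subnet 10.20.0.0/24, and limiting sources to console hosts are assumptions; 10.150.150.42 is the example server address the guide uses in the client installation.

```python
"""Audit firewall rules that expose the NetScreen-Global PRO Express appliance."""
from ipaddress import ip_network

# (protocol, port) pairs from the guide's firewall step.
REQUIRED = {
    "RTM": {("tcp", 15400), ("tcp", 15403), ("tcp", 15404)},
    "PM": {("tcp", 1099), ("tcp", 11111), ("tcp", 80)},
    "unlabelled": {("udp", 69)},
}
ALL_REQUIRED = set().union(*REQUIRED.values())

APPLIANCE = "10.150.150.42"  # example server address from the guide
ADMIN_NET = "10.20.0.0/24"   # hypothetical subnet holding the console hosts

# Constructed sample rules: (action, source network, destination, protocol, port).
RULES = [
    ("permit", "10.20.0.0/24", APPLIANCE, "tcp", 15400),
    ("permit", "10.20.0.0/24", APPLIANCE, "tcp", 15403),
    ("permit", "10.20.0.0/24", APPLIANCE, "tcp", 15404),
    ("permit", "10.20.0.0/24", APPLIANCE, "tcp", 1099),
    ("permit", "10.20.0.0/24", APPLIANCE, "tcp", 80),
    ("permit", "0.0.0.0/0", APPLIANCE, "udp", 69),    # source far too wide
    ("permit", "10.20.0.0/24", APPLIANCE, "tcp", 23),  # not in the guide's list
]


def audit_rules(rules, appliance, admin_net):
    """Compare permit rules toward the appliance with the guide's port list.

    Returns a dict with:
      missing  - required services the console subnet cannot reach
      too_wide - required services permitted from outside the console subnet
      extra    - services permitted to the appliance that the guide does not list
    """
    admin = ip_network(admin_net)
    covered, too_wide, extra = set(), [], []
    for action, src, dst, proto, port in rules:
        if action != "permit" or dst != appliance:
            continue
        src_net = ip_network(src)
        service = (proto, port)
        if service not in ALL_REQUIRED:
            extra.append((src, proto, port))
            continue
        if src_net.supernet_of(admin):
            covered.add(service)  # every console host can reach it
        if not src_net.subnet_of(admin):
            too_wide.append((src, proto, port))
    return {
        "missing": sorted(ALL_REQUIRED - covered),
        "too_wide": too_wide,
        "extra": extra,
    }


if __name__ == "__main__":
    for finding, items in audit_rules(RULES, APPLIANCE, ADMIN_NET).items():
        print(finding, items)
```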
INSTALLING THE NETSCREEN-GLOBAL PRO EXPRESS CLIENT
1. Open a web browser and enter the IP address of the computer where you have
   installed NetScreen-Global PRO Express. For example, if the IP address of the
   Express box is 10.150.150.42, you would enter the following in your browser
   Address bar:
   http://10.150.150.42
   The NetScreen-Global PRO Express installation page appears.
2. Click “Yes” on the two security warning screens.
3. Click either “Download Installer for Windows” or “Download Realtime Monitor”
   to start loading the NetScreen-Global PRO Express client.
4. The licensing agreement screen appears. Please scroll through and read before
   continuing.
5. An Important information screen appears regarding installation components
   and requirements.
6. Select the Installation or upgrade folder and click Install. The default location
   is: C:\Program Files\NetScreen\Realtime Monitor
   A number of splash screens appear as NetScreen-Global PRO Express installs
   the components on your system. You can monitor the progress via the task bar
   at the bottom of the screen.
7. Enter the Master Controller IP address and Authentication ID as instructed.
   Note: The initial Authentication ID selection is arbitrary but must be consistent
   for all components of the suite. This should be a unique password, containing
   both letters and characters. This becomes encrypted and permanent.
8. Click Next.
The Realtime Monitor icon appears on the desktop when installation completes. The new
default directory path is: \Program Files\NetScreen\Realtime Monitor.
Troubleshooting the Upgrade
A common error that is made during the installation process is entering an incorrect IP
Address for the Master Controller or data collector. If you have done this, remember that
you cannot update your configuration parameters using IFCONFIG. To change the IP
Address, you must first stop the data collector and/or Master Controller, then use the
netsetup command. Refer to Configuring the Express Server for more information on
using netsetup.
Testing the Realtime Monitor Console
Before verifying that the Realtime Monitor Console is operating properly, it is
recommended that you send a ping to the NetScreen appliance running the Master
Controller to see if you can connect to it.
Starting the Realtime Monitor Console
1. After starting the Master Controller, you can start the Realtime Monitor
   Console by double-clicking on the Realtime Monitor application icon. The
   Realtime Monitor Console Login window will appear prompting you to enter
   your User Name and Password and the IP address of the host server running the
   Master Controller.
2. Enter your User Name and Password, and specify the IP Address of the
   Master Controller to establish communication between the Monitor Console and
   the Master Controller.
   Note: If you are logging in for the first time, you will use the default User Name
   (“netscreen”) and Password (“netscreen”).
3. Check the Save User Name and IP Address checkbox to save these settings
   for the next time you log in. Realtime Monitor stores the profile settings for all
   users who log on to Realtime Monitor in a local configuration file.
4. Click on the Login button. If you are logging in for the first time, Realtime
   Monitor will display a window prompting you to change your password.
5. Change your password. Click OK to proceed. The Realtime Monitor application
   will launch.
When you launch Realtime Monitor for the first time, the first screen that you will see is
the Realtime Monitor Console.
CONFIGURING REALTIME MONITOR FOR THE FIRST TIME
Once you have installed Realtime Monitor, you will need to configure it to work properly
within your specific environment.
Adding Devices
You must add and configure each device in Realtime Monitor in order to receive and
monitor information from that device.
Note: You can expect the process of adding a device in Realtime Monitor to take
approximately 10 minutes.
1. Click on the Devices button in the Control pane.
2. Click on the Add icon that appears in the toolbar. Alternatively, you can
   right-click in the List pane, and select Add. You can also click on the Edit menu and
   select Add. A template allowing you to configure a new device appears in the
   Details pane.
3. From the Information tab, enter the Serial #, User Name, Password, and
   any applicable comments. You will need to provide the serial number and
   password for a device to allow Realtime Monitor to identify and authenticate the
   device.
   Note: You can obtain the serial number for a device on the bottom of the
   NetScreen device itself, on the NetScreen device packing slip, or from within Policy
   Manager. You can also issue a “Get Config” command from the command line
   interface (CLI).
4. Use the pull-down menu to specify a Contact Administrator (optional).
5. Click on the Save icon that appears in the toolbar to save your changes. The new
   device appears in the List pane. Or, you can click on the Undo icon to cancel your
   changes.
Repeat this process for each device in your system that you wish to monitor using
Realtime Monitor. Once you have added your devices, you can assign them to a group.
Grouping your devices will make it easier for you to manage all the devices in your
system. Refer to Adding and Configuring Device Groups in Chapter 4 for more
information.
Note: Once you have added a device to the Realtime Monitor system, the Monitor Console
will automatically launch every time you start the Realtime Monitor application.
Checking Your System Health
After adding your devices in the Realtime Monitor Console, it is recommended that you
check on the status of the Master Controller and Data Collector by viewing the System
Health window. Click on the System Health button in the Realtime Monitor Console
Control Pane to launch the System Health view.
UNINSTALLING REALTIME MONITOR
To remove the Realtime Monitor Console software, use the Uninstall Realtime Monitor
Console command from the Start menu. Alternatively, you can use the Add/Remove
Programs utility in your Windows Control Panel.
This removes all the software but leaves any data that you may have created.
Chapter 3
Getting Started
Once you have successfully installed Realtime Monitor, you can get started using
Realtime Monitor to monitor your devices.
This chapter describes how to get up and running with Realtime Monitor quickly.
Its main sections include:
• Logging In To Realtime Monitor For the First Time
• Using the Monitor Console For the First Time
LOGGING IN TO REALTIME MONITOR FOR THE FIRST TIME
To begin using Realtime Monitor, you will first need to start the application and log in
using a valid User Name and Password. Refer to Starting the Realtime Monitor Console
in Chapter 2 for more information on starting and logging into Realtime Monitor.
Default Realtime Monitor User
When you first log in to Realtime Monitor, you will do so using the User Name and
Password of the Realtime Monitor default user. Realtime Monitor includes one default
user and one default group. The default user is called “Netscreen”, and it is assigned to
the default group called “Admin”.
Default User Privileges
As the default user, you are granted special privileges to perform all administrative tasks
in Realtime Monitor by default. For security reasons, it is highly recommended that you
use the default user to create and configure your initial user account only. Once you have
created a user name and password for yourself, you should log out of Realtime Monitor
and log back in using your own user account.
Adding a User
Your first task as the initial Realtime Monitor user is to create a unique User Name and
Password for yourself in Realtime Monitor. You will use the Realtime Monitor Console to
create, configure and administer your users and devices in Realtime Monitor.
To add a user:
1. From the Realtime Monitor Console, click on the Users button in the Control
   pane. Realtime Monitor displays a list of all current users created in the system
   in the List pane.
2. Click on the Add icon that appears in the Realtime Monitor Console tool bar.
   Alternatively, you can right-click in the List pane and select Add. You can also
   click on the Edit menu and select Add. A template allowing you to configure
   details for a new user appears in the Details pane.
3. Enter a user name for the user.
4. Assign the user a password and re-enter it in the Confirmed Password field.
5. Enter any appropriate contact information.
6. Click on the Save icon in the Realtime Monitor Console toolbar to save your
   changes. The user now appears in the List pane. Or, click on the Undo icon to
   cancel your changes.
You can later configure additional properties for the user including specific
administrative access privileges and group assignments. Refer to Adding and Configuring
Users in Chapter 3 for more information.
Logging In as a Different User
Once you have created a unique User Name for yourself, you should log out of Realtime
Monitor as the default user and log back in using your own user name.
To log into Realtime Monitor as a different user:
1. Click on the Logout icon in the toolbar.
   Alternatively, you can use the File menu, and select Logout. Realtime Monitor will
   prompt you with a logout confirmation dialog to confirm that you want to log out.
2. Click Yes to confirm that you want to log out. The Realtime Monitor Login
   window will appear prompting you to enter a new User Name, Password, and
   Master Controller IP Address.
3. Enter the new User Name and Password, and specify the IP Address of the
   Master Controller to which you wish to establish a connection.
4. Click the Login button.
You are now ready to begin using Realtime Monitor to proactively monitor your
NetScreen devices.
USING THE MONITOR CONSOLE FOR THE FIRST TIME
Once you have added a device to the Realtime Monitor system, the Monitor Console will
automatically appear every time you start the Realtime Monitor application. Use the
Monitor Console to quickly monitor the up/down status of your NetScreen devices in
real-time. You can also use the Monitor Console to monitor Event Summary, a histogram view
of events according to severity levels for selected events/devices.
Event alert icons and color-coded bar graphs notify you of potential issues. From the
Monitor Console, you can also access other consoles for more detailed information on your
devices, the events that are occurring on them, your VPN, and NSRP.
Use the Device Status Summary to get an at-a-glance view of the up/down status of your
NetScreen devices.
Use the Event Summary to get an at-a-glance summary view of events by their severity
levels that are occurring on your NetScreen devices in real-time. Events are categorized
according to their assigned severity and displayed in color-coded bar graphs allowing you
to easily detect and identify event trends.
Refer to the section titled Using the Monitor Console in Chapter 5 for more information.
Refreshing the Display
Use the View menu and select Refresh to manually refresh the display. Alternatively,
you can click on the Refresh button that appears in the Realtime Monitor toolbar.
Getting Help
If you need help using the Realtime Monitor, use the Help menu and select Help Topics.
Alternatively, you can click on the help button that appears in the Realtime Monitor
toolbar. The Realtime Monitor online help will appear in a separate window. Click on
one of the topics in the table of contents or use the Index to find a specific answer to your
question.
For more context sensitive help, click on any of the help buttons that appear in the user
interface.
Click on the Help button to
access the Realtime Monitor online help.
Checking What Realtime Monitor Version You Are Running
Use the Help menu and select About Realtime Monitor Console to check what version
of Realtime Monitor you are running.
Exiting the Realtime Monitor Console
1. From the File menu, select Exit. Realtime Monitor will prompt you with an Exit
   confirmation dialog to confirm that you want to exit.
2. Click Yes to confirm that you want to exit.
Chapter 4
Configuring Realtime Monitor
Realtime Monitor provides you the flexibility to configure and manage the system to work
the way you want. Depending on your own specific business needs, you can add and delete
users and devices and organize them into groups. You will perform all of these
administrative tasks from the Realtime Monitor Console.
The Realtime Monitor Console provides you a central location where you can add,
configure and manage all the users and devices in your Realtime Monitor system. You can
also access a Tools menu that allows you to configure server properties. This chapter
provides information that describes the Realtime Monitor Console. It provides
step-by-step procedures and examples describing how you can use it to configure Realtime
Monitor.
This chapter includes the following sections:
• Realtime Monitor Configuration Overview
• Using the Realtime Monitor Console
• Adding and Configuring Groups
• Adding and Configuring Users
• Adding and Configuring Devices
• Adding and Configuring Device Groups
• Configuring Server Properties
REALTIME MONITOR CONFIGURATION OVERVIEW
You must add and configure all the objects in Realtime Monitor for them to work properly.
During installation, you needed to add your devices in Realtime Monitor in order to
establish communications with them.
You can configure your devices to send specific information to Realtime Monitor. You can
also adjust the intervals with which information is polled from the device. Refer to Adding
and Configuring Devices for more information on configuring your devices.
You will also need to add and configure your users in Realtime Monitor. Anyone that
wants to use Realtime Monitor must have a valid user name and password in the
Realtime Monitor system. It is recommended that you begin adding and configuring your
users in Realtime Monitor by first organizing them into logical groupings. You can group
your users in any number of ways depending on their department, job function or
administrator role.
[Figure: example user groups (Security NOC Manager, Security Admin, 1st Lvl Support,
Escalation) and their members (Jack, Bob, Simon, Nancy, Jerry, Sergei, Steve, Tan).]
You can also organize your devices into logical groupings called Device Groups in a
similar manner. You can group your devices in any number of ways (for example, by
region, customer relationship, service level, or security level).
[Figure: example device groups (Asia Device Group, Europe Device Group).]
You will use the Realtime Monitor Console to add and configure your users, devices and
device groups.
USING THE REALTIME MONITOR CONSOLE
The Realtime Monitor Console provides you with a central location from which you can
administer and manage all users, groups, devices and device groups in Realtime Monitor.
[Figure: the Realtime Monitor Console, with the following callouts.]
The Control pane allows you to create and modify groups, users, devices and device
groups in the Realtime Monitor system.
Click to access the System Health and Monitor Console.
The List pane displays all existing groups, users, devices and device groups.
The Details pane allows you to view and modify groups, users, devices and device groups.
About the Realtime Monitor Console
The Realtime Monitor Console has the following main components:
• Control Pane
• List Pane
• Details Pane
In addition, a status bar that appears at the bottom of the Realtime Monitor Console
displays the currently active user’s status.
Control Pane
Use the Control pane to access the configuration list and details panes allowing you to
configure groups, users, devices, and device groups.
List Pane
Use the List pane to select the appropriate groups, users, devices, and device groups you
want to configure.
Sorting Names in the List Pane
You can sort the names that appear in the List pane by clicking on the List pane header.
Details Pane
Use the Details pane to fill in configuration details for all objects (users, groups, devices,
and device groups) in the Realtime Monitor system.
ADDING AND CONFIGURING GROUPS
It is recommended that you begin adding and configuring your users in Realtime Monitor
by first organizing them into logical groupings. To do this, use the Realtime Monitor
Console to add user groups and then assign your users to them. Assigning your users to
groups will allow you to more easily view and manage privileges for users in Realtime
Monitor.
Privileges
Users are allowed to view and manage information in Realtime Monitor based on the
privileges that they either receive explicitly or inherit as a member of a group.
There are two types of privileges that you may assign to a group or user in Realtime
Monitor:
• Device Read/Write Privileges
• Administrative Privileges
Device Read/Write Privileges
You must assign a group or user to a specific device in order for that group or user to view
information from that device. You can assign read and/or write privileges on a device to a
group or user:
• Read privileges on a device allow a group or user to view logs/alarms and other
  tables for the device.
• Write privileges on a device allow a group or user to modify the Global PRO
  Express parameters on the device such as: protocol distribution polling interval,
  policy polling interval, enable/disable specific logs/alarms.
You can assign similar read/write privileges to a group or user in Realtime Monitor for
virtual systems and device groups that you have created.
Note: The Realtime Monitor Console does not allow the creation of a virtual system;
thus, Realtime Monitor users cannot alter the parameters for Global PRO Express for a
virtual system through the Realtime Monitor Console.
Administrative Privileges
Users who are responsible for performing administrative tasks will need additional
administrative privileges. The following table describes administrative privileges that you
can assign to a group or user:
Privilege - Allows a user to...
Administer Database - N/A for Express users.
Create User/Group - Add, delete or modify users and group profiles. Also allows association
   of users to groups (i.e., adding and deleting users to and from a group).
Assign Privilege - Assign privileges to users and groups in Realtime Monitor.
Add/Delete Device - Add or delete devices.
Assigning Group Privileges
Once you have added a group in Realtime Monitor, you can assign specific privileges to
that group. As you assign users to the group, those users will effectively inherit the
privileges assigned to the group. For example, let’s say you create a group called
Engineering and assign “Create User/Group” privileges to it; you later assign a user
named Jack to that group. Jack now effectively inherits the “Create User/Group”
privilege.
Users who are assigned to more than one group will inherit the collective privileges of all
the groups that they are assigned. For example, let’s say you assign “Create User/Group”
privileges to those users in the Engineering group; and you also assign “Assign Privilege”
privileges to those users in the Marketing group. If you assign Jack to both the
Engineering and Marketing groups, he inherits both Create User/Group and Assign
Privilege privileges.
[Figure: Jack belongs to both the Engineering group (Create User/Group) and the
Marketing group (Assign Privilege).]
Jack inherits the collective privileges of all the groups that he is assigned.
Adding a Group
Use the Realtime Monitor Console to add a group.
1. Click on the Groups button in the Control pane. Realtime Monitor displays a
   list of all current groups created in the system in the List pane.
2. Click on the Add button. Alternatively, you can right-click in the List pane and
   select Add. You can also click on the Edit menu and select Add. A template
   appears in the Details pane allowing you to configure a group.
3. Enter a name for the group in the Group name field. You can optionally enter a
   description of the group in the Description field.
4. Click on the Save icon in the Realtime Monitor Console toolbar to save your
   changes. The group now appears in the List pane. Or, click on the Undo icon to
   cancel your changes.
Assigning a Group to a Device
You must assign a group or user to a specific device in order for that group or user to view
information from that device.
1. Click on the Groups button in the Control pane.
2. Select the desired group from the List pane. The group’s profile appears in the
   Details pane.
3. Select the Devices tab in the Details pane. Realtime Monitor lists the available
   devices with the following device information: Device Name, Serial Number,
   Device Type, Device IP Address.
4. Select a device from the list of Available Devices, and then click Add. The device
   now appears in the list of Selected Devices.
5. Check in the Read checkbox to enable read privileges on the device. Check in
   the Write checkbox to enable write privileges on the device.
6. To remove a device, select it from the list of Selected Devices and click Remove.
   The device now appears in the list of Available Devices.
7. Click on the Save button in the Realtime Monitor Console tool bar to save your
   changes. Or, click the Undo button to cancel your changes.
Assigning a Group to a Virtual System
You must assign a group or user to a specific virtual system in order for that group or user
to view information from that virtual system.
1. Click on the Groups button in the Control pane.
2. Select the desired group from the List pane. The group’s profile appears in the
   Details pane.
3. Select the Virtual System tab in the Details pane. Realtime Monitor lists the
   available virtual systems with the following virtual system information: Device,
   Serial Number, Device Type, Device IP Address, Virtual System.
   Note: Virtual Systems are only available with the NetScreen-500, NetScreen-1000,
   and NetScreen 5000 series.
4. Select a virtual system from the list of Available Virtual Systems, and then click
   Add. The virtual system now appears in the list of Selected Virtual Systems.
5. Check in the Read checkbox to enable read privileges on the virtual system.
   Check in the Write checkbox to enable write privileges on the virtual system.
6. To remove a virtual system, select it from the list of Selected Virtual Systems
   and click Remove. The virtual system now appears in the list of Available
   Virtual Systems.
7. Click on the Save button in the Realtime Monitor Console tool bar to save your
   changes. Or, click the Undo button to cancel your changes.
Assigning a Group to a Device Group
Device Groups are logical groupings of devices allowing you to more easily manage and
configure multiple devices. You must assign a group or user to a specific device group in
order for that group or user to view information from that device group.
1. Click on the Groups button in the Control pane.
2. Select the desired group from the List pane. The group’s profile appears in the
   Details pane.
3. Select the Device Groups tab.
4. Select a device group from the list of Available Device Groups and click the Add
   button. The device group now appears in the list of Selected Device Groups.
   Note: The group’s privileges change when adding or removing Device Groups
   with differing privileges associated with them.
5. Check in the Read checkbox to enable read privileges on the device group.
   Check in the Write checkbox to enable write privileges on the device group.
6. To remove a Device Group from a group, select it from the list of Selected Device
   Groups and click Remove. The device group now appears in the list of Available
   Device Groups.
7. Click on the Save icon in the Realtime Monitor Console toolbar to save your
   changes. Or, click the Undo button to cancel your changes.
Configuring Administrative Privileges
1. Click on the Groups button in the Control pane.
2. Select the desired group from the List pane. The group’s profile appears in the
   Details pane.
3. Check the corresponding checkbox(es) to assign administrative privileges to the
   group.
4. Uncheck the corresponding checkbox(es) to deny administrative privileges to the
   group.
5. Click on the Save icon in the Realtime Monitor Console tool bar to save your
   changes. Or, click the Undo button to cancel your changes.
Assigning a User to a Group
Once you have created and configured your groups, you can assign users to them. You can
assign a user to as many groups as you want.
1. Click on the Groups button in the Control pane. Realtime Monitor displays a
   list of all current groups created in the system in the List pane.
2. Select the desired group from the List pane. The group’s profile appears in the
   Details pane.
3. Select the Users tab.
4. Select the desired user from the list of Available Users and click the Add button.
   The user now appears in the list of Selected Users.
   The user’s privileges change when adding or removing groups with differing
   privileges associated with them.
   Note: To select multiple users, use the [Shift] key (to select users appearing
   together), or [Ctrl] key (to select users that do not appear together).
5. Click on the Save button in the Realtime Monitor Console tool bar to save your
   changes. Or, click the Undo button to cancel your changes.
Removing a User from a Group
The process of removing a user from a group is similar to the procedure described for
assigning a user to a group. To remove a user from a group, use the Remove button in the
Users tab to remove the user from the list of Selected Users.
ADDING AND CONFIGURING USERS
Anyone that wants to use Realtime Monitor must have a valid user name and password in
the system.
Adding a User
Use the Realtime Monitor Console to add your users. Refer to Adding a User in Chapter 3
for more information on adding a user.
Configuring User Contact Information
Once you have added a user, you can provide additional contact information describing
the user. You can add the following contact information:
• First Name, Last Name
• Phone Number
• E-mail Address
• Street, City, State, Zip Code, Country
Modifying User Privileges
You can assign additional privileges to an individual user account. Individual user
privileges allow you to extend a specific user’s privileges beyond those privileges the user
inherits from its membership in a group.
To assign or modify user privileges:
1. Click on the Users button in the Control pane. Realtime Monitor displays a list
   of all current users created in the system in the List pane.
2. Select the desired user from the List pane. The user’s profile appears in the
   Details pane.
3. Check the checkbox corresponding to the privileges that you wish to assign to
   the user.
4. Uncheck the checkbox corresponding to the privileges that you wish to deny the
   user.
5. Click on the Save button in the Realtime Monitor Console tool bar to save your
   changes. Or, click the Undo button to cancel your changes.
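The group inheritance described under Assigning Group Privileges and the individual privileges described here combine into one effective set per user. The following sketch is an added example, not part of the guide or of Realtime Monitor: it resolves that set and records where each privilege comes from, which is the view needed for an access review. The names Profile, effective_privileges and holders are hypothetical, and the example assumes device read/write rights combine across groups the same way administrative privileges do.

```python
"""Added example: resolve a user's effective Realtime Monitor privileges."""
from dataclasses import dataclass, field

# Administrative privileges named in the table earlier in this chapter.
ADMIN_PRIVILEGES = frozenset({
    "Administer Database", "Create User/Group", "Assign Privilege", "Add/Delete Device",
})
RIGHTS = frozenset({"read", "write"})


@dataclass
class Profile:
    """Privileges ticked on one group or user profile (hypothetical model)."""
    name: str
    admin: set = field(default_factory=set)
    # device, virtual system or device group name -> {"read", "write"}
    targets: dict = field(default_factory=dict)
    groups: list = field(default_factory=list)  # group memberships (users only)


def effective_privileges(user, groups):
    """Return (admin, targets): each privilege mapped to the profiles granting it.

    Explicit user privileges come first, then every group the user belongs to.
    Assumption: read/write rights are collective across groups, like the
    administrative privileges the guide describes.
    """
    admin, targets = {}, {}
    sources = [("user:" + user.name, user)]
    for group_name in user.groups:
        sources.append(("group:" + group_name, groups[group_name]))
    for label, profile in sources:
        unknown = profile.admin - ADMIN_PRIVILEGES
        if unknown:
            raise ValueError(f"{label}: unknown privilege(s) {sorted(unknown)}")
        for privilege in sorted(profile.admin):
            admin.setdefault(privilege, []).append(label)
        for target, rights in profile.targets.items():
            bad = set(rights) - RIGHTS
            if bad:
                raise ValueError(f"{label}: unknown right(s) {sorted(bad)} on {target}")
            for right in sorted(rights):
                targets.setdefault(target, {}).setdefault(right, []).append(label)
    return admin, targets


def holders(privilege, users, groups):
    """Names of users who effectively hold an administrative privilege."""
    return sorted(
        u.name for u in users if privilege in effective_privileges(u, groups)[0]
    )


# Constructed sample data, modelled on the Engineering/Marketing example in the text.
GROUPS = {
    "Engineering": Profile("Engineering", admin={"Create User/Group"},
                           targets={"ns100": {"read"}}),
    "Marketing": Profile("Marketing", admin={"Assign Privilege"}),
}
USERS = [
    Profile("Jack", groups=["Engineering", "Marketing"]),
    Profile("Nancy", groups=["Engineering"], targets={"ns100": {"write"}}),
    Profile("Bob"),
]

if __name__ == "__main__":
    for u in USERS:
        admin, targets = effective_privileges(u, GROUPS)
        print(u.name, admin, targets)
    print("Assign Privilege held by:", holders("Assign Privilege", USERS, GROUPS))
```

Because removing a user from a group removes only the group-derived entries, a privilege that also appears with a `user:` source remains in effect until it is unchecked on the user profile.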
Deleting a User
1. Click on the Users button in the Control pane.
2. Select the desired user from the List pane. The user’s profile appears in the
   Details pane.
3. Click on the Delete button. Alternatively, you can right-click in the List pane
   and select Delete. You can also click on the Edit menu and select Delete. A
   message appears asking you to confirm your choice.
4. Confirm your selection, and then click Yes.
5. Click on the Save icon in the Realtime Monitor Console tool bar to save your
   changes. Or, click the Undo button to cancel your changes.
ADDING AND CONFIGURING DEVICES
Use the Realtime Monitor Console control pane to first add, and then configure your
devices in Realtime Monitor.
Importing Devices
If you are using Realtime Monitor together with NetScreen-Global PRO Policy Manager,
you can import information describing all your devices within a specific domain from a
device list. A device list is a file that you can export from Policy Manager that contains
information about your NetScreen devices (i.e., serial number, host name, IP address,
etc.).
Note: Refer to the NetScreen-Global PRO Policy Manager documentation for additional
information describing how to export a device list.
Configuring Mapped IP Addresses
If your Data Collector is located on a computer behind a firewall you may need to provide
the mapped IP address for the Data Collector. The mapped IP file uses the following
format:
Original IP Address = Mapped IP Address
For example: 10.150.12.24 = 192.111.23.25
To automatically map a Data Collector’s IP address:
1. From the Import Device List window, click in the Use Mapped IP for Data
   Collector checkbox. The Load Map File button appears active.
2. Click on the Load Map File button. A window will appear allowing you to
   browse to the map file.
3. Browse to the map file and open it. The Import Device List reappears.
4. Click on the Start Import button to import the file.
When the import completes, Realtime Monitor adds the original IP address and the
mapped IP address to the device, and communicates with the device to import the data
needed from it. Once it reads the information, it adds the device to Realtime Monitor.
Importing a device list
1. From the File menu, select Import Device List. The Import Device List
   window appears.
2. Click in the Telnet or SCS checkbox to select a method with which to
   communicate with the devices for importing configuration information.
3. Click on the Start Import button. A window will appear allowing you to browse
   to the exported device list file.
4. Browse to the exported device list file and open it. The serial numbers and IP
   addresses of all the devices that were exported in the device list will appear in
   the Devices field with a corresponding import result. The status of the operation,
   for each device imported, is displayed in the Result field. Realtime Monitor
   displays any errors that may have occurred during the import in the Error
   Description field.
5. Click Close when you are done.
Importing Device Information from a Text File
You can also import a device list from a text file. If you are creating a text file to import
device information into Realtime Monitor, you should enter the following information on a
single line for each device:
• Serial Number
• Primary Data Collector
• Secondary Data Collector
• IP Address
• User Name
• Password
For example, you would create the following entry:
SN=03000203,HN=ns100,PDC=10.150.41.233,SDC=172.16.10.250,IP=10.150.41.232,User=netscreen,Password=netscreen
Note that it is not necessary to populate every field. For example, you could create the
following entries:
IP=10.150.41.232,User=netscreen,Password=netscreen
SN=03000203,HN=,PDC=10.150.41.233,SDC=,IP=,User=,Password=
SN=03000203,HN=ns100,PDC=10.150.41.233,SDC=10.150.41.240,IP=10.150.41.232,User=netscreen,Password=netscreen
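The text-file entries above and the mapped IP file described under Configuring Mapped IP Addresses can be checked before an import. The following is an added example, not part of the guide or of Realtime Monitor: it parses both formats, validates the address fields, looks up Data Collector addresses in the map, and reports which lines carry a device password in clear text. The function names, the `_mapped` keys and the finding messages are hypothetical, and the parser assumes values contain no commas because the guide shows no quoting rule.

```python
"""Added example: lint a device-import text file and a mapped IP file."""
import ipaddress

FIELDS = ("SN", "HN", "PDC", "SDC", "IP", "User", "Password")
IP_FIELDS = ("PDC", "SDC", "IP")


def parse_map_file(text):
    """Parse 'Original IP Address = Mapped IP Address' lines into a dict."""
    mapping = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        original, sep, mapped = line.partition("=")
        if not sep:
            raise ValueError(f"map line {number}: expected 'original = mapped'")
        # ip_address() raises ValueError on anything that is not a valid address.
        key = str(ipaddress.ip_address(original.strip()))
        mapping[key] = str(ipaddress.ip_address(mapped.strip()))
    return mapping


def parse_device_line(line):
    """Split one 'KEY=value,KEY=value' entry into a dict; empty values are dropped."""
    entry = {}
    for item in line.strip().split(","):
        key, sep, value = item.partition("=")
        key = key.strip()
        if not sep or key not in FIELDS:
            raise ValueError(f"unrecognised field {item!r}")
        if key in entry:
            raise ValueError(f"field {key} given twice")
        if value.strip():
            entry[key] = value.strip()
    return entry


def lint_device_list(text, ip_map=None):
    """Return (entries, findings); findings are (line number, message) pairs."""
    ip_map = ip_map or {}
    entries, findings = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_device_line(line)
        except ValueError as exc:
            findings.append((number, str(exc)))
            continue
        for key in IP_FIELDS:
            if key not in entry:
                continue
            try:
                address = str(ipaddress.ip_address(entry[key]))
            except ValueError:
                findings.append((number, f"{key} is not a valid IP address: {entry[key]}"))
                continue
            # Only Data Collector addresses are looked up in the map file.
            if key in ("PDC", "SDC") and address in ip_map:
                entry[key + "_mapped"] = ip_map[address]
        if "Password" in entry:
            findings.append((number, "cleartext password stored in file"))
            if entry["Password"] == entry.get("User"):
                findings.append((number, "password equals user name"))
        entries.append(entry)
    return entries, findings


# First map line is the guide's example; the second is constructed for this example.
SAMPLE_MAP = "10.150.12.24 = 192.111.23.25\n10.150.41.233 = 192.111.23.30\n"

# Lines 1-3 are the guide's examples; line 4 is constructed with a bad PDC address.
SAMPLE_DEVICES = "\n".join([
    "SN=03000203,HN=ns100,PDC=10.150.41.233,SDC=172.16.10.250,"
    "IP=10.150.41.232,User=netscreen,Password=netscreen",
    "IP=10.150.41.232,User=netscreen,Password=netscreen",
    "SN=03000203,HN=,PDC=10.150.41.233,SDC=,IP=,User=,Password=",
    "SN=03000299,HN=lab1,PDC=10.150.41.999,IP=10.150.41.50,"
    "User=monitor,Password=Constructed-Example-1",
])

if __name__ == "__main__":
    entries, findings = lint_device_list(SAMPLE_DEVICES, parse_map_file(SAMPLE_MAP))
    for number, message in findings:
        print(f"line {number}: {message}")
```

Any line reported with a cleartext password means the import file itself holds device credentials, so it should be access-restricted while it exists and removed once the import has completed.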
Adding a Device
You can also manually add the devices that you want to monitor in Realtime Monitor.
Refer to Adding Devices in Chapter 2 for more information on adding a device.
Configuring Devices
Once you have added a device, you can configure polling attributes determining how the
device works with Realtime Monitor.
Configuring Polling Attributes
The Data Collector polls its devices every 60 seconds for protocol distribution and policy
table information by default. This polling interval is configurable. It is recommended that
you not set the polling interval below 60 seconds.
To modify the polling interval:
1. Select a device from the List pane. The device profile appears in the Details
   pane.
2. From the Information tab, click in the Poll Devices every <n> seconds for
   Protocol Distribution field and enter the desired polling interval for protocol
   distribution tables.
3. Click in the Poll Devices every <n> seconds for Policy Table field and enter the
   desired polling interval used for policy tables.
4. Click on the Save icon in the Realtime Monitor Console toolbar to save your
   changes; or click the Undo icon to cancel your changes.
Configuring the Device to Send Specific Information
To improve your overall system performance, you can also control the types of information
that a device will send to Realtime Monitor. Refer to Disabling Information Sent From the
Device in Chapter 6 for more information on tuning the device.
Read-only Device Attributes
You cannot configure the device details and contact information that appear in the Device
Profile. Device Details and Contact Information are both collected from the device
automatically after the device connects to the Data Collector.
Realtime Monitor Configuration Priority
Realtime Monitor will overwrite any changes that you make to the device configuration
outside of Realtime Monitor.
Deleting a Device
1. Click on the Devices button in the Control pane. Realtime Monitor displays a
   list of all current devices created in the system in the List pane.
2. Select the device that you want to delete from the List pane.
3. Click on the Delete icon in the Realtime Monitor Console toolbar. Alternatively,
   you can also delete a device by right-clicking in the List pane and selecting
   Delete; or by using the Edit menu and selecting Delete. A message appears
   asking you to confirm your choice.
4. Confirm your selection, and then click Yes.
Note: Deleting a device from Realtime Monitor will not effectively remove the device
from the Policy Manager configuration.
Exporting a Device List
Exporting a device list allows you to keep a copy of your current device list in case you
need it later to import.
1. From the File menu, select Export Device List. A window appears allowing
   you to browse to a destination directory where you want to save the export list.
2. Browse to the desired file and click Save.
Viewing All Devices
Once you add a device in the Realtime Monitor system, Realtime Monitor stores all the
information that you have configured for the device.
ADDING AND CONFIGURING DEVICE GROUPS
Once you have added your devices, you can then map them into logical groupings. This
will allow you to more easily view and manage your devices in Realtime Monitor. To do
this, use the Realtime Monitor Console to add device groups and then assign your devices
to them.
Example Describing How to Group Devices
For example, you could create a device group for the devices that you have implemented
for each customer or region. You can later assign privileges to specific users allowing them
access to their own groups.
Adding a Device Group
1. Click on the Device Groups button in the Control pane. Realtime Monitor
   displays a list of all current Device Groups created in the system in the List
   pane.
2. Click the Add button in the Realtime Monitor Console tool bar. Alternatively,
   you can right-click in the List pane and select Add. You can also click on the
   Edit menu and select Add. A template allowing you to configure a new Device
   Group appears in the Details pane.
3. Enter any applicable information in the Contacts tab.
4. Click on the Save icon in the Realtime Monitor Console toolbar to save your
   changes. The device group now appears in the List pane. Or, click on the Undo
   icon to cancel your changes.
Assigning a Device or Virtual System to a Device Group
1. Select a Device Group from the List pane.
2. Click on the Devices tab. Select the devices that you want to add to the Device
   Group from the list of available devices. Click on the Add button to add them.
   The device(s) now appears in the list of Selected Devices.
3. Click on the Virtual Systems tab. Select the virtual systems that you want to
   add to the Device Group from the list of Available Virtual Systems. Click on the
   Add button to add them. The virtual system(s) now appears in the list of
   Selected Virtual Systems.
4. Click on the Save icon in the Realtime Monitor Console toolbar to save your
   changes. The device group now appears in the List pane. Or, click on the Undo
   icon to cancel your changes.
Removing a Device or Virtual System from a Device Group
The process of removing a device or virtual system from a Device Group is similar to the
procedure described for assigning a device/virtual system to a device group. To remove a
device/virtual system from a device group, use the Remove button in the Devices or
Virtual Systems tab to remove the device/virtual system from the list of Selected Devices/
Virtual Systems.
Deleting Device Groups
1. Click on the Device Groups button in the Control pane. Realtime Monitor
   displays a list of all current device groups created in the system in the List pane.
2. Click on the Delete icon in the Realtime Monitor Console tool bar. Alternatively,
   you can also delete a device group by right-clicking in the List pane and selecting
   Delete; or by using the Edit menu and selecting Delete. A message appears
   asking you to confirm your choice.
3. Confirm your selection, and then click Yes.
Warning: Deleting a Device Group will not delete any device history.
CONFIGURING SERVER PROPERTIES
You can configure the Realtime Monitor server to perform the following additional
functions:
• Mapped IP Address
• Polling Intervals
• E-mail Alerts
Mapped IP Address
If the Realtime Monitor server is located on a computer behind a firewall you will need to
provide the mapped IP address for the server computer. To configure the mapped IP
address, you can use the Information tab in the Server Properties window. You can access
the Server Properties window from the Tools menu in the Realtime Monitor Console.
Polling Intervals
For tuning purposes, you can also configure the intervals with which Realtime Monitor
polls its devices for certain statistics.
To configure the polling intervals:
1. From the Server Properties window, Information tab, configure the polling
   intervals using the following pull-down menus:
   • Poll Device Statistics every - this is the time interval, in seconds, that the
     Realtime Monitor will poll its devices for device-specific statistics. The
     default is 300 seconds.
   • Poll VPN Statistics every - this is the time interval, in seconds, that
     Realtime Monitor will poll its devices for VPN statistics. The default is 300
     seconds.
   • Poll NSRP Statistics every - this is the time interval, in seconds, that
     Realtime Monitor will poll its devices for NSRP statistics. The default is 300
     seconds.
   • Poll Interface Statistics every - this is the time interval, in seconds, that
     Realtime Monitor will poll its devices for interface statistics (i.e., Ethernet,
     Flow, and Attack statistics). The default is 30 seconds.
2. Click OK to save your changes.
E-mail Alerts
You can also configure the server to notify you by e-mail of alerts or other system events.
To configure e-mail alert notifications:
1. From the Server Properties window, select the Email Settings tab.
2. Click in the Enable Email Alert check box.
3. Enter the following e-mail properties:
   • SMTP Server Name - this is the SMTP server address for sending e-mail
     notifications. For example: 172.16.10.212.
   • Sender’s Email Address - this is the sender’s e-mail address that Realtime
     Monitor will use to send e-mail alerts.
   • Receiver’s Email Address - this is the e-mail address to which Realtime
     Monitor will send e-mail alerts.
   • Suppress Duplicate Messages for - this is the time interval, in seconds,
     that Realtime Monitor will suppress duplicated error messages. The default
     is 3600 seconds (one hour). This means that the server will not send a similar
     e-mail message within the specified time interval. The server does this by
     comparing the timestamp on duplicate messages. If the difference in time is
     less than the event resend interval, the server will suppress the message.
   • Check for Events to be mailed every - this is the time interval, in
     seconds, that the server will flush or send out email messages. The default is
     five seconds.
   • Num of Messages Per Minute - this is the maximum number of e-mail
     messages that the server can send per minute. This allows you to set a limit
     on the total number of messages you may receive every minute.
   • Num. of Events Per Email Message - this is the number of events that the
     server will group and send in a single email. The default is one. So, by
     default, the server will send an e-mail for every event.
4. Click in the Enable more detailed information checkbox if you want the
   server to include more detailed information in the e-mail message (i.e., host
   name, event severity level, event summary, first and last occurrence of the
   event, and the repeat count).
5. Use the Include events of Severity Level pull-down menu to select the
   severity level of events at which an e-mail is generated. The server will send you
   an e-mail whenever any “critical” event occurs by default.
6. Check the checkbox corresponding to the specific types of alarms that you wish
   to receive an e-mail notification in the And these events field. You can choose
   to receive an e-mail notifying you of a traffic alarm, attack alarm or any other
   misc. alarm. For example, if you check the traffic alarm checkbox, you will
   receive an e-mail notifying you of all traffic alarms in addition to those events
   that match the severity level you set in the Email Severity Level.
7. Click OK to save your changes.
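The interaction between the severity filter, the alarm-type checkboxes, duplicate suppression and event grouping determines how much of an ongoing event actually reaches the mailbox. The following is an added example, not part of the guide or of Realtime Monitor, that models those settings over a constructed event stream. The names Event, EmailSettings and plan_alert_mail are hypothetical, and the example assumes a duplicate is an event with the same host, alarm type and summary, compared against the last message actually sent, and that the severity setting matches one level exactly.

```python
"""Added example: model the e-mail alert filter and duplicate suppression."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    timestamp: int      # seconds
    host: str
    severity: str
    alarm_type: str     # e.g. "traffic", "attack", "misc", "system"
    summary: str


@dataclass
class EmailSettings:
    suppress_seconds: int = 3600        # Suppress Duplicate Messages for
    severity: str = "critical"          # Include events of Severity Level
    alarm_types: frozenset = frozenset()  # checked boxes under And these events
    events_per_email: int = 1           # Num. of Events Per Email Message


def plan_alert_mail(events, settings):
    """Return (mails, suppressed).

    mails is a list of event batches, one batch per e-mail message.
    suppressed maps each duplicate key to the number of events withheld.
    """
    last_sent = {}
    suppressed = {}
    outgoing = []
    for event in sorted(events, key=lambda e: e.timestamp):
        # An event qualifies by severity level or by a checked alarm type.
        by_severity = event.severity == settings.severity
        by_type = event.alarm_type in settings.alarm_types
        if not (by_severity or by_type):
            continue
        # Assumption: what counts as a "duplicate" is not defined in the guide.
        key = (event.host, event.alarm_type, event.summary)
        previous = last_sent.get(key)
        if previous is not None and event.timestamp - previous < settings.suppress_seconds:
            suppressed[key] = suppressed.get(key, 0) + 1
            continue
        last_sent[key] = event.timestamp
        outgoing.append(event)
    size = settings.events_per_email
    mails = [outgoing[i:i + size] for i in range(0, len(outgoing), size)]
    return mails, suppressed


# Constructed sample: one attack alarm repeating every 10 minutes for two hours,
# one critical event, and one traffic alarm below the severity threshold.
SAMPLE_EVENTS = [
    Event(t, "ns100", "warning", "attack", "Constructed: port scan")
    for t in range(0, 7201, 600)
] + [
    Event(100, "ns100", "critical", "system", "Constructed: interface down"),
    Event(200, "ns100", "notification", "traffic", "Constructed: traffic threshold"),
]

if __name__ == "__main__":
    settings = EmailSettings(alarm_types=frozenset({"attack"}))
    mails, suppressed = plan_alert_mail(SAMPLE_EVENTS, settings)
    for batch in mails:
        print([(e.timestamp, e.summary) for e in batch])
    print("suppressed:", suppressed)
```

With the default 3600-second window, thirteen occurrences of the same attack alarm produce three messages, so the repeat count in the detailed e-mail and the Event Monitor are the places to see the real volume.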
Chapter 5
Monitoring Real Time Information
Realtime Monitor allows you to proactively monitor the status of your NetScreen security
system from a central location, the Monitor Console. Through the Monitor Console, you
can monitor real-time information about your NetScreen devices including the up/down
status of your NetScreen devices, protocol and policy usage trends, performance baselines
and security events.
This chapter provides information that describes the Monitor Console and how you can
use it to monitor your NetScreen devices effectively. It describes how you can create and
modify Display Filters that allow you to monitor event summaries. It also provides
information describing how you can access more detailed device, event and traffic
information using other consoles including the Device Monitor and Event Monitor; as well
as the VPN Monitor and NSRP Monitor where you can monitor the status of any VPN
and/or NSRP that you may have implemented.
This chapter includes the following sections:
• Using the Monitor Console
• Monitoring Device Status
• Monitoring Additional Device Details
• Monitoring Event Summaries
• Monitoring Event Information
• Monitoring Individual Device Statistics
• Monitoring VPN Status
• Monitoring NSRP Statistics
USING THE MONITOR CONSOLE
Once you have added a device in Realtime Monitor, the Monitor Console will
automatically launch. Use the Monitor Console to quickly monitor the up/down status of
your NetScreen devices in real-time. You can also use the Monitor Console to monitor an
Event Summary, which provides a histogram view of events that are occurring on your
devices.
Event alert icons and color-coded bar graphs notify you of potential issues. From the
Monitor Console, you can also access other consoles for more detailed information on your
devices, the events that are occurring on them, your VPN, and NSRP.
[Figure: the Monitor Console, with the following callouts.]
Device Status Summary - displays a summary status of each of your NetScreen devices.
Display Filter - list of display filters that you have currently configured.
Control Pane - allows access to other monitoring consoles.
Event Summary - graphical display summarizing events categorized by severity level as
they occur on each device.
Status Bar displays the currently active display filter.
About the Monitor Console Panes
The Monitor Console has four main components:
• Device Status Summary
• Event Summary
• Display Filter pane
• Monitor pane
In addition, a status bar that appears at the bottom of the Monitor Console displays the
currently active display filter and any query that is in progress.
Device Status Summary
Use the Device Status Summary to get an at-a-glance view of the up/down status of each
of your NetScreen devices in real-time. Devices that are up and running are indicated in
green; devices that are down are indicated in red. You can also configure event alert icons
to appear as relevant events occur on each device. Double-click on a specific device to
launch the Device Monitor where you can view additional details about a device.
Event Summary
Use the Event Summary to get an at-a-glance view of the events that are occurring on
your NetScreen devices in real-time. Create and apply additional display filters to
summarize the events you want to see on the devices that you are interested in. Each
display filter provides a color-coded bar graph making it easy for you to detect events by
severity level. Double-click on a specific event summary view to launch the Event Monitor
where you can view additional details about those events.
Display Filter pane
Use the Display Filter pane to view a list of all the display filters that are currently
configured and applied. The display filter that is currently active appears highlighted.
Monitor pane
Use the Monitor Pane to access more detailed information on devices (Device Monitor),
events (Event Monitor), VPN (VPN Monitor), and NSRP (NSRP Monitor).
Customizing the Monitor Console Interface
You can customize the following elements of the Monitor Console interface according to
your viewing preferences:
• Adding or Removing Columns
• Adjusting Console or Column Borders
• Moving the Toolbar
• Hiding Toolbar Names
Adding or Removing Columns
1. Use the View menu and select Column. The Configure Columns window appears.
2. To add a column to the Monitor display, select the column that you want to view from the list of Available Columns, then click the Add button. The column that you selected will now appear in the list of Selected Columns.
3. To remove a column, select the column that you want to remove from the list of Selected Columns, then click the Remove button. The column that you selected will now appear in the list of Available Columns.
4. Click OK when you are done.
Adjusting Console or Column Borders
You can adjust the size of the console and any column by placing your mouse over the
console or column border. Arrows will appear indicating the direction in which you can
move the border. Click and drag the console or column border to the length or width that
you wish.
Moving the Toolbar
You can move the toolbar that appears at the top of the Monitor Console to any part of the
desktop. Click on the toolbar pane that appears to the left of the toolbar buttons and drag
the toolbar anywhere on the desktop.
Hiding Toolbar Names
You can also hide the toolbar names that appear at the top of the Monitor Console. From
the View menu, select Toolbar Names. Notice that the titles no longer appear on the
Exit and Display Filter buttons.
Sorting All Columns
You can sort any column by manually clicking on the column header. Realtime Monitor
sorts the column data in ascending order by default. You can customize the Monitor
Console to sort all tables automatically every time a new record is added. You can also
choose to sort all tables in descending order.
Warning: If you select the Sort-Always option, you may experience some degradation in
Console performance. It is recommended that you disable the Sort-Always option for
optimum performance.
To change the way Realtime Monitor sorts columns:
1. Use the Tools menu and select Customize. The Customize window appears.
2. If you want Realtime Monitor to sort columns automatically every time a new record is added, check the Sort - Always checkbox.
3. If you want Realtime Monitor to sort columns in descending order, uncheck the Ascending Order checkbox.
4. Click OK to save your changes; click Cancel to cancel your changes.
Sorting Individual Columns
You can also right-click on any column in the Monitor Console and specify how that
particular column will sort (i.e., once or always, in ascending or descending order).
Alternatively, you can use the View menu and select Sort.
Searching for Specific Information
1. Use the View menu and select Search. The Search window appears.
2. Click in the Find field and enter the exact text that you are searching for in the Find What field.
Note: The search is case-sensitive; the text string that you enter in the Find What field must match the case of the text you are searching for.
3. Use the Search On pull-down menu if you want to narrow your search to a specific information field. If you are unsure which field to search on, select All Fields.
4. Click on the Next button to continue. Realtime Monitor will highlight all search results in the display. If the search produces no results, a dialog will appear indicating that Search cannot find the specified pattern.
5. Click on the Previous button if you wish to view the previous search result.
MONITORING DEVICE STATUS
Use the Device Status Summary to get an at-a-glance view of the up/down status of your
NetScreen devices. Devices that are up and running are listed by device name and appear
by default at the top of the summary pane colored green. Devices that are down are listed
by the device’s serial number and are colored red.
If you have configured a NetScreen device to act as a virtual system, you will notice that
the virtual systems appear below the device in the tree hierarchy and are colored lavender.
[Figure callouts:]
• Realtime Monitor totals the number of devices that are either up and running or down and displays that total next to the corresponding status.
• Devices that are up and running appear in green; devices that are down appear in red.
• Click on the blue arrow to sort all devices according to their status.
Sorting Devices by Status
You can sort all devices according to their status by clicking on the blue arrow that
appears in the summary header.
Configuring Visual and Audible Event Alerts
You can configure Realtime Monitor to alert you both visually and audibly of certain
events as they occur on each device. When an event of a specified frequency occurs a set
number of times, a red exclamation point icon will appear on the device icon in the Device
Status Summary. You can also configure Realtime Monitor to sound an audible alert
when an event occurs.
1. From the Edit menu, select Alert Settings. The Alert Settings window will appear.
2. Use the Severity Level pull-down menu to select the severity level of the event for which you wish to receive an alert.
3. Click in the Number of Events field and enter the number of occurrences of an event that will trigger an event alert.
4. Click in the Audible Alert checkbox to have Realtime Monitor alert you audibly whenever an alert event occurs.
5. Click OK to apply your changes; click Cancel to cancel your changes.
Acknowledging an Event Alert
Once you receive an event alert, you can remove it by right-clicking on the device icon and
selecting Acknowledge. Alternatively, you can also use the Edit menu, and select
Acknowledge.
MONITORING ADDITIONAL DEVICE DETAILS
Use the Device Monitor to view additional details on all your devices. Click on the Device
Monitor button in the Monitor pane to launch the Device Monitor.
Monitoring Device Status
From the Device Monitor, you can view the following details about the status of all the
NetScreen devices that you have configured in Realtime Monitor:
• key details describing the device (i.e., SN#, type, operation mode)
• up/down status
• time-related statistics (i.e., last connect, reboot, etc.)
The following table describes all of the information that is available from the Device
Monitor:
| Item | Displays... |
|---|---|
| Serial No | the serial number of the device. |
| Operation Mode | the current operation mode of the device. This can be either NAT, Transparent, or Route. |
| Last Known Connect Time | the last time the device connected to the Data Collector. Use this to determine how long a device was down. |
| Last Reboot Time | the last time the device was rebooted. Use this to determine how long a device was down. |
| Last Known Uptime | the last time the device was up-and-running (only if a device is down). |
| GMT Time Offset (hours) | whether or not the device is set to Greenwich Mean Time. |
| DayLight-Saving | whether or not daylight savings time is enabled. |
| Hostname/IP (Address) | the set host name and IP Address of the device. |
| Status | whether the device is up or down. |
| Type | the type of device. |
| Firmware Version | the firmware version of the device. |
Note: If an N/A appears in a column, then that device might have an older ScreenOS
version.
Realtime Monitor also allows you to view additional information that may help you to
diagnose and troubleshoot a problem with your NetScreen security system.
For additional statistical information on a device, refer to the section titled Monitoring
Individual Device Statistics. For additional information on events occurring on your
devices, refer to the sections titled Monitoring Event Summaries and Monitoring Event
Information.
MONITORING EVENT SUMMARIES
Use the Event Summary to get an at-a-glance summary view of events that are occurring
on your NetScreen devices in real-time. Events are categorized according to their
perceived severity and displayed in color-coded bar graphs allowing you to easily detect
and identify event trends.
There are six pre-defined severity levels:
• Critical
• Major
• Minor
• Warning
• Indeterminate
• Clear
Point your cursor over the bar graph to get a
count of the messages summarized.
Customizing Event Summary Information
You can customize the look and feel of the Event Summary pane by:
• Configuring Severity Levels
• Adjusting Severity Level Colors
• Setting the Total Number of Event Summary Views
• Adjusting the Time That Events Are Displayed In
Configuring Severity Levels
Realtime Monitor assigns each event type a specific severity level by default. Depending
upon your specific business requirements, you can change the severity level assigned to
each event.
1. From the Realtime Monitor Console, select System Options from the Tools menu. The System Options window appears.
2. Click on the + icon to expand and view the event sub types for each event type.
3. Use the Severity Level pull-down menu and select the severity level you wish to assign to the event sub-type.
4. Click OK when you are done; click Cancel to cancel your changes.
Realtime Monitor will display a dialog prompting you to restart your Monitor Console for
your changes to take effect. Click Yes to proceed.
Adjusting Severity Level Colors
Realtime Monitor displays event categories in different colors according to their severity
level. For example, Realtime Monitor displays Critical events by default in red; Clear
events by default in green. You can change these color associations to suit your own
personal preference.
1. From the Tools menu, select Customize. The Customize window will appear.
2. Select the Severity Level - Color tab. The Severity Level - Color window will appear.
3. Click on the down arrow that appears to the right of the color and severity level that you wish to adjust. The Select Color window will appear.
4. From the Swatches tab, click on the color that you wish to use. A sample of the color that you have chosen will appear in the Preview panel. The Recent section displays colors that you have previously sampled. The last color saved is displayed in the upper half of the color bar sample. Click Reset to return to the color shown in the color bar sample.
5. If you wish to adjust the hue, saturation, and brightness of the color, click on the HSB tab. Click and drag on the sliding scale to adjust the HSB to your preference.
6. If you wish to adjust the red, green, and blue attributes of the color, click on the RGB tab. Click and drag on the sliding scales to adjust the RGB to your preference.
7. Click OK when you are done.
8. Click OK to apply your changes; or click Cancel to cancel your changes.
For example, if you wanted to adjust the color associated with the Clear severity
level from green to blue, you would set the Color Mapping as follows:
[Figure callouts:]
• Click on the down arrow that appears to the right of the color and severity level that you wish to adjust.
• Click on the color that you want to use.
• Select the HSB or RGB tabs to fine tune your selected color.
Setting the Total Number of Event Summary Views
The maximum number of active event summary views that you can display in the Event
Summary is four by default. If you exceed the specified number, you will receive an error
message. Realtime Monitor allows you to increase or decrease the number of event
summary views displayed in the Event Summary depending upon your preference.
1. From the Tools menu, select Customize. The Customize window will appear.
2. From the Options tab, click in the Number of Summary Views field and enter the number of views you wish to allow.
3. Click OK to apply your changes; or click Cancel to cancel your changes.
For example, if you wanted to increase the number of event summary views from
4 to 6, you would set the Number of Summary Views as follows:
Adjusting the Time That Events Are Displayed In
Realtime Monitor also allows you to view the time at which events occur in either your
local time zone or Greenwich Mean Time (GMT).
1. From the Tools menu, select Customize. The Customize window will appear.
2. From the Options tab, check the Display Time in GMT zone (All Events) checkbox.
3. Click OK to apply your changes; or click Cancel to cancel your changes.
Managing Event Summaries
Depending upon the size and type of your NetScreen security system, your devices can
generate literally thousands of conditions and events (i.e., alarms, logs, etc.) on a daily
basis.
Using the Monitor Filter
To help manage the amount of information sent to and viewed on the Monitor Console,
Realtime Monitor initially applies a Monitor filter to the data that is received from each
Data Collector. The Monitor Filter allows you to set certain criteria defining which
information is allowed to pass from the Data Collector to the Monitor Console.
The Monitor Filter is initially set to allow events for all devices, event types, and severity
levels. You may want to reconfigure the Monitor Filter to better manage the total amount
of information received by the Console. Refer to Configuring the Monitor Filter in Chapter
6 for more information on configuring the Monitor Filter.
Default Event Summary View
Realtime Monitor summarizes the event information from the Monitor Filter in an initial
event summary view called Default.
Note: You cannot change or delete the Default filter.
Stopping and Starting the Monitor Filter
If, for any reason, you want to stop the Monitor Filter from collecting information, use the
Monitor Filter menu and select Stop Receiving Logs. When you want to re-apply the
Monitor Filter, use the Monitor Filter menu and select Start Receiving Logs.
Creating Display Filters
If you wish to monitor more specific information about your devices and virtual systems,
you can create additional display filters. A display filter allows you to further sort and
summarize events from the set of information already being collected by the Monitor
Filter.
1. From the Display Filter menu, select New. The Display Filter Definition window appears.
2. Click in the Filter Name field and enter a specific name for the filter.
3. If you wish to view information from a specific time, check the Timestamp check box and enter the desired time.
4. Click on the Save button. Alternatively you can use the File menu and select Save Filter. A dialog will prompt you to specify a file name for the filter and a directory path where you want to save the filter.
Realtime Monitor saves each display filter as an .ndf (NetScreen Display Filter) file. The
file is saved in a folder called “Display Filter” on your local drive by default.
Configuring Display Filter Conditions
1. Select the desired display filter from the Display Filter pane.
2. From the Display Filter menu, select Modify. Alternatively, you can also right-click on the desired filter, and select Modify. The Display Filter Definition window appears.
3. Click on the Add icon. Alternatively, you can use the Edit menu, and select Add Condition.
4. Enter the new Condition Name.
5. Select the device(s) that you wish to monitor. Double-click on All Devices to view all available devices. Click the + or - icon to expand or collapse the list of devices.
6. Select the events or event type that you wish to monitor. Double-click on All Events to view all available events. Click the + or - icon to expand or collapse the list of events.
7. Use the And/Or drop-down to include events of a certain severity level. Use the Severity drop-down to select a specific severity level.
8. Click on the Add icon to add another condition.
Note: When you have more than one condition configured in a display filter,
Realtime Monitor will display all the events that match any individual
condition’s criteria. For example, if you have one condition that specifies critical
events and another that specifies minor events, Realtime Monitor will display
events that match either criterion; in this case, critical and minor events.
9. Click on the Save button. Alternatively you can use the File menu and select Save Filter.
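The condition logic from steps 5 to 8 and the note above, modelled in Python as an added example (this is not NetScreen code and not the .ndf file format). The class and function names and the sample devices and events are constructed, and reading the And/Or drop-down as a boolean AND/OR between the device/event selection and the severity level is an assumption.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The six pre-defined severity levels, in the order the guide lists them.
SEVERITIES = ("Critical", "Major", "Minor", "Warning", "Indeterminate", "Clear")


@dataclass(frozen=True)
class Event:
    device: str
    event_type: str
    severity: str


@dataclass(frozen=True)
class Condition:
    """One condition of a display filter (hypothetical model)."""
    name: str
    devices: Optional[frozenset] = None      # None stands for "All Devices"
    event_types: Optional[frozenset] = None  # None stands for "All Events"
    severity: Optional[str] = None           # None: no severity level selected
    severity_op: str = "AND"                 # And/Or drop-down (assumed boolean)

    def __post_init__(self):
        if self.severity is not None and self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity level: {self.severity!r}")
        if self.severity_op not in ("AND", "OR"):
            raise ValueError(f"severity_op must be AND or OR: {self.severity_op!r}")

    def matches(self, ev: Event) -> bool:
        in_scope = (
            (self.devices is None or ev.device in self.devices)
            and (self.event_types is None or ev.event_type in self.event_types)
        )
        if self.severity is None:
            return in_scope
        sev_hit = ev.severity == self.severity
        if self.severity_op == "AND":
            return in_scope and sev_hit
        return in_scope or sev_hit


def apply_display_filter(conditions, events):
    """Conditions are ORed: an event is shown if any condition matches it.
    An event that matches several conditions is still shown only once."""
    return [ev for ev in events if any(c.matches(ev) for c in conditions)]


def event_summary(conditions, events):
    """Per-severity counts, i.e. the numbers behind the Event Summary bars."""
    counts = Counter(ev.severity for ev in apply_display_filter(conditions, events))
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def hidden_events(conditions, events):
    """Events the filter keeps out of the summary view."""
    return [ev for ev in events if not any(c.matches(ev) for c in conditions)]


# Constructed sample data: device names and event types are illustrative only.
SAMPLE_EVENTS = [
    Event("fw-hq", "Attack Alarm", "Critical"),
    Event("fw-hq", "Traffic Alarm", "Minor"),
    Event("fw-hq", "Configuration Log", "Warning"),
    Event("fw-branch", "Attack Alarm", "Critical"),
    Event("fw-branch", "Attack Alarm", "Major"),
    Event("fw-branch", "Traffic Log", "Clear"),
]

# The guide's own example: one condition for critical events, one for minor.
CRITICAL = Condition("critical", severity="Critical")
MINOR = Condition("minor", severity="Minor")
# Overlaps with CRITICAL for the fw-hq event.
HQ_CRITICAL = Condition("hq-critical", devices=frozenset({"fw-hq"}),
                        severity="Critical")
# Or: everything on fw-branch, plus Critical events from any device.
BRANCH_OR_CRITICAL = Condition("branch-or-critical",
                               devices=frozenset({"fw-branch"}),
                               severity="Critical", severity_op="OR")

if __name__ == "__main__":
    print("summary:", event_summary([CRITICAL, MINOR], SAMPLE_EVENTS))
    for ev in hidden_events([CRITICAL, MINOR], SAMPLE_EVENTS):
        print("not shown:", ev)
```

Running a candidate set of conditions over a known event list this way shows which severities the filter would keep out of the Event Summary; here the critical-plus-minor filter leaves a Major attack alarm out of view.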
Applying the Display Filter
Once you have created your display filter, you will need to apply it. Click on the Apply
button or use the File menu and select Apply Filter. The new display filter appears in
the Event Summary pane.
Managing Display Filters
Once you have created a display filter, you can later rename, modify, or delete it.
Renaming Display Filters
1. Select the desired display filter from the Display Filter pane.
2. From the Display Filter menu, select Rename. Alternatively you can also right-click on the desired filter, and select Rename. A Rename Filter pop-up window appears.
3. Enter a new name for the display filter.
4. Click OK to apply your changes; click Cancel to cancel your changes.
Deleting Display Filters
1. Click to select the desired display filter.
2. From the Display Filter menu, select Delete. Alternatively you can also right-click on the desired filter, and select Delete. A pop-up window will appear prompting you to confirm the deletion.
3. Click Yes to confirm the deletion. Click No to cancel the deletion.
MONITORING EVENT INFORMATION
If the Event Summary pane indicates a potential issue, you can use the Event Monitor to
view more specific information about the events summarized in each display filter. To
launch the Event Monitor for a specific display filter: click to select a display filter from
the Display Filter pane or Event Summary pane, then click on the Event Monitor button
to launch the Event Monitor. Alternatively, you can use the View menu, and select Event
Monitor.
Sorting Events by Count
You can sort all events according to the number of times that they have occurred by
clicking on the blue arrow that appears in the Count header.
Event-specific Information
From the Event Monitor, you can view the following details about each event that
matched the criteria you set in your display filter:
• key details describing the device (i.e., host name, IP address)
• type and subtype of the event that occurred
• number of times that the event actually occurred
• time-related information (i.e., first and last occurrence date and time)
The following table describes all of the information that is available from the Event
Monitor:
| Item | Displays... |
|---|---|
| Hostname/IP | the hostname and IP address of the NetScreen device. |
| Event Type | the main type of event that occurred. |
| Event Sub Type | more information on the type of event that occurred. |
| First Occurrence | the date and time that the event first occurred. |
| Last Occurrence | the date and time that the event last occurred. |
| Severity | the severity level of the event. |
| Summary | a description of the event. |
| Count | the number of times that the event has occurred. |
Adding Event Information Notes
If you want to add additional information regarding a specific event:
1. Double-click anywhere in an event. The Event Notes window appears.
2. Click in the Additional Information section and enter your information.
3. Click OK to apply your changes; or click Cancel to cancel your changes.
Exporting Event Logs
Realtime Monitor allows you to transfer event information to an Excel file where you can
further analyze or track the data. To begin the export process, you will need to pause the
flow of data to the Event Monitor.
1. From the Event Monitor, click on the Pause button. Alternatively, you can use the View menu, and select Pause. This temporarily stops the flow of event information to the Event Monitor.
2. Click on the Save button. Alternatively, you can use the File menu and select Save. A standard Save dialog opens in a default directory.
3. Enter a name for the file and click Save. Realtime Monitor saves the file as a .csv file.
Using Quick Filters
While in the Event Monitor, you can automatically create a display filter that matches the
conditions that produced a specific event. The display filter that you create “on-the-fly”
from an event is called a quick filter.
Creating a Quick Filter
From the Event Monitor, right-click on an event and select Quick Filter. Alternatively
you can select an event, use the Edit menu and select Quick Filter. Realtime Monitor
launches a new Event Monitor view with the events that match the type that you selected
for all devices, and adds the new display filter to the Event Summary pane.
Configuring a Quick Filter
When you create a quick filter, Realtime Monitor creates a display filter with conditions
that match the selected event type, severity level, and device specified by default. You can
change the way that Realtime Monitor creates a quick filter to have it create a display
filter with conditions that match all events, devices, or severity levels.
1. From the Monitor Console, use the Tools menu and select Options. The Options window appears.
2. Click on the Quick Filter tab.
3. Click in one of the Devices radio buttons to specify that you want to create a quick filter for all devices or only the selected device.
4. Click in one of the Events radio buttons to specify that you want to create a quick filter for all devices or only the selected device.
5. Use the Selected Severity Level pull-down menu and select the AND option to specify that you want to create a quick filter condition that events must also match the severity level of the event selected. Select the OR option to specify that you want to create a quick filter condition that events do not need to match the severity level of the event selected.
6. Click OK when you are done.
[Figure callouts:]
• A quick filter automatically launches an event monitor view displaying events that match the type that you selected for that device by default.
• The quick filter also adds a display filter in the Event Summary pane.
MONITORING INDIVIDUAL DEVICE STATISTICS
Use the Device Statistics window to access additional information about traffic, interface,
zone, and system-related statistics on a specific device. To view Device Statistics,
double-click on an individual device in the Device Status Summary. Alternatively, you can
right-click on the device, and select Device Statistics.
[Figure callouts:]
• The Device Statistics window provides basic information about a device including the device type, version, # of events by type, etc.
• Click to access traffic, interface, zone or system-related information on the device.
Note: If you are not running ScreenOS 3.1.0-NSRP or later, some real-time monitoring
features such as NSRP monitoring, enhanced VPN monitoring, deltas etc. will not be
available. Check the “Device” row in the Summary view to see a device’s ScreenOS version.
Viewing the Device Summary
From the Device Statistics Summary, you can view the following details about a specific
device:
• key details describing the device or virtual system (i.e., SN#, IP address)
• summary of events, alarms and logs on the device
• time-related statistics (i.e., last connect, reboot, etc.)
The following table describes all of the information that is available from the Device
Statistics Summary:
| Item | Displays... |
|---|---|
| Device | Device: Displays the name, serial number and IP address of the device. Vsys: Displays just the serial number of the device. |
| Vsys | the name of the virtual system (if applicable). |
| Version | the device’s build, model, and operation mode (this is not displayed in the Vsys view). |
| DC IP | the IP Address of the Data Collector the device is contacting (this is not displayed in the Vsys view). |
| Critical Events | the total number of Critical events that occurred. |
| Major Events | the total number of Major events that occurred. |
| Minor Events | the total number of Minor events that occurred. |
| Warning Events | the total number of Warning events that occurred. |
| Intermediate Events | the total number of Intermediate events that occurred. |
| Clear Events | the total number of Clear events that occurred. |
| Attack Alarms | the number of attack alarms for this device. |
| Traffic Alarms | the number of traffic alarms for this device. |
| Misc. Alarms | the number of misc. alarms for this device. |
| Configuration Logs | the number of configuration logs for this device. |
| Information Logs | the number of information logs for this device. |
| Traffic Logs | the number of traffic logs for this device. |
| Self Logs | the number of self logs for this device. |
| Interface Information | the employed interfaces. For example, Trust, Untrust, and Self. |
| Vsys Information | the virtual systems associated with this device (this is not displayed in the Vsys view). |
| Last Known Connect Time | the last time the device connected to the Data Collector (this is not displayed in the Vsys view). |
| Device Status | whether the device is currently up or down (this is not displayed in the Vsys view). |
| Last Reboot Time | the last time the system was restarted (this is not displayed in the Vsys view). |
| Last Known Uptime | If device is “down,” this entry lists the last time it was “up.” Used to determine how long a device was down (this is not displayed in the Vsys view). |
| GMT Time Offset (Hours) | hour the device is set from Greenwich Mean Time (this is not displayed in the Vsys view). |
| Daylight-Savings | whether or not daylight-savings time is enabled (this is not displayed in the Vsys view). |
Device-Specific Views
From the Device Statistics view, you can also access additional views allowing you to
monitor key data on a specific device.
View Type
View
Allows you to...
Traffic
Policy Distribution
View traffic on the device distributed by policy. Allows you to
view a chart of the traffic distribution by policy.
Protocol Distribution
View traffic on the device distributed by protocol. Allows you
to view a chart of the traffic distribution by protocol.
VPN Distribution
View the up/down status and active statistics of VPNs on the
device (if applicable). Allows you to view a chart of the VPN
distribution by VPN tunnel.
Traffic Logs
View traffic log information generated when sessions
terminate on the device.
Ethernet Statistics
View device traffic over specific interfaces. Allows you to
view a chart of the utilization distributed by interface.
Flow Statistics
View device traffic on flow counters over specific interfaces.
Allows you to view a chart of flow statistics distributed by
interface.
Attack Statistics
View all of the attacks that have occurred on a device over
specific interfaces. Allows you to view a chart of attacks
distributed by interface.
Ethernet Statistics
View device traffic from specific zones. Allows you to view a
chart of the traffic distributed by zone.
Flow Statistics
View device traffic on flow counters over specific zones.
Allows you to view a chart of flow statistics distributed by
zone.
Attack Statistics
View all of the attacks that have occurred on a device from
specific zones. Allows you to view a chart of the attacks
distributed by zone.
Interface
Zone
88
NetScreen-Global PRO Express Realtime Monitor User’s Guide
Monitoring Individual Device Statistics
View Type
View
Allows you to...
System
Resource Statistics
View CPU utilization and memory allocation statistics on the
device. Allows you to view CPU, Memory and Session
Utilization trends.
Active Statistics
View administrator and user activities; active VPNs; and
authenticated users on a device. Also allows you to view a
snapshot of the ongoing active sessions on the device.
Self Logs
View self logs generated on the device.
System Alerts
View information related to low memory and high device
CPU usage generated on the device.
Troubleshooting
Send troubleshooting commands over Telnet or SCS to a
specific device.
View Type: HA
NSRP Statistics
View NSRP statistics related to clusters created on the
device.
Managing Multiple Device Views
To view multiple device views at once, you can choose to either tile or cascade the views.
Tiling Multiple Views
To view multiple views in the Tile view, use the Window menu and select Tile.
Cascading Multiple Views
To view multiple device views in the Cascade view, use the Window menu and select
Cascade.
Viewing Device Traffic Distribution
You can view statistics describing the traffic on a specific device, including how the traffic
is distributed (i.e., by policy, protocol, or virtual system (if applicable)). You can use
this information to help you identify the policies, protocols and VPN tunnels that are
used most and least frequently on a device.
Viewing Traffic Distribution by Policy
Click on the Policy Distribution button to view device traffic that matches the access
policies configured for a device. Realtime Monitor first displays a bar graph (under the
Chart tab) depicting the distribution of data by policy. The graph uses a percentage of the
absolute number of bytes traveling using the top 10 policies by default.
The following table describes all of the information that is available from the Policy
Distribution view:
Item
Displays...
Policy ID
the number assigned to the access policy when the policy was added to
the NetScreen device.
Policy Name
the name of the policy.
Source Zone
Zone of the host generating the connection.
Destination Zone
Zone of the host receiving the connection.
VPN Name
Name of the Virtual Private Network.
Source IP
the IP address of the host generating the connection.
Source IP Mask
the IP address mask for the host or network generating the connection.
Destination IP
the IP address of the host receiving the connection.
Destination IP Mask
the IP address mask for the host or network receiving the connection.
Service
the application or service associated with the policy. Examples include
Mail, FTP, SNMP, AOL, Telnet, and LDAP.
Action
the activity to be performed, such as Permit, Deny, Tunnel, etc.
Total Connections
the total number of data connections.
Connection Rel%
the relative percentage of connections.
Delta Connection
the total numerical difference between the current connection value and
the previous connection value.
Total Bytes
the total number of data bytes.
Bytes Rel%
the relative percentage of bytes.
Delta Bytes
the total numerical difference between the current bytes value and the
previous bytes value.
Total Packets
the total number of data packets.
Packets Rel%
the relative percentage of packets.
Delta Packets
the total numerical difference between the current packets value and the
previous packets value.
Note: Some options are not available for devices running older ScreenOS versions. Check
the “Device” row in the Summary view to see a device’s ScreenOS version.
Adjusting Data Depicted Graphically
You can adjust all elements depicted in the graph including the policies, data values (i.e.,
absolute or delta), and type of data (bytes in or out, packets in or out, utilization).
To adjust policies depicted graphically:
1. Right-click within the chart and select Configure Policies. A pop-up allowing
you to select which policies to view appears.
2. Click to uncheck the Default checkbox.
3. Click to select the policies that you wish to view on the graph from the list of
Available Policies. Click Add to add the policies that you want to the list of
Selected Policies.
4. Click to select the policies that you no longer wish to view on the graph from the
list of Selected Policies. Click Remove to remove the policies from the list of
Selected Policies.
5. Click OK to apply your changes; or click Cancel to cancel your changes.
To adjust data and data types depicted graphically:
1. Right-click on the Chart view and select Data, and either Delta or Absolute.
2. Right-click on the Chart view and select Data Type, and either Connections,
Bytes, or Packets.
3. Click OK to apply your changes; or click Cancel to cancel your changes.
Viewing Traffic Distribution by Protocol
Click on the Protocol Distribution button to view device traffic that matches the access
protocols configured for a device. Protocols are predefined services (such as HTTP,
SNMP, or Telnet) that are enabled for each device. You can view up to ten protocols.
Realtime Monitor displays a bar graph similar to the one presented for viewing traffic
according to policy distribution. The graph uses a percentage of the absolute number of
bytes traveling using the top 10 protocols by default.
The following table describes all of the information that is available from the Protocol
Distribution view:
Item
Displays...
Protocol
the name of the predefined service (like HTTP, SNMP, or Telnet)
operating on the selected interface.
Interface
the type of interface under which the protocol is operating.
Bytes In
the number of incoming bytes handled by the protocol through the
NetScreen device.
Bytes In Rel%
Relative percentage of all incoming bytes.
Delta Bytes In
the total numerical difference between the current bytes in value and the
previous bytes in value.
Bytes Out
the number of outgoing bytes handled by the protocol through the
NetScreen device.
Bytes Out Rel%
Relative percentage of all outgoing bytes.
Delta Bytes Out
the total numerical difference between the current bytes out value and
the previous bytes out value.
Packets In
the number of incoming packets handled by the protocol through the
NetScreen device.
Packets In Rel%
Relative percentage of all incoming packets.
Delta Packets In
the total numerical difference between the current packets in value and
the previous packets in value.
Packets Out
the number of outgoing packets handled by the protocol through the
NetScreen device.
Packets Out Rel%
Relative percentage of all outgoing packets.
Delta Packets Out
the total numerical difference between the current packets out value and
the previous packets out value.
Util. (Absolute)
the total utilization of the current device.
Util. (Delta)
the total numerical difference between the current utilization value and
the previous utilization value.
Zone
the name of the zone associated with the protocol.
Note: Some options are not available for devices running previous versions of ScreenOS.
Check the “Device” row in the Summary view to identify the version of ScreenOS that the
device is running.
Adjusting Data Depicted Graphically
You can adjust the interfaces (i.e., Trust, Untrust, Management, NSRP, and Self) and
data depicted graphically in the same way that you adjust the Policy Distribution graphs.
Note: Additional options allow you to adjust the data types in the Protocol Distribution
graph by Bytes In, Bytes Out, Packets In, Packets Out, or Utilization, and by Interface.
Viewing Traffic Distribution by VPN (if applicable)
If you are using your devices to implement VPNs, Realtime Monitor allows you to view
how traffic is being distributed across each different VPN tunnel on the device. Realtime
Monitor first displays a bar graph (under the Chart tab) depicting the distribution of data
traveling to and from each VPN tunnel. The graph uses a percentage of the absolute
number of bytes traveling in to the top 10 VPN tunnels by default.
You can adjust all elements depicted in the graph including the VPN tunnels, data values
(i.e., absolute or delta), and type of data (bytes in or out, packets in or out, utilization).
Adjusting VPN Tunnels Depicted Graphically
1. Right-click on the Chart view and select Configure VPNs. A pop-up allowing
you to select VPNs appears.
2. Click to uncheck the Default checkbox.
3. Click to select the VPN tunnel that you wish to view on the graph from the list of
Available VPN tunnels. Click Add to add the VPN tunnel to the list of Selected
VPN tunnels.
4. Click to select the VPN tunnel that you no longer wish to view on the graph from
the list of Selected VPN tunnels. Click Remove to remove the VPN tunnel from
the list of Selected VPN tunnels.
5. Click OK to apply your changes; or click Cancel to cancel your changes.
Adjusting Data Depicted Graphically
1. Right-click on the Chart view and select Data, and either Delta or Absolute.
2. Right-click on the Chart view and select Data Type, and either Bytes In, Bytes
Out, Packets In, Packets Out, Utilization, Last Session Duration, Avg Latency, or
Availability.
3. Click OK to apply your changes; or click Cancel to cancel your changes.
Viewing VPN-specific Information
Click on the VPN Monitor Table tab to view specific information about your VPN. From
the VPN Monitor Table, you can view the following details about a specific VPN:
• key details describing the VPN (i.e., name, Policy IP, group and user
associations, VPN type)
• Security Association (SA) information
• total amount of data traveling through a tunnel (i.e., bytes in/out, packets in/out,
utilization)
The following table describes all of the information that is available from the VPN
Monitor Table:
Item
Displays...
Name
the name of the VPN.
VPN Type
Type of tunnel: Site-to-site or dial-up.
SA Id
the Security Association (SA) identification for the VPN at both ends of
the tunnel.
Policy Id--In/Out
A unique identifier specified when the policy was configured.
Tunnel
up/down status of the VPN tunnel.
SA Status
whether or not the current SA has been established.
Time-SA Status Change
Time that the SA status last changed.
Last SA Session Duration
Duration of the last SA session.
Group
Group associated with the VPN.
User
User associated with the VPN.
DN Name
Distinguished Name (DN) of the VPN.
Avg. Latency
A rolling average of latency, presented in milliseconds.
Availability
Percentage of the time a tunnel is available over the last thirty samples.
Bytes In
the number of incoming bytes handled by the protocol through the
NetScreen device.
Delta Bytes In
Total numerical difference between the current bytes in value and the
previous bytes in value.
Bytes Out
the number of outgoing bytes handled by the protocol through the
NetScreen device.
Delta Bytes Out
Total numerical difference between the current bytes out value and the
previous bytes out value.
Packets In
the number of incoming packets handled by the protocol through the
NetScreen device.
Delta Packets In
Total numerical difference between the current packets in value and the
previous packets in value.
Packets Out
the number of outgoing packets handled by the protocol through the
NetScreen device.
Delta Packets Out
Total numerical difference between the current packets out value and the
previous packets out value.
Util. (Absolute)
Total utilization of the current device.
Util. (Delta)
Total numerical difference between the current utilization value and the
previous utilization value.
Viewing Active VPN Information
Click on the Active VPN tab to view specific information about your active VPNs. From
the Active VPN tab, you can view the following details about your active VPNs:
• key details describing the VPN (i.e., name, Policy IP, local and peer gateway IDs
and IP addresses)
• security established on the active VPN
• time-related statistics (i.e., lifetime, latency)
The following table describes all of the information that is available from the active VPN:
Item
Displays...
Name
the name of the active VPN.
VPN Type
Type of tunnel: Site-to-site or dial-up.
Policy Id--In/Out
A unique identifier specified when the policy was configured.
Tunnel
whether the tunnel for the active VPN is UP or Down.
Ave Latency
A rolling average of latency, presented in milliseconds.
Last Latency
the average of successful ping responses over the last 30 attempts.
Availability
Percentage of the time a tunnel is available over the last thirty samples.
Local GW Id
the local gateway Id for the active VPN.
Peer GW Id
the peer gateway Id address for the active VPN.
Local GW IP
the local gateway IP address for the active VPN.
Peer GW IP
the peer gateway IP address for the active VPN.
Local Address
the local IP address for the device associated to the active VPN.
Peer Address
the peer IP address for the device connected to the active VPN.
Monitor
whether a monitoring capability for the VPN is ON or OFF.
IPSec
the IPSec (IP security) protocol for the active VPN; for example, AH
(Authentication Header) or ESP (Encapsulating Security Payload).
SPI In
the SPI (Security Parameter Index) key into the active VPN. This is an
encryption method.
SPI Out
the SPI (Security Parameter Index) key out of the active VPN. This is an
encryption method.
Encryption
Algorithm used when a user encrypts communication between the
NetScreen device and the server. Listed as either SDI or DES.
Authentication
A second algorithm used when a user encrypts communication
between the NetScreen device and the server.
Key
Type of key associated with the VPN: Auto IKE (Internet Key Exchange)
or manual key.
Lifetime P1
Time listed in seconds before re-keying.
Lifetime P2
Time reported in remaining bytes before re-keying. Independent from
Lifetime P1.
Life Size
the predefined duration of the tunnel.
P1 Status
whether the P1 (phase 1) status for tunnel negotiation is enabled/
disabled.
P2 Status
whether the P2 (phase 2) status for tunnel negotiation is enabled/
disabled.
P1 Auth
Associated with Auto IKE. This column displays the P1 (phase 1)
authentication for the active VPN.
Viewing Traffic Logs
Click on the Traffic Logs button to view specific traffic information that appears in the
log messages generated for a device. You can enable logging for any defined policy.
Whenever a connection is completed using that policy, a log message is generated. The
following table describes all of the information that is available from the Traffic Logs
view:
Item
Displays...
Time
Time the event occurred.
Source IP: Port
IP address of the sending node of the connection being logged.
Destination IP: Port
IP address of the receiving node of the connection being logged.
Translated IP:Port
Translated IP Port.
Duration (sec)
Length in seconds of the connection session.
Application
the name of the application to which the traffic log belongs. The
application is determined by the protocol, source port, and destination
port.
Policy ID
A unique identifier specified when the policy was configured. None
means no name was specified during policy configuration.
Policy Service
the types of service allowed by the policy; for example, FTP, HTTP, and
Telnet.
ICMP Type
the type of ICMP protocol.
Bytes In
the total number of bytes sent in.
Bytes Out
the total number of bytes sent out.
Total Packets
the total number of packets sent.
Count
the number of times this event has occurred.
Viewing Interface Statistics
You can also view traffic information as it is processed by a device over a specific
interface.
Viewing Ethernet Statistics
Click on the Ethernet Statistics button to view traffic information as it is processed by a
specific physical interface on a device. Depending upon the specific NetScreen device, the
following interfaces apply:
• Trust and Untrust interfaces on all NetScreen devices.
• DMZ interface on NetScreen-10, NetScreen-25, NetScreen-50, NetScreen-100 and
NetScreen-500 devices; the NetScreen-5, NetScreen-5XP, and NetScreen-1000
devices have no DMZ interface.
• HA interface and the management interface on NetScreen-100, NetScreen-500,
and NetScreen-1000 devices.
Ethernet Statistics apply only to devices, and not to virtual systems.
Note: Some options are not available for devices running previous versions of ScreenOS.
Check the “Device” row in the Summary view to identify the version of ScreenOS that the
device is running.
Realtime Monitor displays a bar graph similar to the one presented for viewing device
traffic to depict utilization across each physical interface. Right-click within the chart to
select a desired Interface (i.e., Ethernet or HA). The active interface is listed below the
graph. The graph will also provide the total errors in a graphical form. You can view up to
12 samples in the chart.
Note: The save and pause functions are not available in a summary view.
The following table describes all of the information that is available from the Ethernet
Statistics view:
Item
Displays...
Interface
the data for each interface.
Bytes In
the number of bytes of incoming traffic processed through the
NetScreen device over the selected interface.
Delta Bytes In
the total numerical difference between the current bytes in value and
the previous bytes in value.
Bytes Out
the number of outgoing bytes handled by the protocol through the
NetScreen device.
Delta Bytes Out
the total numerical difference between the current bytes out value and
the previous bytes out value.
Packets In
the number of incoming packets handled by the protocol through the
NetScreen device.
Delta Packets In
the total numerical difference between the current packets in value and
the previous packets in value.
Packets Out
the number of outgoing packets handled by the protocol through the
NetScreen device.
Delta Packets Out
the total numerical difference between the current packets out value
and the previous packets out value.
Broadcast
the number of broadcast-type packets processed through the
NetScreen device over the selected interface.
CRC Errors
the number of packets generating a cyclic redundancy code error
processed through the NetScreen device over the selected interface.
Alignment Errors
the number of Frame Checksum (FCS) errors.
ShortFrame
the number of frames that are not of the correct length.
RXCollision
the number of times that two packets collide, resulting in damage to
both. This indicates that the network is overloaded.
Speed (Mbps)
This is useful in calculating the interface utilization.
Status
whether the device is currently Up or Down.
Direction
whether the device is in half/full duplex mode.
Zone
the name of the zone associated with the interface.
Viewing Flow Statistics
Click on the Flow Statistics button to view data on the flow counter for a specific device
or virtual interface. For each device, Realtime Monitor separates the data and statistics
by all available interfaces.
Note: Some options are not available for devices running older ScreenOS versions. Check
the “Device” row in the Summary view to see a device’s ScreenOS version.
The following table describes all of the information that is available from the Flow
Statistics view:
Item
Displays...
Interface
the name of the virtual interface.
Bytes In
the number of bytes of incoming traffic processed through the NetScreen
device over the selected interface.
Bytes Out
the number of bytes of outgoing traffic processed through the NetScreen
device over the selected interface.
Packets In
the number of incoming packets processed through the NetScreen
device over the selected interface.
Packets Out
the number of outgoing packets processed through the NetScreen
device over the selected interface.
VLAN In
the number of VLAN packets received through the NetScreen device;
applies to virtual systems.
VLAN Out
the number of VLAN packets sent through the NetScreen device; applies
to virtual systems.
Connections
the number of connections that occurred for a given Vsys interface.
Packets Dropped
the number of incoming packets dropped by a given Vsys interface.
Packets Denied
the number of incoming packets denied on the virtual interface by the
policy.
Authentication Failed
the number of packets dropped because of an authentication failure.
URL Blocking Dropped
the number of packets dropped because of URL blocking.
IPSec Dropped
the number of packets dropped because of an IPSec encryption failure.
Zone
the name of the zone associated with the interface.
Viewing Attack Statistics
Click on the Attack Statistics button to view all of the attacks that have occurred on a
specific device. The view separates the data and statistics by all available interfaces.
Note: Some options are not available for devices running older ScreenOS versions. Check
the “Device” row in the Summary view to see a device’s ScreenOS version.
The following table describes all of the information that is available from the Attack
Statistics view:
Item
Displays...
Interface
Name of the interface.
SYN Attack
SYN packets overwhelm a network by initiating so many connection attempts or
information requests that the network can no longer process legitimate
connection requests, resulting in a Denial of Service.
Tear Drop
When the first and second parts of a fragmented packet overlap, the server
attempting to reassemble the packet can crash. If the NetScreen device sees
this discrepancy in a fragmented packet, it drops the packet.
Source Route
This option applies in an IP header and allows an attacker to enter a network
with a false IP address and have data sent back to the attacker’s real address.
Ping of Death
Intentionally oversized or irregular ICMP packets can trigger a Denial of Service
condition, freezing, or other adverse system reactions. You can configure a
NetScreen device to detect and reject oversized or irregular packet sizes.
Address Spoofing
You can enable a NetScreen device to guard against spoofing attacks by
checking its own route table. If the IP address is not in the route table, traffic
through the NetScreen device is not allowed.
Land Attack
Combining a SYN attack with IP spoofing, a Land attack occurs when an
attacker sends spoofed SYN packets containing the IP address of the victim as
both the destination and source IP address. This creates an empty connection.
Flooding a system with such empty connections can overwhelm the system,
causing a Denial of Service. NetScreen devices automatically block any
attempt of this nature and record such attempts as a Land attack.
ICMP Flood
ICMP pings can be so numerous that they overload a system with so many
echo requests that the system expends all its resources responding until it can
no longer process valid network traffic. If you set a threshold to invoke ICMP
flood attack protection when exceeded, ICMP flood attacks are recorded as
statistics.
UDP Flood
Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent
with the purpose of slowing down the system to the point that it can no longer
handle valid connections. After enabling the UDP flood protection feature, you
can set a threshold that once exceeded invokes the UDP flood attack protection
feature. (The default threshold value is 1000 packets per second.) If the
threshold is exceeded, the NetScreen device ignores further UDP packets for
the remainder of that second.
WinNuke
WinNuke can cause any computer on the Internet running Windows to crash.
WinNuke introduces a NetBIOS anomaly that forces Windows to restart.
NetScreen devices can scan any incoming Microsoft NetBIOS Session Service
packets, modify them, and record the event as a WinNuke attack.
Port Scan
Port scan attacks occur when packets are sent with different port numbers with
the purpose of scanning the available services in hopes that one port will
respond. The NetScreen device internally logs the number of different ports
scanned from one remote source. If a remote host scans 10 ports in 0.3
seconds, NetScreen flags this as a port scan attack, and rejects further packets
from the remote source.
IP Sweep
This is the same as an address sweep attack, and similar to a port scan attack.
It occurs when an attacker sends ICMP echo requests (or pings) to different
destination addresses hoping that one will reply, thus uncovering an address to
a target. If a remote host pings 10 addresses in 0.3 seconds, the NetScreen
device flags this as an address sweep attack and drops the connection.
Block Java/ActX
Malicious Java or ActiveX components can be hidden in Web pages. When
downloaded, these applets install a Trojan horse on your computer. Similarly,
Trojan horses can be hidden in compressed files such as .zip, .gzip, and .tar,
and executable (.exe) files.
SYN Frag
A SYN fragment attack floods the target host with SYN packet fragments. The
host catches the fragments, waiting for the remaining packets to arrive so it can
reassemble them. By flooding a server or host with connections that cannot be
completed, the host's memory buffer eventually fills. No further connections are
possible, and damage to the host's operating system can occur. The NetScreen
device drops ICMP packets when the protocol field indicates ICMP packets,
and the fragment flag is set to 1 or an offset is indicated.
TCP no Flag
TCP packet that does not have any bits set in the flags.
Unknown Prot
The NetScreen device drops packets where the protocol field is set to 101 or
greater. These protocol types are reserved and undefined at this time.
Bad IP Opt
Triggered when the list of IP options in the IP datagram header is incomplete or
malformed.
IP Rec Route
The NetScreen device blocks packets where the IP option is 7 (Record Route).
This option is used to record the route of a packet. A recorded route is
composed of a series of internet addresses, which an outsider can analyze to
learn details about your network's addressing scheme and topology.
IP Timestamp
The NetScreen device blocks packets where the IP option list includes option 4
(Internet Timestamp).
IP Security
This option provides a way for hosts to send security, compartmentation, TCC
(closed user group) parameters, and Handling Restriction Codes compatible
with DOD requirements.
IP Loose Src
The NetScreen device blocks packets where the IP option is 3 (Loose Source
Routing). This option provides a means for the source of a packet to supply
routing information to be used by the gateways in forwarding the packet to the
destination. This option is a loose source route because the gateway or host IP
is allowed to use any route of any number of other intermediate gateways to
reach the next address in the route.
IP Strict Src
The NetScreen device blocks packets where the IP option is 9 (Strict Source
Routing). This option provides a means for the source of a packet to supply
routing information to be used by the gateways in forwarding the packet to the
destination. This option is a strict source route because the gateway or host IP
must send the datagram directly to the next address in the source route, and
only through the directly connected network indicated in the next address to
reach the next gateway or host specified in the route.
IP Stream
The NetScreen device blocks packets where the IP option is 8 (Stream ID). This
option provides a way for the 16-bit SATNET stream identifier to be carried
through networks that do not support the stream concept.
ICMP Frag
When the protocol field indicates ICMP packets, and the fragment flag is set to
1 or an offset is indicated.
Large ICMP
An ICMP packet with a length greater than 1024.
SYN n FIN
Both the SYN and FIN flags are not normally set in the same packet. However,
an attacker can send a packet with both flags set to see what kind of system
reply is returned and thereby determine what kind of system is on the receiving
end. The attacker can then use any known system vulnerabilities for further
attacks. Enable this option to have the NetScreen device drop packets that
have both the SYN and FIN bits set in the flags field.
FIN no ACK
TCP packet with a FIN set but no ACK set in the flags field.
Mal URL
When you enable Malicious URL Detection, the NetScreen device monitors
each HTTP packet and detects any URL that matches any of several
user-defined patterns. The device automatically drops any such packet.
Limit Session
NetScreen devices can limit the number of sessions that can be established by
a single IP address. For example, session resources on a Web server can be
exhausted if there are many requests from the same client. This option defines
the maximum number of sessions the NetScreen device can establish per
second for a single IP address. (The default threshold is 128 sessions per
second per IP address.)
SYN-ACK-ACK
N/A
Block Frag
As packets traverse different networks, it is sometimes necessary to break a
packet into smaller pieces (fragments) based upon the network's maximum
transmission unit (MTU). IP fragments may carry an attacker's attempt to exploit
the vulnerabilities in the packet reassembly code of specific IP stack
implementations. When the target system receives these packets, the results
range from not processing the packets correctly to crashing the entire system.
When you enable the NetScreen device to deny IP fragments on a security
zone, the device blocks all IP packet fragments that it receives at interfaces
bound to that zone.
Zone
the name of the zone associated with the attack.
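The per-packet checks in the table above, as an added example (not NetScreen code): a Python classifier that parses a raw IPv4 packet and returns the name of every counter whose described condition the packet meets. The function names, the constructed test packets and the reading of "length" as IP total length are assumptions; option number 2 for IP Security comes from RFC 791, not from this guide.

```python
import socket
import struct

# Option numbers named in the table; 2 (Security) is from RFC 791, not the page.
IP_OPTION_COUNTERS = {
    2: "IP Security", 3: "IP Loose Src", 4: "IP Timestamp",
    7: "IP Rec Route", 8: "IP Stream", 9: "IP Strict Src",
}
FIN, SYN, ACK = 0x01, 0x02, 0x10
ICMP, TCP = 1, 6


def scan_ip_options(opts):
    """Walk the IPv4 options area and return matching counter names."""
    hits, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation, a single byte
            i += 1
            continue
        # Every other option is type, length, data; length covers all three.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            hits.append("Bad IP Opt")
            break
        name = IP_OPTION_COUNTERS.get(kind & 0x1F)   # low 5 bits = option number
        if name and name not in hits:
            hits.append(name)
        i += opts[i + 1]
    return hits


def classify(packet):
    """Return every Attack Statistics counter name a raw IPv4 packet matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    proto, src, dst = packet[9], packet[12:16], packet[16:20]
    more_fragments, offset = bool(frag & 0x2000), frag & 0x1FFF

    hits = scan_ip_options(packet[20:ihl])
    if proto >= 101:
        hits.append("Unknown Prot")
    if proto == ICMP:
        if more_fragments or offset:
            hits.append("ICMP Frag")
        if total_len > 1024:     # assumption: "length" means IP total length
            hits.append("Large ICMP")
    # TCP flags sit in the first fragment only, at byte 13 of the TCP header.
    if proto == TCP and offset == 0 and len(packet) >= ihl + 14:
        flags = packet[ihl + 13] & 0x3F
        if flags == 0:
            hits.append("TCP no Flag")
        if flags & SYN and flags & FIN:
            hits.append("SYN n FIN")
        if flags & FIN and not flags & ACK:
            hits.append("FIN no ACK")
        if flags & SYN and src == dst:
            hits.append("Land Attack")
    return hits


def build_ipv4(proto, src, dst, payload=b"", options=b"", frag=0):
    """Constructed test packet; checksum is left 0 because classify() ignores it."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                         0, frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def tcp_segment(flags):
    """Constructed 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    a, b = "192.0.2.10", "198.51.100.5"   # documentation-range addresses
    samples = {
        "SYN+FIN probe": build_ipv4(TCP, a, b, tcp_segment(SYN | FIN)),
        "same source and destination": build_ipv4(TCP, b, b, tcp_segment(SYN)),
        "record-route option": build_ipv4(TCP, a, b, tcp_segment(ACK),
                                          options=b"\x07\x07\x04" + bytes(4)),
        "fragmented large ping": build_ipv4(ICMP, a, b, b"\x08\x00" + bytes(1100),
                                            frag=0x2000),
    }
    for label, packet in samples.items():
        print(f"{label:30} -> {classify(packet)}")
```

A packet can match several rows at once (a SYN+FIN segment also has FIN without ACK); whether the device increments one counter or several in that case is not stated in this guide.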
Viewing Zone Statistics
Realtime Monitor now allows you to view traffic information as it is processed by a device
over specific zones.
You can view Ethernet statistics, flow statistics and attack statistics by zone in the same
manner that you viewed them by interface in the Interface statistics.
Viewing System Statistics
You can also view system-related information for a device.
Viewing Resource Statistics (if applicable)
Click on the Resource Statistics button to view the resources for a device. The following
table describes all of the information that is available from the Resource Statistics view:
Item
Displays...
Avg. CPU Utilization
the average CPU usage of the device.
Memory Allocated
the current memory allocation to the device.
Memory Left
the remaining usable memory.
No. of Fragment Blocks
a percentage of blocks that are fragmented.
Active Sessions
the number of active sessions.
Allocated Sessions
the number of allocated sessions.
Max. Sessions Allowed
the maximum sessions allowed.
Failed Sessions
the number of sessions that failed.
Viewing Active Statistics
Click on the Active Statistics button to view administrator and user activities for a
device. The Administrators tab displays information about the administrators, including
when, where and how they logged in to the system. The following table describes all of the
information that is available from the Administrators view:
Item
Displays...
Administrator ID
the administrator’s logon ID.
IP Address
the administrator’s IP address.
Service Used
the type of service, for example, Console, Web, or Telnet.
Time
the time that the administrator logged on.
The following table describes all of the information that is available from the Authenticated
Users view:
Item | Displays...
User ID | User login ID.
Source IP Address | Source IP address.
Time | Time that the user logged on.
You can also access VPN information from the Active VPN view, and Active Session
information from the Active Sessions view. Refer to Viewing Active VPN Information for
more information that is available from the Active VPN view. Refer to Viewing Active
Sessions for more information on Active Sessions.
Viewing Self Logs
Self logs contain NetScreen device-specific logs. Click on the Self Logs button to view
information related to identical traffic to the device itself; for example, who logged in and
from where. The following table describes all of the information that is available from the
Authenticated Users view:
Item | Displays...
Time | the date and time the event occurred.
Source IP:Port | the IP address of the device transmitting the traffic.
Destination IP:Port | the IP address of the device receiving the traffic.
Duration (sec) | the length in seconds of the connection session.
Application | the name of the application to which the traffic log belongs. The application is determined by the protocol, source port, and destination port.
Count |
Viewing System Alerts
Click on the System Alerts button to view information related to low memory and high
device CPU usage. The following table describes all of the information that is available
from the System Alerts view:
Item | Displays...
Event Type | the type of alert or system alarm.
Event Sub Type | the type of alert or system alarm.
First Occurrence | the first occurrence of this event.
Last Occurrence | the most recent occurrence of this event.
Severity | the severity of the event; that is, from critical to clear.
Summary | a brief synopsis of the event.
Count | the number of times this event has occurred.
Troubleshooting
Realtime Monitor allows you to communicate using Telnet or a Secure Command Shell to
query the status of a device. You can use this capability to issue a “get” Telnet
command to a NetScreen device or a NetScreen CLI command to the SCS (Secure
Command Shell) on the device to troubleshoot problems.
Refer to Troubleshooting the Device in Chapter 5 for more information.
Viewing Active Sessions
A new feature in Realtime Monitor is the ability to view a snapshot of ongoing active
sessions on the device. You can view active sessions from the System: Active Statistics
view.
When you click on the Active Sessions tab, Realtime Monitor by default provides a
short-form view of the active sessions, which lets you monitor basic information about the
active sessions on the device (i.e., source IP, destination IP, translated IP (if applicable),
source port, destination port, translated port (if applicable), policy ID, time the session
starts, and protocol type). You can also view extended information about the session (i.e.,
session ID, ICMP type (if applicable), total incoming bytes, total outgoing bytes, total
packet count, and how long the session has been active).
The following table describes all of the information that is available from the Active
Sessions view:
Item | Displays...
Session ID | A unique identifier specified with the active session.
Source IP | IP address of the sending node of the connection.
Source Port | Port number of the sending node of the connection.
Destination IP | IP address of the receiving node of the connection.
Destination Port | Port number of the receiving node of the connection.
Translated IP | Translated IP address.
Translated Port | Translated port number.
Duration (sec) | Length in seconds of the connection session.
Policy ID | A unique identifier specified when the policy was configured. None means no name was specified during policy configuration.
Protocol ID | A unique identifier specified when the protocol was configured.
ICMP Type | the type of ICMP protocol.
Bytes In | the total number of bytes sent in.
Bytes Out | the total number of bytes sent out.
Total Packets | the total number of packets sent.
Duration | the length in seconds of the connection session.
Start Time | the time that the session started.
Using the Session Filter
You can control the information that is provided in the Active Sessions view by
configuring the session filter. The Session Filter allows you to fetch specific sessions on a
device that match specific criteria that you set. Like the Monitor Filter for the Event
Summary View, there is only one Session Filter and it defines the overall data set that
you can view from the Active Sessions view. Once you have configured and applied the
Session Filter, you can then configure additional session display filters to view more
specific session information.
Configuring the Session Filter
1. Use the Options menu, and select Session Filter. The Session Filter Dialog will appear.
2. Click in the Long Form checkbox to display additional information about the Active Session.
3. Click in the Maximum number of sessions to retrieve checkbox and enter the total number of sessions you want the Session Filter to retrieve.
4. Specify criteria for the sessions that you would like to view. You can specify an active session according to the following:
   • Source, Destination, and Translated IP (IP Address, Net Mask, and Port Range)
   • Session Duration
   • Session Start Date and Time
   • Policy ID
   • Session Type
   • Protocol ID
   • Policy with Logging
5. Click on the More button to view additional criteria.
6. Click on the Reset to Default button to reset all criteria back to their default settings.
7. Click OK when you are done.
8. Click on the Refresh button to apply the criteria to the active session table view.
Configuring a Session Display Filter
Once you have defined the Session Filter, you can apply a session display filter to view
only specific active sessions.
1. Use the Options menu, and select Session Display Filter. The Session Filter Dialog will appear.
2. From the Source tab, you can specify the sessions that you want to view according to the Source IP Address and Port number, or Port Range.
3. Click in the Destination tab to specify the sessions that you want to view according to Destination IP Address and Port number, or Port Range.
4. Click in the Translated tab to specify the sessions that you want to view according to Translated IP Address and Port number, or Port Range.
5. Click in the Protocol tab to specify the sessions that you want to view according to protocol.
6. Click in the Other tab to specify the sessions that you want to view according to Session Duration, Session Start Time or Policy ID.
7. Click OK when you are done.
8. Click on the Refresh button to apply the Session Display criteria to the active session table view.
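The two-stage filtering described in Using the Session Filter and Configuring a Session Display Filter can also be applied to session records held outside the console. The following Python sketch is an added example, not part of Realtime Monitor: the record layout, the class and function names, the use of IP protocol numbers for Protocol ID, the reading of Session Duration as a minimum, and the sample sessions are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Endpoint:
    """IP address + net mask + port range, as in the Source/Destination criteria."""
    network: str = "0.0.0.0/0"
    ports: tuple = (0, 65535)

    def matches(self, ip, port):
        net = ipaddress.ip_network(self.network, strict=False)
        return ipaddress.ip_address(ip) in net and self.ports[0] <= port <= self.ports[1]


@dataclass
class SessionFilter:
    source: Endpoint = field(default_factory=Endpoint)
    destination: Endpoint = field(default_factory=Endpoint)
    min_duration: int = 0            # seconds; assumed to mean "at least"
    started_after: datetime = None   # Session Start Date and Time
    policy_id: int = None
    protocol_id: int = None          # assumed to be the IP protocol number
    max_sessions: int = None         # "Maximum number of sessions to retrieve"

    def matches(self, s):
        return (
            self.source.matches(s["src_ip"], s["src_port"])
            and self.destination.matches(s["dst_ip"], s["dst_port"])
            and s["duration"] >= self.min_duration
            and (self.started_after is None or s["start"] >= self.started_after)
            and (self.policy_id is None or s["policy_id"] == self.policy_id)
            and (self.protocol_id is None or s["protocol_id"] == self.protocol_id)
        )

    def apply(self, sessions):
        hits = [s for s in sessions if self.matches(s)]
        return hits if self.max_sessions is None else hits[: self.max_sessions]


def session(sid, src, sport, dst, dport, proto, policy, duration, start):
    """Build one constructed session record."""
    return {
        "id": sid, "src_ip": src, "src_port": sport,
        "dst_ip": dst, "dst_port": dport,
        "protocol_id": proto, "policy_id": policy, "duration": duration,
        "start": datetime.strptime(start, "%Y-%m-%d %H:%M"),
    }


# Constructed sample data (documentation address ranges).
SESSIONS = [
    session(101, "10.1.4.20", 40112, "192.0.2.10", 23, 6, 7, 5400, "2002-06-03 08:15"),
    session(102, "10.1.9.8", 51000, "192.0.2.10", 443, 6, 7, 30, "2002-06-03 09:01"),
    session(103, "10.2.0.5", 33000, "192.0.2.10", 23, 6, 9, 7200, "2002-06-03 07:40"),
    session(104, "10.1.7.7", 2049, "198.51.100.4", 53, 17, 7, 2, "2002-06-03 09:05"),
    session(105, "10.1.4.21", 40200, "192.0.2.77", 23, 6, 7, 45, "2002-06-03 09:06"),
]

# Stage 1, the single Session Filter: TCP sessions sourced from 10.1.0.0/16.
SESSION_FILTER = SessionFilter(
    source=Endpoint("10.1.0.0/255.255.0.0"), protocol_id=6
)

# Stage 2, a display filter over that data set: Telnet lasting an hour or more.
DISPLAY_FILTER = SessionFilter(
    destination=Endpoint(ports=(23, 23)), min_duration=3600
)


def long_telnet_ids(sessions):
    """Apply the session filter first, then the display filter to its result."""
    retrieved = SESSION_FILTER.apply(sessions)
    return [s["id"] for s in DISPLAY_FILTER.apply(retrieved)]


if __name__ == "__main__":
    print("retrieved:", [s["id"] for s in SESSION_FILTER.apply(SESSIONS)])
    print("displayed:", long_telnet_ids(SESSIONS))
```

Session 103 matches the display criteria but never appears, because the display filter only sees what the session filter retrieved.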
Viewing High Availability (HA) Statistics (if applicable)
You can view NSRP Statistics related to clusters (this view only appears if a virtual
system is associated with the device). The following table describes all of the information
that is available from the NSRP Statistics view:
Item | Displays...
VSD Group ID | the group ID that is associated with the VSD (or RTO).
Number of Units | the number of units associated with the VSD (or RTO).
State Change Counter | the number of times a device changes operational states.
Init Counter | the transient state of a VSD (or RTO) group member while it was in the process of joining the VSD (or RTO) group.
Master | the number of Master devices.
Primary BackUp | the number of primary backup devices.
BackUp | the total number of backup devices.
Ineligible | Notes that an administrator purposefully assigned a device so that it cannot participate in selecting a new master device.
InOperable | Notes that a VSD (or RTO) group device has an internal problem.
Master Conflict | the number of conflicts that occurred on the master device.
Primary Backup Conflict | the number of conflicts that occurred on the primary backup device.
Tx Heartbeat | the number of transmitted heartbeats on the devices.
Rx Heartbeat | the number of received heartbeats on the devices.
MONITORING VPN STATUS
If you have implemented a virtual private network or VPN, you can use the VPN Monitor
to get an at-a-glance view of the up/down status of every VPN tunnel as well as other
statistics relevant to your VPN. To launch the VPN Monitor, click on the VPN Monitor
button.
Viewing the VPN Status Summary
The VPN Monitor lists a summary of all the VPN tunnels that have been implemented in
your system. It includes visual indicators that depict whether an existing VPN tunnel is
Up, Down, or Not Monitored. VPN tunnels that are up are colored green, those that are
down are colored red, and those not configured for monitoring are colored orange. The
Summary also includes information describing the VPN name, VPN type, Source,
Destination, Security Parameter Index, IP Address, and Protocol.
About VPN Tunnels
The VPN Monitor displays a variety of information about a virtual private network
(VPN), including the type of “tunnels” deployed. By definition, VPN tunnels are used to
manage and provide security for a virtual system, and to allow remote users to connect to
a virtual system. There are two distinct types of VPN tunnels:
• Site-to-site: Also known as a LAN-to-LAN connection, site-to-site VPNs are further characterized as:
  – Static site-to-site VPN, Manual Key tunnel.
  – Static site-to-site VPN, AutoKey IKE tunnel.
  – Dynamic site-to-site VPN, AutoKey IKE tunnel.
• Dial-up: Other VPNs are deployed as a simple dial-up connection, with either a static IP address to secure an IPSec tunnel with a NetScreen-Remote client, or with another NetScreen device using a dynamic IP address acting as a DHCP or PPPoE client.
Controlling VPN Information
You can control the information that is provided in the VPN Monitor by configuring a
display filter. The display filter works exactly like the display filter used to manage event
summary information.
Configuring a VPN Display Filter
1. Use the Options menu, and select Display Filter. The VPN Filter Dialog will appear.
2. If you know the type of VPN you want to view, click either the Site to Site or Dialup type radio button.
3. If you know the status of the VPN tunnel you want to view, click either the Up, Down or Not Monitored status radio button.
4. If you know the device or virtual system associated with the VPN tunnel, click to add the device/vsys from the list of Available Devices/(Vsys) and click on the Add button. The device/vsys will appear in the list of Selected Devices/(Vsys). Click to remove the device/vsys from the list of Selected Devices/(Vsys) and click on the Remove button. The device/vsys will appear in the list of Available Devices/(Vsys). Click in the Include all selected Devices radio button to include the devices selected. Click in the Exclude all selected Devices to exclude the devices selected.
5. Click OK when you are done.
6. Click on the Refresh button to apply the Session Display criteria to the active session table view.
Viewing Active VPN Details
To view the details on the active VPN, click to select the VPN, use the View menu and
select Active VPN Details (alternatively, you can also right-click on the VPN tunnel and
select Active VPN Details).
Refer to Viewing Active VPN Information for more information on the Active VPN Details
table.
Viewing Device-Specific VPN Information
Right-click on the VPN tunnel and select Monitor Data, and then the device to view
device-specific information about your VPN. A Monitor info window appears where you
can access the VPN Monitor table, Active VPN table, and a chart allowing you to view the
distribution of VPN tunnels on the device.
Viewing VPN Events
To view the events on a VPN, click to select the VPN, use the View menu and select VPN
Events (alternatively, you can also right-click on the VPN tunnel and select Events).
The following table describes all of the information that is available from the VPN Events
window:
Item | Displays...
Hostname/IP | the hostname and IP address of the NetScreen device.
Vsys | the name of the virtual system (if applicable).
Event Type | the type of the event.
Event Sub Type | the sub-type of the event.
First Occurrence | a timestamp of the first occurrence of this event.
Last Occurrence | a timestamp of the most recent occurrence of this event.
Severity | the severity of the event; that is, from critical to clear.
Summary | a brief synopsis of the event.
Count | the number of times this event has occurred.
MONITORING NSRP STATISTICS
If you have implemented NetScreen Redundancy Protocol (NSRP) for the purpose of
deploying clusters in your NetScreen security system, you can use the NSRP Monitor to
get an at-a-glance status of your NetScreen systems that are in “clusters.” These systems
include both the NetScreen-500 and the NetScreen-1000. To launch the NSRP Monitor,
click on the NSRP Monitor button.
About Clusters
Traffic flow on a network must remain uninterrupted and moving, even in the event of a
network failure. Clusters solve the problem of network failure. Clusters represent a
logical grouping of devices. In a cluster, devices are linked together to form a redundant
group; one device acts as the master, while the others act as a backup. This guarantees
that your network is running at all times. NSRP is the protocol that is used to implement
and manage clusters.
Note: ScreenOS 3.1.0-NSRP is available for NetScreen-500 platforms only. If you are not
running ScreenOS 3.1.0-NSRP or later, the enhanced VPN monitoring feature is not
available. Check the “Device” row in the Summary view to verify a device’s ScreenOS
version.
Viewing NSRP Summary Information
Double-click on an NSRP device to view a summary of the top-level information on the
selected cluster. From the NSRP Summary, you can view the following details about a
specific cluster:
• key details describing the cluster (i.e., ID, # of VSDs, # of RTOs)
• security details
• the total number and type of events
The following table describes all of the information that is available from the NSRP
summary:
Item | Displays...
Cluster | ID of this cluster.
No of VSD’s | the total number of Virtual Security Devices (VSD) that are attached to this cluster.
No of RTO’s | the total number of Run Time Objects (RTO) that are attached to this cluster.
Encryption | whether or not encryption has been enabled/disabled.
Authentication | whether or not authentication has been enabled/disabled.
No. of Gratuitous arps | the number of gratuitous arps.
Critical Events | the total number of Critical events that occurred.
Major Events | the total number of Major events that occurred.
Minor Events | the total number of Minor events that occurred.
Warning Events | the total number of Warning events that occurred.
Intermediate Events | the total number of Intermediate events that occurred.
Clear Events | the total number of Clear events that occurred.
Viewing NSRP Details
Right-click the top-level cluster to view additional NSRP details.
From the NSRP Details view, you can view information that you would commonly see in
the Event Monitor:
• key details describing the cluster (i.e., host name, IP address)
• type and subtype of events that have occurred
• number of times that an event has occurred
• time-related information (i.e., first and last occurrence date and time)
The following table describes all of the information that is available from the NSRP
Details view:
Item | Displays...
Hostname/IP | the name and IP address of the devices associated with the cluster.
Vsys | the virtual systems associated with this cluster.
Event Type | the type of event.
Event Sub Type | the type of event.
First Occurrence | a timestamp of the first occurrence of this event.
Last Occurrence | a timestamp of the most recent occurrence of this event.
Severity | the severity of the event; that is, from critical to clear.
Summary | a brief synopsis of the event.
Count | the number of times this event has occurred.
Viewing VSD/RTO Information
Double-click on the cluster device icon or click on the + icon that corresponds to the cluster
device icon to view the virtual security devices (VSD) and run-time objects (RTO) that
have been attached to this cluster.
Click on the VSD or RTO icon, and Realtime Monitor displays summary information
describing the object. The following table describes all of the information that is available
from the VSD/RTO summary:
Item | Displays...
Cluster ID | the cluster ID associated with this VSD.
VSD(RTO) ID | the ID of this VSD (or RTO).
No of Devices | the total number of devices that are associated with this VSD.
Init Hold Time (sec) | the initial hold time state (in seconds) of the VSD.
Heartbeat Interval (ms) | the time interval (in milliseconds) between each heartbeat.
Heartbeat Lost Threshold (ms) | threshold level required to change over to the backup device.
Master | the Master NetScreen System.
Primary Backup | the primary NetScreen System.
Critical Events | the total number of Critical events that occurred.
Major Events | the total number of Major events that occurred.
Minor Events | the total number of Minor events that occurred.
Warning Events | the total number of Warning events that occurred.
Intermediate Events | the total number of Intermediate events that occurred.
Clear Events | the total number of Clear events that occurred.
Viewing VSD/RTO-specific Details
For more information on a VSD device, click to select the device, then click on the Details
icon. Alternatively, you can use the View menu, and select Details; or right-click on the
icon and select Details. The Cluster Details view appears. Realtime Monitor again
displays summary information for the VSD/RTO.
Viewing VSD/RTO Configuration Details
Click on the Configuration tab to view specific information about your VSD configuration.
From the Configuration tab, you can view the following details about a specific VSD:
• key details describing the VSD (i.e., SN#, member ID)
• status information (i.e., whether the VSD is the master or primary device)
The following table describes all of the information that is available from the VSD/RTO
configuration view:
Item | Displays...
Device | the serial number associated with this VSD (or RTO).
Member ID | the member identification associated with this VSD (or RTO).
Status (N/A for RTO) | whether the device is the master or primary device.
Priority (N/A for RTO) | the list priority for this device.
Preempt (N/A for RTO) | whether the device is set to the preempt mode.
Viewing VSD Counter Details
Click on the Counters tab to view specific information about your VSD counters. The
following table describes all of the information that is available from the VSD counters
view:
Item | Displays...
Device | the device(s) that are associated with the VSD (or RTO).
Number of Units | the number of units associated with the VSD (or RTO).
State Change Counter | the number of times a device changes operational states.
Init Counter | the transient state of a VSD (or RTO) group member while it was in the process of joining the VSD (or RTO) group.
Master | the number of Master devices.
Primary BackUp | the number of primary backup devices.
BackUp | the total number of backup devices.
Ineligible | Notes that an administrator purposefully assigned a device so that it cannot participate in selecting a new master device.
InOperable | Notes that a VSD (or RTO) group device has an internal problem.
Master Conflict | the number of conflicts that occurred on the master device.
Primary Backup Conflict | the number of conflicts that occurred on the primary backup device.
Tx Heartbeat | the number of transmitted heartbeats on the devices.
Rx Heartbeat | the number of received heartbeats on the devices.
Viewing RTO Counter Details
Click on the Counters tab to view specific information about your RTO counters. The
following table describes all of the information that is available from the RTO counters
view:
Item | Displays...
Device | the device(s) that are associated with the RTO.
Member ID | the member identification associated with this RTO.
Status | the current status of the RTO: Active or Down.
Direction | the direction of the RTO: In or Out.
Lost Heartbeat | the number of heartbeats not received from the RTO’s peers.
Counter to Active | the number of times that the RTO was placed to “active”.
Counter to Set | the number of times that the RTO was placed to “set”.
Counter to Lost Peer | the number of times that the RTO was placed to Lost Peer.
Counter to Group Detach | the number of times that the RTO was placed to Group Detach.
Viewing VSD/RTO Events
From the VSD/RTO events view, you can view information that you would commonly see
in the Event Monitor:
• key details describing the VSD/RTO (i.e., host name, IP address)
• type and subtype of events that have occurred
• number of times that an event has occurred
• time-related information (i.e., first and last occurrence date and time)
The following table describes all of the information that is available from the VSD/RTO
events view:
Item | Displays...
Hostname/IP | the name and IP address of the devices associated with the VSD or RTO.
Vsys | the virtual systems associated with this cluster.
Event Type | the type of event.
Event Sub Type | the type of event.
First Occurrence | a timestamp of the first occurrence of this event.
Last Occurrence | a timestamp of the most recent occurrence of this event.
Severity | the severity of the event; that is, from critical to clear.
Summary | a brief synopsis of the event.
Count | the number of times this event has occurred.
Chapter 6
Performance Tuning
Depending upon your specific monitoring needs, Realtime Monitor provides you with the
flexibility to control and manage the flow of information from your devices to the Monitor
Console allowing you to improve your overall system performance.
This chapter provides recommendations that describe how you can tune Realtime Monitor
for better performance. It includes the following sections:
• Disabling Information Sent From the Device
• Performance Tuning the Monitor Console
DISABLING INFORMATION SENT FROM THE DEVICE
One way to improve your overall system performance is to reduce the overall amount of
information that is sent from each device to the Realtime Monitor Console. For example,
you may want to consider disabling configuration logs on a specific device. This is because
Policy Manager keeps this information at a higher level than does the device. This makes
it difficult to correlate the two.
Although you may use ScreenOS to configure each device to initially send specific types of
information to Global-PRO, you will want to use the Realtime Monitor Console anytime
you want to reconfigure these settings. The settings that you configure in Realtime
Monitor will overwrite any previous settings on the device.
To disable information sent from a device:
1. From the Realtime Monitor Console, click on the Devices button in the Control pane.
2. Select a device from the List pane. The profile for the device appears in the Details pane.
3. Click to select the Device Settings tab.
4. Uncheck the checkbox corresponding to the message type that you want to disable in the Enable the Following Tables section. Click the Clear All button to disable all message types; click the Select All button to enable all message types.
5. Click on the Save button in the Realtime Monitor Console toolbar to save your changes; or click the Undo button to cancel your changes.
PERFORMANCE TUNING THE MONITOR CONSOLE
Realtime Monitor also allows you to control and manage the flow of information to the
Monitor Console. You can accomplish this in the following ways:
• Configuring the Monitor Filter
• Limiting Table Sorting
• Limiting the Amount of Traffic/Self Logs
• Increasing the Device Statistics Polling Interval
• Decreasing the Event Viewer Cache Size
Configuring the Monitor Filter
The Monitor Filter allows you to set certain criteria defining which information is allowed
to pass from the Data Collector to the Monitor Console. To optimize the performance of
the Monitor Console, you can configure the monitor filter to limit the flow of information
to the Monitor Console. For example, if you were only interested in information from 1
device group, you could configure the Monitor Filter to pass only this information to the
Monitor Console.
To configure the Monitor Filter:
1. From the Monitor Filter menu, select New. The Monitor Filter Definition window appears.
2. Click in the Filter Name field and enter a specific name for the filter. You cannot reconfigure or delete the default filter.
3. If you wish to view information from a specific time, check the Timestamp check box and enter the desired time.
4. Click in the Condition Name field and enter a specific name for the Condition. Naming a condition will make it easier for you to configure multiple conditions in a display filter. You cannot reconfigure or delete the default condition.
5. Select the device(s) that you wish to monitor. Double-click on All Devices to view all available devices. Click the + or - icon to expand or collapse the list of devices.
6. Select the event type(s) or event(s) that you wish to monitor. Double-click on All Events to view all available events. Click the + or - icon to expand or collapse the list of events.
7. Use the And/Or drop-down to include events of a certain severity level. Use the Severity drop-down to select a specific severity level.
8. Click on the Update icon when finished.
Realtime Monitor saves the Monitor Filter as a .nmf (NetScreen Monitor Filter) file. The
file is saved in a folder called “Monitor Filter” on your local drive by default.
Applying the Monitor Filter
Saving the Monitor filter does not automatically apply the filter to the data. Click on the
Apply icon to apply the Monitor filter to the device data. After clicking Apply, the Filter
becomes “Active” and is displayed in the Display Filter and Event Summary panes.
Limiting Table Sorting
By default, Realtime Monitor sorts the data in all its tables every time a new record is
added. To improve performance on the Console, you can configure Realtime Monitor to
sort tables only when you click on the column header.
To limit table sorting:
1. From the Monitor Console, use the Tools menu and select Customize. The Customize window will appear.
2. From the Options tab, uncheck the Sort - Always checkbox.
3. Click OK to apply your changes; click Cancel to cancel your changes.
Limiting the Amount of Traffic/Self Logs
Realtime Monitor also allows you to limit the total number of traffic and self logs that will
appear on the Monitor Console.
To limit the amount of traffic/self logs:
1. From the Monitor Console, use the Tools menu and select Options. The Options window will appear.
2. From the Preferences tab, click in the Number of Traffic/Self Logs section, and decrease the number of traffic/self logs that Realtime Monitor caches. The default maximum logs kept is 2000.
3. Click OK to apply your changes; click Cancel to cancel your changes.
Increasing the Device Statistics Polling Interval
If your need for device statistics is not immediate, you can further improve the
performance of the Monitor Console by increasing the interval at which the
Monitor Console polls devices for device statistics.
To increase the device statistics polling interval:
1. From the Monitor Console, use the Tools menu and select Options. The Options window will appear.
2. From the Preferences tab, click in the Device Statistics Polling Interval section, and increase the number of seconds with which Realtime Monitor polls all devices. The default interval is 120 seconds (or 2 minutes).
3. Click OK to apply your changes; click Cancel to cancel your changes.
Decreasing the Event Viewer Cache Size
Much in the same way that you can improve the performance of a Data Collector by
decreasing the number of events that it must store in cache, you can similarly improve the
performance of the Monitor Console by decreasing the size of its cache.
To decrease the event viewer cache size:
1. From the Monitor Console, use the Tools menu and select Options. The Options window will appear.
2. Select the Event tab.
3. Click in the Number of Records checkbox, and decrease the maximum number of records that Realtime Monitor caches. The default number of records is 10,000.
4. Click in the Memory Usage checkbox, and decrease the size of the cache memory used by Realtime Monitor. The default memory usage is 5 Mb.
5. Click OK to apply your changes; click Cancel to cancel your changes.
Chapter 7
Troubleshooting
Realtime Monitor provides several tools that will help you to diagnose and troubleshoot
common errors that you may experience while using Realtime Monitor. This chapter
describes these tools and how you can use them to troubleshoot problems with Realtime
Monitor.
Its main sections include:
• Troubleshooting Realtime Monitor
• Checking System Health
• Maintaining The System
• Troubleshooting the Device
TROUBLESHOOTING REALTIME MONITOR
Realtime Monitor provides you with several tools to help you diagnose and troubleshoot
common problems.
Using the System Health Console
From the Realtime Monitor Console, you can access the System Health window. The
System Health window is a read-only view indicating the status of the Data Collector and
Master Controller configured in your Realtime Monitor system.
Refer to Checking System Health for more information.
Using Device Debug Information
You can also configure the device to produce debug information. Refer to the ScreenOS
documentation for more information on enabling debug information on the device.
CHECKING SYSTEM HEALTH
Use the System Health window to view the health of each server component at a glance.
Click on the System Health button in the Realtime Monitor Console to launch the
System Health window.
Use the System Health window to view the status of the
Data Collector and Master Controllers.
The System Health window provides the following information:
Item: Identifies...
Name: Name of the component when added to the system.
IP: IP address of the component.
Type: The Realtime Monitor server component as a Data Collector or Master Controller.
Last Heartbeat: Most recently recorded heartbeat for the Data Collector and Master Controller.
Interval (in seconds): Length of time between the current time and the last heartbeat. If the current time is greater than the specified interval, it displays the server as down.
CPU Load (%): The percentage CPU utilization by the server component.
JVM Free Mem. (%): (Java Virtual Machine) Remaining percentage of allotted memory still free.
MAINTAINING THE SYSTEM
It is recommended that you perform a cleanup operation on the system on a monthly
basis. You can do this by running a command called “vacuum” on the NetScreen-Global
PRO Express appliance.
1. Log in to the appliance as the “realtime” user.
2. Navigate to the pgsql subdirectory on the appliance. For example, you would
run the following command:
    cd /usr/netscreen/RealtimeMt/scripts/pgsql
3. Run the vacuum command. For example, you would enter the following:
    #> vacuum
Server Management Scripts
On occasion, it may become necessary to change specific system parameters including the
system password and authentication ID. Realtime Monitor includes the following scripts
to perform these tasks.
Resetting the System Password
1. Log in to the appliance as the root user.
2. Navigate to the pgsql subdirectory on the appliance. For example, you would
run the following command:
    cd /usr/netscreen/RealtimeMt/scripts/pgsql
3. Run the set_db_pass.pl script. For example, you would enter the
following:
    ./set_db_pass.pl
4. Reboot the system for your changes to take effect.
Changing the Authentication ID
The Customer Authentication ID can be a unique password, containing both letters and
characters. It must, however, be the same on all components of the suite for Realtime
Monitor to work. The ID that you enter will be encrypted and used for authentication.
1. Log in to the appliance as the root user.
2. Navigate to the startup subdirectory on the appliance. For example, you would
run the following command:
    cd /usr/netscreen/RealtimeMt/startup
3. Run the set_authid command, specifying the new authentication ID.
For example, you would enter the following:
    setauthid <Authentication ID>
4. Reboot the system for your changes to take effect.
TROUBLESHOOTING THE DEVICE
Realtime Monitor allows you to communicate using Telnet or a Secure Command Shell to
query the status of a device. You can use this capability to issue a “get” Telnet
command to a NetScreen device or a NetScreen CLI command to the SCS (Secure
Command Shell) on the device to troubleshoot problems.
Note: Refer to NetScreen CLI Reference Guide for more information on CLI commands.
Issuing Commands To a Device
1. From the Monitor Console, use the View menu and select Device Statistics for
the device that you want to query.
2. Click on the Troubleshooting view.
3. Click the Telnet or SCS radio button to specify how you want to
communicate with the device.
4. Enter a command in the Get Command field. Alternatively, you can click on
any of the available shortcuts from the list of Shortcuts.
5. Click on the Execute Command button. Information from the query appears in
the display field. The command is logged in the History field.
6. Click on Add to Shortcut to add the command to the Shortcuts field.
Chapter 8
Upgrading Realtime Monitor
This chapter describes how to upgrade your existing version of
NetScreen-Global PRO Express Realtime Monitor 3.x to version 4.0.
Its main sections include:
• Upgrading from 3.x to 4.0
• Migration Path
• Upgrade Process
• Backing Up Your Previous Installation
• Upgrading the Appliance
• Upgrading the Client
• Troubleshooting the Upgrade
UPGRADING FROM 3.X TO 4.0
This section contains procedures for upgrading your existing version of NetScreen-Global
PRO Express Realtime Monitor 3.x to version 4.0.
Migration Path
To upgrade to 4.0, you must be running the latest version of Realtime Monitor 3.x. If you
are running a previous version of Realtime Monitor, you must follow the migration path
that leads to the latest version before proceeding to upgrade to 4.0.
Refer to the NetScreen-Global PRO Express Realtime Monitor v3.x Installer’s Guide and
the release notes for all later versions of Realtime Monitor 3.x for more information on
how to upgrade previous versions of Realtime Monitor to the latest version.
Upgrade Process
The process of upgrading your existing installation of Realtime Monitor to 4.0 is as
follows:
• Backing Up Your Previous Installation
• Upgrading the Appliance
• Upgrading the Client
Backing Up Your Previous Installation
It is very important that you make a backup copy of your existing Realtime Monitor data
before proceeding to upgrade. This is to ensure that you will not lose any data saved
should any problems occur during the upgrade procedure.
Backing Up the Console
1. Navigate to the Realtime Monitor installation directory (i.e.,
C:\Program Files\NetScreen\Realtime Monitor).
2. Copy all the contents of the Realtime Monitor folder.
Upgrading the Appliance
You can download the latest version of NetScreen-Global PRO Express server from the
NetScreen Worldwide Service and Support corporate web site. The URL of the
NetScreen Worldwide Service and Support page is:
http://www.netscreen.com/support/index.html
Use your Internet web browser to navigate to the site, and follow the instructions
provided to download the latest software and upgrade your existing appliance.
Upgrading the Client
1. Open a web browser and enter the IP address of the computer where you have
installed NetScreen-Global PRO Express. For example, if the IP address of the
Express box is 10.150.150.42, you would enter the following in your browser
Address bar:
    http://10.150.150.42
The NetScreen-Global PRO Express installation page appears.
2. Click “Yes” on the two security warning screens.
3. Click either “Download Installer for Windows” or “Download Realtime Monitor”
to start loading the NetScreen-Global PRO Express client. The installer displays
the Realtime Monitor License Agreement.
4. Review the License Agreement, and if you accept the terms, click in the
checkbox indicating that you accept the terms of the License Agreement. Click
Next to continue. The installer next displays important information regarding
installation components and requirements.
5. Review the information and click Next to continue. The installer displays a
screen prompting you to specify a folder in which it will save the Realtime
Monitor software files. The installer will create a subdirectory tree including
subdirectories for “NetScreen” and “Realtime Monitor” in the Program Files
directory on your local C:\ drive by default (i.e.,
C:\Program Files\NetScreen\Realtime Monitor).
6. Select the default location, edit the field and enter a different installation
location, or click Choose... to browse to a different location. Click Install to
continue.
The installer displays a series of informational screens as it installs the
Realtime Monitor. You can monitor the progress via the task bar at the bottom
of the screen. When finished, the installer displays a screen prompting you to
enter the IP address for the Master Controller, and your Customer
Authentication ID.
7. Enter the Master Controller IP address and the Customer Authentication
ID information. Click Next to continue.
Note: The initial Authentication ID selection is arbitrary but must be consistent
for all components of the suite. This should be a unique password, containing
both letters and characters. This becomes encrypted and permanent.
8. Click Done to exit the installer. You will notice that a shortcut to launch
Realtime Monitor now appears on the desktop.
Troubleshooting the Upgrade
A common error during the upgrade is entering an incorrect IP address for
the Master Controller. If you have done this, remember that you cannot update your
configuration parameters using IFCONFIG. To change the IP address, you must use the
netsetup command. Refer to Configuring the Express Server in Chapter 2 for more
information on using netsetup.
Appendix A
Glossary
Term
Description
Absolute Value
Absolute refers to the cumulative value since the device restart.
Access Policies
Access Policies provide the initial protection mechanism for the
firewall, allowing you to determine what traffic passes across it
based on IP session details. They protect the Trusted network from
outsider attacks, such as the scanning of Trusted servers. Access
Policies create an environment in which you set up security Policies to monitor traffic attempting to cross your firewall.
Address Spoofing
You can enable a NetScreen device to guard against spoofing
attacks by checking its own route table. If the IP address is not in
the route table, traffic through the NetScreen device is not allowed.
Advanced Encryption Standard (AES)
An emerging encryption standard which, when adopted by Internet
infrastructures worldwide, will offer greater interoperability with
other network security devices. This version of AES uses a 128-bit
key.
Authentication
Authentication ensures that digital data transmissions are delivered
to the intended receiver. Authentication also assures the receiver of
the integrity of the message and its source (where or whom it came
from). The simplest form of authentication requires a user name
and password to gain access to a particular account. Authentication
protocols can also be based on secret-key encryption, such as DES,
or on public-key systems using digital signatures.
Authentication Header (AH)
See ESP/AH
Bastion Host
A hardened system taken one step further - configured with the
minimal software to support a single network service.
Broadcast Out
The number of broadcast-type packets processed through the
NetScreen device over the selected interface.
Bytes In
The number of bytes of incoming traffic processed through the
NetScreen device over the selected interface.
Bytes Out
The number of bytes of outgoing traffic processed through the
NetScreen device over the selected interface.
Circuit-level Proxy
Proxy or Proxy Server is a technique used to cache information on
a Web server and acts as an intermediary between a Web client and
that Web server. It basically holds the most commonly and recently
used content from the World Wide Web for users in order to provide quicker access and to increase server security.
CLI
The command line interface.
Data Encryption Standard (DES)
A cryptographic block algorithm with a 56-bit key.
CRC Errors
The number of packets generating a cyclic redundancy code error
processed through the NetScreen device over the selected interface.
Data Encryption Standard (DES)
A 40- and 56-bit encryption algorithm that was developed by the
National Institute of Standards and Technology (NIST). DES is a
block encryption method originally developed by IBM. It has since
been certified by the U.S. government for transmission of any data
that is not classified top secret. DES uses an algorithm for private-key encryption.
Data Encryption Standard-Cipher Block Chaining (DES-CBC)
Until recently, the most significant use of triple-DES (3DES) was
for the encryption of single DES keys, and there was really no need
to consider how one might implement various block cipher modes
when the block cipher in question is actually one derived from multiple encryption. However, as DES nears the end of its useful lifetime, more thought is being given to an increasingly widespread
use of triple-DES.
Delta Value
Delta refers to the rate of change: for instance, the difference
between the last set of counter values and the current set of counter
values.
De-Militarized Zone (DMZ)
From the military term for an area between two opponents where
fighting is prevented. DMZ Ethernets connect networks and computers controlled by different bodies. They may be external or
internal. External DMZ Ethernets link regional networks with routers.
Denial of Service (DoS) Attack
An attack designed to disrupt a network service. Typically in a DoS
attack, a flood of information from the attacker will overwhelm a
serving system’s resources, causing it to be unable to field valid
network requests. Other DoS attacks can cause the serving process
to crash, also denying the service.
Device Group Authentication ID
The initial Device Group authentication ID is arbitrary but must be
consistent for all components. This should be a unique password,
containing both letters and characters. You can create any Device
Group Authentication ID you like, but you must consistently use
the same Device Group Authentication ID for all components. The
system permanently encrypts it.
DHCP
The Dynamic Host Configuration Protocol used to dynamically
assign IP addresses to networked computers.
Distributed Denial of Service (DDoS) Attack
A DoS attack (typically a flood) from multiple source points. This
is more effective than a DoS attack, as it is no longer one computer
against one server in an effort to overwhelm the server.
DNS
The Domain Name System maps domain names to IP addresses.
ESP/AH
The IP level security headers, AH and ESP, were originally proposed by the Network Working Group focused on IP security
mechanisms, IPSec. The term IPSec is used loosely here to refer to
packets, keys, and routes that are associated with these headers.
The IP Authentication Header (AH) is used to provide authentication. The IP Encapsulating Security Header (ESP) is used to provide confidentiality to IP datagrams.
Firewall
A device that protects and controls the connection of one network
to another, for traffic both entering and leaving. Firewalls are used
by companies that want to protect any network-connected server
from damage (intentional or otherwise) by those who log in to it.
This could be a dedicated computer equipped with security measures or it could be a software-based protection.
GBIC
A Gigabit Interface Connector (GBIC) is the kind of interface module card used on the NetScreen-2/500 for connecting to a fiber optic
network.
GMT (Greenwich Mean Time)
The Greenwich, England mean solar time. Also known as Universal Time, it is used for calculating time throughout most of the
world.
Hardened System
A server with all appropriate security patches and bug fixes that has
been configured securely. These systems are designed to resist penetration.
Histogram
A vertical graph in which different amounts are represented by
thin, color-coded bands or bars. These bars represent a frequency
distribution; heights of the bars represent observed frequencies.
ICMP Flood
ICMP pings can be so numerous that they overload a system with
so many echo requests that the system expends all its resources
responding until it can no longer process valid network traffic. If
you set a threshold to invoke ICMP flood attack protection when
exceeded, ICMP flood attacks are recorded as statistics.
Internet Control Message Protocol (ICMP)
Occasionally a gateway or destination host will communicate with
a source host, for example, to report an error in datagram processing. For such purposes the protocol, the Internet Control Message
Protocol (ICMP), is used. ICMP uses the basic support of IP as if it
were a higher level protocol, however, ICMP is actually an integral
part of IP, and must be implemented by every IP module. ICMP
messages are sent in several situations.
Internet Key Exchange (IKE)
The method for exchanging keys for encryption and authentication
over an unsecured medium, such as the Internet.
Internet Protocol (IP)
An Internet standard protocol that defines a basic unit of data called
a datagram. A datagram is used in a connectionless, best-effort,
delivery system. Internet protocol defines how information gets
passed between systems.
IP Address Spoofing
Depending on the circumstances, a spoofed IP can be used to perform difficult-to-trace DDoS attacks, hiding their true address in a
clutter of bogus addresses, or in rare occasions taking advantage of
IP address related trusted relationships between two hosts. The
attacker sends Crafted Packets (Packets made from the ground up,
and not created and processed normally through the IP Stack) that
have source IP addresses other than what has been assigned to the
interface.
IP Gateway
Also called a router, a gateway is a program or a special-purpose
device that transfers IP datagrams from one network to another
until the final destination is reached.
IP Security (IPSec)
Security standard produced by the Internet Engineering Task Force
(IETF). It is a protocol suite that provides everything you need for
secure communications—authentication, integrity, and confidentiality—and makes key exchange practical even in larger networks.
See also DES-CBC, ESP/AH.
IP Sweep
This is the same as an address sweep attack, and similar to a port
scan attack. It occurs when an attacker sends ICMP echo requests
(or pings) to different destination addresses hoping that one will
reply, thus uncovering an address to a target. If a remote host pings
10 addresses in 0.3 seconds, the NetScreen device flags this as an
address sweep attack and drops the connection.
ISAKMP
The Internet Security Association and Key Management Protocol
(ISAKMP) provides a framework for Internet key management and
provides the specific protocol support for negotiation of security
attributes. By itself, it does not establish session keys, however it
can be used with various session key establishment protocols to
provide a complete solution to Internet key management.
Land Attack
Combining a SYN attack with IP spoofing, a Land attack occurs
when an attacker sends spoofed SYN packets containing the IP
address of the victim as both the destination and source IP address.
This creates an empty connection. Flooding a system with such
empty connections can overwhelm the system, causing a Denial of
Service. The NetScreen device blocks any attempts of this nature
and records such attempts as a Land attack.
Load balancing
Load balancing is the mapping (or re-mapping) of work to processors, with the intent of improving the efficiency of a concurrent
computation.
MD5
Message Digest (version) 5, an algorithm that produces a 128-bit
message digest (or hash) from a message of arbitrary length. The
resulting hash is used, like a “fingerprint” of the input, to verify
authenticity.
Packet Filtering
A router/firewall process that contains access control lists (ACL)
that restrict flow of information through it based upon protocol
characteristics such as source/destination IP address, protocol or
port used. Generally, packet-filtering routers do not track sessions
through them unless the router is also doing a NAT process, and the
NAT process would track the session for NAT purposes.
Ping of Death
Intentionally oversized or irregular ICMP packets can trigger a
Denial of Service condition, freezing, or other adverse system reactions. You can configure a NetScreen device to detect and reject
oversized or irregular packet sizes.
Policies
See Access Policies.
Port Scan
A port scan attack occurs when packets are sent out to different port
numbers, for the purpose of scanning the available services in
hopes that one port will respond. If a remote host scans 10 ports in
0.3 seconds, the NetScreen device flags this as a port scan attack
and drops the connection.
Protocols
Protocols are pre-defined services (like HTTP, SNMP, or Telnet)
that are enabled for the NetScreen device.
RADIUS
Remote Authentication Dial-In User Service is a service for
authenticating and authorizing dialup users.
Receive Collisions
The number of collisions on the line detected by the Carrier Sense
Multiple Access Collision Detection (CSMA/CD) protocol.
Security Association
The combination of a Security Parameters Index and a destination
address. Required for both Authentication Header and Encapsulating Security Payload protocols. See also Security Parameters
Index.
Security Parameters Index (SPI)
The SPI is a hexadecimal value which uniquely identifies each tunnel. It also tells the NetScreen device which key to use to decrypt
packets.
Server Farm
A server farm is a network where clients install their own computers to run Web servers, e-mail, or any other TCP/IP based services
they require, making use of leased permanent Internet connections
with 24-hour worldwide access. Instead of expensive dedicated-line connections to various offices, servers can be placed on server
farm networks to have them connected to the Internet at high-speed
for a fraction of the cost of a leased line.
SHA-1
Secure Hash Algorithm-1, an algorithm that produces a 160-bit
hash from a message of arbitrary length. (It is generally regarded as
more secure than MD5 because of the larger hashes it produces.)
Short Frames
The number of frames containing less than 64 bytes of data.
Source Route
The Source Route option applied in an IP header can allow an
attacker to enter a network with a false IP address and have data
sent back to the attacker’s real address.
Stateful Inspection
A firewall process that checks the TCP header for information on
the session’s state. The process checks whether it is initializing
(SYN), ongoing (SYN/ACK), or terminating (FIN). A stateful
inspector firewall will typically track each session flowing through
it. Packets from unknown sessions that appear to be part of an
ongoing or illegal session are dropped. All NetScreen network
security devices are stateful inspectors.
SYN Attack
SYN packets overwhelm a network by initiating so many connection attempts or information requests that the network can no
longer process legitimate connection requests, resulting in a Denial
of Service.
Tear Drop Attack
When the first and second parts of a fragmented packet overlap, the
server attempting to reassemble the packet can crash. If the
NetScreen device sees this discrepancy in a fragmented packet, it
drops the packet.
Transmission Control Protocol/Internet Protocol (TCP/IP)
A set of communications protocols that support peer-to-peer connectivity
functions for both local and wide area networks. A communications protocol
which allows computers with different
operating systems to communicate with each other. Controls how
data is transferred between computers on the Internet.
Triple DES (3DES)
A more powerful version of DES in which the original DES algorithm is applied in three rounds, using a 168-bit key. DES provides
a significant performance savings but is considered unacceptable
for many classified or sensitive material transfers.
Trojan Horse
A program with functionality (typically malicious) not made
known to an end-user. A common example of this would be a game
received as an email attachment. This ‘Trojaned’ program might
also secretly install a remote administration (known as a back door)
program that allowed an attacker access to your computer.
Trunk Port
A trunk port allows a switch to bundle traffic from several VLANs
through a single physical port, sorting the various packets by the
VLAN identifier (VID) in their frame headers.
User Datagram Protocol (UDP)
A protocol in the TCP/IP protocol suite, the User Datagram Protocol or UDP allows an application program to send datagrams to
other application programs on a remote machine. Basically UDP is
a protocol that provides an unreliable and connectionless datagram
service where delivery and duplicate detection are not guaranteed.
It does not use acknowledgments, or control the order of arrival.
UDP Flood
UDP packets are sent with the purpose of slowing down the system
to the point that it can no longer handle valid connections. If you
set a threshold to invoke UDP flood attack protection, when
exceeded, UDP flood attacks are recorded as statistics.
Universal Resource Locator (URL)
A standard way developed to specify the location of a resource
available electronically. Also referred to as a location or address,
URLs specify the location of files on servers. A general URL has
the syntax protocol://address. For example,
http://www.srl.rmit.edu.au/pd/index.html specifies that the protocol is
http and the address is www.srl.rmit.edu.au/pd/index.html.
Virtual-Interface Object (VIF)
TBC. See also SIF.
Virtual Local Area Network (VLAN)
A logical rather than physical grouping of devices that constitute a
single broadcast domain. VLAN members are not identified by
their location on a physical subnetwork but through the use of tags
in the frame headers of their transmitted data. VLANs are
described in the IEEE 802.1Q standard.
VLAN Identifier (VID)
TBC.
Virtual Private Network (VPN)
A VPN is an easy, cost-effective and secure way for corporations to
provide telecommuters and mobile professionals local dial-up
access to their corporate network or to another Internet Service Provider (ISP). Secure private connections over the Internet are more
cost-effective than dedicated private lines. VPNs are possible
because of technologies and standards such as tunneling, screening,
encryption, and IPSec.
Virtual System (Vsys)
A feature unique to the NetScreen-1000, a Virtual System is a subdivision of the main system that appears to the user to be a standalone entity. Virtual Systems reside separately from each other in
the same NetScreen-1000 device. Each one can be managed by its
own Virtual System Administrator.
WinNuke Attack
WinNuke can cause any computer on the Internet running Windows to crash. WinNuke introduces a NetBIOS anomaly that forces
Windows to restart. The NetScreen device can scan any incoming
Microsoft NetBIOS Session Service packets, modify them, and
record the event as a WinNuke attack.
Worm
A self-replicating attack program. Worms differ from typical
viruses in that they are completely automatic – no interaction with a
user is required. When a vulnerable target is found, it immediately
and automatically infects the new host with the code. The newly
infected host starts this process all over again. Each infected host
will attempt to infect more hosts.
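The thresholds in the IP Sweep and Port Scan entries (10 addresses or 10 ports within 0.3 seconds) and the condition in the Land Attack entry can be expressed as a small sliding-window detector. This is an added example, not ScreenOS code or anything from the original guide; the packet fields, the "icmp-echo"/"tcp-syn" labels, keying port scans on a source/destination pair, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_MS = 300   # "0.3 seconds" in the IP Sweep and Port Scan entries
THRESHOLD = 10    # "10 addresses" / "10 ports" in the same entries


@dataclass(frozen=True)
class Packet:
    ts_ms: int      # arrival time in milliseconds (integers avoid float rounding)
    src: str
    dst: str
    kind: str       # "icmp-echo" or "tcp-syn" (labels invented for this example)
    dport: int = 0


class ScreenDetector:
    """Flags address sweeps, port scans and Land packets as the glossary defines them."""

    def __init__(self, window_ms=WINDOW_MS, threshold=THRESHOLD):
        self.window_ms = window_ms
        self.threshold = threshold
        self._seen = defaultdict(deque)   # tracking key -> deque of (ts_ms, target)

    def _hit(self, key, ts_ms, target):
        q = self._seen[key]
        q.append((ts_ms, target))
        # Forget observations older than the window; the newest entry always stays.
        while ts_ms - q[0][0] > self.window_ms:
            q.popleft()
        # Count distinct targets, so repeated pings to one address never trigger.
        if len({t for _, t in q}) >= self.threshold:
            q.clear()                     # one alert per burst, then start over
            return True
        return False

    def inspect(self, pkt):
        """Return an alert name for this packet, or None."""
        if pkt.kind == "tcp-syn" and pkt.src == pkt.dst:
            return "land-attack"          # SYN whose source equals its destination
        if pkt.kind == "icmp-echo":
            if self._hit(("sweep", pkt.src), pkt.ts_ms, pkt.dst):
                return "address-sweep"
        elif pkt.kind == "tcp-syn":
            # Assumption: ports are counted per source/destination pair.
            if self._hit(("scan", pkt.src, pkt.dst), pkt.ts_ms, pkt.dport):
                return "port-scan"
        return None


def detect(packets):
    """Run the detector over packets in time order; return (ts_ms, src, alert) tuples."""
    det = ScreenDetector()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts_ms):
        alert = det.inspect(pkt)
        if alert:
            alerts.append((pkt.ts_ms, pkt.src, alert))
    return alerts


def sample_packets():
    """Constructed traffic using documentation address ranges."""
    pkts = []
    # Fast sweep: 10 destinations, 30 ms apart (0..270 ms).
    pkts += [Packet(30 * i, "203.0.113.7", f"192.0.2.{i + 1}", "icmp-echo")
             for i in range(10)]
    # Slow pinger: the same 10 destinations, 100 ms apart; stays under the threshold.
    pkts += [Packet(100 * i, "198.51.100.9", f"192.0.2.{i + 1}", "icmp-echo")
             for i in range(10)]
    # Ten rapid pings to a single address; only one distinct target.
    pkts += [Packet(1000 + 10 * i, "198.51.100.10", "192.0.2.1", "icmp-echo")
             for i in range(10)]
    # Port scan: ports 20..29 on one host, 20 ms apart.
    pkts += [Packet(2000 + 20 * i, "203.0.113.8", "192.0.2.20", "tcp-syn", 20 + i)
             for i in range(10)]
    # Land packet: source and destination are the same address.
    pkts.append(Packet(3000, "192.0.2.30", "192.0.2.30", "tcp-syn", 80))
    return pkts


if __name__ == "__main__":
    for ts_ms, src, alert in detect(sample_packets()):
        print(f"{ts_ms:>5} ms  {src:<15}  {alert}")
```

Counting distinct targets rather than packets is what separates a sweep from an ordinary monitoring ping, and clearing the window after an alert keeps a single burst from producing an alert on every later packet.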
NetScreen-Global PRO Express Realtime Monitor User’s Guide
B-VII
Appendix A Glossary
B-VIII
NetScreen-Global PRO Express
Index
Index
A
About Realtime Monitor Console
accessing 31
accessing
online help for Realtime Monitor Console 30
acknowledging
event alert 66
active sessions
information available 113–114
overview 6
session display filter, configuring 116
session filter, using 114
viewing 113–117
Active Statistics
device-specific view, described 89
active statistics
viewing 111
active VPN details
viewing 121
adding
columns to MC view 60
device 21–22
device group 51
event information notes 82
group 38, 39
user 27
adjusting
console or column borders 61
administer database
privilege, described 38
administrative privileges
configuring 42
described 38
alerts
configuring to notify of events 65–66
applying
display filter 80
architecture
Realtime Monitor, described 7–11
assign privilege
NetScreen-Global PRO Express
privilege, described 39
assigning
group privileges 39
group to a device 40
group to a device group 42
group to a virtual system 41
user to a group 43
attack
alarms, described 9
statistics, viewing 106–109
Attack Statistics
device-specific view, described 88
Attack statistics table
described 8
B
benefits
using Realtime Monitor 4.0 4–5
benefits in Realtime Monitor
device troubleshooting 5
e-mail notification of alerts 4
real-time monitoring 4
reliable data transfer using TCP/IP 5
role-based administration 5
tracking device status 4
tracking VPN status 4
C
cascading
multiple views 91
checking
System Health 22
clusters
described 125
columns
configuring 60
sorting 62–63
communications protocol
used in Realtime Monitor 10
configuration logs
i
Index
described 9
configure
interface statistic polling interval 54
NSRP statistic polling interval 54
configuring
administrative privileges 42
columns 60
device 47–50
device group 51–52
device statistic polling interval 54
display filter conditions 77
display filter, VPN 120
display time 73
e-mail alert notification 55–56
event alerts 65–66
event severity levels 70
event summary views 73
group 38–44
mapped IP address 47, 53
NetScreen-Global PRO Express Server 16–17
polling Intervals 54
server properties 53–56
session display filter 116–117
session filter for active sessions 115–116
severity level colors 71
user 45–46
user contact information 45
VPN statistic polling interval 54
console
Monitor 10
contact information
configuring for a user 45
create user/group
privilege, described 38
creating
display filter 75
quick filter 83
customizing
Monitor Console Interface 60
D
data collector
described 8
status, checking 22
default
ii
event summary view 74
Realtime Monitor user 26
Realtime Monitor user privileges 26
deleting
device 50
device group 52
display filter 80
user 46
device
adding 21–22
deleting 50
removing from a device group 52
sorting by status 65
viewing 50
device group
assigning a group to 42
deleting 52
removing device 52
device list
exporting 50
importing 47–48
Device Monitor
available information 67–68
using to view device details 67
device privileges
read/write, described 38
Device resources statistics
described 8
Device Statistics
using to view device-specific information 86–91
device status
described 9
Device Status Summary
used to monitor up/down device status 65
device troubleshooting
benefits using Realtime Monitor 5
display filter
applying 80
conditions, configuring 77
creating 75
deleting 80
editing 77
renaming 80
VPN 120
display time
configuring 73
NetScreen-Global PRO Express Realtime Monitor User’s Guide
Index
E
G
editing
display filter 77
e-mail alert notification
benefits using Realtime Monitor 4
configuring 55–56
Ethernet Statistics
device-specific view, described 88
ethernet statistics
viewing 102–104
Ethernet statistics table
described 8
event
alarms, described 9
alerts, configuring 65–66
logs, exporting 83
monitoring 81–85
notes, adding 82
sorting by count 81
summary view, default 74
summary views, configuring 73
Event Monitor
available information 82
using to view events 81
exiting
Realtime Monitor 31
exporting
device list 50
event logs 83
GMT
see greenwich mean time 73
greenwich mean time
setting display time 73
group
adding 38, 39
assigning to a device group 42
assigning to a virtual system 41
configuring 38–44
privileges, assigning 39
removing a user 44
F
features
Realtime Monitor 4.0 6
filter
display for VPN 120
display, described 75
Monitor, described 74
quick, using 83
Flow Statistics
device-specific view, described 88
flow statistics
viewing 105–106
Flow statistics table
described 8
H
HA
see High Availability
hardware
requirements for installing 14
help
see online help
High Availability
device-specific views, described 89
High Availability (HA) statistics
viewing 117
high availability(HA)
tracking 4
I
importing
device information from a text file 48
device list 47–48
devices 47
information logs
described 9
installation
process 15
installing
hardware requirements 14
NetScreen-Global PRO Express Server 16
Realtime Monitor 18
software requirements 14
Interface
device-specific views, described 88
Interface statistics
viewing 102
described 124
NSRP
see NetScreen Redundancy Protocol
NSRP Monitor
using to view NSRP statistics 124–129
NSRP monitoring statistics
described 8
NSRP Statistics
device-specific view, described 89
NSRP statistics
monitoring 124–129
L
logging in
as a different user 28
initial 26
logging out
of Realtime Monitor 28
M
maintaining
system 142
managing
multiple views 90
mapped IP address
configuring 53
Master Controller
described 9
MC
see Master Controller
Monitor Console
tuning 133–137
using 58–129
Monitor Console Interface
customizing 60
Monitor Filter
stop receiving logs 75
using to manage information on Monitor Console 74
monitoring
benefits 4
data collector status 22
device details 67
device statistics 86
device status 67–68
event information 81
event summaries 69–80
events 81–85
Master Controller status 22
NSRP statistics 124–129
VPN Status 118–123
N
NetScreen Redundancy Protocol (NSRP)
O
online help
accessing from Realtime Monitor Console 30
P
Policy Distribution
device-specific view, described 88
policy distribution
described 8
viewing 92–94
poll device statistics
configuring 54
poll interface statistics
configuring 54
poll NSRP statistics
configuring 54
poll VPN statistics
configuring 54
polling intervals
configuring 54
privileges
assigning to a group 39
described 38
for default Realtime Monitor user 26
see also administrative privileges
see also device privileges
user, editing 46
Protocol Distribution
device-specific view, described 88
protocol distribution
described 8
viewing 95–96
Q
S
quick filter
creating 83
using 83–85
SA Monitor statistics
described 8
searching
text 64
securing
Realtime Monitor server communications 11
Self Logs
device-specific view, described 89
self logs
described 9
viewing 111
server properties
configuring 53–56
session display filter
configuring 116–117
session filter
configuring to view active sessions 115–116
creating to view active sessions 114
severity level colors
configuring 71
severity levels
configuring 70
software
requirements for installing 14
sorting
columns 62–63
devices by status 65
events by count 81
names in the RM Console List Pane 37
tables 62–63
starting
Monitor Filter query 75
Realtime Monitor 19
stopping
Monitor Filter query 75
support for ScreenOS 4.0
in Realtime Monitor 4.0 6
System
device-specific views, described 89
system
maintenance 142
System Alerts
device-specific view, described 89
system alerts
R
Realtime Monitor
architecture 7
communications, described 10
exiting 31
installing 18
server, described 8
starting 19
testing installation 19
uninstalling 23
upgrading 147, 147–148
version, checking 31
real-time monitoring
benefits using Realtime Monitor 4
refreshing
display 30
reliable data transfer using TCP/IP
benefits using Realtime Monitor 5
removing
columns from MC view 60
device from a device group 52
see also deleting
user from a group 44
renaming
display filter 80
requirements
hardware for installing 14
software for installing 14
Resource Statistics
device-specific view, described 89
resource statistics
viewing 110–111
role-based administration
benefits using Realtime Monitor 5
RTO
see run-time objects
run-time objects (RTO)
viewing 127
viewing 112
System Health
checking 22
using to view server status 22
System Options
using to configure severity levels 70
system password
resetting 142
system statistics
viewing 110
T
tables
sorting 62–63
testing
Realtime Monitor installation 19
tiling
multiple views 90
Tools menu option
Customize, using to adjust display time 73
Customize, using to adjust severity level colors 71–72
Customize, using to set summary views 73
Traffic
device-specific views, described 88
traffic alarms
described 9
traffic log
described 9
viewing 101
Traffic Logs
device-specific view, described 88
Troubleshooting
device-specific view, described 89
troubleshooting
device, benefits using Realtime Monitor 5
device, overview 112
devices 144
sending commands 144
tuning
Monitor Console 133–137
U
uninstalling
Realtime Monitor, described 23
upgrading
from 3.x to 4.0, described 146
Realtime Monitor 147–148
user
adding 27
assigning to a group 43
configuring contact information 45
default 26
deleting 46
privileges, editing 46
removing from a group 44
using
Monitor Console 58–129
Realtime Monitor Console 36–37
V
version of Realtime Monitor you are running
checking 31
viewing
active sessions 113–117
active statistics 111
Active VPN Details 121
Active VPN information 100
attack statistics 106–109
device summary information 87
device traffic distribution 92
devices 50
ethernet statistics 102–104
flow statistics 105–106
High Availability (HA) statistics 117
interface statistics 102
policy distribution 92–94
resource statistics 110–111
self logs 111
system alerts 112
system statistics 110
traffic distribution by policy 92
traffic distribution by protocol 95
traffic distribution by VPN 97–101
traffic logs 101
VPN events 123
zone statistics 110
virtual security devices (VSD)
viewing 127
virtual system
assigning a group to 41
VPN
display filter, configuring 120
monitoring enhancements in Realtime Monitor 4.0 6
monitoring status 118–123
VPN Distribution
device-specific view, described 88
VPN Monitor
using to view VPN status 118–123
VPN Monitoring statistics
described 8
VPN tunnel types
dial-up 119
site-to-site 119
VSD
see virtual security devices
Z
Zone
device-specific views, described 88
zone statistics
viewing 110
zone-based monitoring
overview 6