Scrutinizer 10.1 Administrator's Guide

© 2012 Dell Inc.
Trademarks: Dell™, the DELL logo, SonicWALL™, SonicWALL GMS™, SonicWALL ViewPoint™, Aventail™,
Reassembly-Free Deep Packet Inspection™, Dynamic Security for the Global Network™, SonicWALL Aventail Advanced End Point Control™ (EPC™), SonicWALL Aventail Advanced Reporting™, SonicWALL Aventail Connect Mobile™, SonicWALL Aventail Connect™, SonicWALL Aventail Native Access Modules™,
SonicWALL Aventail Policy Zones™, SonicWALL Aventail Smart Access™, SonicWALL Aventail Unified Policy™, SonicWALL Aventail™ Advanced EPC™, SonicWALL Clean VPN™, SonicWALL Clean Wireless™,
SonicWALL Global Response Intelligent Defense (GRID) Network™, SonicWALL Mobile Connect™, SonicWALL SuperMassive™ E10000 Series, and all other SonicWALL product and service names and slogans are
trademarks of Dell Inc.
2012 – 11
P/N 232-001347-00
Rev. A
Table of Contents
Introduction
  Overview
  Resources
Admin Tab
  Data Aggregation - What is 'Other' Traffic?
    Overview
  Report Designer
    Overview
  Admin Tab
    Overview
  SNMP Device View
  Individual Exporters
    Overview
  Vitals Main View
    Overview
Flow Analytics
  Flow Analytics
    Overview
  Flow Hopper
System
  404 Error
  500 Error
  Access Denied
  Database Connection Failure
    Overview
  Distributed Collectors
    Overview
  Flowalyzer
  Installing Adobe Flash
    Overview
  Language Translations
    Overview
  Scrut_util
    Overview
  Search Tool
    Overview
  Multi Tenancy Module
    Overview
  Systrax
  Troubleshooting
    Getting Started Guide
  Web Server Port
    Overview
Introduction
Overview
Welcome to the Dell SonicWALL Scrutinizer 10.1 Administrator's Guide. This manual
provides the information you need to successfully activate, configure, and administer the
Dell SonicWALL Scrutinizer.
Resources
• For troubleshooting procedures, Click Here.
• There are also online webcasts which give quick overviews (i.e. 2 - 5 minutes each) of specific features.
• For Scrutinizer frequently asked questions, Click Here.
• For procedures on globally configuring NetFlow, Click Here.
• For timely resolution of technical support questions, visit Dell SonicWALL on the Internet at: http://www.sonicwall.com/us/en/support.html
Adobe® Flash® Player. Copyright(c) 1996-2012. Adobe Systems Incorporated. All Rights Reserved. Patents pending in the United States and other
countries. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries. Please reference the End User
License Agreement for more information on using Adobe® Flash® Player in Scrutinizer.
Admin Tab
Data Aggregation - What is 'Other' Traffic?
Overview
What is other traffic? Other traffic is traffic that didn't make it into the top 10. Some important details
should be understood when trying to comprehend Other traffic.
The collector saves 100% of all data in raw format to the 1 minute conversations tables for each router.
Every hour it creates a new 1 minute interval table per router. Every 5 minutes, it creates higher intervals
using the smaller intervals. This process is called "roll ups".
When the roll ups occur for 5 Min, 30 Min, 2 Hr, 12 Hr, 1 Day and 1 week, two tables are created:
1. Totals: The total in and out byte counts are saved per interface before the data for the conversations table is calculated. This table allows the reporting front end to display accurate total throughput per interface over time and allows the front end to operate with no dependency on SNMP yet still provide accurate total utilization reporting.
2. Conversations: All flows for the time period (e.g. 5 minutes) are aggregated together based on a tuple. Once all flows are aggregated together, the top 1000 (i.e. default) flows based on byte count are saved. The non top 1000 flows are dropped. Remember: the total tables ensure a record of the total in / out utilization per interface over time.
When a report is run on an individual interface within 1 minute intervals, the totals table isn’t needed
because the conversations table contains 100% of the data. When a report is run on an individual interface
with no filters in 5 minute or higher intervals, both the Conversations and Total tables are used in the
report. When reporting, the Total tables are used to display the total in and out utilization of the interface
and the top 10 from the Conversations table are subtracted out from the total and added back in color.
IMPORTANT: In some cases, a report that doesn't utilize the Total tables can understate the actual
utilization of the interface.
The Total tables are not used when:
• Reporting across All interfaces of a device
• A report is run on multiple interfaces from different devices regardless of filters
• Looking at data from a single template (e.g. using a single or multiple Medianet templates).
• Looking at 1 minute intervals in a report. One minute intervals contain 100% of all data exported for the template as no roll ups have occurred. As a result, no Total tables are created for 1 minute intervals.
The Total tables are only used when:
• Looking at 5 minute intervals and higher
• The "Flow Templates" section of the report filter indicates "Available Templates".
• Looking at a single interface without any additional filters
Remember: Only the top 1000 (default) conversations are saved in the roll ups. If the server has the available disk space, try increasing the Maximum Conversations under Admin Tab - Settings - Data History to 10,000 and see if it improves the accuracy. Don't configure it right away for the maximum of 100K; rather, ease up the number of conversations saved over a few days. Some reports may render more slowly when the Maximum Conversations is increased; this is the result of the tables being larger.
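The following is an added example, not Scrutinizer's own code, that simulates the roll-up described above on a handful of constructed flow records: a Totals table summed per interface before anything is dropped, a Conversations table that keeps only the top-N tuples by bytes, and the "Other" slice a report derives from the two. The MAX_CONVERSATIONS value of 3 is an assumption chosen so the drop is visible; the product default is 1000. Running the report with and without the Totals table shows the understatement the IMPORTANT note warns about.

```python
"""Roll-up of raw 1-minute flows into a Totals table and a top-N
Conversations table, and the 'Other' slice a report derives from them.
Added example with constructed data; not Scrutinizer's own code."""
from collections import defaultdict

MAX_CONVERSATIONS = 3  # assumption for the demo; the product default is 1000

# Constructed raw flow records for one exporter:
# (interface, src_ip, dst_ip, dst_port, bytes)
RAW_FLOWS = [
    (1, "10.0.0.5", "10.0.1.9", 443, 5000),
    (1, "10.0.0.5", "10.0.1.9", 443, 7000),   # same tuple as above -> aggregated
    (1, "10.0.0.6", "10.0.1.9", 80, 3000),
    (1, "10.0.0.7", "10.0.1.20", 22, 2500),
    (1, "10.0.0.8", "10.0.1.21", 53, 400),
    (1, "10.0.0.9", "10.0.1.22", 123, 300),
    (1, "10.0.0.10", "10.0.1.23", 161, 200),
]


def build_totals(flows):
    """Totals table: bytes per interface, summed before any flow is dropped."""
    totals = defaultdict(int)
    for iface, _src, _dst, _port, nbytes in flows:
        totals[iface] += nbytes
    return dict(totals)


def build_conversations(flows, max_conversations=MAX_CONVERSATIONS):
    """Conversations table: aggregate by tuple, keep only the top-N by bytes.
    Returns a list of ((iface, src, dst, port), bytes), largest first."""
    agg = defaultdict(int)
    for iface, src, dst, port, nbytes in flows:
        agg[(iface, src, dst, port)] += nbytes
    ranked = sorted(agg.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:max_conversations]


def interface_report(flows, iface, top=10, use_totals=True,
                     max_conversations=MAX_CONVERSATIONS):
    """Report for one interface: (top conversations, 'Other' bytes, reported total).
    With use_totals=True the interface total comes from the Totals table, so
    'Other' also covers conversations the roll-up dropped. With use_totals=False
    the total is only what survived the roll-up, which understates utilization."""
    convs = [kv for kv in build_conversations(flows, max_conversations)
             if kv[0][0] == iface]
    top_convs = convs[:top]
    top_bytes = sum(b for _, b in top_convs)
    if use_totals:
        total = build_totals(flows)[iface]
    else:
        total = sum(b for _, b in convs)
    return top_convs, total - top_bytes, total


if __name__ == "__main__":
    for use_totals in (True, False):
        top, other, total = interface_report(RAW_FLOWS, 1, top=2, use_totals=use_totals)
        print(f"use_totals={use_totals}: total={total} "
              f"top={[b for _, b in top]} other={other}")
```

With the Totals table the interface reports 18400 bytes (3400 of them "Other"); without it the three dropped conversations vanish and the same interface reports only 17500 bytes. The 900-byte gap is exactly the traffic below the top-N cut-off, which is why raising Maximum Conversations improves accuracy on reports that cannot use the Totals table.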
A Word about sFlow
When collecting sFlow, make sure the packet samples and the interface counters are both being exported to
the collector. The collector will save the packet samples to the Conversation tables and the Interface
counters to Total tables even at 1 minute intervals.
WARNING: If the flow device (e.g. router) is exporting multiple templates for different flows it is exporting, utilization could be overstated if the flows contain the same or nearly the same information. The front end of Scrutinizer will render reports using data from all templates with matching information. Be careful when exporting multiple templates from the same device! If you find this to be the case, use the filters to select a single template.
Report Designer
Overview
The Report Designer requires an Advanced Reporting license and is used to create new reports that are not
part of the core reporting solution. It can be used against any flow template even when byte counts are not
available. These new report types only appear on devices that are exporting the necessary elements in
templates. The steps to design a new report are as follows:
1. Copy an existing report design or select 'New'.
2. Enter a name for the new report design.
3. Select a device that is exporting the template that is needed for the report.
4. Select an element in the template for the first column.
1. Specify the column name.
2. Specify the width. In most cases use 'Dynamic' as specifying pixels is generally used to cut off long
element names.
3. Specify the treatment. Don't confuse 'Count' with 'Sum'. Count counts the number of entries whereas
Sum adds up the values. This option may lead to further drop down boxes.
4. Rate Vs. Total
1. Rate : trend the data by rate per second. Total is not an option in the drop down box.
2. Total : trend the data by total per interval. Rate is not an option in the drop down box.
3. Rate (default) / Total : trend the data by rate per second. Total is an option in the drop down
box.
4. Rate / Total (default) : trend the data by total per interval. Rate is an option in the drop down
box.
5. Stacked or Unstacked
1. Stacked : trend the data as a stacked trend. Non Stacked is not an option in the
drop down box.
2. Non Stacked : trend the data as an unstacked trend. Stack trend is not an option
in the drop down box.
3. Stacked (default) / Non Stacked : trend the data as a stacked trend. Non Stacked
is an option in the drop down box.
4. Stacked / Non Stacked (default) : trend the data as an unstacked trend. Stack
trend is an option in the drop down box.
The new report will show up in the category Designed Reports when the device template(s) contain the
elements necessary for the report.
NOTE: The report will not work outside of one minute intervals if rollups are not being performed on the
template in a format that is supportive of the report created.
Admin Tab
Overview
The Settings page is primarily left to the administrators.
Settings:
• Alarm Notifications: enable additional system alarms
• Alarm Settings: modify settings to optimize syslog and SMTP processing.
• CrossCheck: Specify the thresholds for changing color and the syslog threshold that the Fault Index must reach to trigger a syslog.
• Data History: Specify how long each flow interval is saved.
  • Historical 1 Min Avg: Saves 100% of all flows received. Make sure the server has enough disk space to save significant quantities of the raw flows. The 1 minute intervals consume the most disk space as they are not aggregated and flows are in raw format.
  • Historical 5 minute - 1 week Avg: These intervals only save the specified Maximum Conversations after aggregation per interval.
  • Maximum Conversations: Used when creating large intervals (e.g. 5 minute) from prior intervals (e.g. 1 minute). All flows are aggregated together per router. The top 10,000 (default) based on bytes are saved.
• Denika Connections: integration with Denika SNMP Performance Trender for SNMP details to represent link status.
• Email Server: Necessary for on demand and scheduled emailed reports. Make sure the test is successful.
• Flow Analytics: configure advanced algorithms (e.g. DDoS, Nefarious Activity, etc.)
• LDAP Credentials: The web interface has the capability of integrating with Microsoft Active Directory so that users can simply log in to the web interface by using their Windows domain authentication. When a user logs in for the first time, a new account is created in Scrutinizer and given "Guest" access by default. The Scrutinizer administrator can then grant that user further reaching capabilities if desired.
  Requirements for LDAP integration:
  1) The name or IP Address of the LDAP server
  2) An account with one of the following permissions to the LDAP server:
     a. Account Operators (must also be a member of "Distributed COM Users" for remote WMI Access)
     b. Administrators
     c. Domain Admins
     d. Enterprise Admins
  3) The account chosen must have WMI Read access to \root\Directory\LDAP
  Instructions to Integrate Scrutinizer with LDAP: There is a wizard utility which makes the process easier. To activate the LDAP configuration wizard:
  1) Open a command prompt on the server
  2) Change directories to the \scrutinizer\bin\ directory
  3) Run "scrut_util -ldapwizard" and follow the instructions
  4) Enter the IP or Hostname of the LDAP server
  5) Enter the LDAP Binding Account Username
  6) Enter the LDAP Binding Account Password, then verify by retyping
  7) Is it configured to use LDAPS or LDAP over SSL? Answer "y" or "n"
  8) If successful, the wizard returns LDAP configurations that will be saved to the database. The next step is to use a typical account to test connectivity
  9) Enter a Username of an LDAP account that will be used to log into the Scrutinizer Web Interface
  10) Enter a password and then verify by retyping
  11) If successful, the wizard will display the success of the connection and update the configuration
  Users should now be able to log in to the web interface with their LDAP account. If unsuccessful, contact support.
• Licensing: Enter the license key for Flow Analytics and/or the Multi-Tenancy module
  • Flow Analytics
  • Mailinizer
  • Multi-Tenancy Module
• Mapping Configuration: Customization for both Flash and Google maps (e.g. connections, text boxes, etc.). Learn more about mapping.
• Mobile IAM: Specify the settings on how to attach to the Enterasys Mobile IAM authentication server.
• Proxy Configuration: Set up the server to work with a proxy server
• Syslog Notifications: Configure the syslog server, port and priority
• System Preferences: Other options
Definitions:
• 3rd Party Integration: Create links to 3rd party applications and pass variables in URLs
• Applications: Set up and modify applications using ranges of ports and IP addresses. This feature is useful for properly labeling in house applications.
• Autonomous Systems: Set up and modify Autonomous Systems that are shipped with the software.
• Device Details: Displays the SNMP details of the devices sending flows. Allows custom device and interface names to be defined which override the defaults. Notice that in and out speeds can be configured.
• Host Names: Set up and modify known hosts. Use this option to statically assign host names to IP addresses that will not age out. It can also be used to label subnets in the Subnet report types. There are three Resolve DNS options:
  1. Current - has been or attempted to be resolved already (will expire in whatever days are set in the serverprefs)
  2. Queued - ready to be resolved by the resolver. User can set it to queued to force a DNS resolve again on the host.
  3. Never - a permanent address that was manually added by the user. Users can make names permanent by switching this to never. It's not purged.
• IP Groups: Define ranges of IP addresses that belong in a specific group (e.g. Marketing, sales, phones, etc.). Run a report on an interface to see the IP Group reports.
• Languages: use this interface to update languages or create new translations.
• Manage Exporters: Details on the devices sending flows. Options include:
  • Listener Ports are listed in the top left: 2055 2056 4432 4739 6343 9991 9994 9995 9996. These ports change color:
    • Green: all devices sending flows on that port are active and sending flows. Click on the port to view the vitals.
    • Yellow: one or more devices has recently stopped sending flows. Click on the port to view the vitals.
    • Red: all devices once sending to this port have stopped. Click on the port to view the vitals.
  • Per Device:
    • Delete: This check box can be used to remove the device from the Status tab device tree. The device will be rediscovered immediately if the collector is still receiving flows from the device. Also, templates and interfaces from devices that stop sending flows are aged out.
    • Icons:
      • Status: tells if the device is currently receiving flows (i.e. green) or not receiving flows (i.e. red).
      • Device Details: click to view the Device Details.
      • Configure NetFlow Via SNMP: Use the wizard to re-configure the NetFlow exporting on the device.
      • Current protocol exclusions: Specify which protocols will be dropped for the collector, selected device or selected interface on a selected device. Visit the Device View for more details and to learn about Protocol Exclusions per device/interface.
    • Click on the edit icon to modify the default name used for the device.
    • Credentials: Select a community string to use on this device.
    • Status: Modify status from Active (accept flows) to Inactive (drop all flows from device). NOTE: the flows are still being received but are being ignored by Scrutinizer (i.e. not saved).
    • Update SNMP: force an immediate SNMP query for Device Details. Checking this off ensures that the Device Details will be updated every night automatically.
• MIB Import: Manage SNMP MIB files that have been compiled for SNMP traps
• Notification Manager: Configure notifications to be applied to Policies in the Alarms tab
• Policy Manager: List all of the Policies that are configured for the Alarms Tab
• SNMP Credentials: Configure the SNMP Credentials used on each flow exporter. SNMP v1, v2 and v3 are supported.
• Type of Service (ToS): Configure the ToS and DSCP values displayed in the reports. Be sure to define the "ToS Family" under System Preferences.
• Well Known Ports: define port names. In the Well Known Ports report, the following logic is used:
  • Which port is lower, the source port or the destination port?
  • If the source port is lower and defined, use this as the well known port
  • else, use the destination port if defined as the well known port
  • else, display the lower port as the well known port
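The following is an added example, not Scrutinizer's own code, that applies the Well Known Ports rules above to a few constructed flow records and totals bytes by the resulting label. PORT_NAMES stands in for the ports an administrator has defined; its contents are constructed. The point for anyone reading these reports is that the label is a heuristic from the port numbers alone: a flow is labelled "dns" because a defined port appears in it, not because the collector has identified the application.

```python
"""Well Known Ports report logic: pick the port each flow is labelled by,
then total bytes by that label. Added example with constructed data; not
Scrutinizer's own code. PORT_NAMES stands in for the 'defined' ports."""
from collections import defaultdict

# Constructed 'Well Known Ports' definitions (port -> name)
PORT_NAMES = {53: "dns", 80: "http", 443: "https"}


def well_known_port(src_port, dst_port, defined=PORT_NAMES):
    """Apply the rules in the order the guide lists them."""
    lower = min(src_port, dst_port)
    # If the source port is lower and defined, use it
    if src_port < dst_port and src_port in defined:
        return src_port
    # else, use the destination port if it is defined
    if dst_port in defined:
        return dst_port
    # else, display the lower port
    return lower


def well_known_ports_report(flows, defined=PORT_NAMES):
    """Sum bytes per displayed port; label with the defined name or the number."""
    totals = defaultdict(int)
    for src_port, dst_port, nbytes in flows:
        totals[well_known_port(src_port, dst_port, defined)] += nbytes
    return {defined.get(p, str(p)): b for p, b in totals.items()}


# Constructed flow records: (src_port, dst_port, bytes)
SAMPLE_FLOWS = [
    (49152, 443, 8000),   # client -> server: destination is defined
    (443, 49152, 12000),  # server -> client: source is lower and defined
    (53, 1024, 500),      # lower source, defined
    (50000, 51000, 700),  # nothing defined: lower port shown as a number
    (40000, 1025, 300),   # destination lower but undefined: lower port shown
]

if __name__ == "__main__":
    print(well_known_ports_report(SAMPLE_FLOWS))
```

Both directions of the 443 conversation land under "https" (20000 bytes), which is what makes the report readable; the two undefined flows are shown by their lower port number, as the last rule says.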
Security:
• User Groups: Specifies what a Group login account can access. Limited to 10 Group accounts without a Multi-Tenancy license key. Some permissions require further explanation:
  • Device Status: Grants permission to see the status of the device (i.e. Flow exporter). Device icons appear blue in maps if the "Device Group" permission is granted without this permission. Mailinizer devices show up here.
  • Interface Statistics: Grants permission to see the statistics of an interface. Mailinizer does not show up here.
  • Device Groups: Grants permission to see a Group (i.e. map). Devices (i.e. Flow Exporters) appear blue and interfaces black unless permission is granted in "Device Status" and "Interface Statistics".
• User Accounts: Configure login preferences for individual accounts. User Accounts must be a member of one or more User Groups. By default, they are placed in a default (e.g. Guest) User Group. Permissions are inherited from all User Groups a User Account is a member of.
Reports:
• Report Folders: Manage Saved Report Folders found in the Status tab under saved reports. Notice the Membership drop down box:
  • Folders: Select a folder and add or remove reports from it.
  • Reports: Select a report and add or remove folders it can be found in.
• Scheduled Reports: Manage Scheduled Reports, delete, etc.
• Top Saved Syslogs: The top devices sending syslogs.
• Top Syslog Orphans: The top devices sending syslogs that don't match policies.
• Vitals: View vital information on how well the server is handling the NetFlow and sFlow volume. More details can be found in the Vitals Tab.
NetFlow Help:
• Activating NetFlow, J-Flow, sFlow, NetStream, IPFIX, etc.
SNMP Device View
Using this interface, selected interfaces can be hidden from the reporting GUI. The SNMP community string
used to communicate with the device can be altered.
Notice at the top: there is a drop down box with all the flow sending devices. Under the devices is a drop
down box to select the SNMP community string/credential for the selected device. Next to the community
string is a check box for SNMP Enabled. If SNMP Enabled is checked, the Watcher Service will attempt to poll
and update SNMP information for the device. By default, the automatic SNMP discovery occurs once a night.
The user can disable the automatic SNMP capability by unchecking "Auto SNMP Update" from the Admin
Tab, Settings -> System Preferences.
There are several columns displayed for each interface on the NetFlow capable router/switch. Some of them
include:
• Instance
• Custom Description: A custom interface name can be entered.
• ifAlias
• ifName
• ifDescr
• ifSpeed: Custom speeds can be specified both inBound and outBound per interface.
• Direction: tells us if NetFlow is collected INGRESS, EGRESS or BOTH on this interface.
Scrutinizer will attempt to build the drop down boxes based on whether or not the following information is available, in this order:
• Instance and Custom Name
• Instance, ifAlias and ifDescr
• Instance, ifDescr and ifName
• Instance and ifDescr
• Instance
This interface relies on devices that support the SNMP standard MIB II. SNMP Enterprise MIBs may require
3rd party software or customized scripts to correlate the enterprise instances to match the MIB II instances.
If SNMP is not available, the collector will look for an interface names option template. Some vendors
export an interface names option template using NetFlow or IPFIX. This option template contains the names
of the interfaces. In Cisco IOS v 12.4(2)T or greater, the command is:
Router(config)# ip flow-export interface-names
SonicWALL and other vendors export a similar options template.
If the Custom Description is filled in, it will override the use of the SNMP descriptions. This is also true when the Custom (Mb) is filled in: it will override the use of the SNMP ifSpeed. Enter a 0 in the Custom (Bits) ifSpeed to force the Status tab to display the interface in bits in lieu of % utilization.
If any updates are applied to a router or switch, be sure to go back to the device interface and run an update by clicking on the Update button; otherwise, the default evening update will take effect.
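The following is an added example, not Scrutinizer's own code, that puts the two precedence rules from this section into one place: the order in which Instance, Custom Name, ifAlias, ifDescr and ifName are tried when building the interface drop-down, and the way a custom speed overrides the SNMP ifSpeed (with 0 switching the Status tab to bits). The label format "<instance> - <name>" and the argument names are assumptions; the guide only states which fields are consulted and in what order.

```python
"""How the interface drop-down label and effective speed are derived from
SNMP and custom fields. Added example; not Scrutinizer's own code. The label
format ("<instance> - <name>") and the field names are assumptions."""


def interface_label(instance, custom=None, if_alias=None, if_descr=None, if_name=None):
    """Use the first rule in the guide's order whose fields are all present."""
    if custom:                      # Instance and Custom Name
        return f"{instance} - {custom}"
    if if_alias and if_descr:       # Instance, ifAlias and ifDescr
        return f"{instance} - {if_alias} ({if_descr})"
    if if_descr and if_name:        # Instance, ifDescr and ifName
        return f"{instance} - {if_descr} ({if_name})"
    if if_descr:                    # Instance and ifDescr
        return f"{instance} - {if_descr}"
    return str(instance)            # Instance only


def effective_speed(snmp_if_speed_bps, custom_mb=None):
    """Return (speed in bits/s, display mode). A custom speed overrides the SNMP
    ifSpeed; a custom value of 0 switches the Status tab from % utilization to
    raw bits, so no speed is returned in that case."""
    if custom_mb is None:
        return snmp_if_speed_bps, "percent"
    if custom_mb == 0:
        return None, "bits"
    return custom_mb * 1_000_000, "percent"


if __name__ == "__main__":
    # Constructed interface rows: one with only ifAlias (falls through to Instance)
    print(interface_label(3, if_alias="WAN"))
    print(interface_label(3, if_alias="WAN", if_descr="GigabitEthernet0/1"))
    print(effective_speed(1_000_000_000, custom_mb=100))
```

The fall-through matters operationally: an interface that exports ifAlias but no ifDescr is shown by instance number only, which is usually the sign that SNMP discovery did not complete and an Update is needed.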
Direction: Displays how the flows are collected and reported on for the interface. Values are INGRESS,
EGRESS or BOTH and are not updated until the collector is restarted. If Direction is unset '-' this means
NetFlow is not exporting for this interface.
If the interface row is white then the interface number and traffic values are inferred from NetFlow exported
from another interface. If the interface row is gray then the interface number was discovered via SNMP and
there will be no traffic values.
Protocol Exclusions are performed to avoid traffic from being counted twice on a given interface.
Generally over reporting is caused by VPNs or tunnel traffic. Exclusions can be made per exporter (e.g.
router, switch, etc.) or per interface per exporter. They can also be excluded globally across all exporters.
Click on the (-) icon to launch the Protocol Exclusions modal.
VERY IMPORTANT: By default, the flow collector polls the switches and routers it is receiving flows from via SNMP nightly. This software was engineered to be a passive collection tool with minimal SNMP requirements. The best way to update the SNMP information, including the information on the interfaces, is to click on the "Update" button. NetFlow v9 option templates can be used in place of SNMP to gather interface names and speeds.
Individual Exporters
Overview
When clicking on a port number (e.g. 2055, 6343, etc.) in the Vitals report, the total Datagrams, Flows and
MFSN (Missed Flow Sequence Numbers) are displayed. This is the aggregate for all flow devices exporting
on this port.
Click on one of the three trends to view the daily, weekly, monthly and year trends. The statistics for the
port (e.g. 2055) are displayed. Statistics include Datagrams, Flows and MFSN for each exporter sending on
the selected port.
When navigating to this page by clicking on Flow version from the Status tab, only the 3 reports (i.e. Datagrams, Flows and MFSN) are displayed for the selected device. Sometimes values like MFSN will show up as 10m or 400m. To get the dropped flows per second, divide the value by 1000 (the "m" suffix is milli). A value of 400m is .4 of a flow per second. 1 / .4 = 2.5 seconds. A flow is dropped every 2.5 seconds, or 120 (i.e. 300 seconds / 2.5) dropped flows in the 5 minute interval displayed in the trend.
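The following is an added example, not Scrutinizer's own code, that carries the MFSN arithmetic above through in code: it parses a Vitals value such as "400m", converts it to dropped flows per second, the seconds between drops, and the drops per trend interval. The 300-second interval is the 5 minute trend the guide refers to; the input values are constructed. Missed sequence numbers are gaps in visibility, so a quick way to turn the displayed rate into "flows lost per interval" is useful when deciding whether a collector is keeping up.

```python
"""Convert a Vitals MFSN value such as '400m' into dropped flows per second,
the interval between drops, and drops per trend interval. Added example;
not Scrutinizer's own code."""


def parse_rate(value):
    """Parse '400m' (milli) or a plain number into a per-second rate."""
    s = value.strip()
    if s.endswith("m"):
        return float(s[:-1]) / 1000.0
    return float(s)


def mfsn_summary(value, interval_seconds=300):
    """Summarise an MFSN value for one trend interval (default 5 minutes).
    seconds_per_drop is None when nothing is being dropped."""
    per_second = parse_rate(value)
    seconds_per_drop = (1.0 / per_second) if per_second else None
    return {
        "per_second": per_second,
        "seconds_per_drop": seconds_per_drop,
        "per_interval": per_second * interval_seconds,
    }


if __name__ == "__main__":
    # Constructed sample values as they would appear in the Vitals trend
    for v in ("400m", "10m", "0"):
        print(v, mfsn_summary(v))
```

For "400m" the summary reproduces the guide's figures: 0.4 flows per second, one drop every 2.5 seconds, 120 drops in the 5 minute interval. The same 5 minute window at "10m" is only 3 dropped flows, which is the difference between a collector under sustained pressure and one with occasional loss.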
NOTE: there can be as many as 30 flows per NetFlow v5 datagram and up to 24 flows per NetFlow v9
datagram. With sFlow, as many as 1 sample (i.e. flow) or greater than 10 samples can be sent per
datagram.
Vitals Main View
Overview
The Vitals page provides insight on the health of the server that is receiving the flows (e.g. CPU, Memory
usage, Hard drive space available, etc.).
• CPU: Average CPU utilization for the computer the NetFlow Collector is installed on.
• Avail Mem: Available Memory displays how much memory is being consumed by all programs on the computer. It is not specific to NetFlows being captured.
  • NOTE: The flow collector will continue to grab memory depending on the size of the memory bucket it requires to save data and it will not shrink unless the machine is rebooted. This is not a memory leak.
• Avail HDD: Available Hard Drive displays the amount of disk space that is available. After an initial period of a few weeks/months, this should stabilize providing that the volume of NetFlow stays about the same. This statistic is best viewed by clicking on the trend. A historical report will pop up providing a better idea on how long the disk storage will hold out.
• Datagrams: Average Datagrams per second in a 5 minute interval trend.
• Flows: Average Flows per second in a 5 minute interval trend. This is a measure of the number of conversations being observed. Each NetFlow packet (i.e. UDP datagram) sent can contain information on as many as 30 flows.
• MFSN: Missed Flow Sequence Numbers. This is an aggregate across all flow sending devices. At the top of the page, click on individual ports to get an MFSN report per listening port and per device exporting flows.
• Syslogs Received: The average number of syslogs received per second.
• Syslogs Processed: The average number of syslogs processed per second.
• Connections: Tracks the number of connections that are being opened on the MySQL server. Excessive connections result in reduced performance. NOTE: other applications sharing the same MySQL will cause this number to increase.
• DB Queries: Tracks the number of queries made to MySQL. More queries indicate heavier load on the MySQL server. Generally there will be spikes at intervals of 5 minutes, 30 minutes, 2 hours, 12 hours, etc. This indicates the rolling up of statistics done by the stored procedures. This vital is important to watch if the NetFlow collector is sharing the MySQL server with other applications.
• KRR: Key Read Requests - The number of requests to read a key block from the cache. A high number of requests means the server is busy.
• KWR: Key Write Requests - The number of requests to write a key block to the cache. A high number of requests means the server is busy.
Cached Queries: The query cache stores the select query and the resulting data that was sent to
the client. If an identical statement is received later, the server retrieves the results from the query
cache rather than requesting the data again from the database. The query cache is shared across all
Admin Tab
•
•
•
database connections, which means the results generated by one connection can be utilized by
another connection. For more information, please reference the MySQL Documentation.
Cached Memory: The total amount of memory available to query caching. Contact support if you
find that your query cache is presently under 1 MB. For more information, please reference the
MySQL Documentation.
Threads: Threads are useful to help pass data back and forth between Scrutinizer and the database
engine. The MySQL Server currently manages whether or not to utilize the configured amount of
threads. For more information, please reference the MySQL Documentation.
KBU: Key Buffers Used - indicates how much of the allocated key buffers are being utilized. If this
vital begins to consistently hit 100%, it indicates that there is not enough memory allocated.
Scrutinizer will compensate by utilizing swap on the disk. This can cause additional delay retrieving
data due to increased disk I/O. On larger implementations, this can cause performance to degrade
quickly. Users can adjust the amount of memory allocated to the key buffers by modifying the
\scrutinizer\mysql\my.ini file and adjusting the key_buffer_size setting. A general rule of thumb is
to allocate as much RAM to the key buffer as you can, up to a maximum of 25% of system RAM
(e.g. 1GB on a 4GB system). This is about the ideal setting for systems that read heavily from keys.
If you allocate too much memory, you risk seeing further degradation of performance because the
system has to use virtual memory for the key buffer.
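As an added check that is not part of the guide or of Scrutinizer itself: read key_buffer_size from the [mysqld] section of a my.ini, accept MySQL's K/M/G size suffixes, and compare it with the 25% of system RAM ceiling described above. The my.ini content and the 4 GB RAM figure are constructed for the demonstration.

```python
import re

# Rule of thumb from the guide: give the key buffer at most 25% of system RAM.
KEY_BUFFER_MAX_FRACTION = 0.25

# MySQL size literals: a plain byte count or a number with a K, M or G suffix.
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_mysql_size(value):
    """Convert a MySQL size literal such as '256M', '1G' or '1073741824' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?)\s*", value.upper())
    if not m:
        raise ValueError("unrecognised size literal: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def read_key_buffer_size(my_ini_text):
    """Return key_buffer_size (bytes) from the [mysqld] section, or None if unset."""
    section = None
    for raw in my_ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "mysqld" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key.replace("-", "_") == "key_buffer_size":
                return parse_mysql_size(val)
    return None


def check_key_buffer(my_ini_text, system_ram_bytes):
    """Compare the configured key buffer with the 25% ceiling and return a verdict."""
    ceiling = int(system_ram_bytes * KEY_BUFFER_MAX_FRACTION)
    configured = read_key_buffer_size(my_ini_text)
    return {
        "configured": configured,
        "ceiling": ceiling,
        "ok": configured is not None and configured <= ceiling,
    }


# Constructed sample my.ini: 2G on a 4 GB system exceeds the 1G ceiling.
SAMPLE_MY_INI = """
[client]
port=3306

[mysqld]
port=3306
key_buffer_size=2G   # too large for a 4 GB system
"""

if __name__ == "__main__":
    print(check_key_buffer(SAMPLE_MY_INI, 4 * 1024 ** 3))
```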
Listener Ports
The flow collector can listen on multiple ports simultaneously. The defaults are 2055, 2056, 4432, 4739,
9995, 9996 and 6343; however, more can be added. Click on the different listener ports to view the total packet
rate per port. Click on any trend for daily, weekly, monthly and yearly trends.
Flow Analytics
Overview
Flow Analytics (i.e. FA) is the commercial add-on to Scrutinizer. FA brings the following additional features to
Scrutinizer:
•
Functions as a Network Behavior Analysis system by constantly monitoring all flows for
behaviors that could be compromising the health of the network (network scans, illegal
applications, P2P, etc.). It interrogates every flow from every host on selected flow exporting
devices for suspicious patterns and anomalies. All flows across selected flow sending devices are
monitored at all times.
•
Performs the NetFlow aggregations so that data can be saved beyond 24 hours. Scrutinizer
drops data every night just after midnight. Flow Analytics 'FA' does the archiving for Scrutinizer.
•
Numerous additional reports that provide more detailed information on the flows received.
•
DNS is run constantly to help with performance in the front end. Without Flow Analytics,
Scrutinizer performs DNS resolution on an as-needed basis. DNS entries will age out as configured in
the Admin tab -> Settings -> System Preferences. This feature will place additional load on the
server. Be careful when enabling it.
•
Performs threshold watches for saved reports. FA can monitor for nearly any combination of flow
characteristics and export a syslog if a match or a high/low threshold is reached.
•
Contact your vendor for the "NetFlow Challenge" document which outlines what is and isn't free.
FA Navigation
The navigation for FA is via gadgets in the Dashboard tab. The primary gadget "Flow Analytics
Configuration" should be added to the Dashboard.
•
At the top, it displays the overall time to run all algorithms and the total count of violations across
all algorithms.
•
Name: This is the name of the algorithm that is checking for abnormal behaviors.
•
Time: This is the amount of time the algorithm takes to run across all selected routers/switches.
•
Count: This is the number of violations found the last time the algorithm ran. Click on the trend to
view graphs for longer time periods.
•
Time exceeded: Algorithms that exceed the configured run time will be cancelled.
Algorithms and Gadgets
FA Algorithms may or may not include gadgets. Some algorithms are enabled by default. Others need to
have selected flow exporting devices added to them. A few algorithms need to have thresholds configured or
modified from the defaults.
FA Gadgets that can be added to Dashboard:
•
Custom Filters: Saved reports that are run constantly and compared to acceptable thresholds.
•
Exclude Hosts: Exclude hosts from selected algorithms to help prevent false positives. Some
hosts will constantly violate the threshold of certain algorithms. This interface helps prevent false
positive alarms by allowing selected hosts (i.e. IP addresses) to be excluded from violating one or
more algorithms. The "Exclude Hosts" gadget 'scrut_fa_exclusions.cgi' is not necessary in
Dashboard as it is best utilized as a popup.
•
Flow Analytics Configuration: The overall status of all algorithms and the total runtime and
count of violations across all algorithms. Algorithms can be ordered alphabetically or by order of
execution. LEDs in this gadget are as follows (refresh the gadget in the upper right corner):
o
Yellow - incomplete run (time limit caused the algorithm not to run during the last cycle)
o
Light Green - successfully completed on the last run
o
Gray - disabled
o
Trend - actively executing the algorithm
o
Dark Green - successfully completed on the current run
•
Flow Analytics Run Time Thresholds: The time given to each algorithm to run. Some algorithms
need more time to run depending on the number of flow exporting devices included.
•
Network Volume: The scale of the traffic traversing the core network. It lists the volume
of unique traffic on the network for the last 5 minutes vs. the last 30 hours. Only include a few core
routers/switches.
•
Select Flow Devices: Select the flow exporting devices that each algorithm will run against. Enter
text and click 'Filter' to find specific devices. Click the 'Clear' button to remove the filter and display
all devices. Some algorithms are run against all tables created by flow exporting devices while
others are only run against one or two tables (e.g. routers). The "Select Flow Devices" gadget
'scrut_fa_devices.cgi' can be added to Dashboard however it is not necessary because it is best
utilized as a popup.
•
Top Subnets and IP Violation: Define the subnets allowed on the network and Scrutinizer will
notify for any flow that occurs outside of these ranges. This algorithm is on by default across all
flow exporting devices that are exporting the necessary fields.
•
Threats Overview: Gives Network Administrators an idea on the frequency that each Flow
Analytics algorithm is being violated. The colors indicate the frequency within each time interval:
Last 5 min, Last Hour and All.
•
Top Applications: Top Applications on the network. This algorithm is on by default across all flow
exporting devices that are exporting the necessary fields.
•
Top Conversations: Top Conversations across selected flow exporting devices. This algorithm is on
by default across all flow exporting devices that are exporting the necessary fields.
•
Top Countries: Top Countries across selected flow exporting devices. This algorithm is on by
default across all flow exporting devices that are exporting the necessary fields.
•
Top Domains: Top Domains across selected flow exporting devices.
•
Top Flows: Top Flow sending end systems across selected flow exporting devices.
•
Top Hosts: Top Hosts sending data across selected flow exporting devices. It is also responsible
for executing the Unfinished Flows Violation algorithm. This algorithm is on by default across all flow
exporting devices that are exporting the necessary fields.
•
Top Networks: Top IP Subnets across selected flow exporting devices. This algorithm is on by
default across all flow exporting devices that are exporting the necessary fields.
•
Top Protocols: Top Transport Layer Protocols across selected flow exporting devices. Alarms
trigger for protocols that appear that haven't been approved. This algorithm is on by default across
all flow exporting devices that are exporting the necessary fields.
•
Top Well Known Ports: Top ports, whether they appear as the source or the destination port.
NOTE: Some algorithms should only run against core routers/switches. Watch the Flow
Analytics Overall Status gadget for algorithms that need more time to run.
Setting Up Flow Analytics (FA):
FA algorithms run sequentially. By default, they do not run against any NetFlow exporters until the NetFlow
exporters are added to the selected algorithms. To add routers to an algorithm, visit Dashboard > Configure
Flow Analytics > Flow Analytics Configuration (Gadget):
•
Click on the + icon at the top for "Flow Analytics Overall Status" and uncheck "Disable all".
A license key is necessary for evaluation.
•
Expand an algorithm by clicking on the + icon
•
Uncheck Disable
•
Click on the number (e.g. 0) below the blue router icon. This will bring up the "Devices in
Flow Analytics" gadget which is also displayed on this page. See IMPORTANT NOTES below.
•
Click on the number (e.g. 0) below the two people icon. This will bring up the "Flow
Analytics Exclusions" gadget which is also displayed on this page. Use this window to
include hosts to be excluded from selected algorithms. It is generally easier to add them
from the Alarms tab once they violate an alarm.
•
Continue selecting Algorithms and adding NetFlow exporters as outlined below.
IMPORTANT NOTES:
•
All algorithms are intended to be run against non-Internet-border routers (i.e. internal
NetFlow exporters).
•
Add only a few routers to a few algorithms initially and start off slowly. Pay attention to the
Vitals of the server. After 15-30 minutes, add a few more routers to selected algorithms and
slowly ramp up the FA deployment.
•
FA has only 300 seconds (i.e. 5 minutes) to finish all enabled algorithms. If it can't finish in
300 seconds, it will stop where it is and start over. All algorithms must finish within 5
minutes as the process repeats every 5 minutes. Optimize performance by paying attention
to the Time each algorithm takes to run as well as the overall time shown at the very top of
the Flow Analytics Configuration gadget.
FA Algorithms that don't include Gadgets:
Be sure to exclude certain hosts from select algorithms to avoid false positives. This can easily be done from
the Alarms tab as well by clicking on the host. The interface will prompt for the exclude confirmation.
•
Breach Attempts Violation: Looks for many small flows from one source to one destination. This
can indicate things such as a brute force password attack. A typical scenario would be a dictionary
attack on an SSH server. The default threshold is 100. This algorithm is on by default across all
flow exporting devices that are exporting the necessary fields.
•
Custom Reports Thresholds: Any saved reports that have an inbound threshold are executed
sequentially by this algorithm. Clicking on the name of this algorithm in the Flow Analytics
Overview gadget, will launch the Custom Filters gadget.
•
DDoS Violation: Identifies a Distributed Denial of Service attack such as those that can be
launched by a BOTNET. Visit Admin -> Settings -> Flow Analytics to set the threshold.
•
DNS Violation: Alerts when a host initiates an excessive number of DNS queries. This can help to
identify hosts that may be infected with a mailer worm or have other issues that require an inordinate
number of DNS lookups. The default threshold is 100.
•
FIN Scan: The FIN scan's "stealth" frames are unusual because they are sent to a device without
first going through the normal TCP handshaking. The default threshold is 100 and the minimum
that can be set is 20.
•
ICMP Destination Unreachable: This is a message that comes back from the router to the
requesting host stating that it doesn't have a route to the destination network of the target host.
The default threshold is 100 and the minimum that can be set is 20.
•
ICMP Port Unreachable Algorithm: This is a message that comes back from the destination
server stating that it will not open communication on the specified port requested by the host. The
default threshold is 100 and the minimum that can be set is 20.
•
Internet Threats: This algorithm goes out to an Internet site every hour and downloads an
updated list of known hosts that end systems on the network should not be communicating with.
Typically this is a list of compromised hosts that have a reputation for sending nefarious traffic.
This list is updated by several Internet Service Providers. The minimum threshold that can
be set is 1. This algorithm is on by default across all flow exporting devices that are exporting the
necessary fields.
•
Multicast Traffic Violation: Any multicast traffic that exceeds the threshold that isn't excluded will
violate this algorithm. The default threshold is 1,000,000 and the minimum that can be set is
100,000.
•
Nefarious Activity Violation: Looks for hosts communicating with many hosts with a low number
of flows. An example would be a port 80 scan of an entire subnet. Visit Admin -> Settings -> Flow
Analytics to set the threshold.
•
NULL Scan: The null scan turns off all flags, creating a lack of TCP flags that should never occur.
•
Peer to peer: P2P (includes BitTorrent) connections are monitored by this algorithm. The default
threshold is 100 and the minimum that can be set is 100.
•
RST/ACK: RST/ACK packets are connection denials that come back from destinations to the
originating hosts. This alarm can be caused by network scanning. The default threshold is 100 and
the minimum that can be set is 20. Print servers can cause false positives with this algorithm and
often need to be excluded.
•
SYN scan/flood: SYN packets are sent out in an attempt to make a network connection with a
target host. This alarm can be caused by network scanning. The default threshold is 100 and the
minimum that can be set is 20.
•
Unfinished Flows Violation: Executed by the Top Flows Algorithm, helps identify hosts that have
a high percentage of unfinished flows. This indicates scanning, Malware or poorly configured
applications on a host. The default threshold is 100 and a minimum threshold can also be
configured. Visit Admin -> Settings -> Flow Analytics to set the threshold.
•
XMAS Tree scan: The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH,
and FIN flags set. This is called an Xmas tree scan because of the alternating bits turned on and off
in the flags byte (00101001), much like the lights of a Christmas tree.
IMPORTANT NOTE: Hosts can easily be excluded from certain algorithms by clicking on the IP address in
the Alarm Tab. This will popup the Exclude Hosts table where the IP address can then be excluded from
other algorithms as well.
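The scan and brute-force checks listed above, as an added example that is not part of the guide or of Scrutinizer's own code: simplified versions of the Breach Attempts, DNS Violation and FIN/NULL/XMAS scan algorithms run over one constructed batch of flow records, with the Exclude Hosts list applied before alarming. The Breach Attempts and DNS thresholds are the guide's defaults; the scan thresholds, the "small flow" packet cutoff and all addresses are assumptions made for the demonstration.

```python
from collections import Counter, defaultdict

# TCP flag bits as carried in the NetFlow v5 tcp_flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_FLAGS = URG | PSH | FIN   # 0x29 = 00101001, the pattern the guide describes

# Breach Attempts and DNS Violation use the guide's defaults (100). The FIN
# threshold uses the guide's documented minimum (20); the NULL/XMAS values and
# the "small flow" packet cutoff are assumptions, not values from the guide.
THRESHOLDS = {
    "Breach Attempts Violation": 100,
    "DNS Violation": 100,
    "FIN Scan": 20,
    "NULL Scan": 20,
    "XMAS Tree scan": 20,
}
SMALL_FLOW_MAX_PACKETS = 3   # assumption: what counts as a "small" flow


def classify_scan(flags):
    """Return the scan algorithm a TCP flags byte matches, or None."""
    if flags == 0:
        return "NULL Scan"          # no flags at all should never occur
    if flags == XMAS_FLAGS:
        return "XMAS Tree scan"     # URG + PSH + FIN
    if flags == FIN:
        return "FIN Scan"           # FIN without a preceding handshake
    return None


def run_algorithms(flows, exclusions, thresholds=THRESHOLDS):
    """Run the simplified FA checks over one 5-minute batch of flow records.

    flows: dicts with keys src, dst, proto, sport, dport, pkts, flags
    exclusions: {algorithm: set of excluded source hosts} (the Exclude Hosts gadget)
    Returns {algorithm: {host or (src, dst): count}} for counts over the threshold.
    """
    counters = defaultdict(Counter)
    for f in flows:
        if f["proto"] == 6:                       # TCP
            scan = classify_scan(f["flags"])
            if scan:
                counters[scan][f["src"]] += 1
            if f["pkts"] <= SMALL_FLOW_MAX_PACKETS:
                # many small flows from one source to one destination
                counters["Breach Attempts Violation"][(f["src"], f["dst"])] += 1
        elif f["proto"] == 17 and f["dport"] == 53:   # UDP DNS query
            counters["DNS Violation"][f["src"]] += 1

    violations = {}
    for algo, counts in counters.items():
        excluded = exclusions.get(algo, set())
        hits = {}
        for key, n in counts.items():
            src = key[0] if isinstance(key, tuple) else key
            if n > thresholds[algo] and src not in excluded:
                hits[key] = n
        if hits:
            violations[algo] = hits
    return violations


def _flow(src, dst, proto, dport, pkts, flags=0, sport=40000):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "pkts": pkts, "flags": flags}


# Constructed sample batch; every address here is made up for the demo.
SAMPLE_FLOWS = (
    # 120 short SSH sessions from one host to one server: dictionary-attack pattern
    [_flow("10.0.0.5", "10.0.0.22", 6, 22, 3, SYN | ACK | FIN, 41000 + i) for i in range(120)]
    # 25 FIN-only probes from one host against 25 different hosts
    + [_flow("10.0.0.9", "10.0.0.%d" % (100 + i), 6, 445, 1, FIN) for i in range(25)]
    # 150 DNS queries from a workstation, and 150 from the site resolver (to be excluded)
    + [_flow("10.0.0.7", "10.0.0.2", 17, 53, 1) for _ in range(150)]
    + [_flow("10.0.0.2", "192.0.2.53", 17, 53, 1) for _ in range(150)]
    # ordinary web traffic that should trip nothing
    + [_flow("10.0.0.30", "10.0.0.80", 6, 80, 40, SYN | ACK | PSH | FIN) for _ in range(50)]
)
# The resolver is excluded from DNS Violation, as the Exclude Hosts gadget would do.
EXCLUSIONS = {"DNS Violation": {"10.0.0.2"}}

if __name__ == "__main__":
    for algo, hits in run_algorithms(SAMPLE_FLOWS, EXCLUSIONS).items():
        print(algo, hits)
```

Without the exclusion entry the resolver would also be reported under DNS Violation, which is exactly the false positive the Exclude Hosts gadget exists to suppress.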
Optimizing FA
Flow Analytics can be optimized in several different ways:
1. Modify the number of flow exporting devices included in the algorithm
2. Disable selected Algorithms
3. Utilize a second or third copy of Scrutinizer with FA.
4. Contact your vendor to learn about the minimum hardware requirements.
Flow Hopper
Flow Hopper provides end to end visibility into the path a flow took through the network on a router hop by
hop basis. Because multiple paths exist between devices, leveraging traceroute or routed topology
information may not provide the exact path taken by an end to end flow. Flow Hopper displays the correct
path at the time of the flow.
This connection solution requires that most, if not all, of the flow exporting devices in the path export
NetFlow v5 or more recent to the collector. This feature requires next-hop routing information as well
as read-only SNMPv2 or v3 access to the router.
If Flow Hopper determines that an asymmetric flow path exists (i.e. a different route is taken on the return
path), the GUI will draw out the connection accordingly. Admins can click on each router or layer 3 switch in
the path and view all details exported in the flow template. Changes in element values (e.g. DSCP, TTL,
octets, etc.) between ingress and egress metered flows are highlighted.
This feature requires a Flow Analytics license key.
System
404 Error
We are sorry, the page you requested cannot be found. Please contact support directly for more information
about your query.
500 Error
Internal Server Error: Please contact support.
Access Denied
The Administrator has denied your user account from accessing this tool.
Database Connection Failure
Overview
The system is having trouble connecting to the database. Please contact support directly for more
information about your query.
Distributed Collectors
Overview
Scrutinizer supports a distributed architecture where several servers can collect and report on flows received
locally and simultaneously display data from all collectors. One or all collectors can act as and display the
Central Interface.
Central Interface
The distributed architecture provides a central interface via MyView to view all interfaces from several
separate NetFlow & sFlow collectors.
•
Navigate to the MyView tab and create a new MyView, then give it a name (e.g. Central View).
•
On the right hand side of the page, click on the (+) icon and a menu will appear.
•
Click on the icon at the top to the right of the drop down menu.
•
Enter a Title (e.g. Server 1)
•
Take the default Height and Width. These can be adjusted later in the dashboard.
•
Enter the URL:
•
http://10.10.10.10/statusGadget.html?type=ti&limit=10&percent=1
•
http://10.10.10.10/statusGadget.html?type=ti&limit=10
You can also pass authentication:
•
http://10.10.10.10/statusGadget.html?type=ti&limit=10&percent=1&user=<USERNAME>&pass=<PASS>
•
http://10.10.10.10/statusGadget.html?type=ti&limit=10&user=<USERNAME>&pass=<PASS>
To fit more gadgets into view without scrolling, increase your screen resolution or display settings to 1440 x
900 or greater.
Flowalyzer
Flowalyzer is a free NetFlow and sFlow Tool Kit (TM) for testing flow technologies. This utility has several
tabs each with a unique function:
•
Listener: The Listener is used to determine whether or not NetFlow or sFlow is being received and
what ports they are being received on. Any application currently listening on the same port as
Flowalyzer will cause conflicts. Conflicting applications must stop using the ports Flowalyzer is
trying to listen on.
•
Generator: The Generator is used to send NetFlow packets with specified flows. Up to 30 flows can
be sent with NetFlow version 5 or up to 24 flows with NetFlow version 9 and IPFIX. If a range of
bytes and packets is specified, Flowalyzer will randomly assign these values between the ranges
specified in each flow packet sent out. The Flow Time range can also be randomized. Reference the
NetFlow v5 format or read RFC 3954 to learn more about NetFlow v9. You can also read the
Charter on IPFIX.
•
Configuration: The Configurator is used to configure NetFlow v5 and v9 on Cisco routers or
NetFlow v9 on Enterasys hardware (switches and routers).
•
Communicator: The Communicator is used to ping destination hosts with specified ports using
ICMP, TCP or UDP. It can also perform trace routes.
•
Poller: Polls devices found in Scrutinizer, or devices can be manually added. The availability and
response time for each device polled is sent off to the flow collector in IPFIX datagrams.
•
Trender: Polls devices for SNMP counters and trends the values returned.
The Flowalyzer page can provide additional information on this free NetFlow and sFlow testing utility. This
utility is fully compatible with most NetFlow and sFlow reporting tools.
Installing Adobe Flash
Overview
Scrutinizer requires that the correct version of Adobe Flash player for the server's OS (e.g. Windows 2008)
be installed on the Scrutinizer server itself (i.e. not just the end user browser).
IMPORTANT: Download and install the Flash Player (e.g. 10) for Windows Other Browsers. The Windows
Internet Explorer version will not work! The Other Browsers version is required even if other browsers
are not installed on the server (e.g. Firefox, Safari, Opera, etc.). Here is the download URL.
This must be done because the server converts the Flash graphs to .jpg files for emailed reports.
Language Translations
Overview
This software can be translated to another language. To translate or localize Scrutinizer to another
language, navigate as follows:
1. Admin Tab -> Definitions -> Language
2. Select a language and make updates. Notice the pagination at the bottom; there are well over 1000
translations.
3. Languages are saved as ~scrutinizer/files/localize_LANGUAGENAMEHERE.xls
4. Contact support and they will create a file that can be imported into Scrutinizer to support your language.
Scrut_util
Overview
In the \scrutinizer\bin\ directory there is a command line utility used for many advanced administrative
tasks. The executable is called scrut_util.exe. Here is a list of the available command line arguments (e.g.
scrut_util -checkversion):
-appgroups_conflict_check
Checks to see if there are any existing application group conflicts.
-checkversion
Checks to see if there is a newer version of Scrutinizer.
-cleanall
Runs all maintenance tasks in one easy command.
-clean_bulletin_board
Removes bulletin board events older than the number of days specified in Admin -> Settings -> Logalot.
-clean_orphans
Removes orphaned alarm events older than the number of days specified in Admin -> Settings ->
Logalot.
-clean_scheduled_reports
Expires Logalot alarm reports flag for expiration.
-collect_summary_stats
Collects and generates event summary data reports.
-create_logalot_history
Manually checks and creates (if necessary) logalot history tables.
-db_clean
This command removes any temporary databases created by the graphing engine. Executing it will
perform an on demand clean up. By default, it is a scheduled event.
-dbconnect [DB_SERVER] [DB_TCP_PORT] [DB_USER] [DB_PASSWORD]
Changes the way Scrutinizer connects to a MySQL database, whether local or remote. Note that the
[DB_USER] must exist and be capable of remote connection. This command assumes that your plixer
database has already been migrated to the new database server. To specify no password, use "" as the
password.
-delete_all_orphans
Use this command to remove all orphaned alarm events.
-dnscachedump [all]
Expires entries in the DNS Cache that are older than X days as specified in the server preferences. If all is
included, then it will empty the entire cache regardless of expiry.
-expire_history
Expires historical data as specified in the server preferences.
-expire_logalot_history_info
Expires Logalot alarm history flagged as INFO events as specified in the server preferences.
-expire_logalot_history
Expires Logalot alarm history from table as specified in the server preferences.
-fixNBAR
Renames NBAR_APPLCATION_ID to applicationTag per: draft-claise-export-application-info-in-ipfix-03.
This needs to be run after a 9.0 upgrade for NBAR reports to work with historical data.
-fix_priority_order
With some professional services and automated policy creation, some policy IDs have been known to get
out of whack (or duplicated). This tool will make sure the priority order is correctly stored.
-fix_tables
Alters history tables that were created with an incorrectly sized octetDeltaCount.
-flowalarms [Thresholds|DevFlow|Diskspace|AvailMem]
Checks for general conditions and anomalies caused by the flow data currently received by Scrutinizer.
The options list defines which details to check. No list indicates all reports. To customize the list, comma
delimit the report parameters. Do not put spaces after the commas.
-get_miam
Collects Enterasys Mobile IAM data and caches it locally. Server settings are specified under Admin ->
Settings -> Mobile IAM.
-hostimport
Imports a host file (hosts.txt) into Scrutinizer's host tables. The host file can contain IPv4 and IPv6
addresses. The host file MUST be placed in the <SCRUT INSTALL DIR>\files\ directory, e.g. c:\program
files\scrutinizer\files\hosts.txt. Host descriptions are not required.
example of hosts file:
IP            Hostname      Host Description
192.168.1.1   example.com   This is an example entry
172.16.2.1    Mike-PC       Another example
-hostmigrate
Imports CUSTOM host information from v7 into v8. This DOES NOT bring over hostnames resolved
automatically by the DNS resolver service.
-hwsummary [SHOW]
Creates a hardware summary of the Scrutinizer server that is used for vitals. By default, this event is
automatically executed routinely. If the optional parameter SHOW is used, the profile will be printed to the
screen.
-ifinfo_clean
This will purge all entries in the plixer.ifinfo table that are not in the plixer.activeif table. We keep ifinfo
entries so that custom port speed and interface descriptions will not be lost when a device stops exporting
flows. Running this option will help with the performance of the Multi-Tenancy Module interface permissions
interface.
-ifpurge
Deletes information for interfaces that are no longer sending flows. If any interface removed had a
custom description or port speed, it will need to be customized again if the interface resumes sending flows.
Typically, interfaces that have not sent flows in over 24 hours will fall into this category.
-inactiveFlowDrop
Expires interfaces from the interface view that have stopped sending flows. Entries are expired based on
the number of hours specified in the Scrutinizer Server Preferences. (Settings -> Server Preferences)
-interfaces [all|cisco|huawei|sonicwall]
This call will try alternative methods to retrieve interface descriptions. For Cisco and SonicWALL that
means using Netflow data. For Huawei, that means using SNMP and referencing their vendor specific MIBs.
-ldap [USERNAME] [PASSWORD]
Tests an LDAP connection based on the LDAP credentials configured via the front end. This command line
is intended as a test only. Required params are the user name and password. If the password is blank, pass a "".
-ldapwizard
Use this wizard to guide you through the steps to configure LDAP or LDAPS authentication.
-install [HOMEDIR]
Executes the install or upgrade procedure. This should only be executed with the assistance of Plixer
Support.
-localize [LANGUAGE_NAME]
The LANGUAGE_NAME parameter is required. If the language exists, then it will create a CSV that shows
the English and LANGUAGE_NAME keys. If the language does not exist, a blank template will be created.
-maint [OPTION] [DB] [PWD]
Valid options are ANALYZE, CHECK, OPTIMIZE and REPAIR. DB is the database to perform the desired
action on, and PWD is the root password of the database. If PWD is blank, pass a double quote (i.e. "") as the
parameter.
-opstats
Polls vitals for Scrutinizer. By default, this event is automatically executed routinely.
-optimizeCommon
Optimizes tables that are commonly inserted and deleted. This action keeps things neat and clean for the
database.
-remote [on|off]
This command will toggle remote access to the database.
-remove
Executes the uninstall procedure. This should only be executed with the assistance of Plixer Support.
-removehostpartitions
This removes table partitioning from the host_X tables. This should only be executed with the assistance
of Plixer Support.
-reset_admin_password [USERNAME]
The USERNAME is the name of the Scrutinizer user account to modify.
-reset_mysql_password
Changes the MySQL root account password.
-reset_scrutdb_password
Changes the other MySQL scrutinizer user account passwords.
-reset_vitals
Resets all vital tab statistics. Once reset, old statistics will no longer be available. Use with caution.
-routeTables
Collects routing tables for all active devices.
-ssl [ON|OFF] [TCPPORT] [COUNTRY] [STATE] [CITY] [ORG] [EMAIL] [COMMON]
Enable or disable SSL support in Scrutinizer. It only works with the local Apache server bundled with
Scrutinizer. All fields are required when [ON] is used.
NOTE: Make sure to put " " around the parameters that have white spaces.
Country Name: The two-letter ISO abbreviation for your country. ex: US = United States
State/Province: The state/province where your organization is located. Can not be abbreviated. ex: Maine
City/Locality: The city where your organization is located. ex: Atlanta
Organization: The exact legal name of your organization. Do not abbreviate. ex: Plixer International, Inc.
Email Address: The email address for the CA (who to contact). ex: someone@your.domain
Common Name: URL that you wish to attach the certificate to. ex: 10.1.1.10 or scrutinizer.company.com
-snmp_discover
Performs an SNMP discovery on exporters flagged for auto SNMP update.
-testSNMP
This command will try to get the sysObjectID for all devices. If the SNMP connection succeeds, it will return the
credential object. Otherwise, it will return the error message.
-tmp_clean
This command removes any temporary files created by the graphing engine. Executing it will perform an
on demand clean up. By default, it is a scheduled event.
-update_httpd_port [TCPPORT]
Use this command to change the apache web port. Do not edit the httpd.conf manually or certain
functionality will not work properly.
-update_plixerini_mysqlroot
Use this command to update the plixer.ini database root user password. Scrutinizer and the database root
password must be in sync. To change the database root password use -reset_mysql_password instead.
-voip [on|off]
When enabled, the command will define all even and odd ports appropriately as VoIP RTCP or VoIP RTP.
When toggled off, those definitions will be reset to undefined.
Search Tool
Overview
The Search Tool is launched by clicking on the binocular icon in the upper right hand corner. It is used to
perform a quick search for:
•
IP address or DNS host name
•
Well known port (e.g. http, 80, etc.) across all protocols (e.g. TCP, UDP, etc.)
Select a date range. Then select the flow exporting devices that the query will be run against.
NOTE: Only the 1 minute interval tables contain 100% of all flows collected. To make sure you are
querying 1 minute interval data, limit the search to under 1 hour of time. Visit the Admin tab -> Settings ->
Data History and increase the "Maximum Conversations" saved per interval to increase the volume of flows
saved per interval. Be aware that this may require more hard disk space. Visit the Admin Tab -> Reports -> Vitals to view how much hard drive space is being consumed.
Multi Tenancy Module
Overview
The Multi Tenancy module must be installed and licensed to access the following features:
1. Create more than 10 User Groups
2. Apply permissions to User Groups per Interface
3. Apply permissions to User Groups per Device
The Multi Tenancy module is useful to companies who need to give customers a unique login and restrict
what they see to specific devices and/or interfaces.
Systrax
The Help tab is a link to http://www.systrax.com. This site is the on-line support community and is used to
bring subjects of interest directly to customers and evaluators. This is done in several ways, some of which
include:
•
A frequently updated blog
•
The on-line support forum
Posting a comment or question requires membership. Click here to join.
Troubleshooting
Getting Started Guide
Contact Support: For assistance setting up the server or the collector, or for navigation techniques.
How to enable NetFlow or sFlow on various hardware.
System LEDs: Familiarize yourself with these. They should all be green.
FAQ: This page lists many common questions we have received over the years.
Webvideos: These are short 2-5 minute videos that offer good general help with different areas of the
software.
Web Server Port
Overview
This software runs on the Apache Web Server.
Follow these steps to change the web server port Scrutinizer is running on.
1. Stop the "plixer_apache" service
2. Edit the ~\SCRUTINIZER\apache\conf\httpd.conf
3. Search for the line "listen 80" or "server name" or "127.0.0.1:80" or "localhost:80"
4. Change the 80 to whatever you want
5. Restart the Plixer apache web server service
SSL Support
Please contact support to acquire the SSL version of Scrutinizer.
To configure SSL, run ~\SCRUTINIZER\bin\scrut_util -ssl and follow the instructions provided.