Cascade® Profiler and Cascade® Express
Appliance User’s Guide
Version 10.0
February 2013
© 2013 Riverbed Technology. All rights reserved.
Accelerate®, AirPcap®, BlockStream™, Cascade®, Cloud Steelhead®, Granite™, Interceptor®, RiOS®, Riverbed®, Shark®, SkipWare®,
Steelhead®, TrafficScript®, TurboCap®, Virtual Steelhead®, Whitewater®, WinPcap®, Wireshark®, and Stingray™ are trademarks or
registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service
name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The
trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners.
F5, the F5 logo, iControl, iRules and BIG-IP are registered trademarks or trademarks of F5 Networks, Inc. in the U.S. and certain other
countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. VMware, ESX, ESXi are trademarks or registered
trademarks of VMware, Incorporated in the United States and in other countries.
Portions of Cascade® products contain copyrighted information of third parties. Title thereto is retained, and all rights therein are reserved, by
the respective copyright owner. PostgreSQL is (1) Copyright © 1996-2009 The PostgreSQL Development Group, and (2) Copyright © 1994-1996 the Regents of the University of California; PHP is Copyright © 1999-2009 The PHP Group; gnuplot is Copyright © 1986-1993, 1998,
2004 Thomas Williams, Colin Kelley; ChartDirector is Copyright © 2007 Advanced Software Engineering; Net-SNMP is (1) Copyright ©
1989, 1991, 1992 Carnegie Mellon University, Derivative Work 1996, 1998-2000 Copyright © 1996, 1998-2000 The Regents of The
University of California, (2) Copyright © 2001-2003 Network Associates Technology, Inc., (3) Copyright © 2001-2003 Cambridge Broadband
Ltd., (4) Copyright © 2003 Sun Microsystems, Inc., (5) Copyright © 2003-2008 Sparta, Inc. and (6) Copyright © 2004 Cisco, Inc. and
Information Network Center of Beijing University of Posts and Telecommunications, (7) Copyright © Fabasoft R&D Software; Apache is
Copyright © 1999-2005 by The Apache Software Foundation; Tom Sawyer Layout is Copyright © 1992 - 2007 Tom Sawyer Software; Click
is (1) Copyright © 1999-2007 Massachusetts Institute of Technology, (2) Copyright © 2000-2007 Riverbed Technology, Inc., (3) Copyright
© 2001-2007 International Computer Science Institute, and (4) Copyright © 2004-2007 Regents of the University of California; OpenSSL is
(1) Copyright © 1998-2005 The OpenSSL Project and (2) Copyright © 1995-1998 Eric Young (eay@cryptsoft.com); Netdisco is (1) Copyright
© 2003, 2004 Max Baker and (2) Copyright © 2002, 2003 The Regents of The University of California; SNMP::Info is (1) Copyright © 2003-2008 Max Baker and (2) Copyright © 2002, 2003 The Regents of The University of California; mm is (1) Copyright © 1999-2006 Ralf S.
Engelschall and (2) Copyright © 1999-2006 The OSSP Project; ares is Copyright © 1998 Massachusetts Institute of Technology; libpq++ is
(1) Copyright © 1996-2004 The PostgreSQL Global Development Group, and (2) Copyright © 1994 the Regents of the University of
California; Yahoo is Copyright © 2006 Yahoo! Inc.; pd4ml is Copyright © 2004-2008 zefer.org; Rapid7 is Copyright © 2001-2008 Rapid7
LLC; CmdTool2 is Copyright © 2008 Intel Corporation; QLogic is Copyright © 2003-2006 QLogic Corporation; Tarari is Copyright © 2008
LSI Corporation; Crypt_CHAP is Copyright © 2002-2003, Michael Bretterklieber; Auth_SASL is Copyright © 2002-2003 Richard Heyes;
Net_SMTP is Copyright © 1997-2003 The PHP Group; XML_RPC is (1) Copyright © 1999-2001 Edd Dumbill, (2) Copyright © 2001-2006
The PHP Group; Crypt_HMAC is Copyright © 1997-2005 The PHP Group; Net_Socket is Copyright © 1997-2003 The PHP Group;
PEAR::Mail is Copyright © 1997-2003 The PHP Group; libradius is Copyright © 1998 Juniper Networks. This software is based in part on the
work of the Independent JPEG Group and the work of the FreeType team.
This documentation is furnished "AS IS" and is subject to change without notice and should not be construed as a commitment by Riverbed
Technology. This documentation may not be copied, modified or distributed without the express authorization of Riverbed Technology and
may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or
transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the
Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as "commercial computer
software documentation" and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed
Technology assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.
Individual license agreements can be viewed at the following location: https://<appliance_name>/license.php
This manual is for informational purposes only. Addresses shown in screen captures were generated by simulation software and are for
illustrative purposes only. They are not intended to represent any real traffic or any registered IP or MAC addresses.
Riverbed Technology
199 Fremont Street
San Francisco, CA 94105
Phone: 415.247.8800
Fax: 415.247.8801
Web: http://www.riverbed.com
Part Number
712-00060-12
Contents
Introduction.................................................................................................................................................1
About This Guide ............................................................................................................................................ 1
Types of Users .......................................................................................................................................... 1
Organization of This Guide ...................................................................................................................... 2
Document Conventions ............................................................................................................................ 2
Product Dependencies and Compatibility ....................................................................................................... 3
Hardware and Software Dependencies..................................................................................................... 3
Ethernet Network Compatibility .............................................................................................................. 3
SNMP-Based Management Compatibility ............................................................................................... 4
Contacting Riverbed ........................................................................................................................................ 4
Internet...................................................................................................................................................... 4
Technical Support ..................................................................................................................................... 4
Professional Services................................................................................................................................ 4
Documentation ......................................................................................................................................... 4
Chapter 1 - Overview..................................................................................................................................5
Overview of Profiler and Express appliances.................................................................................................. 5
Information sources ......................................................................................................................................... 6
NetFlow, sFlow, and IPFIX sources ......................................................................................................... 7
Behavior analysis............................................................................................................................................. 7
Alerting and notification.................................................................................................................................. 8
Alerting..................................................................................................................................................... 9
Notification............................................................................................................................................... 9
Traffic profiles ............................................................................................................................................... 10
Host groups.................................................................................................................................................... 10
Port groups......................................................................................................................................................11
Interface groups ..............................................................................................................................................11
Applications....................................................................................................................................................11
Traffic reporting............................................................................................................................................. 12
Shortcuts page ........................................................................................................................................ 12
Traffic Report pages ................................................................................................................................12
Quick report box .............................................................................................................................................12
Left-clicking ............................................................................................................................................12
Right-clicking ..........................................................................................................................................13
User interface..................................................................................................................................................13
Home pages .............................................................................................................................................14
Other GUI pages......................................................................................................................................17
Getting help ....................................................................................................................................................19
Chapter 2 - Configuration ........................................................................................................................21
Accessing the user interface ...........................................................................................................................21
Logging in and out...................................................................................................................................21
User interface preferences ..............................................................................................................................22
Data section .............................................................................................................................................23
Autocomplete section ..............................................................................................................................23
Date and Time Formatting section ..........................................................................................................23
Miscellaneous section..............................................................................................................................24
Account Management.....................................................................................................................................24
User Accounts..........................................................................................................................................24
RADIUS Settings ....................................................................................................................................27
ODBC DB Access ...................................................................................................................................29
Passwords .......................................................................................................................................................29
Integration.......................................................................................................................................................30
Mitigation .......................................................................................................................................................30
Flow log ..........................................................................................................................................................30
Flow log disk space balancing.................................................................................................................31
Reporting time frames .............................................................................................................................31
Packet capture (Express 460 only) .................................................................................................................32
Adding a capture job ...............................................................................................................................32
Managing capture jobs ............................................................................................................................35
Exporting a packet capture file................................................................................................................35
Profilers (Express only) ..................................................................................................................................38
Licenses (except Profiler-VE) ........................................................................................................................39
Licenses (Profiler-VE only)............................................................................................................................40
General settings ..............................................................................................................................................41
Management Interface Configuration......................................................................................................42
Name Resolution .....................................................................................................................................42
Aux Interface Configuration (Express only) ...........................................................................................44
Static Routes (Express only) ...................................................................................................................45
Monitor Interface Configuration (Express only).....................................................................................45
Packet Deduplication (Express only) ......................................................................................................45
VoIP Metrics (Express 460 only).............................................................................................................46
Time Configuration .................................................................................................................................46
Data Sources (Cascade Express only) .....................................................................................................47
SNMP MIB Configuration ......................................................................................................................48
Outgoing Mail Server (SMTP) Settings ..................................................................................................48
Inside Address Configuration ..................................................................................................................49
Security Module Configuration...............................................................................................................49
Report Data Management........................................................................................................................50
Service Management ...............................................................................................................................50
Chapter 3 - Monitoring Services .............................................................................................................51
Overview.........................................................................................................................................................51
Service dashboard...........................................................................................................................................51
Service Health content block...................................................................................................................52
Service Health by Location content block...............................................................................................53
Service Map content block ......................................................................................................................54
Service reports ................................................................................................................................................55
Overall Performance Report....................................................................................................................55
Service Performance Report....................................................................................................................57
Service Incident Report ...........................................................................................................................59
Location Performance Report..................................................................................................................61
Location Incident Report.........................................................................................................................64
Managing services ..........................................................................................................................................66
Chapter 4 - Definitions .............................................................................................................................69
Applications....................................................................................................................................................69
Layer 7 Fingerprints ................................................................................................................................69
Layer 4 Mappings....................................................................................................................................70
Host groups.....................................................................................................................................................71
Host grouping pages ................................................................................................................................71
Defining host groups ...............................................................................................................................73
Managing host group types .....................................................................................................................75
Interface groups ..............................................................................................................................................75
Port names ......................................................................................................................................................76
Port groups......................................................................................................................................................77
Quality of Service ...........................................................................................................................................77
Sensors/Sharks and Steelheads .......................................................................................................................78
WAN ...............................................................................................................................................................79
Chapter 5 - Enterprise Integration ..........................................................................................................81
Vulnerability scanning ....................................................................................................................................81
Types of vulnerability scans ....................................................................................................................82
Configuring automatic scans ...................................................................................................................82
Manually initiating a vulnerability scan ..................................................................................................84
External links ..................................................................................................................................................84
Host switch port discovery .............................................................................................................................84
API access.......................................................................................................................................................85
Identity sources...............................................................................................................................................86
Load balancers ................................................................................................................................................86
DHCP integration ...........................................................................................................................................87
Lease data file format ..............................................................................................................................87
Transfer mechanism ................................................................................................................................88
Update intervals.......................................................................................................................................88
Chapter 6 - System Verification...............................................................................................................91
System information.........................................................................................................................................91
Data sources....................................................................................................................................................92
Device/Interface Tree view......................................................................................................................93
Interfaces view.........................................................................................................................................94
Devices view ...........................................................................................................................................95
Audit trail........................................................................................................................................................97
Report Criteria .........................................................................................................................................97
Report results.........................................................................................................................................100
Activity Types and Subtypes .................................................................................................................105
Shutdown/Reboot .........................................................................................................................................111
Update...........................................................................................................................................................112
Backup ..........................................................................................................................................................113
Backup Status ........................................................................................................................................113
Excluded file types ................................................................................................................................113
Backup location .....................................................................................................................................114
Notification............................................................................................................................................114
Running the backup operation...............................................................................................................114
Manual Backup and Restore..................................................................................................................114
Chapter 7 - Service Policies .................................................................................................................. 115
Overview.......................................................................................................................................................115
The Services Policies page ...........................................................................................................................116
Configured Policies section...................................................................................................................116
Tune Policies section .............................................................................................................................118
Chapter 8 - Performance and Availability Policies ..............................................................................123
Overview.......................................................................................................................................................123
Types of policies ...........................................................................................................................................123
Application Availability policies ...........................................................................................................124
Application Performance policies .........................................................................................................125
Link Congestion policies.......................................................................................................................125
Link Outage policies..............................................................................................................................127
Managing policies.........................................................................................................................................128
Managing configured policies ...............................................................................................................128
Creating or Editing Performance and Availability policies ...................................................................130
Creating new performance and availability policies ....................................................................................132
Tuning a policy .............................................................................................................................................133
Chapter 9 - User-defined Policies .........................................................................................................135
Overview.......................................................................................................................................................135
Pre-defined policies ......................................................................................................................................136
Defining policies...........................................................................................................................................137
Setting alerting thresholds ............................................................................................................................137
Chapter 10 - Security Policies ...............................................................................................................141
Overview.......................................................................................................................................................141
Security event detection................................................................................................................................142
Security profiles............................................................................................................................................143
Types of security profiles ......................................................................................................................144
Changing security profiles.....................................................................................................................144
Tuning alerting..............................................................................................................................................145
Alerting thresholds........................................................................................................................................145
Specifying alerting thresholds ...............................................................................................................145
Requirements for matching an alerting rule ..........................................................................................146
Precedence of alerting threshold rules...................................................................................................147
Tools for managing alerts .............................................................................................................................147
Notifications of security events ....................................................................................................................147
Chapter 11 - Health Policies ..................................................................................................................149
Sensor Problem.............................................................................................................................................149
Storage Problem............................................................................................................................................150
Chapter 12 - Notifications ......................................................................................................................151
Overview.......................................................................................................................................................151
Adding recipients..........................................................................................................................................152
Assigning notifications to recipients ............................................................................................................153
Chapter 13 - Reporting...........................................................................................................................155
Overview.......................................................................................................................................................156
Quick reports ................................................................................................................................................157
Shortcuts to reports .......................................................................................................................................158
Built-in reports.......................................................................................................................................159
Custom reports.......................................................................................................................................159
Service reports ..............................................................................................................................................161
Traffic reports ..............................................................................................................................................161
Report Criteria section...........................................................................................................................162
“Report by” options...............................................................................................................................163
Traffic report section .............................................................................................................................165
WAN Optimization reports ...........................................................................................................................165
Site reports.............................................................................................................................................165
Intersite reports......................................................................................................................................167
Overall reports .......................................................................................................................................168
Top Talkers reports .......................................................................................................................................169
Report Criteria section...........................................................................................................................170
Traffic Report section ............................................................................................................................170
Event reports.................................................................................................................................................171
Report Criteria section...........................................................................................................................172
Event Report section..............................................................................................................................173
Event Details reports.....................................................................................................................................175
Viewing with an Event Viewer account ................................................................................................177
Active Directory Users reports .....................................................................................................................177
Report Criteria section...........................................................................................................................177
Report section........................................................................................................................................178
Saved reports ................................................................................................................................................179
Reports section ......................................................................................................................................180
Templates section ..................................................................................................................................180
General Information reports .........................................................................................................................181
Application Information reports ............................................................................................................181
Interface Information reports.................................................................................................................184
Device Information reports....................................................................................................................186
Interface Group Information reports .....................................................................................................187
Host Information reports .......................................................................................................................188
Host Group Information reports ............................................................................................................189
Server Information reports ....................................................................................................................190
Network Segment Information reports..................................................................................................192
QoS Information reports........................................................................................................................193
Investigation reports .....................................................................................................................................193
Service Level Objective reports ............................................................................................................194
Performance Investigation reports.........................................................................................................197
95th Percentile report ............................................................................................................................199
SDN (Software-defined Networks) Reports.................................................................................................200
VXLAN technology ..............................................................................................................................201
VXLAN Summary Report.....................................................................................................................201
Virtual Network Information Report .....................................................................................................205
Tunnel Endpoint Information Report ....................................................................................................208
VoIP reports ..................................................................................................................................................212
VoIP Performance report .......................................................................................................................212
VoIP Dependencies - Signaling report...................................................................................................217
VoIP Dependencies - Calls report..........................................................................................................220
Audit Trail reports.........................................................................................................................................220
Analyzing packet information with Cascade Pilot .......................................................................................222
Prerequisites ..........................................................................................................................................222
Analyzing Cascade Shark or Express 460 packet information .............................................................223
Exporting Cascade Shark packet information .......................................................................................224
Packet reporting and export with Cascade Sensor........................................................................................226
Viewing Sensor packet information ......................................................................................................226
Exporting Sensor packet information....................................................................................................227
Chapter 14 - Mitigation...........................................................................................................................229
Introduction...................................................................................................................................................229
Switch Mitigation ..................................................................................................................................230
Router Mitigation ..................................................................................................................................230
Using the mitigation feature ..................................................................................................................232
Trusted hosts setup........................................................................................................................................232
Switch mitigation setup ................................................................................................................................233
Field descriptions...................................................................................................................................234
Modifying switch setups........................................................................................................................234
Router mitigation setup.................................................................................................................................235
Field descriptions...................................................................................................................................235
Modifying and testing router setups ......................................................................................................236
Enabling mitigation plan generation.............................................................................................................236
Managing mitigation actions ........................................................................................................................237
Activating mitigation actions ................................................................................................................238
Deactivating mitigation actions.............................................................................................................239
Managing mitigation plans ...........................................................................................................................239
Working with Plans and Actions ...........................................................................................................241
Chapter 15 - Appliance Security............................................................................................................243
Overview.......................................................................................................................................................243
Password Security.........................................................................................................................................244
Security Compliance.....................................................................................................................................245
Operational modes.................................................................................................................................245
Accounts ................................................................................................................................................249
Access....................................................................................................................................................250
Encryption Key Management .......................................................................................................................251
Displays and controls on the page .........................................................................................................251
Replacing Keys and Certificates ...........................................................................................................253
Replacing SSH keys .....................................................................................................................................254
Regenerating an SSH key pair...............................................................................................................254
Changing SSH key pair .........................................................................................................................254
Replacing SSL certificates............................................................................................................................255
Replacing the MNMP SSL certificate...................................................................................................255
Replacing the Identityd SSL certificate.................................................................................................262
Replacing the Apache SSL certificate ...................................................................................................268
SSL certificate requirements .................................................................................................................271
Appendix A - SNMP Support .................................................................................................................273
Trap summary ...............................................................................................................................................273
Variables common to all Cascade Profiler and Cascade Express traps ........................................................274
Additional trap variables...............................................................................................................................276
Denial of Service/Bandwidth Surge trap variables................................................................................276
Suspicious Connection trap variables....................................................................................................276
New Server Port trap variables..............................................................................................................277
Performance, Availability, and User-defined trap variables ..................................................................277
Service trap variables ............................................................................................................................277
Storage Problem trap variables..............................................................................................................277
Cascade Profiler and Cascade Express appliance MIB ................................................................................278
Versions 1 and 2c...................................................................................................................................278
Version 3................................................................................................................................................278
Examples ...............................................................................................................................................278
Appendix B - Backup and Restore........................................................................................................281
Overview.......................................................................................................................................................281
Profiler and Profiler-VE ...............................................................................................................................281
Backup requirements .............................................................................................................................281
Restore requirements .............................................................................................................................282
Backing up a Standard Profiler or a Profiler-VE...................................................................................283
Restoring a Standard Profiler or a Profiler-VE .....................................................................................284
Backing up an Enterprise Profiler .........................................................................................................285
Restoring an Enterprise Profiler ............................................................................................................286
Express and Express 460 ..............................................................................................................................287
Backup requirements .............................................................................................................................287
Restore requirements .............................................................................................................................288
Backing up an Express ..........................................................................................................................289
Restoring an Express .............................................................................................................................290
Appendix C - Securing the Environment..............................................................................................293
Introduction
Welcome to the Cascade Profiler and Cascade Express Appliance User’s Guide. This guide also covers the Cascade
Profiler Virtual Edition (Profiler-VE), which is a software-only version of the Profiler. The Profiler-VE operates the
same as the hardware-based Profiler appliance except for a small difference in licensing. This is described in Chapter
2, “Configuration.”
Read this introduction for an overview of the information provided in this guide, the documentation conventions used
throughout, the hardware and software dependencies, additional reading, and contact information. This introduction
includes the following sections:
• “About This Guide,” next
• “Product Dependencies and Compatibility” on page 3
• “Contacting Riverbed” on page 4
About This Guide
The Cascade Profiler and Cascade Express Appliance User’s Guide describes how to configure and manage the
Cascade Profiler appliance (Profiler), Cascade Profiler Virtual Edition software (Profiler-VE) and Cascade Express
appliance (Express). It describes configuring the products on the network, defining what is to be monitored, defining
usage policies, alerting on policy violations, and reporting on traffic volumes and policy violations.
The Cascade Profiler and Cascade Express appliances differ in their capacities for handling and storing flow data. They
also differ in their options for receiving data from flow data sources. This guide identifies the differences between the
two products where they impact the procedures or functionality being described. Otherwise, both products, in addition
to the Profiler-VE, are referred to as simply “the appliance” or “the system” throughout the guide.
Types of Users
This guide is written for network operations and security operators, administrators, managers and analysts. It assumes
that you have at least a basic understanding of networking and network management concepts.
Organization of This Guide
The Cascade Profiler and Cascade Express Appliance User’s Guide includes the following chapters:
• Chapter 1, “Overview,” an overview of the features.
• Chapter 2, “Configuration,” configuring the appliance to be accessible on the network to authorized users.
• Chapter 3, “Monitoring Services,” defining and monitoring network services.
• Chapter 4, “Definitions,” how to define applications, groups, port names and QoS classes so that they can be
  tracked, reported, and alerted on.
• Chapter 5, “Enterprise Integration,” main features for integrating the appliance into the core infrastructure of
  your network.
• Chapter 6, “System Verification,” how to ensure that the appliance is properly configured before you begin
  routine operational use.
• Chapter 7, “Service Policies,” managing the policies created to monitor service performance metrics.
• Chapter 8, “Performance and Availability Policies,” capabilities for monitoring the performance and availability
  of your network.
• Chapter 9, “User-defined Policies,” capabilities for monitoring violations of network usage policies.
• Chapter 10, “Security Policies,” capabilities for monitoring violations of network security policies.
• Chapter 11, “Health Policies,” capabilities for alerting users to the existence of Sensor problems.
• Chapter 12, “Notifications,” capabilities for notifying users or groups of users when network behavior triggers an
  alert.
• Chapter 13, “Reporting,” reporting features.
• Chapter 14, “Mitigation,” capabilities for mitigating the effects of malicious or misconfigured traffic.
• Chapter 15, “Appliance Security,” password security, security compliance, and encryption key management.
• Appendix A, “SNMP Support,” traps and access to the MIB.
• Appendix B, “Backup and Restore,” backing up the Cascade Profiler and Cascade Express logs and restoring the
  system from the backup copy.
Document Conventions
This guide uses the following standard set of typographical conventions to introduce new terms, describe command
syntax, and so forth.
Convention    Meaning

italics
    Within text, new terms and emphasized words appear in italic typeface.

boldface
    Within text, commands, keywords, identifiers (names of classes, objects, constants, events, functions,
    program variables), environment variables, filenames, GUI controls, and other similar terms appear in
    bold typeface.

Courier
    Information displayed on your terminal screen and information that you are instructed to enter appears
    in Courier font.

<>
    Within syntax descriptions, values that you specify appear in angle brackets. For example:
    interface <ipaddress>

[]
    Within syntax descriptions, optional keywords or variables appear in brackets. For example:
    ntp peer <addr> [version <number>]

{}
    Within syntax descriptions, required keywords or variables appear in braces. For example:
    {delete <filename> | upload <filename>}

|
    Within syntax descriptions, the pipe symbol represents a choice to select one keyword or variable to
    the left or right of the symbol. (The keyword or variable can be either optional or required.) For
    example:
    {delete <filename> | upload <filename>}
Product Dependencies and Compatibility
This section provides information about product dependencies and compatibility. It includes the following sections:
• “Hardware and Software Dependencies,” next
• “Ethernet Network Compatibility” on page 3
• “SNMP-Based Management Compatibility” on page 4
Hardware and Software Dependencies
The following table summarizes the hardware and software requirements for the Cascade Profiler and Cascade Express
appliances.
Riverbed Cascade Component    Hardware and Software Requirements

chassis
    19 inch (483 mm) two- or four-post rack.

user interface
    Secure Sockets Layer (SSL) capable browser. The user interface has been successfully tested using
    Firefox 16 and Microsoft Internet Explorer 7, 8 and 9.
    Note: JavaScript and cookies must be enabled in your Web browser.

command line interface
    A computer with a Secure Shell (ssh) client that is connected by an IP network to the appliance
    management interface. Free ssh clients include PuTTY for Windows computers and OpenSSH for Linux.
Ethernet Network Compatibility
The appliance supports the following types of Ethernet networks:
• Ethernet Logical Link Control (LLC) (IEEE 802.2 - 2002)
• Fast Ethernet 100 Base-TX (IEEE 802.3 - 2002)
• Gigabit Ethernet over Copper 1000 Base-T and Fiber 1000 Base-SX (LC connector) (IEEE 802.3 - 2002)
The management port in the appliance is 10 Base-T/100 Base-TX/1000.
The appliance supports VLAN Tagging (IEEE 802.1Q - 2003). It does not support the Cisco ISL protocol.
All copper interfaces are auto-sensing for speed and duplex (IEEE 802.3 - 2002).
SNMP-Based Management Compatibility
The appliance supports a proprietary Riverbed MIB accessible through SNMP. Both SNMP v1 (RFCs 1155, 1157,
1212, and 1215) and SNMP v3 are supported.
SNMP support allows the appliance to be integrated into network management systems such as Hewlett Packard
OpenView Network Node Manager, BMC Patrol, and other SNMP-based network management tools.
Contacting Riverbed
This section describes how to contact departments within Riverbed.
Internet
You can find out about Riverbed products through our Web site at http://www.riverbed.com.
Technical Support
If you have problems installing, using, or replacing Riverbed products, contact Riverbed Technical Support or your
channel partner who provides support. To contact Riverbed Technical Support, please open a trouble ticket at
https://support.riverbed.com or call 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or
+1 415 247 7381 outside the United States.
Professional Services
Riverbed has a staff of professionals who can help you with installation assistance, provisioning, network redesign,
project management, custom designs, consolidation project design, and custom coded solutions. To contact Riverbed
Professional Services go to http://www.riverbed.com or email proserve@riverbed.com.
Documentation
We continually strive to improve the quality and usability of our documentation. We appreciate any suggestions you
may have about our online documentation or printed materials. Send documentation comments to
techpubs@riverbed.com.
CHAPTER 1
Overview
This chapter provides an overview of Cascade Profiler and Cascade Express features. It includes the following
sections:
• “Overview of Profiler and Express appliances,” next
• “Information sources” on page 6
• “Behavior analysis” on page 7
• “Alerting and notification” on page 8
• “Traffic profiles” on page 10
• “Host groups” on page 10
• “Port groups” on page 11
• “Interface groups” on page 11
• “Applications” on page 11
• “Traffic reporting” on page 12
• “User interface” on page 13
• “Getting help” on page 19
This chapter assumes you have installed the appliance and performed the installation verification. For installation
information, see the Cascade Installation Guide.
Overview of Profiler and Express appliances
The Profiler and Express appliances provide continuous visibility into the performance and behavior of the
computers, applications, and users on your network. Each appliance collects information from a variety of sources,
analyzes network behavior, and reports current and historical network usage. It also alerts you to significant changes
in the behavior of the network or individual elements of the network.
The information that the appliance provides is useful for managing:
• Services
• Performance and availability
• Security
• Regulatory compliance
• WAN optimization
• Change management databases
• Data center migrations and consolidations
Information sources
The appliance collects traffic, application, and user data from multiple sources, including:
• Cascade Sensor
• Cascade Gateway
• Cascade Shark
• Steelhead
• NetFlow, sFlow, IPFIX, and Packeteer FDR data sources (Cascade Express only)
• Microsoft Active Directory domain controllers
The appliance combines and de-duplicates data from all sources to report both detailed and aggregated information
about hosts, ports, interfaces, applications, and users. It also uses this data to identify and alert on changes in network
behavior.
Cascade Sensor and Sensor-VE
Using mirror ports on switches or passive taps on lines, Sensors provide the appliance with statistics for the following
network traffic characteristics:
• Connections between hosts on the monitored segments of the network
• Source and destination IP addresses and port numbers used in the connections
• Protocols
• Applications being accessed on hosts
• Traffic volumes in connections, packets, bytes, or bits per second
• Performance metrics
Sensor communications with the appliance are compressed and encrypted.
Cascade Gateway and Gateway-VE
The Cascade Gateway is deployed in a local or remote network to receive traffic data from sources at that location,
including:
• NetFlow, sFlow, or IPFIX sources
• Steelhead CascadeFlow sources
• Packeteer FDR sources
It aggregates the data, compresses it, encrypts it, and then transmits it to two Profiler or Express appliances.
Additionally, it can forward this data in its native format to two other destinations.
Cascade Shark
The Cascade Shark sends the Cascade Profiler and Cascade Express information about all the traffic it sees on the
network. From within the Cascade Profiler user interface, you can access the Cascade Shark and Pilot for detailed
packet-level analysis.
Steelhead
The Riverbed Steelhead sends CascadeFlow to a Cascade Gateway or directly to a Cascade Express. The Profiler or Express
uses this flow information to report the traffic flows and WAN performance associated with the Steelhead appliances.
NetFlow, sFlow, and IPFIX sources
The Cascade Express can use IPFIX or NetFlow data directly from switches, routers, or other devices installed at key
points in the network. The Cascade Profiler can receive this data from Cascade Gateway appliances. The data source
devices must be configured to send their data to the appliance.
The appliance processes data that is compatible with IPFIX and Cisco NetFlow Versions 1, 5, 7, and 9.
Packeteer
The Cascade Profiler and Cascade Express can obtain information about Layer 7 application traffic from Packeteer
devices that are sending Flow Detail Records. The Cascade Express can receive Packeteer data directly. The Cascade
Profiler can receive this data from Cascade Gateway appliances that are receiving it from Packeteer sources.
Microsoft Active Directory domain controllers
The optional user identity feature relies on data obtained from the security event log of one or more Microsoft Active
Directory domain controllers. This data can be sent directly to the appliance or it can be read by a Windows
intermediary host that sends it to the appliance.
The appliance interprets this data to track successful and failed login attempts by domain users on hosts within the
domain. It associates this user identity information with host information to produce reports that identify users as well
as hosts.
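To make concrete how logon events from the security event log become the user-to-host associations described above, here is an added Python example; it is not Riverbed code and not the appliance's own parser. It assumes the domain controller events have already been exported as one line per event in a simple text form constructed for this example. The event IDs 4624 (successful logon) and 4625 (failed logon) are the standard Windows Security log identifiers, but the line layout, field names, sample accounts and addresses are all constructed here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed line format for this example (not the Windows event XML and not
# the format the appliance ingests): timestamp, event ID, account, workstation
# name and the source IP the logon came from.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) "
    r"Host=(?P<host>\S+) SrcIP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
LOGON_SUCCESS = "4624"   # standard Windows Security log ID: account successfully logged on
LOGON_FAILURE = "4625"   # standard Windows Security log ID: account failed to log on

# Constructed sample events; the last line is deliberately not a logon event.
SAMPLE_EVENTS = [
    r"2013-02-04T08:01:12Z EventID=4624 User=CORP\alice Host=WS-NY-01 SrcIP=10.1.20.15",
    r"2013-02-04T08:03:40Z EventID=4625 User=CORP\bob Host=WS-NY-01 SrcIP=10.1.20.15",
    r"2013-02-04T08:03:52Z EventID=4625 User=CORP\bob Host=WS-NY-01 SrcIP=10.1.20.15",
    r"2013-02-04T08:04:05Z EventID=4625 User=CORP\bob Host=WS-NY-01 SrcIP=10.1.20.15",
    r"2013-02-04T08:10:00Z EventID=4624 User=CORP\bob Host=WS-LON-07 SrcIP=10.2.5.8",
    r"2013-02-04T09:30:00Z EventID=4624 User=CORP\carol Host=WS-NY-01 SrcIP=10.1.20.15",
    "2013-02-04T09:31:00Z this line is not a logon event",
]


@dataclass
class HostIdentity:
    current_user: Optional[str] = None     # account from the most recent successful logon
    last_success: Optional[str] = None     # timestamp of that logon
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))


def parse_event(line: str) -> Optional[dict]:
    """Return the event fields, or None for lines that are not logon events."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def build_identity_table(lines: List[str]) -> Dict[str, HostIdentity]:
    """Map each source IP to the account currently logged on there and to the
    failed-logon count per account, which is what the user identity feature
    needs to label hosts with users in reports."""
    table: Dict[str, HostIdentity] = defaultdict(HostIdentity)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skip it rather than guess an identity
        rec = table[ev["ip"]]
        if ev["eid"] == LOGON_SUCCESS:
            rec.current_user = ev["user"]
            rec.last_success = ev["ts"]
        elif ev["eid"] == LOGON_FAILURE:
            rec.failures[ev["user"]] += 1
    return dict(table)


def hosts_for_user(table: Dict[str, HostIdentity], user: str) -> List[str]:
    """Hosts where `user` is the current logged-on account (the user-centric view)."""
    return sorted(ip for ip, rec in table.items() if rec.current_user == user)


def hosts_with_failed_logons(table: Dict[str, HostIdentity], threshold: int = 3) -> List[str]:
    """Hosts where any single account failed to log on at least `threshold` times."""
    return sorted(ip for ip, rec in table.items()
                  if any(n >= threshold for n in rec.failures.values()))


if __name__ == "__main__":
    identities = build_identity_table(SAMPLE_EVENTS)
    for ip, rec in sorted(identities.items()):
        print(ip, rec.current_user, rec.last_success, dict(rec.failures))
    print("repeated failures:", hosts_with_failed_logons(identities))
```

The table keeps only the latest successful logon per host, so a shared workstation is reported under whoever logged on most recently; repeated failures for one account from one address are surfaced separately rather than silently dropped.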
Behavior analysis
Profiler and Express employ a variety of techniques for analyzing and evaluating network behavior, including:

Service policies

Performance and availability policies

User-defined policies

Security policies (Security policies are not available if the optional security analytics module is disabled or not
installed.)

Health policies
When the appliance determines that a policy violation or other significant event has occurred, it displays an alert status,
sends an SNMP notification to a management system, or sends an email notification to a specified person or group of
people.
Whether behavior analysis is based on comparisons to absolute thresholds or on advanced analytics using dynamic
modeling of network behavior, the result is the identification of conditions and events that you want to know about.
You can control which events generate alerts by setting tolerance ranges or alerting thresholds for each type of policy.
Events that violate one policy may be more important than events that violate another policy, so you may want them
to generate higher level alerts or to notify different people. The notification includes a link to a detailed report of the
network event that triggered the alert. This report is available both on the appliance GUI and on any NMS or SEM
product that has been configured to access the appliance reporting features. You can examine the report and determine
what action to take.
The appliance enables you to determine who is notified of what type of events and what level of alert (low, medium
or high) is generated for each type of policy violation. The appliance is shipped with several useful policies already
defined. You can activate these, adjust them for your network, or use them as examples for creating new policies.
The appliance uses the following steps to analyze network behavior and alert you to significant network events:
1. Network monitoring - receives traffic information from any combination of a variety of sources. Aggregates, deduplicates and processes traffic data to prepare it for network behavior analysis. Builds profiles of typical network
behavior for specified times.
The Profiler and Express receive data from Sensor or Gateway appliances. The Express can also monitor traffic
directly and receive flow records from other sources.
2. Event detection - compares network behavior to usage policies specified on the Behavior Analysis > Policies
pages. Analyzes compliance with service policies, performance and availability policies, security policies, and
user-defined policies using separate sets of analytics. Assigns each security policy violation event a severity rating
number based on the likelihood of it being a threat to network performance, availability or security.
3. Alert generation - checks the severity of each network event against a set of user-defined tolerance ranges or
alerting thresholds. When the severity of an event exceeds a tolerance or alerting threshold, the appliance alerts
users to the existence of the event by indicating an alert condition and displaying information about the event.
4. Notification - automatically sends email alert messages to designated recipients. Sends SNMP messages to
designated security or operations management systems.
5. Event reporting - saves details of all events that triggered alerts. Event detail reports can be viewed on the user
interface or retrieved by remote management systems for analysis. Refer to the next chapter for descriptions of
reporting.
The appliance follows this sequence of actions for service policies, performance and availability policies, security
policies, and user-defined policies. However, steps for policy definition and tuning vary, depending on the type and
complexity of the policy. These are discussed in the sections that follow.
Alerting and notification
The appliance uses the following mechanisms to notify an operator or management system that a network event has
violated a policy.

Alert level status displays - The appliance displays a “High,” “Medium,” or “Low” alert indication in the
header at all top-level GUI pages. The alert indication is displayed until the alert condition no longer exists or is
temporarily suppressed (“snoozed”) by clicking a control on the event details report for the event.

SNMP notifications - The appliance sends SNMP traps or notification messages to specified network
management systems. The management system receiving the notification might display messages or send email
itself. It can obtain a URL from the message, which allows it access to a report of the event that triggered the
alert. Management systems that will be retrieving Event Detail reports from the appliance based on URLs
attached to SNMP notifications should be given a user account and added to the access control list on the
Integration > API Authorization page.

Email notifications - The appliance sends email notifications to designated users or management systems.
Alerting
The appliance displays an indication of its alert status at the top of the user interface page. The alert status is one of the
following:

OK - The appliance is operating and no alerts are present.

Low - One or more low-severity events are present.

Medium - One or more medium-severity events are present.

High - One or more high-severity events are present.

Unknown - The alert status is unknown when the appliance is offline.
Alerts are triggered by conditions that violate service policies, performance and availability policies, user-defined
policies, or security policies.
If the Alert Level indicator at the top of the page is red (High) or yellow (Medium), click the red or yellow indicator
to run an Event Report. The Event Report lists events that are triggering alerts. Click the Event ID in the Event List to
run an Event Detail Report for an individual event.
You can also investigate the event that triggered the alert by using the Dashboard page, the Report pages, or the Quick
report box at the top of the page.
Figure 1-1. Page Header
Notification
You can specify who is to be notified at the time you define a policy. Alternatively, there is a page for modifying or
specifying all notifications.
Traffic profiles
The appliance collects traffic data from the monitored network and aggregates it into traffic profiles. A traffic profile
can be created for “business hours” or “weekends” or any other time periods you want to specify. Each profile is a
mathematically-derived abstraction of the network behavior that is typical for the time periods it represents. Recent
statistics play a larger role in the traffic profile than older statistics, with each previous time period having a
successively smaller impact on the profile. This allows the appliance to automatically adjust to changes in network
traffic patterns over time. It is responsive to new conditions, yet retains a historical perspective of traffic patterns on
the network.
The appliance compares new traffic to the corresponding profile to detect anomalous behavior. The definition of
anomalous behavior can be tuned to accommodate a wide variety of considerations.
The traffic profile is available to use for event detection when the appliance has collected sufficient data and a
user-definable delay time has ended. There are two types of traffic profiles:

Recurring profiles

Exception profiles
Recurring profiles are developed from traffic during times that occur every week, such as Monday from 8:00 AM to
4:59 PM. Exception profiles are developed from traffic collected during times that occur less frequently than a weekly
schedule, such as ends of quarters or holidays.
Both types of profiles can comprise multiple time period specifications. For example, a Recurring profile named
“Business hours” might be specified to include traffic from 8:00 AM to 4:59 PM every weekday. An Exception profile
called “Ends of Quarters” might be specified to include traffic on March 31, June 30, and so forth.
Recurring profiles are useful for tailoring your system to accommodate known peaks and lulls in weekly traffic.
Exception profiles allow you to treat holidays, quarterly events, or one-time promotional event surges differently from
normal traffic. Using multiple configurable profiles allows you to set alerting thresholds more closely without
significantly increasing false positives.
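The recency weighting and the recurring/exception split described above can be illustrated with a small Python model, added here as an example; it is not the appliance's analytics and the page does not state the weighting the appliance uses. The example assumes an exponentially weighted mean and variance per profile, a tolerance expressed in standard deviations, a minimum number of periods before a profile is used (the page's "sufficient data" delay), and a fixed list of quarter-end dates for the exception profile. The traffic values are constructed.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed exception dates (month, day) for an "Ends of Quarters" profile.
EXCEPTION_DATES = {(3, 31), (6, 30), (9, 30), (12, 31)}


def profile_for(ts: datetime) -> str:
    """Pick the profile a sample belongs to. Exception profiles take precedence
    over the recurring weekly schedule, so quarter-end traffic is never judged
    against the ordinary business-hours baseline."""
    if (ts.month, ts.day) in EXCEPTION_DATES:
        return "Ends of Quarters"
    if ts.weekday() < 5 and 8 <= ts.hour < 17:   # Mon-Fri, 08:00 to 16:59
        return "Business hours"
    return "Off hours"


@dataclass
class Profile:
    """Exponentially weighted baseline: the newest period gets weight `alpha`,
    and each older period's weight decays by a further factor of (1 - alpha),
    which is the 'successively smaller impact' the text describes."""
    name: str
    alpha: float = 0.3
    mean: float = 0.0
    var: float = 0.0
    periods: int = 0

    def update(self, value: float) -> None:
        if self.periods == 0:
            self.mean, self.var = value, 0.0
        else:
            diff = value - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.periods += 1

    def is_anomalous(self, value: float, tolerance: float = 3.0, min_periods: int = 5) -> bool:
        if self.periods < min_periods:
            return False   # profile not yet usable: still within its learning delay
        sigma = math.sqrt(self.var)
        # a floor of 5% of the mean keeps a very flat baseline from flagging noise
        return abs(value - self.mean) > tolerance * max(sigma, 0.05 * self.mean)


class TrafficProfiler:
    def __init__(self, **detection_kw):
        self.profiles: Dict[str, Profile] = {}
        self.detection_kw = detection_kw

    def observe(self, ts: datetime, value: float) -> Tuple[str, bool]:
        """Judge `value` against the profile for `ts`, then fold it into that
        profile so the baseline keeps adapting."""
        name = profile_for(ts)
        prof = self.profiles.setdefault(name, Profile(name))
        flagged = prof.is_anomalous(value, **self.detection_kw)
        prof.update(value)
        return name, flagged


# Constructed samples: Mbps for a host group, hourly on Monday 4 Feb 2013,
# followed by one quarter-end reading of the same size as the spike.
SAMPLE_OBSERVATIONS: List[Tuple[datetime, float]] = [
    (datetime(2013, 2, 4, 9), 100.0),
    (datetime(2013, 2, 4, 10), 104.0),
    (datetime(2013, 2, 4, 11), 98.0),
    (datetime(2013, 2, 4, 12), 102.0),
    (datetime(2013, 2, 4, 13), 100.0),
    (datetime(2013, 2, 4, 14), 101.0),
    (datetime(2013, 2, 4, 15), 99.0),
    (datetime(2013, 2, 4, 16), 400.0),    # four times the baseline during business hours
    (datetime(2013, 6, 30, 12), 400.0),   # same volume, but on a quarter-end date
]


def run_sample() -> List[Tuple[str, bool]]:
    """Return (profile name, anomalous?) for each constructed observation."""
    profiler = TrafficProfiler()
    return [profiler.observe(ts, value) for ts, value in SAMPLE_OBSERVATIONS]


if __name__ == "__main__":
    for (ts, value), (name, flagged) in zip(SAMPLE_OBSERVATIONS, run_sample()):
        print(ts, value, name, "ANOMALY" if flagged else "ok")
```

The first five business-hour samples are absorbed silently because the profile is still learning; the 400 Mbps reading at 16:00 is flagged against the business-hours baseline, while the identical reading on 30 June is routed to the "Ends of Quarters" profile and is not compared with weekday traffic at all, which is the false-positive reduction the text attributes to multiple profiles.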
Host groups
The appliance enables you to assign hosts to groups so that you can track, report and alert on organizationally
meaningful categories of traffic, such as traffic by host function or traffic by host location. This allows you to view the
traffic of the same hosts from multiple perspectives.
For example, a view categorized by functions might include a host group for web servers, another host group for email
servers, and so forth. A second view, categorized by location, might include all hosts in New York in one group, all
hosts in London in another group, and so forth.
Groups are defined in terms of IP addresses or address ranges. You can enter these in the GUI or import a text file
containing group definitions. Alternatively, you can define a host group based on hosts listed in a report table.
Within any group type (such as “by location” or “by function”), you can assign names that identify the membership
criteria for the group. For example, when grouping hosts by their functions, you might assign group names such as:

Desktops

Laptops

Mail_servers

Web_servers

Database_servers

Transaction_servers

Routers

Load_balancers

Firewalls
Port groups
The appliance tracks and reports traffic data both by hosts and by ports. You can define a group of protocol/port
specifications, assign the group a name, and then track and report the usage of ports at the level of port groups instead
of by individual ports.
Reporting port usage by group is especially useful if you have a large number of hosts involved in a particular business
process and it would be impractical to track port usage individually. Aggregating ports into manageable groups can
make reports easier to interpret. You could have many port groups for managing many applications, or just a few
groups, such as “encrypted” and “non-encrypted.”
Port groups are also useful when you are using User-defined policies. Assume, for example, that you want to be alerted
if a desktop host starts running a web server. Because web servers typically run on ports 80, 443, 8080, and 8081, you
could assign these to a port group called “web” and then specify a rule to generate an alert when a host from the host
group “desktops” uses ports in the port group “web.”
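As an added example (not Riverbed code), the following Python evaluates the "desktop running a web server" rule above over constructed flow records, using host groups defined by address ranges in two group types and a "web" port group. The group names and ranges, the flow record fields, and the longest-prefix rule for overlapping ranges are assumptions made for this example; the page does not describe the appliance's import file format or its matching rules.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Host groups by group type, each member defined as address ranges (assumed).
HOST_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "by function": {
        "Desktops": ["10.1.20.0/24", "10.2.20.0/24"],
        "Web_servers": ["10.1.10.0/28"],
        "Mail_servers": ["10.1.10.16/28"],
    },
    "by location": {
        "New York": ["10.1.0.0/16"],
        "NY datacenter": ["10.1.10.0/24"],   # overlaps New York; the narrower range wins
        "London": ["10.2.0.0/16"],
    },
}

# Port groups as (protocol, port) pairs.
PORT_GROUPS: Dict[str, Set[Tuple[str, int]]] = {
    "web": {("tcp", 80), ("tcp", 443), ("tcp", 8080), ("tcp", 8081)},
    "mail": {("tcp", 25), ("tcp", 587)},
}


def _compile(groups: Dict[str, Dict[str, List[str]]]):
    """Flatten each group type to (network, group) entries, most specific prefix first."""
    compiled = {}
    for gtype, members in groups.items():
        entries = [(ipaddress.ip_network(cidr), name)
                   for name, cidrs in members.items() for cidr in cidrs]
        entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
        compiled[gtype] = entries
    return compiled


_COMPILED = _compile(HOST_GROUPS)


def groups_for(ip: str) -> Dict[str, Optional[str]]:
    """The same host seen from every group type, e.g. by function and by location."""
    addr = ipaddress.ip_address(ip)
    return {gtype: next((name for net, name in entries if addr in net), None)
            for gtype, entries in _COMPILED.items()}


def port_group_of(proto: str, port: int) -> Optional[str]:
    return next((g for g, members in PORT_GROUPS.items() if (proto, port) in members), None)


# Constructed flows: (client_ip, server_ip, protocol, server_port, bytes).
SAMPLE_FLOWS = [
    ("10.1.20.15", "10.1.10.5", "tcp", 443, 12000),   # desktop browsing a web server: normal
    ("10.2.20.7", "10.1.20.15", "tcp", 8080, 5400),   # desktop *serving* on 8080: violation
    ("10.1.20.15", "10.1.10.20", "tcp", 25, 800),     # desktop sending mail: normal
    ("203.0.113.9", "10.1.10.5", "tcp", 80, 90000),   # external client to a web server: normal
]


def evaluate_rule(flows, group_type: str = "by function",
                  host_group: str = "Desktops", port_group: str = "web") -> List[dict]:
    """Alert when a host in `host_group` is the *server* side of a flow on a
    port in `port_group`. Client-side use of the same ports is not a violation,
    which is why the flow direction has to be known, not just the port."""
    alerts = []
    for client, server, proto, port, nbytes in flows:
        server_groups = groups_for(server)
        if server_groups[group_type] == host_group and port_group_of(proto, port) == port_group:
            alerts.append({"server": server, "client": client, "proto": proto,
                           "port": port, "bytes": nbytes,
                           "location": server_groups.get("by location")})
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_FLOWS):
        print("ALERT: desktop serving web traffic:", alert)
```

Only the second flow trips the rule, because there the desktop is the server on tcp/8080; the first flow uses the same port group but with the desktop as the client. The location lookup on the alert shows the "multiple perspectives" point: the offending host is reported as a desktop by function and as a New York host by location without being defined twice.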
Interface groups
The appliance tracks interface traffic volumes and utilization percentages. For networks with a large number of
interfaces, it is often helpful to aggregate interface statistics into groups for reporting and alerting.
You can define policies for interface groups and generate reports on interface groups.
WAN interfaces can be grouped separately to facilitate tracking and reporting for WAN optimization.
Applications
The appliance tracks and reports application traffic. An application can be defined by either a fingerprint or a mapping.

Layer 7 Fingerprints - If the appliance is receiving data from a Sensor, a Packeteer device, or a Cisco device with
the NBAR option, it tracks application traffic based on application fingerprints that are Riverbed-supplied,
Packeteer-supplied, Cisco-supplied, or user-defined.

Layer 4 Mappings - An application can be defined by mapping hosts and ports to an application name. When the
appliance sees a flow that matches the hosts or ports, it classifies that flow as application traffic.
Traffic reporting
The traffic reporting feature supports several approaches to creating reports:

Shortcuts page

Traffic Report pages

Quick report box in header

Left-clicking

Right-clicking
Traffic reports can be saved, emailed, exported and printed.
Shortcuts page
The Shortcuts page provides links for running predefined reports. These have been predefined as far as practical and
named in terms of common tasks to simplify running a report to answer a question about your network.
Traffic Report pages
Traffic reports can be oriented towards hosts, interfaces, or applications. Additionally, an advanced reporting page
provides controls for searching profiles or historical logs for time-series data for specified hosts or ports. Each type of
traffic report provides controls for specifying the time span of the report and the format of the display.
The report displays include controls for changing the subjects and formats of the reports. Up to ten thousand lines of
traffic report data can be exported in comma-separated values (CSV) files for use with other report generating tools or
databases. Reports can also be exported as HTML archive files or PDF files.
Quick report box
The Quick report box appears in the header of each top-level page of the GUI. If you want a report about a specific
entity, you can enter the entity identifier and value in this box and click Go to produce a report without specifying a
query on one of the Report pages.
Left-clicking
Left-clicking a host or host group generates two lists of traffic volumes. These are listed by port for:

Ports served by the host or host group

Ports connected to by the host or host group
Left-clicking a port or port group generates a traffic report of hosts and host groups providing or consuming services
over the port or ports in the port group.
Left-clicking a service runs a service performance report.
Left-clicking the flow ID on a flow list allows you to perform packet-level analysis using a Cascade Pilot and Cascade
Shark appliances.
Right-clicking
Right-click menus enable you to obtain additional information without having to switch contexts or go to the report
pages. You can right-click any underlined item in any list or table entry to drill down to additional detail about that
item. You can also right-click any traffic graph on the Dashboard or on any traffic report to obtain additional detail.
Right-clicking a service displays a menu of performance reports that can be run for that service.
The choices for additional information that appear on the right-click menu depend on the item you right-click and the
options that you have configured. For example, if you right-click a host and you have vulnerability scanning
configured, then you will be able to initiate a vulnerability scan from the right-click menu. If you have external links
defined, then the links are listed on the right-click menu, and you can send the item you click to an external program
with just one more click. If you have the user identity feature set up, you will be able to run a user report from the rightclick menu. If the appliance is receiving information from a Sensor or Shark, you can get packet-level reports for the
host. Additionally, you can specify notes to be associated with hosts for future reference.
Menu choices that are grayed out are either not applicable to the item clicked or else not available because they are not
configured.
The report that you generate from the right-click menu retains the context of the report in which you right-clicked the
item. If the table item, list item, or graph you right-clicked is on a dashboard content block or traffic report for a
particular port, protocol, group, time period, etc., then the drill-down report is limited to those same attributes.
User interface
The main page in the appliance user interface is the Dashboard page. The Dashboard page displays high-level
summaries of activity on the monitored network.
The Dashboard page and all other top-level pages of the GUI include a header that displays the:

Alert level

Quick report box

User name under which the browser session is running
Additionally, there is a navigation bar listing the GUI pages that you can go to for detailed information, reports and
configuration settings. The privilege level of your user account determines which pages are available in the navigation
bar. Those with Administrator accounts can navigate to all pages. Those with other types of accounts can access the
pages appropriate to their roles. For a quick display of all available menu options, click the Riverbed logo.
The top-level sections available from the navigation bar include:

Home

Services

Reports

Behavior Analysis

Definitions

Configuration

System
Home pages
There are two home pages:

Dashboard - home page for monitoring the network

Navigate Network - starting point for diagnosing network problems from the perspective of interface
performance
Dashboard page
The Dashboard page enables you to monitor network performance using your choice of a wide assortment of real-time
displays of traffic flows, performance metrics and alert conditions. The appliance is shipped with two general-purpose
dashboards already defined:

Network Operations

Network Security (available when the optional security analytics module is installed and enabled)
You can customize these dashboards and create your own dashboards to focus on the information you find most useful.
You can:

Define end-to-end application delivery services and monitor their state of health and alert conditions.

Monitor traffic volumes and use the right-click menu to generate reports on traffic by any of numerous
attributes, including flows, hosts, applications, ports, protocols, QoS classes, users and interfaces.

Drill down to the level of packet analysis by accessing other Cascade devices directly from the right-click menu.
If you prefer to investigate problems from the perspective of the performance of links or interfaces on network devices,
go to the Home > Navigate Network page for a hierarchical view of all the network interfaces known to the Profiler.
There you can run reports on the performance of devices and interfaces.
The Dashboard page is highly customizable. You can create multiple customized versions and switch among them. The
Dashboard page has the following main components:

Navigation panel

Page controls

System messages

Statistics and events displays (content blocks)
The permissions associated with the user account determine the actions that can be taken on the Dashboard page.
Navigation panel
The dashboard navigation panel enables you to select a dashboard to display on the right side of the page. The option
menu (click the down-arrow in the title bar) provides features for creating new dashboards and managing existing
dashboards.
If the navigation panel is not visible, double-click or click-drag the hide/display control at the far left of the main
display area of the page.
Dashboards that are private to the user account are indicated by an icon representing a single person. Dashboards that
have been made public for all users are indicated by an icon representing a group of people.
Dashboard page controls
The menu in the title bar of the Dashboard navigation panel includes options for defining new dashboards and
managing existing dashboards.
Figure 1-2. Home > Dashboard page
The selections in the Dashboard Options drop-down menu in the main display area of the page allow you to customize
and manage the information content of the Dashboard page as follows:

Add Content Block – opens a wizard with which you can create a new display for the current page. You specify
the type of information you want to add by selecting a content block. You can specify the format in which it is to
be displayed, the specific kinds of data you want displayed, time spans it is to cover, and, for certain types of
displays, the data you want to use for comparisons. The wizard creates the content block and adds it to the page.

Paste Content Block – pastes a content block that you have copied from another dashboard. Each content block
has a menu button in the upper right corner that allows you to copy the block, edit the display specifications, or
delete the block. After you use the Copy choice on that menu, you can use the Paste Content Block choice on the
Dashboard Options menu to paste the block on to the currently-displayed dashboard or on to any other available
dashboard.

Copy Dashboard & Save As – saves a copy of the dashboard. You are prompted to enter a name for the saved
dashboard. This name is used to list the dashboard with the other available dashboards.

Edit Dashboard – opens a window in which you can edit the name and description of the dashboard and specify
whether it is available for other users (public) or will be listed only on your list of available pages (private).

Delete Dashboard – deletes the currently-displayed dashboard.
System messages
If the appliance includes a license for the security module and it is enabled on the Configuration > General Settings
page, then system messages are displayed on the Dashboard page when security-related status information changes.
These give a brief statement of security status and may include links to additional information.
You can dismiss system messages for the duration of your browser session. When you dismiss a system message, it
no longer appears on the Dashboard page but continues to be displayed on the System > Information page. When the
system message is no longer relevant, the appliance stops displaying it.
When there are more system messages than you want to dismiss individually, you can use the Dismiss All button to
dismiss them as a group. There are two exceptions to this. The “Welcome...” message and the “Profile data collection
is now complete...” messages must be dismissed individually.
Statistics and event displays
You can use the default dashboards as they are or modify them. They are private to your account, so changing yours
does not affect other users. Alternatively, you can copy a default dashboard and save it as a custom dashboard with a
new name, leaving the default dashboard as it was for future reference. You can also create a new dashboard and
populate it entirely with content of your own choosing.
The Dashboard page includes a wizard for creating the following types of content blocks:

Service Health - health of each service, overall and by individual service metric

Service Health by Location - health of each user location, overall and by service

Service Map - status and relationship of components and connections between components of a service

Top Talkers - traffic volumes for the most recent time period of interest

Watched Traffic - traffic you want to watch for the most recent time period of interest

Current and Unacknowledged Events - a quick view of what is currently happening on the network
Each type of content can be displayed in one or more of the following formats, depending on which type of data it is:

Table

Pie chart

Bar chart (vertical)

Bar chart (horizontal)

Line chart

Stacked area chart
When you display information in a table, you can select from a variety of types of data to display and include only the
columns of interest to you.
When creating a watched traffic content block, you can specify the position of high threshold and low threshold lines
on the traffic graph. This enables you to see at a glance if a value is unexpectedly high or low.
When you display a watched content block as a bar chart, you can also display a comparison with traffic from a
previous time span. When displaying applications as a bar chart, you can exclude unknown applications so that the
display scales to the known applications.
Dashboard page permissions
The following rules apply for viewing, modifying and navigating Dashboard pages.

When a user account is created, the account automatically includes two Dashboard pages: the Network
Operations Dashboard page and the Network Security Dashboard page. These are private to the account owner.

Those with Administrator and Operator accounts can create, modify and delete Dashboard pages and follow links
on Dashboard pages. Those with Monitor and Dashboard Viewer accounts cannot. They can only view
Dashboard pages. Those with Event Viewer accounts cannot view Dashboard pages.

Each Dashboard page is owned by the user account in which it was created. Only the owner can change a page,
delete a page, or set a page to be public or private.

A public page can be viewed by Administrators, Operators, Monitors, and Dashboard Viewers. It can be copied
and saved by Administrators and Operators, but not by Monitors and Dashboard Viewers.
Note: When a page is made public, it does not appear in the dashboards menu of other users until they make it
visible using the Manage pages option.
When a user account is deleted, all the private pages it owns are deleted. However, its public pages remain
available for other users to view and copy.
Navigate Network page
The Home > Navigate Network page provides an interface-oriented view of the network. It displays a wide variety of
reports about traffic flow collection devices, the devices from which they are collecting flow information, and the
interfaces of those devices. The main section of the page displays reports about the devices or interfaces you select in
the navigation panel on the left.
If the navigation panel is not visible, double-click or click-drag the hide/display control at the far left of the main
display area of the page.
The navigation panel displays expandable tree hierarchies of all devices and their interfaces known to the Profiler or
Express appliance. Hover the mouse pointer over a device or interface to display a popup message with information
about it. Left-click a device to run a Host Information report. Left-click an interface to run an Interface Information
report. Right-click any item in the tree for a menu of reports that you can run on that item.
Use the View box in the navigation panel to select the interface-oriented view of the network you wish to investigate.
There are three default views:

WAN - shows optimized and non-optimized WAN interfaces

Deployment - shows all other devices and interfaces known to the Profiler appliance

VXLAN - shows VTEPs (virtual tunnel endpoints) and virtual gateways and their physical interfaces
You can define your own views of the network based on attributes that are useful, such as geographic locations or
business units. You can define views and interface groups within views on the Definitions > Interface Groups page.
Other GUI pages
The Dashboard is the main page for monitoring the network. Typically, users start on the Dashboard page; go to other
pages as necessary to run reports, investigate events, change settings, or check status; and then return to the Dashboard
for routine monitoring.
The other GUI pages are described throughout the remainder of this guide. The controls, parameter fields and usage
procedures for all GUI pages that are accessible from the navigation bar are described in the online help system.
Some features are available only if the optional security analytics module is installed and enabled, as noted in the setup
section.
In summary, the GUI includes the following main pages:

Home pages - Dashboard and Navigate Network pages

Services - pages for defining services, running service reports, and managing service policies.

Reports - pages for creating, saving, and viewing reports and templates for reports.
–
Shortcuts - shortcuts for running traffic reports, security reports, and WAN optimization reports.
–
Traffic - provides tabs oriented towards generating reports on hosts, interfaces, and applications. Also
includes an advanced tab for more specific reporting on combinations of categories.
–
WAN Optimization - supports reporting on WAN optimization benefits and opportunities.
–
Top Talkers - generates reports of monitored categories of traffic (hosts, interfaces, applications, etc.) for a
specified time span.
–
Events - lists events and provides links to Event Detail reports.
Cascade Profiler and Cascade Express User’s Guide
17
Overview



–
Users - generates reports on user names and last login dates of users accessing the monitored network. (This
page is not displayed when user identity information is unavailable.)
–
Saved Reports - lists saved reports and report templates.
Behavior Analysis - pages for setting up event detection policies, alerting rules, and alert notifications.
–
Policies - sets parameters for service, application, performance, security, and user-defined policies and the
values controlling when events produce alert messages.
–
Notifications - specifies the destination addresses for email and SNMP notifications of alerts.
–
Events - lists event Detail reports.
Definitions - places hosts or ports into groups for simpler monitoring.
–
Applications - define custom applications by either fingerprints or mappings.
–
Host Groups - manages the grouping of hosts into named groups for ease of monitoring.
–
Interface Groups - allows aggregating interface statistics into groups for reporting and alerting.
–
Port Names - assigns names to ports for ease of tracking. This can be used to facilitate port grouping or to
define ports for other purposes.
–
Port Groups - defines collections of protocol/port specifications so that they can be tracked and reported as
named groups.
–
QoS - defines Quality of Service classes.
–
Sensors/Sharks & Steelheads - identifies sources of information.
–
WAN - defines the WAN by identifying its interfaces.
Configuration - after the appliance has been installed, use these pages to prepare for operational use.
– UI Preferences - controls the conventions used for displaying names, addresses, units of traffic measurement, date and time formats, and protocol/port sorting.
– Account Management - enables Administrators to create and modify user accounts; configures the appliance for RADIUS authentication and authorization of users who do not have accounts set up on the appliance.
– Change Password - changes your password. (This page is not displayed for Administrators, who edit passwords on the Accounts page.)
– Integration - pages for integrating the appliance with other network devices. This includes:
  – Vulnerability Scanning - configures vulnerability scanning to be performed automatically or manually.
  – External Links - configures the appliance for contacting other network devices for additional information about a host or user of interest.
  – Switch Port Discovery - identifies switches so that the appliance can determine which switch port a host is using.
  – API Access - specifies accounts that can access the appliance via the API.
  – Identity Sources - allows you to disable or delete the use of identity information from selected sources.
– Mitigation - configures the appliance to use network devices to mitigate attack traffic. This includes:
  – Plans and Actions - manage mitigation plans and actions.
  – Trusted Hosts - identify hosts whose traffic is not to be blocked.
  – Switching Setup - identify switches that can be used for blocking attack traffic.
  – Routing Setup - identify routers that can be used for blocking attack traffic.
– Flow Log - balances or reallocates disk storage space for optimum storage of flow information. Specifies the reporting time frames at which the appliance automatically switches from using one data resolution to using another data resolution.
– Profilers - (Express appliance only) identifies Profilers to which the Express can send traffic information.
– Security Profiles - defines the days and times for which the appliance develops traffic profiles for the security analytics.
– Licenses - manages feature and capacity licenses.
– General Settings - sets parameters necessary for the appliance to connect over the network with users, Sensors, DNS servers and email servers. Also sets parameters for sending to trap receivers and receiving flow data. Identifies addresses and address ranges to be tracked individually and what version of MIB browsing to support.
System - provides status information about the appliance, its data sources, and its users.
– Information - displays the status of this appliance.
– Devices/Interfaces - provides several views of information about network devices and device interfaces. In the tree view, you can view detailed information by rolling over an item with your mouse. In the Interface List and Device List views, you can review details about all devices known to the appliance. You can also label device interfaces for easier recognition in reports.
– Audit Trail - provides an audit trail of the appliance usage.
– Shutdown/Reboot - allows Administrators to reboot or shut down the appliance.
– Upgrade - assists with upgrading to future versions.
Getting help
The remainder of this guide describes the appliance primarily at the conceptual level. For detailed information about controls, parameter field formats, procedures, or technical considerations, refer to the online help system. This is available from the Help menu near the upper right-hand corner of all top-level GUI pages.
Additionally, all top-level GUI pages have links to the help system. All top-level pages are described under their names or functions in the help system. Refer to the help system table of contents, index, and search features.
CHAPTER 2
Configuration
This chapter describes configuring the Cascade Profiler and Cascade Express to be accessible on the network to
authorized users. It includes the following sections:
“Accessing the user interface,” next
“User interface preferences” on page 22
“Account Management” on page 24
“Integration” on page 30
“Mitigation” on page 30
“Flow log” on page 30
“Profilers (Express only)” on page 38
“Licenses (except Profiler-VE)” on page 40
“Licenses (Profiler-VE only)” on page 40
“General settings” on page 41
The appliance configuration tasks are assumed to be the responsibility of those with Administrator accounts. However,
users with Operator accounts can perform all the tasks described in this section except for managing user accounts.
Accessing the user interface
The appliance can be accessed using a web browser from anywhere on the network that has access to its address. The
user interface has been successfully tested using Firefox 3.6 through 8.1 and Microsoft Internet Explorer 7 and 8.
Internet Explorer 6 is no longer supported.
Logging in and out
To log in to the user interface
1. Ensure that your computer has network access to the management interface of the appliance.
2. Enter the IP address or DNS name of the appliance in your web browser using https.
3. Log in using the account name and password that were set up for you during the product installation.
If a user attempts to log in using incorrect passwords too many consecutive times, the appliance disables logins to the account for a specified time. This lockout is canceled if someone with an Administrator account assigns a new password to the account.
Logging out differs from simply closing the browser window in that it returns you to the log-in page. You can log out
as one user and log back in as another user without having to reestablish a browser session.
To log out of the user interface
Click the Logout button at the upper right side of the header. This terminates your current user session and returns you to the log-in page.
User interface preferences
The Configuration > UI Preferences page controls the display conventions that apply generally throughout the user
interface for a specific user. The page includes four sections: Data, Autocomplete, Date and Time Formatting, and
Miscellaneous.
Figure 2-1. Configuration > UI Preferences page
Data section
Host/Device Name Resolution – chooses one, both, or neither of the following options. Based on your knowledge of your environment (for example, host names changing as a result of a recent equipment redeployment, your DHCP server not yet integrated with the Profiler, etc.), you can choose the options that work the best for your reporting needs.
– Resolve host and device names – This option is available only if DNS, DHCP or SNMP name resolution has been enabled on the Configuration > General Settings page.
– Suppress DHCP/DNS/SNMP search domains () from resolved host and device names – This suppresses the display of the domain names for hosts in the search domain. If no search domain is specified in the Name Resolution section of the Configuration > General Settings page, then all resolved hosts are displayed by their fully qualified names.
Host group – which type of host group is to be displayed in event reports and traffic reports when the reports are set to display host group membership.
Protocol/Port Sort Options – which sorting order for protocols and ports to use on reports.
Data Unit – units in which statistics are displayed wherever traffic volume is displayed in terms of bandwidth; bytes or bits.
Percentage Displays on Reports – when to display percent-of-total numbers on reports.
Autocomplete section
In this section you can enable or disable automatic completion of entries in input fields by category. Categories include:
Hosts/Host Groups
Ports/Protocols/Port Groups
Devices/Interfaces/Device and Interface Groups
Applications
You can also clear the autocomplete cache.
Date and Time Formatting section
Date Style - convention for displaying days, months, and years.
Time Style - 12-hour or 24-hour time display.
Time Zone - the default time zone for your user account. This time zone is used for all time displays and time inputs except on pages:
– where it is overridden. You can specify a different time zone when scheduling a report, specifying a user-defined policy, or creating a new user account.
– where system time of the appliance is used. System time is used on the Configuration > Security Profiles page and the Configuration > Flow Log Storage page.
Note: You can select a time zone using the Continent/City convention, the Country/Zone convention, or the time zone abbreviation. However, to ensure that the selected time zone is automatically adjusted for summer and winter time changes, it is preferable to select it using the Continent/City convention instead of the Country/Zone convention or its abbreviation.
You can display the time zone either by its name or as an offset from UTC. This time zone selection applies to only
your user account. The appliance has its own system time zone setting.
Miscellaneous section
Non-interactive Connection Graph - selects whether connection graphs and service maps allow users to rearrange the layout by dragging and dropping elements of the display.
Color Palette - selects an alternate color scheme for graphs.
Refresh Rate - specifies the rate at which to refresh the data on the GUI pages. One to ten minutes. The default is once per minute, which is the lowest rate.
Print/Email - maximum number of rows for printed and emailed tables.
Packet Export from Sensor - the maximum size of the file used to export a tcpdump-style file for a packet analysis report from the Sensor.
Account Management
The Configuration > Account Management submenu has two options:
User Accounts
RADIUS Settings
ODBC DB Access
User Accounts
The Configuration > Account Management > User Accounts page allows those with Administrator privilege to add,
audit, edit, and delete user accounts and specify global settings affecting password requirements and login actions. This
page does not list users who can log in to the appliance by having an account on a configured RADIUS server, instead
of by having an account on the appliance.
Figure 2-2. Configuration > Account Management > User Accounts page
Account role permissions
To protect the security of the appliance, Administrators should provide users with accounts having the permissions appropriate to their task responsibilities. The appliance provides five user account roles:
Administrator - Administrators set up the appliance on the network, set up user accounts, monitor the appliance status and usage, and perform backup operations. A user with an Administrator account can access all appliance functionality. Only those with Administrator accounts can specify mitigation actions, view the user activities log, grant users the ability to run user reports, specify global account settings, manage user accounts, and set passwords other than their own.
Operator - Operators are responsible for the operational configuration of the appliance. This includes managing groups, alerting thresholds, event detection tuning, traffic reporting and event reporting. Operators can also modify the appliance network settings, allocate disk storage space for logs, and run vulnerability scans. However, they cannot specify mitigation actions, view the audit trail page, specify global account settings, or modify user accounts or other people's passwords.
Monitor - Monitors check the Dashboard page for new events or unexpected activity. They can run traffic reports and view all Reports pages. They can also view the appliance status page. The only settings pages that Monitors can change are UI Preferences and Change Password. Typically, a user with a Monitor account is in a network operations center. If a user is authenticated by a RADIUS server instead of by an account definition in the appliance database, the user is granted Monitor permission.
Dashboard Viewer - Dashboard viewers can log in and view the displays on the Dashboard page. They cannot navigate away from the Dashboard page except to go to the UI Preferences and Change Password pages. Additionally, right-click menus and reporting links are not active for Dashboard Viewer accounts.
Event Viewer - Event Viewers can use their login name and password to view an Event Detail report whose URL they have obtained from a network management system. They cannot take any actions on the event or navigate away from the Event Detail report.
Global account settings
User accounts are managed both globally and by user. Global account settings control password requirements and login actions that apply to all users (except where they can be exempted on individual accounts).
Figure 2-3. Configuration > Manage Accounts > User Accounts > Global Settings page
On the Configuration > Account Management > User Accounts page, a user logged into an Administrator account can
click Settings to display the Global Account Settings page. This page has three sections:
Password Requirements – specifies password length, case usage, and requirement for non-alphabetic characters. Specifies the number (from 1 to 16) of previous passwords the appliance should save and test to ensure that the user is not recycling a small set of passwords. Also specifies the lifespan of a password. When a password expires, the user is forced to change it upon their next login.
Login Settings – allows you to:
– Limit the number of user sessions to one per name/password combination.
– Require users of new accounts to change their password on their first login.
– Specify the number of consecutive failed login attempts the appliance allows before disabling logins for an account.
– Specify how long logins are disabled on an account after the allowed number of failed login attempts has been exceeded. If a user needs access before the lockout period has expired, the Administrator can edit the account profile to specify a new password for the account.
– Exempt the admin account from being locked out by repeated unsuccessful login attempts.
– Specify if the splash screen is dismissed automatically after 5 seconds, is displayed until the user clicks Acknowledge, or is not displayed.
– Specify the path to a splash screen, such as a company banner. The appliance uploads the file and saves it until it is overwritten by a subsequent splash screen file upload. This file can be up to 1 Megabyte in size.
– Add text to be displayed to a user before they log in, such as an appropriate use statement.
Inactivity Timeout – specifies how long an account can remain inactive before being automatically logged off.
– This global setting can be overridden by a shorter time set for an individual user account, but not by a longer time.
– When the appliance is in the Strict Security mode, this setting is automatically limited to no more than 10 minutes.
– The timeout can be overridden when the appliance is displaying the main pages used for monitoring the network.
Settings made on this page are linked to the settings made on the Configuration > Appliance Security > Password Security page.
Some of the settings on this page cannot be modified when the appliance is in the Strict Security mode.
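The lockout behaviour described for the login page and the Login Settings above, as an added example that is not Cascade code: a consecutive-failure limit, a timed lockout that rejects even a correct password, an optional exemption for the admin account, and an Administrator-assigned password cancelling the lockout. All class and function names, and the default attempt and lockout values, are assumptions made for the example.

```python
"""Account lockout as described for the Global Account Settings page.

Added example, not Cascade code: it models the documented behaviour
(a consecutive-failure limit, a timed lockout, an optional exemption
for the admin account, and an Administrator-assigned password
cancelling the lockout). All names and defaults are hypothetical.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os


@dataclass
class LoginPolicy:
    max_failed_attempts: int = 5   # constructed default; set on the Global Settings page
    lockout_seconds: int = 900     # constructed default; "how long logins are disabled"
    exempt_admin: bool = False     # "Exempt the admin account from being locked out"


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    consecutive_failures: int = 0
    locked_until: float = 0.0      # epoch seconds; 0 means not locked


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(name: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt))


class LoginService:
    def __init__(self, policy: LoginPolicy):
        self.policy = policy
        self.accounts: dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self.accounts[acct.name] = acct

    def is_locked(self, acct: Account, now: float) -> bool:
        return now < acct.locked_until

    def login(self, name: str, password: str, now: float) -> str:
        """Returns 'ok', 'failed', 'locked' or 'unknown'. A login page should
        show the same message for 'failed' and 'unknown' so that it does not
        reveal which account names exist."""
        acct = self.accounts.get(name)
        if acct is None:
            return "unknown"          # no local account; a RADIUS lookup would go here
        if self.is_locked(acct, now):
            return "locked"           # reject even a correct password while locked
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.consecutive_failures = 0
            return "ok"
        acct.consecutive_failures += 1
        exempt = self.policy.exempt_admin and name == "admin"
        if acct.consecutive_failures >= self.policy.max_failed_attempts and not exempt:
            acct.locked_until = now + self.policy.lockout_seconds
            acct.consecutive_failures = 0
            return "locked"
        return "failed"

    def admin_set_password(self, name: str, new_password: str) -> None:
        """An Administrator assigning a new password cancels the lockout."""
        acct = self.accounts[name]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.locked_until = 0.0
        acct.consecutive_failures = 0
```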
New accounts
Administrators create new accounts by clicking New on the Configuration > Accounts page. The New User Profile page has sections for specifying the user name, role, time zone and authentication method (local or by RADIUS). It also controls password characteristics. On this page you can exempt the user account from the strict password requirements that are defined on the Global Settings page. Additionally, you can grant the account permission to view user information where it appears in reports.
Security considerations
Administrators should consider the following when configuring the global account settings and creating user accounts:
Create an account having only the permission level appropriate to the user's responsibilities.
Follow your organization's guidelines for password composition and aging.
Use the lowest inactivity timeout value practical for the user role.
Require the user to change the password upon the first login.
Do not enable database access unless the user requires external access to the appliance traffic information database.
Do not enable User Reporting unless the user needs to identify other users by user name.
Figure 2-4. Configuration > Manage Accounts > User Accounts > New User Profile page
RADIUS Settings
The Cascade appliance authenticates users before logging them on. The primary means of authentication is the
Cascade appliance local database. If the Cascade appliance does not find account information for the user in its local
database, or if the user account specifies authentication by RADIUS, then the Cascade appliance connects to a
RADIUS server to authenticate the user.
Configuring the Cascade appliance to use RADIUS involves the following tasks (in any order):
Specify the IP address, port number, encryption protocol and shared secret of each RADIUS server that the Cascade appliance is to use for authenticating users.
Configure the global RADIUS settings that are to apply to all RADIUS servers that the Cascade appliance connects to.
Map Cascade user roles to RADIUS authorization attributes, if applicable.
Edit the user account profile of existing users that are to be authenticated by RADIUS.
Specify the inactivity timeout for users that are authorized by RADIUS.
RADIUS servers
You can specify multiple RADIUS servers on the Configuration > RADIUS page. The Cascade appliance tries to
connect to each RADIUS server in the order in which it is listed. It sends an authentication request to the first RADIUS
server it is able to connect to. The authentication requests include the information specified in the global RADIUS
settings.
Server entries can be enabled, disabled, edited, deleted, and tested.
Figure 2-5. Configuration > Manage Accounts > RADIUS Settings > RADIUS page RADIUS Servers tab
Global RADIUS settings
A RADIUS server sees the Cascade appliance as being a Network Access Server (NAS). You can specify if the
Cascade appliance is to send a NAS-Identifier or NAS-IP-Address with the authentication request. You can also
specify the number of seconds that the Cascade appliance waits for a connection attempt to succeed and the number
of times it tries to connect to the RADIUS server before moving on to the next server in the list.
The Global RADIUS Settings page is accessed by clicking Settings on the Configuration > Account Management >
RADIUS Settings > RADIUS page RADIUS Servers tab.
Figure 2-6. Global RADIUS Settings page
RADIUS role mapping
Users who do not have an account on the Cascade appliance must have both their authentication information (login name, password) and their authorization information (user role indicated by the value of the Class attribute or the Cascade-User-Role attribute) specified on the RADIUS server. The values of the RADIUS authorization attributes must be mapped to their corresponding user roles on the Cascade appliance. Refer to the online help system for guidance.
Figure 2-7. Configuration > Manage Accounts > RADIUS Settings > RADIUS page Role Mapping tab
Specifications for which type of authentication the Cascade appliance is to use and the inactivity timeout for a
RADIUS user are made on the Accounts pages.
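The RADIUS behaviour described in this section (servers tried in list order with a retry count from the global settings, the first server that answers treated as authoritative, NAS-Identifier or NAS-IP-Address included in the request, and the Class or Cascade-User-Role attribute mapped to a Cascade role, falling back to Monitor as the role descriptions state), as an added example that is not Cascade code. The User-Password hiding follows RFC 2865 section 5.2 with the shared secret; the transport callable, the role-mapping values and all names are assumptions made for the example.

```python
"""RADIUS server selection, User-Password hiding and role mapping.

Added example, not Cascade code. The transport callable is a hypothetical
stand-in for the UDP exchange; server addresses, the shared secret and the
role-mapping values are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import hashlib
import os


class RadiusTimeout(Exception):
    pass


@dataclass
class RadiusServer:
    host: str
    port: int
    secret: bytes
    enabled: bool
    transport: Callable[[dict], dict]   # hypothetical: sends a request, returns the reply


@dataclass
class GlobalRadiusSettings:
    retries: int = 2                    # connection attempts per server before moving on
    nas_identifier: Optional[str] = "cascade-appliance"   # constructed value
    nas_ip_address: Optional[str] = None


# Constructed mapping, as it would be entered on the Role Mapping tab.
ROLE_MAP: Dict[str, str] = {
    "cascade-admin": "Administrator",
    "cascade-operator": "Operator",
    "cascade-monitor": "Monitor",
}


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).
    This only hides the password from casual observation; it is not strong encryption,
    which is why RADIUS traffic belongs on a protected management network."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password (what the server does); padding NULs are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def map_role(attributes: Dict[str, str], role_map: Dict[str, str] = ROLE_MAP) -> str:
    """Cascade-User-Role wins over Class; an unmapped user gets Monitor."""
    for attr in ("Cascade-User-Role", "Class"):
        value = attributes.get(attr)
        if value in role_map:
            return role_map[value]
    return "Monitor"


def authenticate(servers: List[RadiusServer], settings: GlobalRadiusSettings,
                 username: str, password: str) -> Optional[dict]:
    """Returns {'server': host, 'role': role or None} from the first server that
    answers, or None if no enabled server answered within the retry budget."""
    for server in servers:
        if not server.enabled:
            continue
        authenticator = os.urandom(16)
        request = {
            "User-Name": username,
            "User-Password": hide_user_password(password.encode(), server.secret, authenticator),
            "Request-Authenticator": authenticator,
        }
        if settings.nas_identifier:
            request["NAS-Identifier"] = settings.nas_identifier
        if settings.nas_ip_address:
            request["NAS-IP-Address"] = settings.nas_ip_address
        for _ in range(settings.retries):
            try:
                reply = server.transport(request)
            except RadiusTimeout:
                continue                # retry this server, then move on
            if reply["code"] == "Access-Accept":
                return {"server": server.host, "role": map_role(reply.get("attributes", {}))}
            return {"server": server.host, "role": None}   # Access-Reject is final
    return None
```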
ODBC DB Access
The Configuration > Account Management > ODBC DB Access page lists user accounts that have been created for
accessing the internal database. These accounts are typically used by scripts or programs that other systems use to
retrieve information from the internal Profiler or Express database.
Use this page to delete an existing database user account or to add a new one.
When the Profiler or Express is in the Strict Security mode, database access is disabled and this page is not displayed.
Figure 2-8. Configuration > Account Management > ODBC DB Access page
Passwords
All users except Event Viewers and Administrators can change their own passwords on the Configuration > Change
Password page. Administrators can replace the password on any account by using the Configuration > Accounts > Edit
feature. Therefore, the Change Password page is not displayed on Administrator accounts.
Figure 2-9. Configuration > Change Password page
Integration
The integration features are accessed from the Configuration > Integration menu. Integration is described in Chapter
5, “Enterprise Integration.”
Mitigation
The mitigation features are accessed from the Configuration > Mitigation menu. Mitigation is described in Chapter 14,
“Mitigation.”
Flow log
The Configuration > Flow Log pages include two tabs:
Disk Allocation - specifies how the appliance uses disk space to store traffic flow data at various data resolutions. You can reallocate disk space usage. This tab also indicates when the storage space allocated to flow logs for a particular data resolution can be rebalanced to retain the information for a longer period of time.
Reporting - specifies the reporting time frames at which the appliance automatically switches from using one data resolution to using another data resolution.
Flow log disk space allocation
The Configuration > Flow Log page Disk Allocation tab displays how the appliance disk storage is being used to store
traffic flow information. The flow logs make it possible to quickly report on historical traffic flows with data
resolutions of 1 minute, 15 minutes, 1 hour, 6 hours, 1 day, 1 week, and 1 month. When viewing historical trends, you
can use a lower data resolution to view a longer time span conveniently. When investigating specific behavior, you can
use full resolution for the highest degree of accuracy.
Figure 2-10. Configuration > Flow Log page Disk Allocation tab
The tab displays the percent of total disk storage capacity that is allocated to the various flow logs and how long a
period of time the flow data for each data resolution can be retained, using the current allocation, before being
overwritten with newer data. By default, the appliance allocates over half its disk storage space to the highest resolution
flow logs, which contain all the data that is available from the flow data sources. It allocates the remaining disk space
among the flow logs for the other data resolutions.
You can modify this allocation. For example, if you do not anticipate wanting to run reports for time spans of more
than the past two years, then you might want to reduce the allocation for the flow logs with 1-month and 1-week data
resolutions, and reallocate that space to the logs for 15-minute data resolution. This will allow the appliance to store a
longer history of data with a 15-minute resolution.
Flow log disk space balancing
The flow log for each data resolution contains information about all network behavior that the appliance tracks. For
example, the flow log for reporting with 15-minute data resolution contains traffic statistics for each host pair,
interface, etc. during each 15-minute interval that the log covers. It also contains information about each application,
port, and protocol in use during each 15-minute interval it covers.
Depending on the characteristics of your network, the appliance may need more storage space for one attribute of
network behavior, such as host pair traffic, than for another attribute, such as interfaces.
The length of time that a flow log can cover is limited to the disk space required for storing the attribute that requires
the most space. So the retention times displayed on the Disk Allocation tab depend on the balance among the many
types of information the flow logs are storing.
The appliance monitors how well the space allocated to each flow log is being utilized. When it finds that some types
of information are consuming much less or much more disk space than other types, it notifies you that it can increase
the retention time of the log by rebalancing how the log's disk space allocation is being used.
Rebalancing a flow log does not affect the amount of disk space allocated to the log. It just optimizes the use of the
allocated space based on the behavior of your network. This allows you to get a longer retention time out of the same
amount of disk space.
If the balance of activities on your network changes over time, the appliance detects this and notifies you that flow logs
should be rebalanced.
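The retention and rebalancing rules described in the two sections above, as an added example that is not Cascade code: a log's retention is bounded by the attribute that needs the most space, rebalancing the shares inside a log lengthens retention without changing the disk allocated to it, and reallocating moves space between logs (the 1-month to 15-minute move from the text). Disk size, attribute rates and all names are constructed for the example; the appliance's real storage format is not known.

```python
"""Flow log retention, rebalancing and reallocation.

Added example, not Cascade code. Rates and sizes are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass
class FlowLog:
    resolution: str
    allocation: float                # fraction of total disk given to this log
    shares: Dict[str, float]         # fraction of the log's space reserved per attribute
    daily_rates: Dict[str, float]    # observed bytes/day written per attribute


def retention_days(log: FlowLog, disk_bytes: float) -> float:
    """Days until the fastest-filling attribute wraps; that attribute bounds the whole log."""
    space = log.allocation * disk_bytes
    return min(space * log.shares[a] / log.daily_rates[a] for a in log.daily_rates)


def rebalanced_shares(log: FlowLog) -> Dict[str, float]:
    """Give each attribute a share proportional to its rate, so all attributes wrap together."""
    total = sum(log.daily_rates.values())
    return {a: r / total for a, r in log.daily_rates.items()}


def rebalance_gain(log: FlowLog, disk_bytes: float) -> Tuple[float, float]:
    """Retention (days) before and after rebalancing; the allocation is unchanged."""
    before = retention_days(log, disk_bytes)
    after = retention_days(replace(log, shares=rebalanced_shares(log)), disk_bytes)
    return before, after


def needs_rebalance(log: FlowLog, disk_bytes: float, threshold: float = 0.10) -> bool:
    """The notification condition: rebalancing would lengthen retention by more than threshold."""
    before, after = rebalance_gain(log, disk_bytes)
    return after > before * (1 + threshold)


def reallocate(logs: Dict[str, FlowLog], from_res: str, to_res: str,
               fraction: float) -> Dict[str, FlowLog]:
    """Move a fraction of total disk from one log to another."""
    if fraction < 0 or logs[from_res].allocation < fraction:
        raise ValueError("cannot move more space than the source log holds")
    new = dict(logs)
    new[from_res] = replace(logs[from_res], allocation=logs[from_res].allocation - fraction)
    new[to_res] = replace(logs[to_res], allocation=logs[to_res].allocation + fraction)
    return new


# Constructed sample: a 10 TB disk; the 15-minute log has equal shares although
# host-pair data arrives ten times faster than interface data.
DISK_BYTES = 10e12
SAMPLE_LOGS = {
    "15-minute": FlowLog("15-minute", 0.20,
                         {"host_pair": 1 / 3, "interface": 1 / 3, "application": 1 / 3},
                         {"host_pair": 20e9, "interface": 2e9, "application": 3e9}),
    "1-month": FlowLog("1-month", 0.10,
                       {"host_pair": 1 / 3, "interface": 1 / 3, "application": 1 / 3},
                       {"host_pair": 0.5e9, "interface": 0.05e9, "application": 0.1e9}),
}
```

With the sample values the 15-minute log retains about 33 days before rebalancing and 80 days after, on the same 20 percent of the disk.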
Reporting time frames
The Configuration > Flow Log page Reporting tab allows you to customize the automatic data resolution feature.
When you specify a traffic report, the Data resolution box in the Report Criteria section of the report page has a dropdown list box that lists all the data resolution intervals that are available. It also has a choice for automatic data
resolution. When you choose automatic, the appliance uses the data resolution that corresponds to the time frame of
the report. This correspondence is specified on the Configuration > Flow Log page Reporting tab.
Figure 2-11. Configuration > Flow Log page Reporting tab
Packet capture (Express 460 only)
The Express 460 includes packet capture and packet export features. You can define capture jobs and export packet
capture (pcap) files just as you would on a Cascade Shark appliance. The packet capture files can be analyzed by
Wireshark or Cascade Pilot software. Additionally, the Cascade Pilot can connect to the Express 460 just as it would
connect to a Cascade Shark. It cannot access the Express 460 web user interface and define capture jobs. But otherwise,
the Express 460 performs the same capture functions as the Shark.
Use the Configuration > Packet Capture page to add, edit, start, stop, view, clear and remove capture jobs and to export
packet capture (pcap) files for analysis.
Figure 2-12. Configuration > Packet Capture page
Adding a capture job
To add a capture job,
1. Go to the Configuration > Packet Capture page and click Add New Job.
2. On the Add New Job page, enter a name for the capture job.
3. Select the network interface that is seeing the traffic that the job is to capture. The Interface list box identifies all
interfaces that are available. See the note below for an explanation of network monitoring interface naming.
Figure 2-13. Configuration > Packet Capture > Add Capture Job page
4. If desired, specify a BPF filter. A BPF filter can select a subset of network traffic for capturing. For example, the filter src host 192.168.43.17 captures only packets with a source address of 192.168.43.17. Leave this box empty to capture all packets. You can find more information on BPF filters at http://wiki.wireshark.org/CaptureFilters.
A filter specified in this section applies to only the capture job. It does not filter the traffic that the Express 460
reports on the reporting pages.
5. Specify the maximum number of bytes of each packet to capture. Specify 65535 to capture the entire packet.
6. Select the Start new job immediately option to place the job into the Running state as soon as you click Save at
the bottom of the page. Deselect this option if you want to start the job manually.
The status of a new capture job is shown as Stopped until the job is started. Once you start it, its status is Running.
You can delay the start of a capture job by specifying a start time on the Start/Stop tab.
7. Click Save to accept the default data retention and start/stop settings and start the capture job. Alternatively, adjust
the settings and then click Save. See the notes below about Data Retention and Start/Stop settings.
Monitoring network interface naming
The physical interfaces for monitoring the network are named based on the location of the connectors they use on the
Express 460 chassis. The names and positions of all monitoring interface connectors are indicated on a sticker on the
top of the chassis.
The four built-in copper interfaces are named mon0_0, mon0_1, mon0_2 and mon0_3. If your Express 460 also has a
4-port fiber network interface card, those interfaces are named mon1_0, mon1_1, mon1_2 and mon1_3 if the card is
in traffic monitoring Slot 1.
Additionally, there are virtual interfaces. All the traffic from physical interfaces mon0_0, mon0_1, mon0_2 and
mon0_3 is aggregated into one virtual interface named mon_tcap.
If your Express 460 has a 4-port fiber network interface card, the traffic from this card is aggregated into two virtual
interfaces. For example, the traffic from mon1_0 and mon1_1 is aggregated into mon_bap_1_0-1_1. The traffic from
mon1_2-1_3 is aggregated into mon_bap_1_2-1_3.
Additionally, the tc_tcap virtual interface is the aggregation of all physical interface traffic.
All physical and virtual monitoring interfaces are listed on the Interfaces drop-down list in the Capture Settings section
of the page. You can define a capture job to use any individual (physical) or aggregate (virtual) interface in the list.
Data Retention tab
The Packet Data section of the Data Retention tab specifies the limits of captured packet storage in terms of size,
percent of disk space, number of packets, and seconds of data. When the most constraining limit is met, the oldest data
is discarded to make space for the newest data. Changing the packet capture storage settings on this page has no effect
on the settings for flow data storage specified on the Configuration > Flow Log page.
The Microflow Indexing section of the tab specifies limits for the storage of Microflow indexes. Microflow Indexing
captures summary information about conversations between devices on the network. This information is all that is
needed by the Cascade Pilot software to calculate many of the View metrics that describe the traffic stream. Because
it is already in summary form, processing of Microflow Indexing data for View metrics is very fast.
If you will be connecting to the Express 460 from Pilot, enable Microflow indexing. If you will be using the Express
460 packet capture feature only to export pcap files, disable Microflow indexing to reduce the processing load on the
system.
Enabling Microflow indexing on the Data Retention tab disables the Start/Stop tab. Refer to the Cascade Pilot
documentation for more information about Microflow indexing.
Start/Stop tab
The Start/Stop tab specifies the starting time and stop time of the capture job using the MM/DD/YYYY HH:MM:SS
format to specify times that are local for your web browser session. You can also specify stop criteria in terms of the
Microflow index file size, the percent of disk space consumed, the number of packets saved to packet storage, or the
number of seconds of packet data that have been saved. The capture job stops when the stop time or any of the stop
rule criteria are met.
Cascade Profiler and Cascade Express User’s Guide
Managing capture jobs
Once a capture job has been created, it can be started, stopped, viewed, edited, cleared and removed on the
Configuration > Packet Capture page. Which operations are available on the Packet Capture page depends on whether
the job is running or stopped.
Figure 2-14. Configuration > Packet Capture page
Operations on a Running capture job
The status of a capture job can be Running or Stopped. A job that is running can be viewed or stopped, but not edited,
cleared or removed. To view a running job, click either the name of the job or the View button. This opens the Job
Details page.
The Job Details page displays the capture settings and also the statistics for the capture job at the time you opened the
page. The statistics include:
• Start and end time of the job (Start Packets and End Packets respectively)
• Current size of the capture job on the disk
• Current size of the Microflow Index file on the disk (if enabled)
• Number of packets captured in the last second, last minute and last hour
• Number of packets dropped if the Express 460 could not capture all of them
The Job Details page for a running job cannot be edited. Only the Packet Export tab is active.
Operations on a Stopped capture job
A job that is stopped can be started, edited, cleared or removed. To edit a stopped job, click either the name of the job
or the Edit button. This opens the Job Details page.
The Job Details page displays the capture settings and also the statistics for the capture job at the time you opened the
page. All the fields are active, so you can edit the capture settings, retention settings and start/stop settings. You can
also export the packet capture to a pcap file.
A stopped job can be cleared or removed by clicking the Clear or Remove button on the Configuration > Packet
Capture page. The Clear operation deletes all the capture data, but leaves the capture job available in the job list to be
started again. The Remove operation deletes the capture data and also deletes the definition of the capture job. The job
is deleted from the job list and no longer available.
Exporting a packet capture file
Data from a capture job can be exported to a pcap file from the Job Details page of either a running job or a stopped job.
Packet data can also be exported from a report by using the right-click menu. Refer to “Analyzing packet information
with Cascade Pilot” in Chapter 13, “Reporting” for information about exporting data about specific traffic flows to
pcap files.
Figure 2-15. Configuration > Packet Capture > View - Running Job Details page
To export capture job data to a pcap file,
1. Go to the Configuration > Packet Capture page and select the capture job.
2. Select the Packet Export tab.
3. Specify the start and end of the export. See the notes below.
4. Specify the export file format and time stamp resolution. See the notes below.
5. Click either Prepare Export URL or Download Packets Now. See the notes below.
Figure 2-16. Configuration > Packet Capture > View - Stopped Job Details page
Figure 2-17. Exporting Packet Capture files
Start Export
From Beginning of Job - The export starts with the earliest data available in the capture job.
From Start Time - Specify a time that is local to the web browser session you are using to access the page. The note
under this field displays the offset from UTC time.
End Export
End of Job - If the job is stopped, then the export ends with the last data available when the job was stopped. If the
job is still running, then the export ends at the present time.
At End time - Specify a time that is local to the web browser session you are using to access the page. The note under
this field displays the offset from UTC time.
After - The export includes only enough data to reach the specified byte or packet count.
Export File Format and Timestamp Resolution
If you will analyze the file with Pilot or Wireshark, select the format you want to export. If you will analyze the file
with other software, use the default setting of pcap (microsecond).
Prepare Export URL
Click this button to display a URL from which the pcap file can be downloaded.
Download Packets Now
Click this button to download the pcap file to your local machine.
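Before handing an exported file to other tooling it is worth confirming that it really is a classic pcap file and which timestamp resolution it carries, because the microsecond and nanosecond variants differ only in the magic number and a tool that assumes one will misread the other's timestamps. The following Python is an added example, not code from this guide or from Riverbed: it parses the libpcap global header and each record header, distinguishes the two magic values, bounds every record length before trusting it, and counts records that were cut at the snaplen. The sample file it builds is constructed inline and is not an appliance export.

```python
import struct
from dataclasses import dataclass

# Classic libpcap global-header magic numbers. The first four bytes of the file give
# the writer's byte order and whether timestamps carry microseconds or nanoseconds.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
}
GLOBAL_HEADER_LEN = 24   # magic + version + tz + sigfigs + snaplen + linktype
RECORD_HEADER_LEN = 16   # ts_sec + ts_frac + incl_len + orig_len


@dataclass
class PcapSummary:
    resolution: str   # "microsecond" or "nanosecond"
    linktype: int     # 1 == Ethernet
    snaplen: int
    packets: int
    truncated: int    # records whose captured bytes are fewer than the original frame
    first_ts: float   # seconds since the Unix epoch
    last_ts: float


def is_classic_pcap(data: bytes) -> bool:
    """True for the libpcap format the appliance exports; pcapng starts 0a 0d 0d 0a."""
    return len(data) >= GLOBAL_HEADER_LEN and data[:4] in MAGICS


def summarize_pcap(data: bytes) -> PcapSummary:
    """Walk the file once, validating every record header before trusting its lengths."""
    if not is_classic_pcap(data):
        raise ValueError(f"not a classic pcap file (first bytes {data[:4].hex()})")
    order, divisor = MAGICS[data[:4]]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    if (major, minor) != (2, 4):
        raise ValueError(f"unexpected pcap version {major}.{minor}")

    off, packets, truncated = GLOBAL_HEADER_LEN, 0, 0
    first_ts = last_ts = 0.0
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        # A corrupt or hostile file can claim any length; bound it by the snaplen and
        # by the bytes actually present instead of reading past the end.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"bad captured length {incl_len} at offset {off - RECORD_HEADER_LEN}")
        ts = ts_sec + ts_frac / divisor
        if packets == 0:
            first_ts = ts
        last_ts = ts
        packets += 1
        if incl_len < orig_len:
            truncated += 1
        off += incl_len
    return PcapSummary("microsecond" if divisor == 1_000_000 else "nanosecond",
                       linktype, snaplen, packets, truncated, first_ts, last_ts)


def build_sample_pcap(resolution: str = "microsecond") -> bytes:
    """Constructed sample file (not an appliance export): two Ethernet records, the
    second one cut at a 96-byte snaplen, written little-endian."""
    magic = b"\xd4\xc3\xb2\xa1" if resolution == "microsecond" else b"\x4d\x3c\xb2\xa1"
    snaplen = 96
    header = magic + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, 1)
    frame1 = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 46    # 60-byte frame
    rec1 = struct.pack("<IIII", 1_360_000_000, 500_000, len(frame1), len(frame1)) + frame1
    frame2 = bytes.fromhex("001122334455aabbccddeeff0800") + b"\x00" * 186   # 200-byte frame
    rec2 = struct.pack("<IIII", 1_360_000_001, 250_000, snaplen, len(frame2)) + frame2[:snaplen]
    return header + rec1 + rec2


if __name__ == "__main__":
    for res in ("microsecond", "nanosecond"):
        print(res, summarize_pcap(build_sample_pcap(res)))
```

Run it against a real export by reading the file into `data` and calling `summarize_pcap(data)`; a mismatch between the resolution reported here and the format you selected on the Packet Export tab, or a non-zero `truncated` count when you expected full frames, is worth resolving before the file is used as evidence.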
Profilers (Express only)
The Configuration > Profilers page lists Profiler or Express appliances to which the Express you are logged into can
send information. The Express sends only information that it has developed from inputs it has received, and does not
pass through any unprocessed information.
The Cascade Express can receive:
• Processed traffic information from Cascade Sensors
• Processed flow data from Cascade Gateways
• Network traffic from taps or mirror ports
• Flow data from routers and switches
In addition to monitoring and reporting this data to its users, the Express can also send certain types of data to one or
two other Express or Profiler appliances that are identified on the Configuration > Profilers page. It can send them:
• Traffic statistics that it develops from monitoring the network from taps or mirror ports.
• Aggregated, de-duplicated and encrypted flow data that it produces from the flow data being sent to it from routers
and switches.
The Express does not forward raw, unprocessed flow data (such as NetFlow) to other destinations. Also, it does not
forward information that it receives from other Cascade devices, such as Sensors and Gateways. To have another
Express or Profiler receive information from Sensors or Gateways, configure the Sensors or Gateways to send their
information directly to the destination Profiler or Express.
Figure 2-18. Express Configuration > Profilers page
Licenses (except Profiler-VE)
The Profiler and Express require feature licenses and capacity licenses. Licenses for basic features are included with
the software. Other licenses must be downloaded from the Riverbed licensing web site. All downloaded licenses are
listed on the Configuration > Licenses page.
Figure 2-19. Configuration > Licenses page
For each license, the Configuration > Licenses page lists the license key, license description, installation date and
status. A status of red indicates that the license is not valid. Yellow indicates that the license will expire within 10 days.
Hover the mouse pointer over the status indicator to see the expiration date.
The Enable automatic license download from Riverbed option allows the appliance to automatically connect to the
Riverbed licensing web site and download the licenses that are assigned to it. It downloads licenses at the time it is
installed and then checks for any new licenses once per day thereafter while this option is enabled.
The Fetch Updates Now button causes the appliance to immediately connect to the Riverbed licensing web site and
download any new licenses that you have purchased.
If the appliance does not have Internet connectivity, then you must log in to the Riverbed licensing web site, generate
the license keys, and manually enter them into the list of licenses. The Add License(s) button is for manually entering
license keys that you get from the Riverbed licensing web site.
If you purchase and download a license for a higher capacity than a current license, the appliance uses the license with
the higher capacity.
To delete an obsolete or invalid license, select the check box for the entry and click Delete Selected. This does not
affect the status of the license on the licensing web site.
The licensing web site provides the flexibility to assign different feature and capacity licenses to different appliances.
You can ship appliances to remote locations without concern for which appliance is to have which license. When you
have the serial numbers and know where the appliances are deployed in the network, you can make the license
assignments on the Riverbed licensing web site.
When all the appliances are to be licensed for the same features and capacities, the licensing web site handles this
automatically. The appliances can automatically download their licenses without your needing to visit the licensing
web site.
For instructions for generating and downloading license keys, refer to the on line help system or to the Profiler,
Express, Sensor and Gateway Installation Guide.
Licenses (Profiler-VE only)
The Profiler-VE requires feature licenses and capacity licenses. Licenses for basic features are included with the
software. Other licenses must be downloaded from the Riverbed licensing web site. All downloaded licenses are listed
on the Configuration > Licenses page.
Figure 2-20. Profiler-VE Configuration > Licenses page
To activate a license, you enter a token that you receive when you purchase the license. The Profiler-VE generates a
license activation code. You enter this code on the Riverbed licensing website and it generates a license key. You enter
the license key on this page to activate the license. For detailed licensing instructions, refer to the on line help system
or to the Profiler-VE Software Installation Guide.
For each license, the Configuration > Licenses page lists the license key, license description, installation date and
status. A status of red indicates that the license is not valid. Yellow indicates that the license will expire within 10 days.
Hover the mouse pointer over the status indicator to see the expiration date.
If you purchase and download a license for a higher capacity than a current license, the appliance uses the license with
the higher capacity.
To delete an obsolete or invalid license, select the check box for the entry and click Delete Selected. This does not
affect the status of the license on the licensing web site.
General settings
The Configuration > General Settings page includes controls for setting up:
• Management Interface Configuration
• Name Resolution
• Aux Interface Configuration (Express only)
• Static Routes (Express only)
• Monitor Interface Configuration (Express only)
• Packet Deduplication (Express only)
• VoIP Metrics (Express 460 only)
• Time Configuration
• Data Sources (Express only)
• SNMP MIB Configuration
• Outgoing Mail Server (for alerts and reports sent by the appliance)
• Inside Address Configuration
• Security Module Configuration
• Report Data Management
• Service Management
Changing settings on this page requires an Administrator or Operator account. Changes you make on the Configuration
> General Settings page take effect when you click Configure now at the bottom of the page.
Note: If someone were to misconfigure the management interface settings, the appliance would become unreachable and it would
be necessary to reinstall the software in order to access it. If other parameters were misconfigured, the appliance might not monitor
traffic and send alerts correctly. It is important to the operation of the appliance for the settings on the General Settings page to be
correct.
Note: If you deploy a Sensor on the same subnetwork as the appliance, and if an intruder can place an unauthorized device on that
subnetwork, then a security risk may exist. Refer to Appendix C, “Securing the Environment.” for a description of securing the
appliance against this type of risk.
Management Interface Configuration
The management interface configuration specifies the name and address of the Profiler or Express appliance. (For the
Enterprise Profiler, this is the address of the UI Module.) You can specify the speed, duplex mode, or auto-negotiate
mode. When you click Configure Now, these values are set into the management interface. Additionally, the current
status of management link is displayed.
Figure 2-21. Management Interface Configuration section of the Configuration > General Settings page
Name Resolution
This section determines how host names and network device names are resolved when Resolve host and device
names is enabled in the Data section of the Configuration > UI Preferences page.
Figure 2-22. Name Resolution section of the Configuration > General Settings page
Search domains
When the Profiler or Express appliance looks up the address of a host name that does not include a domain name, it
appends a specified domain name to the host name in order to construct a fully qualified domain name and perform the
search. You can specify multiple search domains as a comma-separated list. The Profiler tries to resolve the host name
using each domain in the search list in the order in which it appears in the list. For example, assume that you specified
a comma-separated list of domain names, such as:
newcompany.com,emea.newcompany.com,oldcompany.com
Also, assume that you specified “finance_1” in a report criteria field that accepts host names. The appliance would
append the first search domain in the list and use finance_1.newcompany.com in a lookup. Then it would append the
second domain in the list to the host name and use finance_1.emea.newcompany.com in another lookup, and so on. It
would attempt to find the address by looking up the host name and a fully qualified domain name based on each domain
in the search list.
If a host name is registered in more than one domain, the appliance uses the first IP address it obtains. Therefore, it is
best to enter the list of search domains with the most preferred domain first.
DNS servers
Specify the addresses of the DNS servers that the Profiler or Express appliance accesses to look up the host name
associated with an IP address or the IP address associated with a host name. Leaving the primary and secondary DNS
server address fields blank disables the use of DNS.
This section enables DNS name resolution in general. Name resolution can be enabled or disabled for hosts and
network devices separately in their respective sections.
Edit /etc/hosts - opens an editor for modifying the hosts file. This file includes address-name assignments required by
the appliance, which are not editable, and address-name assignments that are user-defined. Assignments that you
define in the /etc/hosts file take precedence over DNS lookups, so review them whenever a host is labeled unexpectedly.
They are not affected by configuration changes. DNS name resolution must be enabled for this feature to be available.
Host name resolution
Enable DNS name resolution for hosts - Enables DNS name resolution for hosts and sets limits to protect your DNS
server from excessive traffic loads. You can limit the number of host lookups that the Profiler appliance requests at one
time. For example, if you specify that the Profiler is to resolve no more than 1000 hosts at a time, then it will send 1000
DNS lookup requests and wait for all 1000 to be answered or timed out before sending the next thousand.
You can also limit the number of lookups for any one table, graph or list on a report. If the number of hosts in any one
table, graph or list exceeds the specified limit, then all hosts beyond the limit are reported by their addresses instead
of by their host names. This setting applies to Reports pages and the Host Groups page.
Enable DHCP name resolution for hosts managed by DHCP - Enables name resolution for hosts managed by
DHCP. When this option is selected, the appliance looks for the name assignment in its local DHCP data records. This
requires DHCP integration to have been configured.
If both the DNS and DHCP options are selected, then the Profiler first looks in its DHCP data records before
performing a DNS lookup.
When it finds the name of the host, it displays the host name on GUI pages that list hosts. It also displays the domain
to which the host belongs, unless you have selected the Suppress DHCP/DNS search domains option in the Data
section of the Configuration > UI Preferences page.
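The lookup order described above has a security consequence: a stale /etc/hosts entry, or a record of the same short name in an earlier search domain, silently shadows the record you intended, and every report row for that address is then labeled with the wrong host. The following Python is an added example, not code from this guide or from Riverbed; it models the search-domain walk, the /etc/hosts precedence, the DHCP-before-DNS order for reverse lookups, the per-table lookup limit and the suppress-domain display option so the effect of each setting can be seen on constructed data. All names and addresses in it are assumptions for the example.

```python
from typing import Dict, Iterable, List, Optional

# Constructed stand-ins for the appliance's inputs. The names and addresses below
# are assumptions made for this example, not data from the guide.
HOSTS_FILE: Dict[str, str] = {      # user-defined /etc/hosts entries (win over DNS)
    "finance_1": "10.1.1.10",
}
DHCP_RECORDS: Dict[str, str] = {    # local DHCP lease data (consulted before DNS)
    "10.2.2.50": "laptop-42.emea.newcompany.com",
}
DNS_FORWARD: Dict[str, str] = {     # a toy forward zone: FQDN -> address
    "finance_1.emea.newcompany.com": "10.2.0.10",
    "finance_1.oldcompany.com": "192.0.2.10",
    "db01.newcompany.com": "10.1.5.20",
}
DNS_REVERSE: Dict[str, str] = {addr: name for name, addr in DNS_FORWARD.items()}
SEARCH_DOMAINS = ["newcompany.com", "emea.newcompany.com", "oldcompany.com"]


def dns_lookup(fqdn: str) -> Optional[str]:
    """Stand-in for a forward DNS query against the configured servers."""
    return DNS_FORWARD.get(fqdn.rstrip("."))


def resolve_name(name: str, search_domains: List[str],
                 hosts: Dict[str, str] = HOSTS_FILE) -> Optional[str]:
    """Forward resolution as the guide describes it: an /etc/hosts entry wins outright;
    otherwise an unqualified name is tried once per search domain, in list order, and
    the first answer is returned, so a later domain can be shadowed by an earlier one."""
    if name in hosts:
        return hosts[name]
    if "." in name:                       # already qualified: query it as given
        return dns_lookup(name)
    for domain in search_domains:
        addr = dns_lookup(f"{name}.{domain}")
        if addr is not None:
            return addr
    return None


def resolve_address(addr: str, use_dhcp: bool, use_dns: bool,
                    suppress_domain: bool = False) -> str:
    """Reverse resolution for report display: DHCP records first, then DNS, and the
    bare address when neither knows the host."""
    name: Optional[str] = None
    if use_dhcp:
        name = DHCP_RECORDS.get(addr)
    if name is None and use_dns:
        name = DNS_REVERSE.get(addr)
    if name is None:
        return addr
    return name.split(".", 1)[0] if suppress_domain else name


def label_hosts(addrs: Iterable[str], per_table_limit: int, **flags) -> List[str]:
    """Only the first per_table_limit hosts of a table are resolved; the rest are shown
    by address, which is how the appliance caps lookups per table, graph or list."""
    return [resolve_address(a, **flags) if i < per_table_limit else a
            for i, a in enumerate(addrs)]


if __name__ == "__main__":
    print(resolve_name("finance_1", SEARCH_DOMAINS))            # hosts-file entry wins
    print(resolve_name("finance_1", SEARCH_DOMAINS, hosts={}))  # first search domain with a record
    print(label_hosts(["10.2.2.50", "10.2.0.10", "10.9.9.9"], 2, use_dhcp=True, use_dns=True))
```

Swapping `oldcompany.com` to the front of the search list changes the answer for `finance_1` from the EMEA host to the legacy one, which is the shadowing case the guide warns about; put the domain you trust most first and keep /etc/hosts overrides to a minimum.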
Network device name resolution
Enable SNMP name resolution for devices - Allows the Profiler or Express appliance to use SNMP to obtain the
names of network devices that are sending traffic information to it. This requires SNMP polling to be configured.
Enable DNS name resolution for devices - Enables DNS name resolution for network devices and specifies how often
the cache containing the DNS names for network devices is refreshed. Additionally, the following conditions cause
the cache to be cleared and rebuilt:
• Enabling or disabling DNS name resolution globally in the Host name resolution section.
• Modifying the search domains setting.
• Modifying the primary or secondary DNS server addresses.
• Using the Edit /etc/hosts button to edit the /etc/hosts file.
• Clicking the Clear device DNS cache button.
Precedence - If both SNMP and DNS name resolution for network devices are enabled, you can select which takes
precedence over the other.
Aux Interface Configuration (Express only)
The Configuration > General Settings page Aux interface configuration section allows the Express to use both the
Management and Aux interfaces for processing traffic flow information (NetFlow, sFlow, Packeteer FDR, etc.) and
control information (user sessions, network services and communication with other Cascade devices).
The processing of traffic flow information on these two interfaces can be limited by the Data Sources section of the
page. The Data Sources section can be set to allow or not allow flow data protocols on the Aux interface or the
Management interface or both interfaces. The option to block flow data from being processed on the management
interface enables the Express appliance to support configurations that require network data and network management
functions to be handled by separate subnets for security purposes.
When the Aux interface is enabled, it uses the same incoming connection security requirements as the management
interface, except for protocols used for flow information (NetFlow, sFlow, Packeteer FDR, etc.).
If the flow data forwarding feature is used when the Aux interface and Management interface are configured on
separate subnets, the default behavior is to forward flow data using the interface that is on the same subnet as the
destination address. If the destination address is not on either subnet, the flow data packets are sent to the default
gateway. This default configuration can be overridden by specifying static routes.
Figure 2-23. Aux Interface Configuration section of the Configuration > General Settings page
Configuring interfaces for separate data and control networks
The procedure for setting up separate network data and network control interfaces on the Express appliance assumes
that:
• There are two separate networks with non-overlapping IP addresses.
• The Express appliance management interface is already connected and the web GUI is accessible.
The general procedure is to:
1. Connect the network for the flow information (NetFlow, sFlow, Packeteer FDR, etc.) to the Aux port of the Express
chassis.
2. Go to the Configuration > General Settings page Aux interface configuration section. Enable the Configure AUX
Interface option and set the IP address, netmask, and interface speed, as required.
3. In the Data Sources section of the page, allow receiving flow protocol traffic on the Aux interface and not on the
Management interface, and enable the flow protocols you want the Express appliance to receive.
4. If you need to override the default configuration, go to the Static Routes section of the page and configure any
necessary static routes.
5. Configure the flow exporting devices to send flow data to the Aux interface address instead of the Management
interface address.
Configuring a single interface for data and control
If the Management and Aux interfaces are already set up and working for split operation and you want to switch to
having both network data and network control traffic on the same subnet, the general procedure is as follows:
1. Go to the Configuration > General Settings page Aux interface configuration section and deselect the Configure
AUX Interface option. This disables the Aux interface.
2. In the Data Sources section of the page, set the Allow on interface selection to allow receiving flow protocols on
the Management interface.
3. If any static routes were added for the configuration that used separate networks for data and control, remove them
in the Static Routes section of the page.
4. Configure flow exporting devices to send flow data to the Management interface address instead of the Aux
interface address.
Static Routes (Express only)
If there are multiple subnets on the Aux interface network, or if you need to use a gateway router other than the default
gateway, it may be necessary to define static routes. Use the Static Routes section of the Configuration > General
Settings page to specify static routes as necessary.
Figure 2-24. Static Routes section of the Configuration > General Settings page
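The forwarding rule for a split configuration (on-link subnet first, otherwise the default gateway, unless a static route says otherwise) decides which side of the appliance flow data leaves on, and getting it wrong sends collector traffic out of the management interface that the split was meant to keep separate. The following Python is an added example, not code from this guide or from Riverbed; it implements that egress decision with longest-prefix matching for static routes and checks the non-overlapping-subnet assumption the procedure above relies on. The interface addresses, gateway and routes in it are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Interface:
    name: str
    network: IPv4Net          # subnet the interface sits on, e.g. 10.10.0.0/24


@dataclass(frozen=True)
class StaticRoute:
    destination: IPv4Net
    gateway: IPv4Addr
    interface: str


@dataclass(frozen=True)
class Egress:
    interface: str
    next_hop: IPv4Addr        # the destination itself when it is on-link
    reason: str


# Constructed split configuration (assumed values, not from the guide): management
# and Aux on different subnets, one extra subnet reachable behind the Aux gateway.
MGMT = Interface("mgmt", IPv4Net("10.10.0.5/24", strict=False))
AUX = Interface("aux", IPv4Net("172.16.50.5/24", strict=False))
DEFAULT_GW = IPv4Addr("10.10.0.1")
STATIC_ROUTES = [StaticRoute(IPv4Net("172.16.60.0/24"), IPv4Addr("172.16.50.1"), "aux")]


def overlapping_interfaces(interfaces: List[Interface]) -> List[Tuple[str, str]]:
    """The split-interface procedure assumes non-overlapping subnets; report violations."""
    pairs = []
    for i, a in enumerate(interfaces):
        for b in interfaces[i + 1:]:
            if a.network.overlaps(b.network):
                pairs.append((a.name, b.name))
    return pairs


def choose_egress(dest: str, interfaces: List[Interface],
                  static_routes: List[StaticRoute], default_gw: IPv4Addr) -> Egress:
    """Interface and next hop for a forwarded flow-data packet, in the order the guide
    describes: a static route (most specific prefix first) overrides the default
    behaviour; otherwise the interface whose subnet contains the destination is used;
    otherwise the packet goes to the default gateway."""
    ip = IPv4Addr(dest)
    matches = [r for r in static_routes if ip in r.destination]
    if matches:
        best = max(matches, key=lambda r: r.destination.prefixlen)
        return Egress(best.interface, best.gateway, f"static route {best.destination}")
    for iface in interfaces:
        if ip in iface.network:
            return Egress(iface.name, ip, f"on-link {iface.network}")
    gw_iface = next((i for i in interfaces if default_gw in i.network), None)
    if gw_iface is None:
        raise ValueError(f"default gateway {default_gw} is not on any configured subnet")
    return Egress(gw_iface.name, default_gw, "default gateway")


if __name__ == "__main__":
    print(overlapping_interfaces([MGMT, AUX]))
    for dest in ("172.16.50.20", "10.10.0.77", "172.16.60.9", "192.0.2.40"):
        print(dest, choose_egress(dest, [MGMT, AUX], STATIC_ROUTES, DEFAULT_GW))
    # Without the static route the 172.16.60.0/24 collector is reached through the
    # management side instead of the Aux side:
    print(choose_egress("172.16.60.9", [MGMT, AUX], [], DEFAULT_GW))
```

The last call shows why step 4 of the split procedure matters: a collector on a second Aux-side subnet is not on-link, so without a static route its flow data would leave via the management interface and the default gateway.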
Monitor Interface Configuration (Express only)
If your Express is not a flow-monitoring-only model, then the network monitoring ports, which are labeled Mon0 and
Mon1, must be configured for the speed of the tap or mirror ports they use on the monitored network.
Figure 2-25. Monitor Interface section of the Configuration > General Settings page (Express Only)
Packet Deduplication (Express only)
If the Express is receiving traffic from more than one source in the same network, it may see some of the same packets
more than one time. This can impact the accuracy of reports. For example, duplicated packets can cause over-counting,
and duplicated packets that contain TCP SYNs can interfere with the measurement of performance metrics, such as
RTT.
There can be many causes of packet duplication in a network, and there can be several effects on the accuracy of
reporting by the Express. If you believe that your network configuration might cause the Express to see duplicated
packets, you should enable packet deduplication.
Packet deduplication consumes Express resources and can impact its performance on a busy network. So if your
network configuration does not artificially introduce duplicated packets, it may be desirable to deselect the packet
deduplication option.
Figure 2-26. Packet Deduplication section of the Configuration > General Settings page (Express Only)
VoIP Metrics (Express 460 only)
The Express 460 can compute VoIP and RTP metrics based on the network traffic it monitors. Select this option to
compute metrics for traffic received on all network monitoring interfaces. If you do not need voice quality metrics, you
can leave this option deselected to conserve system resources.
Figure 2-27. VoIP Metrics section of the Configuration > General Settings page (Express 460 Only)
Time Configuration
The Time Configuration section of the Configuration > General Settings page sets the time zone and specifies the time
reference used for timekeeping in the appliance.
• Time Zone – sets the time zone in which the appliance itself is operating.
• Synchronize to an external NTP server – specifies NTP servers the appliance should use as timing sources. If
the first server specified is unreachable, the appliance attempts to use the second one.
The connection to the NTP server can be authenticated with a SHA1 or MD5 key, or left unauthenticated. (The page
labels this setting "encryption", but NTP symmetric-key authentication only lets the appliance verify that time
messages come from a holder of the shared key; it does not conceal them.) For an authenticated connection, obtain
the key and its key index (ID) from the person who is responsible for controlling the domain's authoritative time
server. Because alerts, reports and packet captures are timestamped by this clock, an unauthenticated time source
is a weak point for anyone relying on that evidence.
If the appliance is to be operated in the FIPS 140-2 Compatible Cryptography mode, the NTP server connection
must use SHA1 authentication.
Note: When the appliance is switched to the FIPS 140-2 Compatible Cryptography mode, any NTP servers that are currently
configured to use MD5 authentication are disconnected without notification to the user.
• Use local clock – selects the internal clock as the time reference for timekeeping in the appliance. To use the local
clock, click Set System Time and edit the time and date as necessary.
The time configuration is not applied until you click Configure Now at the bottom of the page.
Figure 2-28. Time Configuration section of the Configuration > General Settings page
Data Sources (Cascade Express only)
The appliance can be configured to receive traffic flow information from devices using NetFlow (versions 1, 5, 7 and
9), IPFIX, sFlow (versions 2, 4 and 5), and Packeteer (versions 1 and 2). You can specify one or more ports in a
comma-separated list for each type of flow data, up to a combined total of 50 ports.
It can also receive network application classification information from Sensor and Packeteer devices. This allows
tracking and reporting of application access and usage.
When the Express is configured to use the Aux and Management interfaces on separate networks, use the Allow on
interface option to control which interface is to receive traffic flow data.
Figure 2-29. Data Sources section of the Configuration > General Settings page
SNMP MIB Configuration
The appliance MIB can be browsed by external applications and devices. Express supports browsing by SNMP
version 1, 2c and 3 clients, but can support only one type of client at a time. To support SNMP v1 or v2c clients, fill
out the Location, Description, Contact, and Community fields. To support SNMP v3 clients, fill out the authentication
and optional privacy information fields instead of the Community field. A v1/v2c community string travels in
cleartext with every request and is the only credential a client needs, so prefer v3 with both authentication and
privacy wherever the browsing application supports it.
Figure 2-30. SNMP MIB Configuration section of the Configuration > General Settings page
Authentication and Privacy Fields
• Username - SNMP security name (the USM user) that the application attempting to browse the appliance MIB
must use.
• Authentication passphrase - String from which the authentication key is derived; the application attempting to
browse the appliance MIB must be configured with the same passphrase to authenticate itself to the appliance.
• Authentication protocol - Keyed-hash algorithm used to authenticate each SNMP v3 message. This can be MD5 or
SHA. The passphrase itself is never transmitted; both sides derive a key from it and check a message digest.
• Privacy passphrase - String from which the privacy (encryption) key is derived; the application attempting to
browse the appliance MIB must use the same passphrase.
• Privacy protocol - Cipher used to encrypt the SNMP v3 message payload. The appliance uses DES at this time. DES
has a 56-bit key and is weak by current standards, so keep SNMP access limited to the management network.
Outgoing Mail Server (SMTP) Settings
This section specifies the IP address or name and port number of the mail server that the appliance uses when it sends
email with alert notifications or reports. You can also specify a “from” address so that the email is accepted by the
mail server and by any firewall or mail filter that checks the sender.
The appliance supports mail server authentication. To use this, click Use name and password. Then enter the user
name and password that the appliance is to use to gain access to the mail server. Use an account dedicated to the
appliance rather than a person's mailbox credentials.
Figure 2-31. Outgoing Mail Server (SMTP) Settings section of the Configuration > General Settings page
Inside Address Configuration
The inside address specification is used by the host group tracking functions and by the security analytics. Host groups
contain only assets within your network. To enable grouping of hosts within your network, you specify all address
ranges used inside your network (any prefix length from /32 to /0). This includes your public IP address space and all
reserved address space you use internally (such as the RFC 1918 private ranges). Addresses that are not included in
this list are not valid in host group definitions.
The security analytics compare current network behavior to profiles of typical network behavior. Because the security
analytics focus on what is happening inside your network, internal addresses are tracked individually in the internal
security database. However, external addresses are by default tracked in blocks of /8 within the internal security
database to conserve system resources.
The inside address specification provides for tracking hosts individually within the security profile. It has no effect on
address tracking and reporting for Performance and Availability analytics. All hosts seen or reported to the Profiler or
Express are tracked individually and stored in flow logs for real time and historical reporting, regardless of the inside
address specification. The inside address specification affects only which hosts can be included in host groups and
which hosts are tracked individually in the internal security database.
Figure 2-32. Inside Address Configuration section of the Configuration > General Settings page
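An incomplete inside-address list has two quiet effects: hosts in the forgotten range are rejected from host groups, and the security analytics fold them into /8 buckets with the rest of the Internet, so their behaviour is never profiled individually. The following Python is an added example, not code from this guide or from Riverbed; it classifies addresses against an inside list the way the text describes, derives the tracking key the security database would use, flags host-group ranges the list does not cover, and shows how many distinct external hosts collapse into each /8 bucket. The inside ranges and sample addresses are assumed values, with the public block drawn from the documentation prefixes.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed inside-address list (assumed values, not from the guide): the
# organisation's public block plus the RFC 1918 private ranges.
INSIDE_RANGES: List[ipaddress.IPv4Network] = [ipaddress.IPv4Network(p) for p in (
    "198.51.100.0/24",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
)]


def is_inside(addr: str, inside: List[ipaddress.IPv4Network] = INSIDE_RANGES) -> bool:
    """True when the address falls in any configured inside range."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in inside)


def security_tracking_key(addr: str,
                          inside: List[ipaddress.IPv4Network] = INSIDE_RANGES) -> str:
    """Key the security database tracks the host under: the full address for an inside
    host, the enclosing /8 block for an external one (the guide's default block size)."""
    ip = ipaddress.IPv4Address(addr)
    if is_inside(addr, inside):
        return str(ip)
    return str(ipaddress.IPv4Network(f"{ip}/8", strict=False))


def invalid_host_group_ranges(group_ranges: Iterable[str],
                              inside: List[ipaddress.IPv4Network] = INSIDE_RANGES) -> List[str]:
    """Ranges of a host-group definition that the inside list does not cover. For
    simplicity this example requires each range to sit within a single inside prefix."""
    bad = []
    for r in group_ranges:
        net = ipaddress.IPv4Network(r, strict=False)
        if not any(net.subnet_of(i) for i in inside):
            bad.append(r)
    return bad


def external_buckets(addrs: Iterable[str],
                     inside: List[ipaddress.IPv4Network] = INSIDE_RANGES) -> Dict[str, int]:
    """Distinct external hosts per /8 bucket: what the security profile sees instead of
    individual hosts for everything outside the inside list."""
    seen: Dict[str, Set[str]] = {}
    for a in addrs:
        if not is_inside(a, inside):
            seen.setdefault(security_tracking_key(a, inside), set()).add(a)
    return {bucket: len(hosts) for bucket, hosts in seen.items()}


if __name__ == "__main__":
    # Constructed observations: two inside hosts, three external ones.
    observed = ["10.4.5.6", "198.51.100.7", "8.8.8.8", "8.8.4.4", "1.1.1.1"]
    print([security_tracking_key(a) for a in observed])
    print(external_buckets(observed))
    print(invalid_host_group_ranges(["10.1.0.0/16", "203.0.113.0/24", "198.51.100.128/25"]))
```

Running `invalid_host_group_ranges` over a proposed host-group definition before saving it, and `external_buckets` over a sample of addresses from a recent report, quickly shows whether a public block or a branch subnet has been left out of the inside list.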
Security Module Configuration
If the appliance is equipped with the optional security analytics module, the General Settings page will include the
Security Module Configuration section. This provides a check box for enabling and disabling the module.
Figure 2-33. Security Module Configuration section of the Configuration > General Settings page
When the security analytics module is disabled or not installed, the following security-related features are not
displayed:
• Network Security Dashboard
• Behavior Analysis > Policies page Security tab
• Reports > Shortcuts page Built-in tab Executive Event Summary
• Reports > Traffic page Advanced tab “Typical behavior” option in the Report Format section
• Reports > Events page “Security” check box in the Triggering policies section
• Configuration > Mitigation
• Configuration > Security Profiles
• Configuration > Integration > Vulnerability Scanning
Report Data Management
Select a check box in this section if you expect to be adding statistics to reports after you run them. Otherwise, leave
the check box deselected for faster reporting.
Figure 2-34. Report Data Management section of the Configuration > General Settings page
When these check boxes are not selected
When you run a report, the appliance collects just the data necessary to display the statistics specified in the template
for the report. This includes the data for the statistics that are displayed and also any data needed to derive those
statistics.
You can modify the report to include additional statistics, such as by using the Column Chooser tool to add a column
to a table. If the statistic that you add is one of those that was already collected for use in deriving a statistic that is
displayed, then it will be displayed immediately. If it is not, then you must refresh the report for the appliance to collect
more data and display the new statistic.
When a check box is selected
When you run a report, the appliance collects data for every statistic that can be displayed on the report. This consumes
more system resources and requires more time for the report display initially. But if you make modifications to the
report, it enables you to see the results of your modifications more quickly.
Service Management
The end-user component of a service is tracked and reported by location. This enables you to examine performance
metrics by location and isolate a problem to a location. In order to perform by-location tracking and reporting, the
Profiler or Express must know the location of each member of the end-user component of the service. It determines
the location of an end user by checking the end user's IP address against the IP addresses defined for the groups in the
group type that is selected in the Service Management section of the Configuration > General Settings page.
Figure 2-35. Service Management section of the Configuration > General Settings page
The default selection is the ByLocation group type. If you want to use the ByLocation group type for determining how
end user components are tracked and reported, then ensure that the groups of that group type associate IP addresses
with the locations you want to track.
If you have a large network, it may be desirable to track and report end users by region, rather than by individual
location. In this case, you may prefer to create a ByRegion group type for managing services. In this new group type
you might define regional groups instead of using smaller geographical locations.
The group type selection you make on the Configuration > General Settings page is applied to all service definitions.
It determines how end-user service components are grouped on dashboards and reports. You should choose this group
type carefully because historical data for services will be lost if you must change the group type later.
CHAPTER 3
Monitoring Services
This chapter describes Cascade Profiler and Cascade Express service monitoring features. It includes the following
sections:
- “Overview,” next
- “Service dashboard” on page 51
- “Managing services” on page 66
Overview
The Cascade Profiler and Cascade Express appliances define a service as all clients, servers, applications and ports
involved in the end-to-end delivery of a network service. A service is composed of one or more service segments that
can be monitored, reported and alerted on individually.
Each service segment comprises a client component, a server component, and the applications and ports in use between
them. The components are groups of user or server machines. The applications and ports in use between components
are treated as connections.
Information about services can be displayed on the dashboard or in the service reports. As part of defining a service,
you can select performance metrics to be monitored for the service. This automatically creates policies that can detect
and alert on excessive changes in the values of the monitored metrics.
Alerts are displayed on the service dashboard and in service reports. Service reports also indicate trends and provide
comparisons and summaries.
Service dashboard
The appliance includes a default Service dashboard with content blocks for displaying the health of services. However,
you must define the services your network provides before their performance metrics can be monitored and displayed
on the dashboard.
The appliance is shipped with a default service dashboard that contains content blocks for displaying the status of
services.
After your services are defined, you can monitor their performance on a default or custom dashboard. Service health is
displayed in three types of content blocks:
Figure 3-1. Service Dashboard
- Service Health - service health by metric category
- Service Health by Location - service health by user location
- Service Map - service components and the applications and ports in use between them
The content blocks display information as soon as at least one service has been defined and set to monitor at least one
service metric. The Service Health and Service Health by Location content blocks display the status of the service.
After a service is selected in the content block wizard, the Service Map content block displays the relationships among
the service components of that service.
Service Health content block
The Service Health content block displays the health of each of the following categories of metrics for each service:
- Connect - Connectivity
- UserExp - User Experience
- Effncy - Efficiency
Each metric category represents the state of the metrics that it comprises. When you define a service, you select which
of these metrics are to be monitored for the service. You might monitor only a few, or you might monitor all of them.
When you create a Service Health content block (Dashboard Options > Add Content Block), you can limit the display
to selected services and/or locations. If the content block is not displaying all services for all locations, then a funnel
icon is displayed on the title bar. You can hover the mouse over this to see a list of which services for which service
locations are being displayed.
The health of the metric category (green, yellow, red) indicates the health of the least healthy metric in the category.
So a green (normal) indication for a metric category means that all the metrics in that category that are being monitored
for the service are in normal health. If any one of those metrics were in an alert state (yellow or red), then the metric
category indicator would also display that condition.
Similarly, the Overall indicator displays the health status of the least healthy metric category. So if any one metric in
any one of the metric categories is in an alert condition, this is displayed by the Overall indicator. Note that the Overall
column indicates the overall health of just the services that are shown in the content block. If the definition of the
content block filters out services or locations, these are not included in the status indicated by the Overall indicator.
Each service shown on the service tree can be expanded to show the status of each of its service segments. The service
segment that includes the end users of the service can be further expanded to show the status of each service location
group.
Figure 3-2. Service Health content block
Service Health by Location content block
The Service Health by Location content block provides a view of the health of services by location-based group. Part
of defining a service is specifying the IP addresses or CIDR blocks of addresses of the end users of the service. All
user addresses are specified as end user components of the front end service segments.
This same set of end user IP addresses must also be broken into location-based host groups, using the Definitions >
Host Groups pages.
By default, the Service Health by Location content block reports location groups of the ByLocation group type.
However, you can create a new group type (such as “ByRegion”) and populate it with location groups. Remember to
ensure that this group type is selected in the Service Management section of the Configuration > General Settings page.
The Service Health by Location content block displays the location-based groups that you have defined. For each
location group, it displays health status indicators for each service that has end users in that location. It also displays
an Overall indicator.
When you create a Service Health by Location content block (Dashboard Options > Add Content Block), you can limit
the display to selected services and/or locations. If the content block is not displaying all services for all locations, then
a funnel icon is displayed on the title bar. You can hover the mouse over this to see a list of which services for which
service locations are being displayed.
Each location group can be expanded to display the Connectivity, User Experience and Efficiency metric categories.
When you define a service, you select which of these metrics are to be monitored for the service. You might monitor
only a few, or you might monitor all of them.
The health of the metric category (green, yellow, red) indicates the health of the least healthy metric in the category.
So a green (normal) indication for a metric category for a particular service means that all the metrics in that category
that are being monitored for the service are in normal health. If any one of those metrics were in an alert state (yellow
or red), then the indicator for the metric category for that service would also display that condition.
Similarly, the Overall indicator displays the health status of the least healthy service. So if any one service in one of
the service locations is in an alert condition, this is displayed by the Overall indicator. Note that the Overall column
indicates the overall health of just the services that are shown in the content block. If the definition of the content block
filters out services or locations, these are not included in the status indicated by the Overall indicator.
Figure 3-3. Service Health by Location content block
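The least-healthy-wins rollup that the Service Health and Service Health by Location content blocks describe, together with the end-user IP to location group lookup that the Service Management setting relies on, as an added Python example (not Riverbed code; the flat metric-state records, the location group CIDR blocks and the longest-prefix rule for overlapping groups are my assumptions):

```python
"""Added example (not Riverbed code): health rollup for the Service Health
and Service Health by Location content blocks, plus the end-user IP to
location group lookup that the Service Management setting relies on.
Assumptions (mine): metric states arrive as flat records, and where two
location groups overlap the longest prefix wins."""
import ipaddress
from collections import defaultdict

SEVERITY = {"green": 0, "yellow": 1, "red": 2}
COLOR = {code: name for name, code in SEVERITY.items()}

# Constructed groups of a hypothetical ByLocation group type.
LOCATION_GROUPS = {
    "Boston": ["10.1.0.0/16"],
    "Boston-Lab": ["10.1.200.0/24"],
    "London": ["10.2.0.0/16", "192.0.2.0/24"],
}

# Constructed metric states: (service, segment, location, category, metric, state).
SAMPLE_METRICS = [
    ("CRM", "Web", "Boston", "Connect", "Conn Rate", "green"),
    ("CRM", "Web", "Boston", "UserExp", "Resp Time", "yellow"),
    ("CRM", "Web", "London", "Connect", "Conn Rate", "red"),
    ("CRM", "Web", "Boston", "Effncy", "Retrans", "green"),
    ("Mail", "Web", "Boston", "UserExp", "Resp Time", "green"),
]


def location_of(ip, groups=LOCATION_GROUPS):
    """Return the location group whose CIDR block contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidrs in groups.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def worst(states):
    """Least healthy state wins; None (gray) when nothing is monitored yet."""
    states = list(states)
    return COLOR[max(SEVERITY[s] for s in states)] if states else None


def _filter(metrics, services, locations):
    """Apply the content block's optional service and location filters."""
    return [m for m in metrics
            if (services is None or m[0] in services)
            and (locations is None or m[2] in locations)]


def _categories(states_by_category):
    """Per-category health plus the service's Overall indicator."""
    health = {cat: worst(states) for cat, states in states_by_category.items()}
    health["Overall"] = worst(health.values())
    return health


def service_health(metrics, services=None, locations=None):
    """Service Health block: {service: {category: state, 'Overall': state}}."""
    tree = defaultdict(lambda: defaultdict(list))
    for svc, _seg, _loc, cat, _metric, state in _filter(metrics, services, locations):
        tree[svc][cat].append(state)
    return {svc: _categories(cats) for svc, cats in tree.items()}


def health_by_location(metrics, services=None, locations=None):
    """Service Health by Location block: {location: {service: {...}, 'Overall': state}}."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for svc, _seg, loc, cat, _metric, state in _filter(metrics, services, locations):
        tree[loc][svc][cat].append(state)
    result = {}
    for loc, svcs in tree.items():
        entry = {svc: _categories(cats) for svc, cats in svcs.items()}
        # Overall for a location is the least healthy service shown there;
        # services filtered out of the block never reach this rollup.
        entry["Overall"] = worst(e["Overall"] for e in entry.values())
        result[loc] = entry
    return result


if __name__ == "__main__":
    print(location_of("10.1.200.7"))              # Boston-Lab (longest prefix)
    print(service_health(SAMPLE_METRICS)["CRM"])  # Overall red, from London Connect
    print(health_by_location(SAMPLE_METRICS, locations={"Boston"})["Boston"]["Overall"])  # yellow
```

Filtering the block to Boston drops the London metric, so the same CRM service rolls up to yellow instead of red, which is the caveat the guide gives about the Overall column reflecting only what the block shows.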
Service Map content block
A service map illustrates the relationships between the components of the network that are delivering the service and
the connections between them. Services are monitored in terms of service segments, which are used for monitoring,
reporting and alerting. A service segment is defined by a client component, a server component, and the applications
and ports in use between them.
Service segments are displayed on a service map. Each segment is displayed with a label that identifies it. You can
right-click a component or an application/port connection between two components for a menu of reporting options.
The line representing the applications and ports in use between two components can be displayed in color. Lines are
green to indicate normal traffic between components. They are red to indicate high alert levels or yellow to indicate
medium alert levels.
All lines are gray until enough data has been collected to determine their health status. If health monitoring is not
configured, and on reports that do not include health status, the lines are black. You can display the service map in
several layout formats and adjust the layout by dragging and dropping components.
Service maps are available on the Dashboard page and in service reports. When you save, print or email a report that
contains a service map, the display includes any zooming, panning, scaling, or layout modifications that you have
made. The display can be either embedded in the email or attached as a PDF file. The display remains scaled and retains
your layout modifications.
Figure 3-4. Service Map
Service reports
Service reports provide high-level and detailed views of the performance of network services. The following service
reports can be run from the Services > Reports menu or from the Reports > Shortcuts page:
- Overall Performance Report - presents a high-level view of how well all monitored services are performing.
- Service Performance Report - reports how well a service or a sub-component of a service has performed. This
shows the current trends of the service and provides historical information about how the service performed over
a specified time such as a week, month, quarter or year.
- Service Incident Report - shows the performance of a service or sub-component of a service over a short
duration of time. This is useful for quickly determining why a dashboard traffic light indicator is green, yellow or
red.
- Location Performance Report - shows the health of a location, the health of services that include the location,
and the health of front end segments for these services. This report provides quick indications of why a traffic
indicator is green, yellow or red, when problems occurred, and for which components.
- Location Incident Report - indicates how well a location has performed across all services over a specific time
range. This report shows current trends in the location as well as performance over time. This is useful for a
high-level view, such as for end-of-quarter reports.
Overall Performance Report
The Overall Performance Report displays comparisons, trends, and summaries by alert conditions by service for the
current or previous week, month, quarter or year. It has four sections:
- Report Criteria - Expand the Report Criteria section to choose a time frame for the report and to specify if the
report format is to include breakdowns for all services.
- Summary - The Overall Service Health section indicates the percent of the time frame of the report that the
services spent in Normal, Low Alert, and High Alert operation. The Service Health by <time> section displays
this information by smaller units of time than the time frame of the report for which data is available. For
example, the report for a week displays the performance for each day.
- Trends - The Trends section displays and lists the percent of the time frame of the report that each service has
been in normal or alert conditions. It lists the five best-performing services and the five worst-performing
services. For a report on a service listed in the table, right-click the name of the service and choose which report
to run. For additional detail, you can add columns to the table from a column chooser tool.
- Service Breakdown - If this section is enabled in the Report Criteria section, it displays the performance for all
services. If you have many services, you can limit the length of the table by choosing Change Number of Rows
from the menu for this section. For additional detail, you can add columns to the table from a column chooser
tool.
Figure 3-5. Overall Performance Report
Service Performance Report
The Service Performance Report indicates how well a service or a sub-component of a service has performed. This
shows the current trends of the service and provides historical information about how the service performed over a
specified time such as a week, month, quarter or year.
The Service Performance Report has three sections:
- Report Criteria
- Summary
- Service Breakdown
All sections have menus for actions that can be performed on the section.
Report Criteria
The Report Criteria section allows you to select a service, service segment, location, metric category, or metric to
report on. You can also limit the report to a time frame and location or metric. The section includes the following
subsections:
- Select Service Policy - an expandable and collapsible tree diagram of service, service segment, location, metric
category, and metric policies.
- Report on - sets the time frame of the report.
- Additional Traffic Criteria - provides lists for limiting the report to a selected location and a selected metric
category.
- Report Format - determines whether the report includes a Service Breakdown section.
Summary of Events
The Summary of Events section of the report includes:
- Service Summary - this table shows the following values for the time frame of the report:
  - Percent of time the system is available, which is defined as Normal health status.
  - Number of events that occurred.
  - Average duration of the events.
  - Duration of the worst event.
  - Element of the service that caused the most events.
- Service Map - a graphical representation of the service.
- Service Health Breakdown - percentage of time that the service was in Normal, Low Alert, or High Alert
operation.
- Service Health Breakdown by <time> - percentage of time that the service was in normal or alert conditions,
broken out by smaller units of time than the time frame of the report. For example, the report for a week displays
the performance for each day for which data is available.
- Number of Events per <time> - number of events that occurred, broken out by smaller units of time than the
time frame of the report. For example, the report for a week displays the performance for each day for which data
is available.
- Average Event Duration by <time> - the average duration of events broken out by smaller units of time than the
time frame of the report.
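The Service Summary table and the Service Health Breakdown figures above, computed from a list of alert events, as an added Python example (not Riverbed code; the event record layout, the rule that the higher alert level counts where events overlap, and the use of full rather than clipped durations in the summary are my assumptions):

```python
"""Added example (not Riverbed code): the Service Summary and Service Health
Breakdown figures of a Service Performance Report computed from a list of
events. Assumptions (mine): an event record carries its element, alert level,
start time and duration; where events overlap, the higher alert level counts;
and the summary uses each event's full duration, not the part inside the frame."""
from collections import Counter
from datetime import datetime, timedelta

LEVEL = {"Normal": 0, "Low": 1, "High": 2}

# Constructed report time frame (two days) and constructed events.
FRAME_START = datetime(2013, 2, 4)
FRAME_END = datetime(2013, 2, 6)
SAMPLE_EVENTS = [
    {"id": 101, "element": "Web segment", "level": "Low",
     "start": datetime(2013, 2, 4, 1), "duration": timedelta(hours=2)},
    {"id": 102, "element": "Web segment", "level": "High",
     "start": datetime(2013, 2, 4, 2), "duration": timedelta(hours=2)},
    {"id": 103, "element": "AppDB segment", "level": "Low",
     "start": datetime(2013, 2, 5, 23), "duration": timedelta(hours=3)},
    # Ended before the time frame began, so it must not be counted.
    {"id": 100, "element": "Web segment", "level": "High",
     "start": datetime(2013, 2, 3, 22), "duration": timedelta(hours=1)},
]


def active_events(events, start, end):
    """Events that were active at any point inside [start, end)."""
    return [e for e in events
            if e["start"] < end and e["start"] + e["duration"] > start]


def health_breakdown(events, start, end):
    """Percent of [start, end) spent in Normal, Low Alert and High Alert."""
    clipped = []
    for e in active_events(events, start, end):
        s = max(e["start"], start)
        t = min(e["start"] + e["duration"], end)
        clipped.append((s, t, LEVEL[e["level"]]))
    # Sweep over every boundary; each slice takes the highest level active in it.
    bounds = sorted({start, end} | {b for s, t, _ in clipped for b in (s, t)})
    seconds = Counter()
    for a, b in zip(bounds, bounds[1:]):
        level = max((lv for s, t, lv in clipped if s <= a and b <= t), default=0)
        seconds[level] += (b - a).total_seconds()
    total = (end - start).total_seconds()
    return {name: round(100 * seconds[code] / total, 2) for name, code in LEVEL.items()}


def service_summary(events, start, end):
    """The Service Summary table: availability, event count, durations, worst element."""
    active = active_events(events, start, end)
    if not active:
        return {"available_pct": 100.0, "events": 0, "avg_duration": timedelta(0),
                "worst_duration": timedelta(0), "worst_element": None}
    durations = [e["duration"] for e in active]
    return {
        "available_pct": health_breakdown(active, start, end)["Normal"],
        "events": len(active),
        "avg_duration": sum(durations, timedelta(0)) / len(durations),
        "worst_duration": max(durations),
        "worst_element": Counter(e["element"] for e in active).most_common(1)[0][0],
    }


def breakdown_by_day(events, start, end):
    """Service Health Breakdown by <time>, with a day as the smaller unit."""
    out = {}
    day = start
    while day < end:
        nxt = min(day + timedelta(days=1), end)
        out[day.date().isoformat()] = health_breakdown(events, day, nxt)
        day = nxt
    return out


if __name__ == "__main__":
    print(service_summary(SAMPLE_EVENTS, FRAME_START, FRAME_END))
    print(breakdown_by_day(SAMPLE_EVENTS, FRAME_START, FRAME_END))
```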
Figure 3-6. Service Performance Report
Service Breakdown
If this section is enabled in the Report Criteria section, it displays the performance of the service, service segment,
location, metric category, and metric in an expandable and collapsible tree table, as selected in the diagram in the
Report Criteria section.
For additional detail, choose Add/Remove Columns from the menu for the section. This opens the column chooser.
Double-click a metric in the column chooser to add it to the table.
The columns in the table are sortable. Additionally, you can right-click the name of a service and run a service report
on it.
Service Incident Report
The Service Incident Report shows the performance of a service or sub-component of a service over a short duration
of time. This is useful for quickly determining why a dashboard traffic light indicator is green, yellow or red.
The Service Incident Report page has three sections:
- Report Criteria
- Event Summary
- Event List
- Service Breakdown
All sections have menus for actions that can be performed on the section.
Report Criteria
The Report Criteria section allows you to select a service, service segment, location, metric category, or metric to
report on. You can also limit the report to a time frame and location or metric.
The section includes the following subsections:
- Select Policy - an expandable and collapsible tree diagram of service, service segment, location, metric category,
and metric policies.
- Time frame - specifies a length of time ending at the present time, or else a To/From time span.
- Additional Criteria - provides lists for limiting the report to a selected location and a selected metric category.
- Report Format - determines whether the report includes a Service Breakdown section.
Event Summary
The Event Summary section of the report includes:
- Summary - this table shows the following values for the time frame of the report:
  - Number of events that occurred.
  - Duration of the worst event.
  - Health of the service element you are reporting on. Right-click the health indicator for a list of reports that
you can run for this service.
- Service Map - a graphical representation of the service.
- Segment Health - displays the health of each segment of the reported service for each metric category. Click any
segment name or health indicator (red, yellow, green) for a menu of reports that are available for it.
Figure 3-7. Services > Reports > Service Incident report
- Location Health - displays the health of each location of the reported service for each metric category. Click any
location name or health indicator for a menu of reports that are available for it.
Event List
The Event List section presents the events that occurred within the time frame of the report in both graphical and
tabular formats.
Active Events
The graph displays the number of events over time. Left-click and drag over a time period to zoom the graph to that
period. The graph extends beyond the report time frame in order to provide more context for understanding the events.
Event List
The table lists all events that were active during the time frame of the report. By default, the table includes:
- Event ID - identifies the event that caused the alert condition. Click this to run an Event Details report.
- Policy - provides the full identification of the metric policy that triggered the alert.
- Alert Level - Low or High
- Metric - the name of the metric that the policy is monitoring.
- Start time
- Duration
- Location
- Policy Actions - the Tune link opens the Policy Tuning page for the policy. The Report link runs a Service Level
Objective report for the location.
Many of the columns are sortable. For additional detail, choose Add/Remove Columns from the menu for the section.
This opens the column chooser. Double-click a metric in the column chooser to add it to the table.
For convenience in viewing, you can limit the length of the table by choosing Change Number of Rows from the menu
for this section. The table can also be filtered.
Service Breakdown
This section displays an expandable breakdown of the selected service or service component. The Performance column
displays the percentage of time that each component has been normal (green), in a low alert condition (yellow) and in
a high alert condition (red). You can use the section-level menu to add columns for additional metrics to the table.
Location Performance Report
The Location Performance Report can be run from the Services > Reports menu or from the Reports > Shortcuts page.
It reports how well services and their sub-components at a location have performed. This shows the current trends of
the service and provides historical information about how the service performed over a specified time such as a week,
month, quarter or year.
The Location Performance Report page has three sections:
- Report Criteria
- Summary
- Service Breakdown
All sections have menus for actions that can be performed on the section.
Report Criteria
The Report Criteria section allows you to select a location, metric category, or metric to report on.
The section includes the following subsections:
- Select Policy - an expandable and collapsible tree diagram of location, metric category and metric policies.
- Report on - sets the time frame of the report.
- Additional Criteria - provides lists for limiting the report to a selected metric category.
- Report Format - determines whether the report includes a detailed location breakdown section.
Summary of Events
The Summary of Events section of the report includes:
- Location Summary - this table shows the following values for the time frame of the report:
  - Percent of time the system is available, which is defined as Normal health status.
  - Number of events that occurred.
  - Average duration of the events.
  - Duration of the worst event.
  - Element of the service that caused the most events.
- Location Map - a graphical representation of the service by location.
- Location Health Breakdown - percentage of time that the service for the location was in Normal, Low Alert, or
High Alert operation.
- Location Health Breakdown by <time> - percentage of time that the service for the location was in normal or
alert conditions, broken out by smaller units of time than the time frame of the report. For example, the report for
a week displays the performance for each day for which data is available.
- Number of Events per <time> - number of events that occurred, broken out by smaller units of time than the
time frame of the report. For example, the report for a week displays the performance for each day for which data
is available.
- Average Event Duration by <time> - the average duration of events broken out by smaller units of time than the
time frame of the report.
Location Breakdown
If this section is enabled in the Report Criteria section, it displays the performance of the metric category and metric
for the location in an expandable and collapsible tree table, as selected in the diagram in the Report Criteria section.
For additional detail, choose Add/Remove Columns from the menu for the section. This opens the column chooser.
Double-click a metric in the column chooser to add it to the table. The columns in the table are sortable. Additionally,
you can right-click the name of a service and run a service report on it.
Figure 3-8. Services > Reports > Location Performance report
Location Incident Report
The Location Incident Report can be run from the Services > Reports menu or from the Reports > Shortcuts page. It
reports the health of services and their sub-components at a location. This is useful for quickly determining why a
dashboard traffic light indicator is green, yellow or red.
The Location Incident Report page has four sections:
- Report Criteria
- Event Summary
- Event List
- Location Breakdown
All sections have menus for actions that can be performed on the section.
Report Criteria
The Report Criteria section allows you to select a service, service segment, location, metric category, or metric to
report on. You can also limit the report to a time frame and location or metric.
The section includes the following subsections:
- Select Policy - an expandable and collapsible tree diagram of service, service segment, location, metric category,
and metric policies.
- Time frame - specifies a length of time ending at the present time, or else a To/From time span.
- Additional Criteria - provides lists for limiting the report to a selected location and a selected metric category.
- Report Format - determines whether the report includes a Service Breakdown section.
Event Summary
The Event Summary section of the report includes:
- Summary - this table shows the following values for the time frame of the report:
  - Number of events that occurred.
  - Duration of the worst event.
  - Health of the service element for the location you are reporting on. Right-click the health indicator for a list
of reports that you can run for this service.
- Service Map - a graphical representation of the service.
- Location Health - displays the health of each segment of the reported location for each metric category. Click
any segment name or health indicator (red, yellow, green) for a menu of reports that are available for it.
- Location Health - displays the health of each location of the reported service for each metric category. Click any
location name or health indicator for a menu of reports that are available for it.
Event List
The Event List section presents the events that occurred within the time frame of the report in both graphical and
tabular formats.
Figure 3-9. Services > Reports > Location Incident report
Active Events
The graph displays the number of events over time. Left-click and drag over a time period to zoom the graph to that
period. The graph extends beyond the report time frame in order to provide more context for understanding the events.
Event List
The table lists all events that were active during the time frame of the report. By default, the table includes:
- Event ID - identifies the event that caused the alert condition. Click this to run an Event Details report.
- Policy - provides the full identification of the metric policy that triggered the alert.
- Alert Level - Low or High
- Metric - the name of the metric that the policy is monitoring.
- Start time
- Duration
- Location
- Policy Actions - the Tune link opens the Policy Tuning page for the policy. The Report link runs a Service Level
Objective report for the location.
Many of the columns are sortable. For additional detail, choose Add/Remove Columns from the menu for the section.
This opens the column chooser. Double-click a metric in the column chooser to add it to the table. For convenience in
viewing, you can limit the length of the table by choosing Change Number of Rows from the menu for this section.
The table can also be filtered.
Location Breakdown
This section displays an expandable breakdown of service or service components for a selected location. The
Performance column displays the percentage of time that each location or component has been normal (green), in a
low alert condition (yellow) and in a high alert condition (red). You can use the section-level menu to add columns for
additional metrics to the table.
Managing services
The Profiler and Express enable you to monitor the performance of services that your network provides to end users.
A service might be a specific application, such as Exchange, Oracle or SAP, or it might be a combination of
applications integrated through custom software. The appliance monitors the entire application delivery path of each
service.
For services provided by multi-tiered applications, you can identify a series of service segments along the application
delivery paths. This allows you to monitor performance and identify problems with greater resolution. You can receive
an alert and run a report on any segment of the service to isolate a problem to a particular application, server, or link.
The Profiler and Express define a service as all servers, clients, applications and ports involved in the end-to-end
delivery of a network service. A service is composed of one or more service segments that can be monitored, reported
and alerted on individually.
A service segment is composed of two components and the applications and ports in use between them. Each
component is a group of hosts. Once defined, a component can be acting in the role of client in one service segment,
but in the role of server in another service segment.
For example, in Figure 3-10 the AppServers host group is the server component of the WebApp Service Segment and
also the client component of the AppDB Service Segment. This indicates that hosts in the AppServers component are
connecting to both the web servers and the database servers.
Each service segment comprises:
- Client component - a group of hosts that connect in the role of client
- Server component - a group of hosts that connect in the role of server
- Applications and ports in use between the client component and the server component
Figure 3-10. Service segments
Service segments can be defined by manually specifying the client and server components and manually specifying
the applications and ports in use between them. Alternatively, you can use the service definition wizard to
automatically discover hosts, applications, and ports involved in the service.
The service definition wizard provides many opportunities for manual intervention in adding, deleting, and editing the
various elements comprising the service. You can use the New Component and New Segment buttons to add
components and segments to a defined service manually. However, if you were to define a new service using the most
simple and straightforward path through the wizard, it could proceed as follows:
First you assign a name for the new service. Then you assign a name for the front end server component of the service
and provide the names or IP addresses of the front end servers making up that component.
Next you use the wizard to discover all the applications and ports that the end users use to connect to the server hosts
in the front end component.
Some of the applications and ports the wizard discovers may not be involved in providing the service you want to
monitor. The wizard enables you to review the applications and ports in use, look at the percentage of traffic that they
account for, and decide whether or not they should be tracked as part of the service.
You identify the service segments (that is, the client-application/port-server combinations) that should be monitored
as part of the service and add them to the service. You may be able to merge multiple applications and ports into the
same segment where practical. For example, you might merge all client-server traffic for tcp/80, udp/80, and tcp/443
into one segment named “Web.” Conversely, you can drop or delete those client-application/port-server combinations
that are not related to the delivery of the service.
Using this process of adding service-related traffic definitions and excluding information that should not be tracked as
part of the service, you build up definitions of one or more front end segments.
The front end segments of the service are the starting point for defining additional segments, such as additional backend applications/ports and components. The wizard helps you discover, organize, and label the additional pieces of the
service.
Cascade Profiler and Cascade Express User’s Guide
67
Monitoring Services
Managing services
Once you have identified all the segments of the service, you can specify which performance metrics are to be
monitored for each segment.
When all the segments of the service are named and defined and the monitoring is specified, you commit the new
service. As part of this process, the wizard automatically creates all the service policies necessary for monitoring the
performance of each segment.
For step by step directions for defining a new service, refer to the online video tutorials or the online help system.
CHAPTER 4
Definitions
This chapter describes how to define applications, groups, port names and QoS classes so that they can be tracked,
reported, and alerted on. It includes the following sections:
• “Applications,” next
• “Host groups” on page 71
• “Interface groups” on page 75
• “Port names” on page 76
• “Port groups” on page 77
• “Quality of Service” on page 77
• “Sensors/Sharks and Steelheads” on page 78
Applications
Profiler tracks and reports application traffic. An application can be defined by either a Layer 7 fingerprint or a Layer 4
host/port mapping. You can define up to 100 custom applications that can be detected by Layer 7 fingerprints or
Layer 4 mappings. However, the number of Layer 4 mappings you can have is limited to 50.
Layer 7 Fingerprints
The Layer 7 Fingerprints tab of the Definitions > Applications page enables you to:
• Search and display the list of applications for which the appliance has fingerprints.
• Add a new user-defined application name and specify up to ten Layer 7 fingerprints for it as URLs, alphanumeric
strings, or hexadecimal strings.
• Edit a custom application fingerprint.
• Copy a custom application fingerprint to use as the basis for defining a new one.
• Enable or disable fingerprint-based tracking of a custom application.
Tracking an application based on its fingerprint requires data from a Sensor, a Packeteer device, or a Cisco NBAR
device. You can define custom application names and signatures without having any of these data sources connected.
However, the appliance cannot report on the applications until it receives data from a Sensor, Packeteer, or Cisco
NBAR device. Refer to the online help system for additional details.
Figure 4-1. Definitions > Applications page Layer 7 tab
Layer 4 Mappings
The Layer 4 Mappings tab of the Definitions > Applications page enables you to track and report traffic between
specified hosts and ports as application traffic. You can define a custom application by associating an application name
with connections to a specific host or group of hosts using a specific port or group of ports. The appliance can then
report on that application traffic.
Hosts that have connections that meet the criteria of an application mapping are assumed to be application servers.
Reports that identify servers and clients list these hosts as servers.
Figure 4-2. Definitions > Applications page Layer 4 tab
The Layer 4 Mappings tab of the Definitions > Applications page enables you to:
• Search and display the list of application mappings.
• Define a new custom Layer 4 mapping.
• Edit an existing mapping.
• Change the priority of a mapping.
• Copy a custom mapping to use as the basis for defining a new one.
• Enable or disable mapping-based tracking of a custom application.
Refer to the online help system for additional details.
Host groups
The appliance enables you to assign hosts to groups so that you can track, report and alert on organizationally
meaningful categories of traffic, such as traffic by host function or traffic by host location. This allows you to view the
traffic of the same hosts from multiple perspectives. For example, email servers in New York could belong to a group
named “email” if you are using the by-function view of the network, or to a group named “New York” if you are using
the by-location view of the network.
You can use any of the following approaches to create a host group:
• Manually define a group. You can use an edit box to enter a list of hosts that define a host group.
• Create a host group from a table. When you run a report that displays a table with columns for host names or host
IP addresses, you can use the hosts in the table to create a new host group, redefine an existing host group, or
replace an existing host group.
• Import a text file. You can identify the members of a group in a text file and then import the file to the appliance
as a group definition.
The number of host groups defined for the host group type used in service monitoring (by default the ByLocation host
group type) should be limited to 500. However, you can define thousands of host groups of other host group types.
Refer to the online help system for details on creating or modifying host groups.
Host grouping pages
The appliance is shipped with three types of grouping already defined: ByFunction, ByInternalHosts and ByLocation.
These group types are listed on the submenu under Definitions > Host Groups.
Each group type is organized on the basis of some common host attribute, such as their function, their address being
inside or outside of your network, or their physical location. Hosts that perform the same function or hosts that are in
the same location can be tracked, reported, and alerted on as groups.
Host groups can be named after the functions, locations, or other attributes of their members. For example, for the
ByFunction view of the network, you organize hosts into groups such as Web, Email, DNS, DMZ, etc. Similarly, for
the ByLocation view, you organize hosts into groups named after their locations.
Host group names must not have spaces or special characters.
The page has two sections: Groups and Members of Group.
Groups
The Groups section can be sorted by host group name or by the size of the group. The Host Count column reports how
many hosts belong to each group.
Figure 4-3. Definitions > Host Groups page ByFunction view
The Add filter control in the Name column enables you to limit the list of groups to just those groups whose names
match specified filter criteria. The Add filter control in the Host Count column enables you to limit the list of groups
to just those having a specified size. The values (filter phrases) used for filtering the table contents are specified the
same way as for report table filtering.
Left-click or right-click the host group name to run a report about the group. Click View members in the entry for a
host group to display a list of the hosts that belong to the group.
The Edit Groups link in the title bar of the Groups section opens a window in which you can modify the definitions
of the groups of this group type.
Figure 4-4. Definitions > Host Groups page ByFunction view Edit Groups function
Members of Group
The Members of Group section lists the hosts belonging to the group that is highlighted in the Groups section. Click
the Host IP column heading to sort the list of hosts by IP address. If the appliance has DHCP integration configured,
you can also view the members of the group by their host names.
The View Definitions button in the title bar of the Members of Group section displays the definition of the group
whose members are displayed in that section.
Figure 4-5. Definitions > Host Groups page ByFunction view View Definitions function
Defining host groups
Define host groups by specifying an address range and a group name, using one definition per line. You can use either
or both of two syntaxes for specifying address ranges:
• CIDR - an IP address with a prefix length that specifies how many leading bits of the host address must match the
group definition
• Subnet mask - an IP address with a subnet mask that indicates just which bits of the host address must match the
group definition
CIDR notation may be simpler if your network organizes addresses consecutively by function. The subnet mask
technique may be better suited to networks with repeating address schemes.
All addresses to be tracked as part of host groups must be within the ranges specified for Inside Addresses on the
Configuration > General Settings page.
Defining host group membership using CIDR notation
On each line, specify the address range using CIDR notation, followed by a space, followed by a group name with no
spaces in it. For example,
10/8 group1
172.168.1.1 group2
192/8 group1
In this example, both 10/8 and 192/8 are assigned to group1.
Note: If you use overlapping IP address ranges in the custom group definitions, the appliance assigns a host to the custom group
whose definition has the longest matching prefix. For example, if you are specifying custom host groups corresponding to network
segments “net-a” and “net-b,” a specification file containing:
10.0.0.0/8 net-a
10.15/16 net-b
will cause an address such as 10.15.16.23 to be assigned to the net-b group.
Defining host group membership using subnet mask notation
Where greater flexibility is required, you can specify address ranges using standard 4-quad bit mask notation. The bit
mask specifies which bits of a host IP address must match the bits in the group definition in order to be included in the
group.
On each line, specify the address range using bit mask notation, followed by a space, followed by a group name with
no spaces in it. For example,
192.168.0.100/255.255.0.255 MyServers
Note: If you use overlapping IP address ranges in the custom group definitions and a host address matches more than
one group definition, the appliance applies the following rules of precedence to determine the group under which the
host is tracked.
1. Most matching bits - The host is assigned to the group for which it has the largest number of matching bits.
2. Highest value bits - If both matches involve the same number of bit matches, the appliance assigns the host to the
group for which it has the largest value of matching bits.
3. Higher address - If the number and value of the matching bits are both the same, the appliance assigns the host to
the group with the higher (larger) IP address in its definition.
4. Undefined - If none of these rules can be applied, the appliance assigns the host to one or another of the matching
groups so that its IP address will be tracked.
Examples
CIDR notation technique
The CIDR technique is usually adequate if you organize your hosts such that they have consecutive IP addresses. For
example, assume that addresses are assigned first to email servers and then to database servers:
192.168.1.1 - Boston_mail_server
192.168.1.2 - LA_mail_server
192.168.1.3 - Chicago_mail_server
192.168.2.1 - Boston_database_server
192.168.2.2 - LA_database_server
192.168.2.3 - Chicago_database_server
In this case, you could define two host groups using CIDR notation:
192.168.1.0/24 mail_servers
192.168.2.0/24 database_servers
Subnet mask technique
The subnet mask technique may be required for more complex address assignment schemes. For example, assume that
a company assigns its addresses first by its divisions and then, within each division, by function:
192.168.1.1 - Boston_mail_server
192.168.1.2 - Boston_database_server
192.168.2.1 - LA_mail_server
192.168.2.2 - LA_database_server
192.168.3.1 - Chicago_mail_server
192.168.3.2 - Chicago_database_server
In this case, all the mail server addresses are x.x.x.1 and all the database server addresses are x.x.x.2. So you can use
the subnet mask technique to ignore the third octet of the host IP address, which identifies the division or location but
not the server:
192.168.0.1/255.255.0.255 mail_servers
192.168.0.2/255.255.0.255 database_servers
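The following Python is an added example (not Riverbed code) that parses host group definitions in both the CIDR and the 4-quad subnet mask syntax described above and assigns an address using the precedence rules listed under the subnet mask note. Reading rule 2 (“highest value bits”) as comparing the two masks as integers is an assumption; the sample definition file is constructed from the examples on this page.

```python
"""Host-group definition parsing and matching (added example, not Riverbed code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class GroupDef:
    name: str
    network: int  # definition address with the non-mask bits cleared
    mask: int     # bits of a host address that must match the definition


def parse_definition(line: str) -> GroupDef:
    """Parse one '<range> <name>' line written in CIDR or 4-quad mask notation."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"expected '<range> <name>' with no spaces in the name: {line!r}")
    addr_spec, name = parts
    addr, _, suffix = addr_spec.partition("/")
    # Short CIDR forms such as "10/8" or "10.15/16" are padded to four octets;
    # a bare address such as "172.168.1.1" is treated as a single host (/32).
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    addr_int = int(ipaddress.IPv4Address(".".join(octets)))
    if not suffix:
        mask = 0xFFFFFFFF
    elif "." in suffix:
        mask = int(ipaddress.IPv4Address(suffix))      # e.g. 255.255.0.255
    else:
        prefix = int(suffix)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length in {line!r}")
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return GroupDef(name, addr_int & mask, mask)


def parse_definitions(text: str) -> List[GroupDef]:
    """Parse a multi-line definition file, one definition per line, skipping blank lines."""
    return [parse_definition(ln) for ln in text.splitlines() if ln.strip()]


def assign_group(ip: str, defs: List[GroupDef]) -> Optional[str]:
    """Return the group name for ip, or None if no definition matches."""
    ip_int = int(ipaddress.IPv4Address(ip))
    matches = [d for d in defs if ip_int & d.mask == d.network]
    if not matches:
        return None
    # Rule 1: most matching bits (for CIDR definitions this is longest prefix).
    # Rule 2: highest-value matching bits (masks compared as integers; assumption).
    # Rule 3: higher address in the definition.
    # Rule 4: still tied, so max() simply keeps the first definition encountered.
    best = max(matches, key=lambda d: (bin(d.mask).count("1"), d.mask, d.network))
    return best.name


# Constructed sample file mirroring the examples on this page.
SAMPLE_DEFINITIONS = """
10/8 group1
172.168.1.1 group2
192/8 group1
10.15/16 net-b
192.168.0.1/255.255.0.255 mail_servers
192.168.0.2/255.255.0.255 database_servers
"""

if __name__ == "__main__":
    defs = parse_definitions(SAMPLE_DEFINITIONS)
    for host in ("10.15.16.23", "10.1.2.3", "172.168.1.1", "192.168.3.1", "8.8.8.8"):
        print(host, "->", assign_group(host, defs))
```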
Managing host group types
The Definitions > Host Groups > Manage Host Group Types page lists all the currently defined group types.
Figure 4-6. Definitions > Host Groups > Manage Host Group Types page
The Manage Host Group Types page provides controls that enable you to:
• Toggle between Yes and No for saving statistics for a group type so that they can be displayed in content
blocks on the Dashboard page.
• View a list of groups that have been defined for a group type by clicking View in the entry for that group type.
This displays a page listing the groups of the selected group type. On that page you can also view and edit the
members of each group of the group type.
• Edit the name or description of a group type by clicking Edit in the entry for that group type.
• Delete a group type by clicking Delete in the entry for that group type.
• Define a new group type (i.e., a new way of viewing hosts on the network) by clicking the New button.
Interface groups
The Profiler and Express appliances track traffic volumes and utilization percentages (where available) on a per-interface basis for all interfaces from which they receive traffic information. For convenience, you can aggregate
interface statistics into groups. You can define policies for interface groups to generate an alert if a specified condition
occurs. You can also generate reports to provide an interface-oriented view of network performance.
To simplify network monitoring and troubleshooting, you can define views of your network based on regions,
locations, business groups, functions or other classification attributes. Each “network view” can include all relevant
interface groups. Each interface group can contain subgroups and individual devices and interfaces. All devices and
device interfaces that are sending traffic information to the appliance can be listed by a search tool for easy selection
and inclusion in an interface group or a network view.
Adding a device to a group adds all the device’s interfaces that are sending data to the appliance. Adding a “reporting
device,” such as the Cascade Gateway appliance, adds all that device's routers and all the routers' interfaces. If
additional interfaces on that device begin sending data to the appliance at some future time, they are automatically
added to the interface group also.
Figure 4-7. Definitions > Interface Groups page
You can use the Definitions > Interface Groups page to:
• Define a network view.
• Define interface groups within a network view.
• Add interfaces and devices to an interface group.
• Define subgroups within an interface group.
• Add interfaces and devices to a network view.
• Move or copy groups, devices or interfaces between groups using drag & drop.
• Import or export an interface group or network view.
• Delete interfaces, devices, interface groups and network views.
Refer to the online help system for descriptions of each of these procedures. Note that VXLAN views are not editable
except for the names and descriptions assigned to their virtual network identifiers.
After interface groups and network views have been set up, interface performance can be monitored on the Home >
Navigate Network page.
Port names
The Port Names page allows Operators and Administrators to:
• View a histogram of the traffic volumes of selected ports or all ports that are using TCP or UDP or both.
• Add new ports to the list of ports that the appliance knows by name.
• Rename ports. The ports tracked by default correspond to the standard services defined by the Internet Assigned
Numbers Authority (IANA).
• Import a standard /etc/services file so that the appliance displays and reports use your custom names for ports.
• Specify ports as being server ports.
• Identify which ports have been assigned to port groups.
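As an added example (not Riverbed code), the following Python parses the standard /etc/services format mentioned above into a port/protocol-to-name table and looks up the name a report would display. How the appliance itself resolves duplicate entries is not documented on this page; keeping the first name seen for a port/protocol pair, as the C library does, is an assumption, and the sample file is constructed.

```python
"""Parse /etc/services for custom port names (added example, not Riverbed code)."""
from typing import Dict, Tuple

# Constructed sample in /etc/services format: name, port/protocol, optional aliases, comments.
SAMPLE_SERVICES = """\
# Network services, Internet style
ssh             22/tcp
ssh             22/udp
domain          53/tcp          # Domain Name Server
domain          53/udp
http            80/tcp          www www-http   # WorldWideWeb HTTP
https           443/tcp
https           443/udp
erp-sync        8443/tcp        # in-house application name
"""

PortKey = Tuple[int, str]  # (port number, protocol), e.g. (80, "tcp")


def parse_services(text: str) -> Dict[PortKey, str]:
    """Map (port, protocol) to the service name; comments and aliases are ignored."""
    names: Dict[PortKey, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"line {lineno}: expected '<name> <port>/<proto>': {raw!r}")
        name, port_proto = fields[0], fields[1]
        port_text, proto = port_proto.split("/", 1)
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"line {lineno}: bad port number {port_text!r}")
        key = (int(port_text), proto.lower())
        names.setdefault(key, name)             # first entry wins (assumption)
    return names


def port_name(names: Dict[PortKey, str], port: int, proto: str) -> str:
    """Name to display for a port; ports without a name fall back to the number."""
    return names.get((port, proto.lower()), str(port))


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for port, proto in ((80, "tcp"), (8443, "tcp"), (53, "udp"), (9999, "tcp")):
        print(f"{port}/{proto} -> {port_name(table, port, proto)}")
```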
Figure 4-8. Definitions > Port Names page
Port groups
The appliance can track and report traffic in terms of ports being used. Where a large number of ports are involved, it
can be useful to define collections of protocol/port specifications that can be tracked and reported as named groups.
The Definitions > Port Groups page allows you to create, edit, and delete groups of ports for reporting and alerting. A
port can be assigned to multiple port groups.
The appliance recognizes the port names that are defined on the Definitions > Port Names page. These are standard
IANA names by default. However, you can modify the definitions or import your own services file.
Figure 4-9. Definitions > Port Groups page
Quality of Service
The appliance tracks Quality of Service classes associated with traffic flows in the network. It can report which class
of service tags were seen by devices that report flow data. The presence or absence of specified QoS classes can be
used as reporting and alerting criteria.
All QoS reporting in the appliance is based on the 6-bit Differentiated Services Code Point (DSCP). By default, the
appliance uses a standard set of definitions for DSCP values. You can modify these or define additional names and
descriptions on the Definitions > QoS page.
The QoS page lists QoS classes by their decimal, binary, and hexadecimal values, and by names and descriptions. Click
any column heading to sort by ascending or descending order.
Figure 4-10. Definitions > QoS page
Sensors/Sharks and Steelheads
When links in a network are using WAN optimization, the Profiler or Express must receive data from a Sensor or Shark
monitoring traffic on the LAN side of the Steelhead that is located on the server side of the optimized connection. This
is necessary in order to determine server delay time and network response time.
The Definitions > Sensors/Sharks & Steelheads page enables you to specify Sensors and Sharks that are monitoring
the LAN on the server side of the WAN optimization devices.
Figure 4-11. Definitions > Sensors/Steelheads page
When the WAN optimization is being performed by Riverbed Steelheads, the Profiler or Express requires the
following information in order to measure server delay and compute response time for reporting network performance:
• CascadeFlow (Steelhead NetFlow v9) or CascadeFlow-compatible data from the Steelheads at both ends of the
WAN.
• Traffic statistics from a Sensor that is monitoring the LAN that the server-side Steelhead is connected to.
The Profiler automatically discovers which Sensors are associated with Steelheads that are acting as the server-side
Steelhead for optimized traffic. It does this whenever it has sufficient data to make the association. It adds these
associations to the Sensors/Sharks & Steelheads section and lists them as “Dynamic” in the type column. They are
dynamic in the sense that the Profiler automatically deletes them when they become stale and reassigns them when
new associations are discovered, based on its analysis of the role that the Steelheads are performing.
The Profiler does not automatically discover which Shark is closest to the LAN side of a Steelhead. For Shark
appliances, and for Sensors that the Profiler did not have enough data to discover automatically, you must make the
association manually as a “Static” assignment. Click New on the Definitions > Sensors/Sharks & Steelheads page to
display a section in which to make the assignment.
When you make a static assignment, your assignment remains in effect until you edit it or delete it. The dynamic
discovery and maintenance features do not affect your static assignments.
For accurate reporting of server delay and response times, use this page to identify all Sensors and Sharks that are
monitoring the LAN-side traffic of Steelheads that are likely to act in the role of server-side Steelhead for optimized
traffic flows.
WAN
In order to analyze WAN performance and identify opportunities for WAN optimization, the Profiler or Express
appliance must know which network interfaces are part of a WAN, which of these are using a WAN optimization
device, and which are not. It automatically creates Optimized and Non-optimized interface groups. It recognizes WAN
interfaces that are on Steelhead devices of version 5.5.3 or higher if the Steelhead is exporting NetFlow 5.1 or
CascadeFlow and automatically adds these to the Optimized interface group. You can use the Find Steelheads button to
automatically populate the group with Steelhead WAN interfaces. Other WAN interfaces must be added to the groups
using the browse tool.
Figure 4-12. Definitions > WAN page
The WAN interface groups displayed on the Definitions > WAN page are a special case of the entire set of interface
groups displayed on the Definitions > Interface Groups page. You can add, delete and move WAN interfaces the same
way you do other interfaces on the Definitions > Interface Groups page, with the following exceptions:
• The WAN view can contain only the Optimized and Non-optimized interface groups. You cannot create other
interface groups, devices or interface subgroups within the WAN network view.
• If you move an optimized WAN interface for a Steelhead appliance of version 5.5.3 or higher out of the
Optimized group, the appliance will move it back into the Optimized group the next time it receives flow
information from the Steelhead and recognizes it as a WAN optimization device.
• If you drag and drop or otherwise move an interface into the Non-optimized group, the appliance will treat it as a
non-optimized WAN interface.
CHAPTER 5
Enterprise Integration
This chapter describes the main features for integrating the Cascade Profiler and Cascade Express appliances into the
core infrastructure of your network. It includes the following sections:
• “Vulnerability scanning,” next
• “External links” on page 84
• “Host switch port discovery” on page 84
• “API access” on page 85
• “Identity sources” on page 86
• “Load balancers” on page 86
• “DHCP integration” on page 87
These features are available from the Integration submenu of the Configuration menu.
Vulnerability scanning
The appliance provides the client side of vulnerability scanning. You must install vulnerability scanning software on
a server that is accessible to the appliance in order to manage scanning from the appliance GUI. Additionally, the
appliance must be equipped with the optional security analytics module.
The appliance provides both manual and automatic vulnerability scans of hosts on the network. You can initiate a scan
manually by right-clicking a host IP address on any report in the appliance and choosing Vulnerability Scan on the
shortcut menu. Alternatively, you can click Run Scan on the Configuration > Integration > Vulnerability Scan page.
You can also set the appliance to automatically initiate a scan in response to any specified traffic event of any specified
severity.
Two types of vulnerability scans can be defined: Quick scans and Deep scans. The Quick scan is intended to use a
shorter list of plugins and perhaps simpler options than the Deep scan. However, their configuration and operation are
otherwise the same. Both can be run while you wait or run in the background. Also, they can be run from different scan
servers.
Vulnerability scan reports are saved in the Completed Reports table of the Reports > Saved Reports page. They can be
viewed, printed, and emailed. They can also be saved indefinitely, like other reports. Vulnerability scan reports are
subject to the same disk space management rules as other reports.
The running of vulnerability scans is recorded in the audit log, which Administrators can view on the System
Information > Audit Trail page.
Types of vulnerability scans
Vulnerability scan configurations are specified using the Configuration > Integration > Vulnerability Scanning page.
The Vulnerability Scan page has three tabs:
• Quick Scan - specifies the connection information, authentication method, and settings for the scanner used for a
Quick Scan.
• Deep Scan - same fields and buttons as the Quick Scan tab, except that it specifies the configuration required for
a Deep Scan.
• Auto Scan - specifies the event types and alert levels that are to trigger automatic vulnerability scans.
The setup tabs for the Quick scan and the Deep scan are the same. However, they are independent of one another. You
can, for example, have Quick scans performed by a scanner running on one scanner server and Deep scans performed
by another scanner.
The appliance supports Nessus, Rapid7, Qualys, nCircle and Foundstone/McAfee scanners. The appliance offers more
configuration options for Nessus than for the others because the other scanning systems are configured primarily
through their own user interfaces.
Figure 5-1. Configuration > Integration > Vulnerability Scan Setup page Quick Scan tab
Configuring automatic scans
After specifying the Quick Scan and Deep Scan parameters, you can set the appliance to automatically run scans in
response to specified types of alerts.
The Vulnerability Scan Setup page lists the type of network events that cause the appliance to send traffic-related
alerts. For each level of alert these events can trigger, you can specify a scan action to be taken: No Scan, Quick Scan,
or Deep Scan.
Fields near the bottom of the page provide for limiting the volume and rate of scanning to protect your network from
being overwhelmed by scan traffic. The appliance reports up to 256 hosts involved in an event. It runs up to 4 scans
concurrently and up to 12 scans per hour.
The scan traffic is recorded in the appliance flow logs and becomes part of the traffic profile.
Figure 5-2. Configuration > Integration > Vulnerability Scan Setup page Auto Scan tab
What is scanned
The event that triggers an automatic scan also determines which hosts are scanned, as follows:
Type of event that triggered scan     What is scanned
Denial of Service/Bandwidth Surge     Attacker hosts
Host Scan                             Scanner host
New Host                              New host
New Server Port                       Host that provided or consumed a service over the port
Port Scan                             Victim hosts
Suspicious Connection                 Source and victim
User-defined Policy                   Source and destination or client and server hosts involved in the event
Worm                                  Victim hosts
Only hosts identified as having “inside addresses” are scanned. Inside addresses are specified on the Configuration >
General Settings page.
Manually initiating a vulnerability scan
Operators and Administrators can manually initiate a vulnerability scan by either of two methods:
• Click Run Scan on the Quick Scan tab or Deep Scan tab of the Configuration > Integration > Vulnerability
Scanning page.
• Right-click the host on a report and choose Vulnerability scan on the shortcut menu.
You can add more hosts if you want to scan hosts in addition to the one you right-clicked, for a total of up to 256.
Note: Manual scans are not subject to the rate limit on the Auto Scan tab. However, they are counted towards the limit when the
next automatic scan runs.
When a scan run in the background is complete, a scan report is automatically saved in the Completed Reports table
of the Reports > Saved Reports page. Reports from foreground scans appear automatically and can be saved, printed,
and emailed. The content and format of a report are determined by the type of scanner you are using. Refer to your
scanner documentation for descriptions of the information contained in the reports. The appearance of a report may
vary from the appearance of the report available from the scanner GUI, depending on the scanner used.
External links
The appliance provides a means for contacting other network devices for additional information about a host or user
of interest. Right-clicking a host name, IP address, MAC address or port number and choosing an external link from
the shortcut menu sends a query to the other network device. A new browser window opens to display the response
from that device.
Likewise, right-clicking a username and choosing an external link from the shortcut menu sends a query on the
username to the other network device and opens a new browser window to display the response.
External links must be specified on the Configuration > Integration > External Links page in order to be available on
the right-click menu. They must be specified using the syntax that the external device expects. Refer to the online help
system for syntax examples.
Figure 5-3. Configuration > Integration > External Links Setup page
Host switch port discovery
As part of the Host Information Report, the appliance identifies the switch port to which a host is connected. This
requires the appliance to know about the switches that the host's traffic passes through. The appliance attempts to find
the outermost switch on which a host was seen. If it knows about all the switches, then this will be the access switch
and the appliance will report the port to which the host is connected.
The Configuration > Integration > Switch Port Discovery page allows you to identify your switches to the appliance
so that the host switch port information will be included in the Host Information Report.
Figure 5-4. Configuration > Integration > Switch Port Discovery page
API access
The information that the appliance collects about network assets, traffic flows, and events is made available for use by
other products through APIs (application program interfaces). Management systems can send requests for information
to the appliance. The appliance will respond by sending the HTML or CSV data for traffic reports or event reports, or
XML data for asset reports.
Figure 5-5. Configuration > Integration > API Access page
Access to the APIs is protected by authentication. The RESTful API can authenticate users by Basic, Session (Cookie)
or OAuth 2.0 authentication. The Reporting, Assets and Event Report APIs use ACLs (access control lists). The
Configuration > Integration > API Access page enables you to generate OAuth 2.0 access codes for the RESTful API
and add users to the access control list for the other APIs. Changing or deleting an ACL specification does not affect
users that are currently logged in until they log out.
The API Authorization page is available to Administrators and Operators.
Identity sources
The appliance can collect user identity information for reports on network users. Identity information sources are listed
on the Configuration > Integration > Identity Sources page.
The appliance receives the identity information from Microsoft Active Directory domain controllers. These are
configured separately from the Profiler setup and administration activities.
Once configured with the Riverbed connection utility, the Active Directory devices send user identity information to
the appliance. If a source produces too much data or data that is not interesting, you can configure the appliance to
ignore identity data that it receives from that source.
If a source is no longer being used, you should disable the collector utility at the source so that it stops sending data.
Then delete the entry for that source from the list on the Configuration > Integration > Identity Sources page.
User identity information is available to user accounts that an Administrator has enabled to view it. You can use the
Configuration > Account Management > User Accounts page to enable or disable user identity viewing, as appropriate.
Figure 5-6. Configuration > Integration > Identity Sources page
Load balancers
Use the Configuration > Integration > Load Balancer page for identifying load balancers as service components. When
a load balancer has been defined as a service component, you can add it from a list when you define a service on the
Services > Manage Services page.
Figure 5-7. Configuration > Integration > Load Balancer page
The page lists load balancers by name, type, address, user name and status. The Status column indicates if the Profiler
or Express appliance was able to query the load balancer for information successfully. The Last Update column lists
the last time the load balancer information was updated. The appliance queries the load balancer for its Virtual IP
Addresses and SNAT configuration. (Currently the appliance obtains this information from only F5 LTM load
balancers. Information for Stingray and other devices must be entered manually when you define a service.)
The Load Balancer page enables you to manage your list with the following features on the Options menu:
• Add - Enter the information that the appliance needs to query the load balancer. This includes the name, type, address, user name and password of the device.
• Export to XML - Exports all information in the list of load balancers to an XML file that you can save on your local machine.
• Export to CSV - Exports all information in the list of load balancers to a comma-separated-value file that you can save on your local machine.
• Import - Imports a list of load balancer definitions that you exported from another Profiler or Express appliance to an XML or CSV file.
Additionally, for each load balancer in the list, you can edit or delete the definition.
Refer to the online help system for additional details.
DHCP integration
If parts of your network are managed by DHCP address allocation, then host machines may be assigned new IP
addresses when their leases expire. In order to develop and display the profile of a host's activity, the appliance must
continue to track the connection behavior of the host when its IP address lease expires and the DHCP server assigns it
a new IP address.
The appliance uses lease information from the DHCP server as the basis for tracking hosts. This requires a mechanism
for transferring lease information from the DHCP server to the appliance. The specifics of the mechanism depend on
the DHCP implementation.
Lease data file format
The appliance accepts DHCP data in two formats.
Alcatel-Lucent QIP-compatible format
This format contains one lease record per line in the following order:
IP Address | MAC address | DNS name | domain | lease-start date time | lease-end date time | status
For example (on one line):
192.168.10.1|aa:bb:cc:dd:0a:01|host-10-1|example.com|2009-05-01 15:26:15Z|2009-05-08 15:26:15Z|Active
Note that time stamps are expected to be in UTC format. To specify time stamps in local time, use the “20090501 15:26” format instead. For example:
192.168.10.1|aa:bb:cc:dd:0a:01|host-10-1|example.com|20090501 15:26|20090508 15:26|Active
ISC-compatible format
This format is compatible with POSIX-compliant DHCP packages distributed by Internet Systems Consortium, Inc.
(www.isc.org).
lease 10.128.2.219 {
  starts 2 2008/08/15 16:09:09;
  ends 2 2008/08/15 20:09:09;
  tstp 2 2008/08/15 20:09:09;
  binding state free;
  hardware ethernet 00:02:a5:ba:53:9b;
  uid "\001\000\002\245\272S\233";
}
lease 192.168.255.100 {
  starts 1 2009/02/19 01:28:33;
  ends 1 2009/02/19 13:28:33;
  tstp 1 2009/02/19 13:28:33;
  binding state free;
  hardware ethernet 00:04:23:c4:02:30;
}
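The following Python script is added here as an example; it is not part of the Riverbed guide or of any Riverbed-supplied conversion script. It parses both lease-data formats described above into one record shape and flags records that would mislead host tracking (a lease that ends before it starts, or an IP address that appears in two active leases) before the file is transferred to the appliance. The sample data, the record field names and the helper names are constructed. The QIP local-time stamp form carries no zone, so the parser tags it with a caller-supplied time zone (UTC by default, an assumption made so that both stamp forms can be compared).

```python
"""Parse the two DHCP lease-data formats the appliance accepts (QIP-compatible
pipe-delimited records and ISC dhcpd.leases blocks) into one record shape and
sanity-check the result before the file is transferred.

Added example, not code from the Riverbed guide or any Riverbed script.
The record field names, helper names and sample data are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed QIP-compatible sample, one lease per line:
# IP | MAC | DNS name | domain | lease start | lease end | status.
# The first record uses the UTC stamp form, the second the local-time form.
QIP_SAMPLE = """\
192.168.10.1|aa:bb:cc:dd:0a:01|host-10-1|example.com|2009-05-01 15:26:15Z|2009-05-08 15:26:15Z|Active
192.168.10.2|aa:bb:cc:dd:0a:02|host-10-2|example.com|20090501 15:26|20090508 15:26|Active
"""

# Constructed ISC-compatible sample (dhcpd.leases blocks).
ISC_SAMPLE = """\
lease 10.128.2.219 {
  starts 2 2008/08/15 16:09:09;
  ends 2 2008/08/15 20:09:09;
  tstp 2 2008/08/15 20:09:09;
  binding state free;
  hardware ethernet 00:02:a5:ba:53:9b;
  uid "\\001\\000\\002\\245\\272S\\233";
}
lease 192.168.255.100 {
  starts 1 2009/02/19 01:28:33;
  ends 1 2009/02/19 13:28:33;
  binding state active;
  hardware ethernet 00:04:23:c4:02:30;
}
"""

def parse_qip_time(text, local_tz):
    # 'YYYY-MM-DD HH:MM:SSZ' is UTC; 'YYYYMMDD HH:MM' is appliance local time and is
    # tagged with local_tz (assumption) so every record is timezone-aware and comparable.
    text = text.strip()
    if text.endswith("Z"):
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return datetime.strptime(text, "%Y%m%d %H:%M").replace(tzinfo=local_tz)

def parse_qip(text, local_tz=timezone.utc):
    """Return lease records from QIP-compatible data; reject malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        ip, mac, name, domain, start, end, status = fields
        records.append({"ip": ip, "mac": mac.lower(), "name": name, "domain": domain,
                        "start": parse_qip_time(start, local_tz),
                        "end": parse_qip_time(end, local_tz),
                        "active": status.lower() == "active"})
    return records

_ISC_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_isc_time(text):
    # ISC writes 'W YYYY/MM/DD HH:MM:SS' in UTC; W is the weekday and is dropped.
    _, stamp = text.split(" ", 1)
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_isc(text):
    """Return lease records from ISC-compatible data."""
    records = []
    for match in _ISC_BLOCK.finditer(text):
        ip, body = match.group(1), match.group(2)
        fields = {}  # each statement is "keyword rest;" and is keyed on its first word
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, rest = stmt.partition(" ")
                fields[key] = rest.strip()
        hardware = fields.get("hardware", "")
        records.append({"ip": ip, "name": None, "domain": None,
                        "mac": hardware.split()[-1].lower() if hardware else None,
                        "start": parse_isc_time(fields["starts"]),
                        "end": parse_isc_time(fields["ends"]),
                        "active": fields.get("binding") == "state active"})
    return records

def lease_length(record):
    return record["end"] - record["start"]

def check_records(records):
    """Problems worth fixing before transfer: a lease that ends before it starts,
    or an IP address that appears in more than one active lease."""
    problems, active_ips = [], set()
    for r in records:
        if r["end"] < r["start"]:
            problems.append(f"{r['ip']}: lease ends before it starts")
        if r["active"]:
            if r["ip"] in active_ips:
                problems.append(f"{r['ip']}: more than one active lease")
            active_ips.add(r["ip"])
    return problems

if __name__ == "__main__":
    leases = parse_qip(QIP_SAMPLE) + parse_isc(ISC_SAMPLE)
    for rec in leases:
        print(rec["ip"], rec["mac"], "active" if rec["active"] else "free", lease_length(rec))
    print("problems:", check_records(leases))
```

Run `check_records` on the dump each time before the `data` file is copied; an empty list means the file is consistent enough to hand to the appliance.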
Transfer mechanism
When transferring DHCP lease data to the appliance from a DHCP package that uses one of the data formats the
appliance supports, you can transfer the data in its native format to the appliance.
When integrating with a Windows DHCP domain controller, you need to convert the data format. Riverbed provides
a conversion script and instructions for its use. You can download these from the appliance help system.
Typically, the transfer of lease information to the appliance is implemented as follows:
1. Enable the DHCP server to log in to the appliance via SSH. SSH on the appliance must be configured with the
public key of the DHCP server. On the appliance, SSH configuration files are in /usr/mazu/var/dhcp/.ssh. The
appliance supports SSH v2.
2. Set up a script on the DHCP server so that every n minutes, a client process obtains lease information from the
DHCP server and writes it into a file. In the case of a Windows DHCP implementation, use the Riverbed script to
convert the data format before transferring the file to the appliance.
3. Set up a scheduler to execute the scripts to dump, convert (if Windows), and transfer the DHCP lease data
information to the appliance. The lease data file must be transferred to the appliance as a file named data. Typically,
it is transferred into the DHCP data directory on the appliance.
4. After the scheduler has transferred the lease data, it must transfer a file named data-new into the same directory as
the data file. This file indicates to the appliance that the new lease data is available.
The data and data-new files can be transferred using commands such as:
scp <dump_file> dhcp@<appliance_name>:/usr/mazu/var/dhcp/data
scp data-new dhcp@<appliance_name>:/usr/mazu/var/dhcp/data-new
or
scp <dump_file> dhcp@<appliance_name>:./data
scp data-new dhcp@<appliance_name>:./data-new
Both the data and data-new files are removed after the appliance has imported the new lease data. They must be written
again by each subsequent data transfer.
If the appliance receives an IP address in flow data that does not appear in the lease data file, it assumes the address to
be static.
Riverbed provides instructions for integrating the appliance with QIP, ISC, Infoblox, and Windows DHCP software.
Update intervals
The interval for updating the appliance DHCP information can be based on DHCP lease times, lease update intervals
and the times when new leases are most frequently requested on your network. A DHCP client on a network with no
outages may update its lease when half the lease time has expired. That is, it obtains a new lease at an interval of lease-length/2.
Update scheduling can vary widely, depending on network conditions and security policies. Some general guidelines
for sending new DHCP data to the appliance are as follows.
• If your script for sending DHCP information to the appliance sends incremental updates (i.e., just what has changed since the last update), have it send the appliance updates every hour.
• If your script sends complete DHCP lease information for every update, have it send the appliance updates based on the length of the leases, as follows:

Lease length         Update interval
More than 4 days     1 update per day (around 10:00 AM)
4 days               2 updates per day
24 hours             6 updates per day
12 hours             12 updates per day
6 hours              24 updates per day
Less than 6 hours    24 updates per day
CHAPTER 6
System Verification
This chapter describes how to ensure that the Cascade Profiler and Cascade Express are properly configured before
you begin routine operational use. It includes the following sections:
• “System information,” next
• “Data sources” on page 92
• “Audit trail” on page 97
• “Shutdown/Reboot” on page 111
• “Update” on page 112
• “Backup” on page 113
System information
The System > Information page lists the status of the appliance. For an Enterprise Profiler, this page lists the status of
the Analysis Module and each Expansion Module.
The page also lists:
• Total number of hosts
• Currently loaded profile
• Licensed flow capacity and usage
• Capture job status and interfaces (Express 460 only)
• Start and end times of the available traffic flow logs
• Start and end times of the available identity information logs
• Usage of licensed policy capacity
• Storage status
• DNS server status
• Serial number of the Riverbed Cascade device you are accessing
• NTP server status
• Active user sessions by name, address, login time, and last access time
• Active OAuth tokens - These can be php, perl, .NET, or other script clients connecting to the Profiler to get data using the REST API.
• Cascade Collect diagnostic tool
• System messages
Refer to the online help system for descriptions of each of these.
Data sources
The appliance reports its sources of traffic data on the System Information > Devices/Interfaces page. Using list entries
or mouse-rollover pop-ups, this page provides the following information for devices and their interfaces from which
the appliance is receiving data:
• Devices
  – Status
  – IP address
  – Device type (in terms of what type of data is being sent)
  – NTP synchronization (Cascade Sensors and Gateways only)
• Device Interfaces
  – Status
  – IP Address:Index of interface
  – Interface name (ifDescr; assigned on the data source device)
  – Interface label (as assigned on the appliance)
  – Interface description (ifAlias; assigned on the data source device; the appliance displays up to 65 characters)
  – MAC address
  – Interface type (e.g., Ethernet CSMA/CD RFC3635)
  – MTU (maximum transmission unit)
  – Traffic rate (traffic in bits per second that the appliance tracks)
  – Utilization (percent of device speed that the appliance currently sees being used)
Much of this information must be obtained from the data source devices. For devices that send flow records directly
to the Express, the Express uses SNMP to obtain the information. For sources that send data to Cascade Gateways, the
Gateways use SNMP to obtain the information. They then send it to the Profiler.
You can specify which version of SNMP and what community name the Express or the Gateways use to contact the
devices. You can assign labels to interfaces. The appliance uses these labels when displaying interface information.
The data source devices must be configured to send data (NetFlow, sFlow, IPFIX) to the Express or to the Gateway.
When the appliance receives data from a device, either directly or via a Gateway, it automatically lists the device IP
address, name, type, and status on the System Information > Devices/Interfaces page.
The Express or the Gateways then attempt to obtain the detailed information using SNMP. Both use the default settings
for SNMP unless you have specified other settings.
The information and controls for monitoring and labeling data sources are displayed in three views of the System
Information > Devices/Interfaces page:
• Device/Interface Tree
• Interface List
• Device List
Device/Interface Tree view
The Device/Interface Tree view of the System Information > Devices/Interfaces page displays data source information in the following layout:
Sensor (Device entry line 1)
    Interface (Interface entry line)
Gateway (Device entry line 1)
    Data source device (Device entry line 2)
        Device interface (Interface entry line)
        Device interface (Interface entry line)
Shark (Device entry line 1)
Steelhead (Device entry line 1)
Third-party device (NetFlow, sFlow, IPFIX) (Device entry line 1)
    Device interface (Interface entry line)
    Device interface (Interface entry line)
Device entry line 1 identifies the Sensor, Gateway, Shark, Steelhead or flow record source that is sending data to the
appliance.
Device entry line 2 is used in the case of Gateways to identify the devices that are sending data to the Gateways.
The Interface entry lines provide information about each of the device's interfaces. Additionally, each entry has one or
more of the following links and indicators:
Status indicator
Color represents status, as described in the legend. The status color is propagated upward. That is, when the display is
collapsed, the status of the parent entry shows the status of the most degraded child entry.
Name link
Rolling your mouse over a device name or interface name displays a summary of information about it. You can
also left-click or right-click the device or interface name links for additional information. The appliance uses SNMP
lookups, if available, to obtain the names of the flow source devices, instead of using DNS name resolution.
Go link
Sensor, Gateway and Shark entries include a Go link that opens the user interface login page of the respective device.
Edit link
On device entries, the Edit link opens a window in which you can edit the SNMP settings that the appliance or the
Gateway use when contacting the data source devices and their interfaces. Refer to “SNMP settings” on page 96.
Figure 6-1. System > Devices/Interfaces page Tree view
On interface entries, the Edit link opens a window in which you can edit the interface label that the appliance uses
when displaying information about the interface.
Delete link
If a device or interface is no longer carrying traffic, a Delete link is displayed. You can delete the entry for a device
that is no longer sending data. If the device resumes sending traffic information, it will automatically be added to the
list.
Poll link (Cascade Express only)
A Poll link is included on entries for devices that are sending NetFlow, sFlow, or Packeteer Flow Detail Records to the
appliance. Clicking this link causes the appliance to place the device at the head of the polling queue. This allows you
to receive updated information about this device without waiting for its normal turn in the SNMP polling queue.
Cascade Sensors and Gateways do not have Poll links because they are in continuous communication with the
appliance.
Utilization indicator
If the appliance is obtaining utilization information from an interface, then the entry for the interface displays a
utilization indicator. Roll your mouse over this indicator to see the percent utilization of the interface.
Interfaces view
The System Information > Devices/Interfaces page Interface List view displays the following information about each
interface of the data source devices with which the appliance can communicate:
Figure 6-2. System > Devices/Interfaces page Interfaces list
• Status (as explained by the color legend on the right side of the page)
• IP address
• Host name
• Index of the interface
• Name of the interface (as defined on the device)
• Label (which you can define on this page)
• MAC address of the interface
• Type of interface
• Type name
• MTU (maximum transmission unit)
• Speed (bits per second)
• Utilization (percent of maximum bandwidth utilization)
You can use the search feature to search for particular devices by IP address or CIDR address range. Performing a
search restricts the content of the page to the specified IP address or CIDR address range.
The list can be exported as a CSV file. Additionally, descriptive information can be imported from a CSV file.
Devices view
The System Information > Devices/Interfaces page Device List view displays the following information about each
data source device with which the appliance can communicate:
• Status (as explained by the color legend)
• IP address
• Host name
• Type of data
• Version of the communication link software
• NTP Synchronization (Cascade Sensors and Gateways only)
• SNMP version that the appliance is to use for obtaining information
• SNMP community name that the appliance is to use
Figure 6-3. System > Devices/Interfaces page Devices list
On the Cascade Express, the entry for a device that is sending NetFlow, sFlow, or Packeteer Flow Detail Records to the
appliance includes a Poll link. Clicking this link causes the appliance to place the device at the head of the polling
queue. This allows you to receive updated information about this device without waiting for its normal turn in the
SNMP polling queue. Cascade Sensors and Gateways do not have Poll links because they are in continuous
communication with the appliance.
You can use the search feature to search for particular devices by IP address or CIDR address range. Performing a
search restricts the content of the page to the specified IP address or CIDR address range.
The interface list can be exported as a CSV file. Additionally, this page allows you to configure the default SNMP
settings that the appliance uses to retrieve device information from data source devices.
SNMP settings
Click the Global SNMP Settings link to display a window in which you can specify the default SNMP version number
and connection information. The appliance uses this setting for contacting all data source devices whose SNMP
Version field is set to Default on this page.
Each device can be identified as using the default settings or specific SNMP version. When a setting for a Gateway is
changed, the change is automatically applied to the settings for all devices that are sending data to that Gateway.
However, you can change the setting for any individual device.
Assume, for example, that you have a Gateway that is set to use the Default SNMP settings when obtaining device
information from each of four devices that are sending it NetFlow data. If you change the SNMP setting for the
Gateway to V2, it will automatically switch to using SNMP Version 2 for contacting all four NetFlow devices.
Continuing this example, you could subsequently set one of the four NetFlow device entries to V1. In this case, the
Gateway would use Version 1 to communicate with that device and Version 2 to communicate with the other three.
Audit trail
Changes and activities occurring on the appliance can be recorded and reported. The System > Audit Trail page enables
you to generate a report of all significant configuration and usage activities that have occurred on the appliance. You
can limit the report to activities associated with a specific user name, IP address or event in the appliance during a
specified time frame.
Report Criteria
The Report Criteria section determines what the report will contain, what time frame it will cover, and how it will be
run.
Figure 6-4. System > Audit Trail Report page Report Criteria section
Search for text box
The Search for box accepts a free-form text term. This limits the report to audit records that contain the specified term.
The term can be any:
• User host IP address
• Module
• IP address (for Enterprise Profiler modules)
• User
• Name
• Details (any value that appears in the Details column of the report)
The Search for box requires only enough text to uniquely identify the term.
Time frame
You can specify the time frame of the report relative to the current time or as an absolute time interval.
Relative to the current time
Starting - Specify the most recent number of minutes, hours, days, weeks, months or years that the report is to cover,
ending now. For example, if you specify the Starting value as 1 week ago, then the time frame of the report will start
at this time last week and end now. If you specify 1 year ago, the time frame will start at this time on this date last year
and end now.
Previous - Specify the most recently ended full minute, hour, day, week, month or year before the current minute, hour,
day, week, month or year, respectively. For example, if the current time is 10:17 AM Wednesday and you specify the
Previous value as 1 hour, then the time frame of the report will start at 9:00 AM and end at 10:00 AM today. If you
specify the previous 1 week, the time frame will start at 12:00 AM Monday of last week and end at 12:00 AM Monday
of this week. If you specify the previous year, then the time frame will start at 12:00 AM, January 1st of last year and
end at 12:00 AM, January 1st of this year.
As an absolute time interval
From/To - Specify the time frame either by entering dates and times manually or by:
• Clicking the date to display a calendar tool, then choosing a date from the calendar.
• Clicking a time to display a list box of times, then choosing a time from the list.
The time frame starts at the “From” time and ends at the “To” time.
Additional Activity Criteria
This section further limits the report to activities or events caused by a user specified in the Username box and to types
and subtypes of activities.
Username
The Username can be a web interface user account name or a shell account user name. Activities caused by the system
itself (not originated by a user) are reported with the user name system.
Placing a user account in the Username box restricts the report to just those activities or events that the user caused.
This is different from placing a user account name in the Search for box. For example, if you put the user name “jdoe”
in the Search for box, the report could include the audit record of an administrator editing jdoe’s user account profile.
In that case the change was made by the administrator, but it will be reported because it involved jdoe.
Activity Type and Subtype
The Activity Type field limits the report to a major category of activity. The Subtype field limits the report to only a
specific sub-category of activities within the selected Activity Type. By default, three System activity subtypes are
disabled:
• Encryption and Decryption
• Hash Operation
• Command Execution
These activity subtypes are considered to be the most chatty. When FIPS Compatible Cryptography mode or Strict
Security mode is enabled on the Configuration > Appliance Security > Security Compliance page, logging of all
activity types and subtypes is enabled. However, logging of these three subtypes can be switched off after the appliance
has been booted in FIPS Compatible Cryptography or Strict Security mode.
Activity types and subtypes are described in a separate section below.
Run now
Click Run now to run the report and display the results as soon as they are available.
Run in background
Clicking Run in background opens a window for you to specify the title of the report and select options for saving
and emailing the report. It then runs the report in the background. When the report is ready, it is saved and listed on
the Reports > Saved Reports page.
Figure 6-5. System > Audit Trail Report page Run in Background setup
If an email server has been specified on the Configuration > General Settings page, you can enter a list of email
addresses to which the report will be mailed. You can also enter a message to go into the email and specify if the report
is to be attached as an HTML, PDF or Comma-Separated-Value file.
Audit Settings
This feature determines what types and subtypes of events are logged and for how long. Note that this affects all audit
reports because activities that are not logged cannot be reported.
The default setting is to log all audit events for 90 days. To reduce the number of activities that are logged, select Log
custom set of audit events and select the events that are to be logged.
Figure 6-6. System > Audit Trail Report page Change Audit Settings
When you click OK the settings are applied to future audit logging. Existing logs are not deleted until they reach the
age specified in the Pruning Settings section.
Report results
When the report completes it displays an activity list giving the:
• Time – the time of an activity is logged in UTC but displayed in local time
• Type and Subtype – activities specified in the Report Criteria section
• Module Name – if the appliance is an Enterprise Profiler, then this column is displayed by default instead of the User Host Name column. The Module Name is the resolved name of the Enterprise Profiler module that logged the activity.
• User – the user who originated the activity. This may be a human user or the system.
• Successful – indicates if the activity was successful.
• Event Count – how many identical events occurred within a 1-minute time frame. Rather than report each event individually, the report de-duplicates identical events that happened within the same time frame and tells you how many there were at that time.
• Details – additional information about the activity
Figure 6-7. System > Audit Trail Report page - Report results
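The following Python example is added here and is not code from the appliance. It works through two of the behaviors described above: the boundaries of the “Previous” time frame (for the guide's Wednesday 10:17 AM example, the previous hour is 9:00 to 10:00 AM and the previous week runs from Monday to Monday), and the Event Count de-duplication of identical events within the same minute. It also shows the difference between the Username box and the Search for box using the guide's “jdoe” case. The record layout, the activity type names and the sample records are constructed; identical events are bucketed by calendar minute, which is one reading of the guide's “1-minute time frame”.

```python
"""Audit Trail report logic worked through in code: the "Previous" time frame
(most recently completed whole minute, hour, day, week, month or year) and the
Event Count de-duplication of identical events within the same minute.

Added example, not the appliance's own code. The record layout, activity type
names and sample records are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# A Wednesday at 10:17 AM, the moment used in the guide's examples.
EXAMPLE_NOW = datetime(2013, 2, 13, 10, 17)


def previous_window(now, unit, count=1):
    """Return (start, end) covering the `count` most recently completed whole
    units before the unit containing `now`. Weeks begin at 12:00 AM Monday."""
    if unit == "minute":
        end = now.replace(second=0, microsecond=0)
        start = end - timedelta(minutes=count)
    elif unit == "hour":
        end = now.replace(minute=0, second=0, microsecond=0)
        start = end - timedelta(hours=count)
    elif unit == "day":
        end = now.replace(hour=0, minute=0, second=0, microsecond=0)
        start = end - timedelta(days=count)
    elif unit == "week":
        midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
        end = midnight - timedelta(days=midnight.weekday())  # Monday of this week
        start = end - timedelta(weeks=count)
    elif unit == "month":
        end = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
        start = end
        for _ in range(count):  # step back one whole month at a time
            start = (start - timedelta(days=1)).replace(day=1)
    elif unit == "year":
        end = now.replace(month=1, day=1, hour=0, minute=0, second=0, microsecond=0)
        start = end.replace(year=end.year - count)
    else:
        raise ValueError(f"unknown unit: {unit!r}")
    return start, end


# Constructed audit records: (time, activity type, subtype, user, successful, details).
# Times are in UTC, which is how the guide says the appliance logs them.
SAMPLE_RECORDS = [
    (datetime(2013, 2, 13, 9, 30, 5), "Login", "Web UI", "jdoe", False, "invalid password"),
    (datetime(2013, 2, 13, 9, 30, 41), "Login", "Web UI", "jdoe", False, "invalid password"),
    (datetime(2013, 2, 13, 9, 30, 58), "Login", "Web UI", "jdoe", False, "invalid password"),
    (datetime(2013, 2, 13, 9, 31, 2), "Login", "Web UI", "jdoe", True, "login succeeded"),
    (datetime(2013, 2, 13, 10, 5, 0), "User Account", "Edit", "admin", True, "edited account jdoe"),
]


def audit_report(records, start, end, username=None, search=None):
    """Select records with start <= time < end, apply the Username and Search for
    criteria, then collapse identical events in the same minute into one row
    carrying an event_count."""
    counts = Counter()
    for when, kind, subtype, user, ok, details in records:
        if not (start <= when < end):
            continue
        if username is not None and user != username:  # who caused the activity
            continue
        if search is not None and not any(  # free text anywhere in the record
                search in field for field in (kind, subtype, user, details)):
            continue
        minute = when.replace(second=0, microsecond=0)
        counts[(minute, kind, subtype, user, ok, details)] += 1
    return [{"time": k[0], "type": k[1], "subtype": k[2], "user": k[3],
             "successful": k[4], "details": k[5], "event_count": n}
            for k, n in sorted(counts.items())]


if __name__ == "__main__":
    start, end = previous_window(EXAMPLE_NOW, "hour")
    print("previous hour:", start, "to", end)
    for row in audit_report(SAMPLE_RECORDS, start, end):
        print(row["time"], row["user"], row["successful"], row["event_count"], row["details"])
```

With the previous-hour window, the three failed logins at 9:30 collapse into one row with an Event Count of 3. Over the day, `username="jdoe"` returns only jdoe's own activities, whereas `search="jdoe"` also returns the administrator's edit of jdoe's account, because the name appears in its Details.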
The following additional columns can be added to the report by choosing Add/Remove Columns... on the Activity
List menu:
• Module IP – if the appliance is an Enterprise Profiler, this is the IP address of the module on which the activity was logged.
• Process ID – the ID of the process that originated the activity. This may be a user or the system.
• Session ID – the ID of your browser session
• User Host Name – the resolved host name of the IP address from which the user listed in the activity caused the activity that was logged.
• User IP – the IP address from which the user listed in the activity caused the activity to occur. This could be a user’s IP address or localhost for system user activities.
All columns except the Details column can be sorted in ascending or descending order.
Report controls
The report controls include:
• Activity List section menu
• Templates menu at the top of the page
• Page display control icon at the upper-right corner of the report results section
• Report Options menu at the top of the report results section
Activity List section menu
The menu beside the title of the Activity List section of the report offers the following actions:
Add/Remove Columns – opens a column chooser tool that allows you to add more columns to the report where
applicable. This can provide additional detail for some types of activities.
Change Number of Rows – controls how many activity entries are displayed on a page.
Show Filter – displays a filtering tool that allows you to limit the display to specific values appearing in each column.
The use of the filter tool is described in the online help system.
Export to Host Group – uses the IP addresses in the User IP or Module IP column to create a host group. This allows
you to track and alert on a group of IP addresses of interest.
Export to CSV – exports the contents of the report to a comma-separated-value file for use with other tools.
Templates menu
Use the Templates menu to perform any of the following:
Save As/Schedule – opens a page on which you can:
• Save the current settings as a template for generating reports.
• Schedule the appliance to generate reports (once or periodically) using these settings. The name of the report template is used with the date of the report as the report name.
• Specify whether the generated reports should be saved until you delete them or until the storage space is needed for new reports. (When the storage capacity is exhausted, the appliance overwrites the oldest reports with new reports unless you indicate that they should be saved until you delete them.) Saved reports are accessible on the Reports > Saved Reports page.
• Specify who the scheduled reports should be emailed to, and in which format.
• Specify an email message to be included when reports are distributed.
If an outgoing mail server has been configured on the Configuration > General Settings page, the Save as/Schedule
page includes a field for entering email addresses to which the report will be sent. The number of rows included in an
email report is set on the Configuration > UI Preferences page.
Save as Default – saves the current Report Criteria settings and any modifications that have been made to a report that
is currently being displayed.
Load Default Template – loads the default report criteria. If you have modified the criteria you can return to what
you have previously saved as the default criteria.
Page display control icon
A small page icon at the upper-right corner of the report results section allows you to run additional reports without
closing the first one. Click this icon to transfer the report to a new window.
Figure 6-8. System > Audit Trail Report page Save/Schedule option
Figure 6-9. Page display control
Report Options menu
Use the Report Options menu to perform any of the following:
Save as – saves the report on the Reports > Saved Reports page.
Schedule – opens a page on which you can schedule the running of the report and specify the email distribution list
and file format, as described under “Templates” above.
Print – prints the report using your machine's printing facilities.
Email – emails the report to one or more email addresses. The report is mailed in HTML format or attached to the
email as a PDF or CSV file. If you select the PDF or CSV option, you can specify the name of the attached file. The
name can include characters that will be replaced by the date and time that the email was sent, as follows:
%d is replaced by the date in MMDDYY format. For example, 021509.
%t is replaced by the time in HHMM format. For example, 1536.
This option requires a mail server to have been identified in the Outgoing Mail Server (SMTP) Settings section of the
Configuration > General Settings page.
Export – exports the report as a CSV (comma-separated values) file, an HTML archive file or a PDF file.
Keeping reports
Reports are normally saved until you delete them or until the limit of the storage capacity is reached. When no storage
capacity is left, the appliance deletes the oldest report to make room for the next one to be saved.
You can modify this behavior with the Keep feature. To ensure that a report does not get deleted, select the check box
for the report and then click Keep/Unkeep. This displays an asterisk beside the report to indicate that it will be saved
indefinitely, until you specifically delete it.
If the storage limit has already been reached, the appliance deletes the oldest report not marked to be kept indefinitely
before saving a new report. If enough reports are saved indefinitely to reach the 10 Gigabyte storage limit, then no more
reports can be saved. That is, you can still view an existing report or run a query on the Audit Trail Report page
and view the results. However, the query results will not be saved as a report.
Running a query in the background or scheduling a query to be run in the background automatically saves the report.
Therefore, these background operations are not available if the report storage capacity is completely consumed by
reports marked to be kept. You must first delete enough indefinitely saved reports to free the space necessary for the
new report to be saved. To delete a report, select the check box for the report and then click Delete.
The Report Storage % field indicates what percent of the 10 Gigabyte storage capacity is in use. The rate at which
storage capacity is used depends on the size of your reports.
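The retention rule described above, worked through as an added Python example (not Cascade code): the store evicts the oldest report that is not marked Keep, and refuses a save when only kept reports remain so that the query can still be viewed but not retained. The 10 Gigabyte limit is the one stated above; the report names, sizes and the small limit used in the usage call are constructed for the demonstration.

```python
"""Report retention with Keep/Unkeep, as described for the Audit Trail report page.

Added example, not Cascade code. Reports are saved in arrival order; when the
storage limit is reached the oldest report that is not kept is deleted first.
"""
from collections import OrderedDict

STORAGE_LIMIT_BYTES = 10 * 1024 ** 3   # the 10 Gigabyte limit stated in the guide


class ReportStore:
    def __init__(self, limit=STORAGE_LIMIT_BYTES):
        self.limit = limit
        # name -> [size_bytes, kept]; insertion order doubles as age (oldest first)
        self._reports = OrderedDict()

    def used(self):
        return sum(size for size, _ in self._reports.values())

    def storage_percent(self):
        """The 'Report Storage %' figure: share of the limit currently in use."""
        return 100.0 * self.used() / self.limit

    def keep(self, name, kept=True):
        """Keep/Unkeep: a kept report is never evicted automatically."""
        self._reports[name][1] = kept

    def delete(self, name):
        """Explicit Delete is the only way a kept report leaves the store."""
        del self._reports[name]

    def save(self, name, size):
        """Save a report, evicting the oldest unkept reports until it fits.

        Returns False when the report cannot be saved because the remaining
        space is held by reports marked to be kept (or the report is larger
        than the whole store); the caller can still run the query and view the
        result, it just will not be retained.
        """
        if size > self.limit:
            return False
        while self.used() + size > self.limit:
            victim = next((n for n, (_, kept) in self._reports.items() if not kept), None)
            if victim is None:
                return False
            del self._reports[victim]
        self._reports[name] = [size, False]
        return True

    def names(self):
        return list(self._reports)


if __name__ == "__main__":
    # Constructed walk-through with a 10-unit store instead of 10 GB.
    store = ReportStore(limit=10)
    store.save("monday", 4)
    store.save("tuesday", 4)
    store.keep("monday")
    print(store.save("wednesday", 4), store.names())   # True, tuesday was evicted
    store.keep("wednesday")
    print(store.save("thursday", 4), store.names())    # False, only kept reports remain
```

Background and scheduled queries map onto `save` returning False: when every report in the store is kept, the operation that would have saved the result is the one that is unavailable, not the query itself.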
Time zones for scheduled reports
Reports can be scheduled in terms of the time zone your account uses or in terms of any other time zone, such as the
time zone of the main activity that you are monitoring. If you want a report to be generated at a consistent time of day,
schedule the time of day in terms of the time zone of the activity that you are monitoring.
Each report template can be scheduled independently. For example, one might be scheduled to generate reports at
12:00 AM in London, and another might be scheduled for 12:00 AM in Hong Kong.
When you schedule a time for a report template to generate a report, the schedule becomes part of the report template.
You can modify the template either by choosing Save as/Schedule from the Templates menu on a report or by going
to the Saved Reports page and modifying the template there and clicking Save as/Reschedule in the Templates section.
Both these paths open the Save/Schedule template page.
By default, the Start from and Run at date and time settings on the Save/Schedule template page are based on the
time zone that your account uses.
To use a different time zone:
1. Click Show Time Zones to display a drop-down list of available time zones.
2. Select the time zone in which you want the Run at time to apply.
Note: You can select a time zone using the Continent/City convention, the Country/Zone convention, or the time zone abbreviation.
However, to ensure that the selected time zone is automatically adjusted for summer and winter time changes, it is preferable to
select it using the Continent/City convention instead of the Country/Zone convention or its abbreviation.
Note on run times
Reports always cover the time frame that they are specified to cover. However, they do not start running exactly at the
end of the time frame. It requires several minutes to collect and process the data for the time frame. Therefore, the Run
Time listed in the Reports section is later than the Next Run Time displayed in the Templates section for the template
that generates the report.
The Next Run Time corresponds to the end of the time frame that the report is to cover. That is, the report is run “as
of” that time, rather than exactly at that time. However, the Run Time displayed in the Reports section is the time at
which the report actually was run or will be run.
Table filters
Table filters enable you to limit the length of a table to just the entries of interest. On report pages, use the menu to
switch table filters on or off.
On each table where a table filter is enabled, it is displayed in the first row of the table. It offers a drop-down list of
operations that apply to that particular table. Table filtering includes the following operations, depending on the
information that is to be filtered.
Operation – Results of filtering operation
= – Lists only the name, number, address, or other table column entry that exactly matches the filter phrase. This
operation is case-sensitive.
Not= – Lists all table column entries except for the one that exactly matches the filter phrase. This operation is
case-sensitive.
< – Lists only the numeric, date, time, or duration entries in the table column that are less than the filter phrase.
> – Lists only the numeric, date, time, or duration entries in the table column that are greater than the filter phrase.
Like – Lists all table column entries that include the filter phrase. For example, “Like 10” lists all table column
entries that have “10” in their IP address or name. This operation is case-insensitive.
Not Like – Lists all table column entries that do not include the filter phrase. For example, “Not Like dep” lists all
entries that do not include the string “dep.” That is, it does not list groups with names that include “dept” and
“department.” This operation is case-insensitive.
Word – Lists all the “words” in a table column that exactly match the filter phrase. A “word” in this case can be the
“tcp” component of “tcp/80”. A slash (/) is recognized as a word delimiter. (An underscore is not recognized as a
word delimiter, and spaces in entries are not permitted.) This operation is case-insensitive.
CIDR – Lists all table column entries that include an address within the CIDR block specified as the filter phrase. For
interfaces, the contents of the table are filtered for the IP address of the device that has the interface.
Range – Lists all the numbers or dates in the column that are within a specified range. A calendar tool is provided for
choosing start and end dates.
Day – Lists all table column entries that match the date specified in the filter phrase.
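As an added example (not code from the product), the following Python filter reproduces the semantics of the operations above over a list of column entries: case-sensitive equality, case-insensitive Like and Not Like, slash-only word splitting for Word, and address-in-block matching for CIDR. The column values are constructed; the `low..high` phrase syntax for Range and ISO dates for Day are assumptions, since the page does not show the exact phrase format produced by the calendar tool.

```python
"""Table filter operations (=, Not=, <, >, Like, Not Like, Word, CIDR, Range, Day).

Added example, not Cascade code. Sample column values are constructed.
"""
import ipaddress
import re
from datetime import date, datetime

# A slash and whitespace delimit words; an underscore does not (per the guide).
WORD_DELIMITERS = re.compile(r"[/\s]+")


def _comparable(value):
    """Turn a cell or filter phrase into a number or datetime for <, >, Range and Day.

    Assumption: numeric strings and ISO 8601 dates/datetimes are the accepted forms.
    Returns None when the value is neither.
    """
    try:
        return float(value)
    except ValueError:
        pass
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def _addresses(entry):
    """Yield every IP address embedded in a cell such as '10.2.0.7 (web01)'."""
    for token in re.findall(r"[0-9a-fA-F:.]+", entry):
        if "." not in token and ":" not in token:
            continue
        try:
            yield ipaddress.ip_address(token)
        except ValueError:
            continue


def matches(op, entry, phrase):
    """Return True when one table cell passes the filter operation."""
    entry = str(entry)
    if op == "=":
        return entry == phrase                      # exact, case-sensitive
    if op == "Not=":
        return entry != phrase
    if op in ("<", ">"):
        a, b = _comparable(entry), _comparable(phrase)
        if a is None or b is None or type(a) is not type(b):
            return False                            # non-comparable cells never match
        return a < b if op == "<" else a > b
    if op == "Like":
        return phrase.lower() in entry.lower()      # substring, case-insensitive
    if op == "Not Like":
        return phrase.lower() not in entry.lower()
    if op == "Word":
        words = (w.lower() for w in WORD_DELIMITERS.split(entry) if w)
        return phrase.lower() in words              # "tcp" matches "tcp/80", not "tcp_80"
    if op == "CIDR":
        block = ipaddress.ip_network(phrase, strict=False)
        return any(addr in block for addr in _addresses(entry))
    if op == "Range":
        # Assumed phrase syntax "low..high"; the product offers a calendar tool for dates.
        parts = phrase.split("..", 1)
        if len(parts) != 2:
            return False
        low, high, value = (_comparable(p.strip()) for p in (*parts, entry))
        if None in (low, high, value) or not (type(low) is type(value) is type(high)):
            return False
        return low <= value <= high
    if op == "Day":
        value = _comparable(entry)
        return isinstance(value, datetime) and value.date() == date.fromisoformat(phrase)
    raise ValueError(f"unknown table filter operation: {op}")


def filter_column(op, column, phrase):
    """Apply one filter operation to every entry of a table column."""
    return [entry for entry in column if matches(op, entry, phrase)]


if __name__ == "__main__":
    # Constructed column values; reproduces the "Like 10" and "tcp/80" cases above.
    print(filter_column("Like", ["10.1.2.3", "host10", "server"], "10"))
    print(filter_column("Word", ["tcp/80", "udp/80", "tcp_80"], "TCP"))
    print(filter_column("CIDR", ["10.1.2.3", "10.2.0.7 (web01)", "192.168.1.1"], "10.0.0.0/8"))
```

Note the difference between `=` and `Like` on the case check: an audit entry filtered with `= admin` will not match `Admin`, whereas `Like admin` will, which matters when account names are entered inconsistently.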
Activity Types and Subtypes
The Audit Trail report can include all activities or be limited to any one of the following types of activities:
• Data Change
• Notification
• User
• System
Each of these types of activities includes subtypes, which are more detailed categories of activities. The sections below
identify the Web UI pages for which activities are logged.
Data Change activities
The Data Change activity type includes the following subtypes:
User Change
This subtype reports changes on or related to the following UI pages:
• Configuration > Account management > User Accounts
• Configuration > Change Password
• RADIUS user first log in
• Configuration > Account Management > ODBC DB Access
Settings Change
This subtype reports changes on or related to the following UI pages:
• System > Devices/Interfaces
• Global SNMP Settings
• Edit device (edit device SNMP settings)
• System > Audit Trail > Audit Settings...
• System > Devices/Interfaces > SNMP Settings > Copy to router/switch
• Definition > Sensors / Steelheads
• Configuration > Packet Capture (Express 460 only)
• Configuration > Flow Log > Reallocation and Re-balancing
• Configuration > Integration > Identity sources
• Configuration > Integration > Load balancers
  – Add...
  – Import...
  – Edit/Delete
• Configuration > Integration > Switch port discovery
  – Add Device...
  – Import...
  – Edit/Delete
• Configuration > Account Management > RADIUS Settings > RADIUS Servers
• Configuration > Account Management > RADIUS Settings > Role mapping
• Configuration > Account Management > User accounts > Settings...
• Configuration > Appliance Security > Password Security
• Configuration > Behavior Analysis > Security tab > Security Profile button
• Configuration > Appliance Security > Security Compliance
• Configuration > General Settings > Edit /etc/hosts...
• Configuration > Flow Forwarding (Cascade Gateway only)
• Configuration > Profilers (Cascade Sensor and Gateway only)
• Configuration > Licenses
• Configuration > General Settings > Edit DNS settings
• Configuration > General Settings > Edit NTP settings
• Configuration > General Settings > Edit SNMP settings
• Configuration > General Settings > Edit VoIP metric collection setting (Express 460 only)
Notification Change
This subtype reports changes on or related to the following UI pages:
• Behavior Analysis > Notifications
• Behavior Analysis > Notifications > Recipients
Policy Change
This subtype reports changes on or related to the following UI pages:
• Services > Manage Services > Settings... button
• Services > Manage Services > Actions > Tune
• Behavior Analysis > Policies > Services > Actions > Tune and “Tune” from the right-click menu
• Behavior Analysis > Policies > Performance & Availability > New...
• Behavior Analysis > Policies > Performance & Availability > Actions > Tune
• Behavior Analysis > Policies > Security & Health tab
• Behavior Analysis > Policies > Security & Health tab > Threshold table
• Behavior Analysis > Policies > User-defined tab
• Event detail report > Snooze
• Services – The following service operations are audited:
  – Committing a service into production for the first time - event of type “Created”
  – Committing a service into production - event of type “Modified”
  – Deleted service - event of type “Deleted” (whether or not the service was in use)
When the service location group type is changed on the General Settings page or the Host Grouping page, a
Service type configuration change is logged with old name and new name.
Group Change
This subtype reports changes on or related to the following UI pages:
• Definitions > Port Groups
• Definitions > Host Groups
• Definitions > Applications > Application mappings
• Definitions > Applications > Application fingerprints
• Definitions > Interface Groups
• Definitions > Port names
• Definitions > QoS
• Configuration > Integration > External links
Time Change
This subtype reports that a user changed the Set System Time settings or NTP settings on the Configuration > General
Settings page Time Configuration section.
Topology Change
This subtype reports changes on or related to the following UI pages:
• System > Devices/Interfaces – Label, In User Speed, Out User Speed
• System > Devices/Interfaces > Interfaces tab
  – Edit multiple interfaces
  – Import interfaces info
• Any page: right-click Interface and choose View/Edit...
Notification activities
The Notification activity type includes the following subtypes:
Traps Sent
Reports what SNMP notifications the appliance sent to other systems and whether they succeeded or failed.
Email Sent
Reports what email the appliance sent to other systems or users and whether each succeeded or failed.
User activities
The User activity type includes the following subtypes:
Login
Reports login attempts, name, role, time, success or failure; and authentication (appliance database or RADIUS).
Logout
• Reports account name, session length and time of logout.
• Reports when a user cancels a login by clicking Cancel to reject the requirements of a login banner.
Session Timeout
Reports the length of a session that has timed out because of inactivity.
Account Locked
Reports that an account has been locked because of three consecutive unsuccessful login attempts.
Account Unlocked
Reports that a user has successfully logged in after the account had been locked because of three consecutive
unsuccessful login attempts. This is the first successful login after a lockout period.
Secret Verification
Reports that a password change has been verified. This occurs when a:
• User account login name or password is created or updated.
• User changes a password because it was required on the first or next login.
• Shell account password is changed on the Appliance Security > Security Compliance page.
Note: Any verification that occurs on the client side (such as too few characters in a password field) does not trigger an auditing
event.
Re-authentication
Reports that a user has been re-authenticated because they:
• Shut down the system on the System > Shutdown/Reboot page.
• Changed their password because of a requirement to change it on the first or next login.
• Changed their password using the change password feature.
Authentication Check
• RADIUS server check – reports the results of a user clicking the Test button on the Configuration > Account
Management > RADIUS Settings > RADIUS Servers page.
• RADIUS user check – reports the results of a user clicking the Test User button on the Configuration > Account
Management > RADIUS Settings > Role Mapping page.
• Shell password change – reports an attempt to change the password of a shell account on the Configuration >
Appliance Security > Security Compliance page. Successful or unsuccessful.
Audit Access
Reports that a user generated a new audit report or viewed a saved audit report.
System activities
The System activity type includes the following subtypes:
Key Generation
When an encryption key is generated on the Configuration > Appliance Security > Encryption Key Management page,
the Audit report includes the:
• Name of the application (mnmp, ssh, apache, etc.).
• Algorithm used to generate key.
• Length of generated key (bits).
Key Destruction
When an encryption key is deleted on the Configuration > Appliance Security > Encryption Key Management page,
the Audit report includes the:
• Name of the application (mnmp, ssh, apache, etc.).
• Algorithm used to generate key.
• Length of generated key (bits).
Key Zeroization
When a key is deleted, the memory where it was stored is overwritten with zeros. The success or error of this operation
is reported.
Certificate Generation
When an encryption certificate is generated on the Configuration > Appliance Security > Encryption Key Management
page, the Audit report includes the:
• Name of the application (mnmp, ssh, apache, etc.)
• Type of certificate (local or peer)
• Certificate authority (always self-signed)
• Length of time the certificate is valid (days)
• Creator contact information
Certificate Destruction
When an encryption certificate is deleted on the Configuration > Appliance Security > Encryption Key Management
page, the Audit report includes the:
• Name of the application (mnmp, ssh, apache, etc.)
• Type of certificate (local or peer)
• Certificate authority (always self-signed)
• Length of time the certificate is valid (days)
• Creator contact information
Encryption and Decryption
When an encrypted connection is established or closed, the source, type of encryption, and any associated errors are
reported. Additionally, an activity is recorded when the internal use of a password (such as for SNMP or third party
applications) is cloaked or revealed.
Hash Operation
The type and result (success or failure) of hash operations are reported.
Replay
Reports that there was a packet error on an established connection. This could indicate a replay attack on the MNMP
connection with other Cascade appliances.
Test
When the appliance is booted, it performs self-tests. If the results of the tests are anything other than a pass or fail, they
are reported.
Update
Reports that a product update on the System > Update page has started.
Command Execution
Reports the user name, path, and Syslog message when a user or program executes an su, runuser, or sudo command
in a shell account.
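As an added example of how such command executions appear in syslog and how a collector might normalize them (not the appliance's own audit code), the Python below parses constructed sudo, su and runuser lines in the standard sudo and pam_unix syslog formats and picks out those that ran as root. The sample lines, the `profiler` hostname and the account names are constructed; the page does not show the appliance's actual message text.

```python
"""Normalize su / runuser / sudo syslog messages into audit events.

Added example, not the appliance's audit code. The sample lines below are
constructed in the usual sudo and pam_unix formats.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines (hostname, accounts and timestamps are made up).
SAMPLE_LINES = [
    "Feb 15 15:36:01 profiler sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; "
    "USER=root ; COMMAND=/bin/cat /var/log/messages",
    "Feb 15 15:37:12 profiler su: pam_unix(su:session): session opened for user root by admin(uid=500)",
    "Feb 15 15:40:00 profiler runuser: pam_unix(runuser:session): session opened for user postgres by (uid=0)",
    "Feb 15 15:41:30 profiler sshd[2211]: Accepted publickey for admin from 10.1.2.3 port 51022 ssh2",
]

# "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sudo:  "<actor> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<path and args>"
SUDO = re.compile(r"^\s*(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# su / runuser via pam_unix: "session opened for user <target> by <actor>(uid=N)";
# a non-interactive runuser logs an empty actor name and only the uid.
SESSION = re.compile(r"session opened for user (?P<target>\S+) by (?P<actor>\S*)\(uid=(?P<uid>\d+)\)")


@dataclass
class SwitchUserEvent:
    timestamp: str
    program: str            # su, runuser or sudo
    actor: str              # account (or "uid=N" when only that is logged) that ran it
    target: str             # account the command or session ran as
    command: Optional[str]  # command path and arguments for sudo; None for su/runuser
    message: str            # the original syslog message, as the audit trail records it


def parse_line(line: str) -> Optional[SwitchUserEvent]:
    """Return an event for su/runuser/sudo lines, None for anything else."""
    m = SYSLOG.match(line)
    if not m:
        return None
    prog, msg = m["prog"], m["msg"]
    if prog == "sudo":
        s = SUDO.match(msg)
        if s:
            return SwitchUserEvent(m["ts"], prog, s["actor"], s["target"], s["cmd"], msg)
    elif prog in ("su", "runuser"):
        s = SESSION.search(msg)
        if s:
            actor = s["actor"] or f"uid={s['uid']}"
            return SwitchUserEvent(m["ts"], prog, actor, s["target"], None, msg)
    return None


def parse_lines(lines) -> List[SwitchUserEvent]:
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def root_escalations(events) -> List[SwitchUserEvent]:
    """Events whose target account is root: the ones worth reviewing first."""
    return [e for e in events if e.target == "root"]


if __name__ == "__main__":
    for event in root_escalations(parse_lines(SAMPLE_LINES)):
        print(event.timestamp, event.program, event.actor, "->", event.target, event.command or "")
```

The runuser line is the edge case worth keeping in mind: a program switching accounts non-interactively leaves no account name in the message, only a uid, so a collector that keys on the name alone would drop the event.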
Startup and Shutdown
Reports the account name and time that a user has shut down or rebooted the appliance on the System > Shutdown/
Reboot page.
Also reports on internal programs that stop or start services and power off or power on the appliance. For example, a
system reboot shows five events of this type:
• Reboot selected (as user account)
• Reboot initiated (as system account)
• Cascade services stopped (as system account)
• System bootup (as system account)
• Cascade services started (as system account)
Backup
Reports the time that a backup operation was started on the System > Backup page.
Licenses
Reports that a user has added, deleted or fetched a license key using the Configuration > Licenses page.
Certificate Expiration
Reports that an encryption certificate has expired or that a user has been notified that a certificate will soon expire.
This includes the:
• Name of the application (mnmp, ssh, apache, etc.) that uses the certificate
• Certificate Type (Peer, or Local)
• The number of days before expiration, if less than 15
Linux Audit
The appliance runs a modified and extended version of Scientific Linux and reports the following Linux events:
• Setting the System Clock – serial number, command and Syscall
• User login/logout – serial number, command and terminal
• Run level change – serial number, command and old and new value of SYSTEM_RUNLEVEL
NTP Time
Time changes and resynchronizations are recorded and reported.
Shutdown/Reboot
The System > Shutdown/Reboot page enables users with Administrator accounts to shut down or reboot the appliance.
1. Authorize the shutdown or reboot by entering the password of the Administrator account you are currently using.
2. Select the Reboot option if you want to restart the product without powering off the appliance.
3. Click Reboot or Shutdown, as applicable, to initiate the process.
Figure 6-10. System > Shutdown/Reboot page
Note: If you shut down the appliance, do not disconnect chassis power until the appliance has powered off.
Update
The System > Update page indicates the current version of the Cascade Profiler and Cascade Express software and
lists any new versions that are available for installation. You can install the update software from this page and specify
who is to receive an email notification of the installation.
If the appliance has been configured to automatically download update packages, then you can perform an update from
the System > Update page whenever you observe that an update package is available.
If you do not use automatic update downloading, then you must download the update package manually.
When the appliance detects that an update package has been downloaded and is ready to run, it displays the update
version on the System > Update page. If it does not detect any updates, then the page displays a message that no updates
are available.
Figure 6-11. System > Update page
You can use the System > Update page to:
• Install software update packages that have been downloaded to the Profiler or Express.
• Retrieve update packages from the Riverbed downloads web site.
• Load update packages from your local machine or from a remote server.
• Distribute automatically downloaded updates to Cascade appliances that are connected to this appliance.
• Check the current version, available updates, and the revision history.
Refer to the online help system for detailed instructions on managing updates.
Backup
The backup feature securely copies traffic and configuration information to a specified backup system. Express 460
Packet logs, capture jobs, and index files are not backed up.
The System > Backup page displays the current backup status of the appliance and controls what information is backed
up, where it is backed up to, and who is notified when a backup is completed.
Figure 6-12. System > Backup page
Backup Status
This section reports the date that the last backup operation was run and whether it completed successfully or failed. It
also reports if a backup operation is currently in progress.
Excluded file types
Most Profilers have a very large storage capacity. This depends on the expanded memory options (or optional SAN
devices, if applicable). A full backup of all information could require significant time and bandwidth. You can use the
Exclude option to limit the backup to:
• System setup and configuration information
• User settings that are accessible from the GUI
• Saved reports
• Analytic and security profiles
• Event details
Select the Exclude flow, rollup and identity logs option to exclude the following files from the backup:
• Traffic flow logs
• Rollup logs (This is the information that makes it possible to report on traffic volumes with selectable data
resolutions.)
• Identity logs (These are records of user logins, logouts and login attempts.)
Backup location
The backup machine and account must be fully specified in the format:
admin@backup-server.company.com:/backup/cascade
If the backup machine is not configured for SSH, the Profiler attempts to automatically set up SSH keys before
performing the backup. You will be prompted to enter login information.
The backup operation saves the current set of files plus one previous set in the backup location. That is, the third time
you perform the backup operation, it deletes the first set that was backed up. If you need to save more than two
versions, change the backup location.
Notification
Enter an email address for the person or system to be notified when the backup operation completes. Note that in order
for the Profiler to send email notifications, the Outgoing Mail Server (SMTP) Settings on the Configuration > General
Settings page must be specified.
Running the backup operation
When the backup location and notification information has been entered, click Run Backup to begin the backup
operation. The Backup Status section of the page will indicate that the backup is in progress. A notification of the
success or failure of the backup operation will be emailed when the operation completes. This date and status
information is also displayed in the Backup Status section of the page until the next backup operation is performed.
If the backup machine is not configured for SSH connections from the Profiler, a message is displayed to advise you
that this is a prerequisite for performing the backup operation.
Manual Backup and Restore
Backup and restore operations can be performed manually from the Profiler command line interface. For additional
information, refer to Appendix B, “Backup and Restore” or the online help system.
CHAPTER 7
Service Policies
This chapter describes Cascade Profiler and Cascade Express capabilities for monitoring the services provided by your
network. It includes the following sections:
• “Overview,” next
• “The Services Policies page” on page 116
Overview
Service policies are created when you configure services to monitor metrics, as described in Chapter 3, Monitoring
Services. A policy is automatically created for each metric that a service segment is configured to monitor. Higher-level
policies are created for all metric categories, front end locations, segments, and services.
Each service segment policy can monitor and alert on multiple service metrics. Each can be tuned individually, except
for the segment that includes the end user components, which has a policy for each end user location. These can all be
tuned individually.
The Profiler and Express provide analytics for monitoring each of the following service metrics:
• Active Connections
• Bandwidth
• New Connections
• Number of TCP Resets
• TCP Retransmission Bandwidth
• Average Application Throughput per Connection
• Average Connection Duration
• Response Time
Depending on the metric, the analytics can analyze the rate, volume and variability of the metric, and can detect spikes
or dips that exceed normal ranges. You can tune the amount of variability the analytic tolerates before it indicates that
the metric is outside of its normal range.
Policies can be set to generate alerts and notifications when the value of a metric exceeds the range that is normal for
the period being analyzed.
The Services Policies page
The Services Policies page provides tools for tuning service policies. It displays the status of all service policies and
provides controls for adjusting the tolerance to change for each metric a policy is monitoring. It can be accessed from
the Services > Service Policies or the Behavior Analysis > Policies menu choices.
The Service Policies page has two sections:
• Configured Policies
• Tune Policies
For efficient use of display space, opening one section closes the other section.
Figure 7-1. Services > Service Policies page Configured Policies section
Configured Policies section
The Configured Policies section displays a tree diagram of service policies that monitor at least one metric. For each
service policy listed, the diagram is expandable and collapsible, allowing you to show or hide:
• Policies for service segments within the service.
• Policies for end-user locations (applies to only segments that include an end user component).
• Policies for categories of metrics that are monitored for a segment.
• Policies for individual metrics within metric categories.
Each entry in the policy tree diagram includes the status of the policy, whether or not it is enabled, and a list of actions
that you can take on the policy, such as disabling it, tuning it and running a report on it.
Status column
Each policy indicates the status of the best of any subordinate policies. For example, if a segment policy includes
several metrics policies, and one of the metric policies is in the Ready (monitoring) condition, then that is the status
that is shown for the segment policy.
The status of each policy is one of the following:
• Ready (monitoring) – The policy is in effect. Baselines are being updated, reports can be run, and the policy can
detect events and send alerts and notifications.
• Ready (baselining) – The policy is ready, the baselines are being updated, and reports can be run. However, the
policy has not been set to detect spikes or dips in metric values, so no events will be detected and no alerts or
notifications will be sent.
• Initializing Baseline – The analytics used by the policy are still collecting data and creating a model of normal
network behavior. The policy is not ready for use yet.
• Queued – The appliance has queued the request to create a policy, but other tasks must be completed first.
• Analytics License Expired – The policy uses one or more analytics for which no current license can be found.
• Unknown – This message is very unlikely to occur. It indicates that there is a problem that requires help from
Riverbed Support.
• Disabled – The policy has been disabled. The baseline is no longer being updated and no alerts or notifications
will be sent.
Enabled column
The Enabled column indicates Yes, No, or Mixed.
• Yes – the policy is enabled. This means that when the status of the policy is Ready (monitoring) or Ready
(baselining), you can run a Service Level Objective Report, Service Incident Report, or Service Performance
Report. For metric policies (the lowest-level or base policies), it also means that the policy can generate alerts and
notifications if the value of the metric is outside the normal baseline behavior by more than a specified tolerance.
• No – the policy is disabled. This means that the baselines for the metrics being monitored are not updated and
reports are not available. For metric policies, it also means that no alerts or notifications are generated. Note that
a metric policy continues to count toward your license limit when it is disabled.
• Mixed – the policy includes subordinate policies (e.g., a metric policy is subordinate to a metric category policy,
which is subordinate to a segment policy). One or more subordinate policies is enabled and one or more is
disabled.
Actions column
The actions column of each entry in the policy tree diagram provides a drop-down list of actions you can perform on
the policy. The status of a policy determines which actions are available for the policy. The actions include:
• Enable – enables this policy and all subordinate policies. This is available for policies that have the Enabled status
of No or Mixed. A message box tells you how many metric policies (the lowest level of the tree hierarchy) will
be enabled if you enable this policy.
• Disable – disables this policy and all subordinate policies. This is available for policies that have the Enabled
status of Yes or Mixed. A message box tells you how many metric policies (the lowest level of the tree hierarchy)
will be disabled if you disable this policy.
• Tune – opens the Tune <service> Policies section of the page, in which you can modify the operation of the
analytics for each metric that the policy monitors. This option is not available for the service policy, which is the
highest level policy, or for the policy of the segment that includes the end users component. Additionally, this
option is available to only Administrator or Operator accounts. Monitor accounts can view the policy settings, but
not tune them.
• View SLO Report – opens a page on which you can run the Service Level Objective report for this policy. This
option is not available for the service policy, which is the highest level policy, or for the policy of the segment that
includes the end users component.
• View Incident Report – opens a page on which you can run the Service Incident Report for this policy.
• View Performance Report – opens a page on which you can run the Service Performance Report for this policy.
The Actions choices are inactive while a policy is being tuned. Exit the policy tuning section by clicking OK or Cancel
to reactivate the Actions choices.
Tune Policies section
The Tune <service> Policies section of the page opens when you choose Tune from the Actions list for a policy. If
you click Tune for the lowest level of the service hierarchy, which contains only service metric policies, then this
section displays controls for tuning individual policies. If you click Tune for a level of the service hierarchy that could
use the same analytic more than once for various elements of the service that it includes, then this section displays
controls for simultaneously tuning multiple policies (bulk tuning).
Tuning an individual service policy
Use the Tune Policy page to edit the tolerance, noise floor and alerting characteristics of individual policies.
Figure 7-2. Service Policies page Tune Policy section
Setting tolerance
The variability tolerance is specified in sigmas (standard deviations) set by the sliders. If the value of the metric differs
from the computed typical value by an amount that exceeds the setting of the lower slider, it triggers a low-level alert.
If it exceeds the setting of the upper pointer, it triggers a high-level alert.
Before making any tolerance adjustments, examine the graph for the metric to see how the policy has been performing
for the past week. In particular, consider how often and by how much the plot of actual traffic went beyond the
tolerance range with the current tolerance settings.
Note that multiple excursions outside the tolerance range (“outliers”) might be determined to be part of the same event.
Because of the number of factors analyzed in determining if a policy violation event has occurred, the number of
outliers does not directly indicate how many events will be detected. However, looking at how many outliers would
result from a particular tolerance setting can give you a good sense of whether that setting will produce many events
or few events. In this way the graph can help you tune the tolerance settings to the characteristics that are typical for
your network.
If there are no outliers, or if there are too many, adjust the tolerance sliders for the metric until more or fewer points
on the plot line of actual data lie outside the green tolerance range. The graph will show you how the policy would
have performed over the past week with different tolerance settings.
Decreasing the number of sigmas of tolerance reduces the width of the tolerance range and thereby results in more
outliers. Having more outliers generally means having more policy violation events detected.
Noise floor
If the value of the metric is very regular, then the analytic adjusts to expect only a small range of changes from the
typical value. Therefore, a relatively small change could trigger an alert because it is more than the expected deviation
from typical behavior.
You can prevent this by specifying the minimum amount of change that is to be considered significant. This is the
Noise floor. Setting a lower limit on the amount of change that can be seen as a policy violation allows the tolerance
setting to accommodate both periods of high variability and periods of low variability over the course of the day or
week. Select Show advanced settings to show the Noise floor setting.
Alerting on spikes or dips
Each service policy can alert on a spike (an INCREASE in the value of a metric from what has been baselined) or a
dip (a DECREASE in the value of a metric from what has been baselined) or both. Select Show advanced settings to
enable the options to specify whether the metric policy triggers alerts on spikes, dips or both.
Alerting and Notification
Alerting and notification settings are specified in the service definition and apply to all policies in the service. They
are displayed on this page for reference and are read-only. Click the link to the service definition if it is necessary to
modify these settings.
Tuning service policies as a group
Use the Tune Policies page to edit the tolerance, noise floor and alerting characteristics of all policies at or below the
level of the item you selected. All changes can be undone until you click OK.
Setting tolerance
The tolerance of service policies to changes from baseline levels is specified in sigmas (standard deviations). There
are two methods for adjusting the tolerance settings: Explicit and Relative.
Both methods affect all existing policies at or beneath the level at which you are tuning. They do not affect the policies
of other services or of higher-level objects in this service. Also, they do not change the global default settings. New
policies added to this service continue to be given the default settings unless edited in the service definition.
Explicit tolerance settings - Tolerances can be set explicitly by sliding the Low or High pointer to the setting you
want to propagate to all policies in this part of the service that are using the metric. If different policies have different
settings, the pointer is positioned to the right side of the slider and labeled Set. Hover the mouse over the Set pointer
to see the range of tolerance values used by the policies for the metric and the global default setting for the metric.
Click Set to set the tolerance to the default value. Alternatively, click the slider at the number of sigmas of tolerance
you want to set for the policies. If you make changes and then decide to revert to the original settings, click Reset to
undo all your changes.
Figure 7-3. Service Policies page Tune Policies section - Explicit tolerance tuning
Relative tolerance settings - When you choose Relative in the Select Tolerance Tuning Method box, the displays
change to show boxes in which you can specify a number of sigmas for Low alerts and High alerts. The relative setting
applies the same amount of change to all policies, regardless of their current settings. For example, if you want to
reduce the number of High alerts by increasing the tolerance settings by 1.5 sigmas, you could use the arrows to
increase the High tolerance by 0.5 sigma at a time. Alternatively, you could enter 1.5. (The number you enter gets
rounded to the nearest one half sigma.) This enables you to increase the tolerance of all policies to 1.5 sigmas above
whatever they are set to now.
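The bulk-tuning semantics above (an explicit setting that shows Set when the policies disagree, a relative shift that is rounded to the nearest half sigma and applied on top of each policy's current value, and Reset to undo everything) as an added Python illustration. This is not Cascade code; the policy names, the global default tolerances and the assumed 0 to 10 sigma slider span are constructed assumptions.

```python
"""Group tuning of tolerance settings: explicit vs. relative, with Reset.

Added illustration, not Cascade code.  The policy names, the global defaults
and the slider span below are assumptions.
"""
import math
from copy import deepcopy
from typing import Dict

SLIDER_MIN, SLIDER_MAX = 0.0, 10.0       # assumed span of the tolerance slider
DEFAULTS = {"low": 2.0, "high": 3.0}     # assumed global default tolerances

# Constructed service policies below one tuning level: name -> sigma settings.
CONSTRUCTED_POLICIES = {
    "web/http/response_time": {"low": 2.0, "high": 3.0},
    "web/http/conn_rate":     {"low": 1.5, "high": 4.0},
    "web/http/active_conns":  {"low": 2.0, "high": 3.5},
}


def round_half_sigma(value: float) -> float:
    """Round to the nearest one-half sigma (a tie rounds up)."""
    return math.floor(value * 2 + 0.5) / 2


def clamp(value: float) -> float:
    """Keep a tolerance inside the slider's span."""
    return max(SLIDER_MIN, min(SLIDER_MAX, value))


class TuneSession:
    """Edits every policy at or below one service level; Reset undoes all."""

    def __init__(self, policies: Dict[str, Dict[str, float]]):
        self._original = deepcopy(policies)   # snapshot kept for Reset
        self.policies = deepcopy(policies)

    def slider_state(self, key: str) -> dict:
        """What the slider shows: the shared value, or Set plus the range."""
        values = {p[key] for p in self.policies.values()}
        label = "Set" if len(values) > 1 else str(next(iter(values)))
        return {"label": label, "range": (min(values), max(values)),
                "default": DEFAULTS[key]}

    def set_explicit(self, key: str, value: float = None) -> None:
        """Slide to `value`; clicking Set (value=None) applies the default."""
        target = clamp(DEFAULTS[key] if value is None else value)
        for p in self.policies.values():
            p[key] = target

    def adjust_relative(self, key: str, delta: float) -> float:
        """Shift every policy by the same amount; returns the rounded step."""
        step = round_half_sigma(delta)
        for p in self.policies.values():
            p[key] = clamp(p[key] + step)
        return step

    def reset(self) -> None:
        """Discard all edits made in this session."""
        self.policies = deepcopy(self._original)


if __name__ == "__main__":
    session = TuneSession(CONSTRUCTED_POLICIES)
    print("before:", session.slider_state("high"))
    session.adjust_relative("high", 1.4)      # rounds to +1.5 sigma
    print("after relative +1.5:", session.policies)
    session.reset()
    print("after reset:", session.policies == CONSTRUCTED_POLICIES)
```

Note that the relative step is rounded before it is applied, so entering 1.4 raises every High tolerance by exactly 1.5 sigma, whatever each policy was set to before.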
Noise floor
If the value of the metric is very regular, then the analytic adjusts to expect only a small range of changes from the
typical value. Therefore, a relatively small change could trigger an alert because it is more than the expected deviation
from typical behavior.
You can prevent this by specifying the minimum amount of change that is to be considered significant. This is the noise
floor. Setting a lower limit on the amount of change that can be seen as a policy violation allows the tolerance setting
to accommodate both periods of high variability and periods of low variability over the course of the day or week.
Select Show advanced settings to show the Noise floor setting.
If different policies have different settings, the Noise floor box says Mixed. Entering a value sets the noise floor of all
the policies to the value you enter. If you make changes and then decide to revert to the original settings, click Reset
to undo all your changes.
Figure 7-4. Service Policies page Tune Policies section - Relative tolerance
Alerting on spikes or dips
Each service policy can alert on a spike (an INCREASE in the value of a metric from what has been baselined) or a
dip (a DECREASE in the value of a metric from what has been baselined) or both. Select Show advanced settings to
enable the options to specify whether the metric policy triggers alerts on spikes, dips or both.
If different policies have different settings, the spikes or dips selection box indicates an indeterminate state instead of
a check mark. Selecting or deselecting a box selects or deselects the option for all policies. If you make changes and
then decide to revert to the original settings, click Reset to undo all your changes.
Alerting and Notification
Alerting and notification settings are specified in the service definition and apply to all policies in the service. They
are displayed on this page for reference and are read-only. Click the link to the service definition if it is necessary to
modify these settings.
CHAPTER 8
Performance and Availability Policies
This chapter describes Cascade Profiler and Cascade Express capabilities for monitoring the performance and
availability of your network. It includes the following sections:
• “Overview,” next
• “Types of policies” on page 123
• “Managing policies” on page 128
• “Creating new performance and availability policies” on page 132
• “Tuning a policy” on page 133
Overview
Performance and availability policies are defined on the Behavior Analysis > Policies page Performance and
Availability tab.
You can define many policies of several types, depending on your license. Each policy specifies a set of traffic to which
it applies, a set of metrics (bytes per second, number of clients per second, etc.) to be monitored, and a set of parameters
within which operation is considered to be acceptable.
Each policy includes a specification for the level of alert (High or Low) that is to be generated if a policy violation
occurs. It also specifies who is to be notified for each level of alert. The level of alert generated is based on the severity
of the event.
The appliance compares current traffic with mathematically derived models of what is expected traffic for the current
time of day and day of the week. Based on the differences, it detects the occurrence of network events that violate your
policy.
Types of policies
The appliance provides analytics for implementing the following types of performance and availability policies:
• Application Availability
• Application Performance
• Link Congestion
• Link Outage
Application Availability policies
Application Availability policies monitor:
• Number of clients per second that meet the criteria of the policy
• Average bytes per second of traffic that meet the criteria of the policy
A decrease in either value could indicate that the application is not as available for use as it normally is. The policy
can be set to alert operators to this change and to notify those responsible for the application.
You can limit a policy to specific applications, protocols, ports, Quality of Service classes, servers, and clients. These
can be entered manually or selected from lists using browse tools. You can also adjust the sensitivity of the policy to
changes in the metrics.
Figure 8-1. Behavior Analysis > Policies page Performance & Availability tab - new Application Availability policy
Application Performance policies
Application Performance policies monitor specified traffic for:
• Decreases in the number of new connections to the application servers
• Increases in the average response time experienced by users of applications
• Increases in the number of TCP resets
• Increases in the number of TCP retransmissions
• Increases in the number of Active Connections
• Increases or Decreases in Connection Duration
• Decreases in Average Connection Application-level Throughput
Unusual changes in any of these measurements could indicate that the application is not performing normally.
You can limit a policy to specific applications, protocols, ports, Quality of Service classes, servers, and clients. These
can be entered manually or selected from lists using browse tools. You can also adjust the sensitivity of the policy to
changes in the metrics.
Link Congestion policies
Link congestion policies monitor traffic on a specified interface for:
• Abnormal increases in inbound or outbound bandwidth consumption
• Increases in inbound or outbound traffic that exceed a specified interface utilization level
Each link congestion policy applies to one interface. The sensitivity to changes in bandwidth usage and the allowable
level of interface utilization are specified separately for inbound and outbound traffic.
You can limit a policy to specific applications, protocols, ports, Quality of Service classes, and hosts. These can be
entered manually or selected from lists using browse tools.
Figure 8-2. Behavior Analysis > Policies page Performance & Availability tab, new Application Performance policy
Figure 8-3. Behavior Analysis > Policies page Performance & Availability tab, new Link Congestion policy
Link Outage policies
Link outage policies monitor traffic on a specified interface for:
• Abnormal decreases in inbound or outbound bandwidth consumption
• Decreases in inbound or outbound traffic that drop below a specified interface utilization level
Each link outage policy applies to one interface. The sensitivity to changes in bandwidth usage and the minimum level
of interface utilization are specified separately for inbound and outbound traffic.
You can limit a policy to specific applications, protocols, ports, Quality of Service classes, and hosts. These can be
entered manually or selected from lists using browse tools.
Figure 8-4. Behavior Analysis > Policies page Performance & Availability tab, new Link Outage policy
Managing policies
Performance and availability policies are created and managed on the Behavior Analysis > Policies page Performance
and Availability tab. The tab has a Configured Policies section, which is always visible, and a section for creating,
editing, and viewing policy definitions, which is visible only while you are performing one of those operations.
Figure 8-5. Behavior Analysis > Policies page - Configured Policies section
Managing configured policies
The Configured Policies section of the page lists the name, status, and actions available for each policy. You can sort
the list by the type of analytic the policy uses, by the policy name, or by the policy status. Controls and indicators in
the Configured Policies section include:
New button
To create a new policy, click New and choose the type of policy you want to create. This opens a Create New section
in which you can specify what the policy applies to, the settings for the metrics to be monitored, and who is to be
notified of alerts.
Status column
Each policy indicates the status of the best of any subordinate policies. For example, if a segment policy includes
several metrics policies, and one of the metric policies is in the Ready (monitoring) condition, then that is the status
that is shown for the segment policy.
The status of each policy is one of the following:
• Ready (monitoring) – The policy is in effect. Baselines are being updated, reports can be run, and the policy can
detect events and send alerts and notifications.
• Ready (baselining) – The policy is ready, the baselines are being updated, and reports can be run. However, the
policy has not been set to detect spikes or dips in metric values, so no events will be detected and no alerts or
notifications will be sent.
• Initializing Baseline – The analytics used by the policy are still collecting data and creating a model of normal
network behavior. The policy is not ready for use yet.
• Queued – The appliance has queued the request to create a policy, but other tasks must be completed first.
• Analytics License Expired – The policy uses one or more analytics for which no current license can be found.
• Unknown – This message is very unlikely to occur. It indicates that there is a problem that requires help from
Riverbed Support.
• Disabled – The policy has been disabled. The baseline is no longer being updated and no alerts or notifications
will be sent.
Enabled column
The Enabled column indicates Yes or No.
• Yes – The policy is enabled. When the status of the policy is Ready (monitoring) or Ready (baselining), you can
run a Service Level Objective Report. Also, the policy can generate alerts and notifications if the value of the
metric is outside the normal baseline behavior by more than a specified tolerance.
• No – The policy is disabled. The baselines for the metrics being monitored are not updated and reports are not
available. No alerts or notifications are generated. Note that a monitored metric continues to count toward your
license limit when it is disabled.
Actions column
The actions column of each entry in the policy tree diagram provides a drop-down list of actions you can perform on
the policy. The status of a policy determines which actions are available for the policy. The actions include:
• Enable – Enables this policy and all subordinate policies. This is available for policies that have the Enabled
status of No or Mixed. A message box tells you how many metric policies (the lowest level of the tree hierarchy)
will be enabled if you enable this policy.
• Disable – Disables this policy and all subordinate policies. This is available for policies that have the Enabled
status of Yes or Mixed. A message box tells you how many metric policies (the lowest level of the tree hierarchy)
will be disabled if you disable this policy.
• Tune – Opens the Edit Service Policy section of the page, in which you can modify the operation of the analytics
for each metric that the policy monitors. This option is not available for the service policy, which is the highest
level policy, or for the policy of the segment that includes the end users component. Additionally, this option is
available only to Administrator or Operator accounts. Monitor accounts can view the policy settings, but not tune
them.
• View SLO Report – Opens a page on which you can run the Service Level Objective report for this policy.
Creating or Editing Performance and Availability policies
The Create section of the page is displayed when you click New in the title bar of the Configured Policies section of
the page. It displays editable fields for identifying the policy and which elements of the network it is to monitor.
The Edit section of the page opens when you choose Tune from the Actions list for a policy. It identifies the policy
and displays the analytic settings for the metrics being monitored.
In both the Create mode and the Edit mode, this section has two subsections:
• Metrics Being Monitored
• Alerting and Notification
Figure 8-6. Behavior Analysis > Policies page - Create New Policy section
Metrics Being Monitored
This section displays the settings of the analytics for each metric that the policy monitors. You can expand and collapse
metric sections to optimize screen space.
The controls and indicators in this section are as follows:
Show advanced settings – Displays or hides the settings options. Depending on the type of policy, the options may
include:
• Detect spikes
• Detect dips
• Noise floor
• Detect when interface utilization exceeds a specified percentage
In order for the policy to generate alerts and notifications for a metric, one or more of the following options must be
enabled:
• Detect spikes
• Detect dips
• Detect when interface utilization exceeds a specified percentage
This places the policy in the Ready (monitoring) state.
If none of these are selected for a particular metric, then the analytic for that metric continues to update the baseline
of typical behavior, but does not detect or alert on any changes in behavior. The policy remains in the Ready
(baselining) state.
Status – The status of the policy for the individual metric, as described for the Status column above.
Detect spikes – Enables the analytic to detect increases in the value of the metric that exceed the normal or low alert
tolerance ranges.
Detect dips – Enables the analytic to detect decreases in the value of the metric that exceed the normal or low alert
tolerance ranges.
Tolerance – Determines how much variability in the value of the metric is necessary to exceed the normal range and
low alert range of behavior. The upper slider determines the amount of variability tolerated for the normal range, which
is represented in green. The lower slider determines the amount of variability tolerated for the low alert range, which
is represented in yellow. The variability tolerance is specified in sigmas (standard deviations). If the value of the metric
differs from the computed typical value by an amount that exceeds the normal range, a low alert is generated. If it
differs enough to also exceed the low alert range, then a high alert is generated.
Noise floor – Specifies the minimum amount of change that the policy can treat as a deviation from normal behavior.
This may be necessary to avoid having too small a change produce an alert.
Graph – The river graph depicts the computed typical value of the metric as a gray line. The normal range of
variability from the typical value is indicated by the green area. This area is increased or decreased by adjusting the
upper Tolerance slider. The low alert range of variability from the typical value is indicated by the yellow area. This
area is increased or decreased by adjusting the lower Tolerance slider.
Alerting and Notifications section
The Alerting and Notification section indicates who is to be notified of low and high alert conditions. Recipients are
specified on the Behavior Analysis > Notifications page Recipients tab.
Figure 8-7. Behavior Analysis > Policies page - Alerting and Notification section
Creating new performance and availability policies
To create a new performance or availability policy,
1. Navigate to the Behavior Analysis > Policies page Performance & Availability tab.
2. Click New and choose the type of policy you want to create. This opens the Create New Policy section of the page.
3. Enter a Policy Name to be displayed in the Configured Policies list.
4. Ensure that Enabled is selected if you want the policy to be operational as soon as it has enough data to be
initialized.
5. If the policy includes a field for limiting it to an interface (Link policies only), enter the interface. Use the Browse
feature to select the interface. Alternatively, you can enter the interface manually. Refer to the online help system
for syntax examples.
6. Specify the Applications that the policy applies to. Use the Browse feature to select the applications. Alternatively,
you can enter the applications manually.
7. If you want to limit the policy to particular protocols or ports, specify them in the Protocols or ports field. Use
the Browse feature to select the protocols or ports. Alternatively, you can enter them manually.
8. If you want to limit the policy to traffic flows that are tagged for particular quality of service (QoS) classes, specify
the classes in the Quality of Service field. Use the Browse feature to select the classes. Alternatively, you can enter
them manually.
9. If the policy includes fields for limiting it to servers, server groups, clients, or client groups (Application policies
only), specify them in the Servers field or Clients field. You can use the Browse feature to select what you want
to limit the policy to.
10. If the policy includes fields for limiting it to hosts or host groups (Link policies only), specify them in the Hosts
field. You can use the Browse feature to select what you want to limit the policy to.
11. In the Metrics being monitored section, you can accept the default settings or modify them. The default settings
have been found to be generally useful. If you have a good understanding of the behavior of your network, you
might want to tune them to your network.
12. In the Alerting and Notification section, select the levels of alerts that the policy should generate and specify who
is to be notified of low and high alert conditions. Recipients are specified on the Behavior Analysis > Notifications
page Recipients tab.
13. Click OK to create the policy.
14. On the Behavior Analysis > Policies page Performance & Availability tab, observe that the policy is listed in the
Configured Policies list. The Status column shows the policy as Queued or Initializing Baseline until it has
collected enough data to begin operating, at which time the status is listed as Ready.
Tuning a policy
The general procedure for tuning an Availability or Performance policy is as follows:
1. On the Behavior Analysis > Policies page, go to the Performance & Availability tab and select the policy that you
want to tune. Ensure that the policy is Ready and enabled.
2. Choose Tune from the Actions list for the selected policy to open the editing section of the page.
3. Before making any adjustments, examine the preview graph for each metric to see how the policy has been
performing for the past week. In particular, consider how often and by how much the plot of actual traffic went
beyond the tolerance range with the current tolerance settings.
Note that multiple excursions outside the tolerance range (“outliers”) may be determined to be part of the same
event. Because of the number of factors analyzed in determining if a policy violation event has occurred, the
number of outliers does not directly indicate how many events will be detected. However, looking at how many
outliers would result from a particular tolerance setting can give you a good sense of whether that setting will
produce many events or few events. In this way the graph can help you tune the tolerance settings to the
characteristics that are typical for your network.
4. If there are no outliers, or if there are too many, adjust the tolerance slider for the metric until more or fewer points
on the plot line of actual data lie outside the tolerance range. The graph will show you how the policy would have
performed over the past week with different tolerance settings. Decreasing the tolerance reduces the width of the
tolerance range and thereby results in more outliers. Having more outliers generally means having more policy
violation events detected.
5. If desirable, specify the Noise floor value as necessary to avoid having too small a change produce an alert.
6. When you are satisfied with the new tolerance settings, click OK in the editing section. The editing section
becomes a viewing section, in which you can check the results of your editing.
If you want to check the actual performance of the policy for a period of longer than a week, run a Service Level
Objective Report for the time frame of interest.
If you want to change what the policy is monitoring, select the Show advanced settings option in the Metrics being
monitored section of the page.
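The tolerance, noise floor and spike/dip mechanics that this procedure and the Tune Policy section of Chapter 7 describe, as an added Python illustration; this is not Cascade code. It assumes a baseline model of one typical value and one sigma per hour of the week, built here from four constructed past weeks; a constructed current week with four deliberate excursions is then classified, and run_policy returns the outliers that different slider settings would have produced over that week. The baseline model, the traffic figures and the function names are all assumptions.

```python
"""Sigma-based policy check with noise floor and spike/dip selection.

Added illustration, not Cascade code.  The baseline model (typical value and
standard deviation per hour of the week, from four past weeks) and all traffic
figures below are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Tuple

SLOTS_PER_WEEK = 7 * 24            # one baseline slot per hour of the week


@dataclass
class PolicySettings:
    low_sigmas: float = 2.0        # lower slider: beyond this, a low-level alert
    high_sigmas: float = 3.0       # upper slider: beyond this, a high-level alert
    noise_floor: float = 0.0       # smallest absolute change treated as significant
    detect_spikes: bool = True     # alert on increases over the typical value
    detect_dips: bool = True       # alert on decreases under the typical value


def build_baseline(history: List[List[float]]) -> List[Tuple[float, float]]:
    """Typical value and sigma for each hour-of-week slot from past weeks."""
    baseline = []
    for slot in range(SLOTS_PER_WEEK):
        samples = [week[slot] for week in history]
        baseline.append((mean(samples), pstdev(samples)))
    return baseline


def classify(actual: float, typical: float, sigma: float,
             s: PolicySettings) -> Optional[str]:
    """Return None, "low" or "high" for one sample against its baseline slot."""
    delta = actual - typical
    if delta > 0 and not s.detect_spikes:
        return None
    if delta < 0 and not s.detect_dips:
        return None
    if abs(delta) < s.noise_floor:       # change too small to count at all
        return None
    if sigma == 0:                       # perfectly regular history
        z = float("inf") if delta else 0.0
    else:
        z = abs(delta) / sigma
    if z > s.high_sigmas:
        return "high"
    if z > s.low_sigmas:
        return "low"
    return None


def evaluate_week(week: List[float], baseline: List[Tuple[float, float]],
                  s: PolicySettings) -> List[Tuple[int, str]]:
    """Outliers over a week as (slot, level); more outliers mean more events."""
    outliers = []
    for slot, (actual, (typical, sigma)) in enumerate(zip(week, baseline)):
        level = classify(actual, typical, sigma, s)
        if level is not None:
            outliers.append((slot, level))
    return outliers


# --- constructed sample data (bytes/s), not measurements from any network ---
def typical_rate(slot: int) -> float:
    day, hour = divmod(slot, 24)         # day 0 = Monday
    business = day < 5 and 8 <= hour < 18
    return 1000.0 if business else 200.0


def constructed_history() -> List[List[float]]:
    # Four past weeks, each a fixed 5 % above or below the pattern, so sigma is
    # 5 % of the typical value: 50 during business hours, only 10 at night.
    return [[typical_rate(s) * (1 + f) for s in range(SLOTS_PER_WEEK)]
            for f in (-0.05, -0.05, 0.05, 0.05)]


INJECTED = {3: 40.0, 34: 600.0, 62: -400.0, 81: 150.0}   # slot -> change


def constructed_current_week() -> List[float]:
    # A 2 % wobble everywhere plus four deliberate excursions.
    week = [typical_rate(s) * (1 + 0.02 * (-1) ** s) for s in range(SLOTS_PER_WEEK)]
    for slot, delta in INJECTED.items():
        week[slot] += delta
    return week


def run_policy(s: PolicySettings) -> List[Tuple[int, str]]:
    """Outliers the constructed week would show under the given settings."""
    return evaluate_week(constructed_current_week(),
                         build_baseline(constructed_history()), s)


if __name__ == "__main__":
    for settings in (PolicySettings(),
                     PolicySettings(noise_floor=150.0),
                     PolicySettings(low_sigmas=0.3, high_sigmas=3.0)):
        print(settings, "->", len(run_policy(settings)), "outliers")
```

With the default sliders the quiet night-time slot (slot 3) raises a high alert from a change of only 40 bytes/s, because its sigma is 10; setting a noise floor of 150 suppresses that and the 150 bytes/s daytime bump while keeping the two large excursions, which is the trade-off the Noise floor setting exists for. Narrowing the lower slider to 0.3 sigma turns every slot of the week into an outlier.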
CHAPTER 9
User-defined Policies
This chapter describes Cascade Profiler and Cascade Express capabilities for monitoring violations of network usage
policies. It includes the following sections:
• “Overview,” next
• “Pre-defined policies” on page 136
• “Defining policies” on page 137
• “Setting alerting thresholds” on page 137
Overview
User-defined policies can be created for monitoring and alerting on changes in metrics for hosts, interfaces, and
response times. The appliance provides several pre-defined policies that have been found to be useful as starting points
and examples. You can modify these and create additional policies to monitor for the occurrence or absence of activity
of interest.
User-defined policies differ from performance and availability policies or security policies in that they compare traffic
to absolute values that you specify, whereas the other policies compare current traffic to profiles of typical traffic or to
combinations of profiles and user-defined settings. Additionally, the severity of a user-defined policy event remains as
you assigned it; it is not adjusted upward or downward in response to traffic conditions.
If any measurement of network behavior meets the event detection conditions of the policy, the appliance determines
that the event has occurred and assigns the event a severity number from 1 to 100.
The severities of events resulting from user-defined policies are compared to user-defined alerting thresholds to
determine if the events should generate alerts and send notifications. If the severity of the event exceeds the Low,
Medium, or High alerting threshold, then the appliance displays an alert message.
Common uses of user-defined policies include generating alerts when:
• Connections occur within specified time periods.
• Any connection using a specified port occurs (even if only one packet).
• Traffic volume of a specific type exceeds an upper or lower limit.
• Response time exceeds a specified limit.
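A small evaluator for the user-defined policy model described above, added here as an illustration and not Cascade code: each policy is an absolute condition on a flow record, the severity is whatever the policy assigns and is never adjusted, and Low/Medium/High alerting thresholds decide whether the event alerts, with a per-host-group threshold rule so that one group alerts at a different level. The four policies mirror the common uses listed above; the policy names, host-group prefixes, threshold values and flow records are constructed.

```python
"""User-defined policies: absolute conditions, fixed severity, alerting thresholds.

Added illustration, not Cascade code.  The policies, host-group prefixes,
threshold values and flow records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Optional


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    start: datetime
    bytes_per_sec: float
    response_ms: Optional[float] = None


@dataclass
class Policy:
    name: str
    severity: int                      # 1..100, stays as assigned
    matches: Callable[[Flow], bool]    # absolute condition, no baseline involved


@dataclass
class Event:
    policy: str
    flow: Flow
    severity: int
    alert: Optional[str]               # "High", "Medium", "Low" or None


# Constructed host groups keyed by address prefix.
HOST_GROUPS = {"10.1.": "Workstations", "10.2.": "Servers"}


def host_group(addr: str) -> str:
    for prefix, group in HOST_GROUPS.items():
        if addr.startswith(prefix):
            return group
    return "Other"


# Alerting thresholds: the severity must exceed the value to raise that level.
# A per-group rule lets one host group alert at a different level (constructed).
DEFAULT_THRESHOLDS = {"High": 80, "Medium": 50, "Low": 20}
GROUP_THRESHOLDS = {"Servers": {"High": 50, "Medium": 30, "Low": 10}}


def alert_level(severity: int, group: str) -> Optional[str]:
    thresholds = GROUP_THRESHOLDS.get(group, DEFAULT_THRESHOLDS)
    for level in ("High", "Medium", "Low"):
        if severity > thresholds[level]:
            return level
    return None


def after_hours(t: datetime) -> bool:
    return not time(6, 0) <= t.time() < time(22, 0)


POLICIES = [
    Policy("Telnet port activity", 90, lambda f: f.dst_port == 23),
    Policy("Workstation traffic after hours", 60,
           lambda f: host_group(f.src) == "Workstations" and after_hours(f.start)),
    Policy("Volume over 5 MB/s", 40, lambda f: f.bytes_per_sec > 5_000_000),
    Policy("Response time over 500 ms", 30,
           lambda f: f.response_ms is not None and f.response_ms > 500),
]


def evaluate(flows: List[Flow], policies: List[Policy] = POLICIES) -> List[Event]:
    """Every flow that meets a policy's condition becomes an event."""
    events = []
    for policy in policies:
        for flow in flows:
            if policy.matches(flow):
                events.append(Event(policy.name, flow, policy.severity,
                                    alert_level(policy.severity, host_group(flow.src))))
    return events


def constructed_flows() -> List[Flow]:
    d = lambda h, m=0: datetime(2013, 2, 4, h, m)      # constructed date
    return [
        Flow("10.1.0.5", "10.2.0.9", 23, d(14), 1_000.0),
        Flow("10.1.0.7", "203.0.113.8", 443, d(23, 30), 20_000.0),
        Flow("10.2.0.9", "198.51.100.2", 443, d(10), 8_000_000.0),
        Flow("10.1.0.5", "10.2.0.3", 443, d(11), 6_000_000.0),
        Flow("10.1.0.8", "10.2.0.3", 80, d(11, 5), 50_000.0, response_ms=800.0),
        Flow("10.1.0.9", "10.2.0.3", 80, d(11, 6), 40_000.0, response_ms=120.0),
    ]


def alert_summary() -> Dict[str, List[str]]:
    """Map each alert level to the policies that raised it, in evaluation order."""
    out: Dict[str, List[str]] = {"High": [], "Medium": [], "Low": []}
    for e in evaluate(constructed_flows()):
        if e.alert:
            out[e.alert].append(e.policy)
    return out


if __name__ == "__main__":
    for e in evaluate(constructed_flows()):
        print(f"{e.alert or 'no alert':8} sev={e.severity:3} {e.policy} ({e.flow.src})")
```

The same severity-40 volume event alerts at Low from a workstation but at Medium from a server, which is the effect of defining a separate alerting threshold rule for the Servers host group.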
A user-defined policy is defined on a worksheet page available from the Behavior Analysis > Policies page
User-defined tab. This page lists all user-defined policies. It provides links for creating a new policy and for viewing, editing,
deleting, copying, and enabling or disabling an existing policy.
Figure 9-1. Behavior Analysis > User-defined Policies page
Pre-defined policies
The appliance is shipped with the following user-defined policies included but not enabled:
• Firewall Tunneling Activity - detects tunneling activity that may pass through common firewall holes.
• P2P Application Activity - detects P2P applications.
• P2P Port Activity - detects suspicious activity involving TCP and UDP ports commonly used by P2P networks.
• Spambot Activity - detects spam activity from your email servers to the external network.
• Tunneled Application Activity - detects suspicious application tunneling.
You can examine the definition of each of these by going to the Behavior Analysis > Policies page User-defined tab
and clicking View in the entry for the rule of interest.
These pre-defined policies should not be enabled until host groups have been defined. (Refer to the Definitions
chapter.)
Defining policies
User-defined policies are defined on the Behavior Analysis > Policies page User-defined tab. The New button in the
User-defined Policies section displays a worksheet page on which you can limit the conditions for detecting an event
to very specific combinations of hosts, host groups, ports, protocols, applications, interfaces, interface groups, QoS
classes, and response times. You can also set the severity of the event that is detected and who is to be notified for each
level of alert the event triggers.
Click New in the User-defined Policies section, choose Host Policy, Interface Policy, or Response Time Policy, and
fill in the required fields.
• Host Policy - Choose this to define a policy about traffic between hosts or host groups. If the detection criteria
are met, the appliance assigns an event ID and saves a report listing the details of traffic over connections
between host or host groups.
• Interface Policy - Choose this to define a policy about traffic volume or utilization percent for devices, interfaces
or interface groups. If the detection criteria are met, the appliance assigns an event ID and saves a report listing
the details of traffic over the interface. The interface policy applies to any or all interfaces on devices that send
the appliance traffic information.
• Response Time Policy - Choose this to define a policy about overall response time, server delay, or network
response time. If the detection criteria are met, the appliance assigns an event ID and saves a report listing the
performance details.
Setting alerting thresholds
The level of alert that the event generates (High, Medium, Low) is determined by the:
• Severities you specify for the alert levels in the Threshold section of the New User-defined Policy page
• Alerting thresholds you have defined on the Behavior Analysis > Policies page User-defined tab.
Click New in the User-defined Policy Alerting Threshold section to open a page on which you can define a new
alerting rule.
Figure 9-2. Behavior Analysis > User-defined Policies > New User-defined Policy page
Figure 9-3. Behavior Analysis > User-defined Policies page Alerting Thresholds section
You can specify multiple rules so different hosts or host groups trigger different levels of alerts.
Figure 9-4. Behavior Analysis > User-defined Policies page Alerting Thresholds section
CHAPTER 10
Security Policies
This chapter describes Cascade Profiler and Cascade Express capabilities for monitoring violations of network security
policies. It includes the following sections:
• “Overview,” next
• “Security event detection” on page 142
• “Security profiles” on page 143
• “Tuning alerting” on page 145
• “Alerting thresholds” on page 145
• “Tools for managing alerts” on page 147
• “Notifications of security events” on page 147
Overview
When the optional security analytics module is installed and enabled, the appliance detects network security events by
comparing current network behavior to mathematically-derived profiles of behavior that is typical for the current time
of day and day of the week. The event detection analytics are controlled by a wide variety of traffic metrics settings.
These are pre-set to values that have proven to be most widely useful, and they do not normally require adjustments.
However, you can fine-tune them to your network.
A network event that violates a security policy is dynamically assigned a severity based on the set of metrics and
parameters used by the analytic that detected the event. The severity number (1 to 100) is checked against a user-definable set of alerting thresholds to determine if the appliance should generate an alert. Events that have a severity
that reaches or exceeds a High, Medium, or Low alerting threshold are logged and trigger alert indications and notifications.
The appliance includes the following policies for detecting and alerting on network security events:
• DoS/Bandwidth Surge - Significant increase of traffic that conforms to the characteristics of a Denial of Service attack.
• Host Scan - Hosts on the monitored network are being pinged.
• New Host - A host that has not been seen before has sent enough traffic to be regarded as having joined the network.
• New Server Port - The appliance has discovered that a host or an Automatic host group is providing or using a service over a new port.
• Port Scan - Ports of a host are being tested for running services or being in a “listening” or “accepting” state.
• Suspicious Connection - Communication between two hosts that have been on the monitored network for some period of time, but which do not normally communicate with one another (for example, a Maintenance department host connecting to a Finance department host).
• Worm - Increase in connections that typically results from the spread of a worm. The appliance traces these connections over time through the network to identify how the worm spreads from infected hosts to new hosts.
Security policies can be enabled, disabled, and tuned on the Behavior Analysis > Policies page Security tab. Also,
alerting thresholds for events detected by each of these policies are edited using this page.
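As an added illustration of the Host Scan and Port Scan policies (not Riverbed's analytic, whose detection criteria and tunables are not documented on this page), the following Python example runs a distinct-target heuristic over constructed flow records and assigns each detected event a severity from 1 to 100 of the kind that the alerting thresholds described later in this chapter consume. The flow records, the minimum target counts and the severity scaling are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record. For ICMP the dport field carries the ICMP type (8 = echo request)."""
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample flows, not captured data
SAMPLE_FLOWS = (
    # 10.1.1.50 sends echo requests to 13 distinct hosts: Host Scan
    [Flow("10.1.1.50", f"10.2.0.{i}", "icmp", 8) for i in range(1, 14)]
    # 10.1.1.77 probes 25 distinct TCP ports on one server: Port Scan
    + [Flow("10.1.1.77", "10.3.0.10", "tcp", p) for p in range(20, 45)]
    # ordinary client traffic to two web servers
    + [Flow("10.1.1.20", "10.3.0.10", "tcp", 443), Flow("10.1.1.20", "10.3.0.11", "tcp", 80)]
)

# Assumed detection parameters (hypothetical; not the appliance's Advanced settings)
HOST_SCAN_MIN_TARGETS = 8   # distinct hosts pinged by one source before it counts as a scan
PORT_SCAN_MIN_PORTS = 15    # distinct ports probed on one host by one source
FULL_SCALE_FACTOR = 2.0     # reaching 2x the minimum yields severity 100


def severity(count, minimum):
    """Map an observed count to severity 1..100: 1 at the minimum, 100 at FULL_SCALE_FACTOR x minimum, 0 below."""
    if count < minimum:
        return 0
    frac = (count - minimum) / (minimum * (FULL_SCALE_FACTOR - 1.0))
    return max(1, min(100, int(round(1 + 99 * frac))))


def detect_scans(flows):
    """Return Host Scan and Port Scan events found in an iterable of Flow records."""
    pinged = defaultdict(set)   # src -> hosts that received an echo request
    probed = defaultdict(set)   # (src, dst) -> TCP/UDP destination ports touched
    for f in flows:
        if f.proto == "icmp" and f.dport == 8:
            pinged[f.src].add(f.dst)
        elif f.proto in ("tcp", "udp"):
            probed[(f.src, f.dst)].add(f.dport)
    events = []
    for src, hosts in sorted(pinged.items()):
        sev = severity(len(hosts), HOST_SCAN_MIN_TARGETS)
        if sev:
            events.append({"type": "Host Scan", "src": src, "targets": len(hosts), "severity": sev})
    for (src, dst), ports in sorted(probed.items()):
        sev = severity(len(ports), PORT_SCAN_MIN_PORTS)
        if sev:
            events.append({"type": "Port Scan", "src": src, "dst": dst, "targets": len(ports), "severity": sev})
    return events


if __name__ == "__main__":
    for event in detect_scans(SAMPLE_FLOWS):
        print(event)
```

The severity scaling is what makes a threshold rule meaningful: a source that just crosses the minimum produces a low severity that a default Low threshold of 60 would not alert on, while a source probing twice the minimum saturates at 100.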
Figure 10-1. Behavior Analysis > Policies page Security tab
Security event detection
Security policy event detection can be enabled, disabled, and tuned using options on the Behavior Analysis > Policies
page Security tab as follows:
• Event detection for each policy can be enabled or disabled individually by selecting the policy and clicking the Enable control.
• Settings that affect all security policy and user-defined policy event detection are available by clicking the Global Policy Settings button.
Figure 10-2. Behavior Analysis > Policies > Security > Global Policy Settings
• Settings that control security and user-defined policy event detection are available (where applicable) by selecting the policy and clicking the Advanced settings control.
Figure 10-3. Behavior Analysis > Policies > Security > Advanced Settings
• Settings that control the profiles against which current network behavior is compared are set on the Security Profiles page. Click the Security Profiles button to open this page.
Security profiles
The security analytics compare current network behavior to typical network behavior. Typical network behavior is
represented by a security profile. A security profile is a mathematically-derived abstraction of the network behavior
that is typical for the time periods the profile represents. Recent statistics play a larger role in the profile than older
statistics, with each previous time period having a successively smaller impact on the profile. This allows the Profiler
or Express to automatically adjust to changes in network traffic patterns over time. It is responsive to new conditions,
yet retains a historical perspective of traffic patterns on the network.
The appliance collects traffic data from the monitored network and aggregates it into security profiles. A profile can
be created for “business hours” or “weekends” or any other time periods you want to specify.
The security profile is available to the security analytics after the appliance has collected sufficient data and a user-definable delay time has ended. The appliance compares new traffic to the corresponding profile to detect security
events. The definition of a security event can be tuned to accommodate a wide variety of considerations.
Types of security profiles
There are two types of security profiles:
• Recurring profiles
• Exception profiles
Recurring profiles are developed from traffic during times that occur every week, such as Monday from 8:00 AM to
4:59 PM. Exception profiles are developed from traffic collected during times that occur less frequently than a weekly
schedule, such as ends of quarters or holidays.
Both types of profiles can comprise multiple time period specifications. For example, a recurring profile named
“Business hours” might be specified to include traffic from 8:00 AM to 4:59 PM every weekday. An exception profile
called “Ends of Quarters” might be specified to include traffic on March 31, June 30, and so forth.
Recurring profiles are useful for tailoring your system to accommodate known peaks and lulls in weekly traffic.
Exception profiles allow you to treat holidays, quarterly events, or one-time promotional event surges differently from
normal traffic. Using multiple configurable profiles allows you to set security alerting thresholds more closely without
significantly increasing false positives.
Changing security profiles
You can create and reconfigure profile schemes on the Security Profiles page.
The appliance is shipped with default profiles for weekdays, weeknights, and weekends. The default weekdays profile,
for example, instructs the appliance to compare weekday traffic to its computed profile for weekday traffic. Operators
and Administrators can create other profile schemes. For example, you could define a recurring profile for days or
times of day when traffic is significantly different from other times, such as Monday mornings. You can also specify
exception profiles to be used on holidays or during anticipated surges.
Traffic data that is collected during an exception time period is used with the exception profile and not with the
recurring profile. Although exception profiles and recurring profiles can have overlapping time periods, only one set
of data is collected. Exception profile data collection takes precedence over recurring profile data collection.
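The paragraphs above describe a profile as a weighted summary in which each older period counts for successively less, and state that exception profiles take precedence over recurring ones for data collection. The following Python sketch is an added example of that idea, not the appliance's own algorithm: it picks the profile a sample belongs to (exception dates first), keeps an exponentially weighted mean and variance per profile, withholds a profile until an assumed minimum number of samples stands in for the "sufficient data plus delay" condition, and scores a new observation by how far it sits above the baseline. The profile scheme, the smoothing factor of 0.3 and the sample minimum are assumptions.

```python
from datetime import date, datetime, time

# Constructed profile scheme in the spirit of the shipped defaults (an assumption, not the actual configuration)
RECURRING = {   # name -> (weekdays with Monday = 0, start, end)
    "Business hours": ({0, 1, 2, 3, 4}, time(8, 0), time(16, 59, 59)),
    "Weekends":       ({5, 6}, time(0, 0), time(23, 59, 59)),
}
RECURRING_FALLBACK = "Weeknights"   # weekday samples outside Business hours
EXCEPTIONS = {  # name -> dates; exception data is collected separately and takes precedence
    "Ends of Quarters": {date(2013, 3, 31), date(2013, 6, 30), date(2013, 9, 30), date(2013, 12, 31)},
}
MIN_SAMPLES = 5      # assumed stand-in for "sufficient data" plus the user-definable delay
ALPHA = 0.3          # assumed smoothing factor: each older period counts (1 - ALPHA) times as much as the next


def select_profile(ts):
    """Name of the profile a sample taken at `ts` belongs to; exception profiles win over recurring ones."""
    for name, days in EXCEPTIONS.items():
        if ts.date() in days:
            return name
    for name, (weekdays, start, end) in RECURRING.items():
        if ts.weekday() in weekdays and start <= ts.time() <= end:
            return name
    return RECURRING_FALLBACK


class Profile:
    """Exponentially weighted mean and variance of one metric for one profile."""

    def __init__(self, name, alpha=ALPHA):
        self.name = name
        self.alpha = alpha
        self.mean = None
        self.var = 0.0
        self.samples = 0

    def update(self, value):
        if self.mean is None:
            self.mean = float(value)
        else:
            diff = value - self.mean
            incr = self.alpha * diff
            self.mean += incr
            self.var = (1.0 - self.alpha) * (self.var + diff * incr)
        self.samples += 1

    def ready(self):
        return self.samples >= MIN_SAMPLES

    def deviation(self, value):
        """How many baseline standard deviations `value` lies above the mean (0.0 if not above)."""
        sd = max(self.var ** 0.5, 1e-9)   # floor avoids division by zero on a flat baseline
        return max(0.0, (value - self.mean) / sd)


def score_and_learn(baselines, ts, value):
    """Score `value` against the profile for `ts` (None while that profile is not yet usable), then learn it."""
    name = select_profile(ts)
    prof = baselines.setdefault(name, Profile(name))
    dev = prof.deviation(value) if prof.ready() else None
    prof.update(value)
    return name, dev


if __name__ == "__main__":
    baselines = {}
    for hour in range(9, 16):                                   # a week-day, constructed counts
        print(score_and_learn(baselines, datetime(2013, 2, 5, hour), 100 + (hour % 3) * 5))
    print(score_and_learn(baselines, datetime(2013, 2, 6, 10), 300))   # scored against Business hours
    print(score_and_learn(baselines, datetime(2013, 6, 30, 10), 300))  # goes to the exception profile only
```

Note that a sample on an exception date never touches the Weekends profile, which is the precedence rule described above; forgetting it would let a quarter-end surge inflate the weekend baseline and hide the next real anomaly.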
Figure 10-4. Security Profiles page
The appliance provides tools for replacing recurring and exception profiles. These are accessed by clicking
Reconfigure Weekly Scheme or Reconfigure Exception Scheme respectively. Refer to the online help system for
descriptions of these tools.
Tuning alerting
For any given set of network conditions, the number of alerts that the appliance generates depends upon the:
• alerting thresholds for the event type
• criteria used for recognizing anomalous behavior as an event
• severity level assigned to that event
Adjusting the alerting thresholds is the basic and simple way to control the number of alerts generated. The lower you
set the alerting thresholds, the more alerts the appliance will generate. The higher the thresholds, the fewer the alerts.
However, there may be circumstances in which you want to consider modifying the event detection criteria and event
severity as well.
For security policies, detection criteria are predefined to be values that have been found to be generally useful. Some
analytics adjust the severity assigned to the event dynamically, based on a variety of parameters that represent current
conditions on the network.
You can tune the event detection analytics by selecting a policy on the Behavior Analysis > Policies page Security tab
and clicking Advanced settings. Only Administrators and Operators with a good understanding of the appliance
should modify the heuristic-based event detection functions.
Alerting thresholds
Thresholds can be set for individual hosts, address ranges of hosts, host groups, ports, and interfaces. You can tailor
the thresholds based on expected behavior.
You can also define multiple alerting rules for a policy so that the occurrence of an event in one group of addresses or
ports produces a higher level of alert than the same type of event in another group. For example, you may want a higher
level of alert for suspicious connections to your financial servers than for suspicious connections to your desktops.
There is a default alerting threshold rule for each policy that has adjustable severity levels. The default rule specifies
the severity levels that must be reached or exceeded to trigger Low, Medium and High alerts. However, you can restrict
particular alerting thresholds to specified source hosts or host groups, destination hosts or host groups, or both,
depending on the type of event.
Select a policy in the Configured Policies section to display the Alerting Threshold section for that policy. You can
add, modify, remove and reorder alerting threshold rules using links in this section. The page also links to pages for
advanced tuning of the security analytics that detect events and assign severity levels to events.
Specifying alerting thresholds
For each policy that has an alerting threshold, you can set Low, Medium, and High alerting thresholds for:
• Individual hosts
• CIDR blocks of hosts
• Host groups
Figure 10-5. Behavior Analysis > Policies > Security > Alerting Thresholds
Additionally, you can set alerting thresholds that are limited to hosts that use or provide services using specific
protocols or ports. Protocol- and port-based alerting thresholds are available for the following event types:
• Denial of Service/Bandwidth Surge
• Worm
• Host Scan
• Port Scan
• Suspicious Connection
For each policy that supports alerting thresholds, you can set different alerting thresholds for different hosts or host
groups. For example, assume that you set the default alerting threshold for an event type to trigger a low level alert
when the severity of an event of that type reaches or exceeds 60. Then you add a rule specifying that, if any traffic
involved in an event of that type is in the range of 10.0.0.0/16, the appliance should send a Low level alert when the
event severity reaches 40.
The result of this will be that an event with the severity of, for example, 50 will trigger a Low level alert only if traffic
in the range of 10.0.0.0/16 is involved. If all traffic involved in the event is outside this range, the appliance will not
send an alert until the event severity is 60.
Requirements for matching an alerting rule
The following conditions are necessary for an event severity to match an alerting rule:
• If the alerting rule specifies source hosts, then all source hosts in the event must be within the source host specification of the alerting rule.
• If the alerting rule specifies destination hosts, then all destination hosts in the event must be within the destination host specification of the alerting rule.
• If the alerting rule specifies protocols or ports, then all protocols or ports in the event must be within the specification of the alerting rule.
If sources, destinations, protocols or ports are not applicable for the type of event for which the alerting rule is
specified, they are treated as “Any.”
Precedence of alerting threshold rules
When you create multiple alerting threshold rules for a policy, each rule appears in the Alerting Thresholds list on the
page. The appliance checks the severity of events of that event type against each rule in the list in the order in which
the rules appear in the list. When it finds a rule that meets the criteria for an alert, it uses that rule and ignores all
subsequent rules in the list.
You can change the location of a rule in the list by selecting it, then using the up arrow or down arrow at the right of
the list to move the rule up or down in the list. Moving a rule up gives it precedence over the rules that follow it in the
list. An exception to this is the default rule of Any, which always appears last in the list. If none of the other rules in
the list apply, then the appliance uses the default specification.
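The matching requirements and precedence rules above, together with the 10.0.0.0/16 example earlier in this section, can be written out as a small evaluator. The following Python code is an added example, not the appliance's implementation; it reads "a rule that meets the criteria" as a rule whose source, destination and port specification applies to the event, so that rule's thresholds decide the level (possibly none) and later rules are not consulted. The rule names, addresses and thresholds are assumptions. The example also shows why ordering matters in practice: a lenient rule for an authorized scanner placed above the Finance rule suppresses alerts that the default rule alone would have raised.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AlertRule:
    """One row of an Alerting Thresholds list. A None specification means "Any";
    low/medium/high are the minimum severities (1..100) for each level, None = level disabled."""
    name: str
    low: Optional[int]
    medium: Optional[int]
    high: Optional[int]
    sources: Optional[list] = None        # ip_network objects
    destinations: Optional[list] = None   # ip_network objects
    ports: Optional[set] = None           # "tcp/80"-style strings


@dataclass
class Event:
    policy: str
    severity: int                         # 1..100 as assigned by the analytic
    sources: list                         # IP address strings
    destinations: list
    ports: set = field(default_factory=set)


def _all_within(hosts, networks):
    """Every host must fall inside at least one network of the specification (None = Any)."""
    if networks is None:
        return True
    return all(any(ipaddress.ip_address(h) in n for n in networks) for h in hosts)


def rule_applies(rule, event):
    return (_all_within(event.sources, rule.sources)
            and _all_within(event.destinations, rule.destinations)
            and (rule.ports is None or event.ports <= rule.ports))


def level_for(rule, severity):
    """Highest enabled level whose threshold the severity reaches or exceeds, or None."""
    for level, threshold in (("High", rule.high), ("Medium", rule.medium), ("Low", rule.low)):
        if threshold is not None and severity >= threshold:
            return level
    return None


def evaluate(rules, default_rule, event):
    """Rules are consulted in list order; the first whose specification applies decides the outcome
    and later rules are ignored. The default Any rule is always last."""
    for rule in list(rules) + [default_rule]:
        if rule_applies(rule, event):
            level = level_for(rule, event.severity)
            return (rule.name, level) if level else None
    return None


# Constructed configuration reproducing the 10.0.0.0/16 example in the text (assumed names and values)
DEFAULT = AlertRule("Any", low=60, medium=75, high=90)
FINANCE = AlertRule("Finance servers", low=40, medium=60, high=80,
                    destinations=[ipaddress.ip_network("10.0.0.0/16")])
# A lenient rule for an authorized scanner, placed first so it takes precedence over the Finance rule
SCANNER = AlertRule("Authorized scanner", low=None, medium=None, high=95,
                    sources=[ipaddress.ip_network("10.9.9.9/32")])
RULES = [SCANNER, FINANCE]


def suspicious_connection(severity, src, dst):
    """Outcome for a single-source, single-destination Suspicious Connection event."""
    return evaluate(RULES, DEFAULT, Event("Suspicious Connection", severity, [src], [dst]))


if __name__ == "__main__":
    print(suspicious_connection(50, "10.5.1.2", "10.0.5.20"))     # Finance rule: Low
    print(suspicious_connection(50, "10.5.1.2", "192.168.1.5"))   # default rule: nothing until 60
    print(suspicious_connection(85, "10.9.9.9", "10.0.5.20"))     # scanner rule wins: nothing until 95
```

The "all hosts within" requirement is the check to remember when an event spans several destinations: one destination outside 10.0.0.0/16 makes the Finance rule not apply, and the event falls through to the default thresholds.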
Tools for managing alerts
The appliance features two tools for helping you manage the number of alerts:
• Threshold Advisor - A quick way to deal with non-critical alerts that are appearing more often than is useful.
• Event Tuning Analyzer - A tool for getting a better understanding of how threshold settings are impacting the number of alerts being generated.
Refer to the online help system for descriptions of these tools.
Notifications of security events
You can specify who is to be notified when a security policy event triggers an alert. Specify recipients on the Behavior
Analysis > Notifications page. See “Notifications” on page 151.
CHAPTER 11
Health Policies
This chapter describes Cascade Profiler and Cascade Express capabilities for alerting users to the existence of Sensor
problems.
Health policies are defined on the Behavior Analysis > Policies page Health tab. There are currently two health
policies: Sensor problem and Storage Problem.
Figure 11-1. Behavior Analysis > Health Policies page
Sensor Problem
A Sensor problem is detected if:
• A Sensor that had been communicating with the Cascade appliance is no longer reachable.
• The appliance is attempting to communicate with a Sensor but is not receiving data in the expected format (for example, not time synchronized).
• An interface on the Sensor stopped reporting traffic for longer than a specified number of minutes.
• There is a problem with the application identification feature.
Click the Advanced settings link to display a page on which you can enable detection of each of these individually.
Click the Edit link to open a page on which you can enable or disable alert levels.
Sensor problems trigger the alert level that you enable (Low, Medium or High). However, they do not trigger alerts if
you have gone to the Edit page and disabled all three alert levels.
All Sensor problems have a severity of 100.
Storage Problem
A Storage Problem event is detected if any of the following conditions or events occur:
• Disk failed
• RAID rebuilding
• RAID degraded
• Partition is full
• Partition unmounted
• Partition failed
• Partition mounted read-only
A Storage Problem is considered a high severity event and always triggers a high alert.
The status of the storage system is displayed on the System > Information page.
CHAPTER 12
Notifications
This chapter describes Cascade Profiler and Cascade Express capabilities for notifying users or groups of users when
network behavior triggers an alert. It includes the following sections:
• “Overview,” next
• “Adding recipients” on page 152
• “Assigning notifications to recipients” on page 153
Overview
The Behavior Analysis > Notifications page offers several options for notifying management systems or operations
personnel of alert conditions. An alert notification can be delivered as follows:
• HTML message in email
• PDF message in email
• SNMP v1 and v2c trap messages
• SNMP v3 trap message
• SNMP v3 inform message
Alert notifications are delivered to recipients. A recipient is defined as one or more email addresses and/or one or more
trap or inform addresses that are to receive alert notifications. Defining a recipient allows you to work with multiple
SNMP destinations or email addresses as a single unit.
For security policies and user-defined policies, a recipient can be designated as an owner of one or more groups of one
or more group types. Each level of alert for each type of event can be logged, delivered to a specified recipient, or
delivered to all recipients who have been designated as owners of the groups involved in the event.
To enable the appliance to send notifications of alert conditions, start by completing the applicable fields on the
Behavior Analysis > Notifications page Recipients tab for the Default recipient. This enables the appliance to send all
notifications to the Default recipient. You can rename “Default” to a recipient label of your choosing. Beyond this
minimum requirement, you can:
• Specify additional recipients for notifications.
• Specify that notifications resulting from particular alert levels (High, Medium, Low) for particular types of events (DoS, Host Scan, etc.) are to be sent to specific recipients or merely logged.
Note: If your network uses security policies that discard email from unknown sources, you may need to ensure that alert notification
email from the appliance uses a “from” name that is known to your security devices. You can specify the email “from” name on the
Configuration > General Settings page in the Outgoing Mail Server (SMTP) Settings section.
Until you provide specific notification assignments on the Policies tab, the appliance sends all notifications to the
Default recipient or to the first recipient you create. If you do not set up recipients, the appliance logs events but does
not send notifications.
Figure 12-1. Behavior Analysis > Notifications page Recipients tab
Adding recipients
To add more notification recipients, go to the Behavior Analysis > Notifications page Recipients tab and click New.
This displays the New Recipient page. If you anticipate wanting to send notifications to this recipient on the basis of
which groups it owns, click Assign Group Ownership and fill in the page. Note that owner-based notification is not
available for service policies or performance and availability policies.
Figure 12-2. Behavior Analysis > Notifications > New Recipient page
Assigning notifications to recipients
Each type of alert notification can be sent either to a recipient or to the owners of host groups involved in the alert.
You can assign delivery destinations to alert notifications on the Policies tab of the Behavior Analysis > Notifications
page.
The Set Recipient drop-down list contains the recipients that you have defined on the Recipients tab. Select:
• Log Only - to record and display the alert on the appliance, but not send an alert notification. (This menu selection is prefixed with an asterisk to distinguish it from actual recipient names.)
• Owner - to send all the selected notification types to all recipients who are owners of any group involved in the alert. This menu selection is prefixed with an asterisk to distinguish it from actual recipient names. Note that owner-based notification is not available for service policies or performance and availability policies.
• <recipient name> - to send the selected notifications to a recipient you have defined. If you have not defined any recipients, notifications will be sent to the Default recipient (if it has been specified).
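The three destination choices above amount to a routing decision per (policy, alert level) pair. The Python below is an added example of that decision, not the appliance's code; the recipients, addresses and assignments are constructed for the illustration. It demonstrates the owner fan-out and one caveat worth checking in a real deployment: an alert routed to *Owner whose groups have no owner is logged but delivered to nobody.

```python
from dataclasses import dataclass, field


@dataclass
class Recipient:
    """A recipient bundles email addresses and SNMP trap/inform targets into one delivery unit."""
    name: str
    emails: list = field(default_factory=list)
    snmp: list = field(default_factory=list)          # (address, kind): v1-trap, v2c-trap, v3-trap or v3-inform
    owned_groups: set = field(default_factory=set)    # "group_type:group_name" entries this recipient owns


LOG_ONLY = "*Log Only"    # asterisk-prefixed menu entries of the Policies tab
OWNER = "*Owner"

# Constructed recipients; addresses are placeholders
RECIPIENTS = {
    "Default": Recipient("Default", emails=["noc@example.com"]),
    "SOC": Recipient("SOC", emails=["soc@example.com"], snmp=[("10.0.0.5", "v3-inform")]),
    "Finance IT": Recipient("Finance IT", emails=["fin-it@example.com"], owned_groups={"ByFunction:Finance"}),
    "Eng IT": Recipient("Eng IT", emails=["eng-it@example.com"], owned_groups={"ByFunction:Engineering"}),
}

# Constructed Policies-tab assignments; (policy, level) pairs not listed fall back to the default recipient
ASSIGNMENTS = {
    ("Suspicious Connection", "High"): OWNER,
    ("Suspicious Connection", "Low"): LOG_ONLY,
    ("Port Scan", "High"): "SOC",
}


def select_recipients(policy, level, groups_involved,
                      recipients=RECIPIENTS, assignments=ASSIGNMENTS, default="Default"):
    """Names of the recipients that get the notification; an empty list means the alert is only logged."""
    choice = assignments.get((policy, level), default)
    if choice == LOG_ONLY:
        return []
    if choice == OWNER:
        involved = set(groups_involved)
        return sorted(r.name for r in recipients.values() if r.owned_groups & involved)
    return [choice] if choice in recipients else []   # no such recipient defined: log only


def deliveries(policy, level, groups_involved,
               recipients=RECIPIENTS, assignments=ASSIGNMENTS, default="Default"):
    """Expand the routing decision into concrete (channel, address) deliveries."""
    out = []
    for name in select_recipients(policy, level, groups_involved, recipients, assignments, default):
        r = recipients[name]
        out.extend(("email", addr) for addr in r.emails)
        out.extend((kind, addr) for addr, kind in r.snmp)
    return out


if __name__ == "__main__":
    print(deliveries("Suspicious Connection", "High", ["ByFunction:Finance", "ByLocation:Boston"]))
    print(deliveries("Suspicious Connection", "High", ["ByLocation:Boston"]))   # no owner: nothing sent
    print(deliveries("Port Scan", "High", []))
```

When auditing a configuration, enumerate every (policy, level) pair routed to *Owner and confirm that each group type it can involve actually has owners assigned; otherwise high-level alerts for unowned groups silently become log-only.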
Figure 12-3. Behavior Analysis > Notifications page Policies tab
CHAPTER 13
Reporting
This chapter describes Cascade Profiler appliance and Cascade Express appliance reporting features. It includes the
following sections:
• “Overview,” next
• “Quick reports” on page 157
• “Shortcuts to reports” on page 158
• “Service reports” on page 161
• “Traffic reports” on page 161
• “WAN Optimization reports” on page 165
• “Top Talkers reports” on page 169
• “Event reports” on page 171
• “Event Details reports” on page 175
• “Active Directory Users reports” on page 177
• “Saved reports” on page 179
• “General Information reports” on page 181
• “Investigation reports” on page 193
• “SDN (Software-defined Networks) Reports” on page 200
• “VoIP reports” on page 212
• “Audit Trail reports” on page 220
• “Analyzing packet information with Cascade Pilot” on page 222
• “Packet reporting and export with Cascade Sensor” on page 226
Overview
In addition to the displays on the Dashboard page, the appliance offers the following reporting features:
• Quick reports - creates a report on a selected subject; available at the top of every GUI page listed in the navigation bar.
• Shortcuts - links to pre-defined executive summary reports, service reports, general information reports, traffic reports, WAN optimization reports, investigation reports, VoIP reports and custom reports.
• Service reports
  – Overall Service Performance Report - presents a high-level view of how well all monitored services are performing.
  – Service Performance Report - reports how well a service or a sub-component of a service has performed. This shows the current trends of the service and provides historical information about how the service performed over a specified time such as a week, month, quarter or year.
  – Service Incident Report - shows the performance of a service or sub-component of a service over a short duration of time. This is useful for quickly determining why a dashboard traffic light indicator is green, yellow or red.
  – Location Performance Report - shows the health of a location, the health of services that include the location, and the health of front end segments for these services. This report provides quick indications of why a traffic indicator is green, yellow or red, when problems occurred, and for which components.
  – Location Incident Report - indicates how well a location has performed across all services over a specific time range. This report shows current trends in the location as well as performance over time. This is useful for a high-level view, such as for end-of-quarter reports.
• Traffic reports
  – Hosts traffic reports - traffic of hosts, subnets, or groups reported by any tracked parameter.
  – Interfaces traffic reports - traffic over interfaces of devices that are providing traffic data to the appliance.
  – Applications traffic reports - traffic from applications that the appliance recognizes.
  – Advanced traffic reports - customized combinations of host, interface and application traffic.
• WAN Optimization reports
  – Site reports - report LAN traffic and WAN traffic for all connections that traverse the WAN between the specified WAN site and any other site.
  – Inter-site reports - report LAN and WAN traffic for connections that traverse the WAN between two specified WAN sites.
  – Overall reports - report LAN and WAN statistics for all interfaces in the default WAN interface group.
• Top Talkers reports - lists and displays the most active members of each category of tracked traffic.
• Event reports - summary of events of a specified type.
• Event Detail reports - details of a selected event.
• Users reports - record of network users.
• Saved reports - completed reports and templates for running reports.
• Audit reports - reports the appliance usage.
• Packet reports - the Cascade Pilot can be opened from the right-click menu to report packet-level detail.
Traffic monitoring and reporting tasks are assumed to be the responsibility of those with Operator or Monitor accounts.
However, users with Administrator accounts can also perform all the tasks described in this section.
Quick reports
Each top-level GUI page includes two Quick report boxes for generating reports on specific entities.
Figure 13-1. Quick Report box - Profiler
Figure 13-2. Quick Report box - Express
1. In the first of the two Quick report boxes, select the category of the item you want to query on from the drop-down
list box.
2. In the second box, specify the item as listed in the table that follows.
3. Click Go to generate a report.
Category and value:

Host/Group - Specify a host or a host group. Specify a host to generate a Host Information Report. Specify a host group to generate a Host Group Information report.
  Host - Specify a host by host name, IP address, MAC address, or an address range in CIDR format.
  Host Group - Specify a host group by name and group type, as defined on the Definitions > Host Groups page, separated by a colon, in the following format: group_name:group_type. For example, email:application_servers

User - Specify the user name under which the user is logged in.

Port/Group - Specify a port or a port group.
  Port - Specify a port as:
  • port number (e.g., 23)
  • protocol/port number combination (e.g., tcp/80)
  • protocol/port number range (e.g., tcp/1-100)
  • port name (e.g., smtp)
  Port Group - Specify a port group by the port group name defined on the Definitions > Port Groups page.

Application - Specify a built-in or custom application definition by application name. Enter this as it is listed on either tab of the Definitions > Applications page.

Protocol - Specify a protocol either by name or by number. Refer to http://www.iana.org/assignments/service-names for protocol names. Refer to http://www.iana.org/assignments/protocol-numbers for protocol numbers.

Interface/Device/Group - Specify an interface or interface group.
  Interface - Specify an interface by the host name or IP address of the network device being used as a data source, followed by a colon and an interface identifier in any of the following formats:
  • interface_device:interface_name
  • interface_device:interface_index
  • interface_device:interface_label
  For example, 10.0.0.1:1
  These values can be found by going to the System Information > Devices/Interfaces page and choosing the Device List view.
  Interface Group - Specify an interface group name as it is defined on the Definitions > Interface Groups page.
  Alternatively, specify the host name or IP address of a network device being used as a data source and click Go to generate a traffic report for that device.

QoS - Specify the decimal value, binary value, or class name of a QoS class, as it is identified on the Definitions > QoS page. This field is case sensitive.

Template - Specify a template for generating a report by entering its name. The field will auto-complete the template name. The template can be a built-in template or a custom template.

VNI/VNI + Host
  VNI - Enter either the actual VNI or the name for the VNI, which is defined on the Definitions > Interface Groups page.
  VNI + Host - Specify a host by host name, IP address, MAC address, or an address range in CIDR format. Use a space to separate the VNI and the host: <VNI or VNI name> <space> <host name or address>

VTEP - Specify the host name or IP address of a network device that is hosting a VTEP (virtual tunnel endpoint).
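The Quick report value formats in the table above are simple enough to validate before they are typed in or scripted. The following Python parser is an added example (not part of the appliance) that classifies a Host/Group, Port/Group or Interface/Device/Group value according to those formats. The service-name table is a small constructed subset of the IANA names; port-group and interface-group names are passed in because they come from the Definitions pages; the parser also accepts a bare port range without a protocol, which generalizes the table's tcp/1-100 form; and devices in interface specifications are assumed to be given by host name or IPv4 address.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
PORT_RE = re.compile(r"^(?:(?P<proto>tcp|udp)/)?(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?$", re.IGNORECASE)
# Constructed subset of IANA service names; the appliance's own name table is not reproduced here
SERVICE_NAMES = {"ssh": 22, "telnet": 23, "smtp": 25, "dns": 53, "http": 80, "https": 443}


def parse_host_or_group(value):
    """Classify a Host/Group value: IP address, CIDR block, MAC address, host name, or group_name:group_type."""
    v = value.strip()
    try:
        return {"kind": "host", "by": "ip", "value": str(ipaddress.ip_address(v))}
    except ValueError:
        pass
    try:
        return {"kind": "host", "by": "cidr", "value": str(ipaddress.ip_network(v, strict=False))}
    except ValueError:
        pass
    if MAC_RE.match(v):
        return {"kind": "host", "by": "mac", "value": v.lower().replace("-", ":")}
    if ":" in v:                                   # IPv6 literals were already consumed above
        name, gtype = v.rsplit(":", 1)
        if name and gtype:
            return {"kind": "host_group", "name": name, "type": gtype}
    if HOSTNAME_RE.match(v):
        return {"kind": "host", "by": "hostname", "value": v}
    raise ValueError(f"not a host, CIDR block, MAC address or group_name:group_type: {value!r}")


def parse_port_or_group(value, port_groups=()):
    """Classify a Port/Group value: N, proto/N, proto/N-M (or N-M), a service name, or a defined port group name."""
    v = value.strip()
    m = PORT_RE.match(v)
    if m:
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or outside 0..65535: {value!r}")
        return {"kind": "port", "proto": (m["proto"] or "any").lower(), "low": lo, "high": hi}
    if v.lower() in SERVICE_NAMES:
        p = SERVICE_NAMES[v.lower()]
        return {"kind": "port", "proto": "any", "low": p, "high": p}
    if v in port_groups:
        return {"kind": "port_group", "name": v}
    raise ValueError(f"not a port, port range, known service name or defined port group: {value!r}")


def parse_interface(value, interface_groups=()):
    """Classify an Interface/Device/Group value. Devices are assumed to be given by host name or IPv4 address."""
    v = value.strip()
    if v in interface_groups:
        return {"kind": "interface_group", "name": v}
    if ":" in v:
        device, ident = v.rsplit(":", 1)
        by = "index" if ident.isdigit() else "name_or_label"
        return {"kind": "interface", "device": device, "by": by, "ident": ident}
    return {"kind": "device", "device": v}


if __name__ == "__main__":
    for sample in ("10.0.0.0/16", "00:1a:2b:3c:4d:5e", "email:application_servers", "fileserver.corp.example.com"):
        print(parse_host_or_group(sample))
    for sample in ("23", "tcp/80", "tcp/1-100", "smtp"):
        print(parse_port_or_group(sample))
    print(parse_interface("10.0.0.1:1"))
```

The order of the checks matters: an IPv6 address contains colons, so it must be recognized before the group_name:group_type split, and a MAC address must be rejected by both IP parsers before the MAC pattern is tried.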
Shortcuts to reports
The shortcuts listed on the Reports > Shortcuts page are links to predefined report templates. The templates have been
predefined as far as practical and named in terms of common tasks to simplify running a report to answer a question
about your network.
There are shortcuts to two types of reports:
• Built-in - Summaries of network activity. For Executive Summary reports, you choose a time frame (last day, week, month, year) for which you want to see a summary of network-wide traffic or security activity. For General Information reports, you enter a host, group of hosts, interface, network segment, application, or QoS class, and a time frame for which you want to see summary data. For a software-defined network report, you choose or enter a VNI or VTEP. For WAN Optimization reports, you choose or enter a time frame for which you want to see how WAN optimization is benefiting or can benefit the network. For Investigation reports, you enter the time frame and attributes of interest.
• Custom - Reports that support investigating the traffic volumes, dependencies, or performance of specified hosts, groups of hosts, interfaces, or applications. Network elements can be specified using the same conventions as used with the Quick Reports tool or the Reports > Traffic pages. A variety of sample custom reports are predefined.
To run a shortcut,
1. Click the shortcut link. This opens the applicable report page.
2. Enter the information and time frame that are to be the subject of the report. (Executive Summary reports require
only a time frame.)
3. At the bottom of the Report Criteria section, click Run now.
Built-in reports
The Executive Summary reports are network-wide in scope. They report traffic information or security information for
the entire monitored network for the specified time frame.
The Executive Network Summary report requires the ByLocation host group to have been defined. Define this group
on the Definitions > Host Groups page before running the Executive Network Summary report.
Service reports require at least one service to have been defined.
The General Information reports are designed for network administrators and other operations personnel. In addition
to being accessible on the Reports > Shortcuts page, they can be accessed from the right-click menu on other pages.
Position the cursor over an underlined host, host group, interface or application anywhere in the appliance GUI and
right-click it to access one of these reports.
The WAN Optimization reports provide views into which applications are using the WAN, which sites (WAN
interfaces) are the most active, and where there are potential response time or congestion problems.
The WAN Optimization reports require the WAN to have been defined. Define your WAN on the Definitions > WAN
page before running the WAN Optimization reports.
Custom reports
The Type column identifies the tab of the traffic report page or WAN optimization report page to which the template
applies. For example, Advanced means that the shortcut opens a pre-configured report on the Reports > Traffic page
Advanced tab. WAN Site Optimization means that the shortcut opens a pre-configured report on the WAN
Optimization page Site tab.
The Top Internet Applications report and Top Internet Destinations report require the ByInternalHosts host group to
have been defined. The Application Performance Assessment report requires the ByLocation host group to have been
defined. Define these groups on the Definitions > Host Groups page before running the reports.
You can modify the report specifications, save your modifications as a new template, schedule the running of the
template, save the reports, and have them emailed.
Cascade Profiler and Cascade Express User’s Guide
Figure 13-4. Reports > Report Shortcuts page - Built-in reports tab
Figure 13-5. Reports > Reports Shortcuts page - Custom tab
Service reports
Service reports are run from the Services > Reports menu or the right-click menu. They are described in Chapter 3,
“Monitoring Services.”
Traffic reports
The Reports > Traffic page has four tabs for specifying reports:
• Hosts - Reports run from the Hosts tab provide data relative to hosts, subnets, and host groups. They report what
is being served or consumed, or what is being transmitted or received.
• Interfaces - Reports run from the Interfaces tab provide data relative to devices (switches or routers), interfaces,
or interface groups. They report traffic volumes or rates coming into or going out of a particular interface.
• Applications - Reports application traffic on networks monitored by one or more Cascade Sensors.
• Advanced - Reports traffic for any combination of hosts, interfaces, applications, ports, protocols or QoS classes.
Each of these tabs has a Report Criteria section and a Traffic Report section.
Figure 13-6. Reports > Traffic page - Report Criteria section
Report Criteria section
Use this section to:
• Limit the report to traffic that meets specified criteria within a specified time frame
• Select the format of the report
• Save, schedule or run the report
• Load templates that have been previously saved
The Report Criteria section provides a box for selecting the subject of the report. It includes an Additional Traffic
Criteria section (except for the Advanced tab) for further limiting the report to more specific criteria. Most traffic
reports include the option for limiting the report to a specified virtual network. If no virtual network is specified, then
the physical network traffic is reported.
Additionally, the Report Criteria box includes the following other controls:
• Templates - A menu of options for using the current Report Criteria settings. You can use the current settings as
a template and schedule future reports to be automatically generated using the template.
• Report by - Specifies the category of data by which traffic is reported. (See description below.)
• Report Format - Specifies the graphical presentation to be used for reporting traffic information. (Options vary
slightly from tab to tab where non-applicable items are omitted.) Individual displays of the completed report can
be modified.
• Time frame - The length of time (ending now) or the interval of time (from x to y) that the report is to cover.
• Data resolution - The period of time represented by each data point on the report.
• Run now - Runs the report and displays the results as soon as they are available. When you run the report using
the Run now control, the Report Criteria section is collapsed to present a better display of the report. You can
reopen the Report Criteria, change the settings and run a new report.
• Run in background - Opens a window for you to specify the title of the report and the option for saving the
report. It then runs the report in the background. When the report is ready, it is saved and listed on the Reports >
Saved Reports page.
Traffic reports contain multiple sections, depending on the reporting criteria. Each section has controls for modifying
the display or closing the individual section. Tables have options for changing columns, changing the number of rows,
and exporting the data in a Comma-Separated-Value (CSV) file. The Overall Traffic graph can be zoomed for a quick
view of what is happening on the network.
The traffic report has a Report Options menu that enables you to save, schedule, print, email or export the report and
to change the units of measure in the report. The Report-by selection in the Report Criteria section determines which
options are available from the Report Options menu. It also determines which data columns are available in the Add/
Remove Columns feature of the Options menu on a report table.
“Report by” options
The Report by option organizes the report in terms of the information you are most interested in seeing, such as:
• Applications
• Hosts (IP addresses or resolvable DNS names of all devices accessible on the network)
• Peers (what specified machines are connecting to)
• Network interfaces and the network segments between them
• QoS classes
When you select a category in the “Report by” list, the report criteria and display format automatically change to the
settings of the default template for the selection. Also, the Templates menu lists any other templates that are available
for that Report by selection.
When you specify a host traffic report with the “Report by” option set to any of the following values, it causes the
Report Format section to include a “Separate <reported_entity> served from <reported_entity> consumed” option.
• Applications
• Applications with Ports
• Ports
• Port Groups
• Protocols
Both the “served” and “consumed” applications, ports, port groups or protocols are reported in reference to the host
that is acting in the server role in a client-server connection. For example, if you set the “Report by” option to Ports,
then:
• For hosts that were acting in the role of a server, the “Ports Served” table lists the server ports they used for
serving application data to hosts that were acting in the role of a client.
• For hosts that were acting in the role of a client, the “Ports Consumed” table lists the ports they accessed on hosts
that were acting in the role of a server.
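The following added example (not appliance code) shows the server-role convention in working form: constructed flow records are assigned a server side, and the result is a Ports Served table and a Ports Consumed table keyed by host, so that one host can appear in both, serving tcp/443 while consuming tcp/5432 from a database server. The appliance's own role inference is not described on this page; the well-known-port heuristic used below, with the responding end as tie-breaker, is an assumption made for this example only.

```python
"""Ports Served / Ports Consumed tables built from flow records (added example)."""
from collections import defaultdict

# Constructed flow records:
# (initiator ip, initiator port, responder ip, responder port, protocol, bytes)
FLOWS = [
    ("10.1.1.5", 51234, "10.2.2.10", 443, "tcp", 18000),
    ("10.1.1.6", 40321, "10.2.2.10", 443, "tcp", 2500),
    ("10.1.1.5", 51300, "10.2.2.11", 22, "tcp", 900),
    ("10.2.2.10", 35000, "10.3.3.3", 5432, "tcp", 70000),
    # Reply-direction record: the server port sits on the initiator side,
    # so role must be decided per flow rather than by who initiated.
    ("10.2.2.10", 53, "10.1.1.5", 60000, "udp", 300),
]

WELL_KNOWN = 1024   # assumption: ports below this are treated as server ports first


def server_side(a_port, b_port):
    """Return 'a' or 'b', the side treated as the server for this flow.

    Heuristic (assumed for this example): a well-known port beats an
    ephemeral one; otherwise the lower-numbered port is the server port;
    on a tie the responding side (b) is the server.
    """
    a_wk, b_wk = a_port < WELL_KNOWN, b_port < WELL_KNOWN
    if a_wk != b_wk:
        return "a" if a_wk else "b"
    if a_port != b_port:
        return "a" if a_port < b_port else "b"
    return "b"


def served_consumed(flows):
    """Build host -> {proto/port: bytes} tables for the server role
    (Ports Served) and the client role (Ports Consumed). Both are keyed by
    the server's port, exactly as the text describes."""
    served = defaultdict(lambda: defaultdict(int))
    consumed = defaultdict(lambda: defaultdict(int))
    for a_ip, a_port, b_ip, b_port, proto, nbytes in flows:
        if server_side(a_port, b_port) == "a":
            srv_ip, srv_port, cli_ip = a_ip, a_port, b_ip
        else:
            srv_ip, srv_port, cli_ip = b_ip, b_port, a_ip
        key = f"{proto}/{srv_port}"
        served[srv_ip][key] += nbytes
        consumed[cli_ip][key] += nbytes
    return ({h: dict(p) for h, p in served.items()},
            {h: dict(p) for h, p in consumed.items()})


if __name__ == "__main__":
    served, consumed = served_consumed(FLOWS)
    for host in sorted(set(served) | set(consumed)):
        print(host, "served:", served.get(host, {}), "consumed:", consumed.get(host, {}))
```

Running it shows 10.2.2.10 in both tables: it serves tcp/443 and udp/53 and consumes tcp/5432, which is the case the “served from consumed” option separates.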
Applications
To view traffic volumes and performance metrics for applications across your network, choose one of the following
Report by options:
• Applications - Which applications are consuming the most bandwidth.
• Application with Ports - Which server ports are in use by which applications.
• Ports - Which server ports are carrying the most traffic.
• Port Groups - Which port groups are carrying the most traffic.
• Protocols - Which protocols are in use and how much traffic volume they account for.
Hosts
To view traffic volumes and performance metrics for hosts on your network, choose one of the following Report by
options:
• Hosts - Which hosts are consuming the most bandwidth.
• Host Groups - Which host groups are consuming the most bandwidth.
• Host Pairs - Which hosts are providing services and which are consuming those services.
• Host Pairs with Ports - Which ports are being used for connections between servers and clients.
• Host Group Pairs - Which host groups are providing services and which are consuming those services.
• Host Group Pairs with Ports - Which ports are being used for connections between host groups.
Peers
To view traffic volumes and performance metrics for hosts that connect to hosts whose addresses you specify, choose
one of the following Report by options:
• Peer Hosts - Which hosts are the specified hosts connecting to, whether they are clients or servers, and how much
bandwidth is being consumed by the connections.
• Peer Host Groups - Which hosts are the specified hosts or host groups connecting to, whether they are client
groups or server groups, and how much bandwidth is being consumed by the connections.
Network Interfaces and Network Segments
To view traffic volumes for network interfaces and the network segments between them, choose one of the following
Report by options:
• Network Interfaces - Which interfaces have the highest traffic volume and the highest or lowest percent of
utilization.
• Network Devices - Which network devices (which may have one or more interfaces) have the highest traffic
volume and the highest or lowest percent of utilization.
• Network Segments - Which network segment has the highest traffic volume and how it compares with other
network segments.
QoS Classes
To view information about the usage of Quality of Service classes in your network, choose one of the following Report
by options:
• QoS - Which Quality of Service classes are in use; how much traffic is being tagged for each.
• QoS with Applications and Ports - Which Quality of Service classes are your applications receiving; which
applications are being tagged with more than one QoS class; how are they performing; which ports are associated
with particular QoS classes.
• QoS with Interfaces - Which Quality of Service classes are in use on which interfaces; how much traffic is the
interface carrying for each QoS class.
The item you choose is displayed as the first column of the summary table in the report. You can change or rearrange
the columns on the summary table by using the Column Chooser tool.
Traffic report section
Traffic reports contain multiple sections. The contents of a report depend on the tab from which it was run, and the
Report by and Report Format settings in the Report Criteria section. The report has a Report Options menu at the top
for options that act on the entire report, such as saving, scheduling, printing, exporting, emailing or changing
display units.
There are also controls in each section of each report, which apply to only the individual section. These provide options
for editing graphing options, changing table columns, changing the number of rows in a table, and exporting data from
tables and charts into Comma-Separated-Value (CSV) files.
Refer to the online help system for detailed descriptions of the formatting requirements for entering report criteria.
WAN Optimization reports
The WAN Optimization page displays traffic volume data for WANs and LANs so that you can see the effects of the
current WAN optimization and identify opportunities for further WAN optimization. Your WAN must be defined on
the Definitions > WAN page before you can run the WAN Optimization reports.
The Reports > WAN Optimization page has three tabs for specifying reports:
• Site - Reports run from the Site tab provide data relative to a specified site on the WAN. They report LAN traffic
and WAN traffic for all connections that traverse the WAN between the specified site and any other site.
• Intersite - Reports run from the Intersite tab display LAN and WAN traffic for connections that traverse the
WAN between two specified WAN sites.
• Overall - Reports run from the Overall tab provide LAN and WAN statistics for all interfaces in the WAN
interface group that has the default name WAN-All. If you have created additional WAN interface groups on the
Definitions > Interface Groups page, then you can select one of them as the subject of the Overall report in the
Additional Traffic Criteria section.
Each of these tabs has a Report Criteria section and a Report section.
The text fields and lookup tools for limiting the report to specific applications, protocols, ports, hosts, subnets, and host
groups have the same labels and functions as for the traffic reports described in the previous section.
Refer to the online help system for detailed descriptions of the formatting requirements for entering report criteria.
Site reports
Site reports provide data relative to a specified site on the WAN. They report LAN traffic and WAN traffic for all
connections that traverse the WAN between the specified site and any other site.
Figure 13-7. Reports > WAN Optimization page - report results section
Figure 13-8. Reports > WAN Optimization page - Site Report Criteria section
The Reports > WAN Optimization page Site tab includes a Report Criteria section for specifying traffic criteria for the
report and a Report section, which displays the report after it is run.
The criteria in the Site box limit the report to traffic that is associated with a list of WAN interfaces, WAN interface
groups, or devices that have at least one WAN interface in a WAN interface group. You can specify these either by
browsing a list or by entering them manually.
Intersite reports
Intersite reports display LAN and WAN traffic for connections that traverse the WAN between two specified WAN
sites.
The Reports > WAN Optimization page Intersite tab includes a Report Criteria section for specifying traffic criteria
for the report and a Report section for displaying the report.
The labels and controls for the Intersite report are the same as those for the Site report except that there are two
specifications for WAN sites:
• Primary Site - The criteria in the Primary Site box limit the inter-site report to traffic for which one end of the
connection is associated with the specified primary WAN site. Traffic is always reported relative to the primary
site.
You can specify the primary site either by browsing a list or by manually entering a list of WAN interfaces, WAN
interface groups, or devices that have at least one WAN interface in a WAN interface group.
• Secondary Site - The criteria in the Secondary Site box limit the inter-site report to traffic for which the other
(non-Primary) end of the connection is associated with the specified secondary WAN site.
You can specify the secondary site either by browsing a list or by manually entering a list of WAN interfaces,
WAN interface groups, or devices that have at least one WAN interface in a WAN interface group.
Figure 13-9. Reports > WAN Optimization page Intersite Report Criteria section
Overall reports
Overall reports provide LAN and WAN statistics for all interfaces in the WAN interface group that has the default name
WAN. The Reports > WAN Optimization page Overall tab includes a Report Criteria section for specifying traffic
criteria for the report and a Report section for displaying the report.
The labels and functions of the Report Criteria section are the same as for the Site report except that you do not need
to provide a WAN site specification. By default, the report includes all WAN interfaces that are members of the WAN
group indicated in the WAN Group box, except as limited by the other criteria of the report.
If you have created additional WAN interface groups on the Definitions > Interface Groups page, then you can select
one of them as the subject of the Overall report by selecting the desired WAN interface group in the Additional Traffic
Criteria section. The report will use the group you select instead of the default group.
Figure 13-10. Reports > WAN Optimization page Overall Report Criteria section
Top Talkers reports
The Top Talkers page displays traffic volume data for the most active:
• Hosts
• Host Pairs
• Host Pairs with Ports (can be broken out into MAC-IP assignments)
• Host Groups
• Host Group Pairs
• Host Group Pairs with Ports
• Applications
• Application with Ports
• Ports
• Port groups
• Protocols
• Network Interfaces
• Network Devices
The Reports > Top Talkers page has a Report Criteria section and a Traffic Report section.
Report Criteria section
In the Report Criteria section, you can select the category of traffic to be reported. When reporting on host groups, use
the drop-down list box to choose the group type to be included in the report.
Figure 13-11. Reports > Top Talkers page Report Criteria section
In addition to the traffic category selection, the Report Criteria section includes:
• Templates - a menu of options for using the current Report Criteria settings. You can use the current settings as a
template and schedule future reports to be automatically generated using the template. You can also load an
existing template for the selected reporting category, if one has been saved.
• Time frame - the length of time (ending now) or the interval of time (from x to y) that the report is to cover.
• Group type - the host group type, as defined on the Definitions > Host Groups pages, that is to be included in
the report.
• Run now - runs the report and displays the results as soon as they are available. When you run the report using
the Run now control, the Report Criteria section is collapsed to present a better display of the report. You can
reopen the Report Criteria, change the settings and run a new report.
• Run in background - opens a window for you to specify the title of the report and the option for saving the
report. It then runs the report in the background. When the report is ready, it is saved and listed on the Reports >
Saved Reports page.
Traffic Report section
When the report is completed and displayed, you can use the Report Options menu to:
• Save the report on the Reports > Saved Reports page.
• Print the report to a printer or file.
• Email the report.
• Export the data in a Comma-Separated-Value (CSV) file, HTML archive file, or PDF file.
• Display a different unit of measure for traffic volume.
• Choose a different Group Type by which to display the report.
You can use the Options menu on the table to:
• Change the columns included in the report and change their order.
• Change the number of rows in the report.
Figure 13-12. Reports > Top Talkers page report results section
Event reports
Use the Reports > Events page to generate Event Reports. The Event Report displays graphs and a list of events that
have triggered alerts. You can limit the displays to events detected by specific policies or analytics and to events
associated with specific hosts, protocols, ports, or interfaces.
Each item in the event list provides an Event ID and basic information about the event. The Event ID links to an Event
Detail page that provides detailed information about the event. You can specify the time span of the report and how
many events are displayed on one page.
The report includes a Report Criteria section for specifying what is to be reported and an Event Report section for
displaying the graphs and event list.
Report Criteria section
In the Report Criteria section, Operators, Administrators and Monitors can specify the events to be listed in the report
by specifying either the event properties or the event IDs.
Figure 13-13. Reports > Events page Report Criteria section
Search by Properties
In the Triggering policies section, expand and navigate as necessary to select policies from the Service, Performance
& Availability, User-defined, or Security categories, as necessary. (The Security category of events is not available if
the optional security analytics module is disabled or not installed.)
You can specify additional criteria to further limit the report to hosts, protocols, ports, or interfaces in the Additional
Criteria section. These can be entered by browsing and clicking, or by entering them manually.
Search by Event IDs
The report can be limited to a list or range of event ID numbers. When you specify event IDs, the event properties
criteria are ignored.
Report Format
The report can display pie charts of events reported by:
• Alert level - High, Medium, Low
• Analytic category - Performance & Availability, User-defined, Security
• Analytic - displays events for each type of analytic, such as Link Congestion, Interface, Host Scan.
• Policy - displays events by individual policies, as they are identified by name on the Behavior Analysis > Policies
pages.
• Metric - displays events by the monitored metrics that caused alerts.
Additionally, the report can display a list of events. Each event listed has a summary of event information and a link
to an Event Detail report. The detail report displays a summary of the anomalies identified as part of the event and
provides links to additional details.
Additional controls
In addition to the policies, hosts, protocols, ports and interfaces specifications, the Report Criteria section includes:
• Time frame - the length of time (ending now) or the interval of time (from x to y) that the report is to cover
• Time frame behavior - select among showing events that started within the time frame, events that started
before the time frame, or events that are on-going
• Templates - a menu of options for using the current Report Criteria settings. You can use the current settings as a
template and schedule future reports to be automatically generated using the template. You can also load an
existing template for the selected reporting category, if one has been saved.
• Run now - runs the report and displays the results as soon as they are available
• Run in background - opens a window for you to specify the title of the report and the option for saving the
report. It then runs the report in the background. When the report is ready, it is saved and listed on the Reports >
Saved Reports page.
Event Report section
The Event Report section displays the event list and the pie charts that you selected from the Report Format options in
the Report Criteria section.
The title bar of the Event Report section includes a Report Options control. This enables you to save, print or email
the report.
The title bar of the event list has a menu that enables you to change the columns on the table, change the number of
rows displayed per page, and export the table contents.
Pie charts
The pie charts display events by alert level (High, Medium, or Low) or by the analytic that detected them.
Event list
The event list provides a summary of events, listed by event ID. The list is sortable by column. Additionally, you can
use the Options menu to add, remove or rearrange the columns included in the report. The following columns are
available:
• Actions taken - identifies actions that have been taken on this event, including:
– Email-notified - Email has been sent to the specified recipients.
– Trap-notified - An SNMP trap has been sent to the designated management system.
– Vscan-run - A vulnerability scan has been started.
• Alert Level - the level of alert the event triggered: High, Medium, or Low.
• Analytic - the name of the analytic that detected the event, such as Application Availability, Host Scan, etc.
Figure 13-14. Reports > Events page report results section
• Analytic Category - the category of the analytic that detected the event: Performance & Availability, Security,
User-defined
• Destination - host name of the destination device associated with the event. If the name cannot be resolved, the
IP address is displayed.
• Destination IP - the IP address of the destination device associated with the event. You can right-click individual
host listings for a list of optional actions.
• Destination MAC - the MAC address of the destination device associated with the event. This is available if the
appliance is integrated with DHCP. You can right-click individual host listings for a list of optional actions.
• Duration
• End Time
• Event ID - Each event listed has a link to an Event Details report that displays a summary of the anomalies
identified as part of the event and provides links to additional details.
• Interface - the interface in the format of device name:label. If the device name is not available, then the device IP
address is displayed. If the interface label is not available, then the index number is displayed. These are the
interfaces listed on the System Information > Devices/Interfaces pages.
• Interface IP - the IP address of the interface, if it has one. Otherwise, the IP address of the device.
• Mitigation plan - If a Mitigation Plan has been generated, the number of the plan is displayed.
• On going - Yes or No to indicate if the event was ongoing at the time that the report was run.
• Policy - the name of the policy as it appears on the Behavior Analysis > Policies pages.
• Port/App name - the port name (e.g., tcp/80) followed by the service name in parentheses, followed by the
application name, if available. Application names are listed on the Definitions > Applications pages.
• Severity - the severity, on a scale of 1 to 100, of the threat posed by the event.
• Source - the host name of the source device associated with the event. If the name cannot be resolved, the IP
address is displayed.
• Source IP - the IP address of the source device associated with the event. You can right-click individual host
listings for a list of optional actions.
• Source MAC - the MAC address of the source device associated with the event. This is available if the appliance
is integrated with DHCP.
• Start Time
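The columns above, together with the Time frame behavior choices in the Report Criteria section, are enough to triage an exported copy of the event list offline. The following is an added example, not appliance code: it parses a constructed CSV export whose header uses the column names listed above (the real export's exact header text, timestamp format and the separator used when several actions were taken are assumptions), applies each of the three Time frame behavior choices, breaks the list down the way the Alert level pie chart does, and pulls out the high-severity events on which no Email, Trap or Vscan action has yet been taken.

```python
"""Offline triage of an exported Event Report event list (added example)."""
import csv
import io
from datetime import datetime

# Constructed sample export. Header names follow the event list columns;
# the timestamp format and the ';' separator in "Actions taken" are assumed.
SAMPLE_CSV = """\
Event ID,Alert Level,Severity,Analytic Category,Analytic,Policy,Source IP,Destination IP,Port/App name,Start Time,End Time,On going,Actions taken
1001,High,92,Security,Host Scan,Host Scan,10.1.2.3,10.9.0.1,tcp/445 (microsoft-ds),2013-02-10 08:05:00,2013-02-10 08:20:00,No,Email-notified;Trap-notified
1002,Medium,55,Performance & Availability,Link Congestion,WAN Link,10.1.2.3,10.1.2.4,tcp/80 (http) WebApp,2013-02-10 09:00:00,,Yes,
1003,Low,20,User-defined,Host Scan,Custom Scan,10.2.2.9,10.1.2.3,tcp/22 (ssh),2013-02-09 23:50:00,2013-02-10 08:10:00,No,Vscan-run
1004,High,88,Security,New Server Port,New Server Port,10.3.3.3,10.1.2.5,tcp/4444,2013-02-10 10:30:00,,Yes,
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed export timestamp format


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def parse_export(text):
    """Read the CSV export into dicts with typed Start/End Time and Severity,
    and a list for Actions taken (empty when nothing has been taken)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Start Time"] = parse_ts(row["Start Time"])
        row["End Time"] = parse_ts(row["End Time"]) if row["End Time"] else None
        row["Severity"] = int(row["Severity"])
        row["Actions taken"] = [a for a in row["Actions taken"].split(";") if a]
        events.append(row)
    return events


def select_events(events, start, end, behavior):
    """Apply one of the three Time frame behavior choices.

    started_within: Start Time falls inside [start, end].
    started_before: started before the frame opened and had not ended by
                    then (this reading of "started before" is an assumption).
    ongoing:        flagged On going = Yes in the export.
    """
    if behavior == "started_within":
        return [e for e in events if start <= e["Start Time"] <= end]
    if behavior == "started_before":
        return [e for e in events if e["Start Time"] < start
                and (e["End Time"] is None or e["End Time"] >= start)]
    if behavior == "ongoing":
        return [e for e in events if e["On going"] == "Yes"]
    raise ValueError(f"unknown time frame behavior: {behavior}")


def event_ids(events):
    return sorted(e["Event ID"] for e in events)


def count_by(events, column):
    """Same breakdown as the report's pie charts, e.g. by Alert Level."""
    counts = {}
    for e in events:
        counts[e[column]] = counts.get(e[column], 0) + 1
    return counts


def unhandled(events, min_severity=80):
    """Events at or above min_severity with no notification or scan action
    recorded: the queue a responder would start from."""
    return event_ids(e for e in events
                     if e["Severity"] >= min_severity and not e["Actions taken"])


if __name__ == "__main__":
    evs = parse_export(SAMPLE_CSV)
    frame = (parse_ts("2013-02-10 08:00:00"), parse_ts("2013-02-10 12:00:00"))
    for behavior in ("started_within", "started_before", "ongoing"):
        print(behavior, event_ids(select_events(evs, *frame, behavior)))
    print("by alert level:", count_by(evs, "Alert Level"))
    print("unhandled high severity:", unhandled(evs))
```

Note that the three behaviors are not disjoint: an ongoing event also appears under "started within" if it began inside the frame, so counts from the three views should not be added together.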
Event Details reports
An Event Details report is created and saved for each event that triggers an alert. There are several ways to view the
Event Detail report:
• Click the event ID on the Dashboard page.
• Go to the Reports > Events page, generate an event report, then click the event ID on the report.
• If an event report has already been run and saved, go to the Saved Reports page, view the event report, and click
the event ID on the Event report.
• If you are on a remote management system and receive an email or SNMP notification from the appliance, view
the URL included with the message. This requires an Event Viewer account.
The Event Detail report displays detailed information about the event. The details depend on the type of event. The
report provides options to:
• Snooze alerts caused by the event - “Snoozing” suppresses the reporting of alerts for the type of event for a time
period that you specify. Snoozed events continue to be reported on the events lists the same way that other events
are.
Figure 13-15. Event Details Report
• Learn the event - the appliance “learns” an event by checking the alerting threshold that the event is exceeding
and calculating what the alerting thresholds should be to avoid triggering alerts under the current conditions.
• Mitigate the event - If you have configured the appliance for mitigation, you can initiate mitigation by starting
from an event listed in the events list on the Dashboard page.
• ACL - If a User-defined policy triggers an alert because an upper limit was exceeded, the Event Details report
provides an ACL button. This opens a dialog box in which you can generate access control list entries. The
appliance generates these by converting host-pair-port information into Cisco ACL syntax. These are compatible
with access list numbers 101 - 199 in most Cisco IOS releases. You can examine the list and determine which
entries to roll up, group, or cut and paste into a router. You can export the list to a file for further analysis.
Additionally, you can print or email the Event Details report.
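As an added example of the kind of conversion the ACL button performs (this is not the appliance's generator, and the exact entries it emits may differ), the following renders constructed host-pair-port records as numbered extended IP access-list entries in the 101-199 range and shows what a roll-up step can look like: sources that hit the same destination and port are collapsed into one entry with a wildcard mask. The closing permit ip any any line is an assumption about how such a list is meant to be applied, and a rolled-up wildcard can admit hosts that were never part of the event, so the example also reports how many extra addresses each roll-up covers.

```python
"""Host-pair-port records rendered as Cisco extended ACL lines (added example)."""
import ipaddress

# Constructed records: (source host, destination host, protocol, server port).
# port is None for protocols without ports (icmp).
RECORDS = [
    ("10.1.2.3", "192.0.2.10", "tcp", 445),
    ("10.1.2.7", "192.0.2.10", "tcp", 445),
    ("10.1.2.9", "192.0.2.10", "tcp", 445),
    ("10.1.2.3", "192.0.2.10", "tcp", 139),
    ("10.5.0.8", "192.0.2.20", "udp", 161),
    ("10.5.0.8", "192.0.2.20", "icmp", None),
]

ACL_RANGE = range(101, 200)   # numbered extended IP access lists, as the text states


def acl_entry(number, src_net, dst_host, proto, port, action="deny"):
    """Render one extended ACL line. A /32 source is written 'host a.b.c.d';
    anything wider is written 'network wildcard' (wildcard = inverted mask)."""
    if src_net.prefixlen == 32:
        src = f"host {src_net.network_address}"
    else:
        src = f"{src_net.network_address} {src_net.hostmask}"
    line = f"access-list {number} {action} {proto} {src} host {dst_host}"
    if port is not None:
        line += f" eq {port}"
    return line


def covering_network(hosts):
    """Smallest IPv4 prefix containing every host: widen a /32 until it does."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def group_records(records):
    """(destination, protocol, port) -> set of source hosts."""
    groups = {}
    for src, dst, proto, port in records:
        groups.setdefault((dst, proto, port), set()).add(src)
    return groups


def generate_acl(records, number=101, roll_up=False):
    """One deny line per distinct record (or per rolled-up group), then a
    final permit so the list does not fall through to the implicit deny."""
    if number not in ACL_RANGE:
        raise ValueError("extended IP access-list numbers are 101-199")
    lines = []
    if roll_up:
        for (dst, proto, port), srcs in group_records(records).items():
            lines.append(acl_entry(number, covering_network(sorted(srcs)), dst, proto, port))
    else:
        seen = set()
        for rec in records:
            if rec in seen:
                continue
            seen.add(rec)
            src, dst, proto, port = rec
            lines.append(acl_entry(number, ipaddress.ip_network(f"{src}/32"), dst, proto, port))
    lines.append(f"access-list {number} permit ip any any")
    return lines


def roll_up_coverage(records):
    """Per rolled-up group, how many addresses the wildcard admits that were
    not in the records: the over-blocking a reviewer has to weigh."""
    return {key: covering_network(sorted(srcs)).num_addresses - len(srcs)
            for key, srcs in group_records(records).items()}


if __name__ == "__main__":
    print("\n".join(generate_acl(RECORDS)))
    print()
    print("\n".join(generate_acl(RECORDS, number=150, roll_up=True)))
    print(roll_up_coverage(RECORDS))
```

With the constructed records, the three 10.1.2.x sources roll up to 10.1.2.0 0.0.0.15, which also covers 13 addresses that never appeared in the event; that is the trade-off the text leaves to the operator when choosing which entries to roll up.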
Viewing with an Event Viewer account
An Event Detail page can be viewed by a user with an Event Viewer account as follows:
• Open the email notification of the alert condition (if using email) or use your network management system to
view the URL contained in the SNMP trap message that reported the event.
• Click the link in the email message or trap message.
• When prompted, enter your user name and password. The appliance displays the Event Detail report.
Event Viewers cannot log in to the GUI or view anything other than the Event Detail report.
Event Detail reports are specific to the type of event that they are reporting. If a vulnerability scan report that includes
the event has been created or is in the process of running, this is noted on the Event Detail report.
Active Directory Users reports
User accounts that have permission can generate reports of user logins and login attempts on the network. This report
requires a source of user identity information to be integrated with the appliance. You can confirm the availability of
an identity information source on the Integration > Identity Sources page.
The user identity reporting feature supports several approaches to creating reports:
• Active Directory Users Report page
• Quick report box in header
• Left-clicking a user name on an Event Report, Host Information Report, or another Active Directory Users
Report
• Right-clicking a host or host group to get a shortcut menu
Active Directory Users Reports provide user identification and login information. They can be limited to specified time
spans, users, hosts, or CIDR blocks of hosts.
The page includes a Report Criteria section for specifying user criteria for the report and a results section for displaying
the report.
Report Criteria section
Use the Report Criteria section to:
• Limit the report to a comma-separated list of users.
• Limit the report to a comma-separated list of hosts.
• Include or exclude successful or failed login attempts.
In addition to user and host criteria, the Report Criteria section includes:
• Time frame - the length of time (ending now) or the interval of time (from x to y) that the report is to cover
• Templates - a menu of options for using the current Report Criteria settings. You can use the current settings as a
template and schedule future reports to be automatically generated using the template. You can also load an
existing template for the selected reporting category, if one has been saved.
• Run now - runs the report and displays the results as soon as they are available
• Run in background - opens a window for you to specify the title of the report and the option for saving the report. It
then runs the report in the background. When the report is ready, it is saved and listed on the Reports > Saved Reports
page.
Figure 13-16. Reports > Active Directory Users report page Report Criteria section
Report section
When the report is completed and displayed, you can use the Report Options menu to:
• Save the report. It will be listed on the Reports > Saved Reports page.
• Print the report to a printer or file.
• Email the report in HTML, Comma-Separated-Value (CSV), or PDF format.
On the Users List, you can use the Options menu to:
• Change Columns using the column chooser.
• Change Number of Rows reported on a page.
• Export to export the report data in a Comma-Separated-Value (CSV) file, HTML archive file, or PDF file.
Figure 13-17. Reports > Active Directory Users report page results section
Saved reports
The Reports > Saved Reports page lists completed reports and report templates that were saved on the Traffic Report
page. It also lists event reports, users reports, and vulnerability scan reports.
Operators, Administrators and Monitors can:
• View completed reports.
• Create new reports from saved templates, either immediately or in the background.
• Reschedule the running of a report template to produce new reports and save the new schedule as a revision to the
original template or as part of a new template.
• Delete saved reports and templates.
Reports section
The Reports section lists the reports that have been completed, are running, or are waiting to run. Click Refresh to view
the latest status of the reports listed. Click the name of a completed report to view the report.
In the Reports section, you can choose report storage options, and you can sort the list by owner, report name, run time,
status, and size. You can mark a report to keep indefinitely or you can delete it.
The Reports section options menu allows you to filter the list of reports. The options menu also allows you to limit the
list to your own reports and to just the most recent days, weeks or months. Additionally, the options menu provides a
feature for pruning the list by deleting reports that are older than a specified date.
Templates section
The Templates section lists templates; their owners, types and names; and their schedule and next run time. You can
sort the templates by any of these attributes. The Templates section options menu allows you to filter the list of
templates to limit the list to your own templates. Additionally, you can prune reports that are older than a specified date.
Figure 13-18. Reports > Saved Reports page
In the Templates section, you can select a template and do one of the following:

• Load - Load the template so that you can modify the reporting criteria and then run it in the foreground or background.
• Run in Background - Run a report using the selected template, save it in the Completed Reports section, and distribute it as configured with the Save as/Reschedule feature.
• Save as/Reschedule - Open a page on which you can edit the specifications for how reports that are run using the selected template are scheduled, saved, and distributed. Each template can be scheduled to generate reports according to the time in a different time zone.
• Delete - Delete the selected template.
Up to 500 report templates can be saved. Templates are not automatically deleted.
General Information reports
Detailed information about a specific host, host group, interface, application, QoS class, or network segment is
available by right-clicking the name wherever it is displayed as a link (underlined). These reports are also available
from the Reports > Shortcuts page Built-in tab. Clicking a report shortcut in the General Information Reports section
of this tab prompts you to identify what is to be reported.
The following types of information reports are available:

• “Application Information reports” on page 181 - detailed information about the activity of one or more applications
• “Interface Information reports” on page 184 - detailed information about a selected interface
• “Device Information reports” on page 186 - detailed information about the traffic volumes and utilization of selected devices
• “Interface Group Information reports” on page 187 - detailed information about the traffic volumes and average performance of interface groups
• “Host Information reports” on page 188 - detailed information about an individual host
• “Host Group Information reports” on page 189 - detailed information about a selected host group
• “Network Segment Information reports” on page 192 - statistics for traffic between two specified interfaces
• “QoS Information reports” on page 193 - information about traffic that is tagged for a specified Quality of Service class
• “Server Information reports” on page 190 - detailed information about a specified server
• “Analyzing packet information with Cascade Pilot” on page 222
• “Packet reporting and export with Cascade Sensor” on page 226
Information reports include report-level and section-level option menus. Report options allow you to save, print or
email the report. You can also change the display units and, where applicable, change the group type by which host
groups are reported.
Section-level options allow you to modify graphical displays, filter table columns, and export data.
Refer to the online help system for detailed descriptions of the report contents.
Application Information reports
Application Information reports provide multiple perspectives on the activity of one or more applications. When you
run the report from the Shortcuts page, you can limit it to a list of applications. When you run the report from the right-click menu, it reports on the application you right-clicked.
The report includes statistics about total application traffic volume, server hosts, client host groups, host pairs and
ports, QoS, and network segments. Overall traffic volume is reported as sent or received relative to the application
servers.
Figure 13-19. Reports > Shortcuts > Application Information Report - Report Criteria section
The report provides the following information for the specified applications and time frame:
Summary
This section reports the peak and average transmitted and received traffic for the specified application. It also reports
the peak and average connections per second.
Details
This section graphs the average traffic volume that was transmitted and received by the specified applications over the
selected time frame.
Servers
This section provides the following performance information about the specified applications:

• Average server delay for the top ten application servers
• Average number of retransmissions by the top ten application servers
• Average number of Resets by the top ten application servers
• Breakdown of traffic volume by application server
A dashed line in a graph indicates that the plot is missing data points.
Clients
This section provides information by host groups. The information is presented by host group because there are usually
a large number of individual clients. The section includes:

• Average response time experienced by the top ten host groups that are clients of the specified application
• Breakdown of application traffic by client host group
• Host pair connections (click and zoom for details)
Delivery Path
This section provides information about the application delivery path, including:

• Server-client host pairs, the ports over which they are communicating, and performance statistics
• Breakdown of application traffic by Quality of Service class
• Connections by network segments
Figure 13-20. Reports > Shortcuts > Application Information Report - results section
Interface Information reports
The Interface Information report is useful for seeing the average and peak percent utilization of an interface over the past
hour or the required time frame. Data is reported as inbound (In) or outbound (Out) relative to the interface. The report
also provides interface configuration information.
When you run the report from the Shortcuts page, you can limit the report to a list of interfaces. You can use the browser
tool to select interfaces or enter them manually using the device:interface format.
You can run the report by right-clicking an interface name or index number. Interface names are available on traffic
reports when you select Network Interfaces for the Report by criteria on the Reports > Traffic pages. Names and index
numbers are also available on the System Information > Devices/Interfaces pages.
Right-click the interface name anywhere it is displayed and select Interface Information Report. This runs the report
for the interface you right-clicked, for the time frame you select from the menu.
Figure 13-21. Reports > Shortcuts > Interface Information Report - Report Criteria section
The report lists the following information for the selected time frame:

• Interface Information - identifies the interface by its name, type, MTU, speed, and MAC address.
• Traffic Summary - lists peak traffic, average traffic, and percent of capacity utilization for input and output.
• Interface Groups - if the interface has been assigned to one or more interface groups on the Definitions > Interface Groups page, then the groups it belongs to are listed.
• Traffic Volume by Average % Utilization and Peak % Utilization - mirror graph showing transmit and receive percent utilization over the selected time frame.
• Top 10 Inbound Applications and Ports by Average - line graph of the number of applications and ports using the interface within the selected time frame.
• Inbound Traffic by Application and Port - lists the average and total inbound traffic volumes of applications and ports using the interface.
• Top 10 Outbound Applications and Ports - lists the top 10 average outbound traffic volumes of applications and ports using the interface.
• Alert Level Summary chart - pie chart showing proportions of High, Medium, and Low alerts.
• Alert Level Summary table - table listing High, Medium, and Low alerts by number and by percent of total.
Figure 13-22. Reports > Shortcuts > Interface Information Report - results section
Device Information reports
The Device Information report provides summary and detail information about a specified device. When you run it
from the Shortcuts page, you must specify the device. When you run the report from the right-click menu, it reports
on the device you right-clicked.
Figure 13-23. Device Information report - Report Criteria section
The device can be specified by its name or IP address. You can use the Browse feature to search for a device in an
interface group.
Figure 13-24. Browse tool for looking up a device
Summary section
The Summary section lists:

• Device name
• Device IP address
• Device type
• Device version (if applicable)
• Number of interfaces in the device
• Interface Group to which the device belongs
• Description of the device
Figure 13-25. Device Information report - Summary section
Details section
The Details section lists or displays:

• Traffic volume - displayed as average bits per second
• Top 10 network interfaces - displayed as average percent of utilization
• Network interfaces - list of the device’s network interfaces with percent utilization and traffic volume
Activity section
The Activity section lists or displays:

• Top 10 applications with ports - displayed as average bits per second
• Applications with ports - traffic volume and active connections
Quality of Service section
The Quality of Service section lists or displays:

• Top 10 Quality of Service classes - traffic volume displayed as average bits per second
• Traffic by Quality of Service class - volumes and active connections
Interface Group Information reports
The Interface Group Information report provides summary and detail information about a specified interface group or
subgroup and all the interfaces contained within it.
Figure 13-26. Interface Group Information report - Report Criteria section
The interface groups are specified by name. Subgroups are specified by path and name. You can use the Browse feature
to search for an interface group or subgroup. The report includes a Summary section, Details section, Activity section
and QoS section.
Summary section
The Summary section lists:

• Interface Group name
• Interface Group description
• Number of interfaces in the group
Figure 13-27. Interface Group Information report - Summary section
Details section
The Details section lists or displays:

• Traffic volume - displayed as average bits per second
• Top 10 network interfaces - displayed as average percent of utilization
• Network interfaces - list of the group’s network interfaces with percent utilization and traffic volume
Activity section
The Activity section lists or displays:

• Top 10 applications with ports - displayed as average bits per second
• Applications with ports - traffic volume and active connections
Quality of Service section
The Quality of Service section lists or displays:

• Top 10 Quality of Service classes - traffic volume displayed as average bits per second
• Traffic by Quality of Service class - volumes and active connections
Host Information reports
The Host Information report provides summarized information for a specified host. When you run it from the Shortcuts
page, you must specify the host. When you run the report from the right-click menu, it reports on the host you right-clicked.
The report includes the name, IP address, and group membership of the host; traffic volumes, client-server
connections, users, and alerts for the past hour. Overall traffic volume is reported as sent or received relative to the
hosts.
The report lists the following information for the selected time frame:
Figure 13-28. Host Information report - Report Criteria

• Host Information - the name, address, date first seen on the network, and the switch port. (To obtain the switch port, the switch must have been added on the Integration > Switch Port Discovery page.)
• Traffic Summary - average and peak transmitted and received traffic volumes.
• Host Groups - if the host has been assigned to one or more host groups on the Definitions > Host Groups page, then the groups it belongs to are listed.
• Traffic Volume by Average Bytes per Second - mirror graph showing transmit and receive time series data.
• Top 10 Applications and Ports Served - pie chart of applications and ports served by the host.
• Traffic Breakdown by Application and Port Served - list of traffic volumes, connections, and response times by application and port.
• Top 10 Applications and Ports Connected To - pie chart of applications and ports that the host has connected to.
• Applications and Ports Connected To - list of applications and ports that the host has connected to.
• Host Pair and Port - list of servers and clients that the host being reported is connecting to, and the port numbers over which it is connecting.
• Peers Summary - list of hosts that are having conversations with the host being reported. The peer host's group is listed. Traffic volumes are listed in descending order.
• Traffic by QoS - pie chart and table listing QoS classes in use by traffic volume.
• Users - list of users of the host being reported, including time and identity information.
• Alert Level Summary chart - pie chart showing proportions of High, Medium, and Low alerts on this host for the selected time frame.
• Alert Level Summary table - table listing High, Medium, and Low alerts by number and by percent of total.
Host Group Information reports
The Host Group Information report provides summarized information for a host group. When you run it from the
Shortcuts page, you can limit the report to a list of hosts, subnets, or host groups. You can also limit it to a selected
host group type.
When you run the report from the right-click menu, it reports on the host group you right-clicked.
The report includes traffic volume for the group, applications or ports served or connected to, group pairs, and alerts
that have occurred within the group during the last hour.
Overall traffic volume is reported as sent or received relative to the hosts. Sections of the report that list what group a
host belongs to identify group membership in terms of group type.
Figure 13-29. Host Group Information report - Report Criteria
The report lists the following information for the selected time frame:

• Host Group Information - total number of hosts and the average and peak transmitted and received bytes per second.
• Traffic Volume by Average Bytes per Second - mirror graph showing transmit and receive time series data.
• Hosts Seen Over Time - line graph of number of hosts over time.
• Top 10 Applications and Ports Served - pie chart of applications and ports served by hosts in the host group.
• Traffic Breakdown by Application and Port Served - list of traffic volumes, connections, and response times by application and port.
• Top 10 Applications and Ports Connected To - pie chart of applications and ports that hosts in the host group have connected to.
• Host Pair and Port - list of hosts within the group that are connecting to other hosts inside or outside of the group, and the port number over which they are connecting.
• Host Group Pair Summary - list of host groups that the selected host group is having conversations with.
• Top Peers Summary - list of hosts that are having conversations with hosts in the selected host group. The peer host's group is listed. Traffic volumes are listed in descending order.
• Traffic by QoS - pie chart and table listing QoS classes in use by traffic volume.
• Alert Level Summary chart - pie chart showing proportions of High, Medium, and Low alerts.
• Alert Level Summary table - table listing High, Medium, and Low alerts by number and by percent of total.
Server Information reports
The Server Information report provides a comprehensive view of the operation of a specified server. When you run it
from the Shortcuts page, you must specify the server. When you run the report from the right-click menu, it reports on
the server you right-clicked. You can run the report by right-clicking a server name anywhere it is displayed and
selecting Server Information Report from the shortcut menu.
Figure 13-30. Server Information report - Report Criteria
The report provides the following information for the specified server and time frame.
Summary
This section reports:

• Host Information - the name, address, date first seen on the network, and the switch port. (To obtain the switch port, the switch must have been added on the Integration > Switch Port Discovery page.)
• Traffic Summary - average and peak transmitted and received traffic volumes.
• Host Groups - if the server has been assigned to one or more host groups on the Definitions > Host Groups page, then the groups it belongs to are listed.
Applications
This section reports:

• Average traffic volumes of the top ten applications served by the specified server.
• Average response time of the top ten applications served by the specified server.
• Breakdown of traffic volumes by application and port served.
Clients
This section reports:

• Average response time of the top ten peer groups (host groups containing clients of the server).
• List of host groups containing clients of the server.
Quality of Service

• Pie chart showing the traffic of each QoS class as a percent of total traffic being reported.
• Table listing QoS classes in use by traffic volume.
Events
This section reports:

• Pie chart showing proportions of High, Medium, and Low alerts on this server for the selected time frame.
• Table listing High, Medium, and Low alerts by level and number.
Network Segment Information reports
The Network Segment Information report provides a view of the operation of a specified network segment. When you
run it from the Shortcuts page, you must specify the network segment interfaces. When you run the report from the
right-click menu, it reports on the segment you right-clicked.
The report includes statistics about the interfaces that are the endpoints of the segment, traffic volumes over the
segment by application and port, and alerts occurring on the segment.
Figure 13-31. Network Segment Information report - Report Criteria
The report provides the following information for the specified network segment and time frame:
Summary
This section reports:

• Segment Information - the addresses of the transmitting and receiving interfaces comprising the two endpoints of the segment; the name, description (if available), index, MTU, type, speed, and MAC address.
• Traffic Summary - average and peak traffic volumes across the segment.
Details
This section graphs the average traffic volume that was carried by the specified segment over the selected time frame.
Applications
This section includes:

• Graph of average traffic volumes of the top ten applications and ports that have been seen on the segment.
• Table listing traffic on the segment by application and port and providing performance statistics, such as connections, retransmissions, and the percent of total traffic that is retransmissions.
Events
This section includes:

• Pie chart showing proportions of High, Medium, and Low alerts on this segment for the selected time frame.
• Table listing High, Medium, and Low alerts by level and number.
QoS Information reports
The QoS Information reports provide information about the usage of a specified QoS class. When you run the report
from the Shortcuts page, you must specify the QoS class of traffic to be reported. When you run it from the right-click
menu, it reports on the QoS class you right-clicked.
The report includes the QoS definition, a summary of traffic tagged with the specified QoS class, and information
about this traffic by interface, application, and server host.
Figure 13-32. QoS Information report - Report Criteria
The report lists the following information for the selected time frame:

• QoS Definition - the QoS class name, decimal value, binary value, and description. You can modify the standard definitions of QoS classes and add new definitions on the Definitions > QoS page.
• Traffic Summary - traffic volumes are listed for all traffic in the network sent with the specified QoS class and all traffic received with the specified QoS class.
• Interfaces - the table lists the interfaces on which the specified QoS class was seen. It lists the descriptions of the interfaces, sorts them by traffic volume, and provides performance statistics.
• Applications - graphs traffic volumes for the top ten applications that use the specified QoS class. It also lists all applications and ports using the specified QoS class. It sorts them by traffic volume and provides performance statistics.
• Server - graphs traffic volumes for the top ten servers that use the specified QoS class. It also lists all hosts using the specified QoS class. It sorts them by traffic volume and provides performance statistics.
Investigation reports
Investigation reports include:

• “Audit trail” on page 97 - available from the System > Audit Trail page
• “Event reports” on page 171 - available from both the Reports > Shortcuts page and the Reports > Events menu
• “Active Directory Users reports” on page 177 - available from both the Reports > Shortcuts page and the Reports > Users menu
• “Service Level Objective reports” on page 194 - information about the operation of a Performance & Availability policy over time
• “Performance Investigation reports” on page 197 - visual indications of the performance of an application delivery path
• “95th Percentile report” on page 199 - shows the 95th percentile level on a graph of interface utilization
Service Level Objective reports
The Service Level Objective Report displays information about the operation of a policy over time. It provides
qualitative graphical feedback on the frequency and magnitude of policy violations that are being detected.
Additionally, it displays typical and actual values of the traffic attributes that the policy is monitoring. It uses the
default time frame of the last week.
The report can be run from:

• Reports > Shortcuts page Built-in tab Service Level Objective link.
• Behavior Analysis > Policies page, Service tab or Performance & Availability tab, Configured Policies section.
• Right-click menu displayed by right-clicking a service policy or a performance and availability policy.
It can be printed, saved, scheduled and emailed. Scheduling the report to be routinely run and emailed can be a useful
way of monitoring ongoing traffic behavior as well as policy performance.
The report options and report section options offer the same functions as other reports for saving, printing, emailing
and exporting the report, and for editing the graphical displays.
The report has a Report Criteria section and a Report section.
Report Criteria section
The Report Criteria section includes the following controls:
Select Policy
This box displays an expandable and collapsible tree listing service policies and performance and availability policies.
Expand the tree as necessary to select the service segment or service location policy, or the performance and
availability policy, that you want the report run for.
Figure 13-33. Service Level Objective report - Report Criteria
Time frame
Specify the time frame of the report as relative to the current time or as an absolute time interval:
Relative to the current time can be:

• Starting - Specify the most recent number of minutes, hours, days, weeks, months or years that the report is to cover, ending now. For example, if you specify the Starting value as 1 week ago, then the time frame of the report will start at this time last week and end now. If you specify 1 year ago, the time frame will start at this time on this date last year and end now.
• Previous - Specify the most recently ended full minute, hour, day, week, month or year before the current minute, hour, day, week, month or year, respectively. For example, if the current time is 10:17 AM Wednesday and you specify the Previous value as 1 hour, then the time frame of the report will start at 9:00 AM and end at 10:00 AM today. If you specify the previous 1 week, the time frame will start at 12:00 AM Monday of last week and end at 12:00 AM Monday of this week. If you specify the previous year, then the time frame will start at 12:00 AM, January 1st of last year and end at 12:00 AM, January 1st of this year.
For an absolute time interval, use the From/To field. Specify the time frame either by entering dates and times
manually or by:

• Clicking the date to display a calendar tool, then choosing a date from the calendar.
• Clicking a time to display a list box of times, then choosing a time from the list.
The time frame starts at the “From” time and ends at the “To” time.
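The Starting and Previous semantics described above, worked through as an added Python example (not code from the guide or the product). The guide's 10:17 AM Wednesday sample time is placed on the constructed date Wednesday 6 February 2013; the function names are assumptions.

```python
import calendar
from datetime import datetime, timedelta

# Constructed "now": the guide's 10:17 AM Wednesday example, placed on Wednesday 6 February 2013.
NOW = datetime(2013, 2, 6, 10, 17)


def _shift_months(moment, months):
    """Move a datetime back by whole months, clamping the day to the target month's length."""
    index = moment.year * 12 + (moment.month - 1) - months
    year, month0 = divmod(index, 12)
    day = min(moment.day, calendar.monthrange(year, month0 + 1)[1])
    return moment.replace(year=year, month=month0 + 1, day=day)


def starting_frame(now, amount, unit):
    """'Starting': the most recent <amount> <unit>, ending now ("this time last week", etc.)."""
    if unit in ("minutes", "hours", "days", "weeks"):
        start = now - timedelta(**{unit: amount})
    elif unit == "months":
        start = _shift_months(now, amount)
    elif unit == "years":
        start = _shift_months(now, 12 * amount)
    else:
        raise ValueError(f"unknown unit {unit!r}")
    return start, now


def _floor(now, unit):
    """Truncate now to the start of the current minute/hour/day/week/month/year."""
    if unit == "minutes":
        return now.replace(second=0, microsecond=0)
    if unit == "hours":
        return now.replace(minute=0, second=0, microsecond=0)
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "days":
        return day
    if unit == "weeks":
        return day - timedelta(days=day.weekday())   # back to 12:00 AM Monday
    if unit == "months":
        return day.replace(day=1)
    if unit == "years":
        return day.replace(month=1, day=1)
    raise ValueError(f"unknown unit {unit!r}")


def previous_frame(now, amount, unit):
    """'Previous': the most recently ended <amount> full <unit>(s) before the current one."""
    end = _floor(now, unit)                 # start of the current unit is the end of the frame
    start, _ = starting_frame(end, amount, unit)
    return start, end


def frame_text(now, amount, unit, mode):
    """Return the frame as (start, end) strings; mode is 'starting' or 'previous'."""
    compute = previous_frame if mode == "previous" else starting_frame
    start, end = compute(now, amount, unit)
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


if __name__ == "__main__":
    for amount, unit, mode in ((1, "hours", "previous"), (1, "weeks", "previous"),
                               (1, "years", "previous"), (1, "weeks", "starting")):
        start, end = frame_text(NOW, amount, unit, mode)
        print(f"{mode:>8} {amount} {unit:<6}: {start} to {end}")
```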
Report section
Graphs show the performance of each metric in the policy that has been selected and initialized. Each graph shows the:

• Current value of the traffic attribute being monitored.
• Typical value of the attribute for this time of the day and day of the week.
• Range of variations from the typical value that are tolerated as being normal for the current sensitivity setting. The solid light green area displays the tolerance range.
• Zone where the value of the attribute exceeded the tolerance range. A point outside the tolerance range is referred to as an “outlier.” The time frame in which an outlier occurred is displayed in yellow or red. Click in the yellow or red area to run an Event Report for the time frame.
Metric values that lie within the green tolerance range are treated as normal. Those within the yellow tolerance range
indicate a low alert condition. Each instance of the plot of actual traffic behavior going outside the tolerance range is
regarded as an “outlier.” That is, an outlier is a point where actual traffic behavior differs from typical behavior by
more than the amount that you have specified as being within the tolerance of the policy. Values exceeding the green
tolerance range cause a yellow outlier indication. Values exceeding the yellow tolerance range cause a red outlier
indication. The Profiler uses outliers to determine if a policy violation has occurred.
Multiple outliers may be determined to be part of the same event. Because of the number of factors analyzed in
determining if a policy violation event has occurred, the number of outliers does not directly indicate how many events
will be detected.
Figure 13-34. Service Level Objective report - results section
Performance Investigation reports
Performance Investigation Reports provide visual indications of the performance of an application delivery path. You
specify the application delivery path in terms of one or more attributes, such as application, ports, protocols, servers,
clients, and QoS classes. The report displays traffic volumes and performance metrics so that you can visually correlate
changes on multiple aspects of the delivery path performance.
Performance Investigation Reports are available from the General Information Reports section of the Reports >
Shortcuts page Built-in tab. When you run the report from the Shortcuts page, you must specify the reporting criteria.
That is, you use the Report Criteria section to limit the report to the applications, ports, protocols, servers, clients, and
QoS classes that are of interest. Empty fields are interpreted as meaning “all.”
Figure 13-35. Performance Investigation report - Report Criteria
Report-level options allow you to save, print or email the report. You can also change the display units and change the
group type by which host groups are reported.
Section-level options allow you to modify graphical displays, change table columns, filter content, and export data.
The report provides the following information for the specified delivery path elements and time frame:

• Application Analysis section - graphs displaying response times in milliseconds and traffic volumes in bits, packets, or connections per second.
• Client Analysis section - graphs displaying the number of clients and the response times and traffic volumes for the top 10 client groups that are peers of the specified client's host group.
• Server Analysis section - graphs displaying response times and traffic volumes for the top 10 server hosts.
• Details section - tables listing traffic volumes by application with port and by host pair with port.
Figure 13-36. Performance Investigation report - results section
95th Percentile report
The 95th Percentile report is run from the Investigation Reports section of the Reports > Shortcuts page Built-in tab.
It is a network interface report that displays the 95th percentile of interface usage. By eliminating the high outliers, the
95th percentile display provides a graphical indication of the “water level” and “head room” of your bandwidth
utilization.
By default the report displays peak and average inbound and outbound traffic volumes for the most recent hour and
indicates the 95th percentile level of traffic volume. Just click Run now.
Figure 13-37. 95th Percentile report
After you have run the report, you can choose Edit Settings from the Overall Traffic graph menu and select the 80th
or 90th percentiles for display. You can also use settings in the Report Criteria section to limit the report to traffic on
specific interfaces or with specific QoS values, applications, protocols or ports. Additionally, you can use the Time
Frame control to specify the time the report covers.
By default the report uses 1-minute data resolution and combines five 1-minute records into one 5-minute record. The
graph plots the values of the 5-minute intervals over time. Switching to a longer data resolution interval decreases the
accuracy of the percentile calculations. For data resolution intervals of longer than one minute, 1-minute records are
not combined into 5-minute records.
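The percentile calculation described above, as an added example that is not the guide's or the appliance's own code. The guide does not say which percentile definition the appliance uses, so this code assumes the nearest-rank method; the two-hour series of 1-minute samples, the link capacity and the names `aggregate`, `percentile`, `water_level`, `headroom` and `summary` are constructed for the example. It follows the default described above (five 1-minute records averaged into one 5-minute record, percentile taken over the 5-minute records) and also evaluates the same series at 1-minute and 60-minute resolution, so the effect of the resolution setting on the answer is visible.

```python
"""Added example (not from the Cascade guide): the 95th-percentile "water level"
of interface usage computed from 1-minute samples the way the report describes:
five 1-minute records are averaged into one 5-minute record, then the percentile
is taken over the 5-minute records. Nearest-rank percentile is an assumption;
the samples and link capacity are constructed. Units are Mbit/s.
"""
import math
from statistics import mean

# Constructed two-hour series of 1-minute inbound samples: a flat 100 Mbit/s
# baseline with three short bursts (minutes 10-11, 37 and 80).
SAMPLES_1MIN = [100] * 120
SAMPLES_1MIN[10] = SAMPLES_1MIN[11] = 900
SAMPLES_1MIN[37] = 1500
SAMPLES_1MIN[80] = 2100

LINK_CAPACITY = 1000  # assumed interface speed, Mbit/s


def aggregate(samples, factor):
    """Average each run of `factor` consecutive records into one record.
    A trailing partial run is averaged over the records it actually has."""
    if factor < 1:
        raise ValueError("factor must be >= 1")
    return [mean(samples[i:i + factor]) for i in range(0, len(samples), factor)]


def percentile(values, pct):
    """Nearest-rank percentile: sort ascending and take the record at rank
    ceil(pct/100 * n). Everything above that rank, the top (100 - pct)% of
    records, is the outlier set the percentile line ignores."""
    if not values:
        raise ValueError("no records")
    if not 0 < pct <= 100:
        raise ValueError("pct must be in (0, 100]")
    ordered = sorted(values)
    rank = math.ceil(pct / 100 * len(ordered))
    return ordered[rank - 1]


def water_level(samples_1min, pct=95, factor=5):
    """Percentile of usage after combining `factor` 1-minute records into one
    (the report's default is five, i.e. 5-minute records)."""
    return percentile(aggregate(samples_1min, factor), pct)


def headroom(samples_1min, capacity=LINK_CAPACITY, pct=95, factor=5):
    """Capacity left between the percentile water level and the link speed."""
    return capacity - water_level(samples_1min, pct, factor)


def summary(samples_1min, factor=5):
    """Peak, average and the 80th/90th/95th percentile levels, plus how many of
    the aggregated records the 95th percentile actually discards: floor(n/20),
    which is zero for fewer than 20 records."""
    records = aggregate(samples_1min, factor)
    n = len(records)
    return {
        "peak": max(samples_1min),
        "average": mean(samples_1min),
        "p80": percentile(records, 80),
        "p90": percentile(records, 90),
        "p95": percentile(records, 95),
        "records": n,
        "discarded_at_p95": n - math.ceil(0.95 * n),
    }


if __name__ == "__main__":
    print(summary(SAMPLES_1MIN))
    print("headroom at p95:", headroom(SAMPLES_1MIN), "Mbit/s")
    # Resolution changes the answer: the same series at 1-, 5- and 60-minute records.
    for f in (1, 5, 60):
        print(f"{f:2d}-minute records: p95 = {water_level(SAMPLES_1MIN, 95, f)}")
```

The small-sample caveat is the one to keep in mind when reading the report: nearest-rank at 95% discards only floor(n/20) of the n records, so a one-hour time frame at 5-minute resolution (12 records) discards nothing and the "95th percentile" line is simply the busiest 5-minute interval. Widen the time frame, or use 1-minute resolution, before treating the line as headroom.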
The menu for the Overall Traffic graph section of the report allows you to export the graph data as a comma-separated
value (CSV) file. The Report Options menu at the upper right side of the page allows you to save, schedule, print, email
or export the entire report.
Figure 13-38. 95th Percentile report - Report Criteria
SDN (Software-defined Networks) Reports
The Profiler and Express support software-defined networks based on the IETF Internet Draft titled “VXLAN: A
Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks.” The appliances monitor traffic
carried by virtual networks in a VXLAN environment and provide the following reports:
• “VXLAN Summary Report” on page 201
• “Virtual Network Information Report” on page 205
• “Tunnel Endpoint Information Report” on page 208
VXLAN technology
VXLAN (Virtual Extensible LAN) technology enables multiple virtual networks to coexist as overlays on the same
physical network. Each virtual network is independent of all other virtual networks and of the physical network. Each
can have its own IP address space.
Each virtual network is identified by a VNI, which is a “VXLAN network [segment] identifier” or simply a “virtual
network identifier.” On the Profiler or Express, VNIs can be assigned names and descriptions for convenience.
A hypervisor runs a VXLAN software environment in which a large number of virtual machines serve as virtual hosts
for end users. The virtual hosts can connect to one another within that hypervisor. The hypervisor also runs a tunnel
endpoint, which allows its virtual hosts to connect to virtual hosts running in VXLAN software hosted by other
hypervisors. This is made possible by a UDP tunneling protocol that encapsulates the Ethernet frames of the virtual
traffic in UDP datagrams for transport over the physical network from one tunnel endpoint to another tunnel endpoint.
Additionally, VXLAN-enabled gateway devices enable connections between virtual hosts and hosts on other networks.
If your organization uses VXLAN virtualization technology internally, then you can set up virtual networks for
different departments so that the network for one department is logically isolated from the network for another
department.
If your organization provides network services to outside customers, then you can set up a virtual network for each
customer to ensure that no customer can access another customer's network.
The customer (virtual network user) is considered a tenant. The customer's traffic is referred to as tenant traffic. Tenant
traffic flows between virtual hosts running on the same hypervisor and also, by way of UDP datagrams being tunneled
between hypervisors, to virtual hosts running on other hypervisors. The appliance reports how much tenant traffic is
flowing between virtual hosts on the same hypervisor (intra-machine traffic) and how much traffic is being tunneled
over the physical network between hypervisors (inter-machine traffic).
You can use the Virtual Network Information report to monitor how virtual hosts are communicating over a virtual
network and use the Tunnel Endpoint Information report to monitor how much of a load they are placing on the
physical network.
The VXLAN administrator may be able to reduce the load on your physical network by moving related virtual hosts
to the hypervisor that they would otherwise be tunneling to.
The Profiler also reports the traffic across the physical and virtual interfaces of the hypervisors. The physical interfaces
that a hypervisor uses to communicate with other endpoints are referred to as uplink interfaces. The interfaces that the
virtual hosts use when they need to access virtual hosts on other hypervisors are referred to as access interfaces.
Consult with your VXLAN administrator or designer if you need more information about how virtual machines within
a VXLAN environment communicate with one another and how they might possibly be moved to reduce the load on
the physical network.
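The encapsulation described above, as an added example that is not the guide's or the appliance's code: a Python decoder for VXLAN-over-UDP packets as they appear on the physical network (UDP port 4789, the 8-byte VXLAN header with its I flag and 24-bit VNI, then the tenant's Ethernet frame, as specified in RFC 7348, the published form of the draft the guide cites), followed by the same roll-up the tunnel-traffic views use: tenant bytes per VNI and physical bytes per tunnel endpoint pair. The packets, VTEP and tenant addresses, VNIs and the `KNOWN_VNIS` registry are constructed for the example, and every function name is an assumption. Because each virtual network has its own address space, the same tenant address under two VNIs is two different hosts, so the roll-up keys on the VNI and never on the inner address alone.

```python
"""Added example (not from the Cascade guide): decode VXLAN-over-UDP packets as
seen on the physical network and roll them up per virtual network (VNI) and per
tunnel endpoint pair, as the Tunnel Traffic views do. Packets, addresses, VNIs
and the tenant registry are constructed for the example.
"""
import socket
import struct
from collections import defaultdict, namedtuple

VXLAN_UDP_PORT = 4789   # IANA port for VXLAN (RFC 7348)
VXLAN_I_FLAG = 0x08     # "VNI present" flag; set on every valid VXLAN packet

# Assumed tenant registry: the VNIs expected on this physical network.
KNOWN_VNIS = {5001: "engineering", 5002: "finance"}

Record = namedtuple("Record", "vtep_src vtep_dst vni inner_src inner_dst outer_len inner_len")


def build_vxlan_packet(vtep_src, vtep_dst, vni, inner_src, inner_dst, payload_len, flags=VXLAN_I_FLAG):
    """Construct outer IPv4/UDP/VXLAN + inner Ethernet/IPv4 bytes (example input only)."""
    ipv4 = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
    inner_ip = struct.pack(ipv4, 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                           socket.inet_aton(inner_src), socket.inet_aton(inner_dst))
    inner_eth = bytes.fromhex("020000000002" "020000000001" "0800") + inner_ip + b"\x00" * payload_len
    vxlan = bytes([flags, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_eth
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    outer_ip = struct.pack(ipv4, 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                           socket.inet_aton(vtep_src), socket.inet_aton(vtep_dst))
    return outer_ip + udp


def parse_vxlan(packet):
    """Decode one outer packet. Raises ValueError unless it is well-formed VXLAN-over-UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or len(packet) < ihl + 8:
        raise ValueError("not UDP")
    vtep_src, vtep_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    _, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not the VXLAN port")
    vx = packet[ihl + 8:ihl + 16]
    if len(vx) < 8:
        raise ValueError("truncated VXLAN header")
    if not vx[0] & VXLAN_I_FLAG:
        # Without the I flag the VNI field is not valid; reserved bits are ignored (RFC 7348).
        raise ValueError("VXLAN I flag clear")
    vni = int.from_bytes(vx[4:7], "big")
    inner = packet[ihl + 16:]
    if len(inner) < 14:
        raise ValueError("truncated inner Ethernet frame")
    inner_src = inner_dst = None
    if inner[12:14] == b"\x08\x00" and len(inner) >= 34:  # inner IPv4: tenant addresses
        inner_src, inner_dst = socket.inet_ntoa(inner[26:30]), socket.inet_ntoa(inner[30:34])
    return Record(vtep_src, vtep_dst, vni, inner_src, inner_dst, len(packet), len(inner))


def tally(packets):
    """Roll-up: tenant bytes per VNI (inner frames, what the tenant sent), physical
    bytes per unordered VTEP pair (outer packets, the load on the physical network),
    packets on VNIs outside the registry, and malformed packets."""
    per_vni, per_pair, unknown_vni, malformed = defaultdict(int), defaultdict(int), [], 0
    for pkt in packets:
        try:
            r = parse_vxlan(pkt)
        except ValueError:
            malformed += 1
            continue
        per_vni[r.vni] += r.inner_len
        per_pair[tuple(sorted((r.vtep_src, r.vtep_dst)))] += r.outer_len
        if r.vni not in KNOWN_VNIS:
            unknown_vni.append((r.vni, r.vtep_src, r.vtep_dst))
    return dict(per_vni), dict(per_pair), unknown_vni, malformed


# Constructed capture: three VTEPs, two registered VNIs, one unregistered VNI and
# one packet with the I flag clear. 192.168.1.10 appears under both VNI 5001 and
# 5002; those are two different hosts in two address spaces.
CAPTURE = [
    build_vxlan_packet("10.0.0.1", "10.0.0.2", 5001, "192.168.1.10", "192.168.1.20", 100),
    build_vxlan_packet("10.0.0.2", "10.0.0.1", 5001, "192.168.1.20", "192.168.1.10", 200),
    build_vxlan_packet("10.0.0.1", "10.0.0.3", 5002, "192.168.1.10", "192.168.1.30", 50),
    build_vxlan_packet("10.0.0.1", "10.0.0.2", 9999, "192.168.1.10", "192.168.1.40", 10),
    build_vxlan_packet("10.0.0.1", "10.0.0.2", 5001, "192.168.1.10", "192.168.1.20", 10, flags=0x00),
]

if __name__ == "__main__":
    per_vni, per_pair, unknown_vni, malformed = tally(CAPTURE)
    for vni, nbytes in sorted(per_vni.items()):
        print(f"VNI {vni} ({KNOWN_VNIS.get(vni, 'UNREGISTERED')}): {nbytes} tenant bytes")
    for (a, b), nbytes in sorted(per_pair.items()):
        print(f"VTEP pair {a} <-> {b}: {nbytes} bytes on the physical network")
    print("unregistered VNIs:", unknown_vni, "| malformed packets:", malformed)
```

Two things the plain traffic figures do not show but a monitoring point on the physical network should: a VNI that is not in the tenant registry (a misconfigured or rogue segment appearing between tunnel endpoints) and packets on the VXLAN port with the I flag clear, which carry no valid VNI and are counted as malformed rather than attributed to a tenant. Only inter-machine traffic is visible here; intra-machine traffic never leaves the hypervisor, which is why the appliance needs the hypervisor's own accounting for that part.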
VXLAN Summary Report
The VXLAN Summary report can be run from the Reports > Shortcuts page. It provides an overview of the entire
VXLAN environment including tenant traffic and tunneled traffic. It is a good starting point for identifying VXLAN
configuration problems.
The VXLAN Summary report page has four sections:
• Report Criteria
• Summary of VXLAN Environment
• Virtual Network Details: Tenant Traffic
• Physical Network Details: Tunnel Traffic
All sections have menus for actions that can be performed on the section.
Report Criteria
Expand the Report Criteria section to specify if the report format is to include the virtual network and physical network
details sections. You can also choose a time frame for the report.
Figure 13-39. Reports > Shortcuts > VXLAN Summary report - Report Criteria
Summary of VXLAN Environment
The Summary section displays:
Virtual Network Summary
• Total Virtual Networks – number of virtual networks seen during the specified time frame
• Total Virtual Network <units> – all tenant traffic, whether occurring only between virtual machines on a
hypervisor or being tunneled between virtual machines on different hypervisors
• Total Tunnel <units> – traffic on the physical network that is tunneling virtual traffic between hypervisors
• % of Virtual-only Traffic – the percent of the traffic in all virtual networks that is intra-machine traffic
Breakdown of Virtual Network Traffic
A pie chart shows the percentages of inter-machine traffic and intra-machine traffic. The larger the percentage of
intra-machine traffic, the less of a load the virtual network is placing on the physical network. The larger the percentage of
inter-machine traffic (virtual traffic being tunneled between hypervisors), the greater a load the virtual network is
placing on the physical network.
Virtual Traffic Volume by Avg Inter-machine Bytes/s, Avg Intra-machine Bytes/s
A line chart displays the amount of traffic between virtual hosts located on the same hypervisors and traffic between
virtual hosts located on different hypervisors.
Virtual Network Details: Tenant Traffic
A tenant is the organization using a virtual network in a VXLAN environment. Virtual hosts are implemented on
virtual machines in the tenant's virtual network. Traffic between the tenant's virtual hosts is tenant traffic.
Tenant traffic may be between virtual hosts running on the same hypervisor (intra-machine traffic) or it may be
between virtual hosts running on different hypervisors (inter-machine traffic). Inter-machine connections require
tunneling the tenant traffic over the physical network.
A VXLAN environment can support many virtual networks. Each is an independent overlay on the physical network.
That is, one tenant has no knowledge of other tenants or of the physical network.
Figure 13-40. Reports > Shortcuts > VXLAN Summary report - results section
This section of the report lists the average traffic volumes for the report time frame for:
• Top 10 virtual networks
• All virtual networks
• Top 10 tunnel endpoints
• All tunnel endpoints
The Top 10 lists can be exported to CSV (comma-separated value) files. On the other tables you can:
• Add or remove columns. For additional detail, choose Add/Remove Columns from the menu for the section. This
opens the column chooser. Double-click a metric in the column chooser to add it to the table.
• Change the number of rows displayed in the table.
• Show a filter that allows you to limit the table to virtual networks meeting specific criteria.
• Export the table to a CSV file.
Physical Network Details: Tunnel Traffic
This section of the report displays traffic on the physical network that is transporting tunneled virtual traffic from one
tunnel endpoint to another. It indicates the load that each individual virtual network is placing on the physical network.
It reports traffic volumes of the physical network for:
• Top 10 virtual networks being tunneled over the physical network
• All virtual networks being tunneled over the physical network
• Tunnel endpoint pairs – graphical representations of the tunnel endpoints at each end of connections that are
tunneling tenant traffic
The Top 10 lists can be exported to CSV (comma-separated value) files. On the table listing all virtual networks you
can:
• Add or remove columns. For additional detail, choose Add/Remove Columns from the menu for the section. This
opens the column chooser. Double-click a metric in the column chooser to add it to the table.
• Change the number of rows displayed in the table.
• Show a filter that allows you to limit the table to virtual networks meeting specific criteria.
• Export the table to a CSV file.
The menu in the title bar of the connection graph enables you to:
• Edit settings – control the size and layout format for displaying the network components
• Export to CSV – export the data from the display to a file in comma-separated value format
• Export to PDF – export the display to a PDF file
• Export to SVG – export the display to a file that can be opened and edited by Microsoft Visio
• Reroute Edges – clean up the diagram after you have made layout adjustments. This improves the display of
connections between network components without moving the network component displays.
Virtual Network Information Report
The Virtual Network Information report provides detailed information about a specified virtual network. You must
specify the name or VNI of the virtual network to be reported. You can enter it manually or use the Browse feature to
locate the virtual network.
The report has four sections:
• Report Criteria
• Summary
• Virtual Network Details: Tenant Traffic
• Physical Network Details: Tunnel Traffic
All sections have menus for actions that can be performed on the section.
Report Criteria
Use the Report Criteria section to specify the virtual network and if the report format is to include the virtual network
and physical network details sections. You can also choose a time frame for the report.
Figure 13-41. Virtual Network Information report - Report Criteria
Summary
The Summary section displays the following.
Virtual Network Summary
• Virtual Network – name of the virtual network (as defined on the Definitions > Interface Groups page)
• VNI Description – description of the virtual network (as defined on the Definitions > Interface Groups page)
• Total Tunnel Endpoints – number of tunnel endpoints used by the virtual network
• Hosts seen – number of virtual hosts seen on the network during the report time frame
• Total Virtual Network <units> – all tenant traffic, whether occurring only between virtual machines on a
hypervisor or being tunneled between virtual machines on different hypervisors
• Total Tunnel <units> – traffic on the physical network that was tunneling virtual traffic between hypervisors
• % of Virtual-only Traffic – the percent of the traffic in this virtual network that was intra-machine traffic
Figure 13-42. Reports > Shortcuts > Virtual Network Information report - results section
Virtual Network Traffic Summary
This section lists the total and average traffic statistics for this virtual network for the time frame of the report.
Breakdown of Virtual Network Traffic
A pie chart shows the percentages of inter-machine traffic and intra-machine traffic. The larger the percentage of
intra-machine traffic, the less of a load the virtual network is placing on the physical network. The larger the percentage of
inter-machine traffic (virtual traffic being tunneled between hypervisors), the greater a load the virtual network is
placing on the physical network.
Virtual Traffic Volume by Avg Inter-machine Bytes/s, Avg Intra-machine Bytes/s
A line chart displays the amount of traffic between virtual hosts located on the same hypervisors and traffic between
virtual hosts located on different hypervisors.
Virtual Network Details: Tenant Traffic
A tenant is the organization using a virtual network in a VXLAN environment. Virtual hosts are implemented on
virtual machines in the tenant's virtual network. Traffic between the tenant's virtual hosts is tenant traffic.
This section of the report lists the average tenant traffic volumes for the report time frame as follows.
• Traffic Volume line graph – displays tenant traffic volume for the virtual network. Tenant traffic may be between
virtual hosts running on the same hypervisor (intra-machine traffic) or it may be between virtual hosts running on
different hypervisors (inter-machine traffic). Inter-machine connections require tunneling the tenant traffic over
the physical network.
The menu for the graph section enables you to export the data as a comma-separated value (CSV) file. It also has
an Edit Settings option for modifying the display.
Additionally, you can use the zoom controls to modify the display.
• Top 10 Hosts pie chart – displays the percentage of the virtual network traffic attributable to each of the top 10
busiest virtual hosts.
• Top 10 Hosts line graph – displays the percentage of the virtual network traffic attributable to each of the top 10
busiest virtual hosts. The menu for this section includes options for exporting the data to a CSV file and editing
the display settings. The Edit Settings option allows you to:
  – Switch between a stacked display and a line display.
  – Switch between linear and logarithmic display scales.
  – Extend the Y-axis to zero. This is useful for retaining perspective when two plots differ by a relatively small
amount.
• Hosts table – lists the average traffic volumes for all the virtual hosts seen on the virtual network during the time
frame of the report.
• Top 10 Applications with Ports pie chart – displays the percentage of the virtual network traffic attributable to
each of the top 10 busiest applications on the virtual network.
• Applications with Ports table – lists the average traffic volumes for all the applications seen on the virtual
network during the time frame of the report.
• Top 10 Host Pairs pie chart – displays the percentage of the virtual network traffic attributable to each of the top
10 busiest virtual host pairs on the virtual network.
• Host Pairs table – lists the average traffic volumes for all the virtual host pairs seen on the virtual network during
the time frame of the report.
• Virtual Network Host Pairs connection graph – displays connections between virtual hosts on the virtual network.
• Virtual Network Flows table – lists all flows seen in the virtual network during the time frame of the report.
When a virtual host connects to a physical host, there are two flows. The first flow is between the virtual host and
the VXLAN-enabled gateway that serves as a proxy for connecting to the physical network. This flow is included
in the Virtual Network Flows table. The second flow is between the gateway and the host in the physical network.
That flow is not included in the Virtual Network Flows table.
This table could be large, so it is deselected in the Report Criteria section by default.
Physical Network Details: Tunnel Traffic
This section of the report displays traffic on the physical network that is transporting tunneled virtual traffic from one
tunnel endpoint to another. It indicates the load that the specified virtual network is placing on the physical network,
as follows:
• Traffic Volume line graph – lists traffic on the physical network that is tunneling virtual traffic for the specified
virtual network.
The menu for the graph section enables you to export the data as a comma-separated value (CSV) file. It also has
an Edit Settings option for modifying the display.
Additionally, you can use the zoom controls to modify the display.
• Top 10 Tunnel Endpoint pie chart – displays the percentage of the physical network traffic attributable to each of
the top 10 busiest tunnel endpoints.
• Top 10 Tunnel Endpoint line graph – displays the percentage of the physical network traffic attributable to each
of the top 10 busiest tunnel endpoints. The menu for this section includes options for exporting the data to a CSV
file and editing the display settings. The Edit Settings option allows you to:
  – Select which tunnel endpoints to include in the graph.
  – Switch between a stacked display and a line display.
  – Switch between linear and logarithmic display scales.
  – Extend the Y-axis to zero. This is useful for retaining perspective when two plots differ by a relatively small
amount.
• Tunnel Endpoints table – lists the average traffic volumes for all tunnel endpoints seen on the virtual network
during the time frame of the report.
• Tunnel Endpoint Pairs connection table – displays graphical representations of the tunnel endpoints at each end
of connections that are tunneling tenant traffic.
• Tunnel Flows table – lists all flows that were tunneling tenant traffic across the physical network during the time
frame of the report. This table could be large, so it is deselected in the Report Criteria section by default.
Tunnel Endpoint Information Report
The Tunnel Endpoint Information report provides detailed information about a specified tunnel endpoint.
The report has four sections:
• Report Criteria
• Summary
• Virtual Network Details: Tenant Traffic
• Physical Network Details: Tunnel Traffic
All sections have menus for actions that can be performed on the section.
Report Criteria
In this section you must specify the tunnel endpoint to be reported. You can optionally limit the report to traffic for a
specified virtual network. Except for requiring the tunnel endpoint, the report runs using default settings unless you
modify the settings in this section.
Figure 13-43. Tunnel Endpoint Information report - Report Criteria
The Report Criteria section includes the following settings:
• VXLAN (Optional) – To limit the report to a specified virtual network, open the VXLAN section and browse to a
virtual network.
• Tunnel Endpoint – This is a required field. Click Browse to open the lookup tool and search for tunnel endpoints.
In the list of tunnel endpoints, you can mouse over the Details icon to identify the tunnel endpoint you want to
report on. The Paths section of the Details popup identifies the virtual networks that are using the tunnel endpoint.
If you use the Virtual Network field to limit the report to a virtual network, ensure that the selected tunnel
endpoint includes that virtual network.
• Report Format – Select which sections of the report to include. The report always includes the Summary section.
It must also include at least one of the following Report Format selections:
  – Show Virtual Network Traffic Details – Select this to include the Virtual Network Details: Tenant Traffic section
in the report. This requires that you specify a virtual network. If you leave the Virtual Network field empty, then
the Virtual Network Details: Tenant Traffic section does not appear.
  – Show Tunnel Traffic Details – Select this to include the Physical Network Details: Tunnel Traffic section.
  – Show Flow List – Select this to include a virtual network flow list in the Virtual Network Details: Tenant Traffic
section and a tunnel flow list in the Physical Network Details: Tunnel Traffic section. This option is deselected by
default because the flow lists may be quite long.
• Time Frame – Specify the time frame for the information reported.
• Data Resolution – The data resolution determines the granularity of the data points on the graphs. By default it is
set to automatic to optimize the display for the selected time frame.
Summary
The Summary section includes the following:
Tunnel Endpoint Summary
The Tunnel Endpoint Summary section includes:
• Tunnel Endpoint – the IP address of the tunnel endpoint being reported
• Total Virtual Networks – the number of virtual networks using the specified tunnel endpoint
• Total Physical Switch Ports – the number of physical switch ports used by the tunnel endpoint. The tunnel
endpoint uses these switch ports to communicate with other tunnel endpoints. These are referred to as uplink
ports.
• Total Virtual Switch Ports – the number of virtual switch ports in use by the tunnel endpoint. These are referred
to as access ports.
• Total Tunnel Endpoints – the number of peer tunnel endpoints this tunnel endpoint communicates with
• Total Virtual Network <units> – the total amount of virtual network traffic seen by this tunnel endpoint. This
includes all tenant traffic for the virtual network, whether occurring only between virtual machines on the
hypervisor or being tunneled between virtual machines on different hypervisors. If no virtual network was
specified, then this figure includes the traffic of all virtual networks that used this tunnel endpoint during the time
frame of the report.
• Total Tunnel <units> – traffic on the physical network that was tunneling virtual traffic between hypervisors
• % of Virtual-only Traffic – the amount of virtual network traffic, expressed as a percent of total virtual network
traffic, that used this tunnel endpoint for intra-machine conversations.
Figure 13-44. Reports > Shortcut > Tunnel Endpoint - Summary section
Breakdown of Virtual Network Traffic
A pie chart shows the percentages of inter-machine traffic and intra-machine traffic for this tunnel endpoint. The larger
the percentage of intra-machine traffic, the less of a load the virtual network is placing on the physical network. The
larger the percentage of inter-machine traffic (virtual traffic being tunneled between physical machines), the greater a
load the virtual network is placing on the physical network.
Virtual Network Details: Tenant Traffic
A tenant is the organization using a virtual network in a VXLAN environment. Virtual hosts are implemented on
virtual machines in the tenant's virtual network. Traffic between the tenant's virtual hosts is tenant traffic.
Because this is a tunnel endpoint report, the information in this section is limited to tenant traffic that uses the specified
tunnel endpoint. For that traffic, this section reports information about virtual hosts rather than about tunnel endpoints.
It lists the average tenant traffic volumes for the report time frame as follows.
• Traffic Volume line graph – displays tenant traffic volume for the tunnel endpoint. Tenant traffic may be between
virtual hosts running on the same hypervisor (intra-machine traffic) or it may be between virtual hosts running on
different hypervisors (inter-machine traffic), which the specified tunnel endpoint is tunneling.
The menu for the graph section enables you to export the data as a comma-separated value (CSV) file. It also has
an Edit Settings option for modifying the display.
Additionally, you can use the zoom controls to modify the display.
• Top 10 Hosts pie chart – displays the percentage of the total tenant traffic generated by the top 10 virtual hosts
that are using this tunnel endpoint.
• Hosts table – lists the average tenant traffic volumes seen during the time frame of the report. If no virtual
network is specified, then this includes tenant traffic for all virtual networks that include this tunnel endpoint.
• Top 10 Applications with Ports pie chart – displays the percentage of the tenant traffic attributable to each of the
top 10 busiest applications seen by the tunnel endpoint.
• Applications with Ports table – lists the average traffic volumes for all the applications seen by the tunnel
endpoint during the time frame of the report.
• Top 10 Host Pairs pie chart – displays the percentage of the virtual network traffic attributable to each of the top
10 busiest virtual host pairs on the virtual network. If no virtual network is specified, then this includes tenant
traffic for all virtual networks that include this tunnel endpoint.
• Host Pairs table – lists the average traffic volumes for all the virtual host pairs seen on the virtual network during
the time frame of the report.
• Tunnel Endpoint and Host Pairs connection graph – displays connections between virtual hosts and this tunnel
endpoint.
• Virtual Network Flows table – lists flows between entities on the virtual network seen during the time frame of
the report. This table could be large, so it is deselected in the Report Criteria section by default.
Physical Network Details: Tunnel Traffic
This section of the report displays traffic on the physical network that is transporting tunneled virtual traffic from this
tunnel endpoint to other tunnel endpoints, as follows:
• Traffic Volume line graph – lists traffic on the physical network over which this tunnel endpoint is tunneling
virtual traffic. This is inter-machine traffic and does not include intra-machine traffic.
The menu for the graph section enables you to export the data as a comma-separated value (CSV) file. It also has
an Edit Settings option for modifying the display.
Additionally, you can use the zoom controls to modify the display.
• Top 10 Virtual Networks pie chart – displays the percentage of the total tenant traffic carried by each virtual
network that includes this tunnel endpoint. If the report is limited to a virtual network (specified in the Report
Criteria section), then this chart will show that virtual network as generating 100% of the virtual traffic seen by
the tunnel endpoint.
• Top 10 Virtual Networks line graph – displays the percentage of the total virtual network traffic that is
attributable to each of the top 10 busiest virtual networks that include this tunnel endpoint. The menu for this
section includes options for exporting the data to a CSV file and editing the display settings. The Edit Settings
option allows you to:
  – Switch between a stacked display and a line display.
  – Switch between linear and logarithmic display scales.
  – Extend the Y-axis to zero. This is useful for retaining perspective when two plots differ by a relatively small
amount.
• Virtual Networks table – lists traffic statistics for the virtual networks that include this tunnel endpoint.
• Top 10 Tunnel Endpoint Peers pie chart – displays the percentage of the total physical network traffic attributable
to each of the top 10 tunnel endpoint peers of this tunnel endpoint.
• Top 10 Tunnel Endpoint Peers line graph – displays the percentage of the total physical network traffic
attributable to each of the top 10 tunnel endpoint peers of this tunnel endpoint. The menu for this section includes
options for exporting the data to a CSV file and editing the display settings. The Edit Settings option allows you
to:
  – Switch between a stacked display and a line display.
  – Switch between linear and logarithmic display scales.
  – Extend the Y-axis to zero. This is useful for retaining perspective when two plots differ by a relatively small
amount.
• Tunnel Endpoint Peers table – lists the average traffic volumes for connections between this tunnel endpoint and
all peer tunnel endpoints during the time frame of the report.
• Tunnel Endpoint Pairs connection graph – displays graphical representations of the tunnel endpoints at each end
of connections over which this tunnel endpoint is tunneling tenant traffic.
• Tunnel Flows table – lists all flows that this tunnel endpoint was using to tunnel tenant traffic across the physical
network during the time frame of the report. This table could be large, so it is deselected in the Report Criteria
section by default.
VoIP reports
The following pre-defined VoIP reports are available from the Reports > Shortcuts page.
• “VoIP Performance report”
• “VoIP Dependencies - Signaling report”
• “VoIP Dependencies - Calls report”
VoIP Performance report
The VoIP Performance report runs on an Express 460 appliance or on a Profiler or Express appliance that is receiving
VoIP metrics from a Cascade Shark appliance or an Express 460 appliance. It is set by default to report on traffic that
is identified as VoIP and RTP.
Although the Sensor appliance can report VoIP traffic statistics to a Profiler or Express, the Shark appliance or Express
460 appliance is required for reporting voice quality metrics, such as MOS, R-factor, Jitter and RTP packet loss.
Report Criteria section
The Report Criteria section enables you to limit the report to:
Figure 13-45. Reports > Shortcuts > VoIP Performance Report - Report Criteria section
• Hosts - IP addresses or resolvable DNS names of all devices accessible on the network. Click Browse to search
for hosts by host group type and host group.
• Peers - Peer hosts, subnets or host groups; what specified hosts are connecting to
• Applications - For the VoIP Performance report, this field is pre-populated to VoIP-RTP. The dash means “AND”
(VoIP and RTP) while a comma delimiter means “OR.” Limiting the report to VoIP traffic that uses the RTP
protocol excludes control plane traffic and includes only data plane traffic. You can click Browse and search for
other VoIP protocols if necessary.
• Protocols or ports used - Limit the report to specified port numbers, port names, port group names for TCP or
UDP protocols
• Quality of Service (QoS) classes - Click Browse to search for QoS classes.
• Group types - Limit the report to traffic involving hosts in host groups of a specified type.
• Time frame - Time frame of the report. Specify a period of time ending in the present or a From/To time span.
Leaving an attribute field blank means “all.”
The Report Criteria section enables you to select or deselect the display of sections of the report. The Report Format
options are:
• Show Network Usage Section
• Show Call Quality Section
• Show QoS Section
Traffic report section
Traffic reports contain multiple sections. The contents of a report depend on the tab from which it was run, and the
Report by and Report Format settings in the Report Criteria section. The report has a Report Options menu at the top
for options that act on the entire report, such as saving, scheduling, printing, exporting, emailing or changing
display units.
There are also controls in each section of each report, which apply only to the individual section. These provide options
for editing graphing options, changing table columns, changing the number of rows in a table, and exporting data from
tables and charts into Comma-Separated-Value (CSV) files.
Refer to the online help system for detailed descriptions of the formatting requirements for entering report criteria.
Network Usage section
The Network Usage section includes:

Traffic Volume by Avg Bits/s

Traffic by Application

Top 10 Host Groups by Avg Bits/s
Figure 13-46. Reports > Shortcuts > VoIP Performance Report - Network Usage section
Call Quality section
The Call Quality section includes:

Traffic Quality by Average MOS

Traffic Quality by Average Jitter (milliseconds)

Traffic Quality by % RTP Loss Packets

Worst 10 Host Groups by Minimum MOS

Traffic by Host Group

Host Group Pair by Average MOS

Traffic by Host Group Pair
Figure 13-47. Reports > Shortcuts > VoIP Performance Report - Traffic Quality by Average MOS
Figure 13-48. Reports > Shortcuts > VoIP Performance Report - Traffic Quality by Average Jitter (milliseconds)
Figure 13-49. Reports > Shortcuts > VoIP Performance Report - Traffic Quality by Percentage of RTP Loss Packets
Quality of Service section
The Quality of Service section includes:

Top 10 QoS by Average Bits/s

Traffic by QoS
Figure 13-50. Reports > Shortcuts > VoIP Performance Report - Worst 10 Host Groups by MOS
Figure 13-51. Reports > Shortcuts > VoIP Performance Report - Traffic by Host Group
Figure 13-52. Reports > Shortcuts > VoIP Performance Report - Host Group Pair by Average MOS
Figure 13-53. Reports > Shortcuts > VoIP Performance Report - Traffic by Host Group Pair
Figure 13-54. Reports > Shortcuts > VoIP Performance Report - Quality of Service section
VoIP Dependencies - Signaling report
The VoIP Dependencies - Signaling report is an application report. It reports traffic for connections between all clients
and servers within the monitored network that are made over ports typically used for Voice over IP. These are listed
by host pairs with ports or by host group pairs with ports. They are also displayed on a zoomable graph to indicate
dependencies. Additionally, the report includes a connection graph that illustrates dependencies between clients and
servers using VoIP ports.
If you are using the standard VoIP ports, then no inputs are needed to run this report.

Click Host to run the report for host pairs with ports, or

Click Site to run the report for host group pairs with ports.
Report Criteria
The Protocols or ports field of the Report Criteria section is pre-populated with the standard VoIP ports: tcp/1718, tcp/
1719, tcp/1720, tcp/2000, tcp/5060, tcp/5660, udp/1720, udp/2517 and udp/5060.
Figure 13-55. Reports > Shortcuts > VoIP Dependencies - Signaling report - Report Criteria section
You can modify the Report Criteria section to further limit the report, as follows.

VXLAN - Limit the report to a virtual network.

Applications - Click Browse to search for applications

Protocols or ports used - The Protocols or ports field of the Report Criteria section is pre-populated with the
standard VoIP ports: tcp/1718, tcp/1719, tcp/1720, tcp/2000, tcp/5060, tcp/5660, udp/1720, udp/2517. If your
network uses different ports for Voice over IP, you can modify the report criteria before running the report
and save your modified version as a report template.

Servers, subnets or groups - addresses or address ranges of servers or names of host groups

Clients, subnets or groups - addresses or address ranges of clients or names of host groups

Quality of Service (QoS) classes - Click Browse to search for QoS classes.

Time frame - Time frame of the report. Specify a period of time ending in the present or a From/To time span.
Leaving an attribute field blank means “all.”
The Report Format section enables you to select additional displays.
Overall Traffic section
The Overall Traffic section displays the average VoIP traffic volume over time. The graph can be shifted forward or
backward in time and zoomed to rerun the report on a narrower time frame.
Traffic Breakdown section
The Traffic Breakdown section displays the average volume of VoIP traffic and average number of connections
between clients and servers. It displays these in both a table and a connection graph.
Figure 13-56. Reports > Shortcuts > VoIP Dependencies - Signaling Report - Overall Traffic
Figure 13-57. Reports > Shortcuts > VoIP Dependencies - Signaling Report - Traffic Breakdown
VoIP Dependencies - Calls report
The VoIP Dependencies - Calls report is an application report. It reports traffic for connections between clients and
servers within the monitored network using Voice over IP applications. These are listed by host pairs with ports or by
host group pairs with ports. They are also displayed on a zoomable graph to indicate dependencies.
Additionally, the report includes a connection graph that illustrates dependencies between clients and servers using
VoIP applications.
The Applications field of the Report Criteria section is pre-populated with the VOIP-RTP application. If your network
uses a different application for Voice over IP, you can modify this field before running the report and save your
modified version as a report template.
You can further limit the report by specifying other criteria.
Figure 13-58. Reports > Shortcuts > VoIP Dependencies - Calls report - Report Criteria section
Audit Trail reports
Audit Trail reports are described in Chapter 6, “System Verification.”
Figure 13-59. Reports > Shortcuts > VoIP Dependencies - Calls report - results section
Analyzing packet information with Cascade Pilot
If a Cascade Shark is sending packet information to a Profiler or Express, then the Profiler or Express can provide
packet capture information to the Cascade Pilot either by sending it directly to Pilot or by exporting it as a packet
capture (pcap) file. You can right-click any host, host pair, port, protocol, or flow wherever it is reported and send
packet-level information about the reported item directly to Pilot for analysis or export it to a pcap file for later
analysis. In both cases, the packet information is limited to the selected item and the time frame of the report.
The Express 460 appliance performs packet capture itself, so you can export packet capture files or send packet
information to Pilot from the right-click menu without requiring a Shark appliance. Also, you can define packet capture
jobs and export full packet capture information as pcap files.
Additionally, the Express 460 allows Pilot users to connect to it just as they would connect to a Cascade Shark. A Pilot
user can request packet-level information from the Express 460 just as they would from a Shark, although Pilot cannot
log in to the Express 460 web interface to set up capture jobs. Express 460 capture jobs must be defined on the Express
460 Configuration > Packet Capture page. Refer to “Packet capture (Express 460 only)” on page 32.
The use of the Pilot packet analysis tool is described in the Cascade Pilot Reference Manual and in the product itself.
Refer to the reference manual, the training videos, and the help topics in Pilot for instructions on analyzing traffic at the
packet level.
This section describes accessing Pilot from within the Profiler. The advantage of this approach is that the Profiler
automatically provides Pilot with the context for the item that you want to investigate. That is, Pilot opens with the
information it needs to analyze the item that you right-clicked on in a Profiler or Express report. It uses this information
to obtain a packet trace from a Shark or Express 460. The packet information can be exported as a packet capture file
or analyzed and displayed by Pilot.
Prerequisites
There are several prerequisites for using Pilot from the Profiler:

User account - When you open Pilot from within the Profiler or Express to analyze packet data, it must connect
to the Shark or Express 460 to obtain the data. So you must provide login credentials if you are connecting to a
Shark.

Shark data export to Profiler - The Profiler or Express presents a menu of Shark appliances that you can select
as the source of the packet data you want to analyze with Pilot. The Profiler identifies all Shark appliances that
are sending the selected data to it. The Shark web interface allows the Shark administrator to set the Profiler
configuration on the Settings > Profiler Settings page to export the data seen on one or more Shark capture
interfaces to one or two Profiler or Express appliances. The Shark exports data about all traffic flows that it sees,
without any filtering.

Shark capture job - The Profiler and Express can display traffic information seen by the Shark whether or not a
capture job is configured on the Shark. However, a capture job is required in order to analyze the data in Pilot.
One or more capture jobs can be defined for each capture interface. A capture job can filter the data according to
a specification. When you use Pilot, you must specify which capture job it is to analyze. Note that catch and drop
filters specified for capture jobs have no effect on the data being sent directly to the Profiler or Express. They
affect only the data being sent to Pilot.

Packet capture on Express 460 - The Express 460 can be configured to capture packet data itself. It can also
receive data from Shark appliances. When exporting a packet capture file, you can select the Express 460 itself as
the source of the packet capture data or select any Shark that is sending data to the Express 460.
Analyzing Cascade Shark or Express 460 packet information
To use Pilot to analyze packet-level data for a host, host pair, port, protocol, or flow,
1. Right-click the item to display the shortcut menu.
2. Select Packets for this <selection> to display the submenu.
3. Select Analyze in Cascade Pilot.
Figure 13-60. Analyze in Cascade Pilot
This opens the “Analyze in Cascade Pilot” popup window. This window has a drop-down list of Shark
appliances.
Figure 13-61. Relevant Cascade Shark appliances
The window also lists the capture jobs that are running on the selected Shark.
4. Select the Shark appliance that you want to use as the source of the packet details you want to analyze. If you are
using an Express 460, it will be listed here along with the Shark appliances as the source of the packet information.
5. Click the link for the capture job that you want Pilot to analyze.
6. The Profiler or Express generates a Pilot script file based on the report criteria and the Shark capture job
parameters. Click the link to launch Pilot with the script file.
7. If required, Pilot displays a popup for you to enter the login credentials for the Shark that you have selected.
8. Enter the login credentials and click OK. This opens the main window of Pilot. The capture job you specified is listed
in both the Devices and Files panels. In the Files panel you can use the trace clip created for the selection in the
Profiler report. You can then apply views to the trace clip as necessary to analyze traffic at the packet level.
Refer to the Cascade Pilot documentation for descriptions of the features available for analyzing the traffic.
Traffic flow analysis shortcut
The right-click procedure for packet analysis allows you to analyze packet-level information for a host, host pair, port,
protocol, or flow reported anywhere in the Profiler user interface. However, an additional shortcut is provided for
analyzing traffic flows at the packet level. The Reports > Traffic pages have a report format option for displaying a
flow list. The first column in the table listing traffic flows displays a row number for each flow listed. This can be
clicked to analyze a traffic flow using the Cascade Pilot.
1. Left-click the flow list row number to display the “Analyze in Cascade Pilot” popup window. This window has a
drop-down list of Shark appliances classified as relevant and not relevant to the selected flow.
Figure 13-62. Analyze in Cascade Pilot window
The window also lists the capture jobs that are running on the selected Shark.
2. Choose the Shark appliance that you want to use as the source of the packet details you want to analyze. (The
relevant Shark appliance is pre-selected.)
3. Click the link for the capture job on that Shark appliance that you want Pilot to analyze.
4. The Profiler or Express generates a Pilot script file based on the Profiler report criteria and the Shark capture job
parameters. Click the link to launch Pilot with the script file.
5. If required, Pilot displays a popup for you to enter the login credentials for the Shark that you have selected.
6. Enter the login credentials and click OK. This opens the main window of Pilot. The capture job you specified is listed
in both the Devices and Files panels. In the Files panel you can use the trace clip created for the selection in the
Profiler report. You can then apply views to the trace clip as necessary to analyze traffic at the packet level.
Refer to the Cascade Pilot documentation for descriptions of the features available for analyzing the traffic.
Exporting Cascade Shark packet information
To use the Shark appliance to export a trace file for packets associated with a host, host pair, port, protocol, or flow
reported on the Profiler,
1. Right-click the item to display the shortcut menu.
2. Select Packets for this <selection> to display a submenu.
3. Select Export to PCAP file. This displays another submenu.
Figure 13-63. Export to PCAP file from a Shark appliance
4. Choose From Cascade Shark on the submenu. If there is only one Shark appliance sending data to the Profiler,
and if that one appliance has only one capture job, then this choice exports the PCAP file from that appliance.
Otherwise, the Profiler or Express displays the “Export a PCAP file” popup window and identifies the Shark
appliance that will be used.
Figure 13-64. Export a PCAP file popup
5. Select the Shark appliance that you want to use as the source of the packet details you want to export. With an
Express 460, you can select the Express 460 itself as the source, if capture jobs are defined.
6. Click the link for the capture job that you want to export data from.
7. If you are exporting from a Shark, the Profiler or Express connects to the Shark. The first time you connect to the
Shark you are prompted to approve the Shark certificate.
8. When your browser displays a download popup, choose the options necessary for saving the file. The Shark Web
Interface displays a popup for you to enter the login credentials for the Shark that you have selected.
9. Enter the login credentials and click OK. This gives you a link to download the trace file. The download may start
automatically, depending on the browser and its settings.
Packet reporting and export with Cascade Sensor
The Cascade Sensor monitors the network through taps or mirror ports. It sends traffic information to the Profiler for
display, reporting and alerting. However, the Sensor also has traffic analysis features of its own. These are described
in the Cascade Sensor and Cascade Gateway User’s Guide and in the Sensor online help system.
You can use the Sensor to view information about packets associated with traffic flows reported on the Profiler. From
within the Profiler or Express, right-click on any host, host pair, port, protocol, or flow, wherever it is reported. This
displays a menu with an option to use the Sensor to view packet data collected by any Sensor that is sending
information to the Profiler.
Additionally, you can use the Profiler to connect directly to the Sensor and export a packet trace file corresponding to
the Profiler report criteria.
This section describes accessing the Sensor from within the Profiler. The advantage of this approach is that the Profiler
automatically provides the Sensor with the context for the item that you want to investigate. That is, the Sensor GUI
opens with the information it needs to view packets for the item that you right-clicked on a Profiler report.
Viewing Sensor packet information
To use the Sensor to analyze packet-level data for a host, host pair, port, protocol, or flow reported on the Profiler,
1. Right-click the item to display the shortcut menu.
2. Select Packets for this <selection> to display the submenu.
3. Select View in Cascade Sensor. This displays a submenu of Sensors that are sending data to the Profiler.
Figure 13-65. View in Cascade Sensor
4. Choose the Sensor that you want to use as the source of the packet details you want to view.
5. The first time you choose a Sensor as the source of the data for analysis, you will be prompted to approve the
connection to the Sensor. This may also happen on subsequent uses, depending on your browser settings.
6. Approve the connection, if necessary. The browser displays the login page for the Sensor that you have selected.
7. Enter the login credentials and click OK. This opens the Sensor Traffic Analysis > Packet View page. This page
displays information about packets associated with the host, host pair, port, protocol, or flow that you right-clicked
on the Profiler report.
Exporting Sensor packet information
To use the Sensor to export a packet trace file for packets associated with a host, host pair, port, protocol, or flow
reported on the Profiler,
1. Right-click the item to display the shortcut menu.
2. Select Packets for this <selection> to display the submenu.
3. Select Export to PCAP file. This displays a submenu of Sensor appliances that are sending data to the Profiler.
Figure 13-66. Export to PCAP file from Sensor
4. Choose the Sensor that you want to use as the source of the packet details you want to export.
5. The first time you choose a Sensor as the source of the data for analysis, you may be prompted to approve the
connection to the Sensor. This may also happen on subsequent uses, depending on your browser settings.
6. The Profiler connects to the Sensor. You are prompted to approve the connection and to log in to the Sensor. Enter
the login credentials for the Sensor that you have selected.
7. When the Sensor displays the Packet Export Download page, click the link to initiate the download. Your browser
will prompt you for a location on your local machine to save the packet trace file.
CHAPTER 14
Mitigation
This chapter describes Cascade Profiler and Cascade Express capabilities for mitigating the effects of malicious or
misconfigured traffic. It includes the following sections:

“Introduction,” next

“Trusted hosts setup” on page 232

“Switch mitigation setup” on page 233

“Router mitigation setup” on page 235

“Enabling mitigation plan generation” on page 236

“Managing mitigation actions” on page 237

“Managing mitigation plans” on page 239
Introduction
The mitigation feature enables you to reduce or eliminate traffic to and from specified hosts by using the appliance
to reconfigure switches and routers in your network. This feature is available when the optional security analytics
module is installed and enabled.
The appliance automatically generates a mitigation plan for blocking traffic by switching off switch ports or by
instructing routers to discard traffic. It reports the anticipated impact of mitigation actions and allows you to select
which mitigation actions are taken.
Once you set up the mitigation feature, you can view and create mitigation plans, tailor them to your network, activate
them, deactivate them, and delete or save them for reuse.
The setup of the mitigation feature involves specifying:

Trusted hosts (hosts whose traffic will not be blocked)

Mitigation switch information

Mitigation router information
The use of the configured mitigation feature includes managing mitigation plans and individual mitigation actions.
This chapter discusses each of these topics.
Switch Mitigation
The appliance supports the use of switches for blocking traffic. It uses SNMP polling to obtain:

MAC address-to-switch port bindings from switches

MAC address-to-IP address bindings from routers
The appliance uses this information to determine which switch port an offending host uses. It can then use SNMP to
shut down the switch port and isolate the offending host.
Switch mitigation is appropriate for situations in which you would otherwise shut down switch ports manually by
disconnecting cables or by sending commands to the switch. To minimize the impact on non-offending hosts, you
should use switch mitigation on access switches where practical instead of distribution switches. Generally speaking,
the closer in the network topology the mitigation switch is to the offending host, the fewer other hosts will be affected
by the switch port being shut down.
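The lookup described above (IP address to MAC address via the lookup router, MAC address to switch port via each switch, then choosing the port closest to the host), as an added example that is not Riverbed code. It models the router's ARP table as a {ip: mac} dictionary and each switch's forwarding table as a {mac: port} dictionary, the kind of data a poller reads from the IP-MIB ipNetToMedia and BRIDGE-MIB dot1dTpFdb tables; it sends no SNMP traffic. The switch names, addresses and tables are constructed sample values, and the rule that a port shared with a trusted host is never selected is my own addition to illustrate the trusted-hosts idea.

```python
"""Added example: resolve an offending IP to a switch port and estimate
how many other hosts a port shutdown would affect.
Tables below are constructed sample data, not polled from real devices."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Switch:
    name: str
    fdb: Dict[str, int]   # MAC address -> port index (BRIDGE-MIB style)

@dataclass
class Candidate:
    switch: str
    port: int
    other_macs: List[str]   # other hosts learned on the same port

# Hypothetical ARP table read from the lookup router.
LOOKUP_ROUTER_ARP = {
    "10.1.1.25": "00:11:22:33:44:55",   # offending host
    "10.1.1.26": "00:11:22:33:44:66",
    "10.1.1.27": "00:11:22:33:44:77",
    "10.1.1.28": "00:11:22:33:44:88",
    "10.1.1.1":  "00:aa:bb:cc:dd:01",   # gateway (trusted)
}
# Hypothetical forwarding tables: one access switch, one distribution switch.
SWITCHES = [
    Switch("access-1", {"00:11:22:33:44:55": 3,      # one host per port
                        "00:11:22:33:44:66": 4,
                        "00:aa:bb:cc:dd:01": 24}),   # uplink
    Switch("dist-1",   {"00:11:22:33:44:55": 1,      # whole access switch
                        "00:11:22:33:44:66": 1,      # sits behind port 1
                        "00:11:22:33:44:77": 1,
                        "00:11:22:33:44:88": 48,     # shares port with gateway
                        "00:aa:bb:cc:dd:01": 48}),
]
TRUSTED_MACS: Set[str] = {"00:aa:bb:cc:dd:01"}

def resolve_mac(ip: str, arp: Dict[str, str]) -> Optional[str]:
    """MAC-to-IP binding from the lookup router's ARP table."""
    return arp.get(ip)

def candidates(mac: str, switches: List[Switch]) -> List[Candidate]:
    """Every (switch, port) on which the MAC is learned, plus the other
    MACs learned on that same port (the collateral damage of a shutdown)."""
    out = []
    for sw in switches:
        port = sw.fdb.get(mac)
        if port is None:
            continue
        others = sorted(m for m, p in sw.fdb.items() if p == port and m != mac)
        out.append(Candidate(sw.name, port, others))
    return out

def choose_port(ip: str, arp: Dict[str, str], switches: List[Switch],
                trusted_macs: Set[str]) -> Optional[Candidate]:
    """Pick the port with the fewest other hosts, i.e. the one closest to the
    offender in the topology. Returns None if the host is unknown, is itself
    trusted, or can only be cut off together with a trusted host."""
    mac = resolve_mac(ip, arp)
    if mac is None or mac in trusted_macs:
        return None
    safe = [c for c in candidates(mac, switches)
            if not (set(c.other_macs) & trusted_macs)]
    if not safe:
        return None
    return min(safe, key=lambda c: len(c.other_macs))

if __name__ == "__main__":
    for ip in ("10.1.1.25", "10.1.1.27", "10.1.1.28", "10.1.1.1"):
        print(ip, "->", choose_port(ip, LOOKUP_ROUTER_ARP, SWITCHES, TRUSTED_MACS))
```

For the offending host 10.1.1.25 the access switch port 3 is chosen (no other hosts), even though the distribution switch also knows the MAC on its port 1, where two more hosts would lose connectivity. A host seen only on a port shared with the trusted gateway is not acted on at all.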
Router Mitigation
The appliance supports the use of routers for blocking traffic by provisioning designated routers with black hole
routing instructions. These work in conjunction with the unicast Reverse Path Forwarding (uRPF) router feature to
isolate specified hosts from the routed network.
What uRPF does
uRPF prevents hosts from receiving traffic from IP addresses that it cannot verify. The feature assumes that a valid
packet will be received on the same interface that the router uses to return a packet to the source address. It checks the
packets it receives on a uRPF-enabled interface to determine if the interface and the source address of the packet match
a best return path (reverse path) in its routing table. If they match, it forwards the packet. But if the return path specifies
a different interface than the interface on which the packet was received, the router discards the packet. This prevents
the destination host from receiving traffic from unverifiable IP addresses on the routed network.
What black hole routing does
A black hole route prevents a host from receiving any routed traffic. When you identify a host that is sending traffic
that you want to block, you can use the appliance to publish a black hole route to a mitigation router. The black hole
route appears to be the best path to the offending host because it is the most specific (/32).
When the appliance publishes such a route on a designated mitigation router, the routing protocol advertises the route
to other routers on the network. The other routers add it to their routing tables as the best path to the offending host.
When a router that has the black hole route receives a packet having the destination address of the offending host, it
forwards the packet to the mitigation router, as instructed in the black hole route. But instead of forwarding the packet
to the offending host, the mitigation router forwards it to a null interface. That is, it discards the packet so that it never
reaches the offending host. This prevents the offending host from receiving any traffic (except from hosts on the same
subnetwork, which are not routed).
How uRPF and black hole routing work together
The uRPF feature discards traffic that has unverifiable source IP addresses. The black hole routing technique makes
the IP address of an offending host unverifiable by uRPF. This blocks the offending host from sending traffic on the
routed network.
The black hole routing technique also prevents an offending host from receiving any routed traffic, whether or not the
source addresses are verifiable. The combination of the two techniques completely isolates an offending host from the
routed network.
Example 1: Black hole routing without uRPF enabled
1. The appliance publishes a static route on the mitigation router. On the GUI, you can specify individual host
addresses or ranges of addresses to be covered by different mitigation routers. However, each route the appliance
publishes on a mitigation router is a /32 route.
2. The mitigation router uses a routing protocol (e.g., OSPF) to distribute the route to other routers on the network.
3. Host A sends traffic to the offending host. The first router to receive the traffic uses the black hole route to forward
the traffic to the mitigation router. The mitigation router discards the traffic.
4. The offending host sends traffic to Host A. The traffic is routed to Host A. However, the offending host cannot
receive information from Host A or engage in any two-way communication.
Example 2: Black hole routing working with uRPF
1. As in Example 1, the appliance publishes a static route on the mitigation router, and the mitigation router
distributes the route to other routers on the network.
2. Also as in Example 1, Host A sends traffic to the offending host. The first router to receive the traffic uses the black
hole route to forward the traffic to the mitigation router, where it is discarded.
3. The offending host sends traffic to Host A.
4. When a uRPF-enabled router with the black hole route pertaining to the offending host receives the traffic, it
assumes that any traffic from the offending host should use the same route as traffic back to that host. But for most
network topologies, the traffic from the offending host will not match the router's reverse path to the host, because
the reverse path is the black hole route. So the uRPF-enabled router discards all traffic from the offending host.
There are uncommon network topologies in which the traffic from the offending host can arrive on the port specified
by the reverse path to the mitigation router and therefore be forwarded despite uRPF. For example, if there is a switch
or non-uRPF-enabled router between the mitigation router and the uRPF-enabled router, and if the traffic from the
offending host enters the network through that device, then the traffic can enter the uRPF-enabled router through the
port specified in its reverse path route to the mitigation router. The uRPF-enabled router will forward the traffic in this
case.
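Example 1, Example 2 and the uncommon-topology caveat above, replayed in a small routing model. This is an added example and not Riverbed code: it implements longest-prefix-match lookup, a /32 route pointing at a null interface, and the uRPF check (reverse path for the source must equal the ingress interface). Router names, interface names and addresses are constructed sample values; the edge router R1 sees Host A's subnet on eth0, the offender's subnet on eth1, and reaches the mitigation router R2 through eth2.

```python
"""Added example: black hole routing and uRPF on a toy router model."""
import ipaddress
from typing import List, Optional, Set, Tuple

NULL0 = "Null0"   # the null interface: anything routed here is discarded

class Router:
    def __init__(self, name: str, urpf_ifaces: Optional[Set[str]] = None):
        self.name = name
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []
        self.urpf_ifaces: Set[str] = set(urpf_ifaces or ())  # uRPF on these

    def add_route(self, prefix: str, iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr: str) -> Optional[str]:
        """Longest-prefix match, so the /32 black hole route beats the /24."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, src: str, dst: str, ingress: str) -> Tuple[str, Optional[str]]:
        """Returns (verdict, egress interface). Verdicts: 'forward',
        'drop:urpf', 'drop:blackhole', 'drop:no-route'."""
        if ingress in self.urpf_ifaces:
            # uRPF: the best return path to the source must leave through
            # the interface the packet arrived on, otherwise discard it.
            if self.lookup(src) != ingress:
                return "drop:urpf", None
        egress = self.lookup(dst)
        if egress is None:
            return "drop:no-route", None
        if egress == NULL0:
            return "drop:blackhole", None
        return "forward", egress

OFFENDER, HOST_A, GOOD_HOST = "10.1.1.25", "10.2.2.10", "10.1.1.26"

def build_edge_router(urpf: bool, blackhole: bool) -> Router:
    """Edge router R1: eth0 -> Host A's subnet, eth1 -> offender's subnet,
    eth2 -> core, where the mitigation router R2 lives."""
    r1 = Router("R1", urpf_ifaces={"eth1"} if urpf else None)
    r1.add_route("10.2.2.0/24", "eth0")
    r1.add_route("10.1.1.0/24", "eth1")
    if blackhole:
        # Learned through the routing protocol from the mitigation router.
        r1.add_route(f"{OFFENDER}/32", "eth2")
    return r1

def build_mitigation_router() -> Router:
    r2 = Router("R2")
    r2.add_route("10.0.0.0/8", "eth0")
    r2.add_route(f"{OFFENDER}/32", NULL0)   # the published black hole route
    return r2

def example1():
    """Black hole route without uRPF: traffic to the offender is discarded at
    R2, traffic from the offender is still forwarded."""
    r1, r2 = build_edge_router(urpf=False, blackhole=True), build_mitigation_router()
    to_offender = r1.forward(HOST_A, OFFENDER, "eth0")       # ('forward', 'eth2')
    at_mitigation = r2.forward(HOST_A, OFFENDER, "eth0")     # ('drop:blackhole', None)
    from_offender = r1.forward(OFFENDER, HOST_A, "eth1")     # ('forward', 'eth0')
    return to_offender, at_mitigation, from_offender

def example2():
    """Black hole route with uRPF on R1's eth1: the reverse path for the
    offender is now eth2 (the black hole route), so its packets fail uRPF,
    while a neighbouring host on the same subnet still passes."""
    r1 = build_edge_router(urpf=True, blackhole=True)
    from_offender = r1.forward(OFFENDER, HOST_A, "eth1")     # ('drop:urpf', None)
    from_good_host = r1.forward(GOOD_HOST, HOST_A, "eth1")   # ('forward', 'eth0')
    return from_offender, from_good_host

def uncommon_topology():
    """The caveat: offender traffic that enters R1 through eth2, the very
    interface that is R1's reverse path to the mitigation router, passes
    uRPF and is forwarded."""
    r1 = build_edge_router(urpf=True, blackhole=True)
    r1.urpf_ifaces.add("eth2")
    return r1.forward(OFFENDER, HOST_A, "eth2")              # ('forward', 'eth0')
```

Running example1() and example2() side by side makes the division of labour visible: the null route alone stops traffic toward the offender, and only the uRPF check stops traffic from it.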
Configuration notes on uRPF
The uRPF feature does not have to be enabled on every router, but mitigation is more effective when uRPF is enabled
on more routers. Additionally, enabling uRPF on routers near the edge of the protected network is usually more
effective than on routers closer to the core.
Configuration notes on the mitigation router
You can use the appliance to publish a black hole route on a router that you designate as a mitigation router. You must
enter the name and passwords of this router on the Configuration > Mitigation > Add Router page so that the appliance
can publish the route.
The mitigation router must use a routing protocol such as OSPF to distribute the route to other routers. Usually, the
mitigation router must be explicitly configured to redistribute static routes.
The mitigation router does not need to run uRPF, and the uRPF-enabled routers do not need to be configured to
redistribute static routes. Refer to your router documentation for guidance on redistributing static routes.
Using the mitigation feature
The general procedure for using the mitigation feature is:
1. Specify trusted hosts. These are hosts whose traffic is to be excluded from mitigation actions, such as trusted
infrastructure devices.
2. Specify the switch mitigation setup. This involves identifying one or more lookup routers and one or more
switches. The lookup routers must have SNMP enabled.
3. Specify the router mitigation setup. This involves designating one or more mitigation routers and ensuring that
each is set up for redistribution of static routes. The appliance must be given the names and passwords of the
mitigation routers so that it can publish null routes for offending hosts on them.
4. Enable or disable automatic mitigation plan generation. By default, the appliance does not automatically
generate mitigation plans. You can set it to generate mitigation plans for events that cause Low, Medium, or High
alerts. Alternatively, you can leave automatic mitigation plan generation disabled and generate plans only when
you choose to. If you typically do not take mitigation action when you receive alerts, then Riverbed recommends
leaving automatic plan generation off.
5. Work with mitigation plans and actions. You can activate, deactivate, modify, create and delete mitigation
actions and mitigation plans.
These steps are discussed in more detail in the sections that follow.
Trusted hosts setup
The appliance does not take mitigation actions against devices that you designate as trusted hosts. Trusted hosts are
typically critical infrastructure devices, which you add to the appliance trusted host list on the Configuration >
Mitigation > Trusted Hosts page.
The appliance automatically adds the following devices to its trusted hosts list:

all the appliance modules and storage devices

mitigation switches and the lookup router for switch mitigation

mitigation routers
You can add a trusted host either by specifying it in the GUI or by importing a list of IP addresses and comments.
Figure 14-1. Configuration > Mitigation > Trusted hosts page
To add devices to the trusted hosts list
1. Go to the Configuration > Mitigation > Trusted Hosts page.
2. Click Add…. This displays the Add Trusted Host page.
3. Enter the IP address of a host or a range of trusted hosts in CIDR format.
4. Optionally, enter a comment for future reference.
5. Click Add to add the host or range of hosts to the trusted hosts list.
To import a trusted hosts list
1. Create a file specifying the trusted hosts. The file must specify one IP address or CIDR block of IP addresses per
line, with a comma separating the IP address from the optional comment. For example:
ip_address,comment
ip_address/24,comment
ip_address,comment
2. Go to the Configuration > Mitigation > Trusted Hosts page.
3. Click Import…. This displays the Import Trusted Host page.
4. Enter or browse to the path to the file containing your trusted hosts list.
5. Click Import to add the hosts to the trusted hosts list.
Switch mitigation setup
Switch mitigation requires a lookup router and one or more mitigation switches. Information for both the lookup router
and the switches is entered on the Configuration > Mitigation > Switching Setup pages.
Figure 14-2. Configuration > Mitigation > Switching Setup page
You can add devices either by specifying them in the GUI or by importing a comma-separated-list of device
information.
To add mitigation switches and lookup routers
1. Go to the Configuration > Mitigation > Switching Setup page.
2. Click Add Device…. This displays the Add Device page.
3. Enter the required information and click Add to add the specified device as a mitigation switch or lookup router.
Field descriptions

Name - Host name of the mitigation device.

IP address - IP address of the device.

Type - Either Switch for an actionable switch or Lookup Router for a router used to look up MAC-to-IP address
bindings.

Read community - Community string that the appliance should use to query the device.

Write community - Community string that the appliance should use to enact changes on the switch.
To import a switch mitigation device list
1. Create a file specifying the devices. Each line of the file must contain a comma-separated list of information about
one device using the following format:
host_name, IP_address, device_type, read_only_community_string, write_community_string
where:
host_name - is the name of the mitigation device
IP_address - is the IP address of the device
device_type - is either SWITCH for an actionable switch or ROUTER for a router used to look up MAC-to-IP
address bindings
read_only_community_string - is the string the appliance must use to obtain information from the device
write_community_string - is the string the appliance must use to enact changes on the switch (e.g., disable or
enable switch ports)
2. Go to the Configuration > Mitigation > Switching Setup page.
3. Click Import. This displays the Import devices page.
4. Enter or browse to the path to the file containing your device list.
5. Click Import to add the devices to the switching device list.
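The two import formats above (the trusted hosts file and the switch mitigation device list) are easy to get subtly wrong, and the device file carries SNMP write community strings that can disable ports. The following pre-flight validator is an added example, not part of the appliance or this guide; the sample file contents, host names and community strings are constructed, and the "trusted" check models only the rule stated in this chapter that trusted hosts are excluded from mitigation.

```python
import ipaddress

# Constructed sample trusted-hosts file (not from the guide). Only the first
# comma separates the address from the comment, so comments may contain commas.
TRUSTED_HOSTS_FILE = """\
10.1.1.5,DNS server
10.1.2.0/24,Server farm, row 2
10.1.1.5,duplicate entry
192.168.300.1,bad address
0.0.0.0/0,whole network
"""

# Constructed sample device file. Community strings are placeholders.
DEVICE_FILE = """\
core-sw1, 10.1.0.2, SWITCH, mon-ro-7f3a, ctl-rw-9c1e
edge-rtr1, 10.1.0.1, ROUTER, mon-ro-7f3a,
access-sw7, 10.1.0.9, SWITCH, public, private
dist-sw2, 10.1.0.300, SWITCH, mon-ro-7f3a, ctl-rw-9c1e
fw1, 10.1.0.4, FIREWALL, mon-ro-7f3a, ctl-rw-9c1e
access-sw8, 10.1.0.10, SWITCH, mon-ro-7f3a,
"""

DEVICE_TYPES = {"SWITCH", "ROUTER"}
DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults, widely guessed


def parse_trusted_hosts(text):
    """Parse address[,comment] lines. Returns (networks, problems)."""
    nets, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        addr, _, _comment = line.partition(",")
        try:
            net = ipaddress.ip_network(addr.strip(), strict=False)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if net.prefixlen == 0:
            # Trusted hosts are excluded from every mitigation action, so a
            # catch-all entry would quietly turn mitigation into a no-op.
            problems.append(f"line {lineno}: {net} marks every host as trusted")
        if net in seen:
            problems.append(f"line {lineno}: duplicate entry {net}")
        seen.add(net)
        nets.append(net)
    return nets, problems


def is_trusted(host, nets):
    """True if host falls in any trusted entry, i.e. mitigation will skip it."""
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in nets)


def parse_devices(text):
    """Parse host_name, IP_address, device_type, ro_community, rw_community lines."""
    devices, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 5:
            problems.append(f"line {lineno}: expected 5 fields, got {len(fields)}")
            continue
        name, ip, dtype, ro, rw = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"line {lineno}: invalid IP address {ip!r}")
            continue
        if dtype not in DEVICE_TYPES:
            problems.append(f"line {lineno}: device_type must be SWITCH or ROUTER, got {dtype!r}")
            continue
        if dtype == "SWITCH" and not rw:
            # Port disable/enable goes through the write community; without it
            # the switch can be polled but never used to block a host.
            problems.append(f"line {lineno}: switch {name} has no write community")
        for label, value in (("read", ro), ("write", rw)):
            if value in DEFAULT_COMMUNITIES:
                problems.append(f"line {lineno}: {name} uses default {label} community {value!r}")
        devices.append({"name": name, "ip": ip, "type": dtype})
    return devices, problems


if __name__ == "__main__":
    for label, parser, data in (("trusted hosts", parse_trusted_hosts, TRUSTED_HOSTS_FILE),
                                ("devices", parse_devices, DEVICE_FILE)):
        entries, problems = parser(data)
        print(f"{label}: {len(entries)} entries parsed, {len(problems)} problem(s)")
        for p in problems:
            print("  " + p)
```

Keep the device file itself out of shared directories and delete it after import: the write community strings in it are equivalent to port-control credentials for every listed switch.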
Modifying switch setups
The Configuration > Mitigation > Switching Setup page provides controls in the Actions column for polling switches,
editing a switch setup, and deleting a switch setup.
The appliance polls the switches periodically for the latest address-to-port mappings. However, you can instruct the
appliance to update its information immediately by clicking Poll now.
Router mitigation setup
Router mitigation requires a mitigation router that can distribute static routes on the network. You can use more than
one mitigation router and specify different mitigation routers to cover different ranges of IP addresses.
Figure 14-3. Configuration > Mitigation > Routing Setup page
To be fully functional, the router mitigation feature requires routers on the network to use unicast Reverse Path
Forwarding (uRPF). It does not require that all routers use uRPF. However, enabling uRPF on more routers makes
mitigation more effective. Also, uRPF-enabled routers near the edge of the protected network are generally more
effective than uRPF-enabled routers in the core of the network.
Mitigation routers are specified on the Configuration > Mitigation > Routing Setup pages.
To add a mitigation router
1. Go to the Configuration > Mitigation > Routing Setup page.
2. Click Add Router…. This displays the Add Router page.
3. Enter the required information. Click Help for a description of the fields on the page.
4. Click Add to add the mitigation router.
Field descriptions

Router name - Host name of the mitigation router.

IP address - IP address of the router.

Connection method - How the appliance must connect to the router; telnet or SSH.

Connection port - Which port on the router that the appliance must connect to.

Username - The name that the appliance must use to log in to the router.

Password - Password that the appliance must use to log in to the router.

Enable password - Password that the appliance must use to enact changes on the router; also known as the
privileged password.

Max number of routes - Maximum number of mitigation routes that the appliance can publish on this router.

Router coverage - Area of the network for which this router can mitigate. This is expressed as a list of CIDR
blocks separated by commas. Enter 0.0.0.0/0 when you are using one mitigation router to cover the entire
network. Trusted hosts are automatically excluded from mitigation actions.
Modifying and testing router setups
The Configuration > Mitigation > Routing Setup page provides controls in the Actions column for testing the
connection to a router, editing a router setup, and deleting a router setup.
The Test action for an entry in the list causes the appliance to attempt to connect to the router in that entry and display
a message indicating whether the test connection succeeded or failed.
Enabling mitigation plan generation
The feature that automatically generates mitigation plans assumes that an administrator has already specified trusted
hosts and set up the switch and router connectivity necessary for mitigation.
Generating a mitigation plan has no effect on the network. For mitigation actions to take effect, you must specifically
activate a mitigation plan by selecting it and entering your password. This protects the network from the risk of
someone accidentally blocking traffic.
Figure 14-4. Global Settings
To enable the appliance to automatically generate mitigation plans
1. Go to the Behavior Analysis > Policies page Security tab.
2. Click Global Policy Settings…. This displays the Global settings for all Security Policies page.
3. In the Mitigation settings section, select the alert level that you want to trigger the automatic generation of a
mitigation plan. For example, you might want the appliance to generate a plan only when there is a High alert.
None disables automatic mitigation plan generation.
4. Click OK.
When a mitigation plan is ready, the status is indicated in the Current Events content block on the Dashboard page as
an entry in the Mitigation plan column.
The mitigation plan status can be:

Ready - a mitigation plan has been generated and is ready for use

Pending - a mitigation plan is being generated, but it is not yet complete

Updated - an existing mitigation plan that is already in use has been updated
If the Mitigation plan column is blank for an event in the event list, it means either that the event is not eligible for
mitigation or the automatic plan generation is disabled.
Managing mitigation actions
You can select one or more recommended mitigation actions to put into effect by making choices on the Mitigation
Plan Detail page. Conversely, you can deactivate one or more mitigation actions by making selections on this page.
There are several ways to display the Mitigation Plan Detail page:

Go to the Configuration > Mitigation > Plans and Actions page, select the Plans view, and search by host, event
ID, or plan ID for the desired mitigation plan. On the list entry for the plan, click the Edit link.

On a Dashboard page that is displaying a Current Events content block, click the Ready link in the Mitigation
plans column of the event you want to mitigate.

On an Event Detail Report page, click the View mitigation plan link on the Summary tab. (This is not shown if
automatic mitigation plan generation is disabled.)

On an Events Report page, click the event ID for an event you want to mitigate. This displays the Event Detail
Report. Click Mitigate on the Event Detail report.
All four of these links display the Mitigation Plan Detail page. This page provides a summary of the plan and lists the
mitigation actions. Mitigation actions are actions to block the traffic to and from specified hosts or groups of hosts.
The Actions taken section lists mitigation actions that have been put into effect. The Proposed actions section lists
mitigation actions that the appliance has proposed but which have not been put into effect.
Figure 14-5. Mitigation Plan
The lists of hosts in the two sections provide the following information:

Host - Name of the host and host group whose traffic is to be blocked. You can right-click this entry to access a
selection for running a traffic report for the host or host group.

Router - The router that the appliance will use for mitigation. An inactive (gray) box indicates that router
mitigation is not available.

Switch Port - The switch port that the appliance will use for mitigation. An inactive (gray) box indicates that
switch port mitigation is not available.

Affected Hosts - The number of hosts affected by the mitigation action. This number is linked to a page that lists
the addresses of the hosts that the appliance believes reside on the switch port that it has identified for the
mitigation action. This provides an indication of how many other hosts may be affected when the specified switch
port is shut down. Multiple hosts may be affected when the switch port is not directly connected to the host (e.g.,
it is connected to another switch).

Current - The current impact. This displays the number of peers that this host has transmitted to or received from
in the last minute and its traffic rate in packets per second for the last minute. The appliance regularly updates
these figures for all proposed actions. It updates about 2000 actions per minute.

History - The number of peers and packets per second of traffic reported for this host by the profile that was
active at the time the host was added to the mitigation plan. This historical impact figure is not updated.

Comments - This displays notes that were added to the mitigation plan.

Actions - You can remove the proposed mitigation action against a host or host group from the mitigation plan by
clicking Delete. The Actions taken section does not have an Actions column because mitigation actions must be
deactivated before they can be deleted.
You can add a host to the mitigation plan by clicking Add Host and entering the address of the host.
Additionally, you can click Recalculate to have the appliance update its address and routing records immediately
instead of at the next polling time.
Activating mitigation actions
Mitigation actions that have been proposed but not yet put into effect are listed in the Proposed actions sections of the
Mitigation Plan Detail page. The proposed mitigation actions can be put into effect either as a group or individually.
To activate all mitigation actions on a mitigation plan
1. On the Mitigation Plan Detail page, click the applicable link on the Activate line just above the Proposed actions
section:

All actions - performs all mitigation actions using both switch and router mitigation (i.e., blocks traffic to and
from all hosts) listed in this section.

All router actions - mitigates traffic on all hosts listed in this section, but uses only router mitigation and not
switch port mitigation.

All switch actions - mitigates traffic on all hosts listed in this section, but uses only switch port mitigation
and not router mitigation.
2. When prompted, enter your password.
Note that each of these choices activates all the proposed actions, regardless of whether or not the Router and Switch
port check boxes are checked in the individual entries. Each of these choices moves all the entries from the Proposed
actions section to the Actions taken section.
To activate a selected mitigation action
1. Select the Router and/or Switch port check boxes for the actions to be performed.
2. Click Commit at the bottom of the page and enter your password when prompted.
This moves all entries with checked check boxes from the Proposed actions section to the Actions taken section.
Proposed actions that were not selected (i.e., have no check boxes checked) remain in the Proposed actions section.
Deactivating mitigation actions
Mitigation actions that have been placed into effect are listed in the Actions taken section of the Mitigation Plan Detail
page. These mitigation actions can be deactivated either as a group or individually.
To deactivate all mitigation actions on a mitigation plan
1. On the Mitigation Plan Detail page, click the applicable link on the Deactivate line just above the Actions taken
section:

All actions - deactivates all mitigation actions (i.e., unblocks traffic to and from all hosts listed in this
section).

All router actions - deactivates all router mitigation in the plan, but leaves switch port mitigation active.

All switch actions - deactivates all switch port mitigation in the plan, but leaves router mitigation active.
2. When prompted, enter your password. Each of these choices moves all the deactivated entries from the Actions
taken section back to the Proposed actions section.
To deactivate selected individual mitigation actions
1. In the Actions taken section, deselect (clear) the Router and Switch port check boxes for the actions.
2. Click Commit at the bottom of the section and enter your password when prompted.
This moves all entries that have no check boxes checked back to the Proposed actions section. Entries with checked
check boxes remain active and listed in the Actions taken section.
Managing mitigation plans
Mitigation plans can be managed from the Configuration > Mitigation > Plans and Actions page. On this page, you
can activate or deactivate mitigation plans and individual mitigation actions. You can create new mitigation plans or
open existing mitigation plans.
The Actions view enables you to locate mitigation plans and mitigation actions by specifying the following search
criteria:

Mitigation device - switch or router or both

Event type - the type of event that caused the alert which resulted in the mitigation plan being generated, or all

Activated by - the login name of the user who activated the mitigation plan

State - the state of the mitigation plan or action: active, inactive, or all

Host/CIDR - the address or block of addresses of the affected host or hosts
Figure 14-6. Configuration > Mitigation > Plans and Actions page, Actions view

Event ID - the Event ID is available from a Dashboard page with a Current Events content block or from the
Event Reports pages.

Plan ID - the identification of the mitigation plan

Span - the number of seconds, minutes, hours, days, weeks or months, ending now or ending at a time and date
you specify
Working with Plans and Actions
You can view the results of a search either by Plans or by Actions. In both views, the information can be sorted in
ascending or descending order by any column except the Actions column.
Figure 14-7. Configuration > Mitigation > Plans and Actions page, Plans view
Plans view
When viewing the results by Plans, you can use the following controls:

Activate Selected and Deactivate Selected activate and deactivate mitigation plans. This activates or deactivates
all actions in the selected plans.

Delete to delete an entire mitigation plan.

Edit to open the Mitigation Plan Detail page, where you can modify or recalculate the plan.

Event ID link to open the Event Detail report.
Actions view
When viewing the results by Actions, you can use the following controls:

Activate Selected and Deactivate Selected to activate and deactivate mitigation actions. This activates or
deactivates only the selected actions.

Delete to delete a mitigation action.

Host entry that can be right-clicked to display a selection for a traffic report for the host.

Edit to open the Mitigation Plan Detail page, where you can modify or recalculate the plan.

Event ID link to open the Event Detail report.
To create a mitigation plan
1. Go to the Configuration > Mitigation > Plans and Actions page and choose Plans view.
2. Click Create plan. This displays an empty Mitigation Plan Detail page.
3. In the Proposed actions section, click Add Host.
4. Enter the name of the host and click Add. The appliance creates an entry for the host in the list in the Proposed
actions section and proposes the mitigation action.
5. Add more hosts, as necessary.
6. If you want to recheck the impact on current traffic before activating the plan, click the Refresh link beside the
Current column.
7. When you are ready to activate the plan, either:

Click the appropriate Activate link: All actions, All router actions, or All switch actions, or

Select the appropriate check boxes for each mitigation action and then click Commit in the Proposed actions
section.
8. When prompted, enter your password.
The appliance performs the selected mitigation actions and moves their entries to the Actions taken section.
CHAPTER 15
Appliance Security

“Overview,” next

“Password Security” on page 244

“Security Compliance” on page 245

“Encryption Key Management” on page 251

“Replacing SSH keys” on page 254

“Replacing SSL certificates” on page 255
Overview
The Profiler and Express appliances are secured by strong password controls, restricted access and encrypted
communication with other appliances. These features are controlled by three Appliance Security pages that are
accessible from the Configuration menu:

Password Security

Security Compliance

Encryption Key Management
This chapter describes these features. Additional security-related features include:

Password-protected email server and encrypted time server configuration on the Configuration > General Settings
page

Audit Trail Report on the System > Audit Trail page

Account privilege levels for assigning new accounts on the Configuration > Account Management > User
Accounts page
Password Security
On the Configuration > Appliance Security > Password Security page, a user logged into an Administrator account can
specify password security settings for all users. This page has three sections:
Figure 15-1. Configuration > Appliance Security > Password Security page
Strict Password Requirements – specifies password length, case usage, and requirement for non-alphabetic
characters. Specifies the number (from 1 to 16) of previous passwords the appliance should save and test to ensure that
the user is not recycling a small set of passwords. Also specifies the lifespan of a password. When a password expires,
the user is forced to change it upon their next login.
Login Settings – allows you to:

Limit the number of user sessions to one per name/password combination.

Require users of new accounts to change their password on their first log in.

Specify the number of consecutive failed login attempts the appliance allows before disabling logins for an
account.

Specify how long logins are disabled on an account after the allowed number of failed login attempts has been
exceeded. If a user needs access before the lockout period has expired, the Administrator can edit the account
profile to specify a new password for the account.

Exempt the admin account from being locked out by repeated unsuccessful login attempts.

Specify if the splash screen is dismissed automatically after 5 seconds, is displayed until the user clicks
Acknowledge, or is not displayed.

Specify the path to a splash screen, such as a company banner or appropriate use statement. The appliance
uploads the file and saves it until it is overwritten by a subsequent splash screen file upload. This file can be up to
1 Megabyte in size.

Add text to be displayed to a user before they log in.
Inactivity Timeout – specifies how long an account can remain inactive before being automatically logged off.

This global setting can be overridden by a shorter time set for an individual user account, but not by a longer
time.

When the appliance is in the Strict Security mode, this setting is automatically limited to no more than 10
minutes.

The timeout can be overridden when the appliance is displaying the main pages used for monitoring the network.
Settings made on this page are linked to the settings made on the Global Account Settings page. To view that page, go
to the Configuration > Accounts Management > User Accounts page and click Settings.
Security Compliance
The Configuration > Appliance Security > Security Compliance page controls security features that are used to comply
with various contractual and regulatory requirements. The page has three sections:

Operational modes – control the security posture of the appliance by automatically enabling sets of security
features and disabling certain types of access to the appliance.

Accounts – controls shell access and shell account passwords.

Access – controls remote access to the appliance.
Changes made to the settings in these sections are not applied to the appliance configuration until you click Configure
Now at the bottom of the page.
Note: Do not change the Shell Access selection in the Accounts section unless you understand the impact. Access to shell accounts
cannot be restored once it is disabled.
Operational modes
The security posture of the appliance is determined by its operational mode. There are four operational modes that
control the security features:

Standard

Strict Security

FIPS 140-2 Compatible Cryptography

Strict Security and FIPS 140-2 Compatible Cryptography.
These operational mode selections are independent of the shell account access selection. The effects of the shell
account access selections (Shell Enabled, Challenge Mode, Shell Disabled) are described in the Account Access topic.
Figure 15-2. Configuration > Appliance Security > Security Compliance page Operational Modes section
Standard Security
The appliance is in the standard security operational mode when neither the Strict Security mode nor FIPS 140-2
Compatible Cryptography is selected on the Configuration > Appliance Security > Security Compliance page. When
neither of these options is selected, security features can be chosen individually. In the Strict Security mode and FIPS
140-2 Compatible Cryptography mode, more secure configurations are selected automatically and less secure features
are disabled.
Strict Security Mode
When the Strict Security mode is selected on the Configuration > Appliance Security > Security Compliance page, the
appliance:

Disables the use of certain features.

Selects enhanced password protection.

Restricts access to the appliance.
Disabled features
The Strict Security mode prevents the use of the following features:

Reporting API access control list – the ACL section of the Configuration > Integration > API Authorization page
is disabled. This prevents scripts from bypassing the login requirements when accessing the reporting API. Tools
that must access the reporting API while the appliance is in the Strict Security mode must be able to handle the
login page.

Vulnerability scanning setup – the Configuration > Integration > Vulnerability Scanning setup page is disabled
and not displayed. The appliance cannot access any vulnerability scanners while it is in the Strict Security mode.

Mitigation – All Configuration > Mitigation pages are disabled and not displayed.

ODBC DB Access – the Configuration > Account Management > ODBC DB Access page is disabled and not
displayed.
Password protection
The Strict Security mode automatically selects the following global password protection options. Some settings can
be manually overridden to provide a higher level of security, but not a lower level. Other settings, as noted below,
cannot be changed while the appliance is in the Strict Security mode.

Minimum number of characters: 8; Can be set to a number greater than 8, but not lower than 8.

Require mixed case; Cannot be changed while in the Strict Security mode.

Require non-alphanumeric characters; Cannot be changed while in the Strict Security mode.

Remember 12 prior passwords; Can be set to a number greater than 12, but not lower than 12.

Enable password aging; Cannot be changed while in the Strict Security mode.

Number of days before password expiration: 60; Can be set to a number lower than 60, but not greater than 60.

Force password change on first log-in; Cannot be changed while in the Strict Security mode.

Number of attempts before account locked: 3; Can be set to a number lower than 3, but not greater than 3.

Number of minutes to keep account locked: 30; Can be set to a number greater than 30, but not lower than 30.
These settings can be viewed on the Configuration > Appliance Security > Password Security page. They are also
visible when you click Settings on the Configuration > Account Management > User Accounts page.
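The override rule above is asymmetric: some values may only be raised (length, history, lockout duration), others only lowered (expiry, failed attempts), and the rest are fixed. The following model of that floor, together with a checker for the resulting password requirements, is an added example and not appliance code; the PasswordPolicy field names and the sample passwords are constructed, and the prior-password list is plaintext only to keep the example short (the appliance itself stores saved passwords, not a plaintext list).

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    """Global password settings as shown on the Password Security page (field names are ours)."""
    min_length: int
    require_mixed_case: bool
    require_non_alphanumeric: bool
    remember_prior: int
    password_aging: bool
    expire_days: int
    force_change_first_login: bool
    lock_after_attempts: int
    lock_minutes: int


# Values the Strict Security mode selects automatically (from the list above).
STRICT_BASELINE = PasswordPolicy(
    min_length=8, require_mixed_case=True, require_non_alphanumeric=True,
    remember_prior=12, password_aging=True, expire_days=60,
    force_change_first_login=True, lock_after_attempts=3, lock_minutes=30,
)

# Direction in which each setting may be overridden while in Strict Security mode.
MAY_ONLY_INCREASE = ("min_length", "remember_prior", "lock_minutes")
MAY_ONLY_DECREASE = ("expire_days", "lock_after_attempts")
FIXED = ("require_mixed_case", "require_non_alphanumeric",
         "password_aging", "force_change_first_login")


def strict_mode_violations(proposed: PasswordPolicy) -> List[str]:
    """Return the settings in `proposed` that are weaker than the Strict Security floor."""
    violations = []
    for name in MAY_ONLY_INCREASE:
        floor = getattr(STRICT_BASELINE, name)
        if getattr(proposed, name) < floor:
            violations.append(f"{name} may not be lower than {floor}")
    for name in MAY_ONLY_DECREASE:
        ceiling = getattr(STRICT_BASELINE, name)
        if getattr(proposed, name) > ceiling:
            violations.append(f"{name} may not be higher than {ceiling}")
    for name in FIXED:
        if getattr(proposed, name) != getattr(STRICT_BASELINE, name):
            violations.append(f"{name} cannot be changed in Strict Security mode")
    return violations


def password_problems(candidate: str, policy: PasswordPolicy, prior: List[str]) -> List[str]:
    """Return why `candidate` fails `policy`; an empty list means it is acceptable.

    `prior` lists previously used passwords, most recent first; only the number the
    policy remembers is consulted, matching the "remember N prior passwords" setting.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if policy.require_mixed_case and not (has_lower and has_upper):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_non_alphanumeric and all(c.isalnum() for c in candidate):
        problems.append("needs a non-alphanumeric character")
    if candidate in prior[:policy.remember_prior]:
        problems.append(f"reuses one of the last {policy.remember_prior} passwords")
    return problems
```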
Access restrictions
The Strict Security mode also automatically:

Sets the inactivity time out for sessions on the console port and SSH connections to the Primary port to 10
minutes and limits login attempts to these ports to 3.

Disables Ctrl+Alt+Delete on the console.

Implements additional firewall rules restricting source routed packets and some ICMP requests.
FIPS 140-2 Compatible Cryptography
When the FIPS 140-2 Compatible Cryptography option is selected on the Configuration > Appliance Security >
Security Compliance page, the appliance uses FIPS 140-2 Level 1 encryption, which is approved for use by the U.S.
government for Sensitive (but unclassified) information.
Additionally, selecting the FIPS 140-2 Compatible Cryptography option has the following effects:

Product updates – the System > Update page displays a note that product updates are not available while in the
FIPS 140-2 Compatible Cryptography mode.

NTP encryption – In the Time Configuration section of the Configuration > General Settings page, NTP
connections must use either SHA1 encryption or no encryption. Any NTP servers that are currently configured to
use MD5 encryption will be disconnected when the FIPS 140-2 Compatible Cryptography mode is enabled.
Note: There is no notification when switching to the FIPS 140-2 Compatible Cryptography mode disconnects NTP connections
using MD5 encryption.

In the SNMP MIB Configuration section of the Configuration > General Settings page, the settings are modified
as follows:

If the SNMP MIB Configuration had been set to use SNMPv3 with Authentication and Privacy, then the
settings are not changed when the FIPS 140-2 Compatible Cryptography mode is enabled.

If the SNMP MIB Configuration had been set to anything else (SNMPv1, SNMPv2, SNMPv3 with No
Authentication/No Privacy or Authentication/No Privacy), then the SNMP server of the appliance is switched
off when the FIPS 140-2 Compatible Cryptography mode is enabled.

If the SNMP server of the appliance had been switched off, then it remains off when the FIPS 140-2
Compatible Cryptography mode is enabled.

Vulnerability scanning setup – the Configuration > Integration > Vulnerability Scanning setup page is disabled
and not displayed.

Mitigation – All Configuration > Mitigation pages are disabled and not displayed.
ODBC DB Access – the Configuration > Account Management > ODBC DB Access page is disabled and not
displayed.
Note: TLSv1 must be enabled on your web browser in order to connect to the appliance when it is in the FIPS 140-2 Compatible
Cryptography mode.
Strict Security Mode with FIPS 140-2 Compatible Cryptography
When both the Strict Security mode and FIPS 140-2 Compatible Cryptography are enabled, the appliance is restricted
to the limitations of each. The combined effects of enabling both options are:

Reporting API access control list – the ACL section of the Configuration > Integration > API Authorization page
is disabled. This prevents scripts from bypassing the login requirements when accessing the reporting API. Tools
that must access the reporting API while the appliance is in the Strict Security mode must be able to handle the
login page.

NTP encryption – In the Time Configuration section of the Configuration > General Settings page, NTP
connections must use either SHA1 encryption or no encryption. Any NTP servers that are currently configured to
use MD5 encryption will be disconnected when the FIPS 140-2 Compatible Cryptography mode is enabled.
Note: There is no notification when switching to the FIPS 140-2 Compatible Cryptography mode has disconnected NTP
connections using MD5 encryption.

In the SNMP MIB Configuration section of the Configuration > General Settings page, the settings are modified
as follows:

If the SNMP MIB Configuration had been set to use SNMPv3 with Authentication and Privacy, then the
settings are not changed when the FIPS 140-2 Compatible Cryptography mode is enabled.

If the SNMP MIB Configuration had been set to anything else (SNMPv1, SNMPv2, SNMPv3 with No
Authentication/No Privacy or Authentication/No Privacy), then the SNMP server of the appliance is switched
off when the FIPS 140-2 Compatible Cryptography mode is enabled.

If the SNMP server of the appliance had been switched off, then it remains off when the FIPS 140-2
Compatible Cryptography mode is enabled.

Password protection – increased as described above.

Product updates – the System > Update page is disabled and not displayed.

Vulnerability scanning setup – the Configuration > Integration > Vulnerability Scanning setup page is disabled
and not displayed.

Mitigation – All Configuration > Mitigation pages are disabled and not displayed.

ODBC DB Access – the Configuration > Account Management > ODBC DB Access page is disabled and not
displayed.
Accounts
The Accounts section enables you to specify a shell access mode and to change the passwords of shell accounts.
Figure 15-3. Configuration > Appliance Security > Security Compliance page Accounts section
The User Accounts list displays only accounts that are accessible from a command line session using either the console
port or SSH over the management (Primary) port. It does not list user accounts for the web user interface.
When the Shell Access mode is set to Shell Enabled, you can enable or disable logins individually for each shell
account. When you switch to a different Shell Access mode, shell access is restricted.
There are three Shell Access modes:

Shell Enabled

Challenge Mode

Shell Disabled
It is extremely important to understand the effects of changing the Shell Access mode before doing it. Some effects
are irreversible.
Shell Enabled
The appliance is shipped with shell access enabled. Shell access is not required for normal operation of the appliance.
All routine operational features are available from the web user interface. However, shell access is required for
integrating the appliance with other assets in your network and for troubleshooting in the event of a problem.
While in the Shell Enabled mode, you can enable or disable the following shell accounts individually and change their
passwords:

root

admin

mazu

dhcp

support
You can also change the password of the bootloader account, although that account cannot be disabled.
Challenge Mode
The Challenge Mode is the condition in which shell access to the appliance is limited to a single user account, and
access to that account cannot be gained without providing the correct response to a challenge question from the system.
The response must be obtained from Riverbed Support. Riverbed Support provides the response to only those
individuals authorized to receive it.
The Challenge Mode restricts user operations to only features that are available from the web user interface. Access
to the functionality of a command line shell is available to only those authorized to use the challenge account.
The default name for the challenge account is “support.” A challenge account user can change the name of the account
as well as the password. Additionally, the support account name can be changed on the Configuration > Appliance
Security > Security Compliance page. In the Accounts section, click the Edit Account link in the Action column.
Once the appliance has been switched to the Challenge Mode, it can be placed back into the Shell Enabled mode by
only the Challenge shell account user. It cannot be restored to the Shell Enabled mode by use of the web user interface.
Placing the appliance in the Challenge Mode has the following effects:
• The support account becomes the only means of user access to the shell. This account is available only when the
appliance is in the Challenge Mode.
• Password-based access is disabled for all shell accounts.
• The Profiler or Express appliances cannot download updates to Sensor or Gateway appliances that are running in
Challenge Mode.
Note: If you lose your support account password, you can change it on the Configuration > Appliance Security > Security
Compliance page.
Shell Disabled
The Shell Disabled mode permanently disables login access to all shell accounts. This is useful in environments that
must not allow any form of shell access.
Note: Switching to the Shell Disabled mode is irreversible. The only way to regain access to the shell after it has been disabled is
by reloading the software and starting over from a fresh installation.
Access
The Access section of the page controls ODBC access to the appliance database and remote access to the appliance by
other devices.
Figure 15-4. Configuration > Appliance Security > Security Compliance page Access section
ODBC access
The Enable ODBC Access option allows other systems to access the database of the appliance if they have been set up
as database users on the Configuration > Account Management > ODBC DB Access page. Deselect this option to
prevent ODBC access to the appliance database and to hide the Configuration > Account Management > ODBC DB
Access page.
Remote access
This section allows you to restrict access to the appliance by web browsers and SSH connections.
Restrict Web access to – allows you to specify the IP addresses of hosts and devices that are allowed to access the
appliance using port 80 (HTTP) redirect and port 443 (HTTPS). Anyone attempting to use a web browser to connect
to the Profiler appliance from a host outside the specified addresses will be denied access.
Restrict SSH access to – allows you to specify the IP addresses of hosts and devices that are allowed to access the
appliance using port 22 (SSH). Anyone attempting to SSH to the Profiler appliance from a host outside the specified
addresses will be denied access.
The permitted access is specified as a comma-separated list of IP addresses or address ranges in CIDR format.
Note: Ensure that the IP address of your own computer is included in the list for web access or SSH access. If you do not include
your own address, you will be unable to access the appliance except through the console port.
Note: On the Enterprise Profiler appliance, restricting access to the UI module automatically restricts all access to the other
modules. That is, the devices with addresses you list will be permitted access to the UI module but the other modules will be
completely inaccessible except to one another as required for operation.
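A pre-flight check for the two Restrict access lists described above, written for this guide as an added example (it is not Riverbed code and the appliance does not run it). It parses the comma-separated list of addresses and CIDR ranges and reports whether saving it would deny the host you are connecting from; strict parsing of ranges with host bits set is this example's choice, not documented appliance behaviour.

```python
"""Pre-flight check for the Restrict Web access to / Restrict SSH access to lists.

Added example (not Riverbed code, and not run by the appliance): it parses the
comma-separated list of addresses and CIDR ranges the page describes and reports
whether saving it would deny the host you are currently connecting from.
"""
import ipaddress
from typing import List


def check_access_list(value: str, my_ip: str) -> List[str]:
    """Return the problems with `value` as an allow list for an admin at my_ip.

    An empty result means every entry parses and my_ip is covered. Entries are
    parsed strictly (assumption of this example, not documented appliance
    behaviour): a range with host bits set, such as 10.1.2.3/24, is reported
    rather than silently widened to 10.1.2.0/24.
    """
    problems = []
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma
        try:
            # A bare address becomes a /32 (or /128) network.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            problems.append(f"{entry!r} is not an IP address or a CIDR range with the host bits clear")
    if not networks:
        problems.append("the list is empty")
        return problems
    me = ipaddress.ip_address(my_ip)
    if not any(me in net for net in networks):
        problems.append(f"{my_ip} is not covered; saving this list would leave only the console port")
    return problems


if __name__ == "__main__":
    # Constructed sample: an admin at 192.168.1.5 about to save a web access list.
    print(check_access_list("10.0.0.0/8, 192.168.1.5", "192.168.1.5"))
    print(check_access_list("10.0.0.0/8", "192.168.1.5"))
```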
Encryption Key Management
Cascade appliances use encryption for communicating with:
• Users
• Sources of user identity information (Active Directory Domain Controllers)
• Other Cascade products
This requires encryption keys and certificates for each type of communication. Encryption keys and certificates are
managed on the Configuration > Appliance Security > Encryption Key Management page.
Cascade appliances are shipped with default encryption certificates so that the appliances can interoperate when
installed. Many customers replace the default certificates as a security precaution. However, Cascade appliances
cannot communicate with one another while the certificate for that communication is being replaced.
Displays and controls on the page
The Encryption Key Management page has two tabs:
• Local Credentials – lists the keys and certificates that this appliance is using.
• Trusted Certificates – lists the trusted CA (Certificate Authority) certificates that this appliance trusts for
communicating with other Cascade products. When the other appliance is using a self-signed certificate, that
certificate must be listed here because it is itself the CA.
Local Credentials
The Local Credentials tab lists the types of certificates installed in the appliance you are logged in to, the dates for
which they are valid, the encryption algorithm and signature, and actions that you can take on this tab.
Figure 15-5. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
The columns list credentials as follows:
Type – type of credential: key or certificate
• SSH – private keys for shell access
• MNMP – SSL certificate for communication with other Cascade appliances
• Identityd – SSL certificate for communicating with user identity sources: Mazu AD Connector 1.5 and Cascade
AD Connector 2.0.
• Apache – SSL certificate for the web server for sessions with users’ web browsers
Not Before – date on which the certificate became valid
Expires On – date after which the certificate is no longer valid
Encryption – encryption algorithm and strength
Signature – type of certificate signature
Actions – actions that can be taken for the credentials.
For SSH keys:
• View Public Key – displays the public key that the appliance sends while connecting to other devices that
need to be authenticated.
• Regenerate Key Pair – regenerates the private key/public key pair.
• Change Private Key – opens a window in which you can replace the current key.
• Download Public Key – downloads this appliance’s public key to a location you specify.
For SSL certificates:
• View Certificate – displays the certificate that the appliance sends while connecting to other devices.
• Regenerate Key/Certificate – regenerates the private key and the self-signed certificate with the suitable
certificate extensions for its use.
• Change Key/Certificate – opens a window in which you can paste in a new private key and certificate.
• Download Certificate – downloads this appliance’s certificate to a location you specify.
Trusted Certificates
This tab lists the trusted CA certificates that this appliance should trust while communicating with other Cascade
products. When the other appliance’s certificate is issued by a chain of CAs, the entire chain of CAs up to the root CA
should be placed here. When the other appliance’s certificate is self-signed, it should be placed here because it is itself
a CA.
Figure 15-6. Configuration > Appliance Security > Encryption Key Management page Trusted Certificates tab
The columns list credentials as follows:
Description – either a user-defined comment or the certificate’s subject (Distinguished Name)
Not Before – date on which the certificate became valid
Expires On – date after which the certificate is no longer valid
Encryption – encryption algorithm and strength
Signature – type of certificate signature
Actions – actions that can be taken for the credentials:
• View Certificate – displays the CA certificate that the appliance uses to verify the certificate of the appliance that
is connecting to it.
• Change Entry – opens a window in which you can modify the description of this CA certificate and/or paste in a
new CA certificate. If you leave the description blank, the subject of the CA certificate is displayed as the
description.
• Download Certificate – downloads this appliance’s CA certificate to a location you specify.
• Delete Certificate – deletes the certificate.
Additionally, the tab has an Add New Certificate button. This opens a window in which you can add the CA certificate
for an additional appliance.
Replacing Keys and Certificates
The certificate that secures communication between Cascade appliances is the MNMP certificate. It is normally not
necessary to regenerate MNMP certificates in all interconnected Cascade products. Typically only the Profiler or
Express MNMP certificate is regenerated and the new certificate is given to all Sensor, Shark or Gateway appliances
that are sending data to the Profiler or Express appliance. However, you can regenerate all the certificates. The process
is the same, although the other appliances have no identityd certificate and the Shark web user interface is somewhat
different. Each appliance (including the Shark appliance) that generates a new self-signed certificate must have its new
certificate installed in every other Cascade appliance that communicates with it.
The sections that follow provide procedures for replacing SSH keys and SSL certificates on the Configuration >
Appliance Security > Encryption Key Management page.
Replacing SSH keys
Cascade shell accounts are secured by SSH. The SSH private key-public key pair is randomly generated in each
Cascade appliance at the time it is installed. There are no default SSH keys.
The appliance uses the SSH public key to connect to a backup server for running backups. Additionally, the Enterprise
Profiler uses it for communication between modules.
You can replace an SSH key pair either by regenerating them or by replacing the current pair with a pair obtained from
another source.
Regenerating an SSH key pair
To regenerate a key pair,
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab.
2. In the row for the shell account of interest, choose the Regenerate Key Pair action.
3. Select View Public Key and observe that it has changed.
On an Enterprise Profiler, the new public SSH key is automatically distributed to all modules.
Changing SSH key pair
To change an SSH private key-public key pair,
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab.
2. In the row for the shell account of interest, choose the Change Private Key action. This opens a window into
which you can paste a new private key.
When you copy the private key from the file where it is stored, be sure to include the header and footer lines:
-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQEAtMUjEKBf5m9hq7mdSasWiYcB2D3qa1mGeRT/7lPkpGbewNrl
...
CeNBbPMkGZONosCnmZvSycY/wFoslx9ozPPG/dRQHGmm7z6Ktw==
-----END RSA PRIVATE KEY-----
Figure 15-7. Change Private Key for SSH
3. Paste the key into the window and click OK. This installs the new private key. The private key includes a public
key within it, so this authorizes the public key as well.
4. Select View Public Key and observe that it has changed.
Replacing SSL certificates
The Profiler and Express appliances secure the following SSL connections using certificates:
• MNMP – Profiler or Express communicating with other Cascade appliances
• Identityd – Profiler or Express communicating with the Cascade ADConnector program to obtain user
information from Microsoft Active Directory domain controllers
• Apache – Profiler or Express communicating with users’ web browsers
The certificates that are currently in use can be replaced by:
• Regenerating the certificate – The Profiler or Express appliance generates a new certificate.
• Replacing the certificate – The current certificate can be replaced by a CA-signed or self-signed certificate that
you obtain or generate outside of the Cascade appliance.
There are slightly different procedures for replacing each type of certificate, as described below. You can locate the
procedure for your task and skip the others.
Replacing the MNMP SSL certificate
Before you replace the MNMP certificate, go to the System > Devices/Interfaces page Devices tab and identify all the
Cascade Sensor, Gateway and Shark appliances that connect to this appliance. These should be noted because after the
MNMP SSL certificate in this appliance has been replaced, each of those appliances must have their Trusted
Certificates list updated before they can connect to this appliance.
The connected appliances are displayed at the top level of the list on the Devices & Interfaces (Tree) tab. The tree view
may be disabled to improve performance if the list is very large. Click the Show all Devices and Interfaces button to
display the complete list. Note that the appliance performance may be impacted while a very large list is displayed.
Regenerating the MNMP SSL certificate
The Regenerate action creates a new private key and self-signed certificate. Note that when you regenerate the MNMP
certificate, the Profiler or Express will not be accessible to other Cascade appliances until you have installed the
certificate in their Trusted Certificates section.
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab.
2. In the row for the MNMP SSL Certificate, choose Regenerate Key/Cert from the Actions menu.
This generates a new certificate and a new private key. The certificate contains the new public key.
Figure 15-8. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
3. Choose either Download Certificate or View Certificate from the Actions menu.
• If you choose Download Certificate, follow the prompts to specify a location where the certificate file can
be downloaded. You can then copy the certificate from the file.
• If you choose View Certificate, copy the certificate from the window.
4. On each Cascade appliance that communicates with this appliance, go to the Configuration > Appliance Security
> Encryption Key Management page Trusted Certificates tab.
Figure 15-9. Configuration > Appliance Security > Encryption Key Management page Trusted Certificates tab
5. Click Add New Certificate to open a window into which you can paste the new Profiler or Express MNMP
certificate.
6. Paste the new certificate into the Key/Cert field.
7. Optionally, enter a description to be displayed in the Trusted Certificates list. Leave it blank if you want to use the
certificate’s subject. This can be changed later using the Change Entry action.
Figure 15-10. Configuration > Appliance Security > Encryption Key Management > Add New Public Certificate page
8. Click OK and confirm that the certificate is listed on the Trusted Certificates tab. The appliance will reestablish
contact with the Profiler or Express automatically within a few minutes.
Replacing the MNMP certificate with a CA-signed certificate
To minimize the time that the Profiler or Express appliance is inaccessible, it is recommended that you set up all the
Trusted Certificates first, and then replace the MNMP private key in the Profiler or Express.
Prerequisites
A CA-signed certificate may include a hierarchical chain of certificates from several certification authorities (the
certification chain). All these CA certificates must be added as individual entries in the Trusted Certificates section
of this appliance and all the Cascade appliances that connect to it.
Depending on your CA, you may receive these as a concatenation in one file and need to separate them before placing
them in the Trusted Certificates sections. If you add more than one CA certificate at a time, the appliance will use the
first one it finds, which may not be the correct one.
Alternatively, your CA may provide certificates in separate files. In this case, ensure that you have each certificate in
the entire CA chain and not just the end entity certificate.
The end entity certificate and its private key must be pasted into the Local Credentials section of the Profiler or Express
appliance, and the entire CA certificate chain must be pasted into the Trusted Certificates section of the Profiler or
Express appliance and every Sensor, Sensor-VE, Gateway and Shark appliance that connects to it.
The certificates must include the following certificate extensions:
• X.509v3 Subject Key Identifier
• X.509v3 Authority Key Identifier
These are necessary in case the CA certificate is renewed and in case more than one CA certificate has the same
subject.
Part 1 – Trusted Certificates
For each Cascade appliance that is to communicate with the Profiler or Express,
1. Copy the first certificate of the CA certificate chain, including the BEGIN and END statements. The certificate
will be in a format such as:
-----BEGIN CERTIFICATE-----
MIIBsTCCARqgAwIBAgIJAOqvgxZRcO+ZMA0GCSqGSIb3DQEBBAUAMA8xDTALBgNVBAMTBE1henUwHhcNMDYxMDAyMTY0M
zQxWhcNMTYwOTI5MTY0MzQxWjAPMQ0wCwYD05BPDxKbb8Ic6HBPDxKbb8Ic6HWpTJpzs
...
ehyejGdw6VhXpf4lP9Q8JfVERjCoroVkiXenVQe/zer7Qf2hiDB/5s02/
+8uiEeqMJpzsSdEYZUSgpyAcws5PDyr2GVFMI3dfPnl28hVavIkR8r05BPDxKbb8Ic6HWpTZMA0GCSqGSIb3DQEBBAUAM
A8xDTNMTYwOTI5MTY0MzQxBA
-----END CERTIFICATE-----
2. Go to the Configuration > Appliance Security > Encryption Key Management page Trusted Certificates tab.
Figure 15-11. Configuration > Appliance Security > Encryption Key Management page Trusted Certificates tab
3. Click Add New Certificate to open a window into which you can paste the CA-signed certificate.
4. Paste the certificate into the Certificate field.
5. Optionally, enter a description to be displayed in the Trusted Certificates list. Leave it blank if you want to use the
certificate’s subject. This can be changed later using the Change Entry action.
Figure 15-12. Configuration > Appliance Security > Encryption Key Management > Add New Public Certificate page
6. Click OK and confirm that the certificate is listed on the Trusted Certificates tab.
7. Repeat Steps 1 through 6 for each CA certificate in the chain until all CA certificates in the chain have been added
as separate entries on the first Cascade appliance that communicates with the Profiler or Express.
8. Then perform Steps 1 through 7 on all other Cascade appliances that connect to the Profiler or Express appliance.
9. After all the connecting Cascade appliances have all the CA certificates, perform Steps 1 through 6 on this
appliance.
Part 2 – Local Certificate and private key
After each certificate in the CA chain has been added to each appliance in your Cascade deployment as a trusted
certificate, the final step is to add the end entity certificate and the private key as the Local Credentials for your Profiler
or Express.
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab.
Figure 15-13. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
2. In the row for the MNMP SSL Certificate, choose Change Key/Cert from the Actions menu.
3. Paste both the MNMP certificate and the private key into the Key/Cert field.
4. Click OK and confirm that the MNMP certificate is listed on the Local Credentials tab.
Note: Ensure that you include both the private key and the end entity certificate with their BEGIN and END statements. If you paste
in just the certificate, you will get a certification error.
They will be in the format:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----
If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when
you initially paste it into the Change window.
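Two of the preparation steps in this procedure are easy to get wrong by hand: separating a concatenated CA bundle into one Trusted Certificates entry per certificate (the appliance keeps only the first block it finds), and pasting both the private key and the end entity certificate, each with its BEGIN and END lines, into the Key/Cert field. The following script checks both before anything is pasted; it is an added example, not Riverbed code, and the PEM blocks it builds are constructed placeholders around plain text, not real keys or certificates.

```python
"""Prepare PEM material for the Trusted Certificates and Key/Cert fields.

Added example (not Riverbed code). It splits a concatenated CA bundle into one
PEM block per certificate and checks that a Key/Cert paste carries exactly one
private key and one end entity certificate, each with its BEGIN and END lines.
"""
import base64
import binascii
import re
from typing import List, Tuple

# One PEM block. The END label must repeat the BEGIN label, so a block whose
# footer is missing or mismatched (a truncated paste) is simply not matched.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64 body) for every complete PEM block in text.

    Raises binascii.Error when a body is not valid base64 (for example line
    noise picked up while copying from a file or a terminal).
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())   # drop the line wrapping
        base64.b64decode(body, validate=True)      # strict: rejects stray characters
        blocks.append((m.group("label"), body))
    return blocks


def separate_ca_bundle(bundle: str) -> List[str]:
    """Split a concatenated CA chain into one PEM string per certificate.

    Each returned string is what goes into a single Trusted Certificates
    entry; pasting several at once keeps only the first one.
    """
    entries = []
    for label, body in split_pem(bundle):
        if label != "CERTIFICATE":
            raise ValueError(f"a CA bundle must contain only certificates, found {label}")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        entries.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return entries


def check_keycert_paste(text: str) -> List[str]:
    """Return the problems found in material intended for the Key/Cert field.

    An empty list means: one private key block ("PRIVATE KEY" or
    "RSA PRIVATE KEY", both forms appear in this guide) and exactly one
    certificate block, every block complete with BEGIN and END lines.
    """
    problems = []
    try:
        blocks = split_pem(text)
    except binascii.Error as err:
        return [f"a block body is not valid base64: {err}"]
    if len(blocks) != len(re.findall(r"-----BEGIN ", text)):
        problems.append("a block is missing its END line, or the END label does not match BEGIN")
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [label for label, _ in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected 1 private key block, found {len(keys)}")
    if len(certs) != 1:
        problems.append(f"expected 1 certificate block, found {len(certs)}")
    return problems


def _pem(label: str, payload: bytes) -> str:
    """Build a constructed PEM block around arbitrary bytes (sample data only)."""
    body = base64.b64encode(payload).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


# Constructed samples: the payloads are plain text, not real keys or certificates.
CA_BUNDLE = (_pem("CERTIFICATE", b"constructed intermediate CA certificate")
             + _pem("CERTIFICATE", b"constructed root CA certificate"))
KEYCERT_OK = (_pem("PRIVATE KEY", b"constructed private key")
              + _pem("CERTIFICATE", b"constructed end entity certificate"))
CERT_ONLY = _pem("CERTIFICATE", b"constructed end entity certificate")
# Same as KEYCERT_OK but with the certificate footer lost while copying.
TRUNCATED = KEYCERT_OK.replace("-----END CERTIFICATE-----\n", "")

if __name__ == "__main__":
    for entry in separate_ca_bundle(CA_BUNDLE):
        print(entry)
    print("complete paste:", check_keycert_paste(KEYCERT_OK))
    print("certificate only:", check_keycert_paste(CERT_ONLY))
    print("truncated:", check_keycert_paste(TRUNCATED))
```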
Replacing the MNMP certificate with a self-signed certificate
The procedure for a self-signed certificate is the same as for a CA-signed certificate except that you do not have to add
the CA chain of certificates to the Trusted Certificates section. All you need to add is the self-signed certificate.
Part 1 – Trusted Certificate
For each Cascade appliance that is to communicate with the Profiler or Express appliance,
1. Copy the self-signed certificate, including the BEGIN and END statements. The certificate will be in a format such
as:
-----BEGIN CERTIFICATE-----
MIIBsTCCARqgAwIBAgIJAOqvgxZRcO+ZMA0GCSqGSIb3DQEBBAUAMA8xDTALBgNVBAMTBE1henUwHhcNMDYxMDAyMTY0M
zQxWhcNMTYwOTI5MTY0MzQxWjAPMQ0wCwYD05BPDxKbb8Ic6HBPDxKbb8Ic6HWpTJpzs
...
ehyejGdw6VhXpf4lP9Q8JfVERjCoroVkiXenVQe/zer7Qf2hiDB/5s02/
+8uiEeqMJpzsSdEYZUSgpyAcws5PDyr2GVFMI3dfPnl28hVavIkR8r05BPDxKbb8Ic6HWpTZMA0GCSqGSIb3DQEBBAUAM
A8xDTNMTYwOTI5MTY0MzQxBA
-----END CERTIFICATE-----
2. Go to the Configuration > Appliance Security > Encryption Key Management page Trusted Certificates tab.
Figure 15-14. Configuration > Appliance Security > Encryption Key Management page Trusted Certificates tab
3. Click Add New Certificate to open a window into which you can paste the CA-signed certificate.
Figure 15-15. Configuration > Appliance Security > Encryption Key Management > Add New Public Certificate page
4. Paste the certificate into the Key/Cert field.
5. Optionally, enter a comment to be displayed in the Trusted Certificates list. Leave it blank if you want to use the
certificate’s subject. This can be changed later using the Change Entry action.
6. Click OK and confirm that the certificate is listed on the Trusted Certificates tab.
Part 2 – Local Certificate and private key
After the self-signed certificate has been added to each appliance in your Cascade deployment as a trusted certificate,
the final step is to add the certificate and the private key as the Local Credentials for your Profiler or Express.
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab.
Figure 15-16. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
2. In the row for the MNMP SSL Certificate, choose Change Key/Cert from the Actions menu.
Figure 15-17. Change Key/Certificate for MNMP
3. Paste both the MNMP certificate and the private key into the Key/Cert field.
4. Click OK and confirm that the MNMP certificate is listed on the Local Credentials tab.
Note: Ensure that you include both the private key and the certificate with their BEGIN and END statements. If you paste in just
the certificate, you will get a certification error.
They will be in the format:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----
If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when
you initially paste it into the Change window.
Replacing the Identityd SSL certificate
The Identityd certificate secures communication between the Cascade ADConnector program and the Profiler or
Express appliance. The Cascade ADConnector program transfers user identity information from Microsoft Windows
Active Directory domain controllers to a Cascade Profiler or Express appliance.
The subject Common Name in the Identityd certificate must be: CN=Mazu Profiler: Identity
The appliance checks the validity dates when the certificate is loaded. Afterwards, it ignores the expiration date.
Regenerating the Identityd certificate
The Regenerate action creates a new private key and self-signed certificate. To regenerate the Identityd certificate,
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab.
2. In the row for the Identityd SSL Certificate, choose Regenerate Key/Cert from the Actions menu.
This generates a new certificate and a new private key. The certificate contains the new public key.
Figure 15-18. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
3. Click OK and confirm that the Identityd certificate is listed on the Local Credentials tab.
4. If the program collecting the user identity information is the Cascade ADConnector 1.5 program (Microsoft
Windows 2000 or Windows 2003 Active Directory domain controllers), then resynchronize the program. Refer to
Tech Note 029 for details.
5. If the program collecting the user identity information is the Cascade ADConnector 2.0 program (Microsoft
Windows 2008 Active Directory domain controllers), then the program will resynchronize automatically and no
further action is necessary.
Replacing the Identityd certificate with a CA-signed certificate
When replacing the Identityd certificate with a CA-signed certificate, it is not necessary to add these certificates to the
device that is running the ADConnector program.
Prerequisites
A CA-signed certificate may include a hierarchical chain of certificates from several certification authorities (the
certification chain). All these CA certificates must be added as individual entries in the Trusted Certificates section
of this appliance.
Depending on your CA, you may receive these as a concatenation in one file and need to separate them before placing
them in the Trusted Certificates section. If you add more than one CA certificate at a time, the appliance will use the
first one it finds, which may not be the correct one.
Alternatively, your CA may provide certificates in separate files. In this case, ensure that you have each certificate in
the entire CA chain and not just the end entity certificate.
The end entity certificate and its private key must be pasted into the Local Credentials section of the Profiler or Express
appliance, and the entire CA certificate chain must be pasted into the Trusted Certificates section of this Profiler or
Express appliance.
The certificates must include the following certificate extensions:
• X.509v3 Subject Key Identifier
• X.509v3 Authority Key Identifier
These are necessary in case the CA certificate is renewed and in case more than one CA certificate has the same
subject.
Part 1 – Trusted Certificates
To add the CA certificates to this Profiler or Express appliance,
1. Copy the first certificate of the CA certificate chain, including the BEGIN and END statements. The certificate
will be in a format such as:
-----BEGIN CERTIFICATE-----
MIIBsTCCARqgAwIBAgIJAOqvgxZRcO+ZMA0GCSqGSIb3DQEBBAUAMA8xDTALBgNVBAMTBE1henUwHhcNMDYxMDAyMTY0M
zQxWhcNMTYwOTI5MTY0MzQxWjAPMQ0wCwYD05BPDxKbb8Ic6HBPDxKbb8Ic6HWpTJpzs
...
ehyejGdw6VhXpf4lP9Q8JfVERjCoroVkiXenVQe/zer7Qf2hiDB/5s02/
+8uiEeqMJpzsSdEYZUSgpyAcws5PDyr2GVFMI3dfPnl28hVavIkR8r05BPDxKbb8Ic6HWpTZMA0GCSqGSIb3DQEBBAUAM
A8xDTNMTYwOTI5MTY0MzQxBA
-----END CERTIFICATE-----
2. Go to the Configuration > Appliance Security > Encryption Key Management page Trusted Certificates tab.
Figure 15-19. Configuration > Appliance Security > Encryption Key Management page Trusted Certificates tab
3. Click Add New Certificate to open a window into which you can paste the CA-signed certificate.
Figure 15-20. Configuration > Appliance Security > Encryption Key Management > Add New Public Certificate page
4. Optionally, enter a description to be displayed in the Trusted Certificates list. Leave it blank if you want to use the
certificate’s subject. This can be changed later using the Change Entry action.
5. Paste the certificate into the Key/Cert field.
6. Click OK and confirm that the certificate is listed on the Trusted Certificates tab.
7. Repeat this procedure for each CA certificate in the chain until all CA certificates in the chain have been added as
separate entries.
Part 2 – Local Certificate and private key
After each certificate in the CA chain has been added as a trusted certificate, add the end entity certificate and the
private key as the Local Credentials for this Profiler or Express.
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab.
Figure 15-21. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
2. In the row for the Identityd SSL Certificate, choose Change Key/Cert from the Actions menu.
Figure 15-22. Change Key/Certificate for Identityd
3. Paste both the end entity Identityd certificate and the private key into the Key/Cert field.
4. Click OK and confirm that the Identityd certificate is listed on the Local Credentials tab.
Note: Ensure that you include both the private key and the end entity certificate with their BEGIN and END statements. If you paste
in just the certificate, you will get a certification error.
They will be in the format:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----
If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when
you initially paste it into the Change window.
Part 3 – Cascade ADConnector program
If the program collecting the user identity information is the Cascade ADConnector 1.5 program (Microsoft Windows
2000 or Windows 2003 Active Directory domain controllers), then resynchronize the program. Refer to Tech Note 029
for details.
If the program collecting the user identity information is the Cascade ADConnector 2.0 program (Microsoft Windows
2008 Active Directory domain controllers), then the program will resynchronize automatically and no further action
is necessary.
Replacing the Identityd certificate with a self-signed certificate
To replace the Identityd certificate with a self-signed certificate,
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab of this
appliance.
Figure 15-23. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
2. In the row for the Identityd SSL Certificate, choose Change Key/Cert from the Actions menu.
Figure 15-24. Change Key/Certificate for Identityd
3. Paste both the Identityd certificate and the private key into the Key/Cert field.
4. Click OK and confirm that the Identityd certificate is listed on the Local Credentials tab.
Note: Ensure that you include both the private key and the certificate with their BEGIN and END statements. If you paste in just
the certificate, you will get a certification error.
They will be in the format:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----
If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when
you initially paste it into the Change window.
5. If the program collecting the user identity information is the Cascade ADConnector 1.5 program (Microsoft
Windows 2000 or Windows 2003 Active Directory domain controllers), then resynchronize the program. Refer to
Tech Note 029 for details.
6. If the program collecting the user identity information is the Cascade ADConnector 2.0 program (Microsoft
Windows 2008 Active Directory domain controllers), then the program will resynchronize automatically and no
further action is necessary.
Replacing the Apache SSL certificate
The Apache certificate secures the Profiler appliance while it is communicating with users’ web browsers. After you
replace the Apache certificate it will be necessary to restart your browser to avoid browser errors. Additionally, all
other users that are connected to the web user interface of this appliance should restart their browsers to avoid browser
errors.
Regenerating the Apache certificate
The Regenerate action creates a new private key and CA-signed certificate. Each Cascade appliance has its own CA
root for Apache.
To regenerate the SSL certificate for the Apache web server,
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab.
2. In the row for the Apache SSL Certificate, choose Regenerate Key/Cert from the Actions menu.
Figure 15-25. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
This generates a new certificate and a new private key.
3. Restart your web browser before logging back in to the appliance. Advise all other users that are connected to the
web user interface of this appliance to restart their browsers to avoid browser errors.
Replacing the Apache certificate with a CA-signed certificate
For the Apache certificate, there is no need to load the CA certificate chain. Only the end entity certificate and private
key are necessary. The Apache certificate should have standard web server extensions (SSL Server, TLS Web Server
Authentication, etc.). If it does not have these, the web browser’s certificate verification process may fail.
To replace the Apache certificate with a CA-signed certificate,
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab of this
appliance.
Figure 15-26. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
2. In the row for the Apache SSL Certificate, choose Change Key/Cert from the Actions menu.
Figure 15-27. Change Key/Certificate for Apache
3. Paste both the Apache certificate and the private key into the Key/Cert field.
4. Click OK and confirm that the Apache certificate is listed on the Local Credentials tab.
Note: Ensure that you include both the private key and the certificate with their BEGIN and END statements. If you paste in just
the certificate, you will get a certification error.
They will be in the format:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----
If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when
you initially paste it into the Change window.
5. Restart your web browser before logging back in to the appliance. Advise all other users that are connected to the
web user interface of this appliance to restart their browsers to avoid browser errors.
Replacing the Apache certificate with a self-signed certificate
For the Apache certificate only the end entity certificate and private key are necessary. The Apache certificate should
have standard web server extensions (SSL Server, TLS Web Server Authentication, etc.). If it does not have these, the
web browser’s certificate verification process may fail.
To replace the Apache certificate with a self-signed certificate,
1. Go to the Configuration > Appliance Security > Encryption Key Management page Local Credentials tab of this
appliance.
Figure 15-28. Configuration > Appliance Security > Encryption Key Management page Local Credentials tab
2. In the row for the Apache SSL Certificate, choose Change Key/Cert from the Actions menu.
Figure 15-29. Change Key/Certificate for Apache
3. Paste both the Apache certificate and the private key into the Key/Cert field.
4. Click OK and confirm that the Apache certificate is listed on the Local Credentials tab.
Note: Ensure that you include both the private key and the certificate with their BEGIN and END statements. If you paste in just
the certificate, you will get a certification error.
They will be in the format:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----
If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when
you initially paste it into the Change window.
5. Restart your web browser before logging back in to the appliance. Advise all other users that are connected to the
web user interface of this appliance to restart their browsers to avoid browser errors.
SSL certificate requirements
Cascade products require SSL certificates to follow ITU-T standard X.509 and base-64 encoding of DER with header
and footer lines. This is generally referred to as PEM format.
Cascade products require an unencrypted private key in a PKCS#8 format encoded in the PEM format. Encrypted
private keys and binary-encoded private keys (including PKCS#12) are not accepted. If your Certificate Authority
issues the PKCS#12 file, you will need to convert it to the PEM format.
The Local Credential section expects:
-----BEGIN CERTIFICATE-----
Base-64 encoded certificate
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Base-64 encoded private key
-----END PRIVATE KEY-----
Additionally, the certificates and keys must meet the minimum requirements of the operational security mode. If the
certificates do not comply with FIPS 140-2 requirements when the appliance is switched into FIPS 140-2 Compatible
Cryptography mode, they will automatically be replaced by the default certificates.
The key and certificate requirements are as follows:
• FIPS Compatible Cryptography mode:
  • SSH: 1024 bit or more RSA or DSA
  • SSL: X.509 certificate, 1024 bit or more RSA or DSA, signed with SHA1 or higher
• Not in FIPS Compatible Cryptography mode (minimum requirements):
  • SSH: 512 bit or more RSA or DSA
  • SSL: X.509 certificate, 512 bit or more RSA or DSA, any signature
The default values are:
• SSH: 2048 bit RSA
• SSL: X.509 certificate, 2048 bit RSA, SHA512 signature
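The container-format rules above (a PEM-encoded X.509 certificate plus an unencrypted PKCS#8 private key, each with its own BEGIN and END lines, in either order) can be checked before anything is pasted into the Key/Cert field. The Python script below is an added example and is not part of the Riverbed product or of this guide; the function names parse_pem and validate_key_cert are its own, and the sample PEM bodies are constructed placeholders rather than real key material.

```python
"""Check text destined for the Key/Cert field against the guide's format rules.

Added example, not Riverbed code. It verifies that the paste holds one
PEM-encoded certificate and one unencrypted PKCS#8 private key, each with
matching BEGIN and END lines and a valid base-64 body, in either order.
The sample PEM bodies below are constructed placeholders, not real keys.
"""
import base64
import binascii
import re

# One PEM block: "-----BEGIN <label>-----", base-64 body, "-----END <label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<begin>[A-Z ]+)-----(?P<body>.*?)-----END (?P<end>[A-Z ]+)-----",
    re.DOTALL,
)

# Key labels the guide says the appliance does not accept, with the reason.
REJECTED_KEY_LABELS = {
    "ENCRYPTED PRIVATE KEY": "encrypted private keys are not accepted; supply an unencrypted PKCS#8 key",
    "RSA PRIVATE KEY": "traditional (PKCS#1) RSA key; convert it to unencrypted PKCS#8",
    "DSA PRIVATE KEY": "traditional DSA key; convert it to unencrypted PKCS#8",
    "EC PRIVATE KEY": "traditional EC key; convert it to unencrypted PKCS#8",
}


def parse_pem(text):
    """Return [(label, der_bytes)] for each block; raise ValueError on a malformed block."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, end = m.group("begin"), m.group("end")
        if begin != end:
            raise ValueError("BEGIN %s block is closed by END %s" % (begin, end))
        body = "".join(m.group("body").split())   # join the wrapped base-64 lines
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("%s block is not valid base-64: %s" % (begin, exc))
        # An X.509 certificate and a PKCS#8 PrivateKeyInfo are both DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError("%s block does not decode to a DER SEQUENCE" % begin)
        blocks.append((begin, der))
    return blocks


def validate_key_cert(text):
    """Return a list of problems; an empty list means the paste meets the format rules."""
    try:
        labels = [label for label, _ in parse_pem(text)]
    except ValueError as exc:
        return [str(exc)]
    problems = [REJECTED_KEY_LABELS[l] for l in labels if l in REJECTED_KEY_LABELS]
    if labels.count("PRIVATE KEY") != 1:
        problems.append("exactly one PRIVATE KEY block is required; pasting only the "
                        "certificate is the case the guide warns produces a certification error")
    if labels.count("CERTIFICATE") == 0:
        problems.append("CERTIFICATE block is missing")
    elif labels.count("CERTIFICATE") > 1:
        problems.append("more than one CERTIFICATE block; the Key/Cert field takes the end entity certificate only")
    return problems


# Constructed samples: the base-64 body MAMCAQA= is a five-byte DER SEQUENCE
# standing in for real key and certificate material.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("key + cert:", validate_key_cert(SAMPLE_KEY + SAMPLE_CERT))
    print("cert only: ", validate_key_cert(SAMPLE_CERT))
    print("encrypted: ", validate_key_cert(
        SAMPLE_KEY.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY") + SAMPLE_CERT))
```

The script checks only the container format the guide describes; key length and signature algorithm (the FIPS-mode minimums listed above) need an ASN.1 parser or OpenSSL to verify. Converting a PKCS#12 bundle or a traditional-format key to the unencrypted PKCS#8 PEM form the appliance expects is done with the standard OpenSSL commands openssl pkcs12 -nodes and openssl pkcs8 -topk8 -nocrypt, which are OpenSSL's own, not commands documented in this guide.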
APPENDIX A
SNMP Support
The Cascade Profiler and Cascade Express appliances send SNMP traps and support MIB browsing by MIB tools. This
section describes the traps and access to the MIB. A copy of the MIB can be downloaded from the help system.
This appendix includes the following sections:
• “Trap summary,” next
• “Variables common to all Cascade Profiler and Cascade Express traps” on page 274
• “Additional trap variables” on page 276
• “Cascade Profiler and Cascade Express appliance MIB” on page 278
Trap summary
The Cascade appliance sends SNMP Version 1, 2c or 3 traps, if enabled. The Behavior Analysis > Notifications page
specifies two IP addresses and port numbers for the trap destinations.
Each trap is identified by an enterprise-specific trap number. This is an INTEGER, provided as the last part of the trap
Object ID .1.3.6.1.4.1.7054.70.0.n, where n is the trap number as follows:
Event                                Enterprise-specific trap numbers
                                     Low     Medium  High
Denial of Service/Bandwidth Surge    11      12      13
Worm                                 15      16      17
Host Scan                            19      20      21
Port Scan                            23      24      25
Suspicious Connection                27      28      29
New Host                             31      32      33
New Server Port                      47      48      49
User-defined policy                  55      56      57
Sensor Problem                       -       -       65
Application Availability             79      80      81
Link Congestion                      83      84      85
Link Outage                          87      88      89
Application Performance              91      92      93
Service                              95      -       97
Storage Problem                      -       -       105
Test                                 -       -       99
Sensor Problem events and Storage Problem events always generate high level alert traps.
Variables common to all Cascade Profiler and Cascade Express traps
The appliance attaches variables to traps to provide information to the trap receiver. All traps include a set of variables
describing the conditions that caused the trap. Traps for some types of policies include additional variables, which are
listed separately by trap. The variables that are common to all the appliance traps include:
• Trap Number - an INTEGER, indicated by a component of the trap Object ID .1.3.6.1.4.1.7054.70.0.n, where n
is the unique, enterprise-specific trap number as listed in the table above.
• System Up Time - an INTEGER, identified as .1.3.6.1.2.1.1.3.0, that is the length of time that the appliance
operating system has been running, expressed in Time Ticks (hundredths of a second).
• Severity - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.1.0, that indicates the severity, on a scale of 1 to
100, of the event that triggered the alert.
• Event Description - a human-readable OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.3.0, that provides
the name of the type of policy that caused the alert.
• Event ID - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.4.0, that is the appliance's Event ID number for the
event that triggered the alert. This is the ID number displayed on the Dashboard page and the Event Reports page.
• Event URL - an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.5.0, that is the URL of the Event Details
report for the event that triggered the alert. This is given in the format
https://<appliance_name>/event_viewer.php?id=<event_ID>. A login (Event Viewer role or higher) and password on
the appliance are required to view the report.
• Alert Level - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.7.0, that indicates the level of the alert, where 1
is Low, 2 is Medium, and 3 is High.
• Start Time - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.8.0, that is the epoch time that the event started.
• Source Count - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.16.0, that is the number of sources associated
with the event.
• Source List - a sequence, identified as .1.3.6.1.4.1.7054.71.2.17.0, that lists the IP address and host name of
sources associated with the event. The elements in this list are:
  Index - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.17.1.1.n, where n is the number of the row.
  Name - an OCTET STRING, which is the DNS name (if available) of the source host, and is identified as
  .1.3.6.1.4.1.7054.71.2.17.1.2.n where n is the number of the row.
  Address - an IpAddress, which is the IP address of the source host, and is identified as
  .1.3.6.1.4.1.7054.71.2.17.1.3.n where n is the number of the row.
  For example, the OIDs for the first three rows are:
  Index: .1.3.6.1.4.1.7054.71.2.17.1.1.1
  Name: .1.3.6.1.4.1.7054.71.2.17.1.2.1
  Address: .1.3.6.1.4.1.7054.71.2.17.1.3.1
  Index: .1.3.6.1.4.1.7054.71.2.17.1.1.2
  Name: .1.3.6.1.4.1.7054.71.2.17.1.2.2
  Address: .1.3.6.1.4.1.7054.71.2.17.1.3.2
  Index: .1.3.6.1.4.1.7054.71.2.17.1.1.3
  Name: .1.3.6.1.4.1.7054.71.2.17.1.2.3
  Address: .1.3.6.1.4.1.7054.71.2.17.1.3.3
• Destination Count - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.18.0, that is the number of destinations
associated with the event.
• Destination List - a sequence, identified as .1.3.6.1.4.1.7054.71.2.19.0, that lists the IP address and host name of
destinations associated with the event. The elements in this list are:
  Index - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.19.1.1.n, where n is the number of the row.
  Name - an OCTET STRING, which is the DNS name (if available) of the destination host, and is identified
  as .1.3.6.1.4.1.7054.71.2.19.1.2.n where n is the number of the row.
  Address - an IpAddress, which is the IP address of the destination host, and is identified as
  .1.3.6.1.4.1.7054.71.2.19.1.3.n where n is the number of the row.
• Protocol Count - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.20.0, that is the number of protocols
associated with the event.
• Protocol List - a sequence, identified as .1.3.6.1.4.1.7054.71.2.21.0, that lists the protocols associated with the
event. The elements in this list are:
  Index - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.21.1.1.n, where n is the number of the row.
  Name - an OCTET STRING, which is the name of the protocol, and is identified as
  .1.3.6.1.4.1.7054.71.2.21.1.2.n where n is the number of the row.
  Number - an INTEGER, which is the number of the protocol, and is identified as
  .1.3.6.1.4.1.7054.71.2.21.1.3.n where n is the number of the row.
• Port Count - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.22.0, that is the number of ports associated with
the event.
• Port List - a sequence, identified as .1.3.6.1.4.1.7054.71.2.23.0, that lists the ports associated with the event. The
elements in this list are:
  Index - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.23.1.1.n, where n is the number of the row.
  Name - an OCTET STRING, which is the name of the port, and is identified as
  .1.3.6.1.4.1.7054.71.2.23.1.2.n where n is the number of the row.
  Protocol Number - an INTEGER, which is the numeric ID of the protocol associated with the port and is
  identified as .1.3.6.1.4.1.7054.71.2.23.1.3.n where n is the number of the row.
  Port Number - an INTEGER, which is the numeric ID of the port and is identified as
  .1.3.6.1.4.1.7054.71.2.23.1.4.n where n is the number of the row.
The length of the source, destination, protocol, and port lists is limited by the “Maximum length of lists
attached to traps” setting in the SNMP MIB Configuration section of the Configuration > General Settings
page. For compatibility reasons, the protocol/port-related variables are named in terms of “services” in the
appliance MIB.
Additional trap variables
In addition to the variables that are common to all Cascade Profiler and Cascade Express traps, the following traps
include other variables:
• Denial of Service/Bandwidth Surge
• Suspicious Connection
• New Server Port
• Performance and Availability and User-defined
• Service
• Storage Problem
Denial of Service/Bandwidth Surge trap variables
In addition to the variables that are common to all the appliance traps, the Denial of Service/Bandwidth Surge traps
include:
• normal bytes per second - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.31.0, that is the normal number of
bytes per second for the current profile.
• current bytes per second - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.32.0, that is the current number of
bytes per second.
• normal packets per second - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.33.0, that is the normal number
of packets per second for the current profile.
• current packets per second - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.34.0, that is the current number
of packets per second.
Suspicious Connection trap variables
In addition to the variables that are common to all the appliance traps, the Suspicious Connection traps include:
• current number of connections - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.36.0, that is the current
number of connections per second.
New Server Port trap variables
In addition to the variables that are common to all the appliance traps, the New Server Port traps include:
• host or group switch - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.41.1.0, that indicates whether the
policy alerted on a host or on a group, where 1 indicates Host, and 2 indicates Group.
• host name - an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.41.2.0. If the policy alerts for only a
specified host, then this is the host name.
• host address - an IpAddress, identified as .1.3.6.1.4.1.7054.71.2.41.3.0. If the policy alerts for only a specified
host, then this is the host's IP address.
• policy description - an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.43.0, that describes the policy that
was violated.
• group type ID - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.41.4.0. If the policy alerts for only a given
group, then this is the numeric ID of the group type.
• group ID - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.41.5.0. If the policy alerts for only a given group,
then this is the numeric ID of the group.
Performance, Availability, and User-defined trap variables
In addition to the variables that are common to all the appliance traps, the Performance and Availability traps and
User-defined traps both include:
• policy name - an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.42.0, that is the name of the policy that
was violated.
• policy description - an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.43.0, that describes the policy that
was violated.
• upper or lower bound - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.45.0, that identifies whether the
threshold is an upper bound or lower bound, where 1 indicates upper bound and 2 indicates lower bound.
• threshold value - an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.46.0, that identifies the traffic rate for the
exceeded threshold.
• threshold units - a STRING, identified as .1.3.6.1.4.1.7054.71.2.47.0, that identifies the units of measure that the
rule is using.
Service trap variables
In addition to the variables that are common to all Profiler traps, Service traps include:
• policy name - an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.42.0, that is the name of the policy that
was violated.
• policy description - an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.43.0, that describes the policy that
was violated.
Storage Problem trap variables
Storage traps include only the variables that are common to all Profiler and Express traps.
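A trap receiver has to turn the trap number and the OID-keyed varbinds described above into something a ticketing or SIEM pipeline can use. The Python script below is an added example, not Riverbed code: it maps the enterprise-specific trap number to the event type and alert level from the trap summary table, collects the common scalar variables, rebuilds the source, destination, protocol and port lists from their .71.2.<table>.1.<column>.<row> OIDs, and flags a list whose count is larger than the rows delivered (the list-length cap described above). The function name decode_trap and the sample trap are its own; the sample varbinds are constructed for illustration.

```python
"""Decode a Cascade Profiler enterprise trap into a structured alert.

Added example, not Riverbed code. A trap is modelled as its trap OID plus
the list of (OID, value) varbinds a receiver such as snmptrapd hands to a
handler; the sample trap at the bottom is constructed for illustration.
"""

TRAP_PREFIX = "1.3.6.1.4.1.7054.70.0."   # enterprise trap OID; last component is the trap number
VAR_BASE = "1.3.6.1.4.1.7054.71.2."      # all Cascade trap variables live under this subtree

# Enterprise-specific trap numbers as (Low, Medium, High) from the trap summary table.
TRAP_TABLE = {
    "Denial of Service/Bandwidth Surge": (11, 12, 13), "Worm": (15, 16, 17),
    "Host Scan": (19, 20, 21), "Port Scan": (23, 24, 25),
    "Suspicious Connection": (27, 28, 29), "New Host": (31, 32, 33),
    "New Server Port": (47, 48, 49), "User-defined policy": (55, 56, 57),
    "Sensor Problem": (None, None, 65), "Application Availability": (79, 80, 81),
    "Link Congestion": (83, 84, 85), "Link Outage": (87, 88, 89),
    "Application Performance": (91, 92, 93), "Service": (95, None, 97),
    "Storage Problem": (None, None, 105), "Test": (None, None, 99),
}
TRAP_BY_NUMBER = {
    num: (event, level)
    for event, numbers in TRAP_TABLE.items()
    for num, level in zip(numbers, ("Low", "Medium", "High")) if num is not None
}

# Scalar variables: OID suffix under VAR_BASE -> field name (the common variables plus
# the Denial of Service, Suspicious Connection and policy-name variables).
SCALARS = {
    "1.0": "severity", "3.0": "event_description", "4.0": "event_id",
    "5.0": "event_url", "7.0": "alert_level", "8.0": "start_time",
    "16.0": "source_count", "18.0": "destination_count",
    "20.0": "protocol_count", "22.0": "port_count",
    "31.0": "normal_bytes_per_second", "32.0": "current_bytes_per_second",
    "33.0": "normal_packets_per_second", "34.0": "current_packets_per_second",
    "36.0": "current_connections", "42.0": "policy_name", "43.0": "policy_description",
}

# Table variables are .71.2.<table>.1.<column>.<row>; each table has a count scalar.
TABLES = {
    "17": ("sources", "source_count", ("index", "name", "address")),
    "19": ("destinations", "destination_count", ("index", "name", "address")),
    "21": ("protocols", "protocol_count", ("index", "name", "number")),
    "23": ("ports", "port_count", ("index", "name", "protocol_number", "port_number")),
}


def decode_trap(trap_oid, varbinds):
    """Return a dict with the event type, alert level, scalar fields and row lists."""
    oid = trap_oid.lstrip(".")
    if not oid.startswith(TRAP_PREFIX):
        raise ValueError("not a Cascade enterprise trap: %s" % trap_oid)
    number = int(oid[len(TRAP_PREFIX):])
    event, level = TRAP_BY_NUMBER.get(number, ("Unknown", "Unknown"))
    alert = {"trap_number": number, "event": event, "level": level}
    rows = {name: {} for name, _, _ in TABLES.values()}
    for var_oid, value in varbinds:
        var_oid = var_oid.lstrip(".")
        if not var_oid.startswith(VAR_BASE):
            continue                      # e.g. sysUpTime; not needed for the alert record
        suffix = var_oid[len(VAR_BASE):]
        if suffix in SCALARS:
            alert[SCALARS[suffix]] = value
            continue
        parts = suffix.split(".")
        if len(parts) == 4 and parts[0] in TABLES and parts[1] == "1":
            name, _, columns = TABLES[parts[0]]
            col, row = int(parts[2]) - 1, int(parts[3])
            if 0 <= col < len(columns):
                rows[name].setdefault(row, {})[columns[col]] = value
    # The lists are capped by the "Maximum length of lists attached to traps" setting,
    # so a count larger than the rows delivered means the list was cut short.
    alert["truncated_lists"] = []
    for name, count_field, _ in TABLES.values():
        alert[name] = [rows[name][r] for r in sorted(rows[name])]
        if alert.get(count_field, 0) > len(alert[name]):
            alert["truncated_lists"].append(name)
    return alert


# Constructed sample: a Low-level Denial of Service/Bandwidth Surge trap (trap number 11)
# that reports three sources but, because of the list length cap, carries only two rows.
V = ".1.3.6.1.4.1.7054.71.2."
SAMPLE_TRAP_OID = ".1.3.6.1.4.1.7054.70.0.11"
SAMPLE_VARBINDS = [
    (".1.3.6.1.2.1.1.3.0", 8640000),
    (V + "1.0", 72), (V + "3.0", "Denial of Service/Bandwidth Surge"), (V + "4.0", 4711),
    (V + "5.0", "https://profiler.example.com/event_viewer.php?id=4711"),
    (V + "7.0", 1), (V + "8.0", 1343779140),
    (V + "16.0", 3),
    (V + "17.1.1.1", 1), (V + "17.1.2.1", "ws-a.example.com"), (V + "17.1.3.1", "10.0.0.5"),
    (V + "17.1.1.2", 2), (V + "17.1.2.2", ""), (V + "17.1.3.2", "10.0.0.6"),
    (V + "18.0", 1),
    (V + "19.1.1.1", 1), (V + "19.1.2.1", "www.example.com"), (V + "19.1.3.1", "192.0.2.10"),
    (V + "20.0", 1), (V + "21.1.1.1", 1), (V + "21.1.2.1", "tcp"), (V + "21.1.3.1", 6),
    (V + "22.0", 1),
    (V + "23.1.1.1", 1), (V + "23.1.2.1", "http"), (V + "23.1.3.1", 6), (V + "23.1.4.1", 80),
    (V + "31.0", 120000), (V + "32.0", 9800000), (V + "33.0", 150), (V + "34.0", 14000),
]

if __name__ == "__main__":
    for key, val in sorted(decode_trap(SAMPLE_TRAP_OID, SAMPLE_VARBINDS).items()):
        print("%-28s %s" % (key, val))
```

The Alert Level scalar (1, 2 or 3) and the level derived from the trap number should agree; a receiver that stores both can use a mismatch as a sign of a mis-mapped or tampered trap. Because the event URL only leads to the Event Details report after a login with the Event Viewer role or higher, the URL is safe to forward into a ticket but is not itself evidence.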
Cascade Profiler and Cascade Express appliance MIB
The appliance MIB values can be read with any standards-based SNMP MIB tool, including those on the Windows
and Linux operating systems. You can obtain a copy of the MIB definition file from the help system and save it locally
for your MIB tool to use for labeling the values it retrieves from the appliance.
The SNMP Object ID for the MIB is 1.3.6.1.4.1.7054.70. You can use either Version 1 or Version 3 of SNMP for
browsing the MIB.
Versions 1 and 2c
If you are using an SNMP Version 1 or 2c MIB tool, ensure that the correct configuration is selected in the SNMP MIB
Configuration section of the Configuration > General Settings page and copy the Version 1 MIB definition file from
the online help system SNMP Support > MIB page. This file is named MAZU-V1-COMPATIBILITY-MIB.txt.
Version 3
If you are using an SNMP Version 3 MIB tool, ensure that the Version 3 configuration is selected in the SNMP MIB
Configuration section of the Configuration > General Settings page and copy the Version 3 MIB definition file from
the online help system SNMP Support > MIB page. This file is named MAZU-MIB.txt.
Examples
The following examples use the Linux snmpwalk tool. In these examples, the command is entered as one line.
Version 3 without privacy
snmpwalk -m MIB_path -v 3 -u fred -l authNoPriv -a MD5 -A fredpass1 mgt_if .1.3.6.1.4.1.7054.70
where:
MIB_path is the path to the local copy of MAZU-MIB.txt
fred is the user name
MD5 is the authentication protocol
fredpass1 is the authentication password
mgt_if is the IP address or host name of the Standard Profiler or the Manager blade in an Enterprise Profiler. This is
available in the Management Interface Configuration section of the Configuration > General Settings page.
Version 3 with privacy
snmpwalk -m MIB_path -v 3 -u fred -l authPriv -a MD5 -A fredpass1 -x DES -X fredpass2 mgt_if .1.3.6.1.4.1.7054.70
where:
MIB_path is the path to the local copy of MAZU-MIB.txt
fred is the user name
MD5 is the authentication protocol
fredpass1 is the authentication password
DES is the privacy protocol
fredpass2 is the privacy password
mgt_if is the IP address or host name of the Standard Profiler or the Manager blade in an Enterprise Profiler. This is
available in the Management Interface Configuration section of the Configuration > General Settings page.
Version 1
snmpwalk -m MIB_path -v 1 -c community mgt_if .1.3.6.1.4.1.7054.70
where:
MIB_path is the path to the local copy of MAZU-V1-COMPATIBILITY-MIB.txt
community is the community name of the appliance. This is available in the SNMP MIB Configuration section of the
Configuration > General Settings page.
mgt_if is the IP address or host name of the Standard Profiler or the Manager blade in an Enterprise Profiler. This is
available in the Management Interface Configuration section of the Configuration > General Settings page.
APPENDIX B
Backup and Restore
This appendix describes backing up the Cascade Profiler and Cascade Express logs and restoring the system from the
backup copy. It includes the following sections:
• “Overview,” next
• “Profiler and Profiler-VE” on page 281
• “Express and Express 460” on page 287
Overview
The Profiler, Profiler-VE and Express backup and restore operations are performed using the mazu-sync command line
utility. This utility replaces the mazu-backup and mazu-restore utilities used by earlier versions of the product.
The mazu-sync utility backs up the system configuration information and traffic information to a customer-provided
system. It also loads the system with the configuration information and traffic information (if stored) from the backup
system. It is run from the command line interface of the Profiler and does not affect the Sensor.
Profiler and Profiler-VE
Check the backup requirements and restore requirements before using the mazu-sync command line utility to backup
or restore a Profiler or Profiler-VE.
Backup requirements
For backup operations, the mazu-sync utility requires:
• SSH key - The SSH daemon on the backup machine should be configured to allow the Profiler to access it
without asking for a password. To configure this, add the RSA public key of the Standard Profiler or the UI
Module of the Enterprise Profiler (found in /opt/cascade/vault/ssh/mazu/id_rsa.pub) to (for example)
~admin/.ssh/authorized_keys2 on the backup server.
• 10 Mb/s access - The backup system must be accessible via SSH at an effective speed of at least 10 Mbps.
The mazu-sync utility keeps a log locally at /usr/mazu/var/log/backup.log and also on the backup machine at
<backup_directory>/backup.log.
Sensitive data (passwords, encryption keys, community strings) can be encrypted with AES256 encryption by
specifying a password when doing the backup. This is required when going through the web user interface.
The Profiler does not need to be stopped during the backup. However, running mazu-sync will have some performance
impacts.
Notes
• Version consistency - The backup files can be used to restore only a Profiler running the same version of
software used to create the backup. If the Profiler software is not identical to the version backed up, then the
restore operation will not succeed.
• Configuration - In addition to backing up and restoring a single appliance, backup files from one appliance can
be used to restore another appliance, with the following limitations:
  • Backup files from a Standard Profiler can restore another Standard Profiler or an Enterprise Profiler that has
  one Analysis Module.
  • Backup files from an Enterprise Profiler can restore another Enterprise Profiler with the same number of
  modules.
  Note that in order to use backup files from one appliance to restore a different appliance,
  • The two appliances must be using the identical software version.
  • The two appliances must be based on compatible hardware. Appliances using hardware earlier than the
  model xx60 hardware are compatible with one another. Appliances using the model xx60 hardware are
  compatible with one another. Additionally, backup files from hardware earlier than the model xx60 hardware
  can be used to restore appliances using the model xx60 hardware.
• Licenses - The Profiler being restored (xx60 based hardware platforms and later models) must have its licenses
installed prior to restore. This can be done on the Configuration > Licenses web user interface page.
Restore requirements
For restore operations, the mazu-sync utility requires:
• SSH key - The SSH daemon on the backup machine should be configured to allow the Profiler to access it
without asking for a password. To configure this, add the RSA public key of the Standard Profiler or the UI
Module of the Enterprise Profiler (found in /opt/cascade/vault/ssh/mazu/id_rsa.pub) to
~admin/.ssh/authorized_keys2 on the backup server. Additionally, the Profiler (or the UI Module, in the case of an
Enterprise Profiler) should be configured to allow the backup machine access without asking for a password. To do
this, add the DSA or RSA public key of the backup machine (typically found in ~admin/.ssh/id_dsa.pub) to
/opt/cascade/vault/ssh/mazu/authorized_keys2 of the Standard Profiler or of the UI Module of the Enterprise
Profiler.
• 10 Mb/s access - The backup system must be accessible via SSH at an effective speed of at least 10 Mbps.
• Version consistency - The backup files can be used to restore only a Profiler running the same version of
software used to create the backup. If the Profiler software is not identical to the version backed up, then the
restore operation will not succeed.
• Shell access - Shell access must be enabled on the Configuration > Appliance Security > Security Compliance
page in order to perform the restore operation.
• Password - the image may require a password if:
  • It was backed up from the web user interface
  • It was backed up using the --pass option
  The system cannot be restored with the image without the correct password.
• Configured Profiler - The Profiler must be configured for your installation before you run mazu-sync. Note that
the security compliance settings on the Configuration > Appliance Security > Security Compliance page are
specific to the appliance and are not included in the backup image. This includes FIPS mode, Strict Security
mode, Shell Access setting, shell user passwords, Bootloader password and appliance access settings. These must
be set for each appliance after restoring the image.
In addition to backing up and restoring a single appliance, backup files from one appliance can be used to restore
another appliance, with the following limitations:
• Backup files from a Standard Profiler or a Profiler-VE can restore another Standard Profiler, a Profiler-VE, or
an Enterprise Profiler that has one Analysis Module.
• Backup files from an Enterprise Profiler can restore another Enterprise Profiler with the same number of
modules.
Note that in order to use backup files from one appliance to restore a different appliance,
• The two appliances must be using the identical software version.
• The two appliances must be based on compatible hardware. Appliances using hardware earlier than the
model xx60 hardware are compatible with one another. Appliances using the model xx60 hardware are
compatible with one another. Additionally, backup files from hardware earlier than the model xx60 hardware
can be used to restore appliances using the model xx60 hardware.
• Licenses - Before beginning the restore operation, install all applicable licenses on the system that is to be
restored. Licenses are installed on the Configuration > Licenses page.
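The backup and restore requirements above both rest on password-less SSH trust: the backup server's authorized_keys2 must hold the Profiler's id_rsa.pub, and for a restore the Profiler's /opt/cascade/vault/ssh/mazu/authorized_keys2 must hold the backup machine's key. Because each of those files grants shell-level access to whoever holds the matching private key, it is worth confirming that each side trusts exactly the peer it should and nothing else. The Python script below is an added example, not Riverbed code: it parses OpenSSH public-key lines, reports whether the expected key is present (and with which options), and lists the fingerprints of every other key the file trusts. The names parse_pubkey, fingerprint and audit_authorized_keys are its own, and the key blobs it uses are constructed placeholders, not real keys.

```python
"""Audit the key-based SSH trust that mazu-sync depends on.

Added example, not Riverbed code. It parses OpenSSH public-key lines as
found in id_rsa.pub and authorized_keys2 files, reports whether the expected
peer key is present and lists the SHA256 fingerprints of every other key the
file trusts. The key blobs below are constructed placeholders, not real keys.
"""
import base64
import hashlib
from collections import namedtuple

PubKey = namedtuple("PubKey", "options keytype blob comment")
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def parse_pubkey(line):
    """Parse one OpenSSH public-key line; returns None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # authorized_keys entries may start with an options field such as from="10.0.0.1",no-pty;
    # the key type is the first field that looks like one, and the base-64 blob follows it.
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            return PubKey(" ".join(fields[:i]), field, fields[i + 1], " ".join(fields[i + 2:]))
    return None


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base-64 key blob (unpadded base-64 of the digest)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(authorized_keys_text, expected_pubkey_line):
    """Return whether the expected key is trusted, its options, and what else the file trusts."""
    expected = parse_pubkey(expected_pubkey_line)
    if expected is None:
        raise ValueError("expected public key line could not be parsed")
    report = {"peer_key_present": False, "peer_key_options": None, "other_trusted_keys": []}
    for line in authorized_keys_text.splitlines():
        entry = parse_pubkey(line)
        if entry is None:
            continue
        if entry.keytype == expected.keytype and entry.blob == expected.blob:
            report["peer_key_present"] = True
            report["peer_key_options"] = entry.options
        else:
            report["other_trusted_keys"].append((entry.keytype, fingerprint(entry.blob), entry.comment))
    return report


# Constructed sample data (not real keys): the Profiler's id_rsa.pub and the backup
# server's authorized_keys2, which restricts the Profiler key to one source address
# and also trusts one unrelated key that the audit should surface.
_PROFILER_BLOB = base64.b64encode(b"constructed placeholder for the Profiler RSA key").decode()
_OTHER_BLOB = base64.b64encode(b"constructed placeholder for some other key").decode()
SAMPLE_PROFILER_PUBKEY = "ssh-rsa %s mazu@profiler" % _PROFILER_BLOB
SAMPLE_AUTHORIZED_KEYS2 = "\n".join([
    "# keys trusted by the backup account",
    'from="192.0.2.7",no-pty ssh-rsa %s mazu@profiler' % _PROFILER_BLOB,
    "ssh-rsa %s someone@laptop" % _OTHER_BLOB,
    "",
])

if __name__ == "__main__":
    print(audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS2, SAMPLE_PROFILER_PUBKEY))
```

Run it once against each side of the trust relationship (the backup server's file with the Profiler's id_rsa.pub, and the Profiler's authorized_keys2 with the backup machine's public key). Any entry in other_trusted_keys is a key that can log in as that account and should be accounted for; a from= option on the peer key, as in the sample, limits where the key may be used from and is a reasonable hardening step for a service-to-service key.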
Backing up a Standard Profiler or a Profiler-VE
The mazu-sync utility is run from the command line on the Profiler or Profiler-VE in the format:
mazu-sync --push TARGET-DIR [options]
where TARGET-DIR is the copy-to destination and is specified using the [user@]host:path syntax as with the scp
command. The target directory on the backup machine must already exist and the backup machine must have the RSA
public key of the Profiler.
To run a full backup:
1. Ensure that the backup requirements have been met.
2. Ensure that the ~/backup directory exists on the backup server.
3. Initiate an SSH connection to the Profiler as user mazu.
4. Ensure that ~admin/.ssh/authorized_keys2 on the backup server has the Profiler RSA public key, which you
can copy from /opt/cascade/vault/ssh/mazu/id_rsa.pub on the Profiler.
5. Enter the backup command in the format:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --all
This creates a subdirectory in the target directory, names it with the current timestamp (e.g., 20120731_2359),
and copies all configuration and traffic data to it.
To exclude traffic flow logs and user identity logs from the backup, use the command with the --no-logs option
(default). For example:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs
Password protection
Sensitive data (passwords, encryption keys, community strings) in the backup image can be encrypted with AES256
encryption by specifying a password when doing the backup. Use the --pass option to include a password. You can
enter the password string in the command line or from STDIN. For example:
Entering a password from the command line:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs --pass 'mypassword'
Receiving a password from STDIN:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs --pass STDIN
Notes
When mazu-sync is run, it keeps the last two copies (by default) of the backup and deletes anything older than that. To
keep 'N' older copies, use the --keep N option.
To see other available options under mazu-sync, run: mazu-sync --help
Restoring a Standard Profiler or a Profiler-VE
The mazu-sync utility restores the Profiler or Profiler-VE to the state that existed when the backup was created, except
that it does not change the basic network settings that are configured on the Configuration > General Settings page.
Current data on the Profiler is lost when the mazu-sync utility is run. The mazu-sync utility is run from the command
line on the Profiler in the format:
mazu-sync --pull SOURCE-DIR [options]
where SOURCE-DIR is the backup directory and is specified using the [user@]host:path
syntax as with the scp command. For example, to restore from a full backup:
1. Ensure that the restore requirements have been met.
2. Ensure that keyless SSH access between the backup server admin account and the Profiler mazu account is
configured.
3. Ensure that all applicable licenses are installed on the Profiler to be restored. (This step does not apply to hardware
platforms earlier than xx60 models.)
4. Initiate an SSH connection to the Profiler and log in as mazu.
5. If any changes were made in local.conf, copy <backup_directory>/profiler/emhost/usr/mazu/etc/device
and <backup_directory>/profiler/emhost/usr/mazu/etc/local.conf from the backup server to /usr/mazu/
etc/ of the Profiler.
6. On the Profiler, if no password is required for the backup image, run the restore command as follows:
To run a full restore of the Profiler (which requires that you ran a full backup), run the restore command in
the following format:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all
To restore a Profiler without restoring traffic flow logs or user identity logs, run the restore command in the
following format:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs
7. If the sensitive data in the backup image has been protected by a password and encryption, you must enter the
password either on the command line or from STDIN.
For entering a password from the command line, use the following commands instead of the commands
shown in Step 6:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all --pass 'mypassword'
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs --pass 'mypassword'
For receiving a password from STDIN, use the following commands instead of the commands shown above:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all --pass STDIN
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs --pass STDIN
Notes:
To see other available options for mazu-sync, run mazu-sync --help on the Profiler command line.
If there are multiple backup image folders in the path you specified, mazu-sync will restore the latest image
available.
The mazu-sync utility keeps a log locally at /usr/mazu/var/log/restore.log.
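The backup and restore procedures above, which the Enterprise Profiler and Express sections below repeat almost verbatim, as an added POSIX sh wrapper that is not part of this guide or of mazu-sync: it validates the [user@]host:path target, probes the backup server with a non-interactive SSH call so a missing key or missing directory fails before any data moves, and supplies the --pass password on STDIN from a file instead of on the command line, where other users could read it from the process list. MAZU_SYNC, SSH and PASS_FILE are names introduced here, not mazu-sync options, so the wrapper can be exercised against stand-ins.

```shell
#!/bin/sh
# Added example (not code from the Riverbed guide or from mazu-sync itself).
# Assumptions: --pass STDIN reads the password from standard input as the guide
# describes; MAZU_SYNC and SSH are overridable so the wrapper can be exercised
# against stand-ins; PASS_FILE is a hypothetical mode-0600 file holding the
# password (leave it unset for an unencrypted image).
MAZU_SYNC="${MAZU_SYNC:-/usr/mazu/bin/mazu-sync}"
SSH="${SSH:-ssh}"

# Split [user@]host:path into USERHOST and RPATH. Only a conservative character
# set is accepted, so nothing the remote shell could interpret reaches it.
parse_target() {
    case "$1" in *:/*) ;; *) return 1 ;; esac           # needs host:/absolute/path
    USERHOST="${1%%:*}"; RPATH="${1#*:}"
    case "$USERHOST" in ''|@*|*@|*@*@*|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    case "$RPATH" in *[!A-Za-z0-9._/-]*) return 1 ;; esac
    return 0
}

# BatchMode makes ssh fail instead of prompting, so success proves the
# appliance's RSA key is in the backup server's authorized_keys2 and that the
# directory mazu-sync expects to exist already is there.
target_ready() {
    parse_target "$1" || { echo "malformed target: $1" >&2; return 1; }
    "$SSH" -o BatchMode=yes -o ConnectTimeout=10 "$USERHOST" test -d "$RPATH"
}

# run_sync --push|--pull TARGET all|no-logs [extra mazu-sync options]
# With PASS_FILE set, the password travels on STDIN, not on the command line
# where `ps` and shell history would expose it.
run_sync() {
    mode="$1"; target="$2"; scope="$3"; shift 3
    case "$scope" in all|no-logs) ;; *) echo "scope must be all or no-logs" >&2; return 2 ;; esac
    target_ready "$target" || { echo "target not reachable or missing: $target" >&2; return 2; }
    if [ -n "${PASS_FILE:-}" ]; then
        [ -r "$PASS_FILE" ] || { echo "cannot read $PASS_FILE" >&2; return 2; }
        "$MAZU_SYNC" "$mode" "$target" "--$scope" "$@" --pass STDIN < "$PASS_FILE"
    else
        "$MAZU_SYNC" "$mode" "$target" "--$scope" "$@"
    fi
}

# mazu_backup TARGET [all|no-logs] [KEEP]: push a backup, retaining KEEP older copies.
mazu_backup() {
    keep="${3:-2}"
    case "$keep" in ''|*[!0-9]*) echo "keep count must be a number: $keep" >&2; return 2 ;; esac
    run_sync --push "$1" "${2:-no-logs}" --keep "$keep"
}

# mazu_restore SOURCE [all|no-logs]: pull the latest image from SOURCE.
# Current data on the appliance is replaced, exactly as the guide warns.
mazu_restore() {
    run_sync --pull "$1" "${2:-no-logs}"
}
```

Source the file as user mazu on the appliance, then call, for example, PASS_FILE=/root/.mazu-pass mazu_backup admin@backup-server.company.com:/backup/mazu all 3.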
Backing up an Enterprise Profiler
The mazu-sync utility is run from the command line on the UI Module of the Enterprise Profiler in the format:
mazu-sync --push TARGET-DIR [options]
where TARGET-DIR is the copy-to destination and is specified using the [user@]host:path syntax as with the scp
command. The target directory on the backup machine must already exist and the backup machine must have the RSA
public key of the Profiler.
To run a full backup:
1. Ensure that the backup requirements have been met.
2. Ensure that the ~/backup directory exists on the backup server.
3. Initiate an SSH connection to the UI Module of the Enterprise Profiler as user mazu.
4. Ensure that ~admin/.ssh/authorized_keys2 on the backup server has the Profiler RSA public key, which you
can copy from /opt/cascade/vault/ssh/mazu/id_rsa.pub on the UI Module of the Profiler.
5. Enter the backup command in the format:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --all
This creates a subdirectory in the target directory, names it with the current timestamp (e.g., 20120731_2359), and
copies all configuration and traffic data to it.
To exclude traffic flow logs and user identity logs from the backup, use the command with the --no-logs option
(default). For example:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs
Password protection
Sensitive data (passwords, encryption keys, community strings) in the backup image can be encrypted with AES256
encryption by specifying a password when doing the backup.
Use the --pass option to include a password. You can enter the password string in the command line or from STDIN.
For example:
Entering a password from the command line:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs --pass 'mypassword'
Receiving a password from STDIN:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs --pass STDIN
Notes
When mazu-sync is run, it keeps the last two copies (by default) of the backup and deletes anything older than that. To
keep "N" older copies, use the --keep N option.
To see other available options under mazu-sync, run mazu-sync --help from the Profiler command line.
Restoring an Enterprise Profiler
The mazu-sync utility restores the Enterprise Profiler to the state that existed when the backup was created, except that
it does not change the basic network settings that are configured on the Configuration > General Settings page.
Current data on the Enterprise Profiler is lost when the mazu-sync utility is run.
The mazu-sync utility is run from the command line on the Profiler in the format:
mazu-sync --pull SOURCE-DIR [options]
where SOURCE-DIR is the backup directory and is specified using the [user@]host:path syntax as with the scp
command. For example, to restore from a full backup:
1. Ensure that the restore requirements have been met.
2. Ensure that keyless SSH access between the backup server admin account and the Profiler mazu account is
configured.
3. Ensure that all applicable licenses are installed on the Enterprise Profiler that is to be restored. (This step does not
apply to hardware platforms earlier than xx60 models.)
4. Initiate an SSH connection to Profiler Database Module and log in as mazu.
5. If any changes were made in local.conf, copy <backup_directory>/profiler/emhost/usr/mazu/etc/device
and <backup_directory>/profiler/emhost/usr/mazu/etc/local.conf from the backup server to /usr/mazu/
etc/ of the Profiler.
6. On the Profiler, if no password is required for the backup image, run the restore command as follows:
To run a full restore of the Profiler (requires that you ran a full backup), run the restore command in the
following format:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all
To restore a Profiler without restoring traffic flow logs or user identity logs, run the restore command in the
following format:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs
7. If the sensitive data in the backup image has been protected by a password and encryption, you must enter the
password either on the command line or from STDIN.
For entering a password from the command line, use the following commands instead of the commands
shown in Step 6:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all --pass 'yourpassword'
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs --pass 'yourpassword'
For receiving a password from STDIN, use the following commands instead of the commands shown above:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all --pass STDIN
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs --pass STDIN
Notes
To see other available options for mazu-sync, run mazu-sync --help on the Profiler command line.
If there are multiple backup image folders in the path you specified, mazu-sync will restore the latest image
available.
Express and Express 460
Check the backup requirements and restore requirements before using the mazu-sync command line utility to backup
or restore an Express. Express 460 packet logs, capture jobs, and index files are not backed up.
Backup requirements
For backup operations, the mazu-sync utility requires:
SSH key - The SSH daemon on the backup machine should be configured to allow the Express to access it
without asking for a password. To configure this, add the RSA public key of the Express (found in
/opt/cascade/vault/ssh/mazu/id_rsa.pub) to (for example) ~admin/.ssh/authorized_keys2 on the backup
server.
10 Mb/s access - The backup system must be accessible via SSH at an effective speed of at least 10 Mbps.
The mazu-sync utility keeps a log locally at /usr/mazu/var/log/backup.log and also on the backup machine at
<backup_directory>/backup.log.
Sensitive data (passwords, encryption keys, community strings) can be encrypted with AES256 encryption by
specifying a password when doing the backup. This is required when going through the web user interface.
The Express does not need to be stopped during the backup. However, running mazu-sync will have some performance
impacts.
Notes
Version consistency - The backup files can be used to restore only an Express running the same version of
software used to create the backup. If the Express software is not identical to the version backed up, then the
restore operation will not succeed.
Configuration - In order to use backup files from one appliance to restore a different appliance:
  The two appliances must be using the identical software version.
  The two appliances must be based on compatible hardware. Appliances using hardware earlier than the
  model xx60 hardware are compatible with one another. Appliances using the model xx60 hardware are
  compatible with one another. Additionally, backup files from hardware earlier than the model xx60 hardware
  can be used to restore appliances using the model xx60 hardware.
Licenses - The Express being restored (xx60 based hardware platforms and later models) must have its licenses
installed prior to restore. This can be done on the Configuration > Licenses web user interface page.
Restore requirements
For restore operations, the mazu-sync utility requires:
SSH key - The SSH daemon on the backup machine should be configured to allow the Express to access it
without asking for a password. To configure this, add the RSA public key of the Express (found in
/opt/cascade/vault/ssh/mazu/id_rsa.pub) to ~admin/.ssh/authorized_keys2 on the backup server. Additionally,
the Express should be configured to allow the backup machine access without asking for a password. To do this,
add the DSA or RSA public key of the backup machine (typically found in ~admin/.ssh/id_dsa.pub) to
/opt/cascade/vault/ssh/mazu/authorized_keys2 of the Express.
10 Mb/s access - The backup system must be accessible via SSH at an effective speed of at least 10 Mbps.
Version consistency - The backup files can be used to restore only an Express running the same version of
software used to create the backup. If the Express software is not identical to the version backed up, then the
restore operation will not succeed.
Shell access - Shell access must be enabled on the Configuration > Appliance Security > Security Compliance
page in order to perform the restore operation.
Password - The image may require a password if:
  It was backed up from the web user interface.
  It was backed up using the --pass option.
The system cannot be restored with the image without the correct password.
Configured Profiler - The Profiler must be configured for your installation before you run mazu-sync. Note that
the security compliance settings on the Configuration > Appliance Security > Security Compliance page are
specific to the appliance and are not included in the backup image. This includes FIPS mode, Strict Security
mode, Shell Access setting, shell user passwords, Bootloader password and appliance access settings. These must
be set for each appliance after restoring the image.
Note that in order to use backup files from one appliance to restore a different appliance:
  The two appliances must be using the identical software version.
  The two appliances must be based on compatible hardware. Appliances using hardware earlier than the
  model xx60 hardware are compatible with one another. Appliances using the model xx60 hardware are
  compatible with one another. Additionally, backup files from hardware earlier than the model xx60 hardware
  can be used to restore appliances using the model xx60 hardware.
Licenses - Before beginning the restore operation, install all applicable licenses on the system that is to be
restored. Licenses are installed on the Configuration > Licenses page.
Backing up an Express
The mazu-sync utility is run from the command line on the Express in the format:
mazu-sync --push TARGET-DIR [options]
where TARGET-DIR is the copy-to destination and is specified using the [user@]host:path syntax as with the scp
command. The target directory on the backup machine must already exist and the backup machine must have the RSA
public key of the Express.
To run a full backup:
1. Ensure that the backup requirements have been met.
2. Ensure that the ~/backup directory exists on the backup server.
3. Initiate an SSH connection to the Express as user mazu.
4. Ensure that ~admin/.ssh/authorized_keys2 on the backup server has the Express RSA public key, which you
can copy from /opt/cascade/vault/ssh/mazu/id_rsa.pub on the Express.
5. Enter the backup command in the format:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --all
This creates a subdirectory in the target directory, names it with the current timestamp (e.g., 20120731_2359),
and copies all configuration and traffic data to it.
To exclude traffic flow logs and user identity logs from the backup, use the command with the --no-logs option
(default). For example:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs
Password protection
Sensitive data (passwords, encryption keys, community strings) in the backup image can be encrypted with AES256
encryption by specifying a password when doing the backup.
Use the --pass option to include a password. You can enter the password string in the command line or from STDIN.
For example:
Entering a password from the command line:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs --pass 'mypassword'
Receiving a password from STDIN:
/usr/mazu/bin/mazu-sync --push admin@backup-server.company.com:/backup/mazu --no-logs --pass STDIN
Notes
When mazu-sync is run, it keeps the last two copies (by default) of the backup and deletes anything older than
that. To keep 'N' older copies, use the --keep N option.
To see other available options under mazu-sync, run: mazu-sync --help
Restoring an Express
The mazu-sync utility restores the Express to the state that existed when the backup was created, except that it does
not change the basic network settings that are configured on the Configuration > General Settings page.
Current data on the Express is lost when the mazu-sync utility is run.
The mazu-sync utility is run from the command line on the Express in the format:
mazu-sync --pull SOURCE-DIR [options]
where SOURCE-DIR is the backup directory and is specified using the [user@]host:path syntax as with the scp
command. For example, to restore from a full backup:
1. Ensure that the restore requirements have been met.
2. Ensure that keyless SSH access between the backup server admin account and the Express mazu account is
configured.
3. Ensure that all applicable licenses are installed on the Express to be restored. (This step does not apply to hardware
platforms earlier than xx60 models.)
4. Initiate an SSH connection to the Express and log in as mazu.
5. If any changes were made in local.conf, copy <backup_directory>/profiler/emhost/usr/mazu/etc/device
and <backup_directory>/profiler/emhost/usr/mazu/etc/local.conf from the backup server to /usr/mazu/
etc/ of the Express.
6. On the Express, if no password is required for the backup image, run the mazu-sync command as follows:
To run a full restore of the Express (which requires that you ran a full backup), run the restore command in
the following format:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all
To restore an Express without restoring traffic flow logs or user identity logs, run the restore command in the
following format:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs
7. If the sensitive data in the backup image has been protected by a password and encryption, you must enter the
password either on the command line or from STDIN.
For entering a password from the command line, use the following commands instead of the commands
shown in Step 6:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all --pass 'mypassword'
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs --pass 'mypassword'
For receiving a password from STDIN, use the following commands instead of the commands shown above:
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --all --pass STDIN
/usr/mazu/bin/mazu-sync --pull admin@backup-server.company.com:/backup/mazu --no-logs --pass STDIN
Notes
To see other available options for mazu-sync, run mazu-sync --help on the Express command line.
If there are multiple backup image folders in the path you specified, mazu-sync will restore the latest image
available.
The mazu-sync utility keeps a log locally at /usr/mazu/var/log/restore.log.
APPENDIX C
Securing the Environment
In most Cascade Profiler and Cascade Express deployments, Sensors are not on the same subnetwork as the Profiler
or Express appliance. Messages from the Sensor to the appliance are typically routed. However, Sensors can be placed
on the same subnetwork as the Profiler or Express appliance. This presents the following threat scenario:
If a Sensor is placed on the same subnetwork as the Profiler or Express appliance, and
if an intruder can place an unauthorized device on that subnetwork, and
if the intruder knows the IP address of the Profiler or Express interface,
then it could be possible for the intruder to assign the IP address of the Profiler or Express appliance to the
unauthorized device.
This scenario could result in some of the Sensor data being received by the unauthorized device instead of by the
Profiler or Express appliance. It is very unlikely that the unauthorized device could decipher the Sensor data because
it is encrypted. Even if it could, having that information is unlikely to be of any value anyway. The security concern is
that the Profiler or Express appliance might not receive all the data the Sensor sends under this scenario.
You can protect against this type of threat by binding the Profiler or Express IP and MAC addresses on the Sensor.
This eliminates the possibility of the Sensor getting the MAC address of an unauthorized device that is using the IP
address belonging to the Profiler or Express appliance.
This precaution is not necessary when the Sensor and Profiler are on different subnetworks of a routed network. If an
intruder duplicates the Profiler IP address on a routed network, the Sensor will see either the unauthorized device or
the Profiler, but not both. In the first case, Profiler will indicate the loss of connectivity with the Sensor. In the second
case, the unauthorized device will have no impact on the operation of the Sensor and Profiler, even without a static
MAC/IP address binding.
Setting up a static MAC/IP address binding on a Sensor
To set up a static MAC/IP binding on a Sensor,
1. Obtain the Profiler MAC address and IP address. Use the command line interface to log in as mazu and run
ifconfig.
2. Log on to the Sensor command line interface as root:
su root
3. Create the file /etc/ethers and edit it to contain a line that specifies the MAC address, followed by a tab, followed
by the IP address. Use the format:
xx:xx:xx:xx:xx:xx y.y.y.y
4. Edit the /etc/rc.local file to add the following line:
/sbin/arp -f /etc/ethers
This ensures that this binding is used if the Sensor is rebooted.
5. Run the command to establish the binding now:
/sbin/arp -f /etc/ethers
6. Check the System Information > Devices/Interfaces page to ensure that the appliance is receiving Sensor data. If
the Sensor status is listed as OK, connectivity has been established.
If the IP address changes (e.g., you move the Profiler or Express appliance on the network), or the MAC address
changes (e.g., you replace the interface card), this procedure will need to be performed again.
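The static binding procedure above as an added set of sh helper functions, not from this guide or from the Sensor software: they validate the MAC and IPv4 address before /etc/ethers is touched, keep one entry per IP address so a re-run after the appliance moves replaces the stale line instead of adding a second one, add the /sbin/arp -f line to /etc/rc.local only once, and load the table with arp -f. The file paths are parameters and ARP is an overridable name introduced here, so the functions can be exercised on scratch files.

```shell
#!/bin/sh
# Added example (not code from the Riverbed guide or the Sensor). Assumptions:
# file paths are parameters so the functions can run on scratch files; ARP is
# overridable and defaults to /sbin/arp as in the guide.
ARP="${ARP:-/sbin/arp}"

# Six colon-separated hex octets. The all-zero and broadcast addresses can never
# belong to a Profiler or Express interface, so a typo that yields one is rejected.
valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        00:00:00:00:00:00|[Ff][Ff]:[Ff][Ff]:[Ff][Ff]:[Ff][Ff]:[Ff][Ff]:[Ff][Ff]) return 1 ;;
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# Dotted quad with exactly four octets, each 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bind_entry MAC IP [ETHERS]: write "MAC<TAB>IP", replacing any earlier line for
# the same IP so a moved appliance does not leave a stale binding behind.
bind_entry() {
    mac="$1"; ip="$2"; ethers="${3:-/etc/ethers}"
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 2; }
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    [ -f "$ethers" ] || : > "$ethers"
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')        # literal dots in the regex
    grep -v "[[:space:]]$ip_re\$" "$ethers" > "$ethers.tmp" || true   # grep -v exits 1 on no output
    printf '%s\t%s\n' "$mac" "$ip" >> "$ethers.tmp"
    mv "$ethers.tmp" "$ethers"
}

# persist_binding [RC_LOCAL] [ETHERS]: make the binding survive a reboot by
# appending the arp -f line only if it is not already present (-x whole line, -F literal).
persist_binding() {
    rc="${1:-/etc/rc.local}"; ethers="${2:-/etc/ethers}"
    line="$ARP -f $ethers"
    grep -qxF "$line" "$rc" 2>/dev/null || printf '%s\n' "$line" >> "$rc"
}

# apply_binding [ETHERS]: load the table into the ARP cache now. Entries set
# this way are static, so a reply for that IP from another MAC is not accepted.
apply_binding() {
    "$ARP" -f "${1:-/etc/ethers}"
}
```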
Riverbed Technology
199 Fremont Street
San Francisco, CA 94105
Phone: 415.247.8800
Fax: 415.247.8801
Web: http://www.riverbed.com
Part Number
712-00060-12