McAfee® Network Security Platform: Network Security Manager version 6.0

Document information

Title: System Status Monitoring Guide
Subject: Network Security
Type: Guide
Year published: 2010
Pages: 156
Size: 5.03 MB


McAfee®

Network Protection

Industry-leading network security solutions

McAfee® Network Security Platform

Network Security Manager version 6.0


COPYRIGHT

Copyright © 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

• Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
• Cryptographic software written by Eric A. Young and software written by Tim J. Hudson
• Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
• Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer
• Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier
• Software written by Douglas W. Sauder
• Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt
• International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others
• Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
• FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany
• Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
• Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000
• Software copyrighted by Expat maintainers
• Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000
• Software copyrighted by Gunnar Ritter
• Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003
• Software copyrighted by Gisle Aas (C) 1995-2003
• Software copyrighted by Michael A. Chase, (C) 1999-2000
• Software copyrighted by Neil Winton, (C) 1995-1996
• Software copyrighted by RSA Data Security, Inc., (C) 1990-1992
• Software copyrighted by Sean M. Burke, (C) 1999, 2000
• Software copyrighted by Martijn Koster, (C) 1995
• Software copyrighted by Brad Appleton, (C) 1996-1999
• Software copyrighted by Michael G. Schwern, (C) 2001
• Software copyrighted by Graham Barr, (C) 1998
• Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000
• Software copyrighted by Frodo Looijaard, (C) 1997
• Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org
• Software copyrighted by Beman Dawes, (C) 1994-1999, 2002
• Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame
• Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002
• Software copyrighted by Stephen Purcell, (C) 2001
• Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/)
• Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003
• Software developed by the University of California, Berkeley and its contributors
• Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)
• Software copyrighted by Kevlin Henney, (C) 2000-2002
• Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002
• Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation
• Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000
• Software copyrighted by Boost.org, (C) 1999-2002
• Software copyrighted by Nicolai M. Josuttis, (C) 1999
• Software copyrighted by Jeremy Siek, (C) 1999-2001
• Software copyrighted by Daryle Walker, (C) 2001
• Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002
• Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history
• Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002
• Software copyrighted by Cadenza New Zealand Ltd., (C) 2000
• Software copyrighted by Jens Maurer, (C) 2000, 2001
• Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000
• Software copyrighted by Ronald Garcia, (C) 2002
• Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001
• Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000
• Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001
• Software copyrighted by Paul Moore, (C) 1999
• Software copyrighted by Dr. John Maddock, (C) 1998-2002
• Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999
• Software copyrighted by Peter Dimov, (C) 2001, 2002
• Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001
• Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002
• Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992
• Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003
• Software copyrighted by Sparta, Inc., (C) 2003-2004
• Software copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004
• Software copyrighted by Simon Josefsson, (C) 2003
• Software copyrighted by Thomas Jacob, (C) 2003-2004
• Software copyrighted by Advanced Software Engineering Limited, (C) 2004
• Software copyrighted by Todd C. Miller, (C) 1998
• Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek


Contents

Preface vi

Introducing McAfee Network Security Platform vi

About this Guide vi

Audience vi

Conventions used in this book vii

Related Documentation vii

Contacting Technical Support ix

Chapter 1 Using the Threat Analyzer 1

Defining terms 1

The life cycle of an alert 2

Understanding the alert cache and the database 2

Host Intrusion Prevention alerts 4

Chapter 2 Navigating to the Threat Analyzer 5

Real-Time Threat Analyzer 6

Historical Threat Analyzer 6

Selecting time constraints for Historical Threat Analyzer 6

Sample drilldown scenario 7

Threat Analyzer Home 8

Chapter 3 Alert Aggregation in Network Security Central Manager 10

Threat Analyzer of the Central Manager 10

Understanding alert aggregation and monitoring in Central Manager 11

Navigating to the Threat Analyzer from the Central Manager 12

Central Manager Threat Analyzer Home 13

Chapter 4 Viewing Alerts Dashboards 14

NSP Health view 14

Customized Dashboards and Monitors 15

Monitoring Sensor Performance metrics 27

Messages from McAfee 36

Status of Activities 36

Operational Status Summary 36

Sensor Update Summary 36

Viewing Operational Status 37

Viewing IPS alerts summary 38

Time view 39

Consolidated view 40

Viewing NAC summary 44

NTBA 45

The NTBA Monitors 46

Chapter 5 Viewing Alerts details 50


Viewing alert attributes 51

Action buttons 53

Alerts view: Right-click options 54

Sorting alerts by attributes 57

Viewing data in the Count view 59

Sorting alerts using multiple criteria 60

Creating display filters for alerts 61

Acknowledging alerts 62

Show details of a specific attack 64

Viewing the Attack-Type 65

Performing a response action 70

Viewing a packet log 71

Sending a TCP Reset 72

Blocking further DoS packets for statistical attacks 72

Configuring attack filter association 73

Viewing and editing attack responses 75

Running a script 75

Viewing and saving an Evidence Report 77

IPS Quarantine options in Alerts page 78

Adding hosts for IPS Quarantine from the Alerts page 78

Quarantine of hosts from Alert Details 79

Manual Quarantine of a Host 81

Quarantining options for NTBA Policy Violation Alerts, Botnet, and Behavioral Alerts 82

Performing an NSLookup 84

Querying host details from the ePO server 84

Viewing details of Source and Destination Hosts 85

Viewing host details using IP address 88

Deleting alerts 93

Hiding alerts 93

Creating incidents 94

Adding alerts to an incident 96

Adding occurrences to an incident 96

Exporting incidents 97

Identifying new attacks in the Threat Analyzer 97

Setting preferences for viewing new threats 98

Viewing the first seen alerts in the Alerts page 100

Assigning a new threats monitor to a new dashboard 100

Chapter 6 Viewing Hosts details 104

Viewing host attributes 106

Hosts view: right-click options 106

NAC options in the Hosts page 107

Creating display filters for hosts 109

Viewing historical host data using display filter 110

IPS Quarantine options from the Hosts page 111

Chapter 7 Using Incident Viewer 113

Viewing incidents 115

Chapter 8 Viewing Host Forensics 116

Viewing ePO Information 116

Viewing host details using IP address 116

Launching ePO console from the Host Forensics page 118

Viewing Latest events from the Host Forensics page 119

On-demand Scan of Hosts listed in Alerts in the Threat Analyzer 120

Viewing Vulnerability Manager scans 122

Vulnerability Manager scan option 123

Rescanning the host 126

Concurrent scans 126

Fault messages for Vulnerability Manager on-demand scan 127

Vulnerability Manager scan from Hosts page 127

Network scenarios for Vulnerability Manager scan 128


Chapter 9 Setting Preferences 131

General Panel 131

Enabling IP address name resolution 132

Alerts View Panel 134

Hosts View Panel 135

Watch List 136

Historical Constraints 138

Chapter 10 Monitoring Operational Status 140

Operational Status condition indicator 140

Operational Status interface 141

Viewing a summary of selected fault messages 144

Fault window action buttons 144

Viewing the details of a specific fault 145

Action buttons 146

System fault messages 146

Index 147


Preface

This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical enterprise, carrier and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

The McAfee® Network Threat Behavior Analysis Appliance provides the capability of monitoring network traffic by analyzing NetFlow information flowing through the network in real time, thus complementing the NAC and IPS capabilities in a scenario in which the McAfee Network Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a single Manager.

About this Guide

This System Status Monitoring Guide covers the two functions of the Threat Analyzer interface: monitoring alerts and monitoring system health.

The Alerts section describes the Threat Analyzer functionality, configuration, and field descriptions. The Operational Status section describes the health interface and the messages related to the status of your installed Network Security Platform components.

This guide will walk you through:

• Using the Threat Analyzer (on page 1): gives you detailed information on how to navigate through the Threat Analyzer, start the Threat Analyzer, generate user incidents, and set the Threat Analyzer preferences.

• Operational Status: details the functional status of all of your installed Network Security Platform IPS components, the Operational Status indicators, and viewing summaries of selected faults in the Operational Status interface.

Audience

This guide is intended for use by network technicians responsible for maintaining McAfee® Network Security Manager and for analyzing and disseminating the resulting data. It is assumed that you are familiar with IPS-related tasks, the relationships between tasks, and the commands necessary to perform particular tasks.


Conventions used in this book

This document uses the following typographical conventions. Each convention is followed by an example of its use.

Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
  Example: The Service field on the Properties tab specifies the name of the requested service.

Menu or action group selections are indicated using a right angle bracket.
  Example: Select My Company > Admin Domain > Summary.

Procedures are presented as a series of numbered steps.
  Example: 1. On the Configuration tab, click Backup.

Names of keys on the keyboard are denoted using UPPER CASE.
  Example: Press ENTER.

Text such as syntax, key words, and values that you must type exactly are denoted using Courier New font.
  Example: Type: setup and then press ENTER.

Variable information that you must type based on your specific situation or environment is shown in italics.
  Example: Type: Sensor-IP-address and then press ENTER.

Parameters that you must supply are shown enclosed in angle brackets.
  Example: set Sensor ip <A.B.C.D>

Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions such as loss of data, is denoted using this notation.
  Example: Caution:

Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
  Example: Warning:

Notes that provide related, but non-critical, information are denoted using this

Related Documentation

• Getting Started Guide
• IPS Deployment Guide
• Manager Configuration Basics Guide
• I-1200 Sensor Product Guide
• I-1400 Sensor Product Guide
• I-2700 Sensor Product Guide
• I-3000 Sensor Product Guide
• I-4000 Sensor Product Guide
• I-4010 Sensor Product Guide
• M-1250/M-1450 Sensor Product Guide
• M-1250/M-1450 Quick Start Guide
• M-2750 Sensor Product Guide
• M-2750 Quick Start Guide
• M-3050/M-4050 Sensor Product Guide
• M-3050/M-4050 Quick Start Guide
• M-6050 Sensor Product Guide
• M-6050 Quick Start Guide
• M-8000 Sensor Product Guide
• M-8000 Quick Start Guide
• Gigabit Optical Fail-Open Bypass Kit Guide
• Gigabit Copper Fail-Open Bypass Kit Guide
• 10 Gigabit Fail-Open Bypass Kit Guide
• M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure
• M-2750 Slide Rail Assembly Procedure
• M-series DC Power Supply Installation Procedure
• Administrative Domain Configuration Guide
• Manager Server Configuration Guide
• CLI Guide
• Device Configuration Guide
• IPS Configuration Guide
• NAC Configuration Guide
• Integration Guide
• System Status Monitoring Guide
• Reports Guide
• Custom Attack Definitions Guide
• Central Manager Administrator's Guide
• Best Practices Guide
• Troubleshooting Guide
• Special Topics Guide: In-line Sensor Deployment
• Special Topics Guide: Sensor High Availability
• Special Topics Guide: Virtualization
• Special Topics Guide: Denial-of-Service
• NTBA Appliance Administrator's Guide
• NTBA Monitoring Guide
• NTBA Appliance T-200 Quick Start Guide
• NTBA Appliance T-500 Quick Start Guide

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

Online

Contact McAfee Technical Support: http://mysupport.mcafee.com

Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submission, software downloads, and signature updates.

Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST, Monday through Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found at McAfee Contact Information.


Chapter 1

Using the Threat Analyzer

The Threat Analyzer is used for the analysis of the alerts detected by your McAfee® Network Security Platform [formerly McAfee® IntruShield®] Sensors as well as those processed by an integrated Host Intrusion Prevention Server. The Threat Analyzer works in conjunction with the policies applied to your McAfee® Network Security Sensor and Host Intrusion Prevention Sensors. For more information on policies, see the IPS Configuration Guide.

When a transmission violating your enforced security policies is detected by a Sensor, the Sensor compiles information about the offending transmission and sends this "attack" data to McAfee® Network Security Manager in the form of an alert. Alert details include transmission data such as the source and destination IP addresses in the packet, as well as security analysis information (performed by the Sensor) such as attack type and severity. Alerts are backed up to the database and archived in order of occurrence.

Note: Security analysis information can be determined by a signature match, set threshold parameters, or abnormal spiking in traffic levels. All of these measures are enforced through policy configuration and application.

The Threat Analyzer opens in a separate browser window from that of the Manager Home page, providing a concentrated view for alert analysis. When you open the Threat Analyzer, you specify a time frame for retrieving alerts from the database. The Manager retrieves the alerts matching your criteria and displays them in the Threat Analyzer. By examining and acknowledging the alerts, you can use the information your analysis provides to determine your system weaknesses and modify your defenses.

Note: If you make configuration changes while a Threat Analyzer session is open, the changes will not be reflected in that Threat Analyzer session. The Threat Analyzer must be closed and re-opened to view your changes. Configuration changes can include changing the policy of a VIPS; splitting a port pair into two single ports and applying a separate policy to each port; exporting a User-defined Signature to the Manager's attack database and then applying a policy containing custom attacks to a VIPS; and so forth.

as configuration changes that affect policy application are made

Defining terms

An attack is any violation of your set McAfee® Network Security Platform policy parameters. An alert is one or more attack instances.

In many cases, an alert represents a single detected attack. A multi-attack alert is generated when multiple instances of identical attacks (same source IP, destination IP, specific attack name, and VIPS [interface or sub-interface ID where the alert was detected]) are detected within a two-minute period (by default); data for all of those attacks is throttled into one alert instance. You can also configure how many of each throttled attack you want to see in an individual alert (for more information, see Configuring alert suppression with packet log response, Device Configuration Guide). Each of the two main views (see Navigating to the Threat Analyzer (on page 5)) of the Threat Analyzer distinguishes between attacks and alerts, so it is important to note the difference.
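The throttling rule described above, as an added example written for this page (it is not McAfee code and does not reproduce the Sensor's implementation). Attack instances that share source IP, destination IP, attack name and VIPS and arrive within the window are folded into one alert, which counts every instance but retains details for only a configurable number of them. The field names, the choice to measure the window from the alert's first instance, the detail cap of 10, and the sample attack records are assumptions made for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One attack instance as reported by a Sensor (field names are assumptions).
Attack = namedtuple("Attack", "time src_ip dst_ip name vips")

DEFAULT_WINDOW = timedelta(minutes=2)   # the guide's default throttling period


def throttle_key(attack):
    """Attacks are 'identical' when these four fields match."""
    return (attack.src_ip, attack.dst_ip, attack.name, attack.vips)


class Alert:
    """One alert: one or more throttled attack instances sharing a key."""

    def __init__(self, first, detail_cap):
        self.key = throttle_key(first)
        self.first_seen = first.time
        self.last_seen = first.time
        self.count = 1              # every instance is counted ...
        self.details = [first]      # ... but only detail_cap of them are kept
        self.detail_cap = detail_cap

    def add(self, attack):
        self.count += 1
        self.last_seen = attack.time
        if len(self.details) < self.detail_cap:
            self.details.append(attack)


def throttle(attacks, window=DEFAULT_WINDOW, detail_cap=10):
    """Fold an attack stream into alerts.

    An attack joins the open alert for its key when it falls within `window`
    of that alert's first instance (assumed anchoring of the period);
    otherwise a new alert is opened for the key.
    """
    open_alerts = {}    # key -> the alert currently accepting instances
    alerts = []
    for attack in sorted(attacks, key=lambda a: a.time):
        key = throttle_key(attack)
        current = open_alerts.get(key)
        if current is not None and attack.time - current.first_seen <= window:
            current.add(attack)
        else:
            current = Alert(attack, detail_cap)
            open_alerts[key] = current
            alerts.append(current)
    return alerts


def sample_attacks():
    """Constructed stream: five identical probes within 80 seconds, the same
    probe again ten minutes later, and one probe against another host."""
    t0 = datetime(2010, 5, 1, 12, 0, 0)
    probe = ("172.26.23.145", "10.0.0.5", "HTTP: Directory Traversal", "3A-3B")
    stream = [Attack(t0 + timedelta(seconds=20 * i), *probe) for i in range(5)]
    stream.append(Attack(t0 + timedelta(minutes=10), *probe))
    stream.append(Attack(t0 + timedelta(seconds=30), "172.26.23.145", "10.0.0.9",
                         "HTTP: Directory Traversal", "3A-3B"))
    return stream


if __name__ == "__main__":
    for alert in throttle(sample_attacks(), detail_cap=3):
        print(alert.key, "instances=%d retained=%d" % (alert.count, len(alert.details)))
```

Running the sample yields three alerts: the five probes collapse into one alert with count 5 and three retained details, the probe against 10.0.0.9 opens its own alert because the destination differs, and the probe ten minutes later opens a fresh alert for the original key because it falls outside the window.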

The life cycle of an alert

Alerts exist in one of three states:

• Unacknowledged

• Acknowledged

• Marked for deletion

When an alert is raised, it appears in McAfee Network Security Manager (Manager) in an unacknowledged state. Unacknowledged means that you have not officially recognized its presence by marking it acknowledged. An alert remains in an unacknowledged state until you either acknowledge it or delete it.

Unacknowledged alerts display in the Unacknowledged Alert Summary section of the Home page and in the Real-Time Threat Analyzer. Acknowledging alerts dismisses them from these views. Acknowledged alerts display only in the Historical Threat Analyzer and in reports. Deleting an alert both acknowledges it and marks it for deletion. The alert is not actually deleted until a scheduled Disk Space Maintenance takes place. At that time, McAfee Network Security Platform deletes the alerts marked for deletion and the alerts meeting the deletion criteria specified in the scheduler (older than 30 days, for example), whether or not they have been manually marked for deletion.

Note: For more information on Disk Maintenance, see Managing your database's disk space, Manager Server Configuration Guide.

Alerts are backed up to the database and archived in order of occurrence. Deleted alerts are removed from the database.

Understanding the alert cache and the database

The Threat Analyzer facility operates in the following manner: the Manager receives alerts from the Sensors and orders them by the timestamp on each alert, with the most recent alerts listed first. All alerts are stored in the database, while a preset number of the most recent alerts are also maintained in a cache, known as the alert cache. The alert cache contains only unacknowledged alerts and serves Real-Time Threat Analyzer queries exclusively; a Historical Threat Analyzer query pulls alerts only from the database. The difference in Threat Analyzer operations is detailed in the subsections that follow.

The following figure illustrates alert cache and database operation as it pertains to Threat Analyzer queries.


Figure 1: Alert cache and database operations

The letters below correspond to the lettering in the illustration.

a. All alerts are received by the Manager from the reporting Sensors. The alerts are sent to both the alert cache and the database.

b. Once the alert cache's buffer begins to overflow, the oldest alerts are dropped from the cache. Since no modifications have been made, the database version is maintained and only the cached version is deleted.

c. A Real-Time View query is started requesting x number of alerts. These alerts are pulled from the alert cache.

d. If during a Real-Time analysis an alert is acknowledged or deleted, the altered alert record is forwarded to the database and the database version is updated with the recent changes. The interaction between a Real-Time Threat Analyzer and the database is one way; that is, alert record changes can be pushed from the Real-Time Threat Analyzer, but a Real-Time Threat Analyzer does not receive any data from the database.

e. During a Real-Time analysis, new alerts are received from the alert cache as they are reported, refreshing every 5 seconds. Since the Real-Time Threat Analyzer has a maximum number of alerts that can be viewed at a time, the oldest alerts are dropped to accommodate new alerts. Since no modifications have been made, the database version is maintained and only the cached version is deleted.

f. A Historical query pulls alerts only from the database; there is no interaction between the alert cache and a Historical query. There is no refresh of newer alerts because the Historical Threat Analyzer only requests alerts from a specific time frame. Any alert record alteration (acknowledgement, deletion, and so forth) is saved to the database immediately. Thus, the Historical Threat Analyzer can both pull and push alert records directly from the database.
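The cache-and-database behaviour in steps (a) to (f), together with the alert life cycle (unacknowledged, acknowledged, marked for deletion) and the scheduled purge from the previous section, as an added model written for this page. It is not McAfee code and does not describe the Manager's internals; it models each step with ordinary Python containers so the consequences can be observed. A bounded deque stands in for the alert cache, an ordered dict for the database; the cache size, the alert fields, the 30-day retention, the choice to hide alerts marked for deletion from Historical queries, the 100,000-alert Historical cap (taken from the Historical Threat Analyzer section later in this chapter) and the sample alerts are assumptions. Sharing one record object between cache and database is a simplification that replaces the one-way push of state changes in step (d).

```python
from collections import OrderedDict, deque
from datetime import datetime, timedelta

UNACKNOWLEDGED, ACKNOWLEDGED, MARKED_FOR_DELETION = "unacknowledged", "acknowledged", "marked_for_deletion"
HISTORICAL_CAP = 100_000   # most recent alerts a Historical query returns


class Alert:
    """Minimal alert record; `state` follows the life cycle described above."""

    def __init__(self, alert_id, time, attack):
        self.id, self.time, self.attack = alert_id, time, attack
        self.state = UNACKNOWLEDGED


class Manager:
    def __init__(self, cache_size):
        self.database = OrderedDict()          # alert id -> Alert, in order of arrival
        self.cache = deque(maxlen=cache_size)  # (b) appending when full drops the oldest
        self._next_id = 1

    def receive(self, time, attack):
        """(a) Every alert from a Sensor is written to both the cache and the database
        (same object in both; a simplification, see the lead-in)."""
        alert = Alert(self._next_id, time, attack)
        self._next_id += 1
        self.database[alert.id] = alert
        self.cache.append(alert)
        return alert

    def real_time_query(self, limit):
        """(c), (e) Newest unacknowledged alerts, taken from the cache only."""
        unacknowledged = [a for a in self.cache if a.state == UNACKNOWLEDGED]
        return sorted(unacknowledged, key=lambda a: a.time, reverse=True)[:limit]

    def acknowledge(self, alert_id):
        """(d) Acknowledging dismisses the alert from the Real-Time views."""
        self.database[alert_id].state = ACKNOWLEDGED

    def delete(self, alert_id):
        """Deleting acknowledges and marks for deletion; the record stays until maintenance."""
        self.database[alert_id].state = MARKED_FOR_DELETION

    def historical_query(self, start, end, cap=HISTORICAL_CAP):
        """(f) Acknowledged and unacknowledged alerts in [start, end], database only,
        newest first, capped at `cap`. Hiding alerts marked for deletion is an assumption."""
        hits = [a for a in self.database.values()
                if start <= a.time <= end and a.state != MARKED_FOR_DELETION]
        hits.sort(key=lambda a: a.time, reverse=True)
        return hits[:cap]

    def disk_maintenance(self, now, retention=timedelta(days=30)):
        """Scheduled Disk Space Maintenance: purge alerts marked for deletion and
        alerts older than the retention limit (30 days is the guide's example)."""
        doomed = [i for i, a in self.database.items()
                  if a.state == MARKED_FOR_DELETION or now - a.time > retention]
        for alert_id in doomed:
            del self.database[alert_id]
        return len(doomed)


def demo():
    """Constructed scenario: eight alerts one minute apart into a cache of five."""
    t0 = datetime(2010, 5, 1, 8, 0, 0)
    manager = Manager(cache_size=5)
    for i in range(8):
        manager.receive(t0 + timedelta(minutes=i), "attack-%d" % (i + 1))
    manager.acknowledge(7)      # handled in the Real-Time view
    manager.delete(2)           # an old alert, already evicted from the cache
    real_time = [a.id for a in manager.real_time_query(limit=10)]
    historical = [a.id for a in manager.historical_query(t0, t0 + timedelta(hours=1))]
    purged = manager.disk_maintenance(now=t0 + timedelta(days=1))
    return real_time, historical, purged, sorted(manager.database)


if __name__ == "__main__":
    print(demo())   # ([8, 6, 5, 4], [8, 7, 6, 5, 4, 3, 1], 1, [1, 3, 4, 5, 6, 7, 8])
```

The scenario shows the points the figure makes: the Real-Time query never sees alerts 1 to 3 (evicted from the cache) or alert 7 (acknowledged), the Historical query still returns alert 7 and everything the cache dropped, and alert 2 survives `delete()` until `disk_maintenance()` runs.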

Host Intrusion Prevention alerts

If integration with Host Intrusion Prevention is enabled, the Host Intrusion Prevention alerts start to appear as soon as you start the Host Intrusion Prevention server on the ePO console. All Host Intrusion Prevention alert data is parsed and formatted by the Manager to resemble the Network Security Platform alert style. Note the following:

• Alerts sent by Host Intrusion Prevention are maintained by the Host Intrusion Prevention server.

• All Host Intrusion Prevention alerts are categorized as Exploit alerts.

• You cannot initiate responses to Host Intrusion Prevention alerts. Any responses must be sent via the Host Intrusion Prevention console.

• If a Host Intrusion Prevention alert is in the Mark as Read state before it is sent through the Integrator, the alert appears as Acknowledged to the Manager. Thus, any Mark as Read alerts can only be seen using a Historical Threat Analyzer query.

Note: For more information, see Integrating Host Intrusion Prevention for alert management.


Chapter 2

Navigating to the Threat Analyzer

You can view the overall summary of alerts in the McAfee® Network Security Manager Home page, in the Unacknowledged Alert Summary section. This view displays all of the unacknowledged alerts in the logged-in domain. Within the Threat Analyzer, alerts are presented in multiple views for detailed analysis. Alerts are organized by system impact severity level: High, Medium, Low, and Informational. (For more information on how McAfee® Network Security Platform calculates the severity level, see the IPS Configuration Guide.)

Figure 2: Navigating to the Threat Analyzer (callouts: 1 Unacknowledged alerts by severity; 2 Current "monitored domain"; 3 Click to open Real-time Threat)

The Threat Analyzer Home page opens displaying the Dashboards by default.

Note: The Threat Analyzer takes a few seconds to load.

You can open multiple Threat Analyzer windows at a single time. You can also open both the Real-Time Threat Analyzer and the Historical Threat Analyzer at the same time from the same client.

The number of alerts the Threat Analyzer can display has a direct correlation to your system's memory. Since you can access McAfee® Network Security Manager (Manager) from the local host or over a remote connection, this depends on the machine used for the Manager login. The memory overhead for alerts, including the code base and the Java virtual machine, is approximately 1 KB per alert when there are at least 10,000 alerts in the Threat Analyzer (more per alert when there are fewer alerts). McAfee recommends 1 GB of RAM in your system, which enables you to handle up to 1,000,000 total alerts. If your available memory does not meet the minimum requirements or is not properly set, you could experience memory problems.

Real-Time Threat Analyzer

The Real-Time Threat Analyzer sets the attack filter to display information retrieved from the alert cache for a specified number of unacknowledged alerts. Once opened, the Real-Time Threat Analyzer refreshes frequently to display the alerts that are being detected by your Sensors, so you can view the alerts as they happen in real time.

Historical Threat Analyzer

The Historical Threat Analyzer sets the filter to retrieve information for both acknowledged and unacknowledged alerts archived in the database during a specified time. The Historical Threat Analyzer does not refresh with new alerts, so you can focus on analyzing all alerts within the time frame you requested.

Selecting time constraints for Historical Threat Analyzer

When you click Historical Threat Analyzer from the Network Security Manager Home page, the Historical Constraints page is displayed.

Figure 3: Setting parameters for Historical Threat Analyzer

1. Select the Start Time and End Time for viewing historical alert data from the database.

2. (Optional) Click More Constraints to select filtering parameters for your historical query.


Figure 4: Setting additional parameters for Historical Threat Analyzer

The parameters available for filtering your historical alert data query are as follows:

Start Time: date and time at which the range starts. The format is yyyy-mm-dd hh:mm:ss.

End Time: date and time at which the range ends. The format is yyyy-mm-dd hh:mm:ss.

Additional Constraints: this feature enables filtering of Historical alerts only. When this dialog is opened, one or more of the following parameters can be queried to narrow your Historical Threat Analyzer analysis:

• IP Address Type: IPv4 or IPv6

3. Click OK when finished.

For historical queries, the number of alerts that can be retrieved from the database for a search is capped at 100,000. Thus, if there are 130,000 alerts within your selected Start and End times, you will only see the most recent 100,000 alerts in that time period.

Sample drilldown scenario

This example focuses on analyzing attacks originating from a specific source IP address. For this scenario, the source IP is 172.26.23.145, and a Historical search is selected to find all of the attacks from this source in the last 2 months. To find information specific to this source IP address, do the following:

1 Open the Historical Threat Analyzer. The End Time lists the current system time. Configure the Start Time to two months prior to today by changing the month field (yyyy-mm-dd), and click OK.

2 Select Drilldown from the Threat Analyzer Detail view window, then select Source IP as the category.

3 Find 172.26.23.145 in the Source IP column of the Count View table.

4 Once found, select (left-click) the row for 172.26.23.145, then right-click for further drilldown options.

5 Select Drilldown, then select Attack to view the attacks from 172.26.23.145.

6 Repeat Step 4 and Step 5 to continue to drill down into 172.26.23.145 to view Severity, Destination IP address, and other drilldown categories, to focus your forensic analysis on this source IP address.
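The two behaviours described above, the 100,000-alert cap on historical queries and the Source IP drilldown scenario, modelled in Python as an added example that is not code from the guide or from McAfee. The alert records, attack names, timestamps and every address other than 172.26.23.145 are constructed, and the cap is a parameter so the truncation behaviour can be shown on a handful of records.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The guide states that a historical query returns at most the 100,000 most
# recent alerts in the selected window; older matches are silently dropped.
MAX_HISTORICAL_ALERTS = 100_000

# Start Time / End Time format used on the Historical Constraints page.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # yyyy-mm-dd hh:mm:ss


def parse_ts(value: str) -> datetime:
    """Parse a Start Time or End Time string."""
    return datetime.strptime(value, TIME_FORMAT)


def historical_query(alerts: List[dict], start: str, end: str,
                     ip_type: Optional[str] = None,
                     cap: int = MAX_HISTORICAL_ALERTS) -> Tuple[List[dict], bool]:
    """Select alerts in [start, end], newest first, capped like the Manager.

    Returns (selected, truncated). truncated is True when more alerts matched
    than the cap allows: the oldest part of the window is missing from the
    result and the analyst should narrow Start/End Time and query again.
    """
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    if end_dt < start_dt:
        raise ValueError("End Time must not precede Start Time")
    matched = [a for a in alerts
               if start_dt <= a["time"] <= end_dt
               and (ip_type is None or a["ip_type"] == ip_type)]
    matched.sort(key=lambda a: a["time"], reverse=True)  # most recent first
    return matched[:cap], len(matched) > cap


def count_view(alerts: List[dict], category: str) -> Counter:
    """Count View table: number of alerts per value of one drilldown category."""
    return Counter(a[category] for a in alerts)


def drilldown(alerts: List[dict], **selection: str) -> List[dict]:
    """Right-click > Drilldown: keep only alerts matching the selected row."""
    return [a for a in alerts
            if all(a[key] == value for key, value in selection.items())]


def investigate_source(alerts: List[dict], start: str, end: str, source_ip: str,
                       cap: int = MAX_HISTORICAL_ALERTS) -> Dict[str, object]:
    """The guide's scenario: Source IP -> Attack -> Severity / Destination IP."""
    window, truncated = historical_query(alerts, start, end, cap=cap)
    from_source = drilldown(window, src_ip=source_ip)
    return {
        "truncated": truncated,
        "source_count": count_view(window, "src_ip")[source_ip],
        "attacks": dict(count_view(from_source, "attack")),
        "severity": dict(count_view(from_source, "severity")),
        "destinations": dict(count_view(from_source, "dst_ip")),
    }


def make_sample_alerts() -> List[dict]:
    """Constructed sample alerts (not real data), dated back from 2010-03-01 12:00."""
    base = datetime(2010, 3, 1, 12, 0, 0)
    rows = [  # (days before base, src_ip, dst_ip, attack name, severity)
        (1, "172.26.23.145", "10.0.0.5", "HTTP: Directory Traversal", "High"),
        (3, "172.26.23.145", "10.0.0.7", "HTTP: Directory Traversal", "High"),
        (5, "2001:db8::10", "2001:db8::1", "DNS: Malformed Query", "Low"),
        (10, "172.26.23.145", "10.0.0.5", "SSH: Brute Force Login", "Medium"),
        (20, "10.1.1.20", "10.0.0.5", "ICMP: Echo Request Sweep", "Low"),
        (45, "172.26.23.145", "10.0.0.9", "SSH: Brute Force Login", "Medium"),
        (58, "10.1.1.20", "10.0.0.9", "ICMP: Echo Request Sweep", "Informational"),
        (75, "172.26.23.145", "10.0.0.5", "HTTP: Directory Traversal", "High"),
    ]  # the 75-day-old alert lies outside a two-month window
    return [{"time": base - timedelta(days=d), "src_ip": s, "dst_ip": t,
             "attack": n, "severity": v,
             "ip_type": "IPv6" if ":" in s else "IPv4"}
            for d, s, t, n, v in rows]


if __name__ == "__main__":
    alerts = make_sample_alerts()
    start, end = "2010-01-01 12:00:00", "2010-03-01 12:00:00"  # two months back
    print(investigate_source(alerts, start, end, "172.26.23.145"))
    # With cap=5 the oldest in-window alert from this source is dropped, which
    # is what the 100,000 cap does silently on a busy alert database.
    capped = investigate_source(alerts, start, end, "172.26.23.145", cap=5)
    if capped["truncated"]:
        print("cap reached: narrow Start/End Time and re-run to cover the range")
    print(capped)
```

The truncated flag is the check the Threat Analyzer itself does not surface: when it is set, part of the requested window was never shown, so split the window into smaller Start/End ranges before drawing conclusions about a source.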

Threat Analyzer Home

The Threat Analyzer Home page is the central interface of the Threat Analyzer and displays the Dashboards page, showing the NSP Health tab by default. The Dashboards page is logically divided into 2 sections: the top menu bar and the lower display area.

Figure 5: Summary view: IPS tab

Display Area: The display area of the Dashboards page presents the following data for the NSP Health and IPS default dashboards:

NSP Health: Sensor TCP/UDP Flow Utilization, Sensor Throughput Utilization, Messages from McAfee, Status of Activities, Operational Status Summary, Sensor Update Summary.

IPS: Attack Severity Summary, Attack Result Summary, RFSB Attack Summary, IPS Quarantine Summary, Attacks Over Time (All Alerts, Attacks, Result Status, Source IP, Destination IP).

NAC: System Health Summary, McAfee NAC Client Summary, User Type Summary, System State Summary.

NTBA: Throughput Enterprise Traffic, Host Threat Factor, Traffic Volumes, Bandwidth Utilization, Top Files, Top URLs, Application Traffic, Protocol Distribution. For more information, see NTBA Monitoring Guide.

Note: Custom dashboards can be created using Options on the top right corner of the Dashboards page. See Customized dashboards and monitors (on page 15).

CHAPTER 3

Alert Aggregation in Network Security Central Manager

McAfee Network Security Central Manager provides you with a single sign-on mechanism to manage the authentication of global users across all Manager configurations. Threat analysis tasks are performed at the Manager level and aggregated at the Network Security Central Manager (Central Manager). Local Managers attached to the Central Manager push new alerts and modifications into the Central Manager. These alerts are aggregated in the Central Manager Threat Analyzer.

Alerts from the Managers managed by the Central Manager can be monitored and managed from the Central Manager. The Real-Time Threat Analyzer of the Central Manager consolidates alerts from the local Managers and displays them for monitoring purposes.

Threat Analyzer of the Central Manager

The Threat Analyzer in the Central Manager aggregates alert information from the Managers attached to the Central Manager.

The Threat Analyzer is used for analysis of alerts detected by your McAfee Network Security Sensors integrated and configured through the Managers attached to the Central Manager. The Threat Analyzer works in conjunction with the policies applied to your McAfee Network Security Sensor and Host Intrusion Prevention Sensors. For more information on policies, see IPS Configuration Guide.

When a transmission violating your enforced security policies is detected by a Sensor, the Sensor compiles information about the offending transmission and sends this “attack” data to the Manager in the form of an alert. Alert details include transmission data, such as the source and destination IP addresses in the packet, as well as security analysis information (performed by the Sensor) such as attack type and severity. Alerts are backed up to the database and archived in order of occurrence. Alerts generated in the Sensors are aggregated and displayed in the Threat Analyzer of the Central Manager.

Note: Security analysis information can be determined by a signature match, set threshold parameters, and abnormal spiking in traffic levels. All of these measures are enforced through policy configuration and application.

The Threat Analyzer opens in a separate browser window from that of the Central Manager Home page, providing a concentrated view for alert analysis. The Threat Analyzer of the Central Manager aggregates alerts in real time. By examining and acknowledging the alerts, you can use the information your analysis provides to determine your system weaknesses and modify your defenses.

Note: If you make configuration changes while a Threat Analyzer session is open, the changes will not take effect in the Threat Analyzer you are viewing. The Threat Analyzer must be closed and re-opened to view your changes. Configuration changes that affect policy application include: changing the policy of a VIPS; splitting a port-pair into two single ports and applying a separate policy to each port; exporting custom attacks to the Manager's attack database, then applying a policy containing the custom attacks to a VIPS; and so forth.

Understanding alert aggregation and monitoring in Central Manager

Alert monitoring in the Central Manager extends the model of alert monitoring in the local Manager. Local Managers managed by the Central Manager push alerts to the Central Manager. The alerts from the local Managers are aggregated in the Central Manager Threat Analyzer.

Any changes triggered by a Threat Analyzer that is connected to a local Manager are placed in the notification cache in the local Manager. These notifications are sent to the Central Manager too. Once the Central Manager receives these notifications, it queues them in its notification cache.

Figure 6: Alert Aggregation in Central Manager

The letters below correspond to the lettering in the illustration.

a The key components of live alerts received from Sensors are extracted and cached in the alert cache.

b The Threat Analyzer connects to the Manager to retrieve live alerts. In the local Manager, a secured communication channel is established between the local Manager and the Threat Analyzer.

c Each local Manager pushes new alerts and modifications into the Central Manager.

d The Threat Analyzer of the Central Manager connects to the Central Manager to retrieve live alerts.

Navigating to the Threat Analyzer from the Central Manager

You can view the overall summary of alerts in the Unacknowledged Alert Summary section of the McAfee Network Security Central Manager Home page.

This view displays all of the unacknowledged alerts in the logged-in domain. Within the Threat Analyzer, alerts are presented in multiple views for detailed analysis. Alerts are organized by system impact severity level: High, Medium, Low, and Informational. (For more information on how McAfee Network Security Platform calculates severity level, see IPS Configuration Guide.)

Figure 7: Navigating to the Central Manager Threat Analyzer

1 Unacknowledged alerts by severity.

2 Click to open the Real-Time Threat Analyzer.

To view further details on alerts, you can access the Real-time Threat Analyzer from the Central Manager Home page.

To start an analysis of generated alerts, do the following:

1 Select the Real-time Threats option from the Central Manager Home page.

2 The Central Manager Threat Analyzer Home page opens, displaying the Dashboards view by default.

Note: The Threat Analyzer takes a few seconds to load.

You can open multiple Threat Analyzer windows at a single time.

The number of alerts the Threat Analyzer can display has a direct correlation to your system's memory. Since you can access the Central Manager from the local host or a remote connection, this depends on the machine used for the Central Manager logon. The memory overhead for alerts, including the code base and Java virtual machine, is approximately 1 KB per alert when there are at least 10,000 alerts in the Threat Analyzer (more KB per alert when there are fewer alerts). McAfee recommends 1 GB of RAM in your system, which enables you to handle up to 1,000,000 total alerts. If your available memory does not meet minimum requirements or is not properly set, you could experience memory problems.

Central Manager Threat Analyzer Home

The Central Manager Threat Analyzer Home page is the central interface of the Threat Analyzer and displays the Dashboards page by default. The Threat Analyzer pages are logically divided into 2 sections: the top menu bar and the lower display area.

Figure 8: Central Manager Threat Analyzer Home Page

NTBA: Administer the Network Threat Behavior Analyzer environment.

Note: Custom dashboards can be created using Options on the top right corner of the Dashboards page. See Customized dashboards and monitors (on page 15).

Using the Central Manager Threat Analyzer is similar to using the Manager Threat Analyzer. Specific differences between the Central Manager Threat Analyzer and the Manager Threat Analyzer are indicated where relevant in Using the Threat Analyzer.

CHAPTER 4

Viewing Alerts Dashboards

The Dashboards page provides the following sections:

NSP Health: a dashboard to display the operational status of the Sensors. Clicking on the chart enables you to view the faults received on each Sensor.

IPS: the default dashboard displayed in the Dashboards page, to view a summary of IPS alerts. Clicking on the chart on the IPS tab automatically takes you to the Alerts page to view further details.

NAC: a new dashboard to display a summary of NAC alerts. As in the IPS tab, clicking on the chart takes you to the Hosts page. For more information, see NAC Configuration Guide.

NTBA: offers the full range of Network Threat Behavior Analysis (NTBA) functionality. For more information, see NTBA Monitoring Guide.

Note: In the Central Manager Threat Analyzer, the Dashboards page provides a single dashboard, namely IPS.

NSP Health view

The Alerts Dashboards - NSP Health tab enables you to view/perform the following:

• Monitoring Sensor TCP/UDP flow utilization (on page 27): Sensor TCP/UDP flow utilization status for all the devices configured in the Manager.

• Monitoring Sensor throughput utilization (on page 29): Sensor throughput utilization status for all the devices configured in the Manager.

• Viewing Messages from McAfee (on page 36): displays the latest updates and the current version of the signature set applied to your Sensor.

• Status of Activities (on page 36): displays the status of all the Sensors configured in the Manager.

• Operational Status Summary (on page 36): displays the operational status from the Manager Home page. This Operational Status view cannot be operated in the same manner as the Operational Status available from the Manager Home page; that is, faults are not selectable. This view is available for a quick glance, so that you do not have to leave the Threat Analyzer to get an update on possible system faults.

• Sensor Update Summary (on page 36): displays the current versions of the Sensor software and signature set of the logged-in domain. The Update Now button updates the Sensor configuration.

Figure 9: General View - Summary

To view the NSP Health dashboard in the Threat Analyzer, do the following:

1 Click Real-time Threats from the Manager Home page.

2 Select the NSP Health tab.

Customized Dashboards and Monitors

The Threat Analyzer allows you to add your own dashboard(s) using Options on the top right corner of the Dashboards page. You can then add monitor(s) to your dashboard(s).

A monitor is a customized page to view alerts and threats. You can either use the default monitors or create your own. When you add a dashboard, it is initially made up of a single window to which you can assign a monitor.

Once you assign or create the first monitor, you can right-click on the name display area of the monitor (that you have just added) to split the window vertically or horizontally. In the split window, you can add another monitor to further build the dashboard of your choice. You can resize each monitor window using drag and drop.

Note that inside the monitors, you can switch between viewing the alert data in bar chart or pie chart format by clicking the small icon on the monitor’s name display area.

You can create as many dashboards as you need. If the number of dashboards increases, the Threat Analyzer automatically provides scroll bars for ease of use.

You can perform the following actions using dashboards:

• Create customized dashboards and name/rename them accordingly

• Create/edit/delete multiple dashboards

• Switch between the two pages of a default dashboard using the toggle

• Move to the next or previous page of multiple dashboards using the scroll bar

• Move custom dashboards using the Move left/Move right buttons

Creating a Dashboard

To create a dashboard:

1 Open the Real-time Threat Analyzer from the Manager Home page. The Dashboards page opens.

2 Click Options > Dashboard > New.

Figure 10: Threat Analyzer - Dashboard

3 Enter a name for the dashboard and click OK.

Note: No blank spaces or special characters are allowed in the Dashboard Name.

Creating a Monitor

To create a new monitor:

1 Open the Real-time Threat Analyzer from the Manager Home page.

2 Click Options > Monitor > New.

Figure 11: Creating A Monitor

Alternatively, you can create a monitor while assigning a monitor to a dashboard. See Assigning a New Custom Monitor.

3 The New Monitor dialog appears.

4 Type a name for the monitor in Monitor name.

5 Select Alerts, Hosts, Sensor Performance, or NTBA as the Data Source to be displayed.

6 Click OK. The Display Filter window is displayed.

Figure 12: Display Filter Window

7 Define the fields, assign a value for the parameters, and click Next.

Note: The fields are listed in the Filter Criteria. To select a field to be defined, click the right arrow button displayed next to the field. To remove a field, click the left arrow button displayed near the selected field.

Figure 13: Wizard- Monitoring board

8 Use the Add and Remove buttons to include or remove fields as desired. You can use the Up and Down buttons to arrange the order of the fields in Show These Fields in This Order.

Click Previous if you want to move to the previous page.

3 Select the created monitor from the Custom Monitor list and click Edit.

4 Define the fields desired and click Next.

5 Use the Add and Remove buttons to include fields as desired. You can use the Up and Down buttons to specify the order.

6 Click Finish.

Deleting a Monitor

1 Click Options > Monitor.

2 Click Delete.

Figure 15: Delete Monitor Window

3 Select the created monitor from the list and click Delete.

Note: Only user-created monitors can be edited or deleted.

Viewing Default General Monitors

The list of existing monitors available under Type - NSP Health are:

Messages from McAfee: Enables you to view any product or security-related messages from McAfee. The messages can relate to operating system patches, signature set releases, Manager software updates, and so on.

Operational Status Summary: Enables you to view the Operational Status summary.

Sensor Update Summary: Enables you to update Sensor configurations and download SSL keys.

Status of Activities: Displays the status of currently In-Progress activities on your system that Network Security Platform identifies as long-running processes.

To assign an existing NSP Health type monitor to a dashboard:

1 Click Options > Dashboard > New to open the Create New Dashboard dialog.

Figure 16: Creating a New Dashboard

2 Enter a name for the new dashboard in the Dashboard Dialog.

Figure 17: New Dashboard Dialog

3 Click Assign Monitor to view the Assign Monitor Dialog.

4 Select Assign an existing Monitor.

Figure 18: Assigning an existing Monitor- General

5 Under Category, select Default Monitors.

6 Under Type, select General.

7 Under Monitor, select a default monitor, and click OK.

Viewing Default IPS Monitors

The list of existing monitors available under Type - IPS are:

Attack Result: depicts the ratio of alerts based on the estimated result of the detected attacks: whether the attack was Successful, Unknown, Failed, or Blocked, or whether the alert was raised for suspicious, but not necessarily malicious, traffic. For more details, see Attack result status (on page 42).

Attack Severity: depicts the ratio of alerts based on severity level: High, Medium, Low, Informational.

Attacks Over Time: depicts the number of attacks over time.

IPS Quarantine: depicts the number of hosts that are quarantined, and the number of hosts that are not quarantined, by Network Security Platform.

New Threats: depicts the number of new threats.

Non-RFSB Attack: depicts the number of attacks that were not recommended for blocking (RFSB).

RFSB Attack: depicts the number of attacks recommended for blocking (RFSB).

To assign an existing IPS monitor to a dashboard:

1 Click Options > Dashboard > New to open the Create New Dashboard dialog.

2 Enter a name for the new dashboard in the Dashboard Dialog.

3 Click Assign Monitor to view the Assign Monitor Dialog.

4 Select Assign an existing Monitor.

Figure 19: Assigning an Existing Default Monitor- IPS

5 In Category, select Default Monitors.

6 In Type, select IPS.

7 In Monitor, select a default monitor, and click OK.

Viewing Default NAC Monitors

The list of existing monitors available under Type - NAC are:

McAfee NAC client: represents the number of hosts that were detected as VPN employees, guest users, and local employees.

System health: a bar chart representing the number of hosts at each of the six System Health Levels.

System State: represents the number of hosts currently in any of the following states:

• Identity Required via Guest Portal

• Determining IBAC Policy

• Admitted

• IPS Quarantined

• Health Level Required via Guest Client

• Bad System Health

User type: represents the number of hosts that were detected as VPN employees, guest users, and local employees.

To assign an existing NAC monitor to a dashboard:

1 Click Options > Dashboard > New to open the Create New Dashboard dialog.

2 Enter a name for the new dashboard in the Dashboard Dialog.

3 Click Assign Monitor to view the Assign Monitor Dialog.

4 Select Assign an existing Monitor.

Figure 20: Assigning an Existing Default Monitor- NAC

5 Under Category, select Default Monitors.

6 Under Type, select NAC.

7 Under Monitor, select a default monitor, and click OK.

Viewing Default NTBA Monitors

The NTBA tab in the Dashboards page of the Threat Analyzer displays the following default monitors.

Default Monitors

Monitor Name                              Drill-Down Monitors
Throughput Enterprise Traffic (Bytes)     Not Applicable
                                          • Service Traffic Summary
                                          • Application Traffic Summary
                                          • Host Interaction Monitor
                                          • NSLookup Information Monitor
Bandwidth Utilization (%) - Interfaces    • Interface Traffic - Throughput (bps)
                                          • Interface Traffic - Packet Rate (pps)
                                          • Bandwidth Utilization (%)
                                          • Interface Traffic - Show All
                                          • Top Bandwidth Consumers
                                          • Service Traffic Summary
Application Traffic (Bytes)               Application Profile
Protocol Distribution (Bytes)             Not Applicable
Traffic Volume (Bytes) - Zones            • Zone Traffic
                                          • Zone Services Traffic
                                          • Top Bandwidth Consumers
                                          • Zone Files
                                          • Zone URLs
                                          • Zone DoS Profile

The following additional default monitors and custom monitors can be assigned to new dashboards.

Additional Default Monitors

Monitor Name

• Applications - Active (Last 1 hour)

• Applications - New (Last 1 day)

• Hosts - Active (Last 1 hour)

• Services - Active (Last 1 hour)

• Services - New (Last 1 day)

• Services Traffic (Bytes)

• Top External Hosts by Reputation

• Top URLs by Category

• Top URLs by Reputation

Custom Monitors

• Throughput Enterprise Traffic (Bytes)

• Application Traffic (Bytes)

• Services Traffic (Bytes)

• Bandwidth Utilization (%) - Interfaces

• Traffic Volume (Bytes) - Zones

• Host Threat Factor

• Traffic Volume (Bytes) - Top Source Hosts

• Applications - Active (Last 1 hour)

• Applications - New (Last 1 day)

• Services - Active (Last 1 hour)

• Services - New (Last 1 day)

• Services Traffic (Bytes)

• Top External Hosts by Reputation

• Top URLs by Category

• Top URLs by Reputation

• Hosts - Active (Last 1 hour)

• Hosts - New (Last 1 day)

• Top URLs

• Top Files

• Protocol Distribution (Bytes)

• Zone Traffic Summary

• Zone Service Traffic (Bytes)

• Zone Files

• Zone URLs

• Top Zone Conversations

Alerts and Scans

The Start Vulnerability Scan, ePO Scan, Show All Alerts, Show IPS Alerts, and Show NTBA Alerts options are available in the right-click menus of various monitors, as follows:

The Start Vulnerability Scan and ePO Scan options are available in the right-click menu of the Traffic Volume (Bytes) - Top Source Hosts, Host Threat Factor, and Hosts - New (Last 1 day) monitors if McAfee Vulnerability Manager and McAfee ePolicy Orchestrator are integrated with, and enabled in, McAfee Network Security Manager. Information from vulnerability and ePO scans is displayed in the Host Forensics page of the Threat Analyzer.

The Show IPS Alerts and Show All Alerts options are available in the right-click menu of the Host Threat Factor monitor, and redirect the user to the Alerts page, where information on the selected host is displayed in a new tab. The Show NTBA Alerts option is available in the Host Threat Factor and Traffic Volume (Bytes) - Zones monitors.

For more information on NTBA monitors, see NTBA Monitoring Guide.

Viewing Default Sensor Performance Monitors

Sensor performance statistics can be viewed in the Threat Analyzer by creating a new dashboard and choosing monitors that display different types of Sensor statistics. The monitors available for Sensor performance statistics are:

Statistics - Flow: Statistical view of the TCP and UDP flow data processed by a device. Checking your flow rates can help you determine whether your device is processing traffic normally, while also providing you with a view of statistics such as the maximum number of flows supported as well as the number of active TCP and UDP flows.

Statistics - IP Spoofing: Statistics on the number of IP spoofing attacks detected by Network Security Platform. Statistics are displayed per direction.

Statistics - Malware: Statistics of the malware detected for a given device.

Statistics - Port Packet Drop: Packet drop rate on a port.

Statistics - Rate Limiting: Rate limiting statistics provide the estimated number of packets dropped and bytes dropped by the device. You can view rate limiting statistics for each device (per port) listed in the resource tree of the Manager.

Statistics - Rx/Tx: Statistics of the total number of packets received (Rx) and transmitted (Tx) for a given device.

Statistics - Sensor Packet Drop: Packet drop rate on a device. The statistics are displayed on a per-device basis and include the count of packets dropped by the device due to the rate limiting set on the device and due to sanity check failures.

Follow this procedure to view Sensor performance statistics (this example demonstrates the steps for creating Flow Statistics):

1 Click Options > Dashboard > New to open the Create New Dashboard dialog.

2 Enter a name for the new dashboard in the Dashboard Dialog.

3 Click Assign Monitor to view the Assign Monitor Dialog.

4 Select Assign an existing Monitor.

Figure 21: Monitor Selection for Sensor Performance

5 Under Category, select Default Monitors.

6 Under Type, select Sensor Performance.

7 Under Monitor, select Statistics - Flows, and click OK.

8 Select the device for which you wish to view flow statistics and click Refresh to view the flow statistics for the selected device.

9 Follow a similar procedure and select the other Sensor Performance monitors to view the relevant Sensor statistics.

Monitoring Sensor Performance metrics

Core Sensor performance metrics can be monitored using the Threat Analyzer. The core metrics are CPU Utilization, Sensor TCP/UDP Flow Utilization, and Sensor Throughput Utilization. Monitoring of core metrics is possible only if Performance Monitoring is enabled under the Device List node or the Device_Name node in the Manager Configure pages.

The procedure for monitoring each metric is detailed in the following sections:

• Monitoring Sensor TCP/UDP flow utilization (on page 27)

• Monitoring Sensor Throughput utilization (on page 29)

• Monitoring Port Throughput Utilization (on page 29)

• Monitoring Sensor CPU utilization (on page 33)

Monitoring Sensor TCP/UDP flow utilization

Follow this procedure to view the consolidated Sensor TCP/UDP flow utilization status for all the devices configured in the Manager.

1 Open the Real-time Threat Analyzer from the Manager Home page.

2 The NSP Health tab of the Dashboards page of the Threat Analyzer opens by default.

3 The Sensor TCP/UDP Flow Utilization pie chart displays the consolidated TCP/UDP flow utilization status for all the devices configured in the Manager. The pie chart portions are color coded for the "High", "Medium", "Low", "Metric Disabled", and "Disconnected" categories. Click on a colored portion of the pie chart to display a list of devices and their utilization percentages relating to that portion.

Figure 23: Details of Sensor TCP/UDP Flow Utilization

4 Select the device for which you wish to view information in a time chart and click Chart to create time charts for the selected device.

Figure 24: Sensor TCP/UDP Flow Utilization Chart

5 If you wish to view real-time data, click Real-Time Threats to start real-time polling of Sensor TCP/UDP flow utilization.

Equation 1: Button for Starting Real Time Metrics

Figure 25: Real time button TCP/UDP flow Utilization

6 Click Yes to view the chart based on real-time polling.

Figure 26: Real Time Polling Warning Dialog

Note: The normal interval for utilization charts is one minute. When real-time mode is chosen, data is polled and plotted every 10 seconds. Real-time polling is done for a block of 10 minutes; user intervention is required to re-run real-time polling, if needed, after this block of time. This acts as a check so that the extra bandwidth is only used deliberately.

Monitoring Sensor throughput utilization

Follow this procedure to view the consolidated Sensor throughput utilization status for all the devices configured in the Manager.

1 Open the Real-time Threat Analyzer from the Manager Home page.

2 The NSP Health tab of the Dashboards page of the Threat Analyzer opens by default.

3 The Sensor Throughput Utilization pie chart displays the consolidated Sensor throughput utilization status for all the devices configured in the Manager. The pie chart portions are color coded for the High, Medium, Low, Metric Disabled, and Disconnected categories. Click on a colored portion of the pie chart to display a list of devices and their utilization percentages relating to that portion.

Figure 27: Details of Sensor Throughput Utilization

4 Select the device for which you wish to view information in a time chart and click Chart to create time charts for the selected device.

Figure 28: Sensor Throughput Utilization Chart

5 If you wish to view real-time data, click Real-Time Threats to start real-time polling of Sensor throughput utilization.

Equation 2: Real Time Button for Sensor Throughput Utilization

Figure 29: Real-Time button Sensor Throughput Utilization

6 Click Yes to view the chart based on real-time polling.

Figure 30: Real Time Polling Warning Dialog

Note: The normal interval for utilization charts is one minute. When real-time mode is chosen, data is polled and plotted every 10 seconds. Real-time polling is done for a block of 10 minutes; user intervention is required to re-run real-time polling after this block of time. This acts as a check so that the extra bandwidth is only used deliberately.

Monitoring Port throughput utilization

Follow this procedure to view the port throughput threshold status for all the devices configured in the Manager.

1 Open the Real-time Threat Analyzer from the Manager Home page. The NSP Health tab of the Dashboards page of the Threat Analyzer opens by default.

2 Click Options > Dashboard > New.

3 Enter a name for the new dashboard in the Dashboard Dialog.

4 Click Assign Monitor to view the Assign Monitor Dialog.

5 Under Category, select Default Monitors.

6 Under Type, select Sensor Performance.

7 Under Monitor, select Utilization - Port Throughput, and click OK.

Figure 31: Assigning an Existing Port Throughput Monitor

8 Select the ports for which you want to view throughput utilization from the Available device Ports list in the left pane of the Port Throughput Utilization dialog and click Add to move them to the Selected device Ports pane on the right.
