
Forum

Importing Database Archives

3 April 2019 Forum By: Darragh Delaney

If you want to analyse network traffic data that is no longer available online and if you have backup enabled, you can import archived data back into a LANGuardian reader system.

When LANGuardian is deployed and fills its disk, it will create archive files of old data which can be exported automatically (by using the Enable Backup settings). When it comes to a time when these archives need to be accessed, most customers are wary about importing them into their live system as they will fill up the disk again.

This import feature and a LANGuardian reader system are useful in situations where you need to investigate past events such as file deletions or Internet downloads.

To do this, it’s necessary to create a separate LANGuardian (Reader) instance which will allow the archive file/s to be uploaded to it. It’s not possible to upload archive files to a production system and it would not be recommended in any case.

This separate LANGuardian system will require what’s known as a ‘Reader’ license, which we provide on request. Email us at licensing@netfort.com.

When this license is applied and you navigate to the LANGuardian settings page, you will see a new option: Import Database archive


Click on this option, navigate to the .dat archive file and upload it.

You can click on ‘Show advanced options’ to select specific categories that you want to include in the import.

Now, go to any report and run it for the time frame of the archive files you uploaded.

After you import the data, it will become available through the LANGuardian Reader user interface and be included in all of the existing dashboards, reports, and trends. If you want to focus specifically on the imported data, you might need to create custom reports that focus on the dates covered by the archive.

If you need assistance creating reports or any of the above, let us know by emailing support@netfort.com.

If you need a free Reader license, email us at licensing@netfort.com.

How to open a Remote (ssh) Support Tunnel for the NetFort Support Team

20 February 2019 Forum By: Darragh Delaney

We always advise our customers to open a Secure SSH tunnel for NetFort Support. This way, if you need any assistance at any time we can jump straight onto your system and troubleshoot.

How do I open a Tunnel?

  1. Contact us at support@netfort.com to request a dedicated Support Tunnel ID.
  2. Navigate to Settings > Configuration > Remote support.
  3. Enter your assigned Support Tunnel ID and make sure to tick the box so that the connection is Persistent.
  4. Click Connect. You should then receive a pop-up stating: ‘Connection Established’.

If you find that the address the connection is trying to establish is unknown and access to NetFort’s Remote Support Tunnel is actually located in the DMZ, a Firewall Rule will be required to allow outbound connections to our Remote Support Server.

The solution is to allow an outbound TCP connection on port 22 to 54.224.230.135, which is the address of NetFort’s office.

LANGuardian needs direct SSH access to the Internet for a successful connection. Make sure your firewall is configured to allow SSH connections from LANGuardian.

If you have any problems please do not hesitate to contact us at Support.

NetFort Tips & Tricks – How to exclude some of your network traffic from LANGuardian monitoring

20 February 2019 Forum By: Darragh Delaney

A customer recently contacted us with a situation: “We have an IP camera system and our security department is constantly monitoring the feeds, this is traversing the network and as a result is skewing the results on the dashboard. There is heavy traffic, but this is generated by the IP camera system.”

They then asked the following question: “Is there a way to filter or exclude these systems from LANGuardian? It’s on a separate VLAN, but the traffic is traversing through the same ports that are being monitored.”

The answer is yes, it is possible.

The customer in question wanted to exclude camera traffic, but you can use the same technique to exclude any traffic you do not want to monitor. Reducing the amount of traffic monitored by LANGuardian improves database efficiency and overall performance. LANGuardian implements a Berkeley Packet Filter (BPF) to exclude or include the traffic you want it to monitor.

The steps involved in setting up a BPF filter are:

  1. Go to the LANGuardian Configuration page.
  2. In the System Status section of the Configuration page, click Check the sensor status.
  3. Click the Settings link for the sensor you want to modify.
  4. Click Edit Sensor Settings.
  5. Find the setting BPF Filter For The Traffic Monitor/BPF traffic filter for IDS.
  6. Specify a filter (see some examples below).
  7. Click Save.

The following examples show some of the most common BPF filters:

  • To exclude one host: not host x.x.x.x
  • To exclude multiple hosts: not host (x.x.x.x or x.x.x.x or x.x.x.x)
  • To exclude one port: not port x
  • To exclude traffic belonging to a certain host on a VLAN: not (vlan and host x.x.x.x)
  • To exclude traffic between host A and host B: not (host A and host B)
  • To exclude one subnet: not net x.x.x.x/mask
  • To capture only traffic to and from a subnet: net x.x.x.x/mask
  • To capture only traffic to and from a host: host x.x.x.x

Please contact us if you would like to know more about configuring BPF filters to reduce the amount of traffic monitored by LANGuardian. If you have questions about LANGuardian itself, please contact support@netfort.com
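The list above has a separate VLAN form because a plain host test reads the IP addresses at the offsets of an untagged frame and so misses 802.1Q-tagged traffic, while the vlan keyword shifts those offsets by four bytes. The added example below (not NetFort code) models that behaviour on constructed frames; the camera address 10.0.5.20, VLAN ID 50 and the combined filter in monitored() are assumptions made for illustration.

```python
import socket
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def frame(src_ip, dst_ip, vlan_id=None):
    """Constructed Ethernet + IPv4 header, optionally carrying an 802.1Q tag."""
    eth = bytes(12)                                   # dst + src MAC (zeroed sample)
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id)  # TPID + VLAN ID
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def host_match(pkt, ip, l2_len=14):
    """Model of 'host ip': EtherType and addresses are read at fixed offsets."""
    if struct.unpack_from("!H", pkt, l2_len - 2)[0] != ETH_IPV4:
        return False
    addr = socket.inet_aton(ip)
    return addr in (pkt[l2_len + 12:l2_len + 16], pkt[l2_len + 16:l2_len + 20])

def vlan_and_host_match(pkt, ip):
    """Model of 'vlan and host ip': require the tag, then shift offsets by 4."""
    if struct.unpack_from("!H", pkt, 12)[0] != ETH_VLAN:
        return False
    return host_match(pkt, ip, l2_len=18)

def monitored(pkt, camera_ip):
    """Model of 'not (host cam or (vlan and host cam))': True if the frame is kept."""
    return not (host_match(pkt, camera_ip) or vlan_and_host_match(pkt, camera_ip))

CAMERA = "10.0.5.20"                                  # constructed address
untagged = frame(CAMERA, "10.0.1.1")
tagged = frame(CAMERA, "10.0.1.1", vlan_id=50)
other = frame("10.0.1.5", "10.0.1.1", vlan_id=50)

if __name__ == "__main__":
    print("plain host test on tagged camera frame:", host_match(tagged, CAMERA))
    print("vlan-aware test on tagged camera frame:", vlan_and_host_match(tagged, CAMERA))
    print("other host on the same VLAN still monitored:", monitored(other, CAMERA))
```

Everything an exclusion filter matches disappears from LANGuardian's reports, so keeping it to the specific hosts rather than a whole subnet or VLAN limits the resulting blind spot.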

How do I add a remote sensor to our central manager?

20 February 2019 Forum By: Darragh Delaney

All LANGuardian systems (Standalone, Central Managers and Sensors) are built using the same software, but they are configured and licensed in different ways.

To create a Central Manager and Sensor system you will need:

  • to know the IP address and Administrator Web GUI password of your Central Manager system.
  • a system to configure as a sensor. This system requires 2 network cards.

1. Create a new LANGuardian system:

Download the LANGuardian software (from here) and install as a regular (standalone) LANGuardian system. These videos describe how to achieve this on a physical and virtual system.

2. Verify that the new system is correctly receiving SPAN traffic:

Confirm this on the LANGuardian Sensors GUI page (under SPAN)

3. Verify that the new LANGuardian system can connect to the Central Manager:

Access the console (CLI) and select option 4 (Ping). Enter the Central Manager IP address.

4. Convert the new system to probe (sensor) mode and bind it to a Central Manager:

4.1. Access the new LANGuardian console and select option 7 (Set Operating Mode)

4.2. Select ‘Change to probe’

4.3. Supply the password of the web GUI on the Central Manager system.

5. Add the new sensor on the Central Manager:

5.1. Access the Web GUI on your Central Manager system and go to Settings > Sensors

5.2. Add new sensor.

5.3. Choose ‘Remote/Local’ and your new sensor’s IP address should be visible. If not, review your license to make sure you are licensed to add additional sensors.

How do I apply my new LANGuardian License?

20 February 2019 Forum By: Darragh Delaney

Please note that the license text file has a file name similar to <netfort-license-xxxx-xxxx-xxxx-xxxx>.txt.

To apply your new LANGuardian license, please follow these steps:

If the old license has expired:

  1. Download and save the license file locally from the email.
  2. Click ‘Select File’ to locate the license file and upload to add the license to your LANGuardian system. You can also drag and drop the license file in here!

If the old license is still active:

  1. Download and save the license file locally from the email.
  2. Navigate to Settings > License > System license settings.
  3. Click ‘Select File’ to locate the license file and upload to add the license to your LANGuardian system. You can also drag and drop the license file in here!

Once your new license is applied, we suggest carrying out a simple check. You can do this by:

  1. Navigating to Settings Cog > Sensors 
  2. Beside your sensor, you will see a smaller Settings Cog. Click on it and select ‘Edit Sensor Settings.’  
  3. Make sure that both IDS and Traffic Monitoring are enabled and set to YES.

If you have any further queries on this matter, please contact licensing@netfort.com

Using Brocade switches – and need to monitor internal network activity. Is VLAN monitoring supported?

20 February 2019 Forum By: Darragh Delaney

We have great news about the Brocade ICX 7750 switches! VLAN monitoring is now supported. Check out the ICX7750 web site for the:

 

 

Configuring a SPAN session on Nexus 7000

20 February 2019 Forum By: Darragh Delaney

Here is an example of a SPAN configuration for a Nexus 7000 switch. In the command below, I am monitoring more than one VLAN.

In configuration mode: source vlan 3, 6-8 both

This guide contains detailed explanations of setting up a SPAN port on the Nexus 7000 switch: https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/113038-span-nexus-config.html

If you have any further questions on this topic, please do not hesitate to contact us at support@netfort.com

Can I monitor Oracle VM VirtualBox activity?

20 February 2019 Forum By: Darragh Delaney

By following the steps outlined below, you can easily create a LANGuardian image on a VM VirtualBox which will allow you to monitor the traffic passing in and out of the VirtualBox host.

  1. Simply download the LANGuardian ISO image from: https://www.netfort.com/free-trial-software/
  2. Build a virtual machine from the ISO image. When defining the resources for the image, we advise using at least 700MB RAM and configuring a hard disk size of at least 10GB. The default disk size of 4GB is not suitable for LANGuardian and will cause errors.
  3. Configure the IP address using the installation CLI.
  4. Reboot the image, and when rebooted you can access LANGuardian using the web based GUI.
  5. Open a web browser and enter https://”The IP address you assigned to the LANGuardian.”

The final step is to create a local sensor on the LANGuardian to monitor the network traffic. Follow these steps to create this:

  1. Administration -> Sensors -> Add New Sensor
  2. Add a local sensor – specify em0 in the sniffing interface field
  3. Click Save

A local sensor will now be created on the system. Wait 10 minutes and traffic should be recorded in the reports.

The installation process is quite straightforward and you can easily achieve good visibility into traffic going to and from the Cisco VM VirtualBox host.

Problem configuring SPAN port on Nexus 7700

20 February 2019 Forum By: Darragh Delaney

A LANGuardian customer recently contacted us with an interesting solution for their complex core switch. They could not seem to set Ethernet 1-2/1/12 as a SPAN port; the customer told us that they got the following error:

“error: switchport monitor not supported for interface type”

One thing we noticed on the Nexus is that you have to set the mode of the destination interface (102/1/12) as a monitor port. So, in interface configuration mode, run this command: switchport monitor.

The customer was then able to connect the SPAN port.

I can’t access the LANGuardian, HELP!

20 February 2019 Forum By: Darragh Delaney

LANGuardian can be accessed using a web based management system. You can access this from any web browser by entering https://”The IP address you assigned to the LANGuardian.”

You will be asked to enter a user name and a password. The default settings are username: Administrator and password: Administrator. You can change this password once you have logged on to the Management Interface.

From the Management Interface, you can then manage and configure all aspects of LANGuardian. However, access to the console is limited to 2 restricted accounts which NetFort’s support staff can initiate for you.

These restricted console accounts will allow you to alter the Management Interface IP address parameters and run some low level console commands.

NetFort Tips & Tricks – How to add a NetFlow sensor to LANGuardian

20 February 2019 Forum By: Darragh Delaney

Many of our customers have been asking how to add a NetFlow sensor to LANGuardian. Here are the steps you should follow:

1. Click on LANGuardian’s menu bar and select Sensors.
2. On the Sensors page, click Add New Sensor. LANGuardian will display a list of sensor types.
3. Select NetFlow from the drop-down menu and click Next.
4. Enter the Sensor Description, select the NetFlow Version, add the Listening UDP port*, add the Accept flow data from address information and enable/disable Traffic Monitoring. Click Save.
5. Configure NetFlow on a Cisco router.

*Normally you would use 2055 for the first NetFlow sensor configured.


To check if your flow sensor is working, click on the All Reports menu (top right of the LANGuardian GUI) and select the first report on the left. It will be called ‘Applications in Use‘ or ‘Top Protocols‘, depending on the version you are running.

Now, select the flow sensor from the Sensor drop-down on the left, run the report for a period such as 24 hours, and review the results.
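If the report stays empty, it helps to confirm that the exporter's datagrams agree with the sensor settings from step 4 (NetFlow version and accepted source address). The added example below, which is not NetFort code, decodes a NetFlow v5 export payload as taken from a packet capture; it assumes version 5, and the exporter address 192.0.2.1 and the sample flow are constructed.

```python
import ipaddress
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def check_v5_datagram(payload, sender_ip, accept_from, expected_version=5):
    """Return (ok, detail): detail is a list of flows or the reason for rejection."""
    if ipaddress.ip_address(sender_ip) not in ipaddress.ip_network(accept_from):
        return False, f"sender {sender_ip} not in accepted range {accept_from}"
    if len(payload) < V5_HEADER.size:
        return False, "shorter than a NetFlow v5 header"
    version, count, *_ = V5_HEADER.unpack_from(payload)
    if version != expected_version:
        return False, f"version {version}, sensor expects {expected_version}"
    if len(payload) != V5_HEADER.size + count * V5_RECORD.size:
        return False, "length does not match record count"
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        # (src, dst, src port, dst port, IP protocol, bytes)
        flows.append((socket.inet_ntoa(rec[0]), socket.inet_ntoa(rec[1]),
                      rec[9], rec[10], rec[13], rec[6]))
    return True, flows

def sample_datagram(version=5):
    """Constructed one-flow export: 10.0.1.5:51000 -> 10.0.2.9:443, TCP, 1200 bytes."""
    header = V5_HEADER.pack(version, 1, 0, 0, 0, 0, 0, 0, 0)
    record = V5_RECORD.pack(socket.inet_aton("10.0.1.5"), socket.inet_aton("10.0.2.9"),
                            bytes(4), 1, 2, 3, 1200, 0, 0, 51000, 443,
                            0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record

if __name__ == "__main__":
    print(check_v5_datagram(sample_datagram(), "192.0.2.1", "192.0.2.1/32"))
    print(check_v5_datagram(sample_datagram(9), "192.0.2.1", "192.0.2.1/32"))
    print(check_v5_datagram(sample_datagram(), "192.0.2.77", "192.0.2.1/32"))
```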

However, please note that there is a charge per NetFlow sensor. If this feature is not available, it usually means that you do not have the required license item. If you are unsure of the features that have been licensed to you, please consult with support@netfort.com.

If you have any questions about adding a NetFlow sensor to LANGuardian, configuring NetFlow on a Cisco router, or any other aspect of network monitoring with LANGuardian, please contact us.

Interested in the comparison between packet and flow capture? Check out Darragh Delaney’s article below!

https://www.computerworld.com/article/2473229/networking/comparing-packet-and-flow-capture.html