
NetFort LANGuardian

1.Dashboards #

The LANGuardian dashboards display live network information that you can use to monitor your network. When you log into LANGuardian, the dashboards are immediately displayed. If you navigate away from the dashboards, you can click Dashboards in the LANGuardian menu bar to display the dashboards again. By default, LANGuardian contains five dashboards as follows:

  • Network Traffic
  • Network Security
  • Internet Activity
  • Fileshares
  • Inventory and Services

To display a different dashboard, click one of the dashboard tabs at the top of the dashboard display area:

[Screenshot: dashboard tabs]

You can customize the dashboards to show at a glance the network information that is most important to you. You can also create new dashboards and customize them by adding and arranging reports and graphs.

Dashboards are user-specific, so each user can have an instant view of the information that is most important to them. Each user can have a maximum of five dashboards.

You can add any LANGuardian trend or report to a dashboard. When you create new trends or reports, they immediately become available for addition to dashboards under the Trends category.


1.1.Maximize the Dashboard View #

To maximize the dashboard to fill your browser window and hide the LANGuardian menu bar and headers, click the Maximize button to the right of the dashboard tabs. To display the LANGuardian menu bar and headers again, click the same button.


1.2.Edit the Dashboards #

To edit a dashboard, click the Edit button. When you are in Edit mode, you can make any of the modifications described in the sections below. To save the changes that you make to a dashboard, click Save. To cancel any changes and exit Edit mode, click Cancel.

Modify the Dashboard Display

When you are in Edit mode, the details of each column of information displayed on the dashboard are presented as follows:

[Screenshot: column editing controls]

You can modify the display of each dashboard in the following ways:

  • To modify the width of a column, type the width in pixels in the Column x width text box.
  • To change the order in which the reports/trends are displayed in a column, hover over the report/trend name until you see the move pointer and then drag the report/trend to the desired location in the list. You can also drag a report to another column.
  • To add a new column to the dashboard, click on the Add Column icon. A new column is displayed with a default width and you can add reports or trends to the column as described in the next section.
  • To remove a column from the dashboard, click on the Remove Column icon beside the Column x width text box and click Delete.
  • To change the order in which the columns are displayed, click on the blue header for the column and drag the column to the desired location.
  • To add reports or trends to a dashboard, see Add or Remove Reports or Trends below.

To save the changes to the dashboard and exit Edit mode, click Save. To cancel any changes that you made to the dashboard and exit Edit mode, click Cancel.

Add or Remove Reports or Trends

To remove a report or trend from a column, click the Remove icon beside the report name and then click Delete.

To add a report or trend to a column:

  1. Click on the column that you wish to modify.
  2. Click on the arrow next to the All menu.
  3. Select a report/trend category from the list, for example, Netscan.
  4. Click in the white space to the right of the arrow to view a list of the reports that are available for the selected category.
  5. Click on the report that you want to add. The report is added to the column.
  6. Click Save to save the changes to the dashboard and exit Edit mode.

Rename a Dashboard

To rename a dashboard, click on the dashboard tab and then click in the navy box that contains the dashboard name.

Type the new name for the dashboard and click Save.

Move a Dashboard

To change the order in which the dashboard tabs are displayed, hover over the arrows displayed to the right of the dashboard name until you see the move pointer and then drag the dashboard to the desired location.

To save changes to the dashboard location, click Save.


1.3.Add a Dashboard #

The maximum (default) number of dashboards that LANGuardian can display is five. You can add a new dashboard if you currently have fewer than five dashboards and the Add Dashboard icon is displayed next to the dashboard tabs.

[Screenshot: Add Dashboard icon next to the dashboard tabs]

If the icon is not displayed and you want to add a new dashboard, then you must first delete an existing dashboard. See Delete a Dashboard.

To add a dashboard:

  1. Click on the Add Dashboard icon.
  2. Click in the new dashboard tab and type a name for the new dashboard.
  3. By default, new dashboards contain one column. You can edit the dashboard to add the information that you require. See Edit the Dashboards for more information.
  4. Click Save to save the new dashboard.

1.4.Delete a Dashboard #

To delete a dashboard:

  1. Click on the dashboard tab that you want to delete.
  2. Click on the Edit button and select Delete.
  3. Click Delete to confirm the deletion. The dashboard is now removed from LANGuardian.

1.5.Modify Report Displays in a Dashboard #

You can modify how each report is displayed on a dashboard in the following ways:

  1. Click on the edit icon to the right of the report name.
  2. Use the Run Time section to show data for the Last 1 Hour, Last 4 Hours, or Last 24 Hours. Click on the option that you require.
  3. Use the Show Chart section to specify whether to display a graphical representation of the data on the dashboard, if appropriate. The options can be None, Pie, and Bar, depending on the report type. For some reports, charts are not relevant and None is selected. For other reports, the options Pie and/or Bar may be displayed. Click on the option that you require.
  4. Use the Show Table section to specify whether to display the report information in table format. The options are None, Headers and Content, or Content Only. Click on the option that you require.
  5. Click Save to save the changes.

Note: LANGuardian displays the first five rows of each report that is included on a dashboard. To access the full report from the dashboard, click on the arrow icon to the right of the report name. See Access a Full Report from the Dashboard for more information.


1.6.Access a Full Report from the Dashboard #

LANGuardian displays the first five rows of each report that is included on the dashboard. If the report shows something of interest and you want to view the full report, click the arrow button to the right of the report name:

[Screenshot: arrow button used to run the full report from the dashboard]

The full report is displayed. You can modify the filter options if required and click Run Report to view the information that interests you.


1.7.Sending Feedback from the Dashboard #

To send feedback from LANGuardian, follow these steps:

  1. Click the Help button on the LANGuardian menu bar.
  2. Click the Send Feedback option from the drop-down menu.
  3. Enter a description and click the Send Feedback button to send your feedback straight to NetFort.

1.8.Reporting an Issue from the Dashboard #

To report a technical issue in LANGuardian, follow these steps:

  1. Click the Help button on the LANGuardian menu bar.
  2. Click the Report An Issue option from the drop-down menu.
  3. Enter a description of the issue and click Send A Report to send the issue straight to our support team.

1.9.View System Information from the Dashboard #

To view the system information from the dashboard, follow these steps:

  1. Click the Help button on the LANGuardian menu bar.
  2. Click the About option from the drop-down menu.

2.Reports #

LANGuardian captures all network traffic flowing through your core switch and stores this data in a LANGuardian traffic database. LANGuardian provides a large number of built-in reports based on the data that it captures. You can customize the built-in reports to suit your requirements by applying a variety of filters. You can also easily create new custom reports if there is no built-in report to meet your requirements. When you run a report, LANGuardian creates a query based on your report criteria, applies the query to the LANGuardian database, and displays the results in graphical and tabular format.


2.1.View Reports #

To view all of the built-in reports that are available, click All Reports. A list of report categories is displayed, with the most popular reports in each category displayed first. The reports are grouped under eight categories as follows:

  • Applications
  • Bandwidth
  • Security
  • Web
  • Windows File Shares
  • Ethernet
  • Inventory
  • My Reports

To view all of the reports in a category, click on More >>. When you click on More >>, LANGuardian displays a full list of the reports available in the reporting category and a brief description of each report.

To run a report and view the results:

  1. Click on a report name. A list of filter options is displayed on the left side of the screen, which you can modify according to your preferences. See Apply Report Filters for more information.
  2. To run the report, click Run Report. The report results are displayed on the right side of the display.
  3. To hide the report filters and fill the display area with the report results, click the arrow button at the top left of the report results. To display the report filters again, click the arrow button again.
  4. To view a graphical representation of the report results, and to toggle between the graphical and tabular views, click the graph icon.
  5. If the report contains multiple screens of information, use the page navigation buttons at the bottom of the screen to navigate the report. You can also use the Rows drop-down list to select the number of report rows to display per page. The Rows setting persists for all reports.

Related topics…

Embed a Report in a Third-Party Application

Create a Trend Report

Save a Report as a Custom Report

Download a Report

Email a Report

Print a Report


2.2.Apply Report Filters #

Report filters are displayed on the left of the screen and allow you to modify the report results to display exactly the information that is of interest to you. By default, the most popular filters are displayed initially. To view more filters, click Show More. To view fewer filters again, click Show Less.

Using the Source IP/Subnet Filter

Many of the LANGuardian reports support an IP/Subnet filter field to narrow the results of the report to specific IP addresses or ranges of IP addresses, or to exclude certain IP addresses or ranges. The following table describes how to use the IP/Subnet field to focus a report on the IP addresses that are of interest to you.

[Table: IP/Subnet filter examples]

Using Common Regular Expressions

Some of the report filter fields contain a drop-down list that lets you filter the report using regular expressions. For example, the following shows the drop-down list for the Website Name field:

[Screenshot: Website Name filter drop-down list]

The following tables provide examples of some of the regular expressions that you can use to filter reports, depending on the filter field in use:

[Table: regular expression examples]

[Table: regular expression examples, continued]

Filtering SQL Server Reports

To view SQL Server reports, click on All Reports, go to the Inventory category, and click on SQL Server.

To check if sensitive information such as passwords, user profiles, or addresses is being accessed on the network, you can use the Statement filter field in SQL Server reports. For example, to search for all SQL statements requesting password, username, or address information, select Matches regexp from the Statement drop-down list and enter password|username|address.

To check for DROP statements against SQL databases, select Drop from the Statement Type filter field to display all drop statements.


2.3.Special usernames in Reports #

In addition to the regular usernames displayed in reports, the following special names are frequently displayed:

  • Unknown: LANGuardian queried a Domain Controller but could not find a logon record to match the client generating this flow or event.
  • Not Classified: LANGuardian has not yet queried the Domain Controllers to find a logon record to match the client generating this flow or event. LANGuardian updates the records about every 5 minutes.
  • Anonymous: LANGuardian queried the Domain Controllers and found a logon record to match the client generating this flow or event. The username returned by the Domain Controller was 'Anonymous'.

 


2.4.Embed a Report in a Third-Party Application #

To view a report from a third-party application without having to log on to LANGuardian, you can embed a link to a report in the third-party application. To do this from a report results page:

  1. View the report that you want to embed.
  2. Click Integration (help_integration_button) and select one of the following options from the drop-down list:
    • SolarWinds Orion
    • CSV
    • Excel Web Data Source
    • IFRAME
  3. Follow the instructions in the window that is displayed to copy the link to the third-party application.

2.5.Create a Trend Report #

You can create a trend from a report. Trends can then be displayed on a dashboard or you can access the trend by editing a dashboard, clicking on the dashboard menu and selecting Trends.

To create a trend from a report:

  1. View the report that you want to trend.
  2. Select a sensor from the Sensor drop-down list. For trend reports, the default Sensor option of “all” is not acceptable. A trend must be connected to a particular sensor.
  3. Click Actions (help_actions_button) and select Trend Report.
  4. Type a name for the trend in the Name field.
  5. The report columns that are suitable for inclusion in the trend are listed. By default, all suitable report columns are selected for inclusion in the trend. To exclude a column, deselect the column name.
  6. Click Create.

2.6.Save a Report as a Custom Report #

If you make changes to the filter fields for a standard report, you may wish to save a copy of the report for future use. The report then becomes a custom report. To save a copy of a report:

  1. Click Actions (help_actions_button) and select Duplicate Report.
  2. Type a name for the report in the Name field.
  3. Type a brief description of the contents of the report in the Description field.
  4. Click Save. The results are saved to a report and stored under the My Reports category. The results are cleared from the current screen. To view the report, click All Reports and select the report under the My Reports category.

2.7.Download a Report #

To download a report:

  1. Click Download Report.
  2. Select the report format:
    • PDF (Portable Document Format), for viewing and printing with Adobe Reader or Adobe Acrobat.
    • CSV (Comma-Separated Values) format, for importing into applications such as Microsoft Excel and Google Apps™.
  3. Select Current to export only the current page of results or All to export all of the results pages. The number of pages of results is indicated in the bottom right of the report display, for example, 1 of 18.
  4. Select A4 or Letter to determine the paper size.
  5. Select Portrait or Landscape to determine the orientation of the pages.
  6. Click Download. The file is downloaded to the default Downloads folder in the specified format.

2.8.Email a Report #

To email a report to an email address:

  1. View the report that you want to email.
  2. Click Send Report by Email on the report menu bar.
  3. Type the recipient email address in the To field.
  4. Type a brief subject in the Subject field. For example, “Top Talkers Report from LANGuardian”.
  5. Type a message in the Message field.
  6. Select Current to email only the current page of results or All to email all of the results pages. The number of pages of results is indicated in the bottom right of the report display, for example, 1 of 18.
  7. Click Send.

The report is included in the message body and sent to the recipient.

You can email any LANGuardian report on demand, and you can also schedule reports to run and email the results to specific users at hourly, daily or weekly intervals.


3.Searching LANGuardian #

You can use the Search bar in the LANGuardian menu bar to search the LANGuardian reports and the LANGuardian traffic database for specific information.

[Screenshot: Search bar]

You can use the Search bar in two different ways as follows:

  • Click in the Search box to display a full list of all LANGuardian reports. Select a report from the list to go directly to the report and click Run Report.
  • Click on the arrow to the right of the Search box to display other search options as follows:
    • To search for information by IP address or subnet, type an IP address or subnet in the IP Address text box. For example, 192.168.1.227 or 192.168.1.0/24.
    • To search for information by username, type a full or partial username in the User Name text box.
    • To search for information by filename, type a filename, partial filename, directory name, partial directory name, or file type in the File Name text box. LANGuardian searches for all filenames that match the search criteria.
    • To search for information by website, type a full or partial domain name. For example, you can enter “youtube.com” to display data for youtube.com or enter “you” to display data for any domain name that contains the word “you”.
    • From the Time Range drop-down list, select whether to perform the search on data from the Last 1 Hour, Last 4 Hours, or Last 24 Hours (default). Alternatively, click the calendar icon to display a date/time range dialog and specify a longer period to search.
    • Click the Search button to begin the search. All reports that contain data matching the search criteria are displayed. To view the full report, click on the arrow to the right of the report name.

The following table provides some guidelines for entering search criteria:

[Table: search criteria guidelines]


4.Custom Event Rules #

This powerful feature allows you to define custom rules that trigger alerts for suspicious activity on the network.


4.1.Creating Custom Rules #

To create a custom event rule in LANGuardian:

  1. Choose Settings from the Settings drop-down menu.
  2. Under Alerts, Reports, click the Alert rules link.
  3. Click the Add New Rule link.
  4. Enter a name for the rule. Note that rule names are restricted to letters and numbers only.
  5. Define the custom rule. To learn how to define a custom rule, see Custom Rule Syntax and Building a Custom Event Rule.
  6. Click the Save button.
  7. To view the alerts created by custom event rules, click in the search bar, enter User Defined, and select the Network Events Summary (User Defined) report.
  8. Run the report.

4.2.Custom Rule Syntax #

The following is an example of a custom web access rule.

http, web_access host="www.google.com"

A custom rule is divided into three sections: the Module, the Hook, and the Fields. The Module defines which Hooks and Fields are available to the rule. Modules, Hooks and Fields are described next.


4.2.1.Modules #

There are four possible modules to select from, detailed below. Each module allows you to create rules based on a particular type of network traffic, or a related set of parameters.

flow: the flow module is used for generic network conversations

http: the http module is used for web related transactions

smb: the smb module is used when creating a custom rule that is aimed at file operations

smtp: the smtp module is used when creating a custom rule that is aimed at emails or email attachments

It is important to remember that each Module, Hook, and Field is case sensitive, therefore ensure that you use the names exactly as they are shown here.


4.2.2.Hooks #

Each Module has a number of Hooks defined within it, and each Hook has a number of Fields that it can use, but more on this later.

The following is a list of each Hook available under each Module:

flow:

  1. new: Used to create an alert for IP addresses

http:

  1. web_access: Used to create an alert for web access

smb:

  1. create_file: Used to create an alert for any new files created
  2. open_file: Used to create an alert for any files that have been opened
  3. delete_file: Used to create an alert for any files that have been deleted
  4. read_file: Used to create an alert for a file read
  5. write_file: Used to create an alert for any files that have been written to
  6. delete_dir: Used to create an alert for any directory that has been deleted
  7. rename_file: Used to create an alert for any files that have been renamed

smtp:

  1. envelope: Used to create an alert for an email
  2. attachment: Used to create an alert for emails with attachments

4.2.3.Fields #

Each Hook has a number of Fields that define the criteria for the rule. In the example above, the host field in the web_access hook will create an alert if a user has accessed a website that matches the host name defined in the rule.

The following is a list of the fields that each hook contains:

  1. flow – new
    1. src: the source IP of the traffic
    2. dst: the destination IP of the traffic
    3. sport: the source port
    4. dport: the destination port
    5. proto: the IP protocol of the traffic
  2. http – web_access
    1. src: the source IP address of the request
    2. dst: the destination IP address
    3. sport: the source port
    4. dport: the destination port
    5. host: the host name portion of the URI
    6. uri: the URI excluding the host portion
  3. smb – create_file, open_file, delete_file, read_file, write_file, delete_dir
    1. src: source
    2. dst: destination
    3. sport: source port
    4. dport: destination port
    5. name: name of the file/directory
  4. smb – rename_file
    1. src: source
    2. dst: destination
    3. sport: source port
    4. dport: destination port
    5. from: source address
    6. to: destination address
  5. smb – map_share
    1. src: source
    2. dst: destination
    3. sport: source port
    4. dport: destination port
  6. smtp – envelope
    1. src:  source
    2. dst:  destination
    3. sport: source port
    4. dport: destination port
    5. sender: the sender’s email
    6. recipient: the receiver’s email
    7. subject: the subject of the email
  7. smtp – attachment
    1. src: source
    2. dst: destination
    3. sport: source port
    4. dport: destination port
    5. size: size of the file
    6. sender: the sender’s email
    7. recipient: the receiver’s email
    8. filename: the name of the file
    9. type_desc: type of the file

4.2.3.Conditional Operators #

When creating rules, a number of conditional operators can be used instead of the equals operator.
The following is a list of all available operators.

Contains: =~
example: host =~ "web"

Not equal to: != or !~
example: host != "web"

Less than: <
example: dport < 443

Less than or equals: <=
example: dport <= 443

Greater than: >
example: dport > 80

Greater than or equals: >=
example: dport >= 80


4.2.4.Building a Custom Event Rule #

These steps outline how to build a custom event rule:

  1. Select the Module that best suits your requirements from the Module list above.
  2. Enter the Module name into the text area and add a comma after it.
  3. Select the most appropriate Hook that comes with that Module, e.g. web_access.
  4. Select the Field(s) from the list of Fields associated with that Hook.
    String fields such as host and name require that the value is surrounded by double quotes,
    e.g. host="website", while IP addresses and integer values, such as those used for src and dport, do not, for example src=10.1.1.1.
    Several fields can be combined in the same rule to define its criteria. See the examples below.

The following rule fires an alert when a user accesses any URI under cnn.com AND via port 80:
http, web_access host="cnn.com" && dport=80

This rule generates an alert if a URI on either cnn.com OR www.foxnews.com is accessed:
http, web_access host="cnn.com" || host="www.foxnews.com"
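The rule syntax described in the Hooks, Fields, Conditional Operators and Building a Custom Event Rule sections can be checked offline before a rule is saved. The following is an added example written for this page, not LANGuardian's own rule engine: it parses a rule of the form shown above, validates the module, hook and field names (case sensitive, as the manual requires), enforces double-quoted strings versus unquoted IP addresses and integers, and evaluates the rule against a few constructed events. Where the manual is silent it assumes that && binds tighter than ||, that =~ is a substring test, that = is an exact match, and that the rename_file from/to fields are quoted strings; the field lists are taken from the tables above and the sample events are invented.

```python
"""Toy evaluator for LANGuardian-style custom event rules (added example, not the
product's engine).  Assumed: '&&' binds tighter than '||', '=~' is a substring
test and '=' is an exact match; the manual does not say."""
import ipaddress
import re

# Fields accepted by each module/hook, taken from the manual's field list.
_BASE = {"src", "dst", "sport", "dport"}
FIELDS = {
    ("flow", "new"): _BASE | {"proto"},
    ("http", "web_access"): _BASE | {"host", "uri"},
    ("smb", "rename_file"): _BASE | {"from", "to"},
    ("smb", "map_share"): set(_BASE),
    ("smtp", "envelope"): _BASE | {"sender", "recipient", "subject"},
    ("smtp", "attachment"): _BASE | {"size", "sender", "recipient", "filename", "type_desc"},
}
for _hook in ("create_file", "open_file", "delete_file", "read_file", "write_file", "delete_dir"):
    FIELDS[("smb", _hook)] = _BASE | {"name"}
IP_FIELDS = {"src", "dst"}                        # unquoted IP address values
INT_FIELDS = {"sport", "dport", "proto", "size"}  # unquoted integers; all others are quoted strings
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "=~": lambda a, b: str(b) in str(a), "!~": lambda a, b: str(b) not in str(a),
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
# One token per match: logical operator, comparison operator, quoted string, name, or number/IP.
_TOKEN = re.compile(r'\s*(?:(&&|\|\|)|(=~|!~|!=|<=|>=|=|<|>)|"([^"]*)"|([A-Za-z_]\w*)|(\d[\d.]*))')


def _coerce(field, raw):
    """Convert a rule or event value to the comparison type of its field."""
    if field in IP_FIELDS:
        return ipaddress.ip_address(raw)
    return int(raw) if field in INT_FIELDS else str(raw)


def _tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad syntax near {text[pos:pos + 12]!r}")
        pos = m.end()
        for kind, value in zip(("logic", "op", "str", "ident", "num"), m.groups()):
            if value is not None:          # exactly one capture group participated
                tokens.append((kind, value))
    return tokens


def parse_rule(text):
    """Return (module, hook, groups): groups is a list of AND-lists joined by OR."""
    text = text.replace("\u201c", '"').replace("\u201d", '"')  # tolerate curly quotes
    head, sep, body = text.partition(",")
    m = re.match(r"\s*([A-Za-z_]\w*)(.*)", body, re.S)
    module, hook = head.strip(), (m.group(1) if sep and m else "")
    if (module, hook) not in FIELDS:
        raise ValueError(f"unknown module/hook {module!r}, {hook!r} (names are case sensitive)")
    allowed, toks = FIELDS[(module, hook)], _tokenize(m.group(2))
    groups, current, i = [], [], 0
    while True:
        if i + 2 >= len(toks) or toks[i][0] != "ident" or toks[i + 1][0] != "op":
            raise ValueError("expected <field><op><value>")
        field, op, (vkind, raw) = toks[i][1], toks[i + 1][1], toks[i + 2]
        if field not in allowed:
            raise ValueError(f"field {field!r} is not valid for {module}, {hook}")
        if vkind != ("num" if field in IP_FIELDS | INT_FIELDS else "str"):
            raise ValueError(f"{field}: strings need double quotes; IPs and integers are unquoted")
        current.append((field, op, _coerce(field, raw)))
        i += 3
        if i == len(toks):
            return module, hook, groups + [current]
        kind, val = toks[i]
        if kind != "logic":
            raise ValueError("expected && or || between conditions")
        if val == "||":  # '||' closes the current AND-group; '&&' extends it
            groups, current = groups + [current], []
        i += 1


def matches(rule, event):
    """True if the event (dict with 'module', 'hook' and field values) fires the rule."""
    module, hook, groups = rule
    if event.get("module") != module or event.get("hook") != hook:
        return False

    def ok(field, op, value):
        return field in event and OPS[op](_coerce(field, event[field]), value)
    return any(all(ok(*cond) for cond in group) for group in groups)


def fired(rule_text, events):
    """Indices of the events that would raise an alert for rule_text."""
    rule = parse_rule(rule_text)
    return [i for i, ev in enumerate(events) if matches(rule, ev)]


# Constructed sample events (not real LANGuardian data).
SAMPLE_EVENTS = [
    {"module": "http", "hook": "web_access", "src": "10.1.1.5", "dst": "151.101.1.67",
     "sport": 51000, "dport": 80, "host": "cnn.com", "uri": "/politics"},
    {"module": "http", "hook": "web_access", "src": "10.1.1.9", "dst": "23.2.3.4",
     "sport": 51002, "dport": 443, "host": "www.foxnews.com", "uri": "/"},
    {"module": "smb", "hook": "open_file", "src": "10.1.1.9", "dst": "10.1.2.10",
     "sport": 49152, "dport": 445, "name": "finance/payroll.xlsx"},
    {"module": "smtp", "hook": "attachment", "src": "10.1.1.9", "dst": "10.1.2.25", "sport": 49153,
     "dport": 25, "size": 6000000, "sender": "a@example.com", "recipient": "b@example.net",
     "filename": "q3.zip", "type_desc": "zip"},
]
```

Calling `fired('http, web_access host="cnn.com" && dport=80', SAMPLE_EVENTS)` returns the index of the first event only, and the OR rule from the text returns the first two. Because `=` is an exact match in this toy, a rule that should also catch subdomains such as www.cnn.com would use `host=~"cnn.com"`; a rule written as `HTTP, web_access ...`, with an unquoted string value or with a field that does not belong to the hook raises ValueError, which is the same class of mistake the manual's case-sensitivity and quoting notes warn about.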


4.2.5.Configuring an Immediate Alert E-mail #

These steps outline how to configure an immediate email when a custom rule (known in LANGuardian as a user-defined event) is triggered:

  1. Go to https://LANGuardianIP/ids/marked.cgi, where LANGuardianIP is the address of your LANGuardian, and click 'Add New Marked Signature'.
  2. Search for the signature named 'User Defined' and mark its action as 'send email'.

The recipients in the alerts e-mail distribution list will receive the alerts.


5.Packet Capture #

The packet capture feature in LANGuardian has four fields:

  1. Network Interface
  2. Filter
  3. File Name
  4. Max Number of Packets

Network Interface: Selects the interface from which packets are captured.

Filter: Accepts standard tcpdump capture filter syntax. Examples can be found here: http://www.tcpdump.org/tcpdump_man.html. For more detailed filters, see http://www.tcpdump.org/manpages/pcap-filter.7.html

File Name: The name under which the capture file is saved.

Max Number of Packets: The number of packets to capture, up to a maximum of 100,000.

 


6.Updates #

6.1.Manual #

The following steps describe how to update LANGuardian manually.

NOTE: Manual updates are not recommended for all customers. They are typically used by customers whose LANGuardian is installed in an environment without an internet connection.

  1. Access the Settings menu.
  2. Access Updates on the Settings page.
  3. Select More Options to get the Select File option, then select the upgrade package.

If you require a download link please contact support and they will be happy to provide you with the latest update package.


7.Identity Module #

7.1.Active Directory #

To integrate LANGuardian with Active Directory, the following five steps need to be completed:

(1)  Create an AD account which LANGuardian will use to log on to the domain
(2)  Assign WMI permissions to this user
(3)  Add the user to the Performance Log Users and Event Log Readers groups
(4)  Check access rights using the wbemtest application
(5)  Configure AD integration on LANGuardian

1. Create a standard user logon for LANGuardian

An existing account for AD integration can be used but for the purposes of this guide a new account will be created called LANGuardian.
This account does not need to be an administrator or in the domain admins group but it does need extra permissions which are described below.

We recommend that the account is set with a password which does not expire as there is no facility within the LANGuardian GUI to set AD passwords.

2. Assign WMI permissions

Log on to each domain controller and grant the following WMI permissions to the new user.

Click Start > Run and type wmimgmt.msc. In the WMI Management window, right-click WMI Control and select Properties.
On the Security tab, select CIMV2 and click the Security button in the bottom right corner.

Add the LANGuardian AD account and verify that Enable Account, Remote Enable and Read Security are set to Allow; if not, enable those permissions and apply your settings.

[Screenshot: wmimgmt.msc security settings for the CIMV2 namespace]

3. Add user to Performance Log Users and Event Log Readers groups

Use the Active Directory Users and Computers application to add the LANGuardian AD account to the Performance Log Users and Event Log Readers groups.

[Screenshot: Active Directory group membership for the LANGuardian account]

 

4. Check configuration and permission using the wbemtest application

Test the WMI configuration and permissions using the native Windows tool wbemtest from your desktop:

(1) Click Run and type wbemtest on a Windows 7 or 10 system
(2) Click Connect and type \\x.x.x.x\root\cimv2 into the Namespace field, where x.x.x.x is the IP address of a domain controller
(3) Enter the LANGuardian AD account and password and click Connect
(4) If the account has permission to connect via WMI, you should not see any error messages

If the steps above fail, add the LANGuardian user account to the domain group Performance Log Users and run the test again.
If this still fails, try the test using the Administrator account to determine whether the server is blocking all remote WMI connections.

Optionally, click Query and type SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = '4624'.
This query verifies that the account can run a query and see the user logon events (Event ID 4624).
If you do not get any data back from the query, you may not be auditing user logon events, or the LANGuardian AD account is not in the Event Log Readers group.

[Screenshot: wbemtest connection and query results]

5. Configure AD integration on LANGuardian

Log on to the LANGuardian GUI, click the gear symbol at the top left, and then go to Settings \ Identity \ Active Directory.
Click Add Domain and enter the IP address of one domain controller together with the LANGuardian AD account.

 
