This shows you the differences between two versions of the page.
tips:paloalto [2019/11/01 12:13] veera [New Counter Groups : User-ID and App-ID]
tips:paloalto [2019/11/01 12:55] (current) veera [NAT issues]
| Line 33: | Line 33: | ||
| The retro analysis screen looks like below. | The retro analysis screen looks like below. | ||
| + | {{:tips:retro.png?600|}} | ||
| + | The Retro Analysis tools show you the Top-N, Bottom-N, Topper Trend over time, and Pie chart views. The following chart shows you toppers over time. | ||
| + | {{:tips:retro2.png?600|}} | ||
| - | NAT issues | + | ==== NAT issues ==== |
| + | |||
| + | The default behaviour is to show the Internal and External IP addresses. The NAT is hidden from Trisul , if you wish to see the NAT'd firewall address set the following parameter to FALSE in the [[https://www.trisul.org/docs/ref/netflow-config.html|Netflow configuration file]] | ||
| + | |||
| + | <code> | ||
| + | <UsePostNATAddresses>False</UsePostNATAddresses> | ||
| + | |||
| + | </code> | ||
| + | |||
| + | |||
| + | ==== Query by user-id and app-id ==== | ||
| + | |||
| + | The next step is to create a [[https://www.trisul.org/docs/ug/tools/flow_tagger.html|flow tagger]] that adds the User-ID and App-ID to every flow stored in Trisul. | ||
| + | |||
| + | Login as admin, then go to profile0 > Flow Taggers > Create a new Flow Tagger. Then create an AUTO:userid flow tagger (see docs) to add the User-ID counter group keys to the flow. Use a Tagger Group of ''user'' as shown below | ||
| + | |||
| + | {{:tips:flow-tag-create.png?400|}} | ||
| + | |||
| + | Do the same for App-ID. Now restart Trisul. From this point every flow will be tagged by the User-ID and App-ID. | ||
| + | |||
| + | === Query flows === | ||
| + | |||
| + | |||
| + | //From Tools > Explore Flows// | ||
| + | Use the syntax ''tag=[user]red\mike'' to query for flows from user ''red\mike'' | ||
| + | or ''tag=[app]whatsapp-base'' to query whatsapp flows. | ||
| + | |||
| + | You can see the flow tags. | ||
| + | {{:tips:flowtag1.png?400|}} | ||
| + | |||
| + | |||
| + | |||
| + | === Aggregate flows === | ||
| + | |||
| + | //From Tools > Aggregate Flows// | ||
| + | Use ''tag=[user]red\mike'' to aggregate for flows from user ''red\mike'' | ||
| + | |||
| + | This shows top IPs, top Applications, and other aggregated information for the user. A complete picture. | ||
| + | |||
| + | A sample is shown below. | ||
| + | |||
| + | {{:tips:aggflows1.png?400|}} | ||
| + | |||
| + | ==== Conclusion ==== | ||
| + | |||
| + | User-ID and App-ID attributes open up very powerful possibilities for visibility and investigation. Using the flexible tools offered by the Trisul platform you can customize in a variety of ways. Other tools you can use are "Filtered Counter Groups" if you want to zoom in on a particular user or app, "Cross keys" to monitor User App dataflows, "Flow Trackers" to zoom in on top flows from a particular user, etc. The scripting API also offers unlimited ways to craft your own tooling. | ||
| - | Create flow tags | ||
| - | Query by user-id and app-id | ||
| - | Aggregate flows | ||
| - | Crosskeys | ||
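Review bot: The NAT paragraph and its config snippet appear inverted relative to each other: the text says the default hides the NAT and that setting the parameter to FALSE reveals the NAT'd firewall address, yet ''<UsePostNATAddresses>False</UsePostNATAddresses>'' reads as selecting the pre-NAT (internal) addresses, which is what the text describes as the default. Please confirm against the linked Netflow configuration page which value exposes the post-NAT address, and state the default value explicitly so readers know whether they actually need to change it. Also, the App-ID tagger is only described as "Do the same for App-ID", but the query examples depend on an ''[app]'' tag group; name the tagger type and Tagger Group (''app'') that must be created so the ''tag=[app]whatsapp-base'' query resolves. Finally, "Crosskeys" from the removed outline is now only mentioned in the Conclusion; either add a short section for it or drop it from the outline intentionally.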