Honestly, at this time I'm not too sure at what threshold I'd want an alert...
I have previously asked to get the flow count included in the MIBs so I could graph it and establish a base line without running reports and/or checking the box everyday. If it was available via SNMP I could then tie it into our centralized management system and alert that way.
Here we tend not to touch each device with alert capabilities because every vendor has a different UI and config, so it gets a little crazy at times; I'd rather poll, graph, check the delta from the last poll, and decide from there whether to alert or not.
Currently, yes, the Exinda is outside our firewall, but that was done on purpose so we could physically "break" two ISP links with separate bandwidth limits and shape based on bridge rather than the aggregate of both. I understand the Exinda is not built to thwart DoS attacks and we were bitten twice, but that's our fault. That being said, ISP topology has changed and we will be moving the box behind our firewall as recommended, but the flows based on outside source would help with troubleshooting, which I use the Exinda for all the time.
I wanted to provide you all with a better explanation of how the Active Directory integration works with Exinda. Exinda only sees IP addresses; in order to report users, the appliance needs an external source of information that helps it map the IPs seen to the AD usernames they belong to. This is why the AD Connector application must be installed on each of the Domain Controllers.
1.- Where can I find the database for what usernames have been mapped to what IPs so far?
In the Exinda WebUI, go to Configuration: Objects-->Users&Groups. You are going to see an alphabetical breakdown of all the Users in the active directory and, if they have been mapped to an IP, you will see the IP (or IPs) next to them. If you don't see any Users mapped to any IPs, then go to your Domain Controller or Domain Controllers and filter the event viewer looking for the following Event IDs: 4624 for Windows Server 2008/2012 and 528/540 for Windows Server 2003. In your DC, click on Start-->Administrative Tools-->Event Viewer and then browse to Windows Logs-->Security Logs-->Filter by Event IDs. If you do not see any events filtered, then this is why the Exinda has not been mapping any users to any IPs. In that case follow the following Exinda Support post:
If you do see the logs, then ensure that the AD Connector was configured with the right password for the Exinda (or Exindas), it must be the same password you use to log into the box with the user "admin".
2.- There is a misunderstanding as to why there can be more than one IP attached to a single user:
Exinda software integrates with AD by grabbing the information depicted in the Logon Events (4624 for Windows 2008/2012 and 528/540 for Windows 2003). This being said, the software was designed to not make any decisions of its own with regard to which IP belongs to which username; instead the Exinda only listens to what the Domain Controller has to say. If a user at IP (A) logs into the domain, that logon event should have produced a respective log, and that is what the Exinda grabs from the Domain Controller. When the Exinda sees a new 4624 event from the Domain Controller (or 528 and 540 for Windows 2003) it inspects which username logged in with which IP, then the Exinda adds that IP to the respective username, but it does not delete the previous records. Exinda will only delete a previous record if and when that old IP is used to log in by another username, in which case Exinda's software removes the old IP from the old username and adds it to the new one. This takes me to the next bullet point:
3.- One or some IPs should no longer belong to that user, exinda should’ve removed it already and added it to another user that is currently using it/them
Once again, Exinda is designed to comply with the Logon Events coming from the domain controller. If it is believed that an IP/Username mapping is wrong, I would please ask you to follow the following verification procedure:
a.- Take note of that IP
b.- Go to the Domain Controller or Domain Controllers where the AD Connector is installed and go to the Event Viewer by clicking on Start-->Administrative Tools-->Event Viewer.
c.- Here, your goal is to find out which user was the last to log in with that IP; this is what the Exinda must have mapped by now. These logs are located under Windows Logs-->Security, but there are too many to find the right one. We can create a custom view for only the specific ones we want.
d.- Right click on "Custom Views" and click on “Create Custom View”:
e.- A window will come up, you will need to click on the XML tab, and accept the "Edit" option (A warning about not being able to edit this script will show up, just agree with it).
f.- Use the following script and change the IP after “DATA” to search the IP you wrote down on step ‘a’:
This script is telling the event viewer: Filter every Security log that is related to the IP 10.10.10.10. After you accept you will just have to put a name and description on the Custom Query.
g.- You should expect to see some logs with event ID 4624 (or 528/540 for Windows Server 2003). The latest log will tell you the last username that logged in with the respective IP (or at least the last username that logged into AD for which the DC is reporting it). If this username is not what the Exinda is showing, please communicate this to Support so we can have a look at it. If the last username/IP mapping matches what the Exinda is reporting, then the DC is not auditing the events correctly, which is why the Exinda cannot report as expected. This could occur for many reasons; one of them could be that the user is logging in to another Domain Controller on which the AD Connector has not been installed yet, in which case I would recommend installing the AD Connector on all the Domain Controllers. Another possible reason is that some of the logging tasks are being taken care of by a third-party product that unfortunately does not make the DC generate a respective security log, or the security log generated does not contain the appropriate information. In this case, the Exinda AD Connector cannot work as desired, as this is not a supported scenario; I would recommend speaking to the third-party vendor.
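As an added illustration of the mapping rule described in bullet 2 (not Exinda's code), the following script replays constructed 4624 events, in the XML layout the Event Viewer shows on its XML tab, and reproduces "last user to log in from an IP owns it; older IPs stay with a user until someone else logs in from them". It assumes the Windows 2008/2012 field names TargetUserName and IpAddress; 528/540 events on Windows 2003 carry their data as unnamed strings and are matched here by ID only.

```python
import xml.etree.ElementTree as ET

# Constructed sample: four Security-log events trimmed to the fields that matter.
# The third is a console logon (LogonType 2) and carries no usable source IP.
SAMPLE_EVENTS = """
<Events>
  <Event><System><EventID>4624</EventID><TimeCreated SystemTime="2014-03-01T08:00:00Z"/></System>
    <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data>
      <Data Name="IpAddress">10.10.10.10</Data></EventData></Event>
  <Event><System><EventID>4624</EventID><TimeCreated SystemTime="2014-03-01T08:05:00Z"/></System>
    <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data>
      <Data Name="IpAddress">10.10.10.11</Data></EventData></Event>
  <Event><System><EventID>4624</EventID><TimeCreated SystemTime="2014-03-01T08:30:00Z"/></System>
    <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data>
      <Data Name="IpAddress">-</Data></EventData></Event>
  <Event><System><EventID>4672</EventID></System></Event>
  <Event><System><EventID>4624</EventID><TimeCreated SystemTime="2014-03-01T09:00:00Z"/></System>
    <EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">3</Data>
      <Data Name="IpAddress">10.10.10.10</Data></EventData></Event>
</Events>
"""

LOGON_EVENT_IDS = {"4624", "528", "540"}   # IDs named in the explanation above


def parse_logons(xml_text):
    """Yield (time, user, ip) for each logon event that carries a source IP, in log order."""
    for ev in ET.fromstring(xml_text.strip()).iter("Event"):
        if ev.findtext("System/EventID") not in LOGON_EVENT_IDS:
            continue
        fields = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        ip = fields.get("IpAddress", "")
        if ip in ("", "-", "::1", "127.0.0.1"):   # local/console logons: nothing to map
            continue
        yield ev.find("System/TimeCreated").get("SystemTime"), fields["TargetUserName"], ip


def build_mapping(xml_text):
    """Replay the rule: an IP is added to whoever logs in from it, and is only removed
    from a user when a *different* user logs in from that same IP."""
    user_ips = {}   # user -> set of IPs currently attributed to that user
    ip_owner = {}   # ip -> user who last logged in from it
    for _, user, ip in parse_logons(xml_text):
        previous = ip_owner.get(ip)
        if previous and previous != user:
            user_ips[previous].discard(ip)
        user_ips.setdefault(user, set()).add(ip)
        ip_owner[ip] = user
    return user_ips, ip_owner
```

Feed it an export of the custom view from step f (File > Save All Events in Custom View As..., XML) to reproduce what the appliance should be showing for that IP.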
[Stencil diagram labels: Exinda Mobile Server, Exinda Mobile Manager, Exinda ESP partition, VMware ESX]
The stencil(s) are at the following link:
Gordon McCague | Director of Customer Support | firstname.lastname@example.org | Exinda Inc.
1.226.336.9803 (O) | 1.519.721.6957 (M) | skype: gmccague
ro root=/dev/vda6 crashkernel=128M img_id=2 quiet loglevel=4 panic=10 console=tty0 console=ttyS0,115200
1.- Append the word "single" like this: ro root=/dev/vda6 crashkernel=128M img_id=2 quiet loglevel=4 panic=10 console=tty0 console=ttyS0,115200 single
2.- Remove the 'quiet' - that tells it to log very little. If something is going wrong it is useful to see all the messages.
3.- Change the 'loglevel=4' to 'loglevel=7'. That changes the messages that are shown from ERR and above to INFO and above. It may show something else of use.
4.- If using the VGA console and a keyboard, remove the 'console=ttyS0,9600' - that'll stop it talking out the serial port.
5.- If using the serial port, remove the 'console=tty0' - that will stop it talking to the VGA output/local keyboard.
A new policy action has been added. By selecting the new policy action of HTML Response, the source computer will be given an HTML response specified in the policy. This is useful when coupled with Adaptive Response. When a user has exceeded their usage, they are put into a specified network object. All users in that network object can be directed to a new policy with the HTML Response policy action, so that when they try to visit an HTTP site they are given back a custom HTML page explaining that they have exceeded their quota. You can find this new feature documented in the online help on the policy documentation page. You can also find some sample use cases in the online documentation.
A new policy action has been added. By selecting the new policy action of HTTP Redirect, any HTTP traffic from a source computer will be responded to with a redirection to the specified URL. This is useful for implementing a captive portal solution when combined with the AD user integration API. You can find this new feature documented in the online help on the policy documentation page. You can also find some sample use cases in the online documentation.
The Adaptive Response feature has been extended to allow quotas based on time. Adaptive Response objects could previously be defined only in terms of the volume of data a user consumes. With this version, the quota can be defined in terms of data volume, elapsed time, or both data volume and time consumed, whichever is reached first. Time is tracked in increments of 5 minutes and starts counting down from the first flow for the defined user. The online documentation for defining Adaptive Response objects has been updated.
The Application Object definition has been extended to include DSCP marks. This allows you to define an Application object based on a single DSCP mark, multiple DSCP marks or a range of DSCP marks. In previous versions of the firmware, DSCP marks could be used as part of the policy definition independently of the Application definition. This allowed QoS based on DSCP marks; however, reporting based on DSCP marks was not as complete and robust as that of applications. By defining an Application object based on DSCP marks, all application reporting can be used to track traffic with particular DSCP marks. You can read about how to define applications with DSCP marks in the online help page for application definition.
The context sensitive help has been removed from the appliance and is now hosted on docs.exinda.com. All the context sensitive help links have been updated to point to docs.exinda.com. This has reduced the size of the firmware download. A consequence of this is that the computer accessing the Web UI and the help must have internet access. The documentation can be found here.
The Exinda appliance provides solutions to specific problems that the network manager or application manager has. Each solution describes what problem is being solved and how it is solved, often with a short video of how to use it or an image of what the screen or solution will look like. Solutions in the Solution Center:
- Application Performance
  - Salesforce.com Performance - Tracks the application performance score, inbound and outbound bandwidth, top users, and top hosts for salesforce.com.
  - Office 365 Performance - Tracks the application performance score, inbound and outbound bandwidth, top users, and top hosts for Office 365.
  - Adobe Creative Cloud Performance - Tracks the application performance score, inbound and outbound bandwidth, top users, and top hosts for Adobe Creative Cloud.
  - Application Performance for My App - Tracks the application performance score, inbound and outbound bandwidth, top users, and top hosts for any application the user chooses. Multiple application performance solutions can be created by requesting the solution repeatedly with different applications. Custom-defined applications can also be tracked.
  - VoIP Performance - Tracks the users' experience of VoIP calls by showing the number of good, tolerable, and bad calls as well as attributes of the worst calls (such as delay, jitter, loss, MOS, rFactor). Note that the VoIP Performance monitor is a repackaging of the VoIP monitor from previous versions of the Exinda appliance.
- Network Governance
  - RIAA Notice Prevention - Provides instructions on how to configure the Exinda appliance to combat the unauthorized distribution of copyrighted materials and so prevent RIAA / MPAA notices.
  - Recreational Traffic - Tracks the amount of network traffic due to different recreational traffic categories. Note that the Recreational Traffic Usage monitor is a repackaging of the Recreational Traffic chart on the dashboard of previous versions of the Exinda appliance.
- Project Readiness
  - Data Center Continuity - Provides instructions on how to create and apply different appliance configuration sets, so that in an emergency users don't have to tweak policies, read help manuals, and try to figure out how they would like to control the network.
- WAN Planning
  - Bandwidth Usage Summary - Provides instructions on where to find an interface chart that shows inbound and outbound throughput of the appliance.
  - Bandwidth Usage - Top Apps - Provides instructions on where to find bandwidth usage for your top apps, as well as how to configure it so that the chart reflects the total throughput through your appliance.
The appliance analyzes the traffic and notices patterns or situations for which Exinda would recommend a course of action, such as:
- If an application enters the daily top 10 applications and has not been in the top 10 in the previous week, Exinda recommends either controlling or protecting the application, depending on whether it is a business-critical application.
- If traffic is not caught by your configured circuits and virtual circuits, Exinda recommends investigating by looking at the Virtual Circuits monitor or Real Time monitor, then redefining your virtual circuits to capture all of the circuit data.
The recommendation engine proactively finds issues in the network and helps tune the network to improve the network's performance and the network users' experience.
The following data types are represented as time series charts. They also report the entire data through the appliance, not just the top values.
- Virtual Circuits
- Applications for a subnet
- Applications for a virtual circuit
The time series representation allows users to see traffic patterns, such as when these traffic types are spiking. The completeness of the data allows users to see the entire data for these data types, not just the top values for these charts.
Description: Bridge may be connected incorrectly. More 'internal' IPs have been detected on the WAN side of the bridge than on the LAN side. This can occur if the WAN and LAN connections are reversed, where the WAN port connects to your LAN and your LAN port connects to your WAN. It can also occur if you have external network objects defined as internal, or vice versa. Note: The bridge direction check is only enabled for a limited time after boot. If you are sure that the WAN and LAN connections are correct, you can ignore this alert.
configuration text generate active saved save <anyname>.txt upload tftp://<server>/<path>/<destination file name>.txt
configuration text generate active saved save Exindaconf.txt upload tftp://10.2.6.231/SavedConfig.txt
Simply type the commands into the "Commands" section of the Scheduled Jobs tab and they run on a scheduled basis.