manualshive.com logo in svg

Andrisoft Wanguard 5.2, User And Administrator Manual

Discover the power of Andrisoft Wanguard 5.2 with our comprehensive User and Administrator Manuals. Download it for free from our website and unlock the full potential of this cutting-edge network security solution. Ensure seamless operation and maximize security with our easy-to-follow manual.

Share
Download
background image

WANGUARD 5.2 User Manual & Administrator's Guide

IP Zone Configuration

IP Zones

 are hierarchical, tree-like structures that must include your IP address ranges and important IPs. 

Add an IP Zone by going to Confguraton » Network & Policy » Add IP Zone. Sensors use IP Zones to learn about 

your network and to extract per-subnet setngs. An IP Zone may be used by multple Sensors, but a Sensor can only 

use one IP Zone.

To change the name of an IP Zone you must frst open the IP Zone Confguraton window, provide a new 

descripton and then press <<Change Name>>.
 

To copy the selected IP Zone you must click the <<Duplicate>> buton. A new IP Zone will be created and it 

will have the same informaton and the same descripton with the word “(copy)” atached. In some cases when you 

have multple Sensor systems, you may have to create multple IP Zones that share the same prefxes. Instead of 

recreatng the same IP classes for each new IP Zone you can duplicate an existng IP Zone and modify only few 

parameters.

To delete an IP Zone you must frst open the IP Zone Confguraton window, press <<Delete>> buton and 

then confrm the deleton.

The IP Zone Confguraton window is divided in two vertcal sectons. In the upper side of the lef secton 

there are butons to manage Prefxes (IP address ranges or individual IPs). When adding a new Prefx, the tree below 

is automatcally updated. The right secton contains panels with user-provided setngs for the selected Prefx.

WANGUARD understands IPs and IP classes entered in the CIDR notaton. To enter individual hosts in IP 

Zones you must use the /32 CIDR for IPv4 and /128 for IPv6. For more about CIDR notaton you can consult the 

Appendix 1 – Network Basics You Should Be Aware Of on page 60.

Every IP Zone contains at least the 0.0.0.0/0 network. Because it has the /0 CIDR it contains all IP addresses 

available for both IPv4 and IPv6. To ease the confguraton, every new Prefx that you defne, inherits by default the 

propertes of the closest (having the biggest CIDR) IP class that includes it.

The 

IP Setngs

 panel on the right secton contains the following confgurable parameters:

IP Group

 combo box should contain a short descripton for the selected Prefx. Setng the same IP 

Group for more than one subnet will allow you to easily generate combined Reports.

IP Graphs

. If set to “Yes”, then the Console will collect graphs data for every IP contained in the selected 

IP class.

IP Accountng

. If set to “Yes”, then the Console will save daily accountng data for every IP contained in 

the selected IP class.

Enabling IP Graphs and IP Accountng for very large Prefxes (e.g. 0.0.0.0/0) is probably going to generate 

useless data and overload the system.

The 

Comments

 panel allows you to write a comment for the selected Prefx. It's not visible elsewhere.

- 40 -

Summary of Contents for Wanguard 5.2

Page 1: ......

Page 2: ...ment ANDRISOFT S R L 2013 All rights reserved All rights reserved This document is copyrighted and all rights are reserved by ANDRISOFT S R L No part of this document may be reproduced or transmited i...

Page 3: ...s Tools Reports Anomalies Tools 7 7 Anomalies 7 Actve Anomalies 7 Anomalies Archive 9 Anomalies Overview 9 BGP Prefxes 9 BGP Operatons 9 BGP Logs 10 Flow Collector 10 List Flows 10 Flows Tops 11 Auton...

Page 4: ...necton Confguraton BGP Connecton Confguraton 51 51 17 17 Filter Confguraton Filter Confguraton 53 53 18 18 Scheduled Reports Scheduled Reports 57 57 19 19 Events Reportng Events Reportng 58 58 20 20 U...

Page 5: ...fxes in BGP null routng send SNMP traps etc DETAILED ATTACK INFORMATION View atack details with atackers and packet samples Atack reports can be emailed automatcally to you or to your customers TRAFFI...

Page 6: ...o efectvely monitor and protect their network through a single integrated package The components have been built from the ground up to be high performing reliable and secure WANGUARD relies on the Sni...

Page 7: ...n sessions Panels are refreshed automatcally every 5 to 10 seconds The Reports secton ttle bar contains a Quick Search functonality buton Shortcut Ctrl S Central Region home of tabbed Reports and Dash...

Page 8: ...of the anomaly Click it to open a detailed Anomaly Report Prefx The IP address or IP class of the trafc anomaly and the reverse DNS In the front of the Prefx the graphic arrow indicates the directon...

Page 9: ...bits from the total trafc during the anomaly Overall Trafc The percent between the anomaly trafc and the overall trafc Threshold The threshold s value IP Zone The IP Zone of the Sensor Click it to op...

Page 10: ...afc anomalies sorted by tme in descending order By clicking the down arrow on any column header you can apply flters change sortng directon and hide or show columns The sign from the frst column expan...

Page 11: ...e Acton feld is visible only for Administrator or Operator roles BGP Logs BGP Logs shows all BGP announcements sent by WANGUARD sorted by tme in descending order By clicking the down arrow on any colu...

Page 12: ...ump opton to view the CLI command used to generate the data You can execute the command locally forward the output to a fle etc Aggregaton By default the fows are not aggregated By clicking on the che...

Page 13: ...fows are not aggregated By clicking on the checkboxes you can select how you want to have your fows aggregated You may also aggregate entre subnets when selectng srcIPv4 subnet bits Limit Limit the ou...

Page 14: ...ed trafc data is generated for all Flow Sensors Stack ASNs If you entered multple AS Numbers then you can sum all of them in a single AS graph Useful with ISPs and AS owners that have more than 1 allo...

Page 15: ...ton it will name the fles with enough leading 0s to support the maximum number of fles allowing them to sort correctly Time Rotaton s If specifed it rotates the fle every number seconds Sampling Type...

Page 16: ...size of the latest dump fle Packets The number of packets captured Actons Click the frst icon to view the latest dump fle in a Wireshark like web interface Click the second icon to download the lates...

Page 17: ...nd To collapse a widget click the frst icon on the widget ttle bar To edit a widget click the second icon from it s ttle bar To delete a widget click the third icon from it s ttle bar Along with speci...

Page 18: ...ng format Status If the Console is functoning properly a green checked arrow is displayed If there s a red cross instead re start the WANsupervisor daemon from the Console server Online Users The numb...

Page 19: ...pen a new tab with data specifc to the Sensor Administrators and Operators can right click it to open the Sensor s confguraton IPs The number of IP addresses that sent or received trafc Only your netw...

Page 20: ...ton and outbound usage percent Flows s The rate of fows per second received by the Flow Sensor Flows Delay Because trafc data must be aggregated frst fow devices export fows with a confgured delay Som...

Page 21: ...Load The load of the operatng system for the last 5 minutes Peak CPU The maximum CPU percent used by the Filter process RAM The amount of memory used by the Filter process Start Time The date when the...

Page 22: ...ow Sensors it represents the rate of received fows before validaton Dropped frames For Snifng Sensors it represents the number of packets dropped in the capturing process When the number is high it in...

Page 23: ...enter your own text that will be rendered as a ttle Graph Legend Select the details of the graph s legend Consolidaton If you are interested in spikes select the MAXIMUM aggregaton type If you are int...

Page 24: ...top generaton The number of top items and decoders can be modifed in the Storage Graphs Confguraton see page 32 Generatng tops for many Sensors and large tme frames may take minutes It may require th...

Page 25: ...WANGUARD 5 2 User Manual Administrator s Guide Anomalies Overview Here you can view trends and summarizatons of atacks detected by Sensor s for the selected tme frame and decoders 24...

Page 26: ...Groups opens the same type of tab that contains few sub tabs on the botom side All sub tabs use the following common toolbar felds Sensors Select the Sensors you re interested in or All to select all...

Page 27: ...s HTTP and HTTPS the graph will display stacked decoders to show the most specifc ones This generates both accurate and intuitve trafc graphs In the example TOTAL will show as TOTAL OTHER and TCP as T...

Page 28: ...s available only if there is at least one confgured Flow Sensor Flows Tops You can process and flter the fow data to generate tops for the IP class host or IP Group The optons are documented on page 1...

Page 29: ...n Debian Linux 6 0 free community supported distributon Ubuntu 12 x Other distributons may work but haven t been tested yet The WANGUARD architecture is completely scalable By installing the sofware o...

Page 30: ...Fast Ethernet for management 1 x 10 GbE Cards with 82599 chipset 1 x Fast Ethernet for management Operatng System RHEL 5 CentOS 5 RHEL CentOS 6 Debian 6 Ubuntu Server 12 OpenSUSE 12 RHEL 5 CentOS 5 RH...

Page 31: ...ntextual Help you must install Adobe PDF Reader Software Installation Download Sofware installaton instructons are listed and updated on the Andrisof website for RedHat based SuSE based and Debian bas...

Page 32: ...ents review decoders and graphs parameters page 32 Setup the anomalies detecton parameters and decoders page 33 Confgure the reacton to trafc anomalies page 34 Add your IP address ranges and important...

Page 33: ...ached rrdcached sock and you must confgure it frst The frst accuracy parameter or Archive default is 5 minutes specifes the granularity of the graphs for recent data It can be set as high as 5 seconds...

Page 34: ...decoders for the trafc for which you will apply thresholds Decoders determine the underlying protocols of each packet or fow Profle Anomalies Are detected through a behavioral recogniton approach The...

Page 35: ...u to see what IP classes are confgured to use the Response All Actons have their specifc felds together with the following common felds Actve selects if the Acton is enabled or disabled Priority selec...

Page 36: ...nsor fow for the Flow Sensor or virtual for the Virtual Sensor 9 Sensor ID Number sensor_id The unique ID of the Sensor 10 Flow Exporter IP String router_ip The Flow exporter s IP Empty when using the...

Page 37: ...less than expected thresholds 10 Unit pkts s bits s String unit It s pkts s for packets per second anomalies or bits s for bits per second anomalies 11 Threshold Value Number rule_value It s the thres...

Page 38: ...the IP or Subnet for all trafc 4 Latest TOTAL Bits s Number latest_total_bps The latest bits s throughput of the IP or Subnet for all trafc 5 TOTAL Packets Number sum_total_pkts The sum of packets of...

Page 39: ...cker dest destnaton port of the victm proto the IP Protocol feld len the size of the packets tl the TimeToLive feld others 3 Filter Value String filter_value The atack patern s value String filter_ip_...

Page 40: ...k patern s trafc String filter_log_100 The frst 100 packets of the atack patern s trafc String filter_log_500 The frst 500 packets of the atack patern s trafc String filter_log_1000 The frst 1000 pack...

Page 41: ...l IPs When adding a new Prefx the tree below is automatcally updated The right secton contains panels with user provided setngs for the selected Prefx WANGUARD understands IPs and IP classes entered i...

Page 42: ...per second so select pkts s to detect them For bandwidth related anomalies select bits s Response Select a previously defned Response or select None if you re not interested in reactng to the anomaly...

Page 43: ...the trafc analysis Packet snifng provides extremely fast and accurate trafc analysis and accountng results The downside is that it needs fast CPUs and good NICs Flow Sensor for NetFlow v5 v7 v9 jFlow...

Page 44: ...5400S series Brocade BigIron series FastIron series IronPoint series NetIron series SecureIron series ServerIron series Barracuda Barracuda NG Firewall Comtec Systems Rex 16Gi 24Gi 24Gi Combo Dell For...

Page 45: ...the Console to group multple interfaces by locaton roles etc Graph Color The color used in graphs for this Sensor The default color is a random one but you can change it To change the color you can e...

Page 46: ...ream MAC MAC validaton is actve and the MAC Address belongs to the downstream router The MAC Address must be writen using the Linux conventon six groups of two hexadecimal values separated by colons B...

Page 47: ...WANGUARD 5 2 User Manual Administrator s Guide like tcpdump The syntax is tcpdump i interface_usually_eth1 n c 100 If the IP Validaton is not disabled then the IP Zone must contain all your subnets 46...

Page 48: ...uter switch probe etc Usually the Loopback0 address of the router Each server running the Flow Sensor must have its system tme synchronized with the fow exporter Sampling 1 N Must contain the sampling...

Page 49: ...subnet setngs For more informaton about IP Zones please consult IP Zones Setup chapter on page 40 IP Validaton This opton can be used to distnguish the directon of the trafc or to skip unwanted fows...

Page 50: ...inutes please check the following You have correctly confgured the fow exporter to send fows to the server for each of the confgured interfaces The server is receiving the fow packets on the confgured...

Page 51: ...olor used in graphs for this Virtual Sensor The default color is a random one but you can change it To change the color you can enter the color as a HTML Color Code or you can manually select the colo...

Page 52: ...fer you have previously installed and confgured the bgpd daemon included in the quagga htp www quagga net package Some bgpd confguraton steps can be found on Appendix 3 Confguring Trafc Diversion at p...

Page 53: ...ng BGP prefxes that have the IPv4 CIDR mask less than the confgured value For example a value of 32 rejects all prefxes that are not hosts Reject IPv6 under You can restrict sending BGP prefxes that h...

Page 54: ...Interface Group Optonal descripton used within the Console to group multple interfaces by locaton roles etc Graph Color The color used in graphs for the Filter The default color is a random one but y...

Page 55: ...ters atack paterns If an atack patern is not whitelisted then the whole trafc matched by the atack patern is dropped The rest of the trafc is forwarded through the Outbound Interface Filter the atack...

Page 56: ...nable if you have PF_RING installed on the server PF_RING provides high speed packet analysis Trafc Diversion The Trafc Diversion feld provides a selecton of currently defned BGP Connectons that may b...

Page 57: ...what type of trafc the rule will match ANY TCP UDP ICMP Parameter Which trafc parameter should be compared IP Address Source Port Destnaton Port Packet Length IP Packet TimeToLive IP Protocol Type Op...

Page 58: ...y generate Reports and send them by email to you or to your customers at preconfgured intervals of tme You can include more than one email address in the Email To feld separated by comma The emails ar...

Page 59: ...flter Events Event s severity indicates the importance of the event MELTDOWN Meltdown events are generated when a very serious error is detected such as a hardware error CRITICAL Critcal events are g...

Page 60: ...n press Modify User The Full Name Company Positon Email Phone and Comments felds are optonal The Landing Tab list contains the tabs that can be opened immediately afer logging in The list is dynamic a...

Page 61: ...dress and which part belongs to the node address see IP address Classes further on The locaton of the boundary between the network and host portons of an IP address is determined through the use of a...

Page 62: ...eir frst two bits set to 1 and their third bit set to 0 Since Class C addresses have a 24 bit network mask this leaves 21 bits for the network porton of the address allowing for a maximum of 2 097 152...

Page 63: ...000 16 256 C 1 B 65536 255 255 000 000 15 512 C 2 B 131072 255 254 000 000 14 1024 C 4 B 262144 255 252 000 000 13 2048 C 8 B 524288 255 248 000 000 12 4096 C 16 B 1048576 255 240 000 000 11 8192 C 32...

Page 64: ...he flow For example interface FastEthernet0 ip route cache flow interface Serial2 1 ip route cache flow It is necessary to enable NetFlow on all interfaces through which trafc you are interested in wi...

Page 65: ...nfgured listening port UDP port 2000 is used only as an example switch enable set mls nde version 5 The following command is required to set up fow mask to full fows switch enable set mls flow full Th...

Page 66: ...r Engine 2 or 720 running IOS version 12 1 13 E or higher issue the following commands instead switch config mls flow ip interface full switch config mls nde interface Configuring NDE on a 4000 Series...

Page 67: ...WANGUARD 5 2 User Manual Administrator s Guide accept forwarding options sampling input family inet rate 100 output cflowd 192 168 1 100 port 2000 version 5 66...

Page 68: ...t matching prefx also known as the most specifc Afer establishing a BGP session with the router Filter sends a routng update where the Filter system is listed as the best path for the atacked destnato...

Page 69: ...Confgure the bgpd not to send routng informaton and to drop incoming BGP routng informaton Set the bgpd BGP community atribute values to no export and no advertse A match in the community atributes en...

Page 70: ...er The following example describes the distribute list method You can use the prefx list or route map fltering method types as long as the routng informaton is not sent to bgpd localhost config router...

Page 71: ...onfig router neighbor WANGUARD Filter IP address soft reconfiguration inbound r7500 config router neighbor WANGUARD Filter IP address distribute list routesToWANGUARDFilter out r7500 config router nei...

Page 72: ...ording to the routng table on the divert from router before trafc diversion is actvated Static Routing Layer 2 Forwarding Method In a Layer 2 topology the Filter system divert from router and next hop...

Page 73: ...method is the default gateway on the Filter system so that it points to the inject to next hop router Configuring GRE IP over IP Tunneling Layer 3 Forwarding Method In the tunnel diversion method you...

Reviews:

No comments

Related manuals for Wanguard 5.2

Cigent Technology RECON SENTINEL User Manual preview
RECON SENTINEL
Brand: Cigent Technology Pages: 50
Forcepoint 1402-C3 Hardware Manual preview
1402-C3
Brand: Forcepoint Pages: 32
SonicWALL NSA E7500 Getting Started Manual preview
NSA E7500
Brand: SonicWALL Pages: 43
Fortinet FortiGate 3600 Quick Start Manual preview
FortiGate 3600
Brand: Fortinet Pages: 2
Fortinet FortiGate 100 Administration Manual preview
FortiGate 100
Brand: Fortinet Pages: 388
Fortinet FortiGate 224B Installation Manual preview
FortiGate 224B
Brand: Fortinet Pages: 54
Atos DEP/T6 Owner'S Manual preview
DEP/T6
Brand: Atos Pages: 55
PaloAlto Networks Prisma SD-WAN ION 2000 Hardware Reference Manual preview
Prisma SD-WAN ION 2000
Brand: PaloAlto Networks Pages: 38
NETGEAR ProSAFE FVS318G v2 Installation preview
ProSAFE FVS318G v2
Brand: NETGEAR Pages: 2
Sophos XGS 116 Quick Start Manual preview
XGS 116
Brand: Sophos Pages: 68
Barracuda CloudGen Firewall F1000 CE0 Quick Start Manual preview
CloudGen Firewall F1000 CE0
Brand: Barracuda Pages: 8
D-Link NetDefend DFL-860 Quick Installation Manual preview
NetDefend DFL-860
Brand: D-Link Pages: 20
D-Link NetDefend DFL-260E Quick Installation Manual preview
NetDefend DFL-260E
Brand: D-Link Pages: 32
D-Link DFL-210 - NetDefend - Security Appliance Quick Manual preview
DFL-210 - NetDefend - Security Appliance
Brand: D-Link Pages: 20
Hillstone HLB480-375 Operating Manual preview
HLB480-375
Brand: Hillstone Pages: 6
Hillstone A200 Series Hardware Reference Manual preview
A200 Series
Brand: Hillstone Pages: 27
Hillstone SG-6000-E1100 Hardware Reference Manual preview
SG-6000-E1100
Brand: Hillstone Pages: 57
Hillstone SG-6000-X7180 Hardware Reference Manual preview
SG-6000-X7180
Brand: Hillstone Pages: 64

Brands by name

Popular brands

Load more brands