Any report, with any combination of filters, can be turned into a traffic monitoring policy by adding a Threshold to the report. The Threshold option is available by clicking on the “Filters / Details” button located in the left hand frame of the Report view. Instructions for adding thresholds to reports are detailed below. Thresholds are monitored every 5 minutes, based on the last 5 minute interval.
To add a threshold to a report:
- Save a report. Thresholds can only be added to Saved reports. Enter a report name in the Report: textbox in the left hand pane of the report view, then click the Save icon above the report name. If the report isn’t saved first, the interface will prompt the user to enter a report name and save it when they enter the threshold modal.
- Click the Add button to the right of Threshold in the left hand pane. The Report Details modal opens to the threshold tab with the following text: “Trigger alert if [rate/total] value per table’s [Total/Per row] for [inbound/outbound] traffic in 5 minute interval.”
Selectable options within this modal are:
- Rate/Total – This is taken from the saved report parameter and determines if the threshold is based on the rate of the value selected, or the total amount of the value.
- Total/Per row – This radio button, selectable in the threshold modal, indicates whether to threshold against the total report value or against each line/row entry’s value (per row).
- Inbound/Outbound – This variable is also determined by the saved report parameter, whether the selected flow direction is inbound or outbound. This is the flow direction that the threshold will be monitoring. If the saved report’s flow direction is bidirectional, the threshold will monitor inbound traffic.
Threshold comparison options are:
- Greater than or equal to (>=)
- Less than or equal to (<=)
- The threshold value is entered in the textbox after the word “than”. The unit of measurement is from the saved report unit setting and can be either bits, bytes, percent, or omitted for counter fields. If bits, bytes, or counter fields, an additional selection for unit quantity is presented:
- “-” : Integer value of bits/bytes, or counters.
- K : Kilobits/bytes, counter value
- M : Megabits/bytes, counter value
- G : Gigabits/bytes, counter value
- If Per row is selected above, an additional field is presented, called Policy Threat Multiplier. This value is used to multiply the policy violation counts for this threshold to give its weighted value reported as the Threat Index in the Policy Violations list. Default is 1.
- After completing entry of the fields listed above, click the Save Threshold button. To exit the threshold modal without saving, click the Close button.
- The Select Notification Profile modal displays next. If notification profiles have been configured, select the appropriate one from the dropdown selector. To configure new notification profiles, click Manage Notifications. A new browser window opens to the Notification Manager page. After creating new Notification Profile(s), to assign the profile to the report threshold, click on ‘edit’ to the right of threshold, then click Save Threshold, and the Select Notification Profile modal will be displayed again.
- After selecting the Notification Profile (or leaving the threshold modal without selecting a notification profile) click on:
- Save – Saves the threshold with the changes made up to this point
- Close – Exits without saving the Notification Profile selection
- Save & Edit Policy – Saves the threshold settings made so far and opens the Edit Policy modal to edit this threshold policy.
- The threshold setting unit of measurement is determined by the report settings, either percent, bits, or bytes. If the report is set to report by bits or bytes, then there is an additional option of K, M, or G for total bits/bytes.
- Thresholds can also be set on other counters such as round trip time, packet loss, jitter, flow count, etc. The K, M, and G option is also available when thresholding against these other counter fields.
- It is good practice to view the FlowView report to get an idea of what the raw data looks like before setting a threshold.
- After saving the threshold, the modal will go to Select Notification Profile. Select a profile from the dropdown, or click Manage Notifications to create one. It is also possible to select Save and finish without adding a notification to the threshold. An alarm will still be generated when the threshold is violated, even without a notification included in the threshold configuration.
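
The following is an added example, not code from the product: a small model of how the options above combine (Rate/Total, Total/Per row, the comparison, the K/M/G unit and the Policy Threat Multiplier) when one 5 minute interval is checked. It assumes decimal K/M/G multipliers, a rate computed as the interval sum divided by 300 seconds, and a Threat Index equal to the violations in that interval times the multiplier; all names and sample rows are constructed for illustration.

```python
from dataclasses import dataclass
import operator

INTERVAL_SECONDS = 300  # thresholds are checked against the last 5 minute interval
UNIT = {"-": 1, "K": 10**3, "M": 10**6, "G": 10**9}  # assumption: decimal multipliers
COMPARE = {">=": operator.ge, "<=": operator.le}

@dataclass
class Threshold:  # hypothetical model of the threshold modal's fields
    mode: str                   # "rate" or "total", taken from the saved report
    scope: str                  # "total" (whole table) or "per_row"
    comparison: str             # ">=" or "<="
    value: float
    unit: str = "-"
    threat_multiplier: int = 1  # only offered when Per row is selected; default 1

def evaluate(threshold, rows):
    """rows maps a report row label to its value summed over the interval.
    Returns (labels that violate the threshold, weighted threat index)."""
    limit = threshold.value * UNIT[threshold.unit]
    breached = COMPARE[threshold.comparison]

    def measured(interval_sum):
        if threshold.mode == "rate":
            return interval_sum / INTERVAL_SECONDS
        return interval_sum

    if threshold.scope == "total":
        candidates = {"<table total>": sum(rows.values())}
        multiplier = 1
    else:
        candidates = rows
        multiplier = threshold.threat_multiplier
    violators = sorted(k for k, v in candidates.items()
                       if breached(measured(v), limit))
    return violators, len(violators) * multiplier

# Constructed sample: inbound bits per host in one 5 minute interval
# (150, 20 and 10 Mb/s as rates; 180 Mb/s for the table as a whole).
SAMPLE_ROWS = {
    "192.0.2.10": 45_000_000_000,
    "192.0.2.11": 6_000_000_000,
    "192.0.2.12": 3_000_000_000,
}

if __name__ == "__main__":
    for t in (Threshold("rate", "total", ">=", 100, "M"),
              Threshold("rate", "per_row", ">=", 100, "M", 5),
              Threshold("rate", "per_row", "<=", 15, "M"),
              Threshold("rate", "total", "<=", 15, "M")):
        print(t.scope, t.comparison, t.value, t.unit, "->", evaluate(t, SAMPLE_ROWS))
```

With this sample, a per row “less than or equal to” threshold flags the quiet host 192.0.2.12, while the same threshold against the table total does not fire because the other rows mask it.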