zWAN Director – Top Features
Top-N
Whose function is to show the most active services, applications, and accesses on the network. The dashboard consists of 4 additional dashboard, Top Applications, Top Talkers, Top Services and Top Conversations.
Threats
This dashboard includes a dictionary of public IP addresses that are known to have a poor reputation. This dictionary is built from many OSINT data sources, normalized to a common taxonomy. The Threats dashboard uses this IP reputation information to highlight three threat/risk types.
IP Reputations – Number of flows with reputation
Public Threats – Public clients with a poor IP reputation that are reaching private addresses.
At-Risk Servers – Private Servers that are being reached by clients with a poor IP reputation.
High-Risk Clients – Private clients that are accessing public servers which have a poor reputation.
Geo IP
Geo Location dashboards for Client/Server and Source/Destination perspectives for network flows.
Traffic Details
Provides more detailed breakdown of various network traffic characteristics. Additionally, it has Servers, Clients, services, and application-based traffic details.
Flow Records
Provides a peek into the total flows and various types of flows with a list of service logs. This will be client/server based or source/destination-based logs.
Statistics
Provides network statistics in the form of transmitted/received data, transmitted/received packets, transmitted/received errors for each of the interface in the network. Additionally, events and syslog logs are also listed. Transmitted data rate and received data rate are also displayed in this dashboard.
Site Availability
SLA – Overall Availability provides SLA percentage uptime for all the edge controllers onboarded with the Director. Edge controller SLA provides uptime duration across a selected time interval.
Edge Controller Level Charts
In addition to the charts mentioned above there are few more dashboards which are available for edge controller only.
Overview, System, Interfaces
In addition to the CPU and memory utilization statistics for each edge controller this dashboard also displays link status of the network interfaces transmitted/received bytes and signal quality if GSM/LTE is present. It also displays TWAMP outbound average latency, jitter and packet loss for configured interfaces.
Flows
Client/server flows which displays network statistics in bytes for each flow between client and server. AS Flow which displays the autonomous system flows between the source and the destination.
AS Traffic
Provides a view of traffic to and from Autonomous Systems (public IP ranges).
Flow Exporter
Provides egress and ingress data in bytes for each interface in the edge controller.
Traffic Details
Provides more detailed breakdown of various network traffic characteristics based on the Traffic Types, Attributes and Locality.
Global Applications
Provides application-based statistics like top applications and usage in bits per second and packets per second.
Link Status
Provides the up time and status for each network interface in the edge controller.
Signal Quality
If the edge controller is equipped with a GSM/LTE module then the RSSI (Received Signal Strength Indicator), SNR (Signal to noise ratio), RSRQ (quality of the received signal) and RSRP (average power received from a single Reference signal) statistics will be provided in this dashboard.
TWAMP
The Two-Way Active Measurement Protocol (TWAMP) is an open protocol for measuring network performance between any two devices in a network that supports the protocols in the TWAMP framework. This dashboard displays the inbound, outbound and roundtrip data based on latency, jitter and packet loss.
Logs
System logs, Firewall logs – a list of system logs and firewall logs are provided in this dashboard.
IPS Alerts
Alerts by GeoIP – a map showing the distribution of alerts by their country/region of origin based on geographic location (determined by IP).
Top Alerts – a summary of the most frequent triggered alerts and their description. Clicking an individual alert filters down the dashboard to the information pertaining to that specific alert.
Number of Alerts – the total count of alerts triggered by the ruleset.
Top alerts based on Suricata defined signatures, HTTP and protocols.
Top 20 Source/Destination IPs/Ports – pie charts showing the top 20 IPs and ports that alerts were triggered on. You can filter down on specific IPs/ports to see how many and what kind of alerts are being triggered.
Top alerts by TLS certificate issuer distinguish name.
Top multiple unique alerts by destination IP address.
Top multiple unique alerts by source IP address.
Top alerts by TLS Server name indication protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.
Alert Summary – a table summarizing specific details of each individual alert. You can customize this table to show other parameters of interest for each alert.
IPS Flow
Provides count of flows for various protocols used by the application. It also displays unique count of source and destination IP addresses, mean flow age and a list of flow events.
DNS Alerts
Displays various statistics for dns alerts generated via “Unbound DNS Resolver” in the edge controller. Stats like overall log count, log count based on return code and event list is provided.
Reports
Reporting in zWAN is on demand and can be generated at the Director level or edge controller level. Reports can be generated for various intervals with minimum granularity as a minute and maximum as a year.
Reports generated from Kibana have some major issues:
1. Reports cannot be customized.
2. However big report template is it will always generate one page only.(bug)
To fix the issues, we modified the Kibana source to include HTML based reports. These can easily be customized with customer logs and images and the content can also be easily updated.
The Director UI is very simple where in the user must select the type of report and time range after which the report will be loaded on a new tab of the web browser. Once the report is generated the user will be prompted for print it via the print dialog.
System – CPU and memory utilization statistics
Interface – Transmitted and received data and data-rate based on bytes, packets and errors.
TWAMP – The Two-Way Active Measurement Protocol (TWAMP) is an open protocol for measuring network performance between any two devices in a network that supports the protocols in the TWAMP framework. This dashboard displays the inbound, outbound and roundtrip data based on latency, jitter and packet loss.
Application – Global application charts to display application statistics as Top applications, usage in packets per second and bits per second. ISP traffic usage (rate) in bytes and packets for each application and for each service
Firewall Log – Provides network interface status by link uptime. In addition to that it also displays the overall log count and various events list based on event type like net_balancer, syslog etc.
Log – Displays a list of system logs and event list. This can be downloaded as CSV by using the “Export >> Formatted” link provided at the end of the list.