% !TEX root = ../TSG_Administrator's_Guide_Latest_EN.tex
%
%\pdfbookmark[0]{Appendix E Best Practices}{Appendix E Best Practices}
\chapter*{\hypertarget{link:Appendix E Best Practices}{Appendix E Best Practices}}
\addcontentsline{toc}{chapter}{Appendix E Best Practices}
\label{sec:appendix_f}

%\pdfbookmark[1]{Security Policy}{Appendix Security Policy}
\section*{\hypertarget{link:Appendix Security Policy}{Security Policy}}
\addcontentsline{toc}{section}{Security Policy}
\label{sec:appendix_f:policy}

To improve your overall security posture, use the guidelines in this section to plan, deploy, and maintain a best-practice security policy for your internet gateway. Applying these practices gives you visibility into traffic, helps prevent threats, and protects your network, users, and data.

\textbf{The first use case} is to deny SSL traffic based on the SNI. For example, users are forbidden to visit Netflix pages.

\begin{description}[leftmargin=0pt,itemindent=0em]
\item[]
\begin{enumerate}
\item Without any policies, visit the Netflix website; it is displayed normally.
\item Create a Deny Security Policy:
\begin{enumerate}
\item After logging into the system, create a Security Policy.
\item Policy names can be defined according to your own conventions.
\item For Action, select Deny.
\item Specify the client IP as the matching criteria for the Source field.
\item For Application, select SSL.
\item Specify the Netflix page you wish to deny as the matching criteria for the SNI field.
\item For Sub Action, select Drop.
\item Enable the policy and submit.
\end{enumerate}
\item Visit Netflix again; the pages can no longer be accessed.
\end{enumerate}
\end{description}

\textbf{The second use case} is to monitor mail based on specified keywords. This Security Policy generates a Security Event Log when it is matched.

\begin{description}[leftmargin=0pt,itemindent=0em]
\item[]
\begin{enumerate}
\item Create a Monitor Security Policy:
\begin{enumerate}
\item After logging into the system, create a Security Monitor Policy.
\item Policy names can be defined according to your own conventions.
\item For Action, select Monitor.
\item Specify the client IP as the matching criteria for the Source field.
\item For Application, select MAIL.
\item Specify the keywords you wish to monitor as the matching criteria for the Content field.
\item Enable the policy and submit.
\end{enumerate}
\item When the policy is matched, go to Logs > Security Events to view the mail content.
\end{enumerate}
\end{description}

%\pdfbookmark[1]{Proxy Policy}{Appendix Proxy Policy}
\section*{\hypertarget{link:Appendix Proxy Policy}{Proxy Policy}}
\addcontentsline{toc}{section}{Proxy Policy}
\label{sec:appendix_f:proxy}

SSL/TLS encrypted traffic traversing the internet is growing explosively. The following five use cases demonstrate proxy policy best practices.

\textbf{The first use case} is to deny HTTPS traffic based on the URL. For example, users are forbidden to visit specific pages of YouTube, while other pages of the YouTube website are not affected.

\begin{description}[leftmargin=0pt,itemindent=0em]
\item[]
\begin{enumerate}
\item Without any policies, visit the YouTube website; it is displayed normally.
\item Create a Deny Policy:
\begin{enumerate}
\item After logging into the system, create a policy.
\item Policy names can be defined according to your own conventions.
\item For Action, select Deny.
\item Specify the client IP as the matching criteria for the Source field, and specify the YouTube page you wish to deny as the matching criteria for the URL field.
\item Optionally, select the Response Content of the blocking page.
\item Enable the policy and submit.
\end{enumerate}
\item Visit YouTube again. The specified pages cannot be accessed, while other pages can be accessed normally.
\end{enumerate}
\end{description}

\textbf{The second use case} is URL redirect, for example redirecting traffic bound for Google to Bing.
\begin{description}[leftmargin=0pt,itemindent=0em]
\item[]
\begin{enumerate}
\item Without any policies, you can visit Google and search normally.
\item Create a Redirect policy. Creating a policy was demonstrated above; to save time, simply enable the policy that was created before, then click Edit to view its content:
\begin{enumerate}
\item Action is Redirect.
\item Filter is the Google URL.
\item Redirect URL is the Bing URL.
\item The policy is Enabled; click OK.
\end{enumerate}
\item Visit Google again; the page is redirected to Bing.
\end{enumerate}
\end{description}

\textbf{The third use case} is content Replace. For example, search for china in Google, and create a content Replace policy so that the search results come only from www.news.cn.

\begin{description}[leftmargin=0pt,itemindent=0em]
\item[]
\begin{enumerate}
\item Without any policies, search for china in Google; the search results come from many different websites, wikis, and so on.
\item Create a Replace policy:
\begin{enumerate}
\item For Action, select Replace.
\item Add the Google URL as Filter.
\item Specify the Action Parameters:
\begin{enumerate}
\item Replace “q=china” in the HTTP Request URI with “q=china+site\%3Awww.news.cn”.
\item Replace “china site:www.news.cn” in the HTTP Response Body with “china”.
\end{enumerate}
\item Enable the policy and submit.
\end{enumerate}
\item Visit Google again and search for china; the search results now come only from www.news.cn.
\end{enumerate}
\end{description}

\textbf{The fourth use case} is file hijack. For example, when a user downloads the WhatsApp installation package, replace it with another file, such as a WhatsApp installation package carrying a trojan. In this demonstration a file named test.exe is used as the replacement instead.

\begin{description}[leftmargin=0pt,itemindent=0em]
\item[]
\begin{enumerate}
\item Without any policies, the WhatsApp installation package downloads normally.
\item Create a Hijack policy:
\begin{enumerate}
\item For Action, select Hijack.
\item Select the WhatsApp download URL as Filter.
\item Select test.exe as the Hijack File in Action Parameters.
\item Enable the policy and submit.
\end{enumerate}
\item Download WhatsApp again; the file actually downloaded is test.exe. If you do not want the substitution to be found easily, you can give the hijack file the same name as the original.
\end{enumerate}
\end{description}

\textbf{The fifth use case} is script injection. For example, when a user visits Facebook, insert a script into the Facebook page; the script is then executed on the client side. Here a JavaScript snippet that opens a pop-up window is used for the demonstration.

\begin{description}[leftmargin=0pt,itemindent=0em]
\item[]
\begin{enumerate}
\item Without any policies, visit the Netflix website; it is displayed normally without any pop-up window.
\item Create an Insert policy:
\begin{enumerate}
\item For Action, select Insert.
\item Select the Netflix URL as Filter.
\item Select the pop-up JavaScript snippet as the Insert Script in Action Parameters.
\item Enable the policy and submit.
\end{enumerate}
\item Visit the Netflix website again; the pop-up window appears.
\end{enumerate}
\end{description}

\notemark\textit{The Watch feature only supports policies and objects. You can add them to your watch list: select the checkbox for objects and policies in the list and click \textbf{Watch} at the bottom to add them to the Watch List. You can then click the star icon in the bottom right and select the Object or Policy tab to view the Watch List. You can search objects and policies by ID and Name in the list. For policies, you can check a policy in the list and enable or disable it.
You can also export and clear the list.}

%\pdfbookmark[1]{Custom Application}{Custom Application}
\section*{\hypertarget{link:Custom Application}{Custom Application}}
\addcontentsline{toc}{section}{Custom Application}
\label{sec:appendix_f:application}

A policy object consists of one item or a set of items that group discrete identities such as IP addresses, URLs, applications, or accounts. The relationship between the items of an object is “or”. For keyword objects, however, each item can be an “and” expression of up to 4 substrings, all of which must be present. You reference objects in a policy as conditions. The relationship between the conditions of a policy is “and”, and a policy can have at most eight conditions.

Application is a somewhat special kind of object in TSG. Applications increase the value of TSG firewalls by making it easier and faster to determine the exact identity of the applications traversing the network, enabling teams to set and enforce the right policies. Applications reduce complexity and minimize human error.
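The matching rules just described (items of an object combined with “or”, keyword substrings combined with “and” up to a limit of 4, conditions of a policy combined with “and” up to a limit of 8) are modelled below as a small Python evaluator, exercised with the Deny-by-SNI and Monitor-mail-by-keyword policies from the Security Policy section. This is an added example, not TSG's code: the attribute names (src\_ip, app, sni, content), the object and policy names, the session dictionaries and the CIDR notation for IP items are constructed for illustration, and the ordering between a matching Monitor and a matching Deny policy is an assumption of the model, not documented product behaviour.

```python
"""Toy evaluator for TSG-style policy objects and policy conditions (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

MAX_KEYWORD_SUBSTRINGS = 4  # appendix: a keyword item holds up to 4 substrings
MAX_CONDITIONS = 8          # appendix: at most eight conditions per policy


@dataclass(frozen=True)
class KeywordItem:
    """All substrings must occur in the value ("and" within one item)."""
    substrings: Tuple[str, ...]

    def __post_init__(self) -> None:
        if not 1 <= len(self.substrings) <= MAX_KEYWORD_SUBSTRINGS:
            raise ValueError("a keyword item holds 1..4 substrings")

    def matches(self, value: str) -> bool:
        return all(s in value for s in self.substrings)


@dataclass(frozen=True)
class ExactItem:
    """Exact identity match, e.g. an application name or an SNI."""
    value: str

    def matches(self, value: str) -> bool:
        return value == self.value


@dataclass(frozen=True)
class CidrItem:
    """IP address item (CIDR form is an assumption of this model)."""
    cidr: str

    def matches(self, value: str) -> bool:
        try:
            return ip_address(value) in ip_network(self.cidr, strict=False)
        except ValueError:  # non-IP value cannot match an IP item
            return False


@dataclass(frozen=True)
class PolicyObject:
    """Items are combined with "or": one matching item is enough."""
    name: str
    items: Tuple[object, ...]

    def matches(self, value: str) -> bool:
        return any(item.matches(value) for item in self.items)


@dataclass
class Policy:
    """Conditions (attribute -> object) are combined with "and"."""
    name: str
    action: str  # "deny" or "monitor", as in the Security Policy use cases
    conditions: Dict[str, PolicyObject]
    enabled: bool = True

    def __post_init__(self) -> None:
        if not 1 <= len(self.conditions) <= MAX_CONDITIONS:
            raise ValueError("a policy holds 1..8 conditions")

    def matches(self, session: Dict[str, str]) -> bool:
        return self.enabled and all(
            obj.matches(session.get(attr, "")) for attr, obj in self.conditions.items())


def evaluate(policies: List[Policy], session: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk policies in order. A matching Monitor policy records a security event
    and evaluation continues; a matching Deny policy ends it. Returns the verdict
    ("deny" or "allow") and the names of the policies that logged an event."""
    events: List[str] = []
    for policy in policies:
        if not policy.matches(session):
            continue
        if policy.action == "monitor":
            events.append(policy.name)
        elif policy.action == "deny":
            return "deny", events
    return "allow", events


# Constructed objects and policies mirroring the two Security Policy use cases.
CLIENTS = PolicyObject("branch-clients", (CidrItem("10.0.0.0/24"), CidrItem("10.0.1.7/32")))
SSL_APP = PolicyObject("app-ssl", (ExactItem("SSL"),))
MAIL_APP = PolicyObject("app-mail", (ExactItem("MAIL"),))
NETFLIX_SNI = PolicyObject("netflix-sni", (ExactItem("www.netflix.com"), ExactItem("netflix.com")))
MAIL_KEYWORDS = PolicyObject("sensitive-mail",
                             (KeywordItem(("report", "confidential")), KeywordItem(("salary",))))
POLICIES = [
    Policy("monitor-mail-keywords", "monitor",
           {"src_ip": CLIENTS, "app": MAIL_APP, "content": MAIL_KEYWORDS}),
    Policy("deny-netflix-sni", "deny",
           {"src_ip": CLIENTS, "app": SSL_APP, "sni": NETFLIX_SNI}),
]

if __name__ == "__main__":
    for s in [  # constructed sample sessions
        {"src_ip": "10.0.0.5", "app": "SSL", "sni": "www.netflix.com"},
        {"src_ip": "10.0.0.5", "app": "MAIL", "content": "quarterly report, confidential"},
        {"src_ip": "10.0.0.5", "app": "MAIL", "content": "quarterly report attached"},
        {"src_ip": "192.0.2.9", "app": "SSL", "sni": "www.netflix.com"},
    ]:
        print(s, "->", evaluate(POLICIES, s))
```

The third sample session shows the “and” inside a keyword item: the mail contains “report” but not “confidential”, so neither item of the keyword object matches and no Security Event is logged, whereas the fourth shows a condition failing (a client outside the source object), which prevents the Deny policy from matching even though the SNI does.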
The following tables list the predefined application attributes.

TCP/UDP/IP Attributes

\begin{longtable}{p{0.35\textwidth}|p{0.11\textwidth}|p{0.08\textwidth}|p{0.14\textwidth}}
\rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Attribute Name}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Layer}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Stage}} & \textcolor{white}{Value Type} \\\hline
ip.src & Packet & 0 & ip \\ \hline
ip.dst & Packet & 0 & ip \\ \hline
tcp.payload.c2s\_first\_data & Session & 1 & string \\ \hline
tcp.payload.s2c\_first\_data & Session & 2 & string \\ \hline
tcp.analysis.create\_with\_syn & Session & 1 & bool \\ \hline
ip.payload & Packet & 0 & string \\ \hline
tcp.payload & Packet & 0 & string \\ \hline
tcp.srcport & Packet & 0 & numeric \\ \hline
tcp.dstport & Packet & 0 & numeric \\ \hline
tcp.syn.fingerprint & Session & 1 & string \\ \hline
tcp.sack.fingerprint & Session & 1 & string \\ \hline
udp.payload.c2s\_first\_data & Session & 0 & string \\ \hline
udp.payload.s2c\_first\_data & Session & 1 & string \\ \hline
udp.srcport & Packet & 0 & numeric \\ \hline
udp.dstport & Packet & 0 & numeric \\ \hline
\end{longtable}

SSL Attributes

\begin{longtable}{p{0.61\textwidth}|p{0.11\textwidth}|p{0.08\textwidth}|p{0.14\textwidth}}
\rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Attribute Name}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Layer}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Stage}} & \textcolor{white}{Value Type} \\\hline
ssl.handshake.extensions\_server\_name & Session & 1 & string \\ \hline
ssl.handshake.cert.fingerprint & Session & 2 & string \\ \hline
ssl.handshake.cert.serial\_number & Session & 2 & string \\ \hline
ssl.handshake.certificate.issuer\_common\_name & Session & 2 & string \\ \hline
ssl.handshake.certificate.issuer\_organization\_name & Session & 2 & string \\ \hline
ssl.handshake.certificate.issuer\_country\_name & Session & 2 & string \\ \hline
ssl.handshake.certificate.subject\_common\_name & Session & 2 & string \\ \hline
ssl.handshake.certificate.subject\_organization\_name & Session & 2 & string \\ \hline
ssl.handshake.certificate.subject\_country\_name & Session & 2 & string \\ \hline
ssl.handshake.certificate.not\_valid\_before & Session & 2 & string \\ \hline
ssl.handshake.certificate.not\_valid\_after & Session & 2 & string \\ \hline
ssl.handshake.certificate.algorithm\_id & Session & 2 & string \\ \hline
ssl.analysis.use\_session\_resumption & Session & 3 & numeric \\ \hline
ssl.analysis.use\_selfsigned\_certificate & Session & 3 & numeric \\ \hline
ssl.analysis.incomplete\_certificate\_chain & Session & 3 & numeric \\ \hline
\end{longtable}

\notemark\textit{The Client Hello is in Stage 1, and the Server Hello is in Stage 2. SSL attributes are all in the Session layer.}

HTTP Attributes

\begin{longtable}{p{0.35\textwidth}|p{0.11\textwidth}|p{0.08\textwidth}|p{0.14\textwidth}}
\rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Attribute Name}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Layer}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Stage}} & \textcolor{white}{Value Type} \\\hline
http.host & Session & 1 & string \\ \hline
http.uri & Session & 1 & string \\ \hline
http.user\_agent & Session & 1 & string \\ \hline
http.content\_type & Session & 1 & string \\ \hline
http.content\_encoding & Session & 1 & string \\ \hline
http.referer & Session & 1 & string \\ \hline
http.cookie & Session & 1 & string \\ \hline
http.set\_cookie & Session & 3 & string \\ \hline
\end{longtable}

\notemark\textit{The HTTP Request Header, Request Body, Response Header, and Response Body are in Stage 1, Stage 2, Stage 3, and Stage 4 respectively.
HTTP attributes are all in the Session layer.}

Other Attributes

\begin{longtable}{p{0.35\textwidth}|p{0.11\textwidth}|p{0.08\textwidth}|p{0.14\textwidth}}
\rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Attribute Name}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Layer}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Stage}} & \textcolor{white}{Value Type} \\\hline
quic.sni & Session & 1 & string \\ \hline
dns.qry.name & Session & 1 & string \\ \hline
general.session.analysis.app\_id & Session & 2 & numeric \\ \hline
general.c2s\_session\_size & Session & 2 & string \\ \hline
general.s2c\_session\_size & Session & 2 & string \\ \hline
\end{longtable}

%\pdfbookmark[1]{Make Your Own Reports}{Make Your Own Reports}
\section*{\hypertarget{link:Make Your Own Reports}{Make Your Own Reports}}
\addcontentsline{toc}{section}{Make Your Own Reports}
\label{sec:appendix_f:report}

The following walks you through building a report with a single chart type. You can of course create a report with all chart types using the TSG \textbf{Reports} function.

%\pdfbookmark[2]{The 1st: Bar}{The 1st: Bar}
\subsection*{\hypertarget{link:The 1st: Bar}{The 1$^{st}$: Bar}}
\addcontentsline{toc}{subsection}{The 1$^{st}$: Bar}
\label{sec:appendix_f:report:bar}

Create a Bar Report. For example, make a report of the top 10 server IPs that our security policy matched last week, with the sum of bytes sent to and bytes received from each server IP.

\begin{description}
\item[STEP 1.] Create a Dataset. A dataset specifies what data to extract from the logs.
\begin{enumerate}
\item Select the \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}.
\item Enter a \textbf{Name}: security event bytes by server IP dataset.
\item Select a \textbf{Log Type}: Security Event.
\item Select the \textbf{Group by}. This serves as the X-Axis Data Binding option for Chart Libraries. The report mainly displays the Server IP, so select Server IP.
\item Specify the \textbf{Data Bindings}: add a field, an aggregate, and a label, which serve as the Y-Axis Data Binding options of your Chart Libraries. The available fields include the Group by field you just added, and you can add one or multiple fields. For Field, select Bytes Sent and Bytes Received; for Aggregate, select sum; set Label to bytes-Sum.
\item Specify \textbf{Filter} and \textbf{Having}. For Filter, select Action as Field, “=” as Operator, and Monitor and Intercept as Value; that is, only security policies with the Monitor and Intercept actions are counted. For Having, select Log ID as Field, count as Aggregate, “>=” as Operator, and 10 as Value; this means only security policies matched at least 10 times are counted. Your selections automatically generate a SQL query.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 2.] Create a Chart Library. A chart library sets how the data is displayed.
\begin{enumerate}
\item Enter a \textbf{Name} and \textbf{Description}. Set the name to security event bytes by server IP Chart Library, and leave the description empty.
\item Select the \textbf{Dataset} you just created.
\item Select \textbf{Chart Type}: Bar.
\item Set the \textbf{Data Bindings} for the X-Axis and Y-Axis. Set Show Top to 10. Set the Label, which is displayed in your report.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 3.] Create a Report.
\begin{enumerate}
\item Enter a \textbf{Name}: security event bytes by server IP report.
\item Select a \textbf{Time Period}. Here select last 1 week, which runs from yyyy-mm-dd-7 hh:mi:ss to yyyy-mm-dd hh:mi:ss.
\item Select the \textbf{Chart Library} you just created.
\item Click \textbf{OK}.
\end{enumerate}
\end{description}

%\pdfbookmark[2]{The 2nd: Line}{The 2nd: Line}
\subsection*{\hypertarget{link:The 2nd: Line}{The 2$^{nd}$: Line}}
\addcontentsline{toc}{subsection}{The 2$^{nd}$: Line}
\label{sec:appendix_f:report:line}

Create a Line Report.
For example, make a report of the security event session count for the previous day.

\begin{description}
\item[STEP 1.] Create a Dataset. A dataset specifies what data to extract from the logs.
\begin{enumerate}
\item Select the \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}.
\item Enter a \textbf{Name}: security event sessions by time dataset.
\item Select a \textbf{Log Type}: Security Event.
\item Select the \textbf{Group by}. For a Line Chart, you must select Receive Time. This serves as the X-Axis Data Binding option for Chart Libraries.
\item Specify the \textbf{Data Bindings}: add a field, an aggregate, and a label, which serve as the Lines Data Binding options of your Chart Libraries. The available fields include the Group by field you just added, and you can add one or multiple fields. For Field, select Log ID; for Aggregate, select count; set Label to count.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 2.] Create a Chart Library. A chart library sets how the data is displayed.
\begin{enumerate}
\item Enter a \textbf{Name} and \textbf{Description}. Set the name to security event sessions by time Chart Library, and leave the description empty.
\item Select the \textbf{Dataset} you just created.
\item Select \textbf{Chart Type}: Line.
\item Set the \textbf{Data Bindings} for the X-Axis and Lines. For Lines, select count as Data Binding; select Counter(K/M/G) as Format; select Line Up as Type; enter count as Legend.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 3.] Create a Report.
\begin{enumerate}
\item Enter a \textbf{Name}: security event sessions by time report.
\item Select a \textbf{Time Period}. Here select previous 1 day, which runs from yyyy-mm-dd-1 00:00:00 to yyyy-mm-dd-1 23:00:00 when the Time Granularity is 1 hour.
\item Select the \textbf{Chart Library} you just created. Enter a number and select a time unit for \textbf{Time Granularity}. Here set it to 1 hour.
\item Click \textbf{OK}.
\end{enumerate}
\end{description}

%\pdfbookmark[2]{The 3rd: Drilldown}{The 3rd: Drilldown}
\subsection*{\hypertarget{link:The 3rd: Drilldown}{The 3$^{rd}$: Drilldown}}
\addcontentsline{toc}{subsection}{The 3$^{rd}$: Drilldown}
\label{sec:appendix_f:report:drilldown}

Create a Drilldown Report. For example, make a report of the session count for the top 100 Http.Domain values that our security policy matched last week, drilling down on Subscriber ID and showing the top 5 subscriber IDs for each domain.

\begin{description}
\item[STEP 1.] Create a Dataset. A dataset specifies what data to extract from the logs.
\begin{enumerate}
\item Select the \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}.
\item Enter a \textbf{Name}: security event session top domain and subscriber IDs drilldown dataset.
\item Select a \textbf{Log Type}: Security Event.
\item Select the \textbf{Group by}. The report mainly displays Http.Domain and Subscriber ID, so add Http.Domain and Subscriber ID.
\item Specify the \textbf{Data Bindings}: add a field, an aggregate, and a label, which serve as the Columns options of your Chart Libraries. The available fields include the Group by fields you just defined, and you can add other fields. Here add Log ID; select count as Aggregate and set Label to sessions.
\item Specify \textbf{Filter} and \textbf{Having}. For Filter, select Address Type as Field, “=” as Operator, and IPv4 as Value; that is, only security policies with the IPv4 address type are counted. For Having, select Log ID as Field, count as Aggregate, “>=” as Operator, and 10 as Value; this means only security policies matched at least 10 times are counted. Your selections automatically generate a SQL query.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 2.] Create a Chart Library. A chart library sets how the data is displayed.
\begin{enumerate}
\item Enter a \textbf{Name} and \textbf{Description}. Set the name to security event session top domain and subscriber IDs drilldown chart.
Leave the description empty.
\item Select the \textbf{Dataset} you just created.
\item Select \textbf{Chart Type}: Table.
\item For \textbf{Data Bindings}, select Drilldown as Table Type. Drilldown tables have three columns, and you must select one of them as the drilldown column. Complete the Title, Width, Data Binding, Format and Legend for each column, and enable Drilldown Columns for Subscriber ID. Select order by sessions descending. Show Top 100 Http.Domains. Drilldown Top 5 on Subscriber ID.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 3.] Create a Report.
\begin{enumerate}
\item Enter a \textbf{Name}: security event session top domain and subscriber IDs drilldown report.
\item Select a \textbf{Time Period}. Here select last 1 week, which runs from yyyy-mm-dd-7 hh:mi:ss to yyyy-mm-dd hh:mi:ss.
\item \textbf{Enable Notification} and select Email as the Output Profile. For Email, enter the recipient's e-mail address.
\item Select the \textbf{Chart Library} you just created.
\item Click \textbf{OK}.
\end{enumerate}
\end{description}

%\pdfbookmark[2]{The 4th: Double-lines}{The 4th: Double-lines}
\subsection*{\hypertarget{link:The 4th: Double-lines}{The 4$^{th}$: Double-lines}}
\addcontentsline{toc}{subsection}{The 4$^{th}$: Double-lines}
\label{sec:appendix_f:report:double-lines}

Create a top N Line Report. For example, make a report of the daily session count grouped by Http.Domain (top 5) that our security policy matched in the last month.

\begin{description}
\item[STEP 1.] Create a Dataset. A dataset specifies what data to extract from the logs.
\begin{enumerate}
\item Select the \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}.
\item Enter a \textbf{Name}: security event counter by domain dataset.
\item Select a \textbf{Log Type}: Security Event.
\item Select the \textbf{Group by}. For a Line Chart, you must select Receive Time. This serves as the X-Axis Data Binding option for Chart Libraries. The report mainly displays Http.Domain, so add Http.Domain.
This is added to your Group by option in your Chart Libraries.
\item Specify the \textbf{Data Bindings}: add a field, an aggregate, and a label. The available fields include the Group by fields you just added, and you can add other fields. For Field, select Log ID; for Aggregate, select count; set Label to counter.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 2.] Create a Chart Library. A chart library sets how the data is displayed.
\begin{enumerate}
\item Enter a \textbf{Name} and \textbf{Description}. Set the name to security event counter by domain chart, and leave the description empty.
\item Select the \textbf{Dataset} you just created.
\item Select \textbf{Chart Type}: Line.
\item Set the \textbf{Data Bindings} for the X-Axis and Lines. For Lines, select counter as Data Binding; select Default as Format; select Line Up as Type; enter counter as Legend. Check Group by and select Http.Domain. Check Order by and select counter. Check Descending. Set Max line to 5.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 3.] Create a Report.
\begin{enumerate}
\item Enter a \textbf{Name}: security event counter by domain report.
\item Select a \textbf{Time Period}. Here select last 1 month, which runs from yyyy-(mm-1)-dd hh:mi:ss to yyyy-mm-dd hh:mi:ss.
\item Select the \textbf{Chart Library} you just created. Enter a number and select a time unit for \textbf{Time Granularity}. Here set it to 1 day.
\item Add a \textbf{Filter}. Select Http.Domain as Field and notEmpty as Operator. This means empty domain names are not counted.
\item Click \textbf{OK}.
\end{enumerate}
\end{description}

%\pdfbookmark[2]{The 5th: Area}{The 5th: Area}
\subsection*{\hypertarget{link:The 5th: Area}{The 5$^{th}$: Area}}
\addcontentsline{toc}{subsection}{The 5$^{th}$: Area}
\label{sec:appendix_f:report:area}

Create an Area Report. For example, make a report of the daily sum of Bytes Sent and Bytes Received and the daily sum of Packets Sent and Packets Received that our security policy matched in the last month.
\begin{description}
\item[STEP 1.] Create a Dataset. A dataset specifies what data to extract from the logs.
\begin{enumerate}
\item Select the \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}.
\item Enter a \textbf{Name}: security event bytes and packets dataset.
\item Select a \textbf{Log Type}: Security Event.
\item Select the \textbf{Group by}. For an Area Chart, you must select Receive Time. This serves as the X-Axis (TimeLine) Data Binding option for Chart Libraries. You can add other fields, which are added to your Group by options in your Chart Libraries.
\item Specify the \textbf{Data Bindings}: add a field, an aggregate, and a label. The available fields include the Group by field you just added, and you can add other fields. For Field, select Bytes Sent and Bytes Received; for Aggregate, select sum; set Label to bytes. Then, for Field, select Packets Sent and Packets Received; for Aggregate, select sum; set Label to Packets.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 2.] Create a Chart Library. A chart library sets how the data is displayed.
\begin{enumerate}
\item Enter a \textbf{Name} and \textbf{Description}. Set the name to security event bytes and packets chart, and leave the description empty.
\item Select the \textbf{Dataset} you just created.
\item Select \textbf{Chart Type}: Area.
\item Set the \textbf{Data Bindings} for the X-Axis and Lines. For Lines, select bytes as Data Binding; select Bandwidth (Kbps/Mbps/Gbps) as Format; select Line Up as Type; enter bytes as Legend. Then select Packets as Data Binding; select Bandwidth (Kpps/Mpps/Gpps) as Format; select Line Down as Type; enter Packets as Legend.
\item Click \textbf{OK}.
\end{enumerate}
\item[STEP 3.] Create a Report.
\begin{enumerate}
\item Enter a \textbf{Name}: security event bytes and packets report.
\item Select a \textbf{Time Period}. Here select last 1 month, which runs from yyyy-(mm-1)-dd hh:mi:ss to yyyy-mm-dd hh:mi:ss.
\item Select the \textbf{Chart Library} you just created.
Enter a number and select a time unit for \textbf{Time Granularity}. Here set it to 1 day.
\item Click \textbf{OK}.
\end{enumerate}
\end{description}

%\pdfbookmark[2]{The 6th: Network Behavior Analysis for Specific User }{The 6th: Network Behavior Analysis for Specific User }
\subsection*{\hypertarget{link:The 6th: Network Behavior Analysis for Specific User }{The 6$^{th}$: Network Behavior Analysis for Specific User}}
\addcontentsline{toc}{subsection}{The 6$^{th}$: Network Behavior Analysis for Specific User}
\label{sec:appendix_f:report:6th}

Create a report to analyze the network behavior of a specific user, identified for example by IP address or Subscriber ID. For example, create a report for the internal IP 192.168.50.2. It includes 9 charts and tables that display the traffic trend, the top accessed domains, and the top accessed URLs based on sessions.

\begin{description}
\item[STEP 1.] Create 3 Datasets. Select the \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}. Select the same Log Type for all 3 datasets: Session Records.
\begin{enumerate}
\item Create a Dataset with \textbf{Name} Traffic-Metrics-Trend.
\begin{enumerate}
\item Select Receive Time as \textbf{Group by}.
\item Specify the \textbf{Data Bindings}: add a field, an aggregate, and a label. You can add multiple data binding items at once and reference the same dataset when creating multiple charts. Here add 7 items:
\begin{enumerate}
\item For Field, select Bytes Sent and Bytes Received; for Aggregate, select sum; set Label to bytes.
\item For Field, select Bytes Sent; for Aggregate, select sum; set Label to Bytes Sent.
\item For Field, select Bytes Received; for Aggregate, select sum; set Label to Bytes Received.
\item For Field, select Sessions; for Aggregate, select sum; set Label to New Sessions.
\item For Field, select Packets Sent and Packets Received; for Aggregate, select sum; set Label to Packets.
\item For Field, select Packets Sent; for Aggregate, select sum; set Label to Packets Sent.
\item For Field, select Packets Received; for Aggregate, select sum; set Label to Packets Received.
\end{enumerate}
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Dataset with \textbf{Name} Traffic-Top-Access-Domain.
\begin{enumerate}
\item Select Http.Domain as \textbf{Group by}.
\item Specify the \textbf{Data Bindings}: add a field, an aggregate, and a label. For Field, select Sessions; for Aggregate, select sum; set Label to Sessions.
\item Specify a \textbf{Filter}. Select Http.Domain as Field and notEmpty as Operator. This excludes empty domains.
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Dataset with \textbf{Name} Traffic-Top-Access-URL.
\begin{enumerate}
\item Select Http.URL as \textbf{Group by}.
\item Specify the \textbf{Data Bindings}: add a field, an aggregate, and a label. For Field, select Sessions; for Aggregate, select sum; set Label to Sessions.
\item Specify a \textbf{Filter}. Select Http.URL as Field and notEmpty as Operator. This excludes empty URLs.
\item Click \textbf{OK}.
\end{enumerate}
\end{enumerate}
\item[STEP 2.] Create 9 Chart Libraries. A chart library sets how the data is displayed. Select the \textbf{Reports} > \textbf{Chart Library} menu, and click \textbf{Create}.
\begin{enumerate}
\item Create a Chart Library with \textbf{Name} Traffic Bandwidth Trend.
\begin{enumerate}
\item Select \textbf{Dataset} Traffic-Metrics-Trend.
\item Select \textbf{Chart Type}: Area.
\item Set the \textbf{Data Bindings} for the X-Axis and Lines. Select Receive Time, defined in the dataset's Group By, as the X-Axis, and select Time as Format. You can add multiple Data Bindings for Lines:
\begin{enumerate}
\item Select Bytes as Data Binding; select Bandwidth (Kbps/Mbps/Gbps) as Format; select Line Up as Type; enter total as Legend.
\item Select Bytes Sent as Data Binding; select Bandwidth (Kbps/Mbps/Gbps) as Format; select Line Up as Type; enter out as Legend.
\item Select Bytes Received as Data Binding; select Bandwidth (Kbps/Mbps/Gbps) as Format; select Line Up as Type; enter in as Legend.
\end{enumerate}
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Chart Library with \textbf{Name} Traffic Packet Trend.
\begin{enumerate}
\item Select \textbf{Dataset} Traffic-Metrics-Trend.
\item Select \textbf{Chart Type}: Area.
\item Set the \textbf{Data Bindings} for the X-Axis and Lines. Select Receive Time, defined in the dataset's Group By, as the X-Axis, and select Time as Format. You can add multiple Data Bindings for Lines:
\begin{enumerate}
\item Select Packets as Data Binding; select Bandwidth (Kpps/Mpps/Gpps) as Format; select Line Up as Type; enter total as Legend.
\item Select Packets Sent as Data Binding; select Bandwidth (Kpps/Mpps/Gpps) as Format; select Line Up as Type; enter out as Legend.
\item Select Packets Received as Data Binding; select Bandwidth (Kpps/Mpps/Gpps) as Format; select Line Up as Type; enter in as Legend.
\end{enumerate}
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Chart Library with \textbf{Name} Traffic New Sessions Trend.
\begin{enumerate}
\item Select \textbf{Dataset} Traffic-Metrics-Trend.
\item Select \textbf{Chart Type}: Line.
\item Set the \textbf{Data Bindings} for the X-Axis and Lines. Select Receive Time, defined in the dataset's Group By, as the X-Axis, and select Time as Format. Select New Sessions as Data Binding; select Counter(K/M/G) as Format; select Line Up as Type; enter New Sessions as Legend.
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Chart Library with \textbf{Name} Traffic Top 30 Access Domains Detail.
\begin{enumerate}
\item Select \textbf{Dataset} Traffic-Top-Access-Domain.
\item Select \textbf{Chart Type}: Table.
\item For \textbf{Data Bindings}, select Regular as Table Type. Click to add a Column, and complete the Title, Width, Data Binding, Format and Legend for each column. Fill in Domain as Title; select Domain as Data Binding; enter Domain as Legend.
Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; enter Sessions as Legend. Select order by Sessions descending. Show Top 30.
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Chart Library with \textbf{Name} Traffic Top 30 Access Domains Distribution.
\begin{enumerate}
\item Select \textbf{Dataset} Traffic-Top-Access-Domain.
\item Select \textbf{Chart Type}: Bar.
\item Set the \textbf{Data Bindings} for the X-Axis and Y-Axis. For the X-Axis, select Domain as Data Binding; set Domain as Label; set Show Top to 30. For the Y-Axis, select Sessions as Data Binding; select Counter(K/M/G) as Format; set Label to Sessions.
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Chart Library with \textbf{Name} Traffic Top 10 Access Domains Percent.
\begin{enumerate}
\item Select \textbf{Dataset} Traffic-Top-Access-Domain.
\item Select \textbf{Chart Type}: Pie.
\item Set the \textbf{Data Bindings} for Category and Series. For Category, select Domain as Data Binding; set Domain as Label; set Show Top to 10. For Series, select Sessions as Data Binding; select Counter(K/M/G) as Format; set Label to Sessions. Check Bundle rest into ‘Others’.
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Chart Library with \textbf{Name} Traffic Top 30 Access URLS Detail.
\begin{enumerate}
\item Select \textbf{Dataset} Traffic-Top-Access-URL.
\item Select \textbf{Chart Type}: Table.
\item For \textbf{Data Bindings}, select Regular as Table Type. Click to add a Column, and complete the Title, Width, Data Binding, Format and Legend for each column. Fill in URL as Title; select URL as Data Binding; enter URL as Legend. Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; enter Sessions as Legend. Select order by Sessions descending. Show Top 30.
\item Click \textbf{OK}.
\end{enumerate}
\item Create a Chart Library with \textbf{Name} Traffic Top 30 Access URLS Distribution.
\begin{enumerate} \item Select \textbf{Dataset} Traffic-Top-Access-URL. \item Select \textbf{Chart Type}: Bar. \item Set the \textbf{Data Bindings} for X-Axis and Y-Axis. For X-Axis, select URL as Data Binding; set URL as Label; set Show Top to 30. For Y-Axis, select Sessions as Data Binding; select Counter(K/M/G) as Format; set Label to Sessions. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Traffic Top 10 Access URLS Percent. \begin{enumerate} \item Select \textbf{Dataset} Traffic-Top-Access-URL. \item Select \textbf{Chart Type}: Pie. \item Set the \textbf{Data Bindings} for Category and Series. For Category, select URL as Data Binding; set URL as Label; set Show Top to 10. For Series, select Sessions as Data Binding; select Counter(K/M/G) as Format; set Label to Sessions. Check Bundle rest into ‘Others’. \item Click \textbf{OK}. \end{enumerate} \end{enumerate} \item[STEP 3.] Create a Report. \begin{enumerate} \item Enter a \textbf{Name}, Traffic Report with Internal IP 192.168.50.2. \item Select a \textbf{Time Period}. Select last 1 day. \item Select the \textbf{Chart Library} you just created. Click Add Chart to add multiple charts. \begin{enumerate} \item Select Traffic Bandwidth Trend. Set 5 minutes for \textbf{Time Granularity}. \item Select Traffic Packets Trend. Set 5 minutes for \textbf{Time Granularity}. \item Select Traffic New Sessions Trend. Set 5 minutes for \textbf{Time Granularity}. \item Select Traffic Top 30 Access Domains Detail. \item Select Traffic Top 30 Access Domains Distribution. \item Select Traffic Top 10 Access Domains Percent. \item Select Traffic Top 30 Access URLS Detail. \item Select Traffic Top 30 Access URLS Distribution. \item Select Traffic Top 10 Access URLS Percent. \end{enumerate} \item Specify \textbf{Filter}. Select Internal IP as Field; select “=” as Operator; set Value to 192.168.50.2. \item Click \textbf{OK}. 
\end{enumerate} \end{description}
%\pdfbookmark[2]{The 7th: Website Access Analysis for Specific Domain}{The 7th: Website Access Analysis for Specific Domain} \subsection*{\hypertarget{link:The 7th: Website Access Analysis for Specific Domain}{The 7$^{th}$: Website Access Analysis for Specific Domain}} \addcontentsline{toc}{subsection}{The 7$^{th}$: Website Access Analysis for Specific Domain} \label{sec:appendix_f:report:7th} Create a report to analyze website access for a specific domain, such as google.com. For example, create a custom report to analyze security events that hit google.com. It will include 5 charts and tables that display the traffic trend based on bandwidth and unique client IP count, the security event action hit sessions trend, and the top Server IPs based on sessions. \begin{description}
\item[STEP 1.] Create 3 Datasets. Select \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}. Select the same \textbf{Log Type} for the 3 datasets: Security Event. \begin{enumerate} \item Create a Dataset with \textbf{Name} Security-Intercept-Event-Metrics-Trend. \begin{enumerate} \item Select Receive Time as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Now add 2 items. \begin{enumerate} \item Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes. \item Field select Client IP; aggregate select count distinct; Label set to Unique Client IP. \end{enumerate} \item Specify \textbf{Filter}. Select Action as Field; select “=” as Operator; set Value to Intercept. This configuration will only include Security Events with intercept action. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Action-Hit-Sessions-Trend. \begin{enumerate} \item Select Receive Time and Action as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label.
Field select Log ID; Label set to Sessions. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Server-IP. \begin{enumerate} \item Select Server IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. Field select Log ID; Label set to Sessions. \item Click \textbf{OK}. \end{enumerate} \end{enumerate}
\item[STEP 2.] Create 5 Chart Libraries. Charts set the display form of the data. Select \textbf{Reports} > \textbf{Chart Library} menu, and click Create. \begin{enumerate} \item Create a Chart Library with \textbf{Name} Security Intercept Event Metrics Trend. \begin{enumerate} \item Select \textbf{Dataset} Security-Intercept-Event-Metrics-Trend. \item Select \textbf{Chart Type}: Line. \item Set the \textbf{Data Bindings} for X-Axis and Lines. Select Receive Time defined in Group By from dataset as X-Axis. Select Time as Format. For Lines, select Unique Client IP as Data Binding; select Counter(K/M/G) as Format; select Line Up as Type; input Unique Client IP as Legend. Select Bytes as Data Binding; select Bandwidth(Kbps/Mbps/Gbps) as Format; select Line Down as Type; input bps as Legend. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Security Event Action Hit Sessions Trend. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Action-Hit-Sessions-Trend. \item Select \textbf{Chart Type}: Line. \item Set the \textbf{Data Bindings} for X-Axis and Lines. Select Receive Time defined in Group By from dataset as X-Axis. Select Time as Format. For Lines, select Sessions as Data Binding; select Counter(K/M/G) as Format; select Line Up as Type; input Sessions as Legend. Check Group By and select Action. Check Order By, select Sessions and check Descending. Show Top 10. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Security Event Top 30 Server IP Detail.
\begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Server-IP. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Regular as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Server IP as Title; select Server IP as Data Binding; input Server IP as Legend. Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; input Sessions as Legend. Select order by Sessions descending. Show Top 30. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Security Event Top 30 Server IP Distribution. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Server-IP. \item Select \textbf{Chart Type}: Bar. \item Set the \textbf{Data Bindings} for X-Axis and Y-Axis. For X-Axis, select Server IP as Data Binding; set Server IP as Label; set Show Top to 30. For Y-Axis, select Sessions as Data Binding; select Counter(K/M/G) as Format; set Label to Sessions. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Security Event Top 10 Server IP Percent. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Server-IP. \item Select \textbf{Chart Type}: Pie. \item Set the \textbf{Data Bindings} for Category and Series. For Category, select Server IP as Data Binding; set Server IP as Label; set Show Top to 10. For Series, select Sessions as Data Binding; select Counter(K/M/G) as Format; set Label to Sessions. Check Bundle rest into ‘Others’. \item Click \textbf{OK}. \end{enumerate} \end{enumerate} \item[STEP 3.] Create a Report. \begin{enumerate} \item Enter a \textbf{Name}, Security Event Report with Domain google.com. \item Select a \textbf{Time Period}. Select last 1 day. \item Select the \textbf{Chart Library} you just created. Click Add Chart to add multiple charts. \begin{enumerate} \item Select Security Intercept Event Metrics Trend. 
Set 5 minutes for \textbf{Time Granularity}. \item Select Security Event Action Hit Sessions Trend. Set 5 minutes for \textbf{Time Granularity}. \item Select Security Event Top 30 Server IP Detail. Set 5 minutes for \textbf{Time Granularity}. \item Select Security Event Top 30 Server IP Distribution. \item Select Security Event Top 10 Server IP Percent. \end{enumerate} \item Specify \textbf{Filter}. Select Http.Domain as Field; select “=” as Operator; set Value to google.com. \item Click \textbf{OK}. \end{enumerate} \end{description}
%\pdfbookmark[2]{The 8th: Endpoints Access Analysis for Specific City}{The 8th: Endpoints Access Analysis for Specific City} \subsection*{\hypertarget{link:The 8th: Endpoints Access Analysis for Specific City}{The 8$^{th}$: Endpoints Access Analysis for Specific City}} \addcontentsline{toc}{subsection}{The 8$^{th}$: Endpoints Access Analysis for Specific City} \label{sec:appendix_f:report:8th} Customize a report to analyze endpoint access for a specific Data Center. For example, create a report to analyze session records that describe endpoint information in a specific Data Center. It will include 2 charts and tables: one displays the trend in the number of unique External IPs, Internal IPs and Subscriber IDs against bandwidth, and the other shows the unique Client IP count and unique Subscriber ID count for the Top 100 domains. \begin{description}
\item[STEP 1.] Create 2 Datasets. Select \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}. Select the same \textbf{Log Type} for the 2 datasets: Session Records. \begin{enumerate} \item Create a Dataset with \textbf{Name} Traffic-Endpoints-Metrics-Trend. \begin{enumerate} \item Select Receive Time as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Now add 5 items. \begin{enumerate} \item Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes.
\item Field select Sessions; aggregate select sum; Label set to Sessions. \item Field select Internal IP; aggregate select count distinct; Label set to Unique Internal IP. \item Field select External IP; aggregate select count distinct; Label set to Unique External IP. \item Field select Subscriber ID; aggregate select count distinct; Label set to Unique Subscriber ID. \end{enumerate} \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Traffic-Top-Domain-with-Unique-Client-IP-and-Subscriber-ID. \begin{enumerate} \item Select Http.Domain as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Now add 2 items. \begin{enumerate} \item Field select Client IP; aggregate select count distinct; Label set to Unique Client IP. \item Field select Subscriber ID; aggregate select count distinct; Label set to Unique Subscriber ID. \end{enumerate} \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Session Records with empty domain. \item Click \textbf{OK}. \end{enumerate} \end{enumerate}
\item[STEP 2.] Create 2 Chart Libraries. Charts set the display form of the data. Select \textbf{Reports} > \textbf{Chart Library} menu, and click Create. \begin{enumerate} \item Create a Chart Library with \textbf{Name} Traffic Endpoints Metrics Trend. \begin{enumerate} \item Select \textbf{Dataset} Traffic-Endpoints-Metrics-Trend. \item Select \textbf{Chart Type}: Line. \item Set the \textbf{Data Bindings} for X-Axis and Lines. Select Receive Time defined in Group By from dataset as X-Axis. Select Time as Format.
For Lines, select Unique External IP as Data Binding; select Counter(K/M/G) as Format; select Line Up as Type; input Unique External IP as Legend; select Unique Internal IP as Data Binding; select Counter(K/M/G) as Format; select Line Up as Type; input Unique Internal IP as Legend; select Unique Subscriber ID as Data Binding; select Counter(K/M/G) as Format; select Line Up as Type; input Unique Subscriber ID as Legend. Select Bytes as Data Binding; select Bandwidth(Kbps/Mbps/Gbps) as Format; select Line Down as Type; input bps as Legend. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Traffic Top 100 Domains with Unique Client IP and Subscriber ID. \begin{enumerate} \item Select \textbf{Dataset} Traffic-Top-Domain-with-Unique-Client-IP-and-Subscriber-ID. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Regular as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Domain as Title; select Http.Domain as Data Binding; input Http.Domain as Legend. Fill in Unique Client IP as Title; select Unique Client IP as Data Binding; select Counter(K/M/G) as Format; input Unique Client IP as Legend. Fill in Unique Subscriber ID as Title; select Unique Subscriber ID as Data Binding; select Counter(K/M/G) as Format; input Unique Subscriber ID as Legend. Select order by Unique Client IP descending. Show Top 100. \item Click \textbf{OK}. \end{enumerate} \end{enumerate} \item[STEP 3.] Create a Report. \begin{enumerate} \item Enter a \textbf{Name}, Traffic Report with Data Center DC1 and DC2. \item Select a \textbf{Time Period}. Select last 1 day. \item Select the \textbf{Chart Library} you just created. Click Add Chart to add multiple charts. \begin{enumerate} \item Select Traffic Endpoints Metrics Trend. Set 5 minutes for \textbf{Time Granularity}. \item Select Traffic Top 100 Domains with Unique Client IP and Subscriber ID. 
\end{enumerate} \item Specify \textbf{Filter}. Select Data Center as Field; select “=” as Operator; set Value to DC1 and DC2. \item Click \textbf{OK}. \end{enumerate} \end{description}
%\pdfbookmark[2]{The 9th: Endpoints Details Analysis for Intercept Action }{The 9th: Endpoints Details Analysis for Intercept Action } \subsection*{\hypertarget{link:The 9th: Endpoints Details Analysis for Intercept Action }{The 9$^{th}$: Endpoints Details Analysis for Intercept Action }} \addcontentsline{toc}{subsection}{The 9$^{th}$: Endpoints Details Analysis for Intercept Action} \label{sec:appendix_f:report:9th} Customize a report to analyze endpoint details for the intercept action. For example, create a report to analyze Security Events across multiple endpoint dimensions. It will include 8 charts and tables that display endpoint statistics, including Top Client IP, Server IP, Internal IP and External IP (by Sessions with Bandwidth), Top Domain Distribution (by Sessions with Bandwidth), Top Domain Drilldown Internal IP (by Sessions), Top Domain Drilldown Server IP (by Bandwidth), and Top Subscriber ID Drilldown Domain (by Sessions). This example also shows what Drilldown tables and bar charts mean and how to create them. \begin{description}
\item[STEP 1.] Create 8 Datasets. Select \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}. Select the same \textbf{Log Type} for all of these datasets: Security Event. \begin{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Internal-IP-by-Sessions-with-Bandwidth. \begin{enumerate} \item Select Internal IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Now add 4 items. \begin{enumerate} \item Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes.
\item Field select Bytes Sent; aggregate select sum; Label set to Bytes Sent. \item Field select Bytes Received; aggregate select sum; Label set to Bytes Received. \item Field select Log ID; Label set to Sessions. \end{enumerate} \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-External-IP-by-Sessions-with-Bandwidth. \begin{enumerate} \item Select External IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Now add 4 items. \begin{enumerate} \item Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes. \item Field select Bytes Sent; aggregate select sum; Label set to Bytes Sent. \item Field select Bytes Received; aggregate select sum; Label set to Bytes Received. \item Field select Log ID; Label set to Sessions. \end{enumerate} \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Client-IP-by-Sessions-with-Bandwidth. \begin{enumerate} \item Select Client IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Now add 4 items. \begin{enumerate} \item Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes. \item Field select Bytes Sent; aggregate select sum; Label set to Bytes Sent. \item Field select Bytes Received; aggregate select sum; Label set to Bytes Received. \item Field select Log ID; Label set to Sessions. \end{enumerate} \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Server-IP-by-Sessions-with-Bandwidth. \begin{enumerate} \item Select Server IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Now add 4 items. 
\begin{enumerate} \item Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes. \item Field select Bytes Sent; aggregate select sum; Label set to Bytes Sent. \item Field select Bytes Received; aggregate select sum; Label set to Bytes Received. \item Field select Log ID; Label set to Sessions. \end{enumerate} \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Domain-by-Sessions. \begin{enumerate} \item Select Http.Domain as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Field select Log ID; Label set to Sessions. \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Events with empty Domain. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Domain-by-Internal-IP-and-Sessions. \begin{enumerate} \item Select Http.Domain and Internal IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Field select Log ID; Label set to Sessions. \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Events with empty Domain. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Domain-by-Server-IP-and-Bandwidth. \begin{enumerate} \item Select Http.Domain and Server IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes. \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Events with empty Domain. \item Click \textbf{OK}. 
\end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Subscriber-ID-by-Website-Domains-and-Sessions. \begin{enumerate} \item Select Http.Domain and Subscriber ID as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Field select Log ID; Label set to Sessions. \item Specify \textbf{Filter}. You can add multiple items. Select Http.Domain as Field; select notEmpty as Operator. Click add and select Subscriber ID as Field; select notEmpty as Operator. This configuration will exclude Security Events with empty Domain and Subscriber ID. \item Click \textbf{OK}. \end{enumerate} \end{enumerate}
\item[STEP 2.] Create 9 Chart Libraries. Charts set the display form of the data. Select \textbf{Reports} > \textbf{Chart Library} menu, and click \textbf{Create}. \begin{enumerate} \item Create a Chart Library with \textbf{Name} Top 20 Internal IP by Sessions with Bandwidth. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Internal-IP-by-Sessions-with-Bandwidth. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Regular as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Internal IP as Title; select Internal IP as Data Binding; input Internal IP as Legend. Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; input Sessions as Legend. Fill in Bytes as Title; select Bytes as Data Binding; select Bandwidth(KB/MB/GB) as Format; input Bytes as Legend. Fill in Bandwidth as Title; select Bytes Sent as Data Binding; select Bar as Format; input Bytes Sent as Legend; select Bytes Received as Data Binding; select Bar as Format; input Bytes Received as Legend. Select order by Sessions descending. Show Top 20. \item Click \textbf{OK}.
\end{enumerate} \item Create a Chart Library with \textbf{Name} Top 20 External IP by Sessions with Bandwidth. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-External-IP-by-Sessions-with-Bandwidth. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Regular as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in External IP as Title; select External IP as Data Binding; input External IP as Legend. Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; input Sessions as Legend. Fill in Bytes as Title; select Bytes as Data Binding; select Bandwidth(KB/MB/GB) as Format; input Bytes as Legend. Fill in Bandwidth as Title; select Bytes Sent as Data Binding; select Bar as Format; input Bytes Sent as Legend; select Bytes Received as Data Binding; select Bar as Format; input Bytes Received as Legend. Select order by Sessions descending. Show Top 20. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Top 20 Client IP by Sessions with Bandwidth. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Client-IP-by-Sessions-with-Bandwidth. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Regular as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Client IP as Title; select Client IP as Data Binding; input Client IP as Legend. Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; input Sessions as Legend. Fill in Bytes as Title; select Bytes as Data Binding; select Bandwidth(KB/MB/GB) as Format; input Bytes as Legend. Fill in Bandwidth as Title; select Bytes Sent as Data Binding; select Bar as Format; input Bytes Sent as Legend; select Bytes Received as Data Binding; select Bar as Format; input Bytes Received as Legend.
Select order by Sessions descending. Show Top 20. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Top 20 Server IP by Sessions with Bandwidth. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Server-IP-by-Sessions-with-Bandwidth. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Regular as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Server IP as Title; select Server IP as Data Binding; input Server IP as Legend. Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; input Sessions as Legend. Fill in Bytes as Title; select Bytes as Data Binding; select Bandwidth(KB/MB/GB) as Format; input Bytes as Legend. Fill in Bandwidth as Title; select Bytes Sent as Data Binding; select Bar as Format; input Bytes Sent as Legend; select Bytes Received as Data Binding; select Bar as Format; input Bytes Received as Legend. Select order by Sessions descending. Show Top 20. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Top 20 Website Domains Sessions Distribution. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Domain-by-Sessions. \item Select \textbf{Chart Type}: Bar. \item Set the \textbf{Data Bindings} for X-Axis and Y-Axis. For X-Axis, select Domain as Data Binding; set Domain as Label; set Show Top to 20. For Y-Axis, select Sessions as Data Binding; select Counter(K/M/G) as Format; set Label to Sessions. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Top 20 Website Domains by Internal IP and Sessions. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Domain-by-Internal-IP-and-Sessions. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Drilldown as Table Type. Click to add Column.
Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Domain as Title; select Domain as Data Binding; input Domain as Legend. Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; input Sessions as Legend. Fill in Internal IP as Title; select Internal IP as Data Binding; input Internal IP as Legend. Check Bundle rest into ‘Others’. Select order by Sessions descending. Show Top 20. For Drilldown, fill in Show Top 20. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Top 20 Website Domains by Server IP and Bandwidth. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Domain-by-Server-IP-and-Bandwidth. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Drilldown as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Domain as Title; select Domain as Data Binding; input Domain as Legend. Fill in Server IP as Title; select Server IP as Data Binding; input Server IP as Legend. Fill in Bytes as Title; select Bytes as Data Binding; select Bandwidth(KB/MB/GB) as Format; input Bytes as Legend. Check Bundle rest into ‘Others’. Select order by Bytes descending. Show Top 20. For Drilldown, fill in Show Top 20. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Top 20 Subscriber ID by Website domains and Sessions. \begin{enumerate} \item Select \textbf{Dataset} Security-Event-Top-Subscriber-ID-by-Website-Domains-and-Sessions. \item Select \textbf{Chart Type}: Table. \item For \textbf{Data Bindings}, select Drilldown as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Domain as Title; select Domain as Data Binding; input Domain as Legend. Fill in Subscriber ID as Title; select Subscriber ID as Data Binding; input Subscriber ID as Legend.
Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; input Sessions as Legend. Check Bundle rest into ‘Others’. Select order by Sessions descending. Show Top 20. For Drilldown, fill in Show Top 20. \item Click \textbf{OK}. \end{enumerate} \end{enumerate}
\item[STEP 3.] Create a Report. \begin{enumerate} \item Enter a \textbf{Name}, Security Event Intercept Endpoints Report. \item Select a \textbf{Time Period}. Select last 1 day. \item Select the \textbf{Chart Library} you just created. Click Add Chart to add multiple charts. \begin{enumerate} \item Select Top 20 Internal IP by Sessions with Bandwidth. \item Select Top 20 External IP by Sessions with Bandwidth. \item Select Top 20 Client IP by Sessions with Bandwidth. \item Select Top 20 Server IP by Sessions with Bandwidth. \item Select Top 20 Website Domains Sessions Distribution. \item Select Top 20 Website Domains by Internal IP and Sessions. \item Select Top 20 Website Domains by Server IP and Bandwidth. \item Select Top 20 Subscriber ID by Website domains and Sessions. \end{enumerate} \item Specify \textbf{Filter}. Select Action as Field; select “=” as Operator; set Value to Intercept. \item Click \textbf{OK}. \end{enumerate} \end{description}
%\pdfbookmark[2]{The 10th: Traffic QoS Analysis for Specific Data Center }{The 10th: Traffic QoS Analysis for Specific Data Center } \subsection*{\hypertarget{link:The 10th: Traffic QoS Analysis for Specific Data Center }{The 10$^{th}$: Traffic QoS Analysis for Specific Data Center }} \addcontentsline{toc}{subsection}{The 10$^{th}$: Traffic QoS Analysis for Specific Data Center} \label{sec:appendix_f:report:10th} Customize a report to diagnose traffic statistics for a specific data center. For example, create a report to analyze traffic QoS for Data Center DC2.
It will include 4 charts and tables that display network traffic QoS, including Estimated One-sided Connections, Internal IP at Top ADC Bandwidth Trend, SSL Certificate Installation Unique Client IP Trend and Top Internal IP Drilldown Sled IP (by Sessions). \begin{description}
\item[STEP 1.] Create Datasets. Select \textbf{Reports} > \textbf{Datasets} menu. \begin{enumerate} \item Select a predefined Dataset with \textbf{Name} Estimated-One-sided-Connections. You can use the search function: click it, select Name, and enter the given name. \item Create a Dataset with \textbf{Name} Traffic-Bandwidth-Trend-ADC-Internal-IP-192.168.50.2. \begin{enumerate} \item Select Session Records for \textbf{Log Type}. \item Select Device ID and Receive Time as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes. \item Specify \textbf{Filter}. Select Internal IP as Field; select “=” as Operator; set Value to 192.168.50.2. This configuration restricts the data source to the ADC with internal IP 192.168.50.2. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Unique-Client-Security-Intercept-Event-with-Bytes. \begin{enumerate} \item Select Security Event for \textbf{Log Type}. \item Select Receive Time as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Now add 2 items. \begin{enumerate} \item Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes. \item Field select Client IP; aggregate select count distinct; Label set to Unique Client IP. \end{enumerate} \item Specify \textbf{Filter}. Select SSL.Intercept State as Field; select “=” as Operator; set Value to Intercept. This configuration will only include Security Events with intercept action. \item Specify \textbf{Having}.
Field select Bytes Sent and Bytes Received; Aggregate select sum; Operator select “>=”; Value set to 65535. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Traffic-Top-Internal-IP-by-Sled-IP-and-Sessions. \begin{enumerate} \item Select Session Records for \textbf{Log Type}. \item Select Internal IP and Sled IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. Field select Sessions; aggregate select sum; Label set to Sessions. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Traffic-Top-Domain-by-Establish-Latency-Time. \begin{enumerate} \item Select Session Records for \textbf{Log Type}. \item Select Http.Domain as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. Field select Establish Latency(ms); aggregate select avg; Label set to Avg Establish Latency(ms). \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude empty domains. \item Click \textbf{OK}. \end{enumerate} \end{enumerate}
\item[STEP 2.] Create 4 Chart Libraries. Charts set the display form of the data. Select \textbf{Reports} > \textbf{Chart Library} menu, and click Create. \begin{enumerate} \item Create a Chart Library with \textbf{Name} Estimated One-sided Connections with Bandwidth. \begin{enumerate} \item Select \textbf{Dataset} Estimated-One-sided-Connections. \item Select \textbf{Chart Type}: Area. \item Set the \textbf{Data Bindings} for X-Axis and Lines. Select Receive Time defined in Group By from dataset as X-Axis. Select Time as Format. You can add multiple Data Binding for Lines. \begin{enumerate} \item Select Bytes as Data Binding; select Bandwidth (Kbps/Mbps/Gbps) as Format; select Line Down as Type; input bps as Legend. \item Select one\_side\_percent as Data Binding; select Default as Format; select Line Up as Type; input percent as Legend.
\end{enumerate} \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Traffic Bandwidth Trend Top 10 ADC Internal IP 192.168.50.2. \begin{enumerate} \item Select \textbf{Dataset} Traffic-Bandwidth-Trend-ADC-Internal-IP-192.168.50.2. \item Select \textbf{Chart Type}: Line. \item Set the \textbf{Data Bindings} for X-Axis and Lines. Select Receive Time defined in Group By from dataset as X-Axis. Select Time as Format. For Lines, select Bytes as Data Binding; select Bandwidth(Kbps/Mbps/Gbps) as Format; select Line Up as Type; input bps as Legend. Group By Device ID; Order By Bytes Descending; Show Top 10. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Security Intercept Event Certificated Unique Client Trend. \begin{enumerate} \item Select \textbf{Dataset} Unique-Client-Security-Intercept-Event-with-Bytes. \item Select \textbf{Chart Type}: Line. \item Set the \textbf{Data Bindings} for X-Axis and Lines. Select Receive Time defined in Group By from dataset as X-Axis. Select Time as Format. For Lines, select Unique Client IP as Data Binding; select Counter(K/M/G) as Format; select Line Up as Type; input Unique Client IP as Legend. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Traffic Top 20 Internal IP by Sled IP and Sessions. \begin{enumerate} \item Select \textbf{Dataset} Traffic-Top-Internal-IP-by-Sled-IP-and-Sessions. \item Select \textbf{Chart Type}: Table \item For \textbf{Data Bindings}, select Drilldown as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Internal IP as Title; select Internal IP as Data Binding; input Internal IP as Legend. Fill in Sled IP as Title; select Sled IP as Data Binding; input Sled IP as Legend. Fill in Sessions as Title; select Sessions as Data Binding; select Counter(K/M/G) as Format; input Sessions as Legend. Select order by Sessions descending. 
Show Top 20. For Drilldown, Fill in Show Top 20. \item Click \textbf{OK}. \end{enumerate} \item Create a Chart Library with \textbf{Name} Top 100 Most Time Consuming Domains. \begin{enumerate} \item Select \textbf{Dataset} Traffic-Top-Domain-by-Establish-Latency-Time. \item Select \textbf{Chart Type}: Table \item For \textbf{Data Bindings}, select Regular as Table Type. Click to add Column. Complete Title, Width, Data Binding, Format and Legend for each column. Fill in Domain as Title; select Domain as Data Binding; input Domain as Legend. Fill in Avg Establish Latency(ms) as Title; select Avg Establish Latency(ms) as Data Binding; input Avg Establish Latency(ms) as Legend. Select order by Avg Establish Latency(ms) descending. Show Top 100. \item Click \textbf{OK}. \end{enumerate} \end{enumerate} \item[STEP 3.] Create a Report. \begin{enumerate} \item Enter a \textbf{Name}, Security Event Intercept Endpoints Report. \item Select a \textbf{Time Period}. Select last 1 day. \item Select the \textbf{Chart Library} you just created. Click Add Chart to add multiple charts. \begin{enumerate} \item Select Estimated One-sided Connections with Bandwidth. Set 5 minutes for \textbf{Time Granularity}. \item Select Traffic Bandwidth Trend Top 10 ADC Internal IP 192.168.50.2. Set 5 minutes for \textbf{Time Granularity}. \item Select Security Intercept Event Certificated Unique Client Trend. Set 1 hour for \textbf{Time Granularity}. \item Select Traffic Top 20 Internal IP by Sled IP and Sessions. \item Select Top 100 Most Time Consuming Domains. \end{enumerate} \item Specify \textbf{Filter}. Select Data Center as Field; select “=” as Operator; set Value to DC2. \item Click \textbf{OK}. \end{enumerate} \end{description}
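The dataset definitions in STEP 1 are group-by/aggregate queries with a Filter and a Having clause. As an added example, not the product's own code or query engine, the following Python reproduces two of them (the intercept-event dataset and the Internal IP by Sled IP dataset with its chart's ordering) over constructed sample records in SQLite, so the report's figures can be cross-checked offline; it assumes that binding both Bytes Sent and Bytes Received to one sum yields their total, and all table and column names are invented.

```python
import sqlite3

# Constructed sample logs, not taken from the product; columns mirror the dataset
# dialog fields (Receive Time, Client IP, SSL.Intercept State, Bytes Sent, ...).
SECURITY_EVENTS = [  # (receive_time, client_ip, intercept_state, bytes_sent, bytes_received)
    ("2024-01-01 10:00", "10.0.0.1", "Intercept", 40000, 30000),
    ("2024-01-01 10:00", "10.0.0.2", "Intercept", 10000, 5000),
    ("2024-01-01 10:00", "10.0.0.1", "Bypass",    90000, 90000),  # removed by Filter
    ("2024-01-01 11:00", "10.0.0.3", "Intercept",  1000,  2000),  # removed by Having
]
SESSION_RECORDS = [  # (internal_ip, sled_ip, sessions)
    ("192.168.50.2", "10.1.0.1", 120),
    ("192.168.50.2", "10.1.0.1", 80),
    ("192.168.50.2", "10.1.0.2", 50),
    ("192.168.50.3", "10.1.0.1", 150),
]

def load_db():
    # Load the constructed logs into an in-memory SQLite database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE security_event(receive_time, client_ip, "
               "intercept_state, bytes_sent, bytes_received)")
    db.execute("CREATE TABLE session_record(internal_ip, sled_ip, sessions)")
    db.executemany("INSERT INTO security_event VALUES (?,?,?,?,?)", SECURITY_EVENTS)
    db.executemany("INSERT INTO session_record VALUES (?,?,?)", SESSION_RECORDS)
    return db

def unique_client_intercept_events(db, min_bytes=65535):
    """Dataset Unique-Client-Security-Intercept-Event-with-Bytes: Group by Receive
    Time; Bytes = sum(Bytes Sent + Bytes Received) (assumed meaning of binding both
    fields to one sum); Unique Client IP = count distinct Client IP;
    Filter SSL.Intercept State = Intercept; Having Bytes >= 65535."""
    return db.execute(
        "SELECT receive_time, SUM(bytes_sent + bytes_received) AS bytes, "
        "COUNT(DISTINCT client_ip) AS unique_client_ip "
        "FROM security_event WHERE intercept_state = 'Intercept' "
        "GROUP BY receive_time HAVING SUM(bytes_sent + bytes_received) >= ? "
        "ORDER BY receive_time", (min_bytes,)).fetchall()

def top_internal_ip_by_sled_ip(db, top=20):
    """Dataset Traffic-Top-Internal-IP-by-Sled-IP-and-Sessions with the chart's
    ordering: Group by Internal IP, Sled IP; Sessions = sum; descending; Show Top N."""
    return db.execute(
        "SELECT internal_ip, sled_ip, SUM(sessions) AS sessions FROM session_record "
        "GROUP BY internal_ip, sled_ip ORDER BY SUM(sessions) DESC LIMIT ?",
        (top,)).fetchall()

if __name__ == "__main__":
    db = load_db()
    print(unique_client_intercept_events(db))  # [('2024-01-01 10:00', 85000, 2)]
```

The Having threshold of 65535 drops any time bucket whose intercepted traffic totals less than that many bytes, so a quiet hour produces no point on the Unique Client IP trend line; the constructed 11:00 bucket shows this.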
