GenieATM ISPEdition UserManual v5.3.2 Eng (NetStream) PDF

GenieATM
User Manual
Version 5.3
Copyright 2009 belongs to Genie Network Resource Management Inc.

Copyright Reserved
For the main contents contained in these written materials, Genie Network Resource Management Inc.
owns the patent right, patent priority right, trademark right, copyright and other intellectual property
rights. No part of the manual may be added, omitted, edited, copied, altered, or faked without the prior
written permission of Genie Network Resource Management Inc.
Network Resource Management Inc. reserves the right to alter the contents of this publication without
advance notice. All the examples in this publication are used to assist the administrators or the users
to operate the system easily. The regulations of copyright law should be obeyed when using the
software. On the premise of not violating the copyright laws, without the prior written permission of
Genie Network Resource Management Inc., no parts of this publication can be reproduced or used in
any form or by any means (electronic or mechanical, including photocopying and recording) on any
type of information storing and retrieval system.
Product Serial Number

Date of Purchase
Contents
1
Introduction.................................................................................................................1
System and Functions Overview ...............................................................................2

2.1
2.2
2.3
System Overview ................................................................................................2

System Screen Overview ....................................................................................3
2.2.1
System Screen........................................................................................................... 3
2.2.2
System Functions Overview ...................................................................................... 6
System Login/Logout......................................................................................... 11
2.3.1
Login the system.......................................................................................................11
2.3.2
Logging out the system............................................................................................ 12
System Admin Function ...........................................................................................13

3.1
3.2
3.3
User ..................................................................................................................13
3.1.1
Local User Account .................................................................................................. 13
3.1.2
Privilege Template.................................................................................................... 18
3.1.3
Online User .............................................................................................................. 20
3.1.4
Remote Authentication............................................................................................. 21
Device ...............................................................................................................22
3.2.1
Controller ................................................................................................................. 22
3.2.2
Collector ................................................................................................................... 24
3.2.3
MSP Server.............................................................................................................. 27
3.2.4
Flow Load Balancers ............................................................................................... 29
Network.............................................................................................................33
3.3.1
3.3.1.1
Home Network ............................................................................................. 33
3.3.1.2
ATD White List.............................................................................................. 35
3.3.2
Dark IP ..................................................................................................................... 36
3.3.3
Router ...................................................................................................................... 37
3.3.3.1
Router........................................................................................................... 38
3.3.3.2
Interfaces...................................................................................................... 43
3.3.3.3
Recomm. to Add/Edit ................................................................................... 47
3.3.3.4
Recomm. to Remove ................................................................................... 48
3.3.4
Internet Boundary .................................................................................................... 49
3.3.5
Backbone Links........................................................................................................ 53
3.3.6
Neighbor .................................................................................................................. 55
3.3.7
Sub-Network ............................................................................................................ 57
3.3.8
Server....................................................................................................................... 66
3.3.9
MSP Customer......................................................................................................... 72
3.3.9.1
MSP Customer ............................................................................................. 72
3.3.9.2
Boundary Template ...................................................................................... 75
3.3.9.3
MSP User Account ....................................................................................... 77
3.3.9.4
Privilege Template ........................................................................................ 77
3.3.10
Home Network ......................................................................................................... 33
Filter ....................................................................................................................... 79
3.3.10.1
Factor ......................................................................................................... 79
3.3.10.2
Filter ........................................................................................................... 84
3.3.10.3
Filter Batch ................................................................................................. 93
2009 Genie Network Resource Management Inc. All Rights Reserved.
3.3.11
Application ............................................................................................................. 96
3.3.12
Anomaly ............................................................................................................... 100
3.3.12.1
Protocol-Misuse Anomaly......................................................................... 101
3.3.12.2
Application Anomaly................................................................................. 102
3.3.13
3.4
3.5
3.6
Template .............................................................................................................. 108
3.3.13.1
Baseline Template .................................................................................... 108
3.3.13.2
Sub-Network Boundary .............................................................................117
3.3.13.3
Server-farm Boundary.............................................................................. 120
3.3.13.4
Server TopN Report ................................................................................. 122
Configuration...................................................................................................125
Mitigation.........................................................................................................129
3.5.1
Blackhole ............................................................................................................... 129
3.5.2
Device .................................................................................................................... 133
3.5.2.1
Guard ......................................................................................................... 133
3.5.2.2
Eudemon .................................................................................................... 137
3.5.2.3
Global ......................................................................................................... 141
Preferences.....................................................................................................142
3.6.1
Status ..................................................................................................................... 142
3.6.2
Storage................................................................................................................... 143
3.6.3
Report .................................................................................................................... 146
3.6.4
Notification ............................................................................................................. 148
3.6.4.1
System Notification .................................................................................... 149
3.6.4.2
Router Notification...................................................................................... 151
3.6.4.3
Sub-Network Notification............................................................................ 152
3.6.4.4
MSP Customer Notification ........................................................................ 153
3.6.4.5
Filter Notification ........................................................................................ 154
3.6.5
Name Mapping....................................................................................................... 155
3.6.5.1
Services...................................................................................................... 156
3.6.5.2
Protocols .................................................................................................... 157
3.6.5.3
ASNs .......................................................................................................... 158
3.6.5.4
Area............................................................................................................ 160
3.6.5.5
IP to Area.................................................................................................... 161
3.6.6
Group ..................................................................................................................... 163
3.6.6.1
User............................................................................................................ 163
3.6.6.2
Router......................................................................................................... 166
3.6.6.3
Sub-Network .............................................................................................. 168
3.6.6.4
Server-farm ................................................................................................ 170
3.6.6.5
Neighbor..................................................................................................... 172
3.6.6.6
Filter ........................................................................................................... 175
3.6.6.7
MSP Customer User .................................................................................. 177
3.6.7
Baseline History ..................................................................................................... 179
3.6.7.1
Sub-Network Baseline History ................................................................... 179
3.6.7.2
MSP Customer Baseline History................................................................ 180
3.6.7.3
Filter Baseline History ................................................................................ 182
3.6.8
Offline Report ......................................................................................................... 183
3.6.8.1
Scheduler Template ................................................................................... 183
3.6.8.2
Sub-Network .............................................................................................. 185

II
3.6.9
3.7
4
Report Rebuild ................................................................................................188
Status.......................................................................................................................191
4.1
4.2
4.3
Summary.........................................................................................................191
4.1.1
Global..................................................................................................................... 191
4.1.2
MSP Server............................................................................................................ 193
4.1.3
Anomaly ................................................................................................................. 193
4.1.4
System ................................................................................................................... 195
4.1.5
Resources .............................................................................................................. 198
Anomaly Console ............................................................................................199

4.2.1
Global..................................................................................................................... 199
4.2.2
MSP Server............................................................................................................ 206
Log..................................................................................................................207
4.3.1
Alert Log................................................................................................................. 207
4.3.2
Mitigation Log......................................................................................................... 208
Snapshot .................................................................................................................210
Mitigation.................................................................................................................218
6.1
6.2
Blackhole ........................................................................................................218
Hardware Mitigation ........................................................................................221
6.2.1
Guard ..................................................................................................................... 221
6.2.2
Eudemon................................................................................................................ 225
Report ......................................................................................................................227
7.1
Internet............................................................................................................227
7.1.1
Summary Report.................................................................................................... 227
7.1.2
Breakdown Report ................................................................................................. 229
7.1.2.1
Sub-Network .............................................................................................. 229
7.1.2.2
Origin ASN.................................................................................................. 230
7.1.2.3
Peer ASN.................................................................................................... 231
7.1.2.4
Peering Analysis......................................................................................... 231
7.1.2.5
AS Path Length .......................................................................................... 231
7.1.3
7.2
Attribute Report...................................................................................................... 232
7.1.3.1
Application.................................................................................................. 232
7.1.3.2
Protocol ...................................................................................................... 234
7.1.3.3
Protocol+Port ............................................................................................. 234
7.1.3.4
TOS ............................................................................................................ 235
7.1.3.5
Packet Size ................................................................................................ 235
Neighbor .........................................................................................................236
7.2.1
Summary Report.................................................................................................... 236
7.2.1.1
Compare..................................................................................................... 236
7.2.1.2
Detail .......................................................................................................... 237
7.2.2
III
Remote Update...................................................................................................... 187
7.2.2.1
Sub-Network .............................................................................................. 239
7.2.2.2
Neighbor..................................................................................................... 239
7.2.2.3
AS Path Length .......................................................................................... 240
7.2.2.4
BGP Message ............................................................................................ 240
7.2.2.5
7.2.3
7.3
7.4
7.5
7.6
Origin ASN.................................................................................................. 242
7.2.3.1
Application.................................................................................................. 242
7.2.3.2
Protocol ...................................................................................................... 243
7.2.3.3
Protocol+Port ............................................................................................. 243
7.2.3.4
TOS ............................................................................................................ 244
7.2.3.5
Packet Size ................................................................................................ 245
Backbone ........................................................................................................246
7.3.1
Summary Report.................................................................................................... 246
7.3.2
Core Router ........................................................................................................... 247
7.3.2.1
Compare..................................................................................................... 247
7.3.2.2
Detail .......................................................................................................... 248
Router .............................................................................................................250
7.4.1
Traffic ..................................................................................................................... 250
7.4.2
Performance .......................................................................................................... 251
7.4.3
BGP Message ........................................................................................................ 252
7.4.4
BGP Next Hop ....................................................................................................... 254
7.4.5
MPLS ..................................................................................................................... 255
7.4.5.1
Summary Report ........................................................................................ 255
7.4.5.2
Class of Services ....................................................................................... 256
7.4.5.3
Egress PE .................................................................................................. 257
Interface ..........................................................................................................258
7.5.1
Compare ................................................................................................................ 258
7.5.2
Detail ...................................................................................................................... 259
7.5.3
Top Talker............................................................................................................... 261
7.5.4
7.5.4.1
Application.................................................................................................. 262
7.5.4.2
Protocol ...................................................................................................... 263
7.5.4.3
Protocol+Port ............................................................................................. 263
7.5.4.4
TOS ............................................................................................................ 264
7.5.4.5
Packet Size ................................................................................................ 264
Sub-Network ...................................................................................................265
7.6.1
Summary Report.................................................................................................... 265
7.6.1.1
Compare..................................................................................................... 265
7.6.1.2
Detail .......................................................................................................... 266
7.6.2
7.6.2.1
Sub-Network .............................................................................................. 268
7.6.2.2
Sub-Network Matrix.................................................................................... 269
7.6.2.3
Neighbor ASN ............................................................................................ 270
7.6.2.4
Neighbor Matrix .......................................................................................... 270
7.6.2.5
Origin ASN.................................................................................................. 271
7.6.2.6
Top Talker ................................................................................................... 271
7.6.3
7.6.3.1
Application.................................................................................................. 272
7.6.3.2
Protocol ...................................................................................................... 272
7.6.3.3
Protocol+Port ............................................................................................. 273
7.6.3.4
TOS ............................................................................................................ 274

IV
7.6.3.5
7.7
Server .............................................................................................................275
7.7.1
Compare..................................................................................................... 275
7.7.1.2
Detail .......................................................................................................... 276

Sub-Network .............................................................................................. 278
7.7.2.2
Neighbor ASN ............................................................................................ 279
7.7.2.3
Origin ASN.................................................................................................. 280
7.7.2.4
Area............................................................................................................ 280
Application.................................................................................................. 281
7.7.3.2
Protocol ...................................................................................................... 281
7.7.3.3
Protocol/Port .............................................................................................. 282
7.7.3.4
TOS ............................................................................................................ 282
7.7.3.5
Packet Size ................................................................................................ 283
TopN Report........................................................................................................... 283
Rule-based Report ..........................................................................................285

7.8.1
Summary Report.................................................................................................... 285
7.8.1.1
Compare..................................................................................................... 285
7.8.1.2
Detail .......................................................................................................... 286
7.8.2
TopN Report........................................................................................................... 288
MSP Customer ........................................................................................................290

8.1
8.2
Anomaly Console ............................................................................................290

Report .............................................................................................................296
8.2.1
Traffic ..................................................................................................................... 296
8.2.2
Boundary Traffic..................................................................................................... 297
8.2.3
Top Talker............................................................................................................... 298
8.2.4
8.2.4.1
Application.................................................................................................. 300
8.2.4.3
Protocol/Port .............................................................................................. 302
8.2.4.5
Packet Size ................................................................................................ 303
8.2.5
TopN Report........................................................................................................... 303
Anomaly Activities..................................................................................................305
9.1
9.2
7.7.3.1
7.7.4
7.7.2.1
7.7.3
Summary Report.................................................................................................... 275
7.7.1.1
7.7.2
7.8
Packet Size ................................................................................................ 274
Dark IP ............................................................................................................305
9.1.1
Summary Report.................................................................................................... 305
9.1.2
9.1.2.1
Infected Hosts ............................................................................................ 306
9.1.2.2
Victim Hosts ............................................................................................... 308
9.1.2.3
Interface ..................................................................................................... 309
9.1.2.4
Sub-Network .............................................................................................. 309
Worm .............................................................................................................. 311

9.2.1
Summary Report.....................................................................................................311
9.2.2
9.2.2.1
Infected Hosts ............................................................................................ 312
9.2.2.2
Interface ..................................................................................................... 314
9.2.2.3
Sub-Network .............................................................................................. 314
Appendix (A) -- NetFlow Device Configuration.............................................................315

Appendix (B) -- sFlow Device Configuration.................................................................316
Appendix (C) -- Installing SSL in Controller for Enabling Secure Web Access ..........317
Appendix (D) -- Booting GenieATM from TFTP Server..............................................319
Appendix (E) -- Dictionary of IETF Radius Client Attributes Supported by GenieATM
.........................................................................................................................................320
VI
List of Figures
Figure 2.3.1-1 System Login Window.....................................................................................................11
Figure 2.3.1-2 Default System Operation Window ................................................................................ 12
Figure 2.3.1-3 Login/Logout Alert Message Window............................................................................. 12
Figure 3.1.1-1 System Admin / User / Local User Account Management Window ............................... 14
Figure 3.1.1-2 System Admin / User / Local User Account -- Add Local User Account Window .......... 14
Figure 3.1.1-3 System Admin / User / Local User Account -- Edit Local User Account Window .......... 16
Figure 3.1.1-4 System Admin / User / Local User Account -- View Local User Account Window ......... 17
Figure 3.1.2-1 System Admin / User / Privilege Template Management Window ................................. 18
Figure 3.1.2-2 System Admin / User / Privilege Template -- Add User Privilege Template Window ..... 18
Figure 3.1.2-3 System Admin / User / Privilege Template -- Edit User Privilege Template Window ..... 19
Figure 3.1.2-4 System Admin / User / Privilege template -- View User Privilege Template Window .... 20
Figure 3.1.3-1 System Admin / User / Online User Management Window ........................................... 20
Figure 3.1.4-1 System Admin / User / Remote Authentication Management Window .......................... 21
Figure 3.1.4-2 System Admin / User / Remote Authentication / Edit Remote Authentication Window
(Radius Server) .............................................................................................................. 21
Figure 3.2.1-1 System Admin / Controller Management Window ......................................................... 22
Figure 3.2.1-2 System Admin / Controller -- Edit Controller Window .................................................... 23
Figure 3.2.2-1 System Admin / Collector Management Window........................................................... 24
Figure 3.2.2-2 System Admin / Collector -- Add New Collector Window............................................... 24
Figure 3.2.2-3 System Admin / Collector -- Edit Collector Window ....................................................... 25
Figure 3.2.2-4 System Admin / Collector -- View Collector Window ..................................................... 26
Figure 3.3.1-1 System Admin / Network / Home Network / Home Network Management Window...... 33
Figure 3.3.1-2 System Admin / Network / Home Network / Home Network Edit Local IP Address
Window........................................................................................................................... 34
Figure 3.3.1-3 System Admin / Network / Home Network / Home Network Edit Local AS Number
Window........................................................................................................................... 34
Figure 3.3.1-4 System Admin / Network / Home Network / ATD White List Management Window ...... 35
Figure 3.3.1-5 System Admin / Network / Home Network Edit ATD White List Window .................... 35
Figure 3.3.2-1 System Admin / Network / Dark IP Management Window............................................. 36
Figure 3.3.2-2 System Admin / Network / Dark IP -- Edit Dark IP & Non-Dark IP Addresses Window . 36
Figure 3.3.3-1 System Admin / Network / Router / Router Management Window ................................ 37
Figure 3.3.3-2 System Admin / Network / Router / Router -- Add Router Window................................ 38
Figure 3.3.3-3 System Admin / Network / Router / Router -- Edit Router Window................................ 41
Figure 3.3.3-4 System Admin / Network / Router / Router -- View Router Window .............................. 42
Figure 3.3.3-5 System Admin / Network / Router / Interface Management Window............................. 43
Figure 3.3.3-6 System Admin / Network / Router / Interface -- Interface Discovery with SNMP Window......... 44
Figure 3.3.3-7 System Admin / Network / Router / Interface -- Add Interface Window ......................... 44
Figure 3.3.3-8 System Admin / Network / Router / Interface -- Edit Router Interface Window ............. 45
Figure 3.3.3-9 System Admin / Network / Router / Interface -- View Interface Window........................ 46
Figure 3.3.3-10 System Admin / Network / Router / Recomm. to Add/Edit Window ............................. 47
Figure 3.3.3-11 System Admin / Network / Router / Recomm. to Remove Window ............................. 48
Figure 3.3.4-1 System Admin / Network / Internet Boundary Management Window ............................ 49
Figure 3.3.4-2 System Admin / Network / Internet Boundary -- Change Boundary Type Window (with
VII
Segment Cut Illustration)................................................................................................ 49

Circular Cut Illustration).................................................................................................. 50
Figure 3.3.4-4 System Admin / Network / Internet Boundary -- Add Internet Boundary Window.......... 50
Figure 3.3.4-5 System Admin / Network / Internet Boundary -- Edit Internet Boundary Window.......... 51
Figure 3.3.5-1 System Admin / Network / Backbone Links Management Window ............................... 53
Figure 3.3.5-2 System Admin / Network / Backbone Links -- Add Backbone Links Window ................ 54
Figure 3.3.6-1 System Admin / Network / Neighbor Management Window .......................................... 55
Figure 3.3.6-2 System Admin / Network / Neighbor -- Add Neighbor Window ...................................... 55
Figure 3.3.6-3 System Admin / Network / Neighbor -- Edit Neighbor Window ...................................... 56
Figure 3.3.6-4 System Admin / Network / Neighbor -- View Neighbor Window .................................... 56
Figure 3.3.7-1 System Admin / Network / Sub-Network Management Window .................................... 57
Figure 3.3.7-2 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by CIDR)
....................................................................................................................................... 58
Figure 3.3.7-3 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by AS
Number) ......................................................................................................................... 59
Path Regular Expression) .............................................................................................. 59
Figure 3.3.7-5 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by BGP
Community String).......................................................................................................... 59
Figure 3.3.7-6 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by
Interface) ........................................................................................................................ 59
Figure 3.3.7-7 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by Private
Network) ......................................................................................................................... 60
Figure 3.3.7-8 System Admin / Network / Sub-Network -- Edit Sub-Network Learning Interface Window
....................................................................................................................................... 61
Figure 3.3.7-9 System Admin / Network / Sub-Network -- Edit Sub-Network Boundary Window ......... 63
Figure 3.3.7-10 System Admin / Network / Sub-Network -- Edit Sub-Network Window ....................... 64
Figure 3.3.7-11 System Admin / Network / Sub-Network -- View Sub-Network Window ...................... 65
Figure 3.3.8-1 System Admin / Network / Server Server-farm Management Window ....................... 66
Figure 3.3.8-2 System Admin / Network / Server -- Add Server-farm Window...................................... 67
Figure 3.3.8-3 System Admin / Network / Server -- Edit Server Boundary Window ............................. 69
Figure 3.3.8-4 System Admin / Network / Server -- Adding TopN Report to the Server-farm ............... 69
Figure 3.3.8-5 System Admin / Network / Server -- Edit Server-farm Window...................................... 70
Figure 3.3.8-6 System Admin / Network / Server -- View Server-farm Window .................................... 71
Figure 3.3.9-1 System Admin/Network/MSP Customer -- MSP Customer Management Window ....... 72
Figure 3.3.9-2 System Admin/Network/MSP Customer/MSP Customer Adding MSP Customer
Window........................................................................................................................... 73
Figure 3.3.9-3 System Admin/Network/MSP Customer/MSP Customer -- Add Boundary Routers
Window........................................................................................................................... 74
Figure 3.3.9-4 System Admin/Network/MSP Customer/ MSP Customer Boundary Template
Management Window .................................................................................................... 75
Figure 3.3.9-5 System Admin/Network/MSP Customer/Boundary Template Adding MSP Customer
Boundary Template Window .......................................................................................... 76
VIII
Figure 3.3.9-6 System Admin/Network/MSP Customer/MSP User Account MSP User Account
Window........................................................................................................................... 77
Figure 3.3.9-7 System Admin/Network/MSP Customer/Privilege Template -- Privilege Template
Management Window .................................................................................................... 77
Figure 3.3.9-8 System Admin / Network/ MSP Customer / Privilege Template -- Edit User Privilege
Template Window........................................................................................................... 78
Figure 3.3.10-1 System Admin / Network / Filter / Factor Management Window ................................. 79
Figure 3.3.10-2 System Admin / Network / Filter / Factor -- Add Factor Window (IP Factor)................ 80
Figure 3.3.10-3 System Admin / Network / Filter / Factor -- Add Factor Window (BGP Community Factor)
....................................................................................................................................... 80
Figure 3.3.10-4 System Admin / Network / Filter / Factor -- Add Factor Window (AS Number Factor) 81
Figure 3.3.10-5 System Admin / Network / Filter / Factor -- Add Factor Window (AS Path Factor)...... 81
Figure 3.3.10-6 System Admin / Network / Filter / Factor -- Add Factor Window (Application Factor) . 81
Figure 3.3.10-7 System Admin / Network / Filter / Factor -- Edit Factor Window.................................. 83
Figure 3.3.10-8 System Admin / Network / Filter / Factor -- View Factor Window ................................ 84
Figure 3.3.10-9 System Admin / Network / Filter / Filter Management Window.................................... 84
Figure 3.3.10-10 System Admin / Network / Filter / Filter -- Add Filter Window .................................... 85
Figure 3.3.10-11 System Admin / Network / Filter / Filter -- Add Filter Expression Window ................. 86
Figure 3.3.10-12 System Admin / Network / Filter / Filter -- Edit Filter Expression Window ................. 88
Figure 3.3.10-13 System Admin / Network / Filter / Filter -- View Filter Expression Window................ 88
Figure 3.3.10-14 System Admin / Network / Filter / Filter -- Add Filter TopN Window........................... 89
Figure 3.3.10-15 System Admin / Network / Filter / Filter -- Edit Filter TopN Window........................... 90
Figure 3.3.10-16 System Admin / Network / Filter / Filter -- Edit Filter Window .................................... 91
Figure 3.3.10-17 System Admin / Network / Filter / Filter -- View Filter Window................................... 92
Figure 3.3.10-18 System Admin / Network / Filter / Filter Batch Management window ........................ 93
Figure 3.3.10-19 System Admin / Network / Filter / Filter Batch Batch Add Filter Window ................ 94
Figure 3.3.11-1 System Admin / Network / Application Management Window...................................... 96
Figure 3.3.11-2 System Admin / Network / Application -- Add System Application Window ................. 97
Figure 3.3.11-3 System Admin / Network / Application -- Edit System Application Window ................. 99
Figure 3.3.11-4 System Admin / Network / Application -- View System Application Window................ 99
Figure 3.3.12-1 System Admin / Network / Anomaly / Protocol-Misuse Anomaly Management Window
..................................................................................................................................... 100
Figure 3.3.12-2 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Outgoing
Protocol-Misuse Anomaly Detection Window .................................
!

Figure 3.3.12-3 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Protocol-Misuse
Anomaly-Default for Home and User-defined Resources Window.............................. 101
Figure 3.3.12-4 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Protocol-Misuse
Anomaly-Non-Home Window....................................................................................... 102
Figure 3.3.12-5 System Admin / Network / Anomaly / Application Anomaly Management Window ... 103
Figure 3.3.12-6 System Admin / Network / Anomaly / Application Anomaly -- Edit Detection Scope
Window......................................................................................................................... 103
Figure 3.3.12-7 System Admin / Network / Anomaly / Application Anomaly -- Add Application Anomaly
Window......................................................................................................................... 104
Figure 3.3.12-8 System Admin / Network / Anomaly / Application Anomaly -- Edit Application Anomaly
IX
Window......................................................................................................................... 106
Figure 3.3.12-9 System Admin / Network / Anomaly / Application Anomaly -- View Application Anomaly
Window......................................................................................................................... 107
Figure 3.3.13-1 System Admin / Network / Template / Baseline Management Window ..................... 108
Figure 3.3.13-2 System Admin / Network / Template / Baseline-- Add Baseline Template Window
(Interface Traffic Type) ................................................................................................. 109
Figure 4.4.11-3 System Admin / Network / Template / Baseline Add Baseline Template Window (BGP
Update Message Type) ................................................................................................. 111
Figure 3.3.13-4 System Admin / Network / Template / Baseline Add Baseline Template Window
(Traffic Anomaly Type) ..................................................................................................113
(Traffic Anomaly - Filter Type) .......................................................................................114
(Router Performance) ...................................................................................................115
Figure 3.3.13-7 System Admin / Network / Template / Baseline -- Edit Baseline Template Window ...115
Figure 3.3.13-8 System Admin / Network / Template / Baseline -- View Baseline Template Window..116
Figure 3.3.13-9 System Admin / Network / Template / Sub-Network Boundary Template Management
Window..........................................................................................................................117
Figure 3.3.13-10 System Admin / Network / Template / Sub-Network Boundary -- Add Sub-Network
Boundary Template Window .........................................................................................117
Figure 3.3.13-11 System Admin / Network / Template / Sub-Network Boundary -- Edit Sub-Network
Figure 3.3.13-12 System Admin / Network / Template / Sub-Network Boundary -- View Sub-Network
Figure 3.3.13-13 System Admin / Network / Template / Server-farm boundary Template Management
Window......................................................................................................................... 120
Figure 3.3.13-14 System Admin / Network / Template / Server-farm boundary -- Add Server-farm
boundary Template Window......................................................................................... 120
Figure 3.3.13-15 System Admin / Network / Template / Server-farm boundary -- Edit Server-farm
boundary Template Window......................................................................................... 121
Figure 3.3.13-16 System Admin / Network / Template / Server-farm boundary -- View Server-farm
Boundary Template Window ........................................................................................ 122
Figure 3.3.13-17 System Admin / Network / Template / TopN Report -- TopN Report Template Window
..................................................................................................................................... 123
Figure 3.3.13-18 System Admin / Network / Template / TopN Report -- Add Server-farm TopN Report
Template Window......................................................................................................... 123
Figure 3.3.13-19 System Admin / Network / Template / TopN Report -- Edit Server-farm TopN Window
..................................................................................................................................... 124
Figure 3.4-1 System Admin / Configuration Management Window..................................................... 125
Figure 3.4-2 System Admin / Configuration Dispatch Network Configuration and Save Window.... 126
Figure 3.4-3 System Admin / Configuration -- Upload Configuration Window .................................... 128
Figure 3.5.1-1 System Admin / Mitigation / Blackhole Management Window ..................................... 129
Figure 3.5.1-2 System Admin / Mitigation / Blackhole -- Edit Blackhole Window................................ 129
Figure 3.5.1-3 System Admin / Mitigation / Blackhole -- Add Blackhole Policy Window ..................... 130
Figure 3.5.2-1 System Admin / Mitigation / Device / Device Management Window ........................... 133
Figure 3.5.2-2 System Admin / Mitigation / Device / Cisco Guard -- Add Guard Window................... 133
Figure 3.5.2-3 System Admin / Mitigation / Device / Cisco Guard -- Edit Guard Window................... 135
Figure 3.5.2-4 System Admin / Mitigation / Device / Cisco Guard -- View Guard Window ................. 136
Figure 3.5.2-5 System Admin / Mitigation / Device / Eudemon -- Eudemon Management Window ... 137
Figure 3.5.2-6 System Admin / Mitigation / Device / Eudemon -- Add Eudemon Window .................. 137
Figure 3.5.2-7 System Admin / Mitigation / Device / Eudemon -- Edit Eudemon Window .................. 139
Figure 3.5.2-8 System Admin / Mitigation / Device / Eudemon -- View Eudemon Window ................ 140
Figure 3.5.2-9 System Admin / Mitigation / Global / SSH Public Key Window.................................... 141
Figure 3.5.2-10 System Admin / Mitigation / Global / SSH Public Key Window.................................. 141
Figure 3.6.1-1 System Admin / Preferences / Status Parameter Management Window..................... 142
Figure 3.6.1-2 System Admin / Preferences / Status -- Edit Status Parameter Window ..................... 142
Figure 3.6.2-1 System Admin / Preferences / Storage Management Window .................................... 143
Figure 3.6.2-2 System Admin / Preferences / Storage -- Edit Disk Usage Window ............................ 143
Figure 3.6.2-3 System Admin / Preferences / Storage -- Edit Report Data Window ........................... 144
Figure 3.6.2-4 System Admin / Preferences / Storage -- Edit Alert Log Window ................................ 144
Figure 3.6.2-5 System Admin / Preferences / Storage -- Edit Anomaly Log Window.......................... 145
Figure 3.6.2-6 System Admin / Preferences / Storage -- Edit Login Log Window............................... 145
Figure 3.6.3-1 System Admin / Preferences / Report Parameter Management Window.................... 146
Figure 3.6.3-2 System Admin / Preferences / Report -- Edit Pre-defined TopN Report Parameter
Window......................................................................................................................... 146
Figure 3.6.3-3 System Admin / Preferences / Report -- Edit Report Parameter Window ................... 147
Figure 3.6.3-4 System Admin / Preferences / Report -- Edit Rule-Based Report Label Window........ 147
Figure 3.6.3-5 System Admin / Preferences / Report -- Edit Detail Anomaly Traffic Analysis Report
Parameter Window....................................................................................................... 147
Figure 3.6.4-1 System Admin / Preferences / Notification / System Notification Configuration Window
..................................................................................................................................... 148
Figure 3.6.4-2 System Admin / Preferences / Notification / System -- Edit Email Notification Window
..................................................................................................................................... 149
Figure 3.6.4-3 System Admin / Preferences / Notification / System -- Edit Trap Notification Window 150
Figure 3.6.4-4 System Admin / Preferences / Notification / Router Notification Configuration Window
..................................................................................................................................... 151
Figure 3.6.4-5 System Admin / Preferences / Notification / Router -- Edit Router Notification
Configuration Window .................................................................................................. 151
Figure 3.6.4-6 System Admin / Preferences / Notification / Sub-Network Notification Configuration
Window......................................................................................................................... 152
Figure 3.6.4-7 System Admin / Preferences / Notification / Sub-Network -- Edit Sub-Network Notification
Figure 3.6.4-8 System Admin/Preference/Notification/MSP Customer MSP Customer Notification
Figure 3.6.4-9 System Admin/Preference/Notification/MSP Customer Edit MSP Customer Notification
Figure 3.6.4-10 System Admin / Preferences / Notification / Filter Notification Configuration Window
..................................................................................................................................... 154
XI
Figure 3.6.4-11 System Admin / Preferences / Notification / Filter -- Edit Filter Notification Configuration
Window......................................................................................................................... 154
Figure 3.6.5-1 System Admin / Preferences / Name Mapping / Service Management Window ......... 155
Figure 3.6.5-2 System Admin / Preferences / Name Mapping / Service -- Add Service Name Window
..................................................................................................................................... 156
Figure 3.6.5-3 System Admin / Preferences / Name Mapping / Service -- Edit Service Name Window
..................................................................................................................................... 156
Figure 3.6.5-4 System Admin / Preferences / Name Mapping / Protocol Management Window........ 157
Figure 3.6.5-5 System Admin / Preferences / Name Mapping / Protocol -- Add Protocol Name Window
..................................................................................................................................... 157
Figure 3.6.5-6 System Admin / Preferences / Name Mapping / Protocol -- Edit Protocol Name Window
..................................................................................................................................... 158
Figure 3.6.5-7 System Admin / Preferences / Name Mapping / ASN management Window.............. 158
Figure 3.6.5-8 System Admin / Preferences / Name Mapping / ASN -- Add ASN Window................. 159
Figure 3.6.5-9 System Admin / Preferences / Name Mapping / ASN -- Edit ASN Name Window ...... 159
Figure 3.6.5-10 System Admin / Preferences / Name Mapping / Area Management Window ........... 160
Figure 3.6.5-11 System Admin / Preferences / Name Mapping / Area -- Add Area management Window
..................................................................................................................................... 160
Figure 3.6.5-12 System Admin / Preferences / Name Mapping / Area -- Edit Area management window
..................................................................................................................................... 161
Figure 3.6.5-14 System Admin / Preferences / Name Mapping / IP to Area Import IP-to-Area
management Window .................................................................................................. 162
Figure 3.6.6-1 System Admin / Preferences / Group / User Group Management Window................. 163
Figure 3.6.6-2 System Admin / Preferences / Group / User -- Add User Group Window.................... 163
Figure 3.6.6-3 System Admin / Preferences / Group / User -- Edit User Group Window.................... 164
Figure 3.6.6-4 System Admin / Preferences / Group / User -- View User Group Window .................. 165
Figure 3.6.6-5 System Admin / Preferences / Group / Router Group Management Window.............. 166
Figure 3.6.6-6 System Admin / Preferences / Group / Router -- Add Router Group Window ............. 166
Figure 3.6.6-7 System Admin / Preferences / Group / Router -- Edit Router Group Window ............. 167
Figure 3.6.6-8 System Admin / Preferences / Group / Router -- View Router Group Window............ 167
Figure 3.6.6-9 System Admin / Preferences / Group / Sub-Network Group Management Window ... 168
Figure 3.6.6-10 System Admin / Preferences / Group / Sub-Network -- Add Sub-Network Group
Window......................................................................................................................... 168
Figure 3.6.6-11 System Admin / Preferences / Group / Sub-Network -- Edit Sub-Network Group Window
..................................................................................................................................... 169
Figure 3.6.6-12 System Admin / Preferences / Group / Sub-Network -- View Sub-Network Group
Window......................................................................................................................... 169
Figure 3.6.6-13 System Admin / Preferences / Group / Server-farm Group Management Window ... 170
Figure 3.6.6-14 System Admin / Preferences / Group / Server-farm -- Add Server-farm Group Window
..................................................................................................................................... 170
Figure 3.6.6-15 System Admin / Preferences / Group / Server-farm -- Edit Server-farm Group Window
..................................................................................................................................... 171
Figure 3.6.6-16 System Admin / Preferences / Group / Server-farm -- View Server-farm Group Window
..................................................................................................................................... 171
XII
Figure 3.6.6-17 System Admin / Preferences / Group / Neighbor Group Management Window........ 172
Figure 3.6.6-18 System Admin / Preferences / Group / Neighbor -- Add Neighbor Group Window.... 172
Figure 3.6.6-19 System Admin / Preferences / Group / Neighbor -- Edit Neighbor Group Window.... 173
Figure 3.6.6-20 System Admin / Preferences / Group / Neighbor -- View Neighbor Group Window .. 174
Figure 3.6.6-21 System Admin / Preferences / Group / Filter Group Management Window .............. 175
Figure 3.6.6-22 System Admin / Preferences / Group / Filter -- Add Filter Group Window................. 175
Figure 3.6.6-23 System Admin / Preferences / Group / Filter -- Edit Filter Group Window................. 176
Figure 3.6.6-24 System Admin / Preferences / Group / Filter -- View Filter Group Window ............... 176
Figure 3.6.6-25 System Admin / Preferences / Group / MSP Customer User -- MSP Customer User
Group Management Window ....................................................................................... 177
Figure 3.6.6-26 System Admin / Preferences / Group / MSP Customer User -- Edit MSP Customer User
Group Window ............................................................................................................. 178
Figure 3.6.6-27 System Admin / Preferences / Group / MSP Customer User -- View MSP Customer
User Group Window..................................................................................................... 178
Figure 3.6.7-1 System Admin / Preferences / Baseline History / Sub-Network Baseline History Window
..................................................................................................................................... 179
Figure 3.6.7-2 System Admin / Preferences / Baseline History / Sub-Network -- View Baseline History
Window......................................................................................................................... 179
Figure 3.6.7-3 System Admin / Preferences / Baseline History / MSP Customer Baseline History
Window......................................................................................................................... 180
Figure 3.6.7-4 System Admin / Preferences / Baseline History / MSP Customer -- View Baseline History
Window......................................................................................................................... 181
Figure 3.6.7-5 System Admin / Preferences / Baseline History / Filter Baseline History Window ...... 182
Figure 3.6.7-6 System Admin / Preferences / Baseline History / Filter -- View Baseline History Window
..................................................................................................................................... 182
Figure 3.6.8-1 System Admin / Preferences / Offline Report / Scheduler Template Management Window
..................................................................................................................................... 183
Figure 3.6.8-2 System Admin / Preferences / Offline Report / Scheduler -- Edit Schedule Template
Window (Daily Schedule Type) .................................................................................... 184
Figure 3.6.8-3 System Admin / Preferences / Offline Report / Scheduler -- View Schedule Template
Window......................................................................................................................... 184
Figure 3.6.8-4 System Admin / Preferences / Offline Report / Sub-Network Offline Report Management
Window......................................................................................................................... 185
Figure 3.6.8-5 System Admin / Preferences / Offline Report / Sub-Network-- Edit Sub-Network Offline
Report Window............................................................................................................. 185
Figure 3.6.8-6 System Admin / Preferences / Offline Report / Sub-Network -- View Sub-Network Offline
Report Window ............................................................................................................. 186
Figure 3.6.9-1 System Admin / Preferences / Remote Update Management Window ....................... 187
Figure 3.6.9-2 System Admin / Preferences / Remote Update -- Edit Default Configuration of Remote
Update Window............................................................................................................ 187
Figure 3.7-1 System Admin / Report Rebuild Window ........................................................................ 188
Figure 3.7-2 System Admin / Report Rebuild Adding a New Request Window ............................... 188
Figure 3.7-3 System Admin / Report Rebuild Rawdata File Window ............................................... 189
Figure 3.7-4 System Admin / Report Rebuild Looking Up Last Request Status Window ................ 190
XIII
Figure 3.7-5 System Admin / Report Rebuild Aborting Last Request Window................................. 190
Figure 4.1.1-1 Status / Summary / Global Window ............................................................................. 192
Figure 4.1.2-1 Status / Summary / MSP Server Window .................................................................... 193
Figure 4.1.3-1 Status / Summary / Anomaly Window .......................................................................... 194
Figure 4.1.4-1 Status / Summary / System Window............................................................................ 195
Figure 4.1.4-2 Status / Summary / System / Controller Hardwares Status Report............................. 196
Figure 4.1.4-3 Status / Summary / System / Controller Hardwares Event Report.............................. 196
Figure 4.1.4-4 Status / Summary / System / Controllers Status Window ........................................... 197
Figure 4.1.5-1 The Resource Summary Viewing List .......................................................................... 198
Figure 4.1.5-2 The Further Viewing List of Collector Resource .......................................................... 198
Figure 4.2-1 Status / Anomaly Console / Anomaly Console Querying Window .................................. 199
Figure 4.2-2 Status / Anomaly Console / Summary Anomaly Report Window (Sub-Network Resource
Type) ............................................................................................................................ 202
Figure 4.2-3 Status / Anomaly Console / Detail Anomaly Report Window (Sub-network Resource Type)
..................................................................................................................................... 203
Figure 4.2-4 Status / Anomaly Console / Detail Anomaly Report -- ACL Generate Tool Window ....... 205
Figure 4.2-5 Status / Anomaly Console / Summary Anomaly Report Window (Filter Resource Type) 205
Figure 4.2-6 Status / Anomaly Console / MSP Server Anomaly Console Querying Window.............. 206
Figure 4.3.1-1 Status / Alert Log / Alert Log Querying Window ........................................................... 207
Figure 4.3.2-1 Status / Log -- Mitigation Log Querying Window.......................................................... 208
Figure 4.3.3-1 Status / Log / Login Log Querying Window.................................................................. 209
Figure 5-1 Traffic Snapshot Management Window ............................................................................. 210
Figure 5-2 Snapshot -- Device Interface Management Window.......................................................... 212
Figure 5-3 Snapshot -- Instant Top N Report....................................................................................... 216
Figure 5-4 Snapshot -- Instant Top N Report / Latest 100 Raw Flows ................................................ 217
Figure 6.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation Action Management Window ... 218
Figure 6.1-2 Mitigation / Hardware Mitigation - Add Hardware Mitigation Action Window .................. 219
Figure 6.1-3 Mitigation / Blackhole - View Blackhole Mitigation Action Management Window ........... 220
Figure 6.2.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation: Guard Management Window 221
Figure 6.2.1-2 Mitigation / Hardware Mitigation - Add Guard Mitigation Action Window..................... 221
Figure 6.2.1-3 Mitigation / Hardware Mitigation - Hardware Mitigation Traffic Report......................... 223
Figure 6.2.1-4 Mitigation / Hardware Mitigation - Hardware Mitigation Attack Report......................... 224
Figure 6.2.2-1 Mitigation / Hardware Mitigation / Eudemon Management Window ............................ 225
Figure 6.2.2-2 Mitigation / Hardware Mitigation/Eudemon - Add Eudemon Mitigation Window.......... 225
XIV
Introduction
This manual describes the traffic analysis functions of GenieATM system. In the following section, the
framework of this manual is addressed to give users a summary of this user manual.
System and Functions Overview

To ensure full use of the system functions in observing and analyzing flow traffic status, this section
introduces the features, functions, and design concepts of the system, so that users can
understand the basic functional framework of the system before operating it, and also can use all
system functions with greater flexibility.
System Functions Descriptions

To facilitate users to properly use all system functions, the following sections (section 3 to section 9)
will introduce the operation procedure for individual function in details accompanied with clear
illustrations, so that users can operate and set up every system function more easily.
Appendix (A) -- NetFlow Device Configuration

This appendix shows users how to configure various NetFlow devices for enabling NetFlow
devices to export NetFlow data to GenieATM Flow Collector.
Appendix (B) -- sFlow Device Configuration

This appendix shows users how to configure sFlow devices for enabling sFlow devices to export
sFlow data to GenieATM Flow Collector.
Appendix (C) -- Installing SSL in GenieATM for Enabling Secure Web Access
This appendix introduces how to install SSL in GenieATM for enabling secure web access.
Appendix (D) Booting GenieATM from TFTP Server

This appendix introduces the operations about how to boot GenieATM from TFTP server. With this
feature, users can verify if the system image is sound before updating the software.
Appendix (E) Dictionary of IETF Radius Client Attributes Supported by

GenieATM
This appendix provides overall detailed Radius Client attributes (supported by GenieATM)
information for users to configure their remote user accounts on their Radius server.
System and Functions Overview
2.1
System Overview
As a network operator, it is a torture when facing troublesome daily maintenance and a sudden
DOS/DDOS attack. It is a tough situation when the operators are unable to find out the causes of
unusual network traffic. Therefore, to immediately solve unusual problems with real-time traffic
reports instead of analyzing historical traffic logs after troubles occur would be a great help. Besides,
being short of precise traffic analysis for business management support no matter peering strategy or
capacity planning is an urgent issue for the operators to improve network performance.
Today, most network management equipments monitor only the status of connection, up or down,
without providing the scalability and performance reports of network traffic. Monitoring only the
facilities status is very insufficient for network management operators to solve the problems without
analysis for the network performance and qualities. Most traffic analysis tools only analyze the traffic
volume and few well-known applications, and are not able to create reports, such as the reports
about volumes of packets and sessions, or all TCP/UDP ports. They are also deficient in precise
traffic analysis for BGP information, which can provide peering and transit traffic for network
managers to do significant business decisions.
GenieATM series provides an intelligent Network Traffic Modeling that can precisely classify traffic
flows and cooperate with the built-in reports to generate various related traffic statistics. This
intelligent Network Traffic Modeling sufficiently knows the hierarchical network structure that adopted
by most of xSPs, so that it can analyze traffic appropriately. With the accurate analysis reports of
GenieATM, network operators can easily and efficiently monitor their networks. GenieATM series
also provides a traffic snapshot tool which can be used for instant flow analysis and presents the
instant flow status of the specified network range in a TOP N report. With the configuration of
analysis criteria, users can sieve out some specific traffic from the entire traffic for Top-N analysis.
Furthermore, in order to provide more flexible traffic analysis comparing with Network Traffic
Modeling analysis, GenieATM also equips rule-based Filter traffic analysis function. With
user-defined Factor and Filter elements, users can locate traffic with greatly flexibility. In addition, the
Anomaly Traffic Detection function in the GenieATM system can effectively detect and timely notify
DoS/DDoS attacks, routing mis-configurations, and endangered network devices before they
undermine network availability, performance, and Sub-Network satisfactions.
GenieATM series adopts the network structure of distributed-deployment & centralized-management
which can collect the largest scope of network flows, simplify the management and configuration of
the system, and cut down user's TCO (Total Cost of Ownership). It collects network flows from core
switches/routers through the Collectors deployed on regional networks, and then delivers the
collected network flows (after analyzing) to the Controller for data aggregation. With the Controller,
therefore, network operators can manage the distributed Collectors, aggregate the analyzed traffic
data, monitor the entire network traffic, and read the analysis reports.
GenieATM series equips a BGP module that can provide the monitoring about the BGP update
message of neighbor ASes. Once the statistic of BGP update message has abnormal changes,
network operators can adjust their routing policy according to this reliable statistic information. In
addition, the BGP module also can detect and issue alert notifications for BGP Hijack. In security,
GenieATM provides the BGP encryption of TCP MD5 Signature that can efficiently prevent the BGP
communication between GenieATM and BGP routers from malicious attacks.
GenieATM series products developed by GenieNRM Inc. are state of the art flow analyzing systems.
It provides full functions of statistics and analysis for traffic, such as 24 hours flow monitoring,
warning for over the traffic threshold, issuing anomaly & alert notifications, snapshot (instant)
analysis through TOP N sorting, various traffic model lings analyses, rule-based Filter traffic analysis,
BGP traffic analysis, common attribute analyses, online WEB reports for query, and DB storage
management. Network operators can utilize the traffic analysis reports and statistics to manage their
network resources and plan the future network topology.
2.2
System Screen Overview
This section highlights the system screen and various function keys to assist users to understand the
system framework and basic operation. For an optimal viewing, IE 6.0 or higher browser with
600x800 (or 1024x768) screen resolution is highly recommended.
2.2.1
System Screen
The following section describes the location and function briefs of GenieATM. Please refer to
Figure 3.2.1-1.
6. Logout Button
5. System Version
7. Help
3. Path
4. Sub Menu Tab
8. Configuration
View List
1. System
Menu Tree
2. Action Buttons
Figure 2.2.1-1 System Operation Screen
1. System Menu Tree

List systems main functions and users can click on the item to expend the sub-main function or
enter the window of the function.
2. Action Buttons
There are two kinds of action buttons: one is text-form, like Add , Edit , and so on; the other
is icon-form, like (Edit), (Delete), and so on. With these action buttons, users can manage
setup data.
The following table lists all kinds of action buttons and their meanings.
Action Buttons / Meanings
Abort Last Request To terminate the processing request of report rebuilding
Abort Prefix Learning To terminate the processing request of prefixs auto learning
Add To create an object
Add New Request To add a report-rebuilt request
Add Via Learning To add objects via system auto-learning
Browse To look through all detailed objects
Cancel To stop the uncompleted settings and exit the management window
Check To check the information to see if there is any difference
Close To close the window
Delete To delete an object
Delete All To delete all listed objects
Dispatch Network Configuration and Save To dispatch the current configuration in
Database to the Collectors and then save it as a DB configuration file.
Download To copy a DB configuration file from the Controller to the local host
Edit To edit the content of an object
Get Last Request Status To get the detail information of the last request status
Get Learning Status To get the detail information of the last or processing request
status of prefixs auto-learning
Get Synchronizing Status To get the detail information of the last dispatch status
Go To submit the query conditions
Reset To get back to original settings
Restore and Dispatch To restore a saved DB configuration file into Database and
then dispatch it to the Collectors.
Save To save the configuration
Start Prefix Learning To start a prefix learning request
Submit To send the settings to the system
Upload To copy the configuration file from the local host to the system
View To view the profile of an object
View History To view historical statuses of prefixs auto-learning requests
View Result To view the result of last prefixs auto-learning request
To unfold the under sub menus

To fold the under sub menus
To enter an operation/management window of the menu
To edit the content of an object

To delete an object
3. Path
Path indicates where the current operating page locates. It is relative to the System Menu Tree.
4. Sub Menu Tab
Sub Menu Tabs are used to access the different sections of a sub menu that has multi-functions.
Please refer to the table in System Menu Tree section.
5. System Version
Show the running version of the Controller.
6. Logout Button
It is located at the right top corner of the screen. Users must click on the Logout button to exit the
system. When users click on the button, the system will automatically record their login and
logout time.
7.
Help
It is a glossary located under the Logout button and provides information to help users to
understand the operations of GenieATM.
8. Configuration View List

All the setup data will be displayed in the view list after the configuration is completed. Users can
click on the action buttons, which are being displayed in front of the configurations, to modify or
delete items.
2.2.2
System Functions Overview
The system operating structure basically includes system management and report presentation two
major parts. The system management contains functions: User, Device, Network, Configuration,
Mitigation, Preferences, and Report Rebuild; the report presentation contains parts: Internet,
Neighbor, Backbone, Router, Interface, Sub-Network, Server, Rule-based Report, MSP
Customer and Anomaly Activities. Except the MSP Customer and Anomaly Activities report
menus, others are converged on the Report main menu. Not to include the Anomaly Activities report
menu is due to anomaly events focus. In addition, a Status, a Snapshot, and a Mitigation functions
are also provided to report the summary statistics of detected anomalies, issued alerts and the
system profiling, to carry the powerful diagnostic and troubleshooting capabilities into execution, and
to actually execute actions for stopping or mitigating impacts from the detected anomaly activities.
The following section outlines all the configurations of individual system functions to help users to
quickly and easily configure system functions.
Web-based Interface
The system offers easy-to-use web-based user interface.
Command Line Interface

Users can use terminal, Telnet, or SSH2 to access GenieATM to do configuration setup.
User Account Management

User menu allows users to manage local user accounts, to enable the remote authentication
function, to constrainedly terminate the login session of online users, and to query the history of
user loggings in the system.
Local User Account
The system offers local users authentication and authority control functions:
User Authority
Users are divided into three privilege groups: Administrator, Sub-Network user and defined
bye template. The administrator is assigned with the authority of accessing all functions
and managing user accounts. The Sub-Network user can read the reports of the specified
Sub-Network entity, query anomaly events of the assigned Sub-Network entity, and use
the Snapshot function within the traffic scope of the assigned Sub-Network entity. Defined
by template is use for users to specify the roles that only can access some system
functions. The factory default privileges in the defined template are superuser and user for
viewing only. The superuser can access most functions except some in the System
Admin menu (Including: User, Device, Mitigation and Status, Storage, Report, Name
Mapping and Remote Update of Preferences). The user for viewing only can only read
the reports and is not allowed to use the System Admin and Mitigation functions.
System Default Account
* admin: administrator privilege
Privilege Template
The system support that users can define the accessing group and those who
belong to the specified role group only can access the specified functions. The
factory default privileges are Administrator, Superuser, and user for viewing only.
Online User
The system allows users with administrator authority to terminate the connection of any
online users.
Remote Authentication
The system supports the remote authentication for those user accounts not registered in the
GenieATM system.
Device Management
The Device menu provides users to management Controller, Collector, MSP servers
(value-added function) and Flow Load Balancer (value-added function).
Controller
The system will display the detail information of the Controller module here.
Collector
All Collectors managed by the Controller will be displayed here. Administrators have to
configure any new Collector once they are added into the system.
MSP Server
Allow users to define the MSP server to collect customers traffic and provide portal site for
customers to maintain system and browse kinds of traffic reports.
This function will show when the system support the MSP module (value-added function).
Flow Load Balancer
The Flow Load Balancer devices are used to receive the flows from the routers and forward
them to multiple ATM collectors according to the policy configured.
Note
Support Flow Record
GenieATM collects NetFlow (V1, V5, V7, V9), NetStream, and sFlow (V2, V4, V5) records
from different Flow exporters and can perform statistics and analysis of such records.
Network
GenieATM utilizes the definition of Network Boundary to implement the concept of Network
Cut and provides the built-in Network Model lings to analyze network traffic. Users need to
configure some mandatory entities and then the analysis will operate effectively.
Home Network
Users need to provide all address prefixes belonging to Home with CIDR format and Home
Network AS numbers. This function also allows users to define prefix-based network entities
without traffic detection.
Dark IP
Users can define dark or non-dark IP address prefixes with CIDR format for Dark IP
Detection.
Router
Users need to provide all related information of their desire routers and interfaces for traffic
and hardware monitoring.
Internet Boundary
Users need to define their Internet boundary for traffic analysis between users networks and
the Internet.
Backbone Links
Users need to register their entire backbone links for GenieATM to auto identify backbone
routers and backbone boundary.
Neighbor
Users need to provide their entire neighbor ASes (AS: Autonomous System) for traffic
analysis between users networks and their neighboring networks.
Sub-Network
Users should define sub-networks for traffic analysis of some specific network entities. These
specific network entities could be a POP, a Sub-Networks network, or a server farm, and
might be either inside (internal) or outside (external) Home Network.
Server
Users can define their server farm, which includes several servers to the system, so
that they can gain variety of reports relevant to the server traffic.
MSP Customer
Users can define the MSP customers and generate their traffic. Therefore, the MSP
customers can access the MSP server to manage system function and view their
traffic reports.
Filter
The system provides rule-based traffic analysis for users to locate traffic by themselves.
7
Application
Users can gather different services (protocol + port), which all belong to one kind of network
application, to form a group. The system will adopt the application group configured to
classify traffic for the Attribute Application reports.
Anomaly
The system provides default Protocol-Misuse & Application anomaly signatures which are
used to define the traffic characteristics of known anomalies. Users are allowed to modify the
default Protocol-Misuse & Application anomaly signatures and also are allowed to create new
Application anomaly signatures. In addition, this menu also provides the latest definition of
system anomaly signatures download from GenieATM definition update servers.
Template
Users can create templates for the baseline and boundary (including Sub-Network boundary
and Server-farm boundary) that can be quickly applied to some configurations of network
entities.
Configuration
The system offers configuration backup, restoration, and dispatching for the settings of Network
menu.
Mitigation
This Mitigation sub menu (under Network menu) is for users to configure essential
mitigation elements for two system mitigation methods supported (Hardware Mitigation
and Blackhole). Before adding mitigation actions, there are some required elements
must be provided for each mitigation method.
Blackhole
Users can configure basic elements for Blackhole mitigation method and this should be done
before adding Blackhole mitigation actions.
Device
Users can configure basic elements for Hardware Mitigation method and also manage Guard
devices and Eudemon device here. Before adding Hardware mitigation actions, users should
make sure that the related mitigation devices have been configured.
Preferences
Status
Users can control the refreshed time of the Status page, and the maximum number of the
most recent ongoing anomalies and alerts displayed.
Storage
Users can control the duration for storage of analysis reports and logs.
Report
Users can set the parameter about the maximum displayed entries of pre-defined TopN
report.
Notification
Users can configure the settings of the system alert and anomaly event notifications.
Name Mapping
Users can maintain the built-in name mapping, including services, protocols, ASNs
(Autonomous System Numbers) Area, and IP to Area.
Group
Users can aggregate multiple resource entities as a group, such as user group, router group,
sub-network group, server-farm group, neighbor group, filter group and MSP customer
group.
Baseline History
The system provides users the historical results of dynamic anomaly detection baseline
buildings of all existing Sub-Network, MSP Customer, and Filter entities in the system. Users
are allowed to reset the historical detected traffic baseline values for manually excluding
improper statistics.
Offline Report
Users can configure schedule template, which decides when to send out offline reports,
enable the generation of offline reports for Sub-Network entities, and delete the added offline
reports.
Remote Update
Users can configure the definition update server of GenieATM system anomaly signatures for
the latest definition download.
Report Rebuild
The system provides a convenient function allowing users to rebuild rule-based Filter reports of a
specific time period.
Status
Summary
Summary function presents some significant traffic statistics and information in these tabs:
Global: Anomaly Statistics, Ongoing Anomalies, and Most Recent Alerts; MSP Server:
Anomaly Statistics and Ongoing Anomalies of MSP Servers; Anomaly: Summary Report;
System: System Status, and Cisco Guard Status. The reason to gather these data that users
might want to know urgently together is to ensure that users can presently understand the
entire situation. The refreshing time period of this page is decided by the configuration of
Status Page Refresh Period in the Preferences/Status function. The configurable values are
from 1 minute to 10 minutes. Resources: display the number of configured resources and
the maximum number that the system supports.
Anomaly Console
The system presents a variety of anomaly events detected, provides summary and detailed
traffic characteristics of detected anomaly events, and is able to generate appropriate ACL
(Access Control List) commands as suggestions for network operators.
Log

Alert Log
When there is any significant status change or failure, the system will send a notification to
users according to the configuration, and record all alerts issued and recovered.

Mitigation Log
The system will record the logs of the mitigation actions.

Login Log
The system will record the users of logging into the system.
Report
Internet
The system provides various built-in reports for traffic analysis between the Internet and
Home Network.
Neighbor
The system provides various built-in reports for traffic analysis for Neighbor ASes
(Autonomous Systems).
Backbone
The system provides various built-in reports for Backbone traffic analysis.
Router
The system provides various built-in reports for the traffic analysis of each router configured
in the system.
Interface
The system provides various built-in reports for the traffic analysis of each interface on the
routers configured in the system.
Sub-Network
The system provides various built-in reports for traffic analysis within a sub-network itself,
between a sub-network and other sub-networks, and through each Neighbor AS to/from a
specific sub-network.
Server
The system provides the reports within Server farms, between a server farm to other server
farm, and through sub-networks, Neighbors and Areas.
9
Rule-based Report
The system provides traffic analysis reports for rule-based Filters which are configured in the
system and based on users definitions. There are two types of analysis reports for Filter
traffic, Summary Report and TopN Report.
MSP Customer
Anomaly Console
Provide anomaly statistic and ongoing reports of MSP customers.
Report
Provide various traffic reports of MSP customers, including traffic report, boundary
traffic report, top talker report, attribute report, topn report and son on.
Anomaly Activities
Dark IP
The system provides various built-in dark IP traffic analysis reports, such as overall dark IP
traffic, each infected host traffic, each victim host traffic, into/out of each interface traffic, and
into/out of each SUB-NETWORK entity.
Worm
The system provides various built-in application anomaly traffic analysis reports, such as
overall application anomaly traffic, each infected host traffic, into/out of each interface traffic,
and into/out of each SUB-NETWORK entity.
Snapshot
Users can define the analysis scope, analysis criteria, aggregation method, and the number of
value for TOP N sorting. The system provides two kinds of analyzed data sources, cache and
rawdata files. The rawdata source provided can meet the needs on analyzing a specific time
period in the past.
Analysis Scope
Users can specify a specific network entity configured in the system as the analysis scope of
the inspected traffic.
Analysis Criteria
Users can define the range of analysis with criteria. The system will ignore the flow outside
the range during analysis.
Aggregation Method
Users can define up to three aggregation keys to generate the snapshot report. The selected
keys are such as source or destination IP address, Source or Destination protocol/port,
Application on Source or Destination, TCP Flag, TOS Value, Protocol, Input or Output
Interface, Router, and etc.
Detect the Distributed Denial of Service
This system is capable of analyzing the traffic flow in real time. When an attack flood occurs,
the system can accurately trace the source. Even when the router or switch fails after the
attack, the system still can analyze the last output data to trace the source of attack.
Mitigation
The Mitigation menu (on the Main Menu tree) provides users mitigation methods to execute
mitigation actions for protecting their network resources or filtering anomaly traffic.
Blackhole
The system utilizes limited BGP announcement to conduct anomaly traffic to a setup honey
pot or blackhole device. Before adding any blackhole mitigation action, the related
configuration requested should be done in the System Admin / Mitigation / Blackhole
function.
Hardware Mitigation
The system integrates with a traffic-cleaning device (such as Guard, Eudemon and etc) to
wash out attacking traffic and forward clean traffic back to their original destination. Before
adding any hardware mitigation action, the related configuration requested should be done in
the System Admin / Mitigation / Device function.
10
2.3
System Login/Logout
The system is using web-based operation and configuration interfaces, so that users can configure
all system functions, and view system reports on the Internet. This section will show users how to
login and logout the system.
2.3.1
Login the system
1. Run the browser and enter URL at http://xxx.xxx.xxx.xxx/ or https://xxx.xxx.xxx.xxx/ to open the
system login window (as presented in Figure 2.3.1-1).
Note
1. xxx.xxx.xxx.xxx refers to the IP address of the Controller.
2. The secure web access (https) to GenieATM will only be available after you enable it in CLI
interface of the Controller. Please refer to the Appendix (C) Installing SSL in Controller for
Secure Web access for how to enable https.
3. Both https and http are supported after https was enabled in GenieATM.
Figure 2.3.1-1 System Login Window

2. Enter username and password, and then click on the
system operation window (as presented in Figure 2.3.1-2).
button to enter the default
Note
The default username/password to login this system is admin/admin.
11
Figure 2.3.1-2 Default System Operation Window

3. If a Login/Logout Alert Message window appears (as presented in Figure 2.3.1-3), it means that
one of the following conditions occurs. First, the user who login this system with this
ID/password did not properly logout the system. Second, another online user already login to
this system with the same ID/password and is still online without logout the system. In this case,
you may select Kick the user out and force into system to login the system or click on Closed to
exit. The system will check the connection status of the ID and password when someone logins
the system. If the user clicks on Kick the user out and force into system while another user is
online, the system will remove the connection of the existing user.
Figure 2.3.1-3 Login/Logout Alert Message Window
2.3.2
Logging out the system
Click on the
button at the right top corner of the Window to logout GenieATM (as
presented in Figure 2.3.1-2).
12
System Admin Function

System Admin menu is designed for the system management of GenieATM. The system
management includes managing user accounts, specifying devices, configuring the related system
settings and preferences, and the essential mitigation elements, and defining various network
boundaries, factors and filters for rule-based reports, anomaly-monitored objects and anomaly
signatures. When users click on the unfolding mark of System Admin, all sub menus will be unfolded
including User, Device, Network, Configuration, Mitigation, Preferences, and Report Rebuild.
Note
Only administrators can operate all functions of System Admin. Other users with
non-administrators authority can only access limited functions. Please refer to the User section for
details.
3.1
User
User menu allows users to manage local user accounts, to specify the privilege group for login
account, to constrainedly terminate the login session of online users, and to enable the remote
authentication function, GenieATM supports the remote authentication for those user accounts not
registered in the GenieATM system. In order to avoid confusion, the user accounts registered in the
system are called local user accounts. After clicking the User menu displayed on the Sub Menu
tree of System Admin at the left side of the screen, users will enter the Local User Account
window (the default entered window) and see the sub-menu tabs, Local User Account, Privilege
Template, Online User, and Remote Authentication, appearing above the screen. (See Figure
3.1.1-1) The following sections (Local User Account, Privilege Template, Online User, and Remote
Authentication) are going to introduce how to mange local user accounts, how to specify the
privilege template, how to terminate the login session of an online user, and how to enable the
Radius-Server remote authentication.
Note
Only the user with the privilege of administrator can access all sub-functions of the User menu.
The Sub-Network user and the defined by template, superuser and viewing only user, cannot
access anyone of them.
3.1.1
Local User Account

Users can manage local user account such as add, edit, delete, or view a local user and assign
users different authorities for system management and security control. Besides, they also can
check the current status of each account in the Local User Management window.
Click on the User menu to enter the Local User Management window. (As presented in Figure
3.1.1-1) Users can use the sorting symbol in columns to decide the sorting of the view list; is
ascending and is descending.
13
Figure 3.1.1-1 System Admin / User / Local User Account Management Window
To add a new local user account

Users can create new local user accounts, so that the users can use the created local user
accounts to login GenieATM system by web interface. Click on Add button to enter the action
window and start the input. (As presented in Figure 3.1.1-2)
Figure 3.1.1-2 System Admin / User / Local User Account -- Add Local User Account Window
1. Enter user information in all fields: (The asterisk "" indicates a mandatory field.)
User ID: Account name used for login GenieATM. It is a mandatory field. All characters are
accepted except space and special characters. The number of inputted characters must be
between 2 and 40.
14
First Name: All characters are accepted except space and special characters. The number
of inputted characters must be between 1 and 80.
Last Name: All characters are accepted except space and special characters. The number
of inputted characters must be between 1 and 80.
Password: It is a mandatory field. The password is at least 4 characters and at most 40
characters with no space inside. Be aware that the password is case sensitive.
Confirm Password: Re-type the password and make sure it is exactly the same as the one
typed previously.
Phone: Please enter the contact phone number. Only numerical characters and the dash
(-) are accepted.
Email: It is a mandatory field. Please follow the format aaa@aaa.aaa with no space inside.
Privilege: Administrator may assign different authority to different user accounts with these
types of roles. A Sub-Network entity must be specified if the Sub-Network user role is
assigned.
(I) administrator
Users have the highest authority and can use all system functions.
(II) Sub-Network user
The account with sub-network privilege only can view the reports of the specified
sub-network, which can be selected from the dropped-down list or Browse button.
Besides, administrators can define the authority for each sub-network account by using
the Privilege Template.
(III) defined by template
Administrators can define the specified authority for the account by using the Privilege
Template to operate the parts of the systems functions.
Note
The built-in account, admin (default password: admin), belongs to the default
privilege template, Administrator, which can operate all system functions.
Privilege template
If the Privilege type of the account is Sub-Network user or defined by template, a
privilege template should be assigned to that account. The system will list all defined
templates, including system default privilege templates and user defined ones, in the drop
down list for users to select. In addition, users can define a new template via clicking on the
Define button, or specifying it in the Privilege Template tab in System Admin/User
Function. The configuration steps please refer to the section, Privilege Template, in the
System Admin/User function.
Note
There are two default privilege templates, superuser and user for viewing only.
(a) superuser
Users can access most functions except some in the System Admin menu
(Including: User, Controller, Collector, Flow Load Balancers, Mitigation and
Status, Storage, Report, Name Mapping and Remote Update of Preferences).
(b) user for viewing only
Users can only read the reports. They are not allowed to use the Mitigation and
System Admin function.
Language: GenieATM offers language options: English, Traditional Chinese, Simplified
Chinese and Japanese. Users may choose a proficient one as their system language.
Status: There are two kinds of account statuses, Active and Inactive. This item can be the
15
control of accounts for activating and inactivating.

Remark: Enter additional information for the user account. The inputted characters are
allowed to 64 the most.
User Group (Optional): Assign this created user account to a user group if necessary.
Once the user account is assigned to a user group, any email notifications associated with
this user group will be sent to this user. Here, GenieATM will not provide any error check or
restriction for the user account with different privileges. In other words, a user account can
be added into any user group without the privilege check. Clicking on <<Add button to add
the selected user groups to the text box. Using Remove>> or Remove All button to
remove the added user groups from the text box.
2. Click on Submit button to complete the configuration.
To edit a local user account

Users can modify the contents and authority of the local user to facilitate the maintenance of a
local user account.
Figure 3.1.1-3 System Admin / User / Local User Account -- Edit Local User Account Window
1. Click on the edit icon to modify the account information.
A page with Edit Local User Account title will be shown.
2. Modify the content or change the role.
The input information for each field, please refer to the section, To add a new local user
account, for details. To change the password: only need to enter a new password in both
fields of Password and Confirm Password.
3. Click on Submit button to complete the modification.
To delete a local user account

Users can delete a local user to take this user account out of the system.
1. Click on the delete icon .
A confirmative dialog box will pop up.
2. Click on OK button to remove the local user from the system.
16
To view the profile of a local user account

Users can view the local user account information in detail (See Figure 3.1.1-4). The detail
information includes users ID, first name, last name, phone number, email address, privilege,
language, status, remarks, user group, online, last login and last logout.
Figure 3.1.1-4 System Admin / User / Local User Account -- View Local User Account Window
1. Click on a local user ID to enter the View Local User Account window.
When you move the cursor to the user account listed in the User ID column, the color of the
pointed username will turn into blue.
2. Besides, users can click on the View button at the Privilege row to view which function is
enabled for this account (See Figure 3.1.1-5).
3. Click on Back to List button to return to the User management window.
Note
If the status of a user account is Inactive, users will be unable to login the system with that
user ID. However, all information saved under this ID will still be preserved in the system.
This information will be gone from the system only with the Delete command executed.
Figure 3.1.1-5 System Admin / User / Local User Account -- View Privilege Template of Local User
Account Window
17
3.1.2
Privilege Template
Users can add, edit, delete, or view a privilege template and specify authorized system functions for
each privilege template. Click on the Privilege Template tab to enter the Privilege Template window.
(As presented in Figure 3.1.2-1)
Figure 3.1.2-1 System Admin / User / Privilege Template Management Window
To add a new privilege template

Users can create new privilege templates, so that administrators can apply these templates to
the created local user accounts. Click on Add button to enter the Add Privilege Template
window and start the input. (As presented in Figure 3.1.2-2)
Note
There are default privilege templates listed in the table and they are Administrator, Superuser
and user for viewing only. User can click on the No. or Name to view the authorized system
functions. Besides, these default privilege templates are unable to edit or delete.
Figure 3.1.2-2 System Admin / User / Privilege Template -- Add User Privilege Template Window
18
1. Enter privilege template information in all fields: (The asterisk "" indicates a mandatory field.)
Name: Input a name of the Privilege Template.
Coverage: select the coverage, whole network or sub-network, for the privilege template.
Note
When the role is set as sub-network user, only Anomaly Console, Sub-network Reports,
Snapshot functions and Profile Management can be assigned in the Authority.
Remarks: Enter additional information for the Privilege Template. The inputted characters
are allowed to 64 the most.
Authority: Check the system functions that are allowed to be executed by this role. Click on
the to extend the function tree for selecting the sub functions (As presented in Figure
3.1.2-2).
To edit a user privilege Template

Users can modify the operating system functions of the privilege template.
Figure 3.1.2-3 System Admin / User / Privilege Template -- Edit User Privilege Template Window
1. Click on the edit icon to modify the privilege template information.
A page with Edit Use Privilege Template will show. (As presented in Figure 3.1.2-3)
2. Modify the name or change the authorization of the system functions.
The input information for each field or setup steps, please refer to the section, To add a new
privilege template, for details.
Note
The user accounts who are assigning to this privilege template will list in the Applied table
below.
19
To view a user privilege template

Users can view the privilege template information in detail (See Figure 3.1.2-4). The detail
information includes name, remarked and the authorized system functions.
Figure 3.1.2-4 System Admin / User / Privilege template -- View User Privilege Template Window
1. Click on a privilege template No. or name to enter the View User Privilege Template window.
When you move the cursor to the name listed in the ID or Name column, the color of the
2. Click on Back to List button to return to the User Privilege Template window.
3.1.3
Online User
Click on Online User tab to enter the Online User management window. (See Figure 3.1.3-1)
With this function, users can view all online users at a time and terminate their login sessions.
The default sorting way to list online users is descending according to the login time. Users can
also sort the online users according to the user ID, or logout IP either ascending or descending
by clicking on or .
Figure 3.1.3-1 System Admin / User / Online User Management Window

Terminating a Login Session
1. Click on a radio button in front of the online user whose connecting session that you want to
terminate.
The only one online user you cannot terminate is yourself. So, there is no radio button in front
of your User ID row.
2. Click on Kick out button after you selected an online user.
20
3.1.4
Remote Authentication
So far, GenieATM only supports the remote authentication for the Radius server. The users
logging on the Web UI via Radius authentication may be assigned with the administrator,
Sub-Network user, or defined by template authority without a user group. Once the remote
user has successfully logged on the system via Radius authentication, some attributes will be
carried with this user such as Privilege, Language, and Sub-Network ID (if the assigned
privilege is Sub-Network user). For detailed configuration of Radius server, please refer to
Appendix (E) Dictionary of IETF Radius Client Attributes Supported by GenieATM. Click on
Remote Authentication tab to enter the Remote Authentication management window. (See
Figure 3.1.4-1)
Figure 3.1.4-1 System Admin / User / Remote Authentication Management Window
Enabling the Radius Authentication

1. Click on Edit button at the right side of the Radius Server block area, a management
window will pop up. (See Figure 3.1.4-2)
2. Select Enable from the Radius Authentication drop-down list to enable this function.
3. Enter the primary IP address of the Radius server in the Primary IP Address field.
This configuration is mandatory to enable the Radius authentication function. The inputted
format is xxx.xxx.xxx.xxx.
4. Enter the secondary IP address of the Radius server in the Secondary IP Address field.
(Optional)
This configuration is optional. The inputted format is xxx.xxx.xxx.xxx.
5. Enter the printable ASCII string in the Secret field.
This configuration is mandatory. At least 1, up to 80 characters should be inputted.
6. Enter the authentication port number in the Authentication Port Number field.
This configuration is mandatory and its default value is 1812.
7. Click on Submit button to complete the modification
Figure 3.1.4-2 System Admin / User / Remote Authentication / Edit Remote Authentication Window
(Radius Server)
21
3.2
Device
The sub menus under Device menu will turn up when users click on the unfolding mark of Device.
These sub menus include Controller, Collector, MSP Server, and Flow load Balancers. The
Device menu mainly provides configuration interfaces of devices attributes. Please refer to the
following sections to get the detail information.
Note
1. Only the user assigned to the privilege template, administrator, can access the Device
menu.
2. The tab, MSP Server, will not show when the system does not support the MSP module
(value-added service).
3.2.1
Controller
Controller menu mainly provides some information about the Controller. After clicking on
Controller menu displayed on the Sub Menu tree of System Admin/Device at the left side of the
screen, a page with the Controller Management title will show the detail information about the
Controller. (See Figure 3.2.1-1) Users can edit the Controllers name, community string, and
remark information manually. The information displayed of CLI configuration is retrieved through
SNMP protocol from the SNMP agent of the Controller.
Figure 3.2.1-1 System Admin / Controller Management Window

Name: This name is only for identification purpose. (It is not relevant to the CLI command.)
The default name is Controller. The number of inputted characters must be between 1 and
40. You may modify it with your preference.
Re-type Community String Configured in CLI: The password to connect with the Controller.
The default value is genie. The number of inputted characters must be between 1 and 40.
CLI Configuration: The information about the Controller retrieved by SNMP protocol,
including Controller ID, Model Number, and Operation Status.
Remarks: The additional information for the Controller. The inputted characters are allowed
to 400 the most.
22
To edit the Controllers information

Users can modify the Controllers name, update the community string, and edit the remark
information. Click on Edit button to enter the Edit Controller window. (See Figure 3.2.1-2)
Figure 3.2.1-2 System Admin / Controller -- Edit Controller Window

(Please refer to the previous section for the following steps of your modification. The asterisk ""
indicates a mandatory field.)
1. Enter a new Controller name if you desire.
2. Enter the read-only community string that you configured in CLI.
If you have changed the community string, please re-type the same string here. Please note
that it will fail to get the SNMP information if the read-only community string you provided is
not correct. The number of inputted characters must be between 1 and 40.
3. Enter additional information in the Remarks field if necessary.
The inputted characters are allowed to 400 the most.
23
3.2.2
Collector
Collector menu allows users to manage the Collectors under the system. After clicking on
Collector menu displayed on the sub menu tree of System Admin/Device at the left side of the
screen, the Collector Management window will be presented and display all the Collectors
controlled by the Controller (As presented in Figure 3.2.2-1).
The latest configured Collector will be displayed at the first row of the list. A message next to the
Add button is the last version of dispatched Network configuration, which is convenient to
compare with the current version of each Collector.
Note
Only the user assigned to the privilege template, administrator, can access the Collector
menu.
There is a built-in Collector in the Controller, called Collector1. It is displayed at the last row in
the view list.
Figure 3.2.2-1 System Admin / Collector Management Window
To add a new Collector

Users should add (register) new Collectors in Web UI Management System after they have
finished the hardware installation and setup of the Collectors. The added Collectors will be under
control of the Controller after the registration. After clicking on Add button located at the top of
the Collector view list, a page with the Add New Collector title will be shown on the screen. (See
Figure 3.2.2-2)
Figure 3.2.2-2 System Admin / Collector -- Add New Collector Window
24
1. Enter Collector information in all fields: (The asterisk "" indicates a mandatory field.)
Collector Name: The Collector name defined here is for easy identification for multiple
Collectors controlled under the same Controller. You can give a meaningful name for the
new Collector. Only the default name of the First Collector (The one built in the Controller) is
Collector1; others are Collector. The number of inputted characters must be between 1
and 40. All characters are accepted except space and special characters
(!@#$%^&<>?...).
SNMP IP Address: The IP address of the SNMP agent to get Collectors information. Every
Collector has its own built-in SNMP agent, so please enter the IP address setup at the
Collector. The inputted format is xxx.xxx.xxx.xxx.
Note
Only the First Collector (The one built in the Controller) has a default SNMP IP address,
127.0.0.1, that means the IP address of the local host itself, here namely the
Controller. Other new adding Collectors do not have a default SNMP IP address.
Read Community String: The password to connect with the Collector. The default value is
genie. If you have changed the community string in CLI, please enter the same string here.
Please note that it will fail to get Collectors information if the read-only community string you
provided is not correct. The number of inputted characters must be between 1 and 40.
SNMP Version: The current SNMP version.
CLI Configuration: The information about the Collector retrieved through SNMP protocol,
including Collector ID, Model Number, Admin Status, Operation Status, and Configuration
Version. Click on the SNMP WALK >> button to get the current information of the
Collector. All the latest configurations will be firstly displayed in the SNMPWALK Information
block area of the right side, users have to click on << Update button to write the
displayed configurations into Controller.
Remarks: Enter additional information for the Collector. The inputted characters are
To edit a Collector
Users can modify the Collectors name, update the community string, refresh Collectors
information, and edit the remark information. Click on Edit button to enter the Edit Controller
window. (See Figure 3.2.2-3)
Figure 3.2.2-3 System Admin / Collector -- Edit Collector Window

25
(Please refer to the previous To add a New Collector section for the following steps of your
modification. The asterisk "" indicates a mandatory field.)
1. Enter a new Collector Name if you desire.
2. Enter the Collector IP address if changed.
3. Enter the read-only community string that you configured in CLI.
If you have changed the community string, please re-type the same string here.
4. Get current CLI information by clicking on SNMP WALK >> button.
If the Configuration Version displayed is not the same as the latest dispatched configuration
version, you can synchronize it by clicking on Synchronize Network Configuration
button.
To delete a Collector
Users can delete a Collector from the system except the First Collector built in the Controller.
A Delete page with detailed configuration will be shown. Note that if the Collector you are
deleting has applied to any configurations, the system will not allow you to delete it and the
Submit button will be unavailable. You have to change the applied configurations to
another Collector before you delete this Collector.
2. Click on Submit button to remove the Collector from the system.
To view the profile of a Collector

Users can view the Collector information in detail. The detail information includes Collectors
name, SNMP IP address, community string, remarks, controlled routers (exporters), and CLI
configurations, including the Collectors ID, model number, operation status, and configuration
version. (See Figure 3.2.2-4)
Figure 3.2.2-4 System Admin / Collector -- View Collector Window

1. Click on a Collector ID/name to enter the View Collector window.
When you move the cursor to the ID/name listed in the ID/Name column, the color of the
pointed ID/name will turn into blue.
2. Click on Back to List button to return to the Collector Management window.
26
3.2.3
MSP Server
MSP Server menu allows users to manage the MSP server (GenieATM 6110 device) under the system.
After clicking on MSP Server menu displayed on the Sub Menu tree of System Admin/Device at the
left side of the screen, the MSP Server Management window will be presented and all the MSP
Servers controlled by the Controller will be displayed (see the figure 3.2.3-1). The MSP Server can
generate customers reports and provides a portal site for end users to view themselves reports.
Note
This function will not show when the system does not support the MSP module (value-added
service).
Figure 3.2.3-1 System Admin/Device/MSP Server -- the MSP Collector Management window
To add a new MSP Server

Users can add new MSP Servers in Web UI Management System after they have finished the
hardware installation and setup of the MSP Servers. The added MSP Servers will be under control
of the Controller after the registration. After clicking on Add button located at the top of the MSP
Server view list, a page with the Add New MSP Server title will be shown on the screen (see the
figure 3.2.3-2).
1. Enter MSP Server information in all fields: (The asterisk "" indicates a mandatory field.)
Name: The MSP Server name defined here is for easy identification for multiple MSP Servers
controlled under the same Controller. You can give a meaningful name for the new MSP
Server. All characters are accepted except space and special characters (!@#$%^&<>?...).
SNMP IP Address: The IP address of the SNMP agent to get MSP Servers information.
Every MSP Server has its own built-in SNMP agent, so please enter the IP address setup at
the MSP Server. The inputted format is xxx.xxx.xxx.xxx.
Re-type Community String Configured in CLI : Input the password used to connect with
the MSP Server. The default value is genie. If you have changed the community string in CLI,
please enter the same string here. Please note that it will fail to get MSP Servers information if
the read-only community string you provided is not correct. The number of inputted characters
must be between 1 and 40.
SNMP Version: The current SNMP version.
CLI Configuration: The information about the MSP Server retrieved through SNMP protocol,
including Collector ID, Model Number, Admin Status, Operation Status, and Configuration
Version. Click on SNMP WALK >> button to get the current information of the MSP Server.
All the latest configurations will be firstly displayed in the SNMPWALK Information block area
of the right side, users have to click on << Update button to write the displayed
configurations into Controller.
Remarks: Enter additional information for the MSP Server. The inputted characters are
27
Figure 3.2.3-2 System Admin/Device/MSP Server Add New MSP Collector window
To edit a MSP Server

Users can modify the MSP Servers name, edit SNMP IP address, update the community string,
refresh MSP Servers information, and change the remark information. Click on Edit button to
enter the Edit MSP Server window.
(Please refer to the previous To add a new MSP Server section for the following steps of your
1. Provide new information to those fields/options that you like to modify.
To delete a MSP Server

Users can delete a MSP Server from the system.
A Delete page with detailed configuration will be shown.
Note that if the MSP Server you are deleting has applied to any configurations, the system will
not allow you to delete it and the Submit button will be unavailable. You have to change the
applied configurations to another MSP Server before you delete it.
2. Click on Submit button to remove the MSP Server from the system.
To view the profile of a MSP Server

Users can view the MSP Server information in detail.
1. Click on the ID/name to enter the View MSP Server window.
2. Click on Back to List button to return to the MSP Server Management window.
28
To view the Dispatch Log

Any changes about the system configuration in all sub functions of the Network or Preference
menu will take no effect on the MSP Server before the changed configuration has been dispatched.
This action will list the dispatch status for the MSP Server.
1.
2.
3.2.4
Click on the View button of the specified MSP Server entry.

Then, a popped up window with the dispatch logs of the specified MSP Server displays.
Click on the Close button to close the window.
Flow Load Balancers
The major functions of FLB are to receive the flows from the routers and forward them to multiple ATM
collectors according to the policy configured. Flow Load Balancers menu allows users to manage the
Flow Load Balancer devices. After click on the Flow Load Balancers menu displayer on the sub
menu tree of the System Admin/Device at the left side of the screen, the Flow Load Balancers
management window will display all configured the Flow Load Balancers (As presented in Figure
3.2.4-1). The latest set Flow Load Balancer will display at the first row of the list.
Figure 3.2.4-1 System Admin / Flow Load Balancers Management Window
To add a flow load balancer

Users should add a new Flow Load Balancer in Web UI Management System after the hardware
installation and setup has been finished. The added Collectors will be under control of the
Controller after the registration. After clicking on Add button located at the top of the Flow Load
Balancer view list, a page with the Add Flow Load Balancer title will show on the screen. (See
Figure 3.2.4-2)
Figure 3.2.4-2 System Admin / Flow Load Balancers / Add Flow Load Balancers Window
29
Provide the information in all fields: (The asterisk "" indicates a mandatory field.)
Name: The name defined here is for easy identification for the Flow Load Balancers controlled
under the same Controller. You can give a meaningful name for the Flow Load Balancer. The
number of inputted characters must be between 2 and 64. All characters are accepted except
space and special characters (!@#$%^&<>?...).
SNMP IP Address: Input the IP address of the SNMP agent to get the Flow Load Balancers
information. Every Flow Load Balancer has its own built-in SNMP agent, so please enter the IP
address setup for the Flow Load Balancer. The inputted format is xxx.xxx.xxx.xxx.
Read Community String: The password to connect with the Flow Load Balancer. The default
value is genie. If you have changed the community string in CLI, please enter the same string
here. Please note that it will fail to get Flow Load Balancers information if the read-only community
string you provided is not correct. The number of inputted characters must be between 2 and 32.
SNMP Version: select the SNMP version from the dropped down list.
CLI Configuration: The information about the Flow Load Balancer retrieved through SNMP
protocol, including ID, Model Number, Admin Status, Operation Status, and Configuration Version.
Click on the SNMP WALK >> button to get the current information of the Flow Load Balancer.
All the latest configurations will be firstly displayed in the SNMPWALK Information block area of
the right side, users have to click on << Update button to write the displayed configurations into
Controller.
Note
The advanced configuration fields, Flow Dispatching and Collector BGP Configuration, show after
the SNMP information of the Flow Load Balancer shows via clicking on the SNMP WALK >> button.
The detail pleases refer to the following description.
Flow Dispatching: this setting provides the way for users to specify the load balance policy
performing on the selected collectors. The available collectors will list in the Collector table.

Load Balance Policy: there are three types of Load Balance Policy for users to
specify and they are Round-Robin, Model-based Round-Robin and Weighted
Round-Robin. The factory default is Model-based Round-Robin.
When Round-Robin is specified, the weights of the selected collectors are equal.
When the Model-based Round-Robin is selected, the weight shall be assigned by

1
the system according to the model number of the selected collectors.

When the Weighted Round-Robin is set, users can manually specify the weighted
value of each selected collectors. Note that the total weighted value of flow policy
is 100% in Weighted Round-Robin Policy.
The Weight assigned by GenieATM is according to the model number of GenieATM Collector.
Model
Flows/s
Model
Flows/s
Model
Flows/s
Model
Flows/s
Model
Flows/s
Model
Flows/s
6105
10K f/s
6133
20K f/s
6165
50K f/s
6323
20K f/s
6333
20K f/s
6365
50K f/s
6123
20K f/s
6135
30K f/s
6167
70K f/s
6325
30K f/s
6335
30K f/s
6367
70K f/s
6125
30K f/s
6169
90K f/s
6369
90K f/s
30
Note
The system will automatically relay traffic to other FLB devices when one of the FLB
devices is down.

Collector: click on the check box before the listed in the Assigned row to add the
collector to the Load Balance Policy. If the load balance policy is set as Weighted
Round-Robin, users have to specify the percentage value of the flow dispatched.
Collector BGP Configuration: select the set of the BGP connection for the FLB. The factory
default is disabled. This parameter is used to let user select FLB BGP Module as the
reference of the parameter Use BGP Table of Another Router in the BGP Lookup
configuration of the System Admin/Router/Router function. If users set enable, the following
parameters users have to define.
BGP MD5 Secret: Enter the string. The number of inputted characters must be
between 0 and 40.
Remote AS Number: Enter the AS number of BGP router with which the FLBs BGP
module to establish the BGP connection.
Local AS Number: Enter the AS number of the FLB to establish the BGP connection
with the BGP router.
To edit a flow load balancer

Click on icon to enter the Edit Flow Load Balancers window. (See Figure 3.2.4-3)
Figure 3.2.4-3 System Admin / Flow Load Balancers / Edit Flow Load Balancers Window
(Please refer to the previous To add a flow load balancer section for the following steps of your
1. Provide new information to those fields that you like to modify.
31
To delete a flow load balancer

1. Click on the Delete icon
A Delete page with detailed configuration will show.
2. Click on Submit button to remove the configuration from the system.
To view the profile of a flow load balancer

The detail information of the flow load balancer displays. (See Figure 3.2.4-4)
Figure 3.2.4-4 System Admin / Flow Load Balancers / View Flow Load Balancers Window
1.
Click on an No./Name to enter the View Flow Load Balancer window.

When you move the cursor to the No./Name listed in the No. or Name column, the color of
the pointed No./Name will turn into blue. The Applied block area shows the information of the
Flow Load Balancer.
2.
Click on Back to List button to return to the Flow Load Balancer management window.
32
3.3
Network
A string of sub menus under Network menu will turn up when users click on the unfolding mark of
Network. These sub menus include Home Network, Dark IP, Router, Internet Boundary,
Backbone Links, Neighbor, Sub-Network, Server, MSP Customer, Filter, Application,
Anomaly, and Template. The Network menu mainly provides configuration interfaces of network
attributes for users to build their own network traffic modeling and anomaly detection environment.
Through this Network menu, users can also establish user-defined traffic analysis reports which
can meet users needs different from pre-defined network modeling reports.
Note
Only the user with the authority of administrator or defined by privilege, superuser, can
access the Network menu.
3.3.1
Home Network
Home Network menu provides two main configuring functions. One is to define the Home
Network area and the other is to define router-based anomaly traffic detection prefix scopes.
After clicking on Home Network menu displayed on the Sub Menu tree of System Admin/
Network at the left side of the screen, the Home Network management window (the default
entered window) will be shown. Users can see the sub-menu tabs, Home Network and ATD
White List, appearing above the screen. (See Figure 3.3.1-1)
Figure 3.3.1-1 System Admin / Network / Home Network / Home Network Management Window
3.3.1.1
Home Network
Home Network sub-menu tab is to specify the local network area by IP address prefixes and AS
numbers. All network areas directly controlled by users belong to the local network area namely
Home Network. After clicking on Home Network menu displayed on the Sub Menu tree of
Network at the left side of the screen, a page with the Home Network title will be shown. (See
Figure 3.3.1-1 above) Specifying all IP addresses and AS numbers of the Home Network is an
essential procedure.
33
To specify Home Network IP addresses

1. Click on Edit button at the bottom of the IP Address Prefix column, a management window
will pop up. (See Figure 3.3.1-2)
2. Enter all local IP addresses of your home network with CIDR format in the IP Addresses list
box.
You can enter one IP address prefix in a line (use Enter key to create different lines) or
separate multi-prefixes with commas. Please note that the overlaps between the prefixes are
not allowed.
Note
The maximum # of prefixes of Home can be up to 128.
Figure 3.3.1-2 System Admin / Network / Home Network / Home Network Edit Local IP Address
Window
To specify Home Network AS numbers

1. Click on Edit button at the bottom of the ASN List column, a management window will pop
up. (See Figure 3.3.1-3)
2. Enter all your AS numbers.
You can enter one AS number in a line (use Enter key to create lines) or separate multi-ASNs
with commas. The maximum number of AS can be up to 300.
Figure 3.3.1-3 System Admin / Network / Home Network / Home Network Edit Local AS Number
Window
34
3.3.1.2
ATD White List
All IP prefixes/addresses specified in the white list will not be ignored when the system perform the
Protocol-Misuse and Application Anomalies anomaly detection. Click on the ATD White List
sub-menu tab to enter the management window. (See Figure 3.3.1-4)
Figure 3.3.1-4 System Admin / Network / Home Network / ATD White List Management Window
To specify ATD White List

Refer to the following steps to specify the ATD White List.
1. Click on Edit button at the bottom of the IP Address Prefix column, a management window
2. Enter all local IP addresses of your home network with CIDR format in the IP Addresses list
box.
separate multi-prefixes with commas. Please note that the overlaps between the prefixes are
not allowed. The adopted matching logic is sequential match.
Figure 3.3.1-5 System Admin / Network / Home Network Edit ATD White List Window
35
3.3.2
Dark IP
Dark IP menu allows users to specify dark IP addresses and non-dark IP addresses. As long as
an IP address matches any inputted IP address defined as dark IP or non-dark IP, the system
will consider it as dark IP or non-dark IP. The adopted matching logic is longest match. Once any
dark IP is detected, it will be accounted for threshold violation checking. After clicking on Dark IP
menu displayed on the Sub Menu tree of System Admin/Network at the left side of the screen,
a page with the Dark IP title will be shown (See Figure 3.3.2-1).
Figure 3.3.2-1 System Admin / Network / Dark IP Management Window
To specify Dark IP or /and Non-Dark IP addresses

1. Click on Edit button at the bottom of the columns, a management window will pop up (See
Figure 3.3.2-2).
2. Enter the dark IP address with CIDR format in the Dark IP list box.
separate multi-prefixes with commas.
3. Enter the non-dark IP address in the Not Dark IP list box.
For those private IP addresses allocated and used in your networks, you may need the system
not to identify them as dark IP. You can enter one IP address prefix in a line (use Enter key to
create lines) or separate multi-prefixes with commas.
Note
The maximum # of prefixes of Dark IP plus Not Dark IP is up to 128.
Figure 3.3.2-2 System Admin / Network / Dark IP -- Edit Dark IP & Non-Dark IP Addresses Window
36
3.3.3
Router
Router menu allows users to add routers to the system for monitoring. This function provides the
configuration parameters about the router and the interfaces on the router. Users can add both
routers and interfaces to the system configuration. Besides, the Recomm. to Add/Edit
sub-menu tab provide user to add/edit the interface which is unspecified/updated and Recomm.
to Remove sub-menu tab list interfaces that the system recommends users to delete.
After clicking on Router menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, the Router management window (the default entered window) will be
shown. Users can see the sub-menu tabs, Router, Interface, Recomm. to Add/Edit and Recomm.
to Remove, appearing above the screen. (See Figure 3.3.3-1)
Figure 3.3.3-1 System Admin / Network / Router / Router Management Window
37
3.3.3.1
Router
Once you click on Router menu, you will directly enter the Router management window. The
latest added router will be displayed at the first row of the list. The following sections are going to
introduce how to add, edit, and delete a router, and how to view the profile of a router.
To add a router
Click on Add button at the top of the Router view list to enter the Add Router window. (See
Figure 3.3.3-2)
Figure 3.3.3-2 System Admin / Network / Router / Router -- Add Router Window
1. Provide router information to the following fields: (The asterisk "" indicates a mandatory
field.)
38
Basic Information
Name: Give a name for this router. (It is only for the purpose of identification.) The number
of inputted characters must be between 2 and 40. All characters are accepted except space
and special characters (!@#$%^&<>?...).
SNMP IP Address: The IP address of the SNMP agent to get the routers information.
Please enter the IP address from which setup at the router. The inputted format is
xxx.xxx.xxx.xxx.
Read Community String: The password to connect with the Router. Enter routers SNMP
read community string. Please note that it will fail to get the routers information if the
read-only community string you provided is not correct. The number of inputted characters
must be between 1 and 40.
SNMP Version: Select the SNMP version which to contact with router. Note that this item is
available only if the SNMP IP address and its community string are provided. After you
select the version, click on SNMP WALK >> button to get the current routers information.
The results of SNMP query will be displayed in a yellow block at the upper-right side of the
screen, including routers system description, name, contact, location, and total memory.
You have to manually enter a correct value of the total memory (unit is megabyte) if without
a query result.
Time Out of SNMP Polling: Select a time from the drop-down list. Users are allowed to
manually configure the waiting time length for each SNMP polling request. Available time
selections are 3, 4, 5., to 15 (seconds) and the default value is 5 seconds.
Retries of SNMP Polling: Select a preference setting from the drop-down list. Users can
also configure the frequency of retrying SNMP polling. Once the collector does not get
SNMP polling response from routers exceeding the configured time out, the system will try
to send a SNMP polling request again. Available selections are 1, 2, and 3 (times) and the
default value is 2 times.
Anomaly Traffic Detection: Select Enabled or Disabled from the drop-down list. The
factory default is enabled.
Rawdata: Select the Enabled or Disabled from the drop-down list. The factory default is
enabled and it allows the system to store the rawdata.
SNMP Polling (CPU, Memory):

SNMP Polling (CPU, Memory): Select Disabled or Enabled from the drop-down
list to disable or enable the monitoring of usage for devices CPU & memory. This item
is available only if the SNMP IP address and its community string are provided and
correct.

CPU SNMP OID: input the SNMP OID of the devices CPU. Note that be sure the
inputted OID is the devices CPU because the system does not check the contents of
the OID that is the information of the CPU. If users do not input the value, the system
will accord to the factory default OID to get the information. After inputting the OID,
users can click on the Check button to verify the SNMP connection is successful. If

the connection is successful, the

button shows otherwise the button shows.
Memory SNMP OID: input the SNMP OID of the devices Memory. Note that be sure
the inputted OID is the devices Memory because the system does not check the
contents of the OID that is the information of the Memory. If users do not input the
value, the system will accord to the factory default OID to get the information. Besides,
Users still have to manually enter a correct value of the total memory (unit is megabyte)
in the SNMPWALK Information field at the top right side of the page.
Baseline of CPU and Memory: Select the base line from the dropped down list if it is
needed. The baseline of the CPU and Memory is specified in the Baseline function
System Admin/Network/Template.
NetFlow/SFlow Information
Flow Exporter IP Address: Enter the IP address of the flow exporter from which flow data
is collected. The inputted format is xxx.xxx.xxx.xxx. If the IP address is incorrect, the
Collector will be unable to collect flow data.
Flow Receiving Port Number: Enter the port number to which flow data are exported. The
value is between 1025 and 65534. The port number must be the same with the one set up at
the flow exporter. We strongly recommend that you give each configured router with
different port number for receiving the traffic flow.
39
Sampling Rate: Specify a method of defining your sampling rate. Basically, the system
provides two types of sampling rate, one is dynamic and the other is fixed. Dynamic
sampling rate is to use the sampling rate inside the flow records received and will be
changing all the time. Fixed sampling rate is to use a constant sampling rate specified by
users. Choose dynamic sampling rate by clicking on Adopt the Sampling Rate carried in
flows radio button or fixed sampling rate by click on Adopt the Sampling Rate Defined
Manually radio button. If you choose fixed sampling rate, please enter a number between 1
and 32768 in the blank. For example, if you want to take one from ten, please enter 10. If
the value you entered is 1, that means the packet sampling function is disabled.
Age-out Time (V9): Enter an age-out time if the flow type is NetFlow V9. Its unit is second
and the available value is 0 or from 30 to 1800.
Flow Relay:

Flow Relay IP Address: Enter the IP address of flow collector to which flow data will
be relayed. The inputted format is xxx.xxx.xxx.xxx.

Flow Relay Port Number: Enter the port number to which flow data will be relayed.
The value is between 1 and 65534.

Flow Relay Sampling Rate: Enter the sampling rate. The value is between 1 and
1024. The factory default is 1. For example, if you want to take one from fifteen, please
enter 15. If the value you entered is 1, that means the packet sampling function is
disabled.
Note
Netflow v9 Templates are not guaranteed to be relayed.
Collector/FLB
Collector/FLB: Select the Collectors IP address, MSP Server or FLB device from the
drop-down list, which displays all Collectors, MSP Servers and FLB devices under control of
the Controller. The Collector you selected will collect NetFlow records from the router you
are configuring.
Note
The selected entries, MSP-xxx, will not show when the system does not support the MSP
module (value-added service).
BGP Lookup: Choose to activate the service of BGP lookup or not. If you do not want to
use this service, just click on the Disabled radio button. Please note that this will lead to no
AS path information generated in the report. If the router you are configuring is not a BGP
router but you want to analyze its BGP information, please click on the Enabled radio
button and provide the following information needed.
NetFlow ASN: Select a method for the adopted ASN information in the NetFlow records
from the drop-down list. There are three options: Overwritten by BGP module lookup
means all ASN information in the NetFlow records will be replaced by BGP lookup; Keep
them as Peer ASN means to keep the ASN information of NetFlow records as Peer ASN;
Keep them as Origin ASN means to keep the ASN information of NetFlow records as
Origin ASN.
Use BGP Table of Another Router: Select a router from the drop-down list. The
drop-down list will show the routers configured under the same Collector and also must
activate the BGP lookup service. Once this option is used, the BGP hijack and BGP
update message monitoring wont be available.
Connect to BGP Router IP Address: Enter the IP address of BGP router for the
Collectors BGP module to create a BGP peering session. If you want to look up BGP
information from an external BGP router, you can use this function. Please provide the
following information needed:
BGP MD5 Secret: Enter the string. The number of inputted characters must be
between 0 and 40.
Remote AS Number: Enter the AS number of BGP router with which the Collectors
BGP module to establish the BGP connection.
40
Local AS Number: Enter the AS number of the Collector by which the Collectors BGP
module will use to establish the BGP connection.
BGP Hijack Detection: Click on the Disabled or Enabled radio button for the BGP
hijack detection. (Default is Disabled.)
BGP Update Message Monitoring: Select a threshold template from the drop-down list
for the monitoring of update BGP message. All threshold templates of router
configured in the Template/Baseline function of the Network menu will be shown at
here. (Default is Disabled.)
To edit a router
Click on icon to enter the Edit Router window. (See Figure 3.3.3-3)
Figure 3.3.3-3 System Admin / Network / Router / Router -- Edit Router Window
(Please refer to the previous To add a router section for the following steps of your
41
To delete a router
A Delete page with detailed configuration will be shown. The system will remind you that all
configurations are using this router will be affected if the router is deleted.
2. Click on Submit button to remove the router from the system.
To view the profile of a router

The detail information of the router can be reviewed (See Figure 3.3.3-4).
Figure 3.3.3-4 System Admin / Network / Router / Router -- View Router Window
1. Click on an ID/Name to enter the View Router window.
When you move the cursor to the ID/Name listed in the ID/Router Name column, the color of
the pointed ID/Name will turn into blue. The Applied block area shows the information of Filters
to which this viewed router applied.
2. Click on Back to List button to return to the Router Management window.
42
3.3.3.2
Interfaces
Click on Interface sub-menu tab to enter the Interface management window. (See Figure 3.3.3-5)
There are drop-down lists presented at the below of the sub-menu tabs. One is the Router
Group drop-down list from which you can choose the router group (if any router groups are
configured in the Preferences/Group function of System Admin); the other is the Router
drop-down list which will display all routers that belong to the selected Router Group. A
message about the current-selected router will be presented at the top of the view list. The latest
added interface will be displayed at the first row of the list. The following sections are going to
introduce how to add, edit, and delete an interface. (Note that the interface indicates the router
interface.)
Figure 3.3.3-5 System Admin / Network / Router / Interface Management Window
To add an interface
GenieATM monitors and collects link-layer traffic statistics from the interfaces added here. Users
can add an interface manually or through the SNMP query to get the interfaces information of the
router. After selecting the router from which users can start the adding procedures below.
Adding via SNMP discovery
When users click on Discover via SNMP button, a Router Interface Discovery with SNMP window
will pop up and the system will trigger the SNMP walk to retrieve the interface inventory table from the
router (See Figure 3.3.3-6). The interfaces with a red check mark represent they have been added in
Web UI Management System.
1. Select a preferred interface by checking on the check box.
A green check mark will appear once you check on the check box.
2. Enter a new name for the interface if you desire.
After you checked on the check box, the Interface name field will be available. The number of
inputted characters must be between 1 and 64. All characters are accepted except space and
special characters (!@#$%^&<>?...). The default Interface Name depends on what kind of
system version is supported by the router. If the router supports V1, Interface Name will be the
value of Router Name plus SNMPWalk ifDescr. If the router supports V2c, Interface Name
will be the value of SNMPWalk ifAlias; however, if the value of SNMPWalk ifAlias is empty,
the system will use the value of Router Name plus SNMPWalk ifDescr as Interface Name,
then.
3. Select a baseline template for the monitored SNMP traffic.
All baseline templates of interface configured in the Template/Baseline function of the
Network menu will be shown at here. The system will issue alert logs once the SNMP traffic is
against the specified baseline template. If you select no baseline template for the SNMP
polling, then, no alert logs will be issued.
Note
The factory default of the SNMP Polling function is enabled and users can change the status
to disable.
43
4. Select the action of Flow aggregation.

Note
The factory default of the Flow Aggregation function is enabled and users can disable the
function. In addition, what common attribute reports are activated can be specified via editing
the interface.
Figure 3.3.3-6 System Admin / Network / Router / Interface -- Interface Discovery with SNMP Window
Adding by manual
If the SNMP query is failed or SNMP community string is not available, users can manually add
interface. When users click on Add button, the Add Interface window will pop up. (See Figure
3.3.3-7) Under the title, the router to which the interface belongs is indicated including its name
and IP address.
Figure 3.3.3-7 System Admin / Network / Router / Interface -- Add Interface Window
1. Provide router information to the following fields: (The asterisk "" indicates a mandatory
field.)
Interface Name: Give a name for this interface. The number of inputted characters must be
between 1 and 64. All characters are accepted except space and special characters
(!@#$%^&<>?...).
ifIndex: Enter the interface index. Please refer to the realistic value of the router.
44
ifDescr: Enter the description for this interface. The number of inputted characters must be
between 1 and 256.
ifAlias: Enter the alias name of the interface.
ifSpeed: Enter the interface speed. The unit is bps (bits per second). Please refer to the
realistic configuration of the router.
ifType: Enter the interface type. Value 6 represents ethernet and 22 represents serial.
Please refer to the realistic configuration of the router.
Flow ifIndex: Enter the flow interface index carried in flow packet.
Except manually entering the above information one by one, you can also use
SNMP WALK >> button (will be available when the value of ifIndex is inputted) to get
interfaces information configured in the router automatically and then click on << Update
button (will be available after the interface information is gotten) to update ifIndex, ifDescr,
ifSpeed, ifType, Flow ifIndex at once.
SNMP Monitor
SNMP Polling: Select Enabled or Disabled from the SNMP Polling drop-down list.
(Default is Disabled.) If you select to enable this function, you can specify a baseline
template from the Baseline Template drop-down list below. If the SNMP polling function is
disabled here, then, there will be no SNMP traffic statistics in the Interface detail report.
Baseline Template: Specify a baseline template from the Baseline Template drop-down
list if you selected to enable the SNMP polling. The SNMP monitor can provide traffic and
performance monitoring for interfaces. All baseline templates of interface configured in the
Template/Baseline function of the Network menu will be shown at here. The system will
issue alert logs once the SNMP traffic is against the specified baseline template. If you
select no baseline template for the SNMP polling, then, no alert logs will be issued.
Flow Aggregation
Flow Aggregation: Select Enabled or Disabled from the drop-down list.
Common Attribute Report: Click on the check boxes to generate your preferred common
attribute reports for this interface. The selectable reports include Application, Protocol,
Protocol+Port, TOS, Packet Size, and Top Talker.
If you want to manually add more than one router interface, you can add them one by one. To
close the Add Router Interface window, please click on Cancel button to exit.
To edit an interface
Click on button, the Edit Interface window will pop up. (See Figure 3.3.3-8)
Figure 3.3.3-8 System Admin / Network / Router / Interface -- Edit Router Interface Window
45
(Please refer to the previous To add an interface section for the following steps of your
To delete an interface
configurations are using this interface will be affected if the interface is deleted.
Note
If users want to remove multiple interfaces once, users just click on the check boxes of the
interfaces and then click on the Delete button to remove them.
2. Click on Submit button to remove the interface from the system.
To view the profile of an interface

The detail information of the interface can be reviewed.
(See Figure 3.3.3-9)
Figure 3.3.3-9 System Admin / Network / Router / Interface -- View Interface Window
1. Click on an ID/Name to enter the View Interface window.
When you move the cursor to the ID/Name listed in the ID/Interface Name column, the color
of the pointed ID/Name will turn into blue.
2. Click on Back to List button to return to the Router management window.
46
3.3.3.3
Recomm. to Add/Edit
Click on Recomm. to Add/Edit sub-menu tab to enter the Interface Add/Edit Recommendation
window. (See Figure 3.3.3-10) There is a Router drop-down list, which users can choose the
router presented below the sub-menu tabs. Besides, the Searching function which is including
the drop-down list and text box is use for finding the specified interface.
The interface recommendation view list will show the interfaces that the system recommends
adding or updating. When the system receives a flow but can not find its corresponding interface
in the configuration, the interface will be listed here as recommended to add. In addition, if the
value of a recommended interface is the same as the other interface in the configuration, it will
be marked red as recommended to update. This may occur when users add a new interface slot
between the running interfaces.
Note
It needs a period of time for the system to check and update the interfaces information.
Figure 3.3.3-10 System Admin / Network / Router / Recomm. to Add/Edit Window
To add/edit a recommendation interface

1. Click on the check box of the interface that users want to add/update.
2. Click on the Submit button to add/update the interface. The modified interface will be
display in the list table in the Interface in System Admin/Router function.
47
3.3.3.4
Recomm. to Remove
Click on Recomm. to Remove sub-menu tab to enter the Interface Remove Recommendation
window. (See Figure 3.3.3-11) Below the sub-menu tabs is a Router drop-down lists for users to
choose. Besides, the search function which includes the Searching drop-down list displayed the
types of interface and text box is use for finding the specified interface.
Here lists the interfaces that the system recommends to remove. These interfaces are without
passing through flows for a long time.
To delete a recommendation interface

1. Click on check box of the interface. Users still can click on the check box located at the title
row for select all interface.
Note
The Ref# column shows the number of the interface referenced by other configurations in the
system.
2. Click on Submit button to remove the interface from the system.
Figure 3.3.3-11 System Admin / Network / Router / Recomm. to Remove Window
48
3.3.4
Internet Boundary
Internet Boundary menu allows users to define the boundary of Internet/Neighbor for their
networks. The Neighbor boundary shares the same defined boundary here since it is actually
part of the Internet boundary. The Internet boundary actually consists of one or more than one
boundary links (external interfaces). In order to prevent the flow traffic from being double
counted, there are two types of boundary samples provided for users to define their
Internet/Neighbor boundary: Segment Cut and Circular Cut. These two boundary cuts have
different ways to calculate the flow traffic. Therefore, users should specify which boundary type
they are going to use before they start to define the Internet/Neighbor boundary. The following
sections will introduce how to specify the boundary type and how to define boundary links of the
Internet boundary.
Note
Once the Internet boundary is built, it will become a default boundary template that can be
reused for the sub-network boundary. However, this boundary template will not be displayed
in the Boundary Template configuration view list.
After clicking on Internet Boundary menu displayed on the Sub Menu tree of System Admin/
Network at the left side of the screen, a page with the Internet Boundary title will be shown. (See
Figure 3.3.4-1)
Figure 3.3.4-1 System Admin / Network / Internet Boundary Management Window
Specifying Boundary Type

Click on Edit button at the right side of the Boundary Type area, a management window will
pop up. (See Figure 3.3.4-2 or 3.3.4-3)
1. Select a boundary type by clicking on the radio button.
The selection of boundary type will influence the configuration setup of flow exporting for the
routers on customers network. If the Segment Cut (See Figure 3.3.4-2) was selected, only
border routers on the internet boundary need to export flow packets to GenieATM for analysis.
But, you have to enable flow exporting for all active interfaces on the border routers.
Segment Cut Illustration)
49
If Circular Cut (See Figure 3.3.4-3) was selected, not only border routers but also the routers
(could be border routers or aggregation routers) on the circular cut should export flow packets
need to export flow packets to GenieATM. However, only the interfaces on the circular cut
need to export flow packets to GenieATM.
The default type is Segment Cut.
Circular Cut Illustration)
Defining Boundary Links

The Internet Boundary management window will display all boundary links (external interfaces)
configured in the Boundary Link view list (See Figure 3.3.4-1). The information displayed in the
view list includes No., Router, ifIndex, Interface Name, Traffic Direction, and Force Neighbor
ASN [Enabled; ASN; Force Rule]. The following sections are going to introduce how to add, edit,
and delete a boundary link.
To add a boundary link

When you click on Add button at the top of the Boundary Link view list, a management
window with the Add Internet Boundary title will pop up. (See Figure 3.3.4-4)
Figure 3.3.4-4 System Admin / Network / Internet Boundary -- Add Internet Boundary Window
1. Select a router group from the Router Group drop-down list.
All router groups configured in the Group/Router function of Preferences will be shown in this
drop-down list. (Default is All Routers)
50
2. Select a router from the Router drop-down list.

After you selected a router group, all routers belong to the router group you selected will be
shown in this Router drop-down list. Here will change according to the router group you
selected.
3. Select an interface from the Interface list table.
The records will change according to the router you selected. All interfaces belong to the
router you selected will be shown in this Interface list table.
Note
Once the interface is defined as an Internet boundary link, it will be marked as an external
interface. You can see this information in External column of the Interface view list in the
System Admin/Network/Router/Interface function. In the meantime, the monitoring of
SNMP polling will be automatically enabled but it can be disabled manually if necessary.
(Please see Figure 3.3.3-5 and refer to the Configuring Interfaces section.)
4. Select the traffic direction by clicking on the radio button
If you have selected the Segment Cut as your Internet boundary type, you have to select
Both (two-way, input and output) as your traffic direction. However, if you have selected the
Circular Cut as your Internet boundary type, you should select either Input or Output as
your traffic direction.
To edit a boundary link

Click on button, the Edit Interface Boundary window will pop up. (See Figure 3.3.4-5)
Figure 3.3.4-5 System Admin / Network / Internet Boundary -- Edit Internet Boundary Window
(Please refer to the previous To add a boundary link section for the following steps of your
2. Choose Enable or Disable item for replacing the Neighbor AS number of flow traffic or not
by clicking on the radio button. The factory default is disable.
Enable means you want to decide the Neighbor ASN of the flow traffic for this interface by
yourself; Disable means you prefer the system to decide it according to the routing
information and flow data (Default is Disable). If you choose to enable this function, you have
51
to provide further information below. Usually, you choose Enable because only one neighbor
connect to this interface and you exactly know the traffic comes from whose network.
ASN: enter the AS number of this connective neighbor.
Force Rule: select the interface connects to your neighbor or home network by clicking on
the radio button. If Interface Connect to Neighbor is selected (the ingress flow packets on
the interface should be exported to GenieATM), the Peer ASN on Source IP address of the
input flow traffic will be replaced by the ASN you provided above. Oppositely, if Interface
Connect to Home is selected (the egress flow packets on the interface should be exported
to GenieATM), the Peer ASN on Source IP address of the output flow traffic will be replaced
by the ASN you provided above.
To delete a boundary link

Note
Users still can check multiple entries and then click on the Delete button to remove them.
2. Click on OK button to remove the boundary link from the system.
52
3.3.5
Backbone Links
Backbone Links menu allows users to register backbone links on users network. The
backbone link is the interface used to connect to two backbone routers. Once users register the
backbone links here, the backbone routers and backbone boundary can be automatically
identified by GenieATM. That information can be utilized by GenieATM to do Backbone traffic
analysis.
After clicking on Backbone Links menu displayed on the Sub Menu tree of System Admin/
Network at the left side of the screen, a page with the Backbone Links title will be shown (See
Figure 3.3.5-1). The following sections will introduce how to add and delete a backbone link.
Figure 3.3.5-1 System Admin / Network / Backbone Links Management Window
53
To add a backbone link

When users click on Add button at the top of the Backbone Links view list, a management
window with the Add Backbone Links title will pop up. (See Figure 3.3.5-2)
Figure 3.3.5-2 System Admin / Network / Backbone Links -- Add Backbone Links Window
shown in this Router drop-down list. Here will change according to the router group you
selected.
3. Select an interface from the Interface drop-down list.
It is same as the router selection above. Here will change according to the router you selected.
All interfaces belong to the router you selected will be shown in this Interface drop-down list.
Note
Once the link (interface) is defined as a backbone link, it will be marked backbone interface.
You are able to see this information in Backbone column of the Interface view list. (Please
see Figure 3.4.3-5 and refer to the Configuring Interfaces section.)
To delete a backbone link

2. Click on OK button to remove the backbone link from the system.
54
3.3.6
Neighbor
Neighbor menu allows users to configure neighbor AS (Autonomous System) into the system.
For analyzing the traffic between users network and their neighboring networks, they have to
add their entire neighbor ASes to the system manually. (The Neighbor boundary shares the
same one with the Internet boundary, so users do not need to define it here.)
After clicking on Neighbor menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, a page with the Neighbor Management title will be shown (See Figure
3.3.6-1). The following sections will introduce how to add, edit, delete, and view a neighbor.
Figure 3.3.6-1 System Admin / Network / Neighbor Management Window
To add a neighbor
Click on Add button at the top of the Neighbor view list to enter the Add Neighbor window.
(See Figure 3.3.6-2) It is allowed to add up to 128 neighbor ASes to the system.
Figure 3.3.6-2 System Admin / Network / Neighbor -- Add Neighbor Window

1. Provide neighbor information to the following fields: (The asterisk "" indicates a mandatory
field.)
Name: Give a name for this neighbor. The number of inputted characters must be between
2 and 40. All characters are accepted except space and special characters
(!@#$%^&<>?...).
AS Number: Enter the AS number of the neighbor. They are not allowed to be duplicable.
You can enter up to 12 AS numbers (separated by commas; and between 1 and 65535) in a
neighbor entity.
Remarks: Enter additional information for the neighbor. The inputted characters are
2. Checking on the check boxes to select the wanted attribute reports.
There are five kinds of attribute reports (Application, Protocol, Protocol + Port, TOS, Packet
Size). All their default values are Enabled.
55
To edit a neighbor
Click on icon to enter the Edit Neighbor window. (See Figure 3.3.6-3)
Figure 3.3.6-3 System Admin / Network / Neighbor -- Edit Neighbor Window

(Please refer to the previous To add a neighbor section for the following steps of your
To delete a neighbor
A Delete page with detailed configuration will be shown. Note that if the neighbor you are
another neighbor before you delete this neighbor.
2. Click on Submit button to remove the neighbor from the system.
To view the profile of a neighbor

The detail information of the neighbor can be reviewed (See Figure 3.3.6-4).
Figure 3.3.6-4 System Admin / Network / Neighbor -- View Neighbor Window

1. Click on an ID or Name to enter the View Neighbor window.
When you move the cursor to the ID/Name listed in the ID/Name column, the color of the
pointed ID/Name will turn into blue.
2. Click on Back to List button to return to the Neighbor management window.
56
3.3.7
Sub-Network
Sub-Network menu allows users to define their sub-networks. The sub-network could be a part
of network inside or outside users network identified by IP address (CIDR), AS number, AS path
regular expression, BGP community string, interface (Prefixes Daily Learned) or Private Network.
Users should define all their sub-networks to the system, so that they can gain variety of reports
relevant to the Sub-Network traffic. The definition of sub-network includes two main parts, the
sub-network area and boundary.
After clicking on Sub-Network menu displayed on the Sub Menu tree of System
Admin/Network at the left side of the screen, a page with the Sub-Network Management title
will be shown (See Figure 3.3.7-1). The IP Space column is presented with a list box and it
allows users to read the data by rolling the scroll bar. If the sub-network entity uses a created
sub-network boundary template as its boundary, the Boundary Links column will display a
hyperlink of the used boundary template for users to view the detail information about it. The
following sections will introduce how to add, edit, delete, and view a sub-network.
Note
1. A searching function is provided. It is located next to the Add button and above the view
list. Users can utilize multiple searching filters (ID, Name/Remarks, IP Space) to quickly find
out a specific sub-network from plenty of listed sub-networks. Select a type of searching
filter in the Searching drop-down list, input key word in the for blank, and then click on the
Go button.
2. Page-control buttons are next to the Go button.

|<
button: to go to the first page.
<<
button: to go to the previous page.
>>
button: to go to the next page.
>|
button: to go to the end page.
The Page drop-down list: to go to a specific page selected from the drop-down list. The
numerator represents the page you are going to list and the denominator represents the
total pages.
3. Entries/Page drop-down list: to control the displayed entries per page of the Application
view list. There are six options to select: 12, 25, 50, 100, 150, and 250. The number 25
with an asterisk means the default value.
Figure 3.3.7-1 System Admin / Network / Sub-Network Management Window
57
To add a sub-network
Click on Add button at the top of the Sub-Network view list to enter the Add Sub-Network
window. (See Figure 3.3.7-2) It is allowed to add up to 600 sub-networks to the system.
CIDR)
1. Enter the name of the sub-network in the Name field.
This name must be unique among sub-network in the system. The number of inputted
characters must be between 2 and 40. All characters are accepted except space and special
characters (!@#$%^&<>?...).
2. Select CIDR, AS Number, AS Path Regular Expression, BGP Community String, Interface (Prefixes
Daily Learned) or Private Network from the Defined By drop-down list for the sub-network area.
The default type is CIDR. If you select the AS Number/AS Path Regular Expression/BGP
Community String/Interface/Private Network type, the screen will be transferred to another
window for configuring the AS number/AS path/BGP community string/Interface (Prefixes Daily
Learned). (See Figure 3.3.7-3 / Figure 3.3.7-4 / Figure 3.3.7-5 / Figure 3.3.7-6/ Figure 3.3.7-7)
58
Number)
Path Regular Expression)
Figure 3.3.7-5 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by BGP
Community String)
Interface)
59
Private Network)
3. Enter all IP addresses to define the sub-network with IP prefixes (CIDR) or IP ranges in the
CIDR text box if you select the CIDR type on Step 2.
You can enter either IP prefixes or IP ranges with permit or deny keyword. If you do not
specify permit or deny keyword, the IP prefix or range will be considered as Permit. The
sequence does matter and works like an ACL. You can enter one IP address prefix in a line
(use Enter key to create different lines) or separate multi-prefixes with commas. The
maximum # of prefixes can be up to 200.
Enter all AS numbers to define the sub-network in the AS Number text box if you select the
AS Number type on Step 2.
They are not allowed to be duplicable. Both singular AS number and successive range are
acceptable. You can enter up to 40 elements of AS numbers (separated by commas; and
between 1 and 65535) in a sub-network entity.
Enter the AS path to define the sub-network in the AS Path Regular Expression text box if you
select the AS Path Regular Expression type on Step 2.
You can define the sub-network with one AS path regular expression. An AS path regular
expression is used for displaying BGP routes by a list of AS numbers (concatenating one or
more AS numbers). Three types of token expressions are supported by the system: digital
token, * token, and [] token; and a space character is needed between every AS number
and */[] token.
A digital token is a number which range is from 0 to 9;
A * token represents zero or multiple AS numbers, i.e. 32 * 123 means any AS path
with Peer ASN 32 and Origin ASN 123;
A [] token represents a union relationship between all the AS numbers inside [].
Once an AS number in the AS path in the specified location equals any one AS number in
the union-ship, this token is considered matched, e.g. [13 439 302] * means any AS path
with Peer ASN 13,439 or 302.
The total length of the AS path regular expression string can be up to 200 characters.
Enter the BGP community to define the sub-network in the BGP Community String text box if
you select the BGP Community String type on Step 2.
You can define the sub-network with up to 12 BGP communities with wildcards. A BGP
community string consists of two token sets, separated by a colon :, and must be
cascaded together without space or tab in between. A token set includes 5 digits from 0 to 9
and three types of token expressions are supported: digital token, ? token, and [] token.
A ? token represents one digit with any value from 0 to 9, e.g. 21829:1290? means
from 21829:12900 to 21829:12909;
A [] token represents a container that can hold up to 10 digits. A digit matched any
digit inside the token, this token is matched, e.g. 23910:391[0 2]4 means 23910:39104
and 23910:39124.
The 0 digit can be skipped if they do not affect the value, for example, 00023:12802 can be
replaced by 23:12802. The total length of a BGP community-with-wildcard string is up to 120
characters.
60
Add interfaces (which connect to your sub-network) to define the sub-network in the
Interface text box if you select the Interface type on Step 2.
The interfaces you select here will form a border which is used to auto learn prefixes for
the defined sub-network. Once you use auto-learning interfaces to define your
sub-network, then you don't need to define a sub-network boundary in the next step.
Using the previous four defining methods ("CIDR", "AS Number", "AS Path Regular
Expression", "BGP Community String") to define a sub-network entity must manually
specify IP Spaces and Boundary Cut but the "Interface" and Private Network defining
method has merged these two elements. Therefore, with "Interface" and Private
Network defining method, you will only need to specify the Boundary Cut manually and
then the system will learn the IP Spaces automatically. There are some differences to
use auto-learning interfaces on defining the Boundary Cut. Firstly, you could select
the interface which is connected to backbone but not sub-network as the border. In this
way, you can simplify the configuration when there are more interfaces connecting to the
sub-network and less to the backbone. Secondly, the flow traffic calculation is always
two-way, so you don't have to specify the traffic direction for interfaces. After clicking on
Edit button next to the Interface text box, the Edit Sub-Network Learning Interface
window will pop up (See Figure 3.3.7-8). Please follow the steps below for configuring
your sub-network auto-learning interfaces.
Figure 3.3.7-8 System Admin / Network / Sub-Network -- Edit Sub-Network Learning Interface
Window
(1)
(2)
(3)
61
Select a router group from the Router Group drop-down list.

All router groups configured in the Group/Router function of Preferences will be shown in
this drop-down list. (Default is All Routers)
Select a router from the Router drop-down list.
After you selected a router group, all routers belong to the router group you selected will
be shown in this Router drop-down list. Here will change according to the router group
you selected.
Select an interface from the Interface drop-down list.
It is same as the router selection above. Here will change according to the router you
selected. All interfaces belong to the router you selected will be shown in this Interface
drop-down list. In addition, users still can add the interface via click on
the Browse button and a interface list table shows for specifying.
Note
If users add the interface via the step, clicking on the Browse button, they have
to specify traffic direction ( step (4) below) before clicking on the Add button
(below the list table ). When users click on the Add button (below the list table ) the
selected interface will be added to the Learning Interface text box, and users can skip
the step (4) and (5).
(4)
(5)
Select the traffic direction by clicking on the radio button.

According to your physical interface connection to select which type of network entity it
connects to.
Click on Add button to add the specified interface into the Learning Interface text box
one by one.
Note
If user add the interface via the step, clicking on the Browse button, this step can
be ignored. Otherwise, the error message duplicate may show.
(6)
After adding all interfaces desired, please click on Submit button to complete the
configuration.
Add Private Network (which connect to your sub-network) to define the sub-network in the
Interface text box if you select the Private Network on Step 2.
The Private Network defining method is the same as the method of Interface, please refer
to the above steps to set the sub-network via defining Private Network.
4. Define the boundary of the sub-network.
You can use the existing boundary templates as the sub-network boundary or manually define
a new one right away by clicking on the radio button. Please ignore this step if you have used
auto-learning interfaces to define your sub-network in the previous step.
If you use the existing boundary templates, please select a template from the Use Boundary
Template drop-down list. Both the templates defined in the Template/ Sub-Network
Boundary function of Network and the Internet boundary will be shown here.
If you want to define a new one, please click on Edit button (will be selectable after
clicking on the Defined radio button) to start the configuration. You will see the Edit
Sub-Network Boundary window pop up. (See Figure 3.3.7-9) After selecting the router group,
router, and interface from each drop-down list, and specifying the traffic direction, you click on
Add button to add the link (one by one) to the Sub-Network Boundary text box. In addition,
users still can add the interface via click on the Browse button and a interface list table show
for specifying. After you finish adding links, you click on the Submit button and the links you
added will form the boundary of this sub-network.
Note
1.
2.
Traffic Directions:
Input the flow will be included for traffic counting if the interface ifindex appears in
Input Interface field of the flow record.
Output the flow will be included for traffic counting if the interface ifindex appears in
Output Interface field of the flow record.
Both the flow will be included for traffic counting if the interface ifindex appears in
Input Interface or Output Interface field of the flow record.
If users add the interface via the step, clicking on the Browse button, they have to
specify the Traffic Direction before clicking on the Add button (below the list table) to
add the selected interface into the Learning Interface text box.
62
Figure 3.3.7-9 System Admin / Network / Sub-Network -- Edit Sub-Network Boundary Window
5. Set the parameters for generating Report data.
Select reports that you want to generate by checking on the check boxes. There are two types
of the reports for selection. One is Advanced Traffic Analysis report including Breakdown
Report and Top Talker report, and the other is Command Attribute Report including
Application, Protocol, Protocol+Port, TOS, and Packet Size reports. The default set of
command attribute report is Enabled except TOS report.
6. Set the Offline Report Scheduler
This function defines whether the sub-network provides the offline report function for the users
whose privilege is belong to this sub-network to set its own offline report. Select Enabled from
the dropped-down list to enforce the Offline report function for the sub-network; otherwise
keep the default value, Disabled. The default set is Disabled.
Note
1.
2.
If this function of the sub-network is enabled, the user whose privilege is specified to
this sub-network can set all types offline reports in the Report/Sub-network function.
The ways to set the offline report please refer to the Report/Sub-Network section.
The language type of the received offline reports can specify in the Global in the
System Admin/Preference/Offline Report function.
7. Set the actions to anomaly detection.

There are two Anomaly Detection modules here, Traffic Anomaly and Protocol-Misuse
Anomaly Detection modules.
Traffic Anomaly Detection: it is divided into two parts, Incoming and Outgoing. You
can individually configure them in two different directions (Incoming & Outgoing) by
select the baseline template form the drop-down list.
DDoS and Worm Detection: select Enabled or Disabled from the drop-down list
(default is Disabled).
Note
When users disable DDoS and Worm Detection, the detection of Protocol-Misused
anomalies and Application anomalies will not work.
If the anomaly detection is enabled, the anomaly report of this sub-network will display in
Status/Anomaly Console function. The factory defaults of anomaly detection actions are
disabled.
8. Enter additional information for the sub-network in the Remarks field.
63
To edit a sub-network
Click on icon to enter the Edit Sub-Network window. (See Figure 3.3.7-10)
Figure 3.3.7-10 System Admin / Network / Sub-Network -- Edit Sub-Network Window

(Please refer to the previous To add a sub-network section for the following steps of your
modification.)
To delete a sub-network
A Delete page with detailed configuration will be shown. Note that if the sub-network you are
another sub-network before you delete this sub-network.
2. Click on Submit button to remove the sub-network from the system.
64
To view the profile of a sub-network

The detail information of the sub-network can be reviewed (See Figure 3.3.7-11).
Figure 3.3.7-11 System Admin / Network / Sub-Network -- View Sub-Network Window
1. Click on an ID or Name to enter the View Sub-Network window.

pointed ID/Name will turn into blue. The Applied block area shows the information of Filters to
which this viewed sub-network applied.
2. Click on Back to List button to return to the Sub-Network Management window.
65
3.3.8
Server
Server menu allows users to define server farm, which includes several servers. Users can
define their server farm to the system, so that they can gain variety of reports relevant to the
server traffic.
After clicking on Server menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, the Server-farm Management window will be shown. (See Figure
3.3.8-1)
Note
list. Users can utilize multiple searching filters (ID, Name/Remarks, IP Space) to quickly find
out a specific Server-farm from plenty of listed server entries. Select a type of searching
filter in the Searching drop-down list, input key word in the for blank, and then click on the
Go button.
| < button: to go to the first page.
<< button: to go to the previous page.
>> button: to go to the next page.
> | button: to go to the end page.
total pages.
3.
Entries/Page drop-down list: to control the displayed entries per page of the Application
Figure 3.3.8-1 System Admin / Network / Server Server-farm Management Window
To add a server-farm
Click on Add button at the top of the Server view list to enter the Add Server-farm
management window (See Figure 3.3.8-2). Please check the resource limitation for server farm
entries in Status/Summary/Resources function.
66
Figure 3.3.8-2 System Admin / Network / Server -- Add Server-farm Window

1. Name: Enter the name of the server in the Name field.
This name must be unique among server in the system. The number of inputted characters
must be between 2 and 40. All characters are accepted except space and special characters
(!@#$%^&<>?...).
2. CIDR: Enter all IP addresses to define the server with IP prefixes (CIDR) or IP ranges in the
CIDR text box.
You can enter either IP prefixes or IP ranges with permit or deny keyword. If you do not
specify permit or deny keyword, the IP prefix or range will be considered as Permit. The
sequence does matter and works like an ACL. You can enter one IP address prefix in a line
(use Enter key to create different lines) or separate multi-prefixes with commas. The
maximum # of prefixes can be up to 200.
3. Protocol/Port: Define the Protocol/Port of the Server-farm.
You can set any or define the value of Protocol/Port to Server-farm. Select the protocol/port by
clicking on the radio button, then enter the port number or the message type/code, and then
click on <<Add button to add the definition to the text box. You have to add multiple values
of Protocol/Port into text box individually. It is allowed to add up to 32 combinations to a
server-farm. Using Remove>> or Remove All button to remove the added configuration
from the text box.
67
Protocol/Port: select protocol/port from the drop-down list and define the port number.
You can enter a port range (continuous port numbers) at one time. For adding a port
range, you should enter the first number of the range in the previous field and the last
number of the range in the back field. For adding a port number, you can select Port
Number and enter the number in the text box.
ICMP: the system allows you to set the message type and code further for various
services of ICMP. You have to enter the message type and code if ICMP is selected.
4. Boundary Links: Define the boundary of the server-farm.

You can use the existing boundary templates as the server-farm boundary or manually define
a new one right away by clicking on the radio button.
If you use the existing boundary templates, please select a template from the Use Boundary
Template drop-down list. The templates defined in the Template/ Server-farm Boundary
function of Network will be shown here.
If you want to define a new one, please click on Edit button (will be selectable after
clicking on the Defined radio button) to start the configuration. You will see the Edit Server
Boundary window pops up. (See Figure 3.3.8-3) After selecting the router group, router,
and interface from each drop-down list, and specifying the traffic direction, you click on
Add button to add the link (one by one) to the Server Boundary text box. In addition,
users still can add the interface via click on the Browse button and an interface list table
show for specifying. After you finish adding links, you click on the Submit button and the
links you added will form the boundary of this server-farm.
Note
Traffic Directions:
Input the flow will be included for traffic counting if the interface ifindex appears in
Input Interface field of the flow record.
Output the flow will be included for traffic counting if the interface ifindex appears in
Output Interface field of the flow record.
Both the flow will be included for traffic counting if the interface ifindex appears in
Input Interface or Output Interface field of the flow record.
If users add the interface via the step, clicking on the Browse
button, they have to
specify the Traffic Direction before clicking on the Add button (below the list table)
to add the selected interface into the Server Boundary text box.
68
Figure 3.3.8-3 System Admin / Network / Server -- Edit Server Boundary Window
5. Generate Report Data: Set the parameters for generating Report data.
Select reports that you want to generate by checking on the check boxes. There are two types
of the reports for selection. One is Advanced Traffic Analysis report including Breakdown
Report, and the other is Command Attribute Report including Application, Protocol,
Protocol+Port, TOS, and Packet Size reports. The default set of command attribute report is
Enabled except Protocol and TOS report.
6. TopN Report: Enable TopN report.
A TopN report of a server is to sort the analyzed traffic results of a specified server farm with
aggregation elements. All listed TopN reports are predefined in the TopN Report function of
the System Admin/ Network/ Template function. The operation describes as follows:

Adding a TopN Report
Click on the Add button to list the aggregation reports of TopN. Check the needed
reports and then click on the Add button to create the TopN reports of the server
farm. In addition, users can redefine the fields, Name, TopN # and Status, when adding
a TopN Report.
Figure 3.3.8-4 System Admin / Network / Server -- Adding TopN Report to the Server-farm
69
Editing a TopN Report

Click on the Edit button to modify the specified TopN entries. Users can edit these
fields, Name, TopN # and Status, and then click on the Edit button when completing
the modification.
Delete a TopN Report
Click on the Delete to list the specified TopN entries. Check the TopN entries that
users want to delete and then click on the Delete button to delete them.
7. Remarks: Enter additional information for the server-farm in the Remarks field.
To edit a server-farm
Click on icon to enter the Edit Server-farm window. (See Figure 3.3.8-5)
Figure 3.3.8-5 System Admin / Network / Server -- Edit Server-farm Window

(Please refer to the previous To add a server-farm section for the following steps of your
modification.)
To delete a server-farm
2. Click on Submit button to remove the configuration from the system.
70
To view the profile of a server-farm

The detail information of the Server-farm can be reviewed.
Figure 3.3.8-6 System Admin / Network / Server -- View Server-farm Window

1. Click on an ID or Name to enter the View Server-farm window.
2. Click on Back to List button to return to the Server Management window.
71
3.3.9
MSP Customer
MSP Customer menu allows users to manage MSP customers, to specify the boundary template, to
configure the MSP user account, and set privilege template for user account. After clicking on the MSP
Customer menu displayed under the Sub Menu tree of System Admin/Network at the left side of the
screen, users will enter the MSP Customer Management window (the default-entered window) and
see its sub-menu tabs, MSP Customer, Boundary Template, MSP User Account, and Privilege
Template. (See Figure 3.3.9-1) The following sections are going to introduce how to configure MSP
customer, how to define the boundary template, how to manage MSP user account, and how to
specify the privilege template.
Note
This function will not show when the system does not support the MSP module (value-added
function).
3.3.9.1
MSP Customer
Users can specify the MSP customers to a MSP server, and assign the MSP user with the
administrator privilege, can log into the MSP server to view/manage its traffic reports.
After clicking on MSP Customer menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, a page with the MSP Customer Management title will be shown (see the
figure 3.3.9-1).
Note
A searching function and page-control buttons are provided and the detail descriptions please refer to
the Sub-Network sub-menu of System Admin/Network function.
Figure 3.3.9-1 System Admin/Network/MSP Customer -- MSP Customer Management Window
72
To add a MSP Customer

Click on Add button at the top of the MSP Customer view list to enter the Add MSP Customer
Management window (see the figure 3.3.9-2). Users can add up to 100 MSP Customers for each
Collector registered in the system. It is allowed to add up to 1000 MSP Customers to the system.
Figure 3.3.9-2 System Admin/Network/MSP Customer/MSP Customer Adding MSP Customer

Window
1. Name: Enter the name of the MSP Customer in the Name field.
This name must be unique in the system. The number of inputted characters must be between
2 and 40. All characters are accepted except space and special characters
(!@#$%^&<>?...).
2. MSP Server: select the MSP Server to which the customer belongs.
3. CIDR: Enter all IP addresses to define the MSP Customer with IP prefixes (CIDR) or IP
ranges in the CIDR text box.
You can enter either IP prefixes or IP ranges with permit or deny keyword. If you do not specify
permit or deny keyword, the IP prefix or range will be considered as Permit. The sequence
does matter and works like an ACL. You can enter one IP address prefix in a line (use Enter
key to create different lines) or separate multi-prefixes with commas. The maximum number of
prefixes can be up to 200.
73
4. Define the Boundary Routers of the MSP customer.

You can use the existing boundary templates or manually define a new one right away by
clicking on the radio button.
If you use the existing boundary templates, please select a template from the Use
Boundary Template drop-down list. The templates defined in the Boundary Template
function of MSP Customer in the System Admin/Network function.
If you want to define a new one, please click on Define button (will be selectable after
clicking on the Defined radio button) to start the configuration. You will see the Add MSP
Customer window pops up. (See Figure 3.3.9-3) After selecting the Collector, and checking
routers, you click on Add button to add the boundary routers to the text box. After you
finish adding boundary routers, you click on the Submit button and the set routers you
added will form the boundary of this MSP customer.
Figure 3.3.9-3 System Admin/Network/MSP Customer/MSP Customer -- Add Boundary Routers

Window
5. Select the Anomaly Detection features for the configured Customer.
There are Anomaly Detection modules here, Traffic Anomaly Detection and DDoS and Worm
Detection modules. Traffic Anomaly Detection is divided into two parts: Incoming and Outgoing.
You can individually configure them in two different directions (Incoming & Outgoing).
Configurations are as follows:

Traffic Anomaly Detection:
Incoming: select one traffic anomaly baseline template (Default is Disabled).
Outgoing: select one traffic anomaly baseline template (Default is Disabled).

DDoS and Worm Detection:

Anomaly Detection: select Enabled or Disabled (Default is Enabled).
Users can reset the action for each detection via click on the Advance button and
click on Submit button to complete the modification. When users disable DDoS and
Worm Detection, the detection of Protocol-Misused anomalies and Application
anomalies will not work.
6. Administrator User Account: set the account with the administrator role for the MSP
customer. This account can manage the system profiles on the portal site of the MSP Server.
The asterisk "" indicates a mandatory field. The descriptions of fields please refer to the
Local User Account function in the System Admin/User menu. Except the Notification for
Anomalies field is different, others fields are the same. The factory default of Notification for
Anomalies is Enabled.
7. Enter additional information for the MSP Customer in the Remarks field.
74
To edit a MSP Customer

Click on icon to enter the Edit MSP Customer window.
(Please refer to the previous To add a MSP Customer section for the following steps of your
modification.)
To delete a MSP Customer

2. Click on Submit button to remove the MSP Customer from the system.
To view the profile of a MSP Customer

The detail information of the MSP Customer can be reviewed.
1. Click on an ID or Name to enter the View MSP Customer Management window.
pointed ID/Name will turn into blue. Besides, users can click on Advance button to view
detailed configurations of DDoS and Worm Detection in the View MSP Customer window.
2. Click on Back to List button to return to the MSP Customer Management window.
3.3.9.2
Boundary Template
Click on the Boundary Template tab to define the routers to a boundary template used in MSP
Customer function in System Admin/Network/MSP Customer. After clicking on Boundary
Template tab, a page with the MSP Customer Boundary Template Management title will be
shown (see the figure 3.3.9-4). The following sections will introduce how to add, edit, delete, and
view the routers in a boundary template.
Figure 3.3.9-4 System Admin/Network/MSP Customer/ MSP Customer Boundary Template

Management Window
To add a Boundary Template

Click on Add button at the top of the Boundary Template view list to enter the Add MSP
Customer Boundary Template window in System Admin/Network/MSP Customer (see the
figure 3.3.9-5).
75
Figure 3.3.9-5 System Admin/Network/MSP Customer/Boundary Template Adding MSP

Customer Boundary Template Window
1. Name: Enter the name of the Boundary Template in the Name field.
This name must be unique in the system. The number of inputted characters must be between
2 and 40. All characters are accepted except space and special characters (!@#$%^&<>?...).
2. Boundary Routers: select the collector from the dropped-down list and its related routers lists
below. Check the router and click on << Add button to add the router to the Boundary
Routers text box. Multiple routers can be added in to the text box. Using Remove>> button
to remove the added configuration from the text box.
3. Click on the Submit button to complete the configuration.
To edit a Boundary Template

Click on icon to enter the Edit MSP Customer Boundary Template window.
(Please refer to the previous To add a Boundary Template section for the following steps of your
modification.)
To delete a Boundary Template

A Delete page with detailed configuration will be shown. Note that if the boundary template you
are deleting has applied to any configurations, the system will not allow you to delete it and the
Submit button will be unavailable. You have to change the applied configurations to another
boundary template before you delete this boundary template.
2. Click on Submit button to remove the boundary template from the system.
To view the profile of a Boundary Template

The detail information of the Boundary Template can be reviewed.
1. Click on an ID or Name to enter the View Boundary Template window.
pointed ID/Name will turn into blue. The Applied block area shows the information of MSP
Customer to which this viewed Boundary Template applied.
2. Click on Back to List button to return to the Boundary Template Management window.
76
3.3.9.3
MSP User Account
Click on MSP User Account tab to enter the MSP User Account Management window (see the figure
3.3.9-6). The MSP User Account management window lists all MSP user accounts specified to all
MSP collectors.
Note
1.
The account with the privilege template, Customer Admin, is specified in the MSP Customer
function of System Admin / Network / MSP Customer menu in the Controller system, but
the account with other privileges, such as Customer Superuser or Customer Viewer, are set
in the specified MSP Server by its admin account.
2.
The access authority of Privilege template is defined in Privilege Template function in the
System Admin/ Network / MSP Customer menu in the Controller system.
Figure 3.3.9-6 System Admin/Network/MSP Customer/MSP User Account MSP User Account
Window
3.3.9.4
Privilege Template
Users can edit, or view a privilege template and specify authorized functions for the privilege
template. Click on the Privilege Template tab to enter the Privilege Template window. (As shown in
Figure 3.3.9-7)
Figure 3.3.9-7 System Admin/Network/MSP Customer/Privilege Template -- Privilege Template

Management Window
77
To edit a user privilege Template

There are three default types of privilege templates, Customer Admin, Customer Superuser and
Customer Viewer, for users to modify.
Figure 3.3.9-8 System Admin / Network/ MSP Customer / Privilege Template -- Edit User Privilege
Template Window
1. Click on the icon to modify the information in the privilege template.
A page with Edit User Privilege Template will show. (As presented in Figure 3.3.9-8)
2. Change the authorization of the system functions by checking the box.
Note
The user accounts who are assigned to this privilege template will list in the Applied table
below.
To view a user privilege template

Users can view the privilege template information in detail.
1. Click on a privilege template No. or name to enter the View User Privilege Template window.
When you move the cursor to the name listed in the ID or Name column, the color of the
2. Click on Back to List button to return to the User Privilege Template window.
78
3.3.10 Filter
Filter menu allows users to manage Factors and Filters, which are two significant elements used
to implement the Rule-based report. Factors can be basic building components used in an
expression inside a Filter. Filters are basic units which allow users to locate traffic to analyze.
Through Factors and Filters, users can analyze traffic elastically to make up the deficiency of
pre-defined reports.
After clicking on Filter menu displayed on the Sub Menu tree of System Admin/Network at the
left side of the screen, the Factor Management window (the default entered window) will be
shown. Users can see sub-menu tabs, Factor and Filter, appearing above the screen. (See
Figure 3.3.10-1)
Figure 3.3.10-1 System Admin / Network / Filter / Factor Management Window
3.3.10.1
Factor
Once you click on Filter menu, you will directly enter the Factor Management window. There are
categories of Factors: one is System Factor like Home network, Sub-Network entities, and
applications already defined in the system; another is User-defined Factor. The following
sections are going to introduce how to add, edit, and delete a Factor, and how to view the profile
of a Factor.
Note
1.
2.
3.
A searching function and page-control buttons are provided. Please refer to the Note
descriptions in Sub-Network sub menu of Network function for the operation.
The Export button are use for backup the Factor configurations to local host. After
clicking on the Emport button, the download configuration field shows. There are
two file formats, XML Schema and XML Data, to download. However, users have to
perform the CLI command factor encoding in the global configuration mode before
exporting the Factor configurations.
The Import are use for load the Factor configurations from the local host. After
clicking on the Import button, the Upload configuration field shows and users have
to click on the Browser button to select the factor configuration file for uploading.
To add a Factor
Click on Add button at the top of the Factor view list to enter the Add Factor window. (See
Figure 3.3.10-2) There are five different types of user-defined Factors. Each type of them has its
maximum entities in a Controller.
Factor Type
IP Factor
BGP Community Factor
AS Number Factor
AS Path Regular Expression Factor
Application Factor
79
Maximum Entities
1024
256
256
256
256
Figure 3.3.10-2 System Admin / Network / Filter / Factor -- Add Factor Window (IP Factor)
1. Enter the name of the Factor in the Name field.
This name must be unique among Factors in the system. The number of inputted characters
(!@#$%^&<>?...).
2. Input additional information in the Remarks field if desired.
3. Select IP, BGP Community, AS Number, AS Path or Application from the Type drop-down list for the
Factor.
The default type is IP. If you select the BGP Community/AS Number/AS Path /Application type,
the screen will be transferred to another window for configuring the IP/BGP Community/AS
Number/AS Path. (See Figure 3.3.10-3 / Figure 3.3.10-4/ Figure 3.3.10-5 / Figure 3.3.10-6)
Figure 3.3.10-3 System Admin / Network / Filter / Factor -- Add Factor Window (BGP Community
Factor)
80
Figure 3.3.10-4 System Admin / Network / Filter / Factor -- Add Factor Window (AS Number Factor)
Figure 3.3.10-5 System Admin / Network / Filter / Factor -- Add Factor Window (AS Path Factor)
Figure 3.3.10-6 System Admin / Network / Filter / Factor -- Add Factor Window (Application Factor)
81
4. Enter all IP addresses to define the IP Factor with IP prefixes (CIDR) or IP ranges in the IP
text box if you select the IP type on Step 3.
You can enter either IP prefixes or IP ranges with permit or deny keyword. If you do not specify
permit or deny keyword, the IP prefix or range will be considered as Permit. The sequence
does matter and works like an ACL. You can enter one IP address prefix in a line (use Enter
key to create different lines) or separate multi-prefixes with commas. The maximum # of
prefixes in one Factor can be up to 128.
Enter the BGP community to define the BGP community Factor in the BGP Community
String text box if you select the BGP Community type on Step 3.
You can define the Factor with one BGP community with wildcards. A BGP community string
consists of two token sets, separated by a colon :, and must be cascaded together without
space or tab in between. A token set includes 5 digits from 0 to 9 and three types of token
expressions are supported: digital token, ? token, and [] token.
A ? token represents one digit with any value from 0 to 9, e.g. 21829:1290? means from
21829:12900 to 21829:12909;
A [] token represents a container that can hold up to 10 digits. A digit matched any digit
inside the token, this token is matched, e.g. 23910:391[0 2]4 means 23910:39104 and
23910:39124.
The 0 digit can be skipped if they do not affect the value, for example, 00023:12802 can be
replaced by 23:12802. The total length of a BGP community-with-wildcard string is up to 120
characters.
Enter all AS numbers to define the AS Number factor in the AS Number text box if you
select the AS Number type on Step 3.
They are not allowed to be duplicable. Both singular AS number and successive range are
acceptable. You can enter up to 40 elements of AS numbers (separated by commas; and
between 1 and 65535) in a factor.
Enter the AS path to define the AS path Factor in the AS Path text box if you select the AS
Path type on Step 3.
You can define the Factor with one AS path regular expression. An AS path regular expression
is used for displaying BGP routes by a list of AS numbers (concatenating one or more AS
numbers). Three types of token expressions are supported by the system: digital token, *
token, and [] token; and a space character is needed between every AS number and */[]
token.
A * token represents zero or multiple AS numbers, i.e. 32 * 123 means any AS path with
Peer ASN 32 and Origin ASN 123;
A [] token represents a union relationship between all the AS numbers inside []. Once an
AS number in the AS path in the specified location equals any one AS number in the
union-ship, this token is considered matched, e.g. [13 439 302] * means any AS path with
Peer ASN 13,439 or 302.
The total length of the AS path regular expression string can be up to 200 characters.
Specify applications and channel numbers to define the application Factor in the text box if
you select the Application type on Step 3.
You can select an application via using the Application drop-down list or clicking on Browse
button (Please refer to the Browse Helper part in Snapshot for details. They have the same
operation.). After selecting the application, you also have to select its channel number from the
Channel No. drop-down list and then click on Add button to add the selected application
and channel number into the text box. The combination of an application and a channel
number is called an application definition. Up to 16 entries of application definitions can be
added into one application Factor. Note that the * symbol represents all channels. Once the
* is added, any other channel with the same application will unable to be added into the text
box. You can delete an added application definition entry or all from the text box by using
Remove One or Remove All button.
82
To edit a Factor
Click on icon to enter the Edit Factor window. (See Figure 3.3.10-7)
Figure 3.3.10-7 System Admin / Network / Filter / Factor -- Edit Factor Window
(Please refer to the previous To add a Factor section for the following steps of your
modification.)
To delete a Factor
A Delete page with detailed configuration will be shown. Note that if the Factor you are
another Factor before you delete this Factor.
2. Click on Submit button to remove the Factor from the system.
83
To view the profile of a Factor

The detail information of the Factor can be reviewed.
Figure 3.3.10-8 System Admin / Network / Filter / Factor -- View Factor Window
1. Click on an ID or Name to enter the View Factor window.
pointed ID/Name will turn into blue. The Applied block area shows the information of Filters to
which this viewed Factor applied.
2. Click on Back to List button to return to the Factor Management window.
3.3.10.2
Filter
Click on Filter sub-menu tab of Filter to enter the Filter Management window (See Figure
3.3.10-9). The latest added Filter will be displayed at the first row of the list. The following
sections are going to introduce how to add, edit, and delete a Filter, and how to view the profile
of a Filter.
Note
Figure 3.3.10-9 System Admin / Network / Filter / Filter Management Window

84
To add a Filter
Click on Add button at the top of the Filter view list to enter the Add Filter window. (See Figure
3.3.10-10)
Figure 3.3.10-10 System Admin / Network / Filter / Filter -- Add Filter Window
1. Enter the name of the Filter in the Filter Name field.
This name must be unique among Filters in the system. The number of inputted characters
(!@#$%^&<>?...).
2. Specify the traffic scope for analysis.
First, select a network scope type from the Scope drop-down list and then specify a network
entity from another drop-down list. There are several types of network scopes to select and
the drop-down list of network entity will display different network entities according to different
network scope types selected, except the ANY and Home (they has no need to specify a
network entity). The supported boundary scope includes Internet, and Sub-network
boundaries. The inspected traffic will be restricted by the specified traffic scope (i.e. only traffic
flows belong to the scope specified will be inspected by the traffic analysis of Filter). A Browse
function is provided here. Please refer to Browse Helper part in Snapshot for details.
3. The drop-down list shows the IPv4 and there is no other parameter for select.
4. Select Disabled or Enabled from the Status drop-down list.
This function allows you to flexibly activate or inactivate the Filter in any time of need. Once
you select to disable the Filter, all traffic reports and applied scope related to this Filter will be
unavailable, including its TopN reports configured.
6. Configure expressions for constructing the Filter.
Expressions are basic elements internal the Filter and used to sift traffic flows. In other words,
they are sort of criteria configured in the Filter. Totally, up to 2048 expressions are allowed to
configure in the system. This step will introduce how to add, edit, delete, and view an
expression.
85
To add an expression
Click on Add button above the Expression table list to open the Add Filter Expression
Figure 3.3.10-11 System Admin / Network / Filter / Filter -- Add Filter Expression Window
No.: select a number from the No. drop-down list for the sequence of expression
configured. The number you select is the sequence of the created expression among
all expressions. You do not have choice for the first created expression since it does
not have sequence issue. Only when the second expression and upward are creating,
the system will allow you to decide their sequence. The rule to match multiple
expressions in a Filter is First Match in the Sequence.
Matching Rule: select to permit or deny the expression from the Matching Rule
drop-down list. The default value is Permit.
The following is provided to define expressions.
Src. IP: available selections for source IP address have Home, a sub-network, an IP
Factor, and a BGP community Factor. Select Home from the Src. IP drop-down list or
click on Browse button next to the drop-down list to select a Factor, or a
sub-network. Specify the source IP by clicking on the radio and Submit buttons
(Destination IP can be selected at the same time through the Browse button). You
can refer to Browse Helper part in Snapshot for further operation.
Dst. IP: same as Src. IP. Please refer to its description above.
86
Src. AS Path: select an AS Path Factor for source AS path from the Src. AS Path
drop-down list. All AS Path Factors configured in the system will be displayed here.
Dst. AS Path: same as Src. AS Path. Please refer to its description above.
Src. Application: select an application or an Application Factor from the Src.
Application drop-down list. All applications defined and Application Factors configured
will be displayed here. Or click on Browse button next to the drop-down list to
select the source application by clicking on the radio and Submit buttons
(Destination application can be selected at the same time through the Browse
button). You can refer to Browse Helper part in Snapshot for further operation.
Dst. Application: same as Src. Application. Please refer to its description above.
Router: select a router from the Router drop-down list. After you selecting a router, the
Input Flow ifIndex and Output Flow ifIndex fields will be available. You can enter flow
ifIndexes directly or click on Browse button next to the fields to select the source
and destination flow ifIndexes by clicking on the radio and Submit buttons.
TOS Value: check on the check box and then the drop-down lists of all values will be
configurable. Select the value for each bit of the TOS field in IP header.
Note
There are three values representing different meanings for users to set, XIgnore,
1Flag On, and 0Flag Off (Ignorethe system will not check this bit value; On :
the system will collect the traffic information about the IP packets with the bit On in
TOS field; Off : the system will collect the traffic information about the IP packets
with the bit Off in TOS field).
TCP Flag: check on the check box and then the drop-down lists of all flags will be
configurable. Select the value for each flag.
Note
There are six types of TCP flags (URG, ACK, PSH, RST, SYN, and FIN in TCP
header) and three values representing different meanings for users to set each flag.
Three values are : XIgnore, 1Flag On, and 0Flag Off (Ignore : the system will
not check this bit value; On : the system will collect the traffic information about the
TCP packets with the bit On in TOS field; Off : the system will collect the traffic
information about the TCP packets with the bit Off in TOS field).
IPv4 Next Hop: enter a next hop IP addresses in the Next Hop field.
IPv4 BGP Next Hop: enter a BGP next hop IP addresses in the BGP Next Hop field.
Avg. Packet Size: select an average packet size from the Avg. Packet Size drop-down
list. The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192,
192-224, 224-256,
256-320, 320-384, 384-448, 448-512, 512-768, 768-1024,
1024-1536, and >1536.

ACL-Based sFlow Flag: select the value shown in the drop down list to the sFlow flag.
Three values representing different meanings for users to set each flag. They are:
XIgnore, 1Flag On, and 0Flag Off.
To edit an expression
Click on a radio button in the Expression table list and press the Edit button above to
open the Edit Filter Expression window. (See Figure 3.3.10-12)
87
Figure 3.3.10-12 System Admin / Network / Filter / Filter -- Edit Filter Expression Window
(Please refer to the previous To add a Filter section for your modification.)
Provide new information to those fields/options that you like to modify and then Click on
Submit button to complete the modification.
To delete an expression
Click on a radio button in the Expression table list and press the Delete button above
to remove the expression from the table list. Once the Delete button is pressed, the
selected expression will be deleted right away.
To view the profile of an expression
Click on a radio button in the Expression table list and press the View button above to
open the View Filter Expression window. (See Figure 3.3.10-13)
Figure 3.3.10-13 System Admin / Network / Filter / Filter -- View Filter Expression Window
The detail information of the expression can be reviewed. Click on Cancel button to
close the View Filter Expression window.
88
7. Enable the traffic report and monitor for the Filter (Optional).
You can choose to enable the traffic report or not to by selecting Enabled or Disabled from
the Report drop-down list located in the Traffic Report and Monitor block area (See Figure
4.64). The default value is Disabled. Once Traffic Report is enabled, the system will generate
traffic reports for the Filter namely the Summary reports in Rule-based Report. If Traffic
Report is not enabled, the system will not generate traffic reports but will still collect the filtered
traffic and save it in database for Snapshots utilization. As soon as you enable Traffic Report,
its monitoring feature will be also available. Select a type of baseline template configured in
the system from the Baseline Template drop-down list next to the Report drop-down list for the
Filter traffic report. If there is any traffic violation, an anomaly will be generated and tracked by
the system. You can enable the anomaly notification for the Filter through the
Preferences/Notification/Filter function of System Admin. In addition, the system can also
provide an opposite direction report contrary to the Filter traffic report. Select Enabled from
the Opposite Direction Report drop-down list and a type of baseline template from the next
Baseline Template drop-down list to generate the opposite direction report if desired.
8. Configure TopN reports of a Filter (Optional).
A TopN report of a Filter is to sort the analyzed traffic results of a specific Filter with
aggregation elements of Source / Destination / Directionless. A configured and enabled TopN
report can be viewed in the TopN Report sub menu of Rule-based Report. Totally, up to 1024
rule-based TopN reports are allowed to configure in the system. This step will introduce how to
add, edit, delete, and view a TopN report of a Filter.
To add a TopN report of a Filter

Click on Add button above the TopN Report table list to open the Add Filter TopN
Figure 3.3.10-14 System Admin / Network / Filter / Filter -- Add Filter TopN Window
Name: input a name for the TopN report. The number of inputted characters must be
(!@#$%^&<>?...).
Status: select Disabled or Enabled from the Status drop-down list. This function
allows you to flexibly activate or inactivate the rule-based TopN report in any time of
need.
Aggregation Keys: select an aggregation element from the text box. The aggregation
elements include such as Source/Destination IP, Source/Destination Protocol/Port,
Application on Source/Destination, TCP Flag, TOS Value, Protocol, Input/Output
Interface, Router, and so on.
Number of Top-N: select a number for the N value of Top-N, that traffic statistics will
be saved into database and will be also displayed in Rule-based reports, from the
Number of Top-N drop-down list. The available selections are 16 (default), 32, 64, 128,
and 256.
89
To edit a TopN report of a Filter

Click on a radio button in the TopN Report table list and press the Edit button above to
open the Edit Filter TopN window. (See Figure 3.3.10-15)
Figure 3.3.10-15 System Admin / Network / Filter / Filter -- Edit Filter TopN Window
(Please refer to the previous To add a TopN report of a Filter section for your
modification.)
Note that the aggregation elements cannot be changed once the TopN report has been
created. You have to create a new one to replace the one whose aggregation elements
you want to change. Provide new information to those fields/options that you like to
modify and then Click on Submit button to complete the modification.
To delete a TopN report of a Filter
Click on a radio button in the TopN Report table list and press the Delete button above
to remove the TopN report from the table list. Once the Delete button is pressed, the
selected TopN report will be deleted right away.
9. Select a Filter from the Total Traffic calculated on Filter drop-down list to replace the calculated
total traffic of the configuring Filters TopN reports. (Optional)
The default value is Self, which means not to replace the calculated total traffic with any
other Filters. If users choose to use other Filters total traffic, each TopNs percentage value
will be derived from the replaced total as divisor. With this function, users can easily utilize two
Filters to customize an integrated report by defining some identical criteria but sieving out
specific traffic to sort. For instance, two Filters A and B are configured with same
expressions (i.e. same network cuts) but one more expression is added to Filter A to sieve
out traffics of specific source ASNs. Therefore, by replacing the calculated total traffic of Filter
A with Filter Bs, users can obtain a TopN report of those specific ASNs, but remain the traffic
percentage as the proportion of defined network cuts.
90
To edit a Filter
Click on icon to enter the Edit Filter window. (See Figure 3.3.10-16)
Figure 3.3.10-16 System Admin / Network / Filter / Filter -- Edit Filter Window
(Please refer to the previous To add a Filter section for the following steps of your
modification.)
Note
Users still can add a new filter via clicking on the button " Save As New Filter " after editing
the filter.
To delete a Filter
2. Click on OK button to remove the Filter from the system.
91
To view the profile of a Filter

The detail information of the Application anomaly can be reviewed.
Figure 3.3.10-17 System Admin / Network / Filter / Filter -- View Filter Window
1. Click on an ID or Name to enter the View Filter window.
2. Click on Back to List button to return to the Filter Management window.
92
3.3.10.3
Filter Batch
Filter Batch function provides users to generate batch filters. Click on Filter Batch sub-menu tab of
Filter to enter the Filter Management window (See Figure 3.3.10-18). The latest added entry will be
displayed at the first row of the list. The following sections are going to introduce how to add, and
delete an entry.
Figure 3.3.10-18 System Admin / Network / Filter / Filter Batch Management window
To Add Batch Filters

Click on Add button at the top of the Filter view list to enter the Batch Add Filter window. (See
Figure 3.3.10-19)
93
Figure 3.3.10-19 System Admin / Network / Filter / Filter Batch Batch Add Filter Window
1. Specify the traffic scope for analysis.

entity from another drop-down list. There are eight types of network scopes to select: Any, Any
(Non-ACL-based sFlow), Home, Neighbor, Sub-network, Server-farm, Boundary and
ACL-based sFlow. The drop-down list of network entity will display different network entities
according to different network scope types selected, except the ANY, Any (Non-ACL-based
sFlow), Home, ACL-based sFlow (they has no need to specify a network entity). The
supported boundary scope includes Internet, and Sub-network boundaries. The inspected
traffic will be restricted by the specified traffic scope (i.e. only traffic flows belong to the scope
specified will be inspected by the traffic analysis of Filter). A Browse function is provided here.
Please refer to Browse Helper part in Snapshot for details.
2. Configure expressions for constructing the Filter.
Expressions are basic elements internal the Filter and used to sift traffic flows. In other words,
they are sort of criteria configured in the Filter and the criteria are configured factors (except its
type is Application Faction) listed in the Available Factors box. Select the available factors and
click on the Add button next to the text box, Factors for the Source IP criteria, to add the
factor as a source criterion. Multiple factors can be selected at the same time. After adding
factors as source criteria, perform the same action to add the factors as the destination
criteria.
3. Specify the direction of Origin ASN for the Origin ASN TopN report of each filter.
Select the direction from the drop down list for Origin ASN TopN report of each filter.
4. Click on the Submit button to complete the configuration.
94
The filters within the factor-crossing will be generated. The generated way of the filter is a
source factor with a destination factor. In other words, when users specified three source
factors and two destination factors to generate batch filters, there will be six filters created.
To Delete Batch Filters

1. Check the box to select one or multiple filters and then click on the Delete button.
2. Click on OK button to remove the Filter from the system.
95
3.3.11 Application
Application menu allows users to organize several services (protocol + port) into an application.
For example, users can define a FTP application which includes ftp-data (20/TCP, 20/UDP) and
ftp (21/TCP, 21/UDP). The application defined here will be used for the Common Attribute
Application reports.
After clicking on Application menu displayed on the Sub Menu tree of System Admin/Network
at the left side of the screen, a page with the Application Management title will be shown (See
Figure 3.3.11-1). Users can see some default applications provided by the system. The
Protocol/Port column is presented with a list box and it allows users to read the data by rolling
the scroll bar. The following sections will introduce how to add, edit, delete, and view an
application.
Note
list. Users can utilize multiple searching filters (ID, Application No., Channel No., Name, Port,
or NPC Application ID) to quickly find out a specific application from plenty of listed
applications. Select a type of searching filter in the Searching drop-down list, input key word
in the for blank, and then click on the Go button.
total pages.
Figure 3.3.11-1 System Admin / Network / Application Management Window
96
To add an application
Click on Add button at the top of the Application view list to enter the Add System Application
Figure 3.3.11-2 System Admin / Network / Application -- Add System Application Window
1. Provide the application name.
There are two ways to decide the application name. You can input a new application name,
which is not defined in the system, in the New Application Name field. Note that the number of
inputted characters must be between 2 and 40. All characters are accepted except space and
special characters (!@#$%^&<>?...). Or you can select an existing application name, from
the Using Application Name drop-down list. Check on the radio boxes to decide which way you
are going to use. The name for the application you are adding is actually a combination. It is
combined with an application name and a channel name.
2. Enter the channel name in the Channel Name field.
The number of inputted characters must be between 0 and 40. All characters are accepted
except special characters (!@#$%^&<>?...). This channel name and the application name
you entered or selected in the previous step will form a combination name, and this
combination name must be unique in the system. The channel name has to be provided but it
can be a blank space once for one application name because the combination of the name
must be unique in the system.
3. Select Enabled or Disabled from the Pre-defined Report drop-down list.
This function allows you to flexibly activate or inactivate the applications in any time of need.
Once you select to disable the applications, the Application traffic analyses of all attribute
reports will not appear the traffic statistics relevant to the disabled applications.
97
4. Enter additional information for the application in the Remarks field (Optional).
5. Enter the application ID defined in the GenieNPC exporter.
Once a GenieNPC application ID configured for identifying an application, GenieATM will try to
classify the Application traffic by matching the application ID information in the flow packets
exported by GenieNPC. The available range is from 1 to 65535.
6. Adding the services (protocol + port) for this application.
Select the protocol by clicking on the radio button, then enter the port number or the message
type/code, and then click on <<Add button to add the services to the text box. You have to
add all services that you desire to the Protocol+Port text box individually. It is allowed to add
up to 32 service combinations to an application. A service combination can be used in different
applications. Using Remove>> or Remove All button to remove the added service from
the text box.
Select a protocol from the drop-down list and click on the radio button to specify the port
number. For adding one port number, you can just select Port Number and enter the
number. You also can enter a port range (continuous port numbers) at one time via selecting
Port Range. For adding a port range, you should enter the first number of the range in the
first field and the last number of the range in the second field.
The system allows you to set the message type and code further for various services of
ICMP. You have to enter the message type and code if ICMP is selected.
7. Enter the IP prefixes/ranges desired (Optional).
GenieATM provides IP prefixes/ranges as an extra criterion to define an application service,
which means the system will classify the traffic by matching both the configured service
(protocol + port) and IP prefixes/ranges. Up to 128 IP prefixes or ranges are supported. You
can enter one IP prefix in a line (use Enter key to create different lines) or separate
multi-prefixes with commas. Please note that the overlaps between the prefixes are not
allowed.
8. Click on Submit button after you finish adding all services to complete the configuration.
To edit an application
Click on icon to enter the Edit System Application window. (See Figure 3.3.11-3)
98
Figure 3.3.11-3 System Admin / Network / Application -- Edit System Application Window
(Please refer to the previous To add an application section for the following steps of your
modification.)
1. Provide new information to those fields/options that you like to modify. Note that you can only
enable or disable the Pre-defined Report function, and modify the IP prefixes/ranges
information for the system built-in applications, but are not allowed to modify their Detail
settings.
To delete an application
A Delete page with detailed configuration will be shown. Note that if the user-defined
application you are deleting has applied to any configurations, the system will not allow you to
delete it and the Submit button will be unavailable. You have to change the applied
configurations to another application before you delete this user-defined application.
2. Click on Submit button to remove the user-defined application from the system.
To view the profile of an application

The detail information of the application can be reviewed (See Figure 3.3.11-4).
Figure 3.3.11-4 System Admin / Network / Application -- View System Application Window
1. Click on an ID or Name to enter the View System Application window.
2. Click on Back to List button to return to the Application Management window.
99
3.3.12 Anomaly
Anomaly menu allows users to manage anomaly signatures, which is used to define the traffic
characteristics of known anomalies. For the purpose of directly locating attacking and infected
hosts, GenieATM adopts host-based anomaly traffic detections to target each host IP address to
collect and analyze anomaly traffic. There are two kinds of anomaly signatures provided here,
Protocol-Misuse Anomaly and Application Anomaly. As implied by the name, the
Protocol-Misuse anomaly signature is used to verify the anomaly traffic that caused by the
misuse of communication protocols and the Application anomaly signature is used to verify the
anomaly traffic that caused by the abnormal applications.
After clicking on Anomaly menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, the Protocol-Misuse Anomaly Management window (the default
entered window) will be shown. Users can see two sub-menu tabs, Protocol-Misuse Anomaly
and Application Anomaly. (See Figure 3.3.12-1)
Figure 3.3.12-1 System Admin / Network / Anomaly / Protocol-Misuse Anomaly Management Window
100
3.3.12.1
Protocol-Misuse Anomaly
Once you click on Anomaly menu, you will directly enter the Protocol-Misuse Anomaly
Management window. There are two parts in the management window. First part is Default for
Home and User-defined Resources which defines default Protocol-Misuse anomalies for the
detection scopes of Home and user-defined resources; second part is Non-Home which
defines Protocol-Misuse anomalies for the detection scopes of those not belonging to Home and
user-defined resources. The information displayed in the Protocol-Misuse Anomaly view list
includes two latency settings (Severity & Recover) and other information for each anomaly (No.,
ID, Name, Status, Event Threshold, and Unit). The Protocol-Misuse anomalies are system
built-in and users are unable to add or delete them. The built-in Protocol-Misuse anomalies of
the system are as follows:
TCP SYN Flooding,
IP Protocol Null,
TCP Flag Null or Misuse,
TCP Fragment,
UDP Fragment,
ICMP Misuse,
Land Attack,
TCP RST Flooding.
UDP Flooding
Host Total Traffic
The following section is going to introduce how to edit Protocol-Misuse anomalies of Default for
Home and User-defined Resources and Non-Home parts.
To edit Protocol-Misuse anomalies for Default for Home and User-defined Resources part
Click on Edit button of the Default for Home and User-defined Resources part to enter the
Edit Protocol-Misuse Anomaly-Default for Home and User-defined Resources window. (See
Figure 3.3.12-2) Note that the configurations here will be default settings of any new-added
user-defined anomaly detection resource (Sub-network) but users can overwrite these default
settings for each individual resource through its management window.
Figure 3.3.12-2 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit

Protocol-Misuse Anomaly-Default for Home and User-defined Resources Window
1. Select a time from the Severity Latency drop-down list.
Severity Latency is a time period parameter used to control when an anomaly severity
becomes RED from YELLOW. Once the detected traffic rate is higher than the event threshold
configured, an anomaly event will be generated with the anomaly severity as YELLOW. If the
detected event maintains in YELLOW level for a period, which is longer than the severity
latency configured, the anomaly severity will become RED. The configurable values are from 2
to 30 (minutes), and Forever (Default is 3 minutes). If the severity latency is configured as
Forever, there will be no RED anomaly.
101
2. Select a time from the Recover Latency drop-down list.

Recover Latency is a time period parameter used to control when an anomaly severity
becomes recovered from YELLOW. When the detected traffic rate is lower than the anomaly
threshold configured and maintains longer than the recover latency, the anomaly status will be
changed to Recovered. Its configurable values are from 2 to 30 (minutes).
3. Select Disabled from the Status drop-down list for a desired anomaly signature.
This function allows you to flexibly activate or inactivate a Protocol-Misuse anomaly in any
time of need. Once you select to disable the anomaly, the system will not verify this type of
anomaly when analyzing the received traffic flows.
4. Modify the Event Threshold value for the desired anomaly.
Input the Event Threshold value (Only integers from 1 to 65535 will be accepted) and also to
select the unit from the Unit drop-down list (pps: packet per second; Kpps: kilopacket per
second; Mpps: megapacket per second; Gpps: gigapacket per second). We recommend you
not to change the default settings for built-in system anomalies unless necessary.
To edit Protocol-Misuse anomalies for Non-Home part

Click on Edit button of the Non-Home part to enter the Edit Protocol-Misuse
Anomaly-Non-Home window. (See Figure 3.3.12-3) Please refer to the To edit
Protocol-Misuse anomalies for Default for User-defined Resources part above for details.
Figure 3.3.12-3 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit

Protocol-Misuse Anomaly-Non-Home Window
3.3.12.2
Application Anomaly
Application Anomaly Detection is designed with a global detection threshold for each application
anomaly, which is different from Protocol-Misuse Anomaly Detection allowing users to overwrite
default settings for each individual resource. In other words, users can overwrite the default
settings of application anomalies and the changes will be applied to all host IP addresses of the
configured detection scope but not for some individual resource. In addition, this function also
provides the latest definition of system application anomaly signatures download from
GenieATM definition update servers.
Click on Application Anomaly sub-menu tab of Anomaly to enter the Application Anomaly
Management window. (See Figure 3.3.12-4) There are three parts displaying in this window,
Anomaly Update, Detection Scope, and Application Anomaly view list. The Anomaly Update part
indicates if there are any new anomalies to update. The Detection Scope part shows the
presently configured detection scope. The latest added application anomaly will be displayed at
the first row of the list. The following sections are going to introduce how to edit detection scope;
how to update system application anomaly signatures; how to add, edit, and delete an
application anomaly, and how to view the profile of an application anomaly.
102
Figure 3.3.12-4 System Admin / Network / Anomaly / Application Anomaly Management Window
Note
There are four built-in Application anomalies in the system: MS Blaster, Sasser, Code Red,
and SQL Slammer. These four system built-in Application anomalies are irremovable from the
system. Only when it is necessary, otherwise, we DO NOT recommend users to modify the
definition of the system built-in Application anomalies.
To Update System Application Anomaly Signatures

GenieATM system provides not only the built-in system application anomaly signatures but also
the remote update function for users to download the newest definition from GenieATM definition
update servers. In the Anomaly Update block area (See Figure 3.3.12-4), you can see a update
information telling any new anomaly definitions available to download or not and two action
buttons, Update and Check , used to do the updating and checking jobs. If the
auto-checking function is enabled (please refer to the Remote Update menu in the Preferences
function), then the system will daily auto check if there is any new update, or you can manually
execute checking job by clicking on Check button. Clicking on Update button to download
the latest system anomaly signature definitions when the system shows there are new
definitions available. The new system anomaly signature definitions will be added into the view
list after downloading and will be effective after a system configuration dispatching is executed.
To edit Application Anomalys Detection Scope

Click on Edit button of the Detection Scope part to enter the Edit Detection Scope window.
Figure 3.3.12-5 System Admin / Network / Anomaly / Application Anomaly -- Edit Detection Scope
Window
1. Check on a radio button to select a desired detection scope.
There are three detection scopes provided, User-defined Resources Only, Home, and Whole
Internet. The User-defined Resources Only scope indicates only user-defined resources in the
system including Sub-Network entity; the Home scope indicates entire Home network; the
Whole Internet scope, as implied by the name, indicate whole Internet. The default setting is
Home.
103
To add an Application anomaly

Click on Add button at the top of the Application Anomaly view list to enter the Add
Application Anomaly window. (See Figure 3.3.12-6)
Figure 3.3.12-6 System Admin / Network / Anomaly / Application Anomaly -- Add Application
Anomaly Window
1. Enter the channel name in the Channel Name field.
It must be provided at least 4 up to 64 characters. All characters are accepted except space
and special characters (!@#$%^&<>?...). Give a channel name that can be easily recognized
which type of traffic attack the Application anomaly is. (Application No. : Channel No.: the
application and channel numbers that the system uses to identify what kinds of the application
and channel are. The application number for a Protocol-Misuse anomaly is 20000.)
2. Select Disabled or Enabled from the Status drop-down list.
This function allows you to flexibly activate or inactivate the Application anomaly in any time of
need. Once you select to disable the anomaly, the system will not verify this type of anomaly
when analyzing the received traffic flows.
4. Specify the Attack Type, Worm or DDoS, form the dropped-down list. If the Attack Type is
set worm and the status is enabled, user can view the worm reports in the Anomaly
Activities/Worm function.
5. Define the following traffic characteristics for the Application anomaly you are configuring.
Number of Packets Per Flow: check on the check box and then the drop-down list of (=, >,
<) will be configurable. Select a comparison sign and input a value of packets for each flow
(Integer and must be greater than 0) in the blank next to the drop-down list.
Number of Bytes Per Flow: check on the check box and then the drop-down list of (=, >, <)
will be configurable. Select a comparison sign and input a value of byte counts for each flow
(Integer and must be greater than 0) in the blank next to the drop-down list.
Number of Bytes Per Packet: check on the check box and then the drop-down list of (=, >,
<) will be configurable. Select a comparison sign and input a value of byte counts for each
packet (Integer and must be greater than 0) in the blank next to the drop-down list.
TCP Flag: check on the check box and then the drop-down lists of all flags will be
configurable. Select the value for each flag.
104
Note
There are six types of TCP flags (URG, ACK, PSH, RST, SYN, and FIN in TCP header)
and three values representing different meanings for users to set each flag. Three values
are : XIgnore, 1Flag On, and 0Flag Off (Ignore : the system will not check this bit
value; On : the system will collect the traffic information about the TCP packets with the
bit On in TOS field; Off : the system will collect the traffic information about the TCP
packets with the bit Off in TOS field).
TOS Value: check on the check box and then the drop-down lists of all values will be
configurable. Select the value for each bit of the TOS field in IP header.
Note
There are three values representing different meanings for users to set, XIgnore,
1Flag On, and 0Flag Off (Ignorethe system will not check this bit value; On : the
system will collect the traffic information about the IP packets with the bit On in TOS field;
Off : the system will collect the traffic information about the IP packets with the bit Off in
TOS field).
Protocol: check on the check box and then the drop-down list of protocol will be
configurable. Select a protocol from the drop-down list. If you select ICMP protocol, you
have to specify its message type and code.
Note
ICMP protocol works with message type and code. An error message will pop up to
remind you that port number is not supported for ICMP.
Port: once you have selected the TCP or UDP protocol in the Protocol characteristic, you
can specify the port numbers. Check on the check box and then this item will be
configurable. Select source or destination, source, or destination from the drop-down list,
and then input the port number in the right-side blank. The value of port number should be
between 0 to 65535. Multiple port numbers are separated by the comma character and
up to 36 port numbers are supported.
Dark IP: check on the check box to enable the Dark IP detection. When the IP address
cannot be found with BGP lookup or is not a private IP address defined in Home Network, it
will be considered as a Dark IP address.
Prefix: check on the check box to enable the IP Blacklist mechanism. This mechanism
allows users to use IP prefixes as one part of criteria to define the signatures of Application
Anomaly for the undesirable traffic from some specific hosts always sending malicious traffic.
Enter desired IP prefixes (Up to 64 prefixes are supported) with CIDR format after checking
on the check box and selecting the destination or source traffic direction. Note that once you
enable this function, the Dark IP check box will not be available.
6. Configure baseline template for the added application anomaly.
The following are items needed to be configured:
Event Threshold: Input the Event Threshold value (Only integers from 1 to 4294967296
will be accepted).
Unit: Select the unit from the drop-down list (bps: bit per second; Kbps: kilobit per second;
Mbps: megabit per second; Gbps: gigabit per second; pps: packet per second; Kpps:
kilopacket per second; Mpps: megapacket per second; Gpps: gigapacket per second).
Severity Latency: Select a time from the drop-down list. Severity Latency is a time period
parameter used to control when an anomaly severity becomes RED from YELLOW. Once
the detected traffic rate is higher than the event threshold configured, an anomaly event will
be generated with the anomaly severity as YELLOW. If the detected event maintains in
YELLOW level for a period, which is longer than the severity latency configured, the
anomaly severity will become RED. The configurable values are from 2 to 30 (minutes), and
Forever (Default is 3 minutes). If the severity latency is configured as Forever, there will be
no RED anomaly.
Recover Latency: Select a time from the drop-down list. Recover Latency is a time period
parameter used to control when an anomaly severity becomes recovered from YELLOW.
When the detected traffic rate is lower than the anomaly threshold configured and maintains
longer than the recover latency, the anomaly status will be changed to Recovered. Its
configurable values are from 2 to 30 (minutes).
105
To edit a Application anomaly

Click on icon to enter the Edit Application Anomaly window. (See Figure 3.3.12-7)
Figure 3.3.12-7 System Admin / Network / Anomaly / Application Anomaly -- Edit Application Anomaly
Window
(Please refer to the previous To add an Application anomaly section for the following steps of
your modification.) For those built-in system application anomalies, we strongly recommend you
not to change default settings unless necessary.
To delete an Application anomaly

2. Click on OK button to remove the Application anomaly from the system.
106
To view the profile of an Application anomaly

The detail information of the Application anomaly can be reviewed.
Figure 3.3.12-8 System Admin / Network / Anomaly / Application Anomaly -- View Application
Anomaly Window
1. Click on an ID or Name to enter the View Application Anomaly window.
2. Click on Back to List button to return to the Application Anomaly management window.
107
3.3.13 Template
Template menu allows users to create reusable templates for baseline and boundary. The
baseline template is for the traffic statistics of link layer, BGP message, anomaly traffic
monitoring, and rule-based Filter traffic; the boundary template is to define the boundary
template that can be applied to sub-networks.
After clicking on Template menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, the Baseline Management window (the default entered window) will
be shown. Users can see the sub-menu tabs, Baseline, Sub-Network Boundary, Server-farm
Boundary and TopN Report appearing above the screen (See Figure 3.3.13-1).
Figure 3.3.13-1 System Admin / Network / Template / Baseline Management Window

3.3.13.1
Baseline Template
Once you click on Template menu, you will directly enter the Baseline Template management
window. The latest added baseline template will be displayed at the first row of the list. The
following sections are going to introduce how to add, edit, and delete a baseline template, and
how to view the profile of a baseline template. There are types of baseline templates, Interface
Traffic, BGP Update Message, Traffic Anomaly - SubNetwork, and Traffic Anomaly Filter and
Router Performance. The system provides some built-in baseline templates, which are
irremovable, but users can add new ones by themselves.
108
To add a baseline template

Click on Add button at the top of the Baseline Template view list to enter the Add Baseline
Template window (See Figure 3.3.13-2).
Figure 3.3.13-2 System Admin / Network / Template / Baseline-- Add Baseline Template Window
(Interface Traffic Type)
1. Select the baseline type from the Type drop-down list.
If you select the Interface Traffic type, please follow step 3 below to configure its thresholds;
if you select the BGP Update Message type, please follow step 4 below to configure its
threshold;
if you select the Traffic Anomaly, please follow step 5 below to configure its thresholds;
if you select the Traffic Anomaly - Filter type, please follow step 6 below to configure its
thresholds.
if you select the Router Performance, please follow step 7 below to configure its thresholds.
Please refer the following descriptions what you need to know before you start to
configure the baseline thresholds.
Auto Learning: only applies to the High Watermark of Traffic Anomaly - Sub-Network, and
Traffic Anomaly - Filter. There are three options available when the traffic anomaly baseline
109
templates threshold is configured as auto. Including:

Initial Learning Period: a time period parameter whose value (N) can be configured from
th
1 day to 30 days (Default is 15 day). The 37 traffic datum of each day within the initial
learning period will be saved as learning baselines. The maximum one of learning baselines
will be used as T1 traffic baseline and T1 multiplied by [1+Tolerance] generates T2 traffic
baseline. These two traffic baselines are used as event thresholds for anomaly detection.
Any traffic datum exceeds T2 will not be saved as daily learning baseline. The values of T1
and T2 may be changed because the learning period shifts according to times moving on.
The following is the system algorithm of triggering anomaly events:
When anomaly traffic exceeds T1 traffic baseline, the system will trigger a GREEN event
(which is an internal event, no alarm will be generated). Once the traffic goes down under
T1 traffic baseline, the triggered GREEN event will be deleted. However, if the traffic goes
up and exceeds T2 traffic baseline, the system will trigger a YELLOW event (at the same
time, an alarm will be generated). The status of YELLOW event will change to GREEN once
the traffic goes down under T1 traffic baseline and lasts a period longer than the configured
recover latency (refer to the Recover Latency description below). Or even more, a RED
event may be triggered once the traffic lasts exceeding T2 traffic baseline for a period longer
than the configured severity latency (refer to the Severity Latency description below). The
RED event will change to GREEN event once the traffic goes down under T2 traffic baseline
but still more than T1 traffic baseline with lasting a period longer than the configured recover
latency, or will just be recovered then the traffic is down to T1 traffic baseline.
Note that all traffic data of anomaly events with YELLOW severity level (or higher) will not be
used for daily learning baselines. The included range of YELLOW event traffic starts from
exceeding T1 traffic baseline and ends at going down to T1 traffic baseline.
Significant Threshold (Optional): a bottom line of the auto anomaly threshold. An attack
will be considered ineffectual when the traffic rate is below the significant threshold
configured and no anomaly event will be generated.
Tolerance: valid value is from 1 to 200 % (Default is 10%). The system uses it to calculate
the T2 traffic baseline of auto learning event threshold. Please refer the description in Initial
Learning Period above.
Fixed: a watermark building method. The system uses the fixed threshold values configured
by users to detect anomalies. Different from the Auto Learning mechanism, the system will
use the fixed event threshold user input as the T2 traffic baseline. When the traffic anomaly
baseline templates threshold is configured as fixed, there will be no T1 traffic baseline since
the fixed threshold does not configure learning period which is an essential element to
generate T1 traffic baseline.
Severity Latency: a time period parameter used to control when an anomaly severity
becomes RED from YELLOW. Once the detected traffic rate is higher than the event
threshold configured, an anomaly event will be generated with the anomaly severity as
YELLOW. If the detected event maintains in YELLOW level for a period, which is longer
than the severity latency configured, the anomaly severity will become RED. The
configurable values are from 1 to 30 (minutes), and Forever. If the severity latency is
configured as Forever, there will be no RED anomaly.
Recover Latency: a time period parameter used to control when an anomaly severity
becomes recovered from YELLOW or RED. When the detected traffic rate is lower than the
event threshold configured and maintains longer than the recover latency configured, the
anomaly status will be changed to Recovered. The values are from 0 to 30 (minutes).
2. Enter the name of the baseline template in the Name field.
except space and special characters (!@#$%^&<>?...).
3. Enter the following thresholds for the baseline if you selected the Interface Traffic type in
step 1. (See Figure 3.3.13-2) The low watermark must be less than the high watermark if both
of them are enabled.
Throughput: select Enabled from the High/Low Watermark drop-down list if you want to
perform the High/Low Watermark checking by traffic throughput. Once Enabled is selected,
you have to input the Event Threshold value (Only integers from 1 to 4294967296 will be
accepted) and also to select the unit from the Unit drop-down list (bps: bits per second;
Kbps: kilobits per second; Mbps: megabits per second; Gbps: gigabits per second). You
110
should also set the severity & recover latencies for the Throughput thresholds by selecting
the time periods (Default is 5 minutes) respectively from the Severity & Recover Latency
drop-down lists.
Packets: select Enabled from the High/Low Watermark drop-down list if you want to
perform the High/Low Watermark checking by packet rates. Once Enabled is selected, you
have to input the Event Threshold value (Only integers from 1 to 4294967296 will be
accepted) and also to select the unit from the Unit drop-down list (pps: packets per second;
Kpps: kilo-packets per second; Mbps: mega-packets per second; Gbps: giga-packets per
second). You should also set the severity & recover latencies for the Packets thresholds by
selecting the time periods (Default is 5 minutes) respectively from the Severity & Recover
Latency drop-down lists.
Interface Utilization: select Enabled from the High/Low Watermark drop-down list if you
want to perform the High/Low Watermark checking by interface link utilization. Once
Enabled is selected, you have to input the Event Threshold value (Only values from
0.0001 to 100 will be accepted) and the unit is percentage (%). You should also set the
severity & recover latencies for the Interface Utilization thresholds by selecting the time
periods (Default is 5 minutes) respectively from the Severity & Recover Latency drop-down
lists.
(CRC)Errors: select Enabled from the High Watermark drop-down list if you want to
perform the High Watermark checking by CRC error. Once Enabled is selected, you have
to input the Event Threshold value and the unit is counts per 5 minutes. You should also set
the severity & recover latencies for the (CRC) Errors thresholds by selecting the time
periods (Default is 5 minutes) respectively from the Severity & Recover Latency drop-down
lists.
Discards: select Enabled from the High Watermark drop-down list if you want to perform
the High Watermark checking by discard packet. Once Enabled is selected, you have to
input the Event Threshold value and the unit is counts per 5 minutes. You should also set
the severity & recover latencies for the Discards thresholds by selecting the time periods
(Default is 5 minutes) respectively from the Severity & Recover Latency drop-down lists.
Percentage of Multicast + Broadcast: select Enabled from the High Watermark
drop-down list if you want to perform the High Watermark checking by Multicast + Broadcast
packet # percentage. Once Enabled is selected, you have to input the Event Threshold
value (Only values from 0.0001 to 100 will be accepted) and the unit is percentage (%). You
should also set the severity & recover latencies for the Percentage of Multicast + Broadcast
thresholds by selecting the time periods (Default is 5 minutes) respectively from the Severity
& Recover Latency drop-down lists.
4. Enter the following thresholds for the baseline if you selected the BGP Update Message type
in step 1 (See Figure 3.3.13-3).
BGP update message: enter the High Watermark value as the no. of BGP update
message received per 5 minutes.
(BGP Update Message Type)
111
5. Select the learning period and enter the following thresholds for the baseline if you selected
the Traffic Anomaly type in step 1. (See Figure 3.3.13-4) The low watermark must be less
than the high watermark if both of them are enabled.
Initial Learning Period: select a time period (1 to 30 days) from the Initial Learning Period
drop-down list (Default is 15 days) if any high watermark of anomaly threshold of BPS or
PPS is configured as auto. For each Anomaly type, the learning period applies to its all
anomaly thresholds.
BPS (bits per second): select Enabled from the High/Low Watermark drop-down list if
you want to perform the High/Low Watermark checking by BPS. There are some differences
between configuring High Watermark and Low Watermark. For High Watermark, you will
need to choose either Auto or Fixed method for anomaly detection. Once Fixed is
selected, you have to input the Event Threshold value (Only integers from 1 to 4294967296
will be accepted) and also to select the unit from the Unit drop-down list (bps: bit per second;
Kbps: kilobit per second; Mbps: megabit per second; Gbps: gigabit per second). If you
select Auto, you do not need to input the Event Threshold value but can choose to input a
Significant Threshold value or not (Optional). For Low Watermark, Auto and Significant
Threshold Value are unavailable. No matter High or Low Watermark is enabled, you should
set the severity & recover latencies for the BPS thresholds by selecting the time periods
Input the Tolerance value if the Auto method of High Watermark is enabled.
PPS (packets per second): select Enabled from the High/Low Watermark drop-down list
if you want to perform the High/Low Watermark checking by PPS. There are some
differences between configuring High Watermark and Low Watermark. For High Watermark,
you will need to choose either Auto or Fixed method for anomaly detection. Once Fixed
is selected, you have to input the Event Threshold value (Only integers from 1 to
4294967296 will be accepted) and also to select the unit from the Unit drop-down list (pps:
packet per second; Kpps: kilo-packet per second; Mbps: mega-packet per second; Gbps:
giga-packet per second). If you select Auto, you do not need to input the Event Threshold
value but can choose to input a Significant Threshold value or not (Optional). For Low
Watermark, Auto and Significant Threshold Value are unavailable. No matter High or Low
Watermark is enabled, you should set the severity & recover latencies for the BPS
& Recover Latency drop-down lists. Input the Tolerance value if the Auto method of High
Watermark is enabled.
112
(Traffic Anomaly Type)
the Traffic Anomaly - Filter type in step 1. (See Figure 3.3.13-5) The low watermark must be
less than the high watermark if both of them are enabled.
Initial Learning Period: select a time period (1 to 30 days) from the Initial Learning Period
drop-down list (Default is 15 days) if any high watermark of anomaly threshold of BPS, PPS,
or FPS is configured as auto. For each Anomaly type, the learning period applies to its all
anomaly thresholds.
BPS (bits per second): select Enabled from the High/Low Watermark drop-down list if
you want to perform the High/Low Watermark checking by BPS. There are some differences
will be accepted) and also to select the unit from the Unit drop-down list (bps: bit per second;
Kbps: kilobit per second; Mbps: megabit per second; Gbps: gigabit per second). If you
select Auto, you do not need to input the Event Threshold value but can choose to input a
Significant Threshold value or not (Optional). For Low Watermark, Auto and Significant
Threshold Value are unavailable. No matter High or Low Watermark is enabled, you should
set the severity & recover latencies for the BPS thresholds by selecting the time periods
Input the Tolerance value if the Auto method of High Watermark is enabled.
PPS (packets per second): select Enabled from the High/Low Watermark drop-down list
if you want to perform the High/Low Watermark checking by PPS. There are some
differences between configuring High Watermark and Low Watermark. For High Watermark,
you will need to choose either Auto or Fixed method for anomaly detection. Once Fixed
is selected, you have to input the Event Threshold value (Only integers from 1 to
4294967296 will be accepted) and also to select the unit from the Unit drop-down list (pps:
packet per second; Kpps: kilo-packet per second; Mbps: mega-packet per second; Gbps:
giga-packet per second). If you select Auto, you do not need to input the Event Threshold
value but can choose to input a Significant Threshold value or not (Optional). For Low
Watermark, Auto and Significant Threshold Value are unavailable. No matter High or Low
Watermark is enabled, you should set the severity & recover latencies for the BPS
& Recover Latency drop-down lists. Input the Tolerance value if the Auto method of High
Watermark is enabled.
113
FPS (flows per second): select Enabled from the High/Low Watermark drop-down list if
you want to perform the High/Low Watermark checking by FPS. There are some differences
will be accepted) and also to select the unit from the Unit drop-down list (fps: flow per
second; Kpps: kilo-flow per second; Mbps: mega-flow per second; Gbps: giga-flow per
second). If you select Auto, you do not need to input the Event Threshold value but can
choose to input a Significant Threshold value or not (Optional). For Low Watermark, Auto
and Significant Threshold Value are unavailable. No matter High or Low Watermark is
enabled, you should set the severity & recover latencies for the BPS thresholds by selecting
the time periods (Default is 3 minutes) respectively from the Severity & Recover Latency
drop-down lists. Input the Tolerance value if the Auto method of High Watermark is
enabled.
(Traffic Anomaly - Filter Type)
the Router Performance type in step 1 (See Figure 3.3.13-6). The low watermark must be
less than the high watermark if both of them are enabled.
CPU: select Enabled from the High Watermark drop-down list if you want to perform the High
Watermark checking by usage percentage.
Memory: select Enabled from the High Watermark drop-down list if you want to perform the
High Watermark checking by usage percentage.
114
(Router Performance)
8. Click on Submit button to complete the configuration and then the screen will show you the
settings. You can click on Back to List button to go back to the Baseline Template view list.
To edit a baseline template

Click on icon to enter the Edit Baseline Template window (See Figure 3.3.13-7).
Figure 3.3.13-7 System Admin / Network / Template / Baseline -- Edit Baseline Template Window
115
(Please refer to the previous To add a baseline template section for the following steps of
your modification.)
To delete a baseline template

A Delete page with detailed configuration will be shown. Note that if the baseline template you
are deleting has applied to any configurations, the system will not allow you to delete it and the
another baseline before you delete this baseline template.
2. Click on Submit button to remove the baseline template from the system.
To view the profile of a baseline

The detail information of the baseline can be reviewed. (See Figure 3.3.13-8)
Figure 3.3.13-8 System Admin / Network / Template / Baseline -- View Baseline Template Window
1. Click on an ID or Name to enter the View Baseline Template window.
When you move the cursor to the ID/Name listed in the ID/ Name column, the color of the
pointed ID/Name will turn into blue. The Applied table displays all anomaly signatures to which
the viewed baseline template is applied.
2. Click on Back to List button to return to the Baseline Template management window.
116
3.3.13.2
Sub-Network Boundary
Click on Sub-Network Boundary sub-menu tab of Template to enter the Sub-Network

Boundary Template management window (See Figure 3.3.13-9). The latest added boundary
template will be displayed at the first row of the list. The following sections are going to introduce
how to add, edit, and delete a sub-network boundary template, and how to view the profile of a
sub-network boundary template.
Figure 3.3.13-9 System Admin / Network / Template / Sub-Network Boundary Template Management
Window
To add a sub-network boundary template

Click on Add button at the top of the Sub-Network Boundary Template view list to enter the
Add Sub-Network Boundary Template window. (See Figure 3.3.13-10)
Figure 3.3.13-10 System Admin / Network / Template / Sub-Network Boundary -- Add Sub-Network
Boundary Template Window
1. Enter the name of the sub-network boundary template in the Name field.
117

shown in this Router drop-down list.
All interfaces belong to the router you selected will be shown in this Interface drop-down list. In
addition, users still can add the interface via clicking on the Browse button.
5. Select the traffic direction from the drop-down list.
There are three options: Input, Output, and Both. (Please refer to descriptions on the Step4s
note of To add a sub-network.)
6. Click on <<Add button to add the link (one by one) to the Boundary Links text box.
Up to 640 links could be added into a Sub-Network Boundary. You can use Remove>> or
Remove All button to remove one link or all of them from the text box.
7. Click on Submit button to complete the configuration after you finished adding links.
To edit a sub-network boundary template

Click on icon to enter the Edit Sub-Network Boundary Template window. (See Figure
3.3.13-11)
Figure 3.3.13-11 System Admin / Network / Template / Sub-Network Boundary -- Edit Sub-Network
(Please refer to the previous To add a sub-network boundary template section for the following
steps of your modification.)
Note
Users still can add a new sub-network boundary via clicking on the button
" Save As New Boundary " after editing the sub-network boundary.
118
To delete a sub-network boundary template

A Delete page with detailed configuration will be shown. Note that if the sub-network boundary
template you are deleting has applied to any configurations, the system will not allow you to
configurations to another sub-network boundary before you delete this sub-network boundary
template.
2. Click on Submit button to remove the sub-network boundary template from the system.
To view the profile of a sub-network boundary template

The detail information of the sub-network boundary can be reviewed.
Figure 3.3.13-12 System Admin / Network / Template / Sub-Network Boundary -- View Sub-Network
1. Click on an ID or Name to enter the View Sub-Network Boundary Template window.
pointed ID/Name will turn into blue. The Applied table displays all sub-network entities to
which the viewed sub-network boundary template is applied.
2. Click on Back to List button to return to the Sub-Network Boundary Template
management window.
119
3.3.13.3
Server-farm Boundary
Click on Server-farm boundary sub-menu tab of Template to enter the Server-farm boundary
Template management window (See Figure 3.3.13-13). The latest added boundary template will
be displayed at the first row of the list. The following sections are going to introduce how to add,
edit, and delete a server-farm boundary template, and how to view the profile of a server-farm
boundary template.
Figure 3.3.13-13 System Admin / Network / Template / Server-farm boundary Template Management
Window
To add a server-farm boundary template

Click on Add button at the top of the Server-farm boundary Template view list to enter the
Add Server-farm boundary Template window (See Figure 3.3.13-14).
Figure 3.3.13-14 System Admin / Network / Template / Server-farm boundary -- Add Server-farm
boundary Template Window
1. Enter the name of the server-farm boundary template in the Name field.
120

shown in this Router drop-down list.
All interfaces belong to the router you selected will be shown in this Interface drop-down list. In
addition, users still can add the interface via clicking on the Browse button.
5. Select the traffic direction displayed in the drop-down list.
There are three types of directions for select and they are Both, Input and Output.
6. Click on <<Add button to add the link (one by one) to the Boundary Links text box.
Up to 640 links could be added into a Server-farm boundary. You can use Remove>> or
Remove All button to remove one link or all of them from the text box.
7. Click on Submit button to complete the configuration after you finished adding links.
To edit a server-farm boundary template

Click on
3.3.13-15)
icon to enter the Edit Server-farm boundary Template window. (See Figure
Figure 3.3.13-15 System Admin / Network / Template / Server-farm boundary -- Edit Server-farm
boundary Template Window
(Please refer to the previous To add a server-farm boundary template section for the following
steps of your modification.)
Note
Users still can add a new server-farm boundar y via clicking on the button
" Save As New Boundary " after editing the server-farm boundary.
121
To delete a server-farm boundary template

A Delete page with detailed configuration will be shown. Note that if the server-farm boundary
template you are deleting has applied to any configurations, the system will not allow you to
configurations to another server-farm boundary before you delete this server-farm boundary
template. (Users can view the server-farm boundary template first to get the applied
information.)
2. Click on Submit button to remove the server-farm boundary template from the system.
To view the profile of a server-farm boundary template

The detail information of the server-farm boundary can be reviewed.
Figure 3.3.13-16 System Admin / Network / Template / Server-farm boundary -- View Server-farm
1. Click on an ID or Name to enter the View Server-farm Boundary Template window.
pointed ID/Name will turn into blue. The Applied table displays all Sever entities to which the
viewed server-farm boundary template is applied.
2. Click on Back to List button to return to the Server-farm boundary Template management
window.
3.3.13.4
Server TopN Report
Click on Server TopN Report sub-menu tab of System Admin/Network/Template to enter the
TopN Report Template management window (See Figure 3.3.13-17). The latest added TopN
Report template will be displayed at the first row of the list. The following sections are going to
introduce how to add, edit, and delete a TopN Report template.
Note
The defined TopN Report Templates are shown when users add TopN reports for a creating
Server farm in the System Admin/Network/Server function.
122
Figure 3.3.13-17 System Admin / Network / Template / Server TopN Report -- TopN Report Template
Window
To add a TopN report template

Click on Add button above the TopN Report table list to open the Add Server-farm TopN Report
Template window (See Figure 3.3.13-18).
Figure 3.3.13-18 System Admin / Network / Template / Server TopN Report -- Add Server-farm TopN
Report Template Window
1. Enter the information in all fields: (The asterisk "" indicates a mandatory field.)
Name: input a name for the TopN report. The number of inputted characters must be
(!@#$%^&<>?...).
Status: select Disabled or Enabled from the Status drop-down list. This function allows
you to flexibly activate or inactivate the TopN report of Server farm in any time of need.
Aggregation Keys: select an aggregation element from the text box. The aggregation
elements include Source/Destination IP, Source/Destination Protocol/Port, Application on
Source/Destination, TCP Flag, TOS Value, Protocol, and so on.
Number of Top-N: select a number for the N value of Top-N, that traffic statistics will be
saved into database and will be also displayed in Rule-based reports, from the Number of
Top-N drop-down list. The available selections are 16 (default), 32, 64, 128, and 256.
123
To edit a TopN report template

Click on icon to edit the TopN template. (See Figure 3.3.13-19)
Figure 3.3.13-19 System Admin / Network / Template / Server TopN Report -- Edit Server-farm TopN
Window
(Please refer to the previous To add a TopN report template section for your modification.)
Note that the aggregation elements cannot be changed once the TopN report has been
created. You have to create a new one to replace the one whose aggregation elements
you want to change. Provide new information to those fields/options that you like to modify and
then click on Submit button to complete the modification.
To delete a TopN report template

Click on the icon to remove the TopN report template from the table list. Once the icon is
pressed, the TopN report template will be deleted right away.
124
3.4
Configuration
GenieATM offers configuration backup, dispatching, and restoration, for the configuration settings
of System Admin / Network menu. When users change any settings in all sub functions under the
Network menu (including Home Network, Router, Internet Boundary, Backbone Links, Neighbor,
Sub-Network, Filter, Application, Anomaly, and Template), the changed configuration can be saved
as a record and further downloaded to users computer for backup. Once the users need to restore
this backup configuration, they can upload the backup configuration file to the Controller. However,
one thing that users must know is any saved configuration in the Controller will not have any effect
if it has not been dispatched to Collectors.
Click on Configuration menu displayed on the Sub Menu tree of System Admin at the left side of
the screen to enter the Configuration Management window (As presented at Figure 3.4-1). There
are four parts in the Configuration Management window:
Current Configuration: this part allows users to save the present Network settings as a record
and dispatch it to Collectors. The present Network settings have not taken effect before being
dispatched to Collectors.
Last Dispatched Configuration: this part shows the last version of dispatched configuration
setting and its dispatch status, and allows users to get detail information of last dispatch status.
There are three statuses here could be: Synchronizing -- the Controller is dispatching the
Network configuration to Collectors; Completed -- the Controller has finished all dispatching jobs
to Collectors and all of them were successful; Completed Partially -- the Controller has finished all
dispatching jobs to Collectors but only some of them were successful.
Saved Configuration: this part displays all saved configuration setting records, and allows
users to download / upload the saved configuration to / from a local host, to delete the saved DB
configuration file, and to restore and dispatch the upload.
Status: this part will be displayed above the Saved Configuration view list only when users do
some action. It will show the result or detail information of the taken action.
The following sections will introduce the operation and function of Configuration Management.
Note
Only the user with the authority of administrator or defined by template, superuser, can
access the Configuration menu.
If the home network area or at least one router is not configured (in other words, both of them
must be configured in the system), the system will not allow users to dispatch the system
configuration changed.
Figure 3.4-1 System Admin / Configuration Management Window
125
Saving and dispatching Network configuration

Any changes about the system configuration in all sub functions of the Network menu will take
no effect before the changed configuration has been dispatched to Collectors. This section will
tell users how to save and dispatch the current configuration at the same time or separately.
To save and dispatch Network configuration at the same time
If you have changed some present Network settings and want to save and dispatch it right away,
you can just do the following steps to simply quickly complete the saving and dispatching actions
(See Figure 3.4-2).
1. Click on <<Check>> button between the block areas of Current Configuration and Last
Dispatched Configuration, a Check Status above the Saved Configuration view list will tell you
if the current configuration equals the last dispatched configuration or not (The symbol !=
means not equal).
Usually, it is only necessary for you to save or dispatch the current configuration when it does
not equal the last dispatched configuration.
2. Enter the description for the Network configuration in the Current Configuration field. It will be
an identification of current configuration setting.
3. Click on Dispatch Network Configuration and Save button to execute the saving and
dispatching actions.
Once you click on this button, the Controller will save the current configuration as a record and
dispatch it to all Collectors managed by this Controller. You can see a Synchronizing Status
showing Synchronizing Network Configuration and Save Completed!. The configuration
record saved will be given a version number and displayed in the first row of the Saved
Configuration view list with boldface. The execution of saving the Network configuration will be
completed right away after you click on this button but it will need about 1 minute to complete
the execution of dispatching.
4. Click on Get Synchronizing Status button to check the result of the dispatching for each
Collector.
There are two kinds of the dispatching results and their detail information will be displayed in
the Synchronizing Status area above the Saved Configuration view list:
Completed the dispatching job to the Collector has been successful and completed.
Failure the dispatching job to the Collector failed.
You can get the Collectors synchronized with the current network configuration individually in
the Collector sub menu (under System Admin menu) for the Collector which does not get the
current configuration setting.
Figure 3.4-2 System Admin / Configuration Dispatch Network Configuration and Save Window
126
To save and dispatch Network configuration separately

If you have changed some present Network settings and want to save it right away but to
dispatch it later, you can just do the following steps to separately execute the saving and
dispatching actions.
Saving Network configuration
1. Click on <<Check>> button between the block areas of Current Configuration and Last
Dispatched Configuration, a Check Status will be displayed above the Saved Configuration
view list and will tell you if the current configuration equals the last dispatched configuration or
not.
Usually, it is only necessary for you to save or dispatch the current configuration when it does
not equal the last dispatched configuration.
2. Enter the description for the Network configuration in the Current Configuration field.
3. Click on Save button to save the Network configuration as a record.
The Network configuration record saved will be given a version number and displayed in the
first row of the Saved Configuration view list.
Dispatching Network configuration
1. Select a saved configuration listed in the Saved Configuration view list via clicking on its radio
button.
The highlighted one means the current version running in the system. So, you should select
other saved configuration to dispatch but this one.
2. Click on Restore and Dispatch button.
Once you click on this button, the Controller will dispatch the Network configuration you
selected to all Collectors managed by this Controller. You can see a Synchronizing Status
showing Synchronizing Network Configuration!. It will need about 1 minute to complete
the execution of dispatching.
3. Click on Get Synchronizing Status button to check the result of the dispatching.
There are several kinds of the dispatching results and their detail information will be displayed
in the Synchronizing Status area above the Saved Configuration view list. Please refer to the
last step of To save and dispatch Network configuration at the same time section for
details.
Downloading and uploading Network configuration

In order to provide more flexible backup for Network configurations, GenieATM allows users not
only to save the Network configuration as a record in the Controller but also to download it to
users local hosts for backup. This section will tell users how to download and upload the
Network configuration.
To download Network configuration
1. Select a saved configuration record listed in the Saved Configuration view list via clicking on
its radio button.
2. Click on Download button.
After you click on this button, a File Download dialog box will pop up.
3. Click on Save button in the File Download dialog box.
After you click on this button, a Save As window will pop up to ask you to specify a directory
where to save the Network configuration file.
4. After specifying the directory, you click on Save button in the Save As pop-up window.
The system will save the configuration file under the directory. You will see a Download Status
showing Downloading Configuration version Completed!.
127
To upload Network configuration

1. Click on Upload button.
After you click on this button, an Upload Configuration window will pop up. (See Figure 3.4-3
below)
2. Click on Browse button in the Upload Configuration pop-up window.
After you click on this button, a Choose File window will pop up to ask you to specify the
Network configuration file you want to upload.
3. Click on Open button in the Choose File pop-up window.
Once you specify the Network configuration file and click on this button, the absolute path of
the file will be attached in the File field of the Upload Configuration pop-up window.
4. Enter the description for the Network configuration file in the Description field.
5. Click on Submit button to upload the file.
The uploaded Network configuration file will be displayed in the first row of the Saved
Configuration view list with a new version number. The new version number will not be the
same as the old one before this configuration file was downloaded. If you want to dispatch it to
Collectors, please refer to the previous Dispatching Network configuration section.
Figure 3.4-3 System Admin / Configuration -- Upload Configuration Window
Deleting Network configuration

With this function, users can delete the useless saved Network configuration file in the system.
Please follow steps below:
1. Select a saved configuration listed in the Saved Configuration view list via clicking on its radio
button.
2. Click on Delete button.
After you click on this button, a confirmation dialog box will pop up.
3. Click on OK button to confirm the deletion.
Once you click on OK button, the system will remove this Network configuration file from
the Saved Configuration view list.
128
3.5
Mitigation
The Mitigation sub menu of Network is for users to configure essential mitigation elements for two
system mitigation methods supported (Hardware Mitigation and Blackhole). When users click on
the unfolding mark of Mitigation, all its sub menus will be unfolded including Blackhole, and
Device. The Blackhole menu is used to configure basic element for the Blackhole mitigation
method; and the Device menu is used to manage Cisco Guard devices for the Hardware Mitigation
method. Be aware of getting confused with the Main Menu tree of Mitigation which is for
taking/managing mitigation actions.
Note
Only the user with the authority of administrator or defined by template, superuser, can
access the Mitigation sub menu of System Admin.
3.5.1
Blackhole
The Blackhole menu (on the Mitigation sub menu of System Admin Main Menu tree at the left
side of the screen) is used to configure Blackhole next hop for creating Blackhole mitigation
actions. After clicking on Blackhole menu, a page with the Blackhole title will be shown (See
Figure 3.5.1-1).
Figure 3.5.1-1 System Admin / Mitigation / Blackhole Management Window
To configure Blackhole parameters

1. Click on Edit button, a management window will pop up (See Figure 3.5.1-2).
2. Enter a null route in the Null Route field.
Routing traffic to a nonexistent interface is the idea of null route which is often called a 'bit
bucket' and used to keep packets from getting to their destination. Therefore, a null route can
temporarily be used near the destination to drop all traffic generated by the attack. The null
route set here can be applied in configuring Blackhole mitigation actions (on the Blackhole
sub menu of Mitigation main menu). The inputted format is xxx.xxx.xxx.xxx.
3. Enter the IP address of a blackhole device in the Off-ramp Next Hop field.
The idea of off-ramp next hop here is to divert malicious traffic to a blackhole device such as
IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) to eat up attacking
traffic. The inputted format is xxx.xxx.xxx.xxx.
Figure 3.5.1-2 System Admin / Mitigation / Blackhole -- Edit Blackhole Window
129
Configure the Blackhole Policy

This function allows users to define the policy for specified Blackhole action. When an attack
happens, users can use the defined blackhole policy to perform the protection.
To add a blackhole policy

Click on the Add button to add the Blackhole policy. (See Figure 3.5.1-3)
1. Provide Blackhole Policy information to the following fields: (The asterisk "" indicates a
mandatory field.)
Policy Name: Give a name for this policy. The inputted characters must be between 2
and 40.
Time Out: Input a value in this field. The configured blackhole mitigation action will
automatically stop when the time configured here is expired. Available range is from 5 to
1440 (minutes).
BGP Next Hop: Select the hop from the drop-down list and click on the <<< button to
add it. There are two types of BGP Next Hop for select, Null route or Off-ramp Next Hop.
Community String: Select the community string type from the drop-down list. If the
AAAAA:NNNNN (by Input) is set, users have to input the values in the text box.
Router: Select the router from the Peers Configured in Zebra text box and click on the
<< Add button to add it. Users can select added route and click on the Remove>>
button to remove it or just click on the Remove All to clear the configuration. The
system will announce the configuration to the router for reroute the traffic in order to
protect the specified zone prefixes.
Auto-Mitigation: Select the Enabled or Disabled from the drop-down list.
Protected Zone: Input the prefixes in the text box. Prefix 0.0.0.0/0, which means any
host is accepted here.
2. Click on the
Submit
button to add the configuration.
Figure 3.5.1-3 System Admin / Mitigation / Blackhole -- Add Blackhole Policy Window
130
To edit a Blackhole Policy

Click on icon to enter the Blackhole Policy window (See Figure 3.5.1-4).
Figure 3.5.1-4 System Admin / Mitigation / Blackhole -- Edit Blackhole Policy Window
(Please refer to the previous "To add a Blackhole Policy" section for the following steps of your
2. Click on " Submit " button to complete the modification.
To delete a Blackhole Policy

1. Click on the delete icon " ".
configurations specify this blackhole policy will be affected if the blackhole policy is deleted.
2. Click on " Submit " button to remove the router from the system.
131
To view the blackhole policy

The detail information of the blackhole policy can be reviewed (See Figure 3.5.1-5).
Figure 3.5.1-5 System Admin / Mitigation / Blackhole -- View Blackhole Policy Window
1. Click on an ID/Name to enter the View Blackhole Policy window.
2. Click on Back to List button to return to the Blackhole management window.
132
3.5.2
Device
Device menu allows users to add Guard/Eudemon devices into the system for washing out
attacking traffic and redirecting normal traffic back to its original destination. The added
Guard/Eudemon devices here will be applied in configuring Hardware Mitigation actions (on the
Hardware Mitigation sub menu of Mitigation main menu). This function mainly provides
Guard/Eudemon devices integrant information for GenieATM to provision for the devices. Here,
users can generate SSH host key for SSH access to Guard from GenieATM and configure
Guard into the system.
After clicking on Device menu displayed on the Sub Menu tree of Mitigation at the left side of
the screen, the Guard management window (the default entered window) will be shown. Users
can see the sub-menu tabs, Cisco Guard, Eudemon and Global, appearing above the screen
(See Figure 3.5.2-1). The job of Global sub-menu tab is to generate SSH host key. Users should
go get a host key before adding a Guard.
Figure 3.5.2-1 System Admin / Mitigation / Device / Device Management Window
3.5.2.1
Guard
Once you click on Device menu, you will directly enter the Guard management window. The
latest added Guard will be displayed at the first row of the list. The following sections are going to
introduce how to add, edit, and delete a Guard device, and how to view the profile of a Guard
device.
To add a Cisco Guard

Click on Add button at the top of the Guard view list to enter the Add Guard window. (See
Figure 3.5.2-2)
Figure 3.5.2-2 System Admin / Mitigation / Device / Cisco Guard -- Add Guard Window
133
1. Provide Guard information to the following fields: (The asterisk "" indicates a mandatory
field.)
Name: Give a name for this Guard. (It is only for the purpose of identification.) The number
of inputted characters must be between 2 and 40. All characters are accepted except space
and special characters (!@#$%^&<>?...).
IP Address: The IP address of the Guard. The inputted format is xxx.xxx.xxx.xxx.
Device Type: select the device type of the Guard from the drop-down list. The supported
types are Cisco Guard and Leadsec Guard.
SSH:
Username: Input an available user account on your Guard. The number of inputted
characters must be between 2 and 64. Default is admin.
Password: Input the password of the specified user account in the Username field. The
number of inputted characters must be between 2 and 64.
Port: Input a port number to connect to Guard with SSH. The available value is between 1
and 65535. Default is 22.
SNMP:
Read Community String: The password to connect with Guard. Enter Guards SNMP read
community string. Please note that it will fail to get Guards information if the read-only
community string you provided is not correct. The number of inputted characters must be
between 2 and 64.
SNMP Version: Select the SNMP version which to contact with Guard. Note that this item is
available only if the IP address and its community string are provided. Only SMNP version
2c is provided, click on SNMP WALK >> button to get the current Guards information.
The results of SNMP query will be displayed in a yellow block at the upper-right side of the
screen, including Guards system object ID, description, name, and rhNESw version.
selections are 1, 2, 3, 4, 5., to 15 (seconds) and the default value is 5 seconds.
SNMP polling response from Guard exceeding the configured time out, the system will try to
send a SNMP polling request again. Available selections are 1, 2, and 3 (times) and the
default value is 2 times.
Auto-Mitigation:
Auto-mitigation: Select the Enabled to perform the mitigation automatically, otherwise
select the Disabled. The default set is Disabled.
Triggered Severity: Select the severity, red or yellow, to trigger the auto-mitigation, if the
auto-mitigation function is enabled.
Bandwidth: Set the capacity of the Guard device. Once the volume of attacking traffic
exceeds the capacity of Guard device, the mitigation action will not to be executed.
Time Out: Set the time-out duration to stop the mitigation action.
2. Click on Update button displayed at the top of Zone Table to get the latest configured zone
information on Guard. The Zone Table information includes No., Zone ID, Zone Name, Prefix #,
Prefix, Status and Auto. Each zone has its one auto control. The system default is disable.
134
To edit a Guard
Click on icon to enter the Edit Guard window. (See Figure 3.5.2-3)
Figure 3.5.2-3 System Admin / Mitigation / Device / Cisco Guard -- Edit Guard Window
(Please refer to the previous To add a Guard section for the following steps of your
To delete a Guard
configurations are using this Guard will be affected if the Guard is deleted.
2. Click on Submit button to remove the Guard from the system.
135
To view the profile of a Guard

The detail information of the Guard can be reviewed.
Figure 3.5.2-4 System Admin / Mitigation / Device / Cisco Guard -- View Guard Window
1. Click on an ID/Name to enter the View Guard window.
2. Click on Back to List button to return to the Guard management window.
136
3.5.2.2
Eudemon
Click on Eudemon sub-menu to enter the Eudemon management window (See Figure 3.5.2-5).
The latest added Eudemon will be displayed at the first row of the list. The following sections are
going to introduce how to add, edit, and delete a Eudemon device, and how to view the profile of
a Eudemon.
Figure 3.5.2-5 System Admin / Mitigation / Device / Eudemon -- Eudemon Management Window
To add a Eudemon
Click on Add button at the top of the Eudemon view list to enter the Add Eudemon window
(See Figure 3.5.2-6).
Figure 3.5.2-6 System Admin / Mitigation / Device / Eudemon -- Add Eudemon Window
1. Provide Eudemon information to the following fields: (The asterisk "" indicates a mandatory
field.)
Name: Give a name for this Eudemon. (It is only for the purpose of identification.) The
number of inputted characters must be between 2 and 40. All characters are accepted
Note
The name specified in the Blackhole or Device function can not be duplicated.
137
IP Address: The IP address of the Eudemon. The inputted format is xxx.xxx.xxx.xxx.

Device Type: Select the device type from the dropped down list.
SSH:
User Name: Enter the user name used to connect the Eudemon device via ssh tool.
Password: Enter the password of the user name.
Port: Enter the connecting port used by ssh tool.
SNMP:
Read Community String: The password to connect with Eudemon. Enter Eudemons
SNMP read community string. Please note that it will fail to get Eudemons information if
the read-only community string you provided is not correct. The number of inputted
characters must be between 2 and 64.
SNMP Version: Select the SNMP version which to contact with Eudemon. Note that this
item is available only if the IP address and its community string are provided. Click on
SNMP WALK >> button to get the current Eudemons information. The results of
SNMP query will be displayed in a yellow block at the right side of the screen, including
Eudemons system object ID, description, and name.
selections are 1, 2, 3, 4, 5., to 15 (seconds) and the default value is 5 seconds.
SNMP polling response from Eudemon exceeding the configured time out, the system
will try to send a SNMP polling request again. Available selections are 1, 2, and 3 (times)
and the default value is 2 times.
Auto-Mitigation:
Auto-mitigation: Select the Enabled to perform the mitigation action automatically,
otherwise select the Disabled. The default set is Disabled.
Triggered Severity: Select the severity, red or yellow, to trigger the auto-mitigation, if the
auto-mitigation function is enabled.
Bandwidth: Set the capacity of the Eudemon device. Once the volume of attacking traffic
exceeds the capacity of Eudemon device, the mitigation action will not to be executed.
Time Out: a time period parameter used to control when to stop the mitigation action.
When the traffic drop rate of victim IP is extremely low and maintains longer than the
recovery latency configured, the mitigation action will end.
Protect zone: Input the IP Prefix for protection.
138
To edit a Eudemon
Click on icon to enter the Edit Eudemon window (See Figure 3.5.2-7).
Figure 3.5.2-7 System Admin / Mitigation / Device / Eudemon -- Edit Eudemon Window
(Please refer to the previous To add a Eudemon section for the following steps of your
To delete a Eudemon
configurations using this Eudemon will be affected if the Eudemon is deleted.
2. Click on Submit button to remove the Eudemon from the system.
139
To view the profile of a Eudemon

The detail information of the Eudemon can be reviewed (See Figure 3.5.2-8).
1. Click on an ID/Name to enter the View Eudemon window.
When you move the cursor to the ID/Name listed in the ID or Name column, the color of the
2. Click on Back to List button to return to the Eudemon management window.
Figure 3.5.2-8 System Admin / Mitigation / Device / Eudemon -- View Eudemon Window
140
3.5.2.3
Global
Click on Global sub-menu tab to enter the SSH Public Key Generation window (See Figure
3.5.2-9). If users want to use SSH access to their mitigation device, the SSH key generated here
should be copied into both the mitigation device and GenieATM. In GenieATM, users should
copy the key into the Host Key field of mitigation device management window (such as Guard
management Window).
After clicking on Generate SSH Key Pair button, the system will take couple minutes to
generate the SSH key and a message will tell the generation is processing, completed, or failed.
If the generation is completed, a new set of SSH key will be displayed in the SSH Public Key text
field then and a time stamp will appear to tell when the key is generated. Please see Figure
3.5.2-10 for a completed example.
Figure 3.5.2-9 System Admin / Mitigation / Global / SSH Public Key Window
Figure 3.5.2-10 System Admin / Mitigation / Global / SSH Public Key Window
141
3.6
Preferences
Preferences menu allows users to define the preferred parameters and templates which can be
applied in the system including ten sub menus: Status, Storage, Report, Notification, Name
Mapping, Group, Baseline History, Offline Report, and Remote Update. These sub menus will
turn up when users click on the unfolding mark of Preferences.
Note
Only the user with the authority of administrator can access all functions of the Preferences
menu. The user with the authority of defined by template, superuser, can access only the
Notification, Group, Baseline History, and Offline Report functions in Preferences, and the
viewing only user & Sub-Network user cannot access any of them.
3.6.1
Status
The Status menu here indicates the sub-function in Preferences (not the Status menu on the
Main Menu tree). This function allows administrators to set the parameter for the Status
Summary page (under the Main Menu tree of Status). Click on Status menu displayed on the
Sub Menu tree of Preferences at the left side of the screen to enter the Status Parameter
management window. (As presented at Figure 3.6.1-1)
Figure 3.6.1-1 System Admin / Preferences / Status Parameter Management Window
To edit the Status preferences

Click on Edit button at the right side, a management window will pop up. (See Figure 3.6.1-2)
1. Select your preferred time period from the Status Page Refresh Period drop-down list.
The selected time period decides how frequently the Status Summary page is refreshed. The
selectable values for the time period are from 1, 2, 3 to 10 (The unit is minute; the default
is 1 minute).
2. Select your preferred maximum displayed entries of the latest ongoing Anomalies from the
Maximum Number of Most Recent Ongoing Anomalies drop-down list.
The selectable values for the maximum Anomalies displayed are from 3, 4, 5 to 20 (Default
is 5).
3. Select your preferred maximum displayed entries of the latest alerts from the Maximum
Number of Most Recent Alerts Displayed drop-down list.
The selectable values for the maximum alerts displayed are from 3, 4, 5 to 30 (Default is
10).
4. Click on the check box to enable the system to play the alarm sound if it is need.
5. Select the time from the drop-down list for system to detect the new anomaly.
Figure 3.6.1-2 System Admin / Preferences / Status -- Edit Status Parameter Window
142
3.6.2
Storage
Storage menu provides administrators a tool to manage the store of analysis report and log. It
can prevent the system from running out of disk storage space. There are five parts: Disk Usage,
Report Data, Alert Log, Anomaly Log, and Login Log. The Disk Usage part is to configure the
parameters of when the auto DB purging process will be triggered and till when the purging
process halted. The Report Data part is to configure for how long different types (daily, weekly,
monthly, and yearly) of reports will be preserved in DB once the auto DB purging process is
triggered. The preservation durations of different period-type reports can be configured
respectively. The report data is preserved according to various different time periods: daily,
weekly, monthly, and yearly. The Alert Log part is to configure the maximum preservative period
and amount for system alert logs. The Anomaly Log part is to configure the maximum
preservative period and amount for anomaly event logs. The Login Log part is to configure the
maximum preservative period and amount for login logs.
The following sections are going to tell users how to set up the parameters of these five parts.
Click on Storage menu displayed on the Sub Menu tree of Preferences at the left side of the
screen to enter the Storage Management window. (As presented at Figure 3.6.2-1)
Figure 3.6.2-1 System Admin / Preferences / Storage Management Window
To edit the preferences for Disk Usage

1. Click on Edit button at the right side of the Disk Usage block area, a management window
2. Enter a percentage in the When the Disk Usage Is More Than field.
The percentage by which system will start the auto purging process once the DB usage space
percentage reaches the percentage configured. The default value is 90% (the upper limit of
disk storage usage).
3. Enter a percentage in the Purge Data Until field.
The percentage by which system will stop the DB purging process once the DB usage space
percentage is no higher than the percentage configured. The default value is 60%.
Figure 3.6.2-2 System Admin / Preferences / Storage -- Edit Disk Usage Window
143
To edit the preferences for Report Data

1. Click on Edit button at the right side of the Report Data block area, a management window
2. Select your preferred duration of each period type of the reports from the drop-down lists.
Those numbers with an asterisk represents a default value. Daily reports are allowed to be
preserved from 1 to 45 days (Default is 10 days). Weekly reports are allowed to be preserved
from 1 to 52 weeks (Default is 8 weeks). Monthly reports are allowed to be preserved from 1
to 24 months (Default is 12 months). Yearly reports are allowed to be preserved from 1 to 5
years (Default is 1 years).
Figure 3.6.2-3 System Admin / Preferences / Storage -- Edit Report Data Window
To edit the preferences for Alert Log

1. Click on Edit button at the right side of the Alert Log block area, a management window will
pop up. (See Figure 3.6.2-4)
2. Select your preferred duration of preservation of alert logs from the Preserved Alert Log
drop-down list.
Alert logs are allowed to be preserved from 1 to 180 days (Default is 14 days).
3. Select your preferred maximum number of preserved alert log entries from the drop-down list.
The configurable values for the maximum logs are from 1000, 2000, 3000 to 10000 (Default
is 3000).
Note
Users can query all the alert logs stored in the database via the Alert Log function of Status.
Figure 3.6.2-4 System Admin / Preferences / Storage -- Edit Alert Log Window
144
To edit the preferences for Anomaly Log

1. Click on Edit button at the right side of the Anomaly Log block area, a management
2. Select your preferred duration of preservation of anomaly logs from the Preserved Anomalies
drop-down list.
Anomaly logs are allowed to be preserved from 1 to 12 months (Default is 1 month).
3. Select your preferred maximum number of preserved anomaly log entries from the drop-down
list.
is 1000).
Note
Users can query all the anomaly logs stored in the database via the Anomaly Console
function of Status.
Figure 3.6.2-5 System Admin / Preferences / Storage -- Edit Anomaly Log Window
To edit the preferences for Login Log

1. Click on Edit button at the right side of the Login Log block area, a management window
2. Select your preferred duration of preservation of login logs from the Preserved Login Log
drop-down list.
Notification logs are allowed to be preserved from 30 to 180 days (Default is 30 days).
3. Select your preferred maximum number of preserved login log entries from the drop-down list.
is 1000).
Figure 3.6.2-6 System Admin / Preferences / Storage -- Edit Login Log Window
145
3.6.3
Report
Report menu allows administrators to set the parameters about the maximum displayed entries
of the pre-defined TopN reports (Internet, Neighbor, Backbone, Router, Interface, and
Sub-Network), and the detail anomaly traffic analysis report. Click on Report menu displayed on
the Sub Menu tree of Preferences at the left side of the screen to enter the Report Parameter
management window (As presented at Figure 3.6.3-1).
Figure 3.6.3-1 System Admin / Preferences / Report Parameter Management Window
To edit the Pre-defined TopN Report preferences

1. Click on Edit button at the right side, a management window will pop up. (See Figure
3.6.3-2)
2. Select your preferred maximum number of displayed entries of the TopN report from the
Pre-defined TopN Report drop-down list.
The selectable values for the maximum entries displayed are from 10, 20, 25, 30, 35, 40, 45,
50, 75, 100, and 128 (Default is 25). The maximum number of displayed entries should be up
to the configured value. However, if the entries saved in the database does not have that much,
then the system will only display the number of entries saved in the database.
Figure 3.6.3-2 System Admin / Preferences / Report -- Edit Pre-defined TopN Report Parameter
Window
146
To edit the Default Tab Activated of Report Table

Users can select the preferred report table as the default one when displaying a report.
3.6.3-3)
2. Select your preferred report table as the default one.
The selectable values are Average, Current and Maximum (Default is Average).
Figure 3.6.3-3 System Admin / Preferences / Report -- Edit Report Parameter Window
To edit the Rule-Based Report Label

3.6.3-4)
2. Type the alphabetic descriptions of the bi-directional Y-axis labels for all report charts
displaying in the Rule-Based report.
Figure 3.6.3-4 System Admin / Preferences / Report -- Edit Rule-Based Report Label Window
To edit the Anomaly Traffic Analysis report preferences

The GenieATM system provides the detail traffic analysis report for every Anomaly event
happened and users can decide the maximum number of displayed entries of the analysis
statistics by configuring the preference here.
3.6.3-5)
2. Select your preferred maximum number of displayed entries of the TopN report from the
Anomaly Traffic Detail Report drop-down list.
The selectable values for the maximum entries displayed are from 5 to 16 (Default is 5).
Figure 3.6.3-5 System Admin / Preferences / Report -- Edit Detail Anomaly Traffic Analysis Report
Parameter Window
147
3.6.4
Notification
Notification menu allows administrators to configure the settings of the system alert and
anomaly event notifications. There are three kinds of notification methods supported, Email,
SNMP Trap, and Syslog notifications. Except Syslog, Email and SNMP Trap can be configured
through Web UI. Please refer to the GenieATM CLI Command Reference document for
relevant configurations of Syslog.
The Notification function is divided into five parts: System Notification -- includes parameters of
overall notification sending and system-related alert notifications; Router Notification -provides parameter configurations of router relevant alert and anomaly notifications;
Sub-Network Notification -- provides parameter configurations of anomaly notification relevant
to Sub-Network; MSP Customer Notification -- provides parameter configurations of anomaly
notification relevant to MSP Customers; Filter Notification -- provides parameter configurations
of anomaly notification relevant to Filters.
Note
The MSP Customer tab will not show when the system does not support the MSP module
(value-added function).
After clicking on Notification menu displayed on the Sub Menu tree of Preferences at the left
side of the screen, the System Notification Configuration window (the default entered window)
will be shown. Users can see the sub-menu tabs, System, Router, Sub-Network, MSP Customer,
and Filter, appearing above the screen (See Figure 3.6.4-1).
Figure 3.6.4-1 System Admin / Preferences / Notification / System Notification Configuration Window
148
3.6.4.1
System Notification
Once you click on Notification menu, you will directly enter the System Notification
Configuration window. It includes two parts of configurations, the Email Notification part is to
register email sending relevant parameters and; the Trap Notification part is to configure the
SNMP community string which will be used for SNMP trap sending.
To edit the Email Notification

Click on Edit button at the right side of the Email Notification block area, a management
Figure 3.6.4-2 System Admin / Preferences / Notification / System -- Edit Email Notification Window
1. Set the action, Enabled or Disabled, for receiving the Email Notification.
2. Enter an email address which will be used as the sender of notification email.
Please follow the format aaa@aaa.aaa with no space inside. This email account must be valid
email account.
3. Enter the IP address of the email (SMTP) server which will be used to send the alert
notifications for all events.
4. Enter a user name, which is used to authenticate by the SMTP server.
5. Enter the password of the user name.
6. From the dropped list, select the user group that specified to receive the email notification.
The maintainer can specify a user group in User function in the System Admin/ Preference/
Group function.
7. Select the displaying way of the notification in the email. There are two ways, Pop up login
page and Direct to Report page, for selection and the factory default is Direct to Report page.
In addition, users can set the way to link the report via HTTP or HTTPS.
8. Select the displaying format, TEXT or HTML, to present the content in the Notification mail.
9. Input the subjects descriptions of the Notification Mail.
10. Input the subjects descriptions of the Offline-line Report Mail.
11. Select the language type from the dropped down list. There are four languages for selection
and the factory default is Westerm (ISO-8859-1). The specified language is use for the
Notification mail and Offline Report mail.
12. 11. Click on Submit button to complete the configuration.
149
To edit the Trap Notification

Click on Edit button at the right side of the Trap Notification block area, a management
Figure 3.6.4-3 System Admin / Preferences / Notification / System -- Edit Trap Notification Window
1. Select Disabled or Enabled to disable or enable the notification sending via email from the
Email Notification drop-down list.
The default value is Disabled.
2. Enter the IP address that the system sends traps to.
3. Enter the read-only community string for the SNMP trap which will be applied to all
notifications.
The number of inputted characters must be between 1 and 40. (Default is public)
150
3.6.4.2
Router Notification
Click on Router sub-menu tab to enter the Router Notification Configuration window. (See
Figure 3.6.4-4) The information displayed in the Router Notification view list includes No., Router
Name, IP Address, Email Notification [Enabled; User Group], and Resource Importance. All
routers configured in the system (in the Network/Router function of System Admin) will be
shown in this view list. Users can edit the notifications parameters for each router here.
Figure 3.6.4-4 System Admin / Preferences / Notification / Router Notification Configuration Window
To edit a Router Notification

Click on icon to enter the Edit Router Notification Configuration window. (See Figure 3.6.4-5)
Figure 3.6.4-5 System Admin / Preferences / Notification / Router -- Edit Router Notification
Configuration Window
Email Notification drop-down list. The default value is Disabled.
2. Select a user group from the drop-down list of User Group to Receive Email Notification.
All user groups configured in the Group/User function of Preferences will be shown in this
drop-down list. The default value is None. Please note that if you have selected to enable the
Email notification, you have to choose a user group. Otherwise, the system will send the Email
notification to nowhere.
3. Select an importance level for the router from the Resource Importance drop-down list.
There are two importance levels, Regular and High (Default is Regular). This configuration
parameter works with the User Groups email notification configurations to determine whether
the email notification will be sent under different situation.
151
3.6.4.3
Sub-Network Notification
Click on Sub-Network sub-menu tab to enter the Sub-Network Notification Configuration

window. (See Figure 3.6.4-6) The information displayed in the Sub-Network Notification
configuration view list includes No., Name, Email Notification [Enabled; User Group], and
Resource Importance. All Sub-network configured in the system (in the Network/Sub-Network
function of System Admin) will be shown in this configuration view list. Users can edit the
notifications parameters for each Sub-Network here.
Figure 3.6.4-6 System Admin / Preferences / Notification / Sub-Network Notification Configuration

Window
To edit a Sub-Network Notification

Click on icon to enter the Edit Sub-Network Notification Configuration window. (See Figure
3.6.4-7)
Figure 3.6.4-7 System Admin / Preferences / Notification / Sub-Network -- Edit Sub-Network

Notification Configuration Window
3. Select an importance level for the Sub-Network entity from the Resource Importance
drop-down list.
152
3.6.4.4
MSP Customer Notification
Click on MSP Customer sub-menu tab to enter the MSP Customer Notification Configuration window
(see the figure 3.6.4-8). Users only can edit the notifications parameters for sending notifications to
the specified MSP Customer.
Figure 3.6.4-8 System Admin/Preference/Notification/MSP Customer MSP Customer Notification

To edit a MSP Customer Notification

Click on " " icon to enter the Edit MSP Customer Notification Configuration window (see the figure
3.6.4-9).
1.
Select the action, Disabled or Enabled, for the notification sending via email. The default
value is Disabled.
2.
The system only displays the default user group for selecting. The MSP customers with
Customer Admin and Customer Superuser Privileges will belong to default user group of this
customer. System admin can add or delete the users form default user group listed at
System Admin/Preference/Group/MSP Customer User function.
3.
Select an importance level for the Customer entity from the Resource Importance drop-down
list. There are two importance levels, Regular and High (Default is Regular). This
configuration parameter works with the User Groups email notification to determine what
situation the email notification will be sent.
4.
Click on " Submit " button to complete the configuration.
Figure 3.6.4-9 System Admin/Preference/Notification/MSP Customer Edit MSP Customer

Notification Configuration Window
153
3.6.4.5
Filter Notification
Click on Filter sub-menu tab to enter the Filter Notification Configuration window. (See Figure
3.6.4-10) The information displayed in the Filter Notification view list includes No., Name, Email
Notification [Enabled; User Group], and Resource Importance. All Filters configured in the
system (in the Network/Filter function of System Admin) will be shown in this view list. Users
can edit the notifications parameters for each Filter here.
Figure 3.6.4-10 System Admin / Preferences / Notification / Filter Notification Configuration Window
To edit a Filter Notification

Click on icon to enter the Edit Filter Notification Configuration window. (See Figure 3.6.4-11)
Figure 3.6.4-11 System Admin / Preferences / Notification / Filter -- Edit Filter Notification
3. Select an importance level for the Filter from the Resource Importance drop-down list.
154
3.6.5
Name Mapping
Name Mapping menu allows administrators to maintain and configure the name-mapping of
Services, Protocols, ASNs (Autonomous System Numbers), Area and IP to Area. (The called
service is a combination of protocol and port number.) This mapping information will be used in
reports. There are built-in mappings provided, but the system also allows users to create and
update name mappings.
After clicking on Name Mapping menu displayed on the Sub Menu tree of Preferences at the
left side of the screen, the Service management window (the default entered window) will be
shown. Users can see its sub-menu tabs, Service, Protocol, ASN, Area, and IP to Area
appearing above the screen. (See Figure 3.6.5-1)
Note
list. Users can utilize multiple searching filters (Protocol, Port, Name, AS Number, Display
Name, or Registered Name) to quickly find out a specific service, protocol, or ASN from the
view list. Select a type of searching filter in the Searching drop-down list, input key word in
the for blank, and then click on the Go button.

|<
<<
>>
>|
total pages.
view list. There are four options to select: 15, 30, 60, and 120. The number 15 with an
asterisk means the default value.
Figure 3.6.5-1 System Admin / Preferences / Name Mapping / Service Management Window
155
3.6.5.1
Services
Once you click on Name Mapping menu, you will directly enter the Service management
window. The information displayed in the Service view list includes No., Protocol, Port, and
Name. The following sections are going to introduce how to add, edit, and delete a service.
To add a service
Click on Add button at the top of the Service view list to enter the Add Service Name window.
Figure 3.6.5-2 System Admin / Preferences / Name Mapping / Service -- Add Service Name Window
1. Provide service information to the following fields: (The asterisk "" indicates a mandatory
field.)
Name: Give a name for this service. The number of inputted characters must be between 1
(!@#$%^&<>?...).
Protocol: Enter the protocol number. Only integers from 0 to 255 will be accepted.
Port: Enter the port number. Only integers from 0 to 65535 will be accepted.
Note
The system will reject your submission if the service (protocol and port) you add is
duplicated with existing configurations.
To edit a service
Click on icon to enter the Edit Service Name window. (See Figure 3.6.5-3)
Figure 3.6.5-3 System Admin / Preferences / Name Mapping / Service -- Edit Service Name Window
(Please refer to the previous To add a service section for the following steps of your
1. Enter a new name if necessary.
To delete a service
2. Click on OK button to remove the service from the system.
156
3.6.5.2
Protocols
Click on Protocol sub-menu tab to enter the Protocol management window. (See Figure 3.6.5-4)
The information displayed in the Protocol view list includes No., Protocol, and Name. The
following sections are going to introduce how to add, edit, and delete a protocol.
Figure 3.6.5-4 System Admin / Preferences / Name Mapping / Protocol Management Window
To add a protocol
Click on Add button at the top of the Protocol view list to enter the Add Protocol Name
Figure 3.6.5-5 System Admin / Preferences / Name Mapping / Protocol -- Add Protocol Name
Window
1. Provide protocol information to the following fields: (The asterisk "" indicates a mandatory
field.)
Name: Give a name for this protocol. The number of inputted characters must be between 1
and
64.
All
characters
are
accepted
except
space
and
special
characters
(!@#$%^&<>?...).
Protocol: Enter the protocol number. Only integers from 0 to 255 will be accepted.
Note
The system will reject your submission if the protocol you add is duplicated with existing
configurations.
157
To edit a protocol
Click on icon to enter the Edit Protocol Name window. (See Figure 3.6.5-6)
Figure 3.6.5-6 System Admin / Preferences / Name Mapping / Protocol -- Edit Protocol Name
Window
(Please refer to the previous To add a protocol section for the following steps of your
1. Enter a new name if necessary.
To delete a protocol
2. Click on OK button to remove the protocol from the system.
3.6.5.3
ASNs
Click on ASN sub-menu tab to enter the ASN management window. (See Figure 3.6.5-7) The
information displayed in the Protocol view list includes No., AS Number, Display Name, and
Registered Name. The following sections are going to introduce how to add, edit, and delete a
protocol.
Figure 3.6.5-7 System Admin / Preferences / Name Mapping / ASN management Window
158
To add a ASN
Click on Add button at the top of the ASN view list to enter the Add ASN Name window. (See
Figure 3.6.5-8)
Figure 3.6.5-8 System Admin / Preferences / Name Mapping / ASN -- Add ASN Window
1. Provide AS number information to the following fields: (The asterisk "" indicates a
mandatory field.)
Display Name: Give a name for this AS number. This name will be displayed in reports.
AS Number: Enter the AS number. Only integers from 0 to 65535 will be accepted.
Registered Name: Enter the registered name of the AS number. The number of inputted
characters must be between 1 and 256.
Note
The system will reject your submission if the AS number you add is duplicated with existing
configurations.
To edit a ASN
Click on icon to enter the Edit ASN Name window. (See Figure 3.6.5-9)
Figure 3.6.5-9 System Admin / Preferences / Name Mapping / ASN -- Edit ASN Name Window
(Please refer to the previous To add a ASN section for the following steps of your modification.
The asterisk "" indicates a mandatory field.)
1. Enter a new display name if desired.
2. Enter a new registered name if necessary.
To delete a ASN
2. Click on OK button to remove the protocol from the system.
159
3.6.5.4
Area
Click on Area sub-menu tab to enter the Area management window. (See Figure 3.6.5-10) The
information displayed in the Area view list includes No., Code2, Code3 and Area. The following
sections are going to introduce how to add, edit, and delete a configuration of Area.
Figure 3.6.5-10 System Admin / Preferences / Name Mapping / Area Management Window
To add an area
Click on Add button at the top of the Area view list to enter the Add Area management
Figure 3.6.5-11 System Admin / Preferences / Name Mapping / Area -- Add Area management Window
1. Provide area information to the following fields: (The asterisk "" indicates a mandatory field.)
Code2: Give an abbreviation name for this Area. The number of inputted characters must
be between 1 and 5. All characters are accepted except space and special characters
(!@#$%^&<>?...).
Code3: Enter the abbreviation name of the Area. The number of inputted characters must
be between 1 and 64. All characters are accepted except space and special characters
(!@#$%^&<>?...).
Area: enter the areas full name.
Note
The system will reject your submission if anyone field you add is duplicated with existing
configurations.
160
To edit an area
Click on icon to enter the Edit Area management window. (See Figure 3.6.5-12)
Figure 3.6.5-12 System Admin / Preferences / Name Mapping / Area -- Edit Area management
window
(Please refer to the previous To add an area section for the following steps of your modification.
The asterisk "" indicates a mandatory field.)
1. Enter a new display data in Code3, or Area field if desired.
To delete an area
2. Click on OK button to remove the entry from the system.
3.6.5.5
IP to Area
Click on IP to Area sub-menu tab to enter the IP to Area management window. (See Figure
3.6.5-13) The information displayed in the IP to Area view list includes No., Begin IP, End IP,
Area Code and Area. The following section is going to introduce how to import the aggregation
data about IP to Area.
Figure 3.6.5-13 System Admin / Preferences / Name Mapping / IP to Area Management Window
161
To import the ip-to-area database

Click on Import button above the IP to Area view list to enter the Import IP-to-Area
management window. (See Figure 3.6.5-14)
1. Click on the Browse button and then a popped-up window shows for users to select the
CSV file.
Note
The web site, http://ip-to-country.webhosting.info/node/view/6, is one of the solutions

for users to download the IP-to-Country database. In addition, please make sure that
the file size must be less than 8 Mbytes.
The format of imported CSV file is as follows:

Field Name
Data Type
Field Description
IP_FROM
numerical (Double)
Beginning of IP address range
IP_TO
numerical (Double)
Ending of IP address range
CODE2
char(2)
Two-character country code based on ISO 3166
CODE3
char(3)
Three-character country code based on ISO 3166
Country Name
varchar(50)
Country name is based on ISO 3166
Note that all IP address ranges recorded in the IP_FROM and IP_TO fields are
represented as IP numbers which is the numeric representation of the dotted IP
address. The formula to convert an IP Address of the form A.B.C.D to an IP Number is
as follows:
IP Number = A x (256*256*256) + B x (256*256) + C x 256 + D
2. Click on Submit button to import the data.
Figure 3.6.5-14 System Admin / Preferences / Name Mapping / IP to Area Import IP-to-Area
management Window
162
3.6.6
Group
Group menu allows users to aggregate multiple entities as a resource group, such as user
group, router group, sub-network group, server-farm, neighbor group, Filter group and MSP
Customer User group. With this function, operating the system and managing the network
resources will be easier and more flexible. Every kind of Group has a built-in group called All,
which contains all created objects of the object type. For instance, The All group of User
contains all created (registered) user accounts in the system. These All groups are not addible,
modifiable, or removable by manual.
After clicking on Group menu displayed on the Sub Menu tree of Preferences at the left side of
the screen, the User Group Management window (the default entered window) will be shown.
Users can see the sub-menu tabs, User, Router, Sub-Network, Server-farm, Neighbor, Filter,
and MSP Customer User, appearing above the screen. (See Figure 3.6.6-1)
Note
Except administrators, the user with the authority of defined by template, superuser, also can
access the Group menu.
Figure 3.6.6-1 System Admin / Preferences / Group / User Group Management Window
3.6.6.1
User
Once you click on Group menu, you will directly enter the User Group Management window.
The information displayed in the User Group view list includes No., Group ID, and Group Name,
User, and User #. (The User # is the total users of the user group.) The following sections are
going to introduce how to add, edit, and delete a user group and how to view the profile of a user
group.
To add a user group

Click on Add button at the top of the User Group view list to enter the Add User Group
Figure 3.6.6-2 System Admin / Preferences / Group / User -- Add User Group Window
163
1. Enter a name for this user group in Name field.

You can give a meaningful name that can represent the user group you are adding. The
2. Select users for this group from the Available User list box.
You can select a user in the Available User list box each time and then click on <<Add
button to add the user to the Group list box at the left side. Use Remove>> button to
remove one selected user per time or Remove All button to remove all selected users at a
time from the left-hand Group list box. All registered users in the system will be displayed in
the Available User list box.
3. Provide the notification configurations for the user group.
Minimum Severity to Receive Email Notification for High Importance Resource:
Select a severity level from the drop-down list of Minimum Severity to Receive Email
Notification For High Importance Resource. The system will send out email notifications for
high importance resources when the event severity level is equal or above the selected
level.
Minimum Severity to Receive Email Notification for Regular Importance Resource:
Notification For Regular Importance Resource. The system will send out email notifications
for regular importance resources when the event severity level is equal or above the
selected level.
Receive Email for Recovery:
Select Disabled or Enabled to disable or enable system sending email notifications to the
user groups from the drop-down list of Receive Email for Anomaly Recovery.
To edit a user group

Click on icon to enter the Edit User Group window. (See Figure 3.6.6-3)
Figure 3.6.6-3 System Admin / Preferences / Group / User -- Edit User Group Window
164
(Please refer to the previous To add a user group section for the following steps of your
modification.
1. Enter a new name for the user group if desired.
2. Add/Remove the users for the group if necessary.
3. Modify the Notification configurations for the group if necessary.
To delete a user group

2. Click on OK button to remove the user group from the system.
To view the profile of a user group

The detail information will show all members information of a user group. (See Figure 3.6.6-4)
Figure 3.6.6-4 System Admin / Preferences / Group / User -- View User Group Window
1. Click on a (User) Group ID or Group Name to enter the View User Group window.
When you move the cursor to the ID/Name listed in the Group ID/Group Name column, the
color of the pointed ID/name will turn into blue. The View User Group window will display the
following information:
Name: name of the user group you selected to view.
User ID: user ID of each member in the group.
User Name: detailed user name of each member in the group.
Minimum Severity to Receive Email Notification for High Importance Resource:
Please refer To add a user group section for details.
Minimum Severity to Receive Email Notification for Regular Importance Resource:
2. Click on Back to List button to return to the User Group Management window.
165
3.6.6.2
Router
Click on Router sub-menu tab to enter the Router Group Management window. (See Figure
3.6.6-5) The information displayed in the Router Group view list includes No., Group ID, and
Group Name, Router, and Router #. (The Router # is the total routers of the router group.) The
following sections are going to introduce how to add, edit, and delete a router group and how to
view the profile of a router group.
Figure 3.6.6-5 System Admin / Preferences / Group / Router Group Management Window
To add a router group

Click on Add button at the top of the Router Group view list to enter the Add Router Group
Figure 3.6.6-6 System Admin / Preferences / Group / Router -- Add Router Group Window
1. Enter a name for this router group in Name field.
You can give a meaningful name that can represent the router group you are adding. The
2. Select routers for this group from the Available Router list box.
You can select a router in the Available Router list box each time and then click on <<Add
button to add the router to the Group list box at the left side. Use Remove>> button to
remove one selected router per time or Remove All button to remove all selected routers at
a time from the left-hand Group list box. All registered routers in the system will be displayed in
the Available Router list box.
166
To edit a router group

Click on icon to enter the Edit Router Group window. (See Figure 3.6.6-7)
Figure 3.6.6-7 System Admin / Preferences / Group / Router -- Edit Router Group Window
(Please refer to the previous To add a router group section for the following steps of your
modification.
1. Enter a new name for the router group if desired.
2. Add/Remove the routers for the group if necessary.
To delete a router group

2. Click on OK button to remove the router group from the system.
To view the profile of a router group

The detail information will show all routers information of a router group. (See Figure 3.6.6-8)
Figure 3.6.6-8 System Admin / Preferences / Group / Router -- View Router Group Window
1. Click on a (Router) Group ID or Group Name to enter the View Router Group window.
color of the pointed ID/Name will turn into blue. The View Router Group window will display the
Name: name of the router group you selected to view.
Router ID: router ID of each member in the group.
Router Name: name of each router in the group.
IP Address: the routers IP address.
2. Click on Back to List button to return to the Router Group Management window.
167
3.6.6.3
Sub-Network
Click on Sub-Network sub-menu tab to enter the Sub-Network Group Management window.
(See Figure 3.6.6-9) The information displayed in the Sub-Network Group view list includes No.,
Group ID, and Group Name, Sub-Network, and Sub-Network #. (The Sub-Network # is the total
sub-networks of the sub-network group.) The following sections are going to introduce how to
add, edit, and delete a sub-network group and how to view the profile of a sub-network group.
Figure 3.6.6-9 System Admin / Preferences / Group / Sub-Network Group Management Window
To add a sub-network
Click on Add button at the top of the Sub-Network Group view list to enter the Add
Sub-Network Group window. (See Figure 3.6.6-10)
Figure 3.6.6-10 System Admin / Preferences / Group / Sub-Network -- Add Sub-Network Group
Window
1. Enter a name for this sub-network group in Name field.
You can give a meaningful name that can represent the sub-network group you are adding.
2. Select sub-networks for this group from the Available Sub-Network list box.
You can select a sub-network in the Available Sub-Network list box each time and then click
on <<Add button to add the sub-network to the Group list box at the left side. Use
Remove>> button to remove one selected sub-network per time or Remove All button
to remove all selected sub-networks at a time from the left-hand Group list box. All registered
sub-networks in the system will be displayed in the Available Sub-Network list box.
168
To edit a sub-network group

Click on icon to enter the Edit Sub-Network Group window. (See Figure 3.6.6-11)
Figure 3.6.6-11 System Admin / Preferences / Group / Sub-Network -- Edit Sub-Network Group
Window
(Please refer to the previous To add a sub-network group section for the following steps of
your modification.
1. Enter a new name for the sub-network group if desired.
2. Add/Remove the sub-networks for the group if necessary.
To delete a sub-network group

2. Click on OK button to remove the sub-network group from the system.
To view the profile of a sub-network group

The detail information will show all sub-network information of a sub-network group. (See Figure
3.6.6-12)
Figure 3.6.6-12 System Admin / Preferences / Group / Sub-Network -- View Sub-Network Group
Window
1. Click on a (Sub-Network) Group ID or Group Name to enter the View Sub-Network Group
window.
color of the pointed ID/Name will turn into blue. The View Sub-Network Group window will
display the following information:
Name: name of the sub-network group you selected to view.
Sub-Network ID: sub-network ID of each member in the group.
Sub-Network Name: name of each sub-network in the group.
2. Click on Back to List button to return to the Sub-Network Group Management window.
169
3.6.6.4
Server-farm
Click on Server-farm sub-menu tab to enter the Server-farm Group Management window. (See
Figure 3.6.6-13) The information displayed in the Server-farm Group view list includes No.,
Group ID, and Group Name, Server-farm, and Server-farm #. (The Server-farm # is the total
server-farms of the server-farm group.) The following sections are going to introduce how to add,
edit, and delete a server-farm group and how to view the profile of a server-farm group.
Figure 3.6.6-13 System Admin / Preferences / Group / Server-farm Group Management Window
To add a server-farm group

Click on Add button at the top of the Server-farm Group view list to enter the Add Server-farm
Group window. (See Figure 3.6.6-14)
Figure 3.6.6-14 System Admin / Preferences / Group / Server-farm -- Add Server-farm Group
Window
1. Enter a name for this Server-farm group in Name field.
You can give a meaningful name that can represent the server-farm group you are adding.
2. Select server-farm for this group from the Available Server-farm(s) list box.
You can select a server-farm in the Available Server-farm list box each time and then click on
<<Add button to add the server-farm to the Group list box at the left side. Use
Remove>> button to remove one selected server-farm per time or Remove All button to
remove all selected Server-farms at a time from the left-hand Group list box. All registered
server-farms in the system will be displayed in the Available Server-farm list box.
170
To edit a server-farm group

Click on icon to enter the Edit Server-farm Group window. (See Figure 3.6.6-15)
Figure 3.6.6-15 System Admin / Preferences / Group / Server-farm -- Edit Server-farm Group Window
(Please refer to the previous To add a Server-farm group section for the following steps of
your modification.
1. Enter a new name for the server-farm group if desired.
2. Add/Remove the server-farms for the group if necessary.
To delete a Server-farm group

2. Click on OK button to remove the server-farm group from the system.
To view the profile of a Server-farm group

The detail information will show all server-farm information of a server-farm group. (See Figure
3.6.6-16)
Figure 3.6.6-16 System Admin / Preferences / Group / Server-farm -- View Server-farm Group
Window
171
1. Click on a (Server-farm) Group ID or Group Name to enter the View Server-farm Group
window.
color of the pointed ID/Name will turn into blue. The View Server-farm Group window will
display the following information:
Name: name of the server-farm group you selected to view.
Server-farm ID: server-farm ID of each member in the group.
Server-farm Name: name of each server-farm in the group.
2. Click on Back to List button to return to the Server-farm Group Management window.
3.6.6.5
Neighbor
Click on Neighbor sub-menu tab to enter the Neighbor Group Management window. (See
Figure 3.6.6-17) The information displayed in the Neighbor Group view list includes No., Group
ID, and Group Name, Neighbor, and Neighbor #. (The Neighbor # is the total neighbors of the
neighbor group.) The following sections are going to introduce how to add, edit, and delete a
neighbor group and how to view the profile of a neighbor group.
Figure 3.6.6-17 System Admin / Preferences / Group / Neighbor Group Management Window
To add a neighbor
Click on Add button at the top of the Neighbor Group view list to enter the Add Neighbor
Group window. (See Figure 3.6.6-18)
Figure 3.6.6-18 System Admin / Preferences / Group / Neighbor -- Add Neighbor Group Window
172
1. Enter a name for this neighbor group in Name field.

You can give a meaningful name that can represent the neighbor group you are adding. The
2. Select neighbors for this group from the Available Neighbor list box.
You can select a neighbor in the Available Neighbor list box each time and then click on
<<Add button to add the neighbor to the Group list box at the left side. Use Remove>>
button to remove one selected neighbor per time or Remove All button to remove all
selected neighbors at a time from the left-hand Group list box. All registered neighbors in the
system will be displayed in the Available Neighbor list box.
To edit a neighbor group

Click on icon to enter the Edit Neighbor Group window. (See Figure 3.6.6-19)
Figure 3.6.6-19 System Admin / Preferences / Group / Neighbor -- Edit Neighbor Group Window
(Please refer to the previous To add a neighbor group section for the following steps of your
modification.
1. Enter a new name for the neighbor group if desired.
2. Add/Remove the neighbors for the group if necessary.
To delete a neighbor group

2. Click on OK button to remove the neighbor group from the system.
173
To view the profile of a neighbor group

The detail information will show all neighbors information of a neighbor group. (See Figure
3.6.6-20)
Figure 3.6.6-20 System Admin / Preferences / Group / Neighbor -- View Neighbor Group Window
1. Click on a (Neighbor) Group ID or Group Name to enter the View Neighbor Group window.
color of the pointed ID/Name will turn into blue. The View Neighbor Group window will display
the following information:
Name: name of the neighbor group you selected to view.
Neighbor ID: neighbor ID of each member in the group.
Neighbor Name: name of each neighbor in the group.
2. Click on Back to List button to return to the Neighbor Group Management window.
174
3.6.6.6
Filter
Click on Filter sub-menu tab to enter the Filter Group Management window. (See Figure
3.6.6-21) The information displayed in the Filter Group view list includes No., Group ID, and
Group Name, Filter, and Filter #. (The Filter # is the total Filters of the Filter group.) The following
sections are going to introduce how to add, edit, and delete a Filter group and how to view the
profile of a Filter group.
Figure 3.6.6-21 System Admin / Preferences / Group / Filter Group Management Window
To add a Filter
Click on Add button at the top of the Filter Group view list to enter the Add Filter Group
Figure 3.6.6-22 System Admin / Preferences / Group / Filter -- Add Filter Group Window
1. Enter a name for this Filter group in Name field.
You can give a meaningful name that can represent the Filter group you are adding. The
2. Select Filters for this group from the Available Filter list box.
You can select a Filter in the Available Filter list box each time and then click on <<Add
button to add the Filter to the Group list box at the left side. Use Remove>> button to
remove one selected Filter per time or Remove All button to remove all selected Filters at a
time from the left-hand Group list box. All registered Filters in the system will be displayed in
the Available Filter list box.
175
To edit a Filter group

Click on icon to enter the Edit Filter Group window (See Figure 3.6.6-23).
Figure 3.6.6-23 System Admin / Preferences / Group / Filter -- Edit Filter Group Window
(Please refer to the previous To add a Filter group section for the following steps of your
modification.
1. Enter a new name for the Filter group if desired.
2. Add/Remove the Filters for the group if necessary.
To delete a Filter group

2. Click on OK button to remove the Filter group from the system.
To view the profile of a Filter group

The detail information will show all Filters information of a Filter group. (See Figure 3.6.6-24)
Figure 3.6.6-24 System Admin / Preferences / Group / Filter -- View Filter Group Window
1. Click on a (Filter) Group ID or Group Name to enter the View Filter Group window.
color of the pointed ID/Name will turn into blue. The View Filter Group window will display the
Name: name of the Filter group you selected to view.
Filter ID: Filter ID of each member in the group.
Filter Name: name of each Filter in the group.
2. Click on Back to List button to return to the Filter Group Management window.
176
3.6.6.7
MSP Customer User
After clicking on MSP Customer User tab in the System Admin/Preference/Group menu at
the left side of the screen, the MSP Customer User Group Management window will be shown
(see the figure 3.6.6-25). The fields of MSP Customer User view list include No., Group ID,
Group Name, User, and User # (The User # shows the total Users in the User group). Please
refer to the following section to modify the contents of the MSP Customer User group.
Figure 3.6.6-25 System Admin / Preferences / Group / MSP Customer User -- MSP Customer User
Group Management Window
To edit a MSP Customer User group

Click on icon to enter the Edit MSP Customer User Group window (as shown in the figure
3.6.6-26).
1. Select users from the Available User(s) text box.

You can select a user listed in the Available User text box and then click on <<Add button in
turns to add the user to the left text box. Use Remove>> button to remove one selected
user per time or Remove All button to remove all selected users at a time from the
left-hand Group list box. All users created in the System Admin/User function will be displayed
in the Available User list box.
Note
The admin role of this MSP Customer group lists in the below text box with the white
background and it cannot be modify.
2. Provide the notification configurations for the user group.

Minimum Severity to Receive Email Notification For High Importance Resource:
Notification For High Importance Resource. The system will send out email notifications for
high importance resources when the event severity level is equal or above the selected
level.

Minimum Severity to Receive Email Notification For Regular Importance

Resource:
Select a severity level from the drop-down list for Minimum Severity to Receive Email
Notification For Regular Importance Resource. The system will send out email notifications
for regular importance resources when the event severity level is equal or above the
selected level.

Select Disabled or Enabled to disable or enable system sending email notifications to the
user groups.

177
Figure 3.6.6-26 System Admin / Preferences / Group / MSP Customer User -- Edit MSP Customer
User Group Window
To view the profile of a MSP Customer User group

All members information of a MSP Customer User group will show in detail.
1. Click on a Group ID or Group Name to enter the View MSP User Group window (see figure
3.6.6-27).
color of the pointed ID/name will turn into blue.
2. Click on Back to List button to return to the MSP Customer User Group Management
window.
Figure 3.6.6-27 System Admin / Preferences / Group / MSP Customer User -- View MSP Customer
User Group Window
178
3.6.7
Baseline History
Baseline History menu mainly provides users the historical results of auto-learning traffic
baseline in the past N days (up to 30 days) of all existing Sub-Network, MSP Customer, and
Filter entities in the system. It also allows users to delete daily auto-learning traffic baseline
values which are confirmed as attacks happened in the learning period to manually exclude
improper statistics. So that, the auto-learning traffic baseline will not be greatly impacted by
happened attacks and can stay a more adaptive nature.
After clicking on Baseline History menu displayed on the Sub Menu tree of Preferences at the
left side of the screen, the Sub-Network Baseline History window (the default entered window)
will be shown. Users can see the sub-menu tabs, Sub-Network, MSP Customer, and Filter
appearing above the screen. (See Figure 3.6.7-1)
Note
Except administrators, the user with the authority of defined by template, superuser, also
can access the Baseline History menu.
Figure 3.6.7-1 System Admin / Preferences / Baseline History / Sub-Network Baseline History
Window
3.6.7.1
Sub-Network Baseline History
The information displayed in the Baseline History view list of Sub-Network includes No., ID,
(Sub-network) Name, Resource Importance, and Traffic Anomaly - Sub-Network [Incoming /
Outgoing] (See Figure 3.6.7-1). The activation status in the Incoming / Outgoing field indicates
whether the anomaly detection is enabled or disabled for the specific Sub-Network entity. The
detected results of traffic anomaly detection will be shown in the Traffic Anomaly Detection table
in detail (See Figure 3.6.7-2).
Figure 3.6.7-2 System Admin / Preferences / Baseline History / Sub-Network -- View Baseline History
Window
179
Viewing the baseline history of a Sub-Network

1. Click on a (Sub-Network) ID or Name to enter the View Baseline History window of
Sub-Network.
pointed ID/Name will turn into blue. The View Baseline History window will display the
List Table
This part is on the top of the screen. It shows the activation status of anomaly detection of the
selected Sub-Network entity.
Traffic Anomaly Detection View List
If the Traffic anomaly detection is enabled for this Sub-Network entity (in System
Admin/Network/Sub-Network function) and the baseline template is configured as auto (in
Baseline function in System Admin/Network/Template menu), the historical baseline values
will be displayed in this area. Here will only show the Traffic Anomaly Detection information
because only it can apply to auto-learning (dynamic) traffic baseline. Others, Protocol-Misuse
and Application Anomaly Detections can only apply to fixed traffic baseline. In each row of the
table displays the historical learned traffic baseline values (in each unit configured in the
baseline template) of the last N days (N is the configured Learning Period value of the auto
traffic baseline in question). For every daily value learned, there will be a check box for users
to select or deselect the value (Default is selected). Once users deselect a daily value, that
value will not be used as a traffic baseline. In addition, a convenient hyperlink is provided for
you to view the detailed configuration of traffic anomaly detection via clicking on Traffic
Anomaly Detections Incoming / Outgoing. Besides, the button, Clear All Baseline History ,
can be use for clearing all baseline history.
2. Click on Back to List button to return to the Baseline History window of Sub-Network.
3.6.7.2
MSP Customer Baseline History
The information displayed in the Baseline History view list of MSP Customer (See Figure
3.6.7-1). The activation status shown in the Traffic Anomaly-SubNetwork [Incoming / Outgoing]
field indicates whether the anomaly detection is enabled or disabled for the specific MSP
Customer entity. The detected results of traffic anomaly detection will be shown in the Traffic
Anomaly Detection table in detail (See Figure 3.6.7-3).
Figure 3.6.7-3 System Admin / Preferences / Baseline History / MSP Customer Baseline History
Window
180
Figure 3.6.7-4 System Admin / Preferences / Baseline History / MSP Customer -- View Baseline
History Window
Viewing the baseline history of a MSP Customer

1. Click on a (MSP Customer) ID or Name to enter the View Baseline History window of MSP
Customer.
List Table
This part is on the top of the screen. It shows the activation status of anomaly detection of the
selected MSP Customer entity.
Traffic Anomaly Detection View List
If the Traffic anomaly detection is enabled for this MSP Customer entity (in System
Admin/Network/MSP Customer function) and the baseline template is configured as auto (in
Baseline function in System Admin/Network/Template menu), the historical baseline values
will be displayed in this area. Here will only show the Traffic Anomaly Detection information
because only it can apply to auto-learning (dynamic) traffic baseline. Others, Protocol-Misuse
and Application Anomaly Detections can only apply to fixed traffic baseline. In each row of the
table displays the historical learned traffic baseline values (in each unit configured in the
baseline template) of the last N days (N is the configured Learning Period value of the auto
traffic baseline in question). For every daily value learned, there will be a check box for users
to select or deselect the value (Default is selected). Once users deselect a daily value, that
value will not be used as a traffic baseline. In addition, a convenient hyperlink is provided for
you to view the detailed configuration of traffic anomaly detection via clicking on Traffic
Anomaly Detections Incoming / Outgoing. Besides, the button,
Clear All Baseline History ,
can be use for clearing all baseline history.

2. Click on Back to List button to return to the Baseline History window of Sub-Network.
181
3.6.7.3
Filter Baseline History
Click on Filter sub-menu tab to enter the Filter Baseline History window. (See Figure 3.6.7-5)
The information displayed in the Baseline History view list of Filter includes No., ID, (Filter) Name,
Resource Importance, and Baseline Template [Filter; Opposite]. The columns of Filter and
Opposite show which baseline templates the Filter Traffic Anomaly used. The detected results of
traffic anomaly detections will be shown in the Baseline History table in detail (See Figure
3.6.7-6).
Figure 3.6.7-5 System Admin / Preferences / Baseline History / Filter Baseline History Window
Figure 3.6.7-6 System Admin / Preferences / Baseline History / Filter -- View Baseline History Window
Viewing the baseline history of a Filter

1. Click on a (Filter) ID or Name to enter the View Baseline History window of Filter.
List Table
This part is on the top of the screen. It shows the activation statuses of anomaly detection of
the selected Filter.
Baseline History Area
If the Traffic anomaly detection of Filter direction is enabled for this Filter (in Filter function in
system Admin/Network/Filter menu) and the adopted baseline template is configured as
auto (in Baseline function in the System Admin/Network/ Template menu), the historical
baseline values will be displayed in this area. In each row of the table displays the historical
learned peak traffic values (in each unit configured in the baseline template) of the last N days
(N is the configured Learning Period value of the auto traffic baseline in question). For every
daily value learned, there will be a check box for users to select or deselect the value (Default
is selected). Once users deselect a daily value, that value will not be used as a traffic
baseline.
In addition, a convenient hyperlink is provided for you to view the detailed configuration of
traffic anomaly detection via clicking on Filters directions, Filter and Opposite. Besides, users
still can click on the button, Clear All Baseline History , to clear all baseline history.
2. Click on Back to List button to return to the Baseline History window of Filter.
182
3.6.8
Offline Report
Offline Report menu allows users to configure schedule template, which decides when to send
out offline reports, to enable the generation of offline reports for Sub-Network entities, and to
delete the added offline reports. GenieATM now provides offline reports with HTML format via
email delivery only. For most reports under Sub-Network Main Menu, users whose privilege is
sub-network can create offline reports with specific conditions (Please go to the Sub-Network
menu for creating offline reports). With the Offline Report function, users can conveniently obtain
the reports of Sub-Network entities on a regular time schedule via email without on-line access.
Note
If the sub-network is enabled to generate offline report, the users with the Sub-Network
authority can specify the offline reports in the Report/Sub-network function. The configurations
of Offline Report please refer to the Report/Sub-Network section.
After clicking on Offline Report menu displayed on the Sub Menu tree of Preferences at the left
side of the screen, the Scheduler Template management window (the default entered window)
will be shown. Users can see three sub-menu tabs, Scheduler and Sub-Network, appearing
above the screen. (See Figure 3.6.8-1)
Note
Except administrators, the user with the authority of defined by template, superuser, also can
access the Offline Report menu.
Figure 3.6.8-1 System Admin / Preferences / Offline Report / Scheduler Template Management
Window
3.6.8.1
Scheduler Template
Click on the Scheduler sub-menu tab to enter the Schedule Template Management window.
The information displayed in the Scheduler Template view list includes No., ID, Name, Type,
Execution Time, and Offline Report # (including all enabled and disabled offline reports applied
to schedule templates). There are three system default schedule templates: Daily, Weekly, and
Monthly. Users can change default configurations of these schedule templates, but are not
allowed to add new templates or delete the system default templates. The following sections are
going to introduce how to edit and view a scheduler template.
Note
The subject and language type of the Offline Report mail is set in the System in System
Admin/Preferences/Notification function.
183
To edit a scheduler template

Click on icon to enter the Edit Scheduler Template window. (See Figure 3.6.8-2)
Figure 3.6.8-2 System Admin / Preferences / Offline Report / Scheduler -- Edit Schedule Template
Window (Daily Schedule Type)
1. Input a new name to replace the default name in the Name field if desired.
except special characters (!@#$%^&<>?...).
2. Select a time from the drop-down list if desired.
The execution time decides when the system executes the work for offline report generation
and delivery. Select the Hour and Minute from the dropped down list. Users still need to
select the day of week or the day of month if a weekly or monthly schedule template is
modified.
To view the profile of a schedule template

The detail information of the router can be reviewed.
Figure 3.6.8-3 System Admin / Preferences / Offline Report / Scheduler -- View Schedule Template
Window
1. Click on an ID/Name to enter the View Schedule Template window.
pointed ID/Name will turn into blue. The Applied block area shows the information of
Sub-Network entities and the number of created offline report to which this viewed template
applied.
2. Click on Back to List button to return to the Schedule Template Management window.
184
3.6.8.2
Sub-Network
Click on Sub-Network sub-menu tab to enter the Sub-Network Offline Report Management
window. (See Figure 3.6.8-4) The information displayed in the Sub-network Offline Report view
list includes No., ID, Name, Offline Report Scheduler, Offline Report # [Daily; Weekly; Monthly]
and IP Space. The following sections are going to introduce how to enable the offline report
generation of a Sub-Network entity, how to delete the added offline reports, and how to view its
offline report configuration.
Figure 3.6.8-4 System Admin / Preferences / Offline Report / Sub-Network Offline Report
Management Window
To enable the offline report generation of a Sub-Network entity

Click on icon to enter the Edit Sub-Network Offline Report window. (See Figure 3.6.8-5)
Figure 3.6.8-5 System Admin / Preferences / Offline Report / Sub-Network-- Edit Sub-Network Offline
Report Window
185
1. Select Enabled from the Generate Offline Report drop-down list.

The enabling action here will activate the generation and email delivery of the added offline
reports. The default setting is Disabled.
To delete an added offline report

1. Click on the delete icon of which offline report you want to delete. (See Figure 3.6.8-5
above)
2. Click on OK button to remove the added offline report from the Sub-Network entity.
To view the offline report configuration of a Sub-Network entity

The detail offline report configuration of the Sub-Network entity can be reviewed. (See Figure
3.6.8-6)
Figure 3.6.8-6 System Admin / Preferences / Offline Report / Sub-Network -- View Sub-Network
Offline Report Window
1. Click on an ID/Name to enter the View Sub-Network Offline Report window.
pointed ID/Name will turn into blue. The Offline Report block area lists all added offline reports
of this viewed Sub-Network entity.
2. Click on Back to List button to return to the Sub-Network Offline Report Management
window.
186
3.6.9
Remote Update
Remote Update menu allows users to configure the definition update server of GenieATM
system anomaly signatures for the latest definition download. Note that the configuration here is
to set the DNS name of the server but not to execute the update job (Please refer to the
Anomaly menu in the System Admin / Network function for details). Click on Remote Update
menu displayed on the Sub Menu tree of Preferences at the left side of the screen to enter the
Remote Update management window. (As presented at Figure 3.6.9-1)
Note
Except administrators, the user with the authority of defined by user, superuser, also can
access the Remote Update menu.
Figure 3.6.9-1 System Admin / Preferences / Remote Update Management Window
To edit the Default Configuration of Remote Update

1. Click on Edit button, a management window will pop up. (See Figure 3.6.9-2)
2. Enable or disable the daily auto-checking of the latest system anomaly signatures by clicking
on the Automatically Check For Remote Update check boxes.
Default is Enabled.
3. Enter the IP address or host name of the server desired in the Remote Server blank.
The default server name is update.genienrm.com.
Figure 3.6.9-2 System Admin / Preferences / Remote Update -- Edit Default Configuration of Remote
Update Window
187
3.7
Report Rebuild
GenieATM provides a convenient function that allows users to rebuild rule-based Filter reports of a
specific time period. The rebuilding data source is the saved rawdata in the system. Once users
rebuild rule-based reports of a Filter, the TopN reports under the Filter will be also rebuilt and old
reports of the Filter within the time period will be overwritten by the rebuilt reports.
Click on Report Rebuild menu displayed on the Sub Menu tree of System Admin at the left side
of the screen to enter the Report Rebuild window. (As presented at Figure 3.7-1) There are five
parts in the Report Rebuild window:
Last Request: this part displays the result and detail information of the latest report-rebuilt
request. There are four statuses might display here: Processing, Completed, Aborted, or Failure.
Historical Request: this part displays historical report-rebuilt requests successfully added, and
allows users to view the detailed configuration of requests and to delete the added requests.
System: this part will be displayed below the Last Request block area only after users submit a
new request. It will show the result of adding the request.
Last Request Status: this part will be displayed below the Last Request block area only after
users click on Get Last Request Status button. It will show the detailed information and
processing result of each Collector, which are selected to provide rawdata for the rebuilt report.
The Status column has four kinds of statuses: Processing, Completed, Aborted, and Failure.
Abort Last Request: this part will be displayed below the Last Request block area only after
users click on Abort Last Request button. It will show the result of aborting the request.
Note
Only the user with the authority of administrator or superuser can access the Report Rebuild
menu.
Figure 3.7-1 System Admin / Report Rebuild Window
Adding Report-rebuilt Request

Click on Add New Request button to start the processes of adding a new report-rebuilt
request (as presented in Figure 3.7-2). The following descriptions are four main steps needed to
complete a new request.
Note
The system only allows one report-rebuilt request processing at a time. The
Add New Request button will be disabled when a request is processing.
Figure 3.7-2 System Admin / Report Rebuild Adding a New Request Window
188
Step 1. Click on <<Check>> button in the Checking System Configuration block area to
check if the current system configuration equals the last dispatched configuration (The symbol
!= means not equal).
When the current system configuration is not consistent with the last dispatched configuration,
the system will not allow you to add report-rebuilt requests (The Browse button will be
disabled and Step 2 will not be able to proceed).
Step 2. Click on Browse button to specify the Collectors of data source and the time duration
for the rebuilt report.
After you click on Browse button, a Rawdata File window will pop up (as presented in
Figure 3.7-3). First of all, select year and month from the Date Used to Update drop-down lists
to display all Collectors daily rawdata status of the entire month (Gray: No Data; Yellow:
Incomplete Data; Green: Complete Data). Check on the check boxes to specify Collectors.
And then click on a radio button of a date that you want to be your start date of the time
duration and then press <<Update button of Start Time to update the start time. Same to
the end time, click on a radio button of a date that you want to be your end date of the time
duration and then press <<Update button of Until. Note that the end time cannot be earlier
than the start time. After you finish specifying the Collectors and time duration, click on
Submit button. All specified information will be updated in the Input Time Duration And Pick
Up Collector block area of Step 2.
Figure 3.7-3 System Admin / Report Rebuild Rawdata File Window

Step 3. Select Filters from the Available Filters list box.
You can select a Filter in the Available Filters list box each time and then click on <<Add
button to add the Filter to the Selected Filters list box at the left side. Use Remove>> button
to remove one selected Filter per time or Remove All button to remove all selected Filters
at a time from the left-hand Selected Filters list box. All configured Filters in the system will be
displayed in the Available Filters list box.
Step 4. Enter the description for the report-rebuilt request in the Description field and then click
on Submit button to complete and submit the request. Be aware that the description here
cannot be duplicated.
Looking Up Last Request Status

A look-up function is provided for users to check each selected Collectors processing result of
the last request. Click on Get Last Request Status button to get related information (as
presented in Figure 3.7-4) and the Last Request Status block area will displayed above the
Historical Request view list. Please read the following descriptions for details.
189
Figure 3.7-4 System Admin / Report Rebuild Looking Up Last Request Status Window

Request ID: a numerical ID assigned by the system for identification.

Date/Time: submitted date and time of the last report-rebuilt request.
No.: a sequence number given by the system to control the listing.
Collector ID: identification number of Collector assigned by the system.
Name: Collector name and its IP address.
Status: current processing status of retrieving rawdata from Collector.
Details: detailed information for the processing status of retrieving rawdata.
Aborting Last Processing Request

GenieATM provides a function to terminate a processing report-rebuilt request. This function is
only available when a request is processing (See Figure 3.7-5). Please follow steps below to
abort a processing request:
Figure 3.7-5 System Admin / Report Rebuild Aborting Last Request Window
1. Click on Abort Last Request button to terminate the process of the last report-rebuilt
request.
Once you click on this button, an Abort Last Request block area will be displayed above the
Historical Request view list to tell you if the abortion is completed or not. The system will
indicate the reason if the abortion is failed.
Deleting Historical Request

With this function, users can delete the useless historical report-rebuilt request in the system.
Please follow steps below:
1. Click on Delete button of the historical request that you want to delete.
After you click on this button, a confirmation dialog box will pop up.
2. Click on OK button to confirm the deletion.
Once you click on OK button, the system will remove this request from the Historical
Request view list.
190
Status
Status menu provides users the overall information about the event summary and the system profile.
A Summary Report with the concise information including the brief anomaly event statistics tables,
the top N ongoing Anomalies, the top N most recent Alerts, the total number of anomalies, the
system utilizations, and the utilizations of Cisco Guard devices is presented for users to precisely
understand the general situation of the system. An Anomaly Console and an Alert Log functions are
also provided for users to query all events with many kinds of searching filters. With this function,
administrators can manage the system and their networks more effectively. When users click on the
unfolding mark of Status, all its sub menus will be unfolded including Summary, Anomaly Console,
and Alert Log.
4.1
Summary
Summary menu presents some significant traffic statistics and information in these tabs: Global:
Anomaly Statistics, Ongoing Anomalies, and Most Recent Alerts; MSP Server: Anomaly Statistics
and Ongoing Anomalies of the MSP Server; Anomaly: Summary Report; System: System Status,
FLB Status and Cisco Guard Status. The reason to gather these data that users might want to
know urgently together is to ensure that users can presently understand the entire situation. The
refreshing time period of this page is decided by the configuration of Status Page Refresh
Period in the Preferences/Status function. The configurable values are from 1 minute to 10
minutes. Resources: display the number of configured resources and the maximum number that
the system supports.
Click on Summary menu to enter the Status Summary window (See Figure 4.1.1-1) and refer to
the descriptions below for details.
4.1.1
Global
The reports listed in the Global sub function are as follows (See Figure 4.1.1-1):
Anomaly Statistics: there are two briefly anomaly statistic table provided here to report
useful anomaly event statistics. It is briefly reporting the total numbers of the ongoing
anomalies and the anomalies detected in the last 24-hour (including how many are Yellow
severity level and how many are Red severity level).
Ongoing Anomalies: a list table that reports the latest ongoing N anomaly events. The N
value is decided by the configuration of The Maximum Number of Most Recent Ongoing
Anomalies in the Preferences/Status function. The configurable values are from 3 to 20
(Default is 5). The information displayed in the table includes events ID, verification check
box, traffic line chart, severity level, when the anomaly event started, events duration,
anomalys direction, which type the anomaly is, and which resource the anomaly cautioned.
Most Recent Alerts: a list table that reports the most recent N alerts. The N value is decided
by the configuration of The Maximum Number of Most Recent Alerts Displayed in the
Preferences/Status function. The configurable values are from 3 to 30 (Default is 10). The
information displayed in the table includes when the alert issued, which type the alert is, which
resource the alert cautioned, and the further description about the alert.
191
Figure 4.1.1-1 Status / Summary / Global Window
192
4.1.2
MSP Server
The reports present the anomaly traffic gathered from all MSP Servers. Click on MSP Server
sub-menu tab to enter the management window of MSP Server.
The reports listed in the MSP Server sub function are as follows (See Figure 4.1.2-1):
Anomaly Statistics: there are two briefly anomaly statistic table provided here to report
useful anomaly event statistics. It is briefly reporting the total numbers of the ongoing
anomalies and the anomalies detected in the last 24-hour (including how many are Yellow
severity level and how many are Red severity level).
Ongoing Anomalies: a list table that reports the latest ongoing N anomaly events. The N
value is decided by the configuration of The Maximum Number of Most Recent Ongoing
Anomalies in the Preferences/Status function. The configurable values are from 3 to 20
(Default is 5). The information displayed in the table includes events ID, verification check
box, MSP Server, severity level, Start Time, Duration, anomalys direction, Type (which type
the anomaly is), and Resource (which resource the anomaly cautioned).
Figure 4.1.2-1 Status / Summary / MSP Server Window
4.1.3
Anomaly
Click on the Anomaly sub function to enter the Anomaly Window (See Figure 4.1.3-1). The Anomaly
report display the total counts of three important types of anomaly events (Unexpected Traffic,
DDoS/DoS Attacks, and Worms) in the last 24-hour (including how many are Yellow severity level
and how many are Red severity level). The Unexpected Traffic event is actually Traffic Anomaly
plus Interface Traffic anomaly; the DDoS/DoS Attack event is Protocol-Misuse anomaly; and the
Worm event is Application anomaly.
193
Figure 4.1.3-1 Status / Summary / Anomaly Window

194
4.1.4
System
Click on the System sub function to enter the System Window (See Figure 4.1.4-1) and refer to the
description below for details.
Figure 4.1.4-1 Status / Summary / System Window
System Status: a list table that reports the latest performance profiling statuses of Controller,
Collectors, and MSP Server (shows when the system supports MSP module) ,and their
associated routers the messages of hardware (status and events). their associated routers
and the messages of hardware (status and events). It allows users to look up the utilizations
of devices not only in real-time but also in the past. In addition, clicking on the Report
button also can present a line chart report for the CPU usage, memory usage, and DB Disk
usage.
Hardware
There are two buttons, Status and Events, to display the hardware messages. The
messages from hardware status and events are implemented by the hardware manufacturer.
Click on the Status button to display the status of sensed hardware (See Figure 4.1.4-2).
The Status report of the Hardware displays these information including Sensor Name,
Present (status), Entity ID, and Current Reading.
Click on the Event button to show the events of the devices hardware (See Figure
4.1.4-3). The Events report of the Hardware lists these information including No., Date/Time,
Source, Description and Direction. Users still can set the display entries in a page via
selecting the number from the dropped down list above the list table.
Note
Users still can show the hardware messages via the CLI command, ipmitool shell, in the
enable mode.
195
Figure 4.1.4-2 Status / Summary / System / Controller Hardwares Status Report
Figure 4.1.4-3 Status / Summary / System / Controller Hardwares Event Report
Report
After users click on Report button, a pop-up window will be shown (See Figure 4.1.4-4). In
this window, users can see two parts: Query Bar and Report Chart.
Report Chart
There are four line charts displayed here: CPU Usage, Memory Usage, DB Disk Usage. The
first one is the CPU utilization chart; the second one is the memory utilization chart; the third
one is the chart about DB disk utilization. The X-coordinate of represents time and will be
converted according to the time period selected by users. The Y-coordinate of CPU,
Memory and DB Disk Usage charts represents the percentage of the utilization.
Query Bar
This part is located on the top of the screen and contains condition options below:
Collector: Collectors id, name, and IP address.
Time Period: daily, weekly.
Until: year, month, and date.
Go: after finishing the query conditions, click on this button to submit the query.
Cancel: click on this button to cancel the query and close the pop-up window.
196
Figure 4.1.4-4 Status / Summary / System / Controllers Status Window

FLB System Status: except the data listed in FLB System Status table is different, other
descriptions are almost the same as System Status. Please refer to above descriptions to get
the detail description.
Cisco Guard: a list table that reports the latest performance profiling statuses of Cisco Guard
devices. It allows users to look up the utilizations of devices not only in real-time but also in
the past. A Report button is provided to present a line chart report for the CPU usage,
memory usage, bps traffic, and pps traffic for each configured Cisco Guard device. After users
click on Report button, a pop-up window will be shown. It will be similar with reports of
Controller and Collector in System Status. Please see their descriptions above for reference.
197
4.1.5
Resources
The Resources Summary viewing list displays the resources information here. The Resources
Summary view list includes Resource, System Limit Description, Configured and Limit (see figure
4.1.5-1). The number of the configured resources and the limited number of each resource are
showed. In addition, the records with underline in the configured column can be clicked to view the
detail information (see the figure 4.1.5-2).
Figure 4.1.5-1 The Resource Summary Viewing List
Figure 4.1.5-2 The Further Viewing List of Collector Resource
198
4.2
Anomaly Console
Anomaly Console menu is mainly to provide various reports of anomaly events through Anomaly
Console. Anomaly Console sub function allows users to list out a variety of anomaly events
detected via several searching filters, provides summary and detailed traffic characteristics for
each detected anomaly event, and is able to generate appropriate ACL (Access Control List)
commands as suggestions for network operators.
After clicking the Anomaly Console menu displayed on the Sub Menu tree of Status at the left
side of the screen, users will enter the Anomaly Console window (the default entered window) and
see the sub-menu tabs, Global and MSP Server, appearing above the screen (See Figure 4.2-1).
Note
When the system supports the MSP module (value-added function), the tab, MSP Server, will
show.
4.2.1
Global
Click on Global sub-menu tab to enter the Anomaly Console Querying window (See Figure 4.2-1).
The default sorting way to list the anomaly events is descending according to the ID number.
Figure 4.2-1 Status / Anomaly Console / Anomaly Console Querying Window

NO.: a sequence number given by the system to control the listing.
ID: an identification number assigned by the system to recognize anomaly events.
CHK: a check box used to help users to know those anomaly events which have been looked
over. Click on the check box in the front of the row to check the anomaly event.
Traffic: a line chart that shows a 2-hour (starts from the event start time) traffic statistic chart.
Clicking on the chart can enter to the Summary Anomaly Report window.
199
Severity: three pieces of information are shown in this field. Firstly, the severity degree in terms
of Yellow/Red of the anomaly is shown; following displays the detected traffic rate at which the
event was determined as the previous severity degree; finally the event threshold value
configured for this anomaly event is shown.
Status: the present status of an anomaly event that could be ongoing, recovered, or obsolete.
Start Time/End Time: the beginning time/close time of an anomaly event. The displaying format
is mm-dd hh:mm (e.g. 08-18 15:12). If an anomaly event is not recovered, there shows no end
time.
Duration: a time period that represents how long an anomaly event lasts. The displaying format
is 00 hours / 00 mins / 00 secs (e.g. 27 hours / 37 mins / 42 secs).
Direction: the traffic direction of an anomaly event.
Type: a category plus an anomaly type and with a monitored traffic statistic object (e.g. Traffic
Anomaly by bps / Protocol-Misuse with TCP SYN Flooding by pps / Application with Code Red
by pps).
Resource: the detection scope of a detected anomaly event and its related information. For
Traffic anomaly, here will show resource type and the resource name of detection scope only.
For Protocol-Misuse and Application anomalies, if the resource type is Global, then here will
show resource type and Global type, Home or Non-Home (Home indicates the host IP address
of detected anomaly event belongs to Home and Non-Home indicates the host IP address of
detected anomaly event belongs to outside of Home.), and event-triggered host IP address; if
the resource type is Sub-Network, then Home or Non-Home will be replaced by resource name
and other information will be the same.
Querying Anomaly Events & Reading Summary/Detail Anomaly Report

Specify one or more filters below to search anomaly events you want to query from the
following drop-down lists and then click on the Go button.
Resource Type: to select a specific resource from the drop down list.
Note
Except selecting Resource Type, All, there is a field appeared for you to select a specific
entity. If the number of entity is over 20, then a button will be available to browse.
Category: to specify a specific kind of anomaly events. This searching filter will be converted
according to the resource type selected.
For example: When user select resource type as Sub-Network, the available options will
have All (default), Traffic, Protocol-Misuse, and Application anomalies.
Anomaly Type: the options in the drop-down list are based on the Category specified to
display possible anomaly types. The default value is All.
Traffic Direction: to select a specific traffic direction of anomaly events from the drop down
list.
Minimum Severity: to specified the minimum severity degree of anomaly events. For
example, when Yellow is selected, all events with Yellow or Red severity level will be shown.
Anomaly Status: to define the status of anomaly events from the drop down list.
Victim/Infect IP: to list all anomaly events with/within a specific victim or infected IP
address/range. Please input an IP address or range with CIDR format (eg.
192.168.10.0/25).
Time Range: a flexible way to specify the time interval for displaying report. There are ways
provided to specify the time interval in the system: one is Time Range and the other is Time
Period (Please see the description below for details). Once users choose this way, please
specify the start time and end time of analysis report from the Start Time and Until
drop-down lists.
200
Time Period: daily, weekly, monthly, and quarterly. This is another way different from Time
Range to specify reports time interval. In this way, the fixed time interval are provided to
present analysis report with an end time specified from the Until drop-down list. Once users
choose this way, the Start Time drop-down list will be unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of
reports time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date time table. After clicking on Start
Time, the year-month-date time table will be shown. Specify the year and month from the
drop-down lists in the time table, select the date by using your cursor to click on (the
selected date will be highlighted), and then click on the OK button. Or click on the
Cancel button to close the time table. Specify the time from the time drop-down list after
finishing the selections of year, month, and date. If users choose the Period way to specify
the reports time interval, this drop-down list will be unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of reports
time interval. Please refer to the Start Times description above for operation.
The system will list all anomaly events detected in the Anomaly Console view list according to
the filters you specified.
Action Buttons Description
Note
1. Page-control buttons are above the view list:
total pages.
2. An Anomaly ID searching function is provided. It is located next to the Page-control
buttons and above the view list. Users can input the ID of the anomaly event in the
Anomaly ID blank and then press the View button to quickly find out a specific anomaly
from plenty of listed anomalies. The Summary Anomaly report of the searched anomaly
will pop up (Please refer to the descriptions below for details.)
3. A Rows per Page drop-down list is provided to control the displayed entries per page of
the Anomaly Console view list. The number 10 with an asterisk means the default value.
[Summary Anomaly Report Description of Sub-Network Resource Type]

Click on an ID number/traffic line chart in ID/Traffic column to read the summary report of the
clicked anomaly event.
A window with the Summary Anomaly Report title will pop up after the clicking. There are
some differences between the reports of Global, Sub-Network, Filter, and Interface resource
types, but the way to read these reports is generally quite the same. Therefore, we will only
introduce couple types of them in the following. For Sub-Network resource type, please refer
to Summary Anomaly Report Description of Sub-Network Resource Type part and see Figure
4.2-2; for Filter resource type, please refer to Summary Anomaly Report Description of Filter
Resource Type part and see Figure 4.2-5. Regarding Global type, please refer to the
descriptions of Sub-Network type; regarding Interface types, please refer to the descriptions of
Filter type.
Note
The summary anomaly report, which Category field is specified as Traffic has no
information of Traffic Characteristics and Network Elements fields. In addition, the Detail
button is also unavailable for the summary anomaly report, which Resource Type field is
specified as Filter or Interface.
201
Figure 4.2-2 Status / Anomaly Console / Summary Anomaly Report Window (Sub-Network Resource
Type)
Anomaly Event List Table
This part is on the upper area of the screen. It shows the brief information of the clicked
anomaly event. For details, please refer to the descriptions in Figure 4.2-2.
There are buttons located at the right-upper corner above the list table and a Cripple Attack
check box is in the ID filed of the list table. The descriptions are as follows.
View Raw Flow : this button is used to view all received raw flows of the clicked anomaly
event from routers. Once users click on this button, an Anomaly Raw Flow pop-up window
will show and display raw flows for all routers. Users can use Download button to
download the raw flow file in a desired storage.
Forced Obsolete : this button is used to obsolete an anomaly event when users consider
the event not worthy to trace for some exceptional issues. Once users click on this button, the
anomaly event will be obsolete. If the traffic detection related to this anomaly is still going and
the detected traffic is large than the anomaly threshold, a new anomaly event will be created
since the original one has been obsolete.
Details : this button is used to display the detail report of the clicked anomaly event. Once
clicking on this button, users will enter the Detail Anomaly Report window. Please refer to the
descriptions below for the detail anomaly report.
Cancel : clicking on this button can close the Detail Anomaly Report pop-up window.

Cripple Attack : this check box is used to manually disable the clicked anomaly event.
Once users check on this check box, the system will count this event traffic in the calculation
of traffic baseline. This function is only applied to tickets triggered by auto-learning baseline.
Traffic Line Chart
A traffic line chart with a timer controller is provided for users to query a specific time period
traffic statistics of the monitored anomaly event. Select the start time
(year/month/date/hour/minute) and the duration (hour) from the drop-down lists, and then click
on Go button to submit the query. The default start time in this time controller is the start
time of the queried anomaly event, and the duration of the drop-down list is 0.25hour
(15minutes).
Remarks
This Remarks column is used to record additional information relevant to the anomaly events.
Up to 800 characters are available. The Update button will be clickable after any characters
are inputted.
202
Traffic Characteristics
This part will display the latest top N traffic analysis statistics of traffic characteristics items of
the queried anomaly event by bps and pps. There are some certain formulas used to
determine the N value. According to different anomaly types, different Traffic Characteristics
items will be displayed.
Network Elements
This part will display the latest Top N routers with input-interface and routers with
output-interface which are most impacted by the traffic of the anomaly event queried. The Top
N analysis statistics are provided with bps and pps units.
Mitigation
This part will display the information of all added mitigation actions for the detected anomaly
event (Only 1.Incoming traffic direction; 2. High Watermark is over a specific amount; 3.
Sub-Network resource types with Traffic Anomaly, Protocol-Misuse, or Application type). Click
on Add button to add new mitigation action, an Add Mitigation window will pop up. Specify a
mitigation method from the Method drop-down list and then provide all requested information.
For more details, please refer to the Hardware Mitigation and Blackhole section of
Mitigation.
[Detail Anomaly Report Description of Sub-Network Resource Type]
Figure 4.2-3 Status / Anomaly Console / Detail Anomaly Report Window (Sub-network Resource
Type)
203

This part shows the information of the anomaly Evert and is the same as the Anomaly Event
Brief in Summary Anomaly Report.
There are buttons located at the right-upper corner of the screen:
Back : clicking on this button can go back the Summary Anomaly Report window.
Cancel : clicking on this button can close the pop-up window.
Traffic Line Chart
GenieATM will combine the traffic statistics from the routers, which enables traffic detection for
the queried Sub-Network, in this chart. Therefore, more than one traffic line may be displayed
here. Users can compare the differences between multiple routers about the traffic of this
Sub-Network. The color marks indicate the traffic from which router. For other details, please
refer to the Traffic Line Chart part of Summary Anomaly Report Description of Sub-Network
Resource Type above.
The system provides view points for users to understand the evolution of the selected anomaly
event in terms of its traffic characteristics at different time points (sorting by per minute).
In addition, the Detail Anomaly Report window also provides the functions that allow users to
link to the Snapshot menu with the provided anomaly traffic characteristics and view the ACL
commands generated by the system. These functions are implemented by the Snapshot
and Generate ACL buttons. Please follow the steps below:
Linking to Snapshot Menu
1.
2.
Decide one or more analyzed traffic characteristics as the snapshot analysis criteria
and click on the Lock check boxes (at the end of the rows) of the decided traffic
characteristics.
Click on Snapshot button.
A Snapshot window with the analysis criteria you checked will pop up after the clicking.
For Sub-Network resource, the snapshot scope of this page will be locked as the
Sub-Network entity of the queried anomaly event. Since the most operations are the
same as the Snapshot main menu, please refer to Snapshot menu (on the Main Menu
tree) for more detail function information.
Generating ACL Commands

1.
2.
3.
Decide one or more traffic characteristics as the target that you want to lock and click
on the Lock check boxes (at the end of the rows) of the decided traffic characteristics.
Click on Generate ACL button.
An ACL Generate Tool window will pop up after the clicking (See Figure 4.2-3). The
Configuration part in this window will show the traffic characteristics you checked on
the previous step. It also allows you to do the tuning by manual configurations here
before populating the ACL commands.
Click on Update button in the ACL Generate Tool window to generate ACL
commands. (Please see Figure 4.2-4)
After you press the button, the system will generate appropriate ACL commands
according to the traffic characteristics you selected and show the commands in the
Result text box. A Router Type drop-down list is provided in order to meet different
needs of ACL commands for different router brands (Cisco / Juniper / Foundry). With
different router types selected, the system will generate different ACL commands for
users. Note that TCP Flag is only available for the Cisco router type.
204
Figure 4.2-4 Status / Anomaly Console / Detail Anomaly Report -- ACL Generate Tool Window
[Summary Anomaly Report Description of Filter Resource Type]
Figure 4.2-5 Status / Anomaly Console / Summary Anomaly Report Window (Filter Resource Type)
The following only describes Filter resource types summary anomaly report.
Display the information of the selected anomaly event.
Traffic Line Chart
GenieATM will combine the traffic statistics from the routers, which enables traffic detection for
the queried Filter, in this chart. Therefore, more than one traffic line may be displayed here.
Users can compare the differences between multiple routers about the traffic of this Filter. The
color marks indicate the traffic from which router. For other details, please refer to the Traffic
Line Chart part of Summary Anomaly Report Description of Sub-Network Resource Type
above.
205
4.2.2
MSP Server
This report presents the anomaly traffic gathered from all MSP servers. Click on MSP Server
sub-menu tab to enter the Anomaly Console window of MSP Server (see the figure 4.2-6).
The default sorting way to list the anomaly events is descending according to the ID number. Users
can click on the ID of the entry to view the Summary Anomaly report.
Except the some of the field name are different, the descriptions of the operation steps or reports are
the same as the data in the Global section in the Status / Anomaly Console.
Figure 4.2-6 Status / Anomaly Console / MSP Server Anomaly Console Querying Window
206
4.3
Log
Log menu presents a variety of alert events issued and their recoveries generated from the system.
Here displays three types of the logs, Alert Log, Mitigation Log and Login Log. Alert Log records
the system status that are abnormal or in fail. Mitigation Log records the status and action of the
anomaly to mitigate. Login Log records the status that user accounts access the system. Please
refer to the following sections to get detail descriptions.
4.3.1
Alert Log
An alert is used to inform users the significant status change or failure with severity. For the same
resource with the same cause, an alert will only be generated once. Doing so is to prevent
delivering mass emails and traps. The following alert types are supported:
SNMP Polling: alerts associated with the SNMP polling module. Two causes -- one is due to
SNMP failure or recovery; another is due to traffic threshold crossed by SNMP polling
information.
Module Monitoring: when a module went up or went abnormal/down (Operation Status changed).
BGP Monitoring: when any of the following situations happens -- Hijack warning, BGP updates
crossing threshold.
Configure Manager: when the download of configuration changes to a module failed.
Collector: when any router under a Collector had not exported any NetFlow for more than some
specific time (i.e. 5 minutes)
Click on Alert Log menu to enter the Alert Log Querying window (See Figure 4.3.1-1). The
information displayed in the Alert Log view list includes No., Alert Time, Alert Type, Resource
Name, and Description. The default sorting way to list the alert logs is descending according to the
alert time. Users can sort the alert logs ascending or descending by clicking on or .
Note
If an alert has recovered, the system will issue an alert recovery log.
Figure 4.3.1-1 Status / Alert Log / Alert Log Querying Window

Querying Alert logs
1. Specify an alert type you want to query from the Alert Type drop-down list.
The system will list all alert logs issued by the type you specified in the Alert Log view list
(Default is All).
2. Specify a time period for the alert logs you want to query from the Opened In drop-down list.
There are 10 time periods to select: 1 day, 2 days, 7 days, 1 month, 2 months, and 3 months.
The default value is 1 day. Working together with the Until time, a specific time period can be
defined. All alert logs issued within the time period will be shown in the Alert Log view list.
207
3. Select the end time for the time period you specified from the Until drop-down list.
The end time includes Year, Month, and Date. The system will list all alert logs from the date
you selected backward to the time period you specified. For example, if you specified 7 days
as your time period and selected 2005/8/11 as your end time, the system will list all login logs
from 2005/8/11 backward to 2005/8/5.
4. Select a number that you want to display the alert logs per page from the Alerts Per Page
drop-down list.
The configurable values are 10, 15, 20, 25, and 30 (Default is 15).
5. Click on Go button to submit your query.
4.3.2
Mitigation Log
Click on Auto-Mitigation Log sub-menu tab to enter the Auto-Mitigation Log Querying window
(See Figure 4.3.2-1). The information displayed in the Mitigation Log view list includes No.,
Mitigation (ID/Execution Time), Protected IP/Prefix, Related Anomaly (ID/Resource), Device
Type, Cisco Guard | Next Hop (Zone | Community), Action, Result(Cause Failure), Operator. The
default sorting way to list the logs is descending according to the No (system auto generates).
Figure 4.3.2-1 Status / Log -- Mitigation Log Querying Window

NO.: a sequence number given by the system to control the listing
Mitigation
ID: an identification number assigned by the system to recognize the Mitigation action
Execution Time: record the date and time that the system starts to perform the auto-mitigation.
Protected IP/Prefix: record the Protected IP/Prefix.
Related Anomaly
ID: an identification number assigned by the system to recognize the anomaly event
Resource: record the routers name.
Device Type: record the device type that may is blackhole, Cisco Guard, or Eudemon.
Cisco Guard | Next Hop
Zone | Community: record the zone and community to which the protected IP is belonged.
Action: record current status of the action, start or stop.
Result (Cause of Failure): present the status of the execution result, Failed/Success.
Operator: record user account that performs the mitigation.
Querying Mitigation Log

1. Users can search the specified logs via set the following parameters and then click on the
Go button.
Time Range: a flexible way to specify the time interval for displaying report. There are two
ways provided to specify the time interval in the system: one is Time Range and the other is
Time Period (Please see the description below for details). Once users choose this way,
please specify the start time and end time of analysis report from the Start Time and Until
drop-down lists.
208
Range to specify reports time interval. In this way, five fixed time interval are provided to
year/month/date drop-down lists or a year-month-date time table. After clicking on Start
Time, the year-month-date time table will be shown. Specify the year and month from the
drop-down lists in the time table, select the date by using your cursor to click on (the
selected date will be highlighted), and then click on the OK button. Or click on the
Cancel button to close the time table. Specify the time from the time drop-down list after
finishing the selections of year, month, and date. If users choose the Period way to specify
the reports time interval, this drop-down list will be unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of reports
time interval. Please refer to the Start Times description above for operation.
Anomaly ID: to list all anomaly events. Please input the ID (eg. 24035).
Protected IP/Prefix: to list all Protected IP address/Prefix. Please input an IP address or
range with CIDR format (eg. 192.168.10.0/25).
2. User also can directly click on an ID of Anomaly or Mitigation to viewing the records.Login Log.
Click on Login Log sub-function tab to enter the Login Log Querying window. (See Figure
4.3.3-1)The information displayed in the Login Log view list includes No., User ID, Login Method,
Last Login IP, Last Login Time, and Last Logout Time.
Figure 4.3.3-1 Status / Log / Login Log Querying Window
Querying Login logs

1. Specify a time period for the login logs you want to query from the Time Period drop-down list.
There are three time periods to select: daily, weekly, and monthly. The default value is
Weekly. All login logs in the specified time period will be shown in the Login Log view list.
2. Select the end time for the time period you specified from the Until drop-down list.
The end time includes Year, Month, and Date. The system will list all login logs from the date
you selected backward to the time period you specified. For example, if you specified weekly
as your time period and selected 2005/8/15 as your end time, the system will list all login logs
from 2005/8/15 backward to 2005/8/9.
3. Click on Go button to submit your query.
The default sorting way to list the login logs is descending according to the last login time. You
can also sort the login logs according to the user ID, last login IP, or last logout time either
ascending or descending by clicking on or .
209
Snapshot
The Traffic Snapshot function of GenieATM is designed for instant flow analysis and presents the
instant flow status of the specified network range in a TOP N report. GenieATM provides two kinds of
analyzed data sources, cache and rawdata files. The rawdata source provided can meet the needs
on analyzing a specific time period in the past. Users are also allowed to export or import the analysis
configurations of scope, criteria, and aggregation. With the configuration of analysis criteria, users
can sieve out some specific traffic from the entire traffic for Top-N analysis. In addition, users can
configure the N value of the TOP N report according to the needs (default value is 10 and the
maximum is 120). Click on the Snapshot menu to enter the Snapshot management window as
presented in Figure 6-1. In following sections, we will introduce how to conduct various data mining
with the Snapshot function and describe the Snapshot (Instant) Top N report content.
Figure 5-1 Traffic Snapshot Management Window
Operation Procedure to Query Snapshot Reports

1.
Specify Data Source

Select Cache or Rawdata File data source from the Data Source drop-down list. No matter
which data source is selected, users must restrict the snapshot traffic to the traffic flows collected
within specific time duration backwards from the submitting moment (if the Cache data source is
selected) or the start time (if the Rawdata File data source is selected). Input time duration (the
configurable time duration is from 1 sec to 86400 secs) into the Time Duration field and the
time-out period from the Time Out drop-down list. If the Rawdata File is selected, users must
specify a start time and a period of time-out. Select the year, month, date, and time separately
from the Start Time drop-down list. The time-out period decides how long the system would stop
to retrieve the rawdata and display the analyzed result. Its default value is 20 seconds and the
longest period is 120 seconds. Be aware of that the selected start time must be the past time.
210
2.
Specify Traffic Scope

entity from another drop-down list. There are several types of network scopes to select. The
drop-down list of network entity will display different network entities according to different
network scope types selected, except the ANY and Home (they has no need to specify a
network entity). The inspected traffic will be restricted by the specified traffic scope (i.e. only
traffic flows belong to the scope specified will be inspected by the Snapshot analysis). A Browse
function here, which can conveniently browse and search a specific network entity or object, is
provided. Please refer to Browse Helper part below for details. After specifying the traffic scope,
users also need to select a traffic direction (In, Out, or Both) from the Traffic Direction drop-down
list except for the Filter scope. If the Filter scope is selected, the options will be Filter Direction,
Opposite Direction, or Both. In addition, when the ACL-based sFlow is selected, the Traffic
Direction field is blank.
Further more, users have to select the IP version from the drop down list and there are IPv4,
IPv6, or Both for users to specify.
Browse Helper
This browse helper can help users quickly seek out a specific target from plenty of objects and
this function is only available for the Filter scope types. The object type of browsing will be
converted according to the selected scope type. After clicking on Browse button, an
interactive window will pop up.
Searching: this drop-down list displays all searching filters.
Filter: Filter ID, Filter Name/Remarks.
for blank: input key word in this blank after select a type of searching filter.
Go : click on this button to start the key-word searching.
Page-control buttons and the Page drop-down list:
numerator represents the page you are going to list and the denominator represents the total
pages.
Entries/Page drop-down list: to control the displayed entries per page of the Application view
list. There are five options to select: 10, 20, 30, 60, and 120. The number 20 with an asterisk
means the default value.
Radio button: click on the radio buttons to select a wanted or searched object from the view
list.
Submit : after selecting the object wanted or searched from the view list, click on this button
to send the request.
Cancel : click on this button to close the pop-up window.
3.
211
Specify Analysis Criteria

Users can set the analysis criteria basing on their requirements to further restrict the scope of the
traffic to be analyzed. The analysis criteria are described as the following: (Note that the
configuration field of each analysis criterion will be displayed in the Detail area only when the
criterion check box is checked.)
(1) Protocol/Port
Users can restrict the snapshot traffic to the traffic with specific source, destination, or source
& destination combinations of protocol and port. Input the protocols and ports in the
Source/Input Interface and Destination/Output Interface of the Protocol/Port fields, and use a
comma to separate every two inputs if multiple combinations of protocols and ports are
inputted.
Example Check on the Protocol/Port check box and input tcp/80 in the Source/Input of
Protocol/Port field if the www application is required as the analysis criteria of the collected
flow data.
(2) Interface
Users can restrict the snapshot traffic to the traffic with specific source, destination, source &
destination interfaces. Please see the following instructions to configure the interface criteria:
Click on Browse to display device interface information (as presented in Figure 5-2).
Select a router group from the Router Group drop-down list.
Select a flow exporter (router) from the Router drop-down list.
Check on check boxes to select input/output interfaces of the flow exporters and click on
Add to add the interface to the Source/Input Interface or Destination/Output Interface of
Interface field. To uncheck the check boxes, please click on Reset button. To close the
window, please click on Cancel button.
Example If users want to collect the flow data whose source or destination interface is
Router1.11 of the device, Router 1 (Router 1 does not belong to any router group), check on
the Interface check box, select All Routers from the Router Group drop-down list, select the
device, Router 1, from the Router drop-down list, and click on the input and output check
boxes of the interface Router1.11. Then, click on the Add button to add the interface in the
text field.
Figure 5-2 Snapshot -- Device Interface Management Window

(3) Application
Users can restrict the snapshot traffic to the traffic with specific source, or destination
application. Select the application from the Source/Input Interface or Destination/Output
Interface of Application drop-down list. Note that users can only specify one of them (source or
destination) to analyze.
Example Select HTTP application from the Destination/Output drop-down list if users want
to analyze the web service traffic.
212
(4) IPv4
When users define the IP version as IPv4 or Both in the Scope field, this field is available for
specify. Users can restrict the snapshot traffic to the traffic with specific source, destination, or
source & destination IP addresses. Users can configure the IP spaces by a number of IP
prefixes.
Example If users want to set 192.168.3.0-255 as the source IP Block and 192.168.88.0-127
as the destination IP Block for the scope of collected flow data, check on the IP check box, enter
192.168.3.0/24 in the Source/Input Interface of IP field and 192.168.88.0/25 in the
Destination/Output Interface of IP field.
(5) IPv6
specify. Users can restrict the snapshot traffic to the traffic with specific source, destination, or
source & destination IP addresses. Users can configure the IP spaces by a number of IP
prefixes.
Example If users want to set fe80::5efe:192.168.38.168/128 as the source IP Block
and ::1/128 as the destination IP Block for the scope of collected flow data, check on the IP check
box, enter fe80::5efe:192.168.38.168/128 in the Source/Input Interface field and ::1/128 in the
Destination/Output Interface field.
(6) BGP Community

Users can restrict the snapshot traffic to the traffic with source, destination, source &
destination BGP community strings.
Example If users want to set 21829:12900 to 21829:12909 as the source BGP communities
and 23910:39104 & 23910:39124 as the destination BGP communities for the scope of collected
flow data, check on the BGP Community check box, enter 21829:1290? in the Source/Input
Interface of BGP Community field and 23910:391[0 2]4 in the Destination/Output Interface of
BGP Community field.
(7) Peer ASN
& destination Peer AS numbers.
Example If users want to set UCLA University (AS52) as the source Peer AS Number and
Harvard University (AS11) as the destination Peer AS Number for the criteria of collected flow
data, check on the Peer ASN check box, enter 52 in the Source/Input Interface of Peer ASN
field and 11 in the Destination/Output Interface of Peer ASN field.
(8) Origin ASN
& destination Origin AS numbers.
Example If users want to set UCLA University (AS52) as the source Origin AS Number and
Harvard University (AS11) as the destination Origin AS Number for the scope of collected flow
data, check on the Origin ASN check box, enter 52 in the Source/Input Interface of Origin ASN
field and 11 in the Destination/Output Interface of Origin ASN field.
213
(9) IPv4 BGP Next Hop

specify. Users can restrict the snapshot traffic to the traffic with specific BGP next hop IP
addresses. The flow will be counted if any address is matched.
Example If users want to analyze the traffic whose BGP next hop IP address is 192.168.1.254
and 192.168.38.254, check on the BGP Next Hop check box, and then input 192.168.1.254
and 192.168.38.254 (separate them by Enter key) in the BGP Next Hop field.
(10) IPv6 BGP Next Hop
specify. Users can restrict the snapshot traffic to the traffic with specific BGP next hop IP
addresses. The flow will be counted if any address is matched.
Example If users want to analyze the traffic whose BGP next hop IP address is
fe80::5efe:192.168.38.254, check on the IPv6 BGP Next Hop check box, and then input
fe80::5efe:192.168.38.254 (separate them by Enter key) in the IPv6 BGP Next Hop field.
(11) TCP Flag
Users can restrict the snapshot traffic to the traffic with specific TCP flag value(s).
Note
There are six bits of a TCP flag (URG, ACK, PSH, RST, SYN, and FIN in TCP header) and
each bit can be set as one of three different values: XIgnore, 1Flag On, and 0Flag Off.
(Ignore : the system will not check this bit value; On : the system will collect the traffic
information about the TCP packets with the bit On in TCP flag field; Off : the system will
collect the traffic information about the TCP packets with the bit Off in TCP flag field).
Example If users want to analyze the traffic flows with SYN bit set, check on the TCP Flag
check box, select 1 from the SYN-bit drop-down list and X for others.
(12) TOS Value
Users can restrict the snapshot traffic to the traffic with specific TOS value(s).
Note
Each bit of the TOS value field can be set as one of three different values: XIgnore,
1Flag On, and 0Flag Off (Ignorethe system will not check this bit value; On : the
system will collect the traffic information about the IP packets with the bit On in TOS value
field; Off : the system will collect the traffic information about the IP packets with the bit Off
in TOS value field).
Example If users want to analyze their ADSL service whose TOS values were configured as
011XXXXX, check on the TOS Value check box, select 0 from the 8-bit drop-down list, 1
from the 7-bit drop-down list, 1 from the 6-bit drop-down list, and X for others.
(13) Packet Size
Users can restrict the snapshot traffic to the traffic with specific packet sizes. The system
supports 16 levels of packet sizes.
Example If users want to analyze small packets, they can select 32 < Ave. Packet Size < =
64 from the drop-down list. The highest level of packet size is greater than 1536 bytes.
214
(14) IPv4 Next Hop

specify. Users can restrict the snapshot traffic to the traffic with specific next hop IP addresses.
The flow will be counted if any address is matched.
Example If users want to analyze the traffic whose next hop IP address is 192.168.1.254 or
192.168.38.254, check on the Next Hop check box, and then input 192.168.1.254 and
192.168.38.254 (separate them by Enter key) in the Next Hop field.
(15) IPv6 Next Hop
specify. Users can restrict the snapshot traffic to the traffic with specific next hop IP addresses.
The flow will be counted if any address is matched.
Example If users want to analyze the traffic whose next hop IP address is
fe80::5efe:192.168.38.254, check on the IPv6 Next Hop check box, and then input
fe80::5efe:192.168.38.254 (separate them by Enter key) in the IPv6 Next Hop field.
(16) Anomaly
Users can restrict the snapshot traffic to the traffic matching a specific Protocol-Misuse or
Application anomaly signature. Please note that this analysis criterion is only available for the
Sub-Network traffic scope type.
Example If users want to analyze the Sub-Network traffic matching the signature of the TCP
Fragment Protocol-Misuse anomaly, check on the Anomaly check box, and select the
Protocol-Misuse Anomaly, TCP Fragment anomaly signature from the Anomaly drop-down list.
(17) ACL-based sFlow Flag
Select the value shown in the drop down list to the sFlow flag. Three values representing
different meanings for users to set each flag. They are: XIgnore, 1Flag On, and 0Flag
Off.
4. Assign Aggregation Method
After specifying the traffic scope and analysis criteria, users will need to assign an aggregation
method for the Top N analysis (at least one aggregation method option needs to be assigned).
Up to three aggregation keys can be specified and the system will aggregate and then sort the
instant traffic by the assigned method (including Source/Destination IP, Source/Destination
Protocol/Port, Application on Source/Destination, TCP Flag, TOS, Protocol, Input/Output
Interface, Peer ASN, Origin ASN, and etc). In addition, users can configure the N value of Top N
Report from the Number of Top-N drop-down list. The content of the generated instant Top N
report includes three pie charts and detail statistic tables of BPS, PPS, and FPS.
Select a number from the Number of Top-N drop-down list to display the Top N report, the
configurable values are 10(default), 30, 60, and 120.
5. Click on Export button to output the configuration (Optional)
Users can export and save the analysis configurations of scope, criteria, and aggregation to a
local host. Once users need to reuse the exported configurations, they can just easily import and
upload the configuration file from the local host by using Import button after specifying data
source. All the original configurations of uploaded file will be automatically loaded on the
Snapshot page.
6. Click on Submit button to complete the configuration
The traffic snapshot report will be displayed instantly. To reset the configuration, please click on
Reset button.
215
Instant Top N Report Descriptions

The Instant Top N report includes several parts described below (See Figure 5-3):
Figure 5-3 Snapshot -- Instant Top N Report

Timestamps
The timestamps indicate the time points of the first and last flow records contributed to the queried
instant Top N report. The format is yyyy-mm-dd hh:mm:ss (e.g. 2005-08-23 17:40:19).
Report Charts
Three pie charts by BPS, PPS, FPS will be displayed to visualize the analysis results by
percentage of the Top-N objects. With the distinctness of the colors, users can easily read traffic
statistics from the detail statistic tables located under the pie charts.
BPS: bits per second
PPS: packets per second.
FPS: flows per second.
Detail Report Tables
There are three tabs at the left top corner of the table: bps, pps, and fps.
The BPS table presents the traffic statistics of bits per second and this one is the default table. The
PPS table presents the traffic statistics of packets per second. The FPS table presents the traffic
statistics of flows per second. Users can click on the tabs to view the detail data for each. The blue
tab means you are entering the page now. The content in each table includes:
Rank: this column displays ranking numbers from 1 to N for the highest to the lowest
volume.
BPS/PPS/FPS: this column displays traffic volumes and percentages of the analyzed objects. In
the BPS table, this column will be BPS; in the PPS table, this column will be PPS; in the FPS
table, this column will be FPS.
Traffic records of the aggregation keys: according to the aggregation keys specified there will
up to three columns record traffic counts of each set aggregation keys. For example, if users
assign Application on Source, Input Interface and Protocol as the aggregation keys, there will
three columns, Application on Source, Input Interface and Protocol, display.
Check Box: at the end of each ranked object row has a check box which is used to quickly select
the attribute value this ranked object as a criterion for the next drill-down snapshot.
216
Action Buttons
The action buttons are located at the bottom of the page, and are described as follows:
Back : to go back to the Snapshot management window with the previously selected criteria.
Generate ACL : pressing this button can obtain the system generation ACL commands with
the analyzed traffic characteristics. Please refer to the Generating ACL Commands part in
Anomaly Console.
Snapshot : users can utilize this button to perform further drill-down analysis to narrow down
the scope of the target traffic. For instance, after performing snapshot on a large analysis scope
and loose criteria, users can narrow the scope and tighten the criteria basing on those ranked
objects they find and do a next round snapshot. Check on the specific check boxes and then
click on this button.
Note
There is a restriction on using the ranked Applications and Packet Sizes to do snapshot
drilldown. Only the highest-ranked objects selected will be default criterion for the next round
snapshot since the system does not support multiple selections for Application and Packet
Size criteria. For example, after a previous snapshot, users selected top 3 ranked applications
(HTTP, FTP, SMTP) to do next round snapshot. The system will only list HTTP application as
the default scope criterion after clicking on the Snapshot button. Besides, the Router
aggregation method is unable to be passed back as a criterion.
Cancel : to go back to the Snapshot management window.
Latest 100 Raw Flows : users can view the latest 100 raw flow data from a specific collector.
Select a collector from the From drop-down list and then click on this button. A Latest 100 Raw
Flows window will pop up and the latest 100 records will be displayed (See Figure 5-4).
Figure 5-4 Snapshot -- Instant Top N Report / Latest 100 Raw Flows
217
Mitigation
The Mitigation menu (on the Main Menu tree) mainly provides users mitigation methods to execute
mitigation actions for protecting their network resources or filtering anomaly traffic. There are two
mitigation methods provided here, Hardware Mitigation and Blackhole. Hardware Mitigation is that
GenieATM integrates with a traffic-cleaning device (such as Cisco Guard) to wash out attacking
traffic and forward clean traffic back to their original destination; Blackhole is utilizing limited BGP
announcement to conduct anomaly traffic to a setup honey pot or blackhole device. Be aware of
getting confused with the Mitigation sub menu of System Admin, which is for configuring essential
mitigation elements such as blackhole next hops and mitigation devices. With this function,
administrators or defined by template, supersuer, can add, manage, and remove mitigation actions of
the system. When users click on the unfolding mark of Mitigation, all its sub menus will be unfolded
including Hardware Mitigation and Blackhole.
6.1
Blackhole
The Blackhole menu, under the Main Menu tree of Mitigation, is used to manage (add, remove,
start, or stop) blackhole mitigation actions. Blackhole mitigation utilizes limited BGP announcement
to conduct anomaly traffic to a setup honey pot or blackhole device thus achieving network
resources protection. Except the configuration of blackhole mitigation action, users also need to
get the Zebra daemon running on GenieATM Controller via CLI (Using config bgpd command to
enter bgpd mode for running Zebra daemon).
Click on Blackhole menu to enter the Blackhole Mitigation management window (See Figure
6.1-1). The information displayed in the Blackhole Mitigation view list includes No., ID, Name,
Anomaly ID/Resource Name, Protected Prefix, BGP Next Hop/Community String, Start Time/End
Time, Time Out, Status, Action, and Issued By. The following sections will introduce how to add,
stop, delete, and view a blackhole mitigation action. Besides, at the top of the report table there is a
search function that allows users to list the records, Ongoing, Stop, or All status. After selecting
the status, users have to click on the Go button to list the records.
Figure 6.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation Action Management Window
218
To add a blackhole mitigation action

After clicking on Add button located at the top of the Hardware Mitigation Action view list, a
page with the Add Hardware Mitigation title will be shown on the screen. (See Figure 6.1-2)
Figure 6.1-2 Mitigation / Hardware Mitigation - Add Hardware Mitigation Action Window
1. Enter blackhole mitigation action information required in all fields: (The asterisk "" indicates
a mandatory field.)
Method: Select the method form the drop down list.
Name: Give a name for this action. The number of inputted characters must be between 2
(!@#$%^&<>?...).
Protected Prefix: Input prefixes that you want to protect with CIDR format. Duplicated IP
prefixes are not allowed in both all Hardware and Blackhole mitigations.
Note
If you are adding a blackhole mitigation action through Anomaly Console Report, then
there will be a drop-down list for you to select a desired protected prefix. After selecting
the prefix and clicking on Protect button, the selected prefix will be copied to the
Protected Prefix field.
Blackhole Policy: select the policy from the drop-down list.
Note
Users who are with the administrator authority can specify the mitigation policy in the
System Admin/Mitigation/Blackhole function.
Time Out: Input a time value in this field. The configured blackhole mitigation action will
1440 (minutes) and the factory default value is 120 minutes.
BGP Next Hop: this field is unable to input. The list information is bind with the blackhole
policy.
Community: this field is unable to input. The list information is bind with the blackhole
policy.
219
Router: this field is unable to input. The list information is bind with the blackhole policy.
Protected Zone: this field is unable to input. The list information is bind with the blackhole
policy.
To stop a blackhole mitigation action

Users can stop an active mitigation action.
1. Click on Stop button (in the Action column of Blackhole Mitigation Action view list).
A Stop Blackhole page with all detailed configuration and related information will be shown,
and the Status will be displaying Inactive. Note that you are not allowed to delete an active
mitigation action and it will not have a delete icon displayed.
2. Click on Submit button to stop the action after confirming the information are all correct. A
completed message will tell if the submitting is completed or failed.
To delete a blackhole mitigation action

Users can delete a mitigation which status is stopped from the system. Only the status of a
mitigation action is stop, it will have a delete icon displayed. Therefore, users will not be able
to delete an ongoing mitigation action.
A Delete Blackhole page with detailed configuration and related information will be shown.
2. Click on Submit button to remove the action from the system.
Note
The factory default records shown on the Mitigation management window is with its status as
Ongoing, and users can change the status as All or Stop, at the top of the view list, to display
the stopped mitigation records.
To view the profile of a blackhole mitigation action

Users can view the mitigation actions information in detail. The detail information includes
actions name, protected prefix, time out, next hop, community, routers, and status (See Figure
6.1-3). If the action was added via Anomaly Console Report, then there will be two more
information displayed, anomaly ID and resource name.
Figure 6.1-3 Mitigation / Blackhole - View Blackhole Mitigation Action Management Window
1. Click on an action ID/name and show a popped-up View Blackhole window.
2. Click on Close button to close the popped-up window.
220
6.2
Hardware Mitigation
The Hardware Mitigation menu, under the Main Menu tree of Mitigation, is used to manage (add,
remove, start, or stop) hardware mitigation actions, and also provides brief overall traffic statistics
and detailed attacking traffic for each action. Hardware mitigation cooperates with a traffic-cleaning
device (such as Guard or Eudemon) to protect a specific IP address/prefix.
After clicking on Hardware Mitigation menu displayed on the Sub Menu tree of Mitigation at the
left side of the screen, the Guard management window (the default entered window) will be shown.
Users can see two sub-menu tabs, Guard, and Eudemon, appearing above the screen.
6.2.1
Guard
Click on Hardware Mitigation menu to enter the Hardware Mitigation management window (See
Figure 6.2.1-1). The information displayed in the Guard view list includes No., ID, Name, Anomaly
ID/Resource Name, Protected IP/Prefix, bps/pps (In, Dropped, Passed), Start Time/End Time,
Status, Action, Issued By and Report. Besides, at the top of the report table there is a search
function that allows users to list the records, Ongoing, Stop, or All status. After selecting the
status, users have to click on the Go button to list the records. The following sections will
introduce how to add, stop, delete, and view a hardware mitigation action, and how to read its
report.
Note
If the mitigation is added from the anomaly console report, users can click on the anomaly ID
to view the anomaly console report.
Figure 6.2.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation: Guard Management Window
To add a Guard mitigation action

After clicking on Add button located at the top of the Guard view list, a page with the Add
Mitigation title will be shown on the screen. (See Figure 6.2.1-2)
Figure 6.2.1-2 Mitigation / Hardware Mitigation - Add Guard Mitigation Action Window
1. Enter Guard mitigation action information required in all fields: (The asterisk "" indicates a
mandatory field.)
Method: Select the method form the drop down list.
(!@#$%^&<>?...).
221
Protected Host: Input an IP address that you want to protect. The inputted IP address
must be within the selected Zones IP range. If you leave this field blank, then all the IP
addresses of the selected Zone will be protected.
Note
If you are adding a hardware mitigation action through Anomaly Console Report, then
there will be a drop-down list for you to select a desired protected IP address. After
selecting the IP address and clicking on Protect button, the selected IP address will
be copied to the Protected IP Address field.
Time Out: Provide time-out information for action expiration. You can set the time-out as
forever by clicking on the Forever radio button. Using this way, the action will not be
terminated until you manually stop it through the Stop button of Web UI or CLI. Or, you
can choose to input a time value yourself. The configured hardware mitigation action will
65535 (seconds).
Device: Select a traffic-cleaning device from the Device drop-down list. All devices
configured in the System Admin / Mitigation / Device / Cisco Guard function will be
displayed here.
Zone: Select a zone from the Zone drop-down list. The selections here will be converted
according to which device is selected. Once you select a device, all zones configured in the
device will be displayed here. The text box will display all IP addresses configured in the
selected zone. GenieATM will execute SNMP polling every minute to get the latest zone
information from Cisco Guard.
To stop a Guard mitigation action

Users can stop an active mitigation action.
1. Click on Stop button (in the Action column of Guard Mitigation view list).
A Stop Mitigation page with all detailed configuration and related information will be shown,
and the Status will be displaying Inactive. Note that you are not allowed to delete an active
mitigation action and it will not have a delete icon displayed.
2. Click on Submit button to stop the action after confirming the information are all correct. A
completed message will tell if the submitting is succeeded or failed.
Note
The factory default records shown on the Guard Management Window are with their status as
Ongoing, and users can change the status as All or Stop, at the top of the view list, to display
the stopped mitigation records.
To delete a Guard mitigation action

Users can delete a stop mitigation action from the system. If the status of a mitigation action is
stopped, a delete icon will display. Therefore, users can delete a stopped mitigation action.
A Delete Hardware Mitigation page with detailed configuration and related information will be
shown.
To read the reports of a Guard mitigation action

There are two types of hardware mitigation action reports provided. One is Traffic Report which
compiles statistics of the passed, dropped, and total traffic for the action; another is Attack
Report which allows users to retrieve the list of available attack reports regarding to the related
zone. Click on Report button at the end of each row, a Hardware Mitigation Report window
will pop up and it will be displaying two sub-menu tabs, Traffic and Attack Report. Please see the
following sections for details.
222
Traffic
Click on the Traffic sub-menu tab to enter the traffic report window. (See Figure 6.2.1-3)
Figure 6.2.1-3 Mitigation / Hardware Mitigation - Hardware Mitigation Traffic Report
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains actions information and condition
options below:
Name: the name of hardware mitigation action.
Protected: the time that the hardware mitigation action was started.
Unit: bps (bit per second) and pps (packet per second).
Time Period: daily, and weekly. Two fixed time interval are provided to present analysis report
with an end time specified from the Until drop-down list.
Until: year, month, date, and time. This drop-down list represents the end time of reports time
interval. Please refer to the Start Times description above for operation. Users can specify the
end date of the analysis report from either the year/month/date drop-down lists or a
year-month-date time table. After clicking on Until, the year-month-date time table will be
shown. Specify the year and month from the drop-down lists in the time table, select the date
by using your cursor to click on (the selected date will be highlighted), and then click on the
OK button. Or click on the Cancel button to close the time table. Specify the time from the time
drop-down list after finishing the selections of year, month, and date.
Go: after finishing the query conditions, click on this button to submit the query.
Cancel: click on this button to close the report window.
Report Chart
Stacked Chart. The X-coordinate represents time and will be converted according to the time
interval selected by users The Y-coordinate represents traffic flow. In the chart, each stacked
band represents one kind of traffic and it is additive, that is to say the outer edge of all stacked
bands represents the total traffic of all bands. (The objects with colors indicate which traffic they
are.)
223
Report Table
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can use Download Excel-XML button to download tabular data of the table with XML
file, which can be read by the Excel program.
Please refer to the Operation Procedure to Query Reports part in the Summary Report
section of Report / Internet for details.
Attach Report
Click on the Attack Report sub-menu tab to enter the attack report window. (See Figure
6.2.1-4)
Figure 6.2.1-4 Mitigation / Hardware Mitigation - Hardware Mitigation Attack Report

Report Descriptions
There are three parts in the Traffic Report window: Action Information, Action Buttons, and
Report Table.
Action Information
This part is located on the top of the screen and presents actions information below:
Name: the name of hardware mitigation action.
Protected: the time that the hardware mitigation action was started
Action Button
Get Report List : click on this button to retrieve related attack reports from traffic-cleaning
devices.
Close : click on this button to close the report window.
Report Table
After users execute retrieving attack reports via Get Report List button, the retrieved
reports will be displayed in this table. The information includes NO., Report ID, Attack [Start;
Until; Duration], Peak, Report.
224
6.2.2
Eudemon
Click on Eudemon sub-menu to enter the Eudemon management window (See Figure 6.2.2-1).
The information displayed in the Eudemon view list includes No., ID, Name, Anomaly ID/Resource
Name, Protected IP Address, bps [Max Legitimate / Malicious], Start Time/End Time, Status, Action,
Issued By and Report. Besides, at the top of the report table there is a search function that allows
users to list the records by Ongoing, Stop, or All status. After selecting the status, users have
to click on the Go button to list the records. The following sections will introduce how to add,
stop, and delete a mitigation action.
Figure 6.2.2-1 Mitigation / Hardware Mitigation / Eudemon Management Window
To add a mitigation action

After clicking on Add button located at the top of the Eudemon view list, a page with the Add
Mitigation title will be shown on the screen. (See Figure 6.2.2-2)
Figure 6.2.2-2 Mitigation / Hardware Mitigation/Eudemon - Add Eudemon Mitigation Window

1. Enter the parameters of the mitigation action required in the fields: (The asterisk "" indicates
a mandatory field.)
(!@#$%^&<>?...).
Protected Host: Input an IP address that you want to protect. The inputted IP address
must be within the selected Zones IP range.
Note
If you are adding a mitigation action through Anomaly Console Report, then there will
be a drop-down list for you to select a desired protected IP address. After selecting the
IP address and clicking on Protect button, the selected IP address will be copied to
the Protected IP Address field.
225
Max Speed Limit: This value is to define the host total traffic profile for Eudemon 8000. The
inputted value must be between 1 and 1024 (Mbps). It will be provisioned to Eudemon 8000
device as tcp-max-speed/ udp-max-speed/ icmp-max-speed parameters in CLI command
"firewall ddos-policy ip <victim ip addr> tcp-max-speed INTEGER<0-1024>".
Device: Select a Eudemon device from the drop-down list. All devices configured in the
System Admin / Mitigation / Device / Eudemon function will be displayed here.
To stop a mitigation action

Users can stop an ongoing mitigation action.
1. Click on Stop button (in the Action column of Eudemon view list).
A Stop Mitigation page with all detailed and related information will pop up, and the Status will
be displaying Inactive. Note that you are not allowed to delete an active mitigation action and
it will not have a delete icon displayed.
2. Click on Submit button to stop the action after confirming the information are correct. A
completed message will tell if the submitting is succeeded or failed.
Note
The factory default records shown on the Eudemon view list are with their status as Ongoing,
and users can change the status as All or Stop, at the top of the window, to display
all/stopped mitigation records.
To delete a mitigation action

Users can delete a stopped mitigation action from the system. There is a delete icon
displayed at the first column of the stopped mitigations and users can delete a stopped
mitigation action via clicking on it.
A Delete Mitigation page with detailed and related information will be popped up.
226
Report
Report menu provides system report presentation including both pre-defined (built-in) and
rule-based reports. The system pre-defined reports are included in the Report main menu. When
users click on the unfolding mark of Report, all its sub menus will be unfolded including Internet,
Neighbor, Backbone, Router, Interface, Sub-Network, Server, and Rule-based Report.
Note
The viewing report within user-specified parameters (such as network resource, Time Range,
Unit, Chart, etc) will be set to other reports in Report function when users switch to browse.
However, some of the specified parameters may not support by the switched report, so only the
accepted parameters will be set in the switched report.
7.1
Internet
Internet menu provides various built-in reports for traffic analysis between the Internet and Home
Network, provided that the Home Network area and the Internet boundary must be defined in
advance. GenieATM analyzes the collected flow data about the traffic through the interfaces of
defined Internet boundary and the BGP routing information, and then generates a variety of
Internet traffic analysis reports. There are three types of analysis reports for Internet traffic:
Summary Report, Breakdown Report, and Attribute Report. In following sections, we will
introduce how to query various Internet traffic reports.
When users click on the unfolding mark of Report / Internet, all its sub menus will be unfolded
including Summary Report, Breakdown Report, and Attribute Report.
7.1.1
Summary Report
The summary report of the Internet traffic presents the traffic analysis between the Internet and
Home Network in a macroscopic view. With the Internet summary report, users can briefly know
their Internet traffic. Click on the Summary Report sub menu of Report / Internet menu to enter
the Summary Report window. The system will display various analysis reports for Internet traffic
according to the selected traffic unit, time interval, and traffic type.
Report Descriptions
Query Bar
Time Range: a flexible way to specify the time interval for displaying report. There are two ways
provided to specify the time interval in the system: one is Time Range and the other is Period
(Please see the description below for details). Once users choose this way, please specify the
start time and end time of analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is another way different from Time
Range to specify reports time interval. In this way, five fixed time interval are provided to present
analysis report with an end time specified from the Until drop-down list. Once users choose this
way, the Start Time drop-down list will be unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of reports
time interval. Users can specify the start date of the analysis report from either the
227
year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time,
the year-month-date time table will be shown. Specify the year and month from the drop-down
lists in the time table, select the date by using your cursor to click on (the selected date will be
highlighted), and then click on the OK button. Or click on the Cancel button to close the
time table. Specify the time from the time drop-down list after finishing the selections of year,
month, and date. If users choose the Period way to specify the reports time interval, this
drop-down list will be unavailable.
interval. Please refer to the Start Times description above for operation.
Output: users can view the report on the web or download it in the CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Submit : after finishing the query conditions, click on this button to submit the query.
Report Chart
This report is presented as a line chart. The X-coordinate represents time and will be converted
according to the time interval selected by users. The Y-coordinate represents traffic flow. In the
chart, each line represents one kind of traffic and its data will be matching the data listed in Report
Table. (The objects with colors next to check boxes indicate what traffic they are.)
Report Table
For Internet summary report, this table will display five kinds of traffic statistics:
Internet to Home If the source IP address does not belong to Home Network and the
destination IP address belongs to Home Network, the flow packet will be considered as Internet
to Home Traffic.
Home to Internet If the source IP address belongs to Home Network and the destination IP
address does not belong to Home Network, the flow packet will be considered as Home to
Internet Traffic.
Internet to Internet If the source and destination IP addresses both do not belong to Home
Network, the flow packet will be considered as Internet to Internet Traffic, also called Transit
Traffic.
Into Home It is the total traffic into Home, namely the sum of Internet to Home Traffic plus
Transit Traffic.
Out of Home It is the total traffic out of Home, namely the Home to Internet Traffic plus Transit
Traffic.
Average, current, and maximum values will be displayed in the table. Clicking on the check box in
the front of the row means to draw the traffic in Report Chart. So that users can compare different
types of traffic clearly by unselecting the traffic and leave those they want. An All check box for
users to conveniently select all check boxes at once. Please click on Submit button (in Query
Bar) to refresh the screen for your selection. In addition, users can use Download Excel-XML
button to download tabular data of the table with XML file, which can be read by the Excel program.
Operation Procedure to Query Reports

1. Select the condition options in Query Bar for generating your report.
2. Select the traffic you want from Report Table by clicking on the check box.
3. Click on Submit button (in Query Bar) to refresh the screen and generate your report.
228
7.1.2
Breakdown Report
The breakdown report is unlike the macroscopic summary report; it provides the further analysis
in some kind of specific traffic. The breakdown report of the Internet traffic includes four types of
reports: Sub-Network, Origin ASN, Peer ASN, and Peering Analysis.
When users click on the unfolding mark of Breakdown Report under the Report / Internet
menu, all its sub menus will be unfolded including Sub-Network, Origin ASN, Peer ASN, and
Peering Analysis.
7.1.2.1
Sub-Network
The Sub-Network traffic analysis of Internet breakdown report provides the information about the
Internet traffic into/out of each Sub-Network defined in the system. The traffic will be collected
from all each Sub-Network boundary. The Top N Report Table will display all sub-networks (N:
maximum =300). Each row of Report Table will display ingress, egress and sum traffic for each
Sub-Network. Click on the Sub-Network sub menu of Breakdown Report under the Report /
Internet menu to enter the Sub-Network Report window.
Report Descriptions
Query Bar
Chart: there are three types of output report charts provided Stacked Chart, Bar Chart, and Pie
Chart. The default setting is stacked chart.
Report Chart
interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two
parts by the X-axis. The upper part represents the traffic into Home and the lower part
represents the traffic out of Home. In the chart, each stacked band represents one kind of traffic
229
and it is additive, that is to say the outer edge of all stacked bands represents the total traffic of
all bands. (The objects with colors next to check boxes indicate what traffic they are.)
Bar Chart. Bar Chart is presented with horizontal bars and three different colors of bars are used
to separately represent Egress, Ingress, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Egress, Ingress, and
Sum traffic statistics.
Report Table
This table will display all kinds of traffic analysis statistics of sub-networks that defined in the
system. There are three tabs at the right top corner of the table: Average, Current, and Maximum.
Users can click on the tabs to view the detail data for each. The blue tab means you are entering
the page now. Clicking on the check box in the front of the row means to draw the traffic in Report
Chart. So that users can compare different types of traffic clearly by unselecting the traffic and
leave those they want. An All check box for users to conveniently select all check boxes at once.
Please click on Submit button (in Query Bar) to refresh the screen for your selection. In addition,
users can use Download Excel-XML button to download tabular data of the table with XML file,
which can be read by the Excel program. The downloaded file will separate the Average, Current,
and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.2.2
Origin ASN
The Origin ASN traffic analysis of Internet breakdown report provides the information about the
Internet traffic originated from different ASes. Because the number of ASes is quite large,
therefore, only top 128 ASNs will be saved to DB. The top N (N: default = 25) ASNs will be
displayed and each in a row. Each row of Report Table will display ingress, egress and sum
traffic for each Origin ASN. Click on the Origin ASN sub menu of Breakdown Report under the
Report / Internet menu to enter the Origin ASN Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
Except the data listed in Report Table is different, other descriptions are all the same. For Origin
ASN reports, the Report Table will display top N Origin ASNs.
230
7.1.2.3
Peer ASN
The Peer ASN traffic analysis of Internet breakdown report provides the information about the
traffic between the Internet and Home Network through each Neighbor AS. Since the number of
Neighbor AS wont be more than 100, at most up to top 128 will be displayed. Each row of
Report Table will display ingress, egress and sum traffic for each Neighbor ASN. Click on the
Peer ASN sub menu of Breakdown Report under the Report / Internet menu to enter the Peer
ASN Report window.
Report Descriptions
Except the data listed in Report Table is different, other descriptions are all the same. For Peer
ASN reports, the Report Table will display top N Peer ASNs.
7.1.2.4
Peering Analysis
The Peering traffic analysis of Internet breakdown report provides the Peering traffic of top 128
ASN in and out of Home Network. Actually the Neighbor AS will be listed within the list most of
the time because they are the major Transit traffic providers of the Home Network. If there is a
Neighbor AS (defined in the system) appearing in the Neighbor column of Report Table, the
traffic is between this Neighbor and Home Network. However, if there is no Neighbor AS
appearing in the Neighbor column of Report Table, the traffic is between an AS (not a Neighbor
AS) and Home Network.
Each row of Report Table will display ingress(through, from), egress(through, to) and sum traffic
for each AS. The value of Thru(Through) in the Into Home column means the traffic is through
the AS to Home. The value of From in the Into Home column means the traffic originates from
the AS to Home. Conversely, the value of Thru(Through) in the Out of Home column means
the traffic is from Home through the AS to other ASes. And, the value of To in the Out of Home
column means the traffic is from Home to the AS.
Click on the Peering Analysis sub menu of Breakdown Report under the Report / Internet
menu to enter the Peering Analysis Report window.
Report Descriptions
Except the data listed in Report Table is different and Bar & Pie Charts are not supported, other
descriptions are all the same. For Peering Analysis reports, the Report Table will display top N
Peering Analyses (that will be relative to a Neighbor AS or an Origin AS).
7.1.2.5
AS Path Length
The AS Path Length traffic analysis of Internet breakdown report provides the information about
the ingress/egress (Into Home/Out of Home) traffic from a specific AS, which is aggregated
according to the BGP AS Path length. The system will ignore the length longer than 30. Each
row of Report Table will display ingress, egress and sum traffic for each AS path length.
231
This report can help users understand the routing efficiency of their networks and review their
routing policies.
Click on the AS Path Length sub menu of Breakdown Report under the Report / Internet
menu to enter the AS Path Length Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Internet for details.
Except the data listed in Report Table is different, other descriptions are all the same. For AS Path
Length reports, the Report Table will display the traffic aggregated according to different lengths of
AS path for the Internet AS passed through.
7.1.3
Attribute Report
The attribute report provides the analysis information about some common attributes. With
common attribute reports, users can really understand how their network resources are actually
been using. The attribute report of the Internet traffic has five kinds: Application, Protocol,
Protocol+Port, TOS, and Packet Size.
When users click on the unfolding mark of Attribute Report under the Report / Internet menu,
all its sub menus will be unfolded including Application, Protocol, Protocol+Port, TOS, and
Packet Size.
7.1.3.1
Application
The Application traffic analysis of Internet attribute report provides the information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to the user defined
application groups on source and destination ports separately for different traffic directions. Up to
top 128 applications will be saved to DB. The top N (N: default = 25) applications will be
displayed and each in a row.
In this report, users can obtain not only the traffic Into Home and Out of Home for applications
but also the traffic between the Request side and the Response side. For example, when a client
issues a request to a server, the traffic belongs to Request traffic; when a server replies to a
client, the traffic belongs to Response traffic. (A server is the Response side and a client is the
Request side.) A Service drop-down list is provided for users to select the traffic direction. There
are items selectable, Inside, and Outside. Inside means the server is inside the entity (Home
Network, Sub-Network) and represents the data of Request of Ingress traffic or the data of
Response of Egress traffic. Outside means the server is outside the entity and represents the
data of Response of Ingress traffic or the data of Request of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Internet menu to
enter the Application Report window.
Report Descriptions
Query Bar
232
Chart. The default setting is stacked chart. Both
Service: once the bar chart or pie chart is selected, the Service drop-down list will be shown for
users to select traffic direction of service. There are kinds of traffic directions: Inside, and
Outside.
Report Chart
all bands. (The objects with colors next to check boxes indicate which application they are.)
to separately represent Ingress, Egress, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Ingress, Egress, and
Report Table
This table will display top N Applications. There are three tabs at the right top corner of the table:
Average, Current, and Maximum.
233
7.1.3.2
Protocol
The Protocol traffic analysis of Internet attribute report provides the information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to the protocol (e.g. TCP/6,
UDP/17, ICMP/1...). Totally, top 128 protocols will be stored to database and top N (N: default =
25) will be displayed for report. Each row of Report Table will display the Into Home/Out of Home
traffic for the protocol and the value in the Sum column is the total amount of the Into Home and
Out of Home traffic.
Click on the Protocol sub menu of Attribute Report under the Report / Internet menu to enter
the Protocol Report window.
Report Descriptions
Except the data listed in Report Table is different, other descriptions are all the same. For Protocol
reports, the Report Table will display top N Protocols.
7.1.3.3
Protocol+Port
The Protocol+Port traffic analysis of Internet attribute report provides the information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to protocol plus port
number (service) for TCP and UDP (if the ICMP, the traffic will be aggregated according to the
code and type of the ICMP). Each row of Report Table will display the Into Home/Out of Home
traffic for the protocol+port (service) and the value in the Sum column is the total amount of the
Into Home and Out of Home traffic. The top 128 will be stored to database and top N (N: default
= 25) will be displayed for report.
In this report, users can obtain not only the traffic Into Home and Out of Home for the service
(protocol+port), but also the traffic between the Request side and the Response side. For
example, when a client issues a request to a server, the traffic belongs to Request traffic; when a
server replies to a client, the traffic belongs to Response traffic. (A server is the Response side
and a client is the Request side.) A Service drop-down list is provided for users to select the
traffic direction. There are two items selectable, Inside, and Outside. Inside means the service
is inside the entity (Home Network, Sub-Network) and represents the data of Request of
Ingress traffic or the data of Request of Egress traffic. Outside means the server is outside the
entity and represents the data of Response of Ingress traffic or the data of Request of Egress
traffic.
Click on the Protocol+Port sub menu of Attribute Report under the Report / Internet menu to
enter the Protocol+Port Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Application section of Attribute Report of
Report / Internet for details.
Except the data listed in Report Table is different, other descriptions are all the same. For
Protocol+Port reports, the Report Table will display top N Protocol+Port (services).
234
7.1.3.4
TOS
The TOS traffic analysis of Internet attribute report provides the information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to the 256 TOS values.
Each row of Report Table will display the Into Home/Out of Home traffic for the TOS and the
value in the Sum column is the total amount of the Into Home and Out of Home traffic. Totally, top
128 TOS will be stored to database and top N (N: default = 25) will be displayed for report.
Click on the TOS sub menu of Attribute Report under the Report / Internet menu to enter the
TOS Report window.
Report Descriptions
Except the data listed in Report Table is different, other descriptions are all the same. For TOS
reports, the Report Table will display top N TOSes.
7.1.3.5
Packet Size
The Packet Size traffic analysis of Internet attribute report provides the information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to the packet size. The
packet size is calculated by dividing the bytes with number of packets. The packet size segments
are: <32, 32-64, 64-96, 96-128, 128-160, 160-192, 192-224, 224-256, 256-320, 320-384,
384-448, 448-512, 512-768, 768-1024, 1024-1536, and >1536.
Click on the Packet Size sub menu of Attribute Report under the Report / Internet menu to
enter the Packet Size Report window.
Report Descriptions
Except the data listed in Report Table is different, other descriptions are all the same. For Packet
Size reports, the Report Table will display all segments of Packet Size.
235
7.2
Neighbor
Neighbor menu provides various built-in reports for traffic analysis between Neighbor ASes and
Home Network, provided that the Home Network area, the Internet boundary, and the Neighbor AS
must be defined in advance. Since border routers in Home AS can connect to Neighbor AS via
external interfaces, the Neighbor boundary shares the same boundary with the Internet boundary.
GenieATM Collector receives the flow data from the border routers to analyze and reports the
results related the Neighbor AS list when BGP module is enabled. There are three types of
analysis reports for Neighbor traffic: Summary Report, Breakdown Report, and Attribute Report.
In following sections, we will introduce how to query various Neighbor traffic reports.
When users click on the unfolding mark of Report / Neighbor, all its sub menus will be unfolded
7.2.1
Summary Report
The summary report of the Neighbor traffic presents the traffic analysis between the Neighbor
ASes and Home Network in a macroscopic view. With the Neighbor summary report, users can
briefly know not only the total traffic of each Neighbor AS into/out of Home Network but also the
detail traffic analysis for each Neighbor AS. When users click on the Summary Report sub
menu of Report / Neighbor, there are two sub menus will be shown: Compare and Detail.
7.2.1.1
Compare
The Compare traffic analysis of Neighbor summary report provides users the information about
the ingress/egress (Into Home/Out of Home) traffic for each Neighbor AS to compare the
differences with the total amount. The Top N Report Table will display all Neighbor ASes (N:
maximum = 128).
Click on the Compare sub menu of Summary Report under the Report / Neighbor menu to
enter the Compare Report window.
Report Descriptions
Query Bar
Neighbor Group: All Neighbors (default) and the defined Neighbor groups (All Neighbor groups
defined in the Group menu of System Admin / Network / Preferences will be shown here. If
you select one specific group, Report Table will only display the traffic analyses for the Neighbor
ASes configured in this group. Otherwise, it will display all Neighbor ASes configured in the
system.)
236
Report Chart
interval selected by users The Y-coordinate represents traffic flow. The data is divided into two
all bands. (The objects with colors next to check boxes indicate which Neighbor they are.)
Report Table
This table will display the traffic analyses statistics for all Neighbor ASes that configured in the
system or some if you selected some specific group in the Neighbor Group drop-down list (In
Query Bar) to view. There are three tabs at the right top corner of the table: Average, Current, and
Maximum.
7.2.1.2
Detail
The Detail traffic analysis of Neighbor summary report provides the information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to different traffic types
(Neighbor Transit, Local Transit, Peering, Both Transit, and Unknown) for a specific Neighbor
AS.
Click on the Detail sub menu of Summary Report under the Report / Neighbor menu to enter
the Detail Report window.
237
Report Descriptions
Query Bar
defined in the Group menu of System Admin / Network / Preferences will be shown here. If
you select one specific group, Report Table will only display the traffic analyses for the Neighbor
ASes configured in this group. Otherwise, it will display all Neighbor ASes configured in the
system.)
Neighbor: every Neighbor AS configured in the Neighbor group (It will be converted according to
the group selected in the Neighbor Group drop-down list.)
Report Chart
all bands. (The objects with colors next to check boxes indicate what traffic they are.)
Report Table
For the Detail traffic analysis of Neighbor summary report, this table will display five types of traffic
analysis statistics for a specific Neighbor AS.
Neighbor Transit It counts all traffic that is transient by the Neighbor AS.
Local Transit It counts all traffic that origins from the Neighbor AS and is transient to another
AS by Home Network.
Peering It counts all traffic that origins from the Neighbor AS and is delivered to Home
Network.
Both Transit It counts all traffic that is transient by the Neighbor AS and Home Network.
Unknown It counts those traffic does not match anyone of the four types above.
238
There are tabs at the right top corner of the table: Average, Current, and Maximum.
7.2.2
Breakdown Report
in some kind of specific traffic. The breakdown report of the Neighbor traffic provides the traffic
analysis between one network entity (a Neighbor AS) to another (a Neighbor AS or a
sub-network) and has five kinds of reports: Sub-Network, Neighbor, AS Path Length, BGP
Message, and Origin ASN.
When users click on the unfolding mark of Breakdown Report under the Report / Neighbor
menu, all its sub menus will be unfolded including Sub-Network, Neighbor, AS Path Length,
BGP Message, and Origin ASN.
7.2.2.1
Sub-Network
The Sub-Network traffic analysis of Neighbor breakdown report provides the traffic information
between the Neighbor AS and each Sub-Network defined in the system. Actually, the traffic
analyzed in this report is the same as the Neighbor ASN traffic analysis of Sub-Network
breakdown report, but only in different statistic perspectives. The Top N Report Table will display
all sub-networks (N: maximum = 300). Each row of Report Table will display ingress, egress and
sum traffic for each Sub-Network. Click on the Sub-Network sub menu of Breakdown Report
under the Report / Neighbor menu to enter the Sub-Network Report window.
Report Descriptions
Neighbor for details.
Sub-Network reports, the Report Table will display the traffic between the Neighbor AS specified
and each Sub-Network defined in the system.
7.2.2.2
Neighbor
The Neighbor traffic analysis of Neighbor breakdown report provides the traffic information about
the traffic through a specific Neighbor AS to/from each other Neighbor AS defined in the
system. The Top N Report Table will display all Neighbor ASes (N: maximum = 128). Each row of
Report Table will display ingress, egress and sum traffic for each Neighbor AS. Click on the
Neighbor sub menu of Breakdown Report under the Report / Neighbor menu to enter the
Neighbor Report window.
239
Report Descriptions
Except the data listed in Report Table is different, other descriptions are all the same. For Neighbor
reports, the Report Table will display the traffic between the Neighbor AS specified and each other
Neighbor AS defined in the system.
7.2.2.3
AS Path Length
The AS Path Length traffic analysis of Neighbor breakdown report provides the information
about the ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is
aggregated according to the BGP AS Path length. The system will ignore the length longer than
30. Each row of Report Table will display ingress, egress and sum traffic for each AS path length.
This report can help users understand the routing efficiency of their networks and review their
routing policies.
Click on the AS Path Length sub menu of Breakdown Report under the Report / Neighbor
menu to enter the AS Path Length Report window.
Report Descriptions
Except the data listed in Report Table is different, other descriptions are all the same. For AS Path
Length reports, the Report Table will display the traffic aggregated according to different lengths of
AS path for the Neighbor AS passed through.
7.2.2.4
BGP Message
The BGP Message traffic analysis of Neighbor breakdown report provides the update
information about Peer BGP message for a single Neighbor at a time. For an individual router
associated with a specific Neighbor entity, there are several statistic types of BGP messages.
Each row of Report Table will display message type, number of message, and total percentage.
Click on the BGP Message sub menu of Breakdown Report under the Report / Neighbor
menu to enter the BGP Message Report window.
Report Descriptions
Query Bar
defined in the Group menu of System Admin / Network / Preferences will be shown here.)
Neighbor: every Neighbor AS configured in the Neighbor group (It will be converted according to
the group selected in the Neighbor Group drop-down list.)
Router Group: All routers (default) and the defined Router groups (All Router groups defined in
the Group menu of System Admin / Network / Preferences will be shown here.)
240
Router: every router configured in the Router group (It will be converted according to the group
selected in the Router Group drop-down list.)
Report Chart
There are three line charts displayed here: Neighbor Traffic, Prefixes From Neighbor, and BGP
Messages.
The first one is the traffic chart for the selected Neighbor entity (Into Home/Out of Home). The
X-coordinate represents time and will be converted according to the time interval selected by users.
The Y-coordinate represents traffic flow. In the chart, the line represents the traffic of the selected
Neighbor into and out of Home. The objects with colors below the chart indicate what traffic they
are.
The second one displays the number of routes (prefixes) announced through the selected
Neighbor entity. The X-coordinate represents time and will be converted according to the time
interval selected by users. The Y-coordinate represents number of prefixes.
The third one displays the variation of different types of messages within the selected time interval.
The X-coordinate represents time and will be converted according to the time interval selected by
users. The Y-coordinate represents number of messages (per 5 minutes). The objects with colors
below the chart indicate what message types they are.
Report Table
For the BGP message information of Neighbor breakdown report, this table will display six statistic
types of BGP messages for a specific router with a specific Neighbor.
ANN -- Routes Announced by Peer.
AADIFF -- A route is withdrawn implicitly and replaced with a different route when the original
route turns into unreachable, or an alternative path preferred turns into available. AADIFF is
classified as forwarding instability.
AADUP -- A route is withdrawn implicitly and replaced with a duplicate of the original route. A
duplicate route is defined as a subsequent route announcement that has the same nexthop or
AS-path attribute information. AADUP may reflect pathological behavior because a router should
only send a BGP update for a change in topology or policy. AADUP may also reflect policy
fluctuation as subsequent route announcements may be different in other attributes such as
MED and Aggregator.
TUP -- A previously unavailable route is announced as available. This represents a route repair.
TDOWN -- A previously available route is withdrawn. This represents a route failure.
UPDATES -- BGP updates (AADIFF + AADUP+ TUP + TDOWN).
241
Chart. So that users can compare different types of BGP message clearly by unselecting the
message type and leave those they want. An All check box for users to conveniently select all
check boxes at once. Please click on Submit button (in Query Bar) to refresh the screen for
your selection. In addition, users can use Download Excel-XML button to download tabular
data of the table with XML file, which can be read by the Excel program. The downloaded file will
separate the Average, Current, and Maximum tables into three different worksheets.
7.2.2.5
Origin ASN
The Origin ASN traffic analysis of Neighbor breakdown report provides the information about the
traffic from/to the Home Network through a specific Neighbor AS to/from some Origin ASes. This
report will list top N Origin ASNs passing through the specific Neighbor AS. Because the number
of Origin ASes may be quite large, therefore, only top 128 ASNs will be saved to DB. The top N
(N: default = 25) ASNs will be displayed and each in a row. Each row of Report Table will display
ingress, egress and sum traffic for each Origin ASN. Click on the Origin ASN sub menu of
Breakdown Report under the Report / Neighbor menu to enter the Origin ASN Report window.
Report Descriptions
7.2.3
Attribute Report
common attribute reports, users can understand how their network resources are actually been
using. The attribute report of the Internet traffic has five kinds: Application, Protocol,
When users click on the unfolding mark of Attribute Report under the Report / Neighbor menu,
Packet Size.
7.2.3.1
Application
The Application traffic analysis of Neighbor attribute report provides the information about the
ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is
aggregated according to the user defined application groups on source and destination ports
separately for different traffic directions. Up to top 128 applications will be saved to DB. The top
N (N: default = 25) applications will be displayed and each in a row.
242
In this report, users can obtain not only the traffic Into Home and Out of Home for applications
but also the traffic between the Request side and the Response side. For example, when a client
issues a request to a server, the traffic belongs to Request traffic; when a server replies to a
client, the traffic belongs to Response traffic. (A server is the Response side and a client is the
Request side.) A Service drop-down list is provided for users to select the traffic direction. There
are items selectable, Inside, and Outside. Inside means the server is inside the entity (Home
Network, Sub-Network) and represents the data of Request of Ingress traffic or the data of
Response of Egress traffic. Outside means the server is outside the entity and represents the
data of Response of Ingress traffic or the data of Request of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Neighbor menu to
Report Descriptions
Application reports, the Report Table will display top N Applications.
7.2.3.2
Protocol
The Protocol traffic analysis of Neighbor attribute report provides the information about the
aggregated according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). Totally, top 128 protocols
will be stored to database and top N (N: default = 25) will be displayed for report. Each row of
Report Table will display the Into Home/Out of Home traffic for the protocol and the value in the
Sum column is the total amount of the Into Home and Out of Home traffic.
Click on the Protocol sub menu of Attribute Report under the Report / Neighbor menu to
enter the Protocol Report window.
Report Descriptions
7.2.3.3
Protocol+Port
The Protocol+Port traffic analysis of Neighbor attribute report provides the information about the
aggregated according to protocol plus port number (service) for TCP and UDP (if it is for ICMP,
the traffic will be aggregated according to the code and type of the ICMP). Each row of Report
Table will display the Into Home/Out of Home traffic for the protocol+port (service) and the value
in the Sum column is the total amount of the Into Home and Out of Home traffic. The top 128 will
be stored to database and top N (N: default = 25) will be displayed for report.
In this report, users can obtain not only the traffic Into Home and Out of Home for the service
243
(protocol+port), but also the traffic between the Request side and the Response side. For
server replies to a client, the traffic belongs to Response traffic. (A server is the Response side
and a client is the Request side.) A Service drop-down list is provided for users to select the
traffic direction. There are two items selectable, Inside, and Outside. Inside means the server is
inside the entity (Home Network, Sub-Network) and represents the data of Request of Ingress
traffic or the data of Response of Egress traffic. Outside means the server is outside the entity
and represents the data of Response of Ingress traffic or the data of Request of Egress traffic.
Click on the Protocol+Port sub menu of Attribute Report under the Report / Neighbor menu
to enter the Protocol+Port Report window.
Report Descriptions
7.2.3.4
TOS
The TOS traffic analysis of Neighbor attribute report provides the information about the
aggregated according to the 256 TOS values. Each row of Report Table will display the Into
Home/Out of Home traffic for the TOS and the value in the Sum column is the total amount of the
Into Home and Out of Home traffic. Totally, top 128 TOS will be stored to database and top N (N:
default = 25) will be displayed for report.
Click on the TOS sub menu of Attribute Report under the Report / Neighbor menu to enter the
TOS Report window.
Report Descriptions
244
7.2.3.5
Packet Size
The Packet Size traffic analysis of Neighbor attribute report provides the information about the
aggregated according to the packet size. The packet size is calculated by dividing the bytes with
number of packets. The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192,
192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and
>1536.
Click on the Packet Size sub menu of Attribute Report under the Report / Neighbor menu to
Report Descriptions
245
7.3
Backbone
Backbone menu provides various built-in reports for Backbone traffic analysis, provided that the
Home Network area, and the Backbone boundary must be defined in advance. The traffic going
through the interfaces on the Backbone boundary is classified as Backbone traffic. Users can
realize the traffic delivered through their backbone network and the traffic status of each core
router from Backbone traffic reports. Backbone traffic reports include: Summary Report, and Core
Router. In following sections, we will introduce how to query various Backbone traffic reports.
When users click on the unfolding mark of Report / Backbone, all its sub menus will be unfolded
including Summary Report, and Core Router.
7.3.1
Summary Report
The summary report of the Backbone traffic presents the traffic analysis about the traffic from the
Internet/Home Network through Backbone to the Internet/Home Network in a macroscopic view.
With the Backbone summary report, users can briefly know their Internet traffic. Click on the
Summary Report sub menu of Report / Backbone menu to enter the Summary Report window.
The system will display various analysis reports for Backbone traffic according to the selected
traffic unit, time interval, and traffic type.
Report Descriptions
Query Bar
Report Chart
according to the time interval selected by users The Y-coordinate represents traffic flow. In the
Table. The data is divided into two parts by the X-axis. The upper part represents the traffic into
Home and the lower part represents the traffic out of Home. (The objects with colors next to check
boxes indicate what traffic they are.)
246
Report Table
For Backbone summary report, this table will display four kinds of traffic statistics:
Home to Home If both the source and destination IP addresses of the Backbone traffic belong
to the Home Network IP space, the traffic will be considered as Home to Home Traffic.
Internet to Home If the destination IP address of the Backbone traffic belongs to the Home
Network IP space but the source IP address does not belong to the Home Network, the traffic
will be considered as Internet to Home Traffic.
Home to Internet If the source IP address of the Backbone traffic belongs to the Home
Network IP space but the destination IP address does not belong to the Home Network, the
traffic will be considered as Home to Internet Traffic.
Internet to Internet If both the source and destination IP addresses of the Backbone traffic do
not belong to the Home Network IP space, the traffic will be considered as Internet to Internet
Traffic, also call Transit Traffic.
7.3.2
Core Router
The report of Core Router of the Backbone traffic presents the traffic analysis related to
backbone network from core routers viewpoint. (The router with any backbone link is the core
router.) There are two kinds of reports about the core router. One displays the traffic summary for
each core router; another provides the detail traffic information for a specific core router. When
users click on the Core Router sub menu of Report / Backbone, there are two sub menus will
be shown: Compare and Detail.
7.3.2.1
Compare
The Compare report of Core Router of Backbone traffic analysis provides users the information
about the Into Backbone/Out of Backbone (Backbone Boundary to Backbone Links/Backbone
Links to Backbone Boundary) traffic for each Core Router to compare the differences with the
total amount. The Top N Report Table will display all core routers.
Click on the Compare sub menu of Core Router under the Report / Backbone menu to enter
the Compare Report window.
Report Descriptions
Query Bar
247
Report Chart
parts by the X-axis. The upper part represents the traffic into Backbone and the lower part
represents the traffic out of Backbone. In the chart, each stacked band represents one kind of
traffic and it is additive, that is to say the outer edge of all stacked bands represents the total
traffic of all bands. (The objects with colors next to check boxes indicate which router they are.)
Report Table
This table will display the traffic analyses statistics for all core routers. There are three tabs at the
right top corner of the table: Average, Current, and Maximum.
7.3.2.2
Detail
The Detail report of Core Router of Backbone traffic analysis provides the information about the
Into Backbone/Out of Backbone (Boundary to Backbone/Backbone to Boundary) traffic
aggregated according to different traffic types (Local to Local, Local to Backbone, Backbone to
Local, and Backbone to Backbone) for a specific Core Router.
Click on the Detail sub menu of Core Router under the Report / Backbone menu to enter the
Detail Report window.
248
Report Descriptions
Query Bar
Core Router: every core router (All routers with a backbone interface, also called backbone link,
are the core routers and will be listed in this drop-down list. You can check this information in the
Router configuration view list of the System/Network/Router function. )
Report Chart
Report Table
For the Detail report of Core Router of Backbone traffic analysis, this table will display four types of
traffic analysis statistics for a specific Core Router.
Local to Backbone It counts all traffic only the output interface is backbone link (interface).
Local to Local It counts all traffic both input and output interfaces are not backbone link
(interface).
Backbone to Local It counts all traffic only the input interface is backbone link (interface).
Backbone to Backbone It counts all traffic both input and output interface are backbone link
(interface).
249
7.4
Router
Router menu provides various built-in reports for the traffic analysis of each router configured in
the system. Users can obtain the information of the total ingress/egress traffic, the device utilization
of CPU and memory, the BGP message (the BGP lookup function must be enabled), and BGP next
hops of each router configured in the system. In following sections, we will introduce how to query
various Router traffic reports. For the traffic of each interface on routers, please check out the
Report / Interface menu.
When users click on the unfolding mark of Report / Router, all its sub menus will be unfolded
including Traffic, Performance, BGP Message, and BGP Next Hop.
7.4.1
Traffic
The Traffic report of the router presents the traffic analysis for every single router. With this report,
users can know the ingress/egress traffic of each router. Click on the Traffic sub menu of Report
/ Router menu to enter the Traffic Report window. The system will display various analysis
reports for Router traffic according to the selected router group, traffic unit, and time interval. The
Top N Report Table will display all routers.
Report Descriptions
Query Bar
Router Group: All routers (default) and the defined router groups (All router groups defined in
the Group menu of System Admin / Network / Preferences will be shown here. If you select
one specific group, Report Table will only display the traffic analyses for the routers configured in
this group. Otherwise, it will display all routers configured in the system.)
Chart: there is only one type of output report charts provided Stacked Chart.
Report Chart
This report is presented as a stacked chart. The X-coordinate represents time and will be
converted according to the time interval selected by users The Y-coordinate represents traffic flow.
250
The data is divided into two parts by the X-axis. The upper part represents the traffic into Router
and the lower part represents the traffic out of Router. In the chart, each stacked band represents
the traffic of a router and it is additive, that is to say the outer edge of all stacked bands represents
the total traffic of all bands. The objects with colors below the chart indicate which router they are.
Report Table
This table will display the traffic analyses statistics for all routers. There are three tabs at the right
top corner of the table: Average, Current, and Maximum.
Chart. So that users can compare different routers of traffic clearly by unselecting the router and
7.4.2
Performance
The Performance report of the router presents the information about the CPU and memory
utilization for every configured router. It uses SNMP polling to collect data. With this report, users
can take the precaution against any overload in advance. Click on the Performance sub menu
of Report / Router menu to enter the Performance Report window. The system will display
various analysis reports for Router traffic according to the selected router group, and time
interval.
Report Descriptions
Query Bar
Router Group: All routers (default) and the defined router groups (All router groups defined in
the Group menu of System Admin / Network / Preferences will be shown here. If you select
one specific group, Report Table will only display the traffic analyses for the routers configured in
this group. Otherwise, it will display all routers configured in the system.)
251
Report Chart
There are two line charts displayed here: CPU Usage, and Memory Usage. The first one is the
CPU utilization chart and the second one is the Memory utilization chart for the selected router
group. The X-coordinate represents time and will be converted according to the time interval
selected by users. The Y-coordinate represents the percentage of the utilization. In the chart, the
line represents the utilization of the selected router. The objects with colors below the chart
indicate which router they are.
Report Table
This table will display the percentage of CPU and memory utilization for every router in the
selected router group. There are three tabs at the right top corner of the table: Average, Current,
and Maximum.
Chart. So that users can compare different routers of utilization clearly by unselecting the router
and leave those they want. An All check box for users to conveniently select all check boxes at
once. Please click on Submit button (in Query Bar) to refresh the screen for your selection. In
addition, users can use Download Excel-XML button to download tabular data of the table with
XML file, which can be read by the Excel program. The downloaded file will separate the Average,
Current, and Maximum tables into three different worksheets.
7.4.3
BGP Message
The BGP Message traffic analysis of Router report provides the update information about BGP
message for a single Router at a time. This report provides similar statistic information of
Neighbor BGP Message report, but it does not display ANN message type statistics. This is
because ANN is related to a specific Neighbor. Each row of Report Table will display message
type, number of message, and total percentage.
Click on the BGP Message sub menu of Report / Router menu to enter the BGP Message
Report window.
Report Descriptions
Query Bar
252
Report Chart
There are two line charts displayed here: All Prefixes on Router, and BGP Messages.
The first one displays the total number of routes (prefixes) learned from the router within the
selected time interval. The X-coordinate represents time and will be converted according to the
time interval selected by users. The Y-coordinate represents number of prefixes.
The second one displays the variation of different types of messages within the selected time
interval. The X-coordinate represents time and will be converted according to the time interval
selected by users. The Y-coordinate represents number of messages (per 5 minutes). The objects
with colors below the chart indicate what message types they are.
Report Table
For the BGP message information of Router report, this table will display five statistic types of BGP
messages for a specific router.
AADIFF -- A route is withdrawn implicitly and replaced with a different route when the original
route turns into unreachable, or an alternative path preferred turns into available. AADIFF is
classified as forwarding instability.
AADUP -- A route is withdrawn implicitly and replaced with a duplicate of the original route. A
duplicate route is defined as a subsequent route announcement that has the same nexthop or
AS-path attribute information. AADUP may reflect pathological behavior because a router should
only send a BGP update for a change in topology or policy. AADUP may also reflect policy
fluctuation as subsequent route announcements may be different in other attributes such as
MED and Aggregator.
TUP -- A previously unavailable route is announced as available. This represents a route repair.
TDOWN -- A previously available route is withdrawn. This represents a route failure.
UPDATES -- BGP updates (AADIFF + AADUP+ TUP + TDOWN).
There are three tabs at the right top corner of the table: Average, Current, and Maximum.
Chart. So that users can compare different types of BGP message clearly by unselecting the
message type and leave those they want. An All check box for users to conveniently select all
253
7.4.4
BGP Next Hop

The BGP Next Hop traffic analysis of Router report provides the information about BGP next
hops of a specific router. This report displays the top N (N: maximum = 128; default = 25) listing
for the traffic of looked up BGP next hop with the IP address. The Report Table contains BGP
Next Hop IP address, traffic value and total percentage. The Total row is the sum of routers
egress traffic.
Click on the BGP Next Hop sub menu of Report / Router menu to enter the BGP Next Hop
Report window.
Report Descriptions
Query Bar
Report Chart
The chart (above the X-axis) represents the traffic out of Router. In the chart, each stacked band
represents one kind of traffic and it is additive, that is to say the outer edge of all stacked bands
represents the total traffic of all bands. (The objects with colors next to check boxes indicate which
next hop they are.)
Report Table
254

Chart. So that users can compare different routers of traffic clearly by unselecting the router and
7.4.5
MPLS
The MPLS traffic analysis of Router report provides both overall and detailed MPLS
(Multi-protocol Label Switching) traffic analyses. GenieATM will collect MPLS traffic via retrieving
NetFlow V9 packets from each router (NetFlow V9 packets can carry MPLS traffic information).
The reports will be presented for each router (since there is no way to know if the router enables
NetFlow V9 and MPLS or not) and will be empty if the router does not get NetFlow V9 and MPLS
enabled. There are three kinds of reports supported for MPLS traffic including Summary, Class
of services, and Egress PE reports.
When users click on the unfolding mark of MPLS under the Report / Router menu, all its sub
menus will be unfolded including Summary Report, Class of Services, and Egress PE.
7.4.5.1
Summary Report
The summary report of the MPLS traffic presents the traffic analysis for each routers ingress and
egress traffic carried by MPLS packets, and also the total MPLS and non-MPLS traffic of the
router. With the MPLS summary report, users can know how much MPLS traffic running on each
router. Up to top 64 MPLS labels will be saved to DB and top N (N: default = 25) will be displayed
and each in a row. Each row will display the following information: MPLS labels, into router traffic,
out of router traffic, sum traffic, and total percentage.
Click on the Summary Report sub menu of MPLS under the Report / Router menu to enter the
Summary Report window.
Report Descriptions
Query Bar
255
Chart. The default setting is stacked chart. Both
Report Chart
The chart (above the X-axis) represents the traffic out of router. In the chart, each stacked band
represents the total traffic of all bands. (The objects with colors next to check boxes indicate which
MPLS label they are.)
Report Table
Chart. So that users can compare different MPLS label of traffic clearly by unselecting the label
7.4.5.2
Class of Services
There are three class of services used to feature MPLS: CAR, WRED, and WFQ. CAR uses
TOS bits in IP header to classify packets according to the input and output transmission rate.
Therefore, this report will aggregate the router input traffic according to the SRC_TOS if
256
MPLS_LABEL_1 exists and the router output traffic according to DST_TOS if MPLS_LABEL_1
exists. Up to top 64 CoS values will be saved to DB and top N (N: default = 25) will be displayed
and each in a row. Each row will display the following information: CoS values, into router traffic,
out of router traffic, sum traffic, and total percentage.
Click on the Class of Services sub menu of MPLS under the Report / Router menu to enter the
Class of Services Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Summary Report section of Report / Router /
MPLS for details.
Except the data listed in Report Table is different, other descriptions are all the same. For Class o
Services reports, the Report Table will display top N CoS.
7.4.5.3
Egress PE
When the MPLS_TOP_LABEL_IP_ADDR is not zero and label type is LDP, the traffic will be
aggregated according to the values of MPLS_TOP_LABEL_IP_ADDR. Up to top 64 IP
addresses will be saved to DB and top N (N: default = 25) will be displayed and each in a row.
Each row will display the following information: IP addresses, egress traffic, and total
percentage.
Click on the Egress PE sub menu of MPLS under the Report / Router menu to enter the Egress
PE Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Summary Report section of Report / Router /
MPLS for details.
Except the data listed in Report Table is different, other descriptions are all the same. For Egress
PE reports, the Report Table will display top N IP addresses.
257
7.5
Interface
Interface menu provides various built-in reports for the traffic analysis of each interface on routers
configured in the system. Users cannot only compare the total traffic in/out of each interface for a
specific router but also obtain the detail traffic analysis for each interface of the router. In addition,
Interface menu also provides common attribute analysis reports for each interface. In following
sections, we will introduce how to query various Interface traffic reports.
When users click on the unfolding mark of Report / Interface, all its sub menus will be unfolded
including Compare, Detail, Top Talker, and Attribute Report.
7.5.1
Compare
The Compare report of Interface traffic analysis provides users the information about the Into
Router/Out of Router traffic for each available interface on the router to compare the differences
with the total amount. The Top N Report Table will display all interfaces in a router.
Click on the Compare sub menu of Report / Interface menu to enter the Compare Report
window.
Report Descriptions
Query Bar
258
Report Chart
The data is divided into two parts by the X-axis. The upper part represents the traffic into Router
and the lower part represents the traffic out of Router. In the chart, each stacked band represents
one kind of traffic and it is additive, that is to say the outer edge of all stacked bands represents the
total traffic of all bands. (The objects with colors next to check boxes indicate which interface they
are.)
Report Table
This table will display the traffic analyses statistics for all available interfaces on the selected router.
Chart. So that users can compare different interfaces of traffic clearly by unselecting the interface
once. Please click on Submit button (in Query Bar) to refresh the screen for your selection.
(The top 5 interfaces will be the default selections for the line chart. Users can select more (up to
16) interfaces to add them into the report chart. The total row will be the ingress/egress traffic of the
selected router.) In addition, users can use Download Excel-XML button to download tabular
In addition, users can inspect the detail information via click on Snapshot button. A Snapshot
window with the analysis criteria popped up. The snapshot scope of this page will be locked as the
queried criterion and the checked entries in the list table are considered as source parameters.
Users also can keep the wanted entries to perform the Snapshot. Since the most operations are
the same as the Snapshot main menu, please refer to Snapshot menu (on the Main Menu tree) for
more detail function information.
7.5.2
Detail
The Detail report of Interface traffic analysis provides the information about the Into Router/Out
of Router traffic aggregated according to different traffic types (NetFlow Traffic (bps), SNMP
Traffic (bps), NetFlow Traffic(pps), SNMP Traffic (pps), SNMP Discard, SNMP CRC Error, and
SNMP Multicast/Broadcast) for each available interface on the router. Note that the traffic data of
this report is collected from both the NetFlow records and SNMP Polling. So, users must enable
the SNMP Monitor when configuring the interface.
Click on the Detail sub menu of Report / Interface menu to enter the Detail Report window.
Report Descriptions
Query Bar
Router: every router configured in the system.
259
Interface: every available interface on the selected router. (It will be converted according to the
router selected in the Router drop-down list.)
Report Chart
according to the time interval selected by users The Y-coordinate represents traffic flow. The data
is divided into two parts by the X-axis. The upper part represents the traffic into Interface and the
lower part represents the traffic out of Interface. (The objects with colors next to check boxes
indicate what traffic type they are.)
Report Table
For the Detail report of Interface of Router traffic analysis, this table will display seven types of
statistics related to layer 2 & layer 4 traffic for a specific interface.
NetFlow Traffic (bps)
SNMP Traffic (bps)
NetFlow Traffic (pps)
SNMP Traffic (pps)
SNMP Discard
SNMP CRC Error
SNMP Multicast/Broadcast
types of traffic clearly by unselecting the traffic type and leave those they want. An All check box
for users to conveniently select all check boxes at once. Please click on Submit button (in
Query Bar) to refresh the screen for your selection. (Default types of traffic drawn in the report
chart are NetFlow Traffic and SNMP Traffic.) In addition, users can use Download Excel-XML
260
7.5.3
Top Talker
The Top Talker traffic analysis of Interface report provides the top N listing for the traffic of IP
address within interfaces. Because the number of IP addresses may be large, therefore, only top
128 IP addresses will be saved to DB. The top N (N: default = 25) IP addresses will be displayed
and each in a row. Each row of Report Table will display ingress, egress and sum traffic for each
IP address. Click on the Top Talker sub menu of Report / Interface menu to enter the Top
Talker Report window.
Report Descriptions
Query Bar
Router: every router configured in the system.
Interface: every available interface on the selected router. (It will be converted according to the
router selected in the Router drop-down list.)
Report Chart
parts by the X-axis. The upper part represents the traffic into Interface and the lower part
represents the traffic out of Interface. In the chart, each stacked band represents one kind of
traffic of all bands. (The objects with colors next to check boxes indicate which IP address they
are.)
261
Report Table
This table will display top N IP addresses within the selected interface. There are three tabs at the
right top corner of the table: Average, Current, and Maximum.
Chart. So that users can compare different IP addresses of traffic clearly by unselecting the IP
address and leave those they want. An All check box for users to conveniently select all check
boxes at once. Please click on Submit button (in Query Bar) to refresh the screen for your
selection. In addition, users can use Download Excel-XML button to download tabular data of
the table with XML file, which can be read by the Excel program. The downloaded file will separate
the Average, Current, and Maximum tables into three different worksheets.
7.5.4
Attribute Report
common attribute reports, users can understand how their network resources are actually been
using. The attribute report of the Interface traffic has five kinds: Application, Protocol,
When users click on the unfolding mark of Attribute Report under the Report / Interface menu,
Packet Size.
7.5.4.1
Application
The Application traffic analysis of Interface attribute report provides the information about the
ingress/egress (Into Interface/Out of Interface) traffic from a specific interface, which is
separately for different traffic directions. Up to top 128 applications will be saved to DB. The top
N (N: default = 25) applications will be displayed and each in a row.
In this report, users can obtain not only the traffic Into Interface and Out of Interface for
applications but also the traffic between the Request side and the Response side. For example,
when a client issues a request to a server, the traffic belongs to Request traffic; when a server
replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a
client is the Request side.) A Service drop-down list is provided for users to select the traffic
direction. There are items selectable, Inside, and Outside. Inside means the server is inside the
entity (Home Network, Sub-Network) and represents the data of Request of Ingress traffic or
the data of Response of Egress traffic. Outside means the server is outside the entity and
represents the data of Response of Ingress traffic or the data of Request of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Interface menu to
262
Report Descriptions
Please refer to the Report Descriptions part in the Top Talker section of Report / Interface for
details.
7.5.4.2
Protocol
The Protocol traffic analysis of Interface attribute report provides the information about the
Report Table will display the Into Interface/Out of Interface traffic for the protocol and the value in
the Sum column is the total amount of the Into Interface and Out of Interface traffic.
Click on the Protocol sub menu of Attribute Report under the Report / Interface menu to enter
the Protocol Report window.
Report Descriptions
details.
7.5.4.3
Protocol+Port
The Protocol+Port traffic analysis of Interface attribute report provides the information about the
aggregated according to protocol plus port number (service) for TCP and UDP (if it is for ICMP,
the traffic will be aggregated according to the code and type of the ICMP). Each row of Report
Table will display the Into Interface/Out of Interface traffic for the protocol+port (service) and the
value in the Sum column is the total amount of the Into Interface and Out of Interface traffic. The
top 128 will be stored to database and top N (N: default = 25) will be displayed for report.
In this report, users can obtain not only the traffic Into Interface and Out of Interface for the
service (protocol+port), but also the traffic between the Request side and the Response side.
For example, when a client issues a request to a server, the traffic belongs to Request traffic;
when a server replies to a client, the traffic belongs to Response traffic. (A server is the
Response side and a client is the Request side.) A Service drop-down list is provided for users to
select the traffic direction. There are two items selectable, Inside, and Outside. Inside means
the server is inside the entity (Home Network, Sub-Network) and represents the data of
Request of Ingress traffic or the data of Response of Egress traffic. Outside means the server
is outside the entity and represents the data of Response of Ingress traffic or the data of Request
of Egress traffic.
Click on the Protocol+Port sub menu of Attribute Report under the Report / Interface menu to
enter the Protocol+Port Report window.
263
Report Descriptions
details.
7.5.4.4
TOS
The TOS traffic analysis of Interface attribute report provides the information about the
Interface/Out of Interface traffic for the TOS and the value in the Sum column is the total amount
of the Into Interface and Out of Interface traffic. Totally, top 128 TOS will be stored to database
and top N (N: default = 25) will be displayed for report.
Click on the TOS sub menu of Attribute Report under the Report / Interface menu to enter the
TOS Report window.
Report Descriptions
details.
7.5.4.5
Packet Size
The Packet Size traffic analysis of Interface attribute report provides the information about the
192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and
>1536.
Click on the Packet Size sub menu of Attribute Report under the Report / Interface menu to
Report Descriptions
details.
264
7.6
Sub-Network
Sub-Network menu provides various built-in reports for traffic analysis within a sub-network itself,
between sub-networks, between a sub-network and other sub-networks, and between a
sub-network and Neighbor ASes. The traffic data of Sub-Network report is collected from the
Sub-Network boundaries defined in the system. There are three types of analysis reports for
Sub-Network traffic: Summary Report, Breakdown Report, and Attribute Report. In following
sections, we will introduce how to query various Sub-Network traffic reports.
When users click on the unfolding mark of Report / Sub-Network, all its sub menus will be
unfolded including Summary Report, Breakdown Report, and Attribute Report.
7.6.1
Summary Report
The summary report of the Sub-Network traffic presents the traffic analysis about the
sub-network from the viewpoints of comparing the total traffic of each sub-network with a
sub-network group and analyzing the detail traffic of one sub-network. With the Sub-Network
summary report, users can briefly know not only the total traffic of each sub-network but also the
detail traffic analysis for each sub-network. When users click on the Summary Report sub menu
of Report / Sub-Network, there are two sub menus will be shown: Compare and Detail.
7.6.1.1
Compare
The Compare traffic analysis of Sub-Network summary report provides users the information
about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for each sub-network
itself to compare the differences with the total amount. The Into Sub-Network traffic includes the
traffic from Home and the Internet to the sub-network; the Out of Sub-Network traffic includes the
traffic from the sub-network to Home and the Internet. The Top N Report Table will display all
sub-networks (N: maximum = 300).
Click on the Compare sub menu of Summary Report under the Report / Sub-Network menu to
enter the Compare Report window.
Report Descriptions
Query Bar
Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups (All
Sub-Network groups defined in the Group menu of System Admin / Network / Preferences will
be shown here.)
265
Report Chart
parts by the X-axis. The upper part represents the traffic into sub-network and the lower part
represents the traffic out of sub-network. In the chart, each stacked band represents one kind of
traffic of all bands. (The objects with colors next to check boxes indicate which sub-network
traffic they are.)
Report Table
This table will display the traffic analyses statistics for all sub-networks that configured in the
system or some if you selected some specific group in the Sub-Network Group drop-down list (In
Query Bar) to view. There are three tabs at the right top corner of the table: Average, Current, and
Maximum.
Chart. So that users can compare different sub-networks of traffic clearly by unselecting the
sub-network and leave those they want. An All check box for users to conveniently select all
7.6.1.2
Detail
The Detail traffic analysis of Sub-Network summary report provides the information about the
average/current/maximum traffic aggregated according to different traffic types (Home to
Sub-Network, Sub-Network to Home, Internet to Sub-Network, and Sub-Network to Internet) for
a specific sub-network.
Click on the Detail sub menu of Summary Report under the Report / Sub-Network menu to
enter the Detail Report window.
Report Descriptions
Query Bar
266
be shown here.)
Sub-Network: every sub-network configured in the Sub-Network group (It will be converted
according to the group selected in the Sub-Network Group drop-down list.)
Report Chart
Report Table
For the Detail traffic analysis of Sub-Network summary report, this table will display four types of
traffic analysis statistics for a specific sub-network.
Home to Sub-Network It counts all traffic that the source IP address belongs to the Home
Network area, and the destination IP address belongs to any existing sub-network area.
Sub-Network to Home It counts all traffic that the destination IP address belongs to the Home
Network area, and the source IP address belongs to any existing sub-network area.
Internet to Sub-Network It counts all traffic that the source IP address does not belong to the
Home Network area, and the destination IP address belongs to any existing sub-network area.
Sub-Network to Internet It counts all traffic that the destination IP address does not belong to
the Home Network area, and the source IP address belongs to any existing sub-network area.
267
7.6.2
Breakdown Report
in some kind of specific traffic. The breakdown report of the Sub-Network traffic provides the
traffic analysis between a sub-network and other sub-networks, between a sub-network and
other Neighbor entities, between a sub-network and origin ASes, and for top N IP addresses with
sub-networks. There are four kinds of breakdown reports: Sub-Network, Neighbor ASN, Origin
ASN, and Top Talker. Since the number of sub-networks/Neighbor entities and IP addresses
may be very large, the data aggregated will be saved for every 30 minutes.
When users click on the unfolding mark of Breakdown Report under the Report / Sub-Network
menu, all its sub menus will be unfolded including Sub-Network, Neighbor ASN, Origin ASN,
and Top Talker.
7.6.2.1
Sub-Network
The Sub-Network traffic analysis of Sub-Network breakdown report provides the traffic
information between a specific sub-network and every other sub-network within a specific
sub-network group. Each row of Report Table will display ingress (Into Sub-Network), egress
(Out of Sub-Network) and sum traffic for each Sub-Network. And the maximum number for the
listed sub-network in Report Table is 300. Click on the Sub-Network sub menu of Breakdown
Report under the Report / Sub-Network menu to enter the Sub-Network Report window.
Report Descriptions
Query Bar
be shown here.)
Sub-Network: every sub-network configured in the Sub-Network group (It will be converted
according to the group selected in the Sub-Network Group drop-down list.)
268
Report Chart
parts by the X-axis. The upper part represents the traffic into sub-network and the lower part
represents the traffic out of sub-network from a specific sub-network selected. In the chart, each
stacked band represents one kind of traffic and it is additive, that is to say the outer edge of all
stacked bands represents the total traffic of all bands. (The objects with colors next to check
boxes indicate which sub-network they are.)
Report Table
Chart. So that users can compare different sub-networks of traffic clearly by unselecting the
sub-network and leave those they want. An All check box for users to conveniently select all
7.6.2.2
Sub-Network Matrix
The Sub-Network Matrix analysis report provides the crossing report of the sub-networks. Click
on the Sub-Network Matrix sub menu of Breakdown Report under the Report / Sub-Network
menu to enter the Sub-Network Matrix Report window.
Report Descriptions
There are two parts in the Traffic Report window: Query Bar, and Report Table.
Query Bar
be shown here.)
Period: daily, weekly, and monthly. In this way, three fixed time intervals are provided to present
analysis report with an end time specified from the Until drop-down list.
Until: year, month, and date. It represents the end time of reports time interval.
Submit : after finishing the query conditions, click on this button to submit the query. In addition,
users can use Download Excel-XML button to download tabular data of the table with XML
Report Table
The first column shows the sequence number to mark the sub-network and the second shows
the sun-network name. Besides, the top row shows the sequence number just like the first
column to mark the sub-network. The sub-network listed in the second column is the source
sub-network and the sub-network listed in the top row is the direction sub-network. So, users can
easily to know the traffic information of a sun-network to all other sub-networks.
269
7.6.2.3
Neighbor ASN
The Neighbor ASN traffic analysis of Sub-Network breakdown report provides the traffic
information about the traffic through each Neighbor AS (defined in the system) to/from a
specific sub-network. And the maximum number for the listed Neighbor ASes in Report Table is
128. Each row of Report Table will display ingress, egress and sum traffic for each Neighbor AS.
Click on the Neighbor ASN sub menu of Breakdown Report under the Report / Sub-Network
menu to enter the Neighbor ASN Report window.
Report Descriptions
of Report / Sub-Network for details.
Except the data listed in Report Table are different, other descriptions are all the same. For
Neighbor ASN breakdown reports, the Report Table will display the traffic between a specific
sub-network and the Neighbor entities. In addition, users can inspect the detail information via click
on Snapshot button. A Snapshot window with the analysis criteria popped up. The snapshot
scope of this page will be locked as the queried criterion and the checked entries in the list table
are considered as source parameters. Users also can keep the wanted entries to perform the
Snapshot. Since the most operations are the same as the Snapshot main menu, please refer to
Snapshot menu (on the Main Menu tree) for more detail function information.
7.6.2.4
Neighbor Matrix
The Neighbor Matrix analysis report provides the crossing report of the sub-networks in the
specified sub-network group to all specified Neighbors in the Neighbor group. Click on the
Neighbor Matrix sub menu of Breakdown Report which is under the Report / Sub-Network
menu to enter the Neighbor Matrix Report window.
Report Descriptions
There are two parts in the Traffic Report window: Query Bar, and Report Table.
Query Bar
be shown here.)
Neighbor Group: All Neighbors (default) and the defined Neighbors groups (All Neighbors
groups defined in the Group menu of System Admin / Network / Preferences will be shown
here.)
Period: daily, weekly, and monthly. In this way, three fixed time intervals are provided to present
analysis report with an end time specified from the Until drop-down list.
Until: year, month, and date. It represents the end time of reports time interval.
Submit : after finishing the query conditions, click on this button to submit the query. In addition,
users can use Download Excel-XML button to download tabular data of the table with XML
Report Table
The first column shows the sequence number to mark the sub-network and the second shows the
sun-network name. Besides, the top row shows the Neighbors name. The traffic direction is from a
sub-network to all the specified neighbors. So, users can easily to know the traffic information of all
sub-networks in the specified sub-network group to all neighbors in the specified neighbor group.
270
7.6.2.5
Origin ASN
The Origin ASN traffic analysis of Sub-Network breakdown report provides the top N listing for
Origin AS traffic into/out of a specific sub-network. Because the number of Origin ASes may be
large, therefore, only top 128 ASNs will be saved to DB. The top N (N: default = 25) ASNs will be
Report / Sub-Network menu to enter the Origin ASN Report window.
Report Descriptions
ASN reports, the Report Table will display top N Origin ASNs. In addition, users can inspect the
detail information via click on Snapshot button. A Snapshot window with the analysis criteria
popped up. The snapshot scope of this page will be locked as the queried criterion and the
checked entries in the list table are considered as source parameters. Users also can keep the
wanted entries to perform the Snapshot. Since the most operations are the same as the Snapshot
main menu, please refer to Snapshot menu (on the Main Menu tree) for more detail function
information.
7.6.2.6
Top Talker
The Top Talker traffic analysis of Sub-Network breakdown report provides the Inside/Outside top
N listing for the traffic of IP address within/outside sub-networks. Because the number of IP
addresses may be large, therefore, only top 128 IP addresses will be saved to DB. The top N (N:
default = 25) IP addresses will be displayed and each in a row. Each row of Report Table will
display ingress, egress and sum traffic for each IP address. Click on the Top Talker sub menu of
Breakdown Report under the Report/Sub-Network menu to enter the Top Talker Report
window.
Report Descriptions
Except the data listed in Report Table is different, other descriptions are all the same. Furthermore,
the tab Usage is supported here. For Top Talker reports, the Report Table will display inside top
N IP addresses within sub-network entities. Besides, the IP addresses which are out of
sub-network also can browse when users set Talker as outside to view report. In addition, users
can inspect the detail information via click on Snapshot button. A Snapshot window with the
analysis criteria popped up. The snapshot scope of this page will be locked as the queried criterion
and the checked entries in the list table are considered as source parameters. Users also can keep
the wanted entries to perform the Snapshot. Since the most operations are the same as the
Snapshot main menu, please refer to Snapshot menu (on the Main Menu tree) for more detail
function information.
271
7.6.3
Attribute Report
been using. The attribute report of the Sub-Network traffic has five kinds: Application, Protocol,
When users click on the unfolding mark of Attribute Report under the Report / Sub-Network
menu, all its sub menus will be unfolded including Application, Protocol, Protocol+Port, TOS,
and Packet Size.
7.6.3.1
Application
The Application traffic analysis of Sub-Network attribute report provides the information about
the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network,
which is aggregated according to the user defined application groups on source and destination
ports separately for different traffic directions. Up to top 128 applications will be saved to DB. The
top N (N: default = 25) applications will be displayed and each in a row.
In this report, users can obtain not only the traffic Into Sub-Network and Out of Sub-Network for
direction. There are three items selectable, Both, Inside, and Outside. Both represents the sum
of Request and Response of Ingress or Egress traffic. Inside means the server is inside the
entity (Home Network, Sub-Network) and represents the data of Request of Ingress traffic or
the data of Response of Egress traffic. Outside means the server is outside the entity and
represents the data of Response of Ingress traffic or the data of Request of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Sub-Network menu
to enter the Application Report window.
Report Descriptions
Application reports, the Report Table will display top N Applications. In addition, users can inspect
the detail information via click on Snapshot button. A Snapshot window with the analysis
criteria popped up. The snapshot scope of this page will be locked as the queried criterion and the
checked entries in the list table are considered as source parameters. Users also can keep the
wanted entries to perform the Snapshot. Since the most operations are the same as the Snapshot
main menu, please refer to Snapshot menu (on the Main Menu tree) for more detail function
information.
7.6.3.2
Protocol
The Protocol traffic analysis of Sub-Network attribute report provides the information about the
ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, which is
Report Table will display the Into Sub-Network/Out of Sub-Network traffic for the protocol and the
value in the Sum column is the total amount of the Into Sub-Network and Out of Sub-Network
traffic.
272
Click on the Protocol sub menu of Attribute Report under the Report / Sub-Network menu to
enter the Protocol Report window.
Report Descriptions
reports, the Report Table will display top N Protocols. In addition, the snapshot function also
provide for user to inspect the detail information. The detail information please refer to Application
section of Report/Sub-Network/Attribute Report.
7.6.3.3
Protocol+Port
The Protocol+Port traffic analysis of Sub-Network attribute report provides the information about
which is aggregated according to protocol plus port number (service) for TCP and UDP (if the
ICMP, the traffic will be aggregated according to the code and type of the ICMP). Each row of
Report Table will display the Into Sub-Network/Out of Sub-Network traffic for the protocol+port
(service) and the value in the Sum column is the total amount of the Into Sub-Network and Out of
Sub-Network traffic. The top 128 will be stored to database and top N (N: default = 50) will be
displayed for report.
In this report, users can obtain not only the traffic Into Sub-Network and Out of Sub-Network for
the service (protocol+port), but also the traffic between the Request side and the Response side.
For example, when a client issues a request to a server, the traffic belongs to Request traffic;
when a server replies to a client, the traffic belongs to Response traffic. (A server is the
Response side and a client is the Request side.) A Service drop-down list is provided for users to
select the traffic direction. There are two items selectable, Inside, and Outside. Inside means
the server is inside the entity (Home Network, Sub-Network) and represents the data of
Request of Ingress traffic or the data of Response of Egress traffic. Outside means the server
is outside the entity and represents the data of Response of Ingress traffic or the data of Request
of Egress traffic.
Click on the Protocol+Port sub menu of Attribute Report under the Report/Sub-Network
menu to enter the Protocol+Port Report window.
Report Descriptions
Protocol+Port reports, the Report Table will display top N Protocol+Port (services). In addition, the
snapshot function also provide for user to inspect the detail information. The detail information
please refer to Application section of Report/Sub-Network/Attribute Report.
273
7.6.3.4
TOS
The TOS traffic analysis of Sub-Network attribute report provides the information about the
ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, which is
Sub-Network/Out of Sub-Network traffic for the TOS and the value in the Sum column is the total
amount of the Into Sub-Network/Out of Sub-Network traffic. Totally, top 128 TOS will be stored to
database and top N (N: default = 25) will be displayed for report.
Click on the TOS sub menu of Attribute Report under the Report / Sub-Network menu to enter
the TOS Report window.
Report Descriptions
reports, the Report Table will display top N TOSes. In addition, the snapshot function also provide
for user to inspect the detail information. The detail information please refer to Application section
of Report/Sub-Network/Attribute Report.
7.6.3.5
Packet Size
The Packet Size traffic analysis of Sub-Network attribute report provides the information about
which is aggregated according to the packet size. The packet size is calculated by dividing the
bytes with number of packets. The packet size segments are: <32, 32-64, 64-96, 96-128,
128-160, 160-192, 192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024,
1024-1536, and >1536.
Click on the Packet Size sub menu of Attribute Report under the Report / Sub-Network menu
to enter the Packet Size Report window.
Report Descriptions
Size reports, the Report Table will display all segments of Packet Size. In addition, the snapshot
function also provide for user to inspect the detail information. The detail information please refer to
Application section of Report/Sub-Network/Attribute Report.
274
7.7
Server
Server menu provides various built-in reports for traffic analysis within a server itself, between
servers, between a server and other sub-networks, between a server and Neighbor ASes and
between a server and Countries. The traffic data of Server report is collected from the Server
boundaries defined in the system. There are three types of analysis reports for Server traffic:
Summary Report, Breakdown Report, Attribute Report and TopN Report. In following sections,
we will introduce how to query various Server traffic reports.
When users click on the unfolding mark of Report / Server, all its sub menus will be unfolded
7.7.1
Summary Report
The summary report of the Server traffic presents the traffic analysis about the server from the
viewpoints of comparing the total traffic of each server-farm group and analyzing the detail traffic
of server hosts in the server-farm. With the Server summary report, users can briefly know not
only the total traffic of each server but also the detail traffic analysis for server. When users click
on the Summary Report sub menu of Report / Server, there are two sub menus will be shown:
Compare and Detail.
7.7.1.1
Compare
The Compare traffic analysis of Server summary report provides users the information about the
ingress/egress (Into Server/Out of Server) traffic for all server-farms to compare the differences
with the total amount. The Top N Report Table will display all Server-farms.
Click on the Compare sub menu of Summary Report under the Report / Server menu to enter
the Compare Report window.
Report Descriptions
Query Bar
Server-farm Group: All server-farms (default) and the defined server-farm groups (All
server-farm groups defined in the Group menu of System Admin / Preferences will be shown
here).
Unit: bps (bit per second), pps (packet per second) and conn (connections in 5 minute).
275
Note
1.
2.
A connection is a connected client-server IP pair where the client builds the connection
with the server.
Only legal TCP protocol is supported for connection counting. Therefore, when the
receiving TCP flows flag equals SYN only or SYN+ACK only, the IP pair will not be
treated as a legal connection.
Report Chart
parts by the X-axis. The upper part represents the traffic into Server-farm and the lower part
represents the traffic out of Server-farm. In the chart, each stacked band represents one kind of
traffic of all bands. (The objects with colors next to check boxes indicate which server-farm traffic
they are.)
Report Table
This table will display the traffic analyses statistics for all server-farms that configured in the system
or some if you selected some specific server-farm from drop-down list (In Query Bar) to view.
Chart. So that users can compare different Server-farms traffic clearly by unselecting the
Server-farm and leave those they want. An All check box for users to conveniently select all
7.7.1.2
Detail
The Detail traffic analysis of Server summary report provides the information about the
average/current/maximum traffic aggregated according to each server IP (Into to Server-Farm
and Out of Server-Farm) for a specific Server-farm.
Click on the Detail sub menu of Summary Report under the Report / Server menu to enter the
Detail Report window.
276
Report Descriptions
Query Bar
here).
Server-farm: every server-farm configured in the Server-farm group (It will be converted
according to the group selected in the Server-farm Group drop-down list.)
Unit: bps (bit per second), pps (packet per second) and conn (connections in 5 minute).
Note
1.
2.
A connection is a connected client-server IP pair where the client builds the connection
with the server.
Only legal TCP protocol is supported for connection counting. Therefore, when the
receiving TCP flows flag equals SYN only or SYN+ACK only, the IP pair will not be
treated as a legal connection.
Report Chart
It is a Stacked Chart. The X-coordinate represents time and will be converted according to the time
parts by the X-axis. The upper part represents the traffic into Server-farm and the lower part
represents the traffic out of Server-farm. In the chart, each stacked band represents one kind of
traffic and it is additive, that is to say the outer edge of all stacked bands represents the total traffic
of all bands. (The objects with colors next to check boxes indicate which server-farm traffic they
are.)
Report Table
277
Chart. So that users can compare different server hosts of traffic in the server-farm clearly. An All
check box for users to conveniently select all check boxes at once. Please click on Submit
button (in Query Bar) to refresh the screen for your selection. In addition, users can use
Download Excel-XML button to download tabular data of the table with XML file, which can be
read by the Excel program. The downloaded file will separate the Average, Current, and Maximum
tables into three different worksheets.
7.7.2
Breakdown Report
in some kind of specific traffic. The breakdown report of the Server traffic provides the traffic
analysis between a server-farm and other network objects. There are four kinds of breakdown
reports: Sub-Network, Neighbor ASN, Origin ASN, and Area. Since the number of
sub-networks/Neighbor entities and IP addresses may be very large, the data aggregated will be
saved for every 30 minutes.
When users click on the unfolding mark of Breakdown Report under the Report / Server menu,
all its sub menus will be unfolded including Sub-Network, Neighbor ASN, Origin ASN, and
Area.
7.7.2.1
Sub-Network
The Sub-Network traffic analysis of Server-farm breakdown report provides the traffic
information between a specific server-farm and sub-networks. Each row of Report Table will
display Into Server-farm, Out of Server-farm and sum traffic for each sub-network. And the
maximum number for the listed sub-network in Report Table is 300. Click on the Sub-network
sub menu of Breakdown Report under the Report/Server menu to enter the Sub-Network
Report window.
Report Descriptions
Query Bar
here).
278
Report Chart
parts by the X-axis. The upper part represents the traffic into server-farm and the lower part
represents the traffic out of server-farm from a specific sub-network. In the chart, each stacked
bands represents the total traffic of all bands. (The objects with colors next to check boxes
indicate which sub-network they are.)
Report Table
Chart. So that users can compare different sub-networks of traffic into/Out of the Server-farm
clearly and leave those they want. An All check box for users to conveniently select all check
7.7.2.2
Neighbor ASN
The Neighbor ASN traffic analysis of Server breakdown report provides the traffic information
about the traffic through each Neighbor AS (defined in the system) to/from a specific
server-farm. And the maximum number for the listed Neighbor ASes in Report Table is 128.
Each row of Report Table will display ingress, egress and sum traffic for each Neighbor AS. Click
on the Neighbor ASN sub menu of Breakdown Report under the Report / Server menu to
enter the Neighbor ASN Report window.
279
Report Descriptions
of Report / Server for details.
Except the data listed in Report Table are different, other descriptions are all the same. For
Neighbor ASN breakdown reports, the Report Table will display the traffic between a specific
server-farm and the Neighbor entities.
7.7.2.3
Origin ASN
The Origin ASN traffic analysis of Server breakdown report provides the top N listing for Origin
AS traffic into/out of a specific server-farm. Because the number of Origin ASes may be large,
therefore, only top 128 ASNs will be saved to DB. The top N (N: default = 25) ASNs will be
Report / Server menu to enter the Origin ASN Report window.
Report Descriptions
7.7.2.4
Area
The Area in system or the Country is mapped by a group of IP addresses. The Area traffic
analysis of Server breakdown report provides Top N listing about the traffic of each Area
(specified in the System Admin/Preference/Name Mapping function) into/out of a specific
server-farm. And the maximum number for the listed areas in report table is 128. Each row of
Report Table will display ingress, egress and sum traffic for each area. Click on the Area sub
menu of Breakdown Report under the Report/Server menu to enter the Area Report window.
Report Descriptions
Except the data listed in Report Table is different, other descriptions are all the same. For Area
reports, the Report Table will display top N areas.
280
7.7.3
Attribute Report
been using. The attribute report of the Server traffic has five kinds: Application, Protocol,
When users click on the unfolding mark of Attribute Report under the Report / Server menu, all
its sub menus will be unfolded including Application, Protocol, Protocol+Port, TOS, and
Packet Size.
7.7.3.1
Application
The Application traffic analysis of Server attribute report provides the information about the
ingress/egress (Into Server-farm/Out of Server-farm) traffic for a specific server-farm, which is
separately for different traffic directions. Up to top 128 applications will be saved to DB. The top N
(N: default = 25) applications will be displayed and each in a row.
In this report, users can obtain not only the traffic Into Server-farm and Out of Server-farm for
direction. There are two items selectable, Inside, and Outside. Inside means the server is inside
the entity (Home Network, Sub-Network, Server-farm) and represents the data of Request of
Ingress traffic or the data of Response of Egress traffic. Outside means the server is outside the
traffic.
Click on the Application sub menu of Attribute Report under the Report / Server menu to enter
the Application Report window.
Report Descriptions
7.7.3.2
Protocol
The Protocol traffic analysis of Server attribute report provides the information about the
Report Table will display the Into Server-farm/Out of Server-farm traffic for the protocol and the
value in the Sum column is the total amount of the Into Server-farm and Out of Server-farm traffic.
Click on the Protocol sub menu of Attribute Report under the Report / Server menu to enter the
Protocol Report window.
281
Report Descriptions
7.7.3.3
Protocol/Port
The Protocol/Port traffic analysis of Server attribute report provides the information about the
ingress/egress (Into Server-Farm/Out of Server-Farm) traffic for a specific server-farm, which is
aggregated according to protocol plus port number (service) for TCP and UDP (if the ICMP, the
traffic will be aggregated according to the code and type of the ICMP). Each row of Report Table
will display the Into Server-farm/Out of Server-farm traffic for the protocol/port (service) and the
value in the Sum column is the total amount of the Into Server-farm and Out of Server-farm traffic.
The top 128 will be stored to database and top N (N: default = 50) will be displayed for report.
In this report, users can obtain not only the traffic Into Server-farm and Out of Server-farm for the
service (protocol/port), but also the traffic between the Request side and the Response side. For
server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and
a client is the Request side.) A Service drop-down list is provided for users to select the traffic
direction. There are two items selectable, Inside, and Outside. Inside means the server is inside
the entity (Home Network, Sub-Network, Server-farm) and represents the data of Request of
Ingress traffic or the data of Response of Egress traffic. Outside means the server is outside the
traffic.
Click on the Protocol/Port sub menu of Attribute Report under the Report / Server menu to
enter the Protocol/Port Report window.
Report Descriptions
Protocol+Port reports, the Report Table will display top N Protocol+Port.
7.7.3.4
TOS
The TOS traffic analysis of Server attribute report provides the information about the
Server-farm/Out of Server-farm traffic for the TOS and the value in the Sum column is the total
amount of the Into Server-farm/Out of Server-farm traffic. Totally, top 128 TOS will be stored to
database and top N (N: default = 25) will be displayed for report.
Click on the TOS sub menu of Attribute Report under the Report / Server menu to enter the TOS
Report window.
282
Report Descriptions
7.7.3.5
Packet Size
The Packet Size traffic analysis of Server attribute report provides the information about the
192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and
>1536.
Click on the Packet Size sub menu of Attribute Report under the Report / Server menu to enter
the Packet Size Report window.
Report Descriptions
There are three parts in the Report window: Query Bar, Report Chart, and Report Table. Please
refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of
Report / Server for details.
Size reports, the Report Table will display Packet Size distribution.
7.7.4
TopN Report
The TopN traffic analysis of Server report provides the top N listing for the traffic according to the
TopN Report Template. Because the number of data may be large, therefore, only top 256 entries
will be saved to DB. The top N (N: default = 64) aggregation keys will be displayed and each in a
row. Each row of Report Table will display Into Server-farm, Out of Server-farm and sum traffic for
paired of entries.
Click on the TopN Report sub menu under the Report / Server menu to enter the TopN Report
window.
Report Descriptions
There are three parts in the TopN Report window: Query Bar, Report Chart and Report Table.
Query Bar
here).
TopN Report: every TopN report configured in the server-farm (The TopN reports of a
server-farm are defined in the System Admin/Network/Server function).
283
Output: there three output formats for selection: Show on Web, Download Graph CSV, and
Download XML file.
Report Chart
parts by the X-axis. The upper part represents the traffic into server-farm and the lower part
represents the traffic out of server-farm. In the chart, each stacked band represents one kind of
traffic of all bands. (The objects with colors next to check boxes indicate which topN entries they
are.)
Report Table
There are four tabs at the right top corner of the table: Average, Current, Maximum and Usage.
Usage: the usage values during the selected time interval.
Chart. So that users can compare different entries aggregation traffic into/Out of the Server-farm
clearly and leave those they want. An All check box for users to conveniently select all check
the Average, Current, Maximum and Usage tables into different worksheets.
284
7.8
Rule-based Report
Rule-based Report menu provides traffic analysis reports for rule-based Filters which are
configured in the system and based on users definitions. The system provides not only the
Compare report which compares each Filter within one same Filter group but also the Detail report
which presents detail traffic information of a Filter. In addition, the TopN report analyzed based on
Filters traffic flow is also provided. There are two types of analysis reports for Filter traffic:
Summary Report, and TopN Report. In following sections, we will introduce how to query various
Rule-based traffic reports.
When users click on the unfolding mark of Report / Rule-based Report, all its sub menus will be
unfolded including Summary Report, and TopN Report.
7.8.1
Summary Report
The summary report of the Rule-based Filter traffic presents the traffic analysis about the Filter
from the viewpoints of comparing the total traffic of each Filter within a Filter group and analyzing
the detail traffic of one Filter. With the Rule-based Summary report, users can briefly know not
only the total traffic of each Filter but also the detail traffic analysis for each Filter. When users
click on the Summary Report sub menu of Report / Rule-based Report, there are two sub
menus will be shown: Compare and Detail.
7.8.1.1
Compare
The Compare traffic analysis of Rule-based Summary report provides users the information
about the original direction/opposite direction (Filter/Opposite) traffic for each Filter itself to
compare the differences with the total amount. The Top N Report Table will display all filters (N:
maximum = 1024).
Click on the Compare sub menu of Summary Report under the Report / Rule-based Report
menu to enter the Compare Report window.
Report Descriptions
Query Bar
Filter Group: the defined Filter groups (All Filter groups defined in the Group menu of System
Admin / Network / Preferences will be shown here, except the default All Filters group.)
285
Unit: bps (bit per second), pps (packet per second), and fps (flow per second).
Output: users can view the report on the web, download it in the CSV format or XML file by
selecting Show on Web, Download Graph CSV, or Download XML file from the drop-down
list.
Report Chart
parts by the X-axis. The upper part represents the total traffic of Filters original direction and the
lower part represents the total traffic of Filters opposite direction. In the chart, each stacked
bands represents the total traffic of all bands. (The objects with colors next to check boxes
indicate which Filter they are.)
to separately represent Filter, Opposite, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Filter, Opposite, and
Report Table
This table will display the traffic analysis statistics for all Filters that configured in a specific group in
the Filter Group drop-down list (In Query Bar) to view. There are three tabs at the right top corner
of the table: Average, Current, and Maximum.
Chart. So that users can compare different Filters of traffic clearly by unselecting the Filter and
7.8.1.2
Detail
The Detail traffic analysis of Rule-based Summary report presents the traffic analyses of each
Filters original and opposite directions for a specific time interval. With this report, users can
know the ingress/egress traffic of each Filter displayed by bps, pps, and fps.
Click on the Detail sub menu of Summary Report under the Report / Rule-based Report menu
to enter the Detail Report window.
286
Report Descriptions
There are two parts in the Detail Report window: Query Bar, and Report Chart.
Query Bar
Admin / Network / Preferences will be shown here.).
Filter: every Filter configured in the Filter group (It will be converted according to the group
selected in the Filter Group drop-down list.)
Output: users can view the report on the web, download it in the PDF file, CSV format, or XML
file by selecting Show on Web, Download PDF file, Download Graph CSV, or Download
XML file from the drop-down list.
Report Type: there are two kinds of output report types provided Standard, and Trend. The
default setting is standard. Note that Trend report is not available for Daily report.
Report Chart
Standard Report Chart. There are three line charts displayed here: bps, pps, and fps. The
X-coordinate represents time and will be converted according to the time interval selected by
users. The Y-coordinate represents the calculation unit of the traffic. The data is divided into two
parts by the X-axis. The upper part represents the total traffic of Filters original direction and the
lower part represents the total traffic of Filters opposite direction. In the chart, the average,
maximum, and current traffic values are indicated. The objects with colors below the chart
indicate which traffic direction they are.
Trend Report Chart. This chart uses historical flow data to generate the average trend line for a
specific time period in the past. The trend line can help users to identify potential traffic amount
in the near future.
287
7.8.2
TopN Report
Rule-based TopN Report presents the TopN analyses and reports which use defined Filters as
analysis criteria. Three types of aggregation keys are provided (Source, Destination, and
Directionless) and over ten kinds of aggregation methods are available to select (IP, Protocol,
Application, Interfaceetc.). Up to top 256 top-N objects will be stored in DB and top N (N: 16,
32, 64, 128, or 256) will be displayed for report. With this report, users can easily and quickly
obtain top-N origins and targets of the traffic analysis.
Click on the TopN Report sub menu of Report / Rule-based Report menu to enter the TopN
Report window. The system will display various analysis reports and statistics according to the
selected TopN Report defined, traffic unit, and time interval.
Report Descriptions
There are three parts in the TopN Report window: Query Bar, and Report Chart.
Query Bar
Admin / Network / Preferences will be shown here.).
Filter: every Filter configured in the Filter group (It will be converted according to the group
selected in the Filter Group drop-down list.)
TopN Report: every enabled TopN report configured in the selected Filter.
highlighted), and then click on the
OK
button. Or click on the
Cancel button to close the
Unit: bps (bit per second), and pps (packet per second).
Output: users can view the report on the web, download it in the CSV format or XML file by
selecting Show on Web, Download Graph CSV, or Download XML file from the drop-down
list.
288
Report Chart
parts by the X-axis. The upper part represents the original directions total traffic of sorted top-N
objects and the lower part represents the opposite directions total traffic of sorted top-N objects.
In the chart, each stacked band represents one kind of traffic and it is additive, that is to say the
outer edge of all stacked bands represents the total traffic of all bands. (The objects with colors
next to check boxes indicate which sorted top-N object they are.)
to separately represent Filter, Opposite, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Filter, Opposite, and
Report Table
This table will display the traffic analysis statistics for all TopN reports that configured in a specific
Filter in the Filter drop-down list (In Query Bar) to view. There are tabs at the right top corner of the
table: Average, Current, and Maximum.
Usage: the percentage of the usage during the selected time interval.
Chart. So that users can compare different sorted top-N objects of traffic clearly by unselecting the
sorted top-N objects and leave those they want. An All check box for users to conveniently select
all check boxes at once. Please click on Submit button (in Query Bar) to refresh the screen for
289
MSP Customer
The MSP Customer menu includes the sub functions, Anomaly Console, Report and users can click on
the unfolding mark of MSP Customer. This function will show when the system support the MSP
module (value-added function). Please refer to the following section to get the detail descriptions.
8.1
Anomaly Console
The Anomaly Console function of MSP Customer provides various reports of anomaly events.
Anomaly Console allows users to list out a variety of anomaly events detected via several searching
filters, provides summary and detailed traffic characteristics for each detected anomaly event, can
generate appropriate ACL (Access Control List) commands as suggestions for network operators and
snapshots for advanced traffic inspect.
After clicking the Anomaly Console sub menu of MSP Customer, users will enter the Anomaly
Console window (see the figure 8.1-1). The following sections is going to introduce how to use Anomaly
Console function to query anomaly events and read its related reports.
Figure 8.1-1 MSP Customer -- The Anomaly Console Window

List Table Description
NO.: a sequence number given by the system to control the listing.
ID: an identification number assigned by the system to recognize anomaly events.
CHK: a check box used to help users to know those anomaly events which have been looked
over. Click on the check box in the front of the row to check the anomaly event.
MSP Server: list the name of the MSP Server that specified in the System Admin/Device/MSP
server function.
Severity: three pieces of information are shown in this field. Firstly, the severity degree in terms of
Yellow/Red of the anomaly is shown; following displays the detected traffic rate at which the
event was determined as the previous severity degree; finally the event threshold value
configured for this anomaly event is shown.
Status: present the status of an anomaly event that could be ongoing, recovered, obsolete or
checked.
Start Time/End Time: the beginning time/close time of an anomaly event. The displaying format is
mm-dd hh:mm (e.g. 08-26 16:03). If an anomaly event is not recovered, there shows no end
time.
290
Duration: a time period that represents how long an anomaly event lasts. The displaying format is
00 hours / 00 mins / 00 secs (e.g. 27 hours / 37 mins / 42 secs).
Direction: the traffic direction of an anomaly event.
Type: a category plus an anomaly type and with a monitored traffic statistic object (e.g. Traffic
Anomaly by bps / Protocol-Misuse with TCP SYN Flooding by pps / Application with Code Red
by pps).
Resource: the detection scope of a detected anomaly event and its related information. For
Traffic anomaly, here will show resource type and the resource name of detection scope only.
For Protocol-Misuse and Application anomalies, then here will show anomaly type, resource
name, and event-triggered host IP address.
Querying Anomaly Events & Reading Summary/Detail Anomaly Report

Specify one or more filters below to search anomaly events you want to query from the following
drop-down lists and then click on the Go button.
Resource Type: list the resource name in the field.
Note
There is a field appeared right for you to select the specific entity and a button will
be available to browse.
Category: to define a specific kind of anomaly events. This searching filter will be converted
according to the resource type selected.
Anomaly Type: select the type from the drop down list and the default value is All.
Traffic Direction: to select a specific traffic direction of anomaly events from the drop down
list.
Minimum Severity: to specified the minimum severity degree of anomaly events. For example,
when Yellow is selected, all events with Yellow or Red severity level will be shown.
Anomaly Status: to define the status of anomaly events from the drop down list.
Victim/Infect IP: to list all anomaly events with/within a specific victim or infected IP
address/range. Please input an IP address or range with CIDR format (eg. 192.168.10.0/25).
Time Range: a flexible way to specify the time interval for displaying report. There are two
ways provided to specify the time interval in the system: one is Time Range and the other is
Time Period (Please see the description below for details). Once users choose this way,
please specify the start time and end time of analysis report from the Start Time and Until
drop-down lists.
Range to specify reports time interval. In this way, the fixed time interval are provided to
year/month/date drop-down lists or a year-month-date time table. If users choose the Period
way to specify the reports time interval, this drop-down list will be unavailable.
291
Action Buttons Description

1. Page-control buttons are above the configuration view list:

|<
<<
>>
>|
total pages.
2. An Anomaly ID searching function is provided. It is located next to the Page-control
buttons and above the configuration view list. Users can input the ID of the anomaly in the
Anomaly ID blank and then press the View button to quickly find out a specific anomaly
from plenty of listed anomalies. The Summary Anomaly report of the searched anomaly will
pop up. Please refer to the following step, Descriptions of Summary Anomaly Report, for
detail.
3. A Rows per Page drop-down list is provided to control the displayed entries per page of
the Anomaly Console view list. There are five options to select: 10, 15, 20, 25, and 30. The
number 10 with an asterisk means the default value.
Descriptions of Summary Anomaly Report

Click on an ID number in ID column to read the summary report of the clicked anomaly event.
A window with the Summary Anomaly Report title will pop up after the clicking (as shown in the
figure 8.1-2).
Note
The summary anomaly report, which Category field is specified as Traffic has no
information of Traffic Characteristics and Network Elements fields.
Figure 5.1-2 MSP Customer/Anomaly Console -- the Summary Anomaly Report of the
Anomaly Event
292
Anomaly Event Brief

This part is on the upper area of the screen. It shows the brief information of the clicked
anomaly event.
There are four buttons located at the right-upper corner and a Cripple Attack check box at
the left-upper corner of the screen:

View Raw Flow : this button is used to view all received raw flows of the clicked
anomaly event from routers. Once users click on this button, an Anomaly Raw Flow
pop-up window will show and display raw flows for all routers. Users can use
Download button to download the raw flow file in a desired storage.

Forced Obsolete : this button is used to obsolete an anomaly event when users
consider the event not worthy to trace for some exceptional issues. Once users click on
this button, the anomaly event will be obsolete. If the traffic detection related to this
anomaly is still going and the detected traffic is large than the anomaly threshold, a
new anomaly event will be created since the original one has been obsolete.

Details : this button is used to display the detail report of the clicked anomaly event.
Once clicking on this button, users will enter the Detail Anomaly Report window. Please
refer to the descriptions The descriptions of Detail Report below for the detail
anomaly report.

Cancel : clicking on this button can close the Detail Anomaly Report pop-up
window.

Cripple Attack : this check box is used to manually disable the clicked anomaly
event. Once users check on this check box, the system will count this event traffic in
the calculation of traffic baseline. This function is only applied to tickets triggered by
auto-learning baseline.
Traffic Line Chart

A traffic line chart with a timer controller is provided for users to query a specific time period
traffic statistics of the monitored anomaly event. Select the start time
(year/month/date/hour/minute) and the duration (hour) from the drop-down lists, and then
click on Go button to submit the query. The default start time in this time controller is the
start time of the queried anomaly event.

Remarks
This Remarks column is used to record additional information relevant to the anomaly
events. Up to 800 characters are available. The Update button will be clickable after any
characters are inputted.

This part will display the latest top N traffic analysis statistics of traffic characteristics items
of the queried anomaly event by bps and pps. There are some certain formulas used to
determine the N value. According to different anomaly types, different Traffic Characteristics
items will be displayed.

Network Elements
This part will display the latest Top N routers with input-interface and routers with
output-interface which are most impacted by the traffic of the anomaly event queried. The
Top N analysis statistics are provided with bps and pps units.
The descriptions of Detail Report

Click on the Details button to read the detail report of the clicked anomaly event. Please
see Figure 8.1-3 and its descriptions below.
293
Figure 8.1-3 The Detail Anomaly Report of Anomaly Console

Anomaly Event Brief

This part is the same as the Anomaly Event Brief in Summary Anomaly Report described
above.
There are two buttons located at the right-upper corner of the screen:
Back : clicking on this button can go back the Summary Anomaly Report window.
Cancel : clicking on this button can close the pop-up window.
Traffic Line Chart

GenieATM will combine the traffic statistics from the routers, which enables traffic
detection for the queried MSP Customer, in this chart. Therefore, more than one traffic
line may be displayed here. Users can compare the differences between multiple routers
about the traffic of this Sub-Network. The color marks indicate the traffic from which
router.
In addition a traffic line chart with a timer controller is provided for users to query a
specific time period traffic statistics of the monitored anomaly event. Select the start time
(year/month/date/hour/minute) and the duration (hour) from the drop-down lists, and then
click on Go button to submit the query. The default start time in this time controller is
the start time of the queried anomaly event.
The system provides view points for users to understand the evolution of the selected
anomaly event in terms of its traffic characteristics at different time points (sorting by per
minute).
294
In addition, this Detail report of Summary Anomaly Report window also provides two functions that
allow users to link to the Snapshot with the provided anomaly traffic characteristics and view the ACL
commands generated by the system. These two functions are implemented by the Snapshot and
Generate ACL buttons. Please follow the steps below:
Linking to the Snapshot

1.
Decide one or more analyzed traffic characteristics as the snapshot analysis criteria and
click on the Lock check boxes (at the end of the rows) of the decided traffic
characteristics.
2.
Click on Snapshot button.

A Snapshot window with the analysis criteria you checked will pop up after the clicking.
The snapshot scope of this page will be locked as the Customer entity of the queried
anomaly event. Since the most operations are the same as the Snapshot main menu,
please refer to Snapshot section illustration in the GenieATM User Manual.
Generating ACL Commands

Decide one or more traffic characteristics as the target that you want to lock and click on
the Lock check boxes (at the end of the rows) of the decided traffic characteristics.
Click on Generate ACL button.

An ACL Generate Tool window will pop up after the clicking. The Configuration part in this
window will show the traffic characteristics you checked on the previous step. It also
allows you to do the tuning by manual configurations here before populating the ACL
commands.
Click on Update button in the ACL Generate Tool window to generate ACL commands.
After you press the button, the system will generate appropriate ACL commands
according to the traffic characteristics you selected and show the commands in the Result
text box. A Router Type drop-down list is provided in order to meet different needs of ACL
commands for different router brands (Cisco / Juniper / Foundry). With different router
types selected, the system will generate different ACL commands for users. Note that
TCP Flag is only available for the Cisco router type.
295
8.2
Report
All pre-defined (built-in) and rule-based reports of MSP Customer entities are aggregated into the
Report sub menu of MSP Customer for convenience. Including Traffic, Boundary Traffic, Top
Talker, Attribute Report, and TopN Report sub menus will be displayed when users click on the
unfolding mark of Report under the MSP Customers main menu.
8.2.1
Traffic
The Traffic report of MSP Customer presents the traffic analysis for every MSP Customer entity
configured in the system. With this report, users can know the ingress/egress traffic of each MSP
Customer entity displayed by bps, and pps. Click on the Traffic sub menu of MSP Customer/Report to
enter the Traffic Report window. The system will display various analysis reports for MSP Customer
traffic according to the selected MSP Customer entity, and time interval.
Report Descriptions
There are two parts in the Traffic Report window: Query Bar, and Report Chart.
Query Bar
MSP Customer: list all MSP Customer entities configured in the system.
Note
A button will be available to browse all listed entries.
Output: users can view the report on the web or download it in the PDF format by selecting
Show on Web or Download PDF File from the drop-down list.
Report Type: there is the Standard report provided.
296
Report Chart
Standard Report Chart. There are two line charts displayed here: bps, and pps. The
X-coordinate represents time and will be converted according to the time interval selected by
users. The Y-coordinate represents the calculation unit of the traffic. The upper part represents
the traffic into the selected MSP Customer entity and the lower part represents the traffic out of
the selected MSP Customer entity. In the chart, the average and maximum traffic values are
indicated. The objects with colors below the chart indicate which traffic direction they are.
Operation Procedure to Query Reports
1. Select a MSP Customer entity from the MSP Customer dropped down list or through
Browse button.
2. Select Time Range or Period for specifying reports time interval.
3. Specify the start/end date and time from the From/Until drop-down lists.
4. Choose Show on web or Download PDF file from the drop-down list to view.
5. Click on Submit button to refresh the screen and generate your report.
8.2.2
Boundary Traffic
The Boundary Traffic analysis report provides the information about the average/current/maximum
traffic aggregated according to defined elements for a specific MSP server.
Click on the Boundary Traffic under the MSP Customer/Report menu to enter the Boundary Traffic
Report window.
Report Descriptions
Query Bar
MSP Customer: list every MSP customer configured in the MSP Customer menu of System
Admin/Network function.
297
Report Chart
Report Table
This table will display the traffic analyses statistics for all routers bounded into MSP Customer
when you select some specific MSP customer in the drop-down list (In Query Bar) to view. There
are tabs at the right top corner of the table: Average, Current, and Maximum.
Chart. Users can compare different bounded routers of traffic clearly. An All check box for users
to select conveniently all check boxes at once. Please click on Submit button (in Query Bar) to
refresh the screen for your selection. In addition, users can use Download Excel-XML button to
download tabular data of the table with XML file, which can be read by the Excel program. The
downloaded file will separate the Average, Current, and Maximum tables into three different
worksheets.
Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP
Customer/Report for details.
8.2.3
Top Talker
The Top Talker traffic analysis of MSP Customer breakdown report provides the top N listing for the
traffic of IP address from/to the MSP Customer. Because the number of IP addresses may be large,
therefore, only top 128 IP addresses will be saved to DB. The top N (N: default = 25) IP addresses will
be displayed and each in a row. Each row of Report Table will display ingress, egress and sum traffic for
each IP address. Click on the Top Talker sub menu under the MSP Customer/Report to enter the Top
Talker Report window.
Report Descriptions
Query Bar
Time Range: a flexible way specifies the time interval for displaying report. There are two ways
298
Chart. The default setting is Stacked Chart.
Talker: there are two directions of Talker provided: Inside, and Outside. Inside indicates the Top
Talker report listing the hosts within the MSP Customer Network. Outside shows the Top
Listener report as top N listing of outside hosts which are most visited by the MSP Customer
network.
Report Chart
parts by the X-axis. The upper part represents the traffic into MSP entity and the lower part
represents the traffic out of MSP entity. In the chart, each stacked band represents one kind of
traffic of all bands. (The objects with colors next to check boxes indicate which Talkers they are.)
Report Table
There are four tabs at the right top corner of the table: Average, Current, Maximum, and Usage.
Chart. Therefore, users can compare different traffic clearly. An All check box for users to select
all check boxes at once. Please click on Submit button (in Query Bar) to refresh the screen for
separate the Average, Current, Maximum and Usage tables into different worksheets.
8.2.4
Attribute Report
The attribute report of MSP Customers provides the analysis information about some common
attributes. With common attribute reports, users can really understand how their network resources are
actually been used. The attribute report of the MSP Customers traffic has three kinds: Application,
Protocol, Protocol/Port, TOS, and Packet Size.
When users click on the unfolding mark of Attribute Report under the MSP Customer/Report main
menu, all its sub menus will be unfolded including Application, Protocol, Protocol/Port, TOS, and
Packet Size.
299
8.2.4.1
Application
The Application traffic analysis of MSP Customers attribute report provides the information about the
ingress/egress (Into MSP/Out of MSP) traffic for a specific MSP Customer entity, which is aggregated
according to the user defined application groups on source and destination ports separately for different
traffic directions. Up to top 128 applications will be saved to DB. The top N (N: default = 25) applications
will be displayed and each in a row.
In this report, users can obtain not only the traffic Into MSP Customer and Out of MSP Customer for
applications but also the traffic between the Request side and the Response side. For example, when a
client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client,
the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.)
A Service drop-down list is provided for users to select the traffic direction. There are two items
selectable, Inside, and Outside. Inside means the server is inside the MSP Customer entity and
represents the data of Request of Ingress traffic or the data of Response of Egress traffic. Outside
means the server is outside the MSP Customer entity and represents the data of Response of Ingress
traffic or the data of Request of Egress traffic.
Click on the Application sub menu of Attribute Report under the MSP Customer/Report main menu
to enter the Application Report window.
Report Descriptions
Query Bar
Time Range: a flexible way specifies the time interval for displaying report. There are two ways
Unit: there are bps (bit per second) and pps (packet per second).
Service: there are traffic directions, Inside or Outside, to specify.
300
Report Chart
parts by the X-axis. The upper part represents the traffic into MSP Customer entity and the lower
part represents the traffic out of MSP Customer entity. In the chart, each stacked band
represents the total traffic of all bands. (The objects with colors next to check boxes indicate
which application they are.)
Report Table
Chart. So that users can compare different applications of traffic clearly by unselecting the
application and leave those they want. An All check box for users to conveniently select all check
8. 2. 4 .2 P ro t o co l
The Protocol traffic analysis of MSP Customer attribute report provides the information about the
according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). Totally, top 50 protocols will be stored to
database and top N (N: default = 25) will be displayed for report. Each row of Report Table will display
the Into Customer/Out of Customer traffic for the protocol and the value in the Sum column is the total
amount of the Into Customer and Out of Customer traffic.
Click on the Protocol sub menu of Attribute Report under the MSP Customer to enter the Protocol
Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Application section of Attribute Report under
the MSP Customer/Report main menu for details.
Customer/Report function for details.
301
8.2.4.3
Protocol/Port
The Protocol/Port traffic analysis of MSP Customer attribute report provides the information about the
according to protocol plus port number (service). Each row of Report Table will display the Into
Customer /Out of Customer traffic for the Protocol/Port (service) and the value in the Sum column is the
total amount of the Into Customer and Out of Customer traffic. The top 128 will be stored to database
and top N (N: default = 25) will be displayed for report.
In this report, users can obtain not only the traffic Into MSP Customer and Out of MSP Customer for the
service (Protocol/Port), but also the traffic between the Request side and the Response side. For
example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server
replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is
the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are
two items selectable, Inside, and Outside. Inside means the server is inside the MSP Customer entity
and represents the data of Request of Ingress traffic or the data of Response of Egress traffic. Outside
means the server is outside the MSP Customer entity and represents the data of Response of Ingress
traffic or the data of Request of Egress traffic.
Click on the Protocol/Port sub menu of Attribute Report under the MSP Customer/Report main
menu to enter the Protocol/Port Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Application section of Attribute Report of
MSP Customer/Report for details.
Protocol/Port reports, the Report Table will display top N Protocol/Port (services).
8. 2. 4 .4 TO S
The TOS traffic analysis of MSP Customer attribute report provides the information about the
ingress/egress (Into MSP /Out of MSP) traffic for a specific MSP Customer entity, which is aggregated
according to the 256 TOS values. Each row of Report Table will display the Into MSP Customer /Out of
MSP Customer traffic for the TOS and the value in the Sum column is the total amount of the Into MSP
Customer /Out of MSP Customer traffic. Totally, top 50 TOS will be stored to database and top N (N:
default = 25) will be displayed for report.
Click on the TOS sub menu of Attribute Report under the MSP Customer/Report main menu to
enter the TOS Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Application section of Attribute Report under
MSP Customer/Report menu for details.
302
8.2.4.5
Packet Size
The Packet Size traffic analysis of MSP Customer attribute report provides the information about the
ingress/egress (Into MSP /Out of MSP) traffic for a specific MSP Customer entity, which is aggregated
according to the packet size. The packet size is calculated by dividing the bytes with number of packets.
The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192, 192-224, 224-256,
256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and >1536.
Click on the Packet Size sub menu of Attribute Report under the MSP Customer/Report to enter the
Packet Size Report window.
Report Descriptions
There are three parts in the Report window: Query Bar, Report Chart, and Report Table. Please
refer to the Report Descriptions part in the Application section of Attribute Report under MSP
Customer/Report.
Size reports, the Report Table will display the segments of Packet Size that are recorded the traffic
data.
Customer/Report function for details.
8.2.5
TopN Report
The TopN Report of MSP Customer presents the TopN analyses and reports. Up to top 256 top-N
objects will be stored in DB and top N (N: 16, 32, 64, 128, or 256) will be displayed for report. With this
report, users can obtain top-N origins easily and quickly and targets of the traffic analysis. Click on the
TopN Report sub menu under MSP Customer/Report menu to enter the TopN Report window. The
system will display various analysis reports and statistics according to the selected TopN Report
defined, traffic unit, and time interval.
Note
Only the MSP administrator, which is defined in the System Admin/Network/MSP Customer/MSP
Customer function, can configure the aggregation rule of TopN report to the MSP Collector device. In
addition, here only displays defined TopN Reports of the MSP Customers.
Click on the unfolding mark of the TopN Report sub menu of MSP Customer/Report to enter the TopN
Report window.
Report Descriptions
There are three parts in the Detail Report window: Query Bar, Report Chart, and Report Table.
Query Bar
MSP Customer: select the specified MSP customer.
TopN Report: the defined TopN reports configured in the selected MSP customer.
303
Unit: there are bps and pps in the drop-down list.
Output: users can view the report on the web, download it in the CSV format, PDF file or XML
file by selecting Show on Web, Download Graph CSV, Download PDF file, or Download
XML file from the drop-down list.
Chart: there are three kinds of output report types provided Stacked Chart, Bar Chart and Pie
Chart. The default setting is Stacked Chart.
Report Chart
parts by the X-axis. The upper part represents the traffic matched defined filter entity and the
lower part represents the opposite direction. In the chart, each stacked band represents one kind
of traffic and it is additive, that is to say the outer edge of all stacked bands represents the total
traffic of all bands. (The objects with colors next to check boxes indicate which TopN they are.)
Pie Chart. There are three pie charts presented to separately represent Ingress (Filter), Egress
(Opposite), and Sum traffic statistics.
Report Table
This table will display the traffic analysis statistics for all TopN reports that configured in a specific
Filter in the Filter drop-down list (In Query Bar) to view. There are four tabs at the right upper
corner of the table: Average, Current, Maximum and Usage.


Current: the last values data during the selected time interval.
Chart. Therefore, users can compare different sorted top-N objects of traffic clearly. An All check
box for users to select all check boxes at once. Please click on Submit button (in Query Bar) to
downloaded file will separate the Average, Current, Maximum and Usage tables into different
worksheets.
304
Anomaly Activities
Anomaly Activities menu provides overall anomaly traffic reports, different from Report menu which
focuses on defined network detection scopes (Internet, Neighbor, Backbone, Router, Interface,
Sub-Network, Rule-based Report) to present all their related traffic reports, and also different from
Anomaly Console menu which is based on every single anomaly event to present the anomaly
traffic report. There are two kinds of anomaly activity reports provided in the system. One is about the
Dark IP activity; the other is about the abnormal Application activity. When users click on the
unfolding mark of Anomaly Activities, all its sub menus will be unfolded including Dark IP and
Worm.
9.1
Dark IP
Dark IP menu provides various built-in dark IP traffic analysis reports. The system will base on all
detected dark IP traffic to compile various traffic statistics, such as overall dark IP traffic, each
infected host traffic, each victim host traffic, into/out of each interface traffic, and into/out of each
Sub-Network entity. There are two types of analysis reports for Dark IP traffic: Summary Report,
and Breakdown Report. In following sections, we will introduce how to query various Dark IP
traffic reports.
When users click on the unfolding mark of Anomaly Activities / Dark IP, all its sub menus will be
unfolded including Summary Report, and Breakdown Report.
9.1.1
Summary Report
The summary report of the Dark IP traffic presents the overall dark IP traffic analysis for entire
network of users. With the Dark IP summary report, users can briefly know how much traffic
from/to dark IP space, how much traffic of dark IP dropped by the routers, and the number of the
infected hosts. Click on the Summary Report sub menu of Anomaly Activities / Dark IP menu
to enter the Summary Report window. The system will display various analysis reports for dark
IP traffic according to the selected traffic unit, time interval, and traffic type.
Click on the Sub-Network sub menu of Breakdown Report under the Anomaly Activities /
Dark IP menu to enter the Interface Report window.
Report Descriptions
There are two parts in the Traffic Report window: Query Bar, and Report Chart.
Query Bar
305
IP version: only Both shows in the dropped down list.
Report Chart
There are three line charts displayed here: infected hosts, bps, and pps. The X-coordinate
represents time and will be converted according to the time interval selected by users. The
Y-coordinate represents the calculation unit of the traffic. In the chart, the average, maximum and
current traffic values are indicated. In infected hosts report chart, the number of infected hosts will
be shown over time period. The maximum number supported by each Collector is 2000. In bps
and pps report charts, the In traffic is the traffic into Dark IP space (Destination is a dark IP), the
Out traffic is the traffic out of dark IP space (Source is a dark IP), and the Drop is the traffic
dropped by the routers.
9.1.2
Breakdown Report
in some kind of specific traffic. The breakdown report of the Dark IP traffic includes five types of
reports: Infected Hosts, Victim Hosts, Home Prefix, Interface, and Sub-Network.
When users click on the unfolding mark of Breakdown Report under the Anomaly Activities /
Dark IP menu, all its sub menus will be unfolded including Infected Hosts, Victim Hosts,
Interface, and SUB-NETWORK.
9.1.2.1
Infected Hosts
The Infected Hosts traffic analysis of Dark IP breakdown report provides the information about
the traffic amount of each infected host in a (Top N) Report Table. Totally, top 64 infected hosts
Report Table will display infected host IP, traffic amount, and total percentage. Click on the
Infected Hosts sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu
to enter the Infected Hosts Report window.
Report Descriptions
Query Bar
306
Report Chart
interval selected by users. The Y-coordinate represents infected host number. In the chart, each
boxes indicate which infected host they are.)
Bar Chart. Bar Chart is presented with horizontal bars and displays Egress traffic statistics for
each infected host and the total traffic statistics for all.
Pie Chart. There is one pie chart presented to represent Egress traffic statistics.
Report Table
This table will display all kinds of traffic analysis statistics of infected hosts detected. There are
three tabs at the right top corner of the table: Average, Current, and Maximum.
Chart. So that users can compare different infected hosts of traffic clearly by unselecting the host
307
9.1.2.2
Victim Hosts
The Victim Hosts traffic analysis of Dark IP breakdown report provides the information about the
traffic amount of each victim host in a (Top N) Report Table. Totally, top 64 victim hosts will be
stored to database and top N (N: default = 25) will be displayed for report. Each row of Report
Table will display victim host IP, traffic amount, and total percentage. Click on the Victim Hosts
sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the
Victim Hosts Report window.
Report Descriptions
Query Bar
Report Chart
interval selected by users. The Y-coordinate represents victim host number. In the chart, each
boxes indicate which victim host they are.)
Bar Chart. Bar Chart is presented with horizontal bars and displays Ingress traffic statistics for
Pie Chart. There is one pie chart presented to represent Ingress traffic statistics.
Report Table
This table will display all kinds of traffic analysis statistics of victim hosts detected. There are three
tabs at the right top corner of the table: Average, Current, and Maximum.
308

Chart. So that users can compare different victim hosts of traffic clearly by unselecting the host and
9.1.2.3
Interface
The Interface traffic analysis of Dark IP breakdown report provides the information about the
dark IP traffic of each interface (the traffic sent to the interface from Dark IP space and the traffic
sent to Dark IP space from the interface). The system will display Top N (N: maximum = 64;
default = 25) interfaces in a (Top N) Report Table. Each row of Report Table will display router
name, interface name, into interface traffic, out of interface traffic, and sum traffic for each
interface. Click on the Interface sub menu of Breakdown Report under the Anomaly Activities
/ Dark IP menu to enter the Interface Report window.
Report Descriptions
Please refer to the Report Descriptions part in the Infected Hosts section of Breakdown Report
of Anomaly Activities / Dark IP for details.
Except the data listed in Report Table is different, other descriptions are all the same. For Interface
reports, the Report Table will display top N Interfaces and there is no total percentage statistics
provided.
9.1.2.4
Sub-Network
The Sub-Network traffic analysis of Dark IP breakdown report provides the information about the
dark IP traffic of Sub-Network entities defined in the system (the traffic sent to the Sub-Network
entity from Dark IP space and the traffic sent to Dark IP space from the Sub-Network entity). The
system will display Top N (N: maximum = 64; default = 25) entities in a (Top N) Report Table.
Each row of Report Table will display Sub-Network name, into Sub-Network traffic, out of
Sub-Network traffic, sum traffic, and total percentage for each Sub-Network. Click on the
Sub-Network sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu
to enter the Interface Report window.
Report Descriptions
Query Bar
309
Report Chart
parts by the X-axis. The upper part represents the dark IP traffic into Sub-Network and the lower
part represents the traffic out of Sub-Network. In the chart, each stacked band represents one
kind of traffic and it is additive, that is to say the outer edge of all stacked bands represents the
total traffic of all bands.
to separately represent Into-SubNetwork, Out-of-SubNetwork, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Into-SubNetwork,
Out-of-SubNetwork, and Sum traffic statistics.
Report Table
Chart. So that users can compare the traffic of the selected entries clearly. An All check box to
conveniently select all check boxes at once. Please click on Submit button (in Query Bar) to
worksheets.
310
9.2
Worm
Worm menu provides various built-in application anomaly traffic analysis reports. The system will
base on all detected abnormal application traffic to compile various traffic statistics, such as overall
application anomaly traffic, each infected host traffic, into/out of each interface traffic, and into/out
of each Sub-Network entity. There are two types of analysis reports for Application Anomaly traffic:
Summary Report, and Breakdown Report. In following sections, we will introduce how to query
various Application Anomaly traffic reports.
When users click on the unfolding mark of Anomaly Activities / Worm, all its sub menus will be
unfolded including Summary Report, and Breakdown Report.
9.2.1
Summary Report
The summary report of the Worm traffic presents the overall abnormal application traffic analysis.
With the Application Anomaly summary report, users can briefly know how much abnormal
application traffic in/out of Home network. Click on the Summary Report sub menu of Anomaly
Activities / Worm menu to enter the Summary Report window. The system will display various
analysis reports for worm traffic according to the selected traffic unit, time interval, and traffic
type.
Report Descriptions
Query Bar
IP Version: only Both shows in the dropped down list.
311
Report Chart
all bands.
to separately represent Into-Home, Out-of-Home, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Into-Home, Out-of-Home,
and Sum traffic statistics.
Report Table
Chart. So that users can compare the traffic of the selected entries clearly. An All check box to
conveniently select all check boxes at once. Please click on Submit button (in Query Bar) to
worksheets.
9.2.2
Breakdown Report
in some kind of specific traffic. The breakdown report of the Worm traffic includes three types of
reports: Infected Hosts, Interface, and Sub-Network.
When users click on the unfolding mark of Breakdown Report under the Anomaly Activities /
Worm menu, all its sub menus will be unfolded including Infected Hosts, Interface, and
Sub-Network.
9.2.2.1
Infected Hosts
The Infected Hosts traffic analysis of Worm breakdown report provides the information about the
traffic amount of each infected host in a (Top N) Report Table. Totally, top 64 infected hosts will
be stored to database and top N (N: default = 25) will be displayed for report. Each row of Report
Table will display infected host IP, traffic amount, and total percentage. Click on the Infected
Hosts sub menu of Breakdown Report under the Anomaly Activities / Worm menu to enter
the Infected Hosts Report window.
Report Descriptions
Query Bar
Worm: select a worm type from the dropped down list.
Note
All listed worm types are defined and enabled in the Application Anomaly in the System
Admin/Network/Anomaly function.
312
IP version: only Both shows in the dropped list.
Report Chart
interval selected by users. The Y-coordinate represents infected host number. In the chart, each
boxes indicate which infected host they are.)
Bar Chart. Bar Chart is presented with horizontal bars and displays Egress traffic statistics for
Pie Chart. There is one pie chart presented to represent Egress traffic statistics.
Report Table
This table will display all kinds of traffic analysis statistics of infected hosts detected. There are
three tabs at the right top corner of the table: Average, Current, and Maximum.
Chart. So that users can compare different infected hosts of traffic clearly by unselecting the host
313
9.2.2.2
Interface
The Interface traffic analysis of Worm breakdown report provides the information about the traffic
of each interface. The system will display Top N (N: maximum = 64; default = 25) interfaces in a
(Top N) Report Table. Each row of Report Table will display router name, interface name, into
interface traffic, out of interface traffic, and sum traffic for each interface. Click on the Interface
sub menu of Breakdown Report under the Anomaly Activities / Worm menu to enter the
Interface Report window.
Report Descriptions
of Anomaly Activities / Worm for details.
Except the data listed in Report Table is different, other descriptions are all the same. For Interface
reports, the Report Table will display top N Interfaces and there is no total percentage statistics
provided.
9.2.2.3
Sub-Network
The Sub-Network traffic analysis of Worm breakdown report provides the information about the
worm traffic of Sub-Network entities defined in the system. The system will display Top N (N:
maximum = 64; default = 25) entities in a (Top N) Report Table. Each row of Report Table will
display Sub-Network name, into Sub-Network traffic, out of Sub-Network traffic, sum traffic, and
total percentage for each Sub-Network. Click on the Sub-Network sub menu of Breakdown
Report under the Anomaly Activities / Worm menu to enter the Interface Report window.
Report Descriptions
of Anomaly Activities / Worm for details.
Sub-Network reports, the Report Table will display top N Sub-Network entities.
314
Appendix (A) -- NetFlow Device Configuration

A-1 Cisco NetFlow Configuration
1. Export NetFlow version 5
Router(config)# ip flow-export version 5 origin-as

Router(config)# ip flow-export destination [GenieATMs ipaddr] [v5 port number]
Router(config)# ip flow-cache timeout active 1
2. Set command on Interface:
Router(config-if)# ip route-cache flow
Note
Since the router will only perform NetFlow statistics on inbound packets, we strongly
suggest users to apply the command on every interface for data accuracy to ensure full
collection of all flow data.
3. Check NetFlow setting
Router# show ip flow export
A-2 Foundr y BigIron NetFlow Configuration

1. Export NetFlow version 5
BigIron(config)# ip flow-export enable

BigIron(config)# ip flow-export version 5
BigIron(config)# ip flow-export destination [GenieATMs ipaddr] [v5 port number] 1
Bigiron(config)# ip flow-cache timeout active 1
BigIron(config)# ip flow-export original-as
2. Set command on Interface:
Bigiron(config-if)# ip route-cache flow
Note
3. Check NetFlow setting
Bigiron# show ip flow export
A-3 Enterasys NetFlow Configuration

Note
Enable SNMP before starting NetFlow.
Do not start NetFlow and RMON at the same time.
1. Export NetFlow
xp# netflow enable

xp# netflow set port [port lost]/all-ports
Note
xp# netflow set collector [GenieATMs ipaddr] deadtime 120 flow-destination-port [port
number]
xp# netflow set interval 1
2. Check Netflow setting
xp# netflow show all

315
Appendix (B) -- sFlow Device Configuration

B-1 Foundr y Networks sFlow Configuration
1. Export sFlow
BigIron(config)# sflow enable (optical)

BigIron(config)# sflow sample [decimal] (optical)
BigIron(config)# sflow destination [Genies ipaddr] [sFlow port number] (optical)
BigIron(config)# sflow source [ethernet/loopback/null] (optical)
Note
The configuration value of sflow sample must be the same as the sampling rate setup at
GenieATMs system / Flow Exporter.
2. Check sflow setting
BigIron(config)# show sflow
316
Appendix (C) -- Installing SSL in Controller for Enabling Secure

Web Access
The GenieATM supports the security access via browser. Follow steps below to setup the GenieATM
support SSL.
1. Enter Global configuration Mode to generate CSR(Certificate Signing Request) file
ATM # gencsr
Generating RSA private key, 1024 bit long modulus
........................++++++
....++++++
unable to write 'random state'
e is 65537 (0x10001)
...
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----Country Name (2 letter code) [AU]:TW
TW
State or Province Name (full name) [Some-State]:TAIWAN
TAIWAN
Locality Name (eg, city) []:TAIPEI
TAIPEI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GenieNRM
GenieNRM
Organizational Unit Name (eg, section) []:TAC
TAC
Common Name (eg, YOUR name) []:Genie
Genie
Email Address []:service@genienrm.com
service@genienrm.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [press enter]
An optional company name []: [press enter]
enter]
ATM (config)# exit
2. Display the ssl-csr files (the shown data is used to apply for the SSL server certificate)
ATM # show ssl-csr
-----BEGIN CERTIFICATE REQUEST----MIIByzCCATQCAQAwgYoxCzAJBgNVBAYTAlRXMQ8wDQYDVQQIEwZUQUlXQU4xDzAN
BgNVBAcTBlRBSVBFSTERMA8GA1UEChMIR2VuaWVOUk0xDDAKBgNVBAsTA1RBQzEO
MAwGA1UEAxMFR2VuaWUxKDAmBgkqhkiG9w0BCQEWGWpvc2VwaF9jaGVuZ0BnZW5p
ZW5ybS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJPErtO+e7P7nGEn
9Th4UA+1kZBgAbJOngbeECjdhFvu0aXaRN0OyE4BUODfbntdcoIvenTWkPMzZrZe
paC8gC81XpyTZGrDi2AqELMHA6cFbuDkZgyDvMfuV9Ekvw9l0TwmY1ijNXJSRDo/
jB4orIKmEBNMzByGFORLby4n8JsxAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQBj
5SZ9eGdO+dCubupnhtfocRqZO7H3+qLAc0Q3s1uFDzqG630nZYhot0ZR2YvuwCmZ
KVzi2KzWQAq4ioXsTCm4EguUhUKOkKDcbYSUXjQF5gAWlelCsZwX3LajZ8Z8P1Sc
9bVUJs/Tgcyf83cZpohcqBA5Eg0A9omsC5+BJ+03BQ==
-----END CERTIFICATE REQUEST----ATM #
317
3. You have to apply for the SSL server certificates through the Certificate Authorities like
Verisign and other independent third parties.
Note
The certificate authorities may issue the SSL server certificates via email, or a download file or
directly displaying contents on a popped up window. Save the content of SSL server certificates as a
file, getcacert.cer, for GenieATM download.
4. Download the SSL server certificate issued by the Certificate Authorities to GenieATM.
ATM # copy ftp certificate
Address of remote host?
192.168.12.100
Source file name? (absolute path, file name with path)
/getcacert.cer
[Waiting for FTP transmission ...]
FTP file from: /getcacert.cer
[FTP_STATUS] FTP_SUCCESS, 593 Bytes received
[copy ftp certificate ... OK]
ATM #
5. Backup SSL files(CRT, CSR, and Key files) to FTP server
ATM # copy ssl-files ftp
Address of remote host?
192.168.1.1
Destination file path? (The path to store SSL files)
/backup
[Waiting for FTP transmission ...]
FTP file to: /backup/mykey.key
[FTP_STATUS] FTP_SUCCESS, 887 Bytes transferred
FTP file to: /backup/mysite.csr
FTP file to: /backup/mysite.crt
[copy ssl-files ftp ... OK]
ATM #
Note
Strongly suggest backup the CRT, CSR and private Key files in case of unexpected situation.
318
Appendix (D) -- Booting GenieATM from TFTP Server

GenieATM provides the function that you are able to boot from a TFTP server. With this mechanism,
you can verify if a received GenieATM image file is good without damage before doing a software
upgrade. Besides, this function also can help you to recover GenieATM from a failed software upgrade.
Refer to the following steps to boot GenieATM from a TFTP server.
Step1: Attach one side of the RS232 cable to the RS232 port on GenieATM and connect the other
side to a terminal server. The location of RS232 port on GenieATM please refers to the
installation guide. Console parameters are as follows:
Baud: 9600 bps
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
Step 2: When the system starts to load OS and the screen displays "Loading..." as shown below,
press "b" to interrupt program and enter into boot mode to perform booting from TFTP server.
Loading... Press "b" to interrupt system loading processes.
Step 3: When the screen prompts "boot>", please type in the command "tftp" to activate TFTP client.
boot> tftp
Step 4: There are three parameters you have to specify, local TFTP client IP/CIDR, remote TFTP
servers IP address and default gateway for local TFTP client.
local-ip> 192.168.10.202/24
remote-ip> 192.168.10.201
default-gw> 192.168.10.254
Step 5: Use the command "ping" and then input the TFTP server IP address to check the network
connection between GenieATM and TFTP server.
boot> ping
target-ip> 192.168.10.201
PING 192.168.10.201 (192.168.10.201): 56 data bytes
64 bytes from 192.168.10.201: icmp_seq=0 ttl=64 time=0.5 ms
--- 192.168.10.201 ping statistics --3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.2/0.5 ms
target-ip> exit
Step 6: Type in the command "image" and then input the image name located at TFTP server.
boot> image
boot-image> image.jffs2
boot>
Step 7: Enter the boot tftp command to start booting from TFTP server. GenieATM will boot into CLI
mode if the image was ok.
boot> boot tftp
Booting from TFTP(192.168.10.201)....
319
Appendix (E) -- Dictionary of IETF Radius Client Attributes

Supported by GenieATM
This appendix provides overall Radius Client attributes supported by GenieATM.
RQ: Request
AR: Accept/Reject
ST: Start
SP: Stop
RQ AR
ST
SP
1
1
1
1
1
1
1
1
1
0-1
0-1
0-1
1
0-1
-
1
1
1
1
0-1
1
1
1
1
1
1
0-1
1
1
1
2
3
4
5
9
10
13
14
15
18
19
20
1
1
-
1
1
1
21
24
26
29
1
1
1
1
30
31
35
0-1
36
0-1
0-1
37
38
0-1
39
0-1
40
0-1
41
0-1
42
User-Name
User-Password
NAS-IP-Address
NAS-Port
Service-Type
Login-IP-Host
Replay-Message
Class
Session-Timeout
Idle-Timeout
Calling-Station-Id
NAS-Identifier
Acct-Status-Type
2865
2865
2865
2865
2865
2865
2865
2865
2865
2865
2865
2865
2866
1
2
4
5
6
14
18
25
27
28
31
32
40
Type of
Value
String
String
Ipaddr
Integer
Integer
Ipaddr
String
String
Integer
Integer
String
String
Integer
Acct-Delay-Time
Acct-Session-Id
Acct-Session-Time
Acct-Terminate-Cause
2866
2866
2866
2866
41
44
46
49
Integer
String
Integer
Integer
Enent-Timestamp
NAS-Port-Type
NAS-Port-ID
2869
2865
2869
55
61
87
Integer
Integer
Integer
GENIE-USER-ROLE
9926
60
Integer
GENIE-USER-GROUP-ID
GENIE-USER-SubNetwork-ID
GENIE-USER-LANGUAGE
9926
9926
9926
61
62
63
Integer
Integer
Integer
GENIE-USER-STATUS
9926
64
Integer
GENIE-CLI-Privilege
9926
80
Integer
GENIE-CLI-Command
9926
81
String
Attribute
Vender
ID
Value
User input
User input
ATM IP
Request port
Login (1)
User IP
From RADIUS
From RADIUS
From RADIUS
X
User IP (add 0)
ATM IP
1: START
2: STOP
0-4
ATM
ATM
1: User Request
2: Lost Carrier
4: Idle Timeout
5: Session Timeout
6: Admin Reset
7: Admin Reboot
ATM
Ethernet (15)
0: eth0
1: eth1
101: ADMINISTRATOR
102: SUPERUSER
103: VIEWING-ONLY
104: Sub-Network-USER
0: WESTERM
1: TRADITIONAL-CHINESE
2: SIMPLIFIED-CHINESE
3: SHIFT-JIS
1: ACTIVE
0: INACTIVE
1: Normal-Mode
2: Enable-Mode
3: Configure-Mode
320

GenieATM ISPEdition UserManual v5.3.2 Eng (NetStream) PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GenieATM ISPEdition UserManual v5.3.2 Eng (NetStream) PDF

Uploaded by

Copyright:

Available Formats

GenieATM

Copyright 2009 belongs to Genie Network Resource Management Inc.

Product Serial Number

System and Functions Overview ...............................................................................2

System Overview ................................................................................................2

System Functions Overview ...................................................................................... 6

Login the system.......................................................................................................11

Logging out the system............................................................................................ 12

System Admin Function ...........................................................................................13

Local User Account .................................................................................................. 13

Online User .............................................................................................................. 20

Flow Load Balancers ............................................................................................... 29

Home Network ............................................................................................. 33

ATD White List.............................................................................................. 35

Recomm. to Add/Edit ................................................................................... 47

Recomm. to Remove ................................................................................... 48

Internet Boundary .................................................................................................... 49

MSP Customer ............................................................................................. 72

Boundary Template ...................................................................................... 75

MSP User Account ....................................................................................... 77

Privilege Template ........................................................................................ 77

Home Network ......................................................................................................... 33

Filter Batch ................................................................................................. 93

2009 Genie Network Resource Management Inc. All Rights Reserved.

Anomaly ............................................................................................................... 100

Protocol-Misuse Anomaly......................................................................... 101

Application Anomaly................................................................................. 102

Template .............................................................................................................. 108

Baseline Template .................................................................................... 108

Sub-Network Boundary .............................................................................117

Server-farm Boundary.............................................................................. 120

Server TopN Report ................................................................................. 122

Blackhole ............................................................................................................... 129

Device .................................................................................................................... 133

Guard ......................................................................................................... 133

Eudemon .................................................................................................... 137

Global ......................................................................................................... 141

Status ..................................................................................................................... 142

Report .................................................................................................................... 146

Notification ............................................................................................................. 148

System Notification .................................................................................... 149

Router Notification...................................................................................... 151

Sub-Network Notification............................................................................ 152

MSP Customer Notification ........................................................................ 153

Filter Notification ........................................................................................ 154

Name Mapping....................................................................................................... 155

Protocols .................................................................................................... 157

ASNs .......................................................................................................... 158

Group ..................................................................................................................... 163

Sub-Network .............................................................................................. 168

Server-farm ................................................................................................ 170

Filter ........................................................................................................... 175

MSP Customer User .................................................................................. 177

Baseline History ..................................................................................................... 179

Sub-Network Baseline History ................................................................... 179

MSP Customer Baseline History................................................................ 180

Filter Baseline History ................................................................................ 182

Offline Report ......................................................................................................... 183

Scheduler Template ................................................................................... 183

Sub-Network .............................................................................................. 185

Report Rebuild ................................................................................................188

MSP Server............................................................................................................ 193