User's Guide

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesReal-time Network and Application Insights from the Edge to the Data Center and into the Multi-Cloud

Table Of Contents

ExtremeAnalytics® User GuideVersion 8.4
Legal Notices
Trademarks
Contact
Extreme Networks® Software License Agreement
Table of Contents
ExtremeAnalytics™ Help
- Document Version
ExtremeAnalytics Licensing
- Using Licenses to Establish Flow Rate Capacity
- Getting Started with ExtremeAnalytics
- ExtremeAnalytics Access Requirements
- ExtremeAnalytics Engine Configuration
- Enable Flow Collection
- Enable Jumbo Frames
Configuring Enhanced Netflow for Extreme Analytics and Extreme Wireless Contr...
How to Deploy ExtremeAnalytics in an MSP or MSSP Environment
- Configuring Extreme Management Center Behind a NAT Router
- ExtremeAnalytics Application Data Collection
- Data Collection Overview
- Using Sites to Collect In-Network Traffic
- Data Collector Types
  - General Usage Collectors
    - Hourly General Usage Collectors
    - High-Rate General Usage Collectors
  - End-System Details Collector
- Flow Information Sources
  - Enabling ExtremeControl Integration
- Reports
  - Dashboard Report
  - Browser Reports
ExtremeAnalytics Tab Overview
- Dashboard
- Browser
- Application Flows
- Fingerprints
- Packet Captures
- Configuration
- Reports
ExtremeAnalytics Dashboard Overview
- Insights Dashboard Reports
- Client/Server Dashboard Reports
- Applications Browser Dashboard Report
- Industry Dashboards
- IP Reputation Dashboard
- Response Time Dashboard
- Network Service Dashboard
- Tracked Applications Dashboard
ExtremeAnalytics Insights Dashboard
- Insights
  - Ring Chart
  - Custom Dashboard
- How to Create an ExtremeAnalytics Insights Custom Dashboard
  - Custom Dashboard
  - Graphs
- ExtremeAnalytics Response Time Dashboard
- Overview
- Network Response Time Graph
- Application Response Time Graph
- ExtremeAnalytics Network Service Dashboard
- Overview
- Expected Response Time
- Historical Response Time
ExtremeAnalytics Tracked Applications Dashboard
- Overview
- Expected Response Time
- Historical Response Time
ExtremeAnalytics Browser Overview
- Overview
- Data Aggregation
- Options
ExtremeAnalytics Application Flows
- Overview
- Application Flows Tables
- Report Features
- ExtremeAnalytics Bidirectional Flow Table
- ExtremeAnalytics Unidirectional Flow Table
- ExtremeAnalytics Historical Flow Table
ExtremeAnalytics Fingerprints Overview
ExtremeAnalytics Custom Fingerprints
- Fingerprint Table
  - Menu
  - Column Definitions
Delete Custom Fingerprints
- Deleting a Custom Fingerprint
Custom Fingerprint Examples
- Fingerprints Based on a Flow
- Fingerprints Based on an Application or Application Group
- Fingerprints Based on a Destination Address
Create Custom Fingerprints Based on Flow
- Creating Fingerprints Based on a Flow
Create Custom Fingerprints Based on Destination Address
- Creating Fingerprints Based on a Destination Address
Create Custom Fingerprints Based on Application or Application Group
- Creating Fingerprints Based on an Application or Application Group
ExtremeAnalytics Packet Captures
ExtremeAnalytics Configuration Overview
- Engines
  - Status
  - Configuration
- Virtual Sensors
- Fingerprints
- Licenses
- Status
- Configuration
Virtual Sensors
- Virtual Sensors
- Virtual Machines
ExtremeAnalytics Engine Advanced Configuration
- Flow Collection Type
- Collection Privacy Levels
- Client Aggregation
- Slow Client Data
- Max End-Systems in Hourly Details
- Sensor Log Levels
- Store Application Site Data
- ExtremeControl Integration
- Flow Sources/Application Telemetry Sources
- Web Credentials
- Configuration Properties
- Sensor Modules
- Auditing
- Network Settings
ExtremeAnalytics Reports
- Reports
ExtremeAnalytics Report Descriptions
- Report Descriptions
Add and Modify Fingerprints
- Adding a Fingerprint
- Modifying a Fingerprint
- Enabling or Disabling a Fingerprint
- Deleting a Custom Fingerprint
- Updating Fingerprints
  - Perform a Fingerprint Update
  - Schedule Fingerprint Updates
Add Fingerprints
- Add a Fingerprint
Enable or Disable Fingerprints
- Enabling or Disabling a Fingerprint
Modify Fingerprints
- Modifying a Fingerprint
Update Fingerprints
- Updating Fingerprints
  - Perform a Fingerprint Update
  - Schedule Fingerprint Updates
Custom Fingerprint Examples
- Fingerprints Based on a Flow
- Fingerprints Based on an Application or Application Group
- Fingerprints Based on a Destination Address
How to Deploy ExtremeAnalytics in an MSP or MSSP Environment
- Configuring Extreme Management Center Behind a NAT Router
ExtremeAnalytics Virtual Sensor Configuration in Extreme Management Center
- Prerequisites
- Installing the Virtual Sensor Using the Extreme Management Center Server
  - Install Using Extreme Management Center
    - Configuring the VMware vSphere Module in ExtremeConnect
    - Adding the Virtual Sensor to Extreme Management Center
- Adding the Virtual Sensor in ExtremeAnalytics
- Configuring vCenter Settings for the Virtual Sensor
Stream Flow Data from ExtremeAnalytics into Splunk
- Environment
- Overview
- Part 1 – Making File Level Splunk Modifications
- Part 2 – Creating a New Stream using the Splunk web UI
- Part 3 – Configuring each Analytics Engine to Export IPFIX Data to the Splunk...
- Appendix
Stream Flow Data from ExtremeAnalytics into Elastic Stack
- Environment
- Overview
- Part 1 – Installing and Configuring ElastiFlow and Elastic Stack
- Part 2 – Configuring each Analytics Engine to export IPFIX data to the Elasti...
- Appendix: Files

Reports

61 of 218

number. For example, a botnet command and control node may be a legitimate

webserver, which is not suspicious. However, if there are flows certain botnets are

known to use specific ports on a node, these communications cause the IPaddress

to be flagged in this classification.

l DShield Top Attackers — The DShield project is a distributed security analysis effort

that collects logs, IDS/IPS events, and other data from volunteers around the

Internet. This data is analyzed by DShield and a list of the top set of IP addresses that

appear to be attacking other systems worldwide is provided by DShield. When

application flows appear within ExtremeAnalytics that match any of the IP addresses

from the DShield top attackers list, it is likely systems in the local network are being

actively attacked.

l Tor Exit Node, Relay or Router — This reputation feed provides a listing of known

Tor exit nodes, relays, and routers. Tor is a service that provides IP anonymity. It

functions as a distributed set of systems on the Internet and builds sets of "virtual

circuits" through this set of systems on behalf of users that do not want to reveal

their local IP address to destination servers. Typically, Tor is used to mask web

browsing communications, but other services can run over the Tor network.

Matches against this reputation feed indicate Tor usage on the local network.

NOTE: IP addresses that match multiple classifications (e.g. an IP address is listed as both a

CiArmy Top Attacker and a DShield Top Attacker) are only classified in the first category

in which they match, not in additional categories.

Response Time Dashboard

The Response Time Dashboard displays the response time in milliseconds of

application data grouped by different criteria, selected from the drop-down list.

The data is displayed as a line graph, which is updated periodically.

Network Service Dashboard

The Network Service Dashboard displays the response time of network services

for the top five worst-performing sites as well as the overall average of all sites.

The data for each network service at a site is displayed as a bar and line graph,

which is updated periodically.