Performance vision Version 2.15 news

Post on 04-Jul-2015

© SecurActive 2013

WHAT’S NEW IN VERSION 2.15?

PERFORMANCE VISION VERSION 2.15

HTTP Application Performance

BCN Workflow

Network Analysis

Configuration & Usability

HTTP APPLICATION PERFORMANCE

500 - Internal Server Error, Service Temporarily Unavailable

Deal with End User complaints

Track Page / Hit load time

Identify Slow / Faulty transactions

HTTP APPLICATION PERFORMANCE

Response Status Code over Time

Response Times & Volumetry over Time

Flows grouped by Server IP

Flows grouped by Client IP

Flows grouped by Host

Flows grouped by User Agent

Web Pages Performance & Timeline Chart

Hits Performance & Inspection

HTTP STATUS

Response Status Code over Time

ARE THERE ERRORS?

WHAT CAUSED THE ERRORS?

Hits Performance & Inspection

One-click Drilldown

Look at what happened:

Who is impacted (Client or Servers)?

What are the related resources?

PERFORMANCE OVER TIME

Response Times & Volumetry over Time

ARE THERE SLOW DOWNS?

Check Performance over time for:

Average Page Load Time

Average Hit Response Time

HOW MANY RESOURCES ARE PROCESSED?

Evolution over time:

Number of Hits

Number of Pages

Number of Hits in Error (4xx & 5xx)

HTTP TOPS

Group HTTP Flows by:

Server IP

Client IP

Host

User Agent

WHAT ARE THE SLOWEST PAGES?

INTEREST OF STANDARD DEVIATION?

[Chart 1: ten page load values alternating between 11 and 9]

Page Load Average: 10

Standard Deviation: 1

[Chart 2: ten page load values alternating between 18 and 2]

Page Load Average: 10

Standard Deviation: 8

PAGE LEVEL ANALYSIS

Web Pages Performance & Timeline Chart

WHAT ARE THE SLOWEST PAGES?

Check performance indicators on:

Number of Elements composing a page

Page Load Time

Response Payload

SEE ISSUES AT A GLANCE: TIMELINE CHART

FULL QUERY / RESPONSE RETENTION

Inspection details of transaction:

Client Query

Server Response

HIT LEVEL ANALYSIS

HTTP Hits Performance Analysis

LIST OF HTTP HITS

Detailed list of HTTP hits:

Data Transfer Time

Server Response Time

Payload

User Agent, Method, Status, Category, Flags, URL

HTTP SPECIFIC FILTERS

Refine your search with filters dedicated to HTTP analysis:

Method: GET, HEAD, POST…

Status: Success, Redirection, Error…

Host: www.google.fr, pypi.rd.securactive.lan

URL Path: /application1*, /intranet*/*app*…

User Agent: Mozilla*, *Gecko*, *MSIE*…

Server Software: Apache*, *nginx*, AmazonS3*…

HTTP Category: HTML, Scripts, Style…

Be careful when using regular expressions: they can be highly resource-consuming.

HTTP ANALYSIS FOR NPS/APS

Flow metrics for both NPS & APS

HTTP Performance for APS Only

FORMER WEB BROWSING

Marked as Deprecated

Works like before

Should be Removed in an Upcoming Version

BCN WORKFLOW

Updated for drilldown

New

BCN Workflow with Easy Drilldown

BUSINESS CRITICAL NETWORK DRILLDOWN

V2.12 V2.15

Link to Performance from the first zone to the second zone

Link to the Bandwidth chart between the two zones

Link to Oriented Conversations from the first zone to the second zone

Link to BCN Edition

Link to the Bandwidth chart between the two zones

SOURCE/DESTINATION PERFORMANCE

Display Source/Destination performance over time:

Data Transfer Time (DTT), Network Latency (RTT), Retransmission Delay (RD)

Retransmission Rate (RR)

Number of Packets

ORIENTED FLOW DETAIL

Display more Information on Source/Destination flows: OS Fingerprint, MAC Addresses, Port, QoS Field…

SOURCE/DESTINATION ADVANCED FILTERS

V2.12 V2.15

Source/Destination Advanced Filters have been Completed. They now Work like in Client/Server Mode.

NETWORK ANALYSIS

CHECK QOS CLASS

DiffServ Field

Client/Server

Source/Destination

DISPLAY MAC ADDRESSES

MAC Addresses

Client/Server

Source/Destination

OPERATING SYSTEM FINGERPRINTING

OS Fingerprinting

Client/Server

Source/Destination

For TCP Only!

ETHERNET PROTOCOL / MAC VENDOR

Improved Display of Ethernet Protocol

Improved Display of MAC Address Vendor

CONFIGURATION & USABILITY

BETTER PERFORMANCE

Better performance for:

Network Sniffing

Data Dumping

IMPROVED SRT & DTT COMPUTATION

In the presence of lost TCP segments, more accurate:

Server Response Time (SRT)

Data Transfer Time (DTT)

ZONE RULES CHECKER

Find the first Matching Rule for a Zone.

HTTP PERFORMANCE ANALYSIS CONFIGURATION

For performance reasons, it is recommended to restrict HTTP performance analysis to appropriate traffic only.

Select Zones on which HTTP performance analysis will be performed, by default: None!

Child zones will be automatically selected.

HTTP PERFORMANCE ANALYSIS IMPACT

HTTP performance analysis Impacts:

System workload: check CPU, RAM, Disk…

Database workload: check License limit (Virtual appliances)

HTTP PORT SIGNATURES

By default, HTTP performance analysis is performed on these ports. Add more ports to extend the analysis scope.

This is a global parameter (for all selected zones).

The more ports are added, the more CPU power is required!

AUTOPCAP CONFIGURATION

For performance reasons, it is recommended to restrict AutoPCAP file generation to appropriate traffic only.

Select Zones on which AutoPCAP files will be captured and generated.

Child Zones will be Automatically Selected.

CUSTOM FILTERS (BETA)

Available fields:

app,

capture.begin, capture.end,

device,

diffserv, diffserv.clt, diffserv.srv,

domain,

ip, ip.clt, ip.dst, ip.src, ip.srv,

mac, mac.clt, mac.dst, mac.src, mac.srv,

os, os.clt, os.srv,

port.srv,

proto,

vlan,

zone, zone.clt, zone.dst, zone.src, zone.srv

Combine filters with logical operators (or, and, not).

Order sub-expressions using parentheses.

Examples:

(ip=10.10.*.* or ip.srv=10.20.30.*) and os.clt='linux'

zone in '/Private/Servers' or port.srv < 1024

(proto=udp and port.srv=53) or zone in '/Private/DNS'

domain='~^www.google.(fr|com)$'

app='http' or app='https'

BCN WITH < 1 MIBPS LINKS

Business Critical Networks now supports links whose available bandwidth is < 1 Mibps

DATA MERGING

Configure when to merge Data

Increasing levels can generate huge performance issues. In case of slowdowns, consider reducing merging levels.

Configure Merging Level

Example:

Begin Time  End Time  Zone        IP             Payload  EURT
08:00       08:01     Internet    76.20.80.201   10 MB    100 ms
08:05       08:06     Internet    76.20.80.201   3 MB     200 ms
08:10       08:11     Internet    183.28.100.2   6 MB     150 ms
08:10       08:11     Internet    76.20.80.201   3 MB     200 ms
08:12       08:14     Lan/Server  192.168.100.8  5 MB     10 ms

Begin Time  End Time  Zone        IP             Payload  EURT
08:00       08:11:00  Internet    76.20.80.201   16 MB    166 ms
08:10       08:11:00  Internet    183.28.100.2   6 MB     150 ms
08:12       08:14     Lan/Server  192.168.100.8  5 MB     10 ms

Begin Time  End Time  Zone        IP             Payload  EURT
08:00       08:11:00  Internet    -              22 MB    158 ms
08:12       08:14     Lan/Server  192.168.100.8  5 MB     10 ms

Data Aggregation

Data Merging
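
The two reduction steps in the example tables can be reproduced with a short script. This is an added example, not SecurActive's code: the function names are hypothetical, and the unweighted, truncated EURT mean is an assumption chosen because it matches the figures on the slide.

```python
from collections import defaultdict

# Rows copied from the slide's example table:
# (begin, end, zone, ip, payload_mb, eurt_ms). Times are HH:MM strings.
ROWS = [
    ("08:00", "08:01", "Internet", "76.20.80.201", 10, 100),
    ("08:05", "08:06", "Internet", "76.20.80.201", 3, 200),
    ("08:10", "08:11", "Internet", "183.28.100.2", 6, 150),
    ("08:10", "08:11", "Internet", "76.20.80.201", 3, 200),
    ("08:12", "08:14", "Lan/Server", "192.168.100.8", 5, 10),
]
ZONE, IP = 2, 3  # column indexes usable as grouping keys


def merge(rows, key_columns):
    """Collapse rows that share the same values in key_columns."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[i] for i in key_columns)].append(row)
    out = []
    for group in groups.values():
        ips = {r[IP] for r in group}
        out.append((
            min(r[0] for r in group),             # earliest begin time
            max(r[1] for r in group),             # latest end time
            group[0][ZONE],
            ips.pop() if len(ips) == 1 else "-",  # IP detail is lost when mixed
            sum(r[4] for r in group),             # payloads add up
            # Assumption: EURT is an unweighted mean, truncated to an integer.
            sum(r[5] for r in group) // len(group),
        ))
    return sorted(out)


def worst_eurt(rows):
    """Highest EURT still visible in a table."""
    return max(r[5] for r in rows)


per_ip = merge(ROWS, (ZONE, IP))   # first reduction: same zone and IP
per_zone = merge(per_ip, (ZONE,))  # second reduction: same zone only

if __name__ == "__main__":
    for table in (ROWS, per_ip, per_zone):
        print(worst_eurt(table), table)
```

The worst visible EURT drops from 200 ms to 166 ms and then 158 ms, and the client IP disappears in the last table, so per-host slow responses can no longer be found once the data has been reduced.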

APPLICATIVE LOGS

Keep track of events on the probe.

Up to 7 days for internal processes

Up to 31 days for other events (e.g. errors)

ADVANCED SNIFFER CONFIGURATION

Fine-tuning of the Sniffer’s parameters

SET THE MTU OF A POLLER

Set the MTU of a poller. It is a per-poller setting.

Default is 1800

Over 9000 is not recommended

Reboot is required!

SNIFFER’S CAPTURE LENGTH

Defines the “Capture Length” used by the sniffer to analyze the traffic.

For best accuracy, it should be equal to the highest poller’s MTU.

However, high values are highly CPU-consuming.

Smaller values will save CPU processing power.

Sniffer restart is required!

UPDATE LOG

Upgrade logs now have their own file:

log nova/install.log

DEFAULT SCREEN

New welcome screen during:

Updates

Services turned Off

DOCUMENTATION UPDATE

Documentation update:

One-click access in the interface

Available on SecurActive web site

User guide and release notes

http://www.securactive.net/en/resource-library/usersguide

VERSION 2.15 IMPACTS

Impacts on existing metrics:

SRT, DTT, EURT…

Main Impacts compared to 2.12:

Database Migration Time: Small

Metrics Impact on database is small.

Update should take a few minutes.

REBOOT AFTER UPDATE

After the update is completed

YOU’RE READY TO GO, ENJOY!

What’s New in Version 2.15?

THANK YOU!

For any Question:

sales@securactive.net

support@securactive.net

Follow Us on @SecurActivePV

www.securactive.net

blog.securactive.net