Traffic Sentinel configuration
When you have entered the software key and the server is started for the first time, it is automatically given a minimal configuration.
Manual Device Configuration
If your network includes devices that must be configured manually to send sFlow®, NetFlow™, IPFIX, or LFAP, configure these devices to send data to Traffic Sentinel on the ports given on the File>Status page. If the Traffic Sentinel configuration contains a group that includes the agent's IP address, the new agent appears in that group; otherwise it appears under Traffic>Status in a zone called "other". IPFIX, NetFlow and LFAP do not carry interface counters, so the server automatically starts polling for them with SNMP.
Automatic Device Configuration
If your network includes devices that can be configured automatically via the sFlow MIB, add either an individual agent section for each of them or agent-range sections with the "scan" flag set. To make changes take effect immediately, initiate a new scan from the File>Control page. Devices found this way are tested for sFlow and configured automatically where possible. For this to work, the devices must accept SNMP SET requests from the server; since SET access allows configuration changes, grant that write access only to the server's address.
Note: If the sFlow MIB is not available and the HP XRMON MIB is present, then XRMON will be used instead.
Device Counter Polling
If your network includes devices that do not offer any of the embedded monitoring solutions supported by the server, you may still want to collect interface-counter trends, resolve topology and locate end-hosts to their ports. In that case, create a separate agent section for each such device; the server will then use SNMP to poll it for interface counters and to collect the data used for topology discovery and end-host location.
As described above, this counter polling will also be initiated automatically for devices sending IPFIX, NetFlow™, or LFAP.
To ensure maximum visibility into your network, a large number of reports are available that can be tailored to your network and scheduled to run regularly. To adapt Traffic Sentinel to your network, you should next configure reporting.
Traffic Sentinel starts with a number of useful security rules already included. These can trigger alerts as soon as a suspicious packet is matched by a rule. The rules can be tailored to your network, and new rules can be added to tighten security. For details, see Signatures>Configure.
Any events that appear under Events>List can be processed by a script and forwarded via:
- RSS feed
- system log
- SNMP trap
To use the RSS feed, select the event list that you want to follow, then click the button. The other event forwarding options are possible because a script, /usr/local/inmsf/scripts/eventScript, is called with each event. The script provided can be edited or replaced to customize this behavior; it picks up its settings from the global.prefs file. For example, to have events logged to the system log, forwarded by mail to the address email@example.com and sent as traps to the host 10.10.1.25, edit the file /usr/local/inmsf/etc/config/global.prefs and add the following lines:
event.syslog = YES
event.mail = email@example.com
event.trap = 10.10.1.25
For mail to be forwarded successfully the service sendmail must be configured on your server.
For traps to be forwarded successfully the rpm package net-snmp-utils must be installed. The traps are described by the trapMIB specification.
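The interface between the server and eventScript is not documented on this page, so the following replacement script is an added example, not InMon's shipped eventScript. It assumes that the server passes the event text on the script's standard input, that global.prefs consists of "key = value" lines as shown above, and that the trap notification OID, the OID of the text varbind (both taken from the trapMIB specification, which is not reproduced here) and the SNMP community are supplied in the TRAP_OID, TRAP_TEXT_OID and TRAP_COMMUNITY environment variables; those three names are this example's own. The script keeps reading the preferences, deciding what to do, and doing it in separate functions, so the first two can be checked without logger, sendmail or snmptrap installed. Event text can include bytes copied from the packet that matched a signature, so it is always passed to the delivery tools as one quoted argument or on stdin and never spliced into a command string.

```sh
#!/bin/sh
# Added example replacement for /usr/local/inmsf/scripts/eventScript
# (not InMon's shipped script). Assumptions, none of which come from the
# manual page: the event text arrives on stdin; global.prefs holds
# "key = value" lines; TRAP_OID, TRAP_TEXT_OID and TRAP_COMMUNITY are
# environment variables the operator sets from the trapMIB specification.

PREFS=${PREFS:-/usr/local/inmsf/etc/config/global.prefs}

# read_pref KEY [FILE]: print the value of "KEY = value" (last match wins,
# surrounding whitespace removed); print nothing if the key or file is absent.
read_pref() {
    key=$(printf '%s' "$1" | sed 's/[.]/\\./g')   # dots in the key are literal
    file=${2:-$PREFS}
    [ -r "$file" ] || return 0
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$file" \
        | tail -n 1
}

# is_yes VALUE: true for YES/yes/true/1, the form used by "event.syslog = YES".
is_yes() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# plan_actions [FILE]: print one "action target" line per forwarding method
# enabled in the prefs (syslog has no target). Kept apart from delivery so the
# decision can be tested, and so DRY_RUN=1 can show what would be sent.
plan_actions() {
    file=${1:-$PREFS}
    if is_yes "$(read_pref event.syslog "$file")"; then
        printf 'syslog\n'
    fi
    addr=$(read_pref event.mail "$file")
    if [ -n "$addr" ]; then printf 'mail %s\n' "$addr"; fi
    host=$(read_pref event.trap "$file")
    if [ -n "$host" ]; then printf 'trap %s\n' "$host"; fi
    return 0
}

# forward_event EVENT [FILE]: deliver one event by every enabled method.
# EVENT may carry attacker-chosen bytes from a matched packet, so it is only
# ever passed as a quoted argument or on stdin, never through eval.
forward_event() {
    ev=$1
    file=${2:-$PREFS}
    plan_actions "$file" | while read -r action target; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would forward via %s %s\n' "$action" "$target"
            continue
        fi
        case $action in
            syslog) logger -t trafficsentinel -p local0.notice -- "$ev" ;;
            mail)   printf 'To: %s\nSubject: Traffic Sentinel event\n\n%s\n' "$target" "$ev" \
                        | sendmail "$target" ;;
            trap)   # OIDs come from trapMIB; a v2c community travels in clear text,
                    # so do not default it to "public".
                    : "${TRAP_OID:?set from trapMIB}" "${TRAP_TEXT_OID:?set from trapMIB}" \
                      "${TRAP_COMMUNITY:?set the trap community}"
                    snmptrap -v 2c -c "$TRAP_COMMUNITY" "$target" '' \
                        "$TRAP_OID" "$TRAP_TEXT_OID" s "$ev" ;;
        esac
    done
}

# Deliver only when invoked as the eventScript itself, so the functions can be
# sourced elsewhere without consuming stdin.
case ${0##*/} in
    eventScript) forward_event "$(cat)" ;;
esac
```

Running it with DRY_RUN=1 and an event on stdin lists the methods the current global.prefs enables without sending anything, which is a quick way to confirm the prefs were picked up before relying on sendmail or net-snmp-utils.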