Introduction
This document provides an example for using NTA/UBA to monitor the network traffic on a device in
real time through NetStream.
Prerequisites
Before you configure NTA/UBA and NetStream to monitor network traffic, complete the following
configurations:
- Configure network settings to make sure the device can communicate with the NTA/UBA server.
- Enable NetStream on the device, so the NTA/UBA server can receive NetStream data from the
  device.
- Configure basic parameters on the device and the NTA/UBA server.
Figure 1 Network diagram
Procedures
Viewing IP addresses and interface information
1. Identify the IP address of the NTA/UBA server.
The IP address of the NTA/UBA server is 192.168.1.212/24.
2. Identify the management IP address of the MSR30-20 router.
The IP address of the MSR30-20 router is 90.16.0.240/24.
3. View interface information:
a. Click the Resource tab.
b. From the left navigation tree, select Resource Management > Add Device.
c. On the page that opens, type an IP address for Host Name/IP.
d. Configure the same SNMP, Telnet, and SSH settings as those on the device.
e. Click OK.
f. On the page that indicates the device has been successfully added, click the Device
Details link.
The Device Details page opens.
g. Click the Interface List link. The Interface List page opens, as shown in Figure 2.
Figure 2 Interface List page
Configuring NTA/UBA
Adding the MSR30-20 router
1. Click the Service tab.
2. From the left navigation tree, select Traffic Analysis and Audit > Settings.
The Settings page opens.
3. In the Guide to Quick Traffic Analysis And Audit Management area, click Device
Management.
The Device Management page opens.
4. Click Add.
The Add Device page opens.
5. Configure the router parameters and click OK, as shown in Figure 3.
Figure 3 Adding a device
Deploying server configuration
1. Click the Service tab.
2. From the left navigation tree, select Traffic Analysis and Audit > Settings.
The Settings page opens.
3. In the Guide to Quick Traffic Analysis And Audit Management area, click Server
Management.
The Server List page opens.
4. Click the Modify icon for the NTA/UBA server to which you want to deploy configurations.
The Server Configuration page opens.
5. Configure the NTA/UBA server parameters as needed, as shown in Figure 4:
a. Configure the same FTP main directory, username, and password as the FTP settings on
the NTA/UBA server.
b. Select the MSR30-20 router in the Traffic Analysis and User Behavior Audit areas.
c. Configure the Intranet monitor information for the device.
6. Click Deploy.
Figure 4 Server Configuration
Figure 5 Adding an interface traffic analysis task
Figure 6 Summary information for interface traffic analysis tasks
Figure 7 Traffic information for an interface traffic analysis task
Figure 8 Application information for an interface traffic analysis task
Figure 9 Session information for an interface traffic analysis task
Troubleshooting NTA/UBA and NetStream
No NetStream data received on the NTA/UBA server
To resolve the problem:
1. Verify that the UDP port number for receiving logs is the same on the device and the NTA
server.
2. Verify that the device and the NTA server can reach each other.
3. Determine whether the firewall is enabled on the NTA server. If the firewall is enabled, disable
the firewall, or open UDP ports 9020, 9021, and 6343.
4. Determine whether there are a large number of files in the directories
$IMC_INSTALL/data/recieverData and $IMC_INSTALL/data/processorData/data.
5. If there are a large number of files in the directories, perform the following tasks:
a. Stop the IMC process.
b. Delete the files in the directories.
c. Clear the unba_slave.tbl_storing_task table in the database.
d. Restart the IMC process.
6. View the database disk usage:
a. Click the Service tab.
b. From the left navigation tree, select Traffic Analysis and Audit > Database Space.
7. If the disk usage has exceeded the usage threshold of the database disk, expand the disk
capacity or delete useless data.
No audit results on UBA
To resolve the problem:
1. Check the intranet information on the Server Configuration page.
If the IP address of the host that UBA monitors does not belong to the intranet network, the IP
address will not be monitored. Follow these steps to add the monitored IP address:
a. In the Intranet Monitor Information area, type the IP address of the monitored host in the
Intranet Information field.
b. Click Add, as shown in Figure 4.
The IP address is displayed in the Intranet Information area.
2. Log in to the database, and determine whether the unba_slave_tbl_nets_YYMMDDHH table
exists.
If the table exists, the NTA/UBA server can receive NetStream data. Make sure the time
setting and time zone of the device are consistent with the setting of the NTA/UBA server.
If the table does not exist, the NTA/UBA server cannot receive NetStream data. For more
information about resolving the problem, see "No NetStream data received on the NTA/UBA
server."
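
The time-consistency check in step 2 can be run against a single captured export datagram. The following is an added example, not part of the original document or the product: it assumes the device exports NetStream version 5 with a NetFlow v5 compatible header, uses an assumed 300-second tolerance, and its function names and sample datagrams are constructed for illustration.

```python
import struct

# Assumed layout: NetStream version 5 export header (NetFlow v5 compatible):
# version, count, sys_uptime_ms, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval.
HEADER = struct.Struct("!HHIIIIBBH")  # 24 bytes, network byte order
RECORD_LEN = 48                        # fixed size of one version 5 flow record
MAX_SKEW_S = 300                       # assumed tolerance, not from the document


def parse_header(datagram: bytes) -> dict:
    """Decode the export header and check the datagram length against it."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a version 5 header")
    version, count, _uptime, secs, nsecs, seq, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"export version {version}, expected 5")
    if len(datagram) != HEADER.size + count * RECORD_LEN:
        raise ValueError(f"length {len(datagram)} does not match {count} records")
    return {"count": count, "device_time": secs + nsecs / 1e9, "sequence": seq}


def diagnose(datagram: bytes, server_now: float) -> str:
    """Return 'ok' or the reason the datagram needs investigation."""
    try:
        header = parse_header(datagram)
    except ValueError as exc:
        return f"invalid export datagram: {exc}"
    skew = header["device_time"] - server_now  # positive: device clock is ahead
    if abs(skew) > MAX_SKEW_S:
        return f"clock skew {skew:+.0f} s: align device time and time zone with the server"
    return "ok"


def build_sample(device_secs: int, count: int = 1) -> bytes:
    """Constructed test datagram: valid header plus zero-filled flow records."""
    header = HEADER.pack(5, count, 60_000, device_secs, 0, 1, 0, 0, 0)
    return header + bytes(RECORD_LEN * count)


if __name__ == "__main__":
    SERVER_NOW = 1_700_000_000  # constructed server clock (epoch seconds)
    print(diagnose(build_sample(SERVER_NOW + 2), SERVER_NOW))
    print(diagnose(build_sample(SERVER_NOW + 8 * 3600), SERVER_NOW))
    print(diagnose(build_sample(SERVER_NOW)[:-4], SERVER_NOW))
```

In practice, pass the UDP payload of one captured export packet and the server's current epoch time to diagnose().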