HPE IMC NTA/UBA

NetStream Configuration Examples

Part number: 5200-4119

Software version: IMC NTA 7.3 (E0503)
Software version: IMC UBA 7.3 (E0503)

The information in this document is subject to change without notice.

© Copyright 2016 Hewlett Packard Enterprise Development LP
Contents
Introduction ·····················································································1
Prerequisites ···················································································1
Restrictions and guidelines ·································································1
Example: Using NTA/UBA for traffic monitoring through NetStream ············1
Network configuration ················································································································· 1
Procedures ······························································································································· 2
Viewing IP addresses and interface information ········································································· 2
Configuring NTA/UBA ·········································································································· 3
Configuring NetStream on the router ······················································································· 6
Viewing interface traffic information ························································································· 6
Auditing user behaviors ······································································································ 10
Troubleshooting NTA/UBA and NetStream ···················································································· 11
No NetStream data received on the NTA/UBA server ································································ 11
No NetStream data on NTA ································································································· 11
No audit results on UBA ······································································································ 12

i
Introduction
This document provides an example for using NTA/UBA to monitor the network traffic on a device in
real time through NetStream.

Prerequisites
Before you configure NTA/UBA and NetStream to monitor network traffic, complete the following
configurations:
 Configure network settings to make sure the device can communicate with the NTA/UBA
server.
 Enable NetStream on the device, so the NTA/UBA server can receive NetStream data from the
device.
 Configure basic parameters on the device and the NTA/UBA server.

Restrictions and guidelines

When you configure NTA/UBA NetStream, follow these restrictions and guidelines:
 NTA supports the following log types:
 IPFIX
 NetFlow v5
 NetFlow v9 (v5 and Cisco Flexible NBAR)
 NetStream v5
 NetStream v9 (H3C VPN, IPv4, and IPv6)
 sFlow v5
 UBA supports the following log types:
 Flow 1.0
 Flow 3.0
 IPFIX
 NAT 1.0
 NetFlow v5
 NetFlow v9 (v5 and Cisco Flexible NBAR)
 NetStream v5
 NetStream v9 (IPv4 and IPv6)

Example: Using NTA/UBA for traffic

monitoring through NetStream
Network configuration
As shown in Figure 1, configure NTA/UBA to analyze and monitor network traffic through NetStream.

1
 Figure 1 Network diagram

Procedures
Viewing IP addresses and interface information
1. Identify the IP address of the NTA/UBA server.
The IP address of the NTA/UBA server is 192.168.1.212/24.
2. Identify the management IP address of the MSR30-20 router.
The IP address of the MSR30-20 router is 90.16.0.240/24.
3. View interface information:
a. Click the Resource tab.
b. From the left navigation tree, select Resource Management > Add Device.
c. On the page that opens, type an IP address for Host Name/IP.
d. Configure the same SNMP, Telnet, and SSH settings as those on the device.
e. Click OK.
f. On the page that indicates the device has been successfully added, click the Device
Details link.
The Device Details page opens.
g. Click the Interface List link and the Interface List page opens, as shown in Figure 2.

2
 Figure 2 Interface List page

Configuring NTA/UBA
Adding the MSR30-20 router
1. Click the Service tab.
2. From the left navigation tree, select Traffic Analysis and Audit > Settings.
The Settings page opens.
3. In the Guide to Quick Traffic Analysis And Audit Management area, click Device
Management.
The Device Management page opens.
4. Click Add.
The Add Device page opens.
5. Configure the router parameters and click OK, as shown in Figure 3.
Figure 3 Adding a device

3
Deploying server configuration
1. Click the Service tab.
2. From the left navigation tree, select Traffic Analysis and Audit > Settings.
The Settings page opens.
3. In the Guide to Quick Traffic Analysis And Audit Management area, click Server
Management.
The Server List page opens.
4. Click the Modify icon for the NTA/UBA server to which you want to deploy configurations.
The Server Configuration page opens.
5. Configure the NTA/UBA server parameters as needed, as shown in Figure 4:
a. Configure the same FTP main directory, username, and password as the FTP settings on
the NTA/UBA server.
b. Select the MSR30-20 router in the Traffic Analysis and User Behavior Audit areas.
c. Configure the Intranet monitor information for the device.
6. Click Deploy.

4
 Figure 4 Server Configuration

Adding an interface traffic analysis task

1. Click the Service tab.
2. From the left navigation tree, select Traffic Analysis and Audit > Settings.
The Settings page opens.
3. In the Guide to Quick Traffic Analysis And Audit Management area, click Traffic Analysis
Task Management.
The Traffic Analysis Task Management page opens.
4. Click Add.
The Select Task Type page opens.
5. Select Interface and click Next.
The Add Traffic Analysis Task page opens.
6. Configure the basic task information, select the interface, and click OK, as shown in Figure 5.
This example uses Interface as the task name.

5
 Figure 5 Adding an interface traffic analysis task

Configuring NetStream on the router

Step Command Remarks
1. Enter system view. system-view N/A
2. Configure the destination
address and destination ip netstream export host By default, no destination
UDP port number for the ip-address udp-port [ vpn-instance address or destination UDP port
NetStream traditional data vpn-instance-name ] number is configured.
export.

3. Enter interface view. interface interface-type

N/A
interface-number
4. Enable NetStream on the ip netstream { inbound | By default, NetStream is disabled
interface. outbound } on the interface.

Viewing interface traffic information

Viewing summary information for interface traffic analysis tasks
1. Click the Service tab.
2. From the left navigation tree, select Traffic Analysis and Audit > Interface Traffic Analysis
Task.
The Interface Traffic page opens, as shown in Figure 6.

6
 Figure 6 Summary information for interface traffic analysis tasks

Viewing traffic information for an interface traffic analysis task

1. Click the Service tab.
2. From the left navigation tree, select Traffic Analysis and Audit > Interface Traffic Analysis
Task.
The Interface Traffic page opens.
3. To view traffic information for an interface traffic analysis task, do one of the following:
 On the Summary List, click the name of the interface traffic analysis task you want to view.
 In the left navigation tree, hover the mouse over the Expand icon next to Interface
Traffic Analysis Task and click Interface in the menu that opens.
The Interface traffic analysis page opens and displays total traffic information for the interface
traffic analysis task, as shown in Figure 7.

7
 Figure 7 Traffic information for an interface traffic analysis task

Viewing application information for an interface traffic analysis task

On the Interface traffic analysis page, click the Application tab. The tab displays application traffic
information for the interface traffic analysis task, as shown in Figure 8.

8
 Figure 8 Application information for an interface traffic analysis task

Viewing session information for an interface traffic analysis task

On the Interface traffic analysis page, click the Session tab. The tab displays session information
for the interface traffic analysis task, as shown in Figure 9.

9
 Figure 9 Session information for an interface traffic analysis task

Auditing user behaviors

1. Click the Service tab.
2. From the left navigation tree, select Traffic Analysis and Audit > User Behavior Audit.
The User Behavior Audit page opens.
3. Enter the audit conditions and click Audit.
The Audit Result page opens, as shown in Figure 10.
Figure 10 Log audit result

10
Troubleshooting NTA/UBA and NetStream
No NetStream data received on the NTA/UBA server
To resolve the problem:
1. Verify that the UDP port number for receiving logs is the same on the device and the NTA
server.
2. Verify that the device and the NTA server can reach each other.
3. Determine whether the firewall is enabled on the NTA server. If the firewall is enabled, disable
the firewall, or bring up the UDP ports 9020, 9021, and 6343.
4. Determine whether there are a large number of files in the directories
$IMC_INSTALL/data/recieverData and $IMC_INSTALL/data/processorData/data.
5. If there are a large number of files in the directories, perform the following tasks:
a. Stop the IMC process.
b. Delete the files in the directories.
c. Clear the unba_slave.tbl_storing_task table in the database.
d. Restart the IMC process.
6. View the database disk usage:
a. Click the Service tab.
b. From the left navigation tree, select Traffic Analysis and Audit > Database Space.
7. If the disk usage has exceeded the usage threshold of the database disk, expand the disk
capacity or delete useless data.

No NetStream data on NTA

To resolve the problem:
1. Determine whether the interface index for the device is the same as the interface index in a
NetStream packet.
2. If they are different, follow these steps to configure the interface index:
a. Click the Service tab.
b. From the left navigation tree, select Traffic Analysis and Audit > Settings.
The Settings page opens.
c. In the Guide to Quick Traffic Analysis And Audit Management area, click Traffic
Analysis Task Management.
The Task Management page opens.
d. On the Traffic Analysis Task List, click Add.
The Select Task Type page opens.
e. Select Interface and click Next.
The Add Traffic Analysis Task page opens.
f. Configure the basic task information, and click Select in the Interface Information area.
g. On the Add Interface page, click the Configure Manually tab.
h. On the page that opens, configure the interface index.
i. Click OK.

11
No audit results on UBA
To resolve the problem:
1. Check the intranet information on the Server Configuration page.
If the IP address of the host that UBA monitors does not belong to the intranet network, the IP
address will not be monitored. Follow these steps to add the monitored IP address:
a. In the Intranet Monitor Information area, type the IP address of the monitored host in the
Intranet Information field.
b. Click Add, as shown in Figure 4.
The IP address is displayed in the Intranet Information area.
2. Log in to the database, and determine whether the unba_slave_tbl_nets_YYMMDDHH table
exists.
 If the table exists, the NTA/UBA server can receive NetStream data. Make sure the time
setting and time zone of the device are consistent with the setting of the NTA/UBA server.
 If the table does not exist, the NTA/UBA server cannot receive NetStream data. For more
information about resolving the problem, see "No NetStream data received on the NTA/UBA
server."

12