NETSCOUT – Sightline/TMS
Chapters
2. Automate Mitigations
3. TMS Groups
NETSCOUT University
CONFIDENTIAL & PROPRIETARY
Sightline/TMS
Unit Summary
• Create Managed Object
[Figure: Onboarding Process. Stages and their notes:
– Configure Managed Object: Name & Tags; Host Detection; Profiled Detection
– Start / verify: Check DOS Alerting after 24h; Check Traffic Reports
– Learning Mitigation: Start multiple instances if different type of servers behind MO
– Configure Filter Lists: Customer-specific Deny & Allow List
– Configure Mitigation Template: Use Learned Dataset; Consider specific customer information
– Run Inactive Mitigation & verify: Assign new Template to MO]
[Screenshot callouts: Description; System-associated Tag; Custom Tag]
Configuration (Cont.)
Sightline performs a longest-prefix match of the source and destination IP addresses from the flow against the prefixes in BGP.
‘Classical’ Flow Information (11 fields):
Src IP, Dst IP, Src Port, Dst Port, Proto, Input Intf, Output Intf, ToS, Flags, Bytes, pkts
‘Super’ Flow Information (19 fields):
Source (IP, Prefix, NextHop, ASPath, Com), Destination (IP, Prefix, NextHop, ASPath, Com), Src Port, Dst Port, Proto, In Intf, Out Intf, ToS, Flags, Bytes, pkts
All other attributes are matched based on the prefix to source/destination IP match. For instance, a particular flow
will match a particular prefix and therefore that same flow will match that prefix’s ASPath, next-hops, and
communities as well.
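The enrichment described above, as an added Python example (not NETSCOUT code): an 11-field flow record is turned into the 19-field form by a longest-prefix match of each address against a BGP table. The route table, the flow record and all function and field names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    as_path: tuple
    communities: tuple


def route(prefix, next_hop, as_path, communities):
    return Route(ipaddress.ip_network(prefix), next_hop, as_path, communities)


# Constructed BGP table (documentation prefixes and AS numbers).
RIB = [
    route("198.51.100.0/24", "192.0.2.1", (64500,), ("64500:100",)),
    route("198.51.100.128/25", "192.0.2.2", (64500, 64501), ("64500:200",)),
    route("203.0.113.0/24", "192.0.2.3", (64502,), ("64502:10",)),
]


def longest_match(ip, rib):
    """Return the most specific route covering ip, or None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in rib if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def to_super_flow(flow, rib):
    """Add prefix, next hop, AS path and communities for both flow endpoints.

    Every BGP attribute is taken from the one prefix the address matched,
    so the flow inherits that prefix's AS path, next hop and communities.
    """
    out = dict(flow)
    for side in ("src", "dst"):
        r = longest_match(flow[side + "_ip"], rib)
        out[side + "_prefix"] = str(r.prefix) if r else None
        out[side + "_nexthop"] = r.next_hop if r else None
        out[side + "_aspath"] = r.as_path if r else None
        out[side + "_com"] = r.communities if r else None
    return out


# Constructed 11-field 'classical' flow record.
FLOW = {
    "src_ip": "203.0.113.7", "dst_ip": "198.51.100.200",
    "src_port": 53124, "dst_port": 443, "proto": 6,
    "input_intf": 12, "output_intf": 3, "tos": 0, "flags": 0x12,
    "bytes": 1500, "pkts": 1,
}

if __name__ == "__main__":
    for key, value in to_super_flow(FLOW, RIB).items():
        print(f"{key:12} {value}")
```

The destination 198.51.100.200 is covered by both the /24 and the /25; the flow takes the /25's attributes, so an AS path or community match type follows the more specific route.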
CIDR Blocks - One or more CIDR block prefixes of the form A.B.C.D/N. Use spaces to separate multiple
prefixes. All CIDRs listed will be treated in aggregate for traffic reporting and DoS alert detection.
CIDR Groups - One or more CIDR block prefixes (of the form A.B.C.D/N) followed by the name you
would like to assign to this group and a semicolon. Use spaces (no commas) to separate multiple
prefixes. Each line should contain one or more prefixes and one group name. (This match type is not
available to scoped view users.) Each CIDR listed will be treated individually for DoS alert detection but
all CIDRs will be treated in aggregate for traffic reporting.
Advanced Boolean Matching - A matching expression including the other match types and the
operators: and, or, not. Note that advanced boolean matches cannot include SubASNs, and CIDR block
entries cannot be parented by a clause that contains either the AND or NOT operator. For more
information on the FCAP language used for advanced boolean matches, see the "The FCAP Language"
appendix in the User Guide.
ASPath Regular Expression - A Cisco-style, string-based AS regular expression.
Communities – A regular expression including one or more BGP communities in the form of X:Y, where
X represents the AS number and Y represents a number of local significance to AS X. Use commas (no
spaces) to separate multiple communities. The range of each X and Y must be within 0-65535.
FCAP
• Used to monitor specific applications, attack vectors or market verticals
– VoIP, DNS, SMTP, web, P2P, etc.
– 40-byte packet traffic, etc.
• Match flows on any specified combination of characteristics in the flow
Interfaces
• Boundary defined for MO
Interfaces – Arbor Sightline bases this match on the defined interface boundary of the managed object.
Peer ASNs – One or more AS numbers of a peering network. These must be within the range of 1-65535
and must be unique across all customers.
Local ASN/SubAS - The AS number of a sub or local AS on your network. These must be within the
range of 1-65535 and must be unique across all customers.
Application ID - The ID number of an application. Arbor Sightline maps application ID numbers to
names, descriptions, and ports, in sync with the mapping on the TMS devices.
TMS Ports – The TMS port (in, out, auto). Arbor Sightline maps the selected port to the managed object,
so traffic is into or out of the managed object. TMS ports represent a network boundary around a
managed object.
TMS VLANS - The VLANs associated with a TMS device. TMS VLANs require inline or span port TMS
deployment, not off-ramp TMS deployment.
Flow Filter - A fingerprint expression used to define which flows to match on.
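A pre-check for two of the match types above, as an added Python example (not part of Sightline): it parses CIDR Groups input in the line format described (space-separated prefixes, then a group name, then a semicolon) and checks Peer/Local ASN values for the 1-65535 range and for reuse across customers. Function names and sample data are constructed; rejecting prefixes with host bits set is this example's own strictness, not a documented Sightline rule.

```python
import ipaddress
from collections import defaultdict


def parse_cidr_groups(text):
    """Return ({group_name: [IPv4Network, ...]}, [(line_no, problem), ...])."""
    groups, problems = {}, []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if not line.endswith(";"):
            problems.append((line_no, "line must end with ';'"))
            continue
        if "," in line:
            problems.append((line_no, "separate prefixes with spaces, not commas"))
            continue
        tokens = line[:-1].split()
        if len(tokens) < 2:
            problems.append((line_no, "need at least one prefix and one group name"))
            continue
        *prefix_tokens, name = tokens
        nets = []
        for tok in prefix_tokens:
            try:
                if "/" not in tok:
                    raise ValueError("expected the form A.B.C.D/N")
                nets.append(ipaddress.IPv4Network(tok))  # raises if host bits are set
            except ValueError as exc:
                problems.append((line_no, f"{tok}: {exc}"))
        if len(nets) != len(prefix_tokens):
            continue  # at least one prefix on this line was rejected
        if name in groups:
            problems.append((line_no, f"group name {name!r} already used"))
        else:
            groups[name] = nets
    return groups, problems


def check_asns(asns_by_customer):
    """Report ASNs outside 1-65535 and ASNs configured for more than one customer."""
    owners = defaultdict(set)
    problems = []
    for customer, asns in asns_by_customer.items():
        for asn in asns:
            if not 1 <= asn <= 65535:
                problems.append(f"{customer}: AS{asn} outside 1-65535")
            owners[asn].add(customer)
    for asn, who in sorted(owners.items()):
        if len(who) > 1:
            problems.append(f"AS{asn} used by {', '.join(sorted(who))}")
    return problems


# Constructed input: one valid line, then a comma, host bits set, a missing ';'.
SAMPLE_GROUPS = """\
198.51.100.0/25 198.51.100.128/25 web;
203.0.113.0/24, 192.0.2.0/24 dns;
192.0.2.1/24 mail;
192.0.2.0/24 vpn
"""

if __name__ == "__main__":
    print(parse_cidr_groups(SAMPLE_GROUPS))
    print(check_asns({"cust-a": [64500, 64501], "cust-b": [64501, 70000]}))
```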
Requirements:
➢ Sentinel License
➢ ISNG/vStream Probe
• Any source going to mapped IP: * → a.b.x.d (ott.at)
• Match only if source resolved the mapped IP: w.x.y.z → a.b.x.d (ott.at)
DNS: 1 - 10 domains RegEx whose traffic is considered if a corresponding mapping is available in Sightline (*.ott.at = a.b.x.d TTL=xx)
You need to permit the communication with the ISNG, therefore on the leader configure:
[Figure: dynamic DNS matching, phase I. A client (w.x.y.z) receives a DNS response of type A with a.b.c.d. The ISNG, monitoring DNS requests and replies, reports the binding to the Sightline leader over UDP/6900: DNSName: news.ott.at, QueryIP: w.x.y.z, ServiceIP: a.b.c.d, TTL: nn.
MO1 • Match *.ott.at • Service IP Address only • Dyn match: * → a.b.c.d (nn)
MO2 • Match *.abc.org • Service IP Address only]
COPYRIGHT © 2022 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 16
There are two managed objects configured with dynamic DNS matching. Sightline requires DNS updates
from NETSCOUT vStream to learn which IP addresses currently resolve to the configured domains.
The vStream probe sees the DNS resolution of a client asking for “news.ott.at”. As soon as the probe sees
the reply from the DNS server, it updates Sightline with the DNS binding information that news.ott.at is
equal to IP address a.b.c.d for the length of the TTL value.
Every NetFlow record that includes the IP address a.b.c.d will now be considered equal to the *.ott.at domain
and will be matched and binned to the configured managed object.
[Figure: dynamic DNS matching, phase II. A client (e.f.g.h) resolves bla.abc.org. The ISNG, monitoring DNS requests and replies, reports the binding to the Sightline leader over UDP/6900: DNSName: bla.abc.org, QueryIP: e.f.g.h, ServiceIP: a.b.c.d, TTL: nn.
MO2 • Match *.abc.org
• Service IP Address only: Dyn match: * → a.b.c.d (nn)
• Service IP Address and Client IP: Dyn match: e.f.g.h → a.b.c.d (nn)]
If multiple domains resolve to the same IP but you need to individually monitor those, then you must use “Service IP and Client IP” matching.
Phase II.
Sightline has already learned that the IP address a.b.c.d is equal to the domain *.ott.at.
Now another client in the network tries to resolve an IP address for a resource called “bla.abc.org”. As
soon as the vStream sees the reply, it updates Sightline with the information. In this case the resolved
IP address is again a.b.c.d, which means that multiple different domains/services are hosted on that IP
address.
A Managed Object configured to match on Service IP only cannot tell whether traffic
towards a.b.c.d is due to accessing *.ott.at or *.abc.org. Such objects match in both cases and are vulnerable
to overreporting.
Managed Objects configured to match on Service IP and Client IP can tell whether traffic is
targeting *.ott.at or *.abc.org, because each has a list of clients that explicitly asked for a DNS resolution, for *.abc.org
in the case of Managed Object 2. While this overcomes potential overreporting, it also requires that the DNS
requests and DNS replies of all clients are seen by the vStream and that all this information is sent to
Sightline, which requires proper sizing, especially of the NETSCOUT vStream probes in the network.
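The two matching modes from phases I and II, as an added Python model (not NETSCOUT code) that bins the same flows both ways so the overreporting and the dependence on seen DNS lookups show up in the byte counts. Class and field names, addresses and byte counts are constructed; the model matches only flows directed at the service IP and treats the configured domain as a shell-style wildcard.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Binding:
    dns_name: str
    query_ip: str      # client that asked
    service_ip: str    # address in the DNS answer
    expires: float     # time of update + TTL


class BindingTable:
    """DNS bindings as reported by the probe; each is valid for its TTL."""

    def __init__(self):
        self._bindings = []

    def update(self, dns_name, query_ip, service_ip, ttl, now):
        self._bindings.append(Binding(dns_name, query_ip, service_ip, now + ttl))

    def live(self, now):
        return [b for b in self._bindings if b.expires > now]


@dataclass
class ManagedObject:
    name: str
    domain: str            # e.g. "*.ott.at"
    client_aware: bool     # False: Service IP only; True: Service IP and Client IP

    def matches(self, flow, table, now):
        for b in table.live(now):
            if not fnmatch(b.dns_name, self.domain):
                continue
            if b.service_ip != flow["dst_ip"]:
                continue
            if self.client_aware and b.query_ip != flow["src_ip"]:
                continue
            return True
        return False


def bin_bytes(managed_objects, flows, table, now):
    """Sum flow bytes per managed object; a flow may count for several objects."""
    totals = {mo.name: 0 for mo in managed_objects}
    for flow in flows:
        for mo in managed_objects:
            if mo.matches(flow, table, now):
                totals[mo.name] += flow["bytes"]
    return totals


# Constructed scenario: two domains resolve to the same service IP.
CLIENT_A, CLIENT_B, CLIENT_C = "192.0.2.10", "192.0.2.20", "192.0.2.30"
SERVICE_IP = "203.0.113.10"

TABLE = BindingTable()
TABLE.update("news.ott.at", CLIENT_A, SERVICE_IP, ttl=300, now=0)
TABLE.update("bla.abc.org", CLIENT_B, SERVICE_IP, ttl=300, now=10)

FLOWS = [
    {"src_ip": CLIENT_A, "dst_ip": SERVICE_IP, "bytes": 1000},
    {"src_ip": CLIENT_B, "dst_ip": SERVICE_IP, "bytes": 500},
    {"src_ip": CLIENT_C, "dst_ip": SERVICE_IP, "bytes": 200},  # lookup not seen by the probe
]
SERVICE_ONLY = [ManagedObject("MO1", "*.ott.at", False),
                ManagedObject("MO2", "*.abc.org", False)]
CLIENT_AWARE = [ManagedObject("MO1", "*.ott.at", True),
                ManagedObject("MO2", "*.abc.org", True)]

if __name__ == "__main__":
    print("service IP only:      ", bin_bytes(SERVICE_ONLY, FLOWS, TABLE, now=20))
    print("service and client IP:", bin_bytes(CLIENT_AWARE, FLOWS, TABLE, now=20))
    print("after TTL expiry:     ", bin_bytes(CLIENT_AWARE, FLOWS, TABLE, now=400))
```

With Service IP only, both objects are credited with all 1700 bytes; with Service IP and Client IP each gets only its own clients' traffic, and the 200 bytes from the client whose lookup was never seen are binned nowhere.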
Boundary
• Local Boundary – Set of explicit selected interfaces where the customer is connected.
[Screenshot callouts: Manually selected; Interface Classification Rule]
Boundaries are not used for Host Detection or Profiled Router Detection.
Threshold Alerting
Mbps
to configure
• Can be assigned to an
automatic UDP filter
− Used by UDP Reflection/Amplification Protection countermeasure
− Used by Flow Spec Auto-Mitigations
Learning Mitigation
Learning Mitigation
Overview
Learning Mitigation
Configuration
[Screenshot callouts: New Learning Mitigation; Copy Learning Mitigation results from a similar Managed Object]
It is highly recommended to give each Learning Mitigation a clear and meaningful name. The name should
include the name of the Managed Object that was learned and which services were targeted, such as "all" for the
complete Managed Object, or keywords like DNS, WEB, MAIL, VPN, PROXY, … The name should also
include the date when the learning was conducted, so that when this process is repeated over time
you can identify which is the most recent set of information and therefore the more reliable one in the mitigation
cycle.
Example:
Managed-Object-Name_Server-Type_Date => Bank-of-xxx_DNS_20200503
Learning Mitigation
Configuration (Cont.)
Mitigation Listing
Sightline counts all running learning mitigations toward your licensed mitigation limit. If you are approaching your
limit, while running one or more learning mitigations, and then try to start a regular mitigation, Sightline stops the
learning mitigation to allow the regular mitigation to start.
Learning mitigations can only be stopped in the CLI. To stop all running learning mitigations
together, use the command:
/ services sp mitigation tms learning end_all
Learning Mitigation
Results
AIF List (≥9.3.x, NEW) – ASERT provided list of IP addresses from known attack reflectors
[Screenshot callouts: Amount of included IPs or CIDRs; Manually enter filter list, or upload local file contents as filter list]
Filter Types
IPv4 Deny/Allow – An FCAP filter based on ports, protocols, IPv4 addresses, etc.
IPv6 Deny/Allow – An IPv6 FCAP filter based on ports, protocols, IPv6 addresses, etc.
DNS – A list of DNS regular expressions.
IP Location – A list of countries, as defined by their IP addresses.
IPv4 Address – A list of IPv4 addresses and CIDR blocks.
IPv6 Address – A list of IPv6 addresses and CIDR blocks.
URL – A list of URL regular expressions.
Sightline validates IPv4 Deny/Allow, IPv4 Address, IPv6 Address, URL, and DNS filters when you
configure and save them. If Sightline cannot validate a filter, the Filter List Validation Errors window
appears.
This table includes the Filter List mitigation limits for each series of appliances. In addition, there is a limit of
85.000 bytes (of FCAP expressions) for the combined size of Deny/Allow filter list and Deny List Fingerprints.
Use provided Filter List in Mitigations
Mitigation templates are preset groups of countermeasures and countermeasure settings that can be used to pre-
populate the settings of a TMS mitigation.
Mitigation templates are intended to be used as a tool to quickly set the countermeasure settings of a TMS
mitigation, allowing a mitigation to be started with minimal time and effort. With mitigation templates configured,
Arbor Sightline can even be configured to perform an automatic mitigation response.
A TMS mitigation template named “Default” always exists in the system configuration. Its settings are used as
default mitigation settings by any mitigation that is not set to use a different template. Networks that have one
generic template for initial attack response often choose to make it the Default template.
There are many strategies for building mitigation templates which will vary depending on customer needs. Some
ideas for mitigation templates are as follows:
Generic Template – A generic template enables some or all of the most common countermeasures. The purpose
of a generic template is to allow operators to quickly configure mitigations to block likely attacks as soon as
possible, before knowing anything about the attack, thereby reducing the impact of an attack as soon as possible
and easing pressure on operations staff until they can more carefully analyze the attack.
When more is known about an attack, the mitigation can be modified or replaced to adjust the countermeasures and
other settings. Most TMS implementations include at least one generic template to be used as a typical first
response.
Resource-based templates – Resource-based templates are mitigation templates that are set according to the
characteristics of a particular resource to be protected. For example, a web server would likely have HTTP
Authentication and Zombie filtering, but would not have a need for DNS or SIP countermeasures. A resource-
based template typically uses the Deny/Allow List to block all traffic that is not accepted by the resource, and also
enables countermeasures that are relevant for. Resource-based templates are typically used in conjunction with
auto-mitigations.
The mitigation template is associated with an Arbor Sightline managed object so that a mitigation using those
template settings is automatically activated whenever Sightline detects high-impact anomalous traffic toward the
resources defined by that managed object.
An example resource-based template for a DNS server group might use the Deny/Allow List to permit SSH and
SNMP traffic to and from operations center networks and to block all other traffic except for TCP port 53 and UDP
port 53, and to enable DNS Authentication and other DNS-related countermeasures.
Attack-based templates – Attack-based templates are mitigation templates that are set according to the
characteristics of a particular type of attack. The purpose of attack-based templates is to allow security-
knowledgeable administrators to create a collection of pre-defined defenses for various attack types. Operators are
then able to choose mitigation settings from the template collection based on the suspected attack. Settings
guesswork by operators is thus minimized and response time is decreased.
Some attack-based templates may be quite simple, yet still be useful. An example template for TCP SYN attacks
might enable only the TCP SYN Authentication and Zombie Detection countermeasures, and perhaps add a
Deny/Allow List rule to drop packets that have SYN set along with any of FIN, URG, or PSH.
Copy based on
existing template
By default, the mitigation template that is applied to all Managed Objects is the system-defined ‘Default
IPv4/IPv6’ template, which contains countermeasure settings for the most common types of DDoS attacks. This
might not be the most appropriate template for the asset under protection, so it can make sense to create
additional templates based on your needs.
Mitigation Templates can be managed by navigating to the Administration > Mitigation > Templates hierarchy
within the WebUI. All existing Mitigation Templates will be listed here and they can be edited or deleted. New
Mitigation Templates can be created by selecting the "Add Template" button.
When configuring a Mitigation Template, you will notice that the configuration looks identical to the configuration
of an actual mitigation. This is because the template settings will ultimately be populated into a live mitigation and
determine which countermeasures are activated within that mitigation.
Select Enable CDN Proxy Support to prevent the blocking of a content delivery network (CDN) proxy. This
setting is a global setting that applies to all countermeasures in a mitigation that can block a source IP address
(more on this later).
Protect
route(s) including the protection prefixes
• Allow the diversion route to be propagated on the Internet
• Specify TMS Group that should be used when mitigating the attack
TMS Appliances
Threshold = highest value + safety margin
Building Mitigation
Template assignment
Assign a mitigation template to a Managed Object to be used in case of a User-Initiated and/or Auto-Mitigation
Building Mitigation
BGP Diversion
Mitigation
information in your
network by adding BGP
communities.
Protect
(simulation, no real drop)
Mitigation
Run inactive mitigation and review the number of false positive drops
Balancing
Traffic Removal
• During the attack, passing legitimate traffic is a must. But some necessary countermeasures could drop some legitimate traffic.
• Inactive Mitigation allows you to check and tune the amount of legitimate traffic dropped.
Knowledge Check
Onboarding New Customers
Q1: What Managed Object types exist in Sightline?
a) City
b) Customer
c) Country
d) Profile
Q2: Which Detection Mechanism uses misuse types?
a) Profiled Router
b) Traffic Thresholds
c) Profiled Network
d) Host Detection
Q3: Learning Mitigation can be launched in parallel to a mitigation that is protecting the same IP Address
a) True
b) False
Q4: Where are Filter Lists configured?
a) Within the Mitigation template
b) Within the Managed Object settings
c) Globally
Automate Mitigations
Sightline/TMS
Unit Summary
• Requirements for an auto-mitigation
Auto-Mitigation
Alert-Triggered Auto-Mitigation
[Figure: Mitigation Hierarchy, with labels WEB Presence 1, WEB Presence 2, WEB Servers and Data Center]
Auto-Mitigation
Configuration
Enable Auto-Mitigation
as a configuration option
Auto-Mitigation
Configuration (Cont.)
Prefixes that you want Sightline to exclude from all auto-mitigations, enter:
Auto-Mitigation
Configuration (Cont.)
Mitigation
Auto-Mitigation
Configuration (Cont.)
Mitigation
Ending Auto-Mitigations
Auto-Mitigation
Configuration (Cont.)
Do not use complete MO IP space, instead identify top attacked prefix
Auto-Mitigation
Configuration (Cont.)
Select Nexthop to be
used on advertisement
Mitigation
Auto-Mitigation
Configuration (Cont.)
Do not use complete MO IP space, instead identify top attacked prefix
Auto-Mitigation
Configuration (Cont.)
Configure
Communities and
Mitigation
Auto-Mitigation
Configuration (Cont.)
Select one or
more Providers
Auto-Mitigation
Multi-Layer Defense
9 Gbps
3 Gbps – TCP SYN Flood
TMS
(10Gbps)
Auto-Mitigation
Multi-Layer Defense
8 Gbps – NTP Amplification Attack
Auto-Mitigation
Multi-Layer Defense
TMS
(10Gbps)
Auto-Mitigation
Multi-Layer Defense
TMS
(10Gbps)
Sightline Signal
Sightline
Knowledge Check
Automate Mitigations
Q1: Which Alert Direction is required for DOS Alerts to be automatically mitigated?
a) Outgoing
b) Incoming
Q2: An IP prefix can be part of several running mitigation simultaneously.
a) True
b) False
Q3: You can change the countermeasure settings on a running auto-mitigation, and it will still automatically stop when the triggering DOS alert ended.
a) True
b) False
TMS Groups
Sightline/TMS
Unit Summary
• Locations and traffic distribution
• Group Configuration
• Group Orchestration
[Figure: TMS appliances in West and East locations]
BGP Route Diversion of a.b.c.d: “a.b.c.d/255.255.255.255, NH:TMS”
versus
BGP FlowSpec Diversion of a.b.c.d: “Destination Prefix:a.b.c.d/32, redirect to TMS” (FlowSpec enabled interface)
[Figure labels: B, TRA, TMS]
ECMP Load Balancing
Layer 3 Traffic Balancing
Could be a Router, Switch or Load Balancer
[Figure labels: DC1, DC2; Platinum, Gold, Best Effort]
Diversion
• Flowspec redirect
Select complete TMS appliances or individual interfaces as TMS Group Members
Deployment
behaviour if a member fails
Defaults
Mitigation Preconditions
conditions before a TMS Group accepts any new Mitigation
If the DNS Authentication countermeasure in Active UDP mode is used, the TMS should
know for which DNS Authoritative Servers (6) it should use which IP (7) for ‘redirecting’
during the authentication process.
Mitigation Orchestration
Mitigation Orchestration
Overview
The volume of attacks can change over time, and therefore any current
combination of mitigations carried out simultaneously can lead to a
TMS appliance being overloaded relative to its maximum capacity.
[Figure: traffic volume (bps) over time (t) for Mitigations A, B and C stacked against the maximum throughput of the TMS Group; with +B and +C added the group becomes oversubscribed]
Mitigation Orchestration
Configuration
Mitigation Orchestration
Configuration (Cont.)
• On the TMS Group, configure the bandwidth threshold that must be exceeded
before a mitigation can be moved
• Specify the TMS Group to which the mitigation should be moved (if there are
enough resources available)
Mitigation Orchestration
Monitoring
• Successful:
• Failed:
Knowledge Check
TMS Groups
Q1: By default, the failure of an individual TMS would not bring down the complete TMS Group.
a) True
b) False
Q2: Which statement about TMS Groups is true?
a) TMS Groups are created for a one-click hitless software upgrade procedure
b) TMS Groups combine alerts of individual TMS Appliances
c) TMS Groups control where a TMS mitigation will be performed
Q3: Mitigation Orchestration is only used in case of a TMS Group failure.
a) True
b) False
This course material is based on Arbor Sightline Release 9.5.0.0
Revised: 21st of March 2022
Corporate Headquarters
310 Little Road
Westford, MA 01886, USA
Toll Free +1 888 357 7667
T +1 978 614 4000
F +1 978 614 4004
www.netscout.com
Information presented in this document is subject to change without notice.
The contents of this publication may not be reproduced (in any part or as a
whole) without the permission of the publisher. Sightline is a trademark of
NETSCOUT Inc. All other trademarks are the property of their respective
owners.
Copyright © 2022 NETSCOUT, Inc. All rights reserved.