04-DPI Configuration Guide

14-Data analysis center configuration

Configuring the data analysis center

About the data analysis center

The data analysis center collects and analyzes log data for services and provides the analysis results in various forms of reports through the Web interface. It supports log data storage, traffic monitoring, and report analysis. This feature allows you to learn about the service traffic statistics and the network security status, helping you make decisions when customizing service policies.

Log data storage and analysis

The data analysis center collects log data from various service modules for central analysis and reporting. You can store the log data on a hard disk, a USB drive, an SD card, or in memory; these media are used in that order of priority. If the medium with the higher priority is not available or its space is full, the data is stored on the medium with the next lower priority. For example, when hard disks, USB drives, and memory are all available on the device, the log data is stored on a hard disk first.

Traffic monitoring

The data analysis center generates real-time traffic trend and statistics reports from various perspectives, such as user, application, and IP address. These reports help you monitor the network traffic, locate network vulnerabilities, and secure the network against potential attacks.

Reporting

The data analysis center can generate multiple types of reports that help you understand information such as service statistics, device running status, and network security status.

Restrictions and guidelines: Data analysis center configuration

You can configure the data analysis center at the CLI. The reports generated by the data analysis center are available only in the Web interface.

Data analysis center tasks at a glance

To configure the data analysis center, perform the following tasks:

·     Enabling log collection

·     Enabling real-time log display

·     Enabling real-time traffic statistics collection

·     Enabling log aggregation for services

·     Configuring the email server

·     Configuring report subscription

·     Configuring data storage limits for a service

Enabling log collection

About this task

The log collection feature enables the data analysis center to collect the log messages of specific services, extract the data for summarization and analysis, and generate the corresponding reports. You can see the relevant data analysis information in the dashboard and monitor pages of the Web interface. For more information about reports, see "Configuring report subscription."

Restrictions and guidelines

To collect the log messages for the traffic service, first enable the session statistics collection and then enable the log collection. For more information about the session statistics collection, see session management in Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable the log collection for a service.

dac log-collect service service-type service-name enable

By default, the log collection status for each service varies by service setting when the service module is registered to the DAC.

Configuring the range for asset traffic analysis statistics

About this task

To perform statistical analysis on asset traffic, you must configure an asset address range. The device treats the specified address range as the internal network and addresses outside of this range as the external network, and analyzes internal-to-internal, internal-to-external, and external-to-internal traffic. If no asset address range is configured, the device only analyzes traffic between the Trust-Trust, Trust-Untrust, and Untrust-Trust security zones: it treats the Trust zone as the internal network and the Untrust zone as the external network, and traffic in other security zones is not analyzed.

Procedure

1.     Enter system view.

system-view

2.     Specify the address range of internal IPv4 assets.

asset-manage asset-scope ipv4 subnet ip-address { mask-length | mask }

By default, no address range of internal IPv4 assets is configured and the device assumes no internal IPv4 assets exist.

3.     Specify the address range of internal IPv6 assets.

asset-manage asset-scope ipv6 subnet { ipv6-address prefix-length | ipv6-address/prefix-length }

By default, no address range of internal IPv6 assets is configured and the device assumes no internal IPv6 assets exist.

Enabling real-time log display

About this task

With this feature enabled for a service, the data analysis center will send the service log messages to the Web interface in real time. You can see the real-time logs on the Web interface without refreshing the log lists manually.

Restrictions and guidelines

The real-time log display setting for a service takes effect only after the log collection for the service is enabled by the dac log-collect enable command.

Procedure

1.     Enter system view.

system-view

2.     Enable the real-time log display.

dac log-display service service-type service-name enable

The log collection status for each service varies by service setting when the service module is registered to the DAC.

Enabling real-time traffic statistics collection

About this task

The data analysis center can collect the user and application traffic statistics in real time and send the statistics result to the Web interface.

Restrictions and guidelines

To collect the traffic statistics in real time, you must first enable the session statistics collection. For more information about the session statistics collection, see session management in Security Configuration Guide.

Enabling this feature will have an impact on the CPU performance of the device. Make sure you are fully aware of the impact before you enable this feature in high traffic scenarios.

Procedure

1.     Enter system view.

system-view

2.     Enable real-time traffic statistics collection.

dac traffic-statistic { application | user } enable [ verbose ]

By default, the real-time collection of traffic statistics is disabled.

Enabling log aggregation for services

About this task

This feature allows the device to aggregate collected service logs within the specified interval to reduce the number of log messages, which makes the logs easier for administrators to analyze. You can view the aggregated log data on the monitor page of the device's Web interface.

Restrictions and guidelines

This feature takes effect only after log collection is enabled.

Procedure

1.     Enter system view.

system-view

2.     Enable log aggregation for a service.

dac log-aggregation service service-type service-name enable

By default, log aggregation is disabled for a service.

3.     Specify the log aggregation interval for a service.

dac log-aggregation service service-type service-name interval interval-value

By default, the log aggregation interval for a service is 60 seconds.

Configuring the email server

About this task

The report subscription feature requires an email server to function correctly. The email server will send the subscribed reports to the specified mail box.

Restrictions and guidelines

You can specify an email server by its IP address or host name. If the host name is used, make sure the device can obtain the IP address of the email server through DNS or DDNS and the device has routes to reach the email server. If the requirements are not met, email sending will fail. For more information about DNS and DDNS, see Layer 3—IP Services Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Specify the email server address.

dac email-server server-address address-string

By default, no email server is specified for the data analysis center.

3.     Specify the email sender address.

dac email-server sender address-string

By default, the email sender address is not specified.

4.     (Optional.) Configure email client authentication.

a.     Enable email client authentication.

dac email-server client-authentication enable

By default, email client authentication is disabled.

b.     Specify the username for email client authentication.

dac email-server username username

By default, no username is specified for email client authentication.

c.     Specify the password for email client authentication.

dac email-server password { cipher | simple } string

By default, no password is specified for email client authentication.

d.     Enable secure transmission of client authentication credentials.

dac email-server secure-authentication enable

By default, secure transmission of client authentication credentials is disabled.

Configuring report subscription

About this task

The report subscription allows the device to generate and send periodic reports to the subscriber mail box.

By default, the daily report is sent during the least busy hours (1 a.m. to 5 a.m.) and the monthly report for the previous month is sent on the first day of each month. The report sending time cannot be changed.

The following types of reports are supported:

·     Summary report—Displays summarized service traffic statistics collected over a time range.

·     Comparison report—Provides comparison of service traffic statistics collected over two time ranges that contain the same number of days.

·     Intelligent report—Provides intelligent analysis of users' work efficiency, data leakage, and turnover risks based on their network access behaviors.

·     Integrated report—Illustrates the overall device operational and network security status based on analysis of critical service statistics.

·     Comprehensive security report—Displays the security risk overview, risk details for service hosts and user hosts, and risk assessment results and corresponding security protection recommendations for service hosts and user hosts over a time range.

Each report analyzes a set of statistics, and you can limit the range of statistics a report covers. For example, if you specify the top 20 statistics entries for the summary report, the generated report contains analysis results only for the top 20 statistics entries from each service.

Prerequisites

For the subscribers to receive the reports, you must configure the email server.

Restrictions and guidelines

Before configuring report features, enable log collection for the related services. For more information about log collection, see "Enabling log collection."

·     Before configuring summary report settings, enable log collection for traffic service, threat service, URL filtering service, and file filtering service.

·     Before configuring comparison report settings, enable log collection for traffic service, threat service, URL filtering service, and file filtering service.

·     Before configuring intelligent report settings, enable log collection for traffic service and URL filtering service.

·     Before configuring comprehensive report settings, enable log collection for traffic service, threat service, URL filtering service, and file filtering service.

·     Before configuring comprehensive security report settings, enable log collection for traffic service, threat service, WAF service, URL filtering service, file filtering service, and data filtering service.

Procedure

1.     Enter system view.

system-view

2.     Configure the subscription parameters for a report type.

dac report type { comparison | integrated | comprehensive-security | intelligent | summary } subscriber mail-address [ language { chinese | english } ]

By default, no report subscription parameters are configured.

3.     Specify the range of statistics to be analyzed for a report type.

dac report type { comparison | integrated | comprehensive-security | intelligent | summary } top number

By default, top 5 statistics entries are specified to be analyzed for a report type.

Configuring report export

About report export

Report export periodically or immediately exports statistics reports for specified services. The following types of export methods are available:

·     Automatic export—Exports periodic reports to the report destinations as scheduled. The report contents are defined in the report template.

·     Manual export—Exports reports immediately after you define the statistics contents and time range of the data.

Restrictions and guidelines

Manual report export is supported only on the Web interface of the product.

Report export is available only for LB services. For more information about LB, see load balancing in Load Balancing Configuration Guide.

When the log volume is large, report generation can take a long time; this is expected behavior.

Prerequisites

For the subscribers to receive the reports, you must configure the email server.

Configuring a report export template 

About this task

In a report export template, you can define the following items:

·     Report language.

·     Statistics contents in the report.

Procedure

1.     Enter system view.

system-view

2.     Create a report export template and enter its view.

dac report export template template-name

3.     (Optional.) Specify the language used in exported reports.

language { chinese | english }

By default, Chinese is used.

Configuring an LB link statistics report

1.     Enter system view.

system-view

2.     Enter the view of an existing report export template.

dac report export template template-name

3.     Create the LB link statistics report view and enter the view.

export-service lb-link

4.     Specify an LB link for the LB link statistics report.

statistics link name

By default, no LB link is specified for the LB link statistics report.

5.     Specify the contents for the LB link statistics report.

statistics content { abnormal-flow | app | connection-count | connection-rate | delay | packet-loss | stability }*

By default, no content is specified for the LB link statistics report.

Configuring report export parameters

About this task

You can define the type of the periodic report, report template, and the destination to which the reports are exported.

Procedure

1.     Enter system view.

system-view

2.     Configure report export parameters.

dac report export period { day | hour | month | quarter | week | year } template template-name [ mail-address mail-address ]

By default, no report export parameters are configured.
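The following session, added here as a worked example and not taken from the H3C guide, puts the three report export procedures above together: it creates a template, defines an LB link statistics report inside it, and schedules the export. The template name, the LB link name, and the mailbox are constructed placeholders, and the email server is assumed to be configured already.

```text
system-view
# Template: English report covering one LB link's connection and quality figures.
dac report export template lb-hourly
 language english
 # Enter the LB link statistics report view under this template.
 export-service lb-link
  # <lb-link-name>: placeholder for an LB link that exists on the device.
  statistics link <lb-link-name>
  statistics content connection-count connection-rate delay packet-loss abnormal-flow
  quit
 quit
# Export the template's report every hour to the NOC mailbox (constructed address).
dac report export period hour template lb-hourly mail-address noc@example.com
```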

Configuring data storage limits for a service

About this task

Perform this task to set the storage time limit, storage space usage limit, and the storage limit-violated action for a service.

The data analysis center periodically checks the data of each service to determine whether the storage time limit or the storage space usage limit is exceeded.

·     If a storage limit is exceeded and the action is delete, the system deletes the expired or the oldest service data. A log will be generated to report the event.

·     If a storage limit is exceeded and the action is log-only, the system generates a log message. New data will not be saved.

Restrictions and guidelines

If data is stored in the memory, the system automatically deletes the oldest data when the storage space exceeds the limit.

If data is stored in a hard disk or a USB disk, the system performs operations based on the storage limit-violated action that you specify. If the action is delete, the system automatically deletes the oldest data when the storage space exceeds the limit.

Procedure

1.     Enter system view.

system-view

2.     Set the storage time limit, storage space usage limit, or the storage limit-violated action for a service.

dac storage service service-type service-name limit { hold-time time-value | usage usage-value | action { delete | log-only } }

By default:

·     The service data can be saved for a maximum of 365 days.

·     The data of each service can occupy up to 20% of the total storage space.

·     If the storage time or storage space usage limit is exceeded, the system deletes the expired or the oldest data.
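The following configuration, added here as a worked example and not taken from the H3C guide, strings the data analysis center tasks in this chapter together in the order their dependencies require (log collection before real-time display and aggregation, the email server before report subscription). The service type and name, addresses, mailboxes, username, and password are placeholders or constructed values, and the aggregation interval and retention values assume your device accepts them.

```text
# Prerequisite not shown: session statistics collection must already be enabled
# for the traffic service (see session management in the Security Configuration Guide).
system-view
# 1. Collect logs for a service. <svc-type> <svc-name> are placeholders for the
#    service type and name registered to the DAC; repeat for each service a report needs.
dac log-collect service <svc-type> <svc-name> enable
# 2. Define which addresses count as internal assets; everything else is external.
#    Without this, only Trust/Untrust zone traffic is analyzed.
asset-manage asset-scope ipv4 subnet 10.0.0.0 8
asset-manage asset-scope ipv6 subnet 2001:db8::/32
# 3. Push the service's logs to the Web interface in real time (effective only
#    because log collection was enabled in step 1).
dac log-display service <svc-type> <svc-name> enable
# 4. Aggregate logs every 120 seconds instead of the default 60 (assumed valid range).
dac log-aggregation service <svc-type> <svc-name> enable
dac log-aggregation service <svc-type> <svc-name> interval 120
# 5. Real-time traffic statistics cost CPU; enable only application statistics, non-verbose.
dac traffic-statistic application enable
# 6. Email server with client authentication and protected credential transmission.
#    "simple" takes the plain-text password typed here; use "cipher" only when pasting
#    ciphertext copied from another device's configuration.
dac email-server server-address mail.example.com
dac email-server sender dac-reports@example.com
dac email-server client-authentication enable
dac email-server username dac-reports
dac email-server password simple <mail-password>
dac email-server secure-authentication enable
# 7. Subscribe the SOC mailbox to the summary and comprehensive security reports,
#    analyzing the top 20 entries instead of the default 5.
dac report type summary subscriber soc@example.com language english
dac report type summary top 20
dac report type comprehensive-security subscriber soc@example.com language english
# 8. Retention: keep 180 days, cap at 10% of storage, and delete the oldest data
#    rather than log-only, which would stop saving new (most recent) data.
dac storage service <svc-type> <svc-name> limit hold-time 180
dac storage service <svc-type> <svc-name> limit usage 10
dac storage service <svc-type> <svc-name> limit action delete
# 9. Verify the result.
display dac log-collect all
display dac email-server
display dac report
display dac storage
```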

Display and maintenance commands for data analysis center

Execute the display commands in any view.

Task: Display the email server configuration.

Command: display dac email-server

Task: Display the log collection configuration for a service.

Command: display dac log-collect { all | service service-type service-name }

Task: Display the configuration of the real-time log display.

Command: display dac log-display { all | service service-type service-name }

Task: Display the report subscription information.

Command: display dac report [ comparison | comprehensive-security | integrated | intelligent | summary ]

Task: Display the service storage limit settings.

Command: display dac storage [ service-type service-name ]

Task: Display the configuration of the real-time traffic statistics collection.

Command: display dac traffic-statistic [ application | user ]
