- Related Topics
- Profiler Task Summary
Configuring Profiler Options (NSM Procedure)
You configure Profiler options to enable Profiler features, set network addresses and applications subject to profiling, and set alerts.
The following topics describe how to configure Profiler options:
Configuring General Settings
You use the Profiler Settings > General tab to enable Profiler features.
Figure 1 shows the General tab.
Figure 1: Profiler Settings: Enable AVT
To configure Profiler general settings:
- From NSM Device Manager, double-click a device and then click Profiler Settings.
- Click the General tab.
- Configure options.
- Click Apply.
 | Note: If you change Profiler settings, you must push a configuration update to the device before the new settings take effect. From the Device Manager, right-click the device, select Update Device, select the Restart IDP Profiler After Device Update check box, and click OK. |
Table 1 describes settings on the Profiler Settings > General tab.
Table 1: Profiler Settings: General Tab
Option | Function |
|---|---|
Enable Profiling | Enables the Profiler. |
Enable Application Profiling | Enables the Profiler to collect and track application data. This setting is enabled automatically when you start the Profiler and becomes automatically disabled when you stop the Profiler. |
Enable Application Volume Tracking | Enables Profiler to perform application volume tracking. |
Include Probe and Attempt | Enables the Profiler to collect and track specific probes and attempts. |
Include Non-tracked IP Profiles | Enables context-based profiling for hosts not in the tracked hosts list. If you enable this option, data for non-tracked hosts appears in the Protocol Profiler tab of the Profiler log viewer. |
db limit (in MB) | Sets the maximum Profiler database size. By default, the maximum database size is 3 GB. |
Enable OS Fingerprinting | Enables the Profiler to perform OS fingerprinting. OS fingerprinting detects the operating system of a host by analyzing TCP handshake packets. The OS fingerprinting process depends on an established TCP connection (one that has a SYN, a SYN/ACK, and a FIN connection). The OS fingerprinting process is capable of detecting the operating
systems listed in Note: The OS fingerprinting feature is unable to capture fingerprint information for destination servers. |
Refresh Interval (in secs) | Sets the time interval (in seconds) that the Profiler refreshes OS fingerprinting. By default, the Profiler refreshes OS fingerprinting data every 3600 seconds (60 minutes). |
Configuring Tracked Hosts
You configure Profiler tracked hosts and excluded host settings to specify the network segments where Profiler gathers data.
| Note: Profiler tracks all traffic through the IDP appliance, including traffic for hosts not in your tracked hosts list. It records a value of 73.78.69.84 for the IP address for hosts not defined in the Tracked Hosts tab, such as external hosts you would not know and therefore could not configure. |
Figure 2 shows the Tracked Hosts tab.
Figure 2: NSM Profiler Tracked Hosts Tab
To configure the tracked hosts and excluded host settings:
- From NSM Device Manager, double-click a device and then click Profiler Settings.
- Click the Tracked Hosts tab.
Click the + icon and select one of the following options to display a dialog box to build a tracked host list:
- Add Host
- Add Network
- Add Group
- Configure tracked host settings as described in Table 2.
- Click the Exclude tab.
Click the + icon and select one of the following options to display a dialog box to build an exclude host list:
- Add Host
- Add Network
- Add Group
- Configure exclude host settings as described in Table 2.
- Click Apply.
| Note: If you change Profiler settings, you must push a configuration update to the device before the new settings take effect. From the Device Manager, right-click the device, select Update Device, select the Restart IDP Profiler After Device Update check box, and click OK. |
Table 2: Profiler Settings: Tracked Hosts or Exclude List
Option | Function |
|---|---|
| New Host | |
Name | Specifies the hostname. |
Color | Specifies a color to help you monitor the host. |
Comment | Describes the host. |
IP/IP Address | Defines the host using an IP address. |
Domain Name/Domain Name | Defines the host using a domain name. |
Resolve | Uses DNS to resolve hostnames/IP addresses. |
| New Network | |
Name | Specifies an object name. |
IP Address | Specifies an IP address, used with the netmask, that defines the network. |
Netmask | Specifies a 32–bit netmask, used with the IP address, that defines the network. |
Use Wildcard Mask | Enables use of a wildcard mask. |
Wildcard Mask | Specifies the wildcard mask. A wildcard mask is like a subnet mask, with ones and zeros inverted; for example, a wildcard mask of 0.0.0.255 corresponds to a subnet mask of 255.255.255.0. |
Color | Specifies a color to help you monitor the network. |
Comment | Describes the network. |
| New Address Group | |
Name | Specifies an object name. |
Color | Specifies a color to help you monitor the address group. |
Comment | Describes the group. |
Member List | Adds hosts that belong to the group. |
Configuring Context Targets
You configure Profiler context settings to determine whether Profiler logs include not only host and application data but also data pulled from application contexts. For example, if you specify context targets for FTP usernames, the Profiler logs will include the username specified for the FTP connection in addition to the hostname and service (FTP).
Figure 3 shows the Contexts to Profile tab.
Figure 3: NSM Profiler Context to Profile Tab
To specify Profiler context targets:
- From NSM Device Manager, double-click a device and then click Profiler Settings.
- Click the Contexts to Profile tab.
- Browse and select from the predefined list of contexts.
- Click Apply.
| Note: If you change Profiler settings, you must push a configuration update to the device before the new settings take effect. From the Device Manager, right-click the device, select Update Device, select the Restart IDP Profiler After Device Update check box, and click OK. |
Configuring Alert Options
You configure Profiler alert options to determine whether you receive alerts when Profiler detects new hosts, protocols, or ports in use.
If you are configuring the Profiler for the first time, do not enable the new host, protocol, or port alerts. As the Profiler runs, the device views all network components as new, which can generate unnecessary log records. After the Profiler has learned about your network and has established a baseline of network activity, you should reconfigure the device to record new hosts, protocols, or ports discovered on your internal network.
Figure 4 shows the Alert tab.
Figure 4: Profiler Alert Tab
To specify Profiler alert options:
- From NSM Device Manager, double-click a device and then click Profiler Settings.
- Click the Alert tab.
- Configure alert settings as described in Table 3.
- Click Apply.
| Note: If you change Profiler settings, you must push a configuration update to the device before the new settings take effect. From the Device Manager, right-click the device, select Update Device, select the Restart IDP Profiler After Device Update check box, and click OK. |
Table 3: Profiler Alert Tab
Option | Function |
|---|---|
New Host Detected | Sends an alert when Profiler detects a new host. |
New Protocol Detected | Sends an alert when Profiler detects a new protocol. |
New Port Detected | Sends an alert when Profiler detects a new port. |
Database Limit Exceeded | Sends an alert to indicate the maximum database size has been reached. After a device reaches this limit, it begins purging the database. |
