Types of Tagging
Paragon Insights supports static tagging and dynamic tagging.
Static Tagging
In static tagging, the tagging profile is applied to values stored in the time series database (TSDB). These values do not vary a lot with time. In static tagging, you can avoid using When statements, and you can add Then statements to a tagging profile.
Sample Static Tagging Configuration
    healthbot {
        ingest-settings {
            data-enrichment {
                tagging-profile profile {
                    policy policy1 {
                        rules *;
                        term term1 {
                            then {
                                add-key "tenant-id" {
                                    value tenant1;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
In this sample static tagging configuration, the lack of a when statement means that any device that this tagging profile is applied to will have the field tenant-id assigned with the value tenant1. The fields and values defined in this profile are assigned to all rules that are applied to a device or device-group because of the * in the rules parameter.
You can also create a static tagging profile from the Paragon Automation graphical user interface (GUI). Navigate to the Configuration > Sensor > Settings > Tagging Profile page to create a tagging profile.
Application Identification
Table 1 shows an example application identification scenario based on source-port, destination-port, and protocol of traffic seen in a NetFlow stream.
| source-port | destination-port | protocol | derived-application |
|---|---|---|---|
| 2541 | Any | 6 (TCP) | NetChat |
| Any | 2541 | 6 (TCP) | NetChat |
| 1755 | Any | 17 (UDP) | MS-streaming |
| Any | 830 | 6 (TCP) | netconf-ssh |
| 7802 | Any | 17 (UDP) | vns-tp |
To create the derived-application field as given in Table 1 from the received data (data under source-port, destination-port, and protocol), you must use a tagging profile definition that looks like this:
    healthbot {
        ingest-settings {
            data-enrichment {
                tagging-profile profile1 {
                    policy policy1 {
                        rules *;
                        term term1 {
                            when {
                                matches-with "$source-port" "$netchat-source-port";
                                matches-with "$protocol" "6 (TCP)";
                            }
                            then {
                                add-key "application" {
                                    value netchat;
                                }
                            }
                        }
                        term term2 {
                            when {
                                matches-with "$protocol" "6 (TCP)";
                                matches-with "$destination-port" "$netchat-dest-port";
                            }
                            then {
                                add-key "application" {
                                    value netchat;
                                }
                            }
                        }
                        term term3 {
                            when {
                                matches-with "$source-port" "$ms-streaming-source-port";
                                matches-with "$protocol" "17 (UDP)";
                            }
                            then {
                                add-key "application" {
                                    value ms-streaming;
                                }
                            }
                        }
                        term term4 {
                            when {
                                matches-with "$source-port" "$netconf-ssh-source-port";
                                matches-with "$protocol" "6 (TCP)";
                            }
                            then {
                                add-key "application" {
                                    value netconf-ssh;
                                }
                            }
                        }
                        term term5 {
                            when {
                                matches-with "$source-port" "$vns-tp-source-port";
                                matches-with "$protocol" "17 (UDP)";
                            }
                            then {
                                add-key "application" {
                                    value vns-tp;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
Dynamic Tagging
Paragon Insights supports dynamic tagging. In dynamic tagging, you set conditions in a tagging profile that are checked against values stored in the Redis database. When these conditions are met, the tagging profile is applied to incoming data before Paragon Insights processes the data.
Benefits of Dynamic Tagging
Values stored in Redis database are current and dynamic.
Redis database can be used as a cache memory to store real-time data.
Understanding Redis Database and Dynamic Tagging Configurations
Key structure is

    <Device-group-name>::<device-id>::<key-name>
    __network::<network-group-name>::<key-name>

where :: is the key separator.

Example key structures:

Device Group

    Core:r1::/components/

Network Group

    network::net_check::topic/rule

Values are stored in JSON string format (<json dump as string>) in Redis. However, values are provided in string, integer, and float formats.

Example value formats:

    Core:r1::/components/ = value1
    Core:r1::/components/ = '{"key1": value1, "key2": value2}'
    Core:r1::/components/ = '{"key1": {"key2": value1, "key3": value2}}'
    Core:r1::/components/ = '{"key1": {"key2": '[list of values]', "key3": value1}}'
Sample tagging-profile configurations using when statement.

    "when" : {
        "matches-with" : [
            {
                "left-operand" : "$field1",
                "right-operand" : "/interfaces/.key1",
                "in-memory": true
            }
        ]
    }

Use a . operator between interfaces. In the following example, key3 interface is nested within key2 interface in the right operand.

    "when" : {
        "matches-with" : [
            {
                "left-operand" : "$field1",
                "right-operand" : "/interfaces/.key2.key3"
            }
        ]
    }
Sample tagging-profile configurations using then statement.

    "then" : {
        "add-field" : [
            {
                "name" : "field1",
                "value" : "redis-key",
                "type" : "integer",
                "in-memory": true
            }
        ]
    }

Use a . operator between interfaces. In the following example, key3 interface is nested within key2 interface in the right operand.

    "then" : {
        "add-field" : [
            {
                "name" : "field2",
                "value" : "redis-key1.redis-key2.redis-key3",
                "type" : "integer",
                "in-memory": true
            }
        ]
    }
Using exist operator in configurations.

Using exist as key.

Redis Data Structure

    "Core:r1::/interfaces/" = '{"ge-1/0/2": {"key1": value1, "key2": value2}}'

tagging-profile Using when Statement

    "when": {
        "exists": {
            "field": "$interface-name",
            "path": "/interfaces/",
            "in-memory": true
        }
    },
    "then": {
        do-something..
    }

Using exist as value in list.

Redis Data Structure

    "Core:r1::/interfaces/" = '{"key1": {"key2": ["ge-1/0/2", "ge-1/0/3"], "key3": value1}}'

tagging-profile Using when Statement

    "when": {
        "exists": {
            "field": "$interface-name",
            "path": "/interfaces/.key1.key2",
            "in-memory": true
        }
    },
    "then": {
        "add-field": [
            {
                "name": "field1",
                "value": "/interfaces/.key1.key3",
                "in-memory": true
            }
        ]
    }
Using $ in then statements.

When you use $<field-name> within a Redis key, $<field-name> is replaced with a value from the already processed database value.

As an example, consider that ge-1/0/2 is present within Redis key.

Redis Data Structure

    "Core:r1::/interfaces/" = '{"ge-1/0/2": {"key1": value1, "key2": value2}, "ge-1/0/3": {"key1": value1, "key2": value2}}'

Example tagging-profile

    "when": {
        "exists": [
            {
                "field": "$interface-name",
                "path": "/interfaces/",
                "in-memory": true
            }
        ],
        "greater-than": [
            {
                "left-operand": "30",
                "right-operand": "/interfaces/.$interface-name.key1",
                "in-memory": true
            }
        ]
    },
    "then": {
        "add-field": [
            {
                "name": "interface-meta-data",
                "value": "/interfaces/.$interface-name.key2",
                "in-memory": true
            }
        ]
    }
In this scenario, the tagging-profile checks if $interface-name is present in the Redis database, and if the key1 value for the given interface name is greater than 30. If the statement is true, the tagging-profile fetches the key2 value from the name field. In this example tagging profile, the name value is interface-meta-data.

To enable dynamic tagging, set in-memory value to true. By default in-memory value is set to false.

    "when": {
        "exists": {
            "field": "$interface-name",
            "path": "/interfaces/.key1.key2",
            "in-memory": true
        }
    },
    "then": {
        "add-field": [
            {
                "name": "interface-meta-data",
                "value": "/interfaces/.$interface-name.key2",
                "in-memory": true
            }
        ]
    }
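The following is an added illustration, not Paragon Insights code, of how the exists operator, dot paths, and $<field-name> substitution described above fit together when a record is tagged. The dict standing in for Redis and its contents are constructed, and the helper names (`resolve`, `exists`, `apply_profile`), the `Core:r1::` key prefix taken from the page's examples, and the choice to substitute `$<field-name>` after splitting the path on `.` are assumptions of this example.

```python
import json

# Constructed stand-in for Redis: key -> JSON dump stored as a string.
REDIS = {"Core:r1::/interfaces/": json.dumps({
    "ge-1/0/2": {"key1": 45, "key2": "uplink"},
    "ge-1/0/3.0": {"key1": 10, "key2": "access"},
    "key1": {"key2": ["ge-1/0/2", "ge-1/0/3"], "key3": 7},
})}

# The page's last sample profile, written out as valid data.
PROFILE = {
    "when": {"exists": {"field": "$interface-name",
                        "path": "/interfaces/.key1.key2", "in-memory": True}},
    "then": {"add-field": [{"name": "interface-meta-data",
                            "value": "/interfaces/.$interface-name.key2",
                            "in-memory": True}]},
}

def resolve(path, record, group="Core", device="r1"):
    """Follow a path such as '/interfaces/.key1.key3'; None if absent."""
    key_name, _, nested = path.partition("/.")
    raw = REDIS.get(f"{group}:{device}::{key_name.rstrip('/')}/")
    if raw is None:
        return None
    node = json.loads(raw)
    # Split on '.' before substituting $field, so a substituted value that
    # contains '.' (ge-1/0/3.0) is looked up as one key.
    for part in (nested.split(".") if nested else []):
        if part.startswith("$"):
            part = record.get(part[1:])
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def exists(field, path, record):
    """True if the field's value is a key (dict) or an item (list) at path."""
    container = resolve(path, record)
    return isinstance(container, (dict, list)) and record.get(field[1:]) in container

def apply_profile(profile, record):
    cond = profile["when"]["exists"]
    if not exists(cond["field"], cond["path"], record):
        return record
    tagged = dict(record)
    for field in profile["then"]["add-field"]:
        tagged[field["name"]] = resolve(field["value"], record)
    return tagged
```

A record whose interface-name is not in the list at `/interfaces/.key1.key2` is returned unchanged, and a path that does not resolve yields `None` rather than raising.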