Versa Networks

Configure SD-WAN Traffic Monitoring

For supported software information, click here.

You can configure Versa Operating System™ (VOS™) devices to export log information. The VOS devices can send log data to Analytics nodes, syslog servers, or third-party NetFlow collectors, which can analyze the data and generate reports.

To do this, you configure a logging profile, also known as a log export functionality (LEF) profile, to specify the destinations for the logs. One or two destinations can be active at any time, and these are known as the active collector or collectors of the logging profile. Then, you associate the logging profile with a traffic-monitoring policy, which specifies the traffic you want to monitor.

To configure a traffic monitoring policy, you define the rules for exporting log information. The rules consist of match criteria such as applications, source and destination IP addresses, and services. Traffic that matches the criteria is subject to the monitoring actions that you define in the policy.

This article describes how to configure a traffic monitoring policy. 

Create a Traffic Monitoring Policy

You can create a traffic monitoring policy as part of a main template, or you can create it separately and then associate it with a main template. For more information on main templates, see Configure Main Templates.

  • To create a traffic monitoring policy for an existing main template:
    1. In Tenant view, select Configure > SD-WAN > Main Templates.
    2. Select the main template for which you want to configure the policy.
    3. Click step 5, QoS, Traffic Steering, and Traffic Monitoring.
    4. Click the Traffic Monitoring tab. The following screen displays.

      traffic-monitoring-add-new.png
    5. Click Add New Traffic Monitoring Policy.
    6. Continue to Configure SD-WAN Traffic Monitoring, below.
  • To create a traffic monitoring policy separately from a main template:
    1. In Tenant view, select Configure > Secure SD-WAN > QoS & Traffic Steering > Traffic Monitoring.

      traffic-monitoring-1.png

      The following screen displays.

      traffic-monitoring.png
    2. Click the + icon. The Add Traffic Monitoring Policy screen displays.
    3. Continue to Configure SD-WAN Traffic Monitoring, below.

Configure Traffic Monitoring Rules

  1. In the Add Traffic Monitoring Policy screen, click Add Traffic Monitoring Rule.

    traffic-monitoring-3.png

    The screen displays the workflow to create a rule, beginning with step 1, Applications and URLs.

    traffic-monitoring-flow.png
  2. By default, all applications, URLs, and reputations are included in the match criteria. You can include or exclude specific applications, application groups, application categories, URL categories and URL reputations. 

    To specify traffic for application groups, specific applications, application categories, and URL categories and reputations for the rule:
    1. Select the Applications > Application Groups tab.

      applications1.png
    2. To select specific application groups to include or exclude in the rule, click User Defined Application Groups, Predefined Application Groups, or both. Then select the application groups for the rule to match. You can use the Search bar to find specific application groups.
    3. Select the Applications > Applications tab.

      applications2.png
    4. To select specific applications, click User Defined Applications, Predefined Applications, or both. Then select the applications for the rule to match. You can use the Search bar to find specific applications.
    5. Select the Applications > Application Category tab.

      applications3.png
    6. Select one or more user-defined and predefined application categories for the rule to match. You can use the Search bar to find specific application categories.
    7. Select the URLs and Reputations tab. 

      applications4.png
    8. In the URL Categories field, click the down arrow, and then select one or more URL categories for the rule to match.
    9. In the Reputations field, click the down arrow, and then select one or more reputations to include in the rule:
      • High risk
      • Low risk
      • Moderate risk
      • Suspicious
      • Trustworthy
      • Undefined
  3. Click Next or select step 2, Source & Destination Traffic.
  4. By default, traffic from all source and destination addresses, zones, and sites is included in the match criteria. You can include or exclude specific source and destination traffic to match the rule.

    To match traffic from specific source and destination addresses, zones, and sites:
    1. Select the Source Addresses tab.

      src-dest-traffic-1.png
    2. Select a source address group or address object for the rule to match, or use the search box to find a source address group or object. To exclude the source address or addresses, click Negate Source Address.
      • To create an Address Group object, click the + icon. For more information, see Add Address Group.
      • To create an Address Object, click the + icon. For more information, see Add Address Object.
    3. To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields. 
    4. Select the Destination Addresses tab.

      src-dest-traffic-2.png
    5. Select a destination address group or object for the rule to match, or use the search box to find a destination address group or object. To exclude the destination address or addresses, click Negate Source Address.
      • To create an Address Group object, click the + icon. For more information, see Add Address Group.
      • To create an Address Object, click the + icon. For more information, see Add Address Object.
    6. To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields. 
    7. Click Enable Match Anycast Address to enable matching on an anycast IP address, which is a shared default gateway IP address.
    8. Select the Source Zones & Sites tab to specify source zones to include in the match criteria. Select one or more source zones or source sites from the lists. You can also select an ingress routing instance.

      src-dest-traffic-3.png
    9. Select the Destination Zones & Sites tab to specify destination zones to include in the match criteria. Select one or more destination zones or destination sites from the lists. You can also select an egress routing instance.

      src-dest-traffic-4.png
  5. Click Next to go to step 3, Source and Destination Geolocation.
  6. Geolocation uses IP addresses to identify the location of connected devices. By default, source and destination traffic from all locations is included in the match criteria. You can specify the source and destination traffic to include or exclude in the match criteria based on geographic location.

    To specify the geographic locations to include or exclude:
     
    1. On the Source Geo Location tab, click the Country drop-down list to select a geographic category to search. 
    2. In the next field, type the name of the country, state, or city. When a match is found, it is added to the Selected list.
    3. To remove a country from the list, click the X next to the country name. To remove all selections, click Clear All.
    4. To exclude the selected geographic locations from the match criteria, click Negate Selection.
    5. Click the Destination Geo Location tab, and repeat substeps 1 through 4.

      geolocation.png
  7. Click Next to go to step 4, Services & DSCP.
  8. By default, all services, service groups, and DSCPs are included in the match criteria. You can specify the services, service groups, and Differentiated Services Code Points (DSCPs) for the rule to match.

    To specify services, service groups, and DSCP to include:
    1. Select the Services tab.

      services-update.png
    2. Select the services to include in the match criteria. To filter the list, click All Services, and select Predefined or User Defined. You can also search by service name.
    3. Select the Service Groups tab.

      service-groups-update.png
    4. Select the service groups to include in the match criteria. You can search by service group name.
      • To create a service group object, click the + icon. For more information, see Add a Service Group.
    5. Select the DSCP tab. By default, all DSCP decimal values are included in the match criteria. You can specify which DSCP decimal values to include.

      services-dscp3.png
    6. Select one or more DSCP decimal values. The value range is 0 to 63. You can use the search bar to locate values.
  9. Click Next to go to step 5, Enforcement.
  10. To define the actions to take on traffic that matches the rule, enter information for the following fields.
     
    Field Description

    Enable Flow Data (Group of Fields)

    Click the toggle to enable the export of data about IP packet flows, and then enter information for the activated fields.

    traffic-monitoring-flow-data.png

    • NetFlow Logging Setting
      Select when to export logging records to a NetFlow collector:
      • Interim—Log data at interim times when the flow is active for a long period of time. The default interim time is 1 minute, and this time is not configurable.
      • Start—Log data at the start of each session.
      • End—Log data at the end of each session.
      • Start & End—Log data at the start and end of each session.
      • Reset—Log data at the restart of a session.
    • Logging Profile
      Select the logging profile that indicates where to forward the logs:
      • Default Analytics—Click to use the default logging profile.
      • Custom—Click to use a custom logging profile, and select a profile in the drop-down list. For information on creating a custom logging profile, see Configure Reusable Objects.

    Enable Web Monitoring (Group of Fields)

    Click the toggle to enable web monitoring, and then enter information for the activated fields.

    traffic-monitoring-web-monitoring.png

    • Logging Profile
      Select the logging profile that indicates where to forward the logs:
      • Default Analytics—Click to use the default LEF profile.
      • Custom—Click to use a custom logging profile, and select a profile in the drop-down list, or select + Create New to create a new profile.
    • Send SASE Web Data
      Click to send saseWebLog logs.

    Enable DNS Monitoring (Group of Fields)

    Click the toggle to enable DNS monitoring, and then enter information for the activated fields.

    traffic-monitoring-dns-monitoring.png

    • Logging Profile
      Select the logging profile that indicates where to forward the logs:
      • Default Analytics—Click to use the default LEF profile.
      • Custom—Click to use a custom logging profile, and select a profile in the drop-down list, or select + Create New to create a new profile.
    • Send DNS Metadata
      Click to send logs for DNS traffic to Versa Analytics.

    Enable Performance Monitoring

    Click the toggle to enable performance monitoring, and then enter information for the activated fields.

    traffic-monitoring-performance.png

    • Logging Profile
      Select the logging profile that indicates where to forward the logs:
      • Default Analytics—Click to use the default LEF profile.
      • Custom—Click to use a custom logging profile, and select a profile in the drop-down list, or select + Create New to create a new profile.
    • Enable TCP Monitoring
      Click to enable TCP-based application performance monitoring.
  11. Click Next to go to step 6, Review and Submit.
  12. In the General section, enter information for the following fields.

    traffic-monitoring-rule-review.png
     
    Field Description

    Name

    Enter a name for the rule.

    Description

    (Optional) Enter a description for the rule.

    Tags

    (Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags for the same object. The tags are used for searching the objects.

    Schedule

    Select a schedule to set the time and frequency at which the rule is in effect.

    Rule Enabled

    Click to disable the rule once it is saved. By default, the rule is enabled.
  13. Review the remaining sections. Click the Edit icon in any section to make changes, as needed.
  14. Click Save Traffic Monitoring Rule. The Add Traffic Monitoring Policy screen displays the saved rule. 

    traffic-monitor-rule-list.png
  15. To add another rule, click the + Add icon in the horizontal menu. You can also select an existing rule and perform the following operations: 
    • Clone—Creates a copy of the rule. You can change the default name of the cloned rule, if desired. The cloned rule then appears in the list of traffic monitoring rules.
    • Reorder—Reorder the selected policy rule.
    • Delete—Delete the selected policy rule.
  16. Continue to Configure Permissions, Review, and Submit the Traffic Monitoring Policy. 
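
Because only traffic that matches a rule is subject to the monitoring actions, it helps to check a planned rule set against representative flows before entering it. The following Python is an added example, not Versa code or configuration. The `Rule` class, its field names, and the sample rules and flows are constructed for illustration, and it assumes that criteria of different types are combined with AND, that values within one type are combined with OR, and that an empty criterion matches everything (the defaults described above). It is narrowed to source address, DSCP, and reputation.

```python
import ipaddress
from dataclasses import dataclass, field

# Reputation values as listed in the rule workflow on this page.
REPUTATIONS = {"High risk", "Low risk", "Moderate risk",
               "Suspicious", "Trustworthy", "Undefined"}

@dataclass
class Rule:  # hypothetical model of one traffic monitoring rule
    name: str
    src_subnets: list = field(default_factory=list)  # empty = all sources
    negate_src: bool = False                         # Negate Source Address
    dscp: set = field(default_factory=set)           # empty = all DSCP values
    reputations: set = field(default_factory=set)    # empty = all reputations

    def validate(self):
        """Return a list of problems to fix before entering the rule."""
        errors = []
        if any(not 0 <= d <= 63 for d in self.dscp):
            errors.append("DSCP value outside 0-63")
        if self.reputations - REPUTATIONS:
            errors.append("unknown reputation")
        for net in self.src_subnets:
            try:
                ipaddress.ip_network(net)
            except ValueError:
                errors.append(f"bad subnet {net}")
        return errors

def matches(rule, flow):
    """Assumed semantics: AND across criteria types, OR within one type."""
    addr = ipaddress.ip_address(flow["src"])
    hit = any(addr in ipaddress.ip_network(n) for n in rule.src_subnets)
    return ((not rule.src_subnets or hit != rule.negate_src)
            and (not rule.dscp or flow["dscp"] in rule.dscp)
            and (not rule.reputations or flow["rep"] in rule.reputations))

def unmonitored(rules, flows):
    """Flows that no rule matches, so no log record is exported for them."""
    return [f for f in flows if not any(matches(r, f) for r in rules)]

# Constructed sample policy and flows; none of these values come from the page.
RULES = [Rule("risky-web", reputations={"High risk", "Suspicious"}),
         Rule("branch-voice", src_subnets=["10.20.0.0/16"], dscp={46}),
         Rule("non-lab", src_subnets=["10.99.0.0/16"], negate_src=True, dscp={0})]
FLOWS = [{"src": "10.20.1.5", "dscp": 46, "rep": "Trustworthy"},
         {"src": "10.99.3.3", "dscp": 0, "rep": "Trustworthy"},
         {"src": "10.99.3.3", "dscp": 0, "rep": "Suspicious"},
         {"src": "10.30.0.8", "dscp": 26, "rep": "Low risk"}]
```

Calling `unmonitored(RULES, FLOWS)` returns the two flows that fall outside every rule: the negated lab subnet with a trustworthy reputation, and a flow whose DSCP value no rule selects.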

Configure Permissions, Review, and Submit the Traffic Monitoring Policy

  1. In the Add Traffic Monitoring Policy screen, click Step 2, Permissions. The following screen displays.
  2. The permission for each role is selected by default, and you can update it. To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role.

    permissions.png
  3. To change the permissions for a role, select Create, Read, Update, or Delete in the Permissions column.
  4. Click Next to go to step 3, Review and Submit.
  5. In the General section, enter information for the following fields.

    review-reuse.png
     
    Field Description
    Name Enter a name for the traffic monitoring policy.
    Description Enter a text description.
    Tags Enter a tag, and then press the Enter key. You can enter multiple tags. A tag is an alphanumeric text descriptor with no spaces or special characters. The tags are used for searching the objects. 
    Reuse Options (For policies added through the Main Templates workflow.) Click Reusable on Other Templates to make the policy usable in other main templates. Otherwise, click Not Reusable. If you mark the policy as reusable, the policy is listed in the Traffic Monitoring Policies table at Configure > SD-WAN > QoS & Traffic Steering > Traffic Monitoring.
  6. Review the settings you have selected. Click the Edit icon to change a setting, as needed.
  7. Click Submit.

Manage SD-WAN Traffic Monitoring Policies

You can perform the following actions on traffic monitoring policies:

  • Edit
  • Clone
  • Delete
  • View references
  • Propagate
  • Compare versions
  • View the audit log
  • Enable and disable auto delete


For information about these actions, see Manage SD-WAN Policies and Profiles.

Supported Software Information

Releases 13.1.1 and later support all content described in this article.