PRTG & Troubleshooting

The following is an example of using a couple of technologies together to alert on a potential network problem and then investigate its source.

PRTG and Firewall Real World Troubleshooting

This example shows a combination of items. It starts with an example of a circuit use notification setting and then some investigative work. This was cobbled together from a couple of different samples to protect the innocent, but the process sequence is exactly what I do to investigate abnormal traffic.

PRTG helps immensely to alert and assist in the process (coupled with historical charts). Additional detail is provided via a Palo Alto Networks (PAN) application-aware firewall.

PRTG High Traffic Alert

Below is an example of a proactive traffic threshold alert setting. This will send an email (or other) notification that the circuit has been busy for a period of time. That's the first clue that something unusual might be happening.

NOTE: While not shown, I could have additionally used a traffic chart to visually confirm the traffic spike and determine its duration.

Result: From this we know that the circuit was busy for some period of time. We know the date/time, but not much else. Further investigation is warranted, but I prefer the system telling me versus getting a user complaint.
[Figure: PRTG traffic alert]

PRTG NetFlow Reveal

Now that we know when, we'll use flow data to determine which devices were involved and basic protocol information.

Flow data can show the source/destination IP addresses involved as well as the protocol. It's enough to potentially resolve the investigation. However, sometimes we need more.

Result: From this we know what protocol was involved and, while not shown in the sample, we would also know the source/destination addresses. That's good, but we don't yet know who (as in which user), and we don't know much about the protocol.

NOTE: Network flow sensors are included with PRTG. You do need devices that can provide flow data to PRTG, or use a SPAN/mirror port.

[Figure: PRTG flow example]

PAN Firewall App Visibility

The previous data got me curious to know more. In this case we're showing the results from a next-generation firewall to get more information.

NOTE: While PRTG provided the bread crumbs, we're using a next-generation firewall to get more information beyond general IP address, protocol and date/time. At this point, we're looking at internal tools to further complement what PRTG has alerted us to.

Result: This is good; we now have confirmation on the firewall of the observed traffic. I'm starting to feel relieved, as I now know it was an Apple update that occurred on one of my servers during the early morning hours.

[Figure: Next-generation firewall view 1]

I feel relatively confident, but I want more data. This second view confirms the application, source and destination address (along with countries). Since this was a server rather than a user, the source user isn't known, but that isn't applicable here.

[Figure: Next-generation firewall view 2]

I can now feel confident this was legitimate traffic.

We went from getting an abnormal traffic alert to learning what device was involved, when, what application generated the traffic, and where it went.

We can now close this incident.
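The three-step sequence above (a sustained-threshold alert, a flow roll-up for the alert window, then a firewall log lookup for the application) as an added Python example; this is not code from the original article, from PRTG or from Palo Alto Networks. Every input is constructed for the example: the utilisation samples, the flow records, the firewall log entries, the `apple-update` and `ms-ds-smb` application labels, the user name and the simplified field names are all assumptions, and the real PRTG and PAN export formats differ.

```python
"""Added example: the article's three triage steps as code over constructed data.
Step 1 mirrors the PRTG threshold alert (busy for a period, not a single spike).
Step 2 mirrors the NetFlow roll-up (who talked to whom, which protocol/port).
Step 3 mirrors the firewall lookup (which application, which user, where to).
None of the records below are real captures; field names are simplified and
do not follow the PRTG or Palo Alto Networks export formats."""
from collections import defaultdict

# Step 1 input: one-minute circuit utilisation samples in percent (constructed).
UTIL_SAMPLES = [
    ("2023-03-14 03:00", 12), ("2023-03-14 03:01", 15), ("2023-03-14 03:02", 91),
    ("2023-03-14 03:03", 94), ("2023-03-14 03:04", 97), ("2023-03-14 03:05", 95),
    ("2023-03-14 03:06", 93), ("2023-03-14 03:07", 20), ("2023-03-14 03:08", 11),
]

# Step 2 input: flow records as (timestamp, src, dst, proto, dst_port, bytes).
# Addresses come from RFC 1918 and RFC 5737 documentation space (constructed).
FLOW_RECORDS = [
    ("2023-03-14 02:58", "10.1.1.20", "10.1.1.5", "UDP", 53, 4_000),
    ("2023-03-14 03:02", "10.1.1.50", "203.0.113.10", "TCP", 443, 410_000_000),
    ("2023-03-14 03:03", "10.1.1.50", "203.0.113.10", "TCP", 443, 520_000_000),
    ("2023-03-14 03:04", "10.1.1.22", "10.1.1.5", "TCP", 445, 2_500_000),
    ("2023-03-14 03:05", "10.1.1.50", "203.0.113.10", "TCP", 443, 480_000_000),
    ("2023-03-14 03:06", "10.1.1.50", "203.0.113.10", "TCP", 443, 300_000_000),
]

# Step 3 input: simplified firewall traffic-log entries (constructed). The app
# labels are assumptions standing in for whatever the firewall's App-ID reported;
# an empty srcuser models a server with no user mapping, not a person.
FW_TRAFFIC_LOG = [
    {"time": "2023-03-14 03:02", "src": "10.1.1.50", "dst": "203.0.113.10",
     "dport": 443, "app": "apple-update", "srcuser": "", "dst_country": "US"},
    {"time": "2023-03-14 03:04", "src": "10.1.1.22", "dst": "10.1.1.5",
     "dport": 445, "app": "ms-ds-smb", "srcuser": "corp\\jdoe", "dst_country": "internal"},
]


def find_busy_windows(samples, threshold_pct=80, min_minutes=3):
    """Return (start, end) windows where utilisation stayed above the threshold
    for at least min_minutes consecutive samples. Requiring a duration, rather
    than alerting on one sample, is what keeps a single spike from paging anyone."""
    windows, run = [], []
    for ts, pct in samples + [(None, 0)]:  # sentinel flushes the final run
        if pct > threshold_pct:
            run.append(ts)
        else:
            if len(run) >= min_minutes:
                windows.append((run[0], run[-1]))
            run = []
    return windows


def top_talkers(flows, window, n=3):
    """Roll up bytes per (src, dst, proto, dst_port) inside the alert window.
    Timestamps are zero-padded 'YYYY-MM-DD HH:MM', so string comparison orders them."""
    start, end = window
    totals = defaultdict(int)
    for ts, src, dst, proto, dport, nbytes in flows:
        if start <= ts <= end:
            totals[(src, dst, proto, dport)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def identify_application(fw_log, talker):
    """Cross-reference one flow tuple against firewall traffic-log entries to
    recover what flow data cannot show: the application, the user (if the
    firewall mapped one) and the destination country."""
    (src, dst, _proto, dport), _nbytes = talker
    matches = [r for r in fw_log
               if r["src"] == src and r["dst"] == dst and r["dport"] == dport]
    if not matches:
        return None
    return {
        "apps": sorted({r["app"] for r in matches}),
        "srcuser": matches[0]["srcuser"] or None,  # None: no user mapping (a server)
        "dst_country": matches[0]["dst_country"],
    }


def triage(samples, flows, fw_log):
    """Run the three steps end to end and return a summary for the incident record."""
    windows = find_busy_windows(samples)
    if not windows:
        return {"alert": None, "top_talkers": [], "application": None}
    window = windows[0]
    talkers = top_talkers(flows, window)
    app = identify_application(fw_log, talkers[0]) if talkers else None
    return {"alert": window, "top_talkers": talkers, "application": app}


if __name__ == "__main__":
    summary = triage(UTIL_SAMPLES, FLOW_RECORDS, FW_TRAFFIC_LOG)
    print("Busy window:", summary["alert"])
    for (src, dst, proto, port), nbytes in summary["top_talkers"]:
        print(f"  {src} -> {dst} {proto}/{port}: {nbytes / 1e6:.0f} MB")
    print("Application:", summary["application"])
```

The duration requirement in step 1 is the detail that matters most in practice: a threshold that fires on one sample produces noise, while one that needs several consecutive busy minutes matches the "busy for a period of time" alert the article relies on. Step 3 deliberately returns `None` for the user when the firewall has no mapping, which is exactly the server case described above.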

Other PRTG Network Monitoring Sensors

Overview
This is a partial list of PRTG sensors that can be used for network monitoring.

SNMP Traffic - Use to display live total traffic, traffic in, traffic out and optionally errors. Great way to detect how "busy" a circuit is.
Ping - Used to detect network latency (delay) to a particular destination address. Great way to determine how responsive a circuit is based on tests to one or more destination addresses. Yes, ping isn't a perfect way.
Jitter - Loosely stated, the variance of ping latency; an important metric for phone calls (audio).
HTTP - Used to detect web site availability and/or responsiveness.
HTTP Advanced - Good way to detect download bandwidth; use with discretion.
Hops/traceroute - Good way to detect routing changes that impact site responsiveness.
SNMP RMON - Used to detect port statistics; see the sensor for more information.
Flow data - Supports NetFlow (Cisco) and sFlow (sampled flow data). Great way to look at current or historical top-talking IP addresses and/or protocols.

© 2023 Altaware, Inc. | All rights reserved.
