Monitor Bandwidth of New Applications

The High Bandwidth New App agent monitors the bandwidth usage of newly discovered classes on your network. If the traffic in a single new class exceeds a certain percent of the parent partition size, the adaptive response feature will alert you that a threshold has been exceeded. The standard alert is a red indicator on the info tab (PacketWise) or configuration tab (PolicyCenter). In addition, you can have an email, SNMP trap, or syslog message sent when a high bandwidth application has been found; this method requires that you create an action file — a text file of PacketWise commands. Taking it a few steps further, you can have the action file automatically create a partition to cap the bandwidth usage in the class. The action file can include any CLI command that can run without additional user input. See Action File Overviews for more information.

In order to use this feature, adaptive response and traffic discovery must be enabled and the High Bandwidth New App agent must be turned on.

Modify the Agent Settings

By default, the High Bandwidth New App agent checks hourly to see if a single class is using more than 10 percent of the parent partition's bandwidth (typically the Inbound or Outbound link size). If you want to change the evaluation interval (for instance, to every 30 minutes) or change the percentage at which an application is considered to be using too much bandwidth, you can edit the agent's settings.

1. On the setup tab, click the Adaptive Response Settings link.
   
   
2. Make sure the checkbox in the Agent On column is selected for the High Bandwidth New App agent.
   
   
3. Click edit next to the High Bandwidth New App agent. The Edit Agent Entry window will open.
   
   
4. If desired, change the evaluation interval, in minutes (how often the agent should measure its target.)
   
   
5. If desired, modify the threshold values:
   
   RedThreshold — The value at which the status of the agent turns red, and a red action file is triggered, if present. For the High Bandwidth New App agent, this number represents the percentage at which a newly discovered class is considered to be using too much bandwidth. For instance, if the RedThreshold is set to 10, the agent's status will change to red when the utilization of a single class is more than 10 percent of the parent partition size.
   
   GreenThreshold — The value at which the status of the agent turns green, and a green action file is triggered, if present. For instance, if the GreenThreshold is set to 5, the agent's status will be green when no single class has more than five percent utilization of its parent partition.
   
   
6. Click OK to save your changes.

Check the Agent Status

To check the status of the High Bandwidth New App agent:

1. Click the info tab. The PacketShaper’s info tab shows an icon for each agent category, and a colored status indicator for each. The High Bandwidth New App agent is in the Application Health category.
   
   
2. To see the status of the High Bandwidth New App agent, hover your mouse over the Application Health colored status indicator, as shown below.
   
   
   
   
3. In the pop-up window, observe the color of the High Bandwidth New App agent's status indicator.
   
   Green — During the last evaluation interval, usage of any single newly discovered class did not exceed the red threshold you defined. That is, no new class used a disproportionate share of bandwidth during the interval.
   Yellow — During the last evaluation interval, usage was approaching the red threshold (yellow is the range between the red and green thresholds).
   Red — During the last evaluation interval, usage exceeded the defined red threshold. In other words, at least one new class was using too much bandwidth. If the status indicator is red, you should look at the incident report for details.
   
   If the agent has ever changed status (from green/yellow to red or from red/yellow to green, a report icon with a link to a detailed report will be available for that agent.
   
   
4. If there is a report for the High Bandwidth New App agent, click the report icon. The incident report lists the name of the class that was consuming excessive bandwidth, the average bandwidth used in the interval, and a utilization graph of this class.
   
   
   
   

Create an Action File

There are different actions you might want to take if a High Bandwidth New App is found on your network. Perhaps you just want an email notification that indicates the name of the application that is consuming excessive bandwidth. Or perhaps you want to create a partition to limit the bandwidth used by the class.

Note: In order to send email notification, you must configure an SMTP server in PacketWise.

To create an action file:

1. If the info tab is currently displayed, click the Settings link; otherwise, go to the setup tab and click the Adaptive Response Settings link.

2. Click the edit button next to the High Bandwidth New App agent.

3. Click the browse files button. The File Browser window opens and shows the contents of the 9.258/agent/cmd directory (where action files need to be stored).

4. Click the new cmd file button. A command file window opens.

5. In the File Name field, enter a unique name for your action file up to eight characters long, including 0-9, a-z, A-Z, -,_, and . (period). Spaces are not allowed. Example: red-app

6. In the Contents area, enter the following commands:

#Title: red action file for High Bandwidth New App agent
partition apply $namelist 5% fixed
send email <address> "High Bandwidth Consuming New App found" "New class $namelist recently used $avg-bps bps, which is more than the Red Threshold ($RedThreshold percent). A partition was applied to Class $namelist."

where <address> is the email address of the recipient. The $namelist variable represents the name of the class that is using the most bandwidth in the interval. The $avg-bps variable is the class' utilization, in bits per second. To summarize, this action file will apply a partition to the class, restricting the amount of bandwidth available to the class; in this example, the partition size is 5% of the parent partition, but you can set any appropriate size. You will then be sent an email notifying that these actions have been taken.

Note: If you want to send an email notification to more than one recipient, repeat the send email command for each email address.

When the message is sent, the body of the email message would look something like this:

New class inbound/ftp recently used 762744 bps, which is more than the Red Threshold (10 percent). A partition was applied to Class $namelist.

If you simply want to receive an email notification that a new class is using excessive bandwidth, the action file would look like this:

#Title: red action file for High Bandwidth New App agent
send email <address> "High Bandwidth Consuming New App found" "New class $namelist recently used $avg-bps bps, which is more than the Red Threshold ($RedThreshold percent)."

7. Click save.

8. Enter the name of your action file in the Red Action File field (for example, red-app.cmd).

9. Click OK.

After the next evaluation interval, an email will be sent if and when the agent's red threshold is crossed.