Use the New Application Agent

You can use the New Application agent to learn when an excessive number of classes is being created in your traffic tree by the auto-discovery feature. The agent is useful after the initial creation of your tree; you would not want to enable it while the tree is still being built, because the large number of classes discovered during that phase would trigger it. The agent can also alert you to a possible threat to your network. For example, if someone were running a port scanner against your network to find open ports and gain unauthorized entry, a large number of port-numbered classes would be created in a short period of time.

The standard alert is a red indicator on the info tab (PacketWise) or configuration tab (PolicyCenter). In addition, you can have an email, SNMP trap, or syslog message sent when the number of auto-discovered classes crosses a predefined threshold; this method requires that you create an action file — a text file of PacketWise commands. The action file can take other actions, as well, such as disabling traffic discovery, and can include any CLI command that can run without additional user input. See Action File Overviews for more information.

In order to use this feature, the adaptive response feature must be enabled and you must create an agent based on the New Application template.

Note that this agent always returns a "green" status when traffic discovery is disabled, because no new classes are auto-discovered. The New Application agent is intended to be used in conjunction with traffic discovery; if discovery is always disabled on your unit, you can disable this agent.

Create an Agent Based on the New Application Template

The New Application agent triggers "red" when the number of new auto-discovered classes exceeds the red threshold. However, the default red threshold is so high (99999 classes) that it will always report a green status, regardless of the number of new applications discovered in the interval. Therefore, you will need to modify the default settings to define your own red threshold according to what you think would be an excessive number of new classes to be discovered on your network during a set period of time. The default evaluation interval is one day (1440 minutes). You can adjust the duration if you want the agent to calculate the number of newly discovered applications more frequently.

To create a New Application agent:

  1. On the setup tab, click the Adaptive Response Settings link.

  2. Click add. The Add Agent Entry window will open.

  3. In the create a new agent from this agent template drop-down list, choose New Application.

  4. Enter a unique identifying name for the new agent in the Name field.

  5. If desired, change the evaluation interval, in minutes (how often the agent should measure its target).

  6. Click OK and Edit Parms. This will open the Edit Agent Entry window where you can define the parameter values for your new agent.

  7. If desired, modify the threshold values:

    RedThreshold — The value at which the status of the agent turns red, and a red action file is triggered, if present. For the New Application agent, this number represents the number of new auto-discovered classes considered to be excessive. For instance, if the RedThreshold is set to 50, the agent's status will change to red when there are more than 50 new auto-discovered classes in the interval.

    GreenThreshold — The value at which the status of the agent turns green, and a green action file is triggered, if present. For instance, if the GreenThreshold is set to 40, the agent's status will be green when fewer than 40 classes are auto-discovered in the interval.

  8. Click OK to save your changes.

After creating the agent, you will want to monitor it to see whether the number of new auto-discovered classes has come close to or exceeded the threshold.

Check the Agent Status

Note: Before you can check the status of the New Application agent, you will need to wait until the first evaluation interval has passed (1440 minutes, by default).

To check the status of the New Application agent:

  1. Click the info tab. The PacketShaper’s info tab shows an icon for each agent category, and a colored status indicator for each. The New Application agent is in the Application Health category.

  2. To see the status of each individual agent in the Application Health category, hover your mouse over the colored status indicator, as shown below.



  3. In the pop-up window, locate the New Application agent. The value (20 in the figure above) indicates the number of auto-discovered classes during the interval.

    What color is its status indicator?

    Green — During the last evaluation interval, the number of new auto-discovered classes did not exceed the red threshold you defined. In other words, the number of classes being auto-discovered is not alarming.
    Yellow — During the last evaluation interval, the number of new auto-discovered classes was approaching the red threshold. (Yellow is the range between the red and green thresholds.)
    Red — During the last evaluation interval, the number of new auto-discovered classes exceeded the defined red threshold. In other words, an excessive number of classes were discovered and created during the interval.

    If the agent has ever changed status (from green/yellow to red or from red/yellow to green), a report icon with a link to a detailed report will be available for the agent.

  4. If there is a report for the New Application agent, click the report icon. The incident report lists all the classes auto-discovered during the evaluation interval.
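To make the threshold and status semantics above concrete, the following Python simulation is an added example; it is not PacketWise code and does not come from this guide. It models one agent built from the New Application template: classes are "auto-discovered" the first time a server port is seen in a constructed flow list, the count per evaluation interval is compared with RedThreshold and GreenThreshold, and a red or green action file (here just a text template with the $scorevalue placeholder) runs only when the status changes. The flow records, the one-hour interval, the ops@example.com address and the port-scan burst are all made up for illustration.

```python
"""Simulation of the New Application agent's evaluation logic.

Constructed example, not PacketWise code: models how the agent counts
newly auto-discovered classes per evaluation interval, compares the count
with RedThreshold/GreenThreshold, and triggers a red or green action file
only on a status change. All data below is made up for illustration.
"""
from collections import defaultdict
from string import Template

INTERVAL_SECONDS = 3600  # assumed one-hour interval (guide default is 1440 minutes)

# Constructed flow records: (seconds since start, server-side TCP port).
# Normal traffic uses a handful of well-known ports; the burst starting at
# t=3600 models a port scanner sweeping ports 1000-1089 inside one interval.
FLOWS = [(t, p) for t in range(0, 3600, 60) for p in (80, 443, 25, 53)]
FLOWS += [(3600 + i, 1000 + i) for i in range(90)]  # scan: 90 never-seen ports
FLOWS += [(t, p) for t in range(7200, 10800, 60) for p in (80, 443, 22)]


def new_classes_per_interval(flows, interval=INTERVAL_SECONDS):
    """Return {interval_index: number of classes auto-discovered in it}.

    Auto-discovery creates one class per previously unseen port, so a port
    is counted only the first time it appears, in the interval it appears.
    """
    seen = set()
    counts = defaultdict(int)
    for t, port in sorted(flows):
        if port not in seen:
            seen.add(port)
            counts[t // interval] += 1
    return dict(counts)


class NewApplicationAgent:
    """One agent built from the New Application template."""

    def __init__(self, red_threshold=99999, green_threshold=99999,
                 red_action=None, green_action=None):
        self.red = red_threshold          # 99999 is the guide's default: never red
        self.green = green_threshold
        self.red_action = red_action      # action-file text with $scorevalue, or None
        self.green_action = green_action
        self.status = "green"             # a fresh agent starts green
        self.fired = []                   # (interval, colour, rendered action text)

    def evaluate(self, interval, scorevalue):
        """Evaluate one interval's count and return the resulting colour."""
        if scorevalue > self.red:
            new_status = "red"            # more than RedThreshold new classes
        elif scorevalue < self.green:
            new_status = "green"          # fewer than GreenThreshold new classes
        else:
            new_status = "yellow"         # between the two thresholds
        if new_status != self.status:
            # Action files run on a transition, not on every evaluation.
            template = {"red": self.red_action,
                        "green": self.green_action}.get(new_status)
            if template is not None:
                rendered = Template(template).safe_substitute(scorevalue=scorevalue)
                self.fired.append((interval, new_status, rendered))
            self.status = new_status
        return new_status


def run(flows, red_threshold, green_threshold):
    """Feed every interval to an agent; return (status history, fired actions)."""
    agent = NewApplicationAgent(
        red_threshold, green_threshold,
        red_action='send email ops@example.com "New discovered classes" '
                   '"$scorevalue applications were auto-discovered during the last interval."',
        green_action='send email ops@example.com "New classes back to normal" '
                     '"$scorevalue applications were auto-discovered during the last interval."')
    counts = new_classes_per_interval(flows)
    history = [agent.evaluate(i, counts.get(i, 0)) for i in range(max(counts) + 1)]
    return history, agent.fired


if __name__ == "__main__":
    for red, green in ((99999, 99999), (50, 40)):
        history, fired = run(FLOWS, red, green)
        print(f"Red={red} Green={green}: {history}")
        for interval, colour, action in fired:
            print(f"  interval {interval} -> {colour}: {action}")
```

With the default thresholds the scan interval still reports green, which is the point the guide makes about the 99999 default; with RedThreshold 50 and GreenThreshold 40 the same 90-port burst turns the agent red, runs the red action once, and the following quiet interval turns it green again and runs the green action. A count that lands on or between the two thresholds (40 to 50 here) yields yellow and runs nothing.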



Create an Action File that Sends an Email Notification

If you would like to be notified via email when the number of new auto-discovered classes has exceeded the red threshold, you can create a command file whose only command is send email. By designating this command file as the red action file, an email will be sent each time the red threshold is crossed.

Note: In order to send email notification, you must configure an SMTP server in PacketWise.

To create an action file that sends an email notification:

1. If the info tab is currently displayed, click the Settings link; otherwise, go to the setup tab and click the Adaptive Response Settings link.

2. Click the edit button next to the New Application agent you created.

3. Click the browse files button. The File Browser window opens and shows the contents of the 9.258/agent/cmd directory (where action files need to be stored).

4. Click the new cmd file button. A command file window opens.

5. In the File Name field, enter a unique name for your action file, up to eight characters long, using only 0-9, a-z, A-Z, - (hyphen), _ (underscore), and . (period). Spaces are not allowed. Example: red-new

6. In the Contents area, enter the following commands:

#Title: red action file for New Application agent
send email <address> "<subject>" ["<body>"]


where <address> is the email address of the recipient. For example:

send email raltman@test.com "New discovered classes" "$scorevalue applications were auto-discovered during the last interval."

The $scorevalue variable represents the number of classes that were auto-discovered during the interval. When the message is sent, the body of the email message would look something like this:

20 applications were auto-discovered during the last interval.

Note: If you want to send an email notification to more than one recipient, repeat the send email command for each email address.

7. Click save.

8. Enter the name of your action file in the Red Action File field (for example, red-new.cmd).

9. Click OK.

After the next evaluation interval, an email will be sent if and when the agent's red threshold is crossed.

You may also want to create a green action file to notify you when the New Application agent returns to a green status.

PacketGuide™ for PacketWise® 8.1