Network Policy Monitoring
About Network Policy Monitoring
This page shows you how to set up Network Policy Monitoring using NeDi and GroundWork Monitor.
To take full advantage of this powerful feature, you will need to connect NeDi to GroundWork using the NeDi connector in Cloud Hub. See NeDi for information on doing this. Also, you will probably want to create at least one capture container or NetFlow/sFlow collector. See GroundWork as a NetFlow Collector.
Once you have your system configured to send data to GroundWork from the NeDi module, you can proceed to policy monitoring.
Before you can use this advanced feature, you must enable it. Follow these steps:
- Access the command line of the GroundWork server where you are running the Network Discovery (NeDi) container. Go to the gw8 directory.
- Edit the nedi.conf file:
  docker-compose exec nedi vi /usr/local/groundwork/config/nedi/nedi.conf
- Un-comment the line that controls the policy module as shown here:
  # Policy is useful for alerting and taking scripted actions, It is also powerful. Off by default.
  module System Policy hat3 mgr
- Save the file.
- You can then see the Policy option appear in the user interface under Configuration > Network Discovery > System > Policy.
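The state of the policy module entry can also be checked, and the entry un-commented, without an interactive editor. The script below is an added example, not GroundWork or NeDi tooling; it assumes the disabled entry is the module line shown above prefixed with #, and its function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not GroundWork/NeDi tooling. Assumption: the disabled entry is
# the "module System Policy ..." line prefixed with '#', fields split by blanks.
ENTRY='module[[:space:]]+System[[:space:]]+Policy([[:space:]]|$)'

# policy_state FILE: prints enabled, disabled or missing
policy_state() {
    if grep -Eq "^[[:space:]]*$ENTRY" "$1"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$ENTRY" "$1"; then
        echo disabled
    else
        echo missing
    fi
}

# enable_policy FILE: uncomments the entry, keeps FILE.bak; no-op if already enabled
enable_policy() {
    case "$(policy_state "$1")" in
        enabled) return 0 ;;
        missing) echo "no Policy module entry in $1" >&2; return 1 ;;
    esac
    cp -p "$1" "$1.bak" || return 1
    sed -E "s/^([[:space:]]*)#[[:space:]]*($ENTRY)/\1\2/" "$1.bak" > "$1"
}

# demo: runs both functions on a constructed sample, not a real nedi.conf
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# Policy is useful for alerting. Off by default.' \
        '#module System Policy hat3 mgr' > "$f"
    before=$(policy_state "$f")
    enable_policy "$f" || return 1
    after=$(policy_state "$f")
    rm -f "$f" "$f.bak"
    echo "$before -> $after"
}

demo
```

The descriptive comment line above the entry is left untouched because only a commented line that starts with the module keyword is matched.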
Defining a Policy
To define a policy to monitor, you must first determine what type of policy you are interested in. Policies are extremely flexible and powerful, so they are described briefly here. Further details are available in the context-sensitive help in the Network Discovery section. Click the life ring icon on the menu bar to access it.
When the automated discovery runs, if you have enabled access to your network infrastructure, it will find all the connected ports and all the nodes on all the ports. The nodes can be of different types, such as phones or wireless access points, and GroundWork network discovery is smart enough to tell the types apart.
By default, the discovery runs once an hour.
This means you can set a policy to alert you when, for example, someone plugs in a device you don't want to have around, like a phone, or perhaps a camera. To set up such an alert, follow these steps:
- Go to Configuration > Network Discovery > System > Policy.
- In the Connection Type dropdown, select the desired device type, e.g., Video Camera:
- Next to Action, in the dropdown select Events, and click Add to the right. This is the flag that tells GroundWork to pay attention to this policy.
- Next, go to Configuration > Cloud Hub, and click Modify on the NeDi connector:
- Make sure you check Monitor Policies and set a Policy Host. Then click "Load Policies":
- Then click Next. The resulting Metrics screen will have a new section called Nedipolicy with one entry, which you can customize with a display name. Otherwise, the policy is named for its type and its ordinal number among the policies of that type; for example, mac_1 means it is a MAC address policy and the first of its type. You probably want to call it something like Camera_added so that it is easy to understand what is triggering it:
- Click Save and Next, and the policy will appear against the Policy Host in the Status dashboard starting out in Pending. You can then configure notifications for this service as you would for any service.
Network Traffic Policies
This type of policy requires that you have already set up at least one NetFlow/sFlow or packet capture container on the same host where you are running the GroundWork NeDi container. See GroundWork as a NetFlow Collector. Network Traffic policies are checked every 2-5 minutes, as opposed to at discovery time.
Once you set up the containers, you will be able to see the network traffic statistics in the Nodes > Traffic menu. Note that you may need to wait a few minutes for the data to arrive after initial setup.
Nodes > Traffic opens with an overview, but you can filter the display to specific collectors, protocols, and even specific hosts by using the filtering menu. Also, clicking on part of the resulting lists will result in filters being built automatically:
In this example, clicking 443 https in the destination port results in dst port 443 being added to the quick filter window. You can also type additional filter parameters in the same format as the popular tcpdump utility to further refine your filters. If you then click Show, a policy badge appears next to the Quick Filter selector:
Clicking this badge then takes you to the policy definition screen:
Here you can set thresholds for getting alerted when the filter is matched. Choose the units (e.g., Traffic Bytes), the comparison (>, <, etc.) and the quantity. For Action, select Events and then click Add, as for a connection policy. This policy will now be available to add to GroundWork as a service. Just follow the steps for loading policies and saving the metrics as you did for a connection policy.
Setting Policy Thresholds
For policy metrics that support numeric thresholds such as network traffic thresholds, you can set your own thresholds to override those you set when you create the policy. One limitation of policies you create is that they can't be edited once created, so you have to delete and re-create them. Alternatively, you can set the thresholds in Cloud Hub.
To continue the example above, simply add the policy, then:
- Go to Configuration > Cloud Hub and click Modify on the NeDi connector.
- Click Load Policies.
- Click Next. You can then expand the Nedipolicies line:
- You can now edit the threshold in the metric definition, or even add a warning threshold. Of course, you can also edit the display name to be more descriptive. Note that policies with numeric values can be graphed, so this checkbox should be checked as well.
- Click Save to save your changes, and the new policy will show up as a service against the policy host.