NG Firewall Performance Apps


This section discusses the following topics:

Bandwidth Control

Bandwidth Control allows you to monitor and control bandwidth usage on your network.


Bandwidth Control can be used to ensure that your network continues to operate smoothly and that bandwidth is shared optimally based on what is important to you. Many organizations need help with bandwidth problems, such as students watching online videos or clients using BitTorrent, while more important tasks are difficult to complete for lack of bandwidth. Using Bandwidth Control, you can prioritize chat traffic or slow down all traffic from machines using BitTorrent.

Note: Enabling Bandwidth Control automatically enables Quality of Service (QoS), but disabling Bandwidth Control does not automatically disable QoS.

Settings

This section discusses the different settings and configuration options available for Bandwidth Control.

Status

This displays the current status and some statistics.

About Bandwidth Control


Setup Wizard

The setup wizard performs the initial configuration of Bandwidth Control. Pay attention to the prompts, as they provide valuable information on how the application works, and your answers will determine the configuration.
  • Configure WAN download and upload Bandwidth: After the welcome screen, you will be asked to set the bandwidth rates for your WAN interface. This is the most important setting in the configuration of Bandwidth Control. If you are unsure, it is recommended that you run some bandwidth tests when there is no other activity to determine the true download and upload rates of your WAN connection. Entering a value around 95%-100% of the measured value is typically ideal. If the value is too low, Bandwidth Control will unnecessarily limit bandwidth to your entered value. If the value is too high, Bandwidth Control will be less effective, as it will over-allocate bandwidth and lose some ability to differentiate by priority. You will be asked to repeat this process for each WAN interface.
  • Choose a starting configuration: After setting the WAN settings, choose a configuration that best suits your organization. Each configuration's goals are described, as well as what is prioritized and deprioritized. These rules can be customized later; this is just a starting configuration.
  • Quotas: Quotas can be configured in addition to the starting configuration. Most sites will not need quotas, but they can be extremely useful in some scenarios to prevent users from monopolizing resources. Click Enable to enable quotas and provide the information that best suits your organization.
    1. Quota Clients: The clients that will be given quotas. Refrain from giving a range that includes servers and machines for which you don't want to have quotas.
    2. Quota Expiration: The expiration time of each quota (or the time for which the quota will be valid). After a quota expires, a new quota will be granted.
    3. Quota Size: The size of the quota each host is granted (in bytes).
    4. Quota Exceeded Priority: The priority given to hosts after they exceed their quota (if they do so).

More information on Quotas and how they work can be found in the Quotas section.

After this, your configuration of Bandwidth Control is complete, and Bandwidth Control is enabled!

Rules

The Rules tab contains most of the configuration and settings controlling Bandwidth Control's behavior. Rules determine the action taken when traffic passes through Bandwidth Control. For each session, the rules are evaluated in order until the first match is found; the action associated with the matching rule is then performed, and the data is sent. If no rule matches, no action is taken. If a session has been given no priority, it receives the default QoS priority, which is normally Medium.

Note: Unlike most Rules in other apps, the rules in Bandwidth Control are consulted not only when the session is formed but also again on the first ten packets, because some matches, such as "HTTP: Hostname" or "Application Control: Application", are not known until several packets into the session. Also, all of a host's sessions will be reevaluated when the host is added to or removed from the penalty box or when a quota is exceeded, so active sessions will be reprioritized accordingly.

Extensive rule sets can be created (imported and exported) that carefully assign the correct priorities to the desired traffic and perform the desired actions at the desired times.

The Rules documentation describes how rules work and how they are configured.

Rule Actions
  • Set Priority: Sets the matching session to the chosen priority.
    1. Priority: The priority to be assigned.
  • Tag Host: Adds a tag to the host to mark it for further actions.
  • Give Host a Quota: Gives the host IP a quota.
    1. Quota Expiration defines how long their quota will last
      1. "End of Hour" means the quota will expire at the 59th minute of the hour.
      2. "End of Day" means the quota will expire at 11:59pm.
      3. "End of Week" means the quota will expire 1 minute before the end of the week (Saturday 11:59pm if US-localized)
      4. An integer can also be specified for the number of seconds the quota will last from the creation date.
    2. Quota Bytes define the number of bytes in their quota.
  • Give User a Quota: Gives the user a quota
    1. Quota Expiration defines how long their quota will last
      1. "End of Hour" means the quota will expire at the 59th minute of the hour.
      2. "End of Day" means the quota will expire at 11:59pm.
      3. "End of Week" means the quota will expire 1 minute before the end of the week (Saturday 11:59pm if US-localized)
      4. An integer can also be specified for the number of seconds the quota will last from the creation date.
    2. Quota Bytes define the number of bytes in their quota.

Priorities

The overall effect of Bandwidth Control is to map traffic to priorities that are enforced by the QoS engine. There are 7 Priorities: Very High, High, Medium, Low, Limited, Limited More, and Limited Severely.

The first four priorities, Very High, High, Medium, and Low, can be considered "normal". They are given precedence over one another for bandwidth: Very High traffic can consume bandwidth before High, Medium, and Low. The Very High bucket is assigned the largest share of bandwidth, less goes to High, even less to Medium, and much less to Low.

The other three - Limited, Limited More, and Limited Severely - are different because they will never use all available bandwidth. The classes are punitive because they limit bandwidth to a percentage of the whole, even if more is available.

To read more in-depth about the effects of prioritization and how bandwidth allotment works, see Quality of Service (QoS).

Note: Effective bandwidth shaping is all about assigning the correct priorities so that important traffic is never starved by less important traffic.

A fundamental principle is that limiting traffic to a fixed low rate is almost never right, because bandwidth left unused is wasted and irrecoverable.

Where the goal is to starve less important traffic, it should be assigned a lesser priority (Medium or Low) so that it can still consume all available bandwidth when no more important traffic is present. The less important task then finishes sooner, freeing those resources for later, and by definition this comes at no expense to higher priority traffic.

The priorities that limit to less than 100% even when the bandwidth is unused (Limited, Limited More, and Limited Severely by default) are useful for punitive situations.

Quotas

Quotas are set amounts of data that can be used over a certain amount of time. This is useful for sites where you want to punish excessive usage. For example, in a hotel, we want each IP to get 1 GB a day, but if this amount is exceeded, it will be considered excessive, and that host can be treated differently (be blocked, receive less bandwidth, etc). By using quotas and rules, bandwidth abusers are handled automatically, requiring no administrator intervention.

Quotas can be assigned to Users or Hosts, and the current quota status can be viewed by clicking on Users or Hosts accordingly. All sessions' data passing through the NG Firewall gets counted against the corresponding Host or User.
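As an added illustration of the Rules and Quotas sections above (not NG Firewall's own code), the following Python models first-match rule evaluation, the Quota Expiration settings, and the reprioritization of a host's sessions once its quota is exceeded. The rule layout, session fields, condition helpers and quota record are assumptions modelled on this page's description.

```python
"""Added model of Bandwidth Control rule evaluation and host quotas. Rule layout,
session fields, condition helpers and the quota record are assumptions (not NG Firewall code)."""
from datetime import datetime, timedelta

DEFAULT_PRIORITY = "Medium"      # default QoS priority when no rule sets one

def quota_expiry(spec, now):
    """Turn a Quota Expiration setting into the absolute time the quota expires."""
    if spec == "End of Hour":    # 59th minute of the current hour
        return now.replace(minute=59, second=0, microsecond=0)
    if spec == "End of Day":     # 11:59pm today
        return now.replace(hour=23, minute=59, second=0, microsecond=0)
    if spec == "End of Week":    # Saturday 11:59pm (US-localized week)
        end = now + timedelta(days=(5 - now.weekday()) % 7)   # Monday=0, Saturday=5
        return end.replace(hour=23, minute=59, second=0, microsecond=0)
    return now + timedelta(seconds=int(spec))   # integer: seconds from creation

# Conditions are callables over (session, host_state); a few of the page's rule conditions.
def app_is(name):       return lambda s, h: s.get("application") == name
def client_in(prefix):  return lambda s, h: s["client"].startswith(prefix)
def quota_exceeded():   return lambda s, h: h["quota_exceeded"]

class BandwidthControl:
    def __init__(self, rules):
        self.rules = rules       # evaluated in order; the first match decides
        self.quotas = {}         # client ip -> {"bytes", "used", "expires"}

    def host_state(self, host, now):
        q = self.quotas.get(host)
        if q and now >= q["expires"]:    # expired quota is dropped; a rule may grant a new one
            del self.quotas[host]
            q = None
        return {"quota_exceeded": q is not None and q["used"] > q["bytes"]}

    def evaluate(self, session, now):
        """Priority for a session: the first matching rule's action, else the default."""
        host = session["client"]
        state = self.host_state(host, now)
        for r in self.rules:
            if not all(c(session, state) for c in r["conditions"]):
                continue
            act = r["action"]
            if act["type"] == "Set Priority":
                return act["priority"]
            if act["type"] == "Give Host a Quota":
                if host not in self.quotas:    # a host keeps its current quota until it expires
                    self.quotas[host] = {"bytes": act["bytes"], "used": 0,
                                         "expires": quota_expiry(act["expiration"], now)}
                return DEFAULT_PRIORITY        # this action sets no priority
        return DEFAULT_PRIORITY

    def account(self, host, nbytes):
        """Count a session's bytes against the host's quota; True once it is exceeded."""
        q = self.quotas.get(host)
        if q is None:
            return False
        q["used"] += nbytes
        return q["used"] > q["bytes"]

def demo():
    """Constructed scenario: 1 GB 'End of Day' quota for guest hosts; a host that
    exceeds it drops to Limited Severely until the quota expires at 11:59pm."""
    rules = [
        {"conditions": [quota_exceeded()], "action": {"type": "Set Priority", "priority": "Limited Severely"}},
        {"conditions": [client_in("10.1.")], "action": {"type": "Give Host a Quota",
                                                        "expiration": "End of Day", "bytes": 10**9}},
        {"conditions": [app_is("BITTORRENT")], "action": {"type": "Set Priority", "priority": "Low"}},
    ]
    bc = BandwidthControl(rules)
    morning = datetime(2024, 3, 4, 10, 30)              # constructed timestamp (a Monday)
    guest = {"client": "10.1.0.5", "application": "HTTP"}
    out = {"guest_first": bc.evaluate(guest, morning)}  # quota granted; default priority
    out["exceeded"] = bc.account("10.1.0.5", 1_200_000_000)
    out["guest_after"] = bc.evaluate(guest, morning)    # the host's sessions are reevaluated
    out["torrent_other"] = bc.evaluate({"client": "192.168.1.20", "application": "BITTORRENT"}, morning)
    out["guest_next_day"] = bc.evaluate(guest, datetime(2024, 3, 5, 0, 30))  # quota expired; new one granted
    return out
```

Note that because the first matching rule wins, a guest host's BitTorrent session never reaches the BitTorrent rule here; ordering the rules is the configuration work.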

Bandwidth Control Reports

The Reports tab provides a view of all reports and events for all traffic handled by Bandwidth Control.

You can access the applications' reports via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created. Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right. Pre-defined report queries:

Report Entry: Description
Bandwidth Control Summary: A summary of Bandwidth Control actions.
Bandwidth Usage: The approximate averaged data transfer rate (total, sent, received) over time.
Top Hostnames Usage: The bandwidth usage of the top hostnames.
Top Hostnames (by total bytes): The sum of the data transferred grouped by hostname.
Top Hostnames (by received bytes): The sum of the received data grouped by hostname.
Top Hostnames (by sent bytes): The sum of the sent data grouped by hostname.
Top Clients Usage: The bandwidth usage of the top clients.
Top Clients (by total bytes): The sum of the data transferred grouped by client address.
Top Usernames Usage: The bandwidth usage of the top usernames.
Top Usernames (by total bytes): The sum of the data transferred grouped by username.
Top Server Port Usage: The bandwidth usage by top server port.
Top Ports (by total bytes): The sum of the data transferred grouped by server port.
Top Ports (by received bytes): The sum of the data received grouped by server port.
Top Ports (by sent bytes): The sum of the data sent grouped by server port.
Top Applications Usage: The bandwidth usage of the top applications.
Top Application (by total bytes): The sum of the data transferred grouped by Application Control application.
Top Application (by received bytes): The sum of the data received grouped by Application Control application.
Top Application (by sent bytes): The sum of the data sent grouped by Application Control application.
Top Categories Usage: The bandwidth usage of the top application categories.
Top Category (by total bytes): The sum of the data transferred grouped by Application Control category.
Top Priorities Usage: The bandwidth usage by priority.
Top Priorities (by total bytes): The sum of the data transferred grouped by priority.
Top Countries Usage: The bandwidth usage by top countries.
Top Countries (by total bytes): The sum of the data transferred grouped by country.
Bypassed (by total bytes): The sum of the data transferred grouped by bypassed status.
All Sessions: All sessions processed by Bandwidth Control.
Quota Events: Shows when quotas are assigned or expired.
Prioritized Sessions: All sessions prioritized by Bandwidth Control.
The tables queried to render these reports:

Related Topics

Report Viewer

Reports

Branding Manager

The Branding Manager is designed to allow you to re-brand user-facing components by adding your company logo, name, URL, and contact email.


The Branding Manager will replace the "Arista Edge Threat Management" branding in all user-facing interactions, such as block pages, quarantine digest emails, quarantine digests, the root certificate installer, etc. This is not meant to remove all Arista Edge Threat Management branding; the administrator UI still contains many references to NG Firewall. For HTML/CSS experts, combining Branding Manager with a custom block page skin and a custom rack skin gives you a fully customized style. Of course, you don't need a custom skin to change any branding elements. See the table below to see what you can change with Branding Manager.

Settings

Status

This displays the current status and some statistics.



Settings

This section reviews the different settings and configuration options available for Branding Manager.

Select the Settings button on the faceplate to modify your Branding Manager settings. This will bring up a menu where you can upload a custom logo and modify the name, URL, and contact settings. Note that the recommended resolution for logos is 150x100; the maximum resolution is 166x100. All image formats are supported; however, we do not recommend including animation, as it can affect the PDF reports. Branding Manager's text fields have a 256-character limit.


  • Logo: Use this option to upload a replacement logo.
  • Contact Information
    • Company Name: The name of your company.
    • Company URL: The URL for your website (for example, http://www.arista.com).
    • Contact Name: The name of the network administrator who should be contacted if questions or problems arise.
    • Contact Email: The email address of the network administrator.
  • Banner Message
    • Message Text: Text that will be displayed above login boxes. This is restricted to plain text.

Fine-tune Your Logo

You do not need to fine-tune your logo, but it will make it look more professional. Here are a few tips:
  • Convert your image to Greyscale: Using Adobe Photoshop, open your image and go to File > Save As Web & Devices, specify GIF and Greyscale, then Save.
  • Resize your image: Using Adobe Photoshop, open your image and go to File > Save As Web & Devices, click the Image tab, and resize to 150x100.
  • Place your logo on a background: Download the templates, then overlay your logo.

WAN Balancer

The WAN Balancer works with multiple ISPs to distribute your traffic across multiple connections. It will decide dynamically which WAN connection to send traffic over, maximizing your bandwidth usage.



Consider using WAN Failover in your network. It automatically reroutes traffic over working WAN links when one fails. If WAN Failover is running and detects a WAN as being down, the WAN Balancer will not balance traffic to that WAN.

Settings

This section discusses the different settings and configuration options available for the WAN Balancer.

Status

This tab displays information and statistics for each WAN interface.


Traffic Allocation

On the Traffic Allocation tab, you set the weights for each WAN connection. If only one WAN is defined, you will see only one interface listed here. Enter the weighting you want, check that you are satisfied with the percentages assigned to each WAN, and select Save.

As WAN Balancer processes each new session, it decides which WAN to use for the traffic if there is no local route for it. If traffic between the same two IPs has occurred recently, a route is likely already in the cache; if so, that route is used for the new session. This ensures that all traffic between two IPs consistently uses the same WAN, avoiding issues with cloud services.

If there is no route in the cache, a WAN is chosen based on a hash of the source and destination and the weights given in the Traffic Allocation settings. Note that the Traffic Allocation weights do not determine exactly the percentages of traffic carried over the various WANs; they only determine how new sessions are assigned to the WANs.


Route Rules

Route Rules determine which WAN will be used for traffic going to the internet (traffic with no local route). As described in the Rules documentation, the Route Rules are evaluated for new sessions, and the first matching rule will determine which WAN interface is used. If no matching rule is found or the first one has a Destination WAN set to Balance, the session will be randomly assigned a route based on Traffic Allocation settings. A limited set of conditions are available for WAN Balancer Route Rules, which include source, destination, port, and protocol.

This lets you specify which WAN is used for certain traffic based on various conditions. For example:
  • To put all traffic from one server on a specific WAN, add a rule with the condition "Source Address is server_ip" and the Destination WAN as the WAN to be used.
  • To send all SMTP to a specific WAN, add a rule with "Destination Port is 25" and the Destination WAN as the WAN to be used.

This is also useful if you have one connection with less throughput but lower latency. In this case, you can specify that all VOIP or latency-sensitive traffic uses the lower latency connection.

Note: Unlike Routes, Route Rules that route traffic to a down WAN will automatically balance traffic to one of the active WANs. For example, if a rule says to send all port 25 traffic to WAN2, but WAN Failover knows WAN2 is down, this rule will effectively mean Balance, which means the session will be put on one of the other active WANs.
Note: Routes and routes based on the network configuration always override Route Rules. Route Rules only apply to sessions that have no local route based on the Routes configuration; they suggest that traffic be routed out a specific WAN when no other route says where to send it.
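As an added model of the session placement described in the Traffic Allocation and Route Rules sections (not the product's own code), the following Python checks Route Rules first, then the route cache, then makes a weighted choice keyed on a hash of source and destination, always skipping WANs reported down. That ordering, the hash function and the data layout are assumptions.

```python
"""Added model of WAN Balancer session placement. Route Rules are checked first,
then the route cache, then a weighted pick keyed on a hash of source and
destination, always skipping WANs that WAN Failover reports as down. That
ordering, the hash and the data layout are assumptions, not the product's code."""
import hashlib


class WanBalancer:
    def __init__(self, weights):
        self.weights = dict(weights)   # Traffic Allocation: wan id -> weight
        self.route_rules = []          # (condition callable, destination wan or "Balance")
        self.cache = {}                # (src, dst) -> wan chosen for that pair earlier
        self.down = set()              # wan ids WAN Failover currently reports as down

    def percentages(self):
        """The per-WAN shares the Traffic Allocation tab shows for the entered weights."""
        total = sum(self.weights.values())
        return {w: round(100 * v / total, 1) for w, v in self.weights.items()}

    def add_rule(self, condition, destination_wan):
        self.route_rules.append((condition, destination_wan))

    def _weighted_pick(self, src, dst, candidates):
        """Deterministic: the same src/dst pair always hashes onto the same WAN."""
        digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
        point = int.from_bytes(digest[:8], "big") % sum(self.weights[w] for w in candidates)
        for w in sorted(candidates):
            point -= self.weights[w]
            if point < 0:
                return w

    def choose(self, session):
        """Pick the WAN for a new internet-bound session (one with no local route)."""
        active = [w for w in self.weights if w not in self.down]
        if not active:
            return None
        target = "Balance"
        for condition, wan in self.route_rules:   # the first matching Route Rule decides
            if condition(session):
                target = wan
                break
        if target != "Balance" and target not in self.down:
            return target
        # no rule, Balance, or a rule pointing at a down WAN: balance across active WANs
        key = (session["src"], session["dst"])
        cached = self.cache.get(key)
        if cached is not None and cached not in self.down:
            return cached                         # keep the pair on one WAN consistently
        chosen = self._weighted_pick(session["src"], session["dst"], active)
        self.cache[key] = chosen
        return chosen


def share_by_wan(balancer, sessions):
    """Observed fraction of sessions placed on each WAN, to compare with the weights."""
    counts = {}
    for s in sessions:
        w = balancer.choose(s)
        counts[w] = counts.get(w, 0) + 1
    return {w: n / len(sessions) for w, n in counts.items()}


def demo():
    """Constructed two-WAN setup with a 3:1 weighting and SMTP pinned to WAN 2."""
    wb = WanBalancer({1: 3, 2: 1})
    wb.add_rule(lambda s: s["dst_port"] == 25, 2)       # "Destination Port is 25" -> WAN 2
    sessions = [{"src": f"10.0.{i // 256}.{i % 256}", "dst": f"203.0.113.{i % 200}", "dst_port": 443}
                for i in range(4000)]                   # constructed distinct client/server pairs
    shares = share_by_wan(wb, sessions)
    smtp = {"src": "10.0.0.1", "dst": "198.51.100.7", "dst_port": 25}
    pinned = wb.choose(smtp)
    wb.down.add(2)                                      # WAN Failover now reports WAN 2 down
    return {"percent": wb.percentages(), "shares": shares, "smtp": pinned,
            "smtp_when_down": wb.choose(smtp)}
```

The observed shares only approximate the configured percentages, which is the point made above: weights govern session assignment, not byte counts.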

WAN Balancer Reports

The Reports tab provides a view of all reports and events for all traffic handled by WAN Balancer.

Reports

The reports of this application can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports and custom reports created will be listed.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:

Report Entry: Description
WAN Balancer Summary: A summary of WAN Balancer actions.
Sessions By Interface: The number of sessions destined to each interface.
Bytes By Interface: The number of bytes destined to each interface.
The tables queried to render these reports:

Related Topics

Report Viewer

Reports

WAN Failover

WAN Failover works with multiple ISPs to ensure that you maintain Internet connectivity if a loss of connectivity occurs on one of your WAN connections. If one of your ISP links goes down, WAN Failover will automatically route all traffic over the other WAN(s) until service is restored.

Consider using a WAN Balancer in your network. It allows you to maintain an automatic distribution of traffic over multiple WAN links rather than just failing over if one goes down.

Tests are configured for each WAN and run continuously to determine the current status of each interface. If enough tests fail on a given WAN to exceed the failure threshold, the WAN is considered down, and internet-bound traffic will not go out of that WAN. The lowest ID active WAN is the default WAN interface for internet-bound traffic.

Settings

This section discusses the different settings and configuration options available for WAN Failover.


Status

The Status tab gives an overview of the WANs and the current test results.
  • Interface ID: The number of the interface.
  • Interface Name: The name of the interface in the NG Firewall GUI.
  • System Name: The name of the interface as seen by NG Firewall.
  • Online Status: True or False whether the WAN is online.
  • Current Tests Count: The total number of tests run on that interface.
  • Tests Passed: The total number of tests run on that interface that passed.
  • Tests Failed: The total number of tests run on that interface that failed.

Tests

WAN Failover must have tests set up for every WAN interface; these tests are set up on the Tests tab. Click Add, select your interface and test type, then run the test. If it passes, go ahead and save it.

Tests are how WAN Failover determines whether a given WAN interface is up or down, so it is important to pick tests that correlate with that WAN connection's status. For example, pinging an ISP router is generally a good test because it usually fails when the ISP is down but works when connectivity is good. Pinging a public site like google.com may work but can sometimes produce false positives or negatives. Pinging the gateway may also work but can produce false positives when the gateway is reachable but the ISP is offline.

The options are as follows:
Table 1. Options
Interface: The interface for which you want to set up a test.
Description: A description for this test.
Testing Interval: Determines how often (in seconds) your specified test will be executed.
Timeout: The maximum time that may pass without receiving a response to your test. This value should be less than the Testing Interval. Ensure that you allow enough time to pass if you have a poor connection to the internet or a connection that often has long latency (delays) associated with it.
Failure Threshold: How many failures are acceptable during the testing period.
Test Type: The specific method you will use to determine whether failover will be initiated.
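The following Python is an added model (not the product's own code) of how the options above combine: test outcomes per WAN are counted against the Failure Threshold to produce the Online Status shown on the Status tab, and the lowest-ID active WAN becomes the default. The sliding window that stands in for the "testing period" is an assumption.

```python
"""Added model of how WAN Failover turns per-WAN test outcomes into Online Status
and picks the default WAN. The sliding window standing in for the testing period
is an assumption; this is not the product's own code."""
from collections import deque


class WanFailover:
    def __init__(self, tests):
        """tests: interface id -> {"interval", "timeout", "threshold", "window"}."""
        for wan, t in tests.items():
            if t["timeout"] >= t["interval"]:   # Timeout must be less than the Testing Interval
                raise ValueError(f"WAN {wan}: timeout must be shorter than the testing interval")
        self.tests = tests
        self.recent = {w: deque(maxlen=t["window"]) for w, t in tests.items()}
        self.passed = {w: 0 for w in tests}
        self.failed = {w: 0 for w in tests}

    def record(self, wan, ok):
        """Store one test result (True = passed) and return the WAN's Online Status."""
        self.recent[wan].append(ok)
        if ok:
            self.passed[wan] += 1
        else:
            self.failed[wan] += 1
        return self.online(wan)

    def online(self, wan):
        """Down once the failures in the testing period exceed the Failure Threshold."""
        failures = sum(1 for ok in self.recent[wan] if not ok)
        return failures <= self.tests[wan]["threshold"]

    def default_wan(self):
        """Internet-bound traffic leaves via the lowest-ID active WAN."""
        active = [w for w in self.tests if self.online(w)]
        return min(active) if active else None

    def status(self, wan):
        """The columns the Status tab shows for one interface."""
        return {"Interface ID": wan, "Online Status": self.online(wan),
                "Current Tests Count": self.passed[wan] + self.failed[wan],
                "Tests Passed": self.passed[wan], "Tests Failed": self.failed[wan]}


def demo():
    """Constructed outage: pings to WAN 1's ISP router start failing, the default
    WAN moves to WAN 2, and it moves back once WAN 1 passes tests again."""
    cfg = {"interval": 5, "timeout": 2, "threshold": 3, "window": 10}
    fo = WanFailover({1: dict(cfg), 2: dict(cfg)})
    timeline = {}
    for _ in range(10):                  # both links healthy
        fo.record(1, True)
        fo.record(2, True)
    timeline["healthy"] = fo.default_wan()
    for _ in range(4):                   # four failures: more than the threshold of three
        fo.record(1, False)
    timeline["wan1_online"] = fo.online(1)
    timeline["during_outage"] = fo.default_wan()
    for _ in range(10):                  # passes push the failures out of the window
        fo.record(1, True)
    timeline["recovered"] = fo.default_wan()
    timeline["wan1_status"] = fo.status(1)
    return timeline
```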

Note on DNS tests:

Warning: DNS tests use all the DNS entries in the Interface WAN settings. If the DNS entries are only available on a specific WAN, for example, ISP DNS is only available on their network, then routes must be configured for those DNS servers. Otherwise, some DNS tests will fail as the DNS is not reachable on a non-ISP WAN, making NG Firewall falsely see the WAN as down.

WAN Failover Reports


The Reports tab provides a view of all reports and events for all traffic handled by WAN Failover.

Reports

You can access the applications' reports via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports and custom reports created will be listed.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:

Report Entry: Description
WAN Failover Summary: A summary of WAN Failover actions.
WAN Disconnect Events: The number of disconnect events grouped by WAN.
WAN Interface Outages: The failed tests of each interface over time.
Outage Events: Events where the failure threshold was exceeded and the WAN was considered offline.
Test Events: All test events and their outcome.
Failed Test Events: All tests that failed.
Success Test Events: All tests that resulted in success.
The tables queried to render these reports:

Related Topics

Report Viewer

Reports

Web Cache

The Web Cache application provides HTTP content caching: as web traffic passes through the NG Firewall server, it is transparently cached. This saves bandwidth by serving repeat content from the local cache and improves user experience by loading cached sites faster.



Like Web Filter and other applications on the NG Firewall, Web Cache works transparently on traffic passing through the NG Firewall server. You do not need to change any settings on any of the PCs behind the NG Firewall to gain the benefits of web caching.

When content is downloaded from the web, it is stored in a local cache on the disk. Upon later requests of the same web document, the content is served directly from the local cache. The same document does not get downloaded multiple times, and the client gets a better user experience because they don't have to wait for subsequent downloads of the same document.

Cache Bypass

The Cache Bypass tab allows you to enter sites you do not want to be cached. Some sites do not operate properly with Web Cache working (such as Google Maps, which is bypassed by default), so you may need to add some sites to this list. Select Add, fill in the domain name, and save.


Settings

This section discusses the different settings and configuration options available for Web Cache.

Status

The Status tab displays statistics from Web Cache, but there are no settings to configure.
  • Statistics: The following information will help you understand the statistics Web Cache provides:
    • Cache Hit Count displays the total number of HTTP requests served from the cache.
    • Cache Miss Count displays the total number of HTTP requests that were not found in the cache and were thus served using content retrieved from the external server where the content resides.
    • Cache Hit Bytes displays the size, in bytes, of all HTTP requests that have been served from the cache.
    • Cache Miss Bytes displays the size, in bytes, of all HTTP requests not found in the cache.
    • User Bypass Count displays the number of HTTP sessions that bypassed the cache because the server hosting the content was listed in the user-managed cache bypass list.
    • System Bypass Count displays the number of HTTP sessions that bypassed the cache because the system determined they were incompatible with our caching model. Web Cache can generally handle all GET and HEAD requests, and we also allow smaller POST requests to transit through the cache logic. Everything else (e.g., large POST requests, non-HTTP traffic, etc.) will bypass the cache entirely.
  • Clear Cache: If content stored in the cache becomes stale or corrupt, the Clear Cache button can be used to clear it. As noted in the GUI, clearing the cache requires restarting the caching engine, which will cause active web sessions to be dropped and may disrupt web traffic for several seconds.

Web Cache Reports


The Reports tab provides a view of all reports and events for all traffic handled by Web Cache.

Reports

You can access the applications' reports via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:

Report Entry: Description
Web Cache Summary: A summary of Web Cache actions.
Cache Hit-Miss Statistics: The number of cache hits, misses, and sessions bypassed over time.
Cache Size Statistics: The amount of cached and uncached web data over time.
Web Cache Events: All HTTP events processed by Web Cache.
The tables queried to render these reports:

Related Topics

Report Viewer

Reports