Using Event Rules 79
Monitoring WAN Links and Backbone Links
The Map can provide you with immediate information about which devices have been using particular servers.
Detecting Unauthorized Servers
You can use the Detect Network Sweep Attack rule to spot users creating unauthorized servers on the network. For example, you can detect unauthorized FTP servers by creating a rule which detects FTP traffic on the network, but which ignores traffic to and from known FTP servers.
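The allowlist logic described above, written out as an added example (not taken from the manual or from the product's rule engine). It scans constructed flow records for FTP control traffic, ignores known servers, and reports only hosts that actually answered on the FTP port. The CSV layout, addresses, function name and the use of TCP port 21 are assumptions.

```python
import csv
import io
from collections import defaultdict

FTP_CONTROL_PORT = 21  # assumption: servers listen on the standard FTP control port

# Assumption: addresses of the sanctioned FTP servers (constructed values).
KNOWN_FTP_SERVERS = {"10.1.0.20", "10.2.0.20"}

# Constructed flow records, one row per observed direction of a conversation.
SAMPLE_FLOWS = """\
src,src_port,dst,dst_port,bytes
10.1.5.14,49152,10.1.0.20,21,1840
10.1.0.20,21,10.1.5.14,49152,5120
10.1.5.30,50211,10.1.7.77,21,960
10.1.7.77,21,10.1.5.30,50211,20480
10.1.5.31,50300,10.1.7.77,21,400
10.1.5.14,49200,10.1.9.9,21,60
10.1.5.14,49300,10.1.0.5,80,7300
"""


def find_unauthorized_ftp_servers(flow_csv, known_servers):
    """Return {server_ip: sorted client IPs} for FTP servers not in known_servers."""
    clients = defaultdict(set)
    answered = set()  # hosts seen sending from the FTP port, i.e. really serving
    for row in csv.DictReader(io.StringIO(flow_csv)):
        sport, dport = int(row["src_port"]), int(row["dst_port"])
        if dport == FTP_CONTROL_PORT:
            server, client = row["dst"], row["src"]
        elif sport == FTP_CONTROL_PORT:
            server, client = row["src"], row["dst"]
            answered.add(server)
        else:
            continue  # not FTP control traffic
        if server not in known_servers:  # ignore traffic to and from known servers
            clients[server].add(client)
    # Unanswered connection attempts do not prove that a server exists.
    return {s: sorted(c) for s, c in clients.items() if s in answered}


if __name__ == "__main__":
    for server, users in find_unauthorized_ftp_servers(
            SAMPLE_FLOWS, KNOWN_FTP_SERVERS).items():
        print(f"unauthorized FTP server {server}, clients: {', '.join(users)}")
```

Requiring a reply from the FTP port keeps a stray connection attempt to a host with nothing listening from being reported as a server.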
Monitoring Congestion on WAN Links
You can configure a Monitor Critical Connections event rule to inform you when a link is becoming congested. You can either set an absolute threshold at a level of traffic which you think is acceptable on the link, or you can use the event rule to tell you when traffic levels on the link change significantly. A Connection Activity report can be used to give you regular information on the activity of a link. See “Connection Activity Report” on page 100 for more information.
Monitoring Single Devices Which are Overusing the Capacity of a Link
You can configure a Monitor Network Resource Usage event rule to tell you when one device is using a lot of bandwidth on a link. Similar information can be obtained on a regular basis using a Top N Connections report. See “Top N Connections Report” on page 105 for more information.
Detecting Network Misuse
Sometimes congestion on a link can be caused by misuse. You can configure a Detect Network Misuse event rule to spot users who use a WAN link for Web traffic during working hours.
For example, if you know that a connection should only be used for Lotus Notes traffic, then you could configure a Detect Network Misuse rule to spot any application except Notes. See Chapter 4, “Grouping Network Devices in the Map” for more information about applications.
If you have a network with multiple servers in different sites, you can configure a Detect Unauthorized Machine Access rule to make sure people access their local server rather than accessing a server across a WAN link.