Overview
The main objective of an application definition is to easily categorize network usage. Through this concept, which is a key notion of Skylight sensor: capture, the administrator can group similar network usages into categories that will make sense for their network context. Additionally, by configuring Applications, reports on network traffic are made clearer and are readable by any user regardless of their understanding of the underlying infrastructure (IP addresses and subnet, or ports used by each application).
Customizable application definitions and auto-detected applications
The solution comes with both a set of predefined, changeable, custom application definitions (full list here: Pre-defined Applications) and a comprehensive, non-editable, updated database of SaaS applications. The latter are referred to as the Auto-detected applications, and typically act on the latest known FQDN/IP ranges and ports for over 5000 common SaaS applications.
Definition of a custom application
A custom application is a set of network services which together correspond to a business application. For example, an application named ERP could be configured to match network traffic on port TCP/80 on a server Zone containing the specific server 192.168.20.4/32.
An application can be defined using a set of filters a flow must match in order to enter the application. These filters can use various elements of a flow, from its IP addresses to its ports, capture, protocols, and so on.
Note that, depending on the kind of flow considered, some of this information may not be available. For instance, the attribution of an application to a NetFlow cannot use anything besides bare IP addresses, protocol and ports. As a consequence, an application defined on a given VLAN, MAC address or protocol stack will never accept a NetFlow.
All rules are checked in list order, even if there are multiple matches. Each rule that defines an application has a priority assigned to it. When several rules match, the highest priority determines which match is taken into account.
Put differently, applications are labels which are marked on incoming captured sensor data whenever that data matches a corresponding application’s rules.
Note: Applications are connected to the main Analytics application suite (dashboards, analysis views).
For more information about the configuration of applications, refer to the Configuration section.
Examples
An application which is run on a server that has an IP of 192.168.1.4 with MSSQL will be defined as follows:
- Server Port Range: 1433.
- IP protocol: TCP.
- IP Server: 192.168.1.4/32.
An HTTP application running on a server along with several other applications will be defined as follows:
- Web URL Pattern: intranet.securactive.lan.
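The matching behaviour described above (filters on flow fields, fields that a NetFlow does not carry, priority among several matches, and the NC fallback) can be sketched as follows. This is an added illustration, not product code. Assumptions: the `Flow` and `Rule` field names, a larger number meaning higher priority, substring matching for the URL pattern, and the application names and priorities other than ERP are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Flow:                          # hypothetical flow record, not the product's schema
    server_ip: str
    server_port: int
    ip_protocol: str
    vlan: Optional[int] = None       # None when the source (e.g. NetFlow) does not carry it
    url: Optional[str] = None        # None when the source (e.g. NetFlow) does not carry it

@dataclass
class Rule:                          # criteria left as None are not checked
    application: str
    priority: int                    # assumption: larger number = higher priority
    server_net: Optional[str] = None
    port_range: Optional[range] = None
    ip_protocol: Optional[str] = None
    vlan: Optional[int] = None
    url_pattern: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return all([
            self.server_net is None or ip_address(f.server_ip) in ip_network(self.server_net),
            self.port_range is None or f.server_port in self.port_range,
            self.ip_protocol is None or f.ip_protocol == self.ip_protocol,
            # A criterion on a field the flow lacks can never be satisfied.
            self.vlan is None or f.vlan == self.vlan,
            self.url_pattern is None or (f.url is not None and self.url_pattern in f.url),
        ])

def classify(flow: Flow, rules: list) -> str:
    # Every rule is evaluated; among the matches the highest priority wins
    # (ties go to the earlier rule in the list, an assumption).
    matched = [r for r in rules if r.matches(flow)]
    return max(matched, key=lambda r: r.priority).application if matched else "NC"

RULES = [  # criteria for the first three rules come from the page; the rest is constructed
    Rule("ERP", 10, server_net="192.168.20.4/32", port_range=range(80, 81), ip_protocol="TCP"),
    Rule("MSSQL", 10, server_net="192.168.1.4/32", port_range=range(1433, 1434), ip_protocol="TCP"),
    Rule("Intranet", 20, url_pattern="intranet.securactive.lan"),
    Rule("Generic web", 5, port_range=range(80, 81), ip_protocol="TCP"),
]

if __name__ == "__main__":
    captured = Flow("10.0.0.8", 80, "TCP", url="http://intranet.securactive.lan/home")
    netflow = Flow("10.0.0.8", 80, "TCP")   # same traffic seen as NetFlow: no URL
    print(classify(captured, RULES), classify(netflow, RULES))
```

The same traffic lands in different applications depending on whether it was captured or reported as NetFlow, which is worth keeping in mind when a report shows an unexpectedly large generic or NC bucket.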
Auto-detected SaaS Applications
Pre-configured SaaS applications are available for capture flow association for IPv4 flows. These auto-detected applications are organized into categories that can be activated at the capture sensor and profile levels through the Auto-detected applications configuration.
By default no categories are enabled.
For more information, see Sensor Management and Profile Management.
A link icon on the left of an application category indicates that it has an application that is enabled in a sensor profile or sensor.
Click an application within the category to view the sensor profiles or sensors in which the application is enabled.
You can then click the icon on the right of the sensor profile or sensor to open its category settings.
For categories without any sensor profile or sensor-enabled application, a message displays indicating that the category is not enabled. You can click Sensor profile configuration in the message to open the sensor profile page where you can enable the category in a sensor profile or sensor.
Main View
When going to the Applications table (Inventory ► Applications), the user is presented with the following table view. In this view the user can see a list of applications, as well as data about the current rules that are set up for that application.
Note: Hover on application names inside the dashboard tables to view a description (tooltip).
Fallback Zone and Not Classified Application
The Fallback zone or Not Classified (NC) application appears at the top of the table view. They are marked with an icon.
If the analyzed traffic does not match any zone rule, then the corresponding traffic is tagged with the Fallback zone.
For applications, if the analyzed traffic does not match any application rule, then the corresponding traffic is tagged with the NC (Not Classified) application.
User-created applications are tagged as Custom.
Note: The Fallback zone and NC application can be edited (including adding rules) but cannot be deleted.
Adding a New Application
To create a new application, click the ➕ button at the top-right of the Applications view. This opens a sidebar where the user can set the name, description and whether or not it should analyze HTTP pages. The user can also add new rules to the application at this stage.
Note: The user can bulk delete applications.
The user can export applications; this opens a menu to download a JSON file of all the data. Likewise, they can import or restore the applications. Currently, importing a JSON or CSV file is supported. For further information, see Importing and Exporting Data.
Table
The table section of the Applications view is the main part of the initial view. Here, a user can select applications.
On the left is a category explorer pane that lets you filter the list of applications that you want to view.
- All applications: Select to display all custom and auto-detected applications.
- Custom: Select to display only user- and Accedian-provided applications.
- Auto-detected: Expand and then select a category to display a list of auto-detected applications on the table.
The name and description of the applications appear on the table, as well as a condensed information tag of the application's rules.
Clicking on a singular application will pull up the Application's information in the sidebar to the right of the screen.
Note: Auto-detected applications are predefined and are not editable. Only the name and description display for auto-detected applications.
Search
The search bar at the top-left of the screen lets a user search the applications by name.
Note: Performing a search only searches from the list of filtered applications.
Sidebar - Configuration
Once a singular application is selected, a sidebar that allows configuration of that application will appear on the right-hand side of the screen; many of the configuration settings have tooltips explaining their purpose.
Here, the user can update the Name, Description, whether or not to analyze HTTP pages, and create and modify the rules; you can have multiple rules and even change the rule priority.
Sidebar - Rules
In the rules section, we can see a list of all current rules for the application.
With the table view, the user can see the list of all the rules displayed on the right side of the table.
New Rule
There is a ➕ button that will add a new rule, and start the editing of that new rule.
Once complete, click Save.
Edit Rule
Editing a rule brings up an almost identical sidebar as adding a new rule. The user can update all the fields related to the rule here. Rules may be edited by clicking the Edit icon or even the entire row.
Clone Rule
Clone the rule by clicking the Copy button.
Cloning a rule will make a complete copy of the rule selected to clone; this will copy all the values from the previous rule to a new rule. Then, the user can choose to edit it just as before.
Delete Rule
Rules can also be deleted from the application by clicking the Delete button.
Note: The user can hover over certain rules, especially ones that involve large patterns, to display a tooltip showing the full value.
Importing and Exporting Data
▶ To import and restore applications
- Click the ellipsis (...) menu in the top-right corner of the page and select Import and restore.
CAUTION: You are not simply importing additional applications, but also deleting applications that are not included in that file. Applications that are included in that file will be set to that version. This is less of an import and more of an import and restore, because it will reset the whole application to whatever the input file provides.
- This will prompt you to select a JSON or CSV file, which will replace all the contents.
- If there are matching IDs, those applications will be updated to whatever version you are importing. However, any applications other than the default that are on the system but not in the import file will be deleted from the system.
Select the JSON or CSV file you wish to import by clicking Select file and then Open. This will display the name of the chosen file.
Click Import applications.
- You will be notified of all the applications that have been imported.
Note: If you select a CSV file as part of your import, the UI will automatically send that file to the appropriate API.
▶ To export applications
- Click the ellipsis (...) menu in the top-right.
- Select the option for your preferred file format:
- Export as CSV
- Export as JSON
An editable file will be downloaded.
Applications Bundled With Capture Orchestration
To see the full list of current default applications that are bundled with Skylight Capture Orchestration, click here.
© 2024 Cisco and/or its affiliates. All rights reserved.