Application Configuration
AppResponse 11 identifies applications that are communicating over the monitored network by matching traffic attributes against application definitions. If the traffic attributes match your definition of an application, then AppResponse 11 collects and reports traffic statistics and performance metrics for the application. For more details, see
Traffic Matching Mode below.
You can create the following types of definitions for applications:
◼
General - combinations of ports, protocols, server IP addresses and automatically recognized applications.
◼
URL - one or more URLs or patterns occurring in URLs.
◼
Web - one or more combinations of:
– URLs or patterns occurring in URLs
– Values of web page content
– Values of web page properties
◼
Auto-recognized - pre-configured application definitions. The product is shipped with a large library of definitions for common applications. It recognizes traffic from these applications automatically. These definitions can also be included as parts of General definitions.
Choosing Definitions > Applications displays the Application Configuration page, which includes a separate tab for each of these approaches to specifying application definitions. Additionally, it reports the number of General and URL applications for which high priority definitions have been enabled (up to 600) and the number of Advanced Web App for which definitions have been enabled (up to 300).
When a set of application definitions has been selected in the Portal Integration page to be managed solely from SteelCentral Portal, the relevant fields wil be visible in the Edit dialog, but will be read-only.
Importing Applications from an Upgraded AppResponse 9.6.x Appliance
Customers using a 2200, 3300, or 3800 appliance or a VMon or v2000 virtual appliance can choose to export applications and import them into AppResponse 11.1.0 (or later) when they upgrade their software. For information on exporting applications, see the AppResponse 9.6.2 release notes.
Corrupted application definitions in an exported .csv file generate errors. These definitions must be fixed before the .csv export file can be imported.
Importing 9.6.x Exported Applications
1. Choose Definitions > Applications to open the Application Configuration page in the AppResponse 11 web UI.
2. Click Import in the top-right corner of the page header.
3. Specify or choose the name of the exported .csv file in the window that opens, for example,
AR9-App-Export.csv.
4. General and server applications are imported as follows:
– URL applications are imported as Advanced Web applications, not URL applications. The server information for the URL applications is preserved in the import.
– Applications are imported as High Priority applications. AppResponse 11 supports up to 600 High Priority applications, If you have more than 600 applications, create two .csv files, one (FILE A.csv) with no more than 600 High Priority applications, the second (FILE B.csv)with the remaining applications. Import FILE B.csv first and then edit the applications to change each to Medium or Low Priority applications. Next, import FILEA.csv.
– AppResponse 11 application names are case-sensitive and must be unique. The names of the imported AppResponse 9.6.x applications cannot duplicate the name of existing AppResponse 11 applications. An error message with the list of duplicate names is displayed when duplicates are found during an import. Those application names must be changed in the .csv file before they can be imported.
Conflicts with AppResponse 11 Auto-Recognized applications may occur. For example, these default applications in AppResponse 9.6.x will have conflicting names during import: DNS, HTTP, ICMP, IMAP, POP3, RTCP, SMTP, and SSH. These applications can be imported by changing their names to all lowercase in the .csv file.
– When imported, an AppResponse 9.6.x Auto-Recognized application is replaced by the corresponding AppResponse 11 Auto-Recognized application.
Traffic Matching Mode
To ensure that the most useful and relevant traffic data is retained, AppResponse 11 applies a set of criteria to select the top network elements, such as applications, IP conversations, and web pages, for each time window. Detailed metric data is only kept for these top elements. However, AppResponse 11 calculates total traffic, throughput, and utilization metrics based on ALL the traffic seen. Priority, high to low, is used to determine what traffic has detailed metrics retained.
Traffic that is matched to URL applications is never matched to any other application type. As a result, any enabled URL application definition always has a Traffic Matching Mode of High Priority. This priority cannot be changed.
The matching process follows these steps:
1. High Priority Traffic Matching Mode
– General applications can be any combination of user-supplied ports, protocols, server IP addresses, and Auto-Recognized applications.
– High Priority applications are matched to all incoming traffic. If traffic, for example, an individual TCP connection, matches more than one General application it contributes metrics to all those applications.
– Performance data that ASA records for these applications are not affected by topping, that is, metrics for all General applications with high priority that were seen in a minute are recorded in the AppResponse 11 performance database.
2. Medium Priority Traffic Matching Mode
– These General applications also can be any combination of user-supplied ports, protocols, server IP addresses, and Auto-Recognized applications.
– These medium priority applications are matched to all incoming traffic. If traffic matches more than one General application with this priority setting it contributes metrics to all those applications.
– Performance data that ASA recorded could be affected by topping - this is why this is a lower priority than High.
3. Unmatched Traffic Priority
Traffic that doesn't match any application definitions in steps 1) and 2) is matched to Auto-Recognized applications that were not matched in steps 1) and 2). If the traffic matches more than one previously unmatched Auto-Recognized application, it contributes metrics to all those applications. Performance data that ASA recorded could be affected by topping.
4. Low Priority Traffic Matching Mode
– Users also can create General applications with Traffic Matching Mode set to Low Priority. AppResponse 11 prevents these General applications from using any Auto-Recognized application definitions. Instead, these General applications only use combinations of user-supplied port, protocols and server IP addresses.
– These applications will be matched against traffic that did not match any applications in steps 1), 2), and 3) above. These could be considered user-defined applications.
– Performance data that ASA recorded could be affected by topping.
5. Final matching
– Traffic that did not match any applications in steps 1) through 4) above is matched against Port Alias definitions. A user can modify port alias definitions or create new definitions of their own at Definitions > Port Aliases. Performance data that ASA recorded could be affected by topping.
General
On the General tab you can add an application to be tracked and then add one or more definitions for that application. If monitored traffic matches any one of the definitions, it is recognized as belonging to the application.
On the General tab you can:
◼ define an application more narrowly or more broadly than it is defined in the library of applications listed on the Auto-recognized tab.
◼ define an application that is not included in the library of applications listed on the Auto-recognized tab.
◼ enable or disable recognition of an application.
◼ change the matching mode for checking traffic against application definitions.
◼ edit or delete an existing application definition on the General tab. (This does not change any application definition in the library of auto-recognized applications.)
To specify application definitions in terms of ports, protocols, server IP addresses and auto-recognized applications
1. Choose Definitions > Applications to open the Application Configuration page. Click the General tab and choose Add.
2. Enter the name and description of the application as you want it to appear throughout the product.
3. Select Enabled to have AppResponse 11 start monitoring for the traffic as soon as you save your definition.
4. If you want auto-recognized apps to collect metric data separately, click the Collect Auto-Recognized Application data separately checkbox. Enabling this option allows included auto-recognized apps to calculate metric data. By default, metrics are not calculated for an auto-recognized app if that app was used in a General app definition.
5. Select the traffic matching mode you want to use for the application.
High and medium priority matching take precedence over matching the definitions in the library for auto-recognized applications. Low priority matching is used only if no definition in the library of auto-recognized applications has been found to match.
The product saves all statistics for applications configured for high priority matching. It saves statistics for applications set to medium and low priority matching modes if storage capacity is available. If storage capacity is limited, statistics for medium and low priority applications are saved for only the applications with the top traffic volumes. However, all traffic that matches any definition is included in computing performance metrics and reporting total traffic volumes.
6. Choose Add to open the new definition window.
7. Enter the values you want to include or else select them from the drop-down menus where they are provided.
The definition is the logical AND of all the elements you specify. That is, the traffic must meet all the criteria you specify in this definition in order to be recognized as belonging to the application. You can specify the definition entirely in terms of ports and protocols, or you can choose an auto-recognized application definition and restrict it to specified server IP addresses.
Note that auto-recognized applications cannot be used as part of Low priority matching criteria. This is because auto-recognized application definitions take precedence over Low priority definitions.
8. Click Save to save the definition and return to the New General Application window. The new definition is listed.
9. Choose Add again if you want to create another definition for the application. You can add many individual definitions. The product uses the logical OR of all the definitions you specify. That is, traffic that matches any one of the definitions is tagged as belonging to the application.
10. Click Save to save the definition and return to the New General Application window. The new definition is listed.
11. When you finish adding definitions for the application, choose Save on the New General Application page to return to the General tab. The new application is added to the list of applications on the General tab.
To delete an application from the General tab, either
◼ Hover your mouse over the entry for the definition and choose the delete (x) icon, or
◼ select one or more entries from the list of applications and choose Delete at the top of the table.
URL
The URL tab enables you to define application traffic in terms of one or more URLs or patterns occurring in URLs. If a page object matches any of the URLs or URL patterns, then the traffic containing that page object is tracked and reported as belonging to the application.
The traffic matching mode is always High for URL-based application definitions. A URL-based definition takes precedence over any definition in the library of auto-recognized applications. The product saves all statistics for application traffic that matches a URL-based definition.
To define an application in terms of URLs or patterns occurring in URLs
1. Choose Definitions > Applications to open the Application Configuration page. Click the URL tab and choose Add.
2. Enter the name and description of the application as you want it to appear throughout the product.
3. Select Enabled to have AppResponse 11 start monitoring for the traffic as soon as you save your definition.
4. Enter one or more URLs or patterns occurring in URLs. Press Enter after each entry.
If a page object matches any of the URLs or URL patterns, then the traffic containing that page object is tracked and reported as belonging to the application. You can include only a single wildcard character (“*”) in each entry.
5. Choose Save. The definition is saved and the application is added to the list of applications on the URL tab.
To delete an application from the URL tab, either
◼ Hover your mouse over the entry for the definition and choose the delete (x) icon, or
◼ select one or more entries from the list of applications and choose Delete at the top of the table.
Web
The Web tab enables you to track application traffic using highly specific matching criteria. You can define an application in terms of:
◼ URLs or patterns occurring in URLs
◼ Values of web page content
◼ Values of web page properties
The traffic matching mode is always High for application definitions on the Web tab. A Web definition takes precedence over any definition in the library of auto-recognized applications. The product saves all statistics for application traffic that matches a Web definition.
To define an application on the Advanced Web tab
1. Choose Definitions > Applications to open the Application Configuration page. Click the Web tab and choose Add.
2. Enter the name and description of the application as you want it to appear throughout the product.
3. Specify a Slow Page Threshold of 1 to 600 seconds.
If a web page matching this criteria does not load within the time you specify here, it is considered to be a slow page. AppResponse 11 can be configured to alert on slow pages.
4. Select Enabled to have AppResponse 11 start monitoring for the traffic as soon as you save your definition.
5. Specify any or all of the following page match criteria:
◼ URL Patterns - limit the match to patterns in the URL of the “MAIN” object (that is, the page, such as www.riverbed.com). If monitored traffic matches this specification, then the product tracks traffic for not only this page, but also any objects the page includes. Note that those objects could be referenced by URLs that do not include the URL patterns you specify in this section.
◼ Content Values - limit the match to web page specifications containing specific content values. Refer to the
Content Values Page Match Criteria section for descriptions and examples of content value specifications.
◼ Advanced - limit the match to web page specifications containing combinations of URL patterns, web page content or web page properties. Refer to the
Advanced Page Match Criteria section for descriptions and examples.
6. Choose Save. The definition is saved and the application is added to the list of applications on the Advanced Web App tab.
To delete an application from the Advanced Web App tab, either
◼ Hover your mouse over the entry for the definition and choose the delete (x) icon, or
◼ select one or more entries from the list of applications and choose Delete at the top of the table.
A deleted Web App is displayed as Unnamed: <xxxx> instead of Not Available as was done in earlier versions of AppResponse.
Content Values Page Match Criteria
The Content Values options in the Page Match Criteria section enable you to narrow the page match criteria to specific values being present or absent. The matching criteria for each type of page content can be set to equal or not equal patterns seen in the monitored traffic.
To specify web page content values
1. Expand the Content Values option in the Page Match Criteria section of the New Advanced Application page.
2. Select the format and location of the data.
3. Enter the name and value of the data to be matched. Refer to the examples below.
4. Specify whether all content values must match or if the traffic should be tracked if any of the content values match.
5. Choose Add to specify additional content values. Use the delete icon (x) at the end of the entry if you want to delete a content specification.
Examples of traffic equaling the content value you specify are as follows.
Content Type | Content Name (Example) | Content Value (Example) | Matched Traffic (Example) |
SOAP value | CustomerID | 12345 | <CustomerID>12345</CustomerID> |
URL parameter | trade | sell | path?type=web&trade=sell |
Form value | origin | web | transaction=sales&origin=web |
HTTP header value | X-DataType | customer | X-DataType: customer |
Cookie | beta | two | Cookie: alpha=one;beta=two
or
Set-Cookie: alpha=one;beta=two |
Custom Regular Expression | | DataField=[0-9]*XXX | DataField=43543XXX |
Advanced Page Match Criteria
The Advanced text box in the Page Match Criteria section enables you to narrow the page match criteria to specific properties of the page. AppResponse 11 provides predefined variables for most web page properties. You can specify the values of these property variables and combine them in expressions.
The table below lists the predefined web page properties for which you can specify values. For example, if you want to collect statistics about traffic for all web pages that use server port 8080, you could enter:
$serverPort=8080
After the table, rules for combining properties into expressions are presented.
Property Name (case insensitive) | Type |
clientContinent | String |
clientCountry | String |
clientIP | IP |
clientPort | Integer |
clientRegion | String |
hostname (normalized to lowercase) | String |
HTTPS | Boolean |
incomplete | Boolean |
incompleteObjects * | Objvector |
method | String |
numTcpConns * | Integer |
objects * | Objvector |
optimized (retrieved through a SteelHead) | Boolean |
optimizedObjects (retrieved through a SteelHead) * | Objvector |
originIP | IP |
pageTime * | Double |
path (normalized to UTF-8 and %HH for values < 0x20) | String |
requestBody | String |
requestBytes (sum of header + body) | Integer |
requestHeader | String |
responseBody | String |
responseBytes | Integer |
responseHeader | String |
serverContinent | String |
serverCountry | String |
serverIP | IP |
serverPort | Integer |
serverRegion | String |
session | String |
statusCode | Integer |
title | String |
URL | String |
username | String |
soapmethod * | String |
Notes on web page properties variables:
◼ Asterisks denote properties that apply to only pages and not to individual objects.
For example: $pageTime
◼ These properties (with the exception of those marked with an asterisk) are based on the main object of the page. For example, the "$method" of the page is actually the method of the main object (i.e., the first object) of the page.
◼ Type objvector - vector of objects, number with size(<var>), access Nth element with [N]
For example, an expression to detect pages that have any incomplete objects is:
size($incompleteObjects) > 0
The following rules apply when combining variable definitions into expressions to enter in the Advanced text box in the Page Match Criteria section.
◼ Expressions can be of any length within the limits of the Page Match Criteria section. Refer to the
Page Match Criteria Limits section below.
◼ If there is an error in the construction of the expression, then there will never be a match with monitored traffic.
◼ The expression can contain any of the following:
– References to properties in the table above by using a dollar variable.
For example: $url
– A match against a regular expression by using the “in” operator with the regex contained in quotes.
For example: $url in "pattern"
– A match against an IP address by using the “in” operator with the address in CIDR format.
For example: $serverIP in 192.168.1.0/24
– Numerical comparisons: <, <=, >, >=, =, <>, !=
For example: $packetsIn > 2
– Boolean logic: and, or, not
For example: $url in "pattern1" or $url in "pattern2" or not $url in "pattern3"
– Grouping (by using parenthesis).
For example: $url in "pattern" and ($serverIP in 192.168.1.0/24 or $pageTime > 5.0)
– Check against a set of values with the “in” operator and {{ }} as delimiters.
For example: $responseCode in {{ 404, 501, 502 }}
Page Match Criteria Limits
The Page Match Criteria section of the New Web Application dialog supports a total of approximately 600 tokens, where tokens are counted as follows:
◼ In the URL Patterns section, each URL pattern counts as two tokens.
◼ In the Content Values section, each entry counts as two tokens.
◼ In the Advanced section, each property variable counts as one token and each constant counts as one token. For example, the following expression has six tokens, which are indicated in boldface type:
($clientPort = 1001 or $clientPort = 1002) and $url in "mypage[0-9]*"
Operators (=, and, or, in) do not count as tokens.
Riverbed recommends that the combined total of the tokens in all three sections should not exceed 600. This number is a strong advisory, not an enforced limitation.
Auto-recognized
The Auto-recognized tab lists the applications that are already defined when you purchase or update AppResponse 11. These cannot be deleted or modified.
To track traffic for an auto-recognized application using a more inclusive or exclusive definition, add the application on the General tab and set the new definition to High priority or Medium priority. Alternatively, add the application to the URL tab or the Advanced Web tab.
Importing and Exporting Application Definitions
Definitions of general applications and URL applications can be exported to a CSV (comma separated value) file, a format used by many spreadsheet applications, edited in the CSV file, and subsequently imported back in to AppResponse 11. This provides a convenient mechanism for editing a large number of application definitions in a short amount of time. Definitions of web applications can be exported to a JSON file to be worked with in a similar way.
The Import and Export controls are located at the upper right of the Application Configuration page.
Clicking Export displays a dialog with checkboxes for General Applications, URL Applications, and Web Applications. Each is selected by default. Click Export to create a zip file that contains separate CSV files for URL applications and general applications, as well as a JSON file for web applications.
The general applications CSV file provides the existing application definitions with the following fields:
◼ Version [AR11]
◼ Data Type [general applications]
◼ Timestamp
◼ Name
◼ Description
◼ Enabled
◼ Priority
◼ Auto-recognized app definitions
◼ Transport protocol definitions
The URL applications CSV file provides the existing application definitions with the following fields:
◼ Version [AR11]
◼ Data Type [URL applications]
◼ Timestamp
◼ Name
◼ Description
◼ Enabled
◼ Preferred
◼ URLs
The Web applications JSON file provides the existing application definitions with the following fields:
◼ Version [AR11]
◼ Data Type [Web applications]
◼ Timestamp
◼ Slow Page Threshold
◼ Content Values
◼ Name
◼ Use Advanced Criteria
◼ Description
◼ Use URL Patterns
◼ Enabled
◼ Preferred
◼ URL Patterns
◼ Use Content Values
◼ Match
◼ Advanced Criteria
◼ Tags
To export application definitions to CSV file:
1. Choose Definitions > Applications to open the Application Configuration page.
2. Click Export at the upper right of the Application Configuration page. Clicking Export displays a dialog with checkboxes for General Applications, URL Applications, and Web Applications. Each is selected by default. Click Export to create a zip file that contains separate CSV files for URL applications and general applications, as well as a JSON file for web applications. By default, the file names are: “applications.zip”, “gen_apps_ar11.csv”, “url_apps_ar11.csv”, and “web_apps_ar11.json”. The application definitions table is written to the specified CSV file and/or JSON file immediately.
3. Double-click the file to open it in the associated application, or drag the file to a folder to edit it at a later time.
To import application definitions from CSV file:
1. Choose Definitions > Applications to open the Application Configuration page.
2. Click Import at the upper right of the Application Configuration page. A dialog box appears; type the name of the CSV file you want to import, or click Choose File to browse the file system and select it. Click Import to execute the process, and the contents of the file are read in to the application definition table.