Rule Accounting and Rule Hit Reporting


Rule accounting and rule hit reporting provide the ability to collect data on how policy rules are being used on your network. Once you have configured the accounting and reporting functionality, you can view the rule usage data that is collected using the Rule Usage tabs or the Policy Rule Hit Reports.

When rule accounting is enabled on a device, each rule keeps a list of the ports on which it has been used. This information is displayed in the right-panel Rule Usage tabs. When Policy Rule Hit Reporting is also enabled, then rule hit data is also collected through syslog messages sent from the devices and stored in the NetSight database. This information is then displayed in the Policy Rule Hit Reports available from the View menu and the Rule Usage tabs.

Configuring Rule Accounting and Reporting

Use the following steps to enable rule accounting on a device and configure the rule accounting and rule hit reporting parameters.

  NOTE: Rule accounting is used to show whether a given rule has been used to classify traffic on a device, and on which port the rule hit occurred. When a rule is used on a port, an entry is made in the rule hit table. Subsequent rule hits do not alter this entry in the rule hit table; however, you can use the "clear rule usage" options discussed below to customize the table to indicate how recently, or in what context, these rule hits have occurred. You can specify that a rule hit is cleared when the port link-status changes, when the role that defines the rule is assigned via a Role Mapping, and/or according to a set interval. Based on these options, you can determine how fresh your rule hit data is, and/or what the rule hit data is within a specific session. For example, if you specify a clear rule usage interval of 30 minutes, then you know that any rule hits displayed in the Rule Usage tab (after you click Retrieve) have been reported in the last 30 minutes. These clear rule usage options also control how frequently the device sends the syslog messages containing the rule hit data used for rule hit reporting.

  TIP: Use the Device Configuration Wizard to enable Rule Accounting and reporting on multiple devices.
  1. Select a device in the left-panel Network Elements tab, and click the Role/Rule tab in the right panel. (If a device does not support the Rule Accounting feature, the rule accounting options will be grayed out.)
  2. In the Rule Accounting section, enable Rule Accounting.
  3. Enable the Use Expanded Format for Rule Hit System Log Messages option. When enabled, the device will provide additional information in Policy Rule Hit syslog messages. For example, the additional information may include what actions may have been initiated by the rule (if any).
  4. Enable the Clear Rule Usage on Port Link-Status Change option if you want to clear rule usage data whenever the port's link status changes, such as when a user connects or disconnects.
  5. Enable the Clear Rule Usage on Role Mapping Change option if you want to clear rule usage data when there's a role-mapping change. If a role-mapping is defined and traffic comes onto the device and is mapped to the defined role, then all rules in that role will have their rule hit data cleared. This option should be enabled for Policy Rule Hit Reporting. It allows you to start a new data collection when the name of the role changes on the port, providing for a cleaner data presentation.
  6. For Policy Rule Hit Reporting, select the Enable Syslog Server checkbox to set up the device to send syslog messages.
  7. In the Clear Rule Usage on Interval section:
    1. Enable the Clear Rule Usage on Interval option to clear the rule usage data at a set interval. This option should be enabled for Policy Rule Hit Reporting because it specifies the interval at which syslog messages will be sent to the server, thereby providing data samples at even intervals.
    2. Enter the desired interval (in minutes).
    3. Click Apply.
  8. The Rule Usage Auto Clear Ports list must contain all ports where you want rule accounting to take place. If you have enabled any of the clear rule usage options, this list must specify the ports on the device where the clear operations will be performed. Click Add/Remove to open the Add Ports window where you can select ports to add to the list. Click Apply to set any changes you have made.
  9. For each rule that you want to collect rule hit data on, you must specify the action to take place when a "rule hit" is reported. Select a rule in the left-panel Services tab, then select the Rule General tab in the right panel. In the Actions section, select the desired actions to take place when this rule is used:
    • Generate System Log on Rule Hit - A syslog message is generated when the rule is used. This option must be selected for Policy Rule Hit Reporting.
       NOTE: N-Series devices with firmware version 6.x or earlier must be added to a policy domain using the switch IP address and not the router IP address. This is because syslog messages contain the switch IP address, and this IP address must be found as a modeled device in a policy domain in order to match the rule to the domain's rule set. If a match is not found, the rule hit won't be written to the database.
    • Generate Audit Trap on Rule Hit - An audit trap is generated when the rule is used.
    • Disable Port on Rule Hit - Any port reported as using this rule will be disabled.
     TIP: You can also specify these rule usage actions when you create a rule using the Rule Wizard.
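To make the clear rule usage options concrete, here is an added Python model of the per-device rule hit table described in the NOTE above. It is an illustration written for this page, not code from the product, and the rule names, role names and port labels are constructed sample values; the returned report list stands in for the syslog messages the device would send at each interval.

```python
from dataclasses import dataclass, field


@dataclass
class RuleHitTable:
    """Simplified model of one device's rule hit table (assumption: one entry
    per (rule, port); only the first hit creates it, repeats leave it alone)."""
    rule_role: dict                               # rule name -> owning role (constructed)
    hits: dict = field(default_factory=dict)      # (rule, port) -> minute of first hit

    def record_hit(self, rule, port, minute):
        """A rule classifies traffic on a port; later hits do not alter the entry."""
        self.hits.setdefault((rule, port), minute)
        return self.hits[(rule, port)]

    def clear_on_link_change(self, port):
        """Clear Rule Usage on Port Link-Status Change: drop every entry for the port."""
        for key in [k for k in self.hits if k[1] == port]:
            del self.hits[key]

    def clear_on_role_mapping(self, role):
        """Clear Rule Usage on Role Mapping Change: drop every rule in that role."""
        for key in [k for k in self.hits if self.rule_role.get(k[0]) == role]:
            del self.hits[key]

    def clear_on_interval(self):
        """Clear Rule Usage on Interval: report the hits accumulated in this
        window (modelled as the returned list) and start a fresh sample window."""
        report = sorted(self.hits)
        self.hits.clear()
        return report


def demo():
    """Walk one 30-minute window with constructed sample hits."""
    table = RuleHitTable(rule_role={"deny-telnet": "Guest",
                                    "permit-dns": "Guest",
                                    "permit-sql": "Server"})
    table.record_hit("deny-telnet", "ge.1.1", minute=3)
    table.record_hit("deny-telnet", "ge.1.1", minute=17)   # repeat hit: entry unchanged
    table.record_hit("permit-sql", "ge.1.4", minute=5)
    table.record_hit("permit-dns", "ge.1.1", minute=8)
    table.clear_on_role_mapping("Guest")   # a new Guest session on ge.1.1 starts a clean count
    return table.clear_on_interval()       # window closes: only the Server hit is reported
```

Running `demo()` returns `[("permit-sql", "ge.1.4")]`, which is exactly what the interval's syslog sample would carry after the Guest role mapping cleared the Guest rule hits.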

You are now ready to view rule usage and rule hit reporting information.

Viewing Rule Usage Information

Rule usage information provides a current snapshot of rule hits on a device. When rule accounting is enabled on a device, each rule keeps a list of the ports on which it has been used. This information is displayed in the Rule Usage tabs.

  • To view the ports that a specific rule has been used on.
    Select a rule in the left-panel Services tab, then select the Rule Usage tab in the right panel. (If the rule type does not include any devices that support rule accounting, this tab will be grayed out.) Click the Retrieve button to display the ports where the rule was used. Use the Clear button to clear selected port(s) from the rule's usage list.

  • To view the rules that have been used for a specific role or service, or on a specific device or port.
    Select a role, service, device, or port in the left-panel tree, then select the Rule Usage tab in the right panel. Click the Retrieve button to display the rule usage information. Use the Clear button to clear selected port(s) from the associated rule's usage list.

  • To view any ports on a device that have been disabled due to rule usage.
    Select a device in the left-panel Network Elements tab, and click the Role/Rule tab in the right panel. Click the Retrieve button to display any disabled ports. Use the Clear button to clear any selected disabled ports, and re-enable them. Keep in mind that if the port continues to receive traffic that matches the rule, and the rule is still configured to disable the port, then the port will almost immediately reappear in the table.

Viewing Policy Rule Hit Reporting

Policy Rule Hit Reporting provides a historical look at rule usage over time for domains. When rule accounting is enabled on a device, the Policy Rule Hit data is collected through syslog messages sent from the device to the NetSight server and stored in the NetSight database. This information is displayed in Policy Rule Hit Reports.

  • To view the rule hits for all devices in all domains as they are being received.
    From the Policy Manager View menu, select View > Policy Rule Hit > Real Time Policy Rule Hits. This table displays real-time policy rule hits for all domains as they are being collected in the database. Viewing rule hits lets you know that rule hit data is being successfully collected. The "Time Received" column reflects the time the rule hit was received by the NetSight server. The Clear button empties the display table only. A right-click menu allows the report to be printed or exported to a file.

  • To view rule hit data on a polling cycle.
    From the Policy Manager View menu, select View > Policy Rule Hit > Policy Hit Accounting Tool. This tool shows the rule hits read from the database on a polling cycle. The data can be filtered by device and by the type of rules (all rules, hit rules, permit or discard rules). The graph is a bar chart and you can select to show rules, services, service groups, or roles. A right-click menu allows the graph to be printed or exported to a file. The polling interval is set in the Policy Rule Hit Reporting options panel.

  • To view the top-10 rules used in the domain in the last 24 hours.
    From the Policy Manager View menu, select View > Policy Rule Hit > Top-10 Policy Rule Hits (24 hours). The first chart shows the top ten rules in the current domain based on the last 24-hour period. The second chart shows an individual rule's usage mapped out by role along with a table that shows all the individual rule hits that make up the data for the second chart. The Retrieve button updates the report with data for the period ending with the current time. A right-click menu allows the report to be printed or exported to a file.

  • To view the top-10 rules used in the domain in the last week.
    From the Policy Manager View menu, select View > Policy Rule Hit > Top-10 Policy Rule Hits (1 week). The first chart shows the top ten rules in the current domain based on the last 7-day period. The second chart shows an individual rule's usage mapped out by role along with a table that shows all the individual rule hits that make up the data for the second chart. The Retrieve button updates the report with data for the period ending with the current time. A right-click menu allows the report to be printed or exported to a file.

  • To view rule usage trends in the domain in the last week.
    From the Policy Manager View menu, select View > Policy Rule Hit > Rule Usage Trend (1 week). This report shows the top five rules with the most rule hits in the current domain based on the last 7-day period. The first chart shows rule usage mapped out by time. The second chart shows an individual rule's usage mapped out by role along with a table that shows all the individual rule hits that make up the data for the second chart. The Retrieve button updates the report with data for the period ending with the current time. A right-click menu allows the report to be printed or exported to a file.

  • To view rule hit data filtered on a role, service, rule, device, slot, or port.
    • Select a role, service, rule, device, slot, or port in the left-panel tree, right-click and select Policy Rule Hits from the menu. This report shows the last 100 rule hits for the selected item. The Clear button empties the display table only.
    • Select a role, service, rule, device, slot, or port in the left-panel tree, right-click and select Top-5 Rule Usage Trend (1 week) from the menu. This report shows the top five rules with the most rule hits based on the last 7-day period for the selected item. The Clear button empties the display table only.
