
This article is applicable to customers that use a Cloud Access Security Broker (CASB) service to manage their users’ access to web apps. In these cases, the goal is to quickly detect and alert on any issues users are having reaching the web apps they use. In addition, monitoring results help answer the questions:

  • What apps are users actually using? (Usage)
  • How much bandwidth is being used by each app? (Usage)
  • Which users are consuming the most bandwidth? (Usage)
  • What sort of app performance are my users experiencing? (Experience)
  • Is traffic being routed as expected? (Delivery)
  • Are my service providers living up to their SLAs? (Delivery)
  • How do I determine where network problems are originating? (Delivery)

What does this guide cover

  • The recommended approach to monitoring with AppNeta Performance Manager (APM) in a CASB environment.
  • Where and how to deploy Monitoring Points.
  • How to configure the APM components (Usage, Experience, and Delivery) to monitor in a CASB environment.
  • How to get notified when a network issue occurs.
  • How to gain insight into how your web apps, your network, and your CASB service are performing.

AppNeta recommends deploying a Monitoring Point to each location where there are users accessing web apps (for example, the Headquarters, Branch offices, and Home offices). Once the Monitoring Points are deployed, they can be configured to measure bandwidth attributable to each web app and each user (Usage), to emulate users accessing the web apps (Experience), and to monitor network health (Delivery). The difference in a CASB environment is that, if the CASB service blocks ICMP traffic, the single-ended network paths associated with web paths terminate at CASB. Because of this, we recommend creating additional single-ended paths that bypass CASB.

Network diagram showing Monitoring Points in the Headquarters, a Branch office, and a home office with paths to a CASB service, the web app, and an AppNeta GMT.

In this example, when Experience monitoring is configured, web paths are created that target the web app (solid red lines) and, like all user traffic, they pass through the CASB service before they get to the web app. These web paths enable you to determine that the web app can be accessed and to see how it is performing from a user perspective. Note that the Native Monitoring Point (NMP), deployed in the Home office, does not support Experience monitoring so there is no web path from it.

When the web paths are created, single-ended network paths (dotted red lines) are automatically generated to the same target. But, in the cases where the CASB service does not pass ICMP traffic (which is what single-ended network paths use for monitoring), these paths terminate at the CASB service. Even though they don’t go through the CASB service, these network paths enable you to determine the routing and performance of the network to the CASB service.

In order to determine the routing and performance of the network to the web app without the influence of CASB, additional single-ended network paths (dashed blue lines) that bypass the CASB service are created from each remote location to the web app.

Finally, in order to determine that the internet can be accessed and to determine whether there are network performance issues to or from the internet, dual-ended network paths (double-dashed blue lines) are created from each remote location to AppNeta Global Monitoring Targets (GMTs).
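The four path types described above can be read together to narrow down where a fault lies. The sketch below is an added example, not AppNeta code or an APM API: the `SiteStatus` fields, the fault labels, and the sample data are hypothetical, and the shared/site-local rule is a simple heuristic.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class SiteStatus:
    """Constructed per-site summary. True = no violation, False = violation,
    None = path type not monitored from this site."""
    site: str
    web: Optional[bool]     # Experience web path to the app, through CASB
    casb: Optional[bool]    # single-ended path that terminates at CASB
    bypass: Optional[bool]  # single-ended path to the app, bypassing CASB
    gmt: Optional[bool]     # dual-ended path to an AppNeta GMT

def localize(s: SiteStatus) -> str:
    """Walk outward from the site; the first failing leg names the fault domain."""
    if s.gmt is False:
        return "site-internet"
    if s.casb is False:
        return "network-to-casb"
    if s.web is False:
        # Network legs to CASB are clean, so compare with the bypass path.
        return "network-to-app" if s.bypass is False else "casb-or-app"
    if s.bypass is False:
        return "direct-route-only"   # users (via CASB) are not affected
    return "healthy"

def triage(statuses):
    """Group sites by fault domain; a fault seen from several sites is 'shared'."""
    by_fault = defaultdict(list)
    for s in statuses:
        fault = localize(s)
        if fault != "healthy":
            by_fault[fault].append(s.site)
    return {f: ("shared" if len(sites) > 1 else "site-local", sites)
            for f, sites in by_fault.items()}

# Constructed sample: HQ and Branch see the web app fail while every network
# path is clean; the Home office NMP has no web path and a failing GMT path.
SAMPLE = [
    SiteStatus("HQ", web=False, casb=True, bypass=True, gmt=True),
    SiteStatus("Branch", web=False, casb=True, bypass=True, gmt=True),
    SiteStatus("Home", web=None, casb=True, bypass=True, gmt=False),
]

if __name__ == "__main__":
    for fault, (scope, sites) in triage(SAMPLE).items():
        print(f"{fault}: {scope} ({', '.join(sites)})")
```

A `casb-or-app` result means the network legs look clean from that site, so the next step is to compare the web path's own timing breakdown with the CASB provider's status.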

Step 1: Deploy Monitoring Points

  1. Deploy Monitoring Points in your Headquarters, Branch offices, and Home offices in order to provide full coverage. The following are typical Monitoring Point deployments:
  2. Connect each Monitoring Point to the same network subnet/segment as users in those locations in order to monitor from a user perspective. A Monitoring Point can be connected to multiple networks simultaneously if necessary (wired/wireless/VLAN using IPv4 or IPv6).
  3. In the Headquarters and Branch offices, connect the Monitoring Point’s Usage monitoring port to a SPAN/mirror of the WAN traffic (prior to any NAT or encapsulation) at each location. The egress interface of the core switch is typically the best place for this. If a SPAN/mirror connection is not possible, connect the Monitoring Point inline.

Step 2: Understand WAN traffic

Usage monitoring is used to monitor WAN traffic to and from a site. It helps you to answer the questions:

  • What apps are users using (to confirm that only sanctioned apps are being used and that they are being accessed through CASB)?
  • How much bandwidth is devoted to each app?
  • Which users are consuming the most bandwidth?
  • Which users are having performance issues and which apps are they having those issues with (using latency and retransmit metrics)?

Usage monitoring prerequisites

Headquarters and Branch Office Monitoring Points deployed with capture interface(s) connected to switch ports that SPAN/mirror all WAN traffic.

Usage monitoring procedure

  1. Configure Traffic Direction by adding local subnet(s).
  2. Ensure Usage monitoring is running on the capture interfaces.
  3. Open the Top Applications chart for the Monitoring Point you are interested in.
    • If you are not seeing the data that you expect, make sure you’ve identified internal or industry-specific applications by configuring Custom Applications.
    • If you are still having issues, see Usage Troubleshooting.

Step 3: Emulate web app users

By emulating a user, Experience monitoring helps you answer the question:

  • What sort of app performance are my users experiencing?

It allows you to:

  • Monitor key applications to identify any issues affecting end user experience.
  • Compare user complaints about poor web app performance against a consistent baseline.
  • Use associated Delivery paths to see the path taken to the CASB service.

Experience monitoring prerequisites

Monitoring Points should be deployed with interface(s) connected to the applicable (typically end-user) subnets.

Experience monitoring procedure

  1. Create a Web App Group for each web app you want to monitor.
    • Include at least one interface on each of the Headquarters and Branch office Monitoring Points as a test source.
    • Use the web app URL as the test target.
    • Add a Selenium workflow that accesses the web app. At a minimum, it should log in to the web app. Web paths are created for all combinations of source, target, and workflow.
  2. Tag web paths in order to group them in ways that make sense to your business.

Note that for each web path created, an associated single-ended network path is also created.

Step 4: Monitor network health

Delivery monitoring, using both single-ended and dual-ended network paths, provides insight into network health and into the paths traffic takes through the network.

Delivery monitoring can help you answer the questions:

  • Is traffic being routed as expected?
  • Are my service providers living up to their SLAs?
  • How do I determine where network problems are originating?

It allows you to:

  • Monitor network performance and routing to the CASB service.
  • Monitor network performance and routing to the web apps.
  • Monitor network performance and routing to and from the internet.
  • Determine whether the root cause of a web app performance issue is due to the application or the network (when compared with Experience monitoring results).

Delivery monitoring prerequisites

  • Monitoring Points should be deployed with interface(s) connected to the applicable (typically end-user) subnets.
  • The single-ended network paths associated with web paths created above should be available.

Delivery monitoring procedure - single-ended paths

Single-ended paths to the CASB service are already created at this point. Those that target the web app still need to be created.

  1. Create a Path Template Group to monitor the health of the network between the remote locations and the web apps you are using.
    • Use the web app URL as the target.
    • Add source interfaces from each remote Monitoring Point (typically the “Auto” interface) to create paths.
  2. Tag network paths in order to group them in ways that make sense to your business.

Delivery monitoring procedure - dual-ended paths

Dual-ended network paths to Global Monitoring Targets (GMTs) should be added if you want to monitor location-specific performance.

  1. Create a Path Template Group to monitor internet health in both directions at each of the remote locations.
    • Use gmt.pm.appneta.com as the target to create a path to the nearest AppNeta GMT.
    • Specify “Dual Ended” paths.
    • Add source interfaces from each remote Monitoring Point (typically the “Auto” interface) to create paths.
  2. Tag network paths in order to group them in ways that make sense to your business.

Step 5: Set up alert notifications

Consider who will need to be notified in real time when issues are detected, what systems they use to manage alerts, and how to integrate AppNeta notifications with those systems. AppNeta Performance Manager supports notification via:

  • Email - Use this method if you don’t have any other event monitoring infrastructure or if you prefer email alerts. Set up using the Update Notification Options page in APM.
  • Event integration - Use this method if you already have an event monitoring system in place. Integrate directly with that system via POSTs that contain JSON event payloads.
  • SNMP notifications - Use this method if you are integrating with an SNMP system. Set up using the Manage SNMP page in APM.

Adjusting alert profiles if required

For Usage monitoring, there is no default alert profile. For Experience and Delivery monitoring, there are default alert profiles assigned to web paths and network paths when they are created. If you are receiving too many or too few alerts you can create or modify alert profiles as necessary.

Step 6: Analyze monitoring results

When you receive alert notifications, use the procedures in Investigating Violation Events to investigate the cause.

Use dashboards for an “at a glance” way to view the status of your web app and your network.

  • Application Quality dashboard - enables you to view the performance of the network and web paths that deliver an application over time (up to 30 days).
  • Web App Violation Summary dashboard - provides an at-a-glance view of the most significant web path violations over a selected period.
  • Network Violation Summary dashboard - provides an at-a-glance view of the most significant network path violations over a selected period.
  • Current Network Violation Map dashboard - provides a geographical view of your current network status. With this dashboard, issues occurring on multiple paths in a particular geographic region are easily identified.

Schedule reports to be delivered via email to those in your organization interested in web app and/or network performance.

  • Application Quality report - enables you to view the performance of the network and web paths that deliver an application over time (up to 1 year). It combines raw data and violations sourced from Experience and Delivery across a selection of applications, networks, and geographical locations to enable a high-level overview of the performance and trends over time. This report can scale up to span quarterly results and includes a one page summary aimed at an executive audience.
  • Location Bandwidth Quality report - compares the performance of a WAN network path to the stated performance of the internet service package you purchased from your ISP. It enables you to determine whether your service providers are living up to their SLAs.