Allot Manual

NetEnforcer®

Policy Based Bandwidth Management

User Guide Version 5.2

(Doc. No. D351006)

Important Notice

Important Notice Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to the end users using this manual, regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise. SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL, INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT. Please read the End User License Agreement and Warranty Certificate provided with this product before using the product. Please note that using the products indicates that you accept the terms of the End User License Agreement and Warranty Certificate. WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Copyright Copyright © 1997-2004 Allot Communications. All rights reserved. No part of this document may be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other language without a written permission and specific authorization from Allot Communications Ltd.

Trademarks Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation and to the owners' benefit, without intent to infringe. NetEnforcer®, NetBalancer®, CacheEnforcer® and the Allot Communications pyramid logo are registered trademarks of Allot Communications Ltd. NetPolicy™ is a trademark of Allot Communications Ltd.

NetEnforcer User Guide iii

Important Notice

Allot Communications

Americas 7664 Golden Triangle Drive Eden Prairie, MN 55344 Tel: (952) 944-3100 Toll free: (877) 255-6826 Fax: (952) 944-3555

Middle East and Africa 5 Hanagar Street Industrial Zone B, Hod-Hasharon, 45800, Israel Tel: 972-9-761-9200 Fax: 972-9-744-3626

Europe NCI – Les Centres d’Affaires Village d’Entreprises ‘Green Side’ Batiment 1B 400 Avenue Roumanille, BP309 06906 Sophia Antipolis Cedex France Tel: 33-(0)4-93-00-11-67 Fax: 33-(0)4-93-00-11-65

Japan Yajima Bldg 8F 7-11-3 Ginza, Chuo-Ku Tokyo 104-0061 Japan Tel: 81-(0)3-5537-7114 Fax: 81-(0)3-5537-5281

Asia Pacific 6, Ubi Road 1 Wintech Centre #06-12 Singapore 408726 Tel: 65 6841-3020 Fax: 65 6747-9173

Printing History First Edition: December 2001, Version 4.1 Second Edition: September 2002, Version 4.2 Third Edition: January 2004, Version 5.1 Fourth Edition: December 2004, Version 5.2

NetEnforcer User Guide iv

About This Guide

About This Guide The NetEnforcer User's Manual describes how to install and configure NetEnforcer in your network, and use NetEnforcer to prioritize your network traffic.

This manual contains the following chapters:

Chapter 1, Introducing NetEnforcer, introduces NetEnforcer and provides an overall description of the architecture and functioning of the system.

Chapter 2, Installing NetEnforcer, describes NetEnforcer hardware and the initial installation and setup requirements.

Chapter 3, Getting Started, describes how to connect to NetEnforcer through your Web browser, and describes the NetEnforcer Control Panel.

Chapter 4, Configuring NetEnforcer, describes how to modify NetEnforcer's configuration parameters from a Web browser.

Chapter 5, NetWizard Quick Start, describes NetWizard, an easy-to-use wizard that enables a network manager without a wide knowledge base to have an up-and-running NetEnforcer in a relatively short time.

Chapter 6, Monitoring Network Traffic, describes how to monitor and analyze network traffic using the NetEnforcer monitoring tools.

Chapter 7, Defining Catalog Entries, describes NetEnforcer Catalogs and how to define new Catalog entries.

Chapter 8, Defining Policies, describes the process of defining a QoS policy and optimizing this policy in your network environment.

Chapter 9, NetEnforcer Alerts, describes the NetEnforcer Alerts Editor and Alerts Log.

NetEnforcer User Guide v

About This Guide

Chapter 10, Detecting Security Threats, discusses the nature of DoS attacks and their impact on network performance, and describes the ways in which NetEnforcer detects and handles DoS attacks.

Chapter 11, SNMP Monitoring, describes NetEnforcer SNMP-based statistics and how to generate MRTG reports.

Appendix A, Hardware Specifications, lists the hardware specifications for all NetEnforcer models.

Appendix B, Fail-Safe Operation, describes the fail-safe methods implemented in NetEnforcer, such as how NetEnforcer can operate parallel to another NetEnforcer to provide full redundancy.

Appendix C, Hardware Configuration, describes how to access internal components of the NetEnforcer units, and explains DIP switch settings.

Appendix D, Rack Mount Installation, describes how to mount the NetEnforcer appliance.

Appendix E, NetEnforcer Port Reference, describes configuration requirements when using NetEnforcer with a firewall.

Appendix F, NetEnforcer Protocol Reference, lists protocols supported by NetEnforcer.

Appendix G, NetEnforcer Command Line Interface, describes how to use a command line interface to configure NetEnforcer.

Appendix H, Troubleshooting, describes some common situations that may arise when using NetEnforcer and their solutions.

Appendix I, Glossary, describes the terms used in the manual.

NetEnforcer User Guide vi

About This Guide

Conventions The following conventions are used in this manual:

Note Additional information that may be useful in understanding

or using functionality.

Tip A helpful hint for using functionality, for example, a

shortcut.

Security Note

A note that has security implications.

Caution Information that is important to consider when performing a

particular action and that may have hazardous implications.

NetEnforcer User Guide vii

Table of Contents

NetEnforcer User Guide viii

Table of Contents

Table of Contents CHAPTER 1: INTRODUCING NETENFORCER....................................................1-1 What is NetEnforcer?................................................................................................................................1-2

Optional Software Packages....................................................................................................................1-2 NetEnforcer Environments......................................................................................................................1-3

How Does NetEnforcer Deliver QoS? ......................................................................................................1-4 Monitor....................................................................................................................................................1-4 Classify....................................................................................................................................................1-5 Enforce ....................................................................................................................................................1-6 Report ......................................................................................................................................................1-7

Fail-Safe Operation ...................................................................................................................................1-7 Terms and Concepts ..................................................................................................................................1-8

QoS..........................................................................................................................................................1-8 Catalog Editors ........................................................................................................................................1-9 Pipes ........................................................................................................................................................1-9 Virtual Channels....................................................................................................................................1-10 Rules......................................................................................................................................................1-10 Templates ..............................................................................................................................................1-11 NetWizard .............................................................................................................................................1-12

NetEnforcer in Action .............................................................................................................................1-13 Scenario 1: Corporate............................................................................................................................1-13 Scenario 2: QoS in an Intranet...............................................................................................................1-15 Scenario 3: ISP ......................................................................................................................................1-17 Scenario 4: Satellite Provider ................................................................................................................1-19 Scenario 5: Enhancing Enterprise Security ...........................................................................................1-20

CHAPTER 2: INSTALLING NETENFORCER ........................................................2-1 Hardware Description ...............................................................................................................................2-2

NetEnforcer High Availability Platform .................................................................................................2-3 NetEnforcer Enhanced Platform............................................................................................................2-17 Out-of-Band Management.....................................................................................................................2-25 Monitoring Only Models (AC-202 and AC-402)..................................................................................2-26

NetEnforcer User Guide ix

Table of Contents

Placement in the Network....................................................................................................................... 2-27 Connecting NetEnforcer to the Network .............................................................................................. 2-27

Setting Up NetEnforcer .......................................................................................................................... 2-29 Configuring Via a Terminal or Telnet .................................................................................................. 2-29 Configuring Via the LCD Panel ........................................................................................................... 2-40

CHAPTER 3: GETTING STARTED.......................................................................... 3-1 Accessing NetEnforcer.............................................................................................................................. 3-2 NetEnforcer Control Panel....................................................................................................................... 3-3 Installing the Java Plug-in 1.3.................................................................................................................. 3-9

Installing the Java Plug-in from Internet Explorer................................................................................ 3-11 Installing the Java Plug-in from Netscape ............................................................................................ 3-14

CHAPTER 4: CONFIGURING NETENFORCER ................................................... 4-1 Overview .................................................................................................................................................... 4-2

Activating the NetEnforcer ..................................................................................................................... 4-5 NetEnforcer Configuration Window....................................................................................................... 4-7

Menu Bar ................................................................................................................................................ 4-7 Toolbar.................................................................................................................................................... 4-9

NetEnforcer Configuration Parameters................................................................................................ 4-10 Product IDs and Key............................................................................................................................. 4-11 Access Links......................................................................................................................................... 4-13 IP and Host Name................................................................................................................................. 4-15 Security ................................................................................................................................................. 4-18 NIC ....................................................................................................................................................... 4-20 Networking ........................................................................................................................................... 4-22 SNMP ................................................................................................................................................... 4-26 Connection Control............................................................................................................................... 4-27 Monitoring ............................................................................................................................................ 4-29 Internal Accounting Setup .................................................................................................................... 4-30 External Accounting Setup ................................................................................................................... 4-32 RADIUS Setup ..................................................................................................................................... 4-34 Accounting/RADIUS Storage............................................................................................................... 4-37 LDAP/Text Source ............................................................................................................................... 4-40 VLAN ................................................................................................................................................... 4-41 Alerts .................................................................................................................................................... 4-43 Denial of Service (DoS)........................................................................................................................ 4-44

NetEnforcer User Guide x

Table of Contents

Additional Configuration Options..........................................................................................................4-46 Backing Up Configuration ....................................................................................................................4-46 Restoring Configuration ........................................................................................................................4-47 Setting Date and Time...........................................................................................................................4-48 Verifying Configuration ........................................................................................................................4-49

CHAPTER 5: NETWIZARD QUICK START...........................................................5-1 Introducing NetWizard .............................................................................................................................5-2 Monitoring Network Traffic .....................................................................................................................5-3

Viewing Graphs.......................................................................................................................................5-8 Viewing Statistics..................................................................................................................................5-10 Viewing Information .............................................................................................................................5-12 Viewing the Log....................................................................................................................................5-14

Defining Policies.......................................................................................................................................5-15 QoS Examples .......................................................................................................................................5-18

CHAPTER 6: MONITORING NETWORK TRAFFIC ............................................6-1 Overview.....................................................................................................................................................6-2

Graph Types ............................................................................................................................................6-4 Graph Views............................................................................................................................................6-5 Graph Styles ............................................................................................................................................6-6 In/Out Bandwidth ....................................................................................................................................6-7

NetEnforcer Monitoring Window ............................................................................................................6-8 Accessing Monitoring Graphs.................................................................................................................6-9 Monitoring Window Menu Bar .............................................................................................................6-12 Monitoring Window Toolbar ................................................................................................................6-15

Monitoring Graphs..................................................................................................................................6-21 Pipes Distribution ..................................................................................................................................6-25 Virtual Channels Distribution................................................................................................................6-27 Bandwidth .............................................................................................................................................6-29 Connections...........................................................................................................................................6-31 Utilization..............................................................................................................................................6-32 Packets...................................................................................................................................................6-33 Most Active Pipes .................................................................................................................................6-35 Most Active Virtual Channels ...............................................................................................................6-37 Most Active Protocols ...........................................................................................................................6-39 Most Active Hosts .................................................................................................................................6-42

NetEnforcer User Guide xi

Table of Contents

Most Active Internal Hosts ................................................................................................................... 6-43 Most Active External Hosts .................................................................................................................. 6-45 Most Active Clients .............................................................................................................................. 6-47 Most Active Servers.............................................................................................................................. 6-49

Long-Term Monitoring........................................................................................................................... 6-51 Collecting Data for Long-Term Monitoring ......................................................................................... 6-51 Adding Graphs...................................................................................................................................... 6-62 Viewing Long-Term Monitoring Graphs.............................................................................................. 6-66

CHAPTER 7: DEFINING CATALOG ENTRIES..................................................... 7-1 Working with Catalog Editors ................................................................................................................. 7-2

Accessing Catalog Editors ...................................................................................................................... 7-3 Protected Entries ..................................................................................................................................... 7-5 Deleting Entries from a Catalog ............................................................................................................. 7-6 Policy Editor Toolbar.............................................................................................................................. 7-6

Host Catalog Editor .................................................................................................................................. 7-8 Defining Host Lists................................................................................................................................. 7-9 Grouping Hosts ..................................................................................................................................... 7-12 Defining LDAP-based Hosts ................................................................................................................ 7-14 Defining Text File-Based Hosts............................................................................................................ 7-17

Service Catalog Editor............................................................................................................................ 7-20 Defining TCP and UDP IP Protocols.................................................................................................... 7-21 Defining Non-TCP and Non-UDP IP Protocols ................................................................................... 7-23 Defining Non-IP Protocols ................................................................................................................... 7-24 Importing Protocols .............................................................................................................................. 7-26 Web Update .......................................................................................................................................... 7-29 Grouping Service Catalog Entries ........................................................................................................ 7-30 Adding Content..................................................................................................................................... 7-31

Time Catalog Editor ............................................................................................................................... 7-52 TOS (Type of Service) Catalog Editor .................................................................................................. 7-57

Free Format........................................................................................................................................... 7-61 VLAN Catalog Editor ............................................................................................................................. 7-63

Defining VLANs .................................................................................................................................. 7-64 Quality of Service Catalog Editor.......................................................................................................... 7-66

Ignoring Quality of Service .................................................................................................................. 7-68 Defining QoS for Pipes......................................................................................................................... 7-69 Defining QoS for Virtual Channels ...................................................................................................... 7-75

NetEnforcer User Guide xii

Table of Contents

Connection Control Catalog Editor .......................................................................................................7-81 Load-Balancing .....................................................................................................................................7-83 Cache Redirection .................................................................................................................................7-85

Data Source Catalog Editor ....................................................................................................................7-87

CHAPTER 8: DEFINING POLICIES.........................................................................8-1 NetEnforcer Policy.....................................................................................................................................8-2

Pipes ........................................................................................................................................................8-3 Virtual Channels......................................................................................................................................8-4 Rules........................................................................................................................................................8-4 Actions ....................................................................................................................................................8-5 Using Pipes, Virtual Channels and Rules................................................................................................8-9

NetEnforcer Policy Editor.......................................................................................................................8-11 View Options.........................................................................................................................................8-12 Policy Editor Menus and Toolbar..........................................................................................................8-13 Policy Editor Status Bar ........................................................................................................................8-19

Defining Policy .........................................................................................................................................8-20 Defining Your Network Requirements..................................................................................................8-21 Adding Pipes .........................................................................................................................................8-22 Adding Virtual Channels.......................................................................................................................8-24 Adding Rules.........................................................................................................................................8-26 Policy Table Order ................................................................................................................................8-28 Templates ..............................................................................................................................................8-28 Distributing Policy to Other NetEnforcers ............................................................................................8-35

CHAPTER 9: NETENFORCER ALERTS .................................................................9-1 Overview.....................................................................................................................................................9-2 Important Preparation..............................................................................................................................9-4 Alerts Editor...............................................................................................................................................9-5

Predefined Alerts.....................................................................................................................................9-5 Customized Actions ..............................................................................................................................9-11 Conditions for Alerts .............................................................................................................................9-12 Defined Alerts List ................................................................................................................................9-16 Alerts Editor Menus and Toolbar ..........................................................................................................9-17

NetEnforcer User Guide xiii

Table of Contents

Alerts Log................................................................................................................................................. 9-18 Alerts Log Menus and Toolbar ............................................................................................................. 9-21 Accessing Monitoring Graphs .............................................................................................................. 9-23 Filtering Alerts...................................................................................................................................... 9-24

Alerts Event Messages ............................................................................................................................ 9-27

CHAPTER 10: DETECTING SECURITY THREATS........................................... 10-1 Overview .................................................................................................................................................. 10-2 Detecting and Handling DoS Attacks .................................................................................................... 10-2

Denial of Service (DoS) Parameters ..................................................................................................... 10-3 Additional Protective Mechanisms ........................................................................................................ 10-5 Security Alerts ......................................................................................................................................... 10-6

CHAPTER 11: SNMP MONITORING..................................................................... 11-1 Viewing SNMP Statistics and Getting Traps........................................................................................ 11-2

Supported SNMP MIBs ........................................................................................................................ 11-2 Access Permissions............................................................................................................................... 11-3 Configuring Trap Destinations ............................................................................................................. 11-4 Traps ..................................................................................................................................................... 11-4 MIB-II Support ..................................................................................................................................... 11-5 Accessing the Allot MIBs..................................................................................................................... 11-8

Working with SNMP-Based Management Tools................................................................................ 11-11 Introducing MRTG ............................................................................................................................. 11-11 Installing MRTG for NetEnforcer ...................................................................................................... 11-12 Example MRTG Configuration File ................................................................................................... 11-15 Example NetEnforcer MRTG Graphs................................................................................................. 11-17

APPENDIX A: HARDWARE SPECIFICATIONS .................................................. A-1 Enhanced Platform..................................................................................................................................A-1 High Availability Platform .....................................................................................................................A-2 Standards, Compliance and Certifications ..............................................................................................A-4

APPENDIX B: FAIL-SAFE OPERATION ................................................................B-1 Bypass Mode..............................................................................................................................................B-2

Bypass Initiation .....................................................................................................................................B-3 Fiber Bypass and TAP (AC-802 Fiber) ..................................................................................................B-3

NetEnforcer User Guide xiv

Table of Contents

Connecting Two NetEnforcers in Full Redundancy .............................................................................. B-7 Status Indicators in Full Redundancy Mode........................................................................................... B-8 Secondary NetEnforcer Activation....................................................................................................... B-11 Primary and Secondary Definitions...................................................................................................... B-12 Full Redundancy Connection ............................................................................................................... B-14

High Availability Platform Power Redundancy................................................................................... B-18

APPENDIX C: HARDWARE CONFIGURATION..................................................C-1 Setting Dip Switches for the Enhanced Platform...................................................................................C-1

Enhanced Platform DIP Switches........................................................................................................... C-3

APPENDIX D: RACK MOUNT INSTALLATION ..................................................D-1

APPENDIX E: NETENFORCER PORT REFERENCE.......................................... E-1 Firewall Ports ............................................................................................................................................ E-1

APPENDIX F: NETENFORCER PROTOCOL REFERENCE .............................. F-1 Supported Protocols ................................................................................................................................. F-1

APPENDIX G: NETENFORCER COMMAND LINE INTERFACE ....................G-1 NetEnforcer Command Line Interface ...................................................................................................G-1

Command Execution Modes ..................................................................................................................G-1 Accessing the CLI .....................................................................................................................................G-2 Scripts ........................................................................................................................................................G-2 CLI Command Syntax..............................................................................................................................G-3 Online Help ...............................................................................................................................................G-4 Command Descriptions ............................................................................................................................G-4

ToS Catalog Editing ...............................................................................................................................G-5 Data Source Catalog Editing ..................................................................................................................G-5 VLAN Catalog Editing...........................................................................................................................G-6 QoS Catalog Editing...............................................................................................................................G-7 Host Catalog Editing ..............................................................................................................................G-9 Time Catalog Editing ...........................................................................................................................G-11 Service Catalog Editing........................................................................................................................G-12 Connection Control Catalog Editing ....................................................................................................G-15

NetEnforcer User Guide xv

Table of Contents

Policy Catalog Editing ..........................................................................................................................G-17 List ........................................................................................................................................................G-19 Configuration Settings ..........................................................................................................................G-20

APPENDIX H: TROUBLESHOOTING.................................................................... H-1

APPENDIX I: GLOSSARY...........................................................................................I-1 Glossary of Terms ......................................................................................................................................I-1

NetEnforcer User Guide xvi

List of Figures

List of Figures Figure 1-1 - Corporate Network Structure with Three Outgoing Wan Links ............................................1-13 Figure 1-2 - Policy for Corporate Traffic...................................................................................................1-14 Figure 1-3 - Managing an Intranet's Mission-Critical Traffic with the NetEnforcer .................................1-16 Figure 1-4 - Wireless ISP Network............................................................................................................1-17 Figure 1-5 - Policy For Wireless ISP Traffic.............................................................................................1-18 Figure 1-6 - NetEnforcer In Satellite Network ..........................................................................................1-19 Figure 1-7 - Preventing A Dos Attack With NetEnforcer..........................................................................1-21 Figure 2-1 – NetEnforcer Front Panel: High Availability Platform (Model AC-802).................................2-5 Figure 2-2 – Link Connections Area: Ac-802 Copper.................................................................................2-6 Figure 2-3 – Link Connections Area: Ac-802 Fiber ....................................................................................2-6 Figure 2-4 – NetEnforcer LCD Panel: High Availability Platform .............................................................2-8 Figure 2-5 – NetEnforcer Rear Panel: High Availability Platform (Model AC-802) ..................................2-9 Figure 2-6 – Copper Bypass Module .........................................................................................................2-12 Figure 2-7 – Connecting NetEnforcer AC-802 Copper to Copper Bypass Module...................................2-13 Figure 2-8 – Fiber Bypass Module ............................................................................................................2-14 Figure 2-9 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass Module .........................................2-15 Figure 2-10 – NetEnforcer Front Panel: Enhanced Platform.....................................................................2-18 Figure 2-11 – NetEnforcer LCD Panel: Enhanced Platform......................................................................2-22 Figure 2-12 – NetEnforcer Rear Panel: Enhanced Platform......................................................................2-23 Figure 2-13 - Management Port.................................................................................................................2-25 Figure 2-14 – LAN And WAN Placement of NetEnforcer........................................................................2-27 Figure 2-15 – NetEnforcer Setup Menu.....................................................................................................2-30 Figure 2-16 – Current Configuration (1) ...................................................................................................2-32 Figure 2-17 – Current Configuration (2) ...................................................................................................2-33 Figure 2-18 – Network Configuration .......................................................................................................2-34 Figure 2-19 – Password .............................................................................................................................2-37 Figure 2-20 – Time Setup ..........................................................................................................................2-38 Figure 2-21 – LCD Panel, Main Menu Options.........................................................................................2-41 Figure 3-1 – NetEnforcer Log On Dialog Box ............................................................................................3-2 Figure 3-2 – NetEnforcer Control Panel ......................................................................................................3-3 Figure 3-3 – Java Plug-In Software License Agreement Window.............................................................3-11 Figure 3-4 – Java Plug-In Security Warning Window...............................................................................3-12 Figure 3-5 - Java Plug-In Security Warning Pop-Up – Certificate Expiration Notice...............................3-13

NetEnforcer User Guide xvii

List of Figures

Figure 3-6 – Java Plug-In Icon.................................................................................................................. 3-14 Figure 3-7 – Plug-In Not Loaded Window................................................................................................ 3-15 Figure 3-8 – Java Plug-In Software License Agreement Window ............................................................ 3-15 Figure 3-9 – Java Plug-In Security Warning Window .............................................................................. 3-16 Figure 4-1 – NetEnforcer Configuration Window ...................................................................................... 4-3 Figure 4-2 – Confirmation Message............................................................................................................ 4-4 Figure 4-3 – Product Ids & Key Parameters ............................................................................................. 4-11 Figure 4-4 – Save confiGuration to NetEnforcer Message ....................................................................... 4-12 Figure 4-5 – Access Links Parameters ...................................................................................................... 4-13 Figure 4-6 – IP & Host Name Parameters................................................................................................. 4-15 Figure 4-7 – Out-of-Band Management .................................................................................................... 4-17 Figure 4-8 – Security Parameters .............................................................................................................. 4-18 Figure 4-9 – NIC Parameters .................................................................................................................... 4-20 Figure 4-10 – Networking Parameters ...................................................................................................... 4-22 Figure 4-11 – Monitoring Only Mode Error Message .............................................................................. 4-24 Figure 4-12 – Activating Monitoring Only Mode Message ...................................................................... 4-24 Figure 4-13 – Deactivating Monitoring Only Mode Message................................................................... 4-25 Figure 4-14 – SNMP Parameters .............................................................................................................. 4-26 Figure 4-15 – Connection Control Parameters.......................................................................................... 4-27 Figure 4-16 – Monitoring Parameters ....................................................................................................... 4-29 Figure 4-17 – Internal Accounting Parameters ......................................................................................... 4-30 Figure 4-18 – External Accounting Parameters ........................................................................................ 4-32 Figure 4-19 – Radius Setup Parameters .................................................................................................... 4-34 Figure 4-20 – Accounting/Radius Storage Parameters.............................................................................. 4-37 Figure 4-21 – LDAP/Text Source Parameters........................................................................................... 4-40 Figure 4-22 – VLAN Parameters .............................................................................................................. 4-41 Figure 4-23 – Alerts Parameters................................................................................................................ 4-43 Figure 4-24 – Denial of Service Parameters.............................................................................................. 4-44 Figure 4-25 – Backup Configuration Dialog Box ..................................................................................... 4-46 Figure 4-26 – restore Configuration Dialog Box ...................................................................................... 4-47 Figure 4-27 – Date and Time Configuration Dialog Box.......................................................................... 4-48 Figure 4-28 – System Message ................................................................................................................. 4-48 Figure 4-29 – Setup Verification Dialog Box ........................................................................................... 4-49 Figure 5-1 – NetWizard Setup Window...................................................................................................... 5-4 Figure 5-2 – NetWizard: Create New Pipe Window................................................................................... 5-5 Figure 5-3 – NetWizard Monitoring Window: Graphs View...................................................................... 5-6 Figure 5-4 – NetWizard Monitoring Window: Statistics View................................................................. 5-10 Figure 5-5 – NetWizard Monitoring Window: Information View ............................................................ 5-12

NetEnforcer User Guide xviii

List of Figures

Figure 5-6 – Netwizard Monitoring Window: Log View ..........................................................................5-14 Figure 5-7 – Policy Definition Window ....................................................................................................5-16 Figure 6-1 – Sample Favorite View.............................................................................................................6-3 Figure 6-2 – Graph Views ...........................................................................................................................6-5 Figure 6-3 – Bar Chart .................................................................................................................................6-6 Figure 6-4 – Pie Chart..................................................................................................................................6-6 Figure 6-5 – Line Chart ...............................................................................................................................6-6 Figure 6-6 – Area Chart ...............................................................................................................................6-6 Figure 6-7 – Displaying Bandwidth.............................................................................................................6-7 Figure 6-8 – Sample Monitoring Window...................................................................................................6-8 Figure 6-9 – NetEnforcer monitoring Menu ................................................................................................6-9 Figure 6-10 – Accessing Monitoring Graphs: Pipe Level .........................................................................6-10 Figure 6-11 – Accessing Monitoring Graphs: Virtual Channel Level .......................................................6-11 Figure 6-12 – Graphs Features Dialog Box ...............................................................................................6-18 Figure 6-13 – Pipes Distribution Graph.....................................................................................................6-25 Figure 6-14 – Selecting Other Graphs .......................................................................................................6-26 Figure 6-15 – Virtual Channels Distribution Graph ..................................................................................6-27 Figure 6-16 – Bandwidth Graph ................................................................................................................6-29 Figure 6-17 –Connections Graph...............................................................................................................6-31 Figure 6-18 – Utilization Graph.................................................................................................................6-32 Figure 6-19 –Packets Graph ......................................................................................................................6-33 Figure 6-20 – Most Active Pipes Graph ....................................................................................................6-35 Figure 6-21 – Cumulative Range Dialog Box ...........................................................................................6-36 Figure 6-22 – Most Active Virtual Channels Graph..................................................................................6-37 Figure 6-23 – Most Active Protocols Graph..............................................................................................6-39 Figure 6-24 – Select Pipe Dialog Box .......................................................................................................6-41 Figure 6-25 – Most Active Hosts Graph....................................................................................................6-42 Figure 6-26 – Most Active Internal Hosts Graph ......................................................................................6-44 Figure 6-27 – Most Active External Hosts Graph .....................................................................................6-46 Figure 6-28 – Most Active Clients Graph..................................................................................................6-48 Figure 6-29 – most Active Servers Graph .................................................................................................6-49 Figure 6-30 – Long-Term Monitoring Agent Window..............................................................................6-56 Figure 6-31 – Long-Term Monitoring First Steps .....................................................................................6-58 Figure 6-32 – Long-Term Monitoring Window ........................................................................................6-59 Figure 6-33 – Setting Long-Term Monitoring Location Dialog Box ........................................................6-60 Figure 6-34 – Long-Term Monitoring Window – Set Data Location........................................................6-61 Figure 6-35 – Long-Term Monitoring Window - Add New Graph...........................................................6-63 Figure 6-36 – Long-Term Monitoring Window – Graph Added ...............................................................6-64

NetEnforcer User Guide xix

List of Figures

Figure 6-37 – Long-Term Monitoring Agent Log .................................................................................... 6-65 Figure 6-38 – Graph Time Span Coverage for (NAME of Selected Graph) Window –

Relative Span Mode ......................................................................................................................... 6-67 Figure 6-39 – Graph Time Span Coverage for (Name of Selected Graph) Window –

Specific Span Mode.......................................................................................................................... 6-69 Figure 6-40 – Long-Term Monitoring Graph (Period Level).................................................................... 6-70 Figure 6-41 – Long-Term Monitoring Graph (Month Level) ................................................................... 6-73 Figure 6-42 – Long-Term Monitoring Graph (Day Level) ....................................................................... 6-74 Figure 6-43 – Long-Term Monitoring Graph (Hour Level)...................................................................... 6-75 Figure 6-44 – Long-Term Monitoring Graph (Five-Minute Level) .......................................................... 6-76 Figure 6-45 – Long-Term Monitoring Graph (Thirty-Second Level) ....................................................... 6-77 Figure 6-46 – Time Unit Selection FOR Detailed View Dialog Box........................................................ 6-78 Figure 6-47 – Collection Log File Dialog Box ......................................................................................... 6-80 Figure 7-1 – Sample Catalog Editor............................................................................................................ 7-4 Figure 7-2 – Policy Editor........................................................................................................................... 7-6 Figure 7-3 – Host Catalog Editor ................................................................................................................ 7-8 Figure 7-4 – New Host Entry Popup Menu................................................................................................. 7-9 Figure 7-5 – Host Catalog Editor: Adding Hosts ...................................................................................... 7-10 Figure 7-6 – Host Catalog Editor: Grouping Hosts................................................................................... 7-13 Figure 7-7 – Hosts Catalog Editor: Ldap-Based Hosts ............................................................................. 7-15 Figure 7-8 – Hosts Catalog Editor: Text File-Based Hosts ....................................................................... 7-18 Figure 7-9 – Service Catalog Editor.......................................................................................................... 7-20 Figure 7-10 – New Service Entry Popup Menu ........................................................................................ 7-21 Figure 7-11 – Service Catalog: Tcp/UDP Protocol ................................................................................... 7-22 Figure 7-12 – Service Catalog: Non-UDP/TCP IP Protocol ..................................................................... 7-23 Figure 7-13 – Service Catalog: Non-IP Protocol ...................................................................................... 7-25 Figure 7-14 – Protocols Library Dialog Box............................................................................................. 7-26 Figure 7-15 – Accessing Protocols Library Dialog Box from Policy Editor............................................. 7-27 Figure 7-16 – Protocols Library Dialog Box Accessed from Policy Editor .............................................. 7-28 Figure 7-17 – Web Update Message ......................................................................................................... 7-29 Figure 7-18 – Service Catalog Editor: Grouping Services ........................................................................ 7-30 Figure 7-19 – Service Catalog: Adding Content and File Name Tab........................................................ 7-32 Figure 7-20 – Service Catalog: Adding Content and URL Tab ................................................................ 7-35 Figure 7-21 – Adding Content: Methods Tab ........................................................................................... 7-36 Figure 7-22 – Adding Content: Hosts Tab ................................................................................................ 7-37 Figure 7-23 – Adding Content: Content Type Tab ................................................................................... 7-39 Figure 7-24 – Service Catalog: Adding Content and Service Tab ............................................................ 7-41 Figure 7-25 – Service Catalog: Adding Content and URL Tab ................................................................ 7-44

NetEnforcer User Guide xx

List of Figures

Figure 7-26 – Service Catalog: Adding Content IN H.323........................................................................7-46 Figure 7-27 – Service Catalog: Adding Content in Citrix .........................................................................7-48 Figure 7-28 – Adding Content: User Name Tab........................................................................................7-49 Figure 7-29 – Adding Content: Priority Tab..............................................................................................7-50 Figure 7-30 – Time Catalog Editor............................................................................................................7-52 Figure 7-31 – Time Entry Definition Dialog Box......................................................................................7-53 Figure 7-32 – Time Entry Definition: Daily ..............................................................................................7-54 Figure 7-33 – Time Entry Definition: Weekly...........................................................................................7-55 Figure 7-34 – Time Entry Definition: Monthly .........................................................................................7-55 Figure 7-35 – Time Entry Definition: Yearly ............................................................................................7-55 Figure 7-36 – Sample TOS Catalog Editor................................................................................................7-57 Figure 7-37 – TOS Catalog Editor: Differentiated Service........................................................................7-59 Figure 7-38 – Differentiated Service – Assured Forwarding.....................................................................7-60 Figure 7-39 – TOS Catalog Editor: Free Format .......................................................................................7-61 Figure 7-40 – Details OF The Ethernet Frame Before and After the Addition of

802.1q Frame Information. ...............................................................................................................7-63 Figure 7-41 – VLAN Catalog Editor .........................................................................................................7-64 Figure 7-42 – QOS Catalog Editor ............................................................................................................7-66 Figure 7-43 – Ignore QOS Warning ..........................................................................................................7-68 figure 7-44 – Defining QOS for Pipes .......................................................................................................7-69 Figure 7-45 – Inbound and Outbound Tab: Half-Duplex Pipe ..................................................................7-72 Figure 7-46 – Defining QOS for Pipes: General Tab ................................................................................7-73 Figure 7-47 – Defining QOS for Virtual Channels....................................................................................7-75 Figure 7-48 – CBR Parameters ..................................................................................................................7-78 Figure 7-49 – Defining Qos for Virtual Channels: General Tab................................................................7-79 Figure 7-50 – Connection Control Catalog Editor.....................................................................................7-81 Figure 7-51 – Connection Control Catalog Editor: Load Balancing..........................................................7-83 Figure 7-52 – Connection Control Catalog Editor: Cache Server .............................................................7-85 Figure 7- 53 – Data Source Catalog Editor................................................................................................7-87 Figure 7-54 – Data Source Catalog Editor: LDAP Server .........................................................................7-88 Figure 7-55 – Data Source Catalog Editor: Hosts Text File ......................................................................7-89 Figure 8-1 – Pipe/Virtual Channel/Rule Relationship .................................................................................8-2 Figure 8-2 – Policy Editor .........................................................................................................................8-11 Figure 8-3 – View Options ........................................................................................................................8-12 Figure 8-4 – Data Source Catalog Editor: Hosts Text File ........................................................................8-17 Figure 8-5 – Host Catalog Editor...............................................................................................................8-18 Figure 8-6 – Query Dialog.........................................................................................................................8-19 Figure 8-7 – Defining Policy Workflow....................................................................................................8-20

NetEnforcer User Guide xxi

List of Figures

Figure 8-8 – Insert Pipe Template............................................................................................................. 8-30 Figure 8-9 – New Pipe Template .............................................................................................................. 8-31 Figure 8-10 – Insert Virtual Channel Template ........................................................................................ 8-33 Figure 8-11 – New Virtual Channel Template .......................................................................................... 8-34 Figure 8-12 – Distribution List.................................................................................................................. 8-35 Figure 8-13 – Device Properties Dialog Box ............................................................................................ 8-36 Figure 8-14 – Distribution Report ............................................................................................................. 8-37 Figure 9-1 – NetEnforcer Configuration Window ...................................................................................... 9-4 Figure 9-2 – Alerts Editor ........................................................................................................................... 9-6 Figure 9-3 – Alerts Editor – Behavior Tab.................................................................................................. 9-8 Figure 9-4 – Alerts Log............................................................................................................................. 9-19 Figure 9-5 – Set Filters For Alerts Log Dialog Box: Severity Tab ........................................................... 9-24 Figure 9-6 – Set Filters For Alerts Log Dialog Box: Acknowledge Tab .................................................. 9-25 Figure 9-7 – Set Filters For Alerts Log Dialog Box: Source Type Tab .................................................... 9-25 Figure 9-8 – Set Filters For Alerts Log Dialog Box: Names & Description Tab...................................... 9-26 Figure 11-1 – Pipe/Vc Lookup For Snmp Dialog Box............................................................................ 11-13 Figure B-1 – Fiber Bypass Unit ..................................................................................................................B-4 Figure B-2 – Multimode Coupler Unit........................................................................................................B-4 Figure B-3 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass and Tap .........................................B-5 Figure B-4 – Connecting Two NetEnforcers in Full Redundancy ..............................................................B-8 Figure B-5 – Full Redundancy Setup Example.........................................................................................B-13 Figure B-6 – DIP Switch Configuration for Enhanced Platform at Full Redundancy ..............................B-17 Figure C-1 - DIP Switch Location: Enhanced Platform..............................................................................C-2

NetEnforcer User Guide xxii

Chapter 1: Introducing NetEnforcer

This chapter introduces NetEnforcer and explains how it delivers Quality of Service.

This chapter includes the following sections:

What is NetEnforcer?, page 1-2, introduces NetEnforcer, providing an overview of its functionality and describing typical environments for its use.

How Does NetEnforcer Deliver QoS?, page 1-4, provides an overview of the NetEnforcer workflow: monitor, classify, enforce and report.

Terms and Concepts, page 1-8, introduces some of the basic terms and concepts used in NetEnforcer.

NetEnforcer in Action, page 1-13, presents scenarios that provide examples of how NetEnforcer can optimize network traffic in a variety of working environments.

NetEnforcer User Guide 1-1


What is NetEnforcer? NetEnforcer is a network policy enforcement device that enables you to monitor, categorize and optimize network traffic by assigning Quality of Service (QoS) to specified classes of traffic. QoS is the ability to define a level of performance in a data communications system.

The exponential growth in the use of the Internet, combined with an increasing number of Web-based applications, has resulted in unprecedented demands on existing communication system technologies. In order to achieve an acceptable level of service and overcome the bandwidth bottleneck problem, network managers need the capability to control network traffic and develop prioritization policies appropriate to available bandwidth.

NetEnforcer gives you the power to intelligently shape network bandwidth and deliver system-wide service level guarantees based on the needs and priorities of the network service provider or corporation.

Optional Software Packages NetEnforcer can be further enhanced with the addition of optional software packages, as follows:

•

• •

NetAccountant: Provides policy-based tracking of bandwidth and transactions, usage-based reporting and billing.

CacheEnforcer: Enables the enforcement of network caching policies.

NetBalancer: Enables the distribution of traffic according to individual server capabilities.



NetEnforcer Environments Typical application environments for the NetEnforcer product family include:

•

•

•

•

•

Corporate Networks: NetEnforcer controls traffic flows from Web-based customers, internal users and remote offices to centralized corporate networks and services. Network managers can give high priority to mission-critical applications and assure necessary bandwidth to timing-critical applications such as voice and video.

Internet Service Providers: NetEnforcer manages and enforces SLAs (Service Level Agreements). ISPs are able to deliver advanced bandwidth capabilities to customers and provide differentiated services, partition bandwidth and support Web hosting. NetEnforcer is geared for ISP operations providing full SLA support and integration with ODBC and RADIUS-based billing packages, in addition to interfacing to LDAP-based user directories.

Educational Network: NetEnforcer limits the use of low priority traffic such as music and file-sharing applications, and assigns Quality of Service (QoS) for specific user groups. The NetEnforcer can limit students' access to particular sites and applications during business hours, while allowing high-priority access to faculty members or administrators.

Wireless ISP Network: NetEnforcer offers service providers a complete suite of tools for better managing over-subscription and enforcing SLAs. NetEnforcer allows providers to immediately identify, and then cap or limit bandwidth abusers. Its Web-based policy manager, traffic monitor and IP accounting tools offer superior functionality and ease-of-use for allowing the service provider to discover how Internet access is being used. NetEnforcer is an ideal platform for rapidly provisioning new subscribers, creating and enforcing multiple tiers of service, and collecting usage-based billing information for export to an external database.

Voice and Video Applications: NetEnforcer enables the prioritization of data applications and the guaranteeing of bandwidth to timing-critical, real-time applications like Voice over IP and Video. NetEnforcer allows control of your data and voice traffic. Through NetEnforcer, specific voice, video and multimedia traffic flows can be identified and the following actions can be assigned: minimum and maximum bandwidth, priorities, guaranteed rate, fairness and admission control.



• Satellite Network: Using NetEnforcer, satellite service providers reduce data retransmissions, assure fairness by prioritizing users and applications, and provide predictable, guaranteed bandwidth for video and voice-type streaming applications. NetEnforcer maximizes the efficiency of traffic flowing through satellite systems. Its advanced analysis capabilities allow the intelligent distribution of traffic through WAN channels based on the overall state of the satellite link, its delays and throughput. The end-result is a more efficient, reliable, and predictable system for delivering applications over the network.

How Does NetEnforcer Deliver QoS? NetEnforcer provides policy-based bandwidth management. Policy is defined by classifying traffic and assigning QoS to each classification. Your policy is built and defined over time and can be continuously adapted to meet your network requirement. The NetEnforcer workflow is as follows:

Monitor NetEnforcer's monitoring tools enable you to monitor in real-time the type of traffic flowing through your network and determine your current network application patterns. When and where your network has peaks, bursts and bottlenecks is hard to predict. The monitoring tools enable you to see these peaks in real time, which is crucial to managing these unwanted phenomena.



Different applications, such as e-Business, ERP and real-time applications, require performance guarantees. Other mission-critical applications may suffer from a shortage of bandwidth, while non-critical Web browsing and batch traffic, such as mail and FTP, may use up network resources. Using the monitoring tools, you can identify applications on your network that you consider mission-critical applications. These may be special applications that are time and/or resource sensitive to which you may want to provide increased bandwidth or server resources. Similarly, you can identify items on your network that you consider low priority. These may include traffic that you consider non-time and/or response sensitive, or applications that you wish to limit during busy hours, such as FTP traffic.

The NetEnforcer monitoring tools are described in Chapter 6, Monitoring Network Traffic.

Classify Once you understand your network traffic patterns, you define a policy to improve your network performance.

QoS policy consists of a set of conditions (a rule) and a set of actions that apply when the conditions are satisfied. The actions include the QoS to be applied. For example, a rule might be defined as traffic from source A to source B. When traffic is matched to that rule, the specified QoS is applied.

Classification is made easier with the use of Pipes and Virtual Channels. A Pipe and a Virtual Channel are defined by one or more rules and a set of actions.

Pipe Rule

Rule

Rule

Rule

Actions

Virtual Channel Rule

Rule

Rule

Actions



A Pipe includes one or more Virtual Channels. Thus, your policy consists of a hierarchy of classification. Every connection into NetEnforcer is matched to a rule, as follows:

•

•

•

Find the first Pipe rule that the connection matches. There is a default Pipe defined in NetEnforcer (Fallback Pipe). If a connection does not match the rules of any other Pipes, it matches the Fallback Pipe.

Within that Pipe, find the first Virtual Channel rule that the connection matches. Every Pipe includes a default Virtual Channel (Fallback). If a connection does not match the rules of any other Virtual Channels within the Pipe, it matches the Fallback Virtual Channel.

Apply the actions defined for that Virtual Channel.

Pipes enable ISPs to divide bandwidth into logical slices and offer them to customers. The customers can then further divide the slice of bandwidth using Virtual Channels. Similarly, enterprises with several links to the Internet can manage each link separately by defining a Pipe for each link.

To speed up the creation of your policy, you can use a Pipe or Virtual Channel template. Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other but with a different IP address as the source or destination. Thus, a template must include a list of IP addresses in the source or destination definition. A template saves the need to define similar Pipes or Virtual Channels when the only difference between them is the IP address in the source or destination.

Policy is defined in the Policy Editor (described in Chapter 8, Defining Policies). Values for the conditions that make up a rule and for actions are predefined in Catalogs (described in Chapter 7, Defining Catalog Entries).

Enforce The process of saving a policy saves the policy to NetEnforcer, which then begins to enforce the policy. NetEnforcer continuously prioritizes and shapes network bandwidth according to your defined and saved policy.



Report NetEnforcer's monitoring tools enable you to monitor in real-time the type of traffic flowing through your network and determine your current network application patterns.

Once again, NetEnforcer's monitoring tools enable you to monitor your network traffic and verify enforcement of the QoS policy. You can confirm that monitoring graphs reflect the behavior expected by the policy definition. You can monitor traffic in real-time and, using Long Term Monitoring, you can monitor your network's activity over a much longer period of time. If required, you can make adjustments to your QoS policy in order to fine-tune network performance.

The NetEnforcer monitoring tools are described in Chapter 6, Monitoring Network Traffic.

Fail-Safe Operation Allot NetEnforcer has two fail-safe features that ensure proper and continuous network function: Bypass and Full Redundancy.

All NetEnforcers contain a Bypass element that connects the Internal connector to the External connector in the case of a subsystem failure in NetEnforcer or a power loss. This mechanism ensures that traffic continues to pass through passive elements of the NetEnforcer should any hardware or software problem occur. The Bypass is an internal element on all models except the High Availability AC-802 models, where it is implemented as an external Bypass module.

Full Redundancy is a backup mechanism that handles the failure of a network device, and ensures the network continues to function. Full Redundancy is provided by connecting two NetEnforcers in parallel. The primary NetEnforcer handles the traffic and the secondary NetEnforcer is designed to be in Standby mode as long as the primary NetEnforcer is active. Only if, for any reason, the primary NetEnforcer is not able to function properly, does the secondary NetEnforcer become active.

In Full Redundancy mode, Bypass mode will be activated, in the event that both the Primary and Secondary NetEnforcer systems fail.



Terms and Concepts This section introduces some of the basic terms and concepts used in NetEnforcer.

QoS QoS is the ability to define a level of performance in a data communications system. In NetEnforcer, QoS is defined as an action applied to a connection when the conditions of a rule are satisfied. The QoS specified can include the following:

•

•

•

•

•

Prioritized Bandwidth: Delivers levels of service based on a connection's importance level and demand for traffic relative to other connections. During peak traffic periods, the NetEnforcer will slow down lower priority applications, resulting in increased bandwidth delivery to higher priority applications.

Guaranteed Bandwidth: Enables the assignment of fixed minimum and maximum amounts of bandwidth to specific Pipes, Virtual Channels and connections. By borrowing excess bandwidth when it is available, connections are able to burst above guaranteed minimum limits, up to the maximum guaranteed rate. Guaranteed rates also assure predictable service quality by enabling time-critical applications to receive constant levels of service during peak and non-peak traffic periods.

Reserved Bandwidth on Demand: Enables the reservation of the minimum bandwidth at the first byte of a connection until the connection is ended. This is useful when the bottleneck is not at the link governed by NetEnforcer. By limiting other connections (non-guarantees), NetEnforcer reserves enough bandwidth for the required Pipe or Virtual Channel.

TOS Marking: Enables the marking of connections admitted beyond the maximum connections allowed per Virtual Channel with a different TOS value. Additionally, out-of-profile traffic (beyond the guaranteed minimum) can be marked with a different TOS value than the in-profile traffic for each connection.

Access Control: Determines whether a connection is accepted, dropped or rejected. For example, you can specify the following Pipe: accept 1000 ICMP connections to Server1 and drop the rest. NetEnforcer can also be instructed to accept new connections with a lower priority.



• Admission Control: Determines the bandwidth granted to a flow based on your demand (for example, allocated minimum of 10kbps) and NetEnforcer's system state (meaning, there is enough bandwidth available).

Catalog Editors Catalog Editors enable you to define values for defining your policy. The possible values for each condition of a rule and for actions are defined in the Catalog entries in the Catalog Editors. A Catalog Editor enables you to give a logical name to a comprehensive set of parameters (a Catalog entry). This logical name then becomes a possible value for a condition or action. Catalog Editors are described in detail in Chapter 7, Defining Catalog Entries.

Pipes A Pipe provides a way of classifying traffic that enables you to divide the total bandwidth and then manage every Pipe as if it was an independent link. A Pipe consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of Virtual Channels from a QoS point of view. When you add a new Pipe, it always includes at least one Virtual Channel, the Fallback Virtual Channel. The rule of the Fallback Virtual Channel cannot be modified or deleted. A connection coming into NetEnforcer is matched to a Pipe according to whether the characteristics of the connection match any of the rules of the Pipe. The connection is then further matched to the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are enforced together with the actions of the Pipe.



Virtual Channels A Virtual Channel provides a way of classifying traffic and consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further matched to a Virtual Channel according to whether the characteristics of the connection match any of the rules of the Virtual Channel.

Rules A rule is a set of six conditions. Rules can be defined at Pipe level or Virtual Channel level. NetEnforcer matches connections to rules, first at the Pipe level and then at Virtual Channel level within a Pipe.

The five conditions that make up a rule are as follows:

•

•

•

•

•

Connection Source: Defines the source of the traffic. For example, a specific IP or MAC address, a range of IP addresses, IP Subnet addresses, or host names. The default value is Any which covers traffic from any source.

Connection Destination: Defines the destination of the traffic. For example, a specific IP or MAC address, a range of IP addresses, IP Subnet addresses, or host names. The default value is Any, which covers traffic to any destination.

Service: Defines the protocols relevant to a connection. Protocols may be TCP and UDP IP type, non-TCP and non-UDP type or non-IP type. TCP and UDP IP protocols are defined based on port type. HTTP protocols may include content definitions, such as specific Web directories, pages, or URL patterns. The default value is all, which covers all protocols.

TOS: Defines the TOS byte contained in the IP headers of the traffic. The default value is Any, which covers any TOS value.

VLAN: Defines VLAN bits contained in the VLAN header of the traffic. The default value is Any, which covers any VLAN value.



• Time: Defines the time period during which the traffic is received. For example daily between 8.00 AM and 6.00 PM, Sundays between 12.00 AM and 12.00 PM or on the 1st and 15th of the month. The default value is Always, which covers traffic at any time.

When a new Pipe or Virtual Channel is created, it is assigned a default rule with default values for each condition and you can modify these values as required.

Templates Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other. Templates work with host group entries and LDAP-based hosts entries defined in the Host Catalog. For example, if you had a host group entry in the Host Catalog called Gold Customers that consisted of Company X, Company Y and Company Z, you could define a Pipe template to be expanded for Gold Customers. This would result in Pipes being created for Company X, Company Y and Company Z when the Policy Editor is saved.

A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual Channels on source/destination differentiation. This means that you do not need to define similar Pipes and Virtual Channels when the only difference between them is the IP address in the source or destination.



NetWizard NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a network, enabling the network manager to quickly define QoS policies for each type of protocol in the network. This, in turn, improves the efficiency and application response time of the network.

NetWizard automatically identifies the traffic protocols in your network and then guides you through the QoS configuration process, allowing you to assign minimum and maximum bandwidth and priority for the various protocols.

With NetWizard, you need not be initially acquainted with every protocol or the traffic patterns in your network in order to define QoS policy. Once you make your initial selections, a QoS policy is generated, enabling NetEnforcer to enforce that policy in your network. Further refinement of the policy is possible when you have become more familiar with NetEnforcer tools, such as the Policy Editor and Catalog Editors.



NetEnforcer in Action The following scenarios provide examples of how NetEnforcer can optimize network traffic in a variety of working environments.

Scenario 1: Corporate In this example, the Pipe feature enables the network manager to manage traffic to three different WAN links and create a Pipe for each one of them.

Figure 1-1 - Corporate Network Structure with Three Outgoing WAN Links

The network manager would like to assign a maximum of 2Mbps for each WAN link. The multiple protocol traffic is going to different locations, based on the IP address.



Pipes are created as follows:

•

•

Link 1 traffic is limited to 2Mbps with Business applications (SAP) and Multimedia classified based on TOS marking.

Links 2 and 3 are also limited to 2Mbps.

All traffic to links is classified based on the destination address.

The Policy Editor is set up as follows:

Figure 1-2 - Policy for Corporate Traffic



Scenario 2: QoS in an Intranet Corporate Intranets have become key repositories of business information needed by employees across the enterprise. Companies also rely on the existence of network-based services for their businesses, running mission critical applications for ERP, CRM, eCommerce, and more. Poor application response times, caused by the mix of business-critical and non-critical traffic on the same network, quickly translate into decreased productivity, lost revenues and increased business costs. In addition, the penetration of time-sensitive video conferencing and voice over IP (VoIP) offer low-cost alternatives to expensive business trips and telephone conference calls, but these applications require sustained network performance and therefore place increased demands on the network.

NetEnforcer enables mission-critical applications to run smoothly over otherwise unmanaged and congested Intranets. NetEnforcer ensures the response time of mission-critical applications by prioritizing their traffic or guaranteeing them a portion of bandwidth. At the same time, traffic from less critical and less time-sensitive applications receive a limited amount of bandwidth or a lower priority. NetEnforcer guarantees the performance of business-critical applications by grouping and defining policies that will classify traffic into categories such as “Mission-Critical Billing Application” or “Time-Sensitive Voice over IP.”



The figure below illustrates how a NetEnforcer manages an Intranet's mission critical traffic.

Figure 1-3 - Managing an Intranet's mission-critical traffic with the NetEnforcer

A policy-based quality of service (QoS) solution ensures that mission-critical applications receive the bandwidth they require. NetEnforcer controls important network resources such as bandwidth, servers, applications and users. It also monitors and records traffic usage information based on clients, servers, application, time and DiffServ tagging.



Scenario 3: ISP An Internet Service Provider sells slices of bandwidth to subscribers (defined in Pipes), with an advanced offering of tiered services (for example, Gold, Silver and Bronze customers). Managing customer traffic with high granularity is needed. For example, to create a separate Pipe for each subscriber and divide traffic according to the customer needs.

Figure 1-4 - Wireless ISP Network

The ISP would like to control the maximum usage of each subscriber while limiting the total bandwidth used. Moreover, the ISP needs to over-subscribe customers (there are more customers than the bandwidth available for each VC/Pipe). The ISP would like to offer tiered services.

The ISP does the following:

• • •

Assigns Gold, Silver and Bronze service levels.

Sets a maximum of 8Mbps to Smart Building tenants (minimum 2Mbps).

Assigns a minimum of 60 Kbps and maximum of 100 Kbps to and every home user.



•

•

• •

Using templates, the ISP is able to over-subscribe tenants (since, most probably, not all of them will be active at the same time).

A Silver level is assigned to Regional Office 1 users with a minimum of 100 Kbps and a maximum of 250 Kbps.

Lotus Notes users are assured a minimum of 40 Kbps.

A Bronze level is assigned to Regional Office 2 (minimum 40 Kbps and maximum 250 Kbps).

The Policy Editor is set up as follows:


Figure 1-5 - Policy for Wireless ISP Traffic


Scenario 4: Satellite Provider Reduce Packet Loss and Network Delays

In today's typical LANs, routers or access devices simply drop packets when excess traffic congests. In a satellite network, the satellite link is the most expensive resource on the network. Long delays in packet transmission from a ground station to the satellite and then back to the ground causes serious degradation in the overall throughput of the system. This problem becomes compounded as other parts of the network introduce more, inconsistent delays, resulting in a very unpredictable end-to-end network environment. Because of this, it is critical in a satellite environment that lost traffic and packet retransmissions are reduced to a minimum.

Using NetEnforcer, satellite service providers reduce data retransmissions, assure fairness by prioritizing users and applications, and provide predictable, guaranteed bandwidth for video and voice-type streaming applications. NetEnforcer maximizes the efficiency of traffic flowing through satellite systems. Its advanced analysis capabilities allow the intelligent distribution of traffic through WAN channels based on the overall state of the satellite link, its delays and throughput. The end-result is a more efficient, reliable, and predictable system for delivering applications over the network.

Figure 1-6 - NetEnforcer in Satellite Network



Satellite service providers provide local services for allowing many customers to share a common satellite link to remote services. NetEnforcer is placed between the local network of the satellite provider and the remote users.

Assure Fairness

In most satellite environments, a single uplink from the service provider delivers bandwidth intended for multiple users while the downlink is broadcast simultaneously to many different networks. This results in a few low-priority users or applications taking up most of the available resources without regard to the applications’ importance or overall need for bandwidth. Using NetEnforcer in satellite networks assures fairness between users and applications.

Scenario 5: Enhancing Enterprise Security One of the best security practices for the enterprise is to design a multi-layered security system using NetEnforcer to monitor, alert and block DoS attacks, and enhance the overall security of the network. You can also use NetEnforcer to improve network performance by resource management and create a first line of protection from illegitimate users and applications that seize an undeserved share of resources.

NetEnforcer detects known DoS attacks and intelligently blocks new flows suspected as destructive traffic. Placing NetEnforcer at the edge of the enterprise network enhances the performance of firewalls and other internal network devices. NetEnforcer discards malicious traffic packets that slip past routers and firewalls to improve application performance and enhance network security.



How to setup your network with NetEnforcer to prevent DoS attacks is shown in the following diagram:

Figure 1-7 - Preventing a DoS Attack with NetEnforcer

An attacker sends broadcast pings using a victim's address as the source address. The pings go to all addresses on the subnet and each device on the subnet responds to the ping, flooding the victim with ICMP traffic. In a network protected with NetEnforcer, all ping (ICMP) traffic is monitored. When NetEnforcer detects excessive amounts of ICMP connections, it discards the malicious traffic, thereby blocking the DoS attack.




Chapter 2: Installing NetEnforcer

This chapter describes the NetEnforcer hardware and the initial installation and setup of NetEnforcer. NetEnforcer is a transparent learning bridge that is IEEE 802.1-compliant.

NetEnforcer contains a Bypass switch that connects the Internal connector to the External connector in the case of a subsystem failure in NetEnforcer or a power loss. The Bypass switch is an external component on the AC-802 High Availability models and an internal component on other models. This mechanism ensures that data passes through NetEnforcer should any hardware or software problem occur.


Hardware Description, page 2-2, describes the accessories included with NetEnforcer, and provides a physical description of the front and rear panels of NetEnforcer, and a description of the external Bypass used with the AC-802 High Availability models. It also describes the Enhanced platform.

Placement in the Network, page 2-27, describes where to place NetEnforcer in the network and how to connect NetEnforcer to the network.

Setting Up NetEnforcer, page 2-29, describes how to define the initial basic parameters required to work with NetEnforcer using a terminal or via the LCD panel.



Hardware Description NetEnforcer enables the definition and classification of traffic by users, applications and resources. Several NetEnforcer models are available to support large and small sites and different data network speeds. The following NetEnforcer models are available:

Model Bandwidth Pipes VCs (Total) Connections Platform

NetEnforcer Standard Platform

AC-202/MO 10M 128 1,024 24,000 Enhanced

AC-202/128 128K 128 1,024 6,000 Enhanced

AC-202/512 512K 128 1,024 6,000 Enhanced

AC-202/2M 2M 256 2,048 12,000 Enhanced

AC-202/10M 10M 512 2,048 24,000 Enhanced

AC-402/MO 100M 512 2,048 96,000 Enhanced

AC-402/10M 10M 512 2,048 24,000 Enhanced

AC-402/45M 45M 1,024 4,096 64,000 Enhanced

AC-402/100M 100M 1,024 4,096 96,000 Enhanced

NetEnforcer High-Availability Platform

AC-802/100M 100M 2,048 8,192 128,000 High Availability



AC-802/SP-100M 100M 4,096 28,672 256,000 High Availability





NetEnforcers are divided into two categories:

•

•

• • • •

High Availability Models: AC-802 is 3.5" high, (two rack units). For information on the High Availability platform, see page 2-3. Enhanced Models: AC-202 and AC-402 are 1.75" high, (one rack unit). For more information on the Enhanced platform, see page 2-17.

NetEnforcer High Availability Platform The NetEnforcer AC-802 offers carrier-grade design with redundant critical components for fail-safe operation. Redundant hardware components on the AC-802 include redundant fans and dual hot-swappable power supplies.

The AC-802 series consist of four models, as follows:

AC-802 Copper AC-802/SP Copper AC-802 Fiber AC-802/SP Fiber

These platforms come with an additional module known as a Copper Bypass (for the AC-802 Copper) and a Fiber Bypass (for the AC802 Fiber). These modules are external Bypass switches.

CAUTION:

All AC-802 models only work when the appropriate Bypass module is connected to it. This is to ensure continuous service in the event of failure.

High Availability Platform Unpacking Verify that the following items are included with NetEnforcer: • • • • •

NetEnforcer (hardware with pre-installed software) NetEnforcer User's Manual 2 Power Cables 2 Cross Ethernet Cables (for AC-802 Copper) 1 Serial Console Cable



• •

2 Side Mounting Brackets DB-9 Backup Cable

All NetEnforcer models contain a lithium battery on the main board.

CAUTION:

Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer.

Dispose of used batteries according to the manufacturer’s instructions.

NOTE:

The maximum Ethernet cable length is generally up to 50 meters.

High Availability Platform Front Panel The front panel of High Availability models includes the following ports:

• • • •

Network Connectors (Internal and External)

Management Port

Console Connecter

Backup (9-pin D-type) Connector

Management of NetEnforcer High Availability models can be via the Management port or network connectors.



AC-802 Models Front Panel

NetEnforcer connects to your network via connectors located on the front panel. These connectors and the LED indicators on the front panel are shown below:

LCD Panel Link Connections AreaAccessory Area

External/Internal Indicators

External/Internal Network Connectors

Management Port Management

Indicators Console Connector

Backup Connector

LCD Panel Link Connections AreaAccessory Area

External/Internal Indicators

External/Internal Network Connectors

Management Port Management

Indicators Console Connector

Backup Connector

Figure 2-1 – NetEnforcer Front Panel: High Availability Platform (Model AC-802)

CAUTION:

Motherboard contains lithium battery. Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer.

Dispose of used battery according to the manufacturer’s instructions.



The Link Connections Area differs slightly according to the model as shown in the following diagrams:

Figure 2-2 – Link Connections Area: AC-802 Copper

Figure 2-3 – Link Connections Area: AC-802 Fiber

CAUTION:

CLASS 1 LASER PRODUCT. DANGER! Invisible laser radiation when opened. AVOID DIRECT EXPOSURE TO BEAM.

The front panel of the AC-802 model contains LEDs that are positioned on each of the External, Internal and Management connectors or used as the Standby, Active and Power indicators.



The modes of operation of the External, Internal and Management indicators are described in the table below.

Extrnl/Intrnl/Mngmt NetEnforcer Status Green A link is detected.

Orange Blinks when traffic is detected on the interface.

Off No link activity is detected.

Table 2-1 – External/Internal/Management LED Conditions: AC-802

The modes of operation of the Standby, Active and Power indicators are described in the table below.

Indicator Status NetEnforcer Status

Standby On Two NetEnforcers are connected in Redundancy mode and this NetEnforcer is the secondary system.

Off If you have one NetEnforcer, this should be the normal state of the LED. If you have two NetEnforcers configured in Redundancy mode, this NetEnforcer is not in standby.

Active On NetEnforcer is in Active mode. Off NetEnforcer is in Bypass mode. Traffic passes through

NetEnforcer with no Quality of Service or traffic shaping. If you have two NetEnforcers configured in Redundancy mode, this is the secondary NetEnforcer in a Full Redundancy configuration and it is not active (In the other NetEnforcer this LED should be on).

Power On NetEnforcer is powered up. Off NetEnforcer is shut down.

Table 2-2 – Standby/Active/Power LED Conditions: AC-802



LCD Panel High Availability Platform

The LCD panel provides an indication of traffic usage and enables you to configure NetEnforcer directly without the need to connect a terminal.

On/Off Enter

Up Arrow

Display Area

Select

Power Indicator

Active Indicator

Standby Indicator

Left Arrow

Right Arrow

Down Arrow

On/Off Enter

Up Arrow

Display Area

Select

Power Indicator

Active Indicator

Standby Indicator

Left Arrow

Right Arrow

Down Arrow

Figure 2-4 – NetEnforcer LCD Panel: High Availability Platform

For a description of how to configure NetEnforcer using the LCD panel, refer to Configuring Via the LCD Panel, page 2-40.

Management Port

The Management port exists on the Enhanced and High Availability platforms. The dedicated Management port enables out-of-band management. Operating through the Management port denies management access to the device from Internal or External ports. Moreover, when there is a problem in the regular network you can still manage and monitor the NetEnforcer.

For more information on the Management port, see Out-of-Band Management, page 2-25.



High Availability Platform Rear Panel AC-802 Models Rear Panel

The rear panel of AC-802 contains the following:

• • • • •

Two Power Cable Connectors

Ground Connector

Keyboard Connector (used to connect a keyboard)

VGA Connector (used to connect a monitor)

Two Hot-swappable Power Supplies

VGA Connector

Ground Connector Hot Swappable

Power Supplies

Bi-Color Power LEDs

Keyboard Connector

VGA Connector

Ground Connector Hot Swappable

Power Supplies

Bi-Color Power LEDs

Keyboard Connector

Figure 2-5 – NetEnforcer Rear Panel: High Availability Platform (Model AC-802)

AC-802 Models Power Supply

NetEnforcer AC-802 includes two hot-swappable power supply modules and a dual line feed for Redundancy purposes. Each line feed is driving one power supply.



NOTE:

The power supply automatically adapts to voltages between 100 V and 240 V, 50/60 Hz.

Should you need to, you can replace one of the power supplies while NetEnforcer is connected and operating. Replacing a power supply while the unit is operating is possible since the remaining power supply will take the full load and maintain full operation.

NOTE:

To remove a power supply module, press the release button, pull the handle and slide the module out. Leave the power cord connected when removing a power supply module.

Each power supply has a bi-color power LED indicating input/output power status:

LED Power Supply Status Green A green light indicates that the power supply is connected to

power and no failure condition exists.

Red A red light indicates that a failure condition exists.

When power failure occurs, the power LED indication is Red and an internal buzzer beeps. You have to remove the power supply module to quiet the buzzer. Leave the power cord connected when removing a power supply module.

Key features of the power supply include:

• • • • •

Hot-pluggable, easy to maintain

Based on the N+1, load sharing

Universal AC input with Power Factor correction

Rear panel with bi-color LED indicating input/output power status

Power fault buzzer alarm system



Bypass Modules The AC-802 operates with an external Bypass module. The Bypass module is a mission-critical subsystem designed to ensure network connectivity at all times. The Bypass mechanism provides ‘connectivity insurance’ in the event of a NetEnforcer subsystems failure. The AC-802 Copper operates with a Copper Bypass and the AC-802 Fiber operates with a Fiber Bypass. The Bypass module is connected to NetEnforcer by a series of leads and cables.

CAUTION:

NetEnforcer AC-802 must be connected to the appropriate Bypass module. This is to ensure continuous service in the event of failure.

A separate NetEnforcer Bypass package is included with your AC-802 shipment. The box includes the following:

• • • •

NetEnforcer Copper Bypass or Fiber Bypass Module

Two side mounting brackets

Two straight Ethernet cables (AC-802 Copper)

Two cross-over Ethernet cables (AC-802 Copper)



Copper Bypass Module

The Copper Bypass module works in conjunction with NetEnforcer AC-802 Copper models.

To External Router

Connector To Internal Switch

Connector

External Connector

Internal Connector

Mode LED

Indicator

To Secondary NetEnforcer

Backup Connector

To Primary NetEnforcer Connector

To External Router

Connector To Internal Switch

Connector

External Connector

Internal Connector

Mode LED

Indicator

To Secondary NetEnforcer

Backup Connector

To Primary NetEnforcer Connector

Figure 2-6 – Copper Bypass Module

NOTE:

Use the supplied UTP CAT-5 straight Ethernet cables to connect link connections marked with Internal and External labels).

The Copper Bypass module includes RJ-45 connectors for Ethernet cables and two D-type 9-pin connectors for primary and redundant unit to backup connection.



The following procedure describes how to connect a Copper Bypass module to NetEnforcer. The procedure contains circled numbers, for example 11 , relating to reference numbers used in the diagram.

Figure 2-7 – Connecting NetEnforcer AC-802 Copper to Copper Bypass Module

To connect the Copper Bypass to NetEnforcer:

1. Connect the External cable from the External port on the Bypass module 77 , to the External port on NetEnforcer 11 .

2. Connect the Internal cable from the Internal port on the Bypass module 88 , to the Internal port on NetEnforcer 22 .

3. Connect the D-type connector from the Primary port on the Bypass module 99 , to the Backup port on NetEnforcer 33 .

4. Connect the External cable from the External port on the Bypass module 55 , to a router connector.



5. Connect the Internal cable from the Internal port on the Bypass module 44 , to a switch connector.

6. To connect a secondary NetEnforcer for Full Redundancy, you need two NetEnforcers and one Bypass module. Connect the backup D-type connector from the Secondary port on the Bypass module 66 , to another NetEnforcer.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass module.

•

Fiber Bypass Module

The Fiber Bypass module works in conjunction with NetEnforcer AC-802 Fiber.

To External NetworkConnector

To Primary NetEnforcerConnector

To Secondary NetEnforcerBackup Connector

Fiber Cable

To Internal NetworkConnector




Fiber Cable


Figure 2-8 – Fiber Bypass Module

NOTES:

Use 62.5/125µ or 50/125µ fiber optic cables with duplex SC connectors (not provided) to connect 1 Gbps ports of the switch and the router. Cables with duplex LC connectors (marked with Internal and External labels) are provided with the unit.



The Fiber Bypass module includes two duplex LC connectors, two built in fiber cables and two D-type 9-pin connectors for primary and redundant unit to backup connection.

The following procedure describes how to connect a Fiber Bypass module to NetEnforcer. The procedure contains circled numbers, for example 11 , relating to reference numbers used in the diagram.

Figure 2-9 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass Module

To connect the Fiber Bypass to NetEnforcer:

1. Connect the fiber cable labeled External from the Bypass module 77 , to the External port on NetEnforcer 11 .

2. Connect the fiber cable labeled Internal from the Bypass module 77 , to the Internal port on NetEnforcer 22 .




4. Connect a 62.5/125µ or 50/125µ External fiber optic cable from the External port on the Bypass module 55 , to a 1 Gbps router.

5. Connect a 62.5/125µ or 50/125µ Internal fiber optic cable from the Internal port on the Bypass module

66 , to a 1 Gbps switch.

6. To connect a secondary NetEnforcer for Full Redundancy, you need two NetEnforcers and one Bypass module. Connect the backup D-type connector from the Secondary port on the Bypass module 44 , to another NetEnforcer.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass module.

•

Powering Up The following procedure describes how to power up the High Availability platform models using the LCD panel.

AC-802 Models Powering Up

NOTE:

NetEnforcer and the Bypass module have to be fully plugged and connected before power is turned on. This is to ensure proper and systematic power up.

It is recommended to connect the two power line feeds to separate power sources to have full power redundancy. The two bi-color Power LEDs on the rear of NetEnforcer are lit indicating that the power supply is connected to power and no failure condition exists.

The Power LED on the LCD panel is lit and the Mode LED on the Bypass module is off, indicating that the power is on and NetEnforcer is bypassed.

The display area of the LCD panel indicates the following: Power On.

After a few seconds, the display area of the LCD panel indicates the following: System Loading *.



Once the system has completed loading, the following occurs:

•

•

• •

• •

• • • • • •

The Active LED on the LCD panel is lit and the Mode LED on the Bypass module is lit, meaning that NetEnforcer is now connected to the network.

The display area of the LCD panel indicates the default view - the current bandwidth consumption. For example: Inbound: XXX.X

Outbound: YYY.Y

You can now proceed to configure NetEnforcer, as required.

NetEnforcer Enhanced Platform The NetEnforcer AC-202 and AC-402 models feature a newly designed front panel that includes:

An easily visible LCD panel that indicates traffic usage. A keypad that enables direct configuration without the need to connect to a remote terminal; and the ability to start, reboot and shutdown from the front panel.

New features on the rear panel include: Additional serial port, (for future use). A backup (37-pin D-type backup) connector.

Enhanced Platform Unpacking Verify that the following items are included with NetEnforcer:

NetEnforcer (hardware with pre-installed software) NetEnforcer User's Manual 1 Power Cable 2 Cross Ethernet Cables 1 Serial Console Cable 2 19" Side Mounting Brackets



All NetEnforcer models contain a lithium battery on the main board.

CAUTION:

Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer.

Dispose of used batteries according to the manufacturer’s instructions.

NOTE:

The maximum cable length is generally up to 50 meters.

Enhanced Platform Front Panel The Enhanced Platform connects to your network via connectors located on the front panel. The LCD panel, connectors and LED indicators on the front panel, are shown below.

Internal/ExternalIndicators

Console Connector

LED Indicators

Management Port

LCD PanelInternal/ExternalIndicators

Console Connector

LED Indicators

Management Port

LCD Panel

Figure 2-10 – NetEnforcer Front Panel: Enhanced Platform



The front panel of the Enhanced Platform contains nine LEDs. Two LEDs are positioned on each of the External, Internal and Management network connectors. The remaining three LEDs are the Standby, Active and Power indicators.



The modes of operation of the External, Internal and Management indicators are described in the table below.


Green On A valid link is detected (either 10 or 100Mbps).

Off No valid link.

Orange On Blinks when traffic (activity) is detected on the interface.

Off No traffic (activity) is detected on the interface. Table 2-3 – External/Internal/Management LED Conditions: Enhanced Platform



The modes of operation of the Standby, Active and Power indicators are described in the table below.


Standby On Two NetEnforcers are connected in Redundancy mode and this NetEnforcer is the secondary system.

Off If you have one NetEnforcer, this should be the normal state of the LED. If you have two NetEnforcers configured in Redundancy mode, this NetEnforcer is not in standby.

Active On NetEnforcer is in Active mode. Off NetEnforcer is in Bypass mode. Traffic passes through

NetEnforcer with no Quality of Service or traffic shaping. If you have two NetEnforcers configured in Redundancy mode, this is the secondary NetEnforcer in a Full Redundancy configuration and it is not active (In the other NetEnforcer this LED should be on).

Power On NetEnforcer is powered up. Off NetEnforcer is shut down.

Table 2-4 – Standby/Active/Power LED Conditions: Enhanced Platform



Enhanced Platform LCD Panel

The LCD panel provides an indication of traffic usage and enables you to configure the system directly without the need to connect to a terminal. Standby Indicator

On/Off Select Enter

Display Area

Active Indicator

Power Indicator

Up Arrow

Right Arrow

Down Arrow

Left Arrow

Standby Indicator

On/Off Select Enter

Display Area

Active Indicator

Power Indicator

Up Arrow

Right Arrow

Down Arrow

Left Arrow Figure 2-11 – NetEnforcer LCD Panel: Enhanced Platform

For a description of how to configure the system using the LCD panel, refer to Configuring Via the LCD Panel, page 2-40.

Management Port

The Management port exists on the Enhanced and High Availability platforms. The dedicated Management port enables out-of-band management. Operating through the Management port denies management access to the device from Internal or External ports. Moreover, when there is a problem in the regular network you can still manage and monitor the NetEnforcer.

For more information on the Management port, see Out-of-Band Management, page 2-25.



Enhanced Platform Rear Panel The rear panel of Enhanced Platform contains the following:

• • • • •

Power Switch

Power Cable Connector

Backup (37-pin D-type) Connector

Ground Connector

Serial Port (for future use)

Power Cable Connector and

Fuse

Serial Connector

Backup Connector

Ground Connector

Power Switch


Fuse

Serial Connector

Backup Connector

Ground Connector

Power Switch


Fuse

Serial Connector

Backup Connector

Ground Connector

Power Switch


Fuse

Serial Connector

Backup Connector

Ground Connector

Power Switch

Figure 2-12 – NetEnforcer Rear Panel: Enhanced Platform

NOTE:

The power supply automatically adapts to voltages between 100V and 240V.

CAUTION:

The power supply unit includes an internal fuse. Only Allot Service personnel are authorized to replace it.



Enhanced Platform Powering Up Connect the NetEnforcer to an AC power source and put the Power switch (located on the rear panel) to On. The Power indicator on the LCD panel is lit. The display area of the LCD panel indicates the following: Power On.

After a few seconds, the display area of the LCD panel indicates the following: System Loading *.

Once the system has completed loading, the following occurs:

•

•

The Active LED on the LCD panel is lit, meaning that NetEnforcer is now connected to the network and it is ready.

The display area of the LCD panel indicates the default view - the current bandwidth consumption. For example: Inbound: XXX.X

Outbound: YYY.Y




Out-of-Band Management The dedicated Management port on NetEnforcer provides a secure solution for device management for enterprise and service providers. It enables you to permit access solely to a closed group of network administrators, so that ISP customers cannot "see" the Management port and therefore cannot access the NetEnforcer management. NetEnforcer lets you enable or disable this Management port, permitting either in-band or out-of-band management.

Figure 2-13 - Management Port



Using the Management port has the following benefits:

•

•

•

• •

•

•

•

Provides a security feature that prevents ISP customers from "seeing" the Management port and thus prevents access to NetEnforcer. When the Management port is enabled, the Internal and External ports are functioning solely to forward traffic. Consequently, only the Administrator (as the one with access to the Management port) has access to NetEnforcer.

Enables configuring, installing and upgrading while the unit is in Bypass mode. This is particularly important when the NetEnforcer is in carrier environments.

Improves NetEnforcer's forwarding performance by separating the management traffic from the regular traffic. In addition, if a problem exists in the regular network you can still communicate with NetEnforcer in order to resolve the problem.

Provides an infrastructure for improvements of the redundancy capabilities.

Has its own MAC and IP address.

Refer to the Out-of-Band Management section in Chapter 4, Configuring NetEnforcer, for instructions on how to configure the Management port.

Monitoring Only Models (AC-202 and AC-402) Monitoring Only models enable the user to use NetEnforcer in a non-intrusive mode. This mode enables connection without interference in the network activity, yet allows the use of the Monitoring function.

Using a Monitoring Only model has the following benefits:

Monitors the network activity in a non-intrusive mode. NetEnforcer behaves as a probe, as traffic is not going through NetEnforcer. The network can never “feel” NetEnforcer in this mode.

Enables you to view monitoring graphs, download accounting information via the ODBC or collect long term monitoring statistics.

Generates audits without interrupting your network activity.

When QoS software key is purchased and loaded (see Chapter 4: Configuring NetEnforcer), the NetEnforcer becomes a normal traffic enforcer.



Placement in the Network NetEnforcer is supplied with fast Ethernet or Gigabit Ethernet interfaces. NetEnforcer is normally placed on the internal side of your access router. The Internal port of NetEnforcer interfaces with your Local Area Network (LAN) and the External port of NetEnforcer interfaces with your access router. Refer to Figure 2-14 to see NetEnforcer’s placement in a network.

Connecting NetEnforcer to the Network When connecting NetEnforcer to the network, use the proper cable.

Figure 2-14 – LAN and WAN Placement of NetEnforcer



NetEnforcer is capable of operating parallel to another NetEnforcer to provide full redundancy. If you are using the NetEnforcers in Redundancy mode, refer to Appendix B, Fail-Safe Operation.

To connect NetEnforcer to your network:

1. Connect a Bypass module to NetEnforcer, as described in Bypass Modules, page 2-11. This is not necessary in Enhanced models where the Bypass is internal.

2. Connect the LAN side of your network to the Internal connector on the front panel of NetEnforcer (or the Bypass module).

3. Connect the Ethernet cable connected to the WAN side of your network to the External connector on the front panel of NetEnforcer (or the Bypass module).

NOTES:

To connect NetEnforcer directly to a router or to a host, use the supplied Ethernet crossover cables.

To connect AC-802 Fiber models, use fiber optic cables 62.5/125µ or 50/125µ, duplex SC connectors.

4. Connect the power cable and power up NetEnforcer, as described in Powering Up, page 2-16.

When connecting two NetEnforcers in Redundancy mode, use the special 37-pin cable (or 9-pin cable for Bypass module) supplied. For more information, refer to Appendix B, Fail-Safe Operation.

NOTE:

After you connect the cables (and the Active LED is on), the Internal and External Link LEDs on the front panel are on. When traffic is passing through the interface, the Activity LEDs blink.



Setting Up NetEnforcer In order to manage and configure NetEnforcer policies remotely from your Web browser, several basic parameters must be configured on NetEnforcer. You can configure these basic parameters using a terminal connected to NetEnforcer or by using the LCD panel.

Configuring Via a Terminal or Telnet You can use a standard terminal /PC running terminal emulation software connected to the Console port, or Telnet via the internet to configure a NetEnforcer. If you choose to connect via the Console port, most standard windows-based PC systems have a terminal emulation program called HyperTerminal that can be used for this purpose. Configure the terminal to run VT100 terminal emulation with the following parameters:

• • • • •

Baud rate 19200

8 bits

Stop bits 1

No flow control

No parity

To connect a terminal to NetEnforcer:

1. Use the supplied serial cable to connect the terminal to the Console Connector on the front panel of NetEnforcer.

2. Connect the power cable and power up NetEnforcer, as described in Powering Up, page 2-16 or 2-24.

3. At the terminal, select Start > Programs > Accessories and double-click on the HyperTerminal icon. Enter a name for the session and then to set the com port and the parameters (see above). The system boots up and you are prompted for a login and a password.



4. Enter admin for the login and allot for the password. (To change the password, see page 2-37.)

5. Press <Enter>. The NetEnforcer Setup Menu is displayed:

Figure 2-15 – NetEnforcer Setup Menu

To connect to a NetEnforcer via Telnet:

1. Open a Microsoft DOS window on a PC and at the C:\ prompt, enter Telnet (IP address of NetEnforcer). Press <Enter>. The system boots up and you are prompted for a login and a password.

2. Enter admin for the login and allot for the password. (To change the password, see page 2-37.)

Press <Enter>. The NetEnforcer Setup Menu is displayed:



NetEnforcer Start Menu From this menu, you can perform the following tasks:

Display the current configuration, page 2-32. • • • •

Configure network parameters, page 2-34. Change the login password, page 2-37. Modify the date and time settings, page 2-38.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After rebooting is completed, NetEnforcer is ready to be connected and to add Quality of Service in your network.



Displaying the Current Configuration You can display and view the currently set network configuration parameters at any time.

To display the current configuration:

1. In the NetEnforcer Setup Menu, enter 1 (List current configuration) and press <Enter>. The current network configuration parameters are displayed. A sample screen is shown below:

Figure 2-16 – Current Configuration (1)



2. Press <Enter> to show the second screen of parameters:

Figure 2-17 – Current Configuration (2)

3. Press <Enter> to return to the NetEnforcer Setup Menu.



Configuring Network Parameters You can define network parameters manually.

To define network parameters manually:

1. In the NetEnforcer Setup Menu, enter 2 (Network configuration) and press <Enter>. The Network Configuration menu is displayed:

Figure 2-18 – Network Configuration

2. Enter 2 (Manual configuration) and press <Enter>.



3. Enter values for the following IP parameters:

Device IP Address The IP address for your NetEnforcer, for example, 10.1.18.7.

Network mask The network mask for your NetEnforcer, for example, 255.0.0.0.

Device Hostname The host name for your NetEnforcer, for example, Jonny2.

Domain name A domain name for your NetEnforcer, for example, allot.com. Do not provide a leading ‘.’.

Default gateway IP address The IP address of your default gateway, for example, 10.0.02. If you do not have a default gateway, enter NONE.

Default gateway interface If you entered a default gateway in the previous step, the NetEnforcer interface to which it is connected, either 0 for Internal or 1 for External.

Primary name server IP address

If you have a Domain Name Server (DNS), its IP address. If you do not have a DNS, enter none.

Secondary name server IP address

If you have a second DNS, its IP address. If you do not have a second DNS, enter none.

Enable VLAN Environment.

Enables/disables the VLAN environment.

The Ethernet Adapter Settings screen is displayed.

4. Enter the following parameters to set up the NetEnforcer Ethernet adapters: The duplex type for the Internal interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.

•

• If you selected full or half duplex, enter the link speed of the Internal interface, 10M or 100M. Use M for Mbps.



The duplex type for the External interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.

•

• If you selected full or half duplex, enter the link speed of the External interface, 10M or 100M. Use M for Mbps.

NOTE:

AC-802 Copper models support also Gigabit Ethernet, AutoSensing, 10/100/1000Base-T.

When using NetEnforcer AC-802 Fiber models, you must set the interface of the device you are connecting to, as 1000Mbps Full Duplex, Auto-Negotiation Disable.

TIP:

When connecting NetEnforcer to a hub or a switch, ensure that the Ethernet adapter settings on both sides (meaning, NetEnforcer and the switch) are set to the same mode. In other words, if you wish to set the Ethernet adapters on your NetEnforcer to AutoSensing, ensure that the Ethernet adapter on the connected hub or switch is also set to AutoSensing, The same principle applies when setting the Ethernet adapters to Half or Full Duplex.

In addition, to ensure that the devices on both sides of the NetEnforcer (meaning, the devices connected to the Internal and External interfaces) can communicate in the event of the NetEnforcer going into Bypass, ensure that the Ethernet adapters on devices on both sides of the NetEnforcer are set to the same mode. (For further information, see Appendix B, Fail-Safe Operation.)

NOTE:

M = 1 million (1,000,000); K = 1 kilo (1,000)

5. Enter the following parameters to set up the Management Port: The duplex type for the Internal interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.

•

•

•

•

If you selected full or half duplex, enter the link speed of the Internal interface, 10M or 100M. Use M for Mbps. The duplex type for the External interface. Enter full for full duplex, half for half duplex or auto for AutoSensing. If you selected full or half duplex, enter the link speed of the External interface, 10M or 100M. Use M for Mbps.



6. Press <Enter> to finish and return to the Network Configuration menu.

7. To save your configuration, enter 3 (Save latest settings as current configuration) from the Network Configuration menu. A message is displayed, asking whether you wish to make your changes effective immediately. Enter y or n.

Changing the Passwords You can change the login password for either the Admin user or the Monitor user. The Admin user has access to all NetEnforcer functions, while the Monitor user has read-only access. It is strongly recommended to change the default password (allot). NetEnforcer might enable access from anywhere on the Internet, and should therefore be protected with a unique password.

To change the users’ password: 1. In the NetEnforcer Setup Menu, enter 3 (Change password) and press <Enter>. The

Password screen is displayed:

Figure 2-19 – Password

2. Enter 1 or 2 to specify the type of user whose password you want to change and press <Enter>.

3. Enter a new password and press <Enter>. The password must be between 5 and 8 characters. You can use a combination of upper and lower case letters and numbers.

4. Re-enter the password and press <Enter>. If NetEnforcer detects a simple password, a warning is displayed on the screen.



CAUTION:

You must change the default passwords to ensure a minimum level of security.

NOTE:

The new user name and password will be used in the NetEnforcer Log In window when accessing NetEnforcer through a browser.

Modifying Date and Time Settings You can modify date and time settings as required. You can set the system time manually, or you can set up NetEnforcer to receive time checks from an NTP (Network Time Protocol) server, if you have one on your network.

To modify the date and time settings: 1. In the NetEnforcer Setup Menu, enter 4 (Set time) and press <Enter>. The Time

Setup screen is displayed:

Figure 2-20 – Time Setup

The current day, date, system time and time zone are displayed at the top of the screen.

2. To change the time zone, perform the following steps: Enter 1 and press <Enter>. •

• Enter y and press <Enter>. NetEnforcer displays a list of time zones.



Enter the required time zone and press <Enter>. •

• •

•

3. To change the system time, perform the following steps: Enter 2 and press <Enter>. Enter the new date and time in the format DD-MM-YYY -HH-mm. For example, 12-05-2001-11-20 for 12th May 2001, 11:20 am. Press <Enter> to set the time.

Changing the Root User Password You can change the root password that provides access to super-user rights.

To change the root password:

1. Use the supplied serial cable to connect the terminal to the Console Connector on the front panel of NetEnforcer.

2. Set the NetEnforcer power switch, located near the NetEnforcer power cable, to the ON position. The system boots up and on the terminal you are prompted for a login and a password.

3. At the terminal, press <Enter>. The system boots up and you are prompted for a login and a password.

4. Enter root for the login and bagabu for the password, and then press <Enter>.

5. Enter passwd and then press <Enter>.

6. Enter a new password and press <Enter>. The password must be between 5 and 8 characters. You can use a combination of upper and lower case letters and numbers.

7. Re-enter the new password and press <Enter>.

CAUTION:

If you forget this password, contact Allot Customer Support.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After rebooting is completed, NetEnforcer is ready to be connected and to add Quality of Service in your network.



TIP:

You can further protect the access to NetEnforcer by limiting the hosts that are allowed to manage the unit. To configure the allowed host list, refer to Access Control in Chapter 4, Configuring NetEnforcer.

Configuring Via the LCD Panel The NetEnforcer Enhanced models (AC-202 and AC-402) and High Availability models (AC-802) provide an LCD panel from which you can configure basic NetEnforcer parameters without connecting a terminal. This enables quick and easy setting of basic parameters such as the IP address of NetEnforcer and NIC settings.

When you are not configuring NetEnforcer, the display area in the LCD panel indicates its default view, which is the current inbound and outbound bandwidth usage. The units are in Kbps or Mbps with one digit after the point and the display is refreshed every five seconds.

NOTE:

When you are configuring NetEnforcer and there is no activity for more than 30 seconds, the display area returns to the default view and any modifications to parameters that were not saved, are lost.

The Main Menu The LCD panel provides one main menu from where you can perform the following operations:

• • • • •

Configure NIC settings, page 2-41.

Set the NetEnforcer IP address, page 2-43.

Enable/disable the Management port, page 2-44.

Activate Bypass, page 2-46.

Reboot, shutdown or exit NetEnforcer, page 2-46.



The illustration below is a list of the main menu options from the LCD panel.

Figure 2-21 – LCD Panel, Main Menu Options

Getting Started on NetEnforcer In order to start working with NetEnforcer, press the Power button to turn on NetEnforcer. Once the system has completed loading, the display area of the LCD indicates its default view, the current bandwidth consumption of NetEnforcer. For example: Inbound: XX.XM

Outbound: YYY.YM


NOTE:

If QoS functionality is not included in your NetEnforcer (not enabled by your activation key), the default view indicates the following: Inbound:-, Outbound:-.

Configuring NIC Settings Configuring NIC settings enables you to configure the internal and external Ethernet adapters to either automatically sense the direction and speed of network traffic, or use a predetermined duplex type and speed.



To configure NIC settings:

1. With the display area displaying the default view, press the Select button. The main menu is displayed as follows: Main menu:

1. NIC Settings

2. Press the Select button. If the Management port is enabled, the display area indicates the following: 1-1.[M]anagement

[In]/[Ex]ternal

NOTE:

If the Management port is disabled, the display area indicates the following: 1-1.Interface: [In]/[Ex]ternal.

3. Use the arrow buttons to select the required interface and press the Enter button. The display area indicates the following: Mode: [A]uto or

[F]ull/[H]alf du

4. Use the arrow buttons to select the duplex type for the selected interface and press the Enter button. The display area indicates the following: Speed: [A]uto or

[100]/[10] Mbps

5. Use the arrow buttons to select the link speed of the selected interface and press the Enter button. The display area indicates the following: [S]ave/[C]ancel

6. Use the arrow buttons to select whether to save the settings or cancel and press the Enter button. The new NIC settings are applied and after a few moments, the display area displays its default view, the current bandwidth consumption.



Setting the NetEnforcer IP Address Setting the NetEnforcer IP address enables you to specify the IP address, netmask and default gateway for NetEnforcer.

To configure the IP address:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow once to display the following: Main menu:

2. Setup IP

3. Press the Select button. The display area indicates the following: 2-1.Set IP:

xxx.xxx.xxx.xxx (the current IP address definitions are displayed)

4. Specify the IP address of NetEnforcer. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

5. Press the Enter button. The display area indicates the following: 2-2.Set mask:

xxx.xxx.xxx.xxx (the current netmask definitions are displayed)

6. Specify the netmask of NetEnforcer. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

7. Press the Enter button. The display area indicates the following: 2-3 Gateway exists [Yes/No]

Select whether you have a gateway defined in your network. If you select N then you will exit to the next step, skipping step 2-4. If you have a gateway select Y and proceed:

2-4.Gateway:

xxx.xxx.xxx.xxx (the current gateway definitions are displayed)



8. Specify the IP address of the default gateway. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

9. Press the Enter button. The display area indicates the following: [S]ave/[C]ancel

10. Use the arrow buttons to select whether to save the settings or cancel and press the Enter button. The new IP and gateway settings are applied and after a few moments, the display area displays its default view, the current bandwidth consumption.

The following cases of failure may be indicated:

Failure Display

Register NIC Settings Fail: NE IP save

Chk NE IP config

Netmask Save Fail: MASK save

Chk NE IP config

Management NIC Save Fail: Mgmt save

Chk NE IP config

Gateway Save Fail: GW save

Chk NE IP config

Enabling/Disabling the Management Port Configuring the Management port enables you to specify whether management of NetEnforcer is via the Management port or the network connectors. Configuration via the Management port provides a more secure way to manage NetEnforcer and ensures no interruption to traffic.



To configure the Management port:


2. Press the down arrow twice to display the following: Main menu:

3. Mgmt Port

3. Press the Select button. If the Management port is enabled, the display area indicates the following:

Disable port?

[Y]es/[N]o

Use the arrow buttons to select whether to disable the Management port. When you select Yes, the display area indicates that the Management port is being disabled and after a few seconds displays its default view. When you select No, the display area returns to the Management port menu (shown in step 2).

•

• If the Management port is disabled, the display area indicates the following:

Enable port?

[Y]es/[N]o

Use the arrow buttons to select whether to enable the Management port. When you select Yes, the display area indicates that the Management port is being enabled and after a few seconds displays its default view. When you select No, the display area returns to the Management port menu (shown in step 2).

NOTE:

If for some reason the operation fails, the display area indicates Enabling Failed or Disabling Failed and the system displays its default view.



Activating Bypass

To configure a Bypass:


2. Press the down arrow three times to display the following: Main menu:

4. Bypass

3. Press the Select button. If the system is not in Bypass mode, the display area indicates the following: Go into Bypass?

[Y]es/[N]o

4. Use the arrow buttons to select whether to enter Bypass mode and press the Enter button. NetEnforcer switches to Bypass mode and after a few moments, the display area displays its default view, the current bandwidth consumption.

NOTE:

When the system is already in Bypass mode, you are prompted to select whether to exit Bypass mode. Use the arrow buttons to select whether to exit Bypass mode and press the Enter button.

Rebooting, Shutting Down and Exiting NetEnforcer You can reboot or shut down NetEnforcer and exit from LCD configuration as required.

To reboot NetEnforcer:


2. Press the down arrow four times to display the following: Main menu:

5. Reboot



3. Press the Select button. The display area indicates the following: Reboot?

[Y]es/[N]o

4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter button. NetEnforcer reboots and the display area indicates the following: System

Rebooting * (blinking asterisk)

NOTE:

This message is also displayed in the display area when NetEnforcer is rebooted using a terminal.

To shutdown NetEnforcer:


2. Press the down arrow five times to display the following: Main menu:

6. Shutdown

3. Press the Select button. The display area indicates the following: Shutdown?

[Y]es/[N]o

4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter button. NetEnforcer reboots and the display area indicates the following: System

Shutting down * (blinking asterisk) After a few seconds, the display area indicates that NetEnforcer may be powered off.

NOTE:

This message is also displayed in the display area when NetEnforcer is shutdown using a terminal.



To exit NetEnforcer:


2. Press the down arrow six times to display the following: Main menu:

7. Exit

3. Press the Enter or the Select button. The display area displays its default view, the current bandwidth consumption.


Chapter 3: Getting Started

This chapter explains how to connect to your client management station, provides an overview of the NetEnforcer interface, and describes how to install the Java Plug-in.


Accessing NetEnforcer, page 3-2, describes how to access NetEnforcer from your Web browser.

NetEnforcer Control Panel, page 3-3, describes the options available in the NetEnforcer Main Control Panel.

Installing the Java Plug-in 1.3, page 3-9, describes how to install the Java plug-in 1.3. The Java plug-in is a prerequisite for running the NetEnforcer application, which runs as a Java-based applet.

Once you have accessed the NetEnforcer application and installed the required plug-in, you can begin to work with NetEnforcer. The first step is to configure NetEnforcer, described in Chapter 4, Configuring NetEnforcer.



Accessing NetEnforcer Once you have completed the initial setup, as described in the previous chapter, you can access to NetEnforcer via your Web browser. The first time that you connect to NetEnforcer, you may be prompted to install Java plug-in 1.3. Refer to Installing the Java Plug-in 1.3, page 3-9, for further information.

To connect to NetEnforcer:

1. Open your browser, and enter http://(IP address of NetEnforcer). The NetEnforcer Log On dialog box is displayed:

Figure 3-1 – NetEnforcer Log On Dialog Box

2. In the User Name field, enter admin and in the Password field, enter allot or the password that was established at setup. This is the default user name and password. They may be different if you changed them during the initial configuration. Refer to Chapter 2, Installing NetEnforcer, Section Setting Up NetEnforcer.

3. Click Log On. The NetEnforcer Control Panel is displayed.

NOTE:

It may take a few moments to display the Control Panel.



NetEnforcer Control Panel The NetEnforcer Control Panel is the main NetEnforcer window, displayed when you connect to NetEnforcer.

Figure 3-2 – NetEnforcer Control Panel

The NetEnforcer Control Panel is the main navigation point for NetEnforcer. Each button in the Control Panel provides access to different NetEnforcer functionality. The buttons and their sub-options are described on the following pages.



Button Sub-options Description

Policies Provides access to the Policy Editor where you define QoS policy using Pipes, Virtual Channels and rules. (Refer to Chapter 8, Defining Policies for further information.)

From the Policy Editor, you also access and configure entries in the NetEnforcer Catalogs. Catalogs contain the possible values available when configuring Pipes, Virtual Channels and rules in the Policy Editor. (Refer to Chapter 7, Defining Catalog Entries for further information.)

NetWizard Provides access to NetWizard. NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a network, enabling you to quickly define QoS policies for each type of protocol in the network. (Refer to Chapter 5, NetWizard Quick Start for further information.)

Monitoring My Favorite View

Displays a saved arrangement of Monitoring windows as your favorite view. (Refer to Chapter 6, Monitoring Network Traffic for further information.)

NetEnforcer Level Enables you to monitor traffic and view current network behavior at the NetEnforcer level through NetEnforcer monitoring graphs. (Refer to Chapter 6, Monitoring Network Traffic for further information.)




Pipe Level Enables you to monitor traffic and view current network behavior at the Pipe level through NetEnforcer monitoring graphs. (Refer to Chapter 6, Monitoring Network Traffic for further information.)

Virtual Channel Level

Enables you to monitor traffic and view current network behavior at the Virtual Channel level through NetEnforcer monitoring graphs. (Refer to Chapter 6, Monitoring Network Traffic for further information.)

Settings Enables you to configure features of monitoring graphs (both current and history) as well as set up your favorite view. (Refer to Chapter 6, Monitoring Network Traffic for further information.)

Long-Term Enables you to collect and view long-term monitoring data. You can manipulate the data and produce reports, as required. (Refer to Chapter 6, Monitoring Network Traffic for further information.)

Alerts Alerts Log Provides access to the Alerts Log that includes a list of the alerts triggered by the alert definitions. (Refer to Chapter 9, NetEnforcer Alerts for further information.)




Alerts Editor Provides access to the Alerts Editor where you define events or conditions that will trigger alerts. (Refer to Chapter 9, NetEnforcer Alerts for further information.)

NetAccountant Design and generate template-based accounting reports. This functionality is only available when you have the NetAccountant module enabled in your NetEnforcer system. (Refer to the NetAccountant User’s Manual for further information.)

Configuration Enables you to specify system configuration and setup parameters. (Refer to Chapter 4, Configuring NetEnforcer for further information.)

Tools Download Long-Term Monitoring Agent

Enables you to download the Long-Term Monitoring Agent application. This application collects long-term monitoring data, which you can then view, as required. (Refer to the Long-term Monitoring section in Chapter 6, Monitoring Network Traffic for further information.)

Download MIBs Enables you to download the Allot Position MIBs and the Allot ID MIBs. (Refer to the Accessing the Allot MIBs section in Chapter 11, SNMP Monitoring for further information.)




Pipe/VC ID Lookup for SNMP

Enables you to obtain the internal IDs for Pipes and Virtual Channels. This is necessary if you are using the Allot ID MIBs. (Refer to the Installing MRTG for NetEnforcer section in Chapter 11, SNMP Monitoring for further information.)

Update Service Catalog from Allot Communications

Enables you to update the latest protocols to the Service Catalog. (Refer to the Service Catalog Editor section in Chapter 7, Defining Catalog Entries for further information.)

Send ‘Snapshot’ to Factory

Enables you to send an image of a screen to NetEnforcer Customer Support for debugging Purposes.

Download External Accounting Collector

Enables you to download the External Accounting Collector. This enables you to download and install two applications (Accounting Agent and Binary to ASCII Translator) on your computer. The Accounting Agent enables you to get the accounting data from the NetEnforcer; the Binary to ASCII Translator enables you to convert the binary stream into ASCII files. Once installed, the two applications are transparent to the user.

Register Product Enables you to register NetEnforcer with Allot Communications.




Window View by Application NetEnforcer applets are displayed in individual tabs in the main NetEnforcer window. For example, the NetEnforcer Configuration window is displayed in the Configuration tab and monitoring graphs are displayed in the Monitoring tab.

View All NetEnforcer applets are displayed in one tab (called View All) in the main NetEnforcer window. For example, the NetEnforcer Configuration window as well as monitoring graphs are displayed in the View All tab.

Close All Closes all NetEnforcer applets that are currently open.

Cascade Cascades all open NetEnforcer applets in the main NetEnforcer window.

Tile Tiles all open NetEnforcer applets in the main NetEnforcer window.

Below the Windows sub-options, there is a List of open NetEnforcer applets, for example, NetEnforcer Configuration, Alerts Editor, and so on.

Help Index Provides access to online help.

System Messages Details

Provides access to details about system messages.

Allot Communications Home Page

Provides access to the Allot Communications home page.




About Provides version information about NetEnforcer.

Log Off Exits the NetEnforcer Control Panel. A Log On button is then displayed enabling you to access the Control Panel once again.

Installing the Java Plug-in 1.3 NOTE:

If the Java plug-in is already installed on your PC and the version is less than 1.3, it should be removed before installing the Java plug-in 1.3.

The NetEnforcer application runs as a Java applet with the assistance of Sun Microsystems Java plug-in 1.3.

The minimum requirements for using the Java plug-in are Pentium 2 with 128Mb RAM.

This plug-in enables a Java applet to run using Sun’s Java Runtime Environment (JRE) on the following platforms:

•

•

• •

Microsoft’s Internet Explorer 6.0 on Win32 platforms (Windows 98, Windows 2000, Windows Millennium, Windows NT 4.0 and Windows XP)

Netscape Navigator 6 on Win32 platforms (Windows 98, Windows 2000, Windows Millennium, Windows NT 4.0 and Windows XP)

Solaris platforms (Solaris 2.5 or 2.6)

Linux 2.2



When the NetEnforcer application is loaded, the Java plug-in ensures that Sun’s Java Runtime Environment (JRE) is loaded to run the applet (and not the browser’s default JRE). This enforces a singular behavior (consistent look and feel) of the applet among the various browsers and their associated versions.

This section describes how to install the Java plug-in 1.3 from Microsoft Internet Explorer and Netscape.

If you have any earlier versions of the Java plug-in, you should uninstall them before installing version 1.3. For example, NetEnforcer 3.x users have Java plug-in 1.1.1 installed.



Installing the Java Plug-in from Internet Explorer You are prompted to install the Java plug-in during the initial connection procedure.

To install the Java plug-in from Internet Explorer:

1. In Internet Explorer, enter the NetEnforcer IP address and wait a few moments. The Software License Agreement window is displayed:

Figure 3-3 – Java Plug-in Software License Agreement Window

2. Click Yes. The Select Destination Location window is displayed.

3. Select a destination location for the plug-in or leave the default location.



4. Click Next and wait a few moments. The Java Plug-in Security Warning window is displayed:

Figure 3-4 – Java Plug-in Security Warning Window

5. Click Grant this session or Grant always. It is recommended to click Grant always. This enables the NetEnforcer application to access the local client machine. (Generally, Java applets running in a browser are not allowed to access the local client machine.) After a few seconds, the NetEnforcer Log On dialog box is displayed and you can log in, as described on page 3-2.



6. If you select Grant this session, each time you open the NetEnforcer GUI, or open the GUI on a new computer, after June 1, 2003, (the publisher's certificate expiry date), the following popup window is displayed:

Figure 3-5 - Java Plug-in Security Warning Pop-up – Certificate Expiration Notice

7. Click Yes to ignore the warning and proceed; Figure 3-4 is redisplayed.

8. Click Grant Always. (Refer to step 5, above).



Installing the Java Plug-in from Netscape When installing the Java plug-in from Netscape, you must first download the executable installation file and then run it. The following procedure describes how to install the Java plug-in from Netscape 6.1 and earlier.

NOTE:

If you are working with Netscape 6, you cannot control which Java plug-in is installed. When you enter the IP address of NetEnforcer, Netscape 6 automatically determines which Java plug-in version to install. You should follow the on-screen instructions.

To install the Java Plug-in from Netscape:

1. In Netscape, enter the NetEnforcer IP address and wait a few moments. The following screen is displayed:

Figure 3-6 – Java Plug-in Icon



2. Click the icon. If you are using a Windows-based platform, the following Plug-in Not Loaded window is displayed:

Figure 3-7 – Plug-in Not Loaded Window

3. Click Get the Plug-in. A standard Save As window is displayed.

4. Select the folder in which you want to save the Java plug-in executable installation file and click Save. The executable file is saved in the selected location.

5. Run the executable file saved in step 4, and wait a few moments. The Software License Agreement window is displayed:

Figure 3-8 – Java Plug-in Software License Agreement Window



6. Click Yes. The Select Destination Location window is displayed.

7. Select a destination location for the plug-in or leave the default location.

8. Click Next and wait a few moments. The Java Plug-in Security Warning window is displayed:

Figure 3-9 – Java Plug-in Security Warning Window

9. Click Grant this session or Grant always. It is recommended to click Grant always. This enables the NetEnforcer application to access the local client machine. (Generally, Java applets running in a browser are not allowed to access the local client machine.)

10. You may be prompted to reboot at this point. If so, restart your browser and connect to NetEnforcer, as described in Accessing NetEnforcer, page 3-2.


Chapter 4: Configuring NetEnforcer

This chapter describes how to modify NetEnforcer’s configuration parameters from a Web browser. You can also configure NetEnforcer using a command line interface, described in Appendix G, NetEnforcer Command Line Interface.


Overview, page 4-2, provides an introduction to the process of modifying configuration parameters from your browser.

NetEnforcer Configuration Window, page 4-6, describes the menu bar and toolbar in the NetEnforcer Configuration window.

NetEnforcer Configuration Parameters, page 4-9, describes the configuration parameters available in the NetEnforcer Configuration window.

Additional Configuration Options, page 4-45, describes how to change the date and time settings on NetEnforcer, how to backup, restore and verify configuration, as well as how to retrieve certain configuration parameters from a DHCP server.



Overview Once you have configured NetEnforcer for your network environment, described in Chapter 2, Installing NetEnforcer, you can modify configuration parameters remotely via your Web browser including initial setup parameters, as well as the following run-time parameters:

• •

•

•

• • • • • • • • •

System parameters, including software versions and keys

Access link parameters, including the duplex type and bandwidth of Internal and External interfaces

Network interface parameters, including IP addresses and mask/gateway parameters

Access control parameters that determine access to NetEnforcer management functions

Internal and external Ethernet adapter parameters

Networking parameters, including monitoring only mode and bridging protocol

Parameters that enable SNMP-compatible management functions

Connection parameters

Monitoring parameters

Accounting parameters

LDAP parameters

VLAN parameters

Denial of Service (DoS) parameters

Configuration parameters are modified from the NetEnforcer Configuration window. A general procedure for configuring NetEnforcer is presented on page 4-3. A description of all the possible configuration parameters begins on page 4-9.



To configure NetEnforcer: 1. From the NetEnforcer Control Panel, click Configuration. The NetEnforcer

Configuration window is displayed:

Figure 4-1 – NetEnforcer Configuration Window Configuration parameters are grouped in tabs. The configuration parameters are described in NetEnforcer Configuration Parameters, page 4-9. In each tab, edit the relevant configuration parameters, as required.

2. Click or select Save to NetEnforcer from the File menu to save the configuration. The following confirmation message is displayed:



Figure 4-2 – Confirmation Message

3. Click OK.

NOTE:

Rebooting the NetEnforcer is required when you make changes to either: • NetEnforcer Activation Key (Product IDs & Key tab) • NIC • Networking/ Accounting/ RADIUS Setup/ Restore Configuration • Time • Management port definition This is to ensure that the saved parameter values are committed and activated on NetEnforcer. You are automatically prompted to reboot.



Activating the NetEnforcer The Key Expiration date is displayed in Product IDs and Keys tab of the Configuration window. Some keys do not have an expiration date, and in those cases this field is empty.

Once the date has expired the box will reboot and the new module settings will be displayed showing all modules as disabled.



NetEnforcer Configuration Window The NetEnforcer Configuration window contains a menu bar, a toolbar, and tabbed pages of configuration parameters.

Menu Bar The menu bar in the NetEnforcer Configuration window includes five menus, described in the following sections.

File Menu

The File menu includes the following options:

Save to NetEnforcer Saves the configuration to NetEnforcer. This option is only enabled after changes have been made to the configuration.

Reboot NetEnforcer Enables you to reboot NetEnforcer.

Shutdown NetEnforcer Enables you to shut down NetEnforcer.

Print Enables you to print the configuration parameters in text format.

Exit Closes the NetEnforcer Configuration window.



Edit Menu

The Edit menu includes the following option:

Undo All Unsaved Changes

Undoes all changes that have not yet been saved.

Options Menu

The Options menu includes the following options:

Backup Configuration Enables you to save the configurations in a file. Refer to Backing Up Configuration, page 4-45.

Restore Configuration Enables you to open previously saved configurations. Refer to Restoring Configuration, page 4-46.

Set Date and Time Enables you to configure the date and time on NetEnforcer. Refer to Setting Date and Time, page 4-47.

Setup Verification Enables you to verify some basic configuration parameters. Refer to Verifying Configuration, page 4-48.

Help Menu

The Help menu includes the following option:

Index Provides access to online help.



Toolbar The toolbar in the Configuration window enables easy access to many of the functions available from the menu bar. The toolbar includes the following buttons:

Save to NetEnforcer Saves the configuration to NetEnforcer. This button is only enabled after changes have been made to the configuration.

Reboot NetEnforcer Enables you to reboot NetEnforcer.

Shutdown NetEnforcer Enables you to shut down NetEnforcer.

Print Enables you to print the configuration

parameters in text format.

Undo All Unsaved Changes Undoes all changes that have not yet been

saved.

Backup Configuration Enables you to save the configuration to a TFTP server

Restore Configuration Enables you to restore configuration from a TFTP server

Help Provides access to online help.



NetEnforcer Configuration Parameters The NetEnforcer Configuration window includes the following tabs:

• • • • • • • • • • • • • • • • •

Product IDs and Key, page 4-10

Access Links, page 4-12

IP & Host Name, page 4-14

Security, page 4-17 NIC, page 4-19 Networking, page 4-21 SNMP, page 4-25 Connection Control, page 4-26 Monitoring, page 4-28 Internal Accounting, page 4-29 External Accounting, page 4-31 RADIUS Setup, page 4-33 Accounting/RADIUS Storage, page 4-36 LDAP/Text Source, page 4-39 VLAN, page 4-40 Alerts, page 4-42 Denial of Service (DoS), page 4-43

Each tab includes parameters that can be configured as required. After modifying configuration parameters, you must select Save to NetEnforcer in order for the changes to take effect.

The parameters available in each tab are described in the following sections.



Product IDs and Key The Product IDs & Key tab includes parameters that provide system information and activate optional NetEnforcer modules.

Figure 4-3 – Product IDs & Key Parameters

The Product IDs & Key tab includes the following parameters:

Parameter Definition

Product Model The NetEnforcer model. This field is read only.

Software Version The software version on NetEnforcer. This field is read only.

Backplane Version The backplane version on NetEnforcer. This field is read only.

Box Number The ID number of NetEnforcer. This field is read only.




NetEnforcer Activation Key

The activation key to enable NetEnforcer. Enter the activation key supplied to you when purchasing NetEnforcer. The functionality enabled by the key is summarized in the fields below.

Quality of Service Quality of Service is enabled on NetEnforcer.

Load Balancing The NetBalancer module is enabled on NetEnforcer.

Cache Enforcer The CacheEnforcer module is enabled on NetEnforcer.

NetAccountant The NetAccountant module is enabled on NetEnforcer.

NetEnforcer Bandwidth Capacity

The maximum bandwidth capacity of NetEnforcer.

After entering an activation key, click Save. The following message is displayed:

Figure 4-4 – Save Configuration to NetEnforcer Message

Click Yes and NetEnforcer will automatically reboot. After the reboot, re-open the NetEnforcer Configuration window, select the Product IDs & Key tab and you can see the new settings based on the activation key.



Access Links The Access Links tab includes parameters that enable you to set the duplex type and bandwidth of the Internal and External interfaces. The internal side of NetEnforcer interfaces with your Local Area Network (LAN) and the external side of NetEnforcer interfaces with the Wide Area Network (WAN) via your access router.

Figure 4-5 – Access Links Parameters

The Access Links tab includes the following parameters for the Internal and External interfaces:


Type The type of interface. The options are as follows: Half Duplex: The access link can either transmit or receive traffic. Full Duplex: The access link can transmit and receive traffic simultaneously.




Outbound Bandwidth

The bandwidth of the link going away from NetEnforcer. When the Type is Half Duplex, the outbound bandwidth is valid for inbound and outbound traffic and the inbound bandwidth is not relevant.

Inbound Bandwidth The bandwidth of the link going into NetEnforcer.

TIP:

If you enter a maximum bandwidth setting of less than 1Kbps for either interface, the following message is displayed: ”A bandwidth rate of less than 1000 bits/sec has been entered for Internal outbound speed. This is very slow speed. Continue with save anyway?” Press Yes to confirm that this is the correct setting for the interface. Press No to re-enter another value. It is strongly recommended not to attempt to shape traffic of less that 1Kbps. Setting internal or external bandwidth of less than 1Kbps will cause normal network traffic to come to a halt. For example, shaping bandwidth of a short frame of 64 bytes to a bandwidth link of 1000 bps will result in less than two packets per second which is impractical in today's networks. Refer to the Release Notes for more information.



IP and Host Name The IP & Host Name tab includes parameters that enable you to modify the IP and host name configuration of your network interfaces.

Figure 4-6 – IP & Host Name Parameters

The IP & Host Name tab includes the following parameters:


IP Address of NetEnforcer The IP address of NetEnforcer.

Network Mask The network subnet mask.

Default Gateway The IP address of the default gateway.

The default gateway enables clients to access NetEnforcer remotely and to provide a path if NetEnforcer is on a different subnet than that of the client.




Host Name of NetEnforcer The host name of NetEnforcer.

Domain Name The domain name.

Primary Domain Name Server

The IP address of the primary domain name server.

Secondary Domain Name Server

The IP address of the secondary domain name server.

Primary NTP Time Server The name of the primary NTP (Network Time Protocol) server. This enables NetEnforcer to receive the date and time from an NTP server.

Secondary NTP Time Server

The name of the secondary NTP (Network Time Protocol) server.

Tertiary NTP Time Server The name of the tertiary NTP (Network Time Protocol) server.



Out-of-Band Management The dedicated Management port provides a secure solution for device management for enterprise and service providers. It enables you to permit access solely to a closed group of network administrators. ISP customers cannot "see" the Management port and therefore cannot access the NetEnforcer management. NetEnforcer confidently lets you enable or disable this Management port, permitting either In-Band or Out-of-Band management.

Out-of-Band mode is graphically illustrated as follows:

Figure 4-7 – Out-of-Band Management

The Management port is enabled by default in all NetEnforcers with a management port. Make sure that the Disable Management Port parameter in the IP & Host Name tab is unchecked, as described in the previous section.

NOTE:

To use In-Band management and manage the NetEnforcer via the Internal/External ports, select the Disable Management port option in the IP & Host Name tab.



Security The Security tab includes parameters that enable you to specify security parameters as well as control access to NetEnforcer management functions by specifying the names of hosts to whom you want to grant access permission.

CAUTION:

If no hosts are defined, anyone can access NetEnforcer management functions.

Figure 4-8 – Security Parameters

The Security tab includes the following parameters on the left side:


Enable Telnet Select this checkbox to enable remote Telnet communications with the NetEnforcer.

Enable SSH (Secure Shell) Select this checkbox to enable remote SSH communications with the NetEnforcer.




Enable Ping Select this checkbox to enable remote Ping communications with the NetEnforcer.

On the right side of the Security tab, is a list of hosts who have access permission to NetEnforcer management functions. When the Allowed Hosts list is empty, there is unrestricted access to NetEnforcer management functions. When there are hosts in the Allowed Hosts list, only those hosts are allowed access to NetEnforcer management functions. You can enter host details in either of the following formats:

• •

The name of the host.

The IP address of the host.

CAUTION:

If no hosts are defined, anyone with a user name and a password can access NetEnforcer management functions.

To add a host to the list:

1. Select Host or IP in the Host/IP Item area.

2. Specify the host name or IP address in the field to the right of the selected option.

3. Click Add. The specified host is added to the Allowed Hosts list.

You can add as many hosts as required.

To modify a host, select the host in the Allowed Hosts list to display the details in the fields on the left. Modify the details as required and click Update.

To remove a host, select the host in the Allowed Hosts list to display the details in the fields on the left and click Delete. If the host that you selected is the only one in the list, a message is displayed: "Deletion will leave ‘Allowed Hosts’ list empty. This means that all hosts will be able to access the NetEnforcer. Continue? Click Yes."



NIC The NIC tab includes parameters that enable you to configure the internal and external Ethernet adapters to either automatically sense the direction and speed of network traffic, or use a predetermined duplex type and speed. When working with AC-601/802 models, you can also specify the direction and speed of the management interface.

Figure 4-9 – NIC Parameters The NIC tab includes Mode and Speed parameters for the internal and external Ethernet adapters.

NOTE:

If the management interface is disabled, look in the IP & Host Name tab and confirm that the Disable Management Port checkbox is selected.




Mode The type of interface. The options are as follows: Auto: The interface automatically senses the direction of the traffic. Half Duplex: The interface can either transmit or receive traffic. Full Duplex: The interface can transmit and receive traffic simultaneously.

Speed The speed of the interface: Auto, 1000M, 100M or 10M. When the Mode is Auto, you cannot predefine the interface speed and Speed is set to Auto and cannot be modified.

NOTES:

For models AC-601 and AC-802 Copper, you can also select 1000M as the link speed for the Internal or External interfaces.

For model AC-802 Fiber, the settings for the Internal and External interfaces cannot be changed: the duplex type is full and the link speed is 1000M.

When you connect NetEnforcer to a hub or switch, ensure that the Ethernet adapter settings on both sides are set to the same mode. This ensures proper communication between the Ethernet adapters. For example, if you set the Ethernet adapter on NetEnforcer to Auto, you must also set the Ethernet adapter on the hub or switch connected to that interface to Auto. The same principle applies when setting Ethernet adapters to Half or Full Duplex mode. To ensure that the devices on both sides of NetEnforcer can communicate if NetEnforcer enters Bypass mode, make sure that the interfaces on the devices on both sides of NetEnforcer are set to the same NIC (Ethernet adapter) mode.



Networking The Networking tab includes parameters that enable you to configure network topology as well select to operate in Monitoring Only mode.

Figure 4-10 – Networking Parameters

The Networking tab includes the following parameters:


Support ‘Spanning Tree’ protocol

Whether you are using a second NetEnforcer as a backup system in a spanning tree configuration.

Disable Transport Layer Classification (TCP/UDP ports)

Whether NetEnforcer classifies by TCP/UDP ports and content inspection. Deselecting this checkbox reduces the number of connections seen by NetEnforcer and improves its performance.




Disable Application Layer Analysis in NetEnforcer

Whether NetEnforcer analyzes content of the application layer. Deselecting this checkbox disables content inspection and Napster and FTP identification and improves the performance of NetEnforcer.

NetEnforcer is Enabled for Monitoring Only

This checkbox only appears with the Enhanced Platforms AC-202 and AC-402.

Select this checkbox to enable the monitoring and viewing of traffic in graphical representation. Traffic is classified; however the NetEnforcer does not enforce or take action on policies. For a detailed description of Monitoring Only, mode, see below.

Monitoring Only Mode Monitoring Only mode allows the operator to install and use the NetEnforcer in listen-only mode. This mode enables connection without interference in the network activity.

Applying this mode has the following benefits:

•

•

• •

Monitors the network activity in a non-intrusive way. NetEnforcer behaves as a probe, as traffic is not going through NetEnforcer.

Enables you to view monitoring graphs, download accounting information via the ODBC or collect long term monitoring statistics.

Enables traffic to be shaped by simply switching NetEnforcer to Active mode.

Generates audits without interrupting your network activity.

Monitoring Only mode is activated/deactivated via the GUI or CLI. The activation of this “tapping” allows management only through the Management port and disables QoS and connection control activity.

See Figure 4-7 for a graphical representation of Monitoring Only mode.



Operating Monitoring Only Mode from the GUI

To activate Monitoring Only mode, select the NetEnforcer is enabled for monitoring only. QoS enforcement is disabled checkbox in the Networking tab, described on page 4-21.

When operating in Monitoring Only mode, you must use the Management port for managing the NetEnforcer. If the Management port is not enabled, for example, there is an incomplete connection, the following message is displayed:

Figure 4-11 – Monitoring Only Mode Error Message

When the Management port is enabled, and you have activated Monitoring Only mode, the following message is displayed:

Figure 4-12 – Activating Monitoring Only Mode Message

Click Yes to continue with Monitoring Only mode.



When you deactivate Monitoring Only mode, the system returns to its previous state and the following message is displayed:

Figure 4-13 – Deactivating Monitoring Only Mode Message

Click Yes to exit Monitoring Only mode.

Operating Monitoring Only Mode from the CLI

There is a CLI command that activates the Monitoring Only mode. The effect is the same as when it is activated from the GUI. See Appendix G, NetEnforcer Command Line Interface.

Operating Monitoring Only Mode from the LCD

The main menu includes an additional option that enables/disables Monitoring Only mode. See Configuring Via the LCD Panel in Chapter 2, Installing NetEnforcer.



SNMP The SNMP tab includes parameters that enable you to configure SNMP-compatible management functions.

Figure 4-14 – SNMP Parameters

The Simple Network Management Protocol (SNMP) is a commonly used network management protocol that allows SNMP-compatible management functions such as device discovery, monitoring and event generation. NetEnforcer support for SNMP includes MIB II with standard MIB II traps.

The SNMP tab includes the following parameters:


Read Community The SNMP community for devices reading SNMP variables from NetEnforcer.

Write Community The SNMP community for devices setting SNMP variables to NetEnforcer.




Trap Community The SNMP community to receive NetEnforcer SNMP traps.

Trap Destination The IP address of the Network Management Console that receives the NetEnforcer-generated SNMP traps. If there is no such destination, this parameter should be left blank.

Contact The contact person, for SNMP purposes.

Location The location of system, for SNMP purposes.

Connection Control The Connection Control tab includes parameters that enable you to configure timeouts and the number of retries for the NetBalancer and CacheEnforcer modules, as well as other connection parameters.

Figure 4-15 – Connection Control Parameters



The Connection Control tab includes the following parameters:


Server Tracking Timeout

The length of time that NetBalancer waits before concluding that the server is down. The value must be between 10 to 240 seconds.

Server Tracking Retries

The number of times that NetBalancer tries to connect to the server. The value must be between 1 to 100.

Connect Timeout The length of time that NetBalancer attempts to establish the availability of a server. The value must be between 10 to 240 seconds.

Service Tracking Timeout

The length of time that NetBalancer or CacheEnforcer waits before concluding that the service (for example, HTTP) is down. The value must be between 10 to 249 seconds.

Service Tracking Retries

The number of times that NetBalancer or CacheEnforcer tries to connect to the service. The value must be between 1 to 100.

Use Connection Control IP Address to Connect

If you are using content inspection and the cache server and cached traffic clients are on the same side as NetEnforcer, check this box.

NOTE:

The Connection Control parameters have no effect unless NetBalancer or CacheEnforcer are enabled on your system. For a description of NetBalancer functionality, refer to the NetBalancer User’s Manual. For a description of CacheEnforcer functionality, refer to the CacheEnforcer User’s Manual.



Monitoring The Monitoring tab includes parameters that display the monitoring sample period on NetEnforcer and enable you to configure whether NetEnforcer performs DNS resolving actions.

Figure 4-16 – Monitoring Parameters

The Monitoring tab includes the read-only parameter Monitoring Sample Period on NetEnforcer. This parameter displays the length of the sample period in the monitoring process.

Additionally, by selecting or deselecting the Resolve DNS Names for Monitoring Data checkbox, you can configure whether NetEnforcer performs DNS resolving actions. When selected, IP addresses are translated to host names for the Monitoring module. If you select this checkbox, ensure that you have defined a DNS server(s) in the IP & Host Name tab.



Internal Accounting Setup

NOTES:

The NetAccountant now has the following options for data storage:

• Locally on the NetEnforcer

• Externally on a Radius Server

• Externally on a Sybase database (via the NetAccountant Reporter)

• Exported via ODBC to an external PC.

Any or all of these options may be implemented at one time.

The Internal Accounting tab includes parameters that enable you to determine the frequency and granularity of data storage, and to control the quantity of data stored. The Internal Accounting parameters are only relevant when NetAccountant is enabled in your system. This is indicated in the Product Ids & Key tab. For more information concerning the NetAccountant module and Internal and External Accounting, see the NetAccountant User's Manual.

Figure 4-17 – Internal Accounting Parameters




Record Accounting Data Within the NetEnforcer Device Only

Whether NetEnforcer records accounting data to the accounting database located on NetEnforcer. This must be selected for accounting to be active.

Data will be Collected and Saved Every

The data storage frequency and the granularity (fine measurement) of the stored data. Granularity means that the larger the setting for this parameter, the less information is recorded about the exact time a connection occurred, so less data is stored. This enables you to store data from a longer period of time. The minimum setting for this parameter is one hour. This granularity will subsequently impact the granularity of accounting reports.

Data will be Deleted From Server After

The length of time data is stored in the database. You can ensure that data does not saturate NetEnforcer's hard disk by determining the quantity of data saved. For example, if you set this parameter to one month, then every day at midnight, data accumulated more than one month prior to the current date is removed. Configure this option with care to avoid filling NetEnforcer's hard disk with accounting traffic data. Note that subsequent accounting report spans cannot be longer that the deletion span.

Use ODBC to Read Accounting Data

Whether host IP addresses are translated to string representations so that ODBC applications can read the accounting data. The strings are then stored in the Hosts table in the NetAccountant database. The default setting for this option is deselected. This option is normally disabled if you do not use an ODBC interface.

CAUTION:

The default setting of the Use ODBC to Read Accounting Data checkbox results in the following: IP addresses that were not resolved to names are not stored in the Hosts table. Note that in previous softwarversions, IP addresses that were not resolved to names were stored in the Hosts table.




Resolve DNS Names for Accounting Data

Whether NetEnforcer performs DNS resolving actions. When selected, IP addresses are translated to host names for the Accounting module. Ensure that you have defined a DNS server(s) in the IP & Host Name tab.

In the example on page 4-29, data is recorded each hour (or when data reaches a certain amount of memory) and data is deleted from the server after seven days.

External Accounting Setup The External Accounting tab enables you to configure the dispatch of accounting data to an external accounting server.

Figure 4-18 – External Accounting Parameters




Dispatch Accounting Data to External Repository Defined Below

Determines whether NetEnforcer dispatches accounting data to the external server indicated in this tab. Accounting data will not be dispatched if this checkbox is not selected.

Primary Server Host Name / IP Address

The host name or IP address of the primary server of the external accounting server.

Secondary Server Host Name / IP Address

The host name or IP address of the secondary server of the external accounting server.



RADIUS Setup The RADIUS Setup tab includes parameters that enable you to export accounting data to a RADIUS server. The RADIUS Setup parameters are only relevant when NetAccountant is enabled in your system. (This is indicated in the Product Ids & Key tab.) The NetAccountant module is described in the NetAccountant User's Manual.

NOTE:

You can configure NetEnforcer to send accounting data to both its own accounting database and to a RADIUS server. If you are using RADIUS, ensure that you configure parameters in the Accounting/RADIUS Storage tab as well.

Figure 4-19 – RADIUS Setup Parameters



The RADIUS Setup tab includes the following parameters:


Export Data to RADIUS Servers

Whether NetEnforcer exports data to a RADIUS server. This must be selected for RADIUS to be active.

Data will be Collected and Dispatched Every

The frequency at which data is collected and dispatched.

Primary RADIUS Server Host Name/IP Addr

The IP address or host name of the primary RADIUS server.

Shared Secret The password/secret to access the primary RADIUS server.

Reenter Secret The password/secret to access the primary RADIUS server.

Secondary RADIUS Server Host Name/IP Addr

The IP address or host name of the secondary RADIUS server. The secondary RADIUS server becomes active upon unavailability or failure of the primary server.

Shared Secret The password/secret to access the secondary RADIUS server.

Reenter Secret The password/secret to access the secondary RADIUS server.

Message Send Failure Timeout

The period of time during which NetEnforcer tries unsuccessfully to send a message to a RADIUS server before stopping. The value must be between 1 to 60 seconds.

# of Retries for Attempting Message Send

The number of times that NetEnforcer attempts to send a message after a timeout occurs. The value must be between 1 and 10.




# of Failed Messages Before Switch to Other Server

The number of unsuccessful message sending attempts that NetEnforcer executes before switching to the secondary server. The value must be between 1 and 200.

Send RADIUS Stop Messages Only

Whether NetEnforcer sends only RADIUS stop messages to a RADIUS server.



Accounting/RADIUS Storage The Accounting/RADIUS Storage tab includes parameters that enable you to control the content of the traffic data stored on disk (in the case of accounting) or accumulated in memory prior to dispatch (in the case of RADIUS). This is done by selecting the components according to which traffic data is accumulated. To accumulate traffic data means to accumulate the byte count of connections with the same components. The Accounting/RADIUS Storage parameters are only relevant when NetAccountant is configured in your system. The NetAccountant module is described in the NetAccountant User's Manual.

NOTE:

If you are using accounting or RADIUS, ensure that you configure parameters in the Internal Accounting and RADIUS Setup tabs as well.

Figure 4-20 – Accounting/RADIUS Storage Parameters



When creating a report in NetAccountant, you select the connection components that will be included in the report. The connection components available for selection are determined by the parameters selected in the Accounting/RADIUS Storage tab.

For accounting users, it is recommended not to select too many parameters, in order to avoid overrunning the accounting database with information. The more entities you select, the longer it takes NetEnforcer to export and to save data and the longer it will take to generate accounting reports. For hosts, recording data on an internal/external hosts basis rather than on a client/server basis demands much less resources. It is therefore recommended to select the first radio button in the Hosts Recording area.

The items available for selection are described below.

In the Hosts Recording area, select one of the radio buttons.

•

•

•

•

•

•

•

•

•

If you select the first radio button, you can select one of the following from the dropdown list: Internal Hosts: Information about traffic coming from each internal IP address is

recorded. External Host: Information about traffic coming from each external IP address is

recorded. Internal & External Host: Information about traffic coming from each internal

and external IP address is recorded.

If you select the second radio button, you can select one of the following from the dropdown list: Client: Information about the source of traffic under which the traffic was

classified is recorded. Server: Information about the destination of traffic under which the traffic was

classified is recorded. Client & Server: Information about the source and the destination of traffic under

which the traffic was classified is recorded.

If you select the third radio button, no hosts are recorded.



CAUTION:

If you select to aggregate data by client or server, many records may be generated. For example, if you select server then a record is created for each connection to a server. This could be a very high number if you are, for example, browsing the Internet.

In addition, you can select any or all of the entities in the Entity Recording area:

Pipe Information about the Pipe under which the traffic was classified. This includes explicitly defined Pipes and any Pipe instances that result from a Pipe template.

Virtual Channel Information about the Virtual Channel under which the traffic was classified. This includes explicitly defined Virtual Channels and any Virtual Channel instances that result from a Pipe template.

Service Information about the Service Catalog entry under which the traffic was classified.



LDAP/Text Source The LDAP/Text Source tab includes parameters that define the refresh rate for Host Catalog definitions that reference an LDAP server or text source file.

Figure 4-21 – LDAP/Text Source Parameters

In the Host Catalog, entries may be the result of querying an LDAP server or text source file. The parameters in the LDAP/Text Source tab define how often this query is performed to cover changes in the LDAP server or text source file. The LDAP/Text Source tab includes the following parameters:


LDAP/Text Auto–Refresh Rate

The time period after which LDAP or text information is refreshed, meaning external devices are read. If the value is zero or there is no value entered, there is no automatic refresh. Additionally, if there is a failure to read the device initially, NetEnforcer will retry after this period.




Refresh any LDAP-based….

Select this checkbox to refresh LDAP and text information every time the Policy Editor is saved.

VLAN The VLAN (Virtual Local Area Network) tab enables you to determine that the NetEnforcer is managed through specified VLAN-tagged traffic. For more information on VLANs refer to VLAN Catalog Editor in Chapter 7, Defining Catalog Entries.

Figure 4-22 – VLAN Parameters



CAUTION:

Please remember that once this option is set and the VLAN ID is specified, the NetEnforcer will be waiting for management traffic tagged with this specified VLAN.

If you have specified an erroneous VLAN ID, the NetEnforcer GUI will be waiting for management traffic from that VLAN and thus will become disconnected from the network.

If this option is specified erroneously, please refer to Chapter 2, Installing NetEnforcer, Setting Up NetEnforcer. Alternatively contact an Allot Communications service engineer.

To work in a VLAN environment check the checkbox and insert a number in the VLAN ID field. Management of the NetEnforcer traffic can only be through one VLAN, therefore the VLAN ID number must be consistent for operations within a specific NetEnforcer.

The VLAN tab includes the following parameters:


The NetEnforcer’s Management Traffic is VLAN Tagged

Check this box to specify that the NetEnforcer is managed through a VLAN.

Checking this box enables the VLAN ID field.

VLAN ID Insert a VLAN ID number from 2 to 4094. The number specifies which VLAN ID the NetEnforcer will be managed through.



Alerts The Alerts tab enables you to configure alert functionality. For more information on alerts, refer to Chapter 9, NetEnforcer Alerts.

Figure 4-23 – Alerts Parameters In the NetEnforcer Alerts Editor, you can specify that alerts are sent (in addition to the NetEnforcer Alerts Log) to an SMS target, via SNMP or to one or two email addresses.

The actual SMS target and the email addresses are specified in the Alerts tab.

The Alerts tab includes the following parameters:


Activate Alert Dispatching on NetEnforcer

Select this box to activate alert dispatch on NetEnforcer.

Primary Email Address The email address of the primary recipient.

Secondary Email Address The email address of the secondary recipient.




SMS Email Address The email address of the SMS target.

Source Email Address The email address of the source (e.g., the IT manager’s email address).

SMTP Server The address of the SMTP server.

Denial of Service (DoS) The Denial of Service (DoS) tab includes parameters that enable you to determine the frequency and number of connections, thereby giving a level of protection from attacks on the network resources (such as internally connected servers).

Figure 4-24 – Denial of Service Parameters



The Denial of Service tab includes the following parameters:


In Case of Denial of Service Attack, News Flows will be

The action that NetEnforcer takes when it reaches the maximum rate of new connections allowed for the model. The options in the dropdown menu are as follows: Admitted without QoS: New connections (flows) are admitted, but are not classified, and no QoS policy is applied. This is the default setting. Dropped: New connections (flows) are dropped.

Number of Connections Within NetEnforcer will be Limited to

You are able to define the threshold, for traffic suspected as an attack, by specifying the number of connections allowed at any one time. The default is the maximum number of connections that can be handled by your NetEnforcer. For the maximum number of connections your NetEnforcer model can handle, see the hardware description table in Chapter 2, Installing NetEnforcer. To view the number of connections over a specified period of time, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will assist in entering a realistic definition of an attack.

Maximum New Connections Establishment Rate (CER):

You are able to define the threshold, for traffic suspected as an attack, by specifying the number of new connections allowed per second. To view the number of connections per second, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will assist in entering a realistic definition of an attack. If the field is left blank, the NetEnforcer uses its default setting.

NOTE:

For additional details regarding the prevention and handling of DoS attacks, refer to Chapter 10, Detecting Security Threats.



Additional Configuration Options Using additional configuration options, you can backup a configuration, save it as a configuration file and then restore it as required. You can also verify configuration, as well as retrieve certain configuration parameters from a DHCP server. Finally, you can change the date and time settings on NetEnforcer.

Backing Up Configuration The Backup Configuration option enables you to back up configuration to a server and restore it to NetEnforcer at any time.

To back up configuration

1. From the Options menu in the NetEnforcer Configuration window, select Backup Configuration. The Backup Configuration dialog box is displayed:

Figure 4-25 – Backup Configuration Dialog Box

2. In the TFTP Server Address to Backup to field, enter the IP address of the backup TFTP server.

3. In the Backup File Name field, enter a name for the backup file. The specified backup file must exist on the server.

4. Click Backup. The current configuration is backed up to the specified TFTP server with the specified file name.



Restoring Configuration The Restore Configuration option enables you to restore a backed up configuration file to NetEnforcer at any time.

To restore a configuration file:

1. From the Options menu in the NetEnforcer Configuration window, select Restore Configuration. The Restore Configuration dialog box is displayed:

Figure 4-26 – Restore Configuration Dialog Box

2. In the TFTP Server Address to Restore From field, enter the IP address of the TFTP server where the configuration file is saved.

3. In the File Name on Server field, enter the name of the configuration file.

4. Click Restore. The following message is displayed: “Restore Configuration will reboot the NetEnforcer if the operation succeeds. This operation may take a while. Are you sure you want to restore configuration followed by rebooting the NetEnforcer now?”

5. Click Yes to restore the configuration and reboot the NetEnforcer.



Setting Date and Time The Set Date and Time option enables you to change the date and time settings on NetEnforcer.

To set the date and time:

1. From the Options menu in the NetEnforcer Configuration window, select Set Date and Time. The Date and Time Configuration dialog box is displayed:

Figure 4-27 – Date and Time Configuration Dialog Box

2. In the Current Date field, select the required date from the calendar.

3. In the Current Time field, enter the required time.

4. From the Time Zone dropdown list, select the required time zone.

5. Click Save to NetEnforcer. The following message is displayed:

Figure 4-28 – System Message

6. Click Yes to save the time and date settings and reboot NetEnforcer.



Verifying Configuration The Setup Verification option enables you to verify the configuration of selected peripheral devices.

To verify configuration:

1. From the Options menu in the NetEnforcer Configuration window, select Setup Verification. The Setup Verification dialog box is displayed:

Figure 4-29 – Setup Verification Dialog Box

2. Click Verify Now. Where relevant, the configuration parameters for the listed devices are displayed, checked and verified.

3. Click Close to close the Setup Verification dialog box.


Chapter 5: NetWizard Quick Start

NetWizard is an easy-to-use wizard that enables a network manager without a wide knowledge base to have an up-and-running NetEnforcer in a relatively short time. This chapter introduces NetWizard, describes its interface and functions, and describes how to define Quality of Service (QoS) policies using NetWizard.


Introducing NetWizard, page 5-2, introduces NetWizard and describes how it can help you to get the system up and running, as well as define more efficient Quality of Service (QoS) policies.

Monitoring Network Traffic, page 5-3, describes how to use NetWizard to monitor your network traffic.

Defining Policies, page 5-15, describes how to define QoS policies and apply them in your network.



Introducing NetWizard NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a network, enabling the network manager to quickly define QoS policies for each type of protocol in the network. This, in turn, improves the efficiency and application response time of the network. Several NetWizards can run in parallel, allowing several links to be monitored and configured at once.

NetWizard automatically identifies the traffic protocols in your network and then guides you through the QoS configuration process, working together with the NetEnforcer Policy Editor, allowing you to assign minimum and maximum bandwidth and priority for the various protocols. Simply open the Policy Editor while working in NetEnforcer to have complete control over your new policies. NetWizard allows you to dynamically and interactively build the Policy Table based on real-time monitoring information.

With NetWizard, you need not be initially acquainted with every protocol or the traffic patterns in your network in order to define QoS policy. Once you make your initial selections, a QoS policy is generated, enabling NetEnforcer to enforce that policy in your network. NetWizard monitoring can be paused to allow you to add new Service VCs to the policy table and then restarted with the changes already in place. Further refinement of the policy is possible at any time with NetEnforcer tools such as the Policy Editor and Catalog Editors. Policies defined using the NetWizard will automatically update the policy table.



Monitoring Network Traffic NetWizard monitors traffic in your network, automatically discovering the traffic protocols in your network and recording the amount of bandwidth they use. This enables you to identify traffic patterns in your network during peak and off-peak hours. The information collected will help you define QoS policies.

Before NetWizard begins to monitor your network, you must specify the following:

•

•

Length of the monitoring session: This is the time during which NetWizard monitors your network traffic and collects information. This process pauses when you opt to define policies.

Pipe to monitor: This is the Pipe whose traffic NetWizard will monitor. During the monitoring session, you can see an up-to-date picture of protocol activity in your network and statistics about bandwidth usage.



To monitor network traffic:

1. From the NetEnforcer Control Panel, click NetWizard. The NetWizard opening window is displayed:

2. Click Next. The following window is displayed:

Figure 5-1 – NetWizard Setup Window

3. In the Traffic Monitoring Running Time area, specify the length of the monitoring session. This is the time interval during which NetEnforcer collects information about all the protocols passing through your network. Enter a value (1-999) and select a unit of measurement (Minutes, Hours, or Days) from the dropdown list. The default monitoring session is 30 minutes.

TIP:

In order to get a picture of network usage over peak and off-peak periods, you should specify a longer monitoring session, for example, one working day.



4. In the Pipe Coverage area, select the Pipe whose traffic NetWizard will monitor in one of the following ways:

Select Pipe, click the browse button and select a Pipe whose traffic NetWizard will monitor. By default, the default Fallback Pipe is selected. If you have not yet defined additional Pipes (described in Chapter 8, Defining Policies), there is no need to change the selection.

•

• Select A new pipe if you want to create a new Pipe whose traffic NetWizard will monitor.

5. Click Next. If you selected to create a new Pipe in Step 4, the following screen is displayed. (If you selected a specific Pipe in Step 4, go to Step 8.)

Figure 5-2 – NetWizard: Create New Pipe Window



6. In the New Pipe Name field, enter a name for the Pipe.

7. Define the addresses you want the Pipe to cover as follows: Select the required address type radio button and enter the relevant details in the corresponding text field. For example, select Host and enter the host name in the text field.

•

• Click . The address is added to the Target Address(es) list. Add further addresses as required. •

NOTE:

To remove an address from the Target Address(es) list, select the address in the list and click .

8. Click Next. The NetWizard Monitoring window is displayed, showing the Graphs view:

Figure 5-3 – NetWizard Monitoring Window: Graphs View



NOTE:

If for any reason your system crashed during a previous NetWizard monitoring session, a message is displayed asking whether you want to continue the previous session or start a new one.

You can view the information collected during the monitoring session either in real-time (during the monitoring session) or once the monitoring session is finished.

The progress of the monitoring session is indicated in the status bars in the lower section of the Monitoring window.

The status bar on the left estimates the amount of time left until NetEnforcer completes a sample and updates the Monitoring window. The default sample period is 30 seconds. In the example on page 5-6, there are 18 seconds left to the end of the sample period, at which time NetEnforcer will update the monitoring window.

The status bar on the right indicates the time remaining in the monitoring session. In the example on page 5-6, there are 29 minutes, 56 seconds left in the monitoring session.

The NetWizard Monitoring window includes the following buttons:

Button Description

Displays a graphical representation of bandwidth usage in your network and the cumulative protocol rate for the various protocols in your network traffic. Refer to Viewing Graphs, page 5-8, for more information.

Displays statistics relating to the protocols in your network traffic. Refer to Viewing Statistics, page 5-10, for more information.

Displays information relating to the monitoring sample. Refer to Viewing Information, page 5-12, for more information.

Displays a log of events used for system troubleshooting. Refer to Viewing the Log, page 5-14, for more information.



Button Description

Displays protocol information for outbound traffic only.

Displays protocol information for inbound traffic only.

Pauses the monitoring session and moves to the defining policy screen. Refer to Defining Policies, page 5-15, for more information.

Cancels the monitoring session and closes NetWizard.

Displays online help.

Viewing Graphs The Graphs view, shown on page 5-6, displays a graphical representation of bandwidth usage in your network and the cumulative protocol rate for the various protocols in your network traffic during the current monitoring session. You can display this information for either inbound or outbound traffic by clicking the Inbound/Outbound button at the top-right side of the Monitoring window. To display the Graphs view, click the Graphs button.

TIP:

Hold down the <Shift> key and drag the mouse in the pie chart area to toggle the 3D effect.

Bandwidth Usage The bandwidth usage graph on the left of Graphs view displays the percentage of the total capacity of bandwidth used by cumulative inbound/outbound traffic.

In the example shown on page 5-6, the maximum capacity of the WAN interface is 45Mbps and the total cumulative bandwidth usage is 0.01% of the available WAN bandwidth. The bar is blue when less than 60% of bandwidth is used, and becomes red when it passes 60%.



Cumulative Average Protocol Rate The protocol distribution pie chart on the right of Graphs view displays the ten most active protocols passing through NetEnforcer during the current monitoring session, and the average percentage of the total bandwidth that each protocol used. The Protocols legend on the right of the pie chart indicates the color used in the pie chart to represent each protocol and the percentage of total bandwidth used by each protocol. Protocols are listed in descending order, with the highest consumer of bandwidth at the top.

You can click a protocol in the pie chart or legend to display a popup box with the following information:

• • •

Protocol name

Percentage of total bandwidth used by this protocol in this monitoring session

Average number of kilobits used per second



Viewing Statistics The Statistics view, shown below, displays traffic usage statistics. You can display this information for either inbound or outbound by clicking the Outbound/Inbound button at the top-right side of the Monitoring window. To access the Statistics view, click the Statistics button.

Figure 5-4 – NetWizard Monitoring Window: Statistics View



The Statistics view displays a table of all protocols passing through your network during the monitoring session and includes the following information:

Protocol Name The name of the protocol.

% of Relative Usage The percentage of the total used bandwidth that the protocol used.

Rate (Kbps) The average number of kilobits per second used by the protocol.

% of Total BW The percentage of the total available bandwidth for the Pipe used by the protocol.

The protocols are displayed in descending order, with the most active protocol at the top. Below the table of protocols, the following bandwidth information is displayed:

Max. Used The maximum amount of bandwidth used during this monitoring session.

Cumulative Avg. Used The average bandwidth used during this monitoring session for all protocols.

Capacity The maximum amount of bandwidth available.



Viewing Information The Information view, shown below, displays information about the monitoring session. You can display this information for either inbound or outbound traffic by clicking the Inbound/Outbound button at the top-right side of the Monitoring window. To access the Information view, click the Information button.

Figure 5-5 – NetWizard Monitoring Window: Information View



The following read-only information is displayed:

Monitoring Start Time on NetEnforcer

The time the monitoring session began.

Monitoring End Time on NetEnforcer

The time the monitoring session ended/will end.

Sample Interval The length of the sample period. After each sample period, NetEnforcer updates the Monitoring window. The default sample period is 30 seconds. You can configure this period in the Monitoring tab of the NetEnforcer Configuration window, described in Chapter 4, Configuring NetEnforcer.

Estimated Total Samples to be Collected

The estimated number of samples that NetEnforcer will collect during a monitoring session.

Time Elapsed The amount of time that has elapsed since the monitoring session began.

Time Remaining The amount of time remaining in the monitoring session.

Number of Samples Collected

The number of samples that NetEnforcer has collected so far.

Estimated Number of Samples Remaining

The estimated number of samples that NetEnforcer has yet to collect.

Next Sample Time on NetEnforcer

The time at which NetEnforcer will begin collecting the next sample.

Error Count The number of errors encountered by NetEnforcer during the current monitoring session.



Viewing the Log The Log view, shown below, displays a log of events for the current session that can be used for system troubleshooting. To access the Log view, click the Log button.

Figure 5-6 – NetWizard Monitoring Window: Log View

The log is cleared at the end of each monitoring session.



Defining Policies A monitoring session may be paused at any time to allow you to compare the traffic statistics you have received thus far with the business priorities of your organization and use the information to begin creating a QoS policy to improve the performance of your network. Monitoring may be restarted once you have set the policies you wish. In this way, you can create your QoS policy step by step as you learn more about your network’s bandwidth usage.

In order to set a QoS policy for a protocol, you specify one or more of the following: • • •

The minimum bandwidth you want for the protocol. The maximum bandwidth you want for the protocol. The priority you want to give to the protocol.

NOTE:

QoS is defined for both inbound and outbound traffic.

When the monitoring session is paused, NetEnforcer stops monitoring network traffic for the time being and displays the Policy Definition window.



Figure 5-7 –Policy Definition Window

The Policy Definition window enables you to define QoS policies. The Monitoring Results area displays all protocols that passed through NetEnforcer thus far in the Monitoring process and all other protocols that have previously been assigned a QoS policy. For each protocol, you can see the average bandwidth used per second (Rate (Kbps)) and the percentage of the total bandwidth used by the protocol (% of Total BW). The protocols are listed according to the percentage of total bandwidth they used, in descending order. You can specify QoS policies in the Your QoS Definitions area, as described below.

The information in the Monitoring window is no longer updated and represents a final picture of traffic usage during the monitoring session. You can click Continue Monitoring in the Policy Definition window to Monitoring window in order to continue an ongoing Monitoring window session or to view the statistics of a concluded one.



If required, you can also end the monitoring session before it has finished. Click Cancel in the Monitoring window. A confirmation message is displayed. Click Yes to end the monitoring session. Any data collected up to that point will be lost.

To set QoS policy:

1. In the Policy Definition window, specify the minimum bandwidth to be assigned to a protocol by clicking the Min. BW (%) field, entering a percentage value and pressing <Enter>. For example, in Figure 5-7, if you want to ensure the HTTP protocol is minimally allocated 24% of the total available bandwidth at all times, enter 24.

2. Specify the maximum bandwidth to be assigned to a protocol by clicking the Max. BW (%) field, entering a percentage value and pressing <Enter>.

NOTE:

You can specify either a minimum or maximum bandwidth for a protocol, or both.

3. Specify the priority given to a specific protocol by clicking the Priority field and selecting High, Medium or Low from the dropdown list. For example, if you want a specific protocol to receive top priority, select high from the dropdown list.

NOTE:

If two protocols have the same priority and there is not enough bandwidth available for both, the available bandwidth is split evenly between them.

4. Select the Assign checkbox to the left of the protocol name to assign the QoS policy that you defined in steps 2 through 4 to the protocol upon saving.

NOTE:

You do not have to specify all three of the QoS definitions for each protocol.

5. In the Fallback fields at the lower left of the screen, repeat steps 2 through 4 to define a default QoS policy. This policy is applied to protocols that do not have a specific policy defined for them.

NOTE:

If required, click Assigned in the View Protocols area to display only those protocols that have been assigned a QoS policy. Clicking All redisplays all protocols.

6. Click Save. A confirmation message is displayed.



7. Click Yes to save your definitions. NetEnforcer now enforces the QoS policies that you defined.

8. Click Close to close NetWizard.

QoS Examples This section provides some examples of QoS settings and how they may affect your network traffic.

Example 1 NETBIOS-UDP Protocol Min BW: 20% Inbound traffic has a maximum capacity of 100Mbps and outbound traffic has a maximum capacity of 50Mbps.

This means that inbound NETBIOS-UDP traffic is guaranteed 20Mbps of bandwidth and outbound NETBIOS-UDP traffic is guaranteed 10Mbps of bandwidth.

Example 2 HTTP Protocol Priority: High

FTP Protocol Priority: Medium Total bandwidth for inbound traffic is 30Mbps. If 20Mbps of HTTP traffic and 20Mbps of FTP traffic come together, the HTTP traffic is given priority. Thus the HTTP traffic receives 20Mbps of bandwidth and the FTP traffic gets 10Mbps. When more bandwidth is available, the FTP traffic will get the rest.


Chapter 6: Monitoring Network Traffic

This chapter describes monitoring with the NetEnforcer monitoring tool. The monitoring tool helps you analyze the traffic flowing through your NetEnforcer and aids you in determining the optimum configuration for your system.


Overview, page 6-1, provides an overview of the NetEnforcer monitoring tool and how you can monitor your network traffic.

NetEnforcer Monitoring Window, page 6-8, describes the menu bar and toolbar in the NetEnforcer Monitoring window.

Monitoring Graphs, page 6-21, describes the different monitoring graphs available in NetEnforcer.

Long-term Monitoring, page 6-51, describes how to use Long Term Monitoring in NetEnforcer.



Overview NetEnforcer's monitoring tool enables you to monitor applications, protocols, policies, clients and servers in real time and to verify enforcement of the most suitable QoS policy.

Different applications, such as e-Business, ERP and real-time applications require performance guarantees. Other mission-critical applications may suffer from a shortage of bandwidth, while non-critical Web browsing and batch traffic, such as mail and FTP, may use up network resources. In other network setups, some users require a higher level of service than others. For example, internationally dispersed branch offices have expensive narrow WAN links to headquarters and many different users share the same bandwidth. On campuses, students overload network resources (WAN connection, caches, servers) with excessive requests for service (audio traffic), while the administration suffers from reduced available bandwidth and longer response time.

Therefore, your ability to monitor network performance determines your success in fine-tuning network performance based on your business requirements. The monitoring tool is designed to help you fine-tune your network performance.

When and where your network has peaks, bursts and bottlenecks is hard to predict. The monitoring tool enables you to see these peaks in real time, which is crucial to managing these unwanted phenomena.

NetEnforcer enables you to monitor network traffic on three levels, as follows:

• • •

NetEnforcer Level: Where you can monitor traffic on NetEnforcer as a whole.

Pipe Level: Where you can monitor traffic for a specific Pipe(s).

Virtual Channel Level: Where you can monitor traffic for a specific Virtual Channel(s) within Pipe(s).



Using the monitoring tool, you can view different graphs at each level. The different graphs are described in Monitoring Graphs, page 6-21. All graphs are displayed in the NetEnforcer Monitoring window and share common functionality. A quick tour of the NetEnforcer Monitoring window is provided on page 6-6. You can display up to ten monitoring windows at the same time and display them as your Favorite View.

Figure 6-1 – Sample Favorite View

There are several different types of graphs, and different formats in which graphs can be displayed. Graph types and formats are described in the following pages.



Graph Types NetEnforcer displays monitoring information in two types of graphs, as follows:

• Current/Cumulative: Displays information for sample periods. A Current-type graph displays information for the latest whole sample period only. The sample period is defined in your system parameters, described in Chapter 4, Configuring NetEnforcer. A Cumulative-type graph displays information for an average sample period, where the average is calculated for data accumulated during the last X samples (where X is between 1 to 144, and is defined in the graph settings, described on page 6-18). For example, where X is defined as 100. When a graph is created, the cumulative refers to the samples from the beginning of the graph and forward, until 100 samples have passed. When the sample number 101 arrives, the samples taken into account are samples 2 through 101, and so on. Only the 100 last samples are used to calculate the average. Current-type graphs can also be displayed as Cumulative-type graphs and vice versa.

NOTE:

The Utilization graph, described on page 6-32, can only be displayed as a Current-type graph.

• Continuous: Displays information for a range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph, and is defined in the graph settings, described on page 6-18. The Pipes Distribution, Virtual Channels Distribution, Dropped Packets, Bandwidth and Connections graphs are Continuous-type graphs.



Graph Views By default, data is displayed in a chart or graph. However, you can also display the values in table format, as well as the definitions for each graph. These different views are called Chart View, Table View and Definitions View, and examples are shown below.

Definitions View

Table View

Chart View Figure 6-2 – Graph Views



Graph Styles When in Chart View, you can alternate the layout style of the graph between a Bar chart and a Pie chart or between a Line chart and a stacked Area chart. Different graphs have different styles. For example, a Pipes Distribution graph (described on page 6-25) can be displayed as a Line chart or Area chart. A Most Active Clients graph (described on page 6-48) can be displayed as a Bar chart or Pie chart.

Following are examples of different graph styles.

Figure 6-3 – Bar Chart Figure 6-4 – Pie Chart

Figure 6-5 – Line Chart Figure 6-6 – Area Chart



You can manipulate graphs as follows:

•

•

Zoom into a graph by holding down the <Shift> key and dragging a box around the area that you want to zoom in the graph.

Move a graph by holding down the <Ctrl> key and dragging the graph.

Press <r> to reset the graph.

TIP:

Click in the toolbar at anytime to display a tooltip describing these zoom and move actions.

In/Out Bandwidth The monitoring graphs display information about bandwidth consumed by inbound and outbound traffic, as follows:

Inbound Bandwidth consumed by incoming traffic only.

Outbound Bandwidth consumed by outgoing traffic only.

In/Out Bandwidth consumed by both incoming and outgoing traffic.

Clicking a point in a monitoring graph displays the bandwidth value at the selected point, as shown below:

Figure 6-7 – Displaying Bandwidth



NetEnforcer Monitoring Window The different NetEnforcer monitoring graphs are displayed in a Monitoring window. A sample Monitoring window is shown below:

Graph Display AreaStatus Bar Graph View

ToolbarMenu Bar

Graph Display AreaStatus Bar Graph View

ToolbarMenu Bar

Figure 6-8 – Sample Monitoring Window



The menu bar and toolbar are similar for all graph types, and are described on the following pages. The graph display area varies according to the graph displayed. The different monitoring graphs are described on page 6-21.

NOTE:

Up to ten Monitoring windows can be displayed simultaneously.

Accessing Monitoring Graphs In NetEnforcer, you can access monitoring graphs for all network traffic, or filtered for specific Pipes or Virtual Channels. A table of the graphs available at each level is shown on page 6-24. Access is available through the Monitoring menu in the NetEnforcer Control Panel.

Figure 6-9 – NetEnforcer Monitoring Menu

Access varies according to the monitoring level.

To access a monitoring graph at the NetEnforcer level:

• From the Monitoring menu, select NetEnforcer Level and then select the monitoring graph required. The selected monitoring graph is displayed in the Monitoring window.

NOTE:

Monitoring graphs are named as follows: (name of graph) for (name of VC)_(name of Pipe). For example, Most Active Servers for VC1_Gold Pipe.



To access a monitoring graph at the Pipe level:

1. From the Monitoring menu, select Pipe Level and then select the monitoring graph required. A window showing the Pipes defined in your NetEnforcer is displayed.

Figure 6-10 – Accessing Monitoring Graphs: Pipe Level

NOTE:

You can expand a Pipe template to see instances of its corresponding Pipes.

2. Select the Pipe by which to filter the selected monitoring graph and click OK. The selected monitoring graph for the selected Pipe is displayed in the Monitoring window.

NOTE:

You can also display a monitoring graph for a Pipe by right-clicking the Pipe in the Policy Editor and selecting Monitoring, then the monitoring graph required.



To access a monitoring graph at the Virtual Channel level: 1. From the Monitoring menu, select Virtual Channel Level and then select the

monitoring graph required. A window showing the Pipes and Virtual Channels defined in your NetEnforcer is displayed.

Figure 6-11 – Accessing Monitoring Graphs: Virtual Channel Level

NOTE:

You can expand a Pipe or Virtual Channel template to see instances of its corresponding Pipes or Virtual Channels.

2. Select the Virtual Channel by which to filter the selected monitoring graph and click OK. The selected monitoring graph for the selected Virtual Channel is displayed in the Monitoring window.

NOTE:

You can also display a monitoring graph for a Virtual Channel by right-clicking the Virtual Channel in the Policy Editor and selecting Monitoring, then the monitoring graph required.



Monitoring Window Menu Bar The menu bar in the NetEnforcer Monitoring window includes four menus, described in the following sections.

File Menu

The File menu includes the following options:

Pause Graph Suspends the visual update of the graph. Clicking Pause Graph again restores the visual update.

Print Prints the graph.

Add to Long-Term Monitoring Requests

Enables a selected graph to be available through NetHistory. Refer to Long-term Monitoring with NetHistory on page 6-51.

Exit Closes the graph.

Edit Menu

The Edit menu includes the following options:

Other Graphs for… Enables you to quickly open any other graph for the same target. For example, when a graph is opened at NetEnforcer level, you can open any other graph at NetEnforcer level.



Other Targets for… Enables you to quickly open the same graph for a different target. For example, when the Most Active Clients graph is open at NetEnforcer level, you can also open the Most Active Clients graph at Pipe and Virtual Channel level.

View Menu

The View menu includes the following options:

Chart Displays the graph in Chart View. Refer to Graph Views, page 6-5. Table Displays the graph in Table View. Refer to Graph Views,

page 6-5. Definitions Displays the graph in Definitions View. Refer to Graph Views,

page 6-5. In-Bandwidth Displays the graph for incoming bandwidth only. Out-Bandwidth Displays the graph for outgoing bandwidth only. In+Out Bandwidth

Displays the graph for both incoming and outgoing bandwidth.

Average Bandwidth

Displays the average bandwidth consumed by traffic, meaning the amount of bandwidth consumed divided by the length of the sample period.



Active Average Bandwidth

Displays the active average bandwidth consumed by traffic, meaning the amount of bandwidth consumed divided by the length of the sample period when there actually was traffic.

Current View Displays the graph for the latest whole sample period only. Refer to Graph Types, page 6-4.

Cumulative View

Displays the graph for an average sample period. Refer to Graph Types, page 6-4.

Cumulative Range View

Enables you to select a more specific and limited range within the cumulative period. The cumulative period is the last X samples, where X is defined in the graph settings, described on page 6-18. You select a start time and an end time, which define the time period for the calculation of the average sample period shown in Cumulative View.

Style Menu

The Style menu includes the following options:

Hide Menu Bar Hides/displays the Monitoring window menu bar and toolbar. After hiding the menu bar and toolbar, you can re-display them by clicking displayed at the top right of the Monitoring window.

Show/Hide 'All Others' Hides/displays statistics for All Others in the monitoring graphs. This is useful when bandwidth for All Others is large compared to the selected Pipe or Virtual Channel.



Bar Chart Displays a Pie chart as a Bar chart. Refer to Graph Styles, page 6-6.

Pie Chart Displays a Bar chart as a Pie chart. Refer to Graph Styles, page 6-6.

Line Chart Displays a stacked Area chart as a Line chart. Refer to Graph Styles, page 6-6.

Area Chart Displays a Line chart as a stacked Area chart. Refer to Graph Styles, page 6-6.

Help Menu

The Help menu includes the following option:


Monitoring Window Toolbar The toolbar in the Monitoring window enables easy access to many of the functions available from the menu bar. The toolbar includes the following buttons:

Pause Graph Suspends the visual update of the graph.

Clicking Pause Graph again restores the visual update.

Print Prints the graph.

Other Graphs for … Enables you to quickly open any other graph

for the same target. For example, when a graph is opened at NetEnforcer level, you can open any other graph at NetEnforcer level.



Other Targets for … Enables you to quickly open the same graph

for a different target. For example, when the Most Active Clients graph is open at NetEnforcer level, you can also open the Most Active Clients graph at Pipe and Virtual Channel level.

Chart Displays the graph in Chart View. Refer to

Graph Views, page 6-5.

Table Displays the graph in Table View. Refer to

Graph Views, page 6-5.

Definitions Displays the graph in Definitions View.

Refer to Graph Views, page 6-5.

Style Enables you to change the style of the graph.

Refer to Graph Styles, page 6-6.

Hide Menu Bar Hides the menu bar, toolbar and status bar.

Click the icon at the top of the graph to redisplay the menu bar, toolbar and status bar. This is useful for maximizing graph space.

Zoom Displays a tooltip describing the zoom and

move graph functions.

Help Provides access to online help.



Setting Up and Using a Favorite View You can display up to ten Monitoring windows at the same time and arrange them as required. You can save a particular arrangement of Monitoring windows as your Favorite View. The default Favorite View displays the following monitoring graphs: • • • • •

•

Utilization for NetEnforcer Virtual Channels Distribution for NetEnforcer Most Active Protocols for NetEnforcer (Total) Internal Hosts for NetEnforcer (Total) External Hosts for NetEnforcer (Total)

To display the Favorite View:

From the Monitoring menu, select My Favorite View. The Favorite View is displayed.

To set the Favorite View:

1. Arrange the Monitoring windows as required.

2. From the Monitoring menu, select Settings and then Save as My Favorite View. The current arrangement of Monitoring windows is saved as the Favorite View. The Favorite View is also preserved for future sessions when NetEnforcer is accessed from the same client machine.



Monitoring Settings The Monitoring Settings enable you to specify the number of Pipes, Virtual Channels, Protocols, Clients and Servers displayed in the Most Active graphs, and the time span for continuous graphs.

To define settings:

1. From the Monitoring menu, select Settings and then Graphs Features. The Graphs Features dialog box is displayed:

Figure 6-12 –Graphs Features Dialog Box



2. Modify the values for each parameter, as follows:

Number of Most Active Pipes and VCs (1-25)

The number, between 1 and 25, of Pipes and Virtual Channels that will be displayed in the Most Active Pipes and Most Active Virtual Channels graphs.

Number of Most Active Protocols (1-25)

The number, between 1 and 25, of Protocols that will be displayed in the Most Active Protocols graphs.

Number of Most Active Hosts, Clients and Servers (1-25)

The number of Hosts, Clients and Servers, between 1 and 25, that will be displayed in the Most Active Hosts, Clients and Servers graphs.

Time Span for Continuous Graphs

Minutes (1-60) Hours 1-24

The period of time, between 1 and 60 minutes, or between 1 and 24 hours, over which the data for Continuous-type graphs is displayed. This is the maximal width of the X-axis for these graphs.

Data Collection Range (in number of samples) for Cumulative Graphs (1-144)

The number of samples used to calculate the average sample for Cumulative-type graphs. For example, when 10 is specified, a Cumulative-type graph will display an average for the data collected during the last 10 sample periods.

Number of Last Used Graphs (1-15)

The number of the most recently viewed graphs to display below the other options in the Monitoring menu.



Details for ‘Most Active’ Graphs

If you select Yes, the following occurs:

In Protocols graphs, for any protocol that is not a service, the port number is displayed as part of the legend.

In any Hosts/Clients/Servers graphs, the IP is displayed as part of the legend, as shown below:

No is the default setting.

3. Click Save to save your settings to NetEnforcer.



Monitoring Graphs The NetEnforcer Monitoring window provides many different graphs. Some of the graphs can be displayed for all three levels, while others can only be displayed for a single level. At NetEnforcer level, some graphs can be displayed for the whole NetEnforcer or for a selected Protocol, Host, Client or Server. At all levels, some graphs can be displayed showing inbound bandwidth only, outbound bandwidth only or total bandwidth.

The following table lists the monitoring graphs, indicating at which level they are available as well as their graph type:

Graph Name NetEnforcer Level

Pipe Level VC Level Graph Type

Pipes Distribution

Continuous

Virtual Channels Distribution

Continuous

Bandwidth Continuous

Connections Continuous

Utilization Current

Packets Continuous

Most Active Pipes

Current/ Cumulative

Most Active Virtual Channels

Current/ Cumulative





Most Active Protocols

You can select the Most Active Protocols graph for the following: •

•••

For the Whole NetEnforcer

For a Host For a Client For a Server

For each you can select to display the Total, Inbound or Outbound bandwidth.

You can select to display the Total, Inbound or Outbound bandwidth.


Current/ Cumulative

Most Active Hosts

You can select the Most Active Hosts graph for the following: •

•


For a Protocol




Current/ Cumulative





Most Active Internal Hosts

You can select the Most Active Internal Hosts graph for the following: •

•

For the Whole NetEnforcer For a Protocol




Current/ Cumulative

Most Active External Hosts

You can select the Most Active External Hosts graph for the following: •

•

For the Whole NetEnforcer For a Protocol




Current/ Cumulative





Most Active Clients

You can select the Most Active Clients graph for the following: •

•


For a Protocol




Current/ Cumulative

Most Active Servers

You can select the Most Active Servers graph for the following: •

•


For a Protocol




Current/ Cumulative

Table 6-1 – Available Monitoring Graphs

NOTE:

Pipes or Virtual Channels that are defined as Ignore QoS cannot be seen in the monitoring graphs.



Pipes Distribution The Pipes Distribution monitoring graph is available at the NetEnforcer level only. It displays the bandwidth consumed by the Pipes in your network. You can view inbound and outbound bandwidth together (shown below) or separately.

Figure 6-13 – Pipes Distribution Graph

The Pipes Distribution graph can be displayed as a stacked Area chart (above) or as a Line chart.

As a Continuous-type graph, the Pipes Distribution graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.

NOTE:

Clicking a point in a Continuous-type graph displays the bandwidth value at the selected point.



The Pipes Distribution graph displays the average bandwidth in Kbps consumed by each selected Pipe. You can also display the active average bandwidth consumed by each Pipe, meaning the amount of bandwidth consumed divided by the length of the sample period when there actually was traffic.

You can simultaneously view other monitoring graphs for a specific Pipe by right-clicking the required Pipe in the graph, or in the list on the right side of the window, and selecting the graph that you want to see from the displayed popup menu.

Figure 6-14 – Selecting Other Graphs



Virtual Channels Distribution The Virtual Channels Distribution monitoring graph is available at the NetEnforcer level only. It displays the bandwidth consumed by the Virtual Channels in your network. You can view inbound and outbound bandwidth together or separately.

Figure 6-15 – Virtual Channels Distribution Graph

The Virtual Channels Distribution graph can be displayed as a stacked Area chart or as a Line chart (above).

As a Continuous-type graph, the Virtual Channels Distribution graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.



The Virtual Channels Distribution graph displays the average bandwidth in Kbps consumed by each selected Virtual Channel. You can also display the active average bandwidth consumed by each Virtual Channel, meaning the amount of bandwidth consumed divided by the length of the sample period when there actually was traffic.

NOTE:

For example, in a sample period of 60 seconds, traffic is 300Kbps for 30 seconds, and there is no traffic for the remaining 30 seconds. The average bandwidth is 150Kbps since the whole sample period is considered. The active average bandwidth is 300Kbps.

You can simultaneously view other monitoring graphs for a specific Virtual Channel by right-clicking the required Virtual Channel in the graph or in the list on the right side of the window, and selecting the graph that you want to see from the displayed popup menu.



Bandwidth The Bandwidth monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays bandwidth information for NetEnforcer or a selected Pipe or Virtual Channel.

Figure 6-16 – Bandwidth Graph

The Bandwidth graph is displayed as a Line chart. You cannot change this display.

As a Continuous-type graph, the Bandwidth graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.

The following information can be viewed in the Bandwidth graph:

In-Bandwidth The bandwidth consumed by incoming traffic for the selected Pipe or Virtual Channel.

Out-Bandwidth The bandwidth consumed by outgoing traffic for the selected Pipe or Virtual Channel.



Lines indicating the minimum and maximum bandwidth may be displayed in the graph, using additional options available in the Style menu, as follows:

•

•

•

No Min/Max Lines: No lines indicating minimum or maximum bandwidth are displayed in the Bandwidth graph. This is the default display.

Inbound Min/Max Lines: Lines indicating minimum and maximum inbound bandwidth are displayed in the Bandwidth graph.

Outbound Min/Max Lines: Lines indicating minimum and maximum outbound bandwidth are displayed in the Bandwidth graph.

NOTE:

These additional options are only available when minimum and maximum bandwidths are defined for the Pipe or Virtual Channel (in the QoS Catalog entry selected as the value for the QoS of the Pipe or Virtual Channel).



Connections The Connections monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays connections information for NetEnforcer or a selected Pipe or Virtual Channel.

Figure 6-17 –Connections Graph

SECURITY NOTE:

The Connections graph helps in DoS attack monitoring and enables you to detect DoS attacks in real time. Look for a high number of live connections or new connections per second. This may be an indication of a DoS attack.

The Connections graph is displayed as a Line chart. You cannot change this display.

The Connections graph has two Y-axes. On the left is the scale for live and new connections and on the right is the scale for new connections per second. The scales are very different.

As a Continuous-type graph, the Connections graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.



The following information can be viewed in the Connections graph:

Live Connections The number of currently open connections for the selected Pipe or Virtual Channel.

New Per-Second Connections

The average number of new connections, meaning the number of new connections divided by the interval period.

Utilization The Utilization monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays the inbound and outbound bandwidth consumed by NetEnforcer, or a selected Pipe or Virtual Channel, in relation to the minimum and maximum bandwidth defined for NetEnforcer or the selected Pipe or Virtual Channel.

Figure 6-18 – Utilization Graph

The Utilization graph is displayed as two horizontal bars representing inbound and outbound bandwidth. You cannot change this display. The bandwidth consumed is displayed in the horizontal bar and, above the horizontal bar, the consumed bandwidth as a percentage of the maximum bandwidth is displayed



NOTE:

The Utilization graph is not available for a Pipe or Virtual Channel for which no maximum bandwidth has been defined (in the QoS Catalog entry selected as the value for the QoS of the Pipe or Virtual Channel).

The Utilization graph is a Current-type graph only. This means that it displays information for the latest whole sample period only. It cannot be displayed as a Cumulative-type graph to provide information for accumulated data.

Packets The Packets monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays the number of packets passed in relation to NetEnforcer or a selected Pipe or Virtual Channel. This enables you to plan future bandwidth requirements by following historical trends. Refer to Long-Term Monitoring, page 6-51, on how to view long-term trends.

You can view packets relating to inbound and outbound traffic together (shown below) or separately.

Figure 6-19 –Packets Graph



The Packets graph is displayed as a Line chart. You cannot change this display. The Y-axis is the scale for the number of packets passed.

As a Continuous-type graph, the Packets graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.



Most Active Pipes The Most Active Pipes monitoring graph is available at the NetEnforcer level only. It displays the average inbound and outbound bandwidth consumed by the most active Pipes defined in the Policy Editor. The maximum number of Pipes displayed, between 1 and 15, is defined in the graph settings, described on page 6-18.

Figure 6-20 – Most Active Pipes Graph

The Most Active Pipes graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Pipes graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)



You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed.

Figure 6-21 – Cumulative Range Dialog Box

Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK.

You can simultaneously view other monitoring graphs for a specific Pipe by right-clicking the required Pipe in the graph or in the list on the right side of the window, and selecting the graph that you want to see from the displayed popup menu.



Most Active Virtual Channels The Most Active Virtual Channels monitoring graph is available at the NetEnforcer and Pipe levels. It displays the average inbound and outbound bandwidth consumed by the most active Virtual Channels defined in the Policy Editor. The maximum number of Virtual Channels displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-22 – Most Active Virtual Channels Graph

The Most Active Virtual Channels graph can be displayed as a Bar chart or as a Pie chart (above).



As a Current/Cumulative-type graph, the Most Active Virtual Channels graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK. You can simultaneously view other monitoring graphs for a specific Virtual Channel by right-clicking the required Virtual Channel in the graph or in the list on the right side of the window, and selecting the graph that you want to see from the displayed popup menu.



Most Active Protocols The Protocols Distribution monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays the average inbound and outbound bandwidth consumed by the most active Protocols in your network.

At the NetEnforcer level, you can select to display the Most Active Protocols graph for the whole NetEnforcer or for a selected Host, Client or Server. At all levels, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

Figure 6-23 – Most Active Protocols Graph

The Most Active Protocols Distribution graph can be displayed as a Pie chart (above) or as a Bar chart.



As a Current/Cumulative-type graph, the Most Active Protocols graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK.

Adding Virtual Channels From the Most Active Protocols graph, you can create a Virtual Channel based on a selected protocol.



To add a Virtual Channel:

1. Right-click a protocol in the Most Active Protocols graph and select Add Virtual Channel with Service (selected service name) on. The Policy Editor opens and the Select Pipe dialog box is displayed.

Figure 6-24 – Select Pipe Dialog Box

2. Select a Pipe and click OK. A Virtual Channel is added to the selected Pipe based on the selected service.

NOTE:

You select a Pipe only if the Most Active Protocols graph was opened at NetEnforcer Level. If it was opened on Pipe or Virtual Channel level, the new Virtual Channel is added automatically to the Pipe on which the Most Active Protocols graph was opened initially.

If the selected protocol exists as an entry in the Service Catalog, the existing service (protocol) is used. If the selected protocol does not exist as an entry in the Service Catalog, a new service entry is created based on the monitored protocol.



Most Active Hosts The Most Active Hosts monitoring graph is available at NetEnforcer, Pipe and Virtual Channel level. It displays the average inbound and outbound bandwidth consumed by the hosts that are on the internal and external side of the NetEnforcer (clients or servers). NetEnforcer monitors the amount of data to and from each host.

You can select to display the Most Active Hosts graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of hosts displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-25 – Most Active Hosts Graph

The Most Active Hosts graph can be displayed as a Bar chart (above) or as a Pie chart.



As a Current/Cumulative-type graph, the Most Active Hosts graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)


Most Active Internal Hosts The Most Active Internal Hosts monitoring graph is available at NetEnforcer, Pipe and Virtual Channel level. It displays the average inbound and outbound bandwidth consumed by the hosts that are on the internal side of the NetEnforcer (clients or servers). NetEnforcer monitors the amount of data to and from each internal host.

You can select to display the Most Active Internal Hosts graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.




Figure 6-26 – Most Active Internal Hosts Graph

The Most Active Internal Hosts graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Internal Hosts graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)




Most Active External Hosts The Most Active External Hosts monitoring graph is available at NetEnforcer, Pipe and Virtual Channel level. It displays the average inbound and outbound bandwidth consumed by the hosts that are on the external side of the NetEnforcer (clients or servers). NetEnforcer monitors the amount of data to and from each external host.

You can select to display the Most Active External Hosts graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.




Figure 6-27 – Most Active External Hosts Graph

The Most Active External Hosts graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active External Hosts graph displays information for sample periods. It can be displayed as a Current-type graph to provide information for the latest whole sample period only, or as a Cumulative-type graph (above) to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)




Most Active Clients The Most Active Clients monitoring graph is available at NetEnforcer, Pipe and Virtual Channel level. It displays the average inbound and outbound bandwidth consumed by the most active Clients. NetEnforcer monitors the amount of data from each source and to each destination. The amount of data flowing in each connection is added to the connection source total as Client data.

You can select to display the Most Active Clients graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of Clients displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.



Figure 6-28 – Most Active Clients Graph

The Most Active Clients graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Clients graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)



Most Active Servers The Most Active Servers monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays the average inbound and outbound bandwidth consumed by the most active Servers. NetEnforcer monitors the amount of data from each source and to each destination. The amount of data flowing in each connection is added to the connection destination total as Server data.

You can select to display the Most Active Servers graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of Servers displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-29 – Most Active Servers Graph

The Most Active Servers graph can be displayed as a Bar chart (above) or as a Pie chart.



As a Current/Cumulative-type graph, the Most Active Servers graph displays information for sample periods. It can be displayed as a Current-type graph to provide information for the latest whole sample period only, or as a Cumulative-type graph (above) to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)



Long-Term Monitoring NetEnforcer's monitoring tool provides real-time data in intervals of one to 10 minutes for the previous 24 hours, enabling you to monitor applications, protocols, users and servers and to enforce the most suitable QoS policy. NetEnforcer’s long-term monitoring tool enables you to monitor your network's activity over a much longer period of time with the same look and feel as the real-time monitoring graphs. Using long-term monitoring, data from as far back as one to two years is stored as .csv files on a dedicated server for use by other reporting tools. Each server can store data from multiple NetEnforcers at intervals of every 30 seconds for the last 10-40 days or at intervals of one hour for up to 1 year ago or longer.

The ability to monitor applications and users is crucial in order to employ traffic priorities based on business requirements. Monitoring helps the user to fine-tune the network performance.

NOTE:

You must wait at least two hours before seeing any long-term graphs. If you try to view graphs before two hours have passed, error messages will pop up.

Collecting Data for Long-Term Monitoring In order to view long-term monitoring graphs, you must install the Long-Term Monitoring Agent. The Long-Term Monitoring Agent requests the required graphs from the monitoring server, receives the data, and writes it to files. NetEnforcer takes the data from these files when you select to display long-term monitoring graphs. More than one Long term agent may be installed on a single server, in order to collect data from multiple NetEnforcers.

Once the Long-Term Monitoring Agent has been installed and run, you can activate and manage long-term monitoring graphs from the NetEnforcer main GUI.

The Long-Term Monitoring Agent writes the data to files located at a shared directory on a network drive, so that the history graphs based on those files are available from every PC in the LAN, and not only from one PC.



NOTE:

It is reasonable to install the Long-Term Monitoring Agent itself on the same network PC to which it writes the files, and to choose for that purpose an ‘enduring’ machine which will be ‘up’ permanently.

You must first install the Long-Term Monitoring Agent and then you can configure it to collect data according to your requirements.

TIP:

Problem: Identify the source of congestion Solution: Use Monitoring drill-down capabilities to find it.

Here is how: Look at the Pipes Distribution graph and identify the saturated link. If the saturation is identified as inbound traffic, for example, for a Particular Pipe, drill-down to see the Top Inbound Protocols graph for the particular Pipe. If you discover that the majority of the inbound traffic is KaZaa, for instance, drill-down to see the Top Internal Clients graph for KaZaa. The specific host that is saturating the link can then be identified

Installing the Long-Term Monitoring Agent The Long-Term Monitoring Agent is an application, which must be downloaded and installed (on any Windows operating system).

You can run several agents (one per NetEnforcer).

To download and install the Long-Term Monitoring Agent:

1. From the network PC that you have selected to be the long term monitoring server, open the NetEnforcer GUI.

NOTE:

The long term monitoring server should be up at all times.

2. From the NetEnforcer Control Panel, click Tools and then select Download Long-Term Monitoring Agent. The File Download dialog box is displayed.

3. Click Open and follow the on-screen instructions to install the Collector application. Note the following:

Specify the location where the Collector application should be installed. • • Enter the IP address of NetEnforcer from where you want to collect data.



If required, you can insert details of a user name and password. If you do this, you will not have to log in each time that the Collector is started. However, there will be no way to connect to a different NetEnforcer without downloading and installing the Collector again. Therefore, it is recommended only to insert these details if there is only one NetEnforcer from which you want to collect data.

•

• •

•

When the installation process is completed, you will have the following:

A shortcut icon on your desktop called NetEnforcer Long Term Monitoring Agent.

A new entry in your Start > Programs folder called NetEnforcer Long Term Monitoring Agent.

The Long-Term Monitoring Agent also appears in Startup, enabling it to run automatically on each reboot of your computer.

Running the Long-Term Monitoring Agent The Long-Term Monitoring Agent starts automatically when the PC starts. A login window is displayed requesting a user name, password and the IP address of NetEnforcer/

TIP:

You can avoid this login window by adding parameters to the Long-Term Monitoring Agent in the Startup menu, as described in the following tip, which is displayed the first time the Long-Term Monitoring Agent starts.

It is highly recommended to follow this tip.



After login, the Long-Term Monitoring Agent runs in the Windows system tray, as shown below:

NOTE:

After login, you may also see the following message:

This is expected at this stage and you should simply click OK.

The Long-Term Monitoring Agent icon in the system tray may appear in any of the following ways:

Icon Status

The Long-Term Monitoring Agent is disconnected.

The Long-Term Monitoring Agent is running (recording).

The Long-Term Monitoring Agent is paused (not recording).



Right-clicking the Long-Term Monitoring Agent in the system tray displays the following menu:

The options are as follows:

Option Description

Open Opens the Long-Term Monitoring Agent window.

Record Starts collecting data.

Pause Stops collecting data.

Location Enables you to change the location where the Long-Term Monitoring Agent stores collected data.

Graphs Displays a list of graphs for which the Long-Term Monitoring Agent collects data - the graphs you have made available for long-term monitoring. Refer to Adding Graphs, page 6-62.

Log Displays Long-Term Monitoring Agent log messages.

Help Provides access to NetEnforcer long term monitoring help.

About Displays version information about the Long-Term Monitoring Agent.

Exit Closes the Long-Term Monitoring Agent application.



Collecting Data The Long-Term Monitoring Agent application may often be left open for very long periods of time (for example, days or weeks) in order to collect data. The Long-Term Monitoring Agent application is robust and maintains an accurate record of data even when the system is shutdown and rebooted. In this situation, when the Long-Term Monitoring Agent is restarted, data collection resumes and data is appended to the data collected prior to the shutdown.

In order to collect data for long-term monitoring, you must specify a graph as available to long-term monitoring. Refer to Adding Graphs, page 6-62.

To collect data:

1. Open the Long-Term Monitoring Agent application using the shortcut icon on your desktop, from the Start menu or by clicking the Long-Term Monitoring Agent icon in the system tray. The Long-Term Monitoring Agent window is displayed.

Figure 6-30 – Long-Term Monitoring Agent Window



2. If you want to adjust the location where the collected files are saved, click Pause and click the browse button to select an alternative location. You should select a shared directory on this network PC.

3. Click Record.

The Long-Term Monitoring Agent is now ready for collecting data.

The buttons available in the Long-Term Monitoring Agent window are as follows:

Option Description

Pause/Record Stops/starts collecting data.

Graphs Displays a list of graphs for which the Long-Term Monitoring Agent collects data - the graphs you have made available for long-term monitoring.

Log Displays Long-Term Monitoring Agent log messages.

Close Closes the Long-Term Monitoring Agent window.

Help Provides access to NetEnforcer long term monitoring help.

About Displays version information about the Long-Term Monitoring Agent.

Configuring the Long Term Monitoring Data Location on NetEnforcer You must ensure that the long-term monitoring data location configured on NetEnforcer is the same as that specified in the Long-Term Monitoring Agent.



To configure the long-term monitoring data location on NetEnforcer:

1. From the NetEnforcer Control Panel, click Long-Term. The first time you do this after installing the Long-Term Monitoring Agent, the following First Steps window is displayed:

Figure 6-31 – Long-Term Monitoring First Steps

NOTE:

This is an explanatory window. It is only displayed the first time you click Long-Term. To display it again, click Help and then First Steps in the Long Term Monitoring window.



2. Click OK, or if it is not the first time you have selected the Long-Term option, and the Long Term Monitoring window is displayed.

Figure 6-32 – Long-Term Monitoring Window

When the Long-Term Monitoring window is first opened, the long-term monitoring data location is by default set as C:. You must change this location to the same location as you specified in the Long-Term Monitoring Agent. Until you do so, a warning (in red) is displayed in the upper right corner of the Long-Term Monitoring window.



3. Click the browse button to the right of the Long-Term Monitoring Data Source field. The Setting Long-Term Monitoring Location dialog box is displayed.

Figure 6-33 – Setting Long-Term Monitoring Location Dialog Box

4. Enter the location of the saved data as specified in the Long-Term Monitoring Agent (which should be on a shared network drive) and click Save.



If the data location is the same as that specified on the Long-Term Monitoring Agent, the warning in red should no longer appear in the top right corner of the Long-Term Monitoring window.

Figure 6-34 – Long-Term Monitoring Window – Set Data Location

Now both the Long-Term Monitoring Agent and NetEnforcer are correctly configured and you begin to work with long-term monitoring graphs.

NOTES:

If the data location has been configured correctly but the Long-Term Monitoring Agent is not running, a warning message is displayed (in red) in the upper right corner: Long-Term Monitoring Agent is not running.

In order for the warning messages in red to disappear, the problem must be resolved AND the Long-Term Monitoring window must be closed and re-opened.



Adding Graphs In order to collect data for long-term monitoring, you must specify a graph as available to long-term monitoring. This can be done from a real-time monitoring window or from the Long Term Monitoring window.

Adding a graph to long-term monitoring is only available to an administrator user with write permissions. This is because adding a graph to long-term monitoring actually writes a “request” file at the files location directory on the Long-Term Monitoring Agent LAN PC. Issues of access and write permissions are therefore very critical.

To add a graph from a real-time monitoring window:

• From the File menu in a Monitoring window, select Add to Long-Term Monitoring Requests. The graph displayed in the Monitoring window is available in long-term monitoring.



To add graphs from the Long Term Monitoring window:

1. From the NetEnforcer Control Panel, click Long-Term. The Long Term Monitoring window is displayed.

2. Click the Add New Graph button. Further menus are displayed –as when you select Monitoring in the Control Panel.

Figure 6-35 – Long-Term Monitoring Window - Add New Graph



3. Select the graph you want to add to long-term monitoring. It is added to the table of graphs in the Long-Term Monitoring window. For example, if you select The Virtual Channels Distribution for NetEnforcer graph, the Long-Term Monitoring window is displayed as follows:

Figure 6-36 – Long-Term Monitoring Window – Graph Added

The graph is immediately collected, as indicated by the selected checkbox in the Collect column.

As many graphs as you require can be added to long-term monitoring but only ten graphs can be collected at the same time. Thus, once ten graphs have been added, subsequent graphs do not have a selected checkbox in the Collect column.

NOTE:

To change this limit, please contact Allot Communications.

You must wait for a minimum of 2 hours before you can open the graph.



You can manipulate graphs in the Long-Term Monitoring window as follows:

•

•

• • •

Select or deselect the checkbox in the Collect column to determine whether the graph is collected or not.

Select a graph and click Open to display the graph. Refer to Viewing Long-Term Monitoring Graphs, page 6-66.

Select a graph and click Rename to rename a graph.

Select a graph and click Delete to delete a graph from long-term monitoring.

Click Log to display the Long-Term Monitoring Agent Log. This enables you to see the status and actions of the Long-Term Monitoring Agent. For example, whether it is up, whether it is recording or paused, and so on.

Figure 6-37 – Long-Term Monitoring Agent Log



Viewing Long-Term Monitoring Graphs Data should be collected for at least two hours (approximately) using Long Term Monitoring Agent before you view it. Long-term monitoring graphs are produced using data from the long-term monitoring directory (C:/NEData, by default) saved in the files called (request)_hour.xml.



To view data:

1. From the NetEnforcer Control Panel, click Long-Term. The Long Term Monitoring window is displayed:

2. Select the graph you want to view and click Open (or double-click the graph). The Graph Time Span Coverage for (name of selected graph) window is displayed.

Figure 6-38 – Graph Time Span Coverage for (Name of Selected Graph) Window – Relative Span Mode



TIP:

To get the most out of your Long Term Monitoring it is recommended that you configure the following graphs on the NetEnforcer level: Top Protocols, Top Internal Hosts, Top External Hosts, NetEnforcer Connections, NetEnforcer Bandwidth Distribution and VC/Pipes graphs where relevant

This window enables you to select a specific time period for the graph you want to view. The collected data could cover a long time period and you may just want to focus on part of it.

3. From the Span Mode dropdown list, select one of the following time measurements: Relative: Select the number of hours, days or months of data required. This period is counted from the end of the available data period backwards. If you select a month, the period covers the last calendar month. This means that if the data ended on 17 February, you would see data from the 1-17 February.

•

• Specific: Select the exact dates of the time period. By default the start and end dates are the beginning and end of the entire available period.



Figure 6-39 – Graph Time Span Coverage for (Name of Selected Graph) Window – Specific Span Mode

TIP:

The practical meaning of your selection is displayed in the lower area of the window.



4. Click Continue. The data is retrieved from the collection files. The graph is displayed before all the data is retrieved and you can see the percentage of data retrieved in the status bar. While you are waiting for this to complete, you can use other functionality of the long-term monitoring graph.

Figure 6-40 – Long-Term Monitoring Graph (Period Level)

Long-term monitoring graphs have the same look and feel as real-time monitoring graphs. Most of the functionality available in real-time graphs is available for long-term monitoring graphs. For example, graph types and graph styles. These features are explained in the first sections of this chapter.

The main differences between real-time graphs and long-term monitoring graphs are as follows:

•

•

Only two graph views, Chart View and Table View, are available with long-term monitoring graphs.

Long-term monitoring graphs have a light green background color while real-time graphs have a green background color.



• The long-term monitoring window has an additional Page menu and toolbar buttons, as follows

Back

Forward

Start

End

These arrow buttons enable you to move forward and backwards through the pages of a long-term monitoring graph.

• The File menu in the long-term monitoring window includes an additional option called Collection Log File.

Manipulating Long-Term Monitoring Graphs When a long-term monitoring graph is first displayed, the data is shown in the broadest resolution (full view). For example, where data is requested that spans several months, the data is presented according to month. When data is requested that spans several years, the data is presented by year. The actual unit is seen on the horizontal axis.



You can drill down into the long-term monitoring graph to see more details. For example, data presented according to days of a selected month or hours of a selected day or even minutes of a selected hour. This drilling down action enables you to move between the following levels:

Level Continuous-type graphs (for example, Bandwidth, Pipes Distribution

‘Most Active’ graphs (for example, Most Active Virtual Channels)

Period Data is displayed for the entire time span, for example, several months or several days.

Data is displayed for the entire time span, for example, several months or several days.

Month Data is displayed for each day in a month.

Data is displayed for the whole month in one view.

Day Data is displayed for each hour in a day.

Data is displayed for the whole day in one view.

Hour Data is displayed for each 5 minutes in an hour.

Data is displayed for the whole hour in one view.

Minute Data is displayed for each 30 seconds in a five-minute period.

Data is displayed for the whole five-minute period in one view.

Second Data is displayed for the whole thirty-second period in one view.

You can drill down using the right-click menu in a step-by-step fashion or directly to a selected level.

Drilling Down Step-By-Step

This method enables you to drill down slowly through the different resolutions of the graph. You can begin by viewing data over a long period and zoom slowly in to see data for a very specific period.



To drill down step-by-step:

1. With the long-term monitoring graph displayed at the broadest (period) level, proceed as follows:

In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Month. The Drill-down to dialog box is displayed. Select the month within the period that you would like to view, for example, September, and click OK.

•

• In a continuous-type graph, right-click inside the month area of the graph on which you want to focus and select Drill-down to (selected month).

The graph now displays data for the selected month.

Figure 6-41 – Long-Term Monitoring Graph (Month Level)

You can move through other months using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution.



2. Continue to the next level as follows: In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Day. The Drill-down to dialog box is displayed.

Select the day within the month that you would like to view and click OK.

•

In a continuous-type graph, right-click inside the day area of the graph on which you want to focus and select Drill-down to (selected day).

•

The graph now displays data for the selected day. For example, drilling down a level to a specific day, September 12th, shows the most active protocols for that day.

Figure 6-42 – Long-Term Monitoring Graph (Day Level)

You can move through other days using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution.



3. Continue to the next level as follows: In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Hour. The Drill-down to dialog box is displayed.

Select the hour within the day that you would like to view, for example, Sep 12 10:00, and click OK.

•

In a continuous-type graph, right-click inside the hour area of the graph on which you want to focus and select Drill-down to (selected hour).

•

TIP:

You can right-click and select Back to Full View to return to period level or select Up One Level to return to the previous level.

The graph now displays data for the selected hour of the selected day. For example, Figure 6-42 shows the most active protocols for September 12th. Drilling down a level to a specific hour, 10.00, shows the most active protocols for that hour.

Figure 6-43 – Long-Term Monitoring Graph (Hour Level)



You can move through other hours using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution

4. Continue to the next level as follows: In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Minutes. You cannot select which specific five-minute period to view. The graph will show the first five-minute period of the hour and you can scroll through subsequent five-minute periods.

•

• In a continuous-type graph, right-click inside the five-minute area of the graph on which you want to focus and select Drill-down to (selected five-minute period). In this type of graph, you can select which specific five-minute period you want to view.

TIP:


The graph now displays data for a five-minute period. For example, Figure 6-43 shows the most active protocols during the hour 10.00 to 11.00 on September 12th. Drilling down a level shows the most active protocols for the first five-minute period of that hour.

Figure 6-44 – Long-Term Monitoring Graph (Five-Minute Level)



You can move through other five-minute periods using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution

5. Continue to the next level as follows: In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Seconds. You cannot select which specific thirty-second period to view. The graph will show the first thirty-second period of the five minute period and you can scroll through subsequent thirty-second periods.

•

TIP:


The graph now displays data for a thirty-second period. For example, Figure 6-44 shows the most active protocols during the five-minute period 10.00 to 10.05 on September 12th. Drilling down a level shows the most active protocols for the first thirty seconds of that five-minute period.

Figure 6-45 – Long-Term Monitoring Graph (Thirty-Second Level)

You can move through other thirty-second periods using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution



Drilling Down Directly

This method enables you to drill down quickly from a broad resolution to a narrow resolution. For example, you can be viewing data for an entire year and zoom straight into viewing data for a selected day.

NOTE:

You cannot drill down directly to the Minute level or Seconds level.

To drill down directly:

1. From the Page menu, select Detailed View. The Time Unit Selection for Detailed View dialog box is displayed:

Figure 6-46 – Time Unit Selection for Detailed View Dialog Box

NOTE:

This dialog box is correct for Most Active graphs. For continuous-type graphs, you cannot select Hour as the Time Unit.



2. Specify details of the exact year, month, day and hour to which you want to drill down and click OK. You can go straight from period level to day level without first going to month level.

As with real-time graphs, you can zoom into a long-term monitoring graph by holding down the <Shift> key and dragging a box around the area that you want to zoom in the graph. However, this method does not change the resolution of the graph, it provides a closer look at a particular area at the same resolution.

TIP:

You can access real-time graphs from a long-term monitoring graph. Right-click in the graph and you can select from real-time graphs for the current entity (Pipe or Virtual Channel).



Data Coverage Although you may have selected a large period, for example, 5 months, the period could include interruptions where data collection stopped for a few days or a few hours. The period coverage is indicated in the status bar (Period/Month/Day/Hour/5-Minutes Coverage). If the percentage is low, perhaps around 85%, you can use the collection log file to view the exact times when data collection was not active.

To view the collection log file:

• From the File menu in the long-term monitoring window, select Collection Log File.

Figure 6-47 – Collection Log File Dialog Box

The Collection Log File dialog box provides a list of dates and times within the selected period that collection was not active.


Chapter 7: Defining Catalog Entries

This chapter describes Catalog Editors and how to define new Catalog entries.


Working with Catalog Editors, page 7-2, describes the features common to the Catalog Editors, and provides a general description of how to add and delete entries in Catalogs.

Host Catalog Editor, page 7-8, describes the Host Catalog Editor, where you define possible values for the Connection Source and Connection Destination of a policy.

Service Catalog Editor, page 7-20, describes the Service Catalog Editor, where you define possible values for the Service of a policy.

Time Catalog Editor, page 7-52, describes the Time Catalog Editor, where you define possible values for the Time of a policy.

TOS (Type of Service) Catalog Editor, page 7-57, describes the TOS Catalog Editor, where you define possible values for the TOS of a policy.

VLAN Catalog Editor, page 7-63, describes the VLAN Catalog Editor, where you define possible VLAN values of a policy.

Quality of Service Catalog Editor, page7-66, describes the QoS Catalog Editor, where you define possible values for the Quality of Service applied to a policy.

Connection Control Catalog Editor, page 7-81, describes the Connection Control Catalog Editor, where you define possible values for the Connection Control applied to a policy.

Data Source Catalog Editor, page 7-87, describes the Data Source Catalog Editor, where you define LDAP servers with which NetEnforcer can work.



Working with Catalog Editors Catalogs contain the possible values available when defining policies in the Policy Editor. For example, when selecting the Connection Source of a Pipe, Virtual Channel or Rule, the possible values are the entries in the Host Catalog. Catalog Editors enables you to add, change or delete entries in Catalogs. Entries are comprehensive sets of parameters with logical names. These logical names then become the possible values available in the Policy Editor.

A logical entity, such as a specific user or Quality of Service definition, can be defined once, using the appropriate Catalog Editor, and then used many times in the Policy Editor.

NetEnforcer includes the following Catalogs:

•

•

•

•

•

Host Catalog: The entries in the Host Catalog are the possible values for the Connection Source and Connection Destination conditions defined for a Pipe, Virtual Channel and Rule. The Connection Source and Connection Destination define the source and destination of the traffic. Refer to Host Catalog Editor, page 7-8.

Service Catalog: The entries in the Service Catalog are the possible values for the Service condition defined for a Pipe, Virtual Channel and Rule. The Service represents the protocols relevant to a connection. Refer to Service Catalog Editor, page 7-20.

Time Catalog: The entries in the Time Catalog are the possible values for the Time condition defined for a Pipe, Virtual Channel and Rule. The Time defines the applicability of a Pipe, Virtual Channel or Rule during certain time periods. Refer to Time Catalog Editor, page 7-52.

TOS Catalog: The entries in the TOS Catalog are the possible values for the TOS condition defined for a Pipe, Virtual Channel and Rule. The TOS is the TOS byte contained in the IP header of the packet. TOS entries are also used in QoS Catalog entry definitions. Refer to Type of Service Catalog Editor, page 7-57.

VLAN Catalog: The entries in the VLAN Catalog are the possible VLAN values of a policy and their priority. Refer to VLAN Catalog Editor, page 7-63.



•

•

•

• • •

QoS Catalog: The entries in the QoS Catalog are the possible values for the Quality of Service action defined for a Pipe and Virtual Channel. The Quality of Service allocates bandwidth, traffic priority, TOS marking and connection count limits. Refer to Quality of Service Catalog Editor, page 7-66.

Connection Control Catalog: The entries in the Connection Control Catalog are the possible values for the Connection Control action defined for a Pipe and Virtual Channel. The Connection Control refers to server load balancing and cache redirection. Refer to Connection Control Catalog Editor, page 7-81.

Data Source Catalog: The entries in the Data Source Catalog are the possible LDAP servers with which NetEnforcer can work. These definitions can then be referenced in Data Source Query definitions in the Host Catalog Editor. Refer to Data Source Catalog Editor, page 7-87.

Each Catalog has its own editor where you can add new entries and modify existing entries.

Accessing Catalog Editors Catalog Editors can be accessed from any of the following places:

The Catalogs menu in the Policy Editor

The toolbar in the Policy Editor

Right-clicking a cell in the Policy Editor and selecting Edit Catalog Entry



All Catalog Editors have some common fields and functionality, which are described in this section. A sample Catalog Editor is shown below:

List Pane Definition Pane

Specific Entry ButtonsGlobal Catalog Editor Buttons


Global Catalog Editor Buttons




Global Catalog Editor Buttons




Global Catalog Editor Buttons Figure 7-1 – Sample Catalog Editor

The List pane displays a list of the current entries defined in the Catalog. Selecting an entry in the List pane displays its name at the top of the Definition pane, and its properties or definition below its name. The Definition pane is the working area of a Catalog Editor in which entries are defined.



All Catalogs contain three global buttons that apply to the Catalog as a whole and three specific buttons that apply to the currently selected entry as follows: Specific Entry Buttons

Adds a new Catalog entry.

Deletes a selected Catalog entry. You can only delete entries that are Unprotected. (Refer to Protected Entries, below.)

Undoes the changes made, since the last save, to the current entry.

Global Buttons

Saves changes in a Catalog Editor. In order to save the contents of the Catalog Editor to NetEnforcer, you must also save the Policy Editor.

Exits the Catalog Editor. Any unsaved changes are lost.

Displays online help relevant to the Catalog Editor in a separate window.

Protected Entries Each Catalog includes default entries whose definitions cannot be modified. Such entries are called Protected entries. When you select a Protected entry, such as Any in the Host Catalog Editor, the Delete and Undo buttons are automatically disabled. A user-defined entry is always Unprotected.



Deleting Entries from a Catalog Only Unprotected entries can be deleted from a Catalog. (Refer to Protected Entries, page 7-5.)

To delete an entry from a Catalog:

1. Select the entry to be deleted from the List pane.

2. Click Delete. The entry is no longer displayed in the List pane and it is deleted from the Catalog.

You must save the Policy Editor for the deletion to take effect.

Catalog entries that are referenced in a policy definition cannot be deleted.

Policy Editor Toolbar Catalog Editors can also be accessed by clicking on the required icon in the Policy Editor.

Figure 7-2 – Policy Editor



Below is a list of the Catalog Editor menu options, tools and shortcut key options available in the Policy Editor:

Host Opens the Host Catalog Editor, enabling you to define possible Connection Source and Destination conditions.

Service Opens the Service Catalog Editor, enabling you to define possible Service conditions.

Time Opens the Time Catalog Editor, enabling you to define possible Time conditions.

TOS Opens the TOS Catalog Editor, enabling you to define possible Type of Service conditions.

VLAN

Opens the VLAN Catalog Editor, enabling you to define possible VLAN conditions.

Quality of Service Opens the QoS Catalog Editor, enabling you to define possible Quality of Service actions.

Connection Control Opens the Connection Control Catalog Editor, enabling you to define possible Connection Control actions.

Data Source Opens the Data Source Catalog Editor, enabling you to define the LDAP servers with which NetEnforcer can work or to define Hosts Text File.



Host Catalog Editor The Host Catalog contains entries that are the possible values for the Connection Source and Connection Destination conditions of a Pipe, Virtual Channel or Rule. A sample Host Catalog Editor is shown below:

Figure 7-3 – Host Catalog Editor

NOTE:

The Any, Internal and External entries are Protected, meaning the definitions for this entry cannot be modified.



You can enter the host details individually, or NetEnforcer can retrieve IP addresses or host names from a specified LDAP directory server or text source file. (LDAP servers and text source files with which NetEnforcer can work are defined in the Data Source Catalog, page 7-87.) Once you have defined the hosts in a host list, you can group several host lists together in one Catalog entry.

Defining Host Lists A host list is a list of one or more hosts. Hosts can be network IP addresses, IP address ranges, host names and IP subnet addresses. Following are examples of host entries:

•

• • •

•

Host: If NetEnforcer is configured to support DNS, you can use logical DNS names.

IP: The IP address of a host. For example, 172.16.1.31.

IP Subnet: For example, 10.10.10.0 with a subnet mask of 255.255.255.0.

IP Range: A range of IP addresses. For example, 10.1.2.3-10.1.3.7 means the ranges 10.1.2.3-10.1.2.255 and 10.1.3.1-10.1.3.7.

MAC: The MAC address of a host..

To define a host:

1. In the Host Catalog Editor, click New. The following popup menu is displayed:

Figure 7-4 – New Host Entry Popup Menu



2. Select Host List. A new entry is added to the List pane in the Host Catalog.

Figure 7-5 – Host Catalog Editor: Adding Hosts

3. Edit the name of the entry in the Contents of field, if required.

4. In the Host Item area, click on the required host type radio button and input the relevant details in the corresponding text field.

5. From the Interface Loc of Host dropdown list, select the location of the host relative to NetEnforcer: Anywhere, Internal or External.

6. Click Add. The defined host is displayed in the Defined Items area.

NOTE:

The list of hosts in the Defined Items area can be sorted by clicking on any column header. For example, click Type to sort the list by type of host.



7. Repeat steps 4-6 to add other hosts, as required. You can add up to 10,000 entries in a host list.

NOTE:

To delete a host from the list, select the host in the Defined Items area and click Delete. To edit a host in the list, select the host in the Defined Items area, make the changes required to the definition and click Update.

8. Click OK. The new entry (entries) is saved in the Host Catalog and the Host Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Applying NetEnforcer in DHCP Environment DHCP clients are those with a time-limited IP address. Dynamic IP addresses are supported and handled as follows:

•

• • •

•

Today most DNS servers support dynamic update. This means that a DHCP server can dynamically inform the DNS server of any IP assignment.

DHCP update includes the computer name to which an IP address was assigned.

The DNS Server enters the update as part of the client name space.

The NetEnforcer supports DNS queries. It decides whether or not to redirect specific traffic, based on the DNS-defined computer name.

A policy is defined to redirect only those clients that require it. Other privileged addresses go directly without content filtering.



Grouping Hosts A host group is a collection of previously defined Host Catalog entries of Host List type grouped together in an additional entry. This eliminates the need to create several similar Pipes, Virtual Channels or Rules for hosts. The QoS defined for the group applies to all the hosts in the group. For example, you can create a group of hosts, called Division 1. Division 1 can contain three Host List catalog entries: Department A (employees a, b and c), Department B (employees d, e and f) and Department C (employees g, h and j). Groups are useful when working with templates. For more information, refer to the Templates section in Chapter 8, Defining Policies.



To group Host Catalog entries:

1. In the Host Catalog Editor, click New. The new host entry popup menu is displayed, as shown in Figure 7-4.

2. Select Group of Hosts. A new entry is added to the List pane in the Host Catalog Editor, as follows:

Figure 7-6 – Host Catalog Editor: Grouping Hosts


The list in the Available Host Lists area displays all the available host list Catalog entries that can be added to the host group. The list in the Selected Lists in Group area displays the Catalog entries that you have selected to include in this host group.



4. Add Catalog entries to the group using the following buttons:

Adds the entries selected in the Available Host Lists area to the Selected Lists in Group area.

Adds all the entries in the Available Host Lists area to the Selected Lists in Group area.

Removes the entries selected in the Selected Lists in Group area and returns them to the Available Host Lists area.

Removes all the entries from the Selected Lists in Group area and returns them to the Available Host Lists area.

NOTE:

The entries in the Selected Lists in Group area can be sorted alphabetically by clicking on the column header.

5. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Defining LDAP-based Hosts LDAP (Lightweight Directory Access Protocol) is a communications protocol that enables NetEnforcer to retrieve hosts from an LDAP directory server associated with your NetEnforcer. Before creating Host Catalog entries using LDAP definitions, you must enter LDAP server details in the Data Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87.

You can specify (in the Policy Server tab of the NetEnforcer Configuration window) how often the LDAP director server is read and the host information in NetEnforcer refreshed. For more details, refer to Chapter 4, Configuring NetEnforcer, Section Policy Server.



To define an LDAP-based host:

1. In the Host Catalog Editor, click New. The new host popup menu is displayed, as shown on page 7-9.

2. Select Data Source Query and then select the appropriate source from the list displayed. The list displays the LDAP servers and text files defined in the Data Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87. A new entry is added to the List pane in the Host Catalog Editor, as follows:

Figure 7-7 – Hosts Catalog Editor: LDAP-based Hosts




4. Define the query to the LDAP server, as follows: In the Directory Subtree Root field, enter the root in the LDAP server that NetEnforcer will search.

•

•

•

In the LDAP Directory Main Filter field, enter the filter string that defines the criteria for the query according to RFC 1960.

In the Addresses Attribute Name field, enter the name of the attribute that holds the IP addresses of the entries, as follows: Attribute Name Format Example

Network Address <IP V4>:<Mask bits> 172.16.1.152:24

IP Range <IP V4>:<IP V4> 172.16.1.1:172.16.1.23

Any Address 3

Host Name 4:<Host name> allot.com

In the Group Selector field, enter the attribute by which NetEnforcer will search for group entries.

•

5. Click Fetch & View Contents to preview the hosts retrieved from the LDAP directory server.


NOTE:

The actual execution of the LDAP query occurs when the Policy Editor is saved (or resaved). If the Fetch operation fails, NetEnforcer will retry the operation according to the retry interval parameter, defined in the LDAP/Text Source tab of the NetEnforcer Configuration window. Refer to the LDAP/Text Source section in Chapter 4, Configuring NetEnforcer.



Defining Text File-Based Hosts NetEnforcer can extract host addresses from a text file (CSV file). Before creating Host Catalog entries using a text file as a data source, you must enter the text file details in the Data Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87.

You can specify (in the LDAP/Text Source tab of the NetEnforcer Configuration window) how often the text file is read and the host information in NetEnforcer refreshed. For more details, refer to the LDAP/Text Source section in Chapter 4, Configuring NetEnforcer.



To define a text file-based host:

1. In the Host Catalog Editor, click New. The new host entry popup menu is displayed, as shown in Figure 7-4.

2. Select Data Source Query and then select the appropriate source from the list displayed. The list displays the LDAP servers and text files defined in the Data Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87. A new entry is added to the List pane in the Host Catalog Editor, as follows:

Figure 7-8 – Hosts Catalog Editor: Text File-Based Hosts


4. In the Text File Path field, enter the location of the text file data source. This is the path or the host, as defined in the text source definitions, described on page 7-88.

5. In the Delimiter area, select the delimiter used in the text (CSV) file.



6. In the Location & Positions area, enter the following information: In the Start Query at Row field, enter the number of the row where NetEnforcer should start reading the data. (First row is 1.)

•

•

•

In the Address Field Position field, enter the number of the column where the address is located. (First column is 1.)

In the Group Selector Field Pos field, enter the number of the group selector field. This parameter is used to create (internally) a host entry name for each line in the text file.

7. Click Fetch & View Contents to preview the hosts retrieved from the text file.


NOTE:

The actual execution of the query occurs when the Policy Editor is saved (or resaved). If the Fetch operation fails, NetEnforcer will retry the operation according to the retry interval parameter, defined in the LDAP/Text Source tab of the NetEnforcer Configuration window. Refer to the LDAP/Text Source section in Chapter 4, Configuring NetEnforcer.



Service Catalog Editor The Service Catalog contains entries that are the possible values for the Service of a policy. The Service defines the protocol of the connection passing through NetEnforcer. The entries are applications or protocol specifications, including network protocols, transport protocols and application protocols. When you define an HTTP, Oracle, H.323 and Citrix application, you can also add content definitions under it. A sample Service Catalog Editor is shown below:

Figure 7-9 – Service Catalog Editor

NOTE:

The All IP, All Service, All TCP and All UDP entries are Protected, meaning the definitions for these entries cannot be modified.

You can enter the application details individually, or you can import services from a protocols library. Once you have defined the applications, you can group several entries together in one Catalog entry.



From the Service Catalog Editor, you can define the following types of applications: • • • •

TCP and UDP IP Protocols, page 7-21. Non-TCP and non-UDP IP Protocols, page 7-23. Non-IP Protocols, page 7-24. You can also define content for http, Oracle, H.323 and Citrix and other applications. For more information, refer to Adding Content, page 7-31.

Defining TCP and UDP IP Protocols When the connection is based on either TCP or UDP protocol, you define destination ports (meaning the target of the connection) as well as timeouts for the protocol.

To define TCP and UDP IP protocols:

1. In the Service Catalog Editor, click New. The following popup menu is displayed:

Figure 7-10 – New Service Entry Popup Menu

2. Select Application. A new entry is added to the List pane in the Service Catalog Editor.


4. In the Protocol Definition area, select IP from the Network Protocol dropdown list.



5. From the Transport Protocol dropdown list, select TCP or UDP.

Figure 7-11 – Service Catalog: TCP/UDP Protocol

6. From the Application Protocol dropdown list, select the application protocol.

7. In the Ports tab, specify the target of the connection (destination port) as follows: • In the Destination Ports list, click the next available row and enter a destination

port number.

NOTES:

Port ranges can be entered as well. For example, enter 110-125 to indicate ports numbered 110 through 125. You can delete destination or source ports by selecting the port and pressing <Delete>.

8. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to remain open with no traffic passing through it before closing it.

9. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.



Defining Non-TCP and Non-UDP IP Protocols When the connection is IP, the protocol parameters vary according to whether the selected IP protocol is TCP/UDP or others.

To define non-TCP and non-UDP IP protocols:

1. In the Service Catalog Editor, click New. The new service entry popup menu is displayed, as shown in Figure 7-10.


3. In the Protocol Definition area, select IP from the Network Protocol dropdown list.

4. From the Transport Protocol dropdown list, select a protocol that is not UDP or TCP. If the non-TCP/non-UDP protocol that you require does not appear in the Transport Protocol dropdown list, you can add it by clicking the browse button and entering the protocol number in its digital-numeric format (not its Hex format) and clicking OK.

Figure 7-12 – Service Catalog: Non-UDP/TCP IP Protocol





Defining Non-IP Protocols When the connection is non-IP, you simply specify the required protocol in the Service Catalog entry.

To define non-IP protocols:




4. In the Protocol Definition area, select the required non-IP protocol from the Network Protocol dropdown list. If the protocol that you require does not appear in the list, you can add it by clicking the browse button and entering the protocol number in its digital-numeric format (not its Hex format) and clicking OK.



Figure 7-13 – Service Catalog: Non-IP Protocol

TIP: If you select a non-IP service as the Service condition in the Policy Editor, you must select Any for the Connection Source and Connection Destination conditions, since all other Host Catalog entries are IP-based. You should also define TOS as Ignored.





Importing Protocols You can create entries in the Service Catalog by importing services from a protocols library. This library includes a selection of about 8000 services and is based on the IANA list of protocols.

To import protocols:


2. Select Import from Protocols Library. The Protocols Library dialog box is displayed.

Figure 7-14 – Protocols Library Dialog Box



NOTE:

Protocols that have already been added to the Service Catalog appear disabled (grayed out) in the Protocols Library dialog box.

3. Select the checkbox in the Add column for the protocols you want to add to the Service Catalog and click Add to Catalog. The selected protocols are added as entries to the Service Catalog.

TIP: To filter the protocols displayed, select a grouping from the Display dropdown list. For example, if you select TCP protocols, only TCP protocols are listed in the dialog box.

4. Click Close to close the Protocols Library dialog box.

Importing Protocols from the Policy Editor You can also import protocols from the Policy Editor. Using this procedure, you change the service of a rule and also import the new protocol into the Service Catalog.

To import protocols from the Policy Editor:

1. In the Policy Editor, right-click an entry in the Service column. The following popup menu is displayed:

Figure 7-15 – Accessing Protocols Library Dialog Box From Policy Editor



2. Click Select from Protocols Library. The Protocols Library dialog box is displayed.

Figure 7-16 – Protocols Library Dialog Box Accessed From Policy Editor

3. Select a single protocol from the list and click Select. The selected entry in the Policy Editor is replaced with the new protocol and the selected protocol is added to the Service Catalog.



Web Update You can also use the Web Update feature to automatically add new protocols and applications (when available and announced from Allot Communications) to the service catalog, without having to perform software updates.

Service Web updates adds both the service entries and the relevant Layer-7 signatures for the protocols and applications. The new service entries are also automatically added to the relevant default service groups. For example, if there are new P2P applications, they are automatically added to the default P2P service group.

Note: This service is intended for customer with valid support agreements only.

To perform service Web update:

1. From the Tools menu, select Update Service Catalog from Allot Communications. The service catalog update message is displayed, as shown in Figure 7-17.

Figure 7-17 – Web Update Message

2. Click OK.

NOTE:

An alert is displayed in the Alerts log indicating the success or failure of the Web Update process.



Grouping Service Catalog Entries You can group together a collection of previously defined Service Catalog entries in an additional entry. This eliminates the need to create several similar Pipes, Virtual Channels or Rules for services. The QoS defined for the group applies to all the services in the group.

To group Service Catalog entries:


4. Select Group of Services. A new entry is added to the List pane in the Service Catalog Editor.

Figure 7-18 – Service Catalog Editor: Grouping Services




The list in the Available Services area displays all the available Service Catalog entries that can be added to the service group. The list in the Selected Services in Group area displays the Catalog entries that you have selected to include in this service group.

6. Add Catalog entries to the group using the following buttons:

Adds the entries selected in the Available Services area to the Selected Services in Group area.

Adds all the entries in the Available Services area to the Selected Services in Group area.

Removes the entries selected in the Selected Services in Group area and returns them to the Available Services area.

Removes all the entries from the Selected Services in Group area and returns them to the Available Services area.


Adding Content Most Application Protocols deal with classifying traffic according to its specific protocol. The Transport Protocols enable you to specify destination ports and some will apply to any traffic no matter which port.

This section provides instructions regarding how to classify traffic according to content in certain Application Protocols (some examples of these protocols are: HTTP, Oracle, H.323, SMTP, FTP, Citrix and others like some P2P applications.



Defining FTP Content FTP (File Transfer Protocol) is traditional Web protocol used for file transfer. In addition to the NetEnforcer ability to recognize FTP traffic, it is possible to define FTP content based classification. You can define independent Service Catalog entries that reference FTP content, by entering various information in the Command and File Name tabs. These entries can subsequently be used in the Policy Editor. As an example, by using the Command field it is possible to distinguish FTP Upload from FTP download. File Transfer field can be used to recognize FTP traffic according to the name of the file transferred over an FTP session.

To add FTP content:

1. In the Service Catalog Editor, select the FTP-Sig protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected “FTP Sig” Service in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-19 – Service Catalog: Adding Content and File Name Tab



NOTE:

The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant line in the text content list and click the preferred option. A window opens with the option to perform the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

NOTE:



4. In the File Name tab, enter a URL as follows: Click Add. The Add Item dialog box is displayed.

•

Enter the required URL and click Add. The URL is displayed in the File Name tab.

•

•

•

Add further URLs using the Add Item dialog box as required.

Click Close to close the Add Item dialog box.




Defining HTTP Content HTTP (Hyper Text Transfer Protocol) is one of the dominant protocols on the Web. It is mainly used for Web surfing but has many other uses such as File Transfer, Streaming media and P2P application (as transport infrastructure). The NetEnforcer automatically recognizes “non traditional” applications using HTTP as base protocol (e.g. Kazaa, Gnutella, HTTP Streaming) by their official name, those applications are not considered as HTTP and therefore are not covered by this section.

For traditional HTTP uses, such as Web surfing and File Transfer, the NetEnforcer allows content-based classification. You can define independent Service Catalog entries that reference HTTP content by entering information in the four tabs: URL, Methods, Hosts and Content-Type. These entries can subsequently be used in the Policy Editor. For example, the URL field can be used to differentiate between file names or URLs transferred over HTTP. Methods filed can be used to distinguish between HTTP transactions by methods, such as “GET” or “PUT”. Hosts field can be used to differentiate between Web Servers using the same IP address (“Virtual Hosts”). Content-Type can be used to distinguish the type of traffic forwarded over HTTP transaction (e.g. “text/html”, “image/jpeg”).

You can define independent Service Catalog entries that reference HTTP content. These entries can subsequently be used in the Policy Editor.



To add HTTP content:

1. In the Service Catalog Editor, select the HTTP Sig protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected HTTP Sig protocol in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-20 – Service Catalog: Adding Content and URL Tab

NOTE:





3. In the URL tab, enter a URL as follows: Click Add. The Add Item dialog box is displayed.

•

Enter the required URL and click Add. The URL is displayed in the URL tab. •

•

•


Click Close to close the Add Item dialog box. A Web request carries this identifier (which can be represented by an HTML page, an image, a Java applet or a CGI program). For a complete description of how to set up a policy that will match a URL, see the tip on page 7-40.

NOTE:

You can delete a URL by selecting the URL and pressing <Delete> on your keyboard or by clicking Remove in the URL tab.

4. Select the Methods tab.

Figure 7-21 – Adding Content: Methods Tab



5. In the Methods tab, enter an HTTP method as follows: Click Add. The Add Item dialog box is displayed with a predefined list of methods.

•

Select the required method and click Add. The method is displayed in the Methods tab.

•

•

•

Add further methods using the Add Item dialog box as required.

Click Close to close the Add Item dialog box. HTTP uses seven methods to exchange information between clients and servers: GET, PUT, POST, OPTIONS, HEAD, DELETE and TRACE. It is possible to base service on one or more HTTP methods.

NOTE:

You can delete a method by selecting the method and pressing <Delete> on your keyboard or by clicking Remove in the Methods tab.

6. Select the Hosts tab.

Figure 7-22 – Adding Content: Hosts Tab



7. In the Hosts tab, enter a host as follows: Click Add. The Add Item dialog box is displayed.

•

Enter the required host and click Add. The host is displayed in the Hosts tab. •

•

•

Add further hosts using the Add Item dialog box as required.

Click Close to close the Add Item dialog box. The host string is compared against the value of the host keyword in the HTTP header of an HTTP request sent by a client (such as Netscape Navigator or Internet Explorer). This string is usually the name of the host that the user requested, possibly suffixed with the string ":port". (Port is the port number that the browser uses to connect to the server. For HTTP, this is usually port 80.)

For example, a browser that sends an HTTP request to www.cnn.com will put the string www.cnn.com or www.cnn.com:80 in the request header for the host keyword. If you wish to detect all traffic to a host, add * at the end of the string, for example, www.cnn.com*. Another way to identify a host is by its IP addresses with the following format: IP Address or IP Address:Port Number, for example: 173.17.1.1:80.

The typical usage for this kind of match is in virtual hosting, where more than one Web site is hosted in the same IP address, which is possible if a DNS translates many names to one IP address.

NOTE:

You can delete a host by selecting the host and pressing <Delete> on your keyboard or by clicking Remove in the Hosts tab.



8. Select the Content Type tab.

Figure 7-23 – Adding Content: Content Type Tab

9. In the Content Type tab, enter a content type as follows: Click Add. The Add Item dialog box is displayed with a predefined list of content types.

•

Select the required content type and click Add. The content type is displayed in the Content Type tab.

•

•

•

Add further content types using the Add Item dialog box as required.

Click Close to close the Add Item dialog box. The predefined list contains classification according to the content-type, this is the information that is transferred on the HTTP protocol. For example, you may want to specify all forms of audio applications, but allow all HTML files and pictures.




TIP:

Defining URL and Application-Level Rules

NetEnforcer enables you to reference Service entries in Pipes, Virtual Channels, and Rules by application and content type, including:

• HTTP URL addresses.

• Web directories and pages.

• Application content types.

URLs are the addresses by which documents are identified on the World Wide Web. A rule can be defined to match a specific URL, a list of URLs or a pattern of URLs, for example, *.gif or /document/*.

A URL has the following structure: <scheme>://<server name>[:<port>]/<relative path of query from HTTP server root>

Where:

• Scheme is the transmission protocol. For example, HTTP (Hypertext Transmission Protocol) or FTP (File Transfer Protocol).

• Server name is the IP address of the server on which the document resides, or its DNS name.

• Path describes the location of the document on the server with reference to the server's root directory. To define a rule that will match a set of URLs of a specific type (for example, HTTP) on a specific host, two sections in the Service Catalog must be defined: a Host and a URL. The part of the URL relevant for the Host is the server name, and the part relevant for the URL is the section that includes the scheme, port and path. For example: for the URL http://www.allot.com/news/index.html, www.allot.com will be in the Host section and /news/index.htm or /news/* will be in the URL section. This bears no relation to entries in the Host Catalog.



Defining Oracle Content Defining Oracle content enables you to define all Oracle traffic based on database names and/or user names. These entries can subsequently be used in the Policy Editor.

To add Oracle content:

1. In the Service Catalog Editor, select the Oracle TCP protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected Oracle protocol in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-24 – Service Catalog: Adding Content and Service Tab

NOTE:





3. In the Service Name tab, enter the database name as follows: Click Add. The Add Item dialog box is displayed.

•

Enter the required database name and click Add. The database name is displayed in the Service Name tab.

•

•

•

Add further database names using the Add Item dialog box as required.


4. Select the User Name tab.

5. In the User Name tab, enter user names as follows: Click Add. The Add Item dialog box is displayed.

•



Enter the required user name and click Add. The user name is displayed in the User Name tab.

•

•

•

Add further user names using the Add Item dialog box as required.



Defining SMTP Content SMTP (Simple Mail Transfer Protocol) is the de facto mail transfer protocol used on the Internet. The NetEnforcer is able to distinguish between different SMTP sessions according to the “From” field which represent the address (e.g. “[email protected]”) or the domain (e.g. “allot.com”) of the email originator. For example, you can use a SMTP content based rule to identify SMTP traffic containing emails originating from your company's domain and assign it higher priority. Another example would be to only allow SMTP traffic containing emails originating from well known domains in order to protect from SPAM.

You can define independent Service Catalog entries that reference SMTP content. These entries can subsequently be used in the Policy Editor.



To add SMTP content:

1. In the Service Catalog Editor, select the SMTP protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected SMTP protocol in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-25 – Service Catalog: Adding Content and URL Tab

NOTE:



3. In the File Name tab, enter a URL as follows:



Click Add. The Add Item dialog box is displayed.

•

Enter the required URL and click Add. The URL is displayed in the Domains tab.

•

•

•




Defining H.323 Content You can define independent Service Catalog entries that reference H.323 content. These entries can subsequently be used in the Policy Editor.

Defining H.323 content enables you to classify audio and video H.323 traffic. In the audio classification, extra capabilities are provided according to Codec, which indicates the bandwidth requirements of audio transmissions. The Codec encapsulates the analog (audio) information and converts it into digital information. The NetEnforcer can then classify this type of traffic and apply a policy to it.



To add H.323 content:

1. In the Service Catalog Editor, select an H.323 protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected H.323 protocol in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-26 – Service Catalog: Adding Content in H.323

NOTE:





3. In the Codec tab, enter H.323 content as follows: Click Add. The Add Item dialog box is displayed with a predefined list of H.323 content.

•

Select the required H.323 content and click Add. The content is displayed in the Codec tab.

•

•

•

Add further H.323 content using the Add Item dialog box as required.



Defining Citrix Content Citrix® is a global leader in access infrastructure solutions. Their software enables people in businesses, governments and educational institutions to securely and instantly access software applications and information via a thin client.

In Citrix topology, a client initiates a session to a Citrix server which provides access to various applications such as “Desktop” or “Publish Applications”. Using Citrix content based services, the NetEnforcer can distinguish between different characteristics of Citrix sessions. For example, the App Name field in a Citrix content based service can identify a session by its published application name. In addition, the User Name field can be used to identify the Citrix session, and the Priority Bit field can be used to distinguish between Citrix Print traffic and standard Citrix traffic.



To add Citrix content:

1. In the Service Catalog Editor, select a Citrix protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected Citrix protocol in the List pane and the Service Catalog Editor is displayed.

NOTE:

Citrix MetaFrame traffic may be classified by application or user name, with priority optional by selecting CITRIX in the Service Catalog.

Citrix - NFuse traffic may be classified by application or user name, with priority optional, by selecting CITRIX – NFUSE in the Service Catalog.

Citrix traffic can be classified by Priority Bit/Print Traffic only by selecting CITRIX-ICA in the Service Catalog.

Figure 7-27 – Service Catalog: Adding Content in Citrix

NOTE:





3. In the App Name tab, define the application being used through the Citrix protocol, for example Microsoft Word or Excel, as follows:

Click Add. The Add Item dialog box is displayed.

•

Enter the required application name and click Add. The application name is displayed in the App Name tab.

•

•

•

Add further application names using the Add Item dialog box as required.


4. Select the User Name tab.

Figure 7-28 – Adding Content: User Name Tab



5. In the User Name tab, enter user names as follows: Click Add. The Add Item dialog box is displayed.

•

Enter the required user name and click Add. The user name is displayed in the User Name tab.

•

•

•

Add further user names using the Add Item dialog box as required.


6. Select the Priority tab.

Figure 7-29 – Adding Content: Priority Tab



7. In the Priority tab, enter the priority as follows: Click Add. The Add Item dialog box is displayed with a predefined list of priorities.

•

Select the required priority and click Add. The priority is displayed in the Priority tab.

•

•

•

Add further priorities using the Add Item dialog box as required.



NOTE:

NetEnforcer features layer 7+ analysis, utilizing advanced signature recognition, of many Peer to Peer (P2P) applications. Some of the applications which are automatically recognized and classified are:

KaZaA (V1 & V2) Grokster iMesh Poisned DietKaza eDonkey (eDonkey; eMule) xMule Overnet Gnutella Shareaza Morpheus

Gnucleus XoloX LimeWire FreeWire Bearshare Acquisition Nova Phex Gtk-Gnutella NEoNapster WinMX (WinMX Direct connect, Direct Connect)

DC++ BCDC++ Hotline (in the first update) Madster BitTorrent MP2PMotilino Blubster Piolet RockitNet (in the first update) SoulSeek Winny.



Time Catalog Editor The Time Catalog contains entries that are the possible values for the Time of a policy, meaning the time period when a policy is active. A sample Time Catalog Editor is shown below:

Figure 7-30 – Time Catalog Editor

NOTE:

The Anytime entry is Protected, meaning the definitions for this entry cannot be modified.

Time periods can have ranges of hours and minutes in which they are active, or they can be active during whole days. An entry in the Time Catalog has one or several time periods when policies assigned this entry are active.



To define a time period:

1. In the Time Catalog Editor, click New. A new entry is added to the List pane in the Time Catalog Editor.


3. In the Defined Time Entries area, click Add. The Time Entry Definition dialog box is displayed:

Figure 7-31 – Time Entry Definition Dialog Box

4. In the Frequency dropdown list, select the frequency of the time period. The options are as follows:

Daily A period of time that occurs on a daily basis.

Weekly A period of time that occurs on a weekly basis. For example, Monday from 8:00 to 17:00.

Monthly A period of time that occurs on a monthly basis. For example, the 15th day of the month.

Yearly A period of time that occurs on an annual basis. For example, January 1st may be defined as a yearly event.



5. The remaining fields in the dialog box vary according to the frequency you select. If you select Daily, select the time span for the time period from the dropdown list in the Time Span field: All day Sets the time period as active for the whole day. From – Through Enables you to select the exact time that the period will

begin, and the exact time that it will end.

Figure 7-32 – Time Entry Definition: Daily

6. If you select Weekly, select the day of the week for the time period from the dropdown list in the Day of Week field and the time span from the dropdown list in the Time Span field, as described in step 5.

Figure 7-33 – Time Entry Definition: Weekly



7. If you select Monthly, select the day of the month for the time period from the Day of Month field and the time span from the dropdown list in the Time Span field, as described in step 5.

Figure 7-34 – Time Entry Definition: Monthly

8. If you select Yearly, select the month for the time period from the dropdown list in the Month field, select the day of the month from the Day of Month field, and the time span from the dropdown list in the Time Span field, as described in step 5.

Figure 7-35 – Time Entry Definition: Yearly



9. Click OK. The specified time period is displayed in the Defined Time Entries area in the Definition pane of the Time Catalog Editor.

10. Repeat steps 3 through 9 to add additional time periods as required.

NOTE:

You can edit or delete the time periods using the Edit and Delete buttons in the Defined Time Entries area.

11. Click OK. The new entry (entries) is saved in the Time Catalog. In order to save the new entry (entries) to the database, you must save the Policy Editor.

TIP: Adding a new policy with time-dependent traffic classification is effective only on new connection attempts. Any existing connection that may fall under that policy continues to pass under its original policy. If a Reject or Drop action is specified, these actions are applied only to new connection attempts.

NOTE:

A discrete time range cannot be created. For example, March 15, 2001 from 2:00 PM through 5:00 PM cannot be created. However, it can be approximated by Yearly, March 15, 2:00 PM through 5:00 PM.



TOS (Type of Service) Catalog Editor The TOS Catalog contains entries that are the possible values for the TOS condition of a Pipe, Virtual Channel or Rule. The entries in the TOS Catalog are also possible values for the TOS marking parameters in the QoS Catalog (refer to page 7-71). A sample TOS Catalog Editor is shown below:

Figure 7-36 – Sample TOS Catalog Editor

NOTE:

All of the entries in Figure 7-36 are predefined public domain TOS definitions and are Protected, meaning that they cannot be modified.



The TOS is a byte in the IP header of a packet that contains information about routing recommendations. NetEnforcer classifies traffic based on the TOS byte marking contained in the IP headers of the packets passing through it. Differentiated Services standard, for example, defines TOS byte marking for traffic classification. Using Differentiated Services, the TOS header can have three major traffic classes: Expedited, Assured Forwarding and Best Effort. Assured Forwarding includes a priority class and drop precedence level (making a total of 12 combinations). All of these TOS byte markings are predefined in the TOS Catalog. Further information regarding TOS standards can be found at www.ietf.org/rfc/rfc2475.txt.

NetEnforcer also supports TOS classification by Free Format, which can be used to classify traffic marked per Cisco Precedence Bits method.

In the TOS Catalog Editor, you can view the properties of predefined entries and create entries that classify the TOS byte using Free Format, page 7-61.



To view predefined entries:

• In the TOS Catalog Editor, select a predefined entry in the List pane. When you select the Ignore TOS entry, the Definition pane is displayed as shown on page 7-57. When you select an entry based on Differentiated Services (Best Effort or Expedited), the Definition pane is displayed as follows:

Figure 7-37 – TOS Catalog Editor: Differentiated Service

The Service field displays the selected differentiated service, as follows: Best Effort Traffic is forwarded if and when possible. Expedited Traffic receives priority treatment. Assured Forwarding Forwarding of traffic is guaranteed.



When Assured Forwarding is displayed, two additional fields, Priority Class and Drop Precedence, are displayed:

Figure 7-38 – Differentiated Service – Assured Forwarding

The Priority Class field displays the class (1 to 4). The priority class determines the priority level of the traffic: Class 1 is the lowest (no priority) and Class 4 is the highest.

The Drop Precedence field displays the precedence (Low, Medium or High). Drop precedence refers to the fact that in times of heavy congestion, some packets will be dropped. Low means that the packet will be dropped as a last resort, whereas High means that the packet can be dropped before any others.

NOTE:

The graphic representation of the TOS byte that will be checked against the IP header is displayed in the Resultant TOS Byte Bit Settings field.



Free Format TOS classification using Free Format enables you to classify traffic marked according to the Cisco Precedence Bits method.

To define a TOS using free format:

1. In the TOS Catalog Editor, click New. A new entry is added to the List pane in the TOS Catalog Editor and the Definition pane is displayed as follows:

Figure 7-39 – TOS Catalog Editor: Free Format


3. Define the TOS by selecting the individual bits in the graphic representation of the TOS byte in the Selected TOS Byte Bit Settings field.



4. Click OK. The new entry (entries) is saved in the TOS Catalog. In order to save the new entry (entries) to the database, you must save the Policy Editor.

TIP:

NetEnforcer in an MPLS Environment MPLS (Multi-protocol Label Switching) has become an important networking technology in last few years. This protocol is the first backbone related protocol to provide scalable, service-oriented infrastructure for the Internet. MPLS (an IETF standard, architecture defined in RFC 3031) uses the concept of label switching which creates a 'virtual circuit' between two end-points, rather than the legacy IP packet-by-packet routing.

MPLS allows the implementation of QoS controlled services (especially in IP-VPN environment) and is already deployed by several major carriers. The main use of MPLS is to create high quality VPNs (Virtual Private Networks). In addition, MPLS may be used to allow integrated-access services such as voice/video and data over IP.

A small label is added to each packet that tells the router how to process it (that is, on which link it should be sent) in a route that was created in advance. This pre-determined route can be associated a certain QoS level and the routers along the way can, for example, ensure that a certain amount of bandwidth will be allocated to that route.

When combined with the Differentiated Services standard (DiffServ, IETF RFCs 2474 and 2475) the network operator may combine service level (implemented by DiffServ) and routing decisions or traffic engineering (implemented by MPLS) into one system in which the DiffServ behavior is managed by the MPLS routing. A simple approach is to map DiffServ code point (or in simple terms, IP header TOS byte values) into different MPLS paths.

Integration of the NetEnforcer in an MPLS network

The fundamental assumption is that the MPLS networks are built by edge and transit (backbone) devices. The edge device performs the traffic classification and the transit devices (usually a fast core router) performs the fast, low overhead, label switching.

The NetEnforcer can control every session that enters the MPLS network, and is able to:

• Classify each session, based on defined polices (conditioned by layer2 to layer7 information – such as addresses, protocols, application data and time of day).

• Mark (“color”) every packet with a DiffServ code point (IP TOS value) based on the classification and user’s definitions for the desired Quality of Service.

In addition, the NetEnforcer continues to control and manage the network access by implementing other QoS behavior actions such as access control, bandwidth guarantees and limitations.



VLAN Catalog Editor The VLAN catalog contains Virtual LAN entities defined in 802.1 Standard.

TIP:

Since Ethernet broadcast and multicast traffic is distributed to all devices in a LAN, LANs that are based on hubs and shared cabling cannot grow with the organization and become very large to be effective. One solution is to break large networks into smaller "islands", in order to prevent broadcast and multicast traffic propagating network wide.

The VLAN 802.1Q standard addresses these issues and establishes a way to insert Virtual Local Area Network (VLAN) information into the Ethernet frames. VLANs are LANs that are interconnected by a virtual Layer 2, and therefore behave as if they are separate physical LANs.

The result is that Layer 2 (MAC) broadcast remains confined in the VLAN, even though VLANs are L2 physical interconnected. This structure creates the additional benefit of a higher level of security between segments of internal networks.

VLANs are commonly used with campus environment networks. This gives the ability to make network changes, without physically moving cables or equipment.

Figure 7-40 – Details of the Ethernet Frame Before and After the Addition of 802.1Q Frame Information.



Defining VLANs NetEnforcer supports VLAN traffic classification according to VLAN ID (VLAN Identifier) tags, consisting of 12 bits, and according to tagging priority bits, consisting of three bits. These definitions are set in the VLAN Catalog Editor, as shown below:

Figure 7-41 – VLAN Catalog Editor

According to the policies you define, the NetEnforcer assigns each packet a mapping priority and QoS definition.

The VLAN definition value is comprised as follows:

• • •

Bits 1 – 12 specify the VLAN ID.

Bit 13 is the reserved bit.

Bits 14 – 16 specify the user priority (where 7 is highest priority, and 1 is lowest priority).



When opening this window, either to create a new VLAN or to edit a previous VLAN, both boxes are checked, thereby preventing you altering the bit values.

To create a VLAN:

1. Enter the name of the VLAN in the Contents of: field.

2. Uncheck the Any User Priority and/or Any VLAN ID check boxes to insert new bit values.

3. Insert bit values in one of the following ways: Insert a decimal value in the User Priority and/or VLAN ID fields; the binary equivalent is displayed in the bit value fields.

•

• Click the bit value field boxes (zero is indicated as gray and black as one); the decimal equivalent is displayed in the User Priority and VLAN ID fields.

4. Click OK. The new entry is saved in the VLAN Catalog. In order to save the new entry to the database, you must save in the Policy Editor.



Quality of Service Catalog Editor The QoS Catalog contains entries that are the possible values for the Quality of Service action. This is the QoS applied to traffic when it meets the definitions of a policy. A sample QoS Catalog Editor is shown below:

Figure 7-42 – QoS Catalog Editor

NOTE:

The Ignore QoS, Normal Priority - Pipe and Normal Priority - VC entries are Protected, meaning the definitions for these entries cannot be modified.

The QoS Catalog Editor enables you to define QoS for a Pipe or Virtual Channel. You can prioritize connections and specify minimum and maximum bandwidth per



Pipe/Virtual Channel or per individual connections, and you can specify traffic-shaping techniques (CBR or Burst) for Virtual Channels. You can also specify TOS markings.

In the Quality of Service Catalog Editor, there is a pre-defined entry called Ignore QoS that you cannot delete or create additional entries that ignore QoS.

You can create entries that assign QoS to Pipes, Virtual Channels and connections. You can give the same QoS definitions to both directions of traffic, or define QoS parameters for both directions independently.

Rules adopt the actions of their parent Pipe or Virtual Channel.

TIP:

Priority

A priority definition implies a relative bandwidth allocation relationship to other defined priorities. It does not indicate absolute bandwidth allocations. If you require absolute bandwidth allocation, refer to the descriptions of the minimum, maximum and guaranteed bandwidth fields. Priorities 1 through 10 represent an increasing hyperbolic curve. It is important to recognize that priorities 1 through 10 do NOT represent a linear relative relationship. The following table helps explain this and shows the priorities and resultant relative bandwidth ratios:

Priority

2 1.1

3 1.2 1.1

4 1.4 1.2 1.1

5 1.6 1.5 1.3 1.1

6 2.0 1.8 1.6 1.4 1.2

7 2.5 2.2 2.0 1.7 1.5 1.2

8 3.3 3.0 2.7 2.4 2.0 1.7 1.4

9 5.0 4.5 4.0 3.5 3.0 2.5 2.0 1.5

10 10.0 9.0 8.0 7.0 6.0 5.0 4.0 3.0 2.0

Priority 1 2 3 4 5 6 7 8 9



For example:

1. Assume two Virtual Channel definitions, VC1 and VC2. VC1 has a priority of four, and VC2 has a priority of 10. Connections satisfying VC2 will be allocated seven times more bandwidth than VC1.

2. Assume total bandwidth = 150Kbps; VC1 = Minimum 30Kbps, Priority 4; VC2 = Minimum 40Kbps, Priority 10. The bandwidth allocation would then be: VC1 = 40 (30 minimum + 10 on priority basis) VC2 = 110 (40 minimum + 70 on priority basis)

Ignoring Quality of Service The inbound and outbound traffic bypasses NetEnforcer's QoS mechanism if the Ignore QoS option is selected, thereby potentially saving physical bandwidth for other traffic. However, using Ignore QoS in a policy definition leads to an attempt to satisfy any bandwidth request. This may adversely affect other bandwidth definitions.

TIP: This option is normally used in networks where internal traffic stays within the LAN domain, for example, when DMZ-bound traffic stays local and is not destined to go on the physical WAN bandwidth. For further information on interfacing to firewalls, refer to the Allot Communications Web solutions section : http://www.allot.com/pages/solutions_index.asp?intGlobalId=11 .

To view the Ignore QoS entry:

• In the QoS Catalog Editor, select Ignore QoS in the List pane. The following warning is displayed in the Definition pane of the QoS Catalog Editor:

Figure 7-43 – Ignore QoS Warning



Defining QoS for Pipes Entries in the QoS Catalog that are defined for Pipes are available when assigning QoS to Pipes in the Policy Editor.

To define QoS for Pipes:

1. Click New and then select Pipe Allocation from the popup menu displayed. A new entry is added to the List pane in the QoS Catalog with the default name New QoS and the Definition pane of the QoS Catalog Editor is displayed, as follows:

Figure 7-44 – Defining QoS for Pipes

NOTE:

Entries defined as Pipe-based are available for Pipe definitions in the Policy Editor, while Virtual Channel-based entries are not. Similarly, entries defined as Virtual Channel-based are available for Virtual Channel definitions in the Policy Editor, while Pipe-based entries are not.



2. Edit the name of the entry, if required, and press <Enter>.

3. From the Pipe-based QoS Coverage dropdown list select one of the three options: Both Directions Defined the Same: Define QoS for both the inbound and outbound traffic together (in the General tab and the Inbound and Outbound tab). This option is normally used in a symmetric environment where inbound and outbound traffic requirements are identical. Continue with step 4 below.

•

•

•

•

•

•

•

Each Direction Defined Separately: Define QoS for the inbound and outbound traffic individually (in the General tab, the Inbound tab and the Outbound tab). Continue with step 4 below.

Half-Duplex Pipe: Define QoS for both the inbound and outbound traffic together (in the General tab and the Inbound and Outbound tab) in half-duplex mode. Half-duplex pipe communications can be wireless networks centered on base-stations that configure as hubs working in Half-duplex mode, which suddenly send packets in only one direction. Continue with step 5.

4. In the Inbound and Outbound tab (for Both Directions Defined the Same and Each Direction Defined Separately), define the Quality of Service as follows:

In the Pipe Priority field, select a priority between 1 (lowest) and 10 (highest).

(Optional) In the Minimum Bandwidth for Pipe (Kbits/sec) field, enter the minimum bandwidth that will be assigned to the Pipe. As long as there is traffic requiring bandwidth in this channel, the bandwidth allocated will never be lower than this limit. Getting bandwidth above the minimum, however, depends on the traffic priority, should there be competition for the bandwidth.

In the Minimum Bandwidth Reserved on Use, select Yes to reserve the full minimum amount of bandwidth for any future traffic in the Pipe, even when the full minimum bandwidth is not currently required. The actual reservation occurs when the first connection is established within a Pipe.

(Optional) In the Maximum Bandwidth for Pipe (Kbits/sec) field, enter the maximum bandwidth assigned to the entire Pipe. The total bandwidth of all traffic allocated in this Pipe will not exceed this limit.



NOTE:

To specify a guaranteed bandwidth for a Pipe, specify the same minimum and maximum bandwidth, for example, 100Kbps.

. •

• In the Mark Out-of-Profile Traffic with TOS field, select the TOS marking to be applied to each packet in traffic whose bandwidth allocation has reached the minimum allocated for the Pipe. If you do not want to change the marking, select Ignore TOS.

NOTE:

The possible values in these TOS marking fields are the entries in the TOS Catalog, described on page 7-57.

Continue with step 6. •



5. In the Inbound and Outbound tab (for Half-Duplex Pipe), define the Quality of Service as follows:

Figure 7-45 – Inbound and Outbound Tab: Half-Duplex Pipe

In the Pipe Priority field, select a priority between 1 (lowest) and 10 (highest). •

• In the Available Bandwidth (Kbits/sec) field, enter the bandwidth assigned to the entire Pipe. The total bandwidth of all traffic allocated in this Pipe will not exceed this limit.



6. Select the General tab.

Figure 7-46 – Defining QoS for Pipes: General Tab



7. In the General tab, define connection data, as follows: •

•

•

•

(Optional) In the Max # of Connections Allowed in Pipe (All Directions) field, enter the maximum number of connections allowed for a Pipe. A new connection that exceeds this maximum will be treated according to the method selected in the Conditional Admission area.

From the first dropdown list in the Conditional Admission area, select one of the following:

Admit by Priority: Accept the new connection, but do not assign the minimum bandwidth. The new connection gets bandwidth per priority.

Drop: All packets are dropped. The user is disconnected and may see the message Connection timed-out.

NOTE:

The Drop option is provided for environments such as UDP where a client does not expect acknowledgements (ACKs).

Reject: All packets are dropped. In TCP, an RST packet is sent to the client and the user may see the message Connection Closed by Server.

•

• If you select Admit by Priority, select the TOS marking to be applied to traffic through the Pipe from the second dropdown list in the Conditional Admission area. If you do not want to change the marking, select Ignore.

8. Click OK. The new entry (entries) is saved in the QoS Catalog. In order to save the new entry (entries) to the database, you must save the Policy Editor.



Defining QoS for Virtual Channels Entries in the QoS Catalog that are defined for Virtual Channels are available when assigning QoS to Virtual Channels in the Policy Editor.

To define QoS for Virtual Channels:

1. Click New and then select Virtual Channel Allocation from the popup menu displayed. A new entry is added to the List pane in the QoS Catalog with the default name NewQoS# and the Definition pane of the QoS Catalog Editor is displayed, as follows:

Figure 7-47 – Defining QoS for Virtual Channels

2. Edit the name of the entry, if required, and press <Enter>.



3. From the Virtual Channel-based QoS Coverage dropdown list, select whether you want to define QoS for inbound and outbound together or separately. If you select Both Directions Defined the Same, you define QoS for both the inbound and outbound traffic (in the General tab and the Inbound and Outbound tab). If you select Each Direction Defined Separately, you define QoS for the inbound and outbound traffic individually (in the General tab, the Inbound tab and the Outbound tab).

NOTE:

The parameters in the Outbound tab, the Inbound tab and the Outbound and Inbound tab are the same.

TIP:

The Both Directions Defined the Same option is normally used in a symmetric environment where inbound and outbound traffic requirements are identical.

4. In the Inbound/Outbound tab, define the Quality of Service as follows: In the Priority per Virtual Channel field, select a priority between 1 and 10. (10 is the highest priority).

•

•

•

(Optional) In the Minimum Bandwidth (Kbits/sec) field, enter the minimum bandwidth that will be assigned to the Virtual Channel. As long as there is traffic requiring bandwidth in this channel, the bandwidth will never be lower than this limit. Getting bandwidth above the minimum, however, depends on the traffic priority.

(Optional) In the Maximum Bandwidth (Kbits/sec) field, enter the maximum bandwidth assigned to the entire Virtual Channel. The total bandwidth of all traffic in this channel will not exceed this limit.

NOTE:

To specify a guaranteed bandwidth for a Virtual Channel, specify the same Minimum and Maximum bandwidth, for example, 100Kbps.



TIP: When working with traffic that consists of very short connections (one or two packets per connection), it is recommended to specify a minimum bandwidth (such as 50Kbps) per Virtual Channel, rather than specifying a priority (such as 6). This is because using minimum bandwidth per Virtual Channel results in a more effective QoS policy.

In the Mark Traffic with TOS field, select the TOS marking to be applied to traffic through the Virtual Channel. If you do not want to change the marking, select Ignore.

•

•

•

•

•

5. In the Traffic-Shaping Method field, select either the Burst or CBR (Constant Bit Rate) radio button to define how the traffic will be shaped.

6. When Burst is selected, enter connection-based information in the following fields (shown on page 7-75):

(Optional) In the Minimum Bandwidth (Kbits/sec) field, enter the bandwidth that will be assigned to the connection. As long as there is traffic requiring bandwidth in this channel, the bandwidth will never be lower than this limit. Getting bandwidth above the minimum, however, depends on the traffic priority.

(Optional) In the Maximum Bandwidth (Kbits/sec) field, enter the maximum bandwidth assigned to the entire connection. The total bandwidth of all traffic in this channel will not exceed this limit.

(Optional) In the Burst Size (Kbits/sec) field, enter the Burst size for the connection. The Burst size setting allows the traffic to exceed the allotted bandwidth for a certain fraction of a second. It is allowed to exceed the maximum (to burst) during that fraction of a second, as long as the traffic does not exceed the maximum during the whole period of one second.

For example, if you enter a Burst size of 150Kbps and a maximum of 100Kbps, NetEnforcer will allow traffic to be 150Kbps for a fraction of a second, as long as the traffic does not exceed the maximum of 100Kbps.

TIP:

The Burst Size parameter is useful in environments such as satellite communications, where bandwidth is an expensive resource that must be utilized efficiently.



7. When CBR is selected, the following fields are displayed in the Connection Allocations area:

Figure 7-48 – CBR Parameters

The CBR (Constant Bit Rate) setting provides the ability to smooth traffic. Traffic exits NetEnforcer at a constant rate defined in the CBR, as long as the traffic entering NetEnforcer does so at a rate equal to or greater than the CBR. This ensures smoothing for streaming applications. Enter information in the fields, as follows:

In the Guaranteed Bandwidth (KBits/sec) field, enter the guaranteed bandwidth for the connection. Guaranteed Bandwidth is the minimum bandwidth assigned to each connection in the Virtual Channel. Each connection will receive, if required, at least the bandwidth specified in this parameter. Each connection can receive more bandwidth than the guaranteed value, up to the maximum defined for the Virtual Channel, and according to the priority of the Virtual Channel. Guaranteed Bandwidth provides the most predictable results for critical traffic and allows other connections to borrow the bandwidth when it is not in use. Guaranteed Bandwidth always supersedes the needs of other, non-guaranteed connections.

•

TIP: This is useful in multimedia applications, such as Voice over IP.



In the Delay (Microseconds) field, enter the delay value. The default delay value is 1 second and is hidden. However, you can specify any delay, as long as it does not exceed 1 second. If you specify a delay other than the default, you need to know your application’s buffering capability. The bigger the buffering capability of your application, the larger the delay you can specify. The optimum delay facilitates a better bandwidth management because it sets a lower limit to the Quality of Service mechanism that decides whether to throw away or keep a packet. The objective of setting the optimum delay is to keep jitter at a minimum (0 at best).

•

8. Select the General tab.

Figure 7-49 – Defining QoS for Virtual Channels: General Tab

9. (Optional) In the Maximum # of Connections Allowed (All Directions) field, enter the maximum number of connections allowed for a Virtual Channel. A new connection that exceeds this maximum will be treated according to the method selected in the Conditional Admission area.



10. From the dropdown list in the Conditional Admission area, select one of the following:

Admit by Priority: Accept the new connection, but do not assign the minimum bandwidth. The new connection gets bandwidth per priority.

•

• Drop: All packets are dropped. The user is disconnected and may see the message Connection timed-out. NOTE:

The Drop option is provided for environments such as UDP where a client does not expect acknowledgements (ACKs).

Reject: All packets are dropped. In TCP, an RST packet is sent to the client and the user may see the message Connection Closed by Server.

•

11. Click OK. The new entry (entries) is saved in the QoS Catalog. In order to save the new entry (entries) to the database, you must save the Policy Editor.



Connection Control Catalog Editor The Connection Control Catalog contains entries that are the possible values for the Connection Control action. This is the action applied to traffic when it meets the definitions of a policy. A sample Connection Control Catalog Editor is shown below:

Figure 7-50 – Connection Control Catalog Editor

NOTE:

The Pass as is entry is Protected, meaning the definitions for this entry cannot be modified.



The Connection Control Catalog Editor enables you to define load balancing and cache redirection servers in entries. This means that when traffic meets the definitions of a policy, it can be forwarded to a load-balancing or cache redirection server. You can only define entries that specify a load-balancing server or cache server when your NetEnforcer system includes the optional NetBalancer or CacheEnforcer modules.

For normal traffic, without either cache redirection or load-balancing requirements, the predefined entry, Pass as is, should be used. You cannot delete the predefined Pass as is entry nor can you create additional entries with Pass as is selected in the Servers Used for field.



Load-Balancing When your system includes the NetBalancer module, you can add an entry to the Connection Control Catalog that defines a load-balancing server.

To define a load-balancing server:

1. In the Connection Control Catalog Editor, click New and then Load Balancing from the popup menu displayed. A new entry is added to the List pane and the Connection Control Catalog Editor is displayed, as follows:

Figure 7-51 – Connection Control Catalog Editor: Load Balancing




3. Double-click in the Host Name / IP field and enter the load-balancing server (by host name or IP address). The system automatically recognizes the format and displays the appropriate entry in the Type column.

For more information on the parameters for configuring load-balancing options, refer to the NetBalancer User's Manual.



Cache Redirection When your system includes the CacheEnforcer module, you can add an entry to the Connection Control Catalog that defines a cache server.

To define a cache server:

1. In the Connection Control Catalog Editor, click New and then Cache Redirection from the popup menu displayed. A new entry is added to the List pane and the Connection Control Catalog Editor is displayed, as follows:

Figure 7-52 – Connection Control Catalog Editor: Cache Server




3. Double-click in the Host Name / IP /MAC field and enter the cache redirection server (by host name format, IP address or MAC address). The system automatically recognizes the format and displays the appropriate entry in the Type column.

For more information on the parameters for configuring cache-redirecting options, refer to the CacheEnforcer User's Manual.



Data Source Catalog Editor The entries in the Data Source Catalog are the LDAP servers or text source files available when defining hosts using data source queries in the Host Catalog. In the Data Source Catalog Editor, you define the LDAP servers as well as text file data sources that are the possible LDAP servers or text source files with which NetEnforcer works.

A selection between LDAP and Text:

Figure 7- 53 – Data Source Catalog Editor



To define an LDAP server:

1. In the Data Source Catalog Editor, click New and then LDAP Server from the popup menu displayed. A new entry is added to the List pane and the Data Source Catalog Editor is displayed as follows:

Figure 7-54 – Data Source Catalog Editor: LDAP Server


3. In the Host (Host/Host Port) field, enter the IP address of the LDAP server.

4. Enter the user name and password required to access the LDAP server in the relevant fields.

5. In the Description field, enter a description for the LDAP server, if required.

6. Click OK. The new entry is saved in the Data Source Catalog and the Data Source Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.



To define a text source file:

1. In the Data Source Catalog Editor, click New and then Hosts Text File from the popup menu displayed. A new entry is added to the List pane and the Data Source Catalog Editor is displayed as follows:

Figure 7-55 – Data Source Catalog Editor: Hosts Text File


3. In the Host field, enter the IP address or host name of the location of the text source file.

4. In the Description field, enter a description for the text source file, if required.

5. Click OK. The new entry is saved in the Data Source Catalog and the Data Source Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.




Chapter 8: Defining Policies

This chapter describes the process of defining a QoS policy and optimizing this policy in your particular network environment. In NetEnforcer, policy is defined using Pipes, Virtual Channels, and rules.


NetEnforcer Policy, page 8-2, provides an overview about how QoS policy is defined in NetEnforcer using Pipes, Virtual Channels and rules.

NetEnforcer Policy Editor, page 8-11, provides a quick tour of the menu options, tools and shortcut keys available in the NetEnforcer Policy Editor.

Defining Policy, page 8-20, describes how to define Pipes, Virtual Channels and rules in order to build your QoS policy. It also describes how to create Pipe and Virtual Channel templates.



NetEnforcer Policy NetEnforcer enables you to classify traffic and enforce Quality of Service according to high-level, easy-to-understand concepts. Traffic can be logically grouped into categories such as Mission Critical, Timing Critical, or Low Priority. These result in the desired network actions when matched to network traffic.

QoS policy consists of a set of conditions (rules) and a set of actions that apply as a consequence of the conditions being satisfied. Traffic is classified using Pipes and Virtual Channels. A Pipe and a Virtual Channel are defined by one or more rules and a set of actions. A Pipe includes one or more Virtual Channels.

A sample Policy showing the relationship between Pipes, Virtual Channels and rules is illustrated below:

Figure 8-1 – Pipe/Virtual Channel/Rule Relationship

Every connection passing through NetEnforcer is matched to a rule at Pipe level. This means that NetEnforcer looks to match the connection to any of the sets of conditions defined for a Pipe. If a match is found, the connection is then matched to a rule at Virtual Channel level. This means that NetEnforcer looks to match the connection to any of the sets of conditions defined for the Virtual Channels within the Pipe.



In short, the process of rule matching is as follows:

• •

Find the Pipe rule that the connection matches.

Within that Pipe, find the Virtual Channel rule that the connection matches.

NetEnforcer searches the Policy table from the top down. Thus as soon as a Pipe rule is found to match the connection, NetEnforcer looks at no more Pipes. Similarly, within the matched Pipe, as soon a Virtual Channel rule is found to match the connection, NetEnforcer looks no further.

There is a default Pipe defined in NetEnforcer, Fallback Pipe. If a connection does not match the rules of any other Pipes, it matches the Fallback Pipe. Furthermore, every Pipe always includes a default Virtual Channel, Fallback. If a connection does not match the rules of any other Virtual Channels within a Pipe, it matches the Fallback Virtual Channel.

The rules of the Fallback Pipe and Fallback Virtual Channels cannot be deleted or modified. They allow all traffic to and from all hosts, all of the time.

Pipes A Pipe provides a way of classifying traffic that enables you to divide the total bandwidth and then manage every Pipe as if it was an independent link. A Pipe consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of Virtual Channels from a QoS point of view. When you add a new Pipe, it always includes at least one Virtual Channel, the Fallback Virtual Channel. The rule of the Fallback Virtual Channel cannot be modified or deleted. A connection coming into NetEnforcer is matched to a Pipe according to whether the characteristics of the connection match any of the rules of the Pipe. The connection is then further matched to the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are enforced together with the actions of the Pipe.



Virtual Channels A Virtual Channel provides a way of classifying traffic and consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further matched to a Virtual Channel according to whether the characteristics of the connection match any of the rules of the Virtual Channel.

Rules A rule is a set of six conditions. Rules can be defined at Pipe level or Virtual Channel level. NetEnforcer matches connections to rules, first at the Pipe level and then at Virtual Channel level within a Pipe.

The six conditions that make up a rule are as follows:

•

•

•

•

•

Connection Source: Defines the source of the traffic. For example, specific IPs or MAC addresses, a range of IP addresses, IP Subnet addresses, or host names. The default value is Any which covers traffic from any source.

Connection Destination: Defines the destination of the traffic. For example, specific IPs or MAC addresses, a range of IP addresses, IP Subnet addresses, or host names. The default value is Any which covers traffic to any destination.

Service: Defines the protocols relevant to a connection. Protocols may be TCP and UDP IP type, non-TCP and non-UDP type or non-IP type. TCP and UDP IP protocols are defined based on port type. HTTP protocols may include content definitions, such as specific Web directories, pages, or URL patterns. The default value is All which covers all protocols.

TOS: Defines the TOS byte contained in the IP headers of the traffic. The default value is Any which covers any TOS value.

VLAN: Defines VLAN traffic classification according to VLAN ID (VLAN Identifier) tags, consisting of 12 bits, and according to tagging priority bits, consisting of three bits.



• Time: Defines the time period during which the traffic is received. For example daily between 8.00 AM and 6.00 PM, Sundays between 12.00 AM and 12.00 PM or on the 1st and 15th of the month. The default value is Always which covers traffic at any time.

When a new Pipe or Virtual Channel is created, it is assigned a default rule with default values for each condition and you can modify these values as required.

The possible values for each condition are defined in the Catalog entries in the Catalog Editors. A Catalog Editor enables you to give a logical name to a comprehensive set of parameters (a Catalog entry). This logical name then becomes a possible value for a condition. Catalog Editors are described in detail in Chapter 7, Defining Catalog Entries.

TIP:

If you classify traffic by a specific Connection Source or Connection Destination, make sure your definition applies to both directions, from the Source to the Destination and from the Destination to the Source. For example, if you define HostName as the Connection Source and Any as the Connection Destination, make sure that the rule is bi-directional, so that traffic from Any to HostName is also covered.

Actions Pipes and Virtual Channels include a set of actions that is assigned to traffic once it meets any of the rules defined for the Pipe or Virtual Channel. There are two actions that can be defined for a Pipe: Access Control and Quality of Service, and three actions that can be defined for a Virtual Channel: Access Control, Quality of Service and Connection Control. Only if Access Control is set to Accept may the other actions apply.

Access Control This action determines the access given to traffic. The possible values are as follows: Accept The connection is accepted and traffic is granted access. This is the default

value. Drop All packets are dropped. In TCP traffic, an RST packet is sent to the client

and the user may see the message Connection Closed by Server.



Reject All packets are dropped. The user is disconnected and may see the message Connection timed-out.

If the Access Control for a Pipe or Virtual Channel is specified as Reject or Drop, all traffic meeting the rules of the Pipe or Virtual Channel is dropped and no other Quality of Service or Connection Control actions are applied.

Quality of Service This action determines the QoS given to traffic. The QoS specified can include the following:

• • • • •

• • • •

Priority per Pipe/Virtual Channel

Minimum and maximum bandwidth per Pipe/Virtual Channel

Minimum and maximum bandwidth per connection (Virtual Channels only)

Guaranteed bandwidth per connection (Virtual Channels only)

Traffic shaping by enforcing Constant Bit Rate (CBR) or Burst level (Virtual Channels only)

TOS marking per channel

Admission Control (number of connections)

Reserve on Demand (Pipes only)

Conditional Admission

The default Quality of Service action for Pipes or Virtual Channels is Normal Priority, which has Level 4 priority, no bandwidth definitions, no TOS marking and no connection limitations.

The possible values for the Quality of Service action are defined in a Catalog entry in the Quality of Service Catalog Editor. A Catalog Editor enables you to assign a logical name to a comprehensive set of parameters. This logical name then becomes a possible value for an action. Catalog Editors are described in detail in Chapter 7, Defining Catalog Entries.



TIP:

To evaluate what Quality of Service to set for each Pipe or Virtual Channel, consider the following:

• Do you know the applications running in your network? (For more information, refer to Chapter 6, Monitoring Network Traffic.)

• During peak periods, what percentage of total traffic does each Pipe or Virtual Channel represent?

• Do you want to guarantee some minimum bandwidth for time-critical applications?

• Do you want to assign a higher priority to some applications?

It is recommended to start out simply and then, over time, to fine-tune the Pipes, Virtual Channels and rules to meet your needs. Assign each of your Pipes and Virtual Channels a classification by protocol Normal priority or use the default set of Pipes and Virtual Channels included with NetEnforcer. Monitor the results for a period of time, using a tool such as NetWizard (described in Chapter 5, NetWizard Quick Start) and observe how much bandwidth each of the Pipes and Virtual Channels utilizes during peak hours. Then, using this data, create new QoS Catalog entries and assign them to the Pipes and Virtual Channels.

Now gradually increase the priority of one or two of your high-priority applications, and decrease the priority of one or two of your lower priority ones. Observe response time during a typical day’s traffic cycle (peak and non-peak).

Gradually fine-tune the system. Increase the number of Pipes and Virtual Channels by dividing one Pipe or Virtual Channel into several distinct ones, as the need arises. The process of assigning Quality of Service should continue by limiting lower priority traffic and increasing bandwidth to those applications that need or deserve more bandwidth. For high-priority traffic, you should gradually increase the priority and assign more minimum or fixed bandwidth. For lower priority traffic, you can lower its priority and assign a maximum bandwidth during peak periods. You can also limit the number of active connections for that channel. For example, if you wish to limit FTP traffic, you can specify a maximum number of connections for all FTP traffic.

Internet connection bandwidth consumption with and without NetEnforcer is shown below:

Internet connection withoutNetEnforcer

Email60%

Other20%

e-Business20%

Internet connection withNetEnforcer

e-Business60%

Other10%

Email30%

Without NetEnforcer, Internet connection bandwidth is consumed by batch traffic such as Email, while e-Business traffic is inhibited by lengthy response time (meaning e-Business gets only 20% of bandwidth).



With NetEnforcer used for bandwidth management, Internet connection traffic is managed according to business priorities. For example, email is limited to 30% of bandwidth, while e-Business is granted a higher bandwidth portion, up to 60% of bandwidth. The end result is that critical application users enjoy a better response time.

Connection Control This action determines whether the traffic is redirected to a specialty load-balancing or cache server. The default value is Pass As Is, which means that the traffic is not redirected. In order to specify other values for this action, you must have the NetBalancer or the CacheEnforcer optional modules activated in your NetEnforcer system. Refer to Chapter 4, Configuring NetEnforcer for more details.

This action can only be defined for Virtual Channel. The Connection Control for a Pipe is always Pass As Is.

The possible values for the Connection Control action are defined in a Catalog entry in the Connection Control Catalog Editor. A Catalog Editor enables you to assign a logical name to a comprehensive set of parameters. This logical name then becomes a possible value for an action. Catalog Editors are described in detail in Chapter 7, Defining Catalog Entries.

The functions of NetBalancer and CacheEnforcer are as follows:

•

•

CacheEnforcer directs requests to a cache server. You can add cache servers and determine the action to be taken when the server list is exhausted. CacheEnforcer lists alternate servers, enabling a request to be redirected to other servers on the list should a server not respond. If and when all the listed servers do not respond, you can determine the action that is to be taken. Refer to the CacheEnforcer User’s Manual for more information.

NetBalancer enables you to distribute traffic loads between servers. Refer to the NetBalancer User’s Manual for more information.



Using Pipes, Virtual Channels and Rules The following examples show how Pipes and Virtual Channels might be used: •

•

•

An Internet Service Provider sells slices of bandwidth to customers (defined in a Pipe template), each based on the Quality of Service granted to that category of customer (such as Gold, Silver and Bronze customers). A university wants to control Internet traffic congestion across the network involving students and faculty, in particular, to limit FTP use and give preferential bandwidth allocation to faculty during weekday hours. The university defines Virtual Channels for faculty usage, student usage, and student usage during night hours. A further rule is then defined under the student usage Virtual Channel that specifies a different service for students accessing FTP. An organization has several links to the Internet. Only one NetEnforcer is required with Pipes defined for every link enabling traffic to be managed on every link independently.

NetEnforcer includes a default starting database that contains common types of traffic written in sample Pipes, Virtual Channels and rules. You can edit, disable or delete these as required.

Using Templates Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other. Templates work with host entries defined in the Host Catalog.

Using Import from LDAP or Text Files You can now use additional data source definition options: LDAP or Text File (using the Data Source Catalog Editor). The text file can be located on a remote server.



Order of Policy Definitions You should define Pipes and Virtual Channels so that those that are more specific are defined before those that are more general. This is because NetEnforcer searches the Policy table from the top down. Thus as soon as a Pipe rule is found to match the connection, NetEnforcer looks at no more Pipes. Similarly, within the matched Pipe, as soon a Virtual Channel rule is found to match the connection, NetEnforcer looks no further. For example, if you define a Virtual Channel that includes all HTML (*.html) files, that Virtual Channel must come after a Virtual Channel with a rule that specifies a specific HTML file. Otherwise, NetEnforcer will always arrive at the general rule first, assign the action defined in the Virtual Channel of that rule, and not assign the action defined for the more specific rule.



NetEnforcer Policy Editor You set your QoS policy by defining Pipes and Virtual Channels in the NetEnforcer Policy Editor.

To access the Policy Editor:

From the NetEnforcer Control Panel, click Policies and then Policy Editor. The Policy Editor is displayed:

Menu Bar Rule (Conditions)

Virtual Channels

Toolbar

Pipe

Menu Bar ActionsToolbarMenu Bar Rule (Conditions)

Virtual Channels

Toolbar

Pipe

Menu Bar ActionsToolbar

Figure 8-2 – Policy Editor

The Policy Editor provides a tree-table of the Pipes and Virtual Channels currently defined in your NetEnforcer. Each line in the table represents a single rule (of a Pipe or a Virtual Channel). A Pipe can be defined by one of more rules and can include one or more Virtual Channels. A Virtual Channel can be defined by one or more rules.



NOTE:

The first rule of a Pipe or Virtual Channel is visually embedded in the first line of the Pipe or Virtual Channel so there is no rule icon associated with this first rule. Other rules have icons.

There is always one default Pipe, called Fallback Pipe, in the Policy Editor. The conditions or rule of this default Pipe cannot be modified or deleted.

Every Pipe has a default Virtual Channel called Fallback. The conditions or rule of this default Virtual Channel cannot be modified or deleted, but you can delete the Pipe entirely. You can expand/collapse Pipes and Virtual Channels in the Policy Editor by clicking the or on the left of a Pipe or Virtual Channel, or pressing <Shift + right arrow> or <Shift + left arrow> on your keyboard.

View Options You can modify the Policy Editor view by selecting to hide or display the available columns.

To customize the Policy Editor view:

1. From the Settings menu, select View Options. The View Options dialog box is displayed.

Figure 8-3 – View Options



2. Select the checkboxes to the left of the columns you want to display in the Policy Editor.

3. Click OK.

Policy Editor Menus and Toolbar The menu options, tools and shortcut key options available in the Policy Editor are as follows:

Menu/Command Button Shortcut Function

File

Save

Ctrl + S Saves the changes to the policy configuration in the NetEnforcer database and activates the new configuration.

Save & Distribute Saves the current policy to all NetEnforcers on the distribution list. Refer to Distributing Policy, page 8-32.

Reload Reloads the current policy from NetEnforcer.

Print Enables you to print the policy table displayed in the Policy Editor.

Exit Closes the Policy Editor.

Edit

Cut

Ctrl + X Cuts the currently selected Pipe, Virtual Channel or rule from the Policy Editor and places it in memory.

Copy

Ctrl + C Copies the currently selected Pipe, Virtual Channel or rule from the Policy Editor and places it in memory.




Paste Ctrl + V Pastes the currently selected Pipe, Virtual Channel or rule from memory into the current location.

Delete

Delete Deletes the selected Pipe, Virtual Channel or rule.

Rename Ctrl + N Enables you to rename the selected Pipe or Virtual Channel.

Enable Ctrl + E Enables the selected Pipe, Virtual Channel or rule. A Pipe, Virtual Channel or rule must be enabled in order for NetEnforcer to take it into account.

Disable Ctrl + D Disables the selected Pipe, Virtual Channel or rule. When a Pipe, Virtual Channel or rule is disabled, NetEnforcer does not consider it. A disabled Pipe, Virtual Channel or rule is ignored in traffic management, monitoring, accounting, and so on.

Find Ctrl + F Enables you to search for and locate Pipes, Virtual Channels, and rules in the policy table.

Insert

Pipe

Ctrl + P Inserts a new Pipe with default settings. Refer to Adding Pipes, page 8-22.

Virtual Channel

Ctrl + L Inserts a new Virtual Channel with default settings. Refer to Adding Virtual Channels, page 8-24.

Rule

Ctrl + K Inserts a new rule with default settings. Refer to Adding Rules, page 8-26.




Templates Enables you to insert Pipe templates or Virtual Channel templates. Refer to Templates, page 8-28.

Catalogs

Host Opens the Host Catalog Editor, enabling you to define possible Connection Source and Destination conditions.

Service Opens the Service Catalog Editor, enabling you to define possible Service conditions.

Time Opens the Time Catalog Editor, enabling you to define possible Time conditions.

TOS Opens the TOS Catalog Editor, enabling you to define possible Type of Service conditions.

VLAN

Opens the VLAN Catalog Editor, enabling you to define possible VLAN actions.

Quality of Service Opens the QoS Catalog Editor, enabling you to define possible Quality of Service actions.

Connection Control Opens the Connection Control Catalog Editor, enabling you to define possible Connection Control actions.




Data Source Opens the Data Source Catalog Editor, enabling you to define the LDAP servers with which NetEnforcer can work.

Can now define a text file data source in the Data Source catalog editor.

The text file can be located on a remote server instead of the NetEnforcer. Data transferred via TFTP.

Settings

Distribution List Enables you to specify other NetEnforcer addresses that will receive a policy when distributed. Refer to Distributing Policy, page 8-32.

View Options Enables you to modify the Policy Editor view. Refer to View Options, page 8-12.

Help


Cache Redirection Provides access to online help for the CacheEnforcer module.

Load Balancing Provides access to online help for the NetBalancer module.

NOTE:

Some of these options are also available when right-clicking a line in the Policy Editor. In addition, you can access monitoring graphs from the right-click menu of a Pipe or Virtual Channel. Monitoring graphs are described in Chapter 6, Monitoring Network Traffic.



Data Source Catalog Editor:

Figure 8-4 – Data Source Catalog Editor: Hosts Text File



To define a text file data source:

Figure 8-5 – Host Catalog Editor

To define host entries using a text file data source:

1. Select the Data Source Query to be used.

2. Define the name and location of the text file.

3. Define the properties of the text file in the Host Catalog.

4. In the Host Catalog, select Fetch & View Contents to view the contents of the text file.



Figure 8-6 – Query Dialog

5. Press Close and save the new host entry.

Policy Editor Status Bar The status bar in the Policy Editor provides the following information:

• •

•

General Messages

Mod Flag: Mod is displayed to indicate that the policy has been changed but not yet saved.

Key: Quality of Service not activated is displayed when the Quality of Service key is missing or erroneous. The Quality of Service key is specified in the Product IDs & Keys tab of the NetEnforcer Configuration window.



Defining Policy The typical workflow for configuring your QoS policy is shown in the following diagram:

DefineVirtual Channels

Define Your NetworkRequirements

Define Pipes

Figure 8-7 – Defining Policy Workflow

Each step of the workflow is described in the following sections. You can also define Pipes and Virtual Channels using templates, described on page 8-28.



Defining Your Network Requirements Before defining Pipes or Virtual Channels, you must determine the type of traffic flowing through your network. Using NetEnforcer’s Monitoring functions (described in Chapter 6, Monitoring) or NetWizard functions (described in Chapter 5, NetWizard Quick Start), you can determine your current network application patterns, and define the necessary QoS classification and actions.

The following are examples of traffic patterns and required QoS policy:

•

•

•

•

•

•

Applications on your network that you consider “mission-critical” applications. These may be special applications that are time and/or resource sensitive. You may want to provide increased bandwidth or server resources.

Items on your network that you consider low priority. These may include traffic that you consider non-time and/or response sensitive, or applications that you wish to limit during busy hours, such as FTP traffic.

Applications that you do not want used on your network during certain times, such as new file-sharing applications that enable clients in your network to function as servers, thereby drastically increasing outbound traffic volume.

Background tasks that are important, but can be performed at a slower rate. These may include email traffic or certain file transfers.

Time-sensitive network applications. These may include streaming applications such as real-time audio or video.

Customers or groups of customers categorized into various “tiered” levels. For example, you may wish to have Gold-level customers.

Once you have classified your network traffic, you can define your QoS policy.



Adding Pipes Each Pipe is defined by at least one rule (set of conditions), and any traffic meeting those conditions is channeled to that Pipe. The actions defined for the Pipe are then applied to the traffic.

To add a pipe:

1. Add a Pipe in one of the following ways: Select a Pipe in the policy table and click (blue icon) in the toolbar. • Select a Pipe in the policy table and select Pipe from the Insert menu. •

•

•

Right-click a Pipe in the policy table and select Insert and then Pipe from the popup menus that are displayed. Press <Ctrl + P> on your keyboard (at the same time).

A new Pipe is added above the selected Pipe. The new Pipe contains a default Virtual Channel (Fallback), and has default values for its rule (conditions) and actions.

2. Edit the name of the Pipe, if required, and press <Enter>. Assigning a logical name to the Pipe helps you to classify your traffic.

NOTE:

You can rename a Pipe at any time by selecting Rename from the Edit menu.

3. Modify the rule of the Pipe by clicking the cell in the relevant column and selecting the required condition from the dropdown list that is displayed. The rule is made up of the following conditions:

Connection Source The source of the traffic.

Connection Destination The destination of the traffic.

Service The protocol relevant to a connection.

Time The time of the connection.

TOS The TOS marking of the connection.

VLAN The destination of VLAN traffic.



4. Modify the actions of the Pipe by clicking the cell in the relevant column and selecting the required action from the dropdown list that is displayed. The actions are as follows: Access The access given to traffic. Quality of Service The quality of service applied to traffic given access.

The QoS determines priority, minimum and maximum bandwidth and the maximum number of connections.

NOTE:

The Connection Control action for a Pipe is always Pass As Is.

5. Specify the direction of the traffic between the selected source and destination by clicking in the Dir field and selecting one of the following: Bidirectional The flow of traffic in either direction between the

selected source and destination (default). Unidirectional The flow of traffic from the selected source to the

selected destination.

6. When a new Pipe is created, it is automatically enabled, meaning once the Policy Editor is saved to NetEnforcer, the Pipe is taken into account by NetEnforcer. You can enable or disable the Pipe in one of the following ways:

Select Enable or Disable from the Edit menu. • •

•

Right-click in the In Use column and select Enable or Disable from the popup menu. Click the Enable or Disable button.

NOTE:

When a Pipe is disabled, its rules and the Virtual Channels under the Pipe are disabled automatically.

7. Click to save the new Pipe to NetEnforcer.

TIP:

You can also add a new Pipe by copying and pasting an existing Pipe and modifying its definition.

You can now define further rules for the Pipe or add further Virtual Channels to the Pipe, as required.



Adding Virtual Channels A Virtual Channel is added to a Pipe. A Virtual Channel is defined by at least one rule set of conditions), and any traffic meeting those conditions is channeled to that Virtual Channel. The actions defined for the Virtual Channel are then applied to the traffic.

NOTE:

The actions of the Pipe influence all the Virtual Channels under that Pipe and will be enforced together with the Virtual Channel's actions on every connection that is matched to the Pipe.

To add a Virtual Channel:

1. Add a Virtual Channel in one of the following ways: Select a Pipe or Virtual Channel in the policy table and click in the toolbar. • Select a Pipe or Virtual Channel in the policy table and select Virtual Channel from the Insert menu.

•

•

•

Right-click a Pipe or Virtual Channel in the policy table and select Insert and then Virtual Channel from the popup menus that are displayed. Press <Ctrl + L> on your keyboard (at the same time).

A new Virtual Channel is added to the selected Pipe, or to the Pipe to which the selected Virtual Channel belongs. The new Virtual Channel has default values for its rule (conditions) and actions.

2. Edit the name of the Virtual Channel, if required, and press <Enter>. Assigning a logical name to the Virtual Channel helps you to classify your traffic. NOTE:

You can rename a Virtual Channel at any time by selecting Rename from the Edit menu.

3. Modify the rule of the Virtual Channel in the same way as for a Pipe, described on page 8-22.



4. Modify the actions of the Virtual Channel by clicking the cell in the relevant column and selecting the required action from the dropdown list that is displayed. The actions are as follows: Access The access given to traffic. Quality of Service The quality of service applied to traffic given access.

The QoS determines priority, minimum and maximum bandwidth, traffic-shaping techniques (CBR or Burst) and the maximum number of connections.

Connection Control The redirection of traffic to a load-balancing server or cache server, if required.




6. When a new Virtual Channel is created, it is automatically enabled, meaning once the Policy Editor is saved to NetEnforcer, the Virtual Channel is taken into account by NetEnforcer. You can enable or disable the Virtual Channel in one of the following ways:


•

Right-click in the In Use column and select Enable or Disable from the popup menu. Click the Enable or Disable button. Press <Ctrl + E> to enable. •

• Press <Ctrl + D> to disable. NOTE:

When a Virtual Channel is disabled, its rules are disabled automatically.



7. Click to save the new Virtual Channel to NetEnforcer.

TIP:

You can also add a new Virtual Channel by copying and pasting an existing Virtual Channel and modifying its definition.

You can now define further rules for the Virtual Channel, as required.

Adding Rules A rule is made up of six conditions. When traffic meets the conditions of a rule, it is assigned to that rule. The actions assigned to the traffic are the actions defined for the Pipe or Virtual Channel to which the rule belongs.

To add a rule:

1. Add a rule in one of the following ways:

Select a Pipe, Virtual Channel or rule in the policy table and click (purple icon) in the toolbar.

•

Select a Pipe, Virtual Channel or rule in the policy table and select Rule from the Insert menu.

•

•

•

Right-click a Pipe, Virtual Channel or rule in the policy table and select Insert and then Rule from the popup menus that are displayed. Press <Ctrl + K> on your keyboard.

A new rule is added to the selected Pipe or Virtual Channel, or to the Pipe or Virtual Channel to which the selected rule belongs. NOTE:

Rules do not have names.

2. Specify the conditions for the rule in the same way as for a Pipe, described on page 8-22.






4. When a new rule is defined for a Pipe or Virtual Channel, it is automatically enabled, meaning once the Policy Editor is saved to NetEnforcer, the rule is taken into account by NetEnforcer. You can enable or disable the rule in one of the following ways:


•

Right-click in the In Use column and select Enable or Disable from the popup menu. Click the Enable or Disable button. Press <Ctrl + E> to enable. •

• Press <Ctrl + D> to disable.

You can continue to define further Pipes, Virtual Channels and rules, as required. To speed up the process, you can copy and paste existing Pipes, Virtual Channels and rules and then modify their settings, as required. Remember, when you have completed your

editing session, click to save the new rules, Virtual Channels and Pipes to NetEnforcer

You can also create and insert a Pipe or Virtual Channel template as described on page 8-28.



Policy Table Order You should define Pipes and Virtual Channels so that those that are more specific are defined before those that are more general. Similarly, the rules defined for a Pipe or Virtual Channel should follow this order. This is because NetEnforcer searches the Policy table from the top down. Thus as soon as a Pipe rule is found to match the connection, NetEnforcer looks at no more Pipes. Similarly, within the matched Pipe, as soon a Virtual Channel rule is found to match the connection, NetEnforcer looks no further.

Using cut and paste, you can change the order of the policy table, as follows:

• • •

Change the order of Pipes within the policy table

Change the order of Virtual Channels within Pipes

Change the order of rules within Pipes or Virtual Channels

You cannot change the position of the Fallback Pipe or Fallback Virtual Channels. The Fallback Pipe is always at the bottom of the policy table and the Fallback Virtual Channels are always the last Virtual Channel in a Pipe.

Templates Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other. Templates work with host entries defined in the Host Catalog. For example, if you had a Host Group type entry in the Host Catalog called Gold Customers that consisted of Company X, Company Y and Company Z, you could define a Pipe template to be expanded for Gold Customers. This would result in Pipes being created for Company X, Company Y and Company Z when the Policy Editor is saved.

With Host List type entries, templates are only effective when the Host List entry includes more than one host or IP address or a range of IP addresses. For example, creating a Pipe template based on a Host List type entry that includes a range of IP addresses generates a Pipe instance for each IP in the range.



NOTE:

It is not possible to view Pipe instances in the Policy Editor. However, the instances are available for selection in the Monitoring module, described in Chapter 6, Monitoring Network Traffic.

A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual Channels on source/destination differentiation. This means that you do not need to define similar Pipes and Virtual Channels when the only difference between them is the IP address in the source or destination.

New features include:

• New Template on Range feature allows user to define a range of IPs or subnet.

• Expand feature removed, template automatically implies expansion.

Creating Pipe Templates Pipe templates represent instances of the same Pipe for every host in a selected Host Catalog entry. Pipe templates are added at the same hierarchy level as Pipes.

To create a Pipe template:

1. Add a Pipe template in one of the following ways: Select a Pipe in the policy table and select Template and then Pipe Template from the Insert menu.

•

•

•

Right-click a Pipe in the policy table and select Insert, Templates and then Pipe Template from the popup menus that are displayed. Press <Ctrl + SHIFT + P> on your keyboard.



The Insert Pipe Template dialog box is displayed.

Figure 8-8 – Insert Pipe Template

2. Select the Host Catalog entry for which you want to create Pipe instances from the dropdown list. NOTE:

You can open the Host Catalog Editor and add or modify entries as required by clicking Host Editor.

3. In the Direction Settings area, select whether to expand the Pipe by connection source or destination or both.

If you select Bi-Directional, an instance of the Pipe will be generated for all hosts specified in the selected Host Catalog entry. The Pipes will be bi-directional, meaning that the traffic can be flowing either to or from the host in order to match the Pipe.

•



If you select Uni-Directional, you must then select whether to expand the Pipe by connection source or destination. When Connection Source is selected, the Pipes generated will be uni-directional from the source, meaning that the traffic must be flowing from the host in order to match the Pipe. When Connection Destination is selected, the Pipes generated will be uni-directional to the destination, meaning that the traffic must be flowing to the host in order to match the Pipe.

•

4. Click OK. A new Pipe template is added to the policy table.

5. Edit the name of the Pipe template, if required. The new Pipe template is displayed in the policy table with the selected Host Catalog entry as the Connection Source or Connection Destination.

Figure 8-9 – New Pipe Template

6. Modify the Pipe template as required. You can modify its existing rule (conditions), modify its actions, define further rules and add Virtual Channels. The resulting Pipe instances receive any modifications or additions made to the Pipe template.

NOTE:

You can change the Host Catalog entry for which you want to define Pipe instances at any time by right-clicking the Pipe template name and selecting Expand by and then selecting another Host Catalog entry.

Pipes identical to the Pipe template but with a different Connection Source or Connection Destination are created for every member of the selected Host Catalog entry upon saving the Policy Editor. These Pipes are not displayed in the policy table. A Pipe is indicated as a template or master Pipe by the symbol in its icon and the symbol next to the entry in the Connection Source or Connection Destination field.



Creating Virtual Channel Templates The process for creating Virtual Channel templates is similar to the one used for creating Pipe templates. Virtual Channel templates represent instances of the same Virtual Channel for every host in a selected Host Catalog entry. Virtual Channel templates are added at the same hierarchy level as Virtual Channels but they cannot be created beneath a Pipe template.

To create a Virtual Channel template:

1. Add a Virtual Channel template in one of the following ways: Select a Pipe or Virtual Channel in the policy table and select Template and then Virtual Channel Template from the Insert menu.

•

•

•

Right-click a Pipe or Virtual Channel in the policy table and select Insert, Templates and then Virtual Channel Template from the popup menus that are displayed. Press <Ctrl + SHIF + L> on your keyboard.



The Insert Virtual Channel Template dialog box is displayed.

Figure 8-10 – Insert Virtual Channel Template

2. Select the Host Catalog entry for which you want to create Virtual Channel instances from the dropdown list. NOTE:

You can open the Host Catalog Editor and add or modify entries as required by clicking Host Editor.

3. In the Direction Settings area, select whether to expand the Virtual Channel by connection source or destination or both.

If you select Bi-Directional, an instance of the Virtual Channel will be generated for all hosts specified in the selected Host Catalog entry. The Virtual Channels will be bi-directional, meaning that the traffic can be flowing either to or from the host in order to match the Virtual Channel.

•



If you select Uni-Directional, you must then select whether to expand the Virtual Channel by connection source or destination. When Connection Source is selected, the Virtual Channels generated will be uni-directional from the source, meaning that the traffic must be flowing from the host in order to match the Virtual Channel. When Connection Destination is selected, the Virtual Channels generated will be uni-directional to the destination, meaning that the traffic must be flowing to the host in order to match the Virtual Channel.

•

4. Click OK. A new Virtual Channel template is added to the policy table.

5. Edit the name of the Virtual Channel template, if required. The new Virtual Channel template is displayed in the policy table with the selected Host Catalog entry as the Connection Source or Connection Destination.

Figure 8-11 – New Virtual Channel Template

6. Modify the Virtual Channel template as required. You can modify its existing Rule (conditions), modify its actions and define further Rules. The resulting Virtual Channel instances receive any modifications or additions made to the Virtual Channel template. NOTE:

You can change the Host Catalog entry for which you want to define Virtual Channel instances at any time by right-clicking the Virtual Channel template name and selecting Expand by and then selecting another Host Catalog entry.

Virtual Channels identical to the Virtual Channel template but with a different Connection Source or Connection Destination are created for every member of the selected host entry. These Virtual Channels are not displayed in the policy table. A Virtual Channel is indicated as a template or master Virtual Channel by the symbol in its icon and the symbol next to the entry in the Connection Source or Connection Destination field.



NOTE:

For example, tiered services may defined quickly using templates. Create one template to represent Platinum service with a minimum of 500Kbps per user, a second to represent Gold service with a minimum of 250Kbps per user and a third to represent Silver service with a maximum of 100 Kbps per user.

Distributing Policy to Other NetEnforcers You can save and simultaneously distribute your QoS policy to other NetEnforcers if required. The policy is distributed to all devices on the distribution list. You can add devices to the distribution list as required.

To configure the distribution list:

1. From the Settings menu, select Distribution List. The Distribution List is displayed.

Figure 8-12 – Distribution List

NOTE:

You can distribute policy to other NetEnforcers, only if they are of the same model and have the same software version as the one from which you are distributing.



2. To add a device to the distribution list, click Add. The Device Properties dialog box is displayed.

Figure 8-13 – Device Properties Dialog Box

3. In the Host field, specify the IP address of the NetEnforcer device.

4. Specify the user name and password in the relevant fields.

5. Click OK. The device is added to the distribution list.

You can further modify the distribution list in the following ways:

•

•

•

Select a device in the list and click Edit. Modify the properties of the device in the Device Properties dialog box as required.

Select a device in the list and click Delete. The selected device is deleted from the distribution list.

Click Delete All to delete all devices from the distribution list.



To distribute the QoS policy to the devices on the distribution list, select Save & Distribute from the File menu. A report on the results of the distribution is displayed, for example:

Figure 8-14 – Distribution Report




Chapter 9: NetEnforcer Alerts

This chapter describes the NetEnforcer Alerts Editor and Alerts Log.


Overview, page 9-2, provides an overview of the NetEnforcer Alerts Editor and Log and how you can use them to monitor your network status.

Alerts Editor, page 9-5, describes the NetEnforcer Alerts Editor and how to define events or conditions that will trigger alerts.

Alerts Log, page 9-22, describes the NetEnforcer Alerts Log that includes a list of the alerts triggered by the alert definitions.

Alerts Event Messages, page Error! Bookmark not defined., describes the default Event Alerts that may be seen in the NetEnforcer Alerts module.



Overview The Alerts feature allows the user to not only monitor the state of the system, but also be alerted when certain thresholds are met. For example, users can set an alert to identify when the bandwidth for a particular link/customer is close to reaching its maximum. Utilizing the Alert mechanism, an action can be taken before network problems occur (e.g., before the line is get fully utilized and congestion exists). Thresholds can be set to alert to identify excessive connections or abnormal behavior on the line.

TIP:

Users can be alerted of potential virus attacks by setting alerts on certain connection limits.

The Alerts feature enables user to set Actions to occur when certain user-defined thresholds are reached for the following entities:

• NetEnforcer

• Pipe

• VC

• System

Within each entity there are various conditions that can be monitored as well as numerous actions that can be taken in the event of an alert. The basic actions are:

• Send SNMP trap

• Send email (up to two addresses)

• Send SMS

• Change access control

• Change priority



• Send NetEnforcer into bypass

• Reboot NetEnforcer

The Alerts log provides a list of all the alerts (including predefined ones) and replaces the Log Viewer found in previous NetEnforcer versions. Acknowledging an Alert event allows the tracking of that Alert to continue, enabling a record of the event to be built up in the Alerts log.



Important Preparation In order to work with alerts, you must specify the following parameters in the Alerts tab of the NetEnforcer Configuration window:

• Select the Activate Alert Dispatching on NetEnforcer checkbox. This is checked by default.

Figure 9-1 – NetEnforcer Configuration Window

• •

Define any relevant email addresses and SMS targets for alerts.

Click or select Save to NetEnforcer from the File menu in the NetEnforcer Configuration window to save the configuration.

The NetEnforcer Configuration window is described in Chapter 4, Configuring NetEnforcer.



Alerts Editor The Alerts Editor enables you to define events or conditions that will trigger alerts (alert definitions). Alerts can be triggered according to conditions existing in NetEnforcer, a selected Pipe or Virtual Channel, or in the system generally. You can define up to 100 alert definitions in the Alerts Editor.

When an alert is triggered, it is displayed in the Alerts Log. You can also send notification of alerts by SMS, email or SNMP.

Predefined System Alerts Some alerts are predefined. This means that when certain conditions exist, an alert is triggered and displayed in the Alerts Log. There is no need to define an alert definition for a predefined alert in the Alerts Editor. Predefined alerts are not sent to any defined email, SMS or SNMP targets.

All predefined alerts relate to the system, meaning they occur when a certain condition exists in the system.

The following table lists the possible default event Alerts that may be seen in the NetEnforcer Alerts module.

Alert Message Alert Syntax (Module#Severity#Message)

Definition

Connection to both RADIUS servers lost.

Accounting#Critical#Connection to both RADIUS servers lost.

Indicates that the NetAccountant’s connection to both the primary and secondary (if relevant) RADIUS servers has failed. This could be due to difficulties on either side of the connection.




Definition

Accounting is not active. Invalid key.

Accounting#Major#Accounting is not active. Invalid key.

Indicates that the key entered in the NetEnforcer GUI is not a valid key for activating the NetAccountant Module. Check the key or contact Allot Customer Support.

Failed to read configuration parameters.

Accounting#Major#Failed to read configuration parameters.

Indicates that the NetAccountant configuration parameters in the NetEnforcer GUI have not been entered.

Accounting is not active.

Accounting#Major#Accounting is not active.

Indicates that the NetAccountant module has not been enabled in the NetEnforcer GUI.

Failed to connect to primary server. Connecting to secondary server.

Accounting#Major#Failed to connect to primary server. Connecting to secondary server.

Indicates that the NetAccountant Module was unable to connect to the primary external server entered in the NetEnforcer GUI.

Failed to connect to secondary server.

Accounting#Major#Failed to connect to secondary server.

Indicates that the NetAccountant Module was unable to connect to the secondary external server entered in the NetEnforcer GUI.

Failed to connect to either primary or secondary server - data send aborted.

Accounting#Critical#Failed to connect to either primary or secondary server - data send aborted.

Indicates that the NetAccountant Module was unable to connect to the primary or secondary external server entered in the NetEnforcer GUI and that any Accounting data for this interval has been lost.




Definition

Failed to retrieve data - data send aborted.

Accounting#Major#Failed to retrieve data - data send aborted.

Indicates that the NetAccountant Module was unable to gather the Accounting data from the Stats Collector and that any Accounting data for this interval has been lost.

Low disk space. Failed to save accounting data. Please consult customer support.

Accounting#Critical#Low disk space. Failed to save accounting data. Please consult customer support.

Indicates that the NetAccountant Module was unable to save Internal accounting data to the NetEnforcer’s hard disc due to a lack of space.

Number of accounting records exceeded limit of <#> records.

Accounting#Major#Number of accounting records exceeded limit of %s records.

Indicates that the number of accounting records to be saved (based on the configuration in the NetEnforcer GUI) has exceeded the maximum for the unit.

Accounting database error. Table <#> is corrupted.

Accounting#Major#Accounting database error. Table %s is corrupted.

Indicates that a specific accounting data table is corrupted.

The system has reached the maximum number of rules.

Policy Database#Critical#The system has reached the maximum number of rules.

Indicates that the number of rules (based on the configuration in the NetEnforcer GUI) has exceeded the maximum for the unit.

Event/s of access deny.

Rule matching#Normal#Event/s of access deny.

Indicates that an event has triggered a preset alert action, switching the QoS apply to “deny packets”.

Event/s of admission control failure.

Rule matching#Normal#Event/s of admission control failure.




Definition

Event/s of Connection Control server not available.

Connection Control#Major#Event/s of Connection Control server not available.

Server <SERVER_NAME> of Connection control is down.

Connection Control#Major#Server '%s' of Connection control is down.

Indicates that the Connection Control server entered in the NetEnforcer GUI is down.

Server <SERVER_NAME> of Connection control is up.

Connection Control#Major#Server '%s' of Connection control is up.

Indicates that the Connection Control server entered in the NetEnforcer GUI has come back up.

Service <SERVICE_NAME> of Connection control is down.

Connection Control#Major#Service '%s' of Connection control is down.

Indicates that the specific service on the Connection Control server is not responding.

Service <SERVICE_NAME> of Connection control is up.

Connection Control#Major#Service '%s' of Connection control is up.

Indicates that the specific service on the Connection Control server is responding again.

Failed to read RADIUS dictionary. Please consult customer support.

Accounting#Critical#Failed to read RADIUS dictionary. Please consult customer support.

Indicates that the NetAccountant module is unable to communicate with the RADIUS server.

Connection to primary RADIUS server lost. Trying secondary server.

Accounting#Major#Connection to primary RADIUS server lost. Trying secondary server.

Indicates that the NetAccountant’s connection to the primary RADIUS servers has failed. This could be due to difficulties on either side of the connection.




Definition

Failed to dispatch accounting data. This may be due to a lack of disk space at destination.

Accounting#Major#Failed to dispatch accounting data. This may be due to a lack of disk space at destination.

Indicates that the NetAccountant module was unable to send the accounting data to an external server.

The Service catalog update failed.

Service update#Info#The Service catalog update failed.

Indicates that the online Service catalog update failed and was aborted.

The Service catalog update was completed successfully.

Service update#Info#The Service catalog update was completed successfully.

Indicates that the online Service catalog update was successful.

Additionally, there are three types of system alerts, as follows:

Alert Module Failure If the alert functionality within NetEnforcer fails, an alert is triggered.

DoS Attack If there is a DoS attack within NetEnforcer, an alert is triggered. Additional information is described in Chapter 10, Detecting Security Threats).

Access Control Exceptional Events

If an unauthorized user tries to enter NetEnforcer, an alert is triggered.

Authorized users are specified in the Access Control tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).



To define alerts in the Alerts Editor:

1. From the NetEnforcer Control Panel, click Alerts and then select Alerts Editor. The Alerts Editor is displayed.

Figure 9-2 – Alerts Editor

The tabs on the left are where you define the alert and the list on the right displays a list of all the alert definitions.

2. Select the Definition tab.

3. In the Name field, enter a name for the alert.



4. From the Object Type dropdown list, select the object to observe. This is the object where once a specified condition exists then this alert is triggered. Select from one of the following:

NetEnforcer • • • •

Pipe Virtual Channel System

5. If you selected Pipe or Virtual Channel in step 4, the Selected Pipe or Selected VC field is displayed below the Object Type dropdown list. Select the Pipe or Virtual

Channel to observe by clicking the button and browsing to the required Pipe or Virtual Channel.

6. In the Condition area, select the condition that must exist on the selected object in order for the alert to occur. The available conditions vary according to the object type selected. Additionally each condition may have different parameters. For a full list of conditions and their parameters, refer to 9-12. When you have selected a condition, a summary of the alert definition is provided in the Condition area. For example, when NetEnforcer is selected as the Object Type and Any Traffic selected as the Condition, then an alert is triggered whenever there is “any traffic flowing in NetEnforcer”.



7. Select the Behavior tab.

Figure 9-3 – Alerts Editor – Behavior Tab

The Behavior tab is where you specify what will happen if the defined conditions in the Definition tab are fulfilled.



8. In the Enable area, select the Alert is Enabled checkbox to enable the alert definition.

9. From the Alert Severity dropdown list, select the severity of the alert from the following:

Information • • • • •

Normal Minor Major Critical

10. In the Dispatch & Action area, select to where the alert will be sent (in addition to the Alerts Log) and any action that should result. SMS The alert is sent to the SMS address specified in the Alerts tab

in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer.

SNMP Trap Clients

The alert is sent as an SNMP trap according to the SNMP details specified in the SNMP tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer.

Email (Primary) The alert is sent to the primary email address specified in the Alerts tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer.

Email (Secondary)

The alert is sent to the secondary email address specified in the Alerts tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer.

NOTE:

If details have not been provided in the Alerts and SNMP tabs of the NetEnforcer Configuration window, a warning is displayed.



11. If required, from the Action dropdown list, select a predefined action that will result when the alert is triggered. The list below is a set of predefined actions available for selection. The action is implied in the name.

ChangeAccessControlToAccept • • • • • • • • •

•

•

ChangeAccessControlToDrop ChangeAccessControlToReject ChangePriorityToHigh ChangePriorityToLow ChangePriorityToNormal IgnoreQoS NetEnforcerBypass Reboot

Additional custom actions can be added.

12. In the Action Following Alert area, select whether NetEnforcer will continue to check for the alert from the following:

Restart Checking After: Once the alert has occurred, check to see if the condition exists again after a specified time. Restart Checking After Alert Acknowledged: Once the alert has occurred, only start checking to see if the condition exists again once the alert is acknowledged.

13. Click Add. The alert definition is complete and the alert is added to the list of alerts in the Defined Alerts List.

14. In order for the alert definition to be applied, you must save it to NetEnforcer. Select Save to NetEnforcer from the Alerts Editor File menu or click on the toolbar.

NOTE:

Saving the Alerts Editor re-arms all alert definitions. For a “one time only” alert definition, if the alert condition exists, an alert is again dispatched. For a “periodic” alert definition, if the alert condition exists, an alert is dispatched.



Customized Actions Additional actions may be defined by the user. These actions are added to the drop-down list and appear along with the predefined actions. Actions are added through the use of scripts. These are simply CLI commands saved in a specific location on the NetEnforcer.

Writing the Script The script may be saved as a text file and imported into the NetEnforcer with an FTP client or it can be written directly in the CLI interface using the vi text editor.

Implementing the Script Scripts written as .txt files must be saved in the usr/local/swg/Alerts/scripts folder. Once they are saved in the folder, they appear in the drop down menu under Action in the Behavior tab of the Alerts Editor. In addition, scripts must be made executable after they are saved. To do this, enter the following command: chmod +x <script_file_name>

For more information, please contact your Allot support representative.



Conditions for Alerts The possible conditions for alerts vary according to the object type selected. The following table details the conditions available for selection for each object type as well as the parameters that are displayed according to the condition selected.

Condition Object Type Parameters to Specify Meaning

Any Traffic NetEnforcer

Pipe

Virtual Channel

No parameters required. When any traffic is in NetEnforcer or the selected Pipe or the selected Virtual Channel, an alert is triggered.

No Traffic NetEnforcer

Pipe

Virtual Channel

No parameters required. When no traffic is in NetEnforcer or the selected Pipe or the selected Virtual Channel for 30 seconds, an alert is triggered.

Traffic Flow NetEnforcer

Pipe

Virtual Channel

You can specify one or both parameters.

When the traffic flow in NetEnforcer or the selected Pipe or the selected Virtual Channel is less than or more than the specified amounts, an alert is triggered.




Connection Count

NetEnforcer

Pipe

Virtual Channel


When the number of live connections in NetEnforcer or the selected Pipe or the selected Virtual Channel is less than or more than the specified amounts, an alert is triggered.

Connection Establishment Rate

NetEnforcer

Pipe

Virtual Channel


When the number of new connections per second in NetEnforcer or the selected Pipe or the selected Virtual Channel is less than or more than the specified amounts, an alert is triggered.

Pipe Count NetEnforcer


When the number of active Pipes in NetEnforcer is less than or more than the specified amounts, an alert is triggered.




Virtual Channel Count

NetEnforcer


When the number of active Virtual Channels in NetEnforcer is less than or more than the specified amounts, an alert is triggered.

Alert Module Fails

System No parameters required. If the alert functionality within NetEnforcer fails, an alert is triggered.

Accounting/ RADIUS

System No parameters required. If there are exceptional and unusual events in the Accounting/RADIUS mechanism within NetEnforcer, an alert is triggered.

DoS Attack System No parameters required. If there is a DoS attack within NetEnforcer, an alert is triggered.

Access Control

System No parameters required. If an unauthorized user tries to enter NetEnforcer, an alert is triggered.

Authorized users are specified in the Access Control tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).




Router Interface

System

Specify the router’s IP address, the SNMP community of the router, and the interface you want to monitor (the interface number of the primary or the backup link). The Alert on Change to field enables you to decide when you want the alert to be issued – when the link goes down, when the link goes up or every time the link changes status (up/down).

If the link on the access router goes up or down (or either), an alert is triggered.

This enables you to set an alert when the primary link goes down and the backup link goes into action.

TIP:

Router Interface

The NetEnforcer is sometimes located at the access point, just behind the access router that connects the enterprise to the Internet. In some cases the access router has two uplinks, one is the primary and one is a backup link. Usually the backup link will have a lower speed than the primary link.

In these environments there is a need to have the ability to change the policy defined in NetEnforcer when the primary link at the router fails and the backup link goes into action.

This can be achieved with the NetEnforcer’s Alert module. The Router Interface condition enables you to define an event of link up/down that happens on the access router. This enables you to set that an alert is triggered when the primary link goes down and the backup link goes into action.



Defined Alerts List You can define as many alerts as required. All alert definitions are displayed in the Defined Alerts List. If an alert is enabled and has been saved to NetEnforcer, then the alert definition is active in NetEnforcer. This means that should the condition specified in the definition arise, an alert is triggered.

The Defined Alerts List displays a summary of the alert definition as follows:

Enabled Whether or not the alert definition is enabled.

Name The name of the alert definition.

Severity The severity of the alert definition. The background color of this field reflects the severity as follows: Information: Green Normal: Green Minor: Yellow Major: Orange Critical: Red

Type The type of object: NE (NetEnforcer), Pipe, VC (Virtual Channel) or System.

Src Name When Pipe or VC is the object type, the name of the Pipe or Virtual Channel.

Condition A summary of the condition that must exist in order for the alert to be triggered.

Disp Where the alert will be sent (in addition to the Alerts Log) and what action will occur when the alert is triggered.

Recheck Once the alert has occurred, whether (and if so, when) NetEnforcer will continue to check for the alert.

You can sort the list of alert definitions by clicking a column header. For example, clicking Type sorts the alerts according to type.



From the Defined Alerts List, you can enable and disable alerts as required. Simply select or deselect the Enabled checkbox on the left of the list.

To modify an alert definition, select it in the Defined Alerts List, make the required changes in the Definition and Behavior tabs and click Update.

To delete an alert definition, select it in the Defined Alerts List and click Delete.

NOTE:

You can also delete an alert definition by right-clicking it in the Defined Alerts List and selecting Delete.

Alerts Editor Menus and Toolbar The menu options and toolbar buttons available in the Alerts Editor are as follows:

Menu/Command Button Function

File

Save to NetEnforcer Saves the alert definitions to NetEnforcer. Saving the Alerts Editor re-arms all alert definitions.

Reload Alerts Reloads the last set of saved alert definitions in the Alerts Editor.

Print Enables you to print the list of alert definitions.

Exit Closes the Alerts Editor.

Edit

Delete Deletes the selected alerts definition.

Enable All Enables all the alert definitions in the list.

Disable All Disables all the alert definitions in the list. When an alert definition is disabled, NetEnforcer does not consider it.

Select All Selects all the alert definitions in the list.




View

Sort by Enables you to sort the list of alert definitions according to column headers.

Options

Load Alert Log Opens the Alerts Log. You can also access the Alerts Log by right-clicking an alert definition in the Defined Alerts List and selecting Open Alerts Log.

Help


The status bar in the Alerts Editor provides the following information:

• • • •

Last action performed.

Selected alert/Total number of alert definitions.

Sort condition.

Mod is displayed when alert definitions have been modified. It is removed once the alert definitions have been saved to NetEnforcer.

Alerts Log The Alerts Log displays a list of the alerts triggered by the alert definitions. Information such as the date of the alert, the source of the alert as well as the severity of the alert is displayed.

TIP:

The color of the Alerts button in the NetEnforcer Control Panel reflects the most severe unacknowledged alert in the Alerts Log. If the color is gray, an undetermined state exists. This is normally when there is a communication problem.



To open the Alerts Log:

Access the Alerts Log in any of the following ways:

• • •

From the NetEnforcer Control Panel, click Alerts and then select Alerts Log.

In the Alerts Editor, select Load Alert Log from the Options menu.

In the Alerts Editor, right-click an alert definition and select Load Alert Log.

An example Alerts Log is shown below:

Figure 9-4 – Alerts Log



The Alerts Log, which is automatically refreshed every 30 seconds, provides the following information for each alert:

Ack Whether or not you have acknowledged the alert. Acknowledging an alert re-arms the alert definition so that NetEnforcer again checks to see if the alert condition exists.

NetEnforcer Date The time and date on NetEnforcer when the event triggering the alert occurred.

Alert Name The name of the alert definition.

Source The type of object where the event triggering the alert occurred: NE (NetEnforcer), Pipe, VC (Virtual Channel) or System.

Source Name When the Source is Pipe or VC, the name of the Pipe or Virtual Channel.

Severity The severity of the alert. The background color of this field reflects the severity as follows: Information: Green Normal: Green Minor: Yellow Major: Orange Critical: Red

Description A summary of the event triggering the alert.

You can sort the list of alerts by clicking a column header. For example, clicking NetEnforcer Date sorts the alerts according to date and displays them in date order.



Alerts Log Menus and Toolbar The menu options and toolbar buttons available in the Alerts Log are as follows:


File

Reload Rereads the alert log data on NetEnforcer and refreshes the display of the Alerts Log.

Print Enables you to print the list of alerts.

Exit Closes the Alerts Log.

Edit

Clear Selected Clears selected alerts from the Alerts Log. You can also clear alerts from the Alerts Log by right-clicking the alert and selecting Clear.

Clear All Clears all alerts from the Alerts Log.

Acknowledge Selected Acknowledges selected alerts in the Alerts Log. Acknowledging an alert re-arms the alert definition so that NetEnforcer again checks to see if the alert condition exists.

Unacknowledge Selected

Unacknowledges selected alerts in the Alerts Log.

Acknowledge All Acknowledges all alerts in the Alerts Log.

Unacknowledge All Unacknowledges all alerts in the Alerts Log.

Select All Selects all alerts in the Alerts Log.

View

Sort by Enables you to sort the list of alerts according to column headers.




Set Filters Enables you to filter the display of alerts.

Clear Filters Clears any filters applied to the display of alerts and displays all alerts.

Search

Find Enables you to search the list of alerts for a specified keyword or phrase.

Options

Edit Alert Definition

Opens the Alerts Editor enabling you to modify alert definitions as required. You can also access the Alerts Editor by right-clicking an alert definition in the Alerts Log and selecting Edit Definition.

Help

Index

Provides access to online help.

The status bar in the Alerts Log provides the following information:

• • • •

Last action performed.

Selected alert/Total number of alerts.

Sort condition.

Whether a filter is in effect.



Accessing Monitoring Graphs The Alerts Log provides direct access to real-time monitoring graphs. This is very useful and enables you to quickly access a monitoring graph for closer inspection of a problematic situation. For example, if an alert is triggered on a particular Pipe because the number of live connections in the Pipe has exceeded a specified amount, you can access the real-time monitoring graphs for the Pipe to understand more clearly if there is a problem or if your QoS policy requires modification.

To access monitoring graphs from the Alerts Log, right-click an alert and select from the options displayed. The monitoring graphs available vary according to the object type selected.



Filtering Alerts You can apply a filter to the Alerts Log so that only alerts matching the filter are displayed. This is useful because the Alerts Log may include up to 10,000 alerts.

To define a filter:

1. From the View menu in the Alerts Log, select Set Filters or click in the toolbar. The Set Filters for Alerts Log dialog box is displayed:

Figure 9-5 – Set Filters for Alerts Log Dialog Box: Severity Tab

2. Select Filter Alerts as Indicated.



3. Define the filter parameters in the different tabs as follows (only the alerts that match the filter parameters will be displayed):

In the Severity tab, select the Severity levels as required: Critical, Major, Minor, Normal, Info.

•

• In the Acknowledge tab, select Acknowledged or Unacknowledged.

Figure 9-6 – Set Filters for Alerts Log Dialog Box: Acknowledge Tab

In the Source Type tab, select the object type: NE, System, Pipe, VC.

Figure 9-7 – Set Filters for Alerts Log Dialog Box: Source TypeTab

•



In the Names & Description tab, select from the following specifying key words as required: Match Source Names Containing, Match Descriptions Containing, Match Alert Names Containing.

Figure 9-8 – Set Filters for Alerts Log Dialog Box: Names & Description Tab

•

NOTE:

The relationship between the parameters on each tab is AND. The relationship between the tabs is OR.

4. Click OK.

The filter is applied. Only the alerts that match the filter parameters are displayed in the Alerts Log and Filtered is displayed in the status bar.

To clear a filter, select Clear Filters from the View menu or click in the toolbar.


Chapter 10: Detecting Security Threats

This chapter describes the threat of DoS attacks on network performance and the ways in which NetEnforcer detects and handles DoS attacks.


Overview, page 10-1, describes the basic idea behind DoS attacks on the network.

Detecting and Handling DoS Attacks, page 10-2, describes how NetEnforcer identifies and responds to DoS attacks, as well as the DoS parameters configured in the Denial of Service (DoS) tab of the NetEnforcer Configuration window.

Additional Protective Mechanisms, page 10-5, describes some of the NetEnforcer's built-in mechanisms for protection against DoS attacks.

Security Alerts, page 10-6, describes the security alerts issued when a suspected attack has been detected.



Overview As the reliance on Internet communications increases, the importance of maintaining the security and reliability of network services has become an increasingly critical issue.

Denial of Service (DoS) attacks are some of the most common ways in which hackers attempt to disrupt network services. A DoS attack is an attack on a system or network that causes a loss of service to users, typically the loss of network connectivity and services by overloading the computational resources of the victim system.

DoS attacks are typically executed by sending multiple packets to a targeted Internet server (usually a Web, FTP, or Mail server), which floods the server's resources, making the system unusable. Any system that is connected to the Internet and is equipped with TCP-based network services is subject to attack.

Detecting and Handling DoS Attacks During a DoS attack, unwanted traffic deluges the network alongside the legitimate traffic on the network. By monitoring the rate of new connections, NetEnforcer is able to detect attempted DoS attacks and take the necessary actions to minimize their impact on legitimate network traffic by identifying the focal point of the attack.

Normal traffic patterns are defined in the NetEnforcer. When significant irregularities are detected, the traffic most likely to be part of the attack is identified and handled according to the configured DoS parameters.

For example, in normal conditions, non-TCP/IP traffic (e.g. ICMP traffic) typically constitutes less than 10% of the total network connections. A Smurf DoS attack, which uses a forged ICMP echo request, generates multiple ICMP connections. Upon detecting a high level of new ICMP connection (greater than 10% of all new connections), NetEnforcer drops the ICMP connections while maintaining the connections for other protocols.



Similarly, NetEnforcer can be configured to identify problematic ports which have been identified as commonly used by known Worms. When NetEnforcer detects abnormal or increased incidence of new connections on such a ports, the traffic on the specific port can be dropped without affecting other TCP connections. The source IP address that generated these connections is saved in the log file.

NOTE:

To view the list of worm source IP addresses in the log,

Denial of Service (DoS) Parameters NetEnforcer analyzes the distribution of traffic across the various protocols and ports, and admits or drops excess traffic when predefined thresholds have been exceeded, according to the DoS parameters configured in the Denial of Service (DoS) tab of the NetEnforcer Configuration window.

NOTE: For details on NetEnforcer configuration, refer to Chapter 4, Configuring NetEnforcer.

The Denial of Service (DoS) tab includes parameters that enable you to determine the frequency and number of connections, as follows:


In Case of Denial of Service Attack, News Flows will be

The action that NetEnforcer takes when it reaches the maximum rate of new connections allowed for the model. The options in the dropdown menu are as follows: Admitted without QoS: New connections (flows) are admitted, but are not classified, and no QoS policy is applied. This is the default setting.

Dropped: New connections (flows) are dropped.




Number of Connections Within NetEnforcer will be Limited to

You are able to define the threshold, for traffic suspected as an attack, by specifying the number of connections allowed at any one time.

The default is the maximum number of connections your NetEnforcer model can handle. For the maximum number of connections your NetEnforcer model can handle, see the hardware description table on page 2-2 in Chapter 2, Installing NetEnforcer.

To view the number of connections over specified period of time, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will assist in entering a realistic definition of an attack.

Maximum New Connections Establishment Rate (CER):

You are able to define the threshold, for traffic suspected as an attack, by specifying the number of new connections allowed per second.

To view the number of connections per second, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will assist in entering a realistic definition of an attack. If the field is left blank, the NetEnforcer uses its default setting.



Additional Protective Mechanisms NetEnforcer has four additional built-in mechanisms for protection against DoS attacks, as follows:

•

•

•

•

NetEnforcer drops ICMP packets beyond the maximum number of new connections per second, before they are inserted into its internal buffer. This number varies between NetEnforcer models.

When NetEnforcer detects a high connection rate beyond the maximum number of new connections per second, it drops TCP/UDP packets of new flows.

When NetEnforcer detects a high connection rate that seems to be an attack targeted for a specific address, then it drops TCP / UDP packets with the same destination IP (spoofed) address, before they are inserted into its internal buffer.

NetEnforcer limits the number of connections per interface, Virtual Channel or Pipe (for example, cap ICMP packets to a server farm to a limit, say 500).



Security Alerts Alerts are issued by NetEnforcer when a suspected security threat has been detected. The following alert messages are defined in the system by default.

Alert Message Description

“DoS attack suspected: Connection establishment rate is close to the threshold”

The NetEnforcer monitors the rate connections flowing through the unit are established. This alert is triggered when the connections rate is unusually high.

“DoS attack suspected: Abnormal high connection establishment rate of XXX”

The NetEnforcer monitors the rate connections of various types are established. The types of connections monitored are AnyIP (IP traffic which is not TCP or UDP), TCP, UDP. This alert is triggered when the rate connections established of certain type are unusually high.

“DoS attack suspected: Abnormal high connection establishment rate on port XXX”

The NetEnforcer monitors the rate TCP connections on various ports are established. This alert is triggered when the rate connections established on a specific port are unusually high.

“Alarm Max Connections XXX triggered”

The NetEnforcer monitors the number of concurrent connections flowing through the unit. In case the number of concurrent connections reaches to the unit overall limit, this alert is triggered. The limit can be manually defined on the NetEnforcer GUI under the Configuration menu.

“Alarm Max Connections resolved”

This alert is triggered after a “Alarm Max Connections XXX triggered” alarm has been triggered and the number of connections has returned to normal (below 95% of the defined limit).



Alert Message Description

“DoS attack of the type 'smurf' started”

The NetEnforcer has detected an attack characterized by large number of ICMP packets.

“DoS attack of the type 'smurf' ended”

This alert is triggered after a “DoS attack of the type 'smurf' started” alarm has been triggered and the conditions have returned to normal.

“DoS attack of the type 'UDP flood' started”

The NetEnforcer has detected an attack characterized by large number of UDP packets.

“DoS attack of the type 'UDP flood' ended”

This alert is triggered after a “DoS attack of the type 'UDP flood' started” has been triggered and the conditions have returned to normal.

“DoS attack of the type 'SYN' started”

The NetEnforcer has detected an attack characterized by large number of TCP packets.

“DoS attack of the type 'SYN' ended”

This alert is triggered after a “DoS attack of the type 'SYN' started” alarm has been triggered and the conditions have returned to normal.

The alert messages are displayed in the Alerts log.




Chapter 11: SNMP Monitoring

This chapter describes the NetEnforcer SNMP-based statistics and how to generate MRTG reports.


Viewing SNMP Statistics and Getting Traps, page 11-2, provides an overview of the SNMP statistics available in NetEnforcer.

Working with SNMP-Based Management Tools, page 11-11, describes MRTG and describes how to install and use the MRTG tool in NetEnforcer.



Viewing SNMP Statistics and Getting Traps

NetEnforcer generates traffic statistics and standard SNMP MIB-II statistics. A standard SNMP viewer, such as SNMPc (see http://www.castlerock.com) polls NetEnforcer using a standard SNMP GET command and presents the statistics in a graph.

NetEnforcer SNMP-based statistics enables you to automatically generate MRTG (a very well known and free tool for viewing SNMP-type statistics) reports daily, weekly, monthly and yearly.

MRTG-type reports are ready to view with any browser (HTML format) and contain a two dimensional graphic representation of the statistics. For example, you can view bandwidth usage on each defined Virtual Channel or Pipe and also on the internal/external interfaces.

An example for setting up a specific view is provides although more graphs can be generated. For more information on MRTG see http://people.ee.ethz.ch/~oetiker/ webtools/mrtg.

NetEnforcer supports SNMP traps and you can use your SNMP management station to get traps (alerts) for various system and network events.

Supported SNMP MIBs NetEnforcer includes an SNMP (Simple Network Management Protocol) agent that supports the RFC 1213/MIB-II standard and Allot MIBs. The agent provides MIB information when polled and issues traps for specific conditions.



NetEnforcer is the authoritative source of the following MIB files that include measurement engine variables recorded on a one-second basis and are available via the Tools button on your NetEnforcer Control Panel:

• • • •

• • •

COMPANY-MIB.txt - includes traps.

VC-MIB.txt - includes Virtual Channel related statistics.

PIPE-MIB.txt - includes Pipe related statistics.

NE-STAT-MIB.txt - includes NetEnforcer level related statistics.

The private MIB of Allot includes SNMP statistics, as follows:

Bytes in/out/total per Virtual Channel, Pipe and NetEnforcer

Packets in/out/total per Virtual Channel, Pipe and NetEnforcer

Number of connections and number of new connections per second

NOTE:

Specifications of MIB-II (rfc1213.mib) can be found at http://www.ietf.org/rfc1213.txt?number=1213.

Access Permissions To get SNMP statistics, you need to enter community (password) parameters. The community parameters, found in the SNMP tab of the NetEnforcer Configuration window, are as follows:

Read Community The SNMP community for devices reading SNMP variables from NetEnforcer.

Write Community The SNMP community for devices setting SNMP variables to NetEnforcer.

Trap Community The SNMP community to receive NetEnforcer SNMP traps.

Trap Destination The IP address of the Network Management Console that receives the NetEnforcer-generated SNMP traps. It can be a local host.

Refer to Chapter 4, Configuring NetEnforcer, for further information.



Configuring Trap Destinations NetEnforcer supports one destination for SNMP traps. Configure the address via your browser in the SNMP tab of the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer). The destination can also be set via SNMP itself.

Traps The NetEnforcer SNMP agent issues the following traps:

Trap Name Action Number Cold Start Reboot and restart the SNMP process. 0 Link Down Disconnecting the internal or external interface

forces the Link Down trap to occur. When, after rebooting, NetEnforcer becomes active, the Link Down trap occurs according to the internal and external NIC status.

2

Link Up Connecting both the internal and external interfaces, forces the Link Up trap to occur. When, after rebooting, NetEnforcer becomes active, the Link Up trap occurs according to the internal and external NIC status.

3

Authentication failure Request with wrong community. 4 NePrimaryActive This trap is sent when the primary NetEnforcer

changes to Active mode. 6-11

NePrimaryBypass This trap is sent when the primary NetEnforcer changes to Bypass mode.

6-12

NeSecondaryActive This trap is sent when the secondary NetEnforcer changes to Active mode.

6-13

NeSecondaryStandBy This trap is sent when the secondary NetEnforcer changes to Standby mode.

6-14

NeSecondaryBypass This trap is sent when the secondary NetEnforcer changes to Bypass mode.

6-15



MIB-II Support The NetEnforcer SNMP agent supports the following MIB-II groups: System, Interfaces, Address Translation, IP, ICMP, TCP, UDP and SNMP.

The MIB-II object groups are shown in the following tree diagram:

iso (1)

org (3)

dod (6)

internet (1)

directory (1)

mgmt (2)

mib-2 (1)

system (1)

interfaces (2)

snmp (11)experimental (3)

private (4)

enterprises (1)

AllotCom(2603)

iso (1)

org (3)

dod (6)

internet (1)

directory (1)

mgmt (2)

mib-2 (1)

system (1)

interfaces (2)

snmp (11)experimental (3)experimental (3)

private (4)

enterprises (1)

AllotCom(2603)



The Allot MIB tree is shown in the following tree diagram:

neStatistics (1)

neStatMIB(1)

neStat (1)

neByteCountIn (1)

neByteCountOut (2)

pipeEntry(1)

AllotCom (2603)

pipePosition (1)*

pipeInstancePosition (2)*

pipeName (3)

pipeByteCountIn (4)

pipeByteCountOut (5)

pipeByteCountTotal (6)

neByteCountTotal (3)

pipeStat (1)

pipeStatTable(1)

pipeStatMIB(2)

* = index of table

neLiveConnections (4)

neNewConnections (5)

nePacketsIn (6)

nePacketsOut (7)

nePacketsTotal (8)

pipeLiveConnections (7)

pipeNewConnections (8)

pipePacketsIn (9)

pipePacketsOut (10)

pipePacketsTotal (11)

neStatistics (1)

neStatMIB(1)

neStat (1)

neByteCountIn (1)

neByteCountOut (2)

pipeEntry(1)

AllotCom (2603)

pipePosition (1)*

pipeInstancePosition (2)*

pipeName (3)

pipeByteCountIn (4)

pipeByteCountOut (5)

pipeByteCountTotal (6)

neByteCountTotal (3)

pipeStat (1)

pipeStatTable(1)

pipeStatMIB(2)

* = index of table

neLiveConnections (4)

neNewConnections (5)

nePacketsIn (6)

nePacketsOut (7)

nePacketsTotal (8)

pipeLiveConnections (7)

pipeNewConnections (8)

pipePacketsIn (9)

pipePacketsOut (10)

pipePacketsTotal (11)



vcEntry (1)

vcPipePosition (1)*

vcPipeInstancePosition (2)*

vcName (5)

vcByteCountIn (6)

vcByteCountOut (7)

vcByteCountTotal (8)

vcStat (1)

vcStatTable(1)

vcStatMIB(3)

vcPosition (3)*

vcInstancePosition (4)*

* = index of table

vcNewConnections (10)

vcPacketsIn (11)

vcPacketsOut (12)

vcPacketsTotal (13)

vcLiveConnections (9)

qidPipeStat (1)

qidPipeEntry (1)

qidPipeTemplateId (1)*

qidPipeInstanceId (2)*

qidPipeByteCountTotal (5)

qidPipeLiveConnectiosn (6)

qidPipeNewConnections (7)

qidPipePacketsIn (8)

qidPipeStatTable (1)

qidPipeStatMIB (4)

qidPipeByteCountIn (3)

qidPipeByteCountOut (4)

qidPipePacketsTotal (10)

qidPipePacketsOut (9)

vcEntry (1)

vcPipePosition (1)*

vcPipeInstancePosition (2)*

vcName (5)

vcByteCountIn (6)

vcByteCountOut (7)

vcByteCountTotal (8)

vcStat (1)

vcStatTable(1)

vcStatMIB(3)

vcPosition (3)*

vcInstancePosition (4)*

* = index of table

vcNewConnections (10)

vcPacketsIn (11)

vcPacketsOut (12)

vcPacketsTotal (13)

vcLiveConnections (9)

qidPipeStat (1)

qidPipeEntry (1)








qidPipeStatMIB (4)





qidPipeEntry (1)








qidPipeStatMIB (4)







NeTraps (2)

nePrimaryActive (11)

nePrimaryBypass (12)

neSecondaryActive (13)

neSecondaryStandBy (14)

neSecondaryBypass (15)

qidVcEntry (1)

qidVcTemplateId (3)*

qidVcInstanceId (4)*

qidVcByteCountTotal (7)

qidVcLiveConnectiosn (8)

qidVcNewConnections (9)

qidVcPacketsIn (10)

qidVcStatTable (1)

qidVcStatMIB (5)

qidVcByteCountIn (5)

qidVcByteCountOut (6)

qidVcPacketsTotal (12)

qidVcPacketsOut (11)

qidVcStat (1)

qidVcPipeTemplateId (1)*

qidVcPipeInstanceId (2)*

neAlertEvent (22)

NeTraps (2)

nePrimaryActive (11)

nePrimaryBypass (12)

neSecondaryActive (13)

neSecondaryStandBy (14)

neSecondaryBypass (15)

qidVcEntry (1)

qidVcTemplateId (3)*

qidVcInstanceId (4)*

qidVcByteCountTotal (7)

qidVcLiveConnectiosn (8)

qidVcNewConnections (9)

qidVcPacketsIn (10)

qidVcStatTable (1)

qidVcStatMIB (5)

qidVcByteCountIn (5)

qidVcByteCountOut (6)

qidVcPacketsTotal (12)

qidVcPacketsOut (11)

qidVcStat (1)

qidVcPipeTemplateId (1)*

qidVcPipeInstanceId (2)*

neAlertEvent (22)

Accessing the Allot MIBs You must download the Allot MIBs via the Tools button in the NetEnforcer Control Panel. There are two zip files containing slightly different MIBs, as follows:

Mibs.zip MibsQID.zip

COMPANY-MIB.txt COMPANY-MIB.txt

NE-STAT-MIB.txt NE-STAT-MIB.txt

PIPE-MIB.txt QID-PIPE-MIB.txt

VC-MIB.txt QID-VC-MIB.txt

MRTG_Config_for_MIBs.cfg MRTG_Config_for_MIBs.cfg



Mibs.zip provides position MIBs whereby the index of the MIBs is according to the position of the Pipe or Virtual Channel in the policy table. MibsQID.zip provides ID MIBs whereby the index of the MIBs is according to the internal ID of the Pipe or Virtual Channel. You can download one or both of these zip files.

Both of the zip files also contain the Allot configuration file (MRTG_Config_for_MIBs.cfg).

To download Allot MIBs:

1. From the NetEnforcer Control Panel, click Tools and select Download Allot MIBs and then VC/Pipe by ID or VC/Pipe by Position.

2. Download the files contained in the zip file to a local drive.

3. Repeat steps 1 and 2 for the second MIB zip file if required.

4. Use your network management application's MIB integration tool to compile the Allot MIBs.

5. Query the Allot MIB objects using your network management application. You can produce graphs based on the statistics generated.

Using the Allot Position MIBs The Allot MIBs provide expansion to the basic SNMP (MIB-II) and includes information on Pipes and Virtual Channels in the form of tables. These tables are ordered according the policy table (in the Policy Editor), described in Chapter 8, Defining Policies.

The object ID of an entry in the Pipe table is constructed from the Pipe position in the policy table and the Pipe instance (host) position in the host group. The object ID of an entry in the Virtual Channel table is constructed from the Pipe position in the policy table, the Pipe instance (host) position in the host group, the Virtual Channel position in the Pipe and the Virtual Channel instance (host) position in the host group.



When the policy table is modified and the new table is reloaded to the SNMP agent, the changes will affect the SNMP Pipe and Virtual Channel tables. Thus, a change in the Pipe/Virtual Channel position will change its object ID accordingly. For example:

Original Policy Table Object ID Pipe1 1.0 Pipe1_Vc1 1.0.1.0 Pipe1_Vc2 1.0.2.0 Pipe2 2.0 Pipe2_Vc1 2.0.1.0 Pipe2_Vc2 2.0.2.0 Pipe3 3.0 Pipe3_Vc1 3.0.1.0 Pipe3_Vc2 3.0.2.0

Now Pipe 3 has been moved up and the table looks as follows:

Modified Policy Table Object ID Pipe1 1.0 Pipe1_Vc1 1.0.1.0 Pipe1_Vc2 1.0.2.0 Pipe3 2.0 Pipe3_Vc1 2.0.1.0 Pipe3_Vc2 2.0.2.0 Pipe2 3.0 Pipe2_Vc1 3.0.1.0 Pipe2_Vc2 3.0.2.0



Working with SNMP-Based Management Tools

This section describes MRTG (one example of an SNMP-based management tool) and describes how to install and use the MRTG tool in NetEnforcer.

Introducing MRTG The MRTG (Multi Router Traffic Grapher) tool is used to monitor the traffic load on your NetEnforcer and is free for personal use. You can download it from http://people.ee.ethz.ch/~oetiker/webtools/mrtg. A network manager may view bandwidth usage on each defined Virtual Channel or Pipe and also on the internal/external interfaces.

The MRTG tool generates HTML pages that present traffic graphs. Using a standard Web browser, you can view pages, each containing graphs showing daily, weekly, monthly and yearly information.

Traffic statistics are generated by NetEnforcer and written in a standard SNMP MIB format. The MRTG tool, using PERL scripts, polls NetEnforcer using a standard SNMP GET command and saves the data in the host (management PC) log. The log is automatically consolidated and while the log saves data for the last two years, it does not grow over time.

NOTE:

If you want to preserve the highest rates as seen on the daily graph, use the "With Peak" option. This will show the highest values that were recorded in addition to the averages.



Installing MRTG for NetEnforcer The following procedure describes how to prepare NetEnforcer to work with the MRTG tool.

To install MRTG:

1. Install MRTG on your computer. (MRTG can be installed on both Unix/Linux and Windows.)

NOTE:

Download sources or binaries from http://people.ee.ethz.ch/~oetiker/webtools/mrtg/.

2. Install PERL if you do not have it installed. PERL for Windows can be downloaded from http://www.ActiveState.com.

3. If you have not already done so, download the Allot position MIBs and/or ID MIBs including the Allot configuration file (MRTG_Config_for_MIBs.cfg). This procedure is described on page 11-8.

NOTE:

Save the .txt files to C:/Mrtg. If you want to save them to another directory, change the directory defined in the LoadMIBs line in the configuration file. Save the configuration file (MRTG_Config_for_MIBs.cfg) to C:/MRTG/bin. This directory is generated during the MRTG installation.



4. If you are using the ID MIBs, you must get the internal IDs for Pipes and Virtual Channels for which you want to generate MRTG graphs. From the NetEnforcer Control Panel, click Tools and select Pipe/VC ID Lookup for SNMP. The Pipe/VC Lookup for SNMP dialog box is displayed:

Figure 11-1 – Pipe/VC Lookup for SNMP Dialog Box

5. Select a Pipe or Virtual Channel and the ID for the selected item is displayed in the Entity ID for Selection Above field. Copy and paste the IDs into the configuration file (MRTG_Config_for_MIBs.cfg).

NOTE:

You could also write down the IDs and then add them to the configuration file.



6. Repeat step 5 to retrieve IDs for all the Pipes and Virtual Channels for which you want to generate MRTG graphs.

7. Adapt the MRTG_Config_for_MIBs.cfg file to your setup. For example, specify the NetEnforcer IP address, location of MIB files, SNMP community name and OIDs of the counters you would like to monitor. Refer to the comments in the allot.cfg file for more information.

To install MRTG daemon:

• Start MRTG as a daemon, passing path to MRTG_Config_for_MIBs.cfg as a command line parameter. For example, you install MRTG on Windows in directory C:\mrtg and you also copy the MRTG_Config_for_MIBs.cfg and MIB files to C:\mrtg. The following command will start MRTG in Daemon mode with the proper configuration: Start /b perl C:\mrtg\bin\mrtg C:\mrtg\ MRTG_Config_ for_MIBs.cfg.

NOTE:

The MIB files must be the same as the files on your NetEnforcer. The files may also be found on NetEnforcer in /usr/local/share/snmp/mibs/.

In general, you can monitor the following NetEnforcer SNMP counters with MRTG: • • • • • • • • •

• • • • • • • • •

• •

vcByteCountIn vcByteCountOut vcByteCountTotal pipeByteCountIn pipeByteCountOut pipeByteCountTotal neByteCountIn neByteCountOut neByteCountTotal

vcPacketCountIn vcPacketCountOut vcPacketCountTotal pipePacketCountIn pipePacketCountOut pipePacketCountTotal nePacketCountIn nePacketCountOut nePacketCountTotal

Number of connections Number of new connections per second



Example MRTG Configuration File This example refers to a configuration file named MRTG_Config_for_MIBs.cfg and a NetEnforcer with IP address 10.10.10.10 and community name, public.

The MIB files are located in drive D.

LoadMIBS: d:\COMPANY-MIB.TXT, d:\NE-STAT-MIB.TXT, d:\PIPE-MIB.TXT, d:\VC-MIB.TXT.

RunAsDaemon: Yes

WorkDir: d: This target refers to the inbound and outbound bytes on the Fallback Virtual Channel in the default database.

Target[vc] vcByteCountIn.1.0.6.0&vcByteCountOut.1.0.6.0:public@ 10.10.10.10:::::2

Options[vc] growright, nobanner

MaxBytes[vc] 50000000

Title[vc] Traffic Analysis for AC

PageTop[vc] <H1>Traffic Analysis – AC</H1>\n VC Out / VC In

WithPeak[vc] d,w,m,y

Suppress[vc] y,m



This target refers to the inbound and outbound bytes on the Fallback Pipe in the default database.

Target[pipe] pipeByteCountIn.1.0.0&pipeByteCountOut.1.0:public@ 10.10.10.10:::::2

Options[pipe] growright, nobanner

MaxBytes[pipe] 50000000

Title[pipe] Traffic Analysis for AC

PageTop[pipe] <H1>Traffic Analysis – AC</H1>\n PIPE Out / PIPE In

WithPeak[pipe] d,w,m,y

Suppress[pipe] y,m



Example NetEnforcer MRTG Graphs




Appendix A: Hardware Specifications

This appendix lists the hardware specifications for all NetEnforcer models.

Enhanced Platform Dimensions Standard 1U by 19-inch, rack mountable

Height 1.73 in (44 mm)

Width 17.32 in (440 mm)

Depth 11.73 in (298 mm)

Weight 12 lbs (5.5 kg)

Power Requirements Input Voltage 100 - 240 V

Frequency 47 - 63 Hz

Current 2 A

Power consumption AC-302 53 W AC-402 70 W

NetEnforcer User Guide A-1


Operating Environment Temperature 32° F to 104° F (0° to 40° C)

Humidity 5% to 95% (non condensing)

Heat Dissipation AC-302 181 BTU/Hour AC-402 240 BTU/Hour

EMI Residential, commercial and light industry.

High Availability Platform Dimensions Standard 2U by 19-inch, rack mountable

AC-802

Height 3.46 in (88 mm)

Width 17.32 in (440 mm)

Depth 14.76 in (375 mm)

Weight Copper: 24.9 lbs (11.3 kg) Fiber: 25.3 lbs (11.48 kg)

NOTE:

The weight of the Copper Bypass module is 3.86 lbs (1.75 kg) and the weight of the Fiber Bypass module is 4.28 lbs (1.94 kg).



Power Requirements AC-802

Input Voltage 100 - 240 V

Frequency 50/60 Hz

Current 7 - 3.5 A

Power consumption

Operating Environment AC-802

Temperature 32° F to 104° F (0° to 40° C)

Humidity 5% to 95% (non condensing)

Heat Dissipation

EMI



Standards, Compliance and Certifications All Allot models hold certificates for and comply with the standards listed below.

EMC

• • • • • • • • •

• • •

• •

• • •

EMC Directive 89/336/EEC, article 7(1)

EN 55022:1998+A1(00) class A

EN 61000-3-2:1995_A1(98)+A2(98)

EN 61000-3-3:1995

EN 55024:1998+A1(01)

FCC 47 CFR part 15, subpart B, class A

ICES-003:1997, class A

VCCI:2002, class B

NEBS: GR-1089-Core*

Safety

IEC 60950:1999 with Japanese deviations

EN 60950:2000

NEBS: GR-1089-Core*

UL 1950 NetEnforcer UL File number: E206586 CAN/CSA C22.2 No.60950-00 * UL 60950, third edition

Environmental ETS 300 019-2-2 T 2.1 ETS 300 019-2-3 T 3.1 NEBS: GR-63-Core*

* NetEnforcer is designed to meet these standards.


Appendix B: Fail-Safe Operation

This appendix describes the fail-safe operation implemented in NetEnforcer. NetEnforcer has two fail-safe features that ensure proper and continuous network function: Bypass and Full Redundancy.

All NetEnforcers include a Bypass element (either an external Bypass module or an internal Bypass switch) that connects the Internal connector to the External connector in the case of a subsystem failure in NetEnforcer or a power loss. This mechanism ensures that traffic continues to pass through the passive elements of NetEnforcer should any hardware or software problem occur.

Full Redundancy is a backup mechanism that handles the failure of a network device, and ensures the network continues to function. Full Redundancy is provided by connecting two NetEnforcers in parallel. The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is designed to be in Standby mode as long as the Primary NetEnforcer is active. Only if, for any reason, the Primary NetEnforcer is not able to function properly, does the Secondary NetEnforcer become active.

When NetEnforcer is in Full Redundancy mode, Bypass mode will be activated, in the event that both the Primary and Secondary NetEnforcer systems fail.

As part of the fail-safe considerations, power redundancy is also provided.

NetEnforcer User Guide B-1


Bypass Mode The Enhanced platform models (AC-202 and AC-402) operate with an internal Bypass element and the AC-802 operates with an external Bypass module. The AC-802 Copper operates with a Copper Bypass and the AC-802 Fiber operates with a Fiber Bypass.

CAUTION:

NetEnforcer AC-802 must be connected to the appropriate Bypass module. This is to ensure continuous service in the event of failure.

The Bypass module is a mission-critical subsystem designed to handle the failure of a network device and still ensure that the network functions properly. The Bypass module provides "connectivity insurance" in the event of a NetEnforcer subsystems failure. NetEnforcer is factory configured to ensure normal network operation during power loss and other critical hardware and software failure.

The Bypass module works by shorting the Internal interface to the External interface. While the NetEnforcer is bypassed, all traffic goes through passive elements only.

When the system goes into Bypass mode, the status indicators immediately indicate it, in the following way:

• • •

The Active LED on the front panel of NetEnforcer turns OFF.

The Standby LED on the front panel of NetEnforcer is OFF.

The Mode LED on the Bypass module turns OFF.

For more information regarding the status indicators, refer to Chapter 2, Installing NetEnforcer.



Bypass Initiation When a single NetEnforcer is installed, it will go into Bypass mode under the following conditions:

• • • •

Upon a subsystem failure.

During the booting of NetEnforcer.

Upon any NetEnforcer power feed failure and power OFF conditions.

When the Bypass module is not connected properly to the NetEnforcer Backup connector, even with all other connectors fully plugged. (This is not relevant to the Enhanced platform.)

NOTES:

NetEnforcers in full Redundancy configuration that have gone into Bypass mode indication upon a subsystem failure will not restart automatically. It is recommended to perform a reboot.

Fiber Bypass and TAP (AC-802 Fiber) TAP mode enables the operator to install and use NetEnforcer in a non-intrusive mode. Using this mode has the following benefits:

•

•

It enables monitoring of network traffic without active interference in the network activity.

It enables gradual installation of NetEnforcer – first in non-intrusive mode and later with policy enforcement.

CAUTION:

NetEnforcer must be connected to the Fiber Bypass module. This is to ensure continuous service in the event of failure.






Fiber Cable





Fiber Cable


Figure B-1 – Fiber Bypass Unit

IMPORTANT NOTE:

To work properly, NetEnforcer and the Bypass module have to be fully plugged and connected before power is turned on.

A separate NetEnforcer Fiber Bypass module is included with your NetEnforcer AC-802 Fiber shipment. For more information on installing a special Fiber TAP package please contact Allot Customer Support. A recommended Fiber TAP package would include two Multimode Couplers.

Each Coupler has three built-in Multimode fiber cables with SC connectors. One side of the coupler has a single Multimode fiber that is marked as Tx, and on the other side, there are two built-in Multimode fiber cables marked as Rx [1] and Rx [2].

Figure B-2 – Multimode Coupler Unit

IMPORTANT NOTE:

The Multimode Coupler is not a standard part of NetEnforcer.



Connecting the Fiber Bypass and the TAP The following procedure describes how to connect the Fiber Bypass module and the TAP to NetEnforcer. The procedure contains circled numbers, for example, 11 , relating to reference numbers used in the following diagram.

Figure B-3 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass and TAP



To connect the Fiber Bypass:

1. Connect the fiber cable labeled External from the Bypass module 77 , to the External port on NetEnforcer 11 .

2. Connect the fiber cable labeled Internal from the Bypass module 77 , to the Internal port on NetEnforcer 22 .


4. Connect the first Multimode coupler as follows: Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps router (1000Base-SX port).

•

•

•

•

•

•

Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps switch (1000Base-SX port). Connect the coupler Rx [2] fiber optic cable to the External Rx input of the Fiber bypass module (5).

5. Connect the second Multimode coupler as follows: Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps switch (1000Base-SX port). Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps router (1000Base-SX port). Connect the coupler Rx [2] fiber optic cable to the Internal Rx input of the Fiber bypass module (6).



Connecting Two NetEnforcers in Full Redundancy

Failure of a network device can be catastrophic, causing network downtime and lost business. The key to designing any mission-critical network is to recognize that these failures can occur, and to design a network that can handle failures and still allow the network to function. In order to do this, it is important to use the most reliable equipment, with redundancy built in to all mission-critical equipment.

NetEnforcer can operate in parallel to provide Full Redundancy. Full Redundancy requires two NetEnforcer systems and, where an external Bypass module is used, a single Bypass module.

The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is designed to be in Standby mode as long as the Primary NetEnforcer is active. Only if, for any reason, the Primary NetEnforcer is not able to function properly does the Secondary NetEnforcer become active.

Both NetEnforcers receive traffic from the internal network, but only the Primary NetEnforcer is passing the traffic to the external network.

While the Primary NetEnforcer receives and handles traffic coming from the external network, the Secondary External interface is disabled, since the system is in Standby mode. If the Primary NetEnforcer should fail, the Secondary NetEnforcer automatically takes control of the traffic, and enables its External interface.

In Full Redundancy mode, the Bypass mode is activated in the event that both the Primary and Secondary NetEnforcers fail.



The following diagram shows how to connect two NetEnforcers in full Redundancy:

Figure B-4 – Connecting Two NetEnforcers in Full Redundancy

Status Indicators in Full Redundancy Mode When operating in Full Redundancy mode, two NetEnforcer units are connected in parallel to the Copper or Fiber Bypass module. The NetEnforcer unit connected to the Primary port on the Bypass module is the Primary NetEnforcer and the NetEnforcer unit connected to the Secondary port on the Bypass module is the Secondary NetEnforcer. During operation, the LED indicators on NetEnforcer and on the Bypass module give various readings. The LEDs relevant to operations in Full Redundancy mode are the Standby, Active and Power LEDs on the NetEnforcer LCD panel, and the Mode LED on the Bypass module.



The modes of operation of the indicators are described in the following tables:

For NetEnforcer AC-802 Copper of Fiber connected to a Bypass module, the LED indicators are as follows:

Standby LED

Active LED

Power LED

Mode LED

Analysis

Primary Unit

OFF ON ON ON Primary NetEnforcer is in Active mode.

Secondary Unit

ON OFF ON Secondary NetEnforcer is in Standby mode, ready to take over.

Primary Unit

ON OFF ON Primary NetEnforcer fails or is now booting.

Secondary Unit

OFF ON ON ON Secondary NetEnforcer took over and is now in Active mode.

Primary Unit

OFF OFF OFF Primary NetEnforcer is powered OFF.

Secondary Unit

OFF ON ON ON Secondary NetEnforcer took over and is now in Active mode.

Primary Unit

OFF ON ON ON Primary NetEnforcer is in Active mode.

Secondary Unit

OFF OFF OFF Secondary NetEnforcer is not powered ON. The only fail-safe mode available now is Bypass.

Primary Unit

OFF OFF ON OFF Primary NetEnforcer failed or did not complete booting.



Standby LED

Active LED

Power LED

Mode LED

Analysis

Secondary Unit

OFF OFF ON OFF Secondary NetEnforcer failed or did not complete booting. Bypass is now active and all traffic is going through Bypass.

Table B-1 – LED Conditions: Copper or Fiber Bypass, Full Redundancy Mode

For Enhanced platform, the LED indicators are as follows:

Standby LED

Active LED

Power LED

Analysis

Primary Unit

OFF ON ON Primary NetEnforcer is in Active mode.

Secondary Unit

ON OFF ON Secondary NetEnforcer is in Standby mode, ready to take over.

Primary Unit

OFF OFF ON Primary NetEnforcer fails or is now booting.

Secondary Unit

OFF ON ON Secondary NetEnforcer took over and it is in Active mode.

Primary Unit

OFF OFF OFF Primary NetEnforcer is powered OFF.

Secondary Unit

OFF ON ON Secondary NetEnforcer took over and it is in Active mode.



Standby LED

Active LED

Power LED

Analysis

Primary Unit

OFF ON ON Primary NetEnforcer is in Active mode.

Secondary Unit

OFF OFF OFF Secondary NetEnforcer is powered OFF. The only Fail-safe mode available now is Bypass.

Primary Unit

OFF OFF ON Primary NetEnforcer failed or not completed booting.

Secondary Unit

OFF OFF ON Secondary NetEnforcer failed or not completed booting. Bypass is activated (in the primary unit and all traffic is going through Bypass.

Table B-3 – LED Conditions: Enhanced platform, Full Redundancy Mode

Secondary NetEnforcer Activation When two NetEnforcers are connected in parallel (Redundancy mode), the Secondary NetEnforcer will take control and become the active unit under the following conditions:

• •

• •

•

Upon a Primary subsystem failure.

During booting of the Primary NetEnforcer platform. When booting is completed, the Primary unit automatically takes control again.

Upon any Primary NetEnforcer power feed failure and power OFF condition.

Upon the Primary NetEnforcer Ethernet cable disconnecting from either the Internal or External ports. After reconnecting the cable and rebooting, the Primary NetEnforcer takes control again.

When the Bypass module is not connected properly to the NetEnforcer Backup connector, even with all other connectors fully plugged.



NOTES:

The NetEnforcer's Ethernet Adapter can detect Ethernet cable disconnection. NetEnforcers in redundant configuration react to such events by having the Primary NetEnforcer lose control until the next machine reboot, and the Secondary NetEnforcer becoming the active unit.

If a cable is disconnected, it is recommended to reboot the Primary NetEnforcer after reconnecting the cable.

Primary and Secondary Definitions Each system is defined as Primary or Secondary according to the backup cable connection order.

When two NetEnforcers are connected in parallel using a backup cable, the Primary system is as follows:

•

•

•

•

In the case of AC-802 models, the NetEnforcer that is connected to the Primary connector of the Bypass module is automatically configured to act as the Primary system.

In the case of Enhanced platform models, the NetEnforcer that is connected to the Primary side of the backup cable is the Primary system.

When two NetEnforcers are connected in parallel using a backup cable, the Secondary system is as follows:

In the case of AC-802 models, the NetEnforcer that is connected to the Secondary connector of the Bypass module is automatically configured to act as the Secondary system.

In the case of Enhanced platform models, the NetEnforcer that is connected to the Secondary side of the backup cable is the Secondary system.

NOTE:

When you order an AC-802 model, a Backup Cable is included with the accessory kit.

A Primary configuration is indicated by LEDs, as follows:

• •

The Active LED on the front panel of NetEnforcer is ON.

The Standby LED on the front panel of NetEnforcer is OFF.



A Secondary configuration is indicated by LEDs, as follows:

• •

The Active LED on the front panel of NetEnforcer is OFF.

The Standby LED on the front panel of NetEnforcer is ON. The following diagram shows the layout of a Full Redundancy setup.

The following diagram shows the layout of a Full Redundancy setup for the AC-202 or AC-402 models.

Figure B-5 – Full Redundancy Setup Example

If the Primary system fails, the Secondary system automatically takes control of the traffic, and enables its External interface. The LEDs indicate the Secondary system status change as follows:

• Enhanced Platform and AC-802 model: On the Secondary system, the Standby LED turns OFF and the Active LED turns ON. (See Table B-2 and Table B-3)



Full Redundancy Connection The connection requirements for Full Redundancy vary slightly according to the model.

AC-802 Models

To connect two AC-802 NetEnforcers in Full Redundancy:

Before using NetEnforcers in Full Redundancy mode, make sure that the configuration of both NetEnforcers is identical; except for their IP addresses, which must be unique for each unit. You can use the Save & Distribute option to distribute the same QoS policy to both NetEnforcers. For more information, refer to Chapter 8, Defining Policies.

NOTE:

You can distribute policy to other NetEnforcers, only if they are of the same model as the one from which you are distributing.

After ensuring identical configuration, test each NetEnforcer (while connected to the network as a single device) and verify that they are operating identically to one another.

1. Designate one of your NetEnforcers to be the default Primary, and connect the end of the Backup cable to the Backup connector of the NetEnforcer.

2. Connect the other end of the backup cable to the Primary connector of the Bypass module.

3. Designate the other NetEnforcer to be the Secondary and connect one end of the Backup cable to the Backup connector of the Secondary NetEnforcer.

4. Connect the other end of the Backup cable to the Secondary connector of the Bypass module. NOTE:

For more information, see the Bypass Modules section in Chapter 2, Installing NetEnforcer.



5. Ensure that the status indicators of both systems are indicating that the systems are configured correctly, as follows:

• • • •

The Active LED of the Primary NetEnforcer is ON.

The Standby LED of the Primary NetEnforcer is OFF.

The Active LED of the Secondary NetEnforcer is OFF.

The Standby LED of the Secondary NetEnforcer is ON.

CAUTION:

When two NetEnforcers are connected in Redundancy mode with a switch on each interface, if the Primary NetEnforcer fails and the Secondary system takes control of traffic, the redundant unit may take some time to activate. This is normal switch behavior. The switch will continue to redirect packets to the Primary NetEnforcer, instead of to the Secondary NetEnforcer.

Enhanced Platform Models Before using NetEnforcers in full Redundancy mode, make sure that the configuration of both NetEnforcers is identical; except for their DIP switch settings and IP addresses, which must be unique for each unit. You can use the Save & Distribute option to distribute the same QoS policy to both NetEnforcers. For more information, refer to Chapter 8, Defining Policies.

CAUTION:

Please note that only a certified Allot Communications Service Engineer is authorized to remove the NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover from the NetEnforcer, its warranty becomes void.

NOTE:

You can distribute policy to other NetEnforcer s, only if they are of the same model as the one from which you are distributing.

After ensuring identical configuration, test each NetEnforcer (while connected to the network as a single device) and verify that they are operating identically to one another.



1. Set the DIP Switches to Full Redundancy mode. See Figure B-6. 2. Designate one of your NetEnforcers to be the default Primary, and connect the end

of the Backup cable marked Primary to the backup connector of the unit. Connect the other end of the backup cable to the backup connector of the Secondary NetEnforcer.

3. After booting ensure that the Active LED is ON and the Standby LED is OFF. On the Secondary NetEnforcer, the Active LED is OFF and the Standby LED is ON.

CAUTION:

When two NetEnforcers are connected in Redundancy mode with a switch on each interface, if the Primary NetEnforcer fails and the Secondary system takes control of traffic, the redundant unit may take some time to activate. That this is normal switch behavior. The switch will continue to redirect packets to the Primary NetEnforcer, instead of to the Secondary NetEnforcer.

Configuration for Enhanced Platform

NetEnforcer Enhanced Platform models have the option of working in Full Redundancy, where one system is in Float mode and the other is not. This enables one system to cancel the other system’s Bypass mode. When this feature is activated (DIP switch 6 is set to ON), the active system cancels the Bypass mode of the other system, if it exists.

If the Primary NetEnforcer fails, the Secondary NetEnforcer becomes active and cancels the Primary Bypass. If the Secondary NetEnforcer also fails, it releases its control over of the primary NetEnforcer that will move to Bypass mode.



The recommended configuration as shown in Figure B-6, is to set the Primary NetEnforcer to Bypass mode (switches 1 to 5 are set to ON) and the Secondary NetEnforcer to Float mode (switches 1 to 5 are set to OFF, and switch 6, Control Over, is set to ON).

Primary Secondary87654321ON

87654321ON

BYPASS FLOAT

CONTROL OVER

Figure B-6 – DIP Switch Configuration for Enhanced Platform at Full Redundancy

If there is a problem with the Primary NetEnforcer, the box should be disconnected from the network and the DIP switches on the Secondary NetEnforcer should be set to standalone configuration.

CAUTION:

Please note that only a certified Allot Communications Service Engineer is authorized to remove the NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover from the NetEnforcer, its warranty becomes void.

CAUTION:

In standalone mode, NetEnforcer DIP switches should remain in the factory default settings.

To have the NetEnforcer in standalone mode, switches 1 to 5 are set to ON and switches 6 to 8 are set to OFF. (To access the DIP Switches, see Appendix C, Hardware Configuration).



High Availability Platform Power Redundancy

NetEnforcer High Availability platform models include two hot-swappable power supply modules and a dual line feed for Redundancy purposes.

Each line feed is driving one power supply. It is recommended to connect the two power line feeds to separate power sources to have full power redundancy.

Should you need to, you can replace one of the power supplies while NetEnforcer is connected and operating. Replacing a power supply, while the unit is operating, is possible since the remaining power supply will take the full load and maintain full operation.

• •

•

If one power module fails or turns OFF, the other module will take over the load.

When the power supply output is short to GND, it will shutdown. Auto recovery is possible when the short circuit condition is removed.

Each module has over voltage and short circuit protection.

In the case of a power failure, the fail alarm is activated and the power supply’s buzzer beeps. For more information on AC-802 model handling of power failure, please refer to Chapter 2.


Appendix C: Hardware Configuration

This appendix describes how to set the DIP switches for Enhanced Platform models.

Setting Dip Switches for the Enhanced Platform

In order to access internal components of the Enhanced Platform NetEnforcer units, including the DIP switches, the main cover must be removed.

CAUTION:

Only a certified Allot Communications Service Engineer is authorized to remove the NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover from the NetEnforcer, its warranty becomes void.

In circumstances where you to need to remove the main cover, carefully follow the instructions below.

To remove the main cover:

1. Remove the fourteen screws (five on each side of the main cover and four at the back) using a small Philips screwdriver.

2. Stand in a position where you are facing the back of the unit. With both hands, pull the cover towards you, until approximately a third of the unit is exposed.

3. Remove the cover by lifting it from the overhanging rear section and then pull the cover away from the main unit. This will expose the inside components of the NetEnforcer.

To set the DIP switches for the Enhanced Platform, refer to page C-3.

NetEnforcer User Guide C-1


Below is a schematic diagram of an opened Enhanced Platform unit, with an enlargement of the DIP switches.

Figure C-1 - DIP Switch Location: Enhanced Platform



Enhanced Platform DIP Switches The service panel contains eight DIP switches. Their functions are described below:

Switch No. Function

8 ON = Forced Active (Factory Default = OFF)

7 For future use (Factory Default = OFF)

6 ON = Peer Bypass control (Factory Default = OFF) For more information see Appendix B, Fail-Safe Operation, Figure B-3

5 ON = Bypass connected, OFF = Bypass float (Factory Default = ON)





Table C-1 – DIP Switch Functions: Enhanced Platform

The unit is shipped with the factory defaults indicated above. This setup ensures the normal operation of the Bypass switch (meaning that it is activated upon a failure), and that the Active status is not forced. For normal device behavior, it is strongly recommended not to change DIP switch factory settings.

NOTE:

For full Redundancy mode operational needs, DIP switch modifications should be performed with guidance from an Allot Communications service engineer.




Appendix D: Rack Mount Installation

The NetEnforcer and the Bypass module may be mounted in an open or closed standard 19-inch (48.26 mm) rack using the rack-mount bracket kit. This appendix describes how to prepare the device and rack for installation and how to mount the device in the rack.

Connection to Supply Circuit The electrical power cords are intended to serve to disconnect the device. The user can power down the device only by removing the two electrical power cords form the power source or the device itself.

CAUTION:

Make sure the wall socket outlet is installed near the equipment and that the socket is easy to access. It is recommended that the wall power outlet be connected to the building installation protection.

When connecting a NetEnforcer to 120 VAC supply, plug into 15 A service receptacles, type N5/15 or NEMA 5-15R.

Ambient Temperature The device has a maximum operation ambient of 104° F (40° C). The ambient temperatures around the rack should not exceed this temperature.

Airflow To ensure proper cooling, airflow should be unrestricted within or around the rack. Keep the area four to six inches behind the enclosure unobstructed. Make sure that there is proper airflow around all of the NetEnforcer's vent openings.

NetEnforcer User Guide D-1

Appendix D: Rack Mount Installation

Reliable Grounding Make sure that each installation site has a suitable ground connection. Please connect ground to all the metal racks, enclosures, boxes and raceways. The NetEnforcer equipment should be reliably grounded through the power supply cord.

Preparing the NetEnforcer for Rack Installation Attach the mounting brackets of the device included in the NetEnforcer accessory kit to both sides of the device using all eight Phillips pan-head screws included in the NetEnforcer accessory kit. Insert the screws into the holes on both sides of the device.

Preparing the Bypass Module for Rack Installation Use a Philips screwdriver to remove the six Phillips flat-head screws from each side of the Bypass module device.

Attach the mounting brackets of the Bypass module included in the Bypass accessory kit to both sides of the device. Re-insert the flat-head screws into the holes from which the screws were removed.

Rack Mechanical Loading

When mounting the device in the rack, ensure that a hazardous condition does not result due to uneven mechanical loading.

NetEnforcer User Guide D-2

Appendix E: NetEnforcer Port Reference

This appendix describes the required ports for NetEnforcer.

Firewall Ports If your NetEnforcer is working behind a firewall, the following ports must be opened on the firewall to enable access to the NetEnforcer management functions:

Firewall Port Gives Access To

TCP Port: 23 Telnet

TCP Port: 80 Web Server/GUI

TCP Port: 56000 Internal Accounting GUI Access

TCP Port: 51000 Policy Editor GUI Access

TCP Port: 52000 Monitoring GUI Access

TCP Port: 53000 Alerts GUI Access

TCP Port: 53306 MySQL Access

TCP Port: 56000 External Accounting Data Transfer Access

NetEnforcer User Guide E-1

Appendix E: NetEnforcer Port Reference

If you want to use secure transmission methods, the following ports must be opened:

Firewall Port Gives Access To

TCP Port: 443 Encrypted HTTP (HTTPS)

TCP Port: 22 SSH (Encrypted Telnet)

NetEnforcer User Guide E-2

Appendix F: NetEnforcer Protocol Reference

This appendix describes protocols supported by NetEnforcer.

Supported Protocols The following list represents the most common protocols and services supported by NetEnforcer and available in the default Service Catalog database. There are thousands of other protocols which are not included and that can be found in the NetEnforcer Advanced Service Catalog.

The protocols are divided into several groups in the following list in order to ease the finding and understanding of each protocol. In order to catch-up with the frequent appearance of new applications and protocols, mainly Peer-to-Peer protocols, a web-based update for the NetEnforcer Service Catalog is available.

Web HTTP

Method (e.g. GET, POST)

URL (e.g. File Types)

Host Names

Mime Types

HTTP-PROXY

HTTPS

NNTP-TCP

NetEnforcer User Guide F-1


P2P KAZAA

KaZaa (V1 & V2)

Grokster

iMesh

Poisned

Diet Kaza

Upload/Download

EDONKEY eDonkey

eMule

xMule

GNUTELLA Shareaza

Morpheus

Gnucleus

XoloX

LimeWire

FreeWire

Bearshare

Acquisition

Nova

Phex

Gtk-Gnutella

Upload/Download



Warez

Ares 0

Swapper.NET

ShareAza – supports both gnutella ver 1 and gnutella ver 2

LimeWire

BearShare

freewire (Limewire)

zultrax

Xolox

Morpheus 4

BitTorrent

WINMX

DIRECT CONNECT Direct connect

DC++

BCDC++

OverNet

MP2P Motilino

Blubster

Piolet

RockitNet

Winny Winny 1

Winny 2



HOTLINE

JABBER

MADSTER-AIMSTER

SoulSeek

IM/Chat MSN-MESSENGER

AOL/ICQ

Yahoo

IRC

Email POP

POP2

POP3

SMTP SMTP by Sender/Sender Domain

SMTP by Sender email address/Sender domain

MS Exchange Passive/Active RPC

IMAP IMAP2-TCP

IMAP3-TCP



IMAPS (Secure IMAP)

CC-MAIL

LOTUS-NOTES BIFF

Streaming RTSP

RTP/AVP

Streaming

RDT

X-PN-TNG

Interleaved

Winamp

MSplayer

Realone

Quicktime

iTunes

NETSHOW

REALAUDIO



Games ALIENS

ANARCHY

ASHERONS CALL

BLACK AND WHITE

COUNTERSTRIKE

DARK REIGN

DIABLO

DOOM

ELITE FORCE

F16

F22 SIMULATOR

FIGHTERACE

HEXEN

KALI

KOHAN IMMORTAL SOVEREIGNS

MOTORHEAD

MSN GAME

MYTH

NEED FOR SPEED

OPERATION FLASH POINT

OUTLAWS



QUAKE-TCP

SWAT3-TCP

ULTIMA

UNREAL TOURNAMENT

ZNES

File Transfer/File System FTP

FTP – Passive/Active

FTP – Method (upload/download)

FTP - Filename

FTP – File Extension

TFTP

NETBIOS-IP

NFS

SYSLOG

PRINTER

PRINT-SRV

RCP

SUNRPC

CMD



VoIP SKYPE

MGCP Audio/Video/Data

Codec Name (Manual Definition)

H.323 Audio/Video

Gate Keeper

MCU (Centrelized)

codec:H.323 Video Default Codec

codec:H.323 H261 Codec



codec:H.323 Audio Default Codec

codec:H.323 G711-64K Codec





codec:H.323 G7231 Codec
















T.120

VOCALTEC-IPHONE

PHILIPS-VC-TCP

Terminal Servers CITRIX

CITRIX-ICA

CITRIX NFUSE

Citrix User Name

Citrix Publish Application name

Citrix Priority (Print)

CITRIX DATACOLLEC

CITRIX IMA CLIENT

CITRIX MGMTCONSOLE

MS-RDP-CLIENT

PCANYWHERE



TELNET

TELNETS

SSH

RLOGIN

RTELNET

X11-TCP

Transactions/Databases Oracle

Oracle Service name/DB name

Oracle User name

ORACLE-COAUTHOR

ORACLE-EM1

ORACLE-EM2

ORACLENAMES

ORACLE-NET8CMAN-ADMIN

ORACLE-NET8CMAN

ORACLE-ORASRV

ORACLE-REMOTE-DATABASE

ORACLE-TLISRV

ORACLE-VP1

ORACLE-VP2



SAP SAP-DIALOGSERVICE

SAP-INFOSERVICE

SAP-ROUTER

SAP-TO-ADABAS

SAP-TO-INFORMIX

SQL SQL*NET

SQLSERVICE

MS-SQL SERVER

LDAP

LDAPS

CORBA CORBA-IIOP-TCP

CORBA-IIOP-TCP-SSL

CORBA-IIOP-UDP

CORBA-IIOP-UDP-SSL

CYBERCASH

EXEC

Security GRE

IPSEC IPSEC-AH



IPSEC-ESP

PPTP

SUGP

SWIPE

Network Infrastructure ARP

AUTH

BGP

BOOTP (DHCP) BOOTP-CLIENT

BOOTP-SERVER

CHARGEN

CMIP CMIP-AGENT

CMIP-MAN

DNS

ECHO

EGP

FINGER

ICMP

IGMP



Local MGMT

NPP

NTP

OSPF

PPPoE PPP0E-CONTROL

PPP0E-DISCOVERY

RIP

RMON

SNMP SNMP-TRAP

SNMP-Mon

TIMESERVER

TIME

WHO

WHOIS

TACACS

RADIUS RADIUS-AUTH

RADIUS-ACCT



Legacy protocols NETWARE-IP

APPLETALK

APPLETALK Over IP

GGP

GOPHER

I-NLSP

IPX

IPX Over IP

MS-IPX

NETBEUI

NETWARE

Manolito Clients Piolet - Search is over UDP port 41170

Blubster

Tunneling socks2http

httpTunnel

socks 4/5


Appendix G: NetEnforcer Command Line Interface

This appendix describes the command line interface that can be used to configure NetEnforcer. You can also configure NetEnforcer from a Web browser, described in Chapter 4, Configuring NetEnforcer.

NetEnforcer Command Line Interface The NetEnforcer CLI can be used to define Pipes, Virtual Channels, Rules and Catalog entries whenever you want to enter multiple entries without having to use the browser interface described in the preceding chapters. For example, if you need to add 1000 new hosts to the Host Catalog. In addition, you can also use the CLI to set system parameters and device settings.

The CLI enables you to modify the NetEnforcer database from a command line. The CLI supplies a set of commands to add, change, rename and remove NetEnforcer entities, such as, Pipes, Virtual Channels or other Catalog entries and change the configuration of NetEnforcer. This section describes how to access the CLI and describes how to work with the CLI.

Command Execution Modes The NetEnforcer CLI can operate in two different modes, as follows:

• •

Single command mode – whereby each command is executed separately.

Cyclic mode – whereby multiple CLI commands are aggregated for execution at set time intervals.

To enable Cyclic execution, enter the following command:

"go config policy_srv -cli_timeout X" (X in seconds).

NetEnforcer User Guide G-1


This CLI command will make the system execute the CLI commands every X seconds instead of executing them immediately. This improves the efficiency of the CLI execution process.

Accessing the CLI The CLI is accessed through the Console interface of your NetEnforcer.

To access the CLI:

1. Connect to NetEnforcer using one of the following methods: •

• •

• •

From a local host: Using a monitor and keyboard connected directly to NetEnforcer. Via Telnet from a workstation located on the same network as NetEnforcer.

From a remote host: Using a CLI executable, enter the IP address of the remote host.

2. Login to NetEnforcer as the root user. The default password is bagabu.

IMPORTANT:

It is strongly recommended that you change the default password of the “root” user. For details on how to change the password, please refer to Chapter 2, Installing NetEnforcer.

Scripts You can write scripts containing both CLI and Linux commands that will automate the data entry process. For example, you can write a script that will add 40 rules to 30 different Virtual Channels.

A script can be written on a remote workstation, using your preferred text editor, and then sent to NetEnforcer using FTP. Alternatively, you can create the script directly on NetEnforcer using the built in VI editor. In both cases, ensure that the script has Execute attributes. (For more details on file attributes, please refer to a Linux manual.)



NOTE:

It is recommended that you save your scripts in a new directory on NetEnforcer (for example, /root/scripts), so that they will not be overwritten should you upgrade your NetEnforcer software in the future.

CLI Command Syntax The CLI consists of several commands, each of which has a switch and one or more parameters. The syntax of the CLI is: go <action> <switch> <parameter> <parameter value> <parameter> <parameter value>

Where:

go precedes all CLI commands.

<action> is the command to perform. This can be add, delete, change, rename, list or config.

<switch> is the object (for example, Pipe) upon which the command is performed.

<parameter> is the parameter required (for example, host name).

<parameter value> is the value of the parameter.

Additional optional parameters may be used, as follows:

-f: This parameter disconnects the other client with write permissions and gives the write permissions to the CLI client. To use with all switches except list.

NOTE:

When working with Pipes, Virtual Channels, Rules or Catalog entries, you must enclose the name of the Pipe, Virtual Channel, Rule or Catalog entry in quotation marks if it contains more than one word. For example, go add vc Gold:PipeGold is accepted, as well as go add vc “Gold Service:PipeGold”. However, the command go add vc Gold Service:PipeGold will return an error message.



Online Help If you are unsure as to which parameters are used with a specific command, you can enter an incomplete command (for example, without the parameters), and the CLI will list all the available parameters for that action and switch. For example, if you were to enter the command go add time, you will receive the following output:

Usage: go add time {Name} [<-OPTION> <VALUE>...] {ITEM_FORMAT,ITEM_FORMAT,...}

Defined Formats of the Time Item are: # daily[:<Time>]

# weekly[:<WeekDay:Time>]

# monthly[:<MonthDay:Time>]

# yearly[:<Month:MonthDay:Time>]

Acceptable values for WeekDay are: sun, mon, tue, wed, thu, fri, sat ('sun' by default)

Acceptable values for Months are: 1 - 12 (1 by default)

Acceptable values for MonthDay are: 1 - 31 (1 by default)

Time format should be 'HH.mm-HH.mm' or 'allDay' ('allDay' by default)

Options: -f: force the write permissions to CLI client

Command Descriptions This section describes the commands available.

{param} – required parameter

[param ] – optional parameter



ToS Catalog Editing Commands available:

• • • •

go add tos {newName } {tosByte}

go change tos {tosName } {tosByte}

go delete tos {tosName }

go rename tos {tosName:newName }

Parameter Description Parameter Description

newName The new name to be set to the ToS Catalog entry.

tosName The name of the existing ToS Catalog entry.

tosByte Enumeration of the selected bit numbers with ',' between them: 1 - 8.

Data Source Catalog Editing Commands available:

• • • • •

go add datasrc {newName:ldap } {location:user:passwd[:description]} go add datasrc {newName:txtfile } {location[:description]}

go change datasrc {dsName } {location:user:passwd[:description]}

go delete datasrc {dsName }

go rename datasrc {dsName:newName }




newName The new name to be set for the Data Source Catalog entry.

dsName The name of the existing Data Source Catalog entry.

location IP/hostname of LDAP/TFTP server.

user The username assigned to the LDAP user.

passwd The password assigned to the LDAP user.

description The description of the data source (optional parameter).

VLAN Catalog Editing Commands available:

• • • •

go add vlan {newName} {priority_bits_state:priority_bits:vlan_id_state:vlan_id}

go change vlan {vlanName} {priority_bits_state:priority_bits:vlan_id_state:vlan_id}

go delete vlan {vlanName}

go rename vlan {vlanName:newName}


newName The new name to be set for the VLAN Catalog entry.

vlanName The name of the existing VLAN Catalog entry.

priority_bits_state Enabling/disabling of the Vlan priority bits: enable, disable.

priority_bits The priority bits number: 0 – 7.

vlan_id_state Enabling/disabling of the Vlan ID: enable, disable.

vlan_id The Vlan ID number: 0 – 4095.



QoS Catalog Editing Commands available:

•

•

•

•

•

• •

go add/change qos {newName:pipe_both} -prior P -max_bw Max -min_bw Min[:minReserved] -tos tos_in:tos_out -general maxCon:admissionCtrl:tos_admit

go add/change qos {qosName:pipe_each } -prior P1,P2 -max_bw Max1,Max2 -tos tos_in1:tos_out1,tos_in2:tos_out2 -min_bw Min1[:minReserved], Min2[:minReserved] -general maxCon:admissionCtrl:tos_admit

go add/change qos {qosName:pipe_half_duplex} -prior P1 -avail_bw Bw -general maxCon:admissionCtrl:tos_admit

go add/change qos {qosName:vc_both} -prior P -tos tos_mark -max_bw Max -min_bw Min -general maxCon:admissionCtrl -con_alloc burst:maxBw:size:minBw/cbr:bw:delay

go add/change qos {qosName:vc_each } -prior P1, P2 -tos tos_mark1,tos_mark2 -max_bw Max1,Max2 -min_bw Min1,Min2 -general maxCon:admissionCtrl -con_alloc burst:maxBw1:size1:minBw1/cbr:bw1:delay1, burst:maxBw2:size2:minBw2/cbr:bw2:delay2

go delete qos {qosName }

go rename qos {qosName:newName }


newName The new name to be set for the QoS Catalog entry.

qosName The name of the existing QoS Catalog entry.

-prior The priority per VC or Pipe: 1-10 (default: 4).

-max_bw The maximum bandwidth for a VC or Pipe, for example, 10M or 100K.

-min_bw The minimum bandwidth for a VC or Pipe, for example, 10M or 100K.



Parameter Description

-avail_bw The available bandwidth for a Full Duplex Pipe, for example, 10M or 100K.

minReserved The minimum bandwidth reserve available: yes or no (default: no).

tos_admit The name of the ToS Catalog entry to mark the admitted traffic.

tos_in The name of the ToS Catalog entry to mark in-profile traffic.

tos_out The name of the ToS Catalog entry to mark out-of-profile traffic.

tos_mark The name of the ToS Catalog entry to mark traffic.

maxCon The maximum number of connections allowed on the VC or Pipe.

admissionCtrl The admission control: reject, drop, admit.

Connection allocation parameters when a traffic shaping method is burst:

maxBw The maximum bandwidth per connection, for example, 10M or 100K.

minBw The minimum bandwidth per connection, for example, 10M or 100K.

size The burst size in K/M bit per second

Connection allocation parameters when a traffic shaping method is cbr:

bw The bandwidth per connection, for example, 10M or 100K.

delay The delay in microseconds: 100 - 1,000,000.

When a type of QoS entry is vc_each or pipe_each, then all of the parameters (except for –general) require two values separated with a , (comma). The first value is for inbound traffic and the second is for outbound traffic. If you do not want to specify an inbound parameter, use a empty field in format, for example, -prior ,2.



Host Catalog Editing Commands available:

• • • •

• • • • • •

• •

go add host {newName:addresses} {type:value[:interface], type:value,…}

go add host {newName:group} {host1,host2}

go add host { newName:ldap} {dataSource:root:address_attr:name_attr:filter}

go add host { newName:txtfile} {dataSrc:file:start_row:address_pos: name_pos:delimiter}

go change host {hostName} {-/+type:value[:interface],-/+type:value[:interface]}

go change host {hostName} {-/+host1,-/+host2,…}

go change host {hostName} {=type:value[:interface],type:value[:interface],…}

go change host {hostName} {=host1,host2,…}

go change host { hostName} {dataSource:root:address_attr:name_attr:filter}

go change host { hostName} {dataSrc:file:start_row:address_pos:name_pos: delimiter}

go delete host {hostName }

go rename host {hostName:newName }


newName The new name to be set for the Host Catalog entry.

hostName The name of the existing Host Catalog entry.

Parameters to Host Entry of type addresses:

type Type of address: name, range, netaddr, ipaddr, macaddr.

value Address according to the type specified.

interface Interface type : internal, external, anywhere (by default).




Parameters to Host Entry of type group:

host1,host2 The names of previously defined Host Catalog entries separated by comma, which will be joined in a group.

Parameters to Host Entry of type ldap:

dataSource The name of the previously defined Data Source Catalog entry.

root LDAP Directory subtree root.

address_attr The addresses attribute name.

name_attr The name attribute name.

filter LDAP Directory search filter.

Parameters to Host Entry of type txtfile:

file The full file path on remote host.

start_row The row number from which to start reading data in a text file.

address_pos The position of address field.

name_pos The position of name field.

delimiter The separator character that separates a text file row into fields: comma, space, semicolon or other character.

When changing the addresses or group list of the Host Entry, use prefixes ‘-‘ or ‘+’ to each address or group item (‘– ‘ to remove item, ‘+’ to add item), or prefix ‘=’ once at beginning for replacing list with entered new one. For example, go change host Test1 -ipaddr:2.2.2.2,+range:1.1.1.1-1.1.1.9 -f

go change host Test2 +host8,-host9 –f

go change host Test2 =host10,host11 –f



When changing the Host Entry of type txtfile or ldap , use empty fields for parameters you do not want to change.

For example, command to change LDAP filter only: go change host Test1 ::::servicegroup=gold

Time Catalog Editing Commands available:

• • • • •

go add time {newName} {item1,item2,...}

go change time {tmName} {-/+item1,-/+item2,...}

go change time {tmName} {=item1,item2,...}

go delete time {tmName }

go rename time {tmName:newName }


newName The new name to be set to the ToS Catalog entry.

tmName The name of the existing ToS Catalog entry.

daily[:time]

weekly[:day[:time] ]

monthly[:month_day[:time]]

yearly[:month :month_day[:time]]

The Time item formats defined.

time The range of hours and minutes: HH.mm-HH.mm, allDay (default: allDay).

day The day of the week: sun, mon, tue, wed, thu, fri, sat. This is valid for weekly time periods.




month The month: 1-12. This is valid for yearly time periods.

month_day The day of the month: 1-31. This is valid for monthly and yearly time periods.

When changing the Time Entry, use prefixes ‘– ‘ or ‘+’ to each time item ( ‘– ‘ to remove item, ‘+’ to add new item ), or prefix ‘=’ once at the beginning for replacing a list with a new one. For example, go add time Test1 daily:10.00-20.00,weekly:5:08.20-20.00 -f

go change time Test1 –daily:10.00-20.00,+monthly:15 -f

go change time Test1 =daily:14.00-20.00,monthly:25 -f

Service Catalog Editing Commands available:

•

•

• •

• •

•

go add service {newName:appl } -protocol net[:ip[:app]] -dst_ports p1,p2,… -port_type pt -parse_by_port enable|disable -coll_filter filter

go add service {newName:group} [-group_report enable|disable] {srvName1,srvName2,...}

go add service {newName:content:parentName} {content1,content2,...}

go change service {srvName} -protocol net[:ip[:app]] -dst_ports -/+p1,-/+p2 -port_type pt -parse_by_port enable|disable -coll_filter filter

go change service {srvName} -dst_ports =p1,p2,…

go change service {grName} [-group_report enable|disable] {-/+srvName1,-/+srvName2,...}

go change service {contName} {-/+content1, -/+content2,...}



• •

go delete service {srvName }

go rename service {srvName:newName }


newName The new name to be set to the Service Catalog entry.

srvName The name of the existing Service Catalog entry.

–protocol The protocol of Service entry. By default IP:TCP:Other TCP

net The network protocol to be used by the Catalog entry: IP, ARP, Banyan-Vines, DEC-DECNET, DEC-LAT, DEC-Ethernet, Appletalk, SNA, IPX, Ipv6, MS-IPX, NetBEUI, ANY, PPPoE-Discovery, PPPoE-Control or whole number in interval 1 – 65534

ip The transport protocol, if the Network Protocol is IP only: TCP, UDP, EIGRP, ICMP, IGMP, EGP, RSVP, OSPFIGP, SIPP-ESP, SIPP-AH, I-NLSP, SWIPE, GGP, GRE, ANY or whole number in interval 1 - 255

app The name of the Application protocol when the Transport Protocol is TCP or UDP only

–dst_ports The list of ports on the destination host at which the traffic should arrive: x, x-y.

-port_type The Port type: all, other, list.

-coll_filter The Collection filter: service, appl.

content Value Format of the Content is: <type:value>. Content Types and Values are depending on the Application.




Acceptable Contents to the Application HTTP are: • •

• •

• •

• •

• • •

•

•

•

url method - with one of values CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE host content-type - command 'go list content' shows the all of acceptable values

Acceptable Contents to the Application FTP are: command - with one of values Download, Upload, Other file

Acceptable Contents to the Application Oracle are: service user

Acceptable Contents to the Application Citrix are: appl user Priority - with one of values High, Medium, Low, Print Traffic

Acceptable Contents to the Application H.323 are: codec - with one of values H.323 G711-64K Codec, H.323 G711-56K Codec, H.323 G722-64K Codec, H.323 G722-56K Codec, H.323 G722-48K Codec, H.323 G7231 Codec, H.323 G728 Codec, H.323 G729 Codec, H.323 H261 Codec, H.323 H262 Codec, H.323 H263 Codec, H.323 Audio Default Codec, H.323 Video Default Codec

Acceptable Contents to the Application KaZaA and Gnutella are: Direction - with one of values Upload, Download

Acceptable Contents to the Application Citrix ICA are: Priority - with one of values High, Medium, Low, Print Traffic




Acceptable Contents to the Application SMTP are: • •

• • •

• •

domains_file - with name of the file containing domains Domains

Acceptable Contents to the Application Citrix NFuse are: appl user Priority - with one of values High, Medium, Low, Print Traffic

Acceptable Contents to the Application MGCP are: codec Media Type - with one of values Audio, Video, Application, Data, All

When changing the port list of Service Entry, use prefixes ‘– ‘ or ‘+’ to each port number or port range (‘– ‘ to remove port, ‘+’ to add new port), or prefix ‘=’ once at beginning for replacing ports list with entered new one. The same prefixes should be used for update the Service Group list and Content Inspection list. For example, go add service Test1:appl –dst_ports 333,3456-3460 -f

go change service Test1 –dst_ports +2222-2228,-333

go change service Test1 –dst_ports =2222-2228,4444 -f

Connection Control Catalog Editing Commands available:

•

• •

go add coc {newName: lb:<Technique:PortUse>} -behaviour NoSrvAction[:Backup:Sticky] -servers Host:[Port:Weight],Host:[Port:Weight],...

go add coc {newName:cache} –behaviour NoSrvAction -servers Host,Host

go change coc {cocName} –behaviour NoSrvAction[:Backup:Sticky] -servers -/+ Host[:Port:Weight],-/+Host[:Port:Weight],...



• •

go delete coc {cocName }

go rename coc {cocName:newName }


newName The new name to be set to the Connection Control Catalog entry.

cocName The name of the existing Connection Control Catalog entry.

Host Hostname or IP address of Load Balancing/Cache server.

NoSrvAction No Server action: drop, reject, pass-as-is (by default).

Parameters to Connection Control entry of type lb only:

Technique The load balancing technique being used: rr, fa, wrr (by default).

PortUse The load balancing port being used: original (by default), assigned, fixed:<PortNumber>

Backup Whether to activate load balancing on server failure: yes, no (by default).

Sticky The timeout (in seconds) for sticky connections: 0 - 999999.

Port The port number on load balancing server.

Weight The weight number on load balancing server, when Technique is defined as wrr.

When changing the servers list of the Connection Control entry, use prefixes ‘-‘ or ‘+’ for each server item (‘– ‘ to remove item, ‘+’ to add item), or prefix ‘=’ once at the beginning when replacing a list with a new one. For example, go add coc Test1:lb:wrr:fixed:777 –servers 10.1.1.4::3 -f

go change coc Test1 –servers –10.1.1.4::3,+10.1.1.10::5 -f



Policy Catalog Editing Commands available:

•

• • • •

•

• • •

•

• •

•

•

go add pipe {newName[:state]} –expand exp –src Src –dst Dest –service Serv –time Time –tos ToS –vlan Vlan –access Access –qos QoS –offset X -dir X

go change pipe {pName[:state]} –expand exp –access Access –qos QoS

go delete pipe {pName }

go rename time {pName:newName }

go add vc {newName:pName[:state]} –expand exp –src Src –dst Dest –service Serv –time Time –tos ToS –vlan Vlan –access Access –qos QoS –coc Coc –offset X -dir X

go change vc {vcName:pName[:state]} -expand exp -access Access -qos QoS -coc Coc

go delete vc {vcName:pName }

go rename vc {vcName:newName:pName }

go add prule {pName[:state]} –src Src –dst Dest -service Serv -time Time -tos ToS -vlan Vlan -offset X -dir X

go change prule {pName:offset[:state]} –src Src –dst Dest –service Serv –time Time –tos ToS –vlan Vlan -dir X

go delete prule {pName:offset}

go add vcrule {vcName:pName[:state]} –src Src –dst Dest –service Serv -time Time -tos ToS -vlan Vlan -offset Offset -dir X

go change vcrule {vcName:pName:offset[:state]} –src Src –dst Dest –service Serv –time Time –tos ToS –vlan Vlan -dir X

go delete vcrule {vcName:pName:offset}




newName The new name to be set for the Pipe or Virtual Channel.

PName The name of the existing Pipe.

VcName The name of the existing Virtual Channel.

State The status of the Pipe, Virtual Channel or Rule: enable, disable (default: enable)

-expand The location of the Host Catalog entry for template expansion: none (no template), src, dst.

-src The Connection Source condition of the Pipe or Virtual Channel: any entry from the Host Catalog. (default: Any)

-dst The Connection Destination condition of the Pipe or Virtual Channel: any entry from the Host Catalog. (default: Any)

-service The Service condition of the Pipe or Virtual Channel: any entry from the Service Catalog. (default: All IP)

-time The Time condition of the Pipe or Virtual Channel: any entry from the Time Catalog. (default: Anytime)

-tos The ToS condition of the Pipe or Virtual Channel: any entry from the TOS Catalog. (default: Ignore)

-vlan The Vlan condition of the Pipe or Virtual Channel: any entry from the Vlan Catalog. (default: Any)

-qos The QoS action of the Pipe or Virtual Channel: any entry from the QoS Catalog. (default: Normal Priority – Pipe/ Normal Priority – Virtual Channel)

-access The Access action of the Pipe or Virtual Channel: Accept, Reject, Drop (default: Accept.).

-coc The Connection Control action of the Virtual Channel: any entry name from the Connection Control Catalog.




-dir The direction of traffic to which the Pipe or Virtual Channel applies: 1, 2. (default: 2)

-offset The position of the Pipe, Virtual Channel or Rule – offset from first position in the policy table

When adding a new Pipe or Virtual Channel without parameter ‘-offset’ , it will be added on next to last position (before Fallback Pipe/VC).

List The list action displays the entries defined in the different Catalogs.

Commands available:

• go list {object} [-full]

Parameter Description Object Parameter Description

host -full Displays the contents of the Host Catalog. If ‘-full’ parameter is specified, additional information is shown for entries from LDAP/Text file Data Source

time - Displays the contents of the Time Catalog.

tos - Displays the contents of the ToS Catalog.

qos - Displays the contents of the QoS Catalog.

service -full Displays the contents of the Service Catalog.

datasrc - Displays the contents of the Data Source Catalog.

vlan - Displays the contents of the Vlan Catalog.

coc - Displays the contents of the Connection Control Catalog.



Object Parameter Description

pipes -full Displays a list of defined Pipes. If ‘-full’ parameter is specified, additional information is shown for each Virtual Channel in the Pipe.

pipedata {pName} Displays full data for a single Pipe identified by name.

vc {vcName:pName}

Displays full data for a single VC identified by name.

Configuration Settings The config action enables you to configure NetEnforcer. A description of the switches and parameters available are shown below.

Commands available:

• • • •

• •

• • • •

go config key {Key}

go config nic -internal link -external link –mgmt link

go config access_control {host_list}

go config snmp –community read:write:trap -trap_dest Dest -contact Contact –location Loc

go config vlan { vlan_env:vlan_id}

go config ips –h Hostname –d Domain -g Gateway -ip ip:mask –dns dns1:dns2 –ts ts1:ts2:ts3 –mgmt check -reject_ip ip:mask|none

go config access_link -internal link -external link

go config policy_srv –auto_refresh X -save_refresh check

go config monitoring –resolve_dns check -sample_period sp

go config coc –pass_through check -retries server:service -timeout server:service:connect



•

•

• • •

•

• • • • •

go config acct_setup [enable|disable] -resolve_dns check -odbc check -collect_data period -del_data period –ip IP1:IP2

go config radius_setup [enable|disable] -stop_only check -collect_data period -server1 addr –server2 addr -send_timeout X –retries Y -failed_msg N

go config acct_radius_storage –pipe check –vc check –service check -hosts hr

go config dos [admit|drop] –max_conn X –max_cer Y

go config security –connect Mode –telnet check –ping check -timeout X –root_login check -ssh check

go config network –transport check -appl check –sptree check -mesh check –mom check –ar -/+route1, -/+route2,…|none

go config alerts [enable|disable] –email e1:e2 –sms SMS –src _email -smtp

go config time –t date_time –tz zone

go config setup_verify

go config send_snapshot

go config view [cfg_tab]

Parameter Description Config Tab Parameter Description

key Key The new box activation key or none.

access_control Host_list Update the list of hosts allowed access to NetEnforcer. Any hosts not entered into this list will be barred access to NetEnforcer. The format is IP addresses/host names with prefix –(minus) or + (plus) separated by , (comma) or all.

For example, go config access_control –10.10.10.1, +10.10.10.2.

snmp –community The SNMP read, write and trap community.



Config Tab Parameter Description

-trap_dest The SNMP trap destination address.

-contact The SNMP contact.

–location The SNMP location.

vlan_env The Vlan environment setting: enable, disable. vlan

vlan_id The Vlan ID: 1 – 4094.

-h The host name of NetEnforcer.

-d The domain name where NetEnforcer is located. For example, allot.com.

-g The IP address of the gateway or none.

-ip The IP address of NetEnforcer and network subnet mask.

-dns The IP address of your Primary/ Secondary DNS server, or none.

ips

-ts IP address of the Primary/ Secondary/ Tertiary Time server, or none.

nic -internal

-external

-mgmt

Internal/External/Management Interface NIC settings in format [mode:speed]. The Mode values are: auto, half, full. The Speed values are: auto, 10, 100, 1000(according to the box type)

-resolve_dns Resolve DNS names for Accounting data: enable, disable.

-odbc Use ODBC to read Accounting data: enable [:Username:Passw], disable.

acct_setup (these parameters are for Internal Accounting)

-collect_data The timespan of saved Accounting data: Xminutes, Xhours, Xdays.




-del_data The timespan of deleted Accounting data: Xdays, Xmonths.

acct_setup (these parameters are for External Accounting)

-ip IP1:IP2 are primary and secondary IP addresses of external accounting servers.

access_link -internal

-external

Internal/External Interface Link settings in format [type:outBW:inBW]. The bandwidth must be defined using K/M unit. The Link Types are: half, full.

For example, go config access_link –internal full:1000M:100M

–auto_refresh Auto refresh rate for any LDAP/Text file-based query found in policy catalog : Xsec, Xmin, Xhours, Xdays or none.

policy_srv

-save_refresh Refresh any LDAP/Text file-based query found in policy catalog when saving policy database: enable, disable.

–resolve_dns Resolve DNS names for monitoring data: enable, disable.

monitoring

-sample_period

The monitoring sample period: 30sec, 1min, 2min, 3min, 4min, 5min, 6min, 7min, 8min, 9min, 10min.

-pass_through Pass all cached traffic through QoS device: enable, disable.

-retries The Server/Service tracking retries: 1 – 100.

coc

-timeout The Server/Connect tracking timeout: 10 – 240.

Service tracking timeout: 10 – 249.




-stop_only Send RADIUS Stop messages only: enable, disable.

-collect_data The period of saving RADIUS data: Xminutes, Xhours, Xdays.

-server1 -server2

The Primary/Secondary RADIUS server in format <addr[/port]:secret> or none.

-send_timeout The Timeout on the message send failure: 1 – 60.

-retries The Number of retries for attempting message send: 1 – 10.

radius_setup

-failed_msg The Number of failed messages before switch to other server: 1 – 200.

–pipe Save item 'Pipe' in each Accounting record: enable, disable.

–vc Save item 'Virtual Channel' in each Accounting record: enable, disable.

–service Save item 'Service' in each Accounting record: enable, disable.

acct_radius_storage

–host Host recording in Accounting: int_host, ext_host, int_ext_host, client, server, client_server, disable.

–max_conn Maximum number of connections in case of DoS attack: 1 - Value (value according to NetEnforcer type).

dos

-max_cer Maximum new connections establishment rate: 1 – Value (value according to NetEnforcer type).




–connect The connection mode: ssl, non-ssl, both.

–telnet Enable/disable telnet: enable, disable.

–ping Enable/disable ping replies: enable, disable.

-timeout The timeout while connected via console or telnet. The shells will automatically logout after the specified number of seconds. If 0, no automatic logout.

-root_login Enable/disable ability to log in as user “root”: enable, disable.

(modifies files /etc/security and /etc/ssh/sshd_config)

security

-ssh Enable/disable Secure Shell communications: enable, disable. (run / stop sshd)

-transport Transport Layer Classification (TCP/UDP ports): enable, disable.

-sptree Support ‘Spanning Tree’ protocol: enable, disable.

-appl Application Layer Analysis: enable, disable.

-mesh Support Meshed network topology: enable, disable.

network

-mom 'Monitoring Only' mode: enable, disable.




-ar Additional routes.The format is -/+<destIP:mask:gateway:destType:interface>,…

Destination types: host, network

Interfaces: 0, 1, 2

Prefixes : '-' to delete selected route from Routing Table; '+' to add new route to Routing Table.

time -t The system time in format DD-MM-YYYY-HH-mm.

-tz Time zone settings. Enter one from the following list of parameters:

US/Alaska, US/Aleutian, US/Arizona, US/Central, US/East-Indiana, US/Eastern, US/Hawaii, US/Indiana-Starke, US/Michigan, US/Mountain, US/Pacific, US/Samoa, Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura,Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda,



Config Tab Parameter Description Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/Windhoek, America/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Araguaina, America/Aruba, America/Asuncion, America/Atka, America/Barbados, America/Belem, America/Belize, America/Boa_Vista, America/Bogota, America/Boise, America/Buenos_Aires, America/Cambridge_Bay, America/Cancun, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago, America/Chihuahua, America/Cordoba, America/Costa_Rica, America/Cuiaba, America/Curacao, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, America/Eirunepe, America/El_Salvador, America/Ensenada, America/Fort_Wayne, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Hermosillo,



Config Tab Parameter Description America/Indiana/Indianapolis, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Vevay, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/Lima, America/Kentucky/Louisville, America/La_Paz, America/Kentucky/Monticello, America/Knox_IN, America/Los_Angeles, America/Louisville, America/Maceio, America/Managua, America/Manaus, America/Martinique, America/Mazatlan, America/Mendoza, America/Menominee, America/Merida, America/Mexico_City, America/Miquelon, America/Monterrey, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince, America/Port_of_Spain, America/Porto_Acre, America/Porto_Velho, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Recife, America/Regina, America/Rosario, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current, America/Tegucigalpa, America/Thule,



Config Tab Parameter Description America/Thunder_Bay, America/Tijuana, America/Tortola, America/Vancouver, America/Virgin, America/Whitehorse, America/Winnipeg, America/Yakutat, America/Yellowknife, Antarctica/Casey, Antarctica/Davis, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/South_Pole, Antarctica/Syowa, Arctic/Longyearbyen, Asia/Aden, Asia/Almaty,Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashgabat, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dhaka, Asia/Dili,Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hong_Kong, Asia/Hovd, Asia/Irkutsk, Asia/Istanbul, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Katmandu, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pyongyang, Asia/Qatar, Asia/Rangoon ,Asia/Riyadh, Asia/Riyadh87, Asia/Riyadh88, Asia/Riyadh89, Asia/Saigon, Asia/Samarkand, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Tel_Aviv, Asia/Thimbu, Asia/Thimphu, Asia/Tokyo, Asia/Ujung_Pandang,



Config Tab Parameter Description Asia/Ulaanbaatar, Asia/Ulan_Bator, Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan, Atlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/Stanley, Australia/ACT, Australia/Adelaide, Australia/Brisbane, Australia/Broken_Hill, Australia/Canberra, Australia/Darwin, Australia/Hobart, Australia/LHI, Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/NSW, Australia/North, Australia/Perth, Australia/Queensland, Australia/South, Australia/Sydney, Australia/Tasmania, Australia/Victoria, Australia/West, Australia/Yancowinna, Brazil/Acre, Brazil/DeNoronha, Brazil/East,Brazil/West, CET, CST6CDT, Canada/Atlantic, Canada/Central, Canada/East-Saskatchewan, Canada/Eastern, Canada/Mountain, Canada/Newfoundland, Canada/Pacific, Canada/Saskatchewan, Canada/Yukon, Chile/Continental, Chile/EasterIsland, Cuba, EET, EST, EST5EDT, Egypt, Eire, Etc/GMT, Etc/GMT+0, Etc/GMT+1, Etc/GMT+10, Etc/GMT+11, Etc/GMT+12, Etc/GMT+2, Etc/GMT+3, Etc/GMT+4, Etc/GMT+5, Etc/GMT+6, Etc/GMT+7, Etc/GMT+8, Etc/GMT+9, Etc/GMT-0, Etc/GMT-1, Etc/GMT-10, Etc/GMT-11, Etc/GMT-12,



Config Tab Parameter Description Etc/GMT-13, Etc/GMT-14, Etc/GMT-2, Etc/GMT-3, Etc/GMT-4, Etc/GMT-5, Etc/GMT-6, Etc/GMT-7, Etc/GMT-8, Etc/GMT-9, Etc/GMT0, Etc/Greenwich, Etc/UCT, Etc/UTC, Etc/Universal, Etc/Zulu, Europe/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Nicosia, Europe/Oslo, Europe/Paris, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Tiraspol, Europe/Uzhgorod, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Warsaw, Europe/Zagreb, Europe/Zaporozhye, Europe/Zurich, Factory, GB, GB-Eire, GMT, GMT+0, GMT-0, GMT0, Greenwich, HST, Hongkong, Iceland, Indian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe,



Config Tab Parameter Description Indian/Maldives, Indian/Mauritius, Indian/Mayotte, Indian/Reunion, Iran, Israel, Jamaica, Japan, Kwajalein, Libya, MET, MST, MST7MDT, Mexico/BajaNorte, Mexico/BajaSur, Mexico/General, Mideast/Riyadh87, Mideast/Riyadh88, Mideast/Riyadh89, NZ, NZ-CHAT, Navajo, PRC, PST8PDT, Pacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Samoa, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap, Poland, Portugal, ROC, ROK, Singapore, Turkey, UCT, UTC, Universal, W-SU, WET, Zulu




view cfg_tab Display the current configuration parameters for tab specified: key, ips, snmp, access_link, access_control, vlan, acct_setup, monitoring, policy_srv, acct_radius_storage, dos , security, alerts, time. If tab was not specified, then all of the configuration parameters will be displayed

–email The Primary/ Secondary email address of alert target

alerts

–sms The SMS address of alert target setup_verify - Perform the setup verification.

Send_snapshot - Send snapshot to Allot from NetEnforcer




Appendix H: Troubleshooting

This appendix describes some common situations that may occur when using NetEnforcer and how to deal with them.

Problem Solution

No Link with the NetEnforcer

I cannot ping to the NetEnforcer and cannot see a link on the interfaces of the NetEnforcer.

Ensure that you are connected with the correct cables. If NetEnforcer is directly connected to another device, such as a router, firewall or PC, you should be connected using a cross cable. A straight cable is used when connecting to a hub or a switch.

No Link with the NetEnforcer/Link Up, Link Down

My link with the NetEnforcer appears to keep disconnecting. I see huge packet loss when I ping and I can also see the link light going off intermittently.

This is probably due to the fact that the two NICs (NetEnforcer's and its connected device) are not synchronized properly. It is mandatory to set both the NetEnforcer's NIC and the adjacent device's NIC to the same speed and Duplex mode. This can be done via the NetEnforcer Setup Menu (Network configuration, Manual configuration), described in Chapter 2, Installing NetEnforcer. Alternatively, the NIC settings can be changed via the browser interface in the Configuration window (Advanced view) under the NIC tab, described in Chapter 4, Configuring NetEnforcer.

NetEnforcer User Guide H-1


Problem Solution

Cannot Access the NetEnforcer

I can ping through the NetEnforcer and browse to the Internet but I am unable to access the NetEnforcer directly via telnet or the browser interface.

Check that your IP routing is defined correctly on the NetEnforcer. The Default Gateway definition should refer to the default gateway used by your clients from different subnets, to access the subnet on which the NetEnforcer sits.

Monitoring Graph does not Appear Accurate

I defined CBR for a connection but the monitoring graph always displays the throughput as less than this value. In general the values displayed in the monitoring chart appear to be inaccurate.

The monitoring graph has two display modes, "Average" and "Active Average".

The "Average" option displays an average throughput rate over the whole sample time, meaning total bytes sent (or received)/one sample time. The result is that if a connection is only sending traffic for a third of that time period, the actual throughput rate over the whole sample time will be reduced to a third of its actual rate.

The "Active Average" option displays the throughput rate only for the time period that the connection was sending traffic. This provides a 'true' representation of the throughput rate.

In order to change the display mode, select the appropriate monitoring mode from the View menu.



Problem Solution

Host IPs / Names are not added to the Access Control List

When I add an IP address to the access control list via the Configuration window (Access Control tab), it disappears when I select Add.

This problem is as a result of the browser cache size being too small. To change the cache size, follow the instructions below:

For Microsoft Internet Explorer:

1. From the Tools menu, select Internet Options.

2. Select the General tab and then select Settings from the Temporary Internet Files section.

3. Ensure that the Amount of disk space to be used is at least 10 Kbytes.

4. Click OK to return to the General tab, and click OK again to close the Internet Options dialog box.

5. Restart Internet Explorer.

For Netscape Navigator:

1. From the Edit menu, choose Preferences.

2. In the Categories window, click on the plus ("+") sign next to Advanced, and select Cache.

3. Ensure that the Disk Cache is set to at least 10 Kbytes, and click OK.

4. Restart Navigator.



Problem Solution

Changing the RadiusServerPort

My Radius server does not run on the default port. I would like to export my accounting data to the radius server. How do I do this?

1. Open the Configuration window (Advanced View).

2. Select the RADIUS Setup tab.

3. In the Primary RADIUS Server Host Name/IP Address field, enter the IP address/host name of your RADIUS server and the port number that the server runs on. For example, if your RADIUS server runs on port 2222 and the IP address of the server is 1.2.3.4 then you would enter the information as follows: 1.2.3.4:2222.

Applications Disconnect with Low Priority

I am trying to run a particular application but every time I try to do anything it disconnects. The only Quality of Service definition I have defined is Priority 1. I have many high priority applications, some with guaranteed bandwidth definitions.

The difference between the highest priority applications and the lowest priority applications should usually be very small (1-2 steps). Large differences in priority (9 or 10 steps) for many applications may cause excessive timeouts. If your link is congested, then applications with very low priorities will be assigned only small bandwidth allocations. In some cases, this bandwidth is not enough for the application to function and so it becomes "starved" and eventually times out.

Unable to Connect to the NetEnforcer via HyperTerminal

I am trying to connect to the NetEnforcer via HyperTerminal. All my settings are correct but I am still not able to access the NetEnforcer.

In some cases you may need to ground the NetEnforcer. At the rear of the NetEnforcer there is a ground connector. Connect this to a grounding cable and try the HyperTerminal connection again.



Problem Solution

Software Version and AC Model

How do I find out what NetEnforcer model I have and what software version it is running.

Open the Configuration window and select the Product IDs and Key tab. The model is listed under Product Name and the version under Version.

Backup of VC Table and Configuration Information

How do I back up my policy data and configuration information?

Refer to Chapter 4, Configuring NetEnforcer, Additional Configuration Options.

What Does Raw TCP mean?

In the protocol distribution window of the monitoring graph I see "Raw TCP." What does this mean?

The NetEnforcer reports TCP traffic as Raw when it does not see all packets within a connection. This can be when NetEnforcer is rebooted, since it becomes active while many connections are already active. In this case, the amount of Raw TCP traffic will decrease over time as existing connections are closed and new connections are opened. Another cause of Raw TCP traffic is if NetEnforcer is sitting in a 'meshed' network. This means that the packets can take more than one path to reach the same destination. In this case not all packets will pass through NetEnforcer. In any situation where NetEnforcer only receives part of the packets within a connection, the traffic will be reported as RAW.



Problem Solution

Maximum per VC is exceeded

I have defined a maximum per VC of 10Kbps. In the Inbound monitoring graph I always see more than 10Kbps.

A regular packet size is 12Kb. Therefore if you define a maximum value lower than 12 you will still see a throughput of at least 12Kbps.


Appendix I: Glossary

This appendix defines the terms used throughout the manual.

Glossary of Terms Access Control

An action that specifies the access for a connection. You can select the Access Control to accept, drop, or reject a connection.

Access Link

Internal and External logical interfaces. Access links may be smaller or equal to the Ethernet Adapter values.

Action

The operation performed on a connection once it matches a rule. A combination of Access Control, QoS and Connection Control.

Address – IP

A list of logical entities representing IP Version 4 (IPv4) addresses, which are comprised of 32 bits.

Address – MAC

A list of logical entities representing Media Access Control (MAC) addresses, which are comprised of a 48-bit source or destination address. The source address is the sender's globally unique device address.

Admin The default user name for administrating NetEnforcer, with the default password allot. It is strongly recommended to change this password.

NetEnforcer User Guide I-1


Admission Control A step in every flow activation, when the required bandwidth is allocated (or not) according to user demand (minimum bandwidth and maximum number of connections) and system state.

Application Binding The process of finding the correct application type for a flow (in case the flow is TCP or UDP).

Application Recognition The classification of protocols/applications by their unique "signature".

Application Type The application type is defined by the destination port number.

Backplane Watchdog Timer

The backplane internal hardware timer that initiates the bypass in case there was no software visit (the software visit restarts the timer).

Bandwidth

A parameter that defines the rate at which data flows.

Blocked Queue

A queue that holds packets that are over the maximum bandwidth defined for the connection/Virtual Channel/Pipe.

Borrowing Bandwidth

A Pipe/Virtual Channel defined with a minimum bandwidth will receive only the minimum necessary bandwidth, even if that value falls below the guaranteed minimum. For example, if a Virtual Channel is currently defined for 100 Kb minimum but needs only 50 Kb, 50 Kb is all that will be reserved, and the remainder of the bandwidth will be allocated to another Virtual Channel. This means that unused bandwidth is never wasted.



Burst Mode

When burst size is defined, the system will allow traffic to burst for a certain amount of time, but the average traffic for the whole period will still be bounded by the maximum.

Cache Redirection (CacheEnforcer) A network device that intercepts client HTTP requests and forwards them to one or more cache servers.

Catalog

A list of user-defined entries used when defining Pipes, Virtual Channels and rules in the Policy Editor.

CBR See Constant Bit Rate.

Centralized Monitoring and Accounting

Provision of centralized policy-based accounting and remote monitoring services. The Allot Communications NetPolicy provides a comprehensive, policy-based system that allows the network manager to define, in a concise and organized fashion, policies that automatically effect change on specific equipment in the network environment.

Classification

The procedure by which a flow or connection is associated to a Pipe and a Virtual Channel. This procedure occurs every time a new flow passes through NetEnforcer.

Classification Element

Definition of partial criteria for a match to an attribute of network traffic. One rule is a set of five classification elements or conditions. See Condition.

COC

See Connection Control.



Condition

A criteria with which to classify traffic. Conditions include Connection Source, Connection Destination, Service, ToS, and Time.

Connection

A flow from a source to a destination and from the destination back to the source.

Connection Control

Defines whether a flow is directed to Load balancing, cache redirection, or pass as is.

Connection Control Catalog

A Catalog that enables the user to define different load-balancing and cache-redirection definitions.

Constant Bit Rate

Offers constant throughput. When CBR is defined, the system will not allow traffic to exceed the maximum boundary defined.

Constant Connection

Offers constant throughput. When CBR is defined, the system will not allow traffic to exceed the maximum boundary defined.

Content Inspection

The ability to analyze packet content on a per-flow basis. This feature is the capability to filter packets per user’s content requests. Content based packet classification is based on any combination of source address, destination address, protocol, type, or content URL, including URL patterns.

Delay Specifies the maximum delay that a packet stays in NetEnforcer. If the packet exceeds this delay, the packet is discarded.



DDoS Attack

Distributed Denial of Service Attack. These attacks are more intense and damaging than DoS attacks. In DDoS attacks, multiple machines unknowingly participate in an attack against a single host target.

DHCP

Dynamic Host Configuration Protocol. Used for automated allocation, configuration and management of IP addresses and TCP/IP protocol stack parameters.

DoS Attack

Denial of Service Attack. Most DoS attacks are overloading servers with redundant traffic. All servers can handle traffic volume up to a maximum, beyond which they become disabled.

Drop

All packets are dropped. The user is disconnected and may see the message Connection timed-out.

Flow

A series of packets with common attributes. Since these attributes do not change in time, it is possible to identify a flow by its first packet only. TCP and UDP flows are identified by the IP and port of the source and destination. Any other IP flow is identified by the source IP, destination IP and protocol number. Non-IP flows are identified by protocol number only. See Connection.

Flow Attribute

Data belonging to a flow that differentiates that flow from others.

Fraggle Attack

When a perpetrator sends a large number of UDP echo (ping) traffic at IP broadcast addresses, all of it having a fake source address. This is a simple rewrite of the Smurf code.



Guaranteed Bandwidth

A per-connection parameter, which means that every connection will be granted “N bytes/bits per second”.

Host Catalog

A Catalog that enables the user to define the Connection Source and Connection Destination, two of the classification elements or conditions of a rule. Hosts can be network IP addresses, IP address ranges, host names, IP Subnet addresses or MAC addresses.

Inbound Traffic

Traffic that flows into the External link and out from the Internal link.

Java Applet

A program written in the Java™ (Sun Microsystems Inc trademark) language. The applet's code is transferred to your system and executed by the browser's Java Virtual Machine (JVM) (see more at: http://java.sun.com/applets/).

Light Directory Access Protocol (LDAP)

A standard communication protocol that allows clients, servers and applications to access directory services. NetEnforcer includes an LDAP client for communication with the LDAP directory.

Load Balancing

A mechanism that enables balancing traffic between different servers. All traffic is directed to a single IP, but the load-balancer smartly divides the traffic between the different servers.

Maximum Bandwidth

A parameter that defines the upper limit of the bandwidth provision of NetEnforcer, a Pipe, a Virtual Channel or a connection. NetEnforcer ensures that the bandwidth will not exceed this value.



Minimum Bandwidth

A parameter that defines the lower limit of bandwidth provision, and states that NetEnforcer will provide a particular Pipe, Virtual Channel or connection with “at least N bytes/bits per second”. NetEnforcer guarantees that the bandwidth will not fall below this value.

Monitor

The default basic user name for monitoring NetEnforcer, with the default password allot. It is strongly recommended to change this password.

MPLS

Multi-protocol Label Switching. This protocol, relevant in networking technology, provides scalable infrastructure for the Internet. MPLS uses the concept of label switching to create a 'virtual circuit' between two-end points. The main use of MPLS is to create high quality VPNs (Virtual Private Networks). In addition, MPLS may be used to allow integrated-access services such as voice/video and data over IP.

MRTG

Multirouter Traffic Grapher. The MRTG tool generates HTML pages that present traffic statistic graphs. Using a standard Web browser, you can view pages, each containing graphs showing daily, weekly, monthly and yearly information.

NetHistory

A software module that enables the user to view network behavior at any time in the past.

NIC

Network Interface Card. Located in one device and physically connected to the Ethernet cable going into another device.

Number of Connections

The number of open connections (sessions from the software point of view) in NetEnforcer.



ODBC

Microsoft Open Database Connectivity interface. An application programming interface (API) for database access. It uses Structured Query Language (SQL) as its database access language.

Outbound Traffic

Traffic that flows into the Internal link and out from the External link.

P2P Applications

These "Peer-to-Peer" applications turn network clients into servers, using expensive WAN bandwidth and potentially distributing worms throughout the network. Napster is a well-known P2P application.

Packets Per Second (PPS)

The number of packets that were sent by NetEnforcer in a second.

Per Flow Queuing (PFQ)

Allot Communications QoS algorithm that defines a process where the scheduler empties the queue according to each flow policy and fairness. Allot Communications implements a smart queue scheduling algorithm, with accurate timing for receiving and sending packets. The timing is such that the applications on both sides are within the timing tolerances, while NetEnforcer precisely controls the bandwidth.

Allot Communications PFQ maximizes WAN link utilization and minimizes bandwidth waste. Allot Communications utilizes standard mechanisms built in to the TCP to maximize WAN utilization. It also uses a unique combination of PFQ and Smart Queue Scheduling to precisely control bandwidth for both the incoming and outgoing traffic. Policies are based on a variety of criteria, including when needed, data located within the traffic, and so on.

Ping of Death

When an attacker sends illegitimate, oversized ICMP (ping) packets. These attacks are targeted at specific TCP stacks that cannot handle this type of packet and overload the victim's servers.



Pipe

A grouping of traffic defined by conditions (rules) and actions that owns sub-groupings called Virtual Channels.

Policy

The regulation of access to network resources and services based on (business) administrative criteria.

Policy Server

A server which administers QoS requests and sends out information necessary (policy) to enforce QoS.

Port Number

A 16-bit integer appended to a message and passed between client and server transport layers.

Priority

A parameter that identifies the relative importance of traffic on a particular Pipe or Virtual Channel compared to other Pipes or Virtual Channels. Priority does not explicitly define the speed of communication, but assigns a weight value, for example, for every 2 bytes of priority 3, send 4 bytes of priority 7. It does not define how long it takes to send priority 7 or priority 3 bytes.

Process Watchdog

A software process that is responsible for keeping the system in a normal operation state. It watches the aliveness of processes and restarts a process or the whole system when required.

QoS

See Quality of Service.



QoS Action

Defines a level of bandwidth agreement using parameters such as minimum/maximum bandwidth, priority, and so on. You can select the QoS action for Pipes, Virtual Channels and connections.

QoS Catalog

A Catalog that enables the user to define possible values for the QoS action.

QoS Gateway

Provision of end-to-end policy enforcement and management via standards-based signal provisioning protocols, including Differentiated Services, ToS, RSVP, MPLS, and 802.1P.

QoS of UDP Traffic Allot Communications supports QoS for UDP traffic by using the token bucket mechanism (for CBR sessions), combined with the leaky bucket mechanism (to supply rate limits).

Quality of Service

Enforcing a network policy that will impact bandwidth, delay (jitter), or traffic reliability.

Queuing Method used by routers to control the flow of traffic. Packets are placed in holding queues and retransmitted based on CBQ and WFQ algorithms. When traffic overflows the queue, packets are discarded to reduce network congestion.

RADIUS Remote Authentication Dial In User Services protocol. Specifies accounting, log and analysis parameters for IP users accessing via dial in services.



Redundancy Configuration

A configuration in which two NetEnforcers are connected in parallel using a flat cable. If one NetEnforcer goes down, the other one takes over immediately. One NetEnforcer is automatically the primary system (defined by the flat cable hardware), and the Primary and Active LEDs on the front panel are lit. The other NetEnforcer is the secondary system, and the Secondary LED on the front panel is lit. The flat cable is connected between the Backup connectors.

Reject

All packets are dropped. In TCP traffic, an RST packet is sent to the client and the user may see the message Connection Closed by Server.

Reserve on Demand

A minimum bandwidth demand mode that reserves allocated bandwidth and, even if it is not all used or required, does not provide it for other traffic.

Rule

A combination of classification elements or conditions comprised of Connection Source, Connection Destination, Service, TOS and Time. Together these conditions form complete criteria for classifying network traffic. Conjunction is made with the AND operator.

Rule Matching

The process of finding the first matching rule for a flow or connection.

Schedule Queue

A queue in which the packets wait to be transmitted. The schedule is defined by the minimum bandwidth and priority parameters.

Service

Protocol- or application-based criteria for traffic classification.



Service Catalog

A Catalog that enables the user to define possible values for the Service condition. It includes a list of different network/transport/applications protocols defined by the protocol number (L2, L3, L4 or L5 layer) and destination port number (L4).

Smurf Attack

When a perpetrator sends a large number of ICMP echo (ping) traffic at IP broadcast addresses, using a fake source address. The source address will be flooded with simultaneous replies.

SNMP

Simple Network Management Protocol. Sets up the rules for exchanging network information through messages (which contain variables with values). The following types of messages are defined: read, write and trap.

Spanning Tree

A link management protocol that provides path redundancy while preventing undesirable loops in the network.

Spoofing

When an attacker uses a fake Internet address so that the source address of an IP packet is not the actual source. An attacker from outside of the network (meaning, from the Internet) may send packets with a source address on the LAN. This deceives the internal servers into identifying the attacker as a legitimate internal network user and the internal address becomes the victim. Spoofing is used in most of the well-known DOS attacks.

Standalone Configuration

A configuration in which only one NetEnforcer is connected to the network (in contrast to the redundancy configuration). In case of system crash, NetEnforcer becomes a wire, meaning that NetEnforcer continues to forward traffic without performing policy enforcement functions.



SYN Attack

When an attacker sends a series of SYN requests to a target (victim). The target sends a SYN ACK in response and waits for an ACK to come back to complete the session set up. Since the source address was fake, the response never comes, filling the victim's memory buffers so that it can no longer accept legitimate session requests.

Template – Virtual Channel or Pipe

A master Virtual Channel or Pipe that represents a class of Virtual Channels or Pipes, that only differ in one of their Host catalog conditions.

Time Catalog

A Catalog that enables the user to define possible values for the Time condition. NetEnforcer is capable of classifying traffic based on packet and time parameters.

ToS

See Type of Service.

ToS Catalog

A Catalog that enables the user to define possible values for the ToS condition.

Traffic Classification

NetEnforcer classifies traffic per IP source/destination including networks, subnets, hostnames, list and ranges of addresses; TCP/UDP ports including lists of ports, port ranges and HTTP header parameters; URL (including wildcards - *), methods, host names (in the header) and FTP control to data connection correlation.



Type of Service

A byte in the IP header that defines the Type of Service that should be given to that packet. Two types are implemented: IP Precedence bits (mostly in Cisco equipment) or DiffServ (IETF standard). When used for IP Precedence, utilizes bits 0-2 to signify 8 priority values 0-7. When used as DiffServ Code Point Description (DSCP), utilizes only 6 out of the 8 bits. IP Precedence and DiffServ are prioritizing methods for IP traffic going through the network.

By setting the Type of Service (ToS) bits in accordance with network policy, end-to-end QoS can be achieved in a heterogeneous environment.

Virtual Channel

A grouping of traffic defined by conditions (rules) and actions that can be owned by Pipes.

Virtual Connection

Class of network traffic that defines traffic classification criteria and policies.

VLAN

Virtual Local Area Network refers to LANs that are interconnected by a virtual Layer 2. The NetEnforcer enables you to apply VLAN tags to its management traffic. VLANs are commonly used with campus environment networks. This enables network changes to be made without physically moving cables or equipment.

Well-Known Ports

Some services are conventionally assigned a permanent port number. For a well-known port list see, for example: http://www.isi.edu/in-notes/iana/assignments/port-numbers.

Worms

This self-propagating code floods networks with email and adds Registry entries to users' clients. Worms may be transmitted via email, sharing infected files, or via Internet Chat. Worms take advantage of "back doors" or "holes" in popularly used email software and operation systems. "Malicious" worms may also erase or hide certain types of files.


Index

A Access Control, 8-5 Access Links

Configuring, 4-13 Accessing

Catalog Editor, 7-3 Command Line Interface, G-2 NetEnforcer, 3-2 Policy Editor, 8-11

Accounting Internal, 4-30, 4-32 Storage, 4-37

Actions Access Control, 8-5 Connection Control, 8-8 Policy, 8-5 Quality of Service, 8-6

Activation Key, 4-12 Alerts

Conditions, 9-12 Configuring, 4-43 Defining, 9-6 Filtering, 9-24 List, 9-16 Resulting Action, 9-10 Security, 10-6 Severity, 9-9 Unilateral, 9-5

Alerts Editor, 9-5 Defining Alerts, 9-6 Menus, 9-17 Status Bar, 9-18 Toolbar, 9-17

Alerts Log, 9-18 Menus, 9-21 Monitoring Graphs, 9-23 Status Bar, 9-22 Toolbar, 9-21

B Backup Configuration, 4-46 Bandwidth

Guaranteed, 7-78 Inbound, 6-7 Outbound, 6-7

Bandwidth Monitoring Graph, 6-29 Bypass, 2-46, B-1

Initiation, B-3 Bypass Mode, B-2 Bypass Module, 2-11

Copper, 2-12 Fiber, 2-14, B-3

C CacheEnforcer, 1-2, 4-27, 7-85, 8-8 Catalog Editor, 1-9

Accessing, 7-3 Connection Control. See Connection Control

Catalog Data Source. See Data Source Catalog Deleting Entries, 7-6 Host. See Host Catalog Protected Entries, 7-5 Quality of Service. See Quality of Service Catalog Service. See Service Catalog Time. See Time Catalog


Index

Type of Service. See TOS Catalog VLAN. See VLAN Catalog Working with, 7-2

CBR. See Constant Bit Rate Classifying

Traffic, 1-5 CLI. See Command Line Interface Collector Application

Collecting Data, 6-56 Command Line Interface, G-1

Accessing, G-2 Command Syntax, G-3 Online Help, G-4 Scripts, G-2

Command Line Interface Command Descriptions Config, G-20 List, G-19

Configuration Window, 4-7 Menu Bar, 4-7 Standard View, 4-10 Toolbar, 4-9

Configuring Access Links, 4-13 Accounting Storage, 4-37 Alerts, 4-43 Backup, 4-46 Connection Control Parameters, 4-27 Date and Time, 4-48 DoS, 4-44 Host Name, 4-15 Internal Accounting Parameters, 4-30, 4-32 IP Parameters, 2-43, 4-15 LDAP/Text Source, 4-40 Monitoring, 4-29 NetEnforcer from Web Browser, 4-3 Network Parameters, 2-34 Network Topology, 4-22 Networking Parameters, 4-22 NIC Settings, 2-41, 4-20 Product Details, 4-11 Product IDs and Key, 4-11 RADIUS Setup Parameters, 4-34

RADIUS Storage, 4-37 Restore, 4-47 Routing Table, 4-22 Security, 4-18 Setup Verification, 4-49 SNMP Parameters, 4-26 VLAN, 4-41

Configuring NetEnforcer Via LCD Panel, 2-40 Via Terminal, 2-29

Connecting NetEnforcer to Network, 2-27, 2-28 Terminal, 2-29

Connection Control, 8-8 Cache Redirection, 7-85 Configuring Parameters, 4-27 Load-Balancing, 7-83

Connection Control Catalog, 7-81 Connections Monitoring Graph, 6-31 Constant Bit Rate

Parameters, 7-78 Control Panel, 3-3 Copper Bypass Module, 2-12

D Data Source Catalog, 7-87 Date and Time

Configuring, 4-48 Date and Time Settings, 2-38 Debugging, 3-7 Detecting Security Threats, 10-1 DIP Switches

Enhanced Platform, C-1, C-3 Distributing Policy, 8-35 DoS

Configuration, 4-44 Setup, 4-44

DoS Attacks, 10-2 DoS parameters, 10-3 Dropped Packets Monitoring Graph, 6-33


Index

E Enforcing, 1-6 Enhanced Platform

DIP Switches, C-1, C-3 Fail-Safe Configuration, B-16 Front Panel, 2-18 LCD Panel, 2-22 Rear Panel, 2-23 Status Indicators, 2-19 Unpacking, 2-17

F Fail-Safe

Mode, 1-7 Operation, B-1

Fail-Safe Configuration Enhanced Platform, B-16

Favorite View, 6-17 Fiber Bypass Module, 2-14, B-3 Firewall Ports, E-1 Front Panel

Enhanced Platform, 2-18 High Availability Platform, 2-5

Full Redundancy, B-1 Status Indicators, B-8

G Graph Styles, 6-6 Graph Types, 6-4 Graph Views, 6-5 Graphs

Accessing, 6-9

H Hardware Specifications

NetEnforcer, A-1 High Availability Platform

Front Panel, 2-5 LCD Panel, 2-8 Rear Panel, 2-9 Unpacking, 2-3

Host Catalog, 4-40, 7-8 Defining Host Lists, 7-9 Grouping Hosts, 7-12 LDAP, 7-14 Text Source, 7-17

Host Name Configuring, 4-15

I In/Out Bandwidth, 6-7 IP Parameters

Configuring, 2-43, 4-15

J Java Plug-in, 3-9

Installing from Internet Explorer, 3-11 Installing from Netscape, 3-14

L LCD Panel, 2-40


LDAP, 7-88 Configuring, 4-40

Long-term Monitoring, 6-51 Adding Graphs, 6-62 Collecting Data, 6-56 Data Coverage, 6-80 Day Level Graph, 6-74 Five-Minute Level Graph, 6-76 Hour Level Graph, 6-75 Manipulating Graphs, 6-71 Month Level Graph, 6-73 Period Level Graph, 6-70


Index

Thirty-Second Level Graph, 6-77 Viewing Data, 6-66

M Management Port, 2-44 Menu Bar

Alerts Editor, 9-17 Alerts Log, 9-21 Configuration Window, 4-7 Monitoring Window, 6-12 Policy Editor, 8-13

MIB Allot, 11-3, 11-6, 11-8, 11-9

MIB-II, 11-5 Monitoring, 1-4

Accessing Graphs, 6-9 Configuration, 4-29 Favorite View, 6-17 Graph Styles, 6-6 Graph Types, 6-4 Graph Views, 6-5 In/Out Bandwidth, 6-7 Long-term, 6-51 Network Traffic, 6-2 Setup, 4-29

Monitoring Graphs, 6-21 Alerts Log, 9-23 Bandwidth, 6-29 Connections, 6-31 Dropped Packets, 6-33 Most Active Clients, 6-47 Most Active External Hosts, 6-45 Most Active Internal Hosts, 6-42, 6-43 Most Active Pipes, 6-35 Most Active Servers, 6-49 Most Active Virtual Channels, 6-37 Pipes Distribution, 6-25 Protocols Distribution, 6-39 Utilization, 6-32 Virtual Channels Distribution, 6-27

Monitoring Only Mode, 2-26, 4-24

Monitoring Window, 6-8 Menu Bar, 6-12 Settings, 6-18 Toolbar, 6-15

Most Active Clients Monitoring Graph, 6-47 Most Active External Hosts Monitoring Graph, 6-45 Most Active Internal Hosts Monitoring Graph, 6-42,

6-43 Most Active Pipes Monitoring Graph, 6-35 Most Active Servers Monitoring Graph, 6-49 Most Active Virtual Channels Monitoring Graph, 6-37 MPLS Environment, 7-62 MRTG, 11-11

Example Configuration File, 11-15 Example Graphs, 11-17 Installing, 11-12 Introducing, 11-11

N NetAccountant, 1-2, 4-30, 4-32, 4-34, 4-37 NetBalancer, 1-2, 4-27, 7-83, 8-8 NetEnforcer

Accessing, 3-2 Changing Password, 2-37 Command Line Interface, G-1 Configuration Window, 4-7 Configuring from Web Browser, 4-3 Connecting to Network, 2-27, 2-28 Control Panel, 3-3 Current Configuration, 2-31, 2-32 Delivering QoS, 1-4 Enhanced Platform, 2-17 Environments, 1-3 Hardware, 2-2 Hardware Specifications, A-1 High Availability Platform, 2-3, 2-40 IP Address, 4-15 Logging Off, 3-9 Models, 2-2 Modifying Date Settings, 2-38 Modifying Time Settings, 2-38


Index

Monitoring Network Traffic, 6-2 Monitoring Window, 6-8 Overview, 1-2 Policy, 8-2 Policy Editor, 8-11 Ports, E-1 Protocols, F-1 Redundancy, B-7 Registering, 3-7 Scenarios, 1-13 Setting Up, 2-29 Shutting Down, 2-46 Standards Compliance, A-4 Viewing Applets, 3-8

NetWizard Defining Policies, 5-15 Ending the Monitoring Session, 5-15 Introducing, 1-12, 5-2 Monitoring Network Traffic, 5-3 Monitoring Window, 5-7 QoS Examples, 5-18 Viewing Graphs, 5-8 Viewing Information, 5-12 Viewing Statistics, 5-10 Viewing the Log, 5-14

Network Parameters Configuring, 2-34

Network Requirements Policy, 8-21

Network Topology Configuring, 4-22

Networking Parameters Configuring, 4-22

NIC Settings Configuring, 2-41, 4-20

O Options

View, 8-12 Out-of-Band Management, 2-8, 2-22, 2-25, 4-17

Monitoring Only Mode, 2-26

P Password

Changing Login, 2-37 Changing Root, 2-39

Pipes, 1-9, 8-3 Access Control, 8-5 Adding, 8-22 Creating Templates, 8-29 Examples, 8-9 Policy Editor, 8-11 Quality of Service Catalog, 7-69

Pipes Distribution Monitoring Graph, 6-25

Policy, 8-2 Adding Pipes, 8-22 Adding Rules, 8-26 Adding Virtual Channels, 8-24 Distributing, 8-35 Network Requirements, 8-21 Order, 8-28 Pipes, 8-3 Rules, 8-4 Templates, 1-11, 8-28 View Options, 8-12 Virtual Channels, 8-4 Workflow, 8-20

Policy Editor, 8-11 Importing Protocols, 7-27, 7-29 Menus, 8-13 Order, 8-28 Order of Definitions, 8-10 Pipes, 8-11 Status Bar, 8-19 Toolbar, 8-13 Virtual Channels, 8-11

Policy Table. See Policy Editor Power Redundancy, B-18 Power Supply, 2-9

LEDs, 2-10 Priority, 7-67


Index

Product Details Configuring, 4-11

Product IDs and Key Configuring, 4-11

Protocols Distribution Monitoring Graph, 6-39

Q QoS. See Quality of Service Quality, 5-18 Quality of Service, 1-4, 1-8, 8-6

Ignoring, 7-68 Pipes, 7-69 Virtual Channels, 7-75

Quality of Service Catalog, 7-66

R RADIUS

Setup, 4-34 Storage, 4-37

Rear Panel Enhanced Platform, 2-23 High Availability Platform, 2-9

Redundancy, B-7 Registering NetEnforcer, 3-7 Reporting, 1-7 Restoring Configuration, 4-47 Routing Table

Configuring, 4-22 Rules, 1-10, 8-4

Adding, 8-26 Examples, 8-9

S Security

Alerts, 10-6 Configuring, 4-18 Detecting Threats, 10-1 DoS Attacks, 10-2

Protective Mechanisms, 10-5 Risks, 10-2

Service Catalog, 7-20 Adding Content, 7-31 Defining Citrix Content, 7-47 Defining H.323 Content, 7-34, 7-43, 7-45 Defining Oracle Content, 7-41 Grouping Entries, 7-30 Importing Protocols, 7-26 Non-IP Protocols, 7-24 Non-TCP IP Protocols, 7-23 Non-UDP IP Protocols, 7-23 TCP IP Protocols, 7-21 UDP IP Protocols, 7-21

Setting Up NetEnforcer, 2-29 SNMP

Access Permissions, 11-3 Statistics, 11-2 Supported MIBs, 11-2

SNMP Parameters Configuring, 4-26

Standard View Configuration Window, 4-10

Status Indicators Enhanced Platform, 2-19

Storage Accounting, 4-37 RADIUS, 4-37

T TAP Mode, B-3 Templates, 8-28

Pipes, 8-29 Policy, 1-11 Virtual Channels, 8-32

Text Source, 7-89 Configuring, 4-40

Time and Date Settings, 2-38 Time Catalog, 7-52

Defining Time, 7-53


Index

Toolbar Alerts Editor, 9-17 Alerts Log, 9-21 Configuration Window, 4-9 Monitoring Window, 6-15 Policy Editor, 8-13

TOS Catalog, 7-57 Free Format, 7-61 Predefined Entries, 7-59

Traffic Classification, 1-5 Traffic Shaping, 7-77 Traps, 11-2, 11-4

Configuring Destinations, 11-4

U Unpacking


Utilization Monitoring Graph, 6-32

V Verifying Configuration, 4-49 Virtual Channels, 1-10, 8-4

Access Control, 8-5 Adding, 8-24 Creating Templates, 8-32 Examples, 8-9 Policy Editor, 8-11 Quality of Service Catalog, 7-75

Virtual Channels Distribution Monitoring Graph, 6-27

VLAN Configuration, 4-41 Setup, 4-41

VLAN Catalog, 7-63


Index


Date post:	08-Nov-2014
Category:	Documents
Upload:	maayanay
View:	409 times
Download:	83 times

Allot Manual

Documents