Net Enforcer Operation Guide v5.5


NetEnforcer® AC-400/800 Series

Policy Based Bandwidth Management

Operation Guide Version 5.5

P/N D364001


Important Notice

Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to the end users using this manual, regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise. SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL, INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT. Please read the End User License Agreement and Warranty Certificate provided with this product before using the product. Please note that using the products indicates that you accept the terms of the End User License Agreement and Warranty Certificate. WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Copyright

Copyright © 1997-2006 Allot Communications. All rights reserved. No part of this document may be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other language without written permission and specific authorization from Allot Communications Ltd.

Trademarks

Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation and to the owners' benefit, without intent to infringe. NetEnforcer® and the Allot Communications logo are registered trademarks of Allot Communications Ltd.


Printing History

First Edition: December 2001, Version 4.1
Second Edition: September 2002, Version 4.2
Third Edition: January 2004, Version 5.1
Fourth Edition: December 2004, Version 5.2
Fifth Edition: September 2006, Version 5.5


About This Guide

NetEnforcer Operation Guide v5.5 v

The NetEnforcer User's Manual describes how to install and configure NetEnforcer in your network, and how to use NetEnforcer to prioritize your network traffic.

This manual contains the following chapters:

Chapter 1, Introducing NetEnforcer, introduces NetEnforcer and provides an overall description of the architecture and functioning of the system.

Chapter 2, AC-400 Series, describes the NetEnforcer AC-400 Series, including its hardware, initial installation and setup requirements.

Chapter 3, AC-800 Series, describes the NetEnforcer AC-800 Series, including its hardware, initial installation and setup requirements.

Chapter 4, Configuring NetEnforcer, describes how to modify NetEnforcer's configuration parameters from a Web browser.

Chapter 5, NetWizard Quick Start, describes NetWizard, an easy-to-use wizard that enables a network manager without a wide knowledge base to have an up-and-running NetEnforcer in a relatively short time.

Chapter 6, Monitoring Network Traffic, describes how to monitor and analyze network traffic using the NetEnforcer monitoring tools.

Chapter 7, Defining Catalog Entries, describes NetEnforcer Catalogs and how to define new Catalog entries.

Chapter 8, Defining Policies, describes the process of defining a QoS policy and optimizing this policy in your network environment.

Chapter 9, NetEnforcer Alerts, describes the NetEnforcer Alerts Editor and Alerts Log.


Chapter 10, Detecting Security Threats, discusses the nature of DoS attacks and their impact on network performance, and describes the ways in which NetEnforcer detects and handles DoS attacks.

Chapter 11, SNMP Monitoring, describes NetEnforcer SNMP-based statistics and how to generate MRTG reports.

Appendix A, NetEnforcer Command Line Interface, describes how to use a command line interface to configure NetEnforcer.


Table of Contents

CHAPTER 1: INTRODUCING NETENFORCER .... 1-1
  What is NetEnforcer? .... 1-2
    Optional Software Packages .... 1-2
    NetEnforcer Environments .... 1-3
  How Does NetEnforcer Deliver QoS? .... 1-4
    Monitor .... 1-4
    Classify .... 1-5
    Enforce .... 1-6
    Report .... 1-7
  Fail-Safe Operation .... 1-7
  Terms and Concepts .... 1-8
    QoS .... 1-8
    Catalog Editors .... 1-9
    Pipes .... 1-9
    Virtual Channels .... 1-10
    Rules .... 1-10
    Templates .... 1-11
    NetWizard .... 1-12
  NetEnforcer in Action .... 1-13
    Scenario 1: Corporate .... 1-13
    Scenario 2: QoS in an Intranet .... 1-15
    Scenario 3: ISP .... 1-17
    Scenario 4: Satellite Provider .... 1-19
    Scenario 5: Enhancing Enterprise Security .... 1-20

CHAPTER 2: AC-400 SERIES .... 2-1
  AC-400 Series Packing List .... 2-2
  AC-400 Series Front Panel .... 2-3
    AC-402 Front Panel .... 2-3
    AC-404 Front Panel .... 2-5
    AC-400 Series LCD Panel .... 2-7
    Management Port .... 2-7
    AC-404 Interfaces .... 2-7
  AC-400 Series Rear Panel .... 2-9
  Rack Mounting the Unit .... 2-10
    Connection to Supply Circuit .... 2-10
    Ambient Temperature .... 2-10
    Airflow .... 2-10
    Reliable Grounding .... 2-10
    Preparing the NetEnforcer for Rack Installation .... 2-11
    Rack Mechanical Loading .... 2-11
  AC-400 Series Powering Up .... 2-12
  Setting Up the NetEnforcer .... 2-13
    Configuring Via a Terminal or Telnet .... 2-13
    Configuring Via the LCD Panel .... 2-24
  Redundancy .... 2-31
    Parallel Redundancy .... 2-31
    Active Redundancy .... 2-40
  AC-400 Hardware Specifications .... 2-43
    Standards, Compliance and Certifications .... 2-44
  Firewall Port Reference .... 2-46

CHAPTER 3: AC-800 SERIES .... 3-1
  AC-800 Series Packing List .... 3-2
  AC-800 Series Front Panel .... 3-3
    AC-802 Front Panel .... 3-4
    AC-804 Front Panel .... 3-5
    AC-808 Front Panels .... 3-6
    AC-800 Series LCD Panel .... 3-8
  AC-800 Series Rear Panel .... 3-10
    AC-800 Series Power Supply .... 3-11
    Cabling .... 3-13
    Connectors .... 3-18
  Bypass Units .... 3-19
    AC-802 Bypass Units .... 3-19
    AC-804 Bypass Unit .... 3-23
    AC-808 Bypass Unit .... 3-28
  Powering Up .... 3-31
  Setting Up the NetEnforcer .... 3-1
    Configuring Via a Terminal or Telnet .... 3-1
    Configuring Via the LCD Panel .... 3-12
  Redundancy .... 3-17
    Parallel Redundancy .... 3-17
    Active Redundancy .... 3-21
    Serial Redundancy .... 3-26
  AC-800 Hardware Specifications .... 3-30
    Standards, Compliance and Certifications .... 3-31
  Firewall Port Reference .... 3-33

CHAPTER 4: CONFIGURING NETENFORCER .... 4-1
  Overview .... 4-2
  Activating the NetEnforcer .... 4-5
  NetEnforcer Configuration Window .... 4-7
    Menu Bar .... 4-7
    Toolbar .... 4-9
  NetEnforcer Configuration Parameters .... 4-10
    Product IDs and Key .... 4-11
    Access Links .... 4-13
    IP and Host Name .... 4-15
    Security .... 4-18
    NIC .... 4-20
    Networking .... 4-22
    SNMP .... 4-26
    Connection Control .... 4-27
    Monitoring .... 4-29
    Internal Accounting Setup .... 4-30
    External Accounting Setup .... 4-32
    RADIUS Setup .... 4-34
    Accounting/RADIUS Storage .... 4-37
    LDAP/Text Source .... 4-40
    VLAN .... 4-41
    Alerts .... 4-43
    Denial of Service (DoS) .... 4-44
  Additional Configuration Options .... 4-46
    Backing Up Configuration .... 4-46
    Restoring Configuration .... 4-47
    Setting Date and Time .... 4-48
    Verifying Configuration .... 4-49

CHAPTER 5: NETWIZARD QUICK START .... 5-1
  Introducing NetWizard .... 5-2
  Monitoring Network Traffic .... 5-3
    Viewing Graphs .... 5-8
    Viewing Statistics .... 5-10
    Viewing Information .... 5-12
    Viewing the Log .... 5-14
  Defining Policies .... 5-15
    QoS Examples .... 5-18

CHAPTER 6: MONITORING NETWORK TRAFFIC .... 6-1
  Overview .... 6-2
    Graph Types .... 6-4
    Graph Views .... 6-5
    Graph Styles .... 6-6
    In/Out Bandwidth .... 6-7
  NetEnforcer Monitoring Window .... 6-8
    Accessing Monitoring Graphs .... 6-9
    Monitoring Window Menu Bar .... 6-12
    Monitoring Window Toolbar .... 6-15
  Monitoring Graphs .... 6-21
    Pipes Distribution .... 6-25
    Virtual Channels Distribution .... 6-27
    Bandwidth .... 6-29
    Connections .... 6-31
    Utilization .... 6-32
    Packets .... 6-33
    Most Active Pipes .... 6-35
    Most Active Virtual Channels .... 6-37
    Most Active Protocols .... 6-39
    Most Active Hosts .... 6-42
    Most Active Internal Hosts .... 6-43
    Most Active External Hosts .... 6-45
    Most Active Clients .... 6-47
    Most Active Servers .... 6-49
  Long-Term Monitoring .... 6-51
    Collecting Data for Long-Term Monitoring .... 6-51
    Adding Graphs .... 6-62
    Viewing Long-Term Monitoring Graphs .... 6-66

CHAPTER 7: DEFINING CATALOG ENTRIES .... 7-1
  Working with Catalog Editors .... 7-2
    Accessing Catalog Editors .... 7-3
    Protected Entries .... 7-5
    Deleting Entries from a Catalog .... 7-6
    Policy Editor Toolbar .... 7-6
  Host Catalog Editor .... 7-8
    Defining Host Lists .... 7-9
    Grouping Hosts .... 7-12
    Defining LDAP-based Hosts .... 7-14
    Defining Text File-Based Hosts .... 7-17
  Service Catalog Editor .... 7-20
    Defining TCP and UDP IP Protocols .... 7-21
    Defining Non-TCP and Non-UDP IP Protocols .... 7-23
    Defining Non-IP Protocols .... 7-24
    Importing Protocols .... 7-26
    Web Update .... 7-29
    Grouping Service Catalog Entries .... 7-30
    Adding Content .... 7-31
  Time Catalog Editor .... 7-52
  TOS (Type of Service) Catalog Editor .... 7-57
    Free Format .... 7-61
  VLAN Catalog Editor .... 7-63
    Defining VLANs .... 7-64
  Quality of Service Catalog Editor .... 7-66
    Ignoring Quality of Service .... 7-68
    Defining QoS for Pipes .... 7-69
    Defining QoS for Virtual Channels .... 7-75
  Connection Control Catalog Editor .... 7-81
    Load-Balancing .... 7-83
    Cache Redirection .... 7-85
  Data Source Catalog Editor .... 7-87

CHAPTER 8: DEFINING POLICIES .... 8-1
  NetEnforcer Policy .... 8-2
    Pipes .... 8-3
    Virtual Channels .... 8-4
    Rules .... 8-4
    Actions .... 8-5
    Using Pipes, Virtual Channels and Rules .... 8-9
  NetEnforcer Policy Editor .... 8-11
    View Options .... 8-12
    Policy Editor Menus and Toolbar .... 8-13
    Policy Editor Status Bar .... 8-19
  Defining Policy .... 8-20
    Defining Your Network Requirements .... 8-21
    Adding Pipes .... 8-22
    Adding Virtual Channels .... 8-24
    Adding Rules .... 8-26
    Policy Table Order .... 8-28
    Templates .... 8-28
    Distributing Policy to Other NetEnforcers .... 8-35

CHAPTER 9: NETENFORCER ALERTS .... 9-1
  Overview .... 9-2
    Important Preparation .... 9-4
  Alerts Editor .... 9-5
    Predefined Alerts .... 9-5
    Customized Actions .... 9-11
    Conditions for Alerts .... 9-12
    Defined Alerts List .... 9-16
    Alerts Editor Menus and Toolbar .... 9-17

Page 15: Net Enforcer Operation Guide v5.5

NetEnforcer Operation Guide v5.5 xiii

Alerts Log .................................................................................................................................................9-18 Alerts Log Menus and Toolbar..............................................................................................................9-21 Accessing Monitoring Graphs...............................................................................................................9-23 Filtering Alerts ......................................................................................................................................9-24

Alerts Event Messages .............................................................................................................................9-27

CHAPTER 10: DETECTING SECURITY THREATS ...........................................10-1 Overview...................................................................................................................................................10-2 Detecting and Handling DoS Attacks.....................................................................................................10-2

Denial of Service (DoS) Parameters......................................................................................................10-3 Additional Protective Mechanisms.........................................................................................................10-5 Security Alerts..........................................................................................................................................10-6

CHAPTER 11: SNMP MONITORING.....................................................................11-1 Viewing SNMP Statistics and Getting Traps ........................................................................................11-2

Supported SNMP MIBs.........................................................................................................................11-2 Access Permissions ...............................................................................................................................11-3 Configuring Trap Destinations ..............................................................................................................11-4 Traps......................................................................................................................................................11-4 MIB-II Support......................................................................................................................................11-5 Accessing the Allot MIBs .....................................................................................................................11-8

Working with SNMP-Based Management Tools ................................................................................11-11 Introducing MRTG..............................................................................................................................11-11 Installing MRTG for NetEnforcer .......................................................................................................11-12 Example MRTG Configuration File....................................................................................................11-15 Example NetEnforcer MRTG Graphs .................................................................................................11-17

APPENDIX A: NETENFORCER COMMAND LINE INTERFACE.....................A-1 NetEnforcer Command Line Interface ................................................................................... A-1

Command Execution Modes ................................................................................................... A-1 Accessing the CLI...................................................................................................................... A-2 Scripts......................................................................................................................................... A-2 CLI Command Syntax.............................................................................................................. A-3 Online Help ................................................................................................................................ A-4 Command Descriptions............................................................................................................. A-4

ToS Catalog Editing ................................................................................................................ A-5

Page 16: Net Enforcer Operation Guide v5.5

NetEnforcer Operation Guide v5.5 xiv

Data Source Catalog Editing.................................................................................................... A-5 VLAN Catalog Editing ............................................................................................................ A-6 QoS Catalog Editing ................................................................................................................ A-7 Host Catalog Editing................................................................................................................ A-9 Time Catalog Editing ............................................................................................................. A-11 Service Catalog Editing ......................................................................................................... A-12 Connection Control Catalog Editing...................................................................................... A-15 Policy Catalog Editing ........................................................................................................... A-17 List ......................................................................................................................................... A-19 Configuration Settings ........................................................................................................... A-20

Chapter 1: Introducing NetEnforcer

This chapter introduces NetEnforcer and explains how it delivers Quality of Service.

This chapter includes the following sections:

What is NetEnforcer?, page 1-2, introduces NetEnforcer, providing an overview of its functionality and describing typical environments for its use.

How Does NetEnforcer Deliver QoS?, page 1-4, provides an overview of the NetEnforcer workflow: monitor, classify, enforce and report.

Terms and Concepts, page 1-8, introduces some of the basic terms and concepts used in NetEnforcer.

NetEnforcer in Action, page 1-13, presents scenarios that provide examples of how NetEnforcer can optimize network traffic in a variety of working environments.

What is NetEnforcer?

NetEnforcer is a network policy enforcement device that enables you to monitor, categorize and optimize network traffic by assigning Quality of Service (QoS) to specified classes of traffic. QoS is the ability to define a level of performance in a data communications system.

The exponential growth in the use of the Internet, combined with an increasing number of Web-based applications, has resulted in unprecedented demands on existing communication system technologies. In order to achieve an acceptable level of service and overcome the bandwidth bottleneck problem, network managers need the capability to control network traffic and develop prioritization policies appropriate to available bandwidth.

NetEnforcer gives you the power to intelligently shape network bandwidth and deliver system-wide service level guarantees based on the needs and priorities of the network service provider or corporation.

Optional Software Packages

NetEnforcer can be further enhanced with the addition of optional software packages, as follows:

• NetAccountant: Provides policy-based tracking of bandwidth and transactions, usage-based reporting and billing.

• CacheEnforcer: Enables the enforcement of network caching policies.

• NetBalancer: Enables the distribution of traffic according to individual server capabilities.

NetEnforcer Environments

Typical application environments for the NetEnforcer product family include:

• Corporate Networks: NetEnforcer controls traffic flows from Web-based customers, internal users and remote offices to centralized corporate networks and services. Network managers can give high priority to mission-critical applications and assure necessary bandwidth to timing-critical applications such as voice and video.

• Internet Service Providers: NetEnforcer manages and enforces SLAs (Service Level Agreements). ISPs are able to deliver advanced bandwidth capabilities to customers and provide differentiated services, partition bandwidth and support Web hosting. NetEnforcer is geared for ISP operations providing full SLA support and integration with ODBC and RADIUS-based billing packages, in addition to interfacing to LDAP-based user directories.

• Educational Network: NetEnforcer limits the use of low priority traffic such as music and file-sharing applications, and assigns Quality of Service (QoS) for specific user groups. The NetEnforcer can limit students' access to particular sites and applications during business hours, while allowing high-priority access to faculty members or administrators.

• Wireless ISP Network: NetEnforcer offers service providers a complete suite of tools for better managing over-subscription and enforcing SLAs. NetEnforcer allows providers to immediately identify, and then cap or limit bandwidth abusers. Its Web-based policy manager, traffic monitor and IP accounting tools offer superior functionality and ease-of-use for allowing the service provider to discover how Internet access is being used. NetEnforcer is an ideal platform for rapidly provisioning new subscribers, creating and enforcing multiple tiers of service, and collecting usage-based billing information for export to an external database.

• Voice and Video Applications: NetEnforcer enables the prioritization of data applications and the guaranteeing of bandwidth to timing-critical, real-time applications like Voice over IP and Video. NetEnforcer allows control of your data and voice traffic. Through NetEnforcer, specific voice, video and multimedia traffic flows can be identified and the following actions can be assigned: minimum and maximum bandwidth, priorities, guaranteed rate, fairness and admission control.

• Satellite Network: Using NetEnforcer, satellite service providers reduce data retransmissions, assure fairness by prioritizing users and applications, and provide predictable, guaranteed bandwidth for video and voice-type streaming applications. NetEnforcer maximizes the efficiency of traffic flowing through satellite systems. Its advanced analysis capabilities allow the intelligent distribution of traffic through WAN channels based on the overall state of the satellite link, its delays and throughput. The end-result is a more efficient, reliable, and predictable system for delivering applications over the network.

How Does NetEnforcer Deliver QoS?

NetEnforcer provides policy-based bandwidth management. Policy is defined by classifying traffic and assigning QoS to each classification. Your policy is built and defined over time and can be continuously adapted to meet your network requirements. The NetEnforcer workflow is as follows:

Monitor

NetEnforcer's monitoring tools enable you to monitor in real-time the type of traffic flowing through your network and determine your current network application patterns. When and where your network has peaks, bursts and bottlenecks is hard to predict. The monitoring tools enable you to see these peaks in real time, which is crucial to managing these unwanted phenomena.

Different applications, such as e-Business, ERP and real-time applications, require performance guarantees. Other mission-critical applications may suffer from a shortage of bandwidth, while non-critical Web browsing and batch traffic, such as mail and FTP, may use up network resources. Using the monitoring tools, you can identify applications on your network that you consider mission-critical. These may be special applications that are time and/or resource sensitive, to which you may want to provide increased bandwidth or server resources. Similarly, you can identify items on your network that you consider low priority. These may include traffic that is neither time- nor response-sensitive, or applications that you wish to limit during busy hours, such as FTP traffic.

The NetEnforcer monitoring tools are described in Chapter 6, Monitoring Network Traffic.

Classify

Once you understand your network traffic patterns, you define a policy to improve your network performance.

QoS policy consists of a set of conditions (a rule) and a set of actions that apply when the conditions are satisfied. The actions include the QoS to be applied. For example, a rule might be defined as traffic from source A to destination B. When traffic matches that rule, the specified QoS is applied.

Classification is made easier with the use of Pipes and Virtual Channels. A Pipe and a Virtual Channel are defined by one or more rules and a set of actions.

Figure: a Pipe is made up of several Rules and a set of Actions; a Virtual Channel is likewise made up of Rules and a set of Actions.

A Pipe includes one or more Virtual Channels. Thus, your policy consists of a hierarchy of classification. Every connection into NetEnforcer is matched to a rule, as follows:

• Find the first Pipe rule that the connection matches. There is a default Pipe defined in NetEnforcer (Fallback Pipe). If a connection does not match the rules of any other Pipes, it matches the Fallback Pipe.

• Within that Pipe, find the first Virtual Channel rule that the connection matches. Every Pipe includes a default Virtual Channel (Fallback). If a connection does not match the rules of any other Virtual Channels within the Pipe, it matches the Fallback Virtual Channel.

• Apply the actions defined for that Virtual Channel.

Pipes enable ISPs to divide bandwidth into logical slices and offer them to customers. The customers can then further divide the slice of bandwidth using Virtual Channels. Similarly, enterprises with several links to the Internet can manage each link separately by defining a Pipe for each link.

To speed up the creation of your policy, you can use a Pipe or Virtual Channel template. Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other but with a different IP address as the source or destination. Thus, a template must include a list of IP addresses in the source or destination definition. A template saves the need to define similar Pipes or Virtual Channels when the only difference between them is the IP address in the source or destination.

Policy is defined in the Policy Editor (described in Chapter 8, Defining Policies). Values for the conditions that make up a rule and for actions are predefined in Catalogs (described in Chapter 7, Defining Catalog Entries).

Enforce

Saving a policy writes it to NetEnforcer, which then begins to enforce it. NetEnforcer continuously prioritizes and shapes network bandwidth according to your defined and saved policy.

Report

NetEnforcer's monitoring tools enable you to monitor in real-time the type of traffic flowing through your network and determine your current network application patterns.

Once again, NetEnforcer's monitoring tools enable you to monitor your network traffic and verify enforcement of the QoS policy. You can confirm that monitoring graphs reflect the behavior expected by the policy definition. You can monitor traffic in real-time and, using Long Term Monitoring, you can monitor your network's activity over a much longer period of time. If required, you can make adjustments to your QoS policy in order to fine-tune network performance.

The NetEnforcer monitoring tools are described in Chapter 6, Monitoring Network Traffic.

Fail-Safe Operation

Allot NetEnforcer has two fail-safe features that ensure proper and continuous network function: Bypass and Full Redundancy.

All NetEnforcers contain a Bypass element that connects the Internal connector to the External connector in the case of a subsystem failure in NetEnforcer or a power loss. This mechanism ensures that traffic continues to pass through passive elements of the NetEnforcer should any hardware or software problem occur. The Bypass is an internal element on all models except the High Availability AC-802 models, where it is implemented as an external Bypass module.

Full Redundancy is a backup mechanism that handles the failure of a network device, and ensures the network continues to function. Full Redundancy is provided by connecting two NetEnforcers in parallel. The primary NetEnforcer handles the traffic and the secondary NetEnforcer is designed to be in Standby mode as long as the primary NetEnforcer is active. Only if, for any reason, the primary NetEnforcer is not able to function properly, does the secondary NetEnforcer become active.

In Full Redundancy mode, Bypass is activated if both the Primary and Secondary NetEnforcer systems fail.

Terms and Concepts

This section introduces some of the basic terms and concepts used in NetEnforcer.

QoS

QoS is the ability to define a level of performance in a data communications system. In NetEnforcer, QoS is defined as an action applied to a connection when the conditions of a rule are satisfied. The QoS specified can include the following:

• Prioritized Bandwidth: Delivers levels of service based on a connection's importance level and demand for traffic relative to other connections. During peak traffic periods, the NetEnforcer will slow down lower priority applications, resulting in increased bandwidth delivery to higher priority applications.

• Guaranteed Bandwidth: Enables the assignment of fixed minimum and maximum amounts of bandwidth to specific Pipes, Virtual Channels and connections. By borrowing excess bandwidth when it is available, connections are able to burst above guaranteed minimum limits, up to the maximum guaranteed rate. Guaranteed rates also assure predictable service quality by enabling time-critical applications to receive constant levels of service during peak and non-peak traffic periods.

• Reserved Bandwidth on Demand: Enables the reservation of the minimum bandwidth from the first byte of a connection until the connection is ended. This is useful when the bottleneck is not at the link governed by NetEnforcer. By limiting other connections (those without guarantees), NetEnforcer reserves enough bandwidth for the required Pipe or Virtual Channel.

• TOS Marking: Enables the marking of connections admitted beyond the maximum connections allowed per Virtual Channel with a different TOS value. Additionally, out-of-profile traffic (beyond the guaranteed minimum) can be marked with a different TOS value than the in-profile traffic for each connection.

• Access Control: Determines whether a connection is accepted, dropped or rejected. For example, you can specify the following Pipe: accept 1000 ICMP connections to Server1 and drop the rest. NetEnforcer can also be instructed to accept new connections with a lower priority.

• Admission Control: Determines the bandwidth granted to a flow based on your demand (for example, allocated minimum of 10kbps) and NetEnforcer's system state (meaning, there is enough bandwidth available).

Catalog Editors

Catalog Editors enable you to define the values used in your policy. The possible values for each condition of a rule and for actions are defined as Catalog entries in the Catalog Editors. A Catalog Editor enables you to give a logical name to a comprehensive set of parameters (a Catalog entry). This logical name then becomes a possible value for a condition or action. Catalog Editors are described in detail in Chapter 7, Defining Catalog Entries.

Pipes

A Pipe provides a way of classifying traffic that enables you to divide the total bandwidth and then manage every Pipe as if it were an independent link. A Pipe consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of Virtual Channels from a QoS point of view. When you add a new Pipe, it always includes at least one Virtual Channel, the Fallback Virtual Channel. The rule of the Fallback Virtual Channel cannot be modified or deleted. A connection coming into NetEnforcer is matched to a Pipe according to whether the characteristics of the connection match any of the rules of the Pipe. The connection is then further matched to the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are enforced together with the actions of the Pipe.

Virtual Channels

A Virtual Channel provides a way of classifying traffic and consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further matched to a Virtual Channel according to whether the characteristics of the connection match any of the rules of the Virtual Channel.

Rules

A rule is a set of six conditions. Rules can be defined at Pipe level or Virtual Channel level. NetEnforcer matches connections to rules, first at the Pipe level and then at Virtual Channel level within a Pipe.

The six conditions that make up a rule are as follows:

• Connection Source: Defines the source of the traffic. For example, a specific IP or MAC address, a range of IP addresses, IP Subnet addresses, or host names. The default value is Any which covers traffic from any source.

• Connection Destination: Defines the destination of the traffic. For example, a specific IP or MAC address, a range of IP addresses, IP Subnet addresses, or host names. The default value is Any, which covers traffic to any destination.

• Service: Defines the protocols relevant to a connection. Protocols may be TCP and UDP IP type, non-TCP and non-UDP type or non-IP type. TCP and UDP IP protocols are defined based on port type. HTTP protocols may include content definitions, such as specific Web directories, pages, or URL patterns. The default value is all, which covers all protocols.

• TOS: Defines the TOS byte contained in the IP headers of the traffic. The default value is Any, which covers any TOS value.

• VLAN: Defines VLAN bits contained in the VLAN header of the traffic. The default value is Any, which covers any VLAN value.

• Time: Defines the time period during which the traffic is received. For example, daily between 8.00 AM and 6.00 PM, Sundays between 12.00 AM and 12.00 PM, or on the 1st and 15th of the month. The default value is Always, which covers traffic at any time.

When a new Pipe or Virtual Channel is created, it is assigned a default rule with default values for each condition and you can modify these values as required.

Templates

Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other. Templates work with host group entries and LDAP-based hosts entries defined in the Host Catalog. For example, if you had a host group entry in the Host Catalog called Gold Customers that consisted of Company X, Company Y and Company Z, you could define a Pipe template to be expanded for Gold Customers. This would result in Pipes being created for Company X, Company Y and Company Z when the Policy Editor is saved.

A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual Channels on source/destination differentiation. This means that you do not need to define similar Pipes and Virtual Channels when the only difference between them is the IP address in the source or destination.

NetWizard

NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a network, enabling the network manager to quickly define QoS policies for each type of protocol in the network. This, in turn, improves the efficiency and application response time of the network.

NetWizard automatically identifies the traffic protocols in your network and then guides you through the QoS configuration process, allowing you to assign minimum and maximum bandwidth and priority for the various protocols.

With NetWizard, you need not be initially acquainted with every protocol or the traffic patterns in your network in order to define QoS policy. Once you make your initial selections, a QoS policy is generated, enabling NetEnforcer to enforce that policy in your network. Further refinement of the policy is possible when you have become more familiar with NetEnforcer tools, such as the Policy Editor and Catalog Editors.

NetEnforcer in Action

The following scenarios provide examples of how NetEnforcer can optimize network traffic in a variety of working environments.

Scenario 1: Corporate

In this example, the Pipe feature enables the network manager to manage traffic to three different WAN links by creating a Pipe for each one of them.

Figure 1-1 - Corporate Network Structure with Three Outgoing WAN Links

The network manager would like to assign a maximum of 2Mbps for each WAN link. The multiple protocol traffic is going to different locations, based on the IP address.

Pipes are created as follows:

• Link 1 traffic is limited to 2Mbps with Business applications (SAP) and Multimedia classified based on TOS marking.

• Links 2 and 3 are also limited to 2Mbps.

All traffic to links is classified based on the destination address.

The Policy Editor is set up as follows:

Figure 1-2 - Policy for Corporate Traffic
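The lookup order described under Classify (first matching Pipe, then first matching Virtual Channel inside it, with a Fallback at each level), the six rule conditions from Terms and Concepts, and the Scenario 1 policy above, worked through as an added Python model. This is example code written for this guide, not Allot's software; the destination subnets, the TOS values assumed for SAP and multimedia traffic, the business-hours window and the Virtual Channel actions are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import time as dtime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

ANY = "Any"  # default for Source, Destination, TOS and VLAN; Service defaults to "all", Time to "Always"


@dataclass(frozen=True)
class Connection:
    """A connection as the classifier sees it (all sample values used below are constructed)."""
    src: str              # source IPv4 address
    dst: str              # destination IPv4 address
    service: str          # protocol/application name, e.g. "SAP", "HTTP"
    tos: int              # the IP TOS byte
    vlan: Optional[int]   # VLAN id, or None when untagged
    at: dtime             # time of day the connection arrived


def _in(spec: str, addr: str) -> bool:
    """Host condition: 'Any', a single address (treated as /32) or a CIDR subnet."""
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Rule:
    """The six conditions of a rule; each field keeps its match-anything default unless set."""
    source: str = ANY                     # "Any", a host IP, or a subnet such as "10.1.0.0/16"
    destination: str = ANY
    service: str = "all"
    tos: Union[int, str] = ANY
    vlan: Union[int, str] = ANY
    time: Union[Tuple[dtime, dtime], str] = "Always"   # daily window (start, end) or "Always"

    def matches(self, c: Connection) -> bool:
        return (_in(self.source, c.src) and _in(self.destination, c.dst)
                and (self.service == "all" or self.service == c.service)
                and (self.tos == ANY or self.tos == c.tos)
                and (self.vlan == ANY or self.vlan == c.vlan)
                and (self.time == "Always" or self.time[0] <= c.at <= self.time[1]))


@dataclass
class VirtualChannel:
    name: str
    rules: List[Rule]                                   # the VC matches if ANY of its rules matches
    actions: Dict[str, object] = field(default_factory=dict)


@dataclass
class Pipe:
    name: str
    rules: List[Rule]
    actions: Dict[str, object] = field(default_factory=dict)
    vcs: List[VirtualChannel] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Every Pipe ends with a Fallback Virtual Channel whose default rule matches anything.
        self.vcs = list(self.vcs) + [VirtualChannel("Fallback", [Rule()])]


def classify(policy: List[Pipe], c: Connection) -> Tuple[str, str, Dict[str, object]]:
    """First matching Pipe, then first matching VC inside it; Pipe actions apply to every VC under it."""
    for pipe in policy:
        if any(r.matches(c) for r in pipe.rules):
            for vc in pipe.vcs:
                if any(r.matches(c) for r in vc.rules):
                    return pipe.name, vc.name, {**pipe.actions, **vc.actions}
    raise RuntimeError("policy must end with a Fallback Pipe")   # unreachable with scenario1_policy()


# Scenario 1 policy. Subnets, TOS markings, the time window and the VC actions are constructed
# for this example; the guide states only the 2 Mbps per link and classification by destination/TOS.
BUSINESS_HOURS = (dtime(8, 0), dtime(18, 0))
TOS_BUSINESS, TOS_MULTIMEDIA = 0x28, 0xB8


def scenario1_policy() -> List[Pipe]:
    link1 = Pipe("Link 1", [Rule(destination="10.1.0.0/16")], {"max_kbps": 2000}, [
        VirtualChannel("Business (SAP)", [Rule(tos=TOS_BUSINESS, time=BUSINESS_HOURS)], {"priority": "high"}),
        VirtualChannel("Multimedia", [Rule(tos=TOS_MULTIMEDIA)], {"priority": "high", "min_kbps": 500}),
    ])
    link2 = Pipe("Link 2", [Rule(destination="10.2.0.0/16")], {"max_kbps": 2000})
    link3 = Pipe("Link 3", [Rule(destination="10.3.0.0/16")], {"max_kbps": 2000})
    fallback = Pipe("Fallback", [Rule()])          # claims whatever no other Pipe matched
    return [link1, link2, link3, fallback]         # order matters: the first match wins


if __name__ == "__main__":
    pol = scenario1_policy()
    sap = Connection("192.0.2.10", "10.1.5.5", "SAP", TOS_BUSINESS, None, dtime(10, 0))
    print(classify(pol, sap))   # ('Link 1', 'Business (SAP)', {'max_kbps': 2000, 'priority': 'high'})
    print(classify(pol, Connection("192.0.2.10", "203.0.113.9", "HTTP", 0, None, dtime(10, 0))))
```

Because each level is first-match, a Pipe or Virtual Channel listed after a broader one is never reached; the Policy Table order discussed in Chapter 8 is what decides this.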

Scenario 2: QoS in an Intranet

Corporate Intranets have become key repositories of business information needed by employees across the enterprise. Companies also rely on the existence of network-based services for their businesses, running mission critical applications for ERP, CRM, eCommerce, and more. Poor application response times, caused by the mix of business-critical and non-critical traffic on the same network, quickly translate into decreased productivity, lost revenues and increased business costs. In addition, the penetration of time-sensitive video conferencing and voice over IP (VoIP) offer low-cost alternatives to expensive business trips and telephone conference calls, but these applications require sustained network performance and therefore place increased demands on the network.

NetEnforcer enables mission-critical applications to run smoothly over otherwise unmanaged and congested Intranets. NetEnforcer ensures the response time of mission-critical applications by prioritizing their traffic or guaranteeing them a portion of bandwidth. At the same time, traffic from less critical and less time-sensitive applications receives a limited amount of bandwidth or a lower priority. NetEnforcer guarantees the performance of business-critical applications by grouping and defining policies that will classify traffic into categories such as "Mission-Critical Billing Application" or "Time-Sensitive Voice over IP."

The figure below illustrates how a NetEnforcer manages an Intranet's mission critical traffic.

Figure 1-3 - Managing an Intranet's mission-critical traffic with the NetEnforcer

A policy-based quality of service (QoS) solution ensures that mission-critical applications receive the bandwidth they require. NetEnforcer controls important network resources such as bandwidth, servers, applications and users. It also monitors and records traffic usage information based on clients, servers, application, time and DiffServ tagging.


Scenario 3: ISP

An Internet Service Provider sells slices of bandwidth to subscribers (defined in Pipes), with an advanced offering of tiered services (for example, Gold, Silver and Bronze customers). Customer traffic must be managed with high granularity, for example by creating a separate Pipe for each subscriber and dividing traffic according to the customer's needs.

Figure 1-4 - Wireless ISP Network

The ISP would like to control the maximum usage of each subscriber while limiting the total bandwidth used. Moreover, the ISP needs to over-subscribe customers (there are more customers than the bandwidth available for each VC/Pipe). The ISP would like to offer tiered services.

The ISP does the following:

• Assigns Gold, Silver and Bronze service levels.

• Sets a maximum of 8Mbps to Smart Building tenants (minimum 2Mbps).

• Assigns a minimum of 60 Kbps and a maximum of 100 Kbps to each and every home user.


• Using templates, the ISP is able to over-subscribe tenants (since, most probably, not all of them will be active at the same time).

• A Silver level is assigned to Regional Office 1 users with a minimum of 100 Kbps and a maximum of 250 Kbps.

• Lotus Notes users are assured a minimum of 40 Kbps.

• A Bronze level is assigned to Regional Office 2 (minimum 40 Kbps and maximum 250 Kbps).

The Policy Editor is set up as follows:

Figure 1-5 - Policy for Wireless ISP Traffic


Scenario 4: Satellite Provider

Reduce Packet Loss and Network Delays

In today's typical LANs, routers or access devices simply drop packets when excess traffic causes congestion. In a satellite network, the satellite link is the most expensive resource on the network. Long delays in packet transmission from a ground station to the satellite and then back to the ground cause serious degradation in the overall throughput of the system. This problem is compounded as other parts of the network introduce more, inconsistent delays, resulting in a very unpredictable end-to-end network environment. Because of this, it is critical in a satellite environment that lost traffic and packet retransmissions are reduced to a minimum.

Using NetEnforcer, satellite service providers reduce data retransmissions, assure fairness by prioritizing users and applications, and provide predictable, guaranteed bandwidth for video and voice-type streaming applications. NetEnforcer maximizes the efficiency of traffic flowing through satellite systems. Its advanced analysis capabilities allow the intelligent distribution of traffic through WAN channels based on the overall state of the satellite link, its delays and throughput. The end-result is a more efficient, reliable, and predictable system for delivering applications over the network.

Figure 1-6 - NetEnforcer in Satellite Network


Satellite service providers offer local services that allow many customers to share a common satellite link to remote services. NetEnforcer is placed between the local network of the satellite provider and the remote users.

Assure Fairness

In most satellite environments, a single uplink from the service provider delivers bandwidth intended for multiple users while the downlink is broadcast simultaneously to many different networks. This results in a few low-priority users or applications taking up most of the available resources without regard to the applications’ importance or overall need for bandwidth. Using NetEnforcer in satellite networks assures fairness between users and applications.

Scenario 5: Enhancing Enterprise Security

One of the best security practices for the enterprise is to design a multi-layered security system using NetEnforcer to monitor, alert and block DoS attacks, and enhance the overall security of the network. You can also use NetEnforcer to improve network performance by resource management and create a first line of protection from illegitimate users and applications that seize an undeserved share of resources.

NetEnforcer detects known DoS attacks and intelligently blocks new flows suspected as destructive traffic. Placing NetEnforcer at the edge of the enterprise network enhances the performance of firewalls and other internal network devices. NetEnforcer discards malicious traffic packets that slip past routers and firewalls to improve application performance and enhance network security.


How to set up your network with NetEnforcer to prevent DoS attacks is shown in the following diagram:

Figure 1-7 - Preventing a DoS Attack with NetEnforcer

An attacker sends broadcast pings using a victim's address as the source address. The pings go to all addresses on the subnet and each device on the subnet responds to the ping, flooding the victim with ICMP traffic. In a network protected with NetEnforcer, all ping (ICMP) traffic is monitored. When NetEnforcer detects excessive amounts of ICMP connections, it discards the malicious traffic, thereby blocking the DoS attack.
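The detection step described above, as an added example that is not code from the NetEnforcer product: a sliding-window counter flags a host that receives more ICMP packets than a threshold within a short window and reports the senders whose ICMP flows a shaper would then discard. The flow records, the 1-second window and the threshold of 50 packets are constructed for the sample, not product defaults.

```python
"""Sliding-window detection of an ICMP (smurf-style) flood.

Added illustration, not code from the NetEnforcer product. It models the
check the guide describes: watch all ICMP traffic and act when one host
receives an excessive amount. Window and threshold values are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # timestamp in seconds
    src: str         # source IP
    dst: str         # destination IP
    proto: str       # "icmp", "tcp" or "udp"
    icmp_type: int   # 0 = echo reply, 8 = echo request, -1 = not ICMP


class IcmpFloodDetector:
    """Counts ICMP packets per destination inside a sliding time window.

    When a destination exceeds `threshold` packets within `window` seconds,
    observe() returns that destination and the distinct senders seen in the
    window; a shaper can then discard ICMP from those senders to the victim.
    """

    def __init__(self, window=1.0, threshold=50):
        self.window = window
        self.threshold = threshold
        self._events = defaultdict(deque)   # dst -> deque of (ts, src)

    def observe(self, flow):
        """Feed one flow record. Returns (dst, senders) on alert, else None."""
        if flow.proto != "icmp":
            return None
        q = self._events[flow.dst]
        q.append((flow.ts, flow.src))
        # Expire events older than the window (records arrive in time order).
        while q and flow.ts - q[0][0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            return flow.dst, {src for _, src in q}
        return None


def scan(flows, window=1.0, threshold=50):
    """Run the detector over flows; return {victim_dst: set of senders to discard}."""
    det = IcmpFloodDetector(window, threshold)
    alerts = {}
    for flow in sorted(flows, key=lambda f: f.ts):
        hit = det.observe(flow)
        if hit is not None:
            dst, senders = hit
            alerts.setdefault(dst, set()).update(senders)
    return alerts


def normal_flows():
    """Constructed sample: a few spaced-out pings and some TCP, nothing excessive."""
    flows = [Flow(float(t), "192.0.2.20", "192.0.2.30", "icmp", 8) for t in range(5)]
    flows += [Flow(0.5 + i, "192.0.2.40", "192.0.2.50", "tcp", -1) for i in range(20)]
    return flows


def smurf_flows():
    """Constructed sample: 60 hosts on one subnet echo-reply to the spoofed
    victim address within 0.3 s, as in the attack the guide describes."""
    victim = "192.0.2.10"
    return [Flow(i * 0.005, f"198.51.100.{i + 1}", victim, "icmp", 0)
            for i in range(60)]


if __name__ == "__main__":
    for dst, senders in scan(normal_flows() + smurf_flows()).items():
        print(f"ICMP flood toward {dst}: discard ICMP from {len(senders)} senders")
```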


Chapter 2: AC-400 Series

The Allot NetEnforcer AC-400 Series enables the definition and classification of traffic by users, applications and resources. Several NetEnforcer AC-400 models are available to support large and small sites and different data network speeds.

The AC-400 Series platform is 1.75" high (one rack unit).

Each model type has a different number of ports to accommodate different requirements:

• AC-402: Two Ports, 1 Line

• AC-404: Four Ports, 2 Lines

All NetEnforcer AC-400 series units support:

• 96,000 connections (192,000 flows)

• 1,024 Pipes

• 4,096 Virtual Channels

The NetEnforcer AC-402 is a general-purpose device with one line (two port) connectivity for small enterprises. The device is available with AC power supplies and copper interfaces. The AC-402 may be ordered with an upgradable throughput of 2 Mbps, 10 Mbps, 45 Mbps or 100 Mbps (full duplex).

The NetEnforcer AC-404 is intended to be used in medium sized enterprise networks that require the ability to handle dual network segments. The AC-404 has two line (four port) connectivity. The device is available with AC power supplies and with copper interfaces. The AC-404 may be ordered with an upgradable throughput of 2 Mbps, 10 Mbps, 45 Mbps or 100 Mbps (full duplex).


AC-400 Series Packing List

Verify that the following items are included with the NetEnforcer:

• NetEnforcer (hardware with pre-installed software)

• NetEnforcer Documentation

• 1 Power Cable

• 1 Cross Ethernet Cable

• 1 Serial Console Cable

• 2 19" Side Mounting Brackets

All NetEnforcer models contain a lithium battery on the main board.

CAUTION Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer’s instructions.

NOTE The maximum Ethernet cable length is generally up to 50 meters.


AC-400 Series Front Panel

The NetEnforcer AC-400 Series connects to your network via connectors located on the front panel. The LCD panel, connectors and LED indicators on the front panel of each model are shown below.

AC-402 Front Panel

Figure 2-1 – NetEnforcer Front Panel: AC-402

The front panel of the AC-402 contains nine LEDs. Two LEDs are positioned on each of the External, Internal and Management network connectors. The remaining three LEDs are the Standby, Active and Power indicators.

The modes of operation of the External, Internal and Management indicators are described in the table below.

Indicator   Status   NetEnforcer Status
Green       On       A valid link is detected (either 10 or 100Mbps).
Green       Off      No valid link.
Orange      On       Blinks when traffic (activity) is detected on the interface.
Orange      Off      No traffic (activity) is detected on the interface.

Table 2-1 – External/Internal/Management LED Conditions: AC-402


The modes of operation of the Standby, Active and Power indicators are described in the table below.

Indicator   Status   NetEnforcer Status
Standby     On       Two NetEnforcers are connected in Redundancy mode and this NetEnforcer is the secondary system.
Standby     Off      If you have one NetEnforcer, this should be the normal state of the LED. If you have two NetEnforcers configured in Redundancy mode, this NetEnforcer is not in standby.
Active      On       NetEnforcer is in Active mode.
Active      Off      NetEnforcer is in Bypass mode. Traffic passes through NetEnforcer with no Quality of Service or traffic shaping. If you have two NetEnforcers configured in Redundancy mode, this is the secondary NetEnforcer in a Parallel Redundancy configuration and it is not active (in the other NetEnforcer this LED should be on).
Power       On       NetEnforcer is powered up.
Power       Off      NetEnforcer is shut down.

Table 2-2 – Standby/Active/Power LED Conditions: AC-402


AC-404 Front Panel

Figure 2-2 – NetEnforcer Front Panel: AC-404 (callouts: Management Port, LCD Panel, Line 1 Internal/External Ports, Line 2 Internal/External Ports, Console Port)

The front panel of the AC-404 contains thirteen LEDs. Two LEDs are positioned on each of the External, Internal and Management network connectors. The remaining three LEDs are the Standby, Active and Power indicators.

The modes of operation of the External, Internal and Management indicators are described in the table below.

Indicator   Status   NetEnforcer Status
Green       On       A valid link is detected (either 10 or 100Mbps).
Green       Off      No valid link.
Orange      On       Line 1: Blinks when traffic (activity) is transmitted on the interface. Line 2: Blinks when traffic (activity) is transmitted or received on the interface.
Orange      Off      No traffic (activity) is detected on the interface.

External/Internal/Management LED Conditions: AC-404

The modes of operation of the Standby, Active and Power indicators are described in the table below.

Indicator   Status   NetEnforcer Status
Standby     On       Two NetEnforcers are connected in Parallel Redundancy mode and this NetEnforcer is the secondary system.
Standby     Off      If you have one NetEnforcer, this should be the normal state of the LED. If you have two NetEnforcers configured in Parallel Redundancy mode, this NetEnforcer is not in standby.
Active      On       NetEnforcer is in Active mode.
Active      Off      NetEnforcer is in Bypass mode. Traffic passes through NetEnforcer with no Quality of Service or traffic shaping. If you have two NetEnforcers configured in Parallel Redundancy mode, this is the secondary NetEnforcer in the configuration and it is not active (in the other NetEnforcer this LED should be on).
Power       On       NetEnforcer is powered up.
Power       Off      NetEnforcer is shut down.

Standby/Active/Power LED Conditions: AC-404


AC-400 Series LCD Panel

The LCD panel provides an indication of traffic usage and enables the system to be configured directly without connecting a terminal.

Figure 2-3 – NetEnforcer LCD Panel: AC-400 Series (callouts: Display Area, Standby Indicator, Active Indicator, Power Indicator, On/Off, Select, Enter, Up Arrow, Down Arrow, Left Arrow, Right Arrow)

Management Port

The dedicated Management port on all NetEnforcer models enables out-of-band management of the device. Operating through the Management port increases security by denying access to the device via the Internal or External ports. Moreover, when there is a problem in the regular network it is still possible to manage and monitor the NetEnforcer.

AC-404 Interfaces

The AC-404 has two different interface types:

• Internal1 and External1 are 100BaseT interfaces

• Internal2 and External2 are 1000BaseT interfaces

All interfaces function as terminal interfaces (DTE) and as such need to be connected to DCE with a straight cable. The following should be noted.

• When connecting the AC-404 to devices that function as DCE (e.g. switch port, hub etc.) via 10BaseT or 100BaseT, a straight CAT-5 cable should be used.


• When connecting the AC-404 to devices that function as DTE (e.g. router) via 10BaseT or 100BaseT, a crossed CAT-5 cable should be used.

• When connecting the AC-404 to devices via 1000BaseT (available only on INTERNAL2 and EXTERNAL2), a straight CAT-5 cable should always be used.


AC-400 Series Rear Panel

The rear panel of the NetEnforcer AC-400 Series contains the following:

• Power Switch

• Power Cable Connector

• Backup (37-pin D-type) Connector

• Ground Connector

• Serial Port (for future use)

Figure 2-4 – NetEnforcer Rear Panel: AC-400 Series (callouts: Power Switch, Power Cable Connector and Fuse, Serial Connector, Backup Connector, Grounding Screw)

CAUTION The power supply unit includes an internal fuse. Only Allot Service personnel are authorized to replace it.

NOTE The power supply automatically adapts to voltages between 100V and 240V.


Rack Mounting the Unit

The NetEnforcer may be mounted in an open or closed standard 19-inch (48.26 mm) rack using the rack-mount bracket kit. This section describes how to prepare the device and rack for installation and how to mount the device in the rack.

Connection to Supply Circuit

The electrical power cords serve as the means of disconnecting the device. The user can power down the device only by removing the two electrical power cords from the power source or from the device itself.

CAUTION Make sure the wall socket outlet is installed near the equipment and that the socket is easy to access. It is recommended that the wall power outlet be connected to the building installation protection. When connecting a NetEnforcer to 120 VAC supply, plug into 15 A service receptacles, type N5/15 or NEMA 5-15R.

Ambient Temperature

The device has a maximum operating ambient temperature of 104° F (40° C). The ambient temperature around the rack should not exceed this value.

Airflow

To ensure proper cooling, airflow should be unrestricted within or around the rack. Keep the area four to six inches behind the enclosure unobstructed. Make sure that there is proper airflow around all of the NetEnforcer's vent openings.

Reliable Grounding

Make sure that each installation site has a suitable ground connection. Connect ground to all the metal racks, enclosures, boxes and raceways. The NetEnforcer equipment should be reliably grounded through the power supply cord.


Preparing the NetEnforcer for Rack Installation

Attach the mounting brackets included in the NetEnforcer accessory kit to both sides of the device, using all eight Phillips pan-head screws included in the kit. Insert the screws into the holes on both sides of the device.

Rack Mechanical Loading

When mounting the device in the rack, ensure that a hazardous condition does not result due to uneven mechanical loading.


AC-400 Series Powering Up

Connect the NetEnforcer to an AC power source and set the Power switch (located on the rear panel) to On. The Power indicator on the LCD panel is lit.

The display area of the LCD panel indicates the following: Power On.

After a few seconds, the display area of the LCD panel indicates the following: System Loading *.

Once the system has completed loading, the following occurs:

• The Active LED on the LCD panel is lit, meaning that NetEnforcer is now connected to the network and it is ready.

• The display area of the LCD panel indicates the default view - the current bandwidth consumption. For example:

Inbound: XXX.X

Outbound: YYY.Y

You can now proceed to configure the NetEnforcer, as required.


Setting Up the NetEnforcer

In order to manage and configure NetEnforcer policies remotely from your Web browser, several basic parameters must be configured on NetEnforcer. You can configure these basic parameters using a terminal connected to NetEnforcer or by using the LCD panel.

Configuring Via a Terminal or Telnet

You can use a standard terminal/PC running terminal emulation software connected to the Console port, or Telnet via the Internet, to configure a NetEnforcer. If you choose to connect via the Console port, most standard Windows-based PC systems have a terminal emulation program called HyperTerminal that can be used for this purpose. Configure the terminal to run VT100 terminal emulation with the following parameters:

• Baud rate 19200

• 8 data bits

• Stop bits 1

• No flow control

• No parity


To connect a terminal to the NetEnforcer:

1. Use the supplied serial cable to connect the terminal to the Console Connector on the front panel of the NetEnforcer.

2. Connect the power cable and power up NetEnforcer, as described in Powering Up, page 2-10.

3. At the terminal, select Start > Programs > Accessories and double-click on the HyperTerminal icon. Enter a name for the session, then set the COM port and the parameters listed above. The system boots up and you are prompted for a login and a password.

4. Enter admin for the login and allot for the password. (To change the password, see page 2-21.)

5. Press <Enter>. The NetEnforcer Setup Menu is displayed:

Figure 2-5 – NetEnforcer Setup Menu


To connect to a NetEnforcer via Telnet:

1. Open a Microsoft DOS window on a PC and at the C:\ prompt, enter Telnet (IP address of NetEnforcer). Press <Enter>. The system boots up and you are prompted for a login and a password.

2. Enter admin for the login and allot for the password. (To change the password, see page 2-21.)

3. Press <Enter>. The NetEnforcer Setup Menu is displayed.

NetEnforcer Start Menu

From this menu, you can perform the following tasks:

• Display the current configuration, page 2-16.

• Configure network parameters, page 2-18.

• Change the login password, page 2-21.

• Modify the date and time settings, page 2-22.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After rebooting is completed, NetEnforcer is ready to be connected and to add Quality of Service in your network.


Displaying the Current Configuration

You can display and view the currently set network configuration parameters at any time.

To display the current configuration:

1. In the NetEnforcer Setup Menu, enter 1 (List current configuration) and press <Enter>. The current network configuration parameters are displayed. A sample screen is shown below:

Figure 2-6 – Current Configuration (1)


2. Press <Enter> to show the second screen of parameters:

Figure 2-7 – Current Configuration (2)

3. Press <Enter> to return to the NetEnforcer Setup Menu.


Configuring Network Parameters

You can define network parameters manually.

To define network parameters manually:

1. In the NetEnforcer Setup Menu, enter 2 (Network configuration) and press <Enter>. The Network Configuration menu is displayed:

Figure 2-8 – Network Configuration

2. Enter 2 (Manual configuration) and press <Enter>.


3. Enter values for the following IP parameters:

Device IP Address The IP address for your NetEnforcer, for example, 10.1.18.7.

Network mask The network mask for your NetEnforcer, for example, 255.0.0.0.

Device Hostname The host name for your NetEnforcer, for example, Jonny2.

Domain name A domain name for your NetEnforcer, for example, allot.com. Do not provide a leading ‘.’.

Default gateway IP address The IP address of your default gateway, for example, 10.0.02. If you do not have a default gateway, enter NONE.

Default gateway interface If you entered a default gateway in the previous step, the NetEnforcer interface to which it is connected, either 0 for Internal or 1 for External.

Primary name server IP address

If you have a Domain Name Server (DNS), its IP address. If you do not have a DNS, enter none.

Secondary name server IP address

If you have a second DNS, its IP address. If you do not have a second DNS, enter none.

Enable VLAN Environment Enables or disables the VLAN environment.


The Ethernet Adapter Settings screen is displayed.

4. Enter the following parameters to set up the NetEnforcer Ethernet adapters:

• The duplex type for the Internal interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.

• If you selected full or half duplex, enter the link speed of the Internal interface, 10M or 100M. Use M for Mbps.

• The duplex type for the External interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.

• If you selected full or half duplex, enter the link speed of the External interface, 10M or 100M. Use M for Mbps.

5. Enter the following parameters to set up the Management Port:

• The duplex type for the Internal interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.

• If you selected full or half duplex, enter the link speed of the Internal interface, 10M or 100M. Use M for Mbps.

• The duplex type for the External interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.

• If you selected full or half duplex, enter the link speed of the External interface, 10M or 100M. Use M for Mbps.

NOTE If the NetEnforcer unit is being managed via NetXplorer, only the Management Port can be configured on the Ethernet Adapter Settings screen.

6. Press <Enter> to finish and return to the Network Configuration menu.

7. To save your configuration, enter 3 (Save latest settings as current configuration) from the Network Configuration menu. A message is displayed, asking whether you wish to make your changes effective immediately. Enter y or n.
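A pre-flight check for the values entered in steps 3 to 7, added here as an example and not part of the NetEnforcer software: it validates a proposed configuration against the rules the guide states (IPv4 addresses, no leading '.' in the domain, NONE/none for an absent gateway or name server, gateway interface 0 or 1) and additionally confirms the gateway lies inside the device's own subnet, so a mistyped address is caught before the unit is rebooted. The dictionary keys are this example's own naming, and the gateway value 10.0.0.2 in the sample is constructed.

```python
"""Pre-flight validation of the manual network parameters.

Added example, not part of the NetEnforcer software. It checks the values an
operator is about to type into the Network Configuration menu (device IP,
mask, hostname, domain, default gateway and interface, name servers) against
the rules stated in the guide plus basic IP consistency. Key names are this
example's own; the sample gateway address is constructed.
"""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _ipv4(value):
    """Return an IPv4Address, or None if the text is not a dotted quad."""
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return None


def validate_network_config(cfg):
    """Return a list of problems; an empty list means the values are consistent.

    cfg keys: ip, mask, hostname, domain, gateway, gateway_if, dns1, dns2.
    "NONE"/"none" for gateway and name servers means not configured, as in
    the menu prompts.
    """
    errors = []

    ip = _ipv4(cfg.get("ip", ""))
    if ip is None:
        errors.append("ip: not a valid IPv4 address")

    # Build the device's subnet from IP + mask; strict=False allows host bits.
    net = None
    if ip is not None:
        try:
            net = ipaddress.IPv4Network((ip, cfg.get("mask", "")), strict=False)
        except ValueError:            # NetmaskValueError is a ValueError
            errors.append("mask: not a valid network mask")

    if not _LABEL.match(cfg.get("hostname", "")):
        errors.append("hostname: must be a single DNS label (e.g. Jonny2)")

    domain = cfg.get("domain", "")
    if domain.startswith("."):
        errors.append("domain: must not start with a leading '.'")
    elif not all(_LABEL.match(part) for part in domain.split(".")):
        errors.append("domain: not a valid domain name")

    gw_text = cfg.get("gateway", "NONE")
    if gw_text.upper() != "NONE":
        gw = _ipv4(gw_text)
        if gw is None:
            errors.append("gateway: not a valid IPv4 address")
        elif net is not None and gw not in net:
            errors.append("gateway: not inside the device's subnet")
        elif gw == ip:
            errors.append("gateway: must differ from the device IP")
        # The interface prompt only applies when a gateway was given.
        if cfg.get("gateway_if") not in ("0", "1"):
            errors.append("gateway_if: must be 0 (Internal) or 1 (External)")

    for key in ("dns1", "dns2"):
        value = cfg.get(key, "none")
        if value.lower() != "none" and _ipv4(value) is None:
            errors.append(f"{key}: must be an IPv4 address or 'none'")

    return errors


if __name__ == "__main__":
    # Sample values from the guide; the gateway 10.0.0.2 is constructed.
    sample = {"ip": "10.1.18.7", "mask": "255.0.0.0", "hostname": "Jonny2",
              "domain": "allot.com", "gateway": "10.0.0.2", "gateway_if": "0",
              "dns1": "none", "dns2": "none"}
    print(validate_network_config(sample) or "configuration looks consistent")
```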


Changing the Passwords

You can change the login password for either the Admin user or the Monitor user. The Admin user has access to all NetEnforcer functions, while the Monitor user has read-only access. It is strongly recommended to change the default password (allot). NetEnforcer might enable access from anywhere on the Internet, and should therefore be protected with a unique password.

To change a user's password:

1. In the NetEnforcer Setup Menu, enter 3 (Change password) and press <Enter>. The Password screen is displayed:

Figure 2-9 – Password

2. Enter 1 or 2 to specify the type of user whose password you want to change and press <Enter>.

3. Enter a new password and press <Enter>. The password must be between 5 and 8 characters. You can use a combination of upper and lower case letters and numbers.

4. Re-enter the password and press <Enter>. If NetEnforcer detects a simple password, a warning is displayed on the screen.

NOTE The new user name and password will be used in the NetEnforcer Log In window when accessing NetEnforcer through a browser.


Modifying Date and Time Settings

You can modify date and time settings as required. You can set the system time manually, or you can set up NetEnforcer to receive time checks from an NTP (Network Time Protocol) server, if you have one on your network.

To modify the date and time settings:

1. In the NetEnforcer Setup Menu, enter 4 (Set time) and press <Enter>. The Time Setup screen is displayed:

Figure 2-10 – Time Setup

The current day, date, system time and time zone are displayed at the top of the screen.


2. To change the time zone, perform the following steps:

• Enter 1 and press <Enter>.

• Enter y and press <Enter>. NetEnforcer displays a list of time zones.

• Enter the required time zone and press <Enter>.

3. To change the system time, perform the following steps:

• Enter 2 and press <Enter>.

• Enter the new date and time in the format DD-MM-YYYY-HH-mm. For example, 12-05-2001-11-20 for 12th May 2001, 11:20 am.

• Press <Enter> to set the time.

Changing the Root User Password

You can change the root password that provides access to super-user rights.

To change the root password:

1. Use the supplied serial cable to connect the terminal to the Console Connector on the front panel of NetEnforcer.

2. Set the NetEnforcer power switch, located near the NetEnforcer power cable, to the ON position. The system boots up and on the terminal you are prompted for a login and a password.

3. At the terminal, press <Enter>. The system boots up and you are prompted for a login and a password.

4. Enter root for the login and bagabu for the password, and then press <Enter>.

5. Enter passwd and then press <Enter>.


6. Enter a new password and press <Enter>. The password must be between 5 and 8 characters. You can use a combination of upper and lower case letters and numbers.

7. Re-enter the new password and press <Enter>.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After rebooting is completed, NetEnforcer is ready to be connected and to add Quality of Service in your network.

TIP You can further protect access to the NetEnforcer by limiting the hosts that are allowed to manage the unit.

Configuring Via the LCD Panel

All NetEnforcer models provide an LCD panel from which you can configure basic NetEnforcer parameters without connecting a terminal. This enables quick and easy setting of basic parameters such as the IP address of NetEnforcer and NIC settings.

When not being used to configure the NetEnforcer, the display area in the LCD panel displays its default view, which is the current inbound and outbound bandwidth usage. The units are in Kbps or Mbps with one digit after the point and the display is refreshed every five seconds.

NOTE When you are configuring NetEnforcer and there is no activity for more than 30 seconds, the display area returns to the default view and any modifications to parameters that were not saved are lost.

The Main Menu

The LCD panel provides one main menu from where you can perform the following operations:


• Configure NIC settings, page 2-25.

• Set the NetEnforcer IP address, page 2-26.

• Activate Bypass, page 2-28.

• Reboot, shutdown or exit NetEnforcer, page 2-29.

Getting Started on NetEnforcer

In order to start working with NetEnforcer, press the Power button to turn on NetEnforcer. Once the system has completed loading, the display area of the LCD indicates its default view, the current bandwidth consumption of NetEnforcer. For example: Inbound: XX.XM

Outbound: YYY.YM

You can now proceed to configure NetEnforcer, as required.

NOTE If QoS functionality is not included in your NetEnforcer (not enabled by your activation key), the default view indicates the following: Inbound:- Outbound:-.

Configuring NIC Settings

Configuring NIC settings enables you to configure the internal and external Ethernet adapters to either automatically sense the direction and speed of network traffic, or use a predetermined duplex type and speed.

NOTE If the NetEnforcer unit is being managed via NetXplorer, only the Management Port can be configured via the LCD.

To configure NIC settings:

1. With the display area displaying the default view, press the Select button. The main menu is displayed as follows: Main menu:

1. NIC Settings


2. Press the Select button. If the Management port is enabled, the display area indicates the following: 1-1.[M]anagement

[In]/[Ex]ternal

NOTE If the Management port is disabled, the display area indicates the following: 1-1.Interface [In]/[Ex]ternal.

3. Use the arrow buttons to select the required interface and press the Enter button. The display area indicates the following: Mode: [A]uto or

[F]ull/[H]alf du

4. Use the arrow buttons to select the duplex type for the selected interface and press the Enter button. The display area indicates the following: Speed: [A]uto or

[100]/[10] Mbps

5. Use the arrow buttons to select the link speed of the selected interface and press the Enter button. The display area indicates the following: [S]ave/[C]ancel

6. Use the arrow buttons to select whether to save the settings or cancel and press the Enter button. The new NIC settings are applied and after a few moments, the display area displays its default view, the current bandwidth consumption.

Setting the NetEnforcer IP Address

Setting the NetEnforcer IP address enables you to specify the IP address, netmask and default gateway for NetEnforcer.


To configure the IP address:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow once to display the following:

   Main menu:
   2. Setup IP

3. Press the Select button. The display area indicates the following:

   2-1.Set IP:
   xxx.xxx.xxx.xxx (the current IP address definitions are displayed)

4. Specify the IP address of NetEnforcer. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

5. Press the Enter button. The display area indicates the following:

   2-2.Set mask:
   xxx.xxx.xxx.xxx (the current netmask definitions are displayed)

6. Specify the netmask of NetEnforcer. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

7. Press the Enter button. The display area indicates the following:

   2-3 Gateway exists [Yes/No]

   Select whether you have a gateway defined in your network. If you select N, you exit to the next step, skipping display 2-4. If you have a gateway, select Y and proceed; the display area indicates the following:

   2-4.Gateway:
   xxx.xxx.xxx.xxx (the current gateway definitions are displayed)

8. Specify the IP address of the default gateway. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.


9. Press the Enter button. The display area indicates the following: [S]ave/[C]ancel

10. Use the arrow buttons to select whether to save the settings or cancel and press the Enter button. The new IP and gateway settings are applied and after a few moments, the display area displays its default view, the current bandwidth consumption.

The following cases of failure may be indicated (the display shows the two texts on its two lines):

Failure | Display
Register NIC Settings Fail | NE IP save / Chk NE IP config
Netmask Save Fail | MASK save / Chk NE IP config
Management NIC Save Fail | Mgmt save / Chk NE IP config
Gateway Save Fail | GW save / Chk NE IP config

Activating Bypass

To send the NetEnforcer into Bypass:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow three times to display the following:

   Main menu:
   4. Bypass

3. Press the Select button. If the system is not in Bypass mode, the display area indicates the following:

   Go into Bypass?
   [Y]es/[N]o

4. Use the arrow buttons to select whether to enter Bypass mode and press the Enter button. NetEnforcer switches to Bypass mode and after a few moments, the display area displays its default view, the current bandwidth consumption.

NOTE When the system is already in Bypass mode, you are prompted to select whether to exit Bypass mode. Use the arrow buttons to select whether to exit Bypass mode and press the Enter button.

Rebooting, Shutting Down and Exiting the NetEnforcer

You can reboot or shut down the NetEnforcer and exit from LCD configuration as required.

To reboot the NetEnforcer:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow four times to display the following:

   Main menu:
   5. Reboot

3. Press the Select button. The display area indicates the following:

   Reboot?
   [Y]es/[N]o

4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter button. NetEnforcer reboots and the display area indicates the following:

   System
   Rebooting * (blinking asterisk)

NOTE This message is also displayed in the display area when NetEnforcer is rebooted using a terminal.


To shut down the NetEnforcer:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow five times to display the following:

   Main menu:
   6. Shutdown

3. Press the Select button. The display area indicates the following:

   Shutdown?
   [Y]es/[N]o

4. Use the arrow buttons to select whether to shut down NetEnforcer and press the Enter button. NetEnforcer shuts down and the display area indicates the following:

   System
   Shutting down * (blinking asterisk)

   After a few seconds, the display area indicates that NetEnforcer may be powered off.

NOTE This message is also displayed in the display area when NetEnforcer is shut down using a terminal.

To return to LCD default view:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow six times to display the following:

   Main menu:
   7. Exit

3. Press the Enter or the Select button. The display area displays its default view, the current bandwidth consumption.


Redundancy

Parallel Redundancy

Failure of a network device can be catastrophic, causing network downtime and lost business. The key to designing any mission-critical network is to recognize that these failures can occur, and to design a network that can handle failures and still allow the network to function. In order to do this, it is important to use the most reliable equipment, with redundancy built in to all mission-critical equipment.

NetEnforcer can operate in parallel to provide Parallel Redundancy. Parallel Redundancy requires two NetEnforcer systems and, where an external Bypass module is used, a single Bypass module.

The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is designed to be in Standby mode as long as the Primary NetEnforcer is active. Only if, for any reason, the Primary NetEnforcer is not able to function properly does the Secondary NetEnforcer become active.

Both NetEnforcers receive traffic from the internal network, but only the Primary NetEnforcer passes the traffic to the external network.

While the Primary NetEnforcer receives and handles traffic coming from the external network, the Secondary External interface is disabled, since the system is in Standby mode. If the Primary NetEnforcer should fail, the Secondary NetEnforcer automatically takes control of the traffic, and enables its External interface.

In Parallel Redundancy mode, the Bypass mode is activated in the event that both the Primary and Secondary NetEnforcers fail.


The following diagram shows how to connect two NetEnforcers in Parallel Redundancy:

Figure 2-11 – Connecting Two NetEnforcers in Parallel Redundancy


Status Indicators in Parallel Redundancy Mode

When operating in Parallel Redundancy mode, two NetEnforcer units are connected. During operation, the LED indicators on NetEnforcer give various readings. The LEDs relevant to operations in Parallel Redundancy mode are the Standby, Active and Power LEDs on the NetEnforcer LCD panel.

The modes of operation of the indicators are described in the following table (each pair of rows is one scenario):

Unit | Standby LED | Active LED | Power LED | Analysis
Primary | OFF | ON | ON | Primary NetEnforcer is in Active mode.
Secondary | ON | OFF | ON | Secondary NetEnforcer is in Standby mode, ready to take over.

Primary | OFF | OFF | ON | Primary NetEnforcer has failed or is now booting.
Secondary | OFF | ON | ON | Secondary NetEnforcer took over and is in Active mode.

Primary | OFF | OFF | OFF | Primary NetEnforcer is powered OFF.
Secondary | OFF | ON | ON | Secondary NetEnforcer took over and is in Active mode.

Primary | OFF | ON | ON | Primary NetEnforcer is in Active mode.
Secondary | OFF | OFF | OFF | Secondary NetEnforcer is powered OFF. The only fail-safe mode available now is Bypass.

Primary | OFF | OFF | ON | Primary NetEnforcer has failed or has not completed booting.
Secondary | OFF | OFF | ON | Secondary NetEnforcer has failed or has not completed booting. Bypass is activated (in the Primary unit) and all traffic is going through Bypass.

Table 2-1 – LED Conditions: AC-400 Series, Parallel Redundancy Mode

Secondary NetEnforcer Activation

When two NetEnforcers are connected in Parallel Redundancy mode, the Secondary NetEnforcer will take control and become the active unit under the following conditions:

• Upon a Primary subsystem failure.
• During booting of the Primary NetEnforcer platform. When booting is completed, the Primary unit automatically takes control again.
• Upon any Primary NetEnforcer power feed failure and power OFF condition.
• Upon the Primary NetEnforcer Ethernet cable disconnecting from either the Internal or External ports. After reconnecting the cable and rebooting, the Primary NetEnforcer takes control again.
• When the Bypass module is not connected properly to the NetEnforcer Backup connector, even with all other connectors fully plugged.

NOTE The NetEnforcer's Ethernet Adapter can detect Ethernet cable disconnection. NetEnforcers in a redundant configuration react to such an event by having the Primary NetEnforcer lose control until the next machine reboot, and the Secondary NetEnforcer become the active unit. If a cable is disconnected, it is recommended to reboot the Primary NetEnforcer after reconnecting the cable.


Parallel Redundancy Connection

Before using NetEnforcers in Parallel Redundancy mode, make sure that the configuration of both NetEnforcers is identical, except for their DIP switch settings and IP addresses, which must be unique for each unit. You can use the Save & Distribute option to distribute the same QoS policy to both NetEnforcers.

CAUTION Please note that only a certified Allot Communications Service Engineer is authorized to remove the NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover from the NetEnforcer, its warranty becomes void.

NOTE You can distribute policy to other NetEnforcers only if they are of the same model as the one from which you are distributing.

Setting Dip Switches

In order to access internal components of the NetEnforcer units, including the DIP switches, the main cover must be removed.

CAUTION Only a certified Allot Communications Service Engineer is authorized to remove the NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover from the NetEnforcer, its warranty becomes void.

In circumstances where you need to remove the main cover, carefully follow the instructions below.

To remove the main cover:

1. Remove the fourteen screws (five on each side of the main cover and four at the back) using a small Phillips screwdriver.

2. Stand in a position where you are facing the back of the unit. With both hands, pull the cover towards you, until approximately a third of the unit is exposed.


3. Remove the cover by lifting it from the overhanging rear section and then pull the cover away from the main unit. This will expose the inside components of the NetEnforcer.

Below is a schematic diagram of an opened Enhanced Platform unit, with an enlargement of the DIP switches.

Figure 2-12 - DIP Switch Location: AC-400 Series


DIP Switches

The service panel contains eight DIP switches. Their functions are described below:

Switch No. | Function
8 | ON = Forced Active (Factory Default = OFF)
7 | For future use (Factory Default = OFF)
6 | ON = Peer Bypass control (Factory Default = OFF). For more information see Appendix B, Fail-Safe Operation, Figure B-3.
5 | ON = Bypass connected, OFF = Bypass float (Factory Default = ON)
4 | ON = Bypass connected, OFF = Bypass float (Factory Default = ON)
3 | ON = Bypass connected, OFF = Bypass float (Factory Default = ON)
2 | ON = Bypass connected, OFF = Bypass float (Factory Default = ON)
1 | ON = Bypass connected, OFF = Bypass float (Factory Default = ON)

Table 2-3 – DIP Switch Functions: Enhanced Platform

The unit is shipped with the factory defaults indicated above. This setup ensures the normal operation of the Bypass switch (meaning that it is activated upon a failure), and that the Active status is not forced. For normal device behavior, it is strongly recommended not to change DIP switch factory settings.

After ensuring identical configuration, test each NetEnforcer (while connected to the network as a single device) and verify that they are operating identically to one another.

4. Set the DIP Switches to Parallel Redundancy mode. See Figure 2-13.

5. Designate one of your NetEnforcers to be the default Primary, and connect the end of the Backup cable marked Primary to the backup connector of the unit. Connect the other end of the backup cable to the backup connector of the Secondary NetEnforcer.


6. After booting, ensure that on the Primary NetEnforcer the Active LED is ON and the Standby LED is OFF. On the Secondary NetEnforcer, the Active LED is OFF and the Standby LED is ON.

CAUTION When two NetEnforcers are connected in Redundancy mode with a switch on each interface, if the Primary NetEnforcer fails and the Secondary system takes control of traffic, the redundant unit may take some time to activate. This is normal switch behavior. The switch will continue to redirect packets to the Primary NetEnforcer, instead of to the Secondary NetEnforcer.

NetEnforcer AC-400 Series models have the option of working in Parallel Redundancy, where one system is in Float mode and the other is not. This enables one system to cancel the other system’s Bypass mode. When this feature is activated (DIP switch 6 is set to ON), the active system cancels the Bypass mode of the other system, if it exists.

If the Primary NetEnforcer fails, the Secondary NetEnforcer becomes active and cancels the Primary's Bypass. If the Secondary NetEnforcer also fails, it releases its control over the Primary NetEnforcer, which then moves to Bypass mode.

The recommended configuration as shown in Figure 2-13, is to set the Primary NetEnforcer to Bypass mode (switches 1 to 5 are set to ON) and the Secondary NetEnforcer to Float mode (switches 1 to 5 are set to OFF, and switch 6, Control Over, is set to ON).


[Figure: DIP switch positions (switches numbered 8 to 1). Primary: switches 1 to 5 ON (BYPASS). Secondary: switches 1 to 5 OFF (FLOAT), switch 6 ON (CONTROL OVER).]

Figure 2-13 – DIP Switch Configuration for Parallel Redundancy

If there is a problem with the Primary NetEnforcer, the box should be disconnected from the network and the DIP switches on the Secondary NetEnforcer should be set to standalone configuration.

CAUTION Please note that only a certified Allot Communications Service Engineer is authorized to remove the NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover from the NetEnforcer, its warranty becomes void.

CAUTION In standalone mode, NetEnforcer DIP switches should remain in the factory default settings. To have the NetEnforcer in standalone mode, switches 1 to 5 are set to ON and switches 6 to 8 are set to OFF.


Active Redundancy

In the Active Redundancy configuration, each NetEnforcer AC-404 manages a single link while duplicating the link’s traffic to the other NetEnforcer. Both NetEnforcers are active. Each unit shapes the traffic of one link only, but the shaping algorithm considers traffic of both links. Such configuration is recommended for network topologies where both links are active in load-balancing mode.

NOTE Active Redundancy is not available on AC-402 models.

Failover

In the event that one of the links fails due to router, switch or line malfunction, the network redundancy mechanism (for example, spanning tree) will ensure that traffic is routed or switched via the other link and managed by the second NetEnforcer. Since both NetEnforcers maintain a constant view of the two links, there will be no loss of flow state and other information required for correct shaping and application classification. Note that the bypass function is not used in such configurations.

Policy Configuration

In the Active Redundancy configuration, the two NetEnforcers should share the same policy configuration.


Connecting the NetEnforcer in Active Redundancy

Line 1 is used to pass actual traffic – these interfaces will be used to connect the AC-404s to the corresponding switches or routers.

Figure 2-14 – Active Redundancy – AC-404

Line 2 is used to duplicate traffic and pass it to the second NetEnforcer. Traffic that is passed between NetEnforcers is not sent to adjacent network devices – it is only used for monitoring and classification purposes.

Configuring the NetEnforcer

In order to configure active redundancy, it is necessary to configure the network interfaces and enable active redundancy. This is done in the following order:

Configuring Interfaces

1. Configure the Management Port interface via the LCD on the front panel of the NetEnforcer.

2. Open the NetXplorer GUI by clicking on the icon found on the desktop or from the Start menu. If no icon is installed, browse to the IP of the server.

3. From the GUI, select the relevant NetEnforcer. Right-click and select Configuration.


4. Select the NIC tab and configure the remaining network interfaces.

The interfaces can also be configured by opening a console connection to the NetEnforcer and using the following command:

   go config nic

• Options are:

   o internal1 MODE:SPEED
   o internal2 MODE:SPEED
   o external1 MODE:SPEED
   o external2 MODE:SPEED

For example:

   go config nic -internal1 full:100

Note: The Internal1 and External1 interfaces support speeds of 10 and 100, while the Internal2 and External2 interfaces support speeds of 10, 100, and 1000.
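The per-interface speed rule in the note above is easy to get wrong when the same command is typed into both units of a redundant pair, so the following validator checks a `go config nic` argument list before it is sent and renders it back in a fixed order for comparison. This is an added example, not Allot's code or a command the NetEnforcer provides; it assumes the console takes a plain hyphen before each option and, like the LCD menu, accepts auto for both mode and speed.

```python
"""Validate and render `go config nic` arguments for a NetEnforcer AC-404.

Added example, not Allot's code. The per-interface speed limits come from
the guide's note; accepting "auto" for MODE and SPEED on the console is an
assumption that mirrors the [A]uto choices offered on the LCD menu.
"""
from __future__ import annotations

import re

INTERFACES = ("internal1", "internal2", "external1", "external2")

# Link speeds (Mbps) each interface supports, from the guide's note.
SUPPORTED_SPEEDS = {
    "internal1": {10, 100},
    "external1": {10, 100},
    "internal2": {10, 100, 1000},
    "external2": {10, 100, 1000},
}

# Duplex modes; "auto" is assumed (see module docstring).
MODES = ("full", "half", "auto")

_MODE_SPEED_RE = re.compile(r"^([a-z]+):([a-z0-9]+)$")


class NicConfigError(ValueError):
    """An argument the console command would not accept."""


def parse_mode_speed(interface: str, value: str) -> tuple[str, int | str]:
    """Validate one MODE:SPEED token; speed is an int in Mbps or "auto"."""
    match = _MODE_SPEED_RE.match(value.lower())
    if not match:
        raise NicConfigError(f"{interface}: expected MODE:SPEED, got {value!r}")
    mode, speed_text = match.groups()
    if mode not in MODES:
        raise NicConfigError(f"{interface}: unknown mode {mode!r}")
    if speed_text == "auto":
        return mode, "auto"
    if not speed_text.isdigit():
        raise NicConfigError(f"{interface}: speed must be Mbps or auto, got {speed_text!r}")
    speed = int(speed_text)
    if speed not in SUPPORTED_SPEEDS[interface]:
        allowed = ", ".join(str(s) for s in sorted(SUPPORTED_SPEEDS[interface]))
        raise NicConfigError(f"{interface}: {speed} Mbps not supported (use {allowed})")
    return mode, speed


def parse_nic_args(argv: list[str]) -> dict[str, tuple[str, int | str]]:
    """Parse the arguments that follow `go config nic`.

    Example: ["-internal1", "full:100"] -> {"internal1": ("full", 100)}.
    A leading en dash is tolerated because PDF extraction often turns the
    hyphen into one; the console is assumed to take a plain hyphen.
    """
    settings: dict[str, tuple[str, int | str]] = {}
    tokens = list(argv)
    while tokens:
        flag = tokens.pop(0)
        if not flag.startswith(("-", "\u2013")):
            raise NicConfigError(f"expected an interface option, got {flag!r}")
        name = flag.lstrip("-\u2013").lower()
        if name not in INTERFACES:
            raise NicConfigError(f"unknown interface option {flag!r}")
        if name in settings:
            raise NicConfigError(f"{name} given more than once")
        if not tokens:
            raise NicConfigError(f"{flag}: missing MODE:SPEED value")
        settings[name] = parse_mode_speed(name, tokens.pop(0))
    if not settings:
        raise NicConfigError("no interface options given")
    return settings


def nic_error(argv: list[str]) -> str | None:
    """Return the validation error for argv, or None when it is acceptable."""
    try:
        parse_nic_args(argv)
    except NicConfigError as exc:
        return str(exc)
    return None


def render_command(settings: dict[str, tuple[str, int | str]]) -> str:
    """Render validated settings as one console line with the interfaces in
    a fixed order, so the same line can be applied to both units of a
    redundant pair and their configurations compared textually."""
    parts = ["go config nic"]
    for name in INTERFACES:
        if name in settings:
            mode, speed = settings[name]
            parts.append(f"-{name} {mode}:{speed}")
    return " ".join(parts)


if __name__ == "__main__":
    for argv in (["-internal1", "full:100"], ["-internal1", "full:1000"]):
        print(argv, "->", nic_error(argv) or render_command(parse_nic_args(argv)))
```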


AC-400 Hardware Specifications

Dimensions
  Standard 1U by 19-inch, rack mountable
  Height: 1.73 in (44 mm)
  Width: 17.32 in (440 mm)
  Depth: 11.73 in (298 mm)
  Weight: 12 lbs (5.5 kg)

Power Requirements
  Input Voltage: 100 - 240 V
  Frequency: 47 - 63 Hz
  Current: 2 A
  Power consumption: AC-302 53 W; AC-402 70 W

Operating Environment
  Temperature: 32° F to 104° F (0° to 40° C)
  Humidity: 5% to 95% (non-condensing)
  Heat Dissipation: AC-302 181 BTU/Hour; AC-402 240 BTU/Hour
  EMI: Residential, commercial and light industry.


Standards, Compliance and Certifications

All AC-400 models hold certificates for and comply with the standards listed below.

EMC
  EMC Directive 89/336/EEC, article 7(1)
  EN 55022:1998+A1(00) class A
  EN 61000-3-2:1995_A1(98)+A2(98)
  EN 61000-3-3:1995
  EN 55024:1998+A1(01)
  FCC 47 CFR part 15, subpart B, class A
  ICES-003:1997, class A
  VCCI:2002, class B
  NEBS: GR-1089-Core*

Safety
  IEC 60950:1999 with Japanese deviations
  EN 60950:2000
  NEBS: GR-1089-Core*
  UL 1950 (NetEnforcer UL File number: E206586)
  CAN/CSA C22.2 No.60950-00 * UL 60950, third edition

Environmental
  ETS 300 019-2-2 T 2.1
  ETS 300 019-2-3 T 3.1
  NEBS: GR-63-Core*

* NetEnforcer is designed to meet these standards.


Firewall Port Reference

If your NetEnforcer, using Basic Management, is working behind a firewall, the following ports must be opened on the firewall to enable access to the NetEnforcer management functions:

Firewall Port | Gives Access To
TCP Port: 23 | Telnet
TCP Port: 80 | Web Server/GUI
TCP Port: 56000 | Internal Accounting GUI Access
TCP Port: 51000 | Policy Editor GUI Access
TCP Port: 52000 | Monitoring GUI Access
TCP Port: 53000 | Alerts GUI Access
TCP Port: 53306 | MySQL Access
TCP Port: 56000 | External Accounting Data Transfer Access
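The table says which ports a firewall must pass, but not from where; a practitioner will want to confirm that only the management network reaches them and that none of them is left unreachable. The audit below is an added example, not Allot's code: it evaluates a constructed rule set (first match wins, default drop) against the documented ports, using the constructed management subnet 10.0.0.0/24 and outside address 198.51.100.10.

```python
"""Audit a firewall rule set against the guide's Firewall Port Reference.

Added example, not Allot's code. MANAGEMENT_PORTS is the table printed in
the guide for Basic Management; the rule sets and addresses below are
constructed sample input. A rule is (source CIDR, TCP dport or None for
any port, "accept" or "drop"); the first matching rule wins and anything
unmatched is dropped.
"""
from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple

# TCP ports from the guide. Port 56000 is listed twice there (Internal
# Accounting GUI Access and External Accounting Data Transfer Access).
MANAGEMENT_PORTS = {
    23: "Telnet",
    80: "Web Server/GUI",
    51000: "Policy Editor GUI Access",
    52000: "Monitoring GUI Access",
    53000: "Alerts GUI Access",
    53306: "MySQL Access",
    56000: "Internal Accounting GUI Access / External Accounting Data Transfer Access",
}

Rule = Tuple[str, Optional[int], str]


def reachable(rules: List[Rule], src_ip: str, dport: int) -> bool:
    """True if a TCP connection from src_ip to dport is accepted."""
    src = ipaddress.ip_address(src_ip)
    for cidr, port, action in rules:
        if src in ipaddress.ip_network(cidr, strict=False) and port in (None, dport):
            return action == "accept"
    return False  # default-deny


def audit_management_access(rules: List[Rule], mgmt_subnet: str,
                            outside_ip: str = "198.51.100.10"):
    """Check every documented management port two ways.

    Returns (exposed, blocked): ports an address outside the management
    subnet can reach, and ports the management subnet itself cannot reach
    (the corresponding NetEnforcer function would be unusable from there).
    """
    mgmt = ipaddress.ip_network(mgmt_subnet)
    if ipaddress.ip_address(outside_ip) in mgmt:
        raise ValueError("outside_ip must lie outside the management subnet")
    mgmt_host = str(next(mgmt.hosts()))  # first usable address, as the probe source
    exposed, blocked = [], []
    for port in sorted(MANAGEMENT_PORTS):
        if reachable(rules, outside_ip, port):
            exposed.append(port)
        if not reachable(rules, mgmt_host, port):
            blocked.append(port)
    return exposed, blocked


def recommended_rules(mgmt_subnet: str) -> List[Rule]:
    """Admit only the documented ports, only from the management subnet."""
    rules: List[Rule] = [(mgmt_subnet, port, "accept") for port in sorted(MANAGEMENT_PORTS)]
    rules.append(("0.0.0.0/0", None, "drop"))
    return rules


# Constructed sample: Telnet left open to everyone, and only two of the
# documented ports admitted from the management subnet 10.0.0.0/24.
WEAK_RULES: List[Rule] = [
    ("0.0.0.0/0", 23, "accept"),
    ("10.0.0.0/24", 80, "accept"),
    ("10.0.0.0/24", 56000, "accept"),
]


def describe(ports) -> str:
    """Human-readable port list using the guide's service names."""
    return ", ".join(f"{p} ({MANAGEMENT_PORTS[p]})" for p in ports) or "none"


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("recommended", recommended_rules("10.0.0.0/24"))):
        exposed, blocked = audit_management_access(rules, "10.0.0.0/24")
        print(f"{label}: reachable from outside the management subnet: {describe(exposed)}")
        print(f"{label}: unreachable from the management subnet: {describe(blocked)}")
```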


Chapter 3: AC-800 Series

The Allot NetEnforcer AC-800 Series enables the definition and classification of traffic by users, applications and resources. Several NetEnforcer AC-800 models are available to support large and small sites and different data network speeds.

Each model type has a different number of ports to accommodate different requirements:

• AC-802: Two Ports, 1 Line

• AC-804: Four Ports, 2 Lines

• AC-808: Eight Ports, 4 Lines

All NetEnforcer AC-800 series units support:

• 256,000 connections (512,000 flows)

• 2,048 Pipes

• 8,192 Virtual Channels

Additional Pipes and Virtual Channels can also be purchased separately per device.

The NetEnforcer AC-802 is a general-purpose device with one line (two port) connectivity for small or medium sized enterprises. The device is available with either AC or DC power supplies and with copper, SX fiber or LX5 fiber. The AC-802 may be ordered with an upgradable throughput of 54 Mbps, 100 Mbps, 155 Mbps or 310 Mbps.

The NetEnforcer AC-804 is intended to be used in medium sized or large enterprise networks that require the ability to handle dual network segments. The AC-804 has two line (four port) connectivity. The device is available with either AC or DC power supplies and with copper, SX fiber or LX5 fiber. The AC-804 may be ordered with an upgradable throughput of 54 Mbps, 100 Mbps, 155 Mbps or 310 Mbps.


The NetEnforcer AC-808 is a four line (eight port) unit intended for large enterprise networks or small service providers/carriers. The device is available with either AC or DC power supplies and with copper, SX fiber or LX5 fiber. The AC-808 may be ordered with an upgradable throughput of 54 Mbps, 100 Mbps, 155 Mbps or 310 Mbps.

The NetEnforcer AC-800 Series offers redundant critical components for fail-safe operation. Redundant hardware components on the AC-800 Series include redundant fans and dual hot-swappable power supplies.

These platforms come with an additional module known as a Copper Bypass or a Fiber Bypass (depending on the interface type). These Units are external Bypass switches.

CAUTION All AC-800 Series models only function when the appropriate Bypass Unit is connected to them. This is to ensure continuous service in the event of failure.

AC-800 Series Packing List

Verify that the following items are included with NetEnforcer:

• NetEnforcer (hardware with pre-installed software)
• NetEnforcer Hardware Manual
• 3 Power Cables (AC or DC)
• Bypass Cables (number and specifications depend upon model and interface type)
• 1 Serial Console Cable
• 1 Management Cable
• 2 Side Mounting Brackets
• DB-9 Parallel Redundancy Cable

A DB-9 Serial Redundancy Cable (P/N C411012) may be ordered from Allot.

All NetEnforcer models contain a lithium battery on the main board.


CAUTION Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer’s instructions.

AC-800 Series Front Panel

The front panels of AC-800 Series models include the following ports:

• Network Connectors (Internal and External)
• Management Port
• Console Connector
• Backup (9-pin D-type) Connector

Management of the NetEnforcer AC-800 Series can be via the Management port or network connectors.

NetEnforcer connects to your network via connectors located on the front panel. These connectors and the LED indicators on the front panel are shown below:

Figure 3-1 – NetEnforcer AC-800 Series Front Panel (Model AC-802 Copper)


AC-802 Front Panel

Figure 3-2 – Front Panel: AC-802 Copper

Figure 3-3 – Front Panel: AC-802 Fiber


AC-804 Front Panel

Figure 3-4 – Front Panel: AC-804 Copper

Figure 3-5 – Front Panel: AC-804 Fiber


AC-808 Front Panels

Figure 3-6 – Front Panel: AC-808 Copper

Figure 3-7 – Front Panel: AC-808 Fiber

CAUTION CLASS 1 LASER PRODUCT. DANGER! Invisible laser radiation when opened. AVOID DIRECT EXPOSURE TO BEAM.


The front panel of the AC-800 Series contains LEDs that are positioned on each of the External, Internal and Management connectors or used as the Standby, Active and Power indicators.

The modes of operation of the External, Internal and Management indicators are described in the table below.

External/Internal/Management LED | NetEnforcer Status
Green | A link is detected.
Orange | Blinks when traffic is detected on the interface.
Off | No link activity is detected.

Table 3-1 – External/Internal/Management LED Conditions: AC-800 Series

The modes of operation of the Standby, Active and Power indicators are described in the table below.

Indicator | Status | NetEnforcer Status
Standby | On | Two NetEnforcers are connected in Parallel Redundancy mode and this NetEnforcer is the secondary system.
Standby | Off | If you have one NetEnforcer, this should be the normal state of the LED. If you have two NetEnforcers configured in Redundancy mode, this NetEnforcer is not in standby.
Active | On | The NetEnforcer is in Active mode.
Active | Off | The NetEnforcer is in Bypass mode. Traffic passes through the NetEnforcer with no Quality of Service or traffic shaping. If you have two NetEnforcers configured in Parallel Redundancy mode, this is the secondary NetEnforcer in a Parallel Redundancy configuration and it is not active (in the other NetEnforcer this LED should be on).
Power | On | The NetEnforcer is powered up.
Power | Off | The NetEnforcer is shut down.

Table 3-2 – Standby/Active/Power LED Conditions: AC-800 Series

AC-800 Series LCD Panel

The LCD panel provides an indication of traffic usage and enables you to configure the NetEnforcer directly without connecting a terminal.

[Figure 3-8 labels: On/Off, Enter, Up Arrow, Down Arrow, Left Arrow, Right Arrow, Select, Display Area, Power Indicator, Active Indicator, Standby Indicator]

Figure 3-8 – NetEnforcer LCD Panel: AC-800 Series

For a description of how to configure the NetEnforcer using the LCD panel, refer to Configuring Via the LCD Panel, page 3-12.


Management Port

The dedicated Management port on all NetEnforcer models enables out-of-band management of the device. Operating through the Management port increases security by denying access to the device via the Internal or External ports. Moreover, when there is a problem in the regular network it is still possible to manage and monitor the NetEnforcer.


AC-800 Series Rear Panel

The rear panel of the AC-800 Series contains the following:

• Grounding Screw
• Three Hot-swappable Power Supplies

Figure 3-9 – NetEnforcer Rear Panel: AC-800 Series


AC-800 Series Power Supply

The NetEnforcer AC-800 Series includes three hot-swappable power supply modules and a dual line feed for Redundancy purposes. Each line feed drives one power supply.

NOTE The power supply automatically adapts to voltages between 100 V and 240 V, 50/60 Hz.

Should it be necessary, the power supplies can be replaced while the NetEnforcer is connected and in operation. Replacing a power supply while the unit is in operation is possible since the remaining power supply will take the full load and maintain full operation.

Figure 3-10 – NetEnforcer AC Power Supply: AC-800 Series


Figure 3-11 – NetEnforcer DC Power Supply: AC-800 Series

NOTE AC Power Supply modules and DC Power Supply modules are interchangeable.

To remove a power supply module, press the release button, pull the handle and slide the module out. Leave the power cord connected when removing a power supply module.

Each power supply has a two color power LED indicating input/output power status:

LED | Power Supply Status
Green | Indicates that the power supply is connected to power and is functioning.
Red | Indicates that the power supply has failed.

When power failure occurs, the power LED indication turns Red and an internal buzzer sounds. The power supply module must be removed to silence the buzzer. Leave the power cord connected when removing a power supply module.


Key features of the power supply include:

• Hot-pluggable, easy to maintain
• Based on N+1 load sharing
• Universal AC input with Power Factor correction
• Rear panel with bi-color LED indicating input/output power status
• Power fault buzzer alarm system

Cabling

AC-800 Series Copper

NOTE Ethernet Cables may be Straight or Cross, depending upon your network.

For those Ethernet cables which are included with the NetEnforcer, see AC-800 Series Packing List on p. 3-2 for type details.

Connections | Cable Type | Connector Type
To NetEnforcer Management Port | Ethernet (Cat-6) (Included, P/N C411011) | RJ-45
To NetEnforcer Console Port | Ethernet (Cat-6) (Included, P/N C002005B) | RJ-45
Primary NetEnforcer Internal/External to Bypass Unit Internal/External | Ethernet (Cat 6) (Included, P/N C411008 x2) | RJ-45
Secondary NetEnforcer Internal/External to Network | Ethernet (Cat 6) | RJ-45
NetEnforcer Backup Connector to Bypass Unit | DB-9 Cable (Included, P/N C702001) | D-Type 9-Pin
Bypass Unit Internal to Switch | Ethernet (Cat 6) | RJ-45
Bypass Unit External to Router | Ethernet (Cat 6) | RJ-45

AC-802/804 Multi Mode (SX) Fiber

NOTE Ethernet Cables may be Straight or Cross, depending upon your network.

For those Ethernet cables which are included with the NetEnforcer, see AC-800 Series Packing List on p. 3-2 for type details.

Connections | Cable Type | Connector Type
To NetEnforcer Management Port | Ethernet (Cat-6) (Included, P/N C411011) | RJ-45
To NetEnforcer Console Port | Ethernet (Cat-6) (Included, P/N C002005B) | RJ-45
Primary NetEnforcer to Bypass Unit (Internal/External) | Built In | Built In
NetEnforcer Backup Connector to Bypass Unit | DB-9 Cable (Included, P/N C702001) | D-Type 9-Pin
Secondary NetEnforcer to Network (Internal/External) | 62.5/125μ fiber optic cable | Dual SC
Bypass Unit Internal to Switch | 62.5/125μ fiber optic cable | Dual SC
Bypass Unit External to Router | 62.5/125μ fiber optic cable | Dual SC

AC-808 Multi Mode (SX) Fiber

NOTE Ethernet Cables may be Straight or Cross, depending upon your network.

For those Ethernet cables which are included with the NetEnforcer, see AC-800 Series Packing List on p. 3-2 for type details.

Connections | Cable Type | Connector Type
To NetEnforcer Management Port | Ethernet (Cat-6) (Included, P/N C411011) | RJ-45
To NetEnforcer Console Port | Ethernet (Cat-6) (Included, P/N C002005B) | RJ-45
Primary NetEnforcer to Bypass Unit (Internal/External) | 9/125μ fiber optic cable (Included, P/N C411014 x2) | Dual LC
NetEnforcer Backup Connector to Bypass Unit | DB-9 Cable (Included, P/N C702001) | D-Type 9-Pin
Secondary NetEnforcer to Network (Internal/External) | 9/125μ fiber optic cable | Dual LC
Bypass Unit Internal to Switch | 9/125μ fiber optic cable | Dual LC
Bypass Unit External to Router | 9/125μ fiber optic cable | Dual LC

AC-800 Series Single Mode (LX) Fiber

NOTE Ethernet Cables may be Straight or Cross, depending upon your network.

For those Ethernet cables which are included with the NetEnforcer, see AC-800 Series Packing List on p. 3-2 for type details.

Connections | Cable Type | Connector Type
To NetEnforcer Management Port | Ethernet (Cat-6) (Included, P/N C411011) | RJ-45
To NetEnforcer Console Port | Ethernet (Cat-6) (Included, P/N C002005B) | RJ-45
Primary NetEnforcer to Bypass Unit (Internal/External) | 9/125μ fiber optic cable (Included, P/N C411015) | Dual LC
NetEnforcer Backup Connector to Bypass Unit | DB-9 Cable (Included, P/N C702001) | D-Type 9-Pin
Secondary NetEnforcer to Network (Internal/External) | 9/125μ fiber optic cable | Dual LC
Bypass Unit Internal to Switch | 9/125μ fiber optic cable | Dual LC
Bypass Unit External to Router | 9/125μ fiber optic cable | Dual LC


Connectors

NetEnforcer Single and Double Bypass Units using Multi Mode fiber (SX) utilize dual SC connectors.

Figure 3-12 – Dual SC Connector

NetEnforcer Single and Double Bypass Units using Single Mode fiber (LX) and all Multi-Port Bypass Units utilize dual LC connectors.

Figure 3-13 – Dual LC Connector

NOTE Color and appearance of actual connectors may vary.


Bypass Units

The AC-800 Series operates with an external Bypass Unit. The Bypass Unit is a mission-critical subsystem designed to ensure network connectivity at all times. The Bypass mechanism provides ‘connectivity insurance’ in the event of a NetEnforcer subsystem failure. AC-800 Series Copper units operate with a Copper Bypass and AC-800 Fiber units operate with a Fiber Bypass. The AC-802 requires the Single Bypass Unit, the AC-804 requires a Double Bypass Unit and the AC-808 requires a Multi-port Bypass Unit. Bypass Units are connected to NetEnforcer by a series of leads and cables.

CAUTION All AC-800 Series models only function when the appropriate Bypass Unit is connected to them. This is to ensure continuous service in the event of failure.

AC-802 Bypass Units

Single Copper Bypass Unit

The Single Copper Bypass Unit works in conjunction with NetEnforcer AC-802 Copper models.

Figure 3-14 – Single Copper Bypass Unit

NOTE Use the supplied UTP CAT-6 straight Ethernet cables to connect link connections marked with Internal and External labels. The maximum Ethernet cable length is generally 50 meters.

The Single Copper Bypass Unit includes RJ-45 connectors for Ethernet cables and two D-type 9-pin connectors for primary and redundant unit to backup connection.


The following procedure describes how to connect a Single Copper Bypass Unit to NetEnforcer.

Figure 3-15 – Connecting the NetEnforcer AC-802 Copper to the Single Copper Bypass Unit

To connect the Single Copper Bypass to the NetEnforcer:

NOTE For important information regarding cable and connector types, see Cabling on p. 3-13.

1. Connect the External cable from the External port on the Bypass Unit to the External port on NetEnforcer.

2. Connect the Internal cable from the Internal port on the Bypass Unit, to the Internal port on NetEnforcer.


3. Connect the D-type connector from the Primary port on the Bypass Unit, to the Backup port on NetEnforcer.

4. Connect the External cable from the External port on the Bypass Unit, to a router connector.

5. Connect the Internal cable from the Internal port on the Bypass Unit, to a switch connector.

NOTES To connect a secondary NetEnforcer for Parallel Redundancy, you need two NetEnforcers and one Bypass Unit.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass Unit.

Single Fiber Bypass Unit

The Single Fiber Bypass Unit works in conjunction with NetEnforcer AC-802 Fiber.

There are two different Single Fiber Bypass units, one for Multi Mode connections (SX fiber) and one for Single Mode (LX fiber).

Figure 3-16 – Single Fiber Bypass Unit – Multi Mode

Figure 3-17 – Single Fiber Bypass Unit – Single Mode


NOTE Use 62.5/125μ or 9/125μ fiber optic cables with dual LC connectors (not provided) to connect 1 Gbps ports of the switch and the router.

The Single Fiber Bypass Unit includes either two duplex LC connectors and one built-in fiber cable (for Multi Mode connections) or two quad LC connectors (for Single Mode connections), along with two D-type 9-pin connectors for the primary and redundant unit backup connections.

The following procedure describes how to connect a Single Fiber Bypass Unit to NetEnforcer.

Figure 3-18 – Connecting NetEnforcer AC-802 Fiber to Single Fiber Bypass Unit – Multi Mode

To connect the Single Fiber Bypass to NetEnforcer:

NOTE For important information regarding cable and connector types, see Cabling on p. 3-13.


1. Connect the fiber cable labeled External from the Bypass Unit, to the External port on NetEnforcer.

2. Connect the fiber cable labeled Internal from the Bypass Unit, to the Internal port on NetEnforcer.

3. Connect the D-type connector from the Primary port on the Bypass Unit, to the Backup port on NetEnforcer.

4. Connect a 62.5/125μ or 9/125μ External fiber optic cable from the External port on the Bypass Unit, to a 1 Gbps router.

5. Connect a 62.5/125μ or 9/125μ Internal fiber optic cable from the Internal port on the Bypass Unit, to a 1 Gbps switch.

NOTES To connect a secondary NetEnforcer for Parallel Redundancy, you need two NetEnforcers and one Bypass Unit.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass Unit.

AC-804 Bypass Unit

Double Copper Bypass Unit

The Double Copper Bypass Unit works in conjunction with NetEnforcer AC-804 Copper.

NOTE Use the supplied UTP CAT-6 straight Ethernet cables to connect link connections marked with Internal and External labels. The maximum Ethernet cable length is generally 50 meters.

The Double Copper Bypass Unit includes RJ-45 connectors for Ethernet cables and D-type 9-pin connectors for primary and redundant unit to backup connection.


The following procedure describes how to connect a Double Copper Bypass Unit to NetEnforcer AC-804.

Figure 3-19 – Connecting the NetEnforcer AC-804 to Double Copper Bypass Unit

To connect the Double Copper Bypass to the NetEnforcer:

NOTE For important information regarding cable and connector types, see Cabling on p. 3-13.

1. Connect the External cable from the To NetEnforcer External port (Link 1) on the Bypass Unit to the External port on the NetEnforcer (Link 1).

2. Connect the Internal cable from the To NetEnforcer Internal port (Link 1) on the Bypass Unit to the Internal port on NetEnforcer (Link 1).

3. Connect the External cable from the External port on the Bypass Unit, to a router (1000Base-T) connector.


4. Connect the Internal cable from the Internal port on the Bypass Unit, to a switch connector.

5. Repeat Steps 1 to 4 for Link 2.

6. Connect the D-type High Density connector from the Primary port on the Bypass Unit, to the Backup port on NetEnforcer.

NOTES To connect a secondary NetEnforcer for Parallel Redundancy, you need two NetEnforcers and one Bypass Unit.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass Unit.

Double Fiber Bypass Unit

The Double Fiber Bypass Unit works in conjunction with NetEnforcer AC-804 Fiber.

There are two different Double Fiber Bypass units, one for Multi Mode connections (SX fiber) and one for Single Mode (LX fiber).

Figure 3-20 – Double Fiber Bypass Unit – Multi Mode

Figure 3-21 – Double Fiber Bypass Unit – Single Mode

NOTE Use 62.5/125μ or 9/125μ fiber optic cables with duplex LC connectors (not provided) to connect 1 Gbps ports of the switch and the router.

The Double Fiber Bypass Unit includes connectors for connecting to Link 1 and Link 2 on the AC-804. For each link, the Link Connectors area includes either two duplex LC connectors and one built-in fiber cable (for Multi Mode connections) or two quad LC connectors (for Single Mode connections). In addition, the Double Fiber Bypass Unit includes two D-type 9-pin connectors for the primary and redundant unit backup connections.


The following procedure describes how to connect a Double Fiber Bypass Unit to NetEnforcer AC-804.

Figure 3-22 – Connecting the NetEnforcer AC-804 to Double Fiber Bypass Unit – Single Mode


To connect the Double Fiber Bypass to the NetEnforcer:

NOTE For important information regarding cable and connector types, see Cabling on p. 3-13.

1. Connect the fiber cable labeled To NetEnforcer External (Link 1) from the Bypass Unit to the External port on the NetEnforcer (Link 1).

2. Connect the fiber cable labeled To NetEnforcer Internal (Link 1) from the Bypass Unit to the Internal port on the NetEnforcer (Link 1).

3. Connect a 62.5/125μ or 9/125μ External fiber optic cable from the External (Link 1) port on the Bypass Unit to a 1 Gbps router.

4. Connect a 62.5/125μ or 9/125μ Internal fiber optic cable from the Internal port on the Bypass Unit to a 1 Gbps switch.

5. Repeat Steps 1 to 4 for Link 2.

6. Connect the D-type High Density connector from the Primary port on the Bypass Unit, to the Backup port on the Primary NetEnforcer.

NOTES To connect a secondary NetEnforcer for Parallel Redundancy, you need two NetEnforcers and one Bypass Unit.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass Unit.

AC-808 Bypass Unit

Multi-Port Copper Bypass Unit

The Multi-port Copper Bypass Unit works in conjunction with the NetEnforcer AC-808.


Figure 3-23 – Multi-Port Copper Bypass Unit

NOTE Use the supplied UTP CAT-6 straight Ethernet cables to connect link connections marked with Internal and External labels. The maximum Ethernet cable length is generally 50 meters.

The Copper Bypass Unit includes RJ-45 connectors for Ethernet cables and D-type 9-pin connectors for primary and redundant unit to backup connection.

The following procedure describes how to connect the Bypass Unit to NetEnforcer AC-808.

To connect the Bypass Unit to the NetEnforcer AC-808:

NOTE For important information regarding cable and connector types, see Cabling on p. 3-13.

1. Connect the External cable from the To NetEnforcer External port (Link 1) on the Bypass Unit to the External port on NetEnforcer (Link 1).

2. Connect the Internal cable from the To NetEnforcer Internal port (Link 1) on the Bypass Unit to the Internal port on NetEnforcer (Link 1).

3. Connect the External cable from the External port on the Bypass Unit to a router (100Base-T) connector.

4. Connect the Internal cable from the Internal port on the Bypass Unit, to a switch connector.

5. Repeat Steps 1 to 4 for Links 2 to 4.

6. Connect the D-type High Density connector from the Primary port on the Bypass Unit to the Backup port on NetEnforcer.


NOTE To connect a secondary NetEnforcer for Parallel Redundancy, you need two NetEnforcers and one Bypass Unit.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass Unit.

Multi-Port Fiber Bypass Unit

The Multi-Port Fiber Bypass Unit works in conjunction with the NetEnforcer AC-808 Fiber. This unit is used for both Multi Mode (SX fiber) and Single Mode (LX fiber) connections.

Figure 3-24 – Multi-Port Fiber Bypass Unit

NOTE Use 62.5/125μ or 9/125μ fiber optic cables with duplex SC connectors (not provided) to connect 1 Gbps ports of the switch and the router.

The Multi-Port Fiber Bypass Unit includes connectors for connecting to Link 1 through Link 4 on the AC-808. The Link Connectors area includes two quad LC connectors for each link. In addition, the Multi-Port Fiber Bypass Unit includes two D-type 9-pin connectors for primary and redundant unit to backup connection.

The following procedure describes how to connect a Multi-Port Fiber Bypass Unit to the NetEnforcer AC-808.

To connect the Multi-Port Fiber Bypass to the NetEnforcer:

NOTE For important information regarding cable and connector types, see Cabling on p. 3-13.


1. Connect the fiber cable labeled To NetEnforcer External (Link 1) from the Bypass Unit to the External port on the NetEnforcer (Link 1).

2. Connect the fiber cable labeled To NetEnforcer Internal (Link 1) from the Bypass Unit to the Internal port on the NetEnforcer (Link 1).

3. Connect a 62.5/125μ or 9/125μ External fiber optic cable from the External port on the Bypass Unit to a 1 Gbps router.

4. Connect a 62.5/125μ or 9/125μ Internal fiber optic cable from the Internal port on the Bypass Unit to a 1 Gbps switch.

5. Repeat Steps 1 to 4 for Links 2 to 4.

6. Connect the D-type High Density connector from the Primary port on the Bypass Unit, to the Backup port on the NetEnforcer.

NOTES To connect a secondary NetEnforcer for Parallel Redundancy, you need two NetEnforcers and one Bypass Unit.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass Unit.

Powering Up

The following procedure describes how to power up the AC-800 series using the LCD panel.

NOTE NetEnforcer and the Bypass Unit have to be fully plugged and connected before power is turned on. This is to ensure proper and systematic power up.

It is recommended to connect the three power line feeds to separate power sources to have full power redundancy. The three bi-color Power LEDs on the rear of NetEnforcer are lit indicating that the power supply is connected to power and no failure condition exists.

The Power LED on the LCD panel should be lit and the Mode LED on the Bypass Unit is off, indicating that the power is on and NetEnforcer is bypassed.


The display area of the LCD panel indicates the following: Power On.

After a few seconds, the display area of the LCD panel indicates the following: System Loading *.

Once the system has completed loading, the following occurs:
• The Active LED on the LCD panel is lit and the Mode LED on the Bypass Unit is lit, meaning that the NetEnforcer is now connected to the network.
• The display area of the LCD panel indicates the default view - the current bandwidth consumption. For example: Inbound: XXX.X Outbound: YYY.Y

You can now proceed to configure the NetEnforcer, as required.


Setting Up the NetEnforcer

In order to manage and configure NetEnforcer policies remotely from your Web browser, several basic parameters must be configured on NetEnforcer. You can configure these basic parameters using a terminal connected to NetEnforcer or by using the LCD panel.

Configuring Via a Terminal or Telnet

You can use a standard terminal or a PC running terminal emulation software connected to the Console port, or Telnet via the internet, to configure a NetEnforcer. If you choose to connect via the Console port, most standard Windows-based PC systems have a terminal emulation program called HyperTerminal that can be used for this purpose. Configure the terminal to run VT100 terminal emulation with the following parameters:

• Baud rate 19200
• 8 bits
• Stop bits 1
• No flow control
• No parity


To connect a terminal to the NetEnforcer:

1. Use the supplied serial cable to connect the terminal to the Console Connector on the front panel of the NetEnforcer.

2. Connect the power cable and power up the NetEnforcer, as described in Powering Up, page 3-30.

3. At the terminal, select Start > Programs > Accessories and double-click on the HyperTerminal icon. Enter a name for the session and then set the COM port and the parameters (see above). The system boots up and you are prompted for a login and a password.

4. Enter admin for the login and allot for the password. (To change the password, see page 3-9.)

5. Press <Enter>. The NetEnforcer Setup Menu is displayed:

Figure 3-25 – NetEnforcer Setup Menu


To connect to a NetEnforcer via Telnet:

1. Open a Microsoft DOS window on a PC and at the C:\ prompt, enter Telnet (IP address of NetEnforcer). Press <Enter>. The system boots up and you are prompted for a login and a password.

2. Enter admin for the login and allot for the password. (To change the password, see page 3-9.)

3. Press <Enter>. The NetEnforcer Setup Menu is displayed:

NetEnforcer Start Menu

From this menu, you can perform the following tasks:

• Display the current configuration, page 3-3.
• Configure network parameters, page 3-6.
• Change the login password, page 3-9.
• Modify the date and time settings, page 3-10.

When all necessary parameters are set, the NetEnforcer prompts you to reboot. After rebooting is completed, the NetEnforcer is ready to be connected.

Displaying the Current Configuration

You can display and view the currently set network configuration parameters at any time.


To display the current configuration:

1. In the NetEnforcer Setup Menu, enter 1 (List current configuration) and press <Enter>. The current network configuration parameters are displayed. A sample screen is shown below:

Figure 3-26 – Current Configuration (1)

2. Press <Enter> to show the second screen of parameters:


Figure 3-27 – Current Configuration (2)

3. Press <Enter> to return to the NetEnforcer Setup Menu.


Configuring Network Parameters

You can define network parameters manually.

To define network parameters manually:

1. In the NetEnforcer Setup Menu, enter 2 (Network configuration) and press <Enter>. The Network Configuration menu is displayed:

Figure 3-28 – Network Configuration

2. Enter 2 (Manual configuration) and press <Enter>.


3. Enter values for the following IP parameters:

Parameter | Description
Device IP Address | The IP address for your NetEnforcer, for example, 10.1.18.7.
Network mask | The network mask for your NetEnforcer, for example, 255.0.0.0.
Device Hostname | The host name for your NetEnforcer, for example, Jonny2.
Domain name | A domain name for your NetEnforcer, for example, allot.com. Do not provide a leading ‘.’.
Default gateway IP address | The IP address of your default gateway, for example, 10.0.0.2. If you do not have a default gateway, enter NONE.
Primary name server IP address | If you have a Domain Name Server (DNS), its IP address. If you do not have a DNS, enter none.
Secondary name server IP address | If you have a second DNS, its IP address. If you do not have a second DNS, enter none.
VLAN ID, or NONE [NONE] | Allows the mgmt port to be connected to a VLAN tagged interface.

CAUTION: Misconfiguring this parameter will result in a loss of connection to the NetEnforcer.

4. Enter the following parameters to set up the Management Port:
• The duplex type for the Internal interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.
• If you selected full or half duplex, enter the link speed of the Internal interface, 10M or 100M. Use M for Mbps.
• The duplex type for the External interface. Enter full for full duplex, half for half duplex or auto for AutoSensing.
• If you selected full or half duplex, enter the link speed of the External interface, 10M or 100M. Use M for Mbps.

NOTE If the NetEnforcer unit is being managed via NetXplorer, only the Management Port can be configured on the Ethernet Adapter Settings screen.

5. Press <Enter> to finish and return to the Network Configuration menu.

6. To save your configuration, enter 3 (Save latest settings as current configuration) from the Network Configuration menu. A message is displayed, asking whether you wish to make your changes effective immediately. Enter y or n.


Changing the Passwords

You can change the login password for either the Admin user or the Monitor user. The Admin user has access to all NetEnforcer functions, while the Monitor user has read-only access. It is strongly recommended to change the default password (allot). NetEnforcer might enable access from anywhere on the Internet, and should therefore be protected with a unique password.

To change a user's password:

1. In the NetEnforcer Setup Menu, enter 3 (Change password) and press <Enter>. The Password screen is displayed:

Figure 3-29 – Password

2. Enter 1 or 2 to specify the type of user whose password you want to change and press <Enter>.

3. Enter a new password and press <Enter>. The password must be between 5 and 8 characters. You can use a combination of upper and lower case letters and numbers.

4. Re-enter the password and press <Enter>. If the NetEnforcer detects a simple password, a warning is displayed on the screen.

NOTE The new user name and password will be used in the NetEnforcer Log In window when accessing the NetEnforcer through a browser.
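A pre-flight check for the values entered in Configuring Network Parameters and for the password rules in this section, written as an added example; it is not code from the guide or from Allot. The parameter key names, the RFC 1123 label syntax for hostnames and the 802.1Q VLAN range 1-4094 are assumptions; the NONE/none conventions, the guide's sample values and the 5 to 8 character rule come from the guide.

```python
import ipaddress
import re

# Hostname/domain label syntax is an assumption (RFC 1123 style); the guide only
# shows examples ("Jonny2", "allot.com") and forbids a leading '.' in the domain.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Factory passwords documented in the guide (admin/allot, root/bagabu).
DEFAULT_PASSWORDS = {"allot", "bagabu"}


def _parse_ip(value, field, problems):
    """Parse an IPv4 field, appending a message to problems instead of raising."""
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        problems.append(f"{field}: '{value}' is not a valid IPv4 address")
        return None


def validate_network_params(params):
    """Check one set of Setup Menu answers before they are typed at the console.

    Keys mirror the guide's prompts (assumed names); values are the strings you
    would enter, with 'NONE'/'none' where the guide allows it. Returns a list of
    problems; an empty list means the configuration is internally consistent.
    """
    problems = []
    ip = _parse_ip(params.get("device_ip", ""), "Device IP Address", problems)

    # The mask is entered dotted-decimal (e.g. 255.0.0.0). ipaddress rejects
    # non-contiguous masks such as 255.0.255.0, which would define no usable subnet.
    net = None
    mask = params.get("network_mask", "")
    if ip is not None:
        try:
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        except ValueError:
            problems.append(f"Network mask: '{mask}' is not a valid IPv4 netmask")

    hostname = params.get("device_hostname", "")
    if not LABEL_RE.match(hostname):
        problems.append(f"Device Hostname: '{hostname}' is not a valid host label")

    domain = params.get("domain_name", "")
    if domain.startswith("."):
        problems.append("Domain name: remove the leading '.' (the guide forbids it)")
    elif not all(LABEL_RE.match(label) for label in domain.split(".")):
        problems.append(f"Domain name: '{domain}' is not a valid domain name")

    # A gateway that is not on the management subnet can never be reached, so the
    # unit would only be manageable from hosts on its own subnet.
    gw = params.get("default_gateway", "NONE")
    if gw.upper() != "NONE":
        gw_ip = _parse_ip(gw, "Default gateway IP address", problems)
        if gw_ip is not None and net is not None and gw_ip not in net:
            problems.append(f"Default gateway: {gw_ip} is outside the management subnet {net}")

    for field in ("primary_dns", "secondary_dns"):
        value = params.get(field, "none")
        if value.lower() != "none":
            _parse_ip(value, field, problems)

    # The guide's CAUTION: a wrong VLAN ID cuts off the management connection.
    # 1-4094 is the 802.1Q tag range (assumption; the guide states no range).
    vlan = params.get("vlan_id", "NONE")
    if vlan.upper() != "NONE" and not (vlan.isdigit() and 1 <= int(vlan) <= 4094):
        problems.append(f"VLAN ID: '{vlan}' is not NONE or a tag in the range 1-4094")

    return problems


def check_password(password):
    """Apply the guide's password rules: 5 to 8 characters, and not a factory default."""
    problems = []
    if not 5 <= len(password) <= 8:
        problems.append("password must be between 5 and 8 characters")
    if password in DEFAULT_PASSWORDS:
        problems.append("password is a factory default and must be changed")
    return problems


if __name__ == "__main__":
    # Constructed input built from the guide's own sample values.
    sample = {
        "device_ip": "10.1.18.7", "network_mask": "255.0.0.0",
        "device_hostname": "Jonny2", "domain_name": "allot.com",
        "default_gateway": "10.0.0.2", "primary_dns": "none",
        "secondary_dns": "none", "vlan_id": "NONE",
    }
    print(validate_network_params(sample) or "network parameters OK")
    print(check_password("allot"))
```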


Modifying Date and Time Settings

You can modify date and time settings as required. You can set the system time manually, or you can set up the NetEnforcer to receive time checks from an NTP (Network Time Protocol) server, if you have one on your network.

To modify the date and time settings:

1. In the NetEnforcer Setup Menu, enter 4 (Set time) and press <Enter>. The Time Setup screen is displayed:

Figure 3-30 – Time Setup

The current day, date, system time and time zone are displayed at the top of the screen.

2. To change the time zone, perform the following steps:
• Enter 1 and press <Enter>.
• Enter y and press <Enter>. NetEnforcer displays a list of time zones.
• Enter the required time zone and press <Enter>.

3. To change the system time, perform the following steps:
• Enter 2 and press <Enter>.
• Enter the new date and time in the format DD-MM-YYYY-HH-mm. For example, 12-05-2001-11-20 for 12th May 2001, 11:20 am.
• Press <Enter> to set the time.

Changing the Root User Password

You can change the root password that provides access to super-user rights.

To change the root password:

1. Use the supplied serial cable to connect the terminal to the Console Connector on the front panel of the NetEnforcer.

2. Set the NetEnforcer power switch, located near the NetEnforcer power cable, to the ON position. The system boots up and on the terminal you are prompted for a login and a password.

3. At the terminal, press <Enter>. The system boots up and you are prompted for a login and a password.

4. Enter root for the login and bagabu for the password, and then press <Enter>.

5. Enter passwd and then press <Enter>.

6. Enter a new password and press <Enter>. The password must be between 5 and 8 characters. You can use a combination of upper and lower case letters and numbers.

7. Re-enter the new password and press <Enter>.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After rebooting is completed, NetEnforcer is ready to be connected and to add Quality of Service in your network.

TIP You can further protect access to the NetEnforcer by limiting the hosts that are allowed to manage the unit.


Configuring Via the LCD Panel

All NetEnforcer AC-800 Series models provide an LCD panel from which you can configure basic NetEnforcer parameters without connecting a terminal. This enables quick and easy setting of basic parameters such as the IP address of NetEnforcer.

When not being used to configure the NetEnforcer, the display area in the LCD panel displays its default view, which is the current inbound and outbound bandwidth usage. The units are in Kbps or Mbps with one digit after the point and the display is refreshed every five seconds.

NOTE When you are configuring the NetEnforcer and there is no activity for more than 30 seconds, the display area returns to the default view and any modifications to parameters that were not saved are lost.

The Main Menu

The LCD panel provides one main menu from where you can perform the following operations:

• Set the NetEnforcer IP address, page 3-13.
• Activate Bypass, page 3-14.
• Reboot, shutdown or exit the NetEnforcer, page 3-15.

Getting Started on NetEnforcer

In order to start working with the NetEnforcer, press the Power button to turn on NetEnforcer. Once the system has completed loading, the display area of the LCD indicates its default view, the current bandwidth consumption of NetEnforcer. For example: Inbound: XX.XM Outbound: YYY.YM

You can now proceed to configure the NetEnforcer, as required.


NOTE If QoS functionality is not included in your NetEnforcer (not enabled by your activation key), the default view indicates the following: Inbound:- Outbound:-.

Setting the NetEnforcer IP Address

Setting the NetEnforcer IP address enables you to specify the IP address, netmask and default gateway for NetEnforcer.

To configure the IP address:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow once to display the following: Main menu: 2. Setup IP

3. Press the Select button. The display area indicates the following: 2-1.Set IP:

xxx.xxx.xxx.xxx (the current IP address definitions are displayed)

4. Specify the IP address of the NetEnforcer. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

5. Press the Enter button. The display area indicates the following: 2-2.Set mask:

xxx.xxx.xxx.xxx (the current netmask definitions are displayed)

6. Specify the netmask of the NetEnforcer. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

7. Press the Enter button. The display area indicates the following: 2-3 Gateway exists [Yes/No]

Select whether you have a gateway defined in your network. If you select N, you exit to the next step, skipping step 2-4. If you have a gateway, select Y and proceed: 2-4.Gateway:

xxx.xxx.xxx.xxx (the current gateway definitions are displayed)

8. Specify the IP address of the default gateway. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

9. Press the Enter button. The display area indicates the following: [S]ave/[C]ancel

10. Use the arrow buttons to select whether to save the settings or cancel and press the Enter button. The new IP and gateway settings are applied and after a few moments, the display area displays its default view, the current bandwidth consumption.

The following cases of failure may be indicated (the display shows two lines, given here separated by a slash):

Failure | Display
Netmask Save | Fail: MASK save / Chk NE IP config
Management NIC Save | Fail: Mgmt save / Chk NE IP config
Gateway Save | Fail: GW save / Chk NE IP config

Activating Bypass

To send the NetEnforcer into Bypass:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow three times to display the following: Main menu: 4. Bypass


3. Press the Select button. If the system is not in Bypass mode, the display area indicates the following: Go into Bypass? [Y]es/[N]o

4. Use the arrow buttons to select whether to enter Bypass mode and press the Enter button. The NetEnforcer switches to Bypass mode and after a few moments, the display area displays its default view, the current bandwidth consumption.

Rebooting, Shutting Down and Exiting the NetEnforcer

You can reboot or shut down the NetEnforcer and exit from LCD configuration as required.

To reboot the NetEnforcer:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow four times to display the following: Main menu: 5. Reboot

3. Press the Select button. The display area indicates the following: Reboot? [Y]es/[N]o

4. Use the arrow buttons to select whether to reboot the NetEnforcer and press the Enter button. The NetEnforcer reboots and the display area indicates the following: System Rebooting * (blinking asterisk)

NOTE This message is also displayed in the display area when the NetEnforcer is rebooted using a terminal.


To shutdown the NetEnforcer:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow five times to display the following: Main menu: 6. Shutdown

3. Press the Select button. The display area indicates the following: Shutdown? [Y]es/[N]o

4. Use the arrow buttons to select whether to shut down the NetEnforcer and press the Enter button. The NetEnforcer shuts down and the display area indicates the following: System Shutting down * (blinking asterisk). After a few seconds, the display area indicates that the NetEnforcer may be powered off.

NOTE This message is also displayed in the display area when NetEnforcer is shutdown using a terminal.

To return to LCD default view:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow six times to display the following: Main menu: 7. Exit

3. Press the Enter or the Select button. The display area displays its default view, the current bandwidth consumption.


Redundancy

Parallel Redundancy Failure of a network device can be catastrophic, causing network downtime and lost business. The key to designing any mission-critical network is to recognize that these failures can occur, and to design a network that can handle failures and still allow the network to function. In order to do this, it is important to use the most reliable equipment, with redundancy built in to all mission-critical equipment.

Two NetEnforcers can operate in parallel to provide Parallel Redundancy. This requires two NetEnforcer systems and, where an external Bypass Unit is used, a single Bypass Unit.

The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is designed to be in Standby mode as long as the Primary NetEnforcer is active. Only if, for any reason, the Primary NetEnforcer is not able to function properly does the Secondary NetEnforcer become active.

Both NetEnforcers receive traffic from the internal network, but only the Primary NetEnforcer is passing the traffic to the external network.

While the Primary NetEnforcer receives and handles traffic coming from the external network, the Secondary External interface is disabled, since the system is in Standby mode. If the Primary NetEnforcer should fail, the Secondary NetEnforcer automatically takes control of the traffic, and enables its External interface.

In Parallel Redundancy mode, the Bypass mode is activated in the event that both the Primary and Secondary NetEnforcers fail.


Status Indicators in Parallel Redundancy Mode When operating in Parallel Redundancy mode, two NetEnforcer units are connected. During operation, the LED indicators on each NetEnforcer give various readings. The LEDs relevant to Parallel Redundancy operation are the Standby, Active and Power LEDs on the NetEnforcer LCD panel.

The modes of operation of the indicators are described in the following table. Each pair of rows is one scenario:

Unit            Standby LED  Active LED  Power LED  Analysis
Primary Unit    OFF          ON          ON         Primary NetEnforcer is in Active mode.
Secondary Unit  ON           OFF         ON         Secondary NetEnforcer is in Standby mode, ready to take over.

Primary Unit    OFF          OFF         ON         Primary NetEnforcer has failed or is booting.
Secondary Unit  OFF          ON          ON         Secondary NetEnforcer has taken over and is in Active mode.

Primary Unit    OFF          OFF         OFF        Primary NetEnforcer is powered OFF.
Secondary Unit  OFF          ON          ON         Secondary NetEnforcer has taken over and is in Active mode.

Primary Unit    OFF          ON          ON         Primary NetEnforcer is in Active mode.
Secondary Unit  OFF          OFF         OFF        Secondary NetEnforcer is powered OFF. The only fail-safe mode now available is Bypass.

Primary Unit    OFF          OFF         ON         Primary NetEnforcer has failed or has not completed booting.
Secondary Unit  OFF          OFF         ON         Secondary NetEnforcer has failed or has not completed booting. Bypass is activated (in the primary unit) and all traffic passes through Bypass.

Table 3-1 – LED Conditions: AC-800 Series, Parallel Redundancy Mode

Secondary NetEnforcer Activation When two NetEnforcers are connected in Parallel Redundancy mode, the Secondary NetEnforcer will take control and become the active unit under the following conditions:

• Upon a Primary subsystem failure.
• During booting of the Primary NetEnforcer platform. When booting is completed, the Primary unit automatically takes control again.
• Upon any Primary NetEnforcer power feed failure or power OFF condition.
• Upon the Primary NetEnforcer Ethernet cable disconnecting from either the Internal or External port. After reconnecting the cable and rebooting, the Primary NetEnforcer takes control again.
• When the Bypass Unit is not connected properly to the NetEnforcer Backup connector, even with all other connectors fully plugged in.

NOTE If a cable is disconnected, it is recommended to reboot the Primary NetEnforcer after reconnecting the cable.


To connect two AC-800 Series NetEnforcers in Parallel Redundancy:

Before using NetEnforcers in Parallel Redundancy mode, make sure that the configuration of both NetEnforcers is identical; except for their IP addresses, which must be unique for each unit. You can use the Save & Distribute option to distribute the same QoS policy to both NetEnforcers.

NOTE You can distribute policy to other NetEnforcers, only if they are of the same model as the one from which you are distributing.

After ensuring identical configuration, test each NetEnforcer (while connected to the network as a single device) and verify that they are operating identically to one another.

1. Designate one of your NetEnforcers to be the default Primary, and connect the end of the Backup cable to the Backup connector of the NetEnforcer.

2. Connect the other end of the backup cable to the Primary connector of the Bypass Unit.

3. Designate the other NetEnforcer to be the Secondary and connect one end of the Backup cable to the Backup connector of the Secondary NetEnforcer.

4. Connect the other end of the Backup cable to the Secondary connector of the Bypass Unit.

5. Ensure that the status indicators of both systems indicate that the systems are configured correctly, as follows:

• The Active LED of the Primary NetEnforcer is ON.
• The Standby LED of the Primary NetEnforcer is OFF.
• The Active LED of the Secondary NetEnforcer is OFF.
• The Standby LED of the Secondary NetEnforcer is ON.

CAUTION When two NetEnforcers are connected in Parallel Redundancy mode with a switch on each interface, if the Primary NetEnforcer fails and the Secondary system takes control of traffic, the redundant unit may take some time to activate. This is normal switch behavior: the switch continues to forward packets to the Primary NetEnforcer, instead of to the Secondary NetEnforcer, until its forwarding-table entries for that port age out or are relearned.


Active Redundancy NOTE Active Redundancy is only relevant to AC-804 and AC-808 units. The AC-802 cannot support Active Redundancy.

In the Active Redundancy configuration, each NetEnforcer manages a single link while duplicating the link’s traffic to the other NetEnforcer. Both NetEnforcers are active. Each unit shapes the traffic of one link only, but the shaping algorithm considers traffic of both links. Such configuration is recommended for network topologies where both links are active in load-balancing mode.

Failover In the event that one of the links fails due to a router, switch or line malfunction, the network redundancy mechanism (for example, spanning tree) ensures that traffic is routed or switched via the other link and managed by the second NetEnforcer. Since both NetEnforcers maintain a constant view of the two links, there is no loss of flow state or of the other information required for correct shaping and application classification. Note that the bypass function is not used in such configurations.

Policy Configuration In the Active Redundancy configuration, the two NetEnforcers should share the same policy configuration.


Connecting the NetEnforcer in Active Redundancy Line 1 (and 3 in the AC-808) is used to pass actual traffic – these interfaces will be used to connect the NetEnforcers to the corresponding switches or routers.

Line 2 (and 4 in the AC-808) is used to duplicate traffic and pass it to the second NetEnforcer. Traffic that is passed between NetEnforcers is not sent to adjacent network devices – it is only used for monitoring and classification purposes.

Active Redundancy for the AC-804 In this configuration the operator uses two links to access the Internet. To achieve redundancy, each link will use a separate switch and router. Each link requires an AC-804 unit and a bypass unit to enable Active Redundancy.

Figure 3-31 – Active redundancy using AC-804


Each link has a similar structure. The switch port is connected to the Internal port of the first line card's bypass unit. The corresponding port is connected to the Internal port of the AC-804. The External port of the AC-804 is connected to the External port of the bypass unit, while its corresponding port connects to the router. The other ports of the bypass unit remain unconnected. The two AC-804 units are cross-connected to each other with two links to enable synchronization of traffic between the two units.

Configuring the AC-804

In order to configure active redundancy, it is necessary to configure the network interfaces and enable active redundancy. This is done in the following order:

1. Configure the Management Port interface via the LCD on the front panel of the NetEnforcer.

2. Log into the NetEnforcer via the Management Port or Telnet. Telnet sends the login credentials in clear text; if SSH is enabled in the Security tab, use it instead.

3. Open a console connection to the NetEnforcer and use the following CLI command:

   go config nic

   Options are:

   internal1 MODE:SPEED
   internal2 MODE:SPEED
   external1 MODE:SPEED
   external2 MODE:SPEED

   For example: go config nic -internal1 full:100


Active Redundancy for the AC-808 This configuration is suitable for a high-availability fully meshed environment, where operators use two switches and two routers to connect their networks to the Internet. Each switch connects to the two routers to provide redundancy.

In this scenario, two AC-808 units are installed together with two bypass units. The connectivity among the different network elements is shown in Figure 3-32.

Figure 3-32 – Active Redundancy using AC-808

• The two AC-808 units are cross-connected to each other with four links to synchronize traffic information between themselves.

• Each AC-808 unit connects via its corresponding bypass unit to the two switches (via two internal interfaces) and to a router (via two external interfaces).


• The remaining interfaces of the bypass units remain unconnected.

Configuring the AC-808

In order to configure active redundancy, it is necessary to configure the network interfaces and enable active redundancy. This is done in the following order:

1. Configure the Management Port interface via the LCD on the front panel of the NetEnforcer.

2. Log into the NetEnforcer via the Management Port or Telnet.

3. Open a console connection to the NetEnforcer and use the following CLI command:

   go config nic

   Options are:

   internal1 MODE:SPEED
   internal2 MODE:SPEED
   internal3 MODE:SPEED
   internal4 MODE:SPEED
   external1 MODE:SPEED
   external2 MODE:SPEED
   external3 MODE:SPEED
   external4 MODE:SPEED

   For example: go config nic -internal1 full:100


Serial Redundancy In Serial Redundancy two bypass units are connected to the network in series and the two NetEnforcers work in Active/Bypass mode.

NOTE In Serial Redundancy mode the two bypass units are connected to each other via a DB-9 cable (P/N C411012), available separately from Allot. This cable is labeled as the Serial Redundancy cable with its P/N and must NOT be confused with the Parallel Redundancy cable; they are NOT interchangeable. The Serial Redundancy cable connects to the Primary port of one unit and the Secondary port of the other.

One probe is in active mode at all times, and the other is in bypass mode. There is no probe in standby mode. When the active probe moves to bypass, the passive probe switches to active.

Even if the previously active probe recovers, it remains in bypass. The system does not try to converge to a pre-determined configuration, as it does in parallel redundancy.

In a normal situation the Primary Bypass forwards all traffic to the Primary NetEnforcer, which is in Active mode.

Figure 3-33 – Serial Redundancy – Normal Scenario


NetEnforcer Failover If the Primary NetEnforcer fails, its bypass unit goes into bypass mode, forwarding all traffic directly onward and bypassing the failed NetEnforcer. The Secondary NetEnforcer goes into active mode and all traffic is forwarded via the secondary unit, so NetEnforcer functionality is maintained.

In the unlikely situation where the Secondary unit also fails, its bypass unit goes into bypass mode as well. Network connectivity is maintained, but all NetEnforcer functionality is lost.

A bypass unit is provided with each NetEnforcer unit. In a failover situation (including power loss), the links connected to the bypass unit are wired (cross-connected) and traffic is not disturbed. The bypass unit is a passive device and does not require an external power supply.

Figure 3-34 – Serial Redundancy – Failover Scenario


Figure 3-35 – Serial Redundancy – Bypass Scenario

Serial Redundancy in Mesh Topologies Serial Redundancy can support mesh topology configurations. In the network diagram described below, each of the NetEnforcer units should be able to handle two links which requires it to have four network interfaces. The AC-804 can be used in such a configuration.


Figure 3-36 – Serial Redundancy – Mesh Scenario

In a network configuration with four links, each of the NetEnforcer units must have eight network interfaces. The AC-808 can be used in such a configuration.


AC-800 Hardware Specifications

Dimensions   Standard 2U by 19-inch, rack mountable
Height       3.46 in (88 mm)
Width        17.32 in (440 mm)
Depth        14.76 in (375 mm)
Weight       Copper: 24.9 lbs (11.3 kg); Fiber: 25.3 lbs (11.48 kg)

NOTE The weight of the Copper Bypass Unit is 3.86 lbs (1.75 kg) and the weight of the Fiber Bypass Unit is 4.28 lbs (1.94 kg).

Power Requirements
Input Voltage   100 - 240 V
Frequency       50/60 Hz
Current         7 - 3.5 A

Operating Environment
Temperature   32° F to 104° F (0° to 40° C)
Humidity      5% to 95% (non-condensing)


Standards, Compliance and Certifications All AC-800 models hold certificates for and comply with the standards listed below.

EMC
EMC Directive 89/336/EEC, article 7(1)
EN 55022:1998+A1(00) class A
EN 61000-3-2:1995_A1(98)+A2(98)
EN 61000-3-3:1995
EN 55024:1998+A1(01)
FCC 47 CFR part 15, subpart B, class A
ICES-003:1997, class A
VCCI:2002, class B
NEBS: GR-1089-Core*

Safety
IEC 60950:1999 with Japanese deviations
EN 60950:2000
NEBS: GR-1089-Core*
UL 1950 (NetEnforcer UL File number: E206586)
CAN/CSA C22.2 No.60950-00 *
UL 60950, third edition

Environmental
ETS 300 019-2-2 T 2.1
ETS 300 019-2-3 T 3.1
NEBS: GR-63-Core*

*NetEnforcer is designed to meet these standards.


Firewall Port Reference If your NetEnforcer, using Basic Management, is located behind a firewall, the following ports must be opened on the firewall to enable access to the NetEnforcer management functions. Open them only from the hosts or networks that administer the NetEnforcer: Telnet (23) and HTTP (80) carry credentials in clear text, and port 53306 exposes the MySQL database directly.

Firewall Port   Gives Access To
TCP 23          Telnet
TCP 80          Web Server/GUI
TCP 51000       Policy Editor GUI Access
TCP 52000       Monitoring GUI Access
TCP 53000       Alerts GUI Access
TCP 53306       MySQL Access
TCP 56000       Internal Accounting GUI Access and External Accounting Data Transfer Access


Chapter 4: Configuring NetEnforcer

This chapter describes how to modify NetEnforcer’s configuration parameters from a Web browser. You can also configure NetEnforcer using a command line interface, described in Appendix G, NetEnforcer Command Line Interface.

This chapter includes the following sections:

Overview, page 4-2, provides an introduction to the process of modifying configuration parameters from your browser.

NetEnforcer Configuration Window, page 4-6, describes the menu bar and toolbar in the NetEnforcer Configuration window.

NetEnforcer Configuration Parameters, page 4-9, describes the configuration parameters available in the NetEnforcer Configuration window.

Additional Configuration Options, page 4-45, describes how to change the date and time settings on NetEnforcer, how to backup, restore and verify configuration, as well as how to retrieve certain configuration parameters from a DHCP server.


Overview Once you have configured NetEnforcer for your network environment, described in Chapter 2, Installing NetEnforcer, you can modify configuration parameters remotely via your Web browser including initial setup parameters, as well as the following run-time parameters:

• System parameters, including software versions and keys

• Access link parameters, including the duplex type and bandwidth of Internal and External interfaces

• Network interface parameters, including IP addresses and mask/gateway parameters

• Access control parameters that determine access to NetEnforcer management functions

• Internal and external Ethernet adapter parameters

• Networking parameters, including monitoring only mode and bridging protocol

• Parameters that enable SNMP-compatible management functions

• Connection parameters

• Monitoring parameters

• Accounting parameters

• LDAP parameters

• VLAN parameters

• Denial of Service (DoS) parameters

Configuration parameters are modified from the NetEnforcer Configuration window. A general procedure for configuring NetEnforcer is presented on page 4-3. A description of all the possible configuration parameters begins on page 4-9.


To configure NetEnforcer:

1. From the NetEnforcer Control Panel, click Configuration. The NetEnforcer Configuration window is displayed:

Figure 4-1 – NetEnforcer Configuration Window

Configuration parameters are grouped in tabs. The configuration parameters are described in NetEnforcer Configuration Parameters, page 4-9. In each tab, edit the relevant configuration parameters, as required.

2. Click Save to NetEnforcer on the toolbar, or select Save to NetEnforcer from the File menu, to save the configuration. The following confirmation message is displayed:


Figure 4-2 – Confirmation Message

3. Click OK.

NOTE:

Rebooting the NetEnforcer is required when you make changes to any of the following:
• NetEnforcer Activation Key (Product IDs & Key tab)
• NIC
• Networking / Accounting / RADIUS Setup / Restore Configuration
• Time
• Management port definition
This ensures that the saved parameter values are committed and activated on NetEnforcer. You are automatically prompted to reboot.


Activating the NetEnforcer The Key Expiration date is displayed in the Product IDs & Key tab of the Configuration window. Some keys do not have an expiration date, and in those cases this field is empty.

Once the key has expired, the NetEnforcer reboots and the Product IDs & Key tab then shows all modules as disabled.


NetEnforcer Configuration Window The NetEnforcer Configuration window contains a menu bar, a toolbar, and tabbed pages of configuration parameters.

Menu Bar The menu bar in the NetEnforcer Configuration window includes five menus, described in the following sections.

File Menu

The File menu includes the following options:

Save to NetEnforcer Saves the configuration to NetEnforcer. This option is only enabled after changes have been made to the configuration.

Reboot NetEnforcer Enables you to reboot NetEnforcer.

Shutdown NetEnforcer Enables you to shut down NetEnforcer.

Print Enables you to print the configuration parameters in text format.

Exit Closes the NetEnforcer Configuration window.


Edit Menu

The Edit menu includes the following option:

Undo All Unsaved Changes

Undoes all changes that have not yet been saved.

Options Menu

The Options menu includes the following options:

Backup Configuration Enables you to save the configurations in a file. Refer to Backing Up Configuration, page 4-45.

Restore Configuration Enables you to open previously saved configurations. Refer to Restoring Configuration, page 4-46.

Set Date and Time Enables you to configure the date and time on NetEnforcer. Refer to Setting Date and Time, page 4-47.

Setup Verification Enables you to verify some basic configuration parameters. Refer to Verifying Configuration, page 4-48.

Help Menu

The Help menu includes the following option:

Index Provides access to online help.


Toolbar The toolbar in the Configuration window enables easy access to many of the functions available from the menu bar. The toolbar includes the following buttons:

Save to NetEnforcer Saves the configuration to NetEnforcer. This button is only enabled after changes have been made to the configuration.

Reboot NetEnforcer Enables you to reboot NetEnforcer.

Shutdown NetEnforcer Enables you to shut down NetEnforcer.

Print Enables you to print the configuration parameters in text format.

Undo All Unsaved Changes Undoes all changes that have not yet been saved.

Backup Configuration Enables you to save the configuration to a TFTP server. TFTP provides no authentication or encryption, so the TFTP server should be reachable only from the management network.

Restore Configuration Enables you to restore the configuration from a TFTP server.

Help Provides access to online help.


NetEnforcer Configuration Parameters The NetEnforcer Configuration window includes the following tabs:

• Product IDs and Key, page 4-10

• Access Links, page 4-12

• IP & Host Name, page 4-14

• Security, page 4-17

• NIC, page 4-19

• Networking, page 4-21

• SNMP, page 4-25

• Connection Control, page 4-26

• Monitoring, page 4-28

• Internal Accounting, page 4-29

• External Accounting, page 4-31

• RADIUS Setup, page 4-33

• Accounting/RADIUS Storage, page 4-36

• LDAP/Text Source, page 4-39

• VLAN, page 4-40

• Alerts, page 4-42

• Denial of Service (DoS), page 4-43

Each tab includes parameters that can be configured as required. After modifying configuration parameters, you must select Save to NetEnforcer in order for the changes to take effect.

The parameters available in each tab are described in the following sections.


Product IDs and Key The Product IDs & Key tab includes parameters that provide system information and activate optional NetEnforcer modules.

Figure 4-3 – Product IDs & Key Parameters

The Product IDs & Key tab includes the following parameters:

Parameter Definition

Product Model The NetEnforcer model. This field is read only.

Software Version The software version on NetEnforcer. This field is read only.

Backplane Version The backplane version on NetEnforcer. This field is read only.

Box Number The ID number of NetEnforcer. This field is read only.


NetEnforcer Activation Key

The activation key to enable NetEnforcer. Enter the activation key supplied to you when purchasing NetEnforcer. The functionality enabled by the key is summarized in the fields below.

Quality of Service Quality of Service is enabled on NetEnforcer.

Load Balancing The NetBalancer module is enabled on NetEnforcer.

Cache Enforcer The CacheEnforcer module is enabled on NetEnforcer.

NetAccountant The NetAccountant module is enabled on NetEnforcer.

NetEnforcer Bandwidth Capacity

The maximum bandwidth capacity of NetEnforcer.

After entering an activation key, click Save. The following message is displayed:

Figure 4-4 – Save Configuration to NetEnforcer Message

Click Yes and NetEnforcer will automatically reboot. After the reboot, re-open the NetEnforcer Configuration window, select the Product IDs & Key tab and you can see the new settings based on the activation key.


Access Links The Access Links tab includes parameters that enable you to set the duplex type and bandwidth of the Internal and External interfaces. The internal side of NetEnforcer interfaces with your Local Area Network (LAN) and the external side of NetEnforcer interfaces with the Wide Area Network (WAN) via your access router.

Figure 4-5 – Access Links Parameters

The Access Links tab includes the following parameters for the Internal and External interfaces:

Parameter Definition

Type The type of interface. The options are as follows:
Half Duplex: The access link can either transmit or receive traffic, but not both at once.
Full Duplex: The access link can transmit and receive traffic simultaneously.


Outbound Bandwidth The bandwidth of the link going away from NetEnforcer. When the Type is Half Duplex, the outbound bandwidth applies to both inbound and outbound traffic and the inbound bandwidth is not relevant.

Inbound Bandwidth The bandwidth of the link going into NetEnforcer.

TIP:

If you enter a maximum bandwidth setting of less than 1 Kbps for either interface, the following message is displayed: "A bandwidth rate of less than 1000 bits/sec has been entered for Internal outbound speed. This is very slow speed. Continue with save anyway?" Press Yes to confirm that this is the correct setting for the interface, or No to enter another value. It is strongly recommended not to attempt to shape traffic to less than 1 Kbps: setting an internal or external bandwidth of less than 1 Kbps brings normal network traffic to a halt. For example, shaping short 64-byte frames to a 1000 bps link yields fewer than two packets per second, which is impractical in today's networks. Refer to the Release Notes for more information.


IP and Host Name The IP & Host Name tab includes parameters that enable you to modify the IP and host name configuration of your network interfaces.

Figure 4-6 – IP & Host Name Parameters

The IP & Host Name tab includes the following parameters:

Parameter Definition

IP Address of NetEnforcer The IP address of NetEnforcer.

Network Mask The network subnet mask.

Default Gateway The IP address of the default gateway.

The default gateway provides the route between NetEnforcer and clients on other subnets, so that clients can access NetEnforcer remotely when it is on a different subnet from theirs.


Host Name of NetEnforcer The host name of NetEnforcer.

Domain Name The domain name.

Primary Domain Name Server

The IP address of the primary domain name server.

Secondary Domain Name Server

The IP address of the secondary domain name server.

Primary NTP Time Server The name of the primary NTP (Network Time Protocol) server. This enables NetEnforcer to receive the date and time from an NTP server.

Secondary NTP Time Server

The name of the secondary NTP (Network Time Protocol) server.

Tertiary NTP Time Server The name of the tertiary NTP (Network Time Protocol) server.


Out-of-Band Management The dedicated Management port provides a separate path for device management, for both enterprises and service providers. It lets you restrict management access to a closed group of network administrators: ISP customers cannot "see" the Management port and therefore cannot reach the NetEnforcer management functions through it. You can enable or disable this Management port, selecting either In-Band or Out-of-Band management.

Out-of-Band mode is graphically illustrated as follows:

Figure 4-7 – Out-of-Band Management

The Management port is enabled by default in all NetEnforcers with a management port. Make sure that the Disable Management Port parameter in the IP & Host Name tab is unchecked, as described in the previous section.

NOTE:

To use In-Band management and manage the NetEnforcer via the Internal/External ports, select the Disable Management port option in the IP & Host Name tab.


Security The Security tab includes parameters that enable you to specify which management protocols are enabled and to control access to NetEnforcer management functions by specifying the hosts to which you want to grant access permission.

CAUTION:

If no hosts are defined, anyone with a user name and a password can access NetEnforcer management functions.

Figure 4-8 – Security Parameters

The Security tab includes the following parameters on the left side:

Parameter Definition

Enable Telnet: Select this checkbox to enable remote Telnet communications with the NetEnforcer. Telnet carries the login and the entire session across the network in clear text, so leave it disabled wherever SSH is available.

Enable SSH (Secure Shell): Select this checkbox to enable remote SSH communications with the NetEnforcer.

Enable Ping: Select this checkbox to enable remote Ping communications with the NetEnforcer.

On the right side of the Security tab is the Allowed Hosts list: the hosts that are permitted to access NetEnforcer management functions. When the Allowed Hosts list is empty, access to NetEnforcer management functions is unrestricted. When the list contains hosts, only those hosts are allowed access. An entry given as a host name can only be matched after NetEnforcer resolves it, so it depends on the DNS servers defined in the IP & Host Name tab; an IP address entry does not, and is the safer choice for a management station with a fixed address. You can enter a host in either of the following formats:

• The name of the host.

• The IP address of the host.

CAUTION:

If no hosts are defined, anyone with a user name and a password can access NetEnforcer management functions.

To add a host to the list:

1. Select Host or IP in the Host/IP Item area.

2. Specify the host name or IP address in the field to the right of the selected option.

3. Click Add. The specified host is added to the Allowed Hosts list.

You can add as many hosts as required.

To modify a host, select the host in the Allowed Hosts list to display the details in the fields on the left. Modify the details as required and click Update.

To remove a host, select the host in the Allowed Hosts list to display its details in the fields on the left and click Delete. If the host that you selected is the only one in the list, the following message is displayed: "Deletion will leave 'Allowed Hosts' list empty. This means that all hosts will be able to access the NetEnforcer. Continue?" Click Yes to remove the host and leave the list empty; otherwise add a replacement host before deleting this one.
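The access rule the two cautions describe (an empty Allowed Hosts list means no restriction, a non-empty list means only the listed hosts) is easy to get wrong in a configuration review, so here is a small model of it as an added example. It is not Allot code: the SecurityTab field names and the resolved_names lookup table that stands in for DNS are assumptions, and the audit function lists what a security reviewer would flag in a Security tab configuration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class SecurityTab:
    """Model of the Security tab; field names are assumptions that mirror the GUI labels."""
    enable_telnet: bool = False
    enable_ssh: bool = True
    enable_ping: bool = True
    # Entries are host names or IP address strings, exactly as typed in the GUI.
    allowed_hosts: list = field(default_factory=list)


def _is_ip(entry):
    try:
        ip_address(entry)
        return True
    except ValueError:
        return False


def management_access_allowed(tab, client_ip, resolved_names=None):
    """Documented rule: an empty Allowed Hosts list grants access to every client,
    a non-empty list grants access only to listed hosts.  resolved_names maps a
    client IP to the names it resolves to; it is a constructed stand-in for the
    DNS lookups needed to match a host-name entry."""
    if not tab.allowed_hosts:
        return True  # the fail-open case both CAUTIONs warn about
    names = set((resolved_names or {}).get(client_ip, ()))
    client = ip_address(client_ip)
    for entry in tab.allowed_hosts:
        if _is_ip(entry):
            if ip_address(entry) == client:
                return True
        elif entry in names:
            return True
    return False


def audit(tab):
    """Findings a reviewer would raise about a Security tab configuration."""
    findings = []
    if not tab.allowed_hosts:
        findings.append("Allowed Hosts is empty: any host that can reach the device may attempt a login")
    if tab.enable_telnet:
        findings.append("Telnet is enabled: logins and sessions cross the network in clear text; use SSH")
    for entry in tab.allowed_hosts:
        if not _is_ip(entry):
            findings.append(f"Allowed host {entry!r} is a name: the match depends on a DNS answer, not on the host")
    return findings
```

The point of the model is the first branch of management_access_allowed: an empty list is not "deny all" but "allow all", which is the opposite of what most access lists do, and the audit function reports it as a finding for exactly that reason.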

Page 169: Net Enforcer Operation Guide v5.5

Chapter 4: Configuring NetEnforcer

NetEnforcer Operation Guide v5.5 4-19

NIC The NIC tab includes parameters that enable you to configure the internal and external Ethernet adapters either to negotiate the duplex mode and speed automatically or to use a predetermined duplex mode and speed. When working with AC-601/802 models, you can also set the duplex mode and speed of the management interface.

Figure 4-9 – NIC Parameters

The NIC tab includes Mode and Speed parameters for the internal and external Ethernet adapters.

NOTE:

If the management interface is disabled (its parameters cannot be set in this tab), look in the IP & Host Name tab: the Disable Management Port checkbox is selected. Clear it to enable the management interface.

Parameter Definition

Mode: The duplex mode of the interface. The options are as follows. Auto: the interface negotiates the duplex mode (and speed) with the connected device. Half Duplex: the interface can either transmit or receive traffic at any one time. Full Duplex: the interface can transmit and receive traffic simultaneously.

Speed: The speed of the interface: Auto, 1000M, 100M or 10M. When the Mode is Auto, you cannot predefine the interface speed: Speed is set to Auto and cannot be modified.

NOTES:

For models AC-601 and AC-802 Copper, you can also select 1000M as the link speed for the Internal or External interfaces.

For model AC-802 Fiber, the settings for the Internal and External interfaces cannot be changed: the duplex type is full and the link speed is 1000M.

When you connect NetEnforcer to a hub or switch, ensure that the Ethernet adapter settings on both sides are set to the same mode. This ensures proper communication between the Ethernet adapters. For example, if you set the Ethernet adapter on NetEnforcer to Auto, you must also set the Ethernet adapter on the hub or switch connected to that interface to Auto. The same principle applies when setting Ethernet adapters to Half or Full Duplex mode. To ensure that the devices on both sides of NetEnforcer can communicate if NetEnforcer enters Bypass mode, make sure that the interfaces on the devices on both sides of NetEnforcer are set to the same NIC (Ethernet adapter) mode.

Networking The Networking tab includes parameters that enable you to configure the network topology and to select Monitoring Only mode.

Figure 4-10 – Networking Parameters

The Networking tab includes the following parameters:

Parameter Definition

Support 'Spanning Tree' protocol: Whether you are using a second NetEnforcer as a backup system in a spanning tree configuration.

Disable Transport Layer Classification (TCP/UDP ports): Whether NetEnforcer classifies by TCP/UDP ports and content inspection. Selecting this checkbox reduces the number of connections seen by NetEnforcer and improves its performance, at the cost of port-based classification.

Disable Application Layer Analysis in NetEnforcer: Whether NetEnforcer analyzes application-layer content. Selecting this checkbox disables content inspection, including Napster and FTP identification, and improves the performance of NetEnforcer.

NetEnforcer is Enabled for Monitoring Only: This checkbox only appears on the Enhanced Platforms AC-202 and AC-402. Select it to monitor and view traffic graphically. Traffic is classified, but NetEnforcer does not enforce policies or take action on them. Monitoring Only mode is described in detail below.

Monitoring Only Mode Monitoring Only mode allows the operator to install and use the NetEnforcer in listen-only mode, so that it can be connected without interfering with network activity.

Applying this mode has the following benefits:

• Monitors the network activity in a non-intrusive way. NetEnforcer behaves as a probe, as traffic is not going through NetEnforcer.

• Enables you to view monitoring graphs, download accounting information via the ODBC or collect long term monitoring statistics.

• Enables traffic to be shaped by simply switching NetEnforcer to Active mode.

• Generates audits without interrupting your network activity.

Monitoring Only mode is activated and deactivated via the GUI or CLI. While this "tapping" mode is active, management is possible only through the Management port, and QoS and connection control activity are disabled.

See Figure 4-7 for a graphical representation of Monitoring Only mode.

Operating Monitoring Only Mode from the GUI

To activate Monitoring Only mode, select the NetEnforcer is enabled for monitoring only. QoS enforcement is disabled checkbox in the Networking tab, described on page 4-21.

When operating in Monitoring Only mode, you must use the Management port to manage the NetEnforcer. If the Management port is not enabled (for example, because its connection is incomplete), the following message is displayed:

Figure 4-11 – Monitoring Only Mode Error Message

When the Management port is enabled, and you have activated Monitoring Only mode, the following message is displayed:

Figure 4-12 – Activating Monitoring Only Mode Message

Click Yes to continue with Monitoring Only mode.

When you deactivate Monitoring Only mode, the system returns to its previous state and the following message is displayed:

Figure 4-13 – Deactivating Monitoring Only Mode Message

Click Yes to exit Monitoring Only mode.

Operating Monitoring Only Mode from the CLI

There is a CLI command that activates the Monitoring Only mode. The effect is the same as when it is activated from the GUI. See Appendix G, NetEnforcer Command Line Interface.

Operating Monitoring Only Mode from the LCD

The main menu includes an additional option that enables/disables Monitoring Only mode. See Configuring Via the LCD Panel in Chapter 2, Installing NetEnforcer.

SNMP The SNMP tab includes parameters that enable you to configure SNMP-compatible management functions.

Figure 4-14 – SNMP Parameters

The Simple Network Management Protocol (SNMP) is a widely used network management protocol that supports management functions such as device discovery, monitoring and event generation. NetEnforcer support for SNMP includes MIB II with standard MIB II traps. In community-based SNMP the community string is the only credential and it is sent in clear text, so choose community strings that cannot be guessed (never the well-known defaults public and private), configure a Write Community only if a management station actually needs to set variables, and make sure the device can be reached by SNMP only from your management hosts.

The SNMP tab includes the following parameters:

Parameter Definition

Read Community: The SNMP community for devices reading SNMP variables from NetEnforcer.

Write Community: The SNMP community for devices setting SNMP variables on NetEnforcer.

Trap Community: The SNMP community carried in the SNMP traps that NetEnforcer sends.

Trap Destination: The IP address of the Network Management Console that receives the NetEnforcer-generated SNMP traps. If there is no such destination, leave this parameter blank.

Contact: The contact person, for SNMP purposes.

Location: The location of the system, for SNMP purposes.

Connection Control The Connection Control tab includes parameters that enable you to configure timeouts and the number of retries for the NetBalancer and CacheEnforcer modules, as well as other connection parameters.

Figure 4-15 – Connection Control Parameters

The Connection Control tab includes the following parameters:

Parameter Definition

Server Tracking Timeout: The length of time that NetBalancer waits before concluding that the server is down. The value must be between 10 and 240 seconds.

Server Tracking Retries: The number of times that NetBalancer tries to connect to the server. The value must be between 1 and 100.

Connect Timeout: The length of time that NetBalancer spends attempting to establish the availability of a server. The value must be between 10 and 240 seconds.

Service Tracking Timeout: The length of time that NetBalancer or CacheEnforcer waits before concluding that the service (for example, HTTP) is down. The value must be between 10 and 249 seconds.

Service Tracking Retries: The number of times that NetBalancer or CacheEnforcer tries to connect to the service. The value must be between 1 and 100.

Use Connection Control IP Address to Connect: Check this box if you are using content inspection and the cache server and the clients of the cached traffic are on the same side of NetEnforcer.

NOTE:

The Connection Control parameters have no effect unless NetBalancer or CacheEnforcer is enabled on your system. For a description of NetBalancer functionality, refer to the NetBalancer User's Manual. For a description of CacheEnforcer functionality, refer to the CacheEnforcer User's Manual.

Monitoring The Monitoring tab includes parameters that display the monitoring sample period on NetEnforcer and enable you to configure whether NetEnforcer performs DNS resolution.

Figure 4-16 – Monitoring Parameters

The Monitoring tab includes the read-only parameter Monitoring Sample Period on NetEnforcer, which displays the length of the sample period used in the monitoring process.

In addition, the Resolve DNS Names for Monitoring Data checkbox controls whether NetEnforcer performs DNS resolution. When it is selected, IP addresses are translated to host names for the Monitoring module. If you select this checkbox, ensure that you have defined a DNS server (or servers) in the IP & Host Name tab.

Internal Accounting Setup

NOTES:

The NetAccountant now has the following options for data storage:

• Locally on the NetEnforcer

• Externally on a Radius Server

• Externally on a Sybase database (via the NetAccountant Reporter)

• Exported via ODBC to an external PC.

Any or all of these options may be implemented at one time.

The Internal Accounting tab includes parameters that enable you to determine the frequency and granularity of data storage, and to control the quantity of data stored. The Internal Accounting parameters are only relevant when NetAccountant is enabled in your system. This is indicated in the Product Ids & Key tab. For more information concerning the NetAccountant module and Internal and External Accounting, see the NetAccountant User's Manual.

Figure 4-17 – Internal Accounting Parameters

Parameter Definition

Record Accounting Data Within the NetEnforcer Device Only: Whether NetEnforcer records accounting data to the accounting database located on NetEnforcer. This must be selected for accounting to be active.

Data will be Collected and Saved Every: The data storage frequency, which is also the granularity of the stored data. The larger this interval, the less precisely the time of a connection is recorded and the less data is stored, so data from a longer period can be kept. The minimum setting is one hour. This granularity is also the finest granularity available in accounting reports.

Data will be Deleted From Server After: The length of time data is stored in the database. Limiting this span keeps accounting data from saturating NetEnforcer's hard disk. For example, if you set this parameter to one month, then every day at midnight the data accumulated more than one month before the current date is removed. Configure this option with care to avoid filling NetEnforcer's hard disk with accounting data. Note that an accounting report cannot span a longer period than the deletion span.

Use ODBC to Read Accounting Data: Whether host IP addresses are translated to string representations so that ODBC applications can read the accounting data. The strings are stored in the Hosts table in the NetAccountant database. The default setting is deselected; leave it deselected if you do not use an ODBC interface.

CAUTION:

With the default (deselected) setting of the Use ODBC to Read Accounting Data checkbox, IP addresses that were not resolved to names are not stored in the Hosts table. Note that in previous software versions, IP addresses that were not resolved to names were stored in the Hosts table.

Resolve DNS Names for Accounting Data: Whether NetEnforcer performs DNS resolution. When selected, IP addresses are translated to host names for the Accounting module. Ensure that you have defined a DNS server (or servers) in the IP & Host Name tab.

In the example shown in Figure 4-17, data is recorded every hour (or earlier, when the accumulated data reaches a certain amount of memory) and data is deleted from the server after seven days.

External Accounting Setup The External Accounting tab enables you to configure the dispatch of accounting data to an external accounting server.

Figure 4-18 – External Accounting Parameters

Parameter Definition

Dispatch Accounting Data to External Repository Defined Below: Whether NetEnforcer dispatches accounting data to the external server specified in this tab. Accounting data is not dispatched if this checkbox is not selected.

Primary Server Host Name / IP Address: The host name or IP address of the primary external accounting server.

Secondary Server Host Name / IP Address: The host name or IP address of the secondary external accounting server.

RADIUS Setup The RADIUS Setup tab includes parameters that enable you to export accounting data to a RADIUS server. The RADIUS Setup parameters are only relevant when NetAccountant is enabled in your system. (This is indicated in the Product Ids & Key tab.) The NetAccountant module is described in the NetAccountant User's Manual.

NOTE:

You can configure NetEnforcer to send accounting data to both its own accounting database and to a RADIUS server. If you are using RADIUS, ensure that you configure parameters in the Accounting/RADIUS Storage tab as well.

Figure 4-19 – RADIUS Setup Parameters

The RADIUS Setup tab includes the following parameters:

Parameter Definition

Export Data to RADIUS Servers: Whether NetEnforcer exports data to a RADIUS server. This must be selected for RADIUS to be active.

Data will be Collected and Dispatched Every: The frequency at which data is collected and dispatched.

Primary RADIUS Server Host Name/IP Addr: The IP address or host name of the primary RADIUS server.

Shared Secret: The shared secret configured for NetEnforcer on the primary RADIUS server. The secret is used to compute the authenticator of every accounting packet, so the server discards records sent with a secret that does not match its own; choose a long, random value.

Reenter Secret: The same secret again, for confirmation.

Secondary RADIUS Server Host Name/IP Addr: The IP address or host name of the secondary RADIUS server. The secondary RADIUS server becomes active when the primary server is unavailable or fails.

Shared Secret: The shared secret configured for NetEnforcer on the secondary RADIUS server.

Reenter Secret: The same secret again, for confirmation.

Message Send Failure Timeout: The length of time NetEnforcer keeps trying to send a message to a RADIUS server without success before it gives up on that attempt. The value must be between 1 and 60 seconds.

# of Retries for Attempting Message Send: The number of times that NetEnforcer attempts to resend a message after a timeout occurs. The value must be between 1 and 10.

# of Failed Messages Before Switch to Other Server: The number of unsuccessful message sends that NetEnforcer tolerates before switching to the secondary server. The value must be between 1 and 200.

Send RADIUS Stop Messages Only: Whether NetEnforcer sends only RADIUS accounting Stop messages to the RADIUS server. A Stop record carries the totals for a completed connection, so this reduces the message volume while still reporting each connection's usage.
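The following added example (not Allot code) shows what the shared secret does, using the RADIUS accounting packet format of RFC 2866: the NetEnforcer side builds an Accounting-Request Stop record whose Request Authenticator is an MD5 over the packet and the secret, and the server side recomputes it before accepting the record. The secret, session identifier and byte counts are constructed values.

```python
import hashlib
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # RADIUS codes (RFC 2866)
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
STATUS_STOP = 2


def attr(atype, value):
    """One attribute: Type, Length (covering type, length and value), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_acct_request(identifier, secret, attrs):
    """Client (NetEnforcer) side.  Request Authenticator =
    MD5(Code | Identifier | Length | 16 zero octets | attributes | shared secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(packet, secret):
    """Server side: recompute the authenticator with its own copy of the secret.
    A mismatched secret or any altered byte makes it differ, and RFC 2866 says
    such a request is silently discarded."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return packet[4:20] == expected


def build_acct_response(request, secret):
    """Response Authenticator = MD5(Code | Identifier | Length | Request Authenticator | attributes | secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_acct_response(response, request, secret):
    """Client side: only a server holding the secret can produce a valid response."""
    if len(response) != 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected


def attributes(packet):
    """Decode the attribute list of a request into {type: value} (first occurrence wins)."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return out


def stop_record(identifier, secret, session_id, input_octets, output_octets):
    """An Accounting-Request with Acct-Status-Type Stop.  The Stop record carries the
    finished connection's byte totals, which is why 'Send RADIUS Stop Messages Only'
    still reports every connection's usage."""
    attrs = [
        attr(ACCT_STATUS_TYPE, struct.pack("!I", STATUS_STOP)),
        attr(ACCT_SESSION_ID, session_id.encode()),
        attr(ACCT_INPUT_OCTETS, struct.pack("!I", input_octets)),
        attr(ACCT_OUTPUT_OCTETS, struct.pack("!I", output_octets)),
    ]
    return build_acct_request(identifier, secret, attrs)
```

Two consequences follow for the tab above. First, the secret entered here must be the one the RADIUS server has for this NetEnforcer, or every record is dropped silently and the only symptom is an empty accounting database. Second, the authenticator is the only thing standing between an attacker on the path and forged or altered usage records, so the secret deserves the same care as a password.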

Accounting/RADIUS Storage The Accounting/RADIUS Storage tab includes parameters that enable you to control the content of the traffic data stored on disk (in the case of accounting) or accumulated in memory prior to dispatch (in the case of RADIUS). This is done by selecting the components according to which traffic data is accumulated. To accumulate traffic data means to accumulate the byte count of connections with the same components. The Accounting/RADIUS Storage parameters are only relevant when NetAccountant is configured in your system. The NetAccountant module is described in the NetAccountant User's Manual.

NOTE:

If you are using accounting or RADIUS, ensure that you configure parameters in the Internal Accounting and RADIUS Setup tabs as well.

Figure 4-20 – Accounting/RADIUS Storage Parameters

When creating a report in NetAccountant, you select the connection components that will be included in the report. The connection components available for selection are determined by the parameters selected in the Accounting/RADIUS Storage tab.

For accounting users, it is recommended not to select too many parameters, in order to avoid flooding the accounting database. The more entities you select, the longer it takes NetEnforcer to export and save data and the longer it takes to generate accounting reports. For hosts, recording data by internal/external host rather than by client/server demands far fewer resources, so selecting the first radio button in the Hosts Recording area is recommended.

The items available for selection are described below.

In the Hosts Recording area, select one of the radio buttons:

• First radio button: select one of the following from the dropdown list:

  • Internal Hosts: Information about traffic coming from each internal IP address is recorded.

  • External Host: Information about traffic coming from each external IP address is recorded.

  • Internal & External Host: Information about traffic coming from each internal and external IP address is recorded.

• Second radio button: select one of the following from the dropdown list:

  • Client: Information about the source of the traffic under which the traffic was classified is recorded.

  • Server: Information about the destination of the traffic under which the traffic was classified is recorded.

  • Client & Server: Information about the source and the destination of the traffic under which the traffic was classified is recorded.

• Third radio button: no hosts are recorded.

CAUTION:

If you select to aggregate data by client or server, many records may be generated. For example, if you select server then a record is created for each connection to a server. This could be a very high number if you are, for example, browsing the Internet.

In addition, you can select any or all of the entities in the Entity Recording area:

Pipe: Information about the Pipe under which the traffic was classified. This includes explicitly defined Pipes and any Pipe instances that result from a Pipe template.

Virtual Channel: Information about the Virtual Channel under which the traffic was classified. This includes explicitly defined Virtual Channels and any Virtual Channel instances that result from a Pipe template.

Service: Information about the Service Catalog entry under which the traffic was classified.
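To make the CAUTION concrete, the following added example (not NetAccountant code) accumulates a constructed set of six flows under each Hosts Recording choice and shows how the record count grows from a single aggregate (no hosts) to one record per flow (Client & Server). The flow columns and the HOST_CHOICES names are assumptions that follow the GUI labels.

```python
from collections import defaultdict

# Constructed flows, not device output: internal hosts 10.0.0.1 and 10.0.0.2 browse
# several external servers, and one external client reaches the internal server 10.0.0.9.
# Columns: internal_host, external_host, client, server, pipe, service, bytes
FLOWS = [
    ("10.0.0.1", "198.51.100.1", "10.0.0.1", "198.51.100.1", "Office", "HTTP", 1200),
    ("10.0.0.1", "198.51.100.2", "10.0.0.1", "198.51.100.2", "Office", "HTTP", 800),
    ("10.0.0.1", "198.51.100.3", "10.0.0.1", "198.51.100.3", "Office", "HTTP", 3000),
    ("10.0.0.2", "198.51.100.1", "10.0.0.2", "198.51.100.1", "Office", "HTTP", 500),
    ("10.0.0.2", "198.51.100.4", "10.0.0.2", "198.51.100.4", "Office", "FTP", 9000),
    ("10.0.0.9", "203.0.113.7", "203.0.113.7", "10.0.0.9", "Servers", "HTTP", 4000),
]
FIELDS = ("internal_host", "external_host", "client", "server", "pipe", "service")
BYTES = 6

# The Hosts Recording choices, named as on the tab, mapped to the flow columns they key on.
HOST_CHOICES = {
    "Internal Hosts": ("internal_host",),
    "External Host": ("external_host",),
    "Internal & External Host": ("internal_host", "external_host"),
    "Client": ("client",),
    "Server": ("server",),
    "Client & Server": ("client", "server"),
    "No hosts": (),
}


def accumulate(flows, host_choice, entities=()):
    """Accumulate byte counts of flows that share the selected components,
    which is what the tab means by accumulating traffic data.
    entities are Entity Recording selections: any of 'pipe', 'service'."""
    keys = HOST_CHOICES[host_choice] + tuple(entities)
    columns = [FIELDS.index(k) for k in keys]
    totals = defaultdict(int)
    for flow in flows:
        totals[tuple(flow[c] for c in columns)] += flow[BYTES]
    return dict(totals)


def record_count(flows, host_choice, entities=()):
    """Number of accounting records the selection produces for these flows."""
    return len(accumulate(flows, host_choice, entities))


def compare_choices(flows):
    """Record count per Hosts Recording choice, to see the growth the CAUTION describes."""
    return {choice: record_count(flows, choice) for choice in HOST_CHOICES}
```

With these six flows, Internal Hosts yields three records, Server yields five, and Client & Server yields six, one per flow; each Entity Recording selection multiplies the key space again (Internal Hosts plus Service yields four). On a real link with thousands of browsing clients the client/server choices grow at the rate of distinct connections, which is the resource cost the recommendation above is about.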

LDAP/Text Source The LDAP/Text Source tab includes parameters that define the refresh rate for Host Catalog definitions that reference an LDAP server or text source file.

Figure 4-21 – LDAP/Text Source Parameters

In the Host Catalog, entries may be the result of querying an LDAP server or text source file. The parameters in the LDAP/Text Source tab define how often this query is performed to cover changes in the LDAP server or text source file. The LDAP/Text Source tab includes the following parameters:

Parameter Definition

LDAP/Text Auto–Refresh Rate: The time period after which LDAP or text information is refreshed, that is, the external source is read again. If the value is zero or no value is entered, there is no automatic refresh. If the initial read of the source fails, NetEnforcer retries after this period.

Refresh any LDAP-based….: Select this checkbox to refresh LDAP and text information every time the Policy Editor is saved.

VLAN The VLAN (Virtual Local Area Network) tab enables you to determine that the NetEnforcer is managed through specified VLAN-tagged traffic. For more information on VLANs refer to VLAN Catalog Editor in Chapter 7, Defining Catalog Entries.

Figure 4-22 – VLAN Parameters

CAUTION:

Once this option is set and a VLAN ID is specified, NetEnforcer accepts management traffic only when it is tagged with that VLAN ID.

If you specify an erroneous VLAN ID, NetEnforcer waits for management traffic from a VLAN that carries none, and the GUI loses its connection to the device.

If this option has been set erroneously, refer to Chapter 2, Installing NetEnforcer, Setting Up NetEnforcer, to regain access. Alternatively, contact an Allot Communications service engineer.

To work in a VLAN environment, select the checkbox and enter a number in the VLAN ID field. NetEnforcer can be managed through one VLAN only, so the VLAN ID must be the same for all management of a given NetEnforcer.

The VLAN tab includes the following parameters:

Parameter Definition

The NetEnforcer's Management Traffic is VLAN Tagged: Check this box to specify that the NetEnforcer is managed through a VLAN. Checking this box enables the VLAN ID field.

VLAN ID: Enter a VLAN ID number from 2 to 4094. The number specifies the VLAN through which the NetEnforcer is managed.
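As an added example (not Allot code), the functions below build and parse 802.1Q-tagged Ethernet frames and apply the acceptance rule the CAUTION describes: when management traffic is declared tagged, only frames carrying exactly the configured VLAN ID reach management. The frames are constructed, and the rule that untagged frames count as management traffic only when tagging is off is an assumption of this model.

```python
import struct

TPID_8021Q = 0x8100


def tag_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Build an Ethernet frame with an 802.1Q tag (TPID 0x8100, then PCP/DEI/VID)
    inserted after the source address.  VID range follows the VLAN tab: 2 to 4094."""
    if not 2 <= vid <= 4094:
        raise ValueError("VLAN ID must be between 2 and 4094")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def untagged_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def frame_vid(frame):
    """VLAN ID of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def management_frame_accepted(frame, tagged, vid=None):
    """The VLAN tab's two parameters.  With tagging on, only frames carrying exactly
    the configured VID reach management, so a mistyped VID locks the GUI out.
    Treating untagged frames as management traffic only when tagging is off is an
    assumption of this model."""
    seen = frame_vid(frame)
    return seen == vid if tagged else seen is None
```

Before enabling the option, confirm with a packet capture on the management station's switch port that its traffic really leaves with the VLAN ID you are about to enter; the capture is a far cheaper check than the console recovery procedure in Chapter 2.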

Alerts The Alerts tab enables you to configure alert functionality. For more information on alerts, refer to Chapter 9, NetEnforcer Alerts.

Figure 4-23 – Alerts Parameters

In the NetEnforcer Alerts Editor, you can specify that alerts are sent (in addition to the NetEnforcer Alerts Log) to an SMS target, via SNMP or to one or two email addresses.

The actual SMS target and the email addresses are specified in the Alerts tab.

The Alerts tab includes the following parameters:

Parameter Definition

Activate Alert Dispatching on NetEnforcer: Select this box to activate alert dispatch on NetEnforcer.

Primary Email Address: The email address of the primary recipient.

Secondary Email Address: The email address of the secondary recipient.

SMS Email Address: The email address of the SMS target.

Source Email Address: The email address of the sender (for example, the IT manager's email address).

SMTP Server: The address of the SMTP server.

Denial of Service (DoS) The Denial of Service (DoS) tab includes parameters that limit the rate and number of connections, giving a level of protection from attacks on network resources (such as internally connected servers).

Figure 4-24 – Denial of Service Parameters

The Denial of Service tab includes the following parameters:

Parameter Definition

In Case of Denial of Service Attack, New Flows will be: The action that NetEnforcer takes when it reaches the maximum rate of new connections allowed for the model. The options in the dropdown menu are as follows. Admitted without QoS: new connections (flows) are admitted, but are not classified, and no QoS policy is applied. This is the default setting. Dropped: new connections (flows) are dropped. Because flows admitted without QoS bypass every policy, consider Dropped if those policies are what protects the servers behind NetEnforcer.

Number of Connections Within NetEnforcer will be Limited to: The threshold, in connections open at any one time, above which traffic is treated as an attack. The default is the maximum number of connections that your NetEnforcer can handle; for that maximum, see the hardware description table in Chapter 2, Installing NetEnforcer. To see how many connections your network actually carries over a period of time, refer to the Connections graph in Chapter 6, Monitoring Network Traffic; this helps you choose a realistic definition of an attack.

Maximum New Connections Establishment Rate (CER): The threshold, in new connections per second, above which traffic is treated as an attack. To see the number of new connections per second on your network, refer to the Connections graph in Chapter 6, Monitoring Network Traffic; this helps you choose a realistic definition of an attack. If the field is left blank, NetEnforcer uses its default setting.

NOTE:

For additional details regarding the prevention and handling of DoS attacks, refer to Chapter 10, Detecting Security Threats.
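As an added example (not device code), the class below models the two thresholds on this tab and the two documented responses: flows that arrive above a limit are either admitted without classification or dropped. The threshold values and the flow trace are constructed; the trace has a burst of fifty connection attempts inside a tenth of a second, which is the pattern the CER threshold is meant to catch.

```python
from collections import deque


class DosGuard:
    """Model of the DoS tab: a cap on open connections, a cap on the new-connection
    rate (CER) over a one-second window, and the action for flows above a cap.
    Thresholds are constructed; the device's own counters are not visible."""

    ADMIT, DROP = "Admitted without QoS", "Dropped"

    def __init__(self, max_connections, max_new_per_second, excess_action=ADMIT):
        if excess_action not in (self.ADMIT, self.DROP):
            raise ValueError("action must be 'Admitted without QoS' or 'Dropped'")
        self.max_connections = max_connections
        self.max_new_per_second = max_new_per_second
        self.excess_action = excess_action
        self.active = set()     # flows currently open
        self.recent = deque()   # start times of flows admitted in the last second

    def _prune(self, now):
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()

    def new_flow(self, flow_id, now):
        """Return 'Classified', 'Admitted without QoS' or 'Dropped' for a new flow."""
        self._prune(now)
        over_limit = (len(self.active) >= self.max_connections
                      or len(self.recent) >= self.max_new_per_second)
        if over_limit and self.excess_action == self.DROP:
            return self.DROP
        self.active.add(flow_id)
        self.recent.append(now)
        # Above the limit the flow is carried but skips classification and QoS policy.
        return self.ADMIT if over_limit else "Classified"

    def close_flow(self, flow_id):
        self.active.discard(flow_id)


def simulate(trace, **guard_args):
    """Run a (flow_id, start_time) trace through a DosGuard and count each outcome."""
    guard = DosGuard(**guard_args)
    counts = {"Classified": 0, DosGuard.ADMIT: 0, DosGuard.DROP: 0}
    for flow_id, start in trace:
        counts[guard.new_flow(flow_id, start)] += 1
    return counts


# Constructed trace: three new flows per second of normal traffic for two seconds,
# then fifty connection attempts inside 100 ms, the shape of a flood against an
# internal server.
TRACE = [(f"normal{i}", i / 3.0) for i in range(6)] + \
        [(f"burst{i}", 2.0 + i / 500.0) for i in range(50)]
```

With a CER of 10 new connections per second, the six normal flows and the first eight of the burst are classified; the remaining forty-two are either admitted with no policy applied (the default) or dropped, depending on the action chosen. Set the CER from the Connections graph rather than guessing: a threshold below the normal peak puts legitimate flows into the unclassified or dropped bucket every busy hour.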

Additional Configuration Options Using additional configuration options, you can backup a configuration, save it as a configuration file and then restore it as required. You can also verify configuration, as well as retrieve certain configuration parameters from a DHCP server. Finally, you can change the date and time settings on NetEnforcer.

Backing Up Configuration The Backup Configuration option enables you to back up the configuration to a TFTP server and restore it to NetEnforcer at any time. TFTP has no authentication and no encryption: anyone who can reach the TFTP server can read the backup or replace it, and a replaced file is what a later Restore Configuration loads before rebooting the device. Keep the TFTP server on the management network, reachable only by administrators, and treat the backup file as sensitive configuration data.

To back up configuration

1. From the Options menu in the NetEnforcer Configuration window, select Backup Configuration. The Backup Configuration dialog box is displayed:

Figure 4-25 – Backup Configuration Dialog Box

2. In the TFTP Server Address to Backup to field, enter the IP address of the backup TFTP server.

3. In the Backup File Name field, enter a name for the backup file. The specified backup file must exist on the server.

4. Click Backup. The current configuration is backed up to the specified TFTP server with the specified file name.

Restoring Configuration The Restore Configuration option enables you to restore a backed up configuration file to NetEnforcer at any time.

To restore a configuration file:

1. From the Options menu in the NetEnforcer Configuration window, select Restore Configuration. The Restore Configuration dialog box is displayed:

Figure 4-26 – Restore Configuration Dialog Box

2. In the TFTP Server Address to Restore From field, enter the IP address of the TFTP server where the configuration file is saved.

3. In the File Name on Server field, enter the name of the configuration file.

4. Click Restore. The following message is displayed: “Restore Configuration will reboot the NetEnforcer if the operation succeeds. This operation may take a while. Are you sure you want to restore configuration followed by rebooting the NetEnforcer now?”

5. Click Yes to restore the configuration and reboot the NetEnforcer.
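The exchange behind both procedures, as an added example that is not Allot code: a TFTP write request carries the backup to the server and a read request fetches it for restore, framed as RFC 1350 describes and run here against an in-memory server so that it works offline. The file names and contents are constructed. Note what the request packets contain: a file name and a transfer mode, and nothing that identifies or authenticates the requester.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # RFC 1350 block size; a block shorter than this ends the transfer


def request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode, file name, mode.  There is no field for who is asking."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def ack(block):
    return struct.pack("!HH", ACK, block)


def error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet):
    """Decode a TFTP packet into a tuple starting with its opcode."""
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return opcode, filename.decode(), mode.decode()
    if opcode in (DATA, ACK):
        return opcode, struct.unpack("!H", packet[2:4])[0], packet[4:]
    if opcode == ERROR:
        return opcode, struct.unpack("!H", packet[2:4])[0], packet[4:].split(b"\0", 1)[0].decode()
    raise ValueError(f"unknown opcode {opcode}")


class MemoryTftpServer:
    """In-memory stand-in for the TFTP server; it answers whoever sends a request."""

    def __init__(self, files=None):
        self.files = dict(files or {})

    def handle(self, packet, session):
        """Process one client packet of one transfer; return the reply or None."""
        reply = parse(packet)
        if reply[0] == WRQ:
            session["name"], session["buf"] = reply[1], bytearray()
            return ack(0)
        if reply[0] == RRQ:
            if reply[1] not in self.files:
                return error(1, "File not found")
            session["out"] = self.files[reply[1]]
            return data(1, session["out"][:BLOCK])
        if reply[0] == DATA:
            _, block, payload = reply
            session["buf"] += payload
            if len(payload) < BLOCK:
                self.files[session["name"]] = bytes(session["buf"])
            return ack(block)
        if reply[0] == ACK:
            out, block = session["out"], reply[1]
            if len(out) < block * BLOCK:  # the block just acknowledged was the short last one
                return None
            return data(block + 1, out[block * BLOCK:(block + 1) * BLOCK])
        return error(4, "Illegal TFTP operation")


def tftp_put(server, filename, content):
    """Backup Configuration: WRQ, then DATA blocks, each acknowledged.  Returns the block count."""
    session = {}
    if parse(server.handle(request(WRQ, filename), session)) != (ACK, 0, b""):
        raise IOError("write request refused")
    block = 0
    while True:
        chunk = content[block * BLOCK:(block + 1) * BLOCK]
        block += 1
        if parse(server.handle(data(block, chunk), session)) != (ACK, block, b""):
            raise IOError(f"transfer failed at block {block}")
        if len(chunk) < BLOCK:
            return block


def tftp_get(server, filename):
    """Restore Configuration: RRQ, then DATA blocks that the client acknowledges."""
    session, out = {}, bytearray()
    reply = parse(server.handle(request(RRQ, filename), session))
    while True:
        if reply[0] == ERROR:
            raise IOError(reply[2])
        _, block, payload = reply
        out += payload
        nxt = server.handle(ack(block), session)
        if len(payload) < BLOCK:
            return bytes(out)
        reply = parse(nxt)
```

Because the server cannot tell NetEnforcer apart from any other client, the only controls available are outside the protocol: which hosts can reach the TFTP server's UDP port, and a checksum of the backup recorded at backup time and compared before a restore, since Restore Configuration reboots the device into whatever file it receives.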

Setting Date and Time The Set Date and Time option enables you to change the date and time settings on NetEnforcer.

To set the date and time:

1. From the Options menu in the NetEnforcer Configuration window, select Set Date and Time. The Date and Time Configuration dialog box is displayed:

Figure 4-27 – Date and Time Configuration Dialog Box

2. In the Current Date field, select the required date from the calendar.

3. In the Current Time field, enter the required time.

4. From the Time Zone dropdown list, select the required time zone.

5. Click Save to NetEnforcer. The following message is displayed:

Figure 4-28 – System Message

6. Click Yes to save the time and date settings and reboot NetEnforcer.

Verifying Configuration

The Setup Verification option enables you to verify the configuration of selected peripheral devices.

To verify configuration:

1. From the Options menu in the NetEnforcer Configuration window, select Setup Verification. The Setup Verification dialog box is displayed:

Figure 4-29 – Setup Verification Dialog Box

2. Click Verify Now. Where relevant, the configuration parameters for the listed devices are displayed, checked and verified.

3. Click Close to close the Setup Verification dialog box.

Chapter 5: NetWizard Quick Start

NetWizard is an easy-to-use wizard that enables a network manager without a wide knowledge base to have an up-and-running NetEnforcer in a relatively short time. This chapter introduces NetWizard, describes its interface and functions, and describes how to define Quality of Service (QoS) policies using NetWizard.

This chapter includes the following sections:

Introducing NetWizard, page 5-2, introduces NetWizard and describes how it can help you to get the system up and running, as well as define more efficient Quality of Service (QoS) policies.

Monitoring Network Traffic, page 5-3, describes how to use NetWizard to monitor your network traffic.

Defining Policies, page 5-15, describes how to define QoS policies and apply them in your network.

Introducing NetWizard

NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a network, enabling the network manager to quickly define QoS policies for each type of protocol in the network. This, in turn, improves the efficiency and application response time of the network. Several NetWizards can run in parallel, allowing several links to be monitored and configured at once.

NetWizard automatically identifies the traffic protocols in your network and then guides you through the QoS configuration process, working together with the NetEnforcer Policy Editor, allowing you to assign minimum and maximum bandwidth and priority for the various protocols. Simply open the Policy Editor while working in NetEnforcer to have complete control over your new policies. NetWizard allows you to dynamically and interactively build the Policy Table based on real-time monitoring information.

With NetWizard, you need not be initially acquainted with every protocol or the traffic patterns in your network in order to define QoS policy. Once you make your initial selections, a QoS policy is generated, enabling NetEnforcer to enforce that policy in your network. NetWizard monitoring can be paused to allow you to add new Service VCs to the policy table and then restarted with the changes already in place. Further refinement of the policy is possible at any time with NetEnforcer tools such as the Policy Editor and Catalog Editors. Policies defined using the NetWizard will automatically update the policy table.

Monitoring Network Traffic

NetWizard monitors traffic in your network, automatically discovering the traffic protocols in your network and recording the amount of bandwidth they use. This enables you to identify traffic patterns in your network during peak and off-peak hours. The information collected will help you define QoS policies.

Before NetWizard begins to monitor your network, you must specify the following:

• Length of the monitoring session: This is the time during which NetWizard monitors your network traffic and collects information. This process pauses when you opt to define policies.

• Pipe to monitor: This is the Pipe whose traffic NetWizard will monitor. During the monitoring session, you can see an up-to-date picture of protocol activity in your network and statistics about bandwidth usage.

To monitor network traffic:

1. From the NetEnforcer Control Panel, click NetWizard. The NetWizard opening window is displayed:

2. Click Next. The following window is displayed:

Figure 5-1 – NetWizard Setup Window

3. In the Traffic Monitoring Running Time area, specify the length of the monitoring session. This is the time interval during which NetEnforcer collects information about all the protocols passing through your network. Enter a value (1-999) and select a unit of measurement (Minutes, Hours, or Days) from the dropdown list. The default monitoring session is 30 minutes.

TIP:

In order to get a picture of network usage over peak and off-peak periods, you should specify a longer monitoring session, for example, one working day.

4. In the Pipe Coverage area, select the Pipe whose traffic NetWizard will monitor in one of the following ways:

• Select Pipe, click the browse button and select a Pipe whose traffic NetWizard will monitor. The Fallback Pipe is selected by default. If you have not yet defined additional Pipes (described in Chapter 8, Defining Policies), there is no need to change the selection.

• Select A new pipe if you want to create a new Pipe whose traffic NetWizard will monitor.

5. Click Next. If you selected to create a new Pipe in Step 4, the following screen is displayed. (If you selected a specific Pipe in Step 4, go to Step 8.)

Figure 5-2 – NetWizard: Create New Pipe Window

6. In the New Pipe Name field, enter a name for the Pipe.

7. Define the addresses you want the Pipe to cover as follows:

• Select the required address type radio button and enter the relevant details in the corresponding text field. For example, select Host and enter the host name in the text field.

• Click the add button. The address is added to the Target Address(es) list.

• Add further addresses as required.

NOTE:

To remove an address from the Target Address(es) list, select the address in the list and click the remove button.

8. Click Next. The NetWizard Monitoring window is displayed, showing the Graphs view:

Figure 5-3 – NetWizard Monitoring Window: Graphs View

NOTE:

If for any reason your system crashed during a previous NetWizard monitoring session, a message is displayed asking whether you want to continue the previous session or start a new one.

You can view the information collected during the monitoring session either in real-time (during the monitoring session) or once the monitoring session is finished.

The progress of the monitoring session is indicated in the status bars in the lower section of the Monitoring window.

The status bar on the left estimates the amount of time left until NetEnforcer completes a sample and updates the Monitoring window. The default sample period is 30 seconds. In the example on page 5-6, there are 20 seconds left to the end of the sample period, at which time NetEnforcer will update the monitoring window.

The status bar on the right indicates the time remaining in the monitoring session. In the example on page 5-6, there are 28 minutes, 13 seconds left in the monitoring session.

The NetWizard Monitoring window includes the following buttons:

Button Description

Displays a graphical representation of bandwidth usage in your network and the cumulative protocol rate for the various protocols in your network traffic. Refer to Viewing Graphs, page 5-8, for more information.

Displays statistics relating to the protocols in your network traffic. Refer to Viewing Statistics, page 5-10, for more information.

Displays information relating to the monitoring sample. Refer to Viewing Information, page 5-12, for more information.

Displays a log of events used for system troubleshooting. Refer to Viewing the Log, page 5-14, for more information.

Displays protocol information for outbound traffic only.

Displays protocol information for inbound traffic only.

Pauses the monitoring session and moves to the defining policy screen. Refer to Defining Policies, page 5-15, for more information.

Cancels the monitoring session and closes NetWizard.

Displays online help.

Viewing Graphs

The Graphs view, shown on page 5-6, displays a graphical representation of bandwidth usage in your network and the cumulative protocol rate for the various protocols in your network traffic during the current monitoring session. You can display this information for either inbound or outbound traffic by clicking the Inbound/Outbound button at the top-right side of the Monitoring window. To display the Graphs view, click the Graphs button.

TIP:

Hold down the <Shift> key and drag the mouse in the pie chart area to toggle the 3D effect.

Bandwidth Usage

The bandwidth usage graph on the left of Graphs view displays the percentage of the total capacity of bandwidth used by cumulative inbound/outbound traffic.

In the example shown on page 5-6, the maximum capacity of the WAN interface is 45Mbps and the total cumulative bandwidth usage is 0.01% of the available WAN bandwidth. The bar is blue when less than 90% of bandwidth is used, and becomes red when it passes 90%.

Cumulative Average Protocol Rate

The protocol distribution pie chart on the right of Graphs view displays the ten most active protocols passing through NetEnforcer during the current monitoring session, and the average percentage of the total bandwidth that each protocol used. The Protocols legend on the right of the pie chart indicates the color used in the pie chart to represent each protocol and the percentage of total bandwidth used by each protocol. Protocols are listed in descending order, with the highest consumer of bandwidth at the top.

You can click a protocol in the pie chart or legend to display a popup box with the following information:

• Protocol name

• Percentage of total bandwidth used by this protocol in this monitoring session

• Average number of kilobits used per second

Viewing Statistics

The Statistics view, shown below, displays traffic usage statistics. You can display this information for either inbound or outbound traffic by clicking the Outbound/Inbound button at the top-right side of the Monitoring window. To access the Statistics view, click the Statistics button.

Figure 5-4 – NetWizard Monitoring Window: Statistics View

The Statistics view displays a table of all protocols passing through your network during the monitoring session and includes the following information:

Protocol Name The name of the protocol.

% of Relative Usage The percentage of the total used bandwidth that the protocol used.

Rate (Kbps) The average number of kilobits per second used by the protocol.

% of Total BW The percentage of the total available bandwidth for the Pipe used by the protocol.

The protocols are displayed in descending order, with the most active protocol at the top. Below the table of protocols, the following bandwidth information is displayed:

Max. Used The maximum amount of bandwidth used during this monitoring session.

Cumulative Avg. Used The average bandwidth used during this monitoring session for all protocols.

Capacity The maximum amount of bandwidth available.

Viewing Information

The Information view, shown below, displays information about the monitoring session. You can display this information for either inbound or outbound traffic by clicking the Inbound/Outbound button at the top-right side of the Monitoring window. To access the Information view, click the Information button.

Figure 5-5 – NetWizard Monitoring Window: Information View

The following read-only information is displayed:

Monitoring Start Time on NetEnforcer

The time the monitoring session began.

Monitoring End Time on NetEnforcer

The time the monitoring session ended/will end.

Sample Interval The length of the sample period. After each sample period, NetEnforcer updates the Monitoring window. The default sample period is 30 seconds. You can configure this period in the Monitoring tab of the NetEnforcer Configuration window, described in Chapter 4, Configuring NetEnforcer.

Estimated Total Samples to be Collected

The estimated number of samples that NetEnforcer will collect during a monitoring session.

Time Elapsed The amount of time that has elapsed since the monitoring session began.

Time Remaining The amount of time remaining in the monitoring session.

Number of Samples Collected

The number of samples that NetEnforcer has collected so far.

Estimated Number of Samples Remaining

The estimated number of samples that NetEnforcer has yet to collect.

Next Sample Time on NetEnforcer

The time at which NetEnforcer will begin collecting the next sample.

Error Count The number of errors encountered by NetEnforcer during the current monitoring session.

Viewing the Log

The Log view, shown below, displays a log of events for the current session that can be used for system troubleshooting. To access the Log view, click the Log button.

Figure 5-6 – NetWizard Monitoring Window: Log View

The log is cleared at the end of each monitoring session.

Defining Policies

A monitoring session may be paused at any time to allow you to compare the traffic statistics you have received thus far with the business priorities of your organization and use the information to begin creating a QoS policy to improve the performance of your network. Monitoring may be restarted once you have set the policies you wish. In this way, you can create your QoS policy step by step as you learn more about your network’s bandwidth usage.

In order to set a QoS policy for a protocol, you specify one or more of the following:

• The minimum bandwidth you want for the protocol.

• The maximum bandwidth you want for the protocol.

• The priority you want to give to the protocol.

NOTE:

QoS is defined for both inbound and outbound traffic.

When the monitoring session is paused, NetEnforcer stops monitoring network traffic for the time being and displays the Policy Definition window.

Figure 5-7 – Policy Definition Window

The Policy Definition window enables you to define QoS policies. The Monitoring Results area displays all protocols that passed through NetEnforcer thus far in the Monitoring process and all other protocols that have previously been assigned a QoS policy. For each protocol, you can see the average bandwidth used per second (Rate (Kbps)) and the percentage of the total bandwidth used by the protocol (% of Total BW). The protocols are listed according to the percentage of total bandwidth they used, in descending order. You can specify QoS policies in the Your QoS Definitions area, as described below.

The information in the Monitoring window is no longer updated and represents a final picture of traffic usage during the monitoring session. You can click Continue Monitoring in the Policy Definition window to return to the Monitoring window, either to continue an ongoing monitoring session or to view the statistics of a concluded one.

If required, you can also end the monitoring session before it has finished. Click Cancel in the Monitoring window. A confirmation message is displayed. Click Yes to end the monitoring session. Any data collected up to that point will be lost.

To set QoS policy:

1. In the Policy Definition window, specify the minimum bandwidth to be assigned to a protocol by clicking the Min. BW (%) field, entering a percentage value and pressing <Enter>. For example, in Figure 5-7, if you want to ensure the HTTP protocol is minimally allocated 24% of the total available bandwidth at all times, enter 24.

2. Specify the maximum bandwidth to be assigned to a protocol by clicking the Max. BW (%) field, entering a percentage value and pressing <Enter>.

NOTE:

You can specify either a minimum or maximum bandwidth for a protocol, or both.

3. Specify the priority given to a specific protocol by clicking the Priority field and selecting High, Medium or Low from the dropdown list. For example, if you want a specific protocol to receive top priority, select High from the dropdown list.

NOTE:

If two protocols have the same priority and there is not enough bandwidth available for both, the available bandwidth is split evenly between them.

4. Select the Assign checkbox to the left of the protocol name to assign the QoS policy that you defined in steps 1 through 3 to the protocol upon saving.

NOTE:

You do not have to specify all three of the QoS definitions for each protocol.

5. In the Fallback fields at the lower left of the screen, repeat steps 1 through 3 to define a default QoS policy. This policy is applied to protocols that do not have a specific policy defined for them.

NOTE:

If required, click Assigned in the View Protocols area to display only those protocols that have been assigned a QoS policy. Clicking All redisplays all protocols.

6. Click Save. A confirmation message is displayed.

7. Click Yes to save your definitions. NetEnforcer now enforces the QoS policies that you defined.

8. Click Close to close NetWizard.

QoS Examples

This section provides some examples of QoS settings and how they may affect your network traffic.

Example 1

NETBIOS-UDP Protocol, Min BW: 20%. Inbound traffic has a maximum capacity of 100Mbps and outbound traffic has a maximum capacity of 50Mbps.

This means that inbound NETBIOS-UDP traffic is guaranteed 20Mbps of bandwidth and outbound NETBIOS-UDP traffic is guaranteed 10Mbps of bandwidth.

Example 2

HTTP Protocol, Priority: High. FTP Protocol, Priority: Medium.

Total bandwidth for inbound traffic is 30Mbps. If 20Mbps of HTTP traffic and 20Mbps of FTP traffic come together, the HTTP traffic is given priority. Thus the HTTP traffic receives 20Mbps of bandwidth and the FTP traffic gets 10Mbps. When more bandwidth is available, the FTP traffic will get the rest.
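The following added example, which is not code from Allot or from this guide, models the per-protocol QoS settings NetWizard lets you set (Min. BW %, Max. BW %, Priority) as this chapter describes their effect: Example 1's guarantee as a percentage of each direction's capacity, Example 2's strict priority order, the even split between protocols of equal priority from the note above, and the Max. BW cap. The demand figures and the exact order in which spare bandwidth is handed out are assumptions, since the guide states the rules only through the two worked cases.

```python
"""Toy model of the NetWizard QoS rules (Min. BW %, Max. BW %, Priority).
Added example, not Allot's own code; demand figures and the hand-out order
for spare bandwidth are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class ProtocolPolicy:
    name: str
    min_pct: float = 0.0      # Min. BW (%) of pipe capacity; 0 = not set
    max_pct: float = 100.0    # Max. BW (%) of pipe capacity; 100 = not set
    priority: str = "Medium"  # High, Medium or Low

    def __post_init__(self) -> None:
        if self.priority not in PRIORITY_RANK:
            raise ValueError("priority must be High, Medium or Low")
        if not 0 <= self.min_pct <= self.max_pct <= 100:
            raise ValueError("need 0 <= min% <= max% <= 100")


def guaranteed_mbps(policy: ProtocolPolicy, capacity_mbps: float) -> float:
    """Example 1: Min BW 20% guarantees 20% of each direction's capacity."""
    return capacity_mbps * policy.min_pct / 100.0


def allocate(capacity_mbps: float, policies: List[ProtocolPolicy],
             demand_mbps: Dict[str, float]) -> Dict[str, float]:
    """Share one direction's capacity among protocols offering demand_mbps.

    Assumed model (the guide gives the rules only through examples):
      1. every protocol first gets min(demand, its Min BW guarantee);
      2. what is left is handed out by strict priority High > Medium > Low
         (Example 2: 20 Mbps HTTP at High beats 20 Mbps FTP at Medium on a
         30 Mbps link, so FTP gets the remaining 10 Mbps);
      3. protocols of equal priority split the leftover evenly (the note in
         'To set QoS policy'); a share a protocol cannot use is re-offered
         to the others at the same level;
      4. no protocol exceeds its Max BW cap or its own demand.
    """
    cap = {p.name: min(demand_mbps.get(p.name, 0.0),
                       capacity_mbps * p.max_pct / 100.0) for p in policies}
    alloc = {p.name: min(cap[p.name], guaranteed_mbps(p, capacity_mbps))
             for p in policies}
    left = capacity_mbps - sum(alloc.values())
    for level in sorted(PRIORITY_RANK, key=PRIORITY_RANK.get):
        wanting = [p.name for p in policies
                   if p.priority == level and cap[p.name] - alloc[p.name] > 1e-9]
        while wanting and left > 1e-9:
            share = left / len(wanting)          # even split at this priority
            for name in list(wanting):
                extra = min(share, cap[name] - alloc[name])
                alloc[name] += extra
                left -= extra
                if cap[name] - alloc[name] <= 1e-9:
                    wanting.remove(name)         # satisfied; rest is re-offered
    return alloc


if __name__ == "__main__":
    netbios = ProtocolPolicy("NETBIOS-UDP", min_pct=20)
    print("Example 1 inbound guarantee :", guaranteed_mbps(netbios, 100), "Mbps")
    print("Example 1 outbound guarantee:", guaranteed_mbps(netbios, 50), "Mbps")
    http = ProtocolPolicy("HTTP", priority="High")
    ftp = ProtocolPolicy("FTP", priority="Medium")
    print("Example 2:", allocate(30, [http, ftp], {"HTTP": 20, "FTP": 20}))
```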

Chapter 6: Monitoring Network Traffic

This chapter describes monitoring with the NetEnforcer monitoring tool. The monitoring tool helps you analyze the traffic flowing through your NetEnforcer and aids you in determining the optimum configuration for your system.

This chapter includes the following sections:

Overview, page 6-1, provides an overview of the NetEnforcer monitoring tool and how you can monitor your network traffic.

NetEnforcer Monitoring Window, page 6-8, describes the menu bar and toolbar in the NetEnforcer Monitoring window.

Monitoring Graphs, page 6-21, describes the different monitoring graphs available in NetEnforcer.

Long-term Monitoring, page 6-51, describes how to use Long Term Monitoring in NetEnforcer.

Overview

NetEnforcer's monitoring tool enables you to monitor applications, protocols, policies, clients and servers in real time and to verify enforcement of the most suitable QoS policy.

Different applications, such as e-Business, ERP and real-time applications, require performance guarantees. Other mission-critical applications may suffer from a shortage of bandwidth, while non-critical Web browsing and batch traffic, such as mail and FTP, may use up network resources. In other network setups, some users require a higher level of service than others. For example, internationally dispersed branch offices have expensive narrow WAN links to headquarters, and many different users share the same bandwidth. On campuses, students overload network resources (WAN connection, caches, servers) with excessive requests for service (audio traffic), while the administration suffers from reduced available bandwidth and longer response times.

Therefore, your ability to monitor network performance determines your success in fine-tuning network performance based on your business requirements. The monitoring tool is designed to help you fine-tune your network performance.

When and where your network has peaks, bursts and bottlenecks is hard to predict. The monitoring tool enables you to see these peaks in real time, which is crucial to managing these unwanted phenomena.

NetEnforcer enables you to monitor network traffic on three levels, as follows:

• NetEnforcer Level: Where you can monitor traffic on NetEnforcer as a whole.

• Pipe Level: Where you can monitor traffic for a specific Pipe(s).

• Virtual Channel Level: Where you can monitor traffic for a specific Virtual Channel(s) within Pipe(s).

Using the monitoring tool, you can view different graphs at each level. The different graphs are described in Monitoring Graphs, page 6-21. All graphs are displayed in the NetEnforcer Monitoring window and share common functionality. A quick tour of the NetEnforcer Monitoring window is provided on page 6-6. You can display up to ten monitoring windows at the same time and display them as your Favorite View.

Figure 6-1 – Sample Favorite View

There are several different types of graphs, and different formats in which graphs can be displayed. Graph types and formats are described in the following pages.

Graph Types

NetEnforcer displays monitoring information in two types of graphs, as follows:

• Current/Cumulative: Displays information for sample periods. A Current-type graph displays information for the latest whole sample period only. The sample period is defined in your system parameters, described in Chapter 4, Configuring NetEnforcer. A Cumulative-type graph displays information for an average sample period, where the average is calculated over the data accumulated during the last X samples (where X is between 1 and 144, and is defined in the graph settings, described on page 6-18). For example, where X is defined as 100: when the graph is created, the cumulative average covers the samples from the beginning of the graph onward, until 100 samples have passed. When sample number 101 arrives, the samples taken into account are samples 2 through 101, and so on; only the last 100 samples are used to calculate the average. Current-type graphs can also be displayed as Cumulative-type graphs and vice versa.

NOTE:

The Utilization graph, described on page 6-32, can only be displayed as a Current-type graph.

• Continuous: Displays information for a range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph, and is defined in the graph settings, described on page 6-18. The Pipes Distribution, Virtual Channels Distribution, Dropped Packets, Bandwidth and Connections graphs are Continuous-type graphs.

Graph Views

By default, data is displayed in a chart or graph. However, you can also display the values in table format, as well as the definitions for each graph. These different views are called Chart View, Table View and Definitions View, and examples are shown below.

Figure 6-2 – Graph Views (Definitions View, Table View and Chart View)

Graph Styles

When in Chart View, you can alternate the layout style of the graph between a Bar chart and a Pie chart or between a Line chart and a stacked Area chart. Different graphs have different styles. For example, a Pipes Distribution graph (described on page 6-25) can be displayed as a Line chart or Area chart. A Most Active Clients graph (described on page 6-48) can be displayed as a Bar chart or Pie chart.

Following are examples of different graph styles.

Figure 6-3 – Bar Chart

Figure 6-4 – Pie Chart

Figure 6-5 – Line Chart

Figure 6-6 – Area Chart

You can manipulate graphs as follows:

• Zoom into a graph by holding down the <Shift> key and dragging a box around the area that you want to zoom in the graph.

• Move a graph by holding down the <Ctrl> key and dragging the graph.

Press <r> to reset the graph.

TIP:

Click the corresponding toolbar button at any time to display a tooltip describing these zoom and move actions.

In/Out Bandwidth

The monitoring graphs display information about bandwidth consumed by inbound and outbound traffic, as follows:

Inbound Bandwidth consumed by incoming traffic only.

Outbound Bandwidth consumed by outgoing traffic only.

In/Out Bandwidth consumed by both incoming and outgoing traffic.

Clicking a point in a monitoring graph displays the bandwidth value at the selected point, as shown below:

Figure 6-7 – Displaying Bandwidth

NetEnforcer Monitoring Window

The different NetEnforcer monitoring graphs are displayed in a Monitoring window. A sample Monitoring window is shown below:

Figure 6-8 – Sample Monitoring Window (callouts: Menu Bar, Toolbar, Graph Display Area, Graph View, Status Bar)

The menu bar and toolbar are similar for all graph types, and are described on the following pages. The graph display area varies according to the graph displayed. The different monitoring graphs are described on page 6-21.

NOTE:

Up to ten Monitoring windows can be displayed simultaneously.

Accessing Monitoring Graphs

In NetEnforcer, you can access monitoring graphs for all network traffic, or filtered for specific Pipes or Virtual Channels. A table of the graphs available at each level is shown on page 6-24. Access is available through the Monitoring menu in the NetEnforcer Control Panel.

Figure 6-9 – NetEnforcer Monitoring Menu

Access varies according to the monitoring level.

To access a monitoring graph at the NetEnforcer level:

• From the Monitoring menu, select NetEnforcer Level and then select the monitoring graph required. The selected monitoring graph is displayed in the Monitoring window.

NOTE:

Monitoring graphs are named as follows: (name of graph) for (name of VC)_(name of Pipe). For example, Most Active Servers for VC1_Gold Pipe.

To access a monitoring graph at the Pipe level:

1. From the Monitoring menu, select Pipe Level and then select the monitoring graph required. A window showing the Pipes defined in your NetEnforcer is displayed.

Figure 6-10 – Accessing Monitoring Graphs: Pipe Level

NOTE:

You can expand a Pipe template to see instances of its corresponding Pipes.

2. Select the Pipe by which to filter the selected monitoring graph and click OK. The selected monitoring graph for the selected Pipe is displayed in the Monitoring window.

NOTE:

You can also display a monitoring graph for a Pipe by right-clicking the Pipe in the Policy Editor and selecting Monitoring, then the monitoring graph required.

To access a monitoring graph at the Virtual Channel level:

1. From the Monitoring menu, select Virtual Channel Level and then select the monitoring graph required. A window showing the Pipes and Virtual Channels defined in your NetEnforcer is displayed.

Figure 6-11 – Accessing Monitoring Graphs: Virtual Channel Level

NOTE:

You can expand a Pipe or Virtual Channel template to see instances of its corresponding Pipes or Virtual Channels.

2. Select the Virtual Channel by which to filter the selected monitoring graph and click OK. The selected monitoring graph for the selected Virtual Channel is displayed in the Monitoring window.

NOTE:

You can also display a monitoring graph for a Virtual Channel by right-clicking the Virtual Channel in the Policy Editor and selecting Monitoring, then the monitoring graph required.

Monitoring Window Menu Bar

The menu bar in the NetEnforcer Monitoring window includes four menus, described in the following sections.

File Menu

The File menu includes the following options:

Pause Graph Suspends the visual update of the graph. Clicking Pause Graph again restores the visual update.

Print Prints the graph.

Add to Long-Term Monitoring Requests

Enables a selected graph to be available through NetHistory. Refer to Long-term Monitoring with NetHistory on page 6-51.

Exit Closes the graph.

Edit Menu

The Edit menu includes the following options:

Other Graphs for… Enables you to quickly open any other graph for the same target. For example, when a graph is opened at NetEnforcer level, you can open any other graph at NetEnforcer level.

Other Targets for… Enables you to quickly open the same graph for a different target. For example, when the Most Active Clients graph is open at NetEnforcer level, you can also open the Most Active Clients graph at Pipe and Virtual Channel level.

View Menu

The View menu includes the following options:

Chart Displays the graph in Chart View. Refer to Graph Views, page 6-5.

Table Displays the graph in Table View. Refer to Graph Views, page 6-5.

Definitions Displays the graph in Definitions View. Refer to Graph Views, page 6-5.

In-Bandwidth Displays the graph for incoming bandwidth only.

Out-Bandwidth Displays the graph for outgoing bandwidth only.

In+Out Bandwidth

Displays the graph for both incoming and outgoing bandwidth.

Average Bandwidth

Displays the average bandwidth consumed by traffic, meaning the amount of bandwidth consumed divided by the length of the sample period.

Active Average Bandwidth

Displays the active average bandwidth consumed by traffic, meaning the amount of bandwidth consumed divided by the length of the sample period when there actually was traffic.

Current View Displays the graph for the latest whole sample period only. Refer to Graph Types, page 6-4.

Cumulative View

Displays the graph for an average sample period. Refer to Graph Types, page 6-4.

Cumulative Range View

Enables you to select a more specific and limited range within the cumulative period. The cumulative period is the last X samples, where X is defined in the graph settings, described on page 6-18. You select a start time and an end time, which define the time period for the calculation of the average sample period shown in Cumulative View.

Style Menu

The Style menu includes the following options:

Hide Menu Bar Hides/displays the Monitoring window menu bar and toolbar. After hiding the menu bar and toolbar, you can re-display them by clicking the icon displayed at the top right of the Monitoring window.

Show/Hide 'All Others' Hides/displays statistics for All Others in the monitoring graphs. This is useful when bandwidth for All Others is large compared to the selected Pipe or Virtual Channel.

Bar Chart Displays a Pie chart as a Bar chart. Refer to Graph Styles, page 6-6.

Pie Chart Displays a Bar chart as a Pie chart. Refer to Graph Styles, page 6-6.

Line Chart Displays a stacked Area chart as a Line chart. Refer to Graph Styles, page 6-6.

Area Chart Displays a Line chart as a stacked Area chart. Refer to Graph Styles, page 6-6.

Help Menu

The Help menu includes the following option:

Index Provides access to online help.

Monitoring Window Toolbar The toolbar in the Monitoring window enables easy access to many of the functions available from the menu bar. The toolbar includes the following buttons:

Pause Graph Suspends the visual update of the graph. Clicking Pause Graph again restores the visual update.

Print Prints the graph.

Other Graphs for … Enables you to quickly open any other graph for the same target. For example, when a graph is opened at NetEnforcer level, you can open any other graph at NetEnforcer level.

Other Targets for … Enables you to quickly open the same graph for a different target. For example, when the Most Active Clients graph is open at NetEnforcer level, you can also open the Most Active Clients graph at Pipe and Virtual Channel level.

Chart Displays the graph in Chart View. Refer to Graph Views, page 6-5.

Table Displays the graph in Table View. Refer to Graph Views, page 6-5.

Definitions Displays the graph in Definitions View. Refer to Graph Views, page 6-5.

Style Enables you to change the style of the graph. Refer to Graph Styles, page 6-6.

Hide Menu Bar Hides the menu bar, toolbar and status bar. Click the icon at the top of the graph to redisplay the menu bar, toolbar and status bar. This is useful for maximizing graph space.

Zoom Displays a tooltip describing the zoom and move graph functions.

Help Provides access to online help.

Setting Up and Using a Favorite View You can display up to ten Monitoring windows at the same time and arrange them as required. You can save a particular arrangement of Monitoring windows as your Favorite View. The default Favorite View displays the following monitoring graphs:

• Utilization for NetEnforcer

• Virtual Channels Distribution for NetEnforcer

• Most Active Protocols for NetEnforcer (Total)

• Internal Hosts for NetEnforcer (Total)

• External Hosts for NetEnforcer (Total)

To display the Favorite View:

• From the Monitoring menu, select My Favorite View. The Favorite View is displayed.

To set the Favorite View:

1. Arrange the Monitoring windows as required.

2. From the Monitoring menu, select Settings and then Save as My Favorite View. The current arrangement of Monitoring windows is saved as the Favorite View. The Favorite View is also preserved for future sessions when NetEnforcer is accessed from the same client machine.

Monitoring Settings The Monitoring Settings enable you to specify the number of Pipes, Virtual Channels, Protocols, Clients and Servers displayed in the Most Active graphs, and the time span for continuous graphs.

To define settings:

1. From the Monitoring menu, select Settings and then Graphs Features. The Graphs Features dialog box is displayed:

Figure 6-12 – Graphs Features Dialog Box

2. Modify the values for each parameter, as follows:

Number of Most Active Pipes and VCs (1-25)

The number, between 1 and 25, of Pipes and Virtual Channels that will be displayed in the Most Active Pipes and Most Active Virtual Channels graphs.

Number of Most Active Protocols (1-25)

The number, between 1 and 25, of Protocols that will be displayed in the Most Active Protocols graphs.

Number of Most Active Hosts, Clients and Servers (1-25)

The number of Hosts, Clients and Servers, between 1 and 25, that will be displayed in the Most Active Hosts, Clients and Servers graphs.

Time Span for Continuous Graphs

Minutes (1-60) / Hours (1-24)

The period of time, between 1 and 60 minutes, or between 1 and 24 hours, over which the data for Continuous-type graphs is displayed. This is the maximal width of the X-axis for these graphs.

Data Collection Range (in number of samples) for Cumulative Graphs (1-144)

The number of samples used to calculate the average sample for Cumulative-type graphs. For example, when 10 is specified, a Cumulative-type graph will display an average for the data collected during the last 10 sample periods.

Number of Last Used Graphs (1-15)

The number of the most recently viewed graphs to display below the other options in the Monitoring menu.

Details for ‘Most Active’ Graphs

If you select Yes, the following occurs:

In Protocols graphs, for any protocol that is not a service, the port number is displayed as part of the legend.

In any Hosts/Clients/Servers graphs, the IP address is displayed as part of the legend, as shown below:

No is the default setting.

3. Click Save to save your settings to NetEnforcer.

Monitoring Graphs The NetEnforcer Monitoring window provides many different graphs. Some of the graphs can be displayed for all three levels, while others can only be displayed for a single level. At NetEnforcer level, some graphs can be displayed for the whole NetEnforcer or for a selected Protocol, Host, Client or Server. At all levels, some graphs can be displayed showing inbound bandwidth only, outbound bandwidth only or total bandwidth.

The following table lists the monitoring graphs, indicating at which level they are available as well as their graph type:

Graph Name | NetEnforcer Level | Pipe Level | VC Level | Graph Type

Pipes Distribution | Yes | No | No | Continuous

Virtual Channels Distribution | Yes | No | No | Continuous

Bandwidth | Yes | Yes | Yes | Continuous

Connections | Yes | Yes | Yes | Continuous

Utilization | Yes | Yes | Yes | Current

Packets | Yes | Yes | Yes | Continuous

Most Active Pipes | Yes | No | No | Current/Cumulative

Most Active Virtual Channels | Yes | Yes | No | Current/Cumulative

Most Active Protocols | Yes. You can select the graph for the whole NetEnforcer, for a Host, for a Client or for a Server; for each you can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Current/Cumulative

Most Active Hosts | Yes. You can select the graph for the whole NetEnforcer or for a Protocol; for each you can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Current/Cumulative

Most Active Internal Hosts | Yes. You can select the graph for the whole NetEnforcer or for a Protocol; for each you can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Current/Cumulative

Most Active External Hosts | Yes. You can select the graph for the whole NetEnforcer or for a Protocol; for each you can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Current/Cumulative

Most Active Clients | Yes. You can select the graph for the whole NetEnforcer or for a Protocol; for each you can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Current/Cumulative

Most Active Servers | Yes. You can select the graph for the whole NetEnforcer or for a Protocol; for each you can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Yes. You can select to display the Total, Inbound or Outbound bandwidth. | Current/Cumulative

Table 6-1 – Available Monitoring Graphs

NOTE:

Pipes or Virtual Channels that are defined as Ignore QoS cannot be seen in the monitoring graphs.

Pipes Distribution The Pipes Distribution monitoring graph is available at the NetEnforcer level only. It displays the bandwidth consumed by the Pipes in your network. You can view inbound and outbound bandwidth together (shown below) or separately.

Figure 6-13 – Pipes Distribution Graph

The Pipes Distribution graph can be displayed as a stacked Area chart (above) or as a Line chart.

As a Continuous-type graph, the Pipes Distribution graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.

NOTE:

Clicking a point in a Continuous-type graph displays the bandwidth value at the selected point.

The Pipes Distribution graph displays the average bandwidth in Kbps consumed by each selected Pipe. You can also display the active average bandwidth consumed by each Pipe, meaning the amount of bandwidth consumed divided by the length of the sample period when there actually was traffic.

You can simultaneously view other monitoring graphs for a specific Pipe by right-clicking the required Pipe in the graph, or in the list on the right side of the window, and selecting the graph that you want to see from the displayed popup menu.

Figure 6-14 – Selecting Other Graphs

Virtual Channels Distribution The Virtual Channels Distribution monitoring graph is available at the NetEnforcer level only. It displays the bandwidth consumed by the Virtual Channels in your network. You can view inbound and outbound bandwidth together or separately.

Figure 6-15 – Virtual Channels Distribution Graph

The Virtual Channels Distribution graph can be displayed as a stacked Area chart or as a Line chart (above).

As a Continuous-type graph, the Virtual Channels Distribution graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.

The Virtual Channels Distribution graph displays the average bandwidth in Kbps consumed by each selected Virtual Channel. You can also display the active average bandwidth consumed by each Virtual Channel, meaning the amount of bandwidth consumed divided by the length of the sample period when there actually was traffic.

NOTE:

For example, in a sample period of 60 seconds, traffic is 300Kbps for 30 seconds, and there is no traffic for the remaining 30 seconds. The average bandwidth is 150Kbps since the whole sample period is considered. The active average bandwidth is 300Kbps.
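The following is an added example, not code from the manual or from Allot, that works through the average and active average calculation in the note above and the Cumulative and Cumulative Range views described in the View menu section. The per-second readings and per-period averages are constructed; the 1-144 limit is the Data Collection Range setting from Graphs Features.

```python
"""Average vs. active average bandwidth, plus the Cumulative and
Cumulative Range views, computed from constructed throughput samples."""
from typing import List, Sequence, Tuple

# One reading per second, in Kbps, across a single sample period.
# Constructed to match the note: a 60 s period with 300 Kbps for 30 s,
# then no traffic for the remaining 30 s.
SAMPLE_PERIOD_KBPS: List[float] = [300.0] * 30 + [0.0] * 30


def average_kbps(readings: Sequence[float]) -> float:
    """Average bandwidth: consumption divided by the whole sample period."""
    if not readings:
        return 0.0
    return sum(readings) / len(readings)


def active_average_kbps(readings: Sequence[float]) -> float:
    """Active average bandwidth: consumption divided by only the part of
    the period in which there actually was traffic."""
    active = [r for r in readings if r > 0]
    if not active:
        return 0.0
    return sum(active) / len(active)


# Per-sample-period averages as (period_start_seconds, average_kbps).
# Constructed values standing in for the last few whole sample periods.
PERIOD_AVERAGES: List[Tuple[int, float]] = [
    (0, 100.0), (60, 200.0), (120, 300.0), (180, 400.0), (240, 500.0),
]


def cumulative_view(periods: Sequence[Tuple[int, float]], last_x: int) -> float:
    """Cumulative View: the average sample period over the last X whole
    sample periods. X is the Data Collection Range setting (1-144)."""
    if not 1 <= last_x <= 144:
        raise ValueError("Data Collection Range must be between 1 and 144")
    window = [avg for _, avg in periods[-last_x:]]
    return sum(window) / len(window) if window else 0.0


def cumulative_range_view(periods: Sequence[Tuple[int, float]],
                          start_s: int, end_s: int) -> float:
    """Cumulative Range View: the same calculation restricted to the sample
    periods whose start time lies within [start_s, end_s]."""
    if end_s < start_s:
        raise ValueError("end time precedes start time")
    window = [avg for t, avg in periods if start_s <= t <= end_s]
    return sum(window) / len(window) if window else 0.0


if __name__ == "__main__":
    print("average:", average_kbps(SAMPLE_PERIOD_KBPS))                 # 150.0
    print("active average:", active_average_kbps(SAMPLE_PERIOD_KBPS))   # 300.0
    print("cumulative (last 3):", cumulative_view(PERIOD_AVERAGES, 3))
    print("range 60..180:", cumulative_range_view(PERIOD_AVERAGES, 60, 180))
```

The two averages differ only in the denominator, which is why a Pipe that bursts briefly can look idle in the average view and saturated in the active average view; when reading the graphs, check which of the two is selected in the View menu.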

You can simultaneously view other monitoring graphs for a specific Virtual Channel by right-clicking the required Virtual Channel in the graph or in the list on the right side of the window, and selecting the graph that you want to see from the displayed popup menu.

Bandwidth The Bandwidth monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays bandwidth information for NetEnforcer or a selected Pipe or Virtual Channel.

Figure 6-16 – Bandwidth Graph

The Bandwidth graph is displayed as a Line chart. You cannot change this display.

As a Continuous-type graph, the Bandwidth graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.

The following information can be viewed in the Bandwidth graph:

In-Bandwidth The bandwidth consumed by incoming traffic for the selected Pipe or Virtual Channel.

Out-Bandwidth The bandwidth consumed by outgoing traffic for the selected Pipe or Virtual Channel.

Lines indicating the minimum and maximum bandwidth may be displayed in the graph, using additional options available in the Style menu, as follows:

• No Min/Max Lines: No lines indicating minimum or maximum bandwidth are displayed in the Bandwidth graph. This is the default display.

• Inbound Min/Max Lines: Lines indicating minimum and maximum inbound bandwidth are displayed in the Bandwidth graph.

• Outbound Min/Max Lines: Lines indicating minimum and maximum outbound bandwidth are displayed in the Bandwidth graph.

NOTE:

These additional options are only available when minimum and maximum bandwidths are defined for the Pipe or Virtual Channel (in the QoS Catalog entry selected as the value for the QoS of the Pipe or Virtual Channel).

Connections The Connections monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays connections information for NetEnforcer or a selected Pipe or Virtual Channel.

Figure 6-17 – Connections Graph

SECURITY NOTE:

The Connections graph helps in DoS attack monitoring and enables you to detect DoS attacks in real time. Look for a high number of live connections or new connections per second. This may be an indication of a DoS attack.

The Connections graph is displayed as a Line chart. You cannot change this display.

The Connections graph has two Y-axes. On the left is the scale for live and new connections and on the right is the scale for new connections per second. The scales are very different.

As a Continuous-type graph, the Connections graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.

The following information can be viewed in the Connections graph:

Live Connections The number of currently open connections for the selected Pipe or Virtual Channel.

New Per-Second Connections

The average number of new connections, meaning the number of new connections divided by the interval period.
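The following is an added example, not code from the manual or from Allot, showing how the two Connections graph quantities are derived from connection open/close events and how the security note above can be turned into a simple check: live connections at the end of each interval, new connections divided by the interval length, and a flag when the rate jumps well above the preceding intervals. The events and the thresholds are constructed; NetEnforcer's own sampling interval and any alerting behaviour are not described on this page.

```python
"""Live connections and new connections per second per interval, with a
spike check over constructed connection open/close events."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ConnEvent:
    t: float       # seconds since the start of monitoring
    conn_id: str   # connection identifier (constructed)
    kind: str      # "open" or "close"


def constructed_events() -> List[ConnEvent]:
    """Constructed sample: 5 short-lived connections per 10 s for 30 s,
    then 200 connections opened within one interval and never closed,
    the pattern the security note asks operators to look for."""
    events: List[ConnEvent] = []
    n = 0
    for interval_start in (0, 10, 20):
        for k in range(5):
            t = interval_start + 2 * k
            events.append(ConnEvent(t, f"c{n}", "open"))
            events.append(ConnEvent(t + 3, f"c{n}", "close"))
            n += 1
    for k in range(200):
        events.append(ConnEvent(30 + k * 0.05, f"c{n}", "open"))
        n += 1
    return events


def connection_stats(events: Sequence[ConnEvent],
                     interval_s: float) -> List[Tuple[float, int, int, float]]:
    """One tuple per interval: (interval_start, live, new, new_per_sec).
    live = connections still open at the end of the interval;
    new_per_sec = new connections in the interval / interval length."""
    ordered = sorted(events, key=lambda e: e.t)
    if not ordered:
        return []
    open_ids = set()
    stats: List[Tuple[float, int, int, float]] = []
    n_intervals = int(ordered[-1].t // interval_s) + 1
    idx = 0
    for i in range(n_intervals):
        end = (i + 1) * interval_s
        new = 0
        while idx < len(ordered) and ordered[idx].t < end:
            e = ordered[idx]
            if e.kind == "open":
                open_ids.add(e.conn_id)
                new += 1
            else:
                open_ids.discard(e.conn_id)   # close for an unknown id is ignored
            idx += 1
        stats.append((float(i * interval_s), len(open_ids), new, new / interval_s))
    return stats


def flag_spikes(stats: Sequence[Tuple[float, int, int, float]],
                baseline_intervals: int = 2, factor: float = 5.0,
                min_new_per_sec: float = 2.0) -> List[Tuple[float, int, float]]:
    """Flag intervals whose new-connection rate is above an absolute floor
    and more than `factor` times the mean rate of the preceding baseline
    intervals. Returns (interval_start, live, new_per_sec) for each flag.
    The thresholds are constructed defaults, not values from the manual."""
    flagged: List[Tuple[float, int, float]] = []
    for i in range(baseline_intervals, len(stats)):
        baseline = [s[3] for s in stats[i - baseline_intervals:i]]
        mean_rate = sum(baseline) / len(baseline)
        start, live, _new, rate = stats[i]
        if rate >= min_new_per_sec and rate > factor * mean_rate:
            flagged.append((start, live, rate))
    return flagged


if __name__ == "__main__":
    s = connection_stats(constructed_events(), 10)
    for row in s:
        print(row)
    print("flagged:", flag_spikes(s))
```

The absolute floor keeps a quiet link from flagging on tiny changes (0.1 to 0.6 new connections per second is a 6x jump but not an attack), and the relative factor keeps a busy link from flagging on its normal level; the live count rising together with the rate, as in the last interval, is the combination worth investigating.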

Utilization The Utilization monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays the inbound and outbound bandwidth consumed by NetEnforcer, or a selected Pipe or Virtual Channel, in relation to the minimum and maximum bandwidth defined for NetEnforcer or the selected Pipe or Virtual Channel.

Figure 6-18 – Utilization Graph

The Utilization graph is displayed as two horizontal bars representing inbound and outbound bandwidth. You cannot change this display. The bandwidth consumed is displayed in the horizontal bar and, above the horizontal bar, the consumed bandwidth as a percentage of the maximum bandwidth is displayed.

NOTE:

The Utilization graph is not available for a Pipe or Virtual Channel for which no maximum bandwidth has been defined (in the QoS Catalog entry selected as the value for the QoS of the Pipe or Virtual Channel).

The Utilization graph is a Current-type graph only. This means that it displays information for the latest whole sample period only. It cannot be displayed as a Cumulative-type graph to provide information for accumulated data.

Packets The Packets monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays the number of packets passed in relation to NetEnforcer or a selected Pipe or Virtual Channel. This enables you to plan future bandwidth requirements by following historical trends. Refer to Long-Term Monitoring, page 6-51, on how to view long-term trends.

You can view packets relating to inbound and outbound traffic together (shown below) or separately.

Figure 6-19 – Packets Graph

The Packets graph is displayed as a Line chart. You cannot change this display. The Y-axis is the scale for the number of packets passed.

As a Continuous-type graph, the Packets graph displays information for a specified range of time. The range of time for which the graph is relevant is displayed along the X-axis of the graph and is defined in the graph settings, described on page 6-18.

Most Active Pipes The Most Active Pipes monitoring graph is available at the NetEnforcer level only. It displays the average inbound and outbound bandwidth consumed by the most active Pipes defined in the Policy Editor. The maximum number of Pipes displayed, between 1 and 15, is defined in the graph settings, described on page 6-18.

Figure 6-20 – Most Active Pipes Graph

The Most Active Pipes graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Pipes graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed.

Figure 6-21 – Cumulative Range Dialog Box

Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK.

You can simultaneously view other monitoring graphs for a specific Pipe by right-clicking the required Pipe in the graph or in the list on the right side of the window, and selecting the graph that you want to see from the displayed popup menu.

Most Active Virtual Channels The Most Active Virtual Channels monitoring graph is available at the NetEnforcer and Pipe levels. It displays the average inbound and outbound bandwidth consumed by the most active Virtual Channels defined in the Policy Editor. The maximum number of Virtual Channels displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-22 – Most Active Virtual Channels Graph

The Most Active Virtual Channels graph can be displayed as a Bar chart or as a Pie chart (above).

As a Current/Cumulative-type graph, the Most Active Virtual Channels graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK.

You can simultaneously view other monitoring graphs for a specific Virtual Channel by right-clicking the required Virtual Channel in the graph or in the list on the right side of the window, and selecting the graph that you want to see from the displayed popup menu.

Most Active Protocols The Protocols Distribution monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays the average inbound and outbound bandwidth consumed by the most active Protocols in your network.

At the NetEnforcer level, you can select to display the Most Active Protocols graph for the whole NetEnforcer or for a selected Host, Client or Server. At all levels, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

Figure 6-23 – Most Active Protocols Graph

The Most Active Protocols Distribution graph can be displayed as a Pie chart (above) or as a Bar chart.

As a Current/Cumulative-type graph, the Most Active Protocols graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK.

Adding Virtual Channels From the Most Active Protocols graph, you can create a Virtual Channel based on a selected protocol.

To add a Virtual Channel:

1. Right-click a protocol in the Most Active Protocols graph and select Add Virtual Channel with Service (selected service name) on. The Policy Editor opens and the Select Pipe dialog box is displayed.

Figure 6-24 – Select Pipe Dialog Box

2. Select a Pipe and click OK. A Virtual Channel is added to the selected Pipe based on the selected service.

NOTE:

You select a Pipe only if the Most Active Protocols graph was opened at NetEnforcer Level. If it was opened on Pipe or Virtual Channel level, the new Virtual Channel is added automatically to the Pipe on which the Most Active Protocols graph was opened initially.

If the selected protocol exists as an entry in the Service Catalog, the existing service (protocol) is used. If the selected protocol does not exist as an entry in the Service Catalog, a new service entry is created based on the monitored protocol.

Most Active Hosts The Most Active Hosts monitoring graph is available at NetEnforcer, Pipe and Virtual Channel level. It displays the average inbound and outbound bandwidth consumed by the hosts that are on the internal and external side of the NetEnforcer (clients or servers). NetEnforcer monitors the amount of data to and from each host.

You can select to display the Most Active Hosts graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of hosts displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-25 – Most Active Hosts Graph

The Most Active Hosts graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Hosts graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK.

Most Active Internal Hosts The Most Active Internal Hosts monitoring graph is available at NetEnforcer, Pipe and Virtual Channel level. It displays the average inbound and outbound bandwidth consumed by the hosts that are on the internal side of the NetEnforcer (clients or servers). NetEnforcer monitors the amount of data to and from each internal host.

You can select to display the Most Active Internal Hosts graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of hosts displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-26 – Most Active Internal Hosts Graph

The Most Active Internal Hosts graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Internal Hosts graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK.

Most Active External Hosts The Most Active External Hosts monitoring graph is available at NetEnforcer, Pipe and Virtual Channel level. It displays the average inbound and outbound bandwidth consumed by the hosts that are on the external side of the NetEnforcer (clients or servers). NetEnforcer monitors the amount of data to and from each external host.

You can select to display the Most Active External Hosts graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of hosts displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-27 – Most Active External Hosts Graph

The Most Active External Hosts graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active External Hosts graph displays information for sample periods. It can be displayed as a Current-type graph to provide information for the latest whole sample period only, or as a Cumulative-type graph (above) to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by selecting Cumulative Range View from the View menu. The Cumulative Range dialog box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end time, which will define the time period for the calculation of the average sample period shown in the graph. Click OK.

Most Active Clients The Most Active Clients monitoring graph is available at NetEnforcer, Pipe and Virtual Channel level. It displays the average inbound and outbound bandwidth consumed by the most active Clients. NetEnforcer monitors the amount of data from each source and to each destination. The amount of data flowing in each connection is added to the connection source total as Client data.

You can select to display the Most Active Clients graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of Clients displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-28 – Most Active Clients Graph

The Most Active Clients graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Clients graph displays information for sample periods. It can be displayed as a Current-type graph (above) to provide information for the latest whole sample period only, or as a Cumulative-type graph to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

Most Active Servers

The Most Active Servers monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel levels. It displays the average inbound and outbound bandwidth consumed by the most active Servers. NetEnforcer monitors the amount of data from each source and to each destination. The amount of data flowing in each connection is added to the connection destination total as Server data.

You can select to display the Most Active Servers graph for the whole NetEnforcer or for a selected protocol. Additionally, you can select to display the total bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of Servers displayed, between 1 and 25, is defined in the graph settings, described on page 6-18.

Figure 6-29 – Most Active Servers Graph

The Most Active Servers graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Servers graph displays information for sample periods. It can be displayed as a Current-type graph to provide information for the latest whole sample period only, or as a Cumulative-type graph (above) to provide information for an average sample period based on the last X sample periods. (X is defined in the graph settings, described on page 6-18.)

Long-Term Monitoring

NetEnforcer's monitoring tool provides real-time data in intervals of one to 10 minutes for the previous 24 hours, enabling you to monitor applications, protocols, users and servers and to enforce the most suitable QoS policy. NetEnforcer's long-term monitoring tool enables you to monitor your network's activity over a much longer period of time with the same look and feel as the real-time monitoring graphs. Using long-term monitoring, data from as far back as one to two years is stored as .csv files on a dedicated server for use by other reporting tools. Each server can store data from multiple NetEnforcers at 30-second intervals for the last 10-40 days, or at one-hour intervals for up to 1 year ago or longer.

The ability to monitor applications and users is crucial in order to employ traffic priorities based on business requirements. Monitoring helps the user to fine-tune the network performance.

NOTE:

You must wait at least two hours before seeing any long-term graphs. If you try to view graphs before two hours have passed, error messages will pop up.

Collecting Data for Long-Term Monitoring

In order to view long-term monitoring graphs, you must install the Long-Term Monitoring Agent. The Long-Term Monitoring Agent requests the required graphs from the monitoring server, receives the data, and writes it to files. NetEnforcer takes the data from these files when you select to display long-term monitoring graphs. More than one Long-Term Monitoring Agent may be installed on a single server, in order to collect data from multiple NetEnforcers.

Once the Long-Term Monitoring Agent has been installed and run, you can activate and manage long-term monitoring graphs from the NetEnforcer main GUI.

The Long-Term Monitoring Agent writes the data to files located at a shared directory on a network drive, so that the history graphs based on those files are available from every PC in the LAN, and not only from one PC.

NOTE:

It is reasonable to install the Long-Term Monitoring Agent itself on the same network PC to which it writes the files, and to choose for that purpose an ‘enduring’ machine which will be ‘up’ permanently.

You must first install the Long-Term Monitoring Agent and then you can configure it to collect data according to your requirements.

TIP:

Problem: Identify the source of congestion.

Solution: Use the Monitoring drill-down capabilities to find it.

Here is how: Look at the Pipes Distribution graph and identify the saturated link. If the saturation is identified as inbound traffic for a particular Pipe, for example, drill down to see the Top Inbound Protocols graph for that Pipe. If you discover that the majority of the inbound traffic is KaZaa, for instance, drill down to see the Top Internal Clients graph for KaZaa. The specific host that is saturating the link can then be identified.
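The Client/Server accounting described under Most Active Clients and Most Active Servers (bytes credited to the connection source or destination, optionally filtered to one protocol and limited to the 1 to 25 hosts allowed by the graph settings) and the Pipe to protocol to client drill-down in the tip above can both be expressed as simple aggregations over connection samples. The following is an added example, not code from the guide or from Allot; the Flow record, the field names, the 60-second sample period and the flow data (documentation IP ranges, invented byte counts) are all this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection sample. Field names are this example's own, not NetEnforcer's."""
    pipe: str          # Pipe the connection was classified into
    protocol: str      # protocol (Service) of the connection
    source: str        # connection source address (the Client side)
    destination: str   # connection destination address (the Server side)
    inbound: int       # bytes flowing towards the source during the sample period
    outbound: int      # bytes flowing towards the destination during the sample period


# Constructed sample data (documentation IP ranges, invented byte counts).
SAMPLE_FLOWS: List[Flow] = [
    Flow("Sales", "HTTP", "10.0.1.5", "203.0.113.10", 4_000_000, 300_000),
    Flow("Sales", "HTTP", "10.0.1.7", "203.0.113.10", 2_000_000, 200_000),
    Flow("Sales", "KaZaa", "10.0.1.9", "198.51.100.20", 30_000_000, 6_000_000),
    Flow("Sales", "KaZaa", "10.0.1.9", "198.51.100.21", 25_000_000, 5_000_000),
    Flow("Sales", "KaZaa", "10.0.1.12", "198.51.100.22", 5_000_000, 1_000_000),
    Flow("Engineering", "SSH", "10.0.2.4", "203.0.113.30", 800_000, 900_000),
    Flow("Engineering", "HTTP", "10.0.2.8", "203.0.113.10", 6_000_000, 400_000),
]

SAMPLE_SECONDS = 60  # assumed length of one sample period (the guide allows 1 to 10 minutes)


def _bytes_for(flow: Flow, direction: str) -> int:
    """Pick the byte count matching the graph's inbound/outbound/total selection."""
    if direction == "inbound":
        return flow.inbound
    if direction == "outbound":
        return flow.outbound
    if direction == "total":
        return flow.inbound + flow.outbound
    raise ValueError(f"unknown direction {direction!r}")


def _kbps(total_bytes: int) -> float:
    """Average bandwidth over the sample period in kilobits per second."""
    return total_bytes * 8 / 1000 / SAMPLE_SECONDS


def _top(totals: Dict[str, int], max_hosts: int) -> List[Tuple[str, float]]:
    """Rank hosts by bytes and keep the top entries (graph settings allow 1 to 25)."""
    max_hosts = max(1, min(max_hosts, 25))
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:max_hosts]
    return [(host, _kbps(total)) for host, total in ranked]


def most_active(flows: List[Flow], role: str, direction: str = "total",
                protocol: Optional[str] = None, max_hosts: int = 10) -> List[Tuple[str, float]]:
    """Client accounting credits each connection's bytes to its source; server
    accounting credits them to its destination. `protocol` restricts the graph
    to one protocol, as the GUI's protocol selection does."""
    totals: Dict[str, int] = defaultdict(int)
    for flow in flows:
        if protocol is not None and flow.protocol != protocol:
            continue
        key = flow.source if role == "client" else flow.destination
        totals[key] += _bytes_for(flow, direction)
    return _top(totals, max_hosts)


def find_congestion_source(flows: List[Flow]) -> Tuple[str, str, str]:
    """The drill-down from the tip: the Pipe carrying the most inbound traffic,
    the protocol dominating that Pipe, then the client behind that protocol."""
    def heaviest(keyfunc, subset: List[Flow]) -> str:
        totals: Dict[str, int] = defaultdict(int)
        for flow in subset:
            totals[keyfunc(flow)] += flow.inbound
        return max(totals, key=totals.get)

    pipe = heaviest(lambda f: f.pipe, flows)
    in_pipe = [f for f in flows if f.pipe == pipe]
    proto = heaviest(lambda f: f.protocol, in_pipe)
    in_proto = [f for f in in_pipe if f.protocol == proto]
    client = heaviest(lambda f: f.source, in_proto)
    return pipe, proto, client


if __name__ == "__main__":
    print("Most active clients:", most_active(SAMPLE_FLOWS, "client", max_hosts=3))
    print("Most active servers:", most_active(SAMPLE_FLOWS, "server", max_hosts=3))
    print("Congestion source (pipe, protocol, client):", find_congestion_source(SAMPLE_FLOWS))
```

Note that the same connection contributes to one client total and one server total, so a host that both serves and consumes appears in both graphs with different figures; reading the two side by side is what lets you tell a busy server from a busy downloader.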

Installing the Long-Term Monitoring Agent

The Long-Term Monitoring Agent is an application that must be downloaded and installed on a PC running any Windows operating system.

You can run several agents (one per NetEnforcer).

To download and install the Long-Term Monitoring Agent:

1. From the network PC that you have selected to be the long term monitoring server, open the NetEnforcer GUI.

NOTE:

The long term monitoring server should be up at all times.

2. From the NetEnforcer Control Panel, click Tools and then select Download Long-Term Monitoring Agent. The File Download dialog box is displayed.

3. Click Open and follow the on-screen instructions to install the Collector application. Note the following:

• Specify the location where the Collector application should be installed.

• Enter the IP address of the NetEnforcer from which you want to collect data.

• If required, you can insert details of a user name and password. If you do this, you will not have to log in each time that the Collector is started. However, there will be no way to connect to a different NetEnforcer without downloading and installing the Collector again. Therefore, it is recommended only to insert these details if there is only one NetEnforcer from which you want to collect data.

When the installation process is completed, you will have the following:

• A shortcut icon on your desktop called NetEnforcer Long Term Monitoring Agent.

• A new entry in your Start > Programs folder called NetEnforcer Long Term Monitoring Agent.

• The Long-Term Monitoring Agent also appears in Startup, enabling it to run automatically on each reboot of your computer.

Running the Long-Term Monitoring Agent

The Long-Term Monitoring Agent starts automatically when the PC starts. A login window is displayed requesting a user name, password and the IP address of NetEnforcer.

TIP:

You can avoid this login window by adding parameters to the Long-Term Monitoring Agent in the Startup menu, as described in the following tip, which is displayed the first time the Long-Term Monitoring Agent starts.

It is highly recommended to follow this tip.

After login, the Long-Term Monitoring Agent runs in the Windows system tray, as shown below:

NOTE:

After login, you may also see the following message:

This is expected at this stage and you should simply click OK.

The Long-Term Monitoring Agent icon in the system tray may appear in any of the following ways:

Icon / Status

• Disconnected: The Long-Term Monitoring Agent is disconnected.

• Running: The Long-Term Monitoring Agent is running (recording).

• Paused: The Long-Term Monitoring Agent is paused (not recording).

Right-clicking the Long-Term Monitoring Agent in the system tray displays the following menu:

The options are as follows:

Option      Description

Open        Opens the Long-Term Monitoring Agent window.

Record      Starts collecting data.

Pause       Stops collecting data.

Location    Enables you to change the location where the Long-Term Monitoring Agent stores collected data.

Graphs      Displays a list of graphs for which the Long-Term Monitoring Agent collects data, that is, the graphs you have made available for long-term monitoring. Refer to Adding Graphs, page 6-62.

Log         Displays Long-Term Monitoring Agent log messages.

Help        Provides access to NetEnforcer long-term monitoring help.

About       Displays version information about the Long-Term Monitoring Agent.

Exit        Closes the Long-Term Monitoring Agent application.

Collecting Data

The Long-Term Monitoring Agent application may often be left open for very long periods of time (for example, days or weeks) in order to collect data. The Long-Term Monitoring Agent application is robust and maintains an accurate record of data even when the system is shut down and rebooted. In this situation, when the Long-Term Monitoring Agent is restarted, data collection resumes and data is appended to the data collected prior to the shutdown.

In order to collect data for long-term monitoring, you must specify a graph as available to long-term monitoring. Refer to Adding Graphs, page 6-62.

To collect data:

1. Open the Long-Term Monitoring Agent application using the shortcut icon on your desktop, from the Start menu or by clicking the Long-Term Monitoring Agent icon in the system tray. The Long-Term Monitoring Agent window is displayed.

Figure 6-30 – Long-Term Monitoring Agent Window

2. If you want to adjust the location where the collected files are saved, click Pause and click the browse button to select an alternative location. You should select a shared directory on this network PC.

3. Click Record.

The Long-Term Monitoring Agent is now ready for collecting data.

The buttons available in the Long-Term Monitoring Agent window are as follows:

Option          Description

Pause/Record    Stops/starts collecting data.

Graphs          Displays a list of graphs for which the Long-Term Monitoring Agent collects data, that is, the graphs you have made available for long-term monitoring.

Log             Displays Long-Term Monitoring Agent log messages.

Close           Closes the Long-Term Monitoring Agent window.

Help            Provides access to NetEnforcer long-term monitoring help.

About           Displays version information about the Long-Term Monitoring Agent.

Configuring the Long-Term Monitoring Data Location on NetEnforcer

You must ensure that the long-term monitoring data location configured on NetEnforcer is the same as that specified in the Long-Term Monitoring Agent.

To configure the long-term monitoring data location on NetEnforcer:

1. From the NetEnforcer Control Panel, click Long-Term. The first time you do this after installing the Long-Term Monitoring Agent, the following First Steps window is displayed:

Figure 6-31 – Long-Term Monitoring First Steps

NOTE:

This is an explanatory window. It is only displayed the first time you click Long-Term. To display it again, click Help and then First Steps in the Long Term Monitoring window.

2. Click OK. (If this is not the first time you have selected the Long-Term option, the First Steps window is not shown.) The Long Term Monitoring window is displayed.

Figure 6-32 – Long-Term Monitoring Window

When the Long-Term Monitoring window is first opened, the long-term monitoring data location is by default set as C:. You must change this location to the same location as you specified in the Long-Term Monitoring Agent. Until you do so, a warning (in red) is displayed in the upper right corner of the Long-Term Monitoring window.

3. Click the browse button to the right of the Long-Term Monitoring Data Source field. The Setting Long-Term Monitoring Location dialog box is displayed.

Figure 6-33 – Setting Long-Term Monitoring Location Dialog Box

4. Enter the location of the saved data as specified in the Long-Term Monitoring Agent (which should be on a shared network drive) and click Save.

If the data location is the same as that specified on the Long-Term Monitoring Agent, the warning in red should no longer appear in the top right corner of the Long-Term Monitoring window.

Figure 6-34 – Long-Term Monitoring Window – Set Data Location

Now both the Long-Term Monitoring Agent and NetEnforcer are correctly configured and you can begin to work with long-term monitoring graphs.

NOTES:

If the data location has been configured correctly but the Long-Term Monitoring Agent is not running, a warning message is displayed (in red) in the upper right corner: Long-Term Monitoring Agent is not running.

In order for the warning messages in red to disappear, the problem must be resolved AND the Long-Term Monitoring window must be closed and re-opened.

Adding Graphs

In order to collect data for long-term monitoring, you must specify a graph as available to long-term monitoring. This can be done from a real-time monitoring window or from the Long Term Monitoring window.

Adding a graph to long-term monitoring is only available to an administrator user with write permissions. This is because adding a graph to long-term monitoring actually writes a “request” file at the files location directory on the Long-Term Monitoring Agent LAN PC. Issues of access and write permissions are therefore very critical.

To add a graph from a real-time monitoring window:

• From the File menu in a Monitoring window, select Add to Long-Term Monitoring Requests. The graph displayed in the Monitoring window is available in long-term monitoring.

To add graphs from the Long Term Monitoring window:

1. From the NetEnforcer Control Panel, click Long-Term. The Long Term Monitoring window is displayed.

2. Click the Add New Graph button. Further menus are displayed, as when you select Monitoring in the Control Panel.

Figure 6-35 – Long-Term Monitoring Window - Add New Graph

3. Select the graph you want to add to long-term monitoring. It is added to the table of graphs in the Long-Term Monitoring window. For example, if you select the Virtual Channels Distribution for NetEnforcer graph, the Long-Term Monitoring window is displayed as follows:

Figure 6-36 – Long-Term Monitoring Window – Graph Added

The graph is immediately collected, as indicated by the selected checkbox in the Collect column.

As many graphs as you require can be added to long-term monitoring but only ten graphs can be collected at the same time. Thus, once ten graphs have been added, subsequent graphs do not have a selected checkbox in the Collect column.

NOTE:

To change this limit, please contact Allot Communications.

You must wait for a minimum of 2 hours before you can open the graph.

You can manipulate graphs in the Long-Term Monitoring window as follows:

• Select or deselect the checkbox in the Collect column to determine whether the graph is collected or not.

• Select a graph and click Open to display the graph. Refer to Viewing Long-Term Monitoring Graphs, page 6-66.

• Select a graph and click Rename to rename a graph.

• Select a graph and click Delete to delete a graph from long-term monitoring.

• Click Log to display the Long-Term Monitoring Agent Log. This enables you to see the status and actions of the Long-Term Monitoring Agent. For example, whether it is up, whether it is recording or paused, and so on.

Figure 6-37 – Long-Term Monitoring Agent Log

Viewing Long-Term Monitoring Graphs

Data should be collected for at least two hours (approximately) using the Long-Term Monitoring Agent before you view it. Long-term monitoring graphs are produced using data from the long-term monitoring directory (C:/NEData, by default) saved in the files called (request)_hour.xml.

To view data:

1. From the NetEnforcer Control Panel, click Long-Term. The Long Term Monitoring window is displayed:

2. Select the graph you want to view and click Open (or double-click the graph). The Graph Time Span Coverage for (name of selected graph) window is displayed.

Figure 6-38 – Graph Time Span Coverage for (Name of Selected Graph) Window – Relative Span Mode

TIP:

To get the most out of your Long-Term Monitoring it is recommended that you configure the following graphs at the NetEnforcer level: Top Protocols, Top Internal Hosts, Top External Hosts, NetEnforcer Connections, NetEnforcer Bandwidth Distribution and VC/Pipes graphs where relevant.

This window enables you to select a specific time period for the graph you want to view. The collected data could cover a long time period and you may just want to focus on part of it.

3. From the Span Mode dropdown list, select one of the following time measurements:

• Relative: Select the number of hours, days or months of data required. This period is counted from the end of the available data period backwards. If you select a month, the period covers the last calendar month. This means that if the data ended on 17 February, you would see data from 1-17 February.

• Specific: Select the exact dates of the time period. By default the start and end dates are the beginning and end of the entire available period.

Figure 6-39 – Graph Time Span Coverage for (Name of Selected Graph) Window – Specific Span Mode

TIP:

The practical meaning of your selection is displayed in the lower area of the window.

4. Click Continue. The data is retrieved from the collection files. The graph is displayed before all the data is retrieved and you can see the percentage of data retrieved in the status bar. While you are waiting for this to complete, you can use other functionality of the long-term monitoring graph.

Figure 6-40 – Long-Term Monitoring Graph (Period Level)

Long-term monitoring graphs have the same look and feel as real-time monitoring graphs. Most of the functionality available in real-time graphs, for example, graph types and graph styles, is also available for long-term monitoring graphs. These features are explained in the first sections of this chapter.

The main differences between real-time graphs and long-term monitoring graphs are as follows:

• Only two graph views, Chart View and Table View, are available with long-term monitoring graphs.

• Long-term monitoring graphs have a light green background color while real-time graphs have a green background color.

• The long-term monitoring window has an additional Page menu and toolbar buttons: Back, Forward, Start and End. These arrow buttons enable you to move forward and backwards through the pages of a long-term monitoring graph.

• The File menu in the long-term monitoring window includes an additional option called Collection Log File.

Manipulating Long-Term Monitoring Graphs

When a long-term monitoring graph is first displayed, the data is shown in the broadest resolution (full view). For example, where data is requested that spans several months, the data is presented according to month. When data is requested that spans several years, the data is presented by year. The actual unit is seen on the horizontal axis.

You can drill down into the long-term monitoring graph to see more details. For example, data presented according to days of a selected month or hours of a selected day or even minutes of a selected hour. This drilling down action enables you to move between the following levels:

Level: Period
  Continuous-type graphs (for example, Bandwidth, Pipes Distribution): Data is displayed for the entire time span, for example, several months or several days.
  ‘Most Active’ graphs (for example, Most Active Virtual Channels): Data is displayed for the entire time span, for example, several months or several days.

Level: Month
  Continuous-type graphs: Data is displayed for each day in a month.
  ‘Most Active’ graphs: Data is displayed for the whole month in one view.

Level: Day
  Continuous-type graphs: Data is displayed for each hour in a day.
  ‘Most Active’ graphs: Data is displayed for the whole day in one view.

Level: Hour
  Continuous-type graphs: Data is displayed for each 5 minutes in an hour.
  ‘Most Active’ graphs: Data is displayed for the whole hour in one view.

Level: Minute
  Continuous-type graphs: Data is displayed for each 30 seconds in a five-minute period.
  ‘Most Active’ graphs: Data is displayed for the whole five-minute period in one view.

Level: Second
  ‘Most Active’ graphs: Data is displayed for the whole thirty-second period in one view.

You can drill down using the right-click menu in a step-by-step fashion or directly to a selected level.

Drilling Down Step-By-Step

This method enables you to drill down slowly through the different resolutions of the graph. You can begin by viewing data over a long period and zoom slowly in to see data for a very specific period.

To drill down step-by-step:

1. With the long-term monitoring graph displayed at the broadest (period) level, proceed as follows:

• In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Month. The Drill-down to dialog box is displayed. Select the month within the period that you would like to view, for example, September, and click OK.

• In a continuous-type graph, right-click inside the month area of the graph on which you want to focus and select Drill-down to (selected month).

The graph now displays data for the selected month.

Figure 6-41 – Long-Term Monitoring Graph (Month Level)

You can move through other months using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution.

2. Continue to the next level as follows:

• In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Day. The Drill-down to dialog box is displayed. Select the day within the month that you would like to view and click OK.

• In a continuous-type graph, right-click inside the day area of the graph on which you want to focus and select Drill-down to (selected day).

The graph now displays data for the selected day. For example, drilling down a level to a specific day, September 12th, shows the most active protocols for that day.

Figure 6-42 – Long-Term Monitoring Graph (Day Level)

You can move through other days using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution.

3. Continue to the next level as follows:

• In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Hour. The Drill-down to dialog box is displayed. Select the hour within the day that you would like to view, for example, Sep 12 10:00, and click OK.

• In a continuous-type graph, right-click inside the hour area of the graph on which you want to focus and select Drill-down to (selected hour).

TIP:

You can right-click and select Back to Full View to return to period level or select Up One Level to return to the previous level.

The graph now displays data for the selected hour of the selected day. For example, Figure 6-42 shows the most active protocols for September 12th. Drilling down a level to a specific hour, 10.00, shows the most active protocols for that hour.

Figure 6-43 – Long-Term Monitoring Graph (Hour Level)

You can move through other hours using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution.

4. Continue to the next level as follows:

• In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Minutes. You cannot select which specific five-minute period to view. The graph will show the first five-minute period of the hour and you can scroll through subsequent five-minute periods.

• In a continuous-type graph, right-click inside the five-minute area of the graph on which you want to focus and select Drill-down to (selected five-minute period). In this type of graph, you can select which specific five-minute period you want to view.

TIP:

You can right-click and select Back to Full View to return to period level or select Up One Level to return to the previous level.

The graph now displays data for a five-minute period. For example, Figure 6-43 shows the most active protocols during the hour 10.00 to 11.00 on September 12th. Drilling down a level shows the most active protocols for the first five-minute period of that hour.

Figure 6-44 – Long-Term Monitoring Graph (Five-Minute Level)

You can move through other five-minute periods using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution.

5. Continue to the next level as follows:

• In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-down to Seconds. You cannot select which specific thirty-second period to view. The graph will show the first thirty-second period of the five-minute period and you can scroll through subsequent thirty-second periods.

TIP:

You can right-click and select Back to Full View to return to period level or select Up One Level to return to the previous level.

The graph now displays data for a thirty-second period. For example, Figure 6-44 shows the most active protocols during the five-minute period 10.00 to 10.05 on September 12th. Drilling down a level shows the most active protocols for the first thirty seconds of that five-minute period.

Figure 6-45 – Long-Term Monitoring Graph (Thirty-Second Level)

You can move through other thirty-second periods using the arrow buttons or Page menu options. Every page will be displayed in the selected resolution.

Drilling Down Directly

This method enables you to drill down quickly from a broad resolution to a narrow resolution. For example, you can be viewing data for an entire year and zoom straight into viewing data for a selected day.

NOTE:

You cannot drill down directly to the Minute level or Seconds level.

To drill down directly:

1. From the Page menu, select Detailed View. The Time Unit Selection for Detailed View dialog box is displayed:

Figure 6-46 – Time Unit Selection for Detailed View Dialog Box

NOTE:

This dialog box is correct for Most Active graphs. For continuous-type graphs, you cannot select Hour as the Time Unit.

2. Specify details of the exact year, month, day and hour to which you want to drill down and click OK. You can go straight from period level to day level without first going to month level.

As with real-time graphs, you can zoom into a long-term monitoring graph by holding down the <Shift> key and dragging a box around the area that you want to zoom in the graph. However, this method does not change the resolution of the graph, it provides a closer look at a particular area at the same resolution.

TIP:

You can access real-time graphs from a long-term monitoring graph. Right-click in the graph and you can select from real-time graphs for the current entity (Pipe or Virtual Channel).

Data Coverage

Although you may have selected a large period, for example, 5 months, the period could include interruptions where data collection stopped for a few days or a few hours. The period coverage is indicated in the status bar (Period/Month/Day/Hour/5-Minutes Coverage). If the percentage is low, perhaps around 85%, you can use the collection log file to view the exact times when data collection was not active.

To view the collection log file:

• From the File menu in the long-term monitoring window, select Collection Log File.

Figure 6-47 – Collection Log File Dialog Box

The Collection Log File dialog box provides a list of dates and times within the selected period that collection was not active.
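Two things the preceding pages describe only through the GUI are (a) how the agent's 30-second samples roll up into the Minute, Hour, Day and Month levels of the drill-down table, and (b) what the coverage percentage in the status bar and the Collection Log File list represent. The block below is an added example, not code from the guide or from Allot, and it does not read the agent's .csv or (request)_hour.xml files, whose layout the guide does not document; instead it constructs a one-hour series of 30-second samples with a six-minute collection gap and shows both calculations on it. The function names, the sample values and the gap are this example's own assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAMPLE_INTERVAL = timedelta(seconds=30)   # the agent's finest collection interval per the guide
Sample = Tuple[datetime, float]           # (timestamp, average kbps for that 30-second slot)

# Constructed starting point for the sample series (not real collected data).
EXAMPLE_START = datetime(2006, 9, 12, 10, 0)


def build_samples(start: datetime, count: int, missing: range) -> List[Sample]:
    """Construct `count` consecutive 30-second samples from `start`, omitting the
    indices in `missing` to imitate a stretch during which the agent was paused.
    Values are made up (a repeating 100..190 kbps pattern)."""
    return [(start + i * SAMPLE_INTERVAL, 100.0 + (i % 10) * 10.0)
            for i in range(count) if i not in missing]


def example_hour() -> List[Sample]:
    """One hour of constructed samples with slots 24..35 (10:12 to 10:18) missing."""
    return build_samples(EXAMPLE_START, 120, range(24, 36))


def bucket_start(ts: datetime, level: str) -> datetime:
    """Truncate a timestamp to the start of its bucket for the given drill-down level."""
    if level == "minute":   # five-minute buckets, the Minute level of the guide's table
        return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)
    if level == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    if level == "day":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if level == "month":
        return ts.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unknown level {level!r}")


def roll_up(samples: List[Sample], level: str) -> Dict[datetime, float]:
    """Average the 30-second samples inside each bucket of the requested level,
    which is what a continuous-type graph draws one bar or point for."""
    groups: Dict[datetime, List[float]] = {}
    for ts, kbps in samples:
        groups.setdefault(bucket_start(ts, level), []).append(kbps)
    return {b: sum(v) / len(v) for b, v in sorted(groups.items())}


def coverage(samples: List[Sample], start: datetime, end: datetime
             ) -> Tuple[float, List[Tuple[datetime, datetime]]]:
    """Percentage of expected 30-second slots in [start, end) that have a sample,
    plus the (gap_start, gap_end) intervals with no data: the information the
    status-bar coverage figure and the Collection Log File dialog convey."""
    expected = int((end - start) / SAMPLE_INTERVAL)
    present = {ts for ts, _ in samples if start <= ts < end}
    gaps: List[Tuple[datetime, datetime]] = []
    gap_start: Optional[datetime] = None
    for i in range(expected):
        slot = start + i * SAMPLE_INTERVAL
        if slot in present:
            if gap_start is not None:
                gaps.append((gap_start, slot))
                gap_start = None
        elif gap_start is None:
            gap_start = slot
    if gap_start is not None:
        gaps.append((gap_start, end))
    pct = 100.0 * len(present) / expected if expected else 0.0
    return pct, gaps


if __name__ == "__main__":
    hour = example_hour()
    for bucket, avg in roll_up(hour, "minute").items():
        print(bucket.strftime("%H:%M"), f"{avg:.1f} kbps")
    pct, gaps = coverage(hour, EXAMPLE_START, EXAMPLE_START + timedelta(hours=1))
    print(f"coverage {pct:.1f}%",
          [(a.strftime("%H:%M:%S"), b.strftime("%H:%M:%S")) for a, b in gaps])
```

The roll-up averages only the slots that exist, so a five-minute bucket that lost half its samples still shows a plausible figure; that is exactly why the coverage percentage matters when reading a long-term graph, and why a gap list is more useful than the percentage alone when deciding whether a quiet stretch was low traffic or no collection.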

Chapter 7: Defining Catalog Entries

This chapter describes Catalog Editors and how to define new Catalog entries.

This chapter includes the following sections:

Working with Catalog Editors, page 7-2, describes the features common to the Catalog Editors, and provides a general description of how to add and delete entries in Catalogs.

Host Catalog Editor, page 7-8, describes the Host Catalog Editor, where you define possible values for the Connection Source and Connection Destination of a policy.

Service Catalog Editor, page 7-20, describes the Service Catalog Editor, where you define possible values for the Service of a policy.

Time Catalog Editor, page 7-52, describes the Time Catalog Editor, where you define possible values for the Time of a policy.

TOS (Type of Service) Catalog Editor, page 7-57, describes the TOS Catalog Editor, where you define possible values for the TOS of a policy.

VLAN Catalog Editor, page 7-63, describes the VLAN Catalog Editor, where you define possible VLAN values of a policy.

Quality of Service Catalog Editor, page 7-66, describes the QoS Catalog Editor, where you define possible values for the Quality of Service applied to a policy.

Connection Control Catalog Editor, page 7-81, describes the Connection Control Catalog Editor, where you define possible values for the Connection Control applied to a policy.

Data Source Catalog Editor, page 7-87, describes the Data Source Catalog Editor, where you define LDAP servers with which NetEnforcer can work.


Working with Catalog Editors Catalogs contain the possible values available when defining policies in the Policy Editor. For example, when selecting the Connection Source of a Pipe, Virtual Channel or Rule, the possible values are the entries in the Host Catalog. Catalog Editors enable you to add, change or delete entries in Catalogs. Entries are comprehensive sets of parameters with logical names. These logical names then become the possible values available in the Policy Editor.

A logical entity, such as a specific user or Quality of Service definition, can be defined once, using the appropriate Catalog Editor, and then used many times in the Policy Editor.

NetEnforcer includes the following Catalogs:

• Host Catalog: The entries in the Host Catalog are the possible values for the Connection Source and Connection Destination conditions defined for a Pipe, Virtual Channel and Rule. The Connection Source and Connection Destination define the source and destination of the traffic. Refer to Host Catalog Editor, page 7-8.

• Service Catalog: The entries in the Service Catalog are the possible values for the Service condition defined for a Pipe, Virtual Channel and Rule. The Service represents the protocols relevant to a connection. Refer to Service Catalog Editor, page 7-20.

• Time Catalog: The entries in the Time Catalog are the possible values for the Time condition defined for a Pipe, Virtual Channel and Rule. The Time defines the applicability of a Pipe, Virtual Channel or Rule during certain time periods. Refer to Time Catalog Editor, page 7-52.

• TOS Catalog: The entries in the TOS Catalog are the possible values for the TOS condition defined for a Pipe, Virtual Channel and Rule. The TOS is the TOS byte contained in the IP header of the packet. TOS entries are also used in QoS Catalog entry definitions. Refer to Type of Service Catalog Editor, page 7-57.

• VLAN Catalog: The entries in the VLAN Catalog are the possible VLAN values of a policy and their priority. Refer to VLAN Catalog Editor, page 7-63.


• QoS Catalog: The entries in the QoS Catalog are the possible values for the Quality of Service action defined for a Pipe and Virtual Channel. The Quality of Service allocates bandwidth, traffic priority, TOS marking and connection count limits. Refer to Quality of Service Catalog Editor, page 7-66.

• Connection Control Catalog: The entries in the Connection Control Catalog are the possible values for the Connection Control action defined for a Pipe and Virtual Channel. The Connection Control refers to server load balancing and cache redirection. Refer to Connection Control Catalog Editor, page 7-81.

• Data Source Catalog: The entries in the Data Source Catalog are the possible LDAP servers with which NetEnforcer can work. These definitions can then be referenced in Data Source Query definitions in the Host Catalog Editor. Refer to Data Source Catalog Editor, page 7-87.

Each Catalog has its own editor where you can add new entries and modify existing entries.

Accessing Catalog Editors Catalog Editors can be accessed from any of the following places:

• The Catalogs menu in the Policy Editor

• The toolbar in the Policy Editor

• Right-clicking a cell in the Policy Editor and selecting Edit Catalog Entry


All Catalog Editors have some common fields and functionality, which are described in this section. A sample Catalog Editor is shown below:

Figure 7-1 – Sample Catalog Editor (callouts: List Pane, Definition Pane, Specific Entry Buttons, Global Catalog Editor Buttons)

The List pane displays a list of the current entries defined in the Catalog. Selecting an entry in the List pane displays its name at the top of the Definition pane, and its properties or definition below its name. The Definition pane is the working area of a Catalog Editor in which entries are defined.


All Catalogs contain three global buttons that apply to the Catalog as a whole and three specific buttons that apply to the currently selected entry, as follows:

Specific Entry Buttons

New: Adds a new Catalog entry.

Delete: Deletes the selected Catalog entry. You can only delete entries that are Unprotected. (Refer to Protected Entries, below.)

Undo: Undoes the changes made, since the last save, to the current entry.

Global Buttons

Saves changes in a Catalog Editor. In order to save the contents of the Catalog Editor to NetEnforcer, you must also save the Policy Editor.

Exits the Catalog Editor. Any unsaved changes are lost.

Displays online help relevant to the Catalog Editor in a separate window.

Protected Entries Each Catalog includes default entries whose definitions cannot be modified. Such entries are called Protected entries. When you select a Protected entry, such as Any in the Host Catalog Editor, the Delete and Undo buttons are automatically disabled. A user-defined entry is always Unprotected.


Deleting Entries from a Catalog Only Unprotected entries can be deleted from a Catalog. (Refer to Protected Entries, page 7-5.)

To delete an entry from a Catalog:

1. Select the entry to be deleted from the List pane.

2. Click Delete. The entry is no longer displayed in the List pane and it is deleted from the Catalog.

You must save the Policy Editor for the deletion to take effect.

Catalog entries that are referenced in a policy definition cannot be deleted.

Policy Editor Toolbar Catalog Editors can also be accessed by clicking on the required icon in the Policy Editor.

Figure 7-2 – Policy Editor


Below is a list of the Catalog Editor menu options, tools and shortcut key options available in the Policy Editor:

Host Opens the Host Catalog Editor, enabling you to define possible Connection Source and Destination conditions.

Service Opens the Service Catalog Editor, enabling you to define possible Service conditions.

Time Opens the Time Catalog Editor, enabling you to define possible Time conditions.

TOS Opens the TOS Catalog Editor, enabling you to define possible Type of Service conditions.

VLAN Opens the VLAN Catalog Editor, enabling you to define possible VLAN conditions.

Quality of Service Opens the QoS Catalog Editor, enabling you to define possible Quality of Service actions.

Connection Control Opens the Connection Control Catalog Editor, enabling you to define possible Connection Control actions.

Data Source Opens the Data Source Catalog Editor, enabling you to define the LDAP servers with which NetEnforcer can work or to define a Hosts Text File.


Host Catalog Editor The Host Catalog contains entries that are the possible values for the Connection Source and Connection Destination conditions of a Pipe, Virtual Channel or Rule. A sample Host Catalog Editor is shown below:

Figure 7-3 – Host Catalog Editor

NOTE:

The Any, Internal and External entries are Protected, meaning the definitions for these entries cannot be modified.


You can enter the host details individually, or NetEnforcer can retrieve IP addresses or host names from a specified LDAP directory server or text source file. (LDAP servers and text source files with which NetEnforcer can work are defined in the Data Source Catalog, page 7-87.) Once you have defined the hosts in a host list, you can group several host lists together in one Catalog entry.

Defining Host Lists A host list is a list of one or more hosts. Hosts can be host names, IP addresses, IP subnets, IP address ranges or MAC addresses. Following are examples of host entries:

• Host: If NetEnforcer is configured to support DNS, you can use logical DNS names.

• IP: The IP address of a host. For example, 172.16.1.31.

• IP Subnet: For example, 10.10.10.0 with a subnet mask of 255.255.255.0.

• IP Range: A range of IP addresses. For example, 10.1.2.3-10.1.3.7 means the ranges 10.1.2.3-10.1.2.255 and 10.1.3.1-10.1.3.7.

• MAC: The MAC address of a host.

To define a host:

1. In the Host Catalog Editor, click New. The following popup menu is displayed:

Figure 7-4 – New Host Entry Popup Menu


2. Select Host List. A new entry is added to the List pane in the Host Catalog.

Figure 7-5 – Host Catalog Editor: Adding Hosts

3. Edit the name of the entry in the Contents of field, if required.

4. In the Host Item area, click on the required host type radio button and input the relevant details in the corresponding text field.

5. From the Interface Loc of Host dropdown list, select the location of the host relative to NetEnforcer: Anywhere, Internal or External.

6. Click Add. The defined host is displayed in the Defined Items area.

NOTE:

The list of hosts in the Defined Items area can be sorted by clicking on any column header. For example, click Type to sort the list by type of host.


7. Repeat steps 4-6 to add other hosts, as required. You can add up to 10,000 entries in a host list.

NOTE:

To delete a host from the list, select the host in the Defined Items area and click Delete. To edit a host in the list, select the host in the Defined Items area, make the changes required to the definition and click Update.

8. Click OK. The new entry (entries) is saved in the Host Catalog and the Host Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Applying NetEnforcer in a DHCP Environment DHCP clients are those with a time-limited IP address. Dynamic IP addresses are supported and handled as follows:

• Today most DNS servers support dynamic update. This means that a DHCP server can dynamically inform the DNS server of any IP assignment.

• DHCP update includes the computer name to which an IP address was assigned.

• The DNS Server enters the update as part of the client name space.

• The NetEnforcer supports DNS queries. It decides whether or not to redirect specific traffic, based on the DNS-defined computer name.

• A policy is defined to redirect only those clients that require it. Other privileged addresses go directly without content filtering.


Grouping Hosts A host group is a collection of previously defined Host Catalog entries of Host List type grouped together in an additional entry. This eliminates the need to create several similar Pipes, Virtual Channels or Rules for hosts. The QoS defined for the group applies to all the hosts in the group. For example, you can create a group of hosts, called Division 1. Division 1 can contain three Host List catalog entries: Department A (employees a, b and c), Department B (employees d, e and f) and Department C (employees g, h and j). Groups are useful when working with templates. For more information, refer to the Templates section in Chapter 8, Defining Policies.


To group Host Catalog entries:

1. In the Host Catalog Editor, click New. The new host entry popup menu is displayed, as shown in Figure 7-4.

2. Select Group of Hosts. A new entry is added to the List pane in the Host Catalog Editor, as follows:

Figure 7-6 – Host Catalog Editor: Grouping Hosts

3. Edit the name of the entry in the Contents of field, if required.

The list in the Available Host Lists area displays all the available host list Catalog entries that can be added to the host group. The list in the Selected Lists in Group area displays the Catalog entries that you have selected to include in this host group.


4. Add Catalog entries to the group using the following buttons:

Adds the entries selected in the Available Host Lists area to the Selected Lists in Group area.

Adds all the entries in the Available Host Lists area to the Selected Lists in Group area.

Removes the entries selected in the Selected Lists in Group area and returns them to the Available Host Lists area.

Removes all the entries from the Selected Lists in Group area and returns them to the Available Host Lists area.

NOTE:

The entries in the Selected Lists in Group area can be sorted alphabetically by clicking on the column header.

5. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Defining LDAP-based Hosts LDAP (Lightweight Directory Access Protocol) is a communications protocol that enables NetEnforcer to retrieve hosts from an LDAP directory server associated with your NetEnforcer. Before creating Host Catalog entries using LDAP definitions, you must enter LDAP server details in the Data Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87.

You can specify (in the Policy Server tab of the NetEnforcer Configuration window) how often the LDAP directory server is read and the host information in NetEnforcer refreshed. For more details, refer to Chapter 4, Configuring NetEnforcer, Section Policy Server.


To define an LDAP-based host:

1. In the Host Catalog Editor, click New. The new host popup menu is displayed, as shown on page 7-9.

2. Select Data Source Query and then select the appropriate source from the list displayed. The list displays the LDAP servers and text files defined in the Data Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87. A new entry is added to the List pane in the Host Catalog Editor, as follows:

Figure 7-7 – Hosts Catalog Editor: LDAP-based Hosts

3. Edit the name of the entry in the Contents of field, if required.


4. Define the query to the LDAP server, as follows:

• In the Directory Subtree Root field, enter the root in the LDAP server that NetEnforcer will search.

• In the LDAP Directory Main Filter field, enter the filter string that defines the criteria for the query according to RFC 1960.

• In the Addresses Attribute Name field, enter the name of the attribute that holds the IP addresses of the entries. The attribute values use one of the following formats:

Attribute Name    Format                 Example
Network Address   <IP V4>:<Mask bits>    172.16.1.152:24
IP Range          <IP V4>:<IP V4>        172.16.1.1:172.16.1.23
Any Address       3
Host Name         4:<Host name>          allot.com

• In the Group Selector field, enter the attribute by which NetEnforcer will search for group entries.

5. Click Fetch & View Contents to preview the hosts retrieved from the LDAP directory server.

6. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

NOTE:

The actual execution of the LDAP query occurs when the Policy Editor is saved (or resaved). If the Fetch operation fails, NetEnforcer will retry the operation according to the retry interval parameter, defined in the LDAP/Text Source tab of the NetEnforcer Configuration window. Refer to the LDAP/Text Source section in Chapter 4, Configuring NetEnforcer.


Defining Text File-Based Hosts NetEnforcer can extract host addresses from a text file (CSV file). Before creating Host Catalog entries using a text file as a data source, you must enter the text file details in the Data Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87.

You can specify (in the LDAP/Text Source tab of the NetEnforcer Configuration window) how often the text file is read and the host information in NetEnforcer refreshed. For more details, refer to the LDAP/Text Source section in Chapter 4, Configuring NetEnforcer.


To define a text file-based host:

1. In the Host Catalog Editor, click New. The new host entry popup menu is displayed, as shown in Figure 7-4.

2. Select Data Source Query and then select the appropriate source from the list displayed. The list displays the LDAP servers and text files defined in the Data Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87. A new entry is added to the List pane in the Host Catalog Editor, as follows:

Figure 7-8 – Hosts Catalog Editor: Text File-Based Hosts

3. Edit the name of the entry in the Contents of field, if required.

4. In the Text File Path field, enter the location of the text file data source. This is the path or the host, as defined in the text source definitions, described on page 7-88.

5. In the Delimiter area, select the delimiter used in the text (CSV) file.


6. In the Location & Positions area, enter the following information:

• In the Start Query at Row field, enter the number of the row where NetEnforcer should start reading the data. (The first row is 1.)

• In the Address Field Position field, enter the number of the column where the address is located. (The first column is 1.)

• In the Group Selector Field Pos field, enter the number of the group selector field. This parameter is used to create (internally) a host entry name for each line in the text file.

7. Click Fetch & View Contents to preview the hosts retrieved from the text file.

8. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

NOTE:

The actual execution of the query occurs when the Policy Editor is saved (or resaved). If the Fetch operation fails, NetEnforcer will retry the operation according to the retry interval parameter, defined in the LDAP/Text Source tab of the NetEnforcer Configuration window. Refer to the LDAP/Text Source section in Chapter 4, Configuring NetEnforcer.
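As an added example (not code from Allot or this guide), the following Python validates address values in the four attribute formats listed for LDAP-based hosts on page 7-16 and reads a delimited host file using the Start Query at Row, Address Field Position and Group Selector Field Pos settings described above, reporting malformed rows instead of silently dropping them. It assumes the text file's address column uses those same formats (the guide does not state the file's address syntax) and that Host Name values carry the "4:" prefix shown in the Format column.

```python
"""Added example: validate host addresses fetched from an LDAP attribute or a
delimited text file before they are accepted as Host Catalog entries."""
import csv
import ipaddress
import re
from io import StringIO

# RFC 1123-style host name: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def parse_address_attribute(value: str) -> dict:
    """Parse one attribute value in the formats the guide's table lists:
         Network Address  <IP V4>:<Mask bits>   e.g. 172.16.1.152:24
         IP Range         <IP V4>:<IP V4>       e.g. 172.16.1.1:172.16.1.23
         Any Address      3
         Host Name        4:<Host name>         e.g. 4:allot.com (assumed prefix)
    Anything else raises ValueError, so a malformed directory entry cannot
    silently widen a policy or break the fetch for every other host."""
    value = value.strip()
    if value == "3":
        return {"type": "any"}
    if value.startswith("4:"):
        name = value[2:]
        if not HOSTNAME_RE.match(name):
            raise ValueError(f"invalid host name: {name!r}")
        return {"type": "host", "name": name.lower()}
    if ":" not in value:
        raise ValueError(f"unrecognised address attribute: {value!r}")
    left, right = value.split(":", 1)
    start = ipaddress.IPv4Address(left)  # raises ValueError on non-IPv4 text
    if right.isdigit():
        bits = int(right)
        if not 0 <= bits <= 32:
            raise ValueError(f"mask bits out of range: {bits}")
        # strict=False: the guide's own example (172.16.1.152:24) has host
        # bits set, so normalise to the containing network.
        net = ipaddress.IPv4Network((start, bits), strict=False)
        return {"type": "network", "network": str(net)}
    end = ipaddress.IPv4Address(right)
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return {"type": "range", "start": str(start), "end": str(end)}


def load_hosts_from_text(text: str, delimiter: str, start_row: int,
                         address_pos: int, group_pos: int):
    """Read a delimited host file the way the Location & Positions fields
    describe it: rows before start_row are skipped, address_pos and
    group_pos are 1-based column numbers, and each line yields one host
    entry named after its group selector value.
    Returns (hosts, errors): hosts is a list of (name, parsed_address),
    errors a list of (row_number, reason) for rows that were rejected."""
    hosts, errors = [], []
    reader = csv.reader(StringIO(text), delimiter=delimiter)
    for row_no, row in enumerate(reader, start=1):
        if row_no < start_row or not row:
            continue
        try:
            address = row[address_pos - 1].strip()
            group = row[group_pos - 1].strip()
            hosts.append((group, parse_address_attribute(address)))
        except (IndexError, ValueError) as exc:
            errors.append((row_no, str(exc)))
    return hosts, errors


# Constructed sample file (not from the guide): a header row, then
# "group;address;comment" rows, two of them deliberately malformed.
SAMPLE_TEXT = (
    "group;address;comment\n"
    "Finance;172.16.1.152:24;finance LAN\n"
    "Sales;172.16.1.1:172.16.1.23;sales block\n"
    "Guests;3;any address\n"
    "Web;4:allot.com;by host name\n"
    "Broken;172.16.1.23:172.16.1.1;reversed range\n"
    "Broken;999.1.1.1:24;bad octet\n"
)


def demo():
    """Start Query at Row = 2, Address Field Position = 2, Group Selector
    Field Pos = 1, semicolon delimiter."""
    return load_hosts_from_text(SAMPLE_TEXT, ";", start_row=2,
                                address_pos=2, group_pos=1)


if __name__ == "__main__":
    hosts, errors = demo()
    for name, parsed in hosts:
        print(name, parsed)
    for row_no, reason in errors:
        print(f"row {row_no} rejected: {reason}")
```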


Service Catalog Editor The Service Catalog contains entries that are the possible values for the Service of a policy. The Service defines the protocol of the connection passing through NetEnforcer. The entries are applications or protocol specifications, including network protocols, transport protocols and application protocols. When you define an HTTP, Oracle, H.323 or Citrix application, you can also add content definitions under it. A sample Service Catalog Editor is shown below:

Figure 7-9 – Service Catalog Editor

NOTE:

The All IP, All Service, All TCP and All UDP entries are Protected, meaning the definitions for these entries cannot be modified.

You can enter the application details individually, or you can import services from a protocols library. Once you have defined the applications, you can group several entries together in one Catalog entry.


From the Service Catalog Editor, you can define the following types of applications:

• TCP and UDP IP Protocols, page 7-21.

• Non-TCP and non-UDP IP Protocols, page 7-23.

• Non-IP Protocols, page 7-24.

• You can also define content for HTTP, Oracle, H.323, Citrix and other applications. For more information, refer to Adding Content, page 7-31.

Defining TCP and UDP IP Protocols When the connection is based on either TCP or UDP protocol, you define destination ports (meaning the target of the connection) as well as timeouts for the protocol.

To define TCP and UDP IP protocols:

1. In the Service Catalog Editor, click New. The following popup menu is displayed:

Figure 7-10 – New Service Entry Popup Menu

2. Select Application. A new entry is added to the List pane in the Service Catalog Editor.

3. Edit the name of the entry in the Contents of field, if required.

4. In the Protocol Definition area, select IP from the Network Protocol dropdown list.


5. From the Transport Protocol dropdown list, select TCP or UDP.

Figure 7-11 – Service Catalog: TCP/UDP Protocol

6. From the Application Protocol dropdown list, select the application protocol.

7. In the Ports tab, specify the target of the connection (destination port) as follows:

• In the Destination Ports list, click the next available row and enter a destination port number.

NOTES:

Port ranges can be entered as well. For example, enter 110-125 to indicate ports numbered 110 through 125. You can delete destination or source ports by selecting the port and pressing <Delete>.

8. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to remain open with no traffic passing through it before closing it.

9. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.


Defining Non-TCP and Non-UDP IP Protocols When the connection is IP, the protocol parameters vary according to whether the selected IP protocol is TCP/UDP or another IP protocol.

To define non-TCP and non-UDP IP protocols:

1. In the Service Catalog Editor, click New. The new service entry popup menu is displayed, as shown in Figure 7-10.

2. Select Application. A new entry is added to the List pane in the Service Catalog Editor.

3. In the Protocol Definition area, select IP from the Network Protocol dropdown list.

4. From the Transport Protocol dropdown list, select a protocol that is not UDP or TCP. If the non-TCP/non-UDP protocol that you require does not appear in the Transport Protocol dropdown list, you can add it by clicking the browse button, entering the protocol number in decimal (not hexadecimal) and clicking OK.

Figure 7-12 – Service Catalog: Non-UDP/TCP IP Protocol


5. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to remain open with no traffic passing through it before closing it.

6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Defining Non-IP Protocols When the connection is non-IP, you simply specify the required protocol in the Service Catalog entry.

To define non-IP protocols:

1. In the Service Catalog Editor, click New. The new service entry popup menu is displayed, as shown in Figure 7-10.

2. Select Application. A new entry is added to the List pane in the Service Catalog Editor.

3. Edit the name of the entry in the Contents of field, if required.

4. In the Protocol Definition area, select the required non-IP protocol from the Network Protocol dropdown list. If the protocol that you require does not appear in the list, you can add it by clicking the browse button, entering the protocol number in decimal (not hexadecimal) and clicking OK.


Figure 7-13 – Service Catalog: Non-IP Protocol

TIP: If you select a non-IP service as the Service condition in the Policy Editor, you must select Any for the Connection Source and Connection Destination conditions, since all other Host Catalog entries are IP-based. You should also define TOS as Ignored.

5. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to remain open with no traffic passing through it before closing it.

6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.


Importing Protocols You can create entries in the Service Catalog by importing services from a protocols library. This library includes a selection of about 8000 services and is based on the IANA list of protocols.

To import protocols:

1. In the Service Catalog Editor, click New. The new service entry popup menu is displayed, as shown in Figure 7-10.

2. Select Import from Protocols Library. The Protocols Library dialog box is displayed.

Figure 7-14 – Protocols Library Dialog Box


NOTE:

Protocols that have already been added to the Service Catalog appear disabled (grayed out) in the Protocols Library dialog box.

3. Select the checkbox in the Add column for the protocols you want to add to the Service Catalog and click Add to Catalog. The selected protocols are added as entries to the Service Catalog.

TIP: To filter the protocols displayed, select a grouping from the Display dropdown list. For example, if you select TCP protocols, only TCP protocols are listed in the dialog box.

4. Click Close to close the Protocols Library dialog box.

Importing Protocols from the Policy Editor You can also import protocols from the Policy Editor. Using this procedure, you change the service of a rule and also import the new protocol into the Service Catalog.

To import protocols from the Policy Editor:

1. In the Policy Editor, right-click an entry in the Service column. The following popup menu is displayed:

Figure 7-15 – Accessing Protocols Library Dialog Box From Policy Editor


2. Click Select from Protocols Library. The Protocols Library dialog box is displayed.

Figure 7-16 – Protocols Library Dialog Box Accessed From Policy Editor

3. Select a single protocol from the list and click Select. The selected entry in the Policy Editor is replaced with the new protocol and the selected protocol is added to the Service Catalog.


Web Update You can also use the Web Update feature to automatically add new protocols and applications (when available and announced from Allot Communications) to the service catalog, without having to perform software updates.

A Service Web Update adds both the service entries and the relevant Layer-7 signatures for the protocols and applications. The new service entries are also automatically added to the relevant default service groups. For example, if there are new P2P applications, they are automatically added to the default P2P service group.

Note: This service is intended for customers with valid support agreements only.

To perform service Web update:

1. From the Tools menu, select Update Service Catalog from Allot Communications. The service catalog update message is displayed, as shown in Figure 7-17.

Figure 7-17 – Web Update Message

2. Click OK.

NOTE:

An alert is displayed in the Alerts log indicating the success or failure of the Web Update process.


Grouping Service Catalog Entries You can group together a collection of previously defined Service Catalog entries in an additional entry. This eliminates the need to create several similar Pipes, Virtual Channels or Rules for services. The QoS defined for the group applies to all the services in the group.

To group Service Catalog entries:

1. In the Service Catalog Editor, click New. The new service entry popup menu is displayed, as shown in Figure 7-10.

2. Select Group of Services. A new entry is added to the List pane in the Service Catalog Editor.

Figure 7-18 – Service Catalog Editor: Grouping Services

3. Edit the name of the entry in the Contents of field, if required.

The list in the Available Services area displays all the available Service Catalog entries that can be added to the service group. The list in the Selected Services in Group area displays the Catalog entries that you have selected to include in this service group.

4. Add Catalog entries to the group using the following buttons:

Adds the entries selected in the Available Services area to the Selected Services in Group area.

Adds all the entries in the Available Services area to the Selected Services in Group area.

Removes the entries selected in the Selected Services in Group area and returns them to the Available Services area.

Removes all the entries from the Selected Services in Group area and returns them to the Available Services area.

5. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Adding Content Most Application Protocol entries classify traffic by the protocol itself. Transport Protocol entries let you specify destination ports, and some apply to any traffic regardless of port.

This section provides instructions on classifying traffic according to content in certain Application Protocols (examples of these protocols are HTTP, Oracle, H.323, SMTP, FTP, Citrix and others, such as some P2P applications).


Defining FTP Content FTP (File Transfer Protocol) is a traditional Internet protocol used for file transfer. In addition to the NetEnforcer's ability to recognize FTP traffic, it is possible to define FTP content-based classification. You can define independent Service Catalog entries that reference FTP content by entering information in the Command and File Name tabs. These entries can subsequently be used in the Policy Editor. For example, the Command field makes it possible to distinguish FTP upload from FTP download, and the File Name field can be used to recognize FTP traffic according to the name of the file transferred over an FTP session.

To add FTP content:

1. In the Service Catalog Editor, select the FTP-Sig protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected “FTP Sig” Service in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-19 – Service Catalog: Adding Content and File Name Tab

NOTE:

The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant line in the text content list and click the preferred option. A window opens with the option to perform the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

3. In the File Name tab, enter a URL as follows:

• Click Add. The Add Item dialog box is displayed.

• Enter the required URL and click Add. The URL is displayed in the File Name tab.

• Add further URLs using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

4. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Defining HTTP Content HTTP (Hyper Text Transfer Protocol) is one of the dominant protocols on the Web. It is mainly used for Web surfing but has many other uses, such as file transfer, streaming media and P2P applications (as transport infrastructure). The NetEnforcer automatically recognizes “non-traditional” applications that use HTTP as a base protocol (e.g. Kazaa, Gnutella, HTTP Streaming) by their official name; those applications are not considered HTTP and are therefore not covered by this section.

For traditional HTTP uses, such as Web surfing and file transfer, the NetEnforcer allows content-based classification. You can define independent Service Catalog entries that reference HTTP content by entering information in the four tabs: URL, Methods, Hosts and Content-Type. These entries can subsequently be used in the Policy Editor. For example, the URL field can be used to differentiate between file names or URLs transferred over HTTP. The Methods field can be used to distinguish between HTTP transactions by method, such as “GET” or “PUT”. The Hosts field can be used to differentiate between Web servers using the same IP address (“virtual hosts”). The Content-Type field can be used to distinguish the type of data forwarded over an HTTP transaction (e.g. “text/html”, “image/jpeg”).

You can define independent Service Catalog entries that reference HTTP content. These entries can subsequently be used in the Policy Editor.

To add HTTP content:

1. In the Service Catalog Editor, select the HTTP Sig protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected HTTP Sig protocol in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-20 – Service Catalog: Adding Content and URL Tab

NOTE:

The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant line in the text content list and click the preferred option. A window opens with the option to perform the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

3. In the URL tab, enter a URL as follows:

• Click Add. The Add Item dialog box is displayed.

• Enter the required URL and click Add. The URL is displayed in the URL tab.

• Add further URLs using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

A Web request carries this identifier (which can be represented by an HTML page, an image, a Java applet or a CGI program). For a complete description of how to set up a policy that will match a URL, see the tip on page 7-40.

NOTE:

You can delete a URL by selecting the URL and pressing <Delete> on your keyboard or by clicking Remove in the URL tab.

4. Select the Methods tab.

Figure 7-21 – Adding Content: Methods Tab

5. In the Methods tab, enter an HTTP method as follows:

• Click Add. The Add Item dialog box is displayed with a predefined list of methods.

• Select the required method and click Add. The method is displayed in the Methods tab.

• Add further methods using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

HTTP uses seven methods to exchange information between clients and servers: GET, PUT, POST, OPTIONS, HEAD, DELETE and TRACE. It is possible to base a service on one or more HTTP methods.

NOTE:

You can delete a method by selecting the method and pressing <Delete> on your keyboard or by clicking Remove in the Methods tab.

6. Select the Hosts tab.

Figure 7-22 – Adding Content: Hosts Tab

7. In the Hosts tab, enter a host as follows:

• Click Add. The Add Item dialog box is displayed.

• Enter the required host and click Add. The host is displayed in the Hosts tab.

• Add further hosts using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

The host string is compared against the value of the Host header field of an HTTP request sent by a client (such as Netscape Navigator or Internet Explorer). This string is usually the name of the host that the user requested, possibly suffixed with the string ":port" (the port number that the browser uses to connect to the server; for HTTP, this is usually port 80).

For example, a browser that sends an HTTP request to www.cnn.com will put the string www.cnn.com or www.cnn.com:80 in the Host header of the request. If you wish to detect all traffic to a host, add * at the end of the string, for example www.cnn.com*. Another way to identify a host is by its IP address, in the format IP Address or IP Address:Port Number, for example 173.17.1.1:80.

The typical use for this kind of match is virtual hosting, where more than one Web site is hosted on the same IP address, which is possible when DNS resolves many names to one IP address.

NOTE:

You can delete a host by selecting the host and pressing <Delete> on your keyboard or by clicking Remove in the Hosts tab.

8. Select the Content Type tab.

Figure 7-23 – Adding Content: Content Type Tab

9. In the Content Type tab, enter a content type as follows:

• Click Add. The Add Item dialog box is displayed with a predefined list of content types.

• Select the required content type and click Add. The content type is displayed in the Content Type tab.

• Add further content types using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

The predefined list classifies according to the content-type, which describes the data transferred over the HTTP protocol. For example, you may want to single out all forms of audio content, but allow all HTML files and pictures.

10. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

TIP:

Defining URL and Application-Level Rules

NetEnforcer enables you to reference Service entries in Pipes, Virtual Channels, and Rules by application and content type, including:

• HTTP URL addresses.

• Web directories and pages.

• Application content types.

URLs are the addresses by which documents are identified on the World Wide Web. A rule can be defined to match a specific URL, a list of URLs or a pattern of URLs, for example, *.gif or /document/*.

A URL has the following structure: <scheme>://<server name>[:<port>]/<relative path of query from HTTP server root>

Where:

• Scheme is the transmission protocol. For example, HTTP (Hypertext Transfer Protocol) or FTP (File Transfer Protocol).

• Server name is the IP address of the server on which the document resides, or its DNS name.

• Path describes the location of the document on the server with reference to the server's root directory.

To define a rule that will match a set of URLs of a specific type (for example, HTTP) on a specific host, two sections in the Service Catalog must be defined: a Host and a URL. The part of the URL relevant for the Host is the server name, and the part relevant for the URL is the section that includes the scheme, port and path. For example, for the URL http://www.allot.com/news/index.html, www.allot.com will be in the Host section and /news/index.html or /news/* will be in the URL section. This bears no relation to entries in the Host Catalog.
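As an added example (not part of the Allot guide or the NetEnforcer software), the following Python models how the four HTTP content tabs from steps 3 to 9 and the Host/URL split described in this tip apply to a parsed request. The entry names, the sample request and the treatment of an empty tab as "no constraint" are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class HttpContentEntry:
    """One HTTP 'Content' entry with its four tabs. An empty list means the
    tab was left blank and places no constraint (assumption)."""
    name: str
    urls: List[str] = field(default_factory=list)           # e.g. "/news/*", "*.gif"
    methods: List[str] = field(default_factory=list)        # e.g. "GET", "POST"
    hosts: List[str] = field(default_factory=list)          # e.g. "www.allot.com*"
    content_types: List[str] = field(default_factory=list)  # e.g. "image/jpeg"


def split_url(url: str) -> Tuple[str, str]:
    """Split a full URL the way the tip describes: the server name goes in the
    Host section, the path from the server root in the URL section.
    http://www.allot.com/news/index.html -> ("www.allot.com", "/news/index.html")
    """
    _scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return host, slash + path


def host_matches(pattern: str, host_header: str) -> bool:
    """Hosts tab semantics: a trailing '*' matches any Host value that starts
    with the text before it (www.cnn.com* also covers www.cnn.com:80);
    otherwise the Host header value must match exactly."""
    if pattern.endswith("*"):
        return host_header.startswith(pattern[:-1])
    return host_header == pattern


def url_matches(pattern: str, request_path: str) -> bool:
    """URL tab semantics: an exact path or a pattern such as *.gif or /document/*."""
    return fnmatchcase(request_path, pattern)


def parse_request_head(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def entry_matches(entry: HttpContentEntry, method: str, path: str,
                  headers: Dict[str, str],
                  response_content_type: Optional[str] = None) -> bool:
    """True when every non-empty tab of the entry is satisfied. Content-Type is
    taken from the server's response, which is where the type of the
    transferred data is declared."""
    if entry.methods and method not in entry.methods:
        return False
    host = headers.get("host", "")
    if entry.hosts and not any(host_matches(p, host) for p in entry.hosts):
        return False
    if entry.urls and not any(url_matches(p, path) for p in entry.urls):
        return False
    if entry.content_types and response_content_type not in entry.content_types:
        return False
    return True


def classify(entries: List[HttpContentEntry], raw_request: str,
             response_content_type: Optional[str] = None) -> Optional[str]:
    """Return the name of the first entry (in catalog order) that matches,
    or None when the transaction is only plain HTTP."""
    method, path, headers = parse_request_head(raw_request)
    for entry in entries:
        if entry_matches(entry, method, path, headers, response_content_type):
            return entry.name
    return None


# Constructed catalog: names and patterns are illustrative only.
CATALOG = [
    HttpContentEntry("Allot news pages", urls=["/news/*"], methods=["GET"],
                     hosts=["www.allot.com*"]),
    HttpContentEntry("Uploads", methods=["PUT", "POST"]),
    HttpContentEntry("Audio over HTTP", content_types=["audio/mpeg", "audio/x-wav"]),
]

# Constructed sample request; the ":80" suffix is what a browser may send.
SAMPLE_REQUEST = (
    "GET /news/index.html HTTP/1.1\r\n"
    "Host: www.allot.com:80\r\n"
    "User-Agent: example\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(split_url("http://www.allot.com/news/index.html"))
    print(classify(CATALOG, SAMPLE_REQUEST, "text/html"))
```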

Defining Oracle Content Defining Oracle content enables you to define all Oracle traffic based on database names and/or user names. These entries can subsequently be used in the Policy Editor.

To add Oracle content:

1. In the Service Catalog Editor, select the Oracle TCP protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected Oracle protocol in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-24 – Service Catalog: Adding Content and Service Tab

NOTE:

The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant line in the text content list and click the preferred option. A window opens with the option to perform the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

3. In the Service Name tab, enter the database name as follows:

• Click Add. The Add Item dialog box is displayed.

• Enter the required database name and click Add. The database name is displayed in the Service Name tab.

• Add further database names using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

4. Select the User Name tab.

5. In the User Name tab, enter user names as follows:

• Click Add. The Add Item dialog box is displayed.

• Enter the required user name and click Add. The user name is displayed in the User Name tab.

• Add further user names using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Defining SMTP Content SMTP (Simple Mail Transfer Protocol) is the de facto mail transfer protocol used on the Internet. The NetEnforcer is able to distinguish between different SMTP sessions according to the “From” field, which represents the address (e.g. “[email protected]”) or the domain (e.g. “allot.com”) of the email originator. For example, you can use an SMTP content-based rule to identify SMTP traffic containing emails originating from your company's domain and assign it higher priority. Another example would be to allow only SMTP traffic containing emails originating from well-known domains in order to protect against spam.

You can define independent Service Catalog entries that reference SMTP content. These entries can subsequently be used in the Policy Editor.

To add SMTP content:

1. In the Service Catalog Editor, select the SMTP protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected SMTP protocol in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-25 – Service Catalog: Adding Content and URL Tab

NOTE:

The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant line in the text content list and click the preferred option. A window opens with the option to perform the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

3. In the Domains tab, enter a domain or address as follows:

• Click Add. The Add Item dialog box is displayed.

• Enter the required domain or address and click Add. It is displayed in the Domains tab.

• Add further domains or addresses using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

4. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Defining H.323 Content You can define independent Service Catalog entries that reference H.323 content. These entries can subsequently be used in the Policy Editor.

Defining H.323 content enables you to classify audio and video H.323 traffic. In the audio classification, extra capabilities are provided according to Codec, which indicates the bandwidth requirements of audio transmissions. The Codec encapsulates the analog (audio) information and converts it into digital information. The NetEnforcer can then classify this type of traffic and apply a policy to it.

To add H.323 content:

1. In the Service Catalog Editor, select an H.323 protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected H.323 protocol in the List pane and the Service Catalog Editor is displayed, as follows:

Figure 7-26 – Service Catalog: Adding Content in H.323

NOTE:

The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant line in the text content list and click the preferred option. A window opens with the option to perform the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

3. In the Codec tab, enter H.323 content as follows:

• Click Add. The Add Item dialog box is displayed with a predefined list of H.323 content.

• Select the required H.323 content and click Add. The content is displayed in the Codec tab.

• Add further H.323 content using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

4. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

Defining Citrix Content Citrix® is a global leader in access infrastructure solutions. Their software enables people in businesses, governments and educational institutions to securely and instantly access software applications and information via a thin client.

In a Citrix topology, a client initiates a session to a Citrix server, which provides access to various applications such as “Desktop” or “Published Applications”. Using Citrix content-based services, the NetEnforcer can distinguish between different characteristics of Citrix sessions. For example, the App Name field in a Citrix content-based service can identify a session by its published application name. In addition, the User Name field can be used to identify the Citrix session, and the Priority Bit field can be used to distinguish between Citrix Print traffic and standard Citrix traffic.

To add Citrix content:

1. In the Service Catalog Editor, select a Citrix protocol in the List pane and click New and then Content from the service entry popup menu displayed. A new content entry is added below the selected Citrix protocol in the List pane and the Service Catalog Editor is displayed.

NOTE:

Citrix MetaFrame traffic may be classified by application or user name, with priority optional by selecting CITRIX in the Service Catalog.

Citrix - NFuse traffic may be classified by application or user name, with priority optional, by selecting CITRIX – NFUSE in the Service Catalog.

Citrix traffic can be classified by Priority Bit/Print Traffic only by selecting CITRIX-ICA in the Service Catalog.

Figure 7-27 – Service Catalog: Adding Content in Citrix

NOTE:

The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant line in the text content list and click the preferred option. A window opens with the option to perform the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

3. In the App Name tab, define the application being used through the Citrix protocol, for example Microsoft Word or Excel, as follows:

• Click Add. The Add Item dialog box is displayed.

• Enter the required application name and click Add. The application name is displayed in the App Name tab.

• Add further application names using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

4. Select the User Name tab.

Figure 7-28 – Adding Content: User Name Tab

5. In the User Name tab, enter user names as follows:

• Click Add. The Add Item dialog box is displayed.

• Enter the required user name and click Add. The user name is displayed in the User Name tab.

• Add further user names using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

6. Select the Priority tab.

Figure 7-29 – Adding Content: Priority Tab

7. In the Priority tab, enter the priority as follows:

• Click Add. The Add Item dialog box is displayed with a predefined list of priorities.

• Select the required priority and click Add. The priority is displayed in the Priority tab.

• Add further priorities using the Add Item dialog box as required.

• Click Close to close the Add Item dialog box.

8. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.

NOTE:

NetEnforcer features layer 7+ analysis of many Peer to Peer (P2P) applications, utilizing advanced signature recognition. Some of the applications which are automatically recognized and classified are:

KaZaA (V1 & V2), Grokster, iMesh, Poisoned, DietKaza, eDonkey (eDonkey, eMule), xMule, Overnet, Gnutella, Shareaza, Morpheus, Gnucleus, XoloX, LimeWire, FreeWire, Bearshare, Acquisition, Nova, Phex, Gtk-Gnutella, NeoNapster, WinMX (WinMX Direct Connect, Direct Connect), DC++, BCDC++, Hotline (in the first update), Madster, BitTorrent, MP2P, Motilino, Blubster, Piolet, RockitNet (in the first update), SoulSeek, Winny.

Time Catalog Editor The Time Catalog contains entries that are the possible values for the Time of a policy, meaning the time period when a policy is active. A sample Time Catalog Editor is shown below:

Figure 7-30 – Time Catalog Editor

NOTE:

The Anytime entry is Protected, meaning the definitions for this entry cannot be modified.

Time periods can have ranges of hours and minutes in which they are active, or they can be active during whole days. An entry in the Time Catalog has one or several time periods when policies assigned this entry are active.

To define a time period:

1. In the Time Catalog Editor, click New. A new entry is added to the List pane in the Time Catalog Editor.

2. Edit the name of the entry in the Contents of field, if required.

3. In the Defined Time Entries area, click Add. The Time Entry Definition dialog box is displayed:

Figure 7-31 – Time Entry Definition Dialog Box

4. In the Frequency dropdown list, select the frequency of the time period. The options are as follows:

• Daily: A period of time that occurs on a daily basis.

• Weekly: A period of time that occurs on a weekly basis. For example, Monday from 8:00 to 17:00.

• Monthly: A period of time that occurs on a monthly basis. For example, the 15th day of the month.

• Yearly: A period of time that occurs on an annual basis. For example, January 1st may be defined as a yearly event.

5. The remaining fields in the dialog box vary according to the frequency you select. If you select Daily, select the time span for the time period from the dropdown list in the Time Span field:

• All day: Sets the time period as active for the whole day.

• From – Through: Enables you to select the exact time that the period will begin, and the exact time that it will end.

Figure 7-32 – Time Entry Definition: Daily

6. If you select Weekly, select the day of the week for the time period from the dropdown list in the Day of Week field and the time span from the dropdown list in the Time Span field, as described in step 5.

Figure 7-33 – Time Entry Definition: Weekly

7. If you select Monthly, select the day of the month for the time period from the Day of Month field and the time span from the dropdown list in the Time Span field, as described in step 5.

Figure 7-34 – Time Entry Definition: Monthly

8. If you select Yearly, select the month for the time period from the dropdown list in the Month field, select the day of the month from the Day of Month field, and the time span from the dropdown list in the Time Span field, as described in step 5.

Figure 7-35 – Time Entry Definition: Yearly

9. Click OK. The specified time period is displayed in the Defined Time Entries area in the Definition pane of the Time Catalog Editor.

10. Repeat steps 3 through 9 to add additional time periods as required.

NOTE:

You can edit or delete the time periods using the Edit and Delete buttons in the Defined Time Entries area.

11. Click OK. The new entry (entries) is saved in the Time Catalog. In order to save the new entry (entries) to the database, you must save the Policy Editor.

TIP: Adding a new policy with time-dependent traffic classification is effective only on new connection attempts. Any existing connection that may fall under that policy continues to pass under its original policy. If a Reject or Drop action is specified, these actions are applied only to new connection attempts.

NOTE:

A discrete time range cannot be created. For example, March 15, 2001 from 2:00 PM through 5:00 PM cannot be created. However, it can be approximated by Yearly, March 15, 2:00 PM through 5:00 PM.
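As an added example (not Allot's code), the following Python models a Time Catalog entry as a list of Daily, Weekly, Monthly or Yearly periods and evaluates whether a policy assigned that entry is active at a given moment, including the Yearly approximation of a one-off range described in the note above. The entry names are constructed, and treating the From – Through span as inclusive of both ends is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional


@dataclass
class TimePeriod:
    """One line in the Defined Time Entries area of a Time Catalog entry."""
    frequency: str                  # "Daily", "Weekly", "Monthly" or "Yearly"
    start: Optional[time] = None    # start and end both None means "All day"
    end: Optional[time] = None
    weekday: Optional[int] = None   # Weekly: 0 = Monday .. 6 = Sunday
    day: Optional[int] = None       # Monthly / Yearly: day of month
    month: Optional[int] = None     # Yearly: 1..12

    def __post_init__(self):
        if self.frequency not in ("Daily", "Weekly", "Monthly", "Yearly"):
            raise ValueError(f"unknown frequency {self.frequency!r}")
        if (self.start is None) != (self.end is None):
            raise ValueError("From and Through must be given together")
        if self.frequency == "Weekly" and self.weekday is None:
            raise ValueError("Weekly needs a day of week")
        if self.frequency in ("Monthly", "Yearly") and self.day is None:
            raise ValueError("Monthly and Yearly need a day of month")
        if self.frequency == "Yearly" and self.month is None:
            raise ValueError("Yearly needs a month")

    def covers(self, when: datetime) -> bool:
        """True if 'when' falls inside this period."""
        if self.frequency == "Weekly" and when.weekday() != self.weekday:
            return False
        if self.frequency in ("Monthly", "Yearly") and when.day != self.day:
            return False
        if self.frequency == "Yearly" and when.month != self.month:
            return False
        if self.start is None:              # All day
            return True
        # From - Through; both ends treated as inclusive (assumption)
        return self.start <= when.time() <= self.end


@dataclass
class TimeCatalogEntry:
    name: str
    periods: List[TimePeriod]

    def is_active(self, when: datetime) -> bool:
        """A policy assigned this entry is active when any of its periods covers 'when'."""
        return any(p.covers(when) for p in self.periods)


# The protected Anytime entry: a single Daily, All day period.
ANYTIME = TimeCatalogEntry("Anytime", [TimePeriod("Daily")])

# Constructed entries for illustration: weekdays 8:00-17:00, and the 15th of each month.
OFFICE_HOURS = TimeCatalogEntry("Office hours", [
    TimePeriod("Weekly", time(8, 0), time(17, 0), weekday=wd) for wd in range(5)
])
PAYDAY = TimeCatalogEntry("Payday", [TimePeriod("Monthly", day=15)])

# Approximation of "March 15, 2001, 2:00 PM through 5:00 PM" from the note:
# the period recurs every year, which is the limitation the note describes.
MARCH_15_WINDOW = TimeCatalogEntry("March 15 window", [
    TimePeriod("Yearly", time(14, 0), time(17, 0), day=15, month=3)
])

if __name__ == "__main__":
    print(OFFICE_HOURS.is_active(datetime(2006, 3, 13, 9, 0)))      # a Monday morning
    print(MARCH_15_WINDOW.is_active(datetime(2002, 3, 15, 15, 0)))  # recurs in 2002 too
```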

TOS (Type of Service) Catalog Editor The TOS Catalog contains entries that are the possible values for the TOS condition of a Pipe, Virtual Channel or Rule. The entries in the TOS Catalog are also possible values for the TOS marking parameters in the QoS Catalog (refer to page 7-71). A sample TOS Catalog Editor is shown below:

Figure 7-36 – Sample TOS Catalog Editor

NOTE:

All of the entries in Figure 7-36 are predefined public domain TOS definitions and are Protected, meaning that they cannot be modified.

The TOS is a byte in the IP header of a packet that contains information about routing recommendations. NetEnforcer classifies traffic based on the TOS byte marking contained in the IP headers of the packets passing through it. The Differentiated Services standard, for example, defines TOS byte markings for traffic classification. Using Differentiated Services, the TOS byte can indicate three major traffic classes: Expedited, Assured Forwarding and Best Effort. Assured Forwarding includes a priority class and a drop precedence level (making a total of 12 combinations). All of these TOS byte markings are predefined in the TOS Catalog. Further information regarding TOS standards can be found at www.ietf.org/rfc/rfc2475.txt.

NetEnforcer also supports TOS classification by Free Format, which can be used to classify traffic marked per Cisco Precedence Bits method.

In the TOS Catalog Editor, you can view the properties of predefined entries and create entries that classify the TOS byte using Free Format, page 7-61.

To view predefined entries:

• In the TOS Catalog Editor, select a predefined entry in the List pane. When you select the Ignore TOS entry, the Definition pane is displayed as shown on page 7-57. When you select an entry based on Differentiated Services (Best Effort or Expedited), the Definition pane is displayed as follows:

Figure 7-37 – TOS Catalog Editor: Differentiated Service

The Service field displays the selected differentiated service, as follows:

• Best Effort: Traffic is forwarded if and when possible.

• Expedited: Traffic receives priority treatment.

• Assured Forwarding: Forwarding of traffic is guaranteed.

When Assured Forwarding is displayed, two additional fields, Priority Class and Drop Precedence, are displayed:

Figure 7-38 – Differentiated Service – Assured Forwarding

The Priority Class field displays the class (1 to 4). The priority class determines the priority level of the traffic: Class 1 is the lowest (no priority) and Class 4 is the highest.

The Drop Precedence field displays the precedence (Low, Medium or High). Drop precedence refers to the fact that in times of heavy congestion, some packets will be dropped. Low means that the packet will be dropped as a last resort, whereas High means that the packet can be dropped before any others.

NOTE:

The graphic representation of the TOS byte that will be checked against the IP header is displayed in the Resultant TOS Byte Bit Settings field.

Free Format TOS classification using Free Format enables you to classify traffic marked according to the Cisco Precedence Bits method.

To define a TOS using free format:

1. In the TOS Catalog Editor, click New. A new entry is added to the List pane in the TOS Catalog Editor and the Definition pane is displayed as follows:

Figure 7-39 – TOS Catalog Editor: Free Format

2. Edit the name of the entry in the Contents of field, if required.

3. Define the TOS by selecting the individual bits in the graphic representation of the TOS byte in the Selected TOS Byte Bit Settings field.

4. Click OK. The new entry (entries) is saved in the TOS Catalog. In order to save the new entry (entries) to the database, you must save the Policy Editor.
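As an added example (not Allot's code), the following Python shows how the predefined Differentiated Services entries and a Free Format entry map onto the TOS byte that NetEnforcer checks: the DSCP occupies the six high-order bits, the Cisco precedence bits are the top three, and the catalog's 12 Assured Forwarding combinations come from four classes times three drop precedences. That a Free Format entry compares the whole resultant byte is an assumption.

```python
from typing import Dict, Iterable

# DSCP values from RFC 2474 / RFC 2597 / RFC 3246; DSCP is the high six bits of the TOS byte.
DSCP_BEST_EFFORT = 0b000000
DSCP_EXPEDITED = 0b101110          # EF, decimal 46
DROP_PRECEDENCE = {1: "Low", 2: "Medium", 3: "High"}


def af_dscp(priority_class: int, drop_precedence: int) -> int:
    """Assured Forwarding code point AFxy: class x in 1..4, drop precedence y in 1..3.
    DSCP = (class << 3) | (drop << 1), so AF11 = 001010 = 10."""
    if priority_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return (priority_class << 3) | (drop_precedence << 1)


def tos_byte(dscp: int) -> int:
    """Place a six-bit DSCP into the TOS byte; the two low bits are left zero."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is six bits")
    return dscp << 2


def precedence_bits(tos: int) -> int:
    """Cisco IP Precedence: the three high-order bits of the TOS byte."""
    return (tos >> 5) & 0b111


def decode_tos(tos: int) -> Dict[str, object]:
    """Name the predefined catalog entry a TOS byte corresponds to, as the
    Definition pane shows it; anything else is reported as Free Format."""
    dscp = tos >> 2
    if dscp == DSCP_BEST_EFFORT:
        return {"service": "Best Effort"}
    if dscp == DSCP_EXPEDITED:
        return {"service": "Expedited"}
    cls, drop, low = (dscp >> 3) & 0b111, (dscp >> 1) & 0b11, dscp & 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low == 0:
        return {"service": "Assured Forwarding", "priority_class": cls,
                "drop_precedence": DROP_PRECEDENCE[drop]}
    return {"service": "Free Format", "precedence": precedence_bits(tos)}


def bits_to_tos(selected_bits: Iterable[int]) -> int:
    """Build the 'Resultant TOS Byte' from the bit positions (7 = MSB .. 0 = LSB)
    ticked in the Free Format graphic."""
    tos = 0
    for bit in selected_bits:
        if not 0 <= bit <= 7:
            raise ValueError("TOS bit positions are 0..7")
        tos |= 1 << bit
    return tos


def free_format_matches(entry_tos: int, packet_tos: int) -> bool:
    """Assumed semantics: the whole resultant byte is compared with the packet's TOS byte."""
    return entry_tos == packet_tos


def all_assured_forwarding() -> Dict[str, int]:
    """The 12 AF combinations predefined in the TOS Catalog, as TOS byte values."""
    return {f"AF{c}{d}": tos_byte(af_dscp(c, d))
            for c in range(1, 5) for d in range(1, 4)}


if __name__ == "__main__":
    for name, tos in all_assured_forwarding().items():
        print(name, f"0x{tos:02x}", decode_tos(tos))
    # Cisco precedence 5 (binary 101) entered as bits 7 and 5 in the Free Format graphic
    print(decode_tos(bits_to_tos([7, 5])))
```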

TIP:

NetEnforcer in an MPLS Environment MPLS (Multi-protocol Label Switching) has become an important networking technology in the last few years. This protocol is the first backbone-related protocol to provide a scalable, service-oriented infrastructure for the Internet. MPLS (an IETF standard; its architecture is defined in RFC 3031) uses the concept of label switching, which creates a 'virtual circuit' between two end-points, rather than legacy IP packet-by-packet routing.

MPLS allows the implementation of QoS controlled services (especially in IP-VPN environment) and is already deployed by several major carriers. The main use of MPLS is to create high quality VPNs (Virtual Private Networks). In addition, MPLS may be used to allow integrated-access services such as voice/video and data over IP.

A small label is added to each packet that tells the router how to process it (that is, on which link it should be sent) along a route that was created in advance. This pre-determined route can be associated with a certain QoS level, and the routers along the way can, for example, ensure that a certain amount of bandwidth is allocated to that route.

When combined with the Differentiated Services standard (DiffServ, IETF RFCs 2474 and 2475) the network operator may combine service level (implemented by DiffServ) and routing decisions or traffic engineering (implemented by MPLS) into one system in which the DiffServ behavior is managed by the MPLS routing. A simple approach is to map DiffServ code point (or in simple terms, IP header TOS byte values) into different MPLS paths.

Integration of the NetEnforcer in an MPLS network

The fundamental assumption is that MPLS networks are built from edge and transit (backbone) devices. The edge device performs the traffic classification, and the transit devices (usually fast core routers) perform the fast, low-overhead label switching.

The NetEnforcer can control every session that enters the MPLS network, and is able to:

• Classify each session, based on defined policies (conditioned by layer 2 to layer 7 information, such as addresses, protocols, application data and time of day).

• Mark (“color”) every packet with a DiffServ code point (IP TOS value) based on the classification and user’s definitions for the desired Quality of Service.

In addition, the NetEnforcer continues to control and manage the network access by implementing other QoS behavior actions such as access control, bandwidth guarantees and limitations.

Page 359: Net Enforcer Operation Guide v5.5

Chapter 7: Defining Catalog Entries

NetEnforcer Operation Guide v5.5 7-63

VLAN Catalog Editor The VLAN catalog contains Virtual LAN entities as defined in the IEEE 802.1Q standard.

TIP:

Since Ethernet broadcast and multicast traffic is distributed to all devices in a LAN, LANs that are based on hubs and shared cabling cannot grow with the organization: beyond a certain size they become too large to be effective. One solution is to break large networks into smaller "islands", in order to prevent broadcast and multicast traffic from propagating network-wide.

The IEEE 802.1Q VLAN standard addresses these issues and establishes a way to insert Virtual Local Area Network (VLAN) information into Ethernet frames. VLANs are LANs that are interconnected at a virtual Layer 2 and therefore behave as if they were separate physical LANs.

The result is that Layer 2 (MAC) broadcasts remain confined to the VLAN, even though the VLANs share the same physical Layer 2 interconnection. This structure has the additional benefit of providing a higher level of security between segments of internal networks.

VLANs are commonly used in campus networks, where they make it possible to change the network without physically moving cables or equipment.

Figure 7-40 – Details of the Ethernet Frame Before and After the Addition of 802.1Q Frame Information.


Defining VLANs NetEnforcer supports VLAN traffic classification according to VLAN ID (VLAN Identifier) tags, consisting of 12 bits, and according to tagging priority bits, consisting of three bits. These definitions are set in the VLAN Catalog Editor, as shown below:

Figure 7-41 – VLAN Catalog Editor

According to the policies you define, the NetEnforcer assigns each packet a mapping priority and QoS definition.

The VLAN definition value is composed as follows:

• Bits 1 – 12 specify the VLAN ID.

• Bit 13 is the reserved bit.

• Bits 14 – 16 specify the user priority (where 7 is highest priority, and 1 is lowest priority).
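As an added example (not part of the guide), the following Python code extracts the three fields described above from the 802.1Q tag of a raw Ethernet frame and evaluates a VLAN Catalog entry against the result. The dictionary form of the catalog entry, the treatment of untagged frames and the sample frames are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_vlan_tag(frame: bytes):
    """Return (user_priority, reserved_bit, vlan_id) from the 802.1Q tag of an
    Ethernet frame, or None when the frame carries no tag.

    The 16-bit Tag Control Information (TCI) word follows the bit layout in the
    guide, counting from the least significant bit: bits 1-12 VLAN ID, bit 13
    reserved, bits 14-16 user priority.
    """
    if len(frame) < 16:
        raise ValueError("frame too short to hold a tagged Ethernet header")
    # Bytes 0-5 destination MAC, 6-11 source MAC, 12-13 TPID, 14-15 TCI.
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    user_priority = tci >> 13       # bits 14-16
    reserved = (tci >> 12) & 0x1    # bit 13
    vlan_id = tci & 0x0FFF          # bits 1-12
    return user_priority, reserved, vlan_id


def build_tci(user_priority: int, vlan_id: int, reserved: int = 0) -> int:
    """Inverse of the extraction above; rejects values wider than their field."""
    if not 0 <= user_priority <= 7:
        raise ValueError("user priority is a 3-bit field")
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN ID is a 12-bit field")
    if reserved not in (0, 1):
        raise ValueError("reserved bit must be 0 or 1")
    return (user_priority << 13) | (reserved << 12) | vlan_id


def vlan_entry_matches(entry: dict, tag) -> bool:
    """Evaluate a VLAN Catalog entry against a parsed tag.

    `entry` is a constructed representation {"vlan_id": int | None,
    "user_priority": int | None}; None stands for a checked 'Any VLAN ID' or
    'Any User Priority' box. Assumption for this example: an untagged frame
    matches only an entry in which both boxes are checked.
    """
    if tag is None:
        return entry["vlan_id"] is None and entry["user_priority"] is None
    user_priority, _reserved, vlan_id = tag
    if entry["vlan_id"] is not None and entry["vlan_id"] != vlan_id:
        return False
    if entry["user_priority"] is not None and entry["user_priority"] != user_priority:
        return False
    return True


# Constructed sample frames: destination and source MACs, then either an
# 802.1Q tag (user priority 5, VLAN ID 100) followed by the IPv4 EtherType,
# or the IPv4 EtherType directly; both end with four bytes of dummy payload.
_MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
SAMPLE_TAGGED = (_MACS + struct.pack("!HH", TPID_8021Q, build_tci(5, 100))
                 + struct.pack("!H", 0x0800) + b"\x00\x00\x00\x00")
SAMPLE_UNTAGGED = _MACS + struct.pack("!H", 0x0800) + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    print("tagged frame:", parse_vlan_tag(SAMPLE_TAGGED))      # (5, 0, 100)
    print("untagged frame:", parse_vlan_tag(SAMPLE_UNTAGGED))  # None
```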


When this window opens, either to create a new VLAN or to edit an existing one, both check boxes are checked, which prevents you from altering the bit values.

To create a VLAN:

1. Enter the name of the VLAN in the Contents of: field.

2. Uncheck the Any User Priority and/or Any VLAN ID check boxes to insert new bit values.

3. Insert bit values in one of the following ways:

• Insert a decimal value in the User Priority and/or VLAN ID fields; the binary equivalent is displayed in the bit value fields.

• Click the bit value field boxes (gray indicates zero and black indicates one); the decimal equivalent is displayed in the User Priority and VLAN ID fields.

4. Click OK. The new entry is saved in the VLAN Catalog. In order to save the new entry to the database, you must save in the Policy Editor.


Quality of Service Catalog Editor The QoS Catalog contains entries that are the possible values for the Quality of Service action. This is the QoS applied to traffic when it meets the definitions of a policy. A sample QoS Catalog Editor is shown below:

Figure 7-42 – QoS Catalog Editor

NOTE:

The Ignore QoS, Normal Priority - Pipe and Normal Priority - VC entries are Protected, meaning the definitions for these entries cannot be modified.

The QoS Catalog Editor enables you to define QoS for a Pipe or Virtual Channel. You can prioritize connections and specify minimum and maximum bandwidth per Pipe/Virtual Channel or per individual connection, and you can specify traffic-shaping techniques (CBR or Burst) for Virtual Channels. You can also specify TOS markings.

In the Quality of Service Catalog Editor there is a predefined entry called Ignore QoS; you cannot delete it, nor can you create additional entries that ignore QoS.

You can create entries that assign QoS to Pipes, Virtual Channels and connections. You can give the same QoS definitions to both directions of traffic, or define QoS parameters for both directions independently.

Rules adopt the actions of their parent Pipe or Virtual Channel.

TIP:

Priority

A priority definition implies a relative bandwidth allocation relationship to other defined priorities. It does not indicate absolute bandwidth allocations. If you require absolute bandwidth allocation, refer to the descriptions of the minimum, maximum and guaranteed bandwidth fields. Priorities 1 through 10 represent an increasing hyperbolic curve. It is important to recognize that priorities 1 through 10 do NOT represent a linear relative relationship. The following table helps explain this and shows the priorities and resultant relative bandwidth ratios:

Relative bandwidth ratio of the row priority to the column priority:

Priority   vs 1   vs 2   vs 3   vs 4   vs 5   vs 6   vs 7   vs 8   vs 9
   2        1.1
   3        1.2    1.1
   4        1.4    1.2    1.1
   5        1.6    1.5    1.3    1.1
   6        2.0    1.8    1.6    1.4    1.2
   7        2.5    2.2    2.0    1.7    1.5    1.2
   8        3.3    3.0    2.7    2.4    2.0    1.7    1.4
   9        5.0    4.5    4.0    3.5    3.0    2.5    2.0    1.5
  10       10.0    9.0    8.0    7.0    6.0    5.0    4.0    3.0    2.0


For example:

1. Assume two Virtual Channel definitions, VC1 and VC2. VC1 has a priority of 4 and VC2 has a priority of 10. Connections satisfying VC2 are allocated seven times as much bandwidth as connections satisfying VC1.

2. Assume total bandwidth = 150Kbps; VC1 = Minimum 30Kbps, Priority 4; VC2 = Minimum 40Kbps, Priority 10. The bandwidth allocation would then be:
   VC1 = 40Kbps (30 minimum + 10 on a priority basis)
   VC2 = 110Kbps (40 minimum + 70 on a priority basis)
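The two-stage allocation the examples describe (minimums first, then the remainder split by the priority ratio from the table), as an added Python example that is not part of the guide. It goes one step beyond the page: it handles more than two channels, using the table ratios relative to the lowest priority still competing (an assumption, since the guide only shows pairs), and pins a channel at its maximum bandwidth when its proportional share would exceed it.

```python
from dataclasses import dataclass
from typing import Optional

# Relative bandwidth ratios transcribed from the Priority table above:
# _ROWS[p] lists the ratio of a priority-p channel to priorities 1, 2, ..., p-1.
_ROWS = {
    2: (1.1,),
    3: (1.2, 1.1),
    4: (1.4, 1.2, 1.1),
    5: (1.6, 1.5, 1.3, 1.1),
    6: (2.0, 1.8, 1.6, 1.4, 1.2),
    7: (2.5, 2.2, 2.0, 1.7, 1.5, 1.2),
    8: (3.3, 3.0, 2.7, 2.4, 2.0, 1.7, 1.4),
    9: (5.0, 4.5, 4.0, 3.5, 3.0, 2.5, 2.0, 1.5),
    10: (10.0, 9.0, 8.0, 7.0, 6.0, 5.0, 4.0, 3.0, 2.0),
}


def priority_ratio(higher: int, lower: int) -> float:
    """Bandwidth share of priority `higher` relative to priority `lower`.
    The table only lists the lower-left half; the other half is its reciprocal."""
    for p in (higher, lower):
        if not 1 <= p <= 10:
            raise ValueError("priorities run from 1 to 10")
    if higher == lower:
        return 1.0
    if higher < lower:
        return 1.0 / priority_ratio(lower, higher)
    return _ROWS[higher][lower - 1]


@dataclass
class VirtualChannel:
    name: str
    priority: int
    minimum_kbps: float = 0.0
    maximum_kbps: Optional[float] = None  # None means no maximum is set


def allocate(total_kbps: float, channels: list) -> dict:
    """Allocate `total_kbps` among competing Virtual Channels.

    Stage 1: every channel receives its minimum bandwidth.
    Stage 2: the remainder is split in proportion to the priority ratios,
    weighted relative to the lowest priority still competing (assumption for
    channels beyond a pair). A channel whose share would push it past its
    maximum is pinned at the maximum and the surplus is re-split among the rest.
    """
    alloc = {vc.name: float(vc.minimum_kbps) for vc in channels}
    remainder = total_kbps - sum(alloc.values())
    if remainder < 0:
        raise ValueError("minimum guarantees exceed the available bandwidth")
    active = [vc for vc in channels
              if vc.maximum_kbps is None or vc.maximum_kbps > vc.minimum_kbps]
    while remainder > 1e-9 and active:
        base = min(vc.priority for vc in active)
        weights = {vc.name: priority_ratio(vc.priority, base) for vc in active}
        total_weight = sum(weights.values())
        shares = {vc.name: remainder * weights[vc.name] / total_weight
                  for vc in active}
        saturated = [vc for vc in active
                     if vc.maximum_kbps is not None
                     and alloc[vc.name] + shares[vc.name] > vc.maximum_kbps]
        if not saturated:
            for vc in active:
                alloc[vc.name] += shares[vc.name]
            break
        for vc in saturated:
            remainder -= vc.maximum_kbps - alloc[vc.name]
            alloc[vc.name] = float(vc.maximum_kbps)
            active.remove(vc)
    return {name: round(kbps, 1) for name, kbps in alloc.items()}


if __name__ == "__main__":
    # The guide's second example: 150Kbps shared by VC1 (minimum 30, priority 4)
    # and VC2 (minimum 40, priority 10) gives VC1 = 40 and VC2 = 110.
    print(allocate(150, [VirtualChannel("VC1", 4, 30),
                         VirtualChannel("VC2", 10, 40)]))
```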

Ignoring Quality of Service Inbound and outbound traffic bypasses NetEnforcer's QoS mechanism if the Ignore QoS option is selected, thereby potentially saving physical bandwidth for other traffic. However, using Ignore QoS in a policy definition means that NetEnforcer attempts to satisfy any bandwidth request from that traffic, which may adversely affect other bandwidth definitions.

TIP: This option is normally used in networks where internal traffic stays within the LAN domain, for example, when DMZ-bound traffic stays local and is not destined to go on the physical WAN bandwidth. For further information on interfacing to firewalls, refer to the Allot Communications Web solutions section: http://www.allot.com/pages/solutions_index.asp?intGlobalId=11

To view the Ignore QoS entry:

• In the QoS Catalog Editor, select Ignore QoS in the List pane. The following warning is displayed in the Definition pane of the QoS Catalog Editor:

Figure 7-43 – Ignore QoS Warning


Defining QoS for Pipes Entries in the QoS Catalog that are defined for Pipes are available when assigning QoS to Pipes in the Policy Editor.

To define QoS for Pipes:

1. Click New and then select Pipe Allocation from the popup menu displayed. A new entry is added to the List pane in the QoS Catalog with the default name New QoS and the Definition pane of the QoS Catalog Editor is displayed, as follows:

Figure 7-44 – Defining QoS for Pipes

NOTE:

Entries defined as Pipe-based are available for Pipe definitions in the Policy Editor, while Virtual Channel-based entries are not. Similarly, entries defined as Virtual Channel-based are available for Virtual Channel definitions in the Policy Editor, while Pipe-based entries are not.


2. Edit the name of the entry, if required, and press <Enter>.

3. From the Pipe-based QoS Coverage dropdown list, select one of the three options:

• Both Directions Defined the Same: Define QoS for the inbound and outbound traffic together (in the General tab and the Inbound and Outbound tab). This option is normally used in a symmetric environment where inbound and outbound traffic requirements are identical. Continue with step 4 below.

• Each Direction Defined Separately: Define QoS for the inbound and outbound traffic individually (in the General tab, the Inbound tab and the Outbound tab). Continue with step 4 below.

• Half-Duplex Pipe: Define QoS for the inbound and outbound traffic together (in the General tab and the Inbound and Outbound tab) in half-duplex mode. A typical half-duplex Pipe is a wireless network centered on base stations configured as hubs working in half-duplex mode, which send packets in only one direction at a time. Continue with step 5.

4. In the Inbound and Outbound tab (for Both Directions Defined the Same and Each Direction Defined Separately), define the Quality of Service as follows:

• In the Pipe Priority field, select a priority between 1 (lowest) and 10 (highest).

• (Optional) In the Minimum Bandwidth for Pipe (Kbits/sec) field, enter the minimum bandwidth that will be assigned to the Pipe. As long as there is traffic requiring bandwidth in this Pipe, the bandwidth allocated will never be lower than this limit. Getting bandwidth above the minimum, however, depends on the traffic priority, should there be competition for the bandwidth.

• In the Minimum Bandwidth Reserved on Use field, select Yes to reserve the full minimum amount of bandwidth for any future traffic in the Pipe, even when the full minimum bandwidth is not currently required. The actual reservation occurs when the first connection is established within the Pipe.

• (Optional) In the Maximum Bandwidth for Pipe (Kbits/sec) field, enter the maximum bandwidth assigned to the entire Pipe. The total bandwidth of all traffic allocated in this Pipe will not exceed this limit.


NOTE:

To specify a guaranteed bandwidth for a Pipe, specify the same minimum and maximum bandwidth, for example, 100Kbps.


• In the Mark Out-of-Profile Traffic with TOS field, select the TOS marking to be applied to each packet of traffic whose bandwidth allocation has reached the minimum allocated for the Pipe. If you do not want to change the marking, select Ignore TOS.

NOTE:

The possible values in these TOS marking fields are the entries in the TOS Catalog, described on page 7-57.

• Continue with step 6.


5. In the Inbound and Outbound tab (for Half-Duplex Pipe), define the Quality of Service as follows:

Figure 7-45 – Inbound and Outbound Tab: Half-Duplex Pipe

• In the Pipe Priority field, select a priority between 1 (lowest) and 10 (highest).

• In the Available Bandwidth (Kbits/sec) field, enter the bandwidth assigned to the entire Pipe. The total bandwidth of all traffic allocated in this Pipe will not exceed this limit.


6. Select the General tab.

Figure 7-46 – Defining QoS for Pipes: General Tab


7. In the General tab, define connection data, as follows:

• (Optional) In the Max # of Connections Allowed in Pipe (All Directions) field, enter the maximum number of connections allowed for a Pipe. A new connection that exceeds this maximum will be treated according to the method selected in the Conditional Admission area.

• From the first dropdown list in the Conditional Admission area, select one of the following:

• Admit by Priority: Accept the new connection, but do not assign the minimum bandwidth. The new connection gets bandwidth per priority.

• Drop: All packets are dropped. The user is disconnected and may see the message Connection timed-out.

NOTE:

The Drop option is provided for environments such as UDP where a client does not expect acknowledgements (ACKs).

• Reject: All packets are dropped. In TCP, an RST packet is sent to the client and the user may see the message Connection Closed by Server.

• If you select Admit by Priority, select the TOS marking to be applied to traffic through the Pipe from the second dropdown list in the Conditional Admission area. If you do not want to change the marking, select Ignore.

8. Click OK. The new entry or entries are saved in the QoS Catalog. To save them to the database, you must save the Policy Editor.


Defining QoS for Virtual Channels Entries in the QoS Catalog that are defined for Virtual Channels are available when assigning QoS to Virtual Channels in the Policy Editor.

To define QoS for Virtual Channels:

1. Click New and then select Virtual Channel Allocation from the popup menu displayed. A new entry is added to the List pane in the QoS Catalog with the default name NewQoS# and the Definition pane of the QoS Catalog Editor is displayed, as follows:

Figure 7-47 – Defining QoS for Virtual Channels

2. Edit the name of the entry, if required, and press <Enter>.


3. From the Virtual Channel-based QoS Coverage dropdown list, select whether you want to define QoS for inbound and outbound together or separately. If you select Both Directions Defined the Same, you define QoS for both the inbound and outbound traffic (in the General tab and the Inbound and Outbound tab). If you select Each Direction Defined Separately, you define QoS for the inbound and outbound traffic individually (in the General tab, the Inbound tab and the Outbound tab).

NOTE:

The parameters in the Outbound tab, the Inbound tab and the Inbound and Outbound tab are the same.

TIP:

The Both Directions Defined the Same option is normally used in a symmetric environment where inbound and outbound traffic requirements are identical.

4. In the Inbound/Outbound tab, define the Quality of Service as follows:

• In the Priority per Virtual Channel field, select a priority between 1 and 10 (10 is the highest priority).

• (Optional) In the Minimum Bandwidth (Kbits/sec) field, enter the minimum bandwidth that will be assigned to the Virtual Channel. As long as there is traffic requiring bandwidth in this channel, the bandwidth will never be lower than this limit. Getting bandwidth above the minimum, however, depends on the traffic priority.

• (Optional) In the Maximum Bandwidth (Kbits/sec) field, enter the maximum bandwidth assigned to the entire Virtual Channel. The total bandwidth of all traffic in this channel will not exceed this limit.

NOTE:

To specify a guaranteed bandwidth for a Virtual Channel, specify the same Minimum and Maximum bandwidth, for example, 100Kbps.


TIP: When working with traffic that consists of very short connections (one or two packets per connection), it is recommended to specify a minimum bandwidth (such as 50Kbps) per Virtual Channel, rather than specifying a priority (such as 6). This is because using minimum bandwidth per Virtual Channel results in a more effective QoS policy.

• In the Mark Traffic with TOS field, select the TOS marking to be applied to traffic through the Virtual Channel. If you do not want to change the marking, select Ignore.

5. In the Traffic-Shaping Method field, select either the Burst or CBR (Constant Bit Rate) radio button to define how the traffic will be shaped.

6. When Burst is selected, enter connection-based information in the following fields (shown on page 7-75):

• (Optional) In the Minimum Bandwidth (Kbits/sec) field, enter the minimum bandwidth that will be assigned to the connection. As long as there is traffic requiring bandwidth in this connection, the bandwidth will never be lower than this limit. Getting bandwidth above the minimum, however, depends on the traffic priority.

• (Optional) In the Maximum Bandwidth (Kbits/sec) field, enter the maximum bandwidth assigned to the entire connection. The total bandwidth of the connection will not exceed this limit.

• (Optional) In the Burst Size (Kbits/sec) field, enter the burst size for the connection. The burst size allows the traffic to exceed the allotted maximum bandwidth for a fraction of a second. The traffic is allowed to exceed the maximum (to burst) during that fraction of a second, as long as it does not exceed the maximum over the whole period of one second.

For example, if you enter a burst size of 150Kbps and a maximum of 100Kbps, NetEnforcer will allow the traffic to reach 150Kbps for a fraction of a second, as long as the traffic over the whole second does not exceed the maximum of 100Kbps.

TIP:

The Burst Size parameter is useful in environments such as satellite communications, where bandwidth is an expensive resource that must be utilized efficiently.


7. When CBR is selected, the following fields are displayed in the Connection Allocations area:

Figure 7-48 – CBR Parameters

The CBR (Constant Bit Rate) setting provides the ability to smooth traffic. Traffic exits NetEnforcer at the constant rate defined by the CBR, as long as the traffic entering NetEnforcer does so at a rate equal to or greater than the CBR. This ensures smoothing for streaming applications. Enter information in the fields, as follows:

• In the Guaranteed Bandwidth (KBits/sec) field, enter the guaranteed bandwidth for the connection. Guaranteed Bandwidth is the minimum bandwidth assigned to each connection in the Virtual Channel. Each connection will receive, if required, at least the bandwidth specified in this parameter. Each connection can receive more bandwidth than the guaranteed value, up to the maximum defined for the Virtual Channel, and according to the priority of the Virtual Channel. Guaranteed Bandwidth provides the most predictable results for critical traffic and allows other connections to borrow the bandwidth when it is not in use. Guaranteed Bandwidth always supersedes the needs of other, non-guaranteed connections.

TIP: This is useful in multimedia applications, such as Voice over IP.


• In the Delay (Microseconds) field, enter the delay value. The default delay value is 1 second and is hidden. However, you can specify any delay, as long as it does not exceed 1 second. If you specify a delay other than the default, you need to know your application's buffering capability: the larger the buffering capability of your application, the larger the delay you can specify. The optimum delay facilitates better bandwidth management because it sets a lower limit for the Quality of Service mechanism that decides whether to discard or keep a packet. The objective of setting the optimum delay is to keep jitter at a minimum (0 at best).

8. Select the General tab.

Figure 7-49 – Defining QoS for Virtual Channels: General Tab

9. (Optional) In the Maximum # of Connections Allowed (All Directions) field, enter the maximum number of connections allowed for a Virtual Channel. A new connection that exceeds this maximum will be treated according to the method selected in the Conditional Admission area.


10. From the dropdown list in the Conditional Admission area, select one of the following:

• Admit by Priority: Accept the new connection, but do not assign the minimum bandwidth. The new connection gets bandwidth per priority.

• Drop: All packets are dropped. The user is disconnected and may see the message Connection timed-out.

NOTE:

The Drop option is provided for environments such as UDP where a client does not expect acknowledgements (ACKs).

• Reject: All packets are dropped. In TCP, an RST packet is sent to the client and the user may see the message Connection Closed by Server.

11. Click OK. The new entry or entries are saved in the QoS Catalog. To save them to the database, you must save the Policy Editor.


Connection Control Catalog Editor The Connection Control Catalog contains entries that are the possible values for the Connection Control action. This is the action applied to traffic when it meets the definitions of a policy. A sample Connection Control Catalog Editor is shown below:

Figure 7-50 – Connection Control Catalog Editor

NOTE:

The Pass as is entry is Protected, meaning the definitions for this entry cannot be modified.


The Connection Control Catalog Editor enables you to define entries that specify load-balancing and cache-redirection servers. This means that when traffic meets the definitions of a policy, it can be forwarded to a load-balancing or cache-redirection server. You can only define entries that specify a load-balancing server or cache server when your NetEnforcer system includes the optional NetBalancer or CacheEnforcer modules.

For normal traffic, without either cache redirection or load-balancing requirements, the predefined entry, Pass as is, should be used. You cannot delete the predefined Pass as is entry nor can you create additional entries with Pass as is selected in the Servers Used for field.


Load-Balancing When your system includes the NetBalancer module, you can add an entry to the Connection Control Catalog that defines a load-balancing server.

To define a load-balancing server:

1. In the Connection Control Catalog Editor, click New and then select Load Balancing from the popup menu displayed. A new entry is added to the List pane and the Connection Control Catalog Editor is displayed, as follows:

Figure 7-51 – Connection Control Catalog Editor: Load Balancing

2. Edit the name of the entry in the Contents of field, if required.


3. Double-click in the Host Name / IP field and enter the load-balancing server (by host name or IP address). The system automatically recognizes the format and displays the appropriate entry in the Type column.

For more information on the parameters for configuring load-balancing options, refer to the NetBalancer User's Manual.


Cache Redirection When your system includes the CacheEnforcer module, you can add an entry to the Connection Control Catalog that defines a cache server.

To define a cache server:

1. In the Connection Control Catalog Editor, click New and then select Cache Redirection from the popup menu displayed. A new entry is added to the List pane and the Connection Control Catalog Editor is displayed, as follows:

Figure 7-52 – Connection Control Catalog Editor: Cache Server

2. Edit the name of the entry in the Contents of field, if required.


3. Double-click in the Host Name / IP / MAC field and enter the cache redirection server (by host name, IP address or MAC address). The system automatically recognizes the format and displays the appropriate entry in the Type column.

For more information on the parameters for configuring cache-redirecting options, refer to the CacheEnforcer User's Manual.


Data Source Catalog Editor The entries in the Data Source Catalog are the LDAP servers or text source files available when defining hosts using data source queries in the Host Catalog. In the Data Source Catalog Editor, you define the LDAP servers and text-file data sources with which NetEnforcer works.

The editor lets you choose between an LDAP source and a Text source:

Figure 7-53 – Data Source Catalog Editor


To define an LDAP server:

1. In the Data Source Catalog Editor, click New and then LDAP Server from the popup menu displayed. A new entry is added to the List pane and the Data Source Catalog Editor is displayed as follows:

Figure 7-54 – Data Source Catalog Editor: LDAP Server

2. Edit the name of the entry in the Contents of field, if required.

3. In the Host (Host/Host Port) field, enter the IP address of the LDAP server.

4. Enter the user name and password required to access the LDAP server in the relevant fields.

5. In the Description field, enter a description for the LDAP server, if required.

6. Click OK. The new entry is saved in the Data Source Catalog and the Data Source Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.


To define a text source file:

1. In the Data Source Catalog Editor, click New and then Hosts Text File from the popup menu displayed. A new entry is added to the List pane and the Data Source Catalog Editor is displayed as follows:

Figure 7-55 – Data Source Catalog Editor: Hosts Text File

2. Edit the name of the entry in the Contents of field, if required.

3. In the Host field, enter the IP address or host name of the host on which the text source file is located.

4. In the Description field, enter a description for the text source file, if required.

5. Click OK. The new entry is saved in the Data Source Catalog and the Data Source Catalog is closed. In order to save the new entry to the database, you must save the Policy Editor.


Chapter 8: Defining Policies

This chapter describes the process of defining a QoS policy and optimizing this policy in your particular network environment. In NetEnforcer, policy is defined using Pipes, Virtual Channels, and rules.

This chapter includes the following sections:

NetEnforcer Policy, page 8-2, provides an overview of how QoS policy is defined in NetEnforcer using Pipes, Virtual Channels and rules.

NetEnforcer Policy Editor, page 8-11, provides a quick tour of the menu options, tools and shortcut keys available in the NetEnforcer Policy Editor.

Defining Policy, page 8-20, describes how to define Pipes, Virtual Channels and rules in order to build your QoS policy. It also describes how to create Pipe and Virtual Channel templates.


NetEnforcer Policy NetEnforcer enables you to classify traffic and enforce Quality of Service according to high-level, easy-to-understand concepts. Traffic can be logically grouped into categories such as Mission Critical, Timing Critical, or Low Priority. These result in the desired network actions when matched to network traffic.

QoS policy consists of a set of conditions (rules) and a set of actions that apply as a consequence of the conditions being satisfied. Traffic is classified using Pipes and Virtual Channels. A Pipe and a Virtual Channel are defined by one or more rules and a set of actions. A Pipe includes one or more Virtual Channels.

A sample Policy showing the relationship between Pipes, Virtual Channels and rules is illustrated below:

Figure 8-1 – Pipe/Virtual Channel/Rule Relationship

Every connection passing through NetEnforcer is matched to a rule at Pipe level. This means that NetEnforcer looks to match the connection to any of the sets of conditions defined for a Pipe. If a match is found, the connection is then matched to a rule at Virtual Channel level. This means that NetEnforcer looks to match the connection to any of the sets of conditions defined for the Virtual Channels within the Pipe.


In short, the process of rule matching is as follows:

• Find the Pipe rule that the connection matches.

• Within that Pipe, find the Virtual Channel rule that the connection matches.

NetEnforcer searches the Policy table from the top down. Thus, as soon as a Pipe rule is found to match the connection, NetEnforcer looks at no more Pipes. Similarly, within the matched Pipe, as soon as a Virtual Channel rule is found to match the connection, NetEnforcer looks no further.

There is a default Pipe defined in NetEnforcer, Fallback Pipe. If a connection does not match the rules of any other Pipes, it matches the Fallback Pipe. Furthermore, every Pipe always includes a default Virtual Channel, Fallback. If a connection does not match the rules of any other Virtual Channels within a Pipe, it matches the Fallback Virtual Channel.

The rules of the Fallback Pipe and Fallback Virtual Channels cannot be deleted or modified. They allow all traffic to and from all hosts, all of the time.

Pipes A Pipe provides a way of classifying traffic that enables you to divide the total bandwidth and then manage every Pipe as if it were an independent link. A Pipe consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of Virtual Channels from a QoS point of view. When you add a new Pipe, it always includes at least one Virtual Channel, the Fallback Virtual Channel. The rule of the Fallback Virtual Channel cannot be modified or deleted. A connection coming into NetEnforcer is matched to a Pipe according to whether the characteristics of the connection match any of the rules of the Pipe. The connection is then further matched to the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are enforced together with the actions of the Pipe.


Virtual Channels A Virtual Channel provides a way of classifying traffic and consists of one or more sets of conditions (rules) and a set of actions that apply when any of the rules are met. A Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further matched to a Virtual Channel according to whether the characteristics of the connection match any of the rules of the Virtual Channel.

Rules

A rule is a set of six conditions. Rules can be defined at Pipe level or Virtual Channel level. NetEnforcer matches connections to rules, first at the Pipe level and then at Virtual Channel level within a Pipe.

The six conditions that make up a rule are as follows:

• Connection Source: Defines the source of the traffic. For example, specific IPs or MAC addresses, a range of IP addresses, IP Subnet addresses, or host names. The default value is Any which covers traffic from any source.

• Connection Destination: Defines the destination of the traffic. For example, specific IPs or MAC addresses, a range of IP addresses, IP Subnet addresses, or host names. The default value is Any which covers traffic to any destination.

• Service: Defines the protocols relevant to a connection. A protocol may be TCP or UDP over IP, another IP protocol (neither TCP nor UDP), or a non-IP protocol. TCP and UDP protocols are defined by port. HTTP protocols may include content definitions, such as specific Web directories, pages, or URL patterns. The default value is All, which covers all protocols.

• TOS: Defines the TOS byte contained in the IP headers of the traffic. The default value is Any which covers any TOS value.

• VLAN: Defines VLAN traffic classification according to VLAN ID (VLAN Identifier) tags, consisting of 12 bits, and according to tagging priority bits, consisting of three bits.


• Time: Defines the time period during which the traffic is received. For example daily between 8.00 AM and 6.00 PM, Sundays between 12.00 AM and 12.00 PM or on the 1st and 15th of the month. The default value is Always which covers traffic at any time.

When a new Pipe or Virtual Channel is created, it is assigned a default rule with default values for each condition and you can modify these values as required.

The possible values for each condition are defined in the Catalog entries in the Catalog Editors. A Catalog Editor enables you to give a logical name to a comprehensive set of parameters (a Catalog entry). This logical name then becomes a possible value for a condition. Catalog Editors are described in detail in Chapter 7, Defining Catalog Entries.

TIP:

If you classify traffic by a specific Connection Source or Connection Destination, make sure your definition applies to both directions, from the Source to the Destination and from the Destination to the Source. For example, if you define HostName as the Connection Source and Any as the Connection Destination, make sure that the rule is bi-directional, so that traffic from Any to HostName is also covered.

Actions

Pipes and Virtual Channels include a set of actions that is assigned to traffic once it meets any of the rules defined for the Pipe or Virtual Channel. There are two actions that can be defined for a Pipe: Access Control and Quality of Service, and three actions that can be defined for a Virtual Channel: Access Control, Quality of Service and Connection Control. Only if Access Control is set to Accept may the other actions apply.

Access Control

This action determines the access given to traffic. The possible values are as follows:

Accept: The connection is accepted and traffic is granted access. This is the default value.

Drop: All packets are dropped. In TCP traffic, an RST packet is sent to the client and the user may see the message Connection Closed by Server.

Reject: All packets are dropped. The user is disconnected and may see the message Connection timed-out.

If the Access Control for a Pipe or Virtual Channel is specified as Reject or Drop, all traffic meeting the rules of the Pipe or Virtual Channel is dropped and no other Quality of Service or Connection Control actions are applied.

Quality of Service

This action determines the QoS given to traffic. The QoS specified can include the following:

• Priority per Pipe/Virtual Channel

• Minimum and maximum bandwidth per Pipe/Virtual Channel

• Minimum and maximum bandwidth per connection (Virtual Channels only)

• Guaranteed bandwidth per connection (Virtual Channels only)

• Traffic shaping by enforcing Constant Bit Rate (CBR) or Burst level (Virtual Channels only)

• TOS marking per channel

• Admission Control (number of connections)

• Reserve on Demand (Pipes only)

• Conditional Admission

The default Quality of Service action for Pipes or Virtual Channels is Normal Priority, which has Level 4 priority, no bandwidth definitions, no TOS marking and no connection limitations.

The possible values for the Quality of Service action are defined in a Catalog entry in the Quality of Service Catalog Editor. A Catalog Editor enables you to assign a logical name to a comprehensive set of parameters. This logical name then becomes a possible value for an action. Catalog Editors are described in detail in Chapter 7, Defining Catalog Entries.


TIP:

To evaluate what Quality of Service to set for each Pipe or Virtual Channel, consider the following:

• Do you know the applications running in your network? (For more information, refer to Chapter 6, Monitoring Network Traffic.)

• During peak periods, what percentage of total traffic does each Pipe or Virtual Channel represent?

• Do you want to guarantee some minimum bandwidth for time-critical applications?

• Do you want to assign a higher priority to some applications?

It is recommended to start out simply and then, over time, to fine-tune the Pipes, Virtual Channels and rules to meet your needs. Assign each of your Pipes and Virtual Channels a classification by protocol with Normal priority, or use the default set of Pipes and Virtual Channels included with NetEnforcer. Monitor the results for a period of time, using a tool such as NetWizard (described in Chapter 5, NetWizard Quick Start), and observe how much bandwidth each of the Pipes and Virtual Channels utilizes during peak hours. Then, using this data, create new QoS Catalog entries and assign them to the Pipes and Virtual Channels.

Now gradually increase the priority of one or two of your high-priority applications, and decrease the priority of one or two of your lower priority ones. Observe response time during a typical day’s traffic cycle (peak and non-peak).

Gradually fine-tune the system. Increase the number of Pipes and Virtual Channels by dividing one Pipe or Virtual Channel into several distinct ones, as the need arises. The process of assigning Quality of Service should continue by limiting lower priority traffic and increasing bandwidth to those applications that need or deserve more bandwidth. For high-priority traffic, you should gradually increase the priority and assign more minimum or fixed bandwidth. For lower priority traffic, you can lower its priority and assign a maximum bandwidth during peak periods. You can also limit the number of active connections for that channel. For example, if you wish to limit FTP traffic, you can specify a maximum number of connections for all FTP traffic.

Internet connection bandwidth consumption with and without NetEnforcer is shown below:

Internet connection without NetEnforcer: Email 60%, e-Business 20%, Other 20%

Internet connection with NetEnforcer: e-Business 60%, Email 30%, Other 10%

Without NetEnforcer, Internet connection bandwidth is consumed by batch traffic such as Email, while e-Business traffic is inhibited by lengthy response time (meaning e-Business gets only 20% of bandwidth).


With NetEnforcer used for bandwidth management, Internet connection traffic is managed according to business priorities. For example, email is limited to 30% of bandwidth, while e-Business is granted a higher bandwidth portion, up to 60% of bandwidth. The end result is that critical application users enjoy a better response time.

Connection Control

This action determines whether the traffic is redirected to a specialty load-balancing or cache server. The default value is Pass As Is, which means that the traffic is not redirected. In order to specify other values for this action, you must have the NetBalancer or the CacheEnforcer optional modules activated in your NetEnforcer system. Refer to Chapter 4, Configuring NetEnforcer for more details.

This action can only be defined for a Virtual Channel. The Connection Control for a Pipe is always Pass As Is.

The possible values for the Connection Control action are defined in a Catalog entry in the Connection Control Catalog Editor. A Catalog Editor enables you to assign a logical name to a comprehensive set of parameters. This logical name then becomes a possible value for an action. Catalog Editors are described in detail in Chapter 7, Defining Catalog Entries.

The functions of NetBalancer and CacheEnforcer are as follows:

• CacheEnforcer directs requests to a cache server. You can add cache servers and determine the action to be taken when the server list is exhausted. CacheEnforcer lists alternate servers, enabling a request to be redirected to other servers on the list should a server not respond. If and when all the listed servers do not respond, you can determine the action that is to be taken. Refer to the CacheEnforcer User’s Manual for more information.

• NetBalancer enables you to distribute traffic loads between servers. Refer to the NetBalancer User’s Manual for more information.


Using Pipes, Virtual Channels and Rules

The following examples show how Pipes and Virtual Channels might be used:

• An Internet Service Provider sells slices of bandwidth to customers (defined in a Pipe template), each based on the Quality of Service granted to that category of customer (such as Gold, Silver and Bronze customers).

• A university wants to control Internet traffic congestion across the network involving students and faculty, in particular, to limit FTP use and give preferential bandwidth allocation to faculty during weekday hours. The university defines Virtual Channels for faculty usage, student usage, and student usage during night hours. A further rule is then defined under the student usage Virtual Channel that specifies a different service for students accessing FTP.

• An organization has several links to the Internet. Only one NetEnforcer is required with Pipes defined for every link enabling traffic to be managed on every link independently.

NetEnforcer includes a default starting database that contains common types of traffic written in sample Pipes, Virtual Channels and rules. You can edit, disable or delete these as required.

Using Templates

Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other. Templates work with host entries defined in the Host Catalog.

Using Import from LDAP or Text Files

You can now use additional data source definition options: LDAP or Text File (using the Data Source Catalog Editor). The text file can be located on a remote server.


Order of Policy Definitions

You should define Pipes and Virtual Channels so that those that are more specific are defined before those that are more general. This is because NetEnforcer searches the Policy table from the top down: as soon as a Pipe rule is found to match the connection, NetEnforcer looks at no more Pipes, and similarly, within the matched Pipe, as soon as a Virtual Channel rule is found to match the connection, NetEnforcer looks no further. For example, if you define a Virtual Channel that includes all HTML (*.html) files, that Virtual Channel must come after a Virtual Channel with a rule that specifies a specific HTML file. Otherwise, NetEnforcer will always arrive at the general rule first, assign the action defined in the Virtual Channel of that rule, and never apply the action defined for the more specific rule. This matters most when the specific rule is the restrictive one (for example, a Drop on one particular page): placed below a general Accept, it is never enforced.


NetEnforcer Policy Editor

You set your QoS policy by defining Pipes and Virtual Channels in the NetEnforcer Policy Editor.

To access the Policy Editor:

From the NetEnforcer Control Panel, click Policies and then Policy Editor. The Policy Editor is displayed:

Figure 8-2 – Policy Editor (callouts: Menu Bar, Toolbar, Pipe, Virtual Channels, Rule (Conditions), Actions)

The Policy Editor provides a tree-table of the Pipes and Virtual Channels currently defined in your NetEnforcer. Each line in the table represents a single rule (of a Pipe or a Virtual Channel). A Pipe can be defined by one or more rules and can include one or more Virtual Channels. A Virtual Channel can be defined by one or more rules.


NOTE:

The first rule of a Pipe or Virtual Channel is visually embedded in the first line of the Pipe or Virtual Channel so there is no rule icon associated with this first rule. Other rules have icons.

There is always one default Pipe, called Fallback Pipe, in the Policy Editor. The conditions or rule of this default Pipe cannot be modified or deleted.

Every Pipe has a default Virtual Channel called Fallback. The conditions or rule of this default Virtual Channel cannot be modified or deleted, but you can delete the Pipe entirely. You can expand/collapse Pipes and Virtual Channels in the Policy Editor by clicking the expand/collapse icon on the left of a Pipe or Virtual Channel, or pressing <Shift + right arrow> or <Shift + left arrow> on your keyboard.

View Options

You can modify the Policy Editor view by selecting to hide or display the available columns.

To customize the Policy Editor view:

1. From the Settings menu, select View Options. The View Options dialog box is displayed.

Figure 8-3 – View Options


2. Select the checkboxes to the left of the columns you want to display in the Policy Editor.

3. Click OK.

Policy Editor Menus and Toolbar

The menu options, tools and shortcut key options available in the Policy Editor are as follows (menu, command, shortcut, function):

File menu

Save (Ctrl + S): Saves the changes to the policy configuration in the NetEnforcer database and activates the new configuration.

Save & Distribute: Saves the current policy to all NetEnforcers on the distribution list. Refer to Distributing Policy, page 8-32.

Reload: Reloads the current policy from NetEnforcer.

Print: Enables you to print the policy table displayed in the Policy Editor.

Exit: Closes the Policy Editor.

Edit menu

Cut (Ctrl + X): Cuts the currently selected Pipe, Virtual Channel or rule from the Policy Editor and places it in memory.

Copy (Ctrl + C): Copies the currently selected Pipe, Virtual Channel or rule from the Policy Editor and places it in memory.


Paste (Ctrl + V): Pastes the Pipe, Virtual Channel or rule held in memory into the current location.

Delete (Delete): Deletes the selected Pipe, Virtual Channel or rule.

Rename (Ctrl + N): Enables you to rename the selected Pipe or Virtual Channel.

Enable (Ctrl + E): Enables the selected Pipe, Virtual Channel or rule. A Pipe, Virtual Channel or rule must be enabled in order for NetEnforcer to take it into account.

Disable (Ctrl + D): Disables the selected Pipe, Virtual Channel or rule. When a Pipe, Virtual Channel or rule is disabled, NetEnforcer does not consider it: it is ignored in traffic management, monitoring, accounting, and so on.

Find (Ctrl + F): Enables you to search for and locate Pipes, Virtual Channels, and rules in the policy table.

Insert menu

Pipe (Ctrl + P): Inserts a new Pipe with default settings. Refer to Adding Pipes, page 8-22.

Virtual Channel (Ctrl + L): Inserts a new Virtual Channel with default settings. Refer to Adding Virtual Channels, page 8-24.

Rule (Ctrl + K): Inserts a new rule with default settings. Refer to Adding Rules, page 8-26.


Templates: Enables you to insert Pipe templates or Virtual Channel templates. Refer to Templates, page 8-28.

Catalogs menu

Host: Opens the Host Catalog Editor, enabling you to define possible Connection Source and Destination conditions.

Service: Opens the Service Catalog Editor, enabling you to define possible Service conditions.

Time: Opens the Time Catalog Editor, enabling you to define possible Time conditions.

TOS: Opens the TOS Catalog Editor, enabling you to define possible Type of Service conditions.

VLAN: Opens the VLAN Catalog Editor, enabling you to define possible VLAN conditions.

Quality of Service: Opens the QoS Catalog Editor, enabling you to define possible Quality of Service actions.

Connection Control: Opens the Connection Control Catalog Editor, enabling you to define possible Connection Control actions.


Data Source: Opens the Data Source Catalog Editor, enabling you to define the LDAP servers with which NetEnforcer can work. You can also define a text file data source in the Data Source Catalog Editor. The text file can be located on a remote server instead of on the NetEnforcer, in which case it is transferred via TFTP. TFTP provides no authentication and no encryption, so a host list fetched this way can be read or altered in transit and then drives your policy; keep the TFTP server on a management network reachable only by the NetEnforcer, and restrict write access to the file.

Settings menu

Distribution List: Enables you to specify other NetEnforcer addresses that will receive a policy when distributed. Refer to Distributing Policy, page 8-32.

View Options: Enables you to modify the Policy Editor view. Refer to View Options, page 8-12.

Help menu

Index: Provides access to online help.

Cache Redirection: Provides access to online help for the CacheEnforcer module.

Load Balancing: Provides access to online help for the NetBalancer module.

NOTE:

Some of these options are also available when right-clicking a line in the Policy Editor. In addition, you can access monitoring graphs from the right-click menu of a Pipe or Virtual Channel. Monitoring graphs are described in Chapter 6, Monitoring Network Traffic.


Data Source Catalog Editor:

Figure 8-4 – Data Source Catalog Editor: Hosts Text File


To define a text file data source:

Figure 8-5 – Host Catalog Editor

To define host entries using a text file data source:

1. Select the Data Source Query to be used.

2. Define the name and location of the text file.

3. Define the properties of the text file in the Host Catalog.

4. In the Host Catalog, select Fetch & View Contents to view the contents of the text file.


Figure 8-6 – Query Dialog

5. Press Close and save the new host entry.

Policy Editor Status Bar

The status bar in the Policy Editor provides the following information:

• General Messages

• Mod Flag: Mod is displayed to indicate that the policy has been changed but not yet saved.

• Key: Quality of Service not activated is displayed when the Quality of Service key is missing or erroneous. The Quality of Service key is specified in the Product IDs & Keys tab of the NetEnforcer Configuration window.


Defining Policy

The typical workflow for configuring your QoS policy is shown in the following diagram:

Define Your Network Requirements -> Define Pipes -> Define Virtual Channels

Figure 8-7 – Defining Policy Workflow

Each step of the workflow is described in the following sections. You can also define Pipes and Virtual Channels using templates, described on page 8-28.


Defining Your Network Requirements

Before defining Pipes or Virtual Channels, you must determine the type of traffic flowing through your network. Using NetEnforcer’s Monitoring functions (described in Chapter 6, Monitoring) or NetWizard functions (described in Chapter 5, NetWizard Quick Start), you can determine your current network application patterns, and define the necessary QoS classification and actions.

The following are examples of traffic patterns and required QoS policy:

• Applications on your network that you consider “mission-critical” applications. These may be special applications that are time and/or resource sensitive. You may want to provide increased bandwidth or server resources.

• Items on your network that you consider low priority. These may include traffic that you consider non-time and/or response sensitive, or applications that you wish to limit during busy hours, such as FTP traffic.

• Applications that you do not want used on your network during certain times, such as new file-sharing applications that enable clients in your network to function as servers, thereby drastically increasing outbound traffic volume.

• Background tasks that are important, but can be performed at a slower rate. These may include email traffic or certain file transfers.

• Time-sensitive network applications. These may include streaming applications such as real-time audio or video.

• Customers or groups of customers categorized into various “tiered” levels. For example, you may wish to have Gold-level customers.

Once you have classified your network traffic, you can define your QoS policy.


Adding Pipes

Each Pipe is defined by at least one rule (set of conditions), and any traffic meeting those conditions is channeled to that Pipe. The actions defined for the Pipe are then applied to the traffic.

To add a pipe:

1. Add a Pipe in one of the following ways:

• Select a Pipe in the policy table and click the Pipe (blue) icon in the toolbar.

• Select a Pipe in the policy table and select Pipe from the Insert menu.

• Right-click a Pipe in the policy table and select Insert and then Pipe from the popup menus that are displayed.

• Press <Ctrl + P> on your keyboard (at the same time).

A new Pipe is added above the selected Pipe. The new Pipe contains a default Virtual Channel (Fallback), and has default values for its rule (conditions) and actions.

2. Edit the name of the Pipe, if required, and press <Enter>. Assigning a logical name to the Pipe helps you to classify your traffic.

NOTE:

You can rename a Pipe at any time by selecting Rename from the Edit menu.

3. Modify the rule of the Pipe by clicking the cell in the relevant column and selecting the required condition from the dropdown list that is displayed. The rule is made up of the following conditions:

Connection Source: The source of the traffic.

Connection Destination: The destination of the traffic.

Service: The protocol relevant to a connection.

Time: The time of the connection.

TOS: The TOS marking of the connection.

VLAN: The VLAN ID and priority bits of the connection.


4. Modify the actions of the Pipe by clicking the cell in the relevant column and selecting the required action from the dropdown list that is displayed. The actions are as follows:

Access: The access given to traffic.

Quality of Service: The quality of service applied to traffic given access. The QoS determines priority, minimum and maximum bandwidth and the maximum number of connections.

NOTE:

The Connection Control action for a Pipe is always Pass As Is.

5. Specify the direction of the traffic between the selected source and destination by clicking in the Dir field and selecting one of the following:

Bidirectional: The flow of traffic in either direction between the selected source and destination (default).

Unidirectional: The flow of traffic from the selected source to the selected destination.

6. When a new Pipe is created, it is automatically enabled, meaning that once the Policy Editor is saved to NetEnforcer, the Pipe is taken into account by NetEnforcer. You can enable or disable the Pipe in one of the following ways:

• Select Enable or Disable from the Edit menu.

• Right-click in the In Use column and select Enable or Disable from the popup menu.

• Click the Enable or Disable button.

NOTE:

When a Pipe is disabled, its rules and the Virtual Channels under the Pipe are disabled automatically.

7. Click Save (Ctrl + S) to save the new Pipe to NetEnforcer.

TIP:

You can also add a new Pipe by copying and pasting an existing Pipe and modifying its definition.

You can now define further rules for the Pipe or add further Virtual Channels to the Pipe, as required.


Adding Virtual Channels

A Virtual Channel is added to a Pipe. A Virtual Channel is defined by at least one rule (set of conditions), and any traffic meeting those conditions is channeled to that Virtual Channel. The actions defined for the Virtual Channel are then applied to the traffic.

NOTE:

The actions of the Pipe influence all the Virtual Channels under that Pipe and will be enforced together with the Virtual Channel's actions on every connection that is matched to the Pipe.

To add a Virtual Channel:

1. Add a Virtual Channel in one of the following ways:

• Select a Pipe or Virtual Channel in the policy table and click the Virtual Channel icon in the toolbar.

• Select a Pipe or Virtual Channel in the policy table and select Virtual Channel from the Insert menu.

• Right-click a Pipe or Virtual Channel in the policy table and select Insert and then Virtual Channel from the popup menus that are displayed.

• Press <Ctrl + L> on your keyboard (at the same time).

A new Virtual Channel is added to the selected Pipe, or to the Pipe to which the selected Virtual Channel belongs. The new Virtual Channel has default values for its rule (conditions) and actions.

2. Edit the name of the Virtual Channel, if required, and press <Enter>. Assigning a logical name to the Virtual Channel helps you to classify your traffic.

NOTE:

You can rename a Virtual Channel at any time by selecting Rename from the Edit menu.

3. Modify the rule of the Virtual Channel in the same way as for a Pipe, described on page 8-22.


4. Modify the actions of the Virtual Channel by clicking the cell in the relevant column and selecting the required action from the dropdown list that is displayed. The actions are as follows:

Access: The access given to traffic.

Quality of Service: The quality of service applied to traffic given access. The QoS determines priority, minimum and maximum bandwidth, traffic-shaping techniques (CBR or Burst) and the maximum number of connections.

Connection Control: The redirection of traffic to a load-balancing server or cache server, if required.

5. Specify the direction of the traffic between the selected source and destination by clicking in the Dir field and selecting one of the following:

Bidirectional: The flow of traffic in either direction between the selected source and destination (default).

Unidirectional: The flow of traffic from the selected source to the selected destination.

6. When a new Virtual Channel is created, it is automatically enabled, meaning that once the Policy Editor is saved to NetEnforcer, the Virtual Channel is taken into account by NetEnforcer. You can enable or disable the Virtual Channel in one of the following ways:

• Select Enable or Disable from the Edit menu.

• Right-click in the In Use column and select Enable or Disable from the popup menu.

• Click the Enable or Disable button.

• Press <Ctrl + E> to enable.

• Press <Ctrl + D> to disable.

NOTE:

When a Virtual Channel is disabled, its rules are disabled automatically.


7. Click Save (Ctrl + S) to save the new Virtual Channel to NetEnforcer.

TIP:

You can also add a new Virtual Channel by copying and pasting an existing Virtual Channel and modifying its definition.

You can now define further rules for the Virtual Channel, as required.

Adding Rules

A rule is made up of six conditions. When traffic meets the conditions of a rule, it is assigned to that rule. The actions assigned to the traffic are the actions defined for the Pipe or Virtual Channel to which the rule belongs.

To add a rule:

1. Add a rule in one of the following ways:

• Select a Pipe, Virtual Channel or rule in the policy table and click (purple icon) in the toolbar.

• Select a Pipe, Virtual Channel or rule in the policy table and select Rule from the Insert menu.

• Right-click a Pipe, Virtual Channel or rule in the policy table and select Insert and then Rule from the popup menus that are displayed.

• Press <Ctrl + K> on your keyboard.

A new rule is added to the selected Pipe or Virtual Channel, or to the Pipe or Virtual Channel to which the selected rule belongs.

NOTE:

Rules do not have names.

2. Specify the conditions for the rule in the same way as for a Pipe, described on page 8-22.


3. Specify the direction of the traffic between the selected source and destination by clicking in the Dir field and selecting one of the following:

Bidirectional: The flow of traffic in either direction between the selected source and destination (default).

Unidirectional: The flow of traffic from the selected source to the selected destination.

4. When a new rule is defined for a Pipe or Virtual Channel, it is automatically enabled, meaning that once the Policy Editor is saved to NetEnforcer, the rule is taken into account by NetEnforcer. You can enable or disable the rule in one of the following ways:

• Select Enable or Disable from the Edit menu.

• Right-click in the In Use column and select Enable or Disable from the popup menu.

• Click the Enable or Disable button.

• Press <Ctrl + E> to enable.

• Press <Ctrl + D> to disable.

You can continue to define further Pipes, Virtual Channels and rules, as required. To speed up the process, you can copy and paste existing Pipes, Virtual Channels and rules and then modify their settings, as required. Remember, when you have completed your editing session, click Save (Ctrl + S) to save the new rules, Virtual Channels and Pipes to NetEnforcer.

You can also create and insert a Pipe or Virtual Channel template as described on page 8-28.


Policy Table Order

You should define Pipes and Virtual Channels so that those that are more specific are defined before those that are more general. Similarly, the rules defined for a Pipe or Virtual Channel should follow this order. This is because NetEnforcer searches the Policy table from the top down: as soon as a Pipe rule is found to match the connection, NetEnforcer looks at no more Pipes, and similarly, within the matched Pipe, as soon as a Virtual Channel rule is found to match the connection, NetEnforcer looks no further.

Using cut and paste, you can change the order of the policy table, as follows:

• Change the order of Pipes within the policy table

• Change the order of Virtual Channels within Pipes

• Change the order of rules within Pipes or Virtual Channels

You cannot change the position of the Fallback Pipe or Fallback Virtual Channels. The Fallback Pipe is always at the bottom of the policy table and the Fallback Virtual Channels are always the last Virtual Channel in a Pipe.
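The following Python example is added here to illustrate the top-down, first-match search just described; it is not part of this guide or of the NetEnforcer software. It models a policy table as an ordered list of Pipes, each with its own rules and Virtual Channels, and classifies a connection by the first match at each level. The Pipe and Virtual Channel names, the networks and the fields of the Rule class are constructed for illustration and do not correspond to the product's internal data model.

```python
"""First-match search over a NetEnforcer-style policy table.

Added example, not code from the guide or from Allot: it models the top-down
search described above to show why specific Pipes and Virtual Channels must
come before general ones. Rule fields, names and addresses are constructed
for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One rule condition: source/destination networks, a service port and a direction."""
    src: str = "0.0.0.0/0"            # any source
    dst: str = "0.0.0.0/0"            # any destination
    service: Optional[int] = None     # server port; None = any service
    direction: str = "bidirectional"  # or "unidirectional": only src -> dst
    enabled: bool = True              # disabled rules are skipped, as in the editor

    def matches(self, client_ip: str, server_ip: str, server_port: int) -> bool:
        if not self.enabled:
            return False
        if self.service is not None and server_port != self.service:
            return False
        c, s = ip_address(client_ip), ip_address(server_ip)
        src_net, dst_net = ip_network(self.src), ip_network(self.dst)
        forward = c in src_net and s in dst_net            # connection opened src -> dst
        if self.direction == "unidirectional":
            return forward
        return forward or (s in src_net and c in dst_net)  # either end may be the host


@dataclass
class VirtualChannel:
    name: str
    rules: List[Rule]


@dataclass
class Pipe:
    name: str
    rules: List[Rule]
    vcs: List[VirtualChannel] = field(default_factory=list)


def classify(table: List[Pipe], client_ip: str, server_ip: str,
             server_port: int) -> Tuple[str, str]:
    """Return (Pipe, Virtual Channel) for a connection.

    The first Pipe with a matching rule wins and no later Pipe is examined;
    inside it, the first matching Virtual Channel wins. The Fallback Pipe and
    Fallback VC always sit last in the editor, so returning them when nothing
    else matched is equivalent to listing them explicitly.
    """
    for pipe in table:
        if any(r.matches(client_ip, server_ip, server_port) for r in pipe.rules):
            for vc in pipe.vcs:
                if any(r.matches(client_ip, server_ip, server_port) for r in vc.rules):
                    return pipe.name, vc.name
            return pipe.name, "Fallback VC"
    return "Fallback Pipe", "Fallback VC"


def sample_table(specific_first: bool) -> List[Pipe]:
    """Constructed policy: a customer Pipe (10.1.0.0/16) and a general internal Pipe (10.0.0.0/8)."""
    customer = Pipe("Company X", [Rule(src="10.1.0.0/16")],
                    vcs=[VirtualChannel("Company X Web", [Rule(src="10.1.0.0/16", service=80)])])
    internal = Pipe("All Internal", [Rule(src="10.0.0.0/8")])
    return [customer, internal] if specific_first else [internal, customer]


if __name__ == "__main__":
    for order in (True, False):
        print("specific first" if order else "general first",
              classify(sample_table(order), "10.1.5.9", "203.0.113.10", 80))
```

With the customer Pipe listed first, a web connection from 10.1.5.9 lands in "Company X" / "Company X Web"; with the general Pipe listed first, the same connection is absorbed by "All Internal" and the customer Pipe is never consulted, which is exactly the misordering the paragraph above warns against.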

Templates

Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels very similar to each other. Templates work with host entries defined in the Host Catalog. For example, if you had a Host Group type entry in the Host Catalog called Gold Customers that consisted of Company X, Company Y and Company Z, you could define a Pipe template to be expanded for Gold Customers. This would result in Pipes being created for Company X, Company Y and Company Z when the Policy Editor is saved.

With Host List type entries, templates are only effective when the Host List entry includes more than one host or IP address or a range of IP addresses. For example, creating a Pipe template based on a Host List type entry that includes a range of IP addresses generates a Pipe instance for each IP in the range.


NOTE:

It is not possible to view Pipe instances in the Policy Editor. However, the instances are available for selection in the Monitoring module, described in Chapter 6, Monitoring Network Traffic.

A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual Channels that differ only in their source or destination. This means that you do not need to define similar Pipes and Virtual Channels when the only difference between them is the IP address in the source or destination.

New features include:

• The new Template on Range feature allows the user to define a range of IPs or a subnet.

• The Expand feature has been removed; a template now automatically implies expansion.

Creating Pipe Templates

Pipe templates represent instances of the same Pipe for every host in a selected Host Catalog entry. Pipe templates are added at the same hierarchy level as Pipes.

To create a Pipe template:

1. Add a Pipe template in one of the following ways:

• Select a Pipe in the policy table and select Template and then Pipe Template from the Insert menu.

• Right-click a Pipe in the policy table and select Insert, Templates and then Pipe Template from the popup menus that are displayed.

• Press <Ctrl + SHIFT + P> on your keyboard.


The Insert Pipe Template dialog box is displayed.

Figure 8-8 – Insert Pipe Template

2. Select the Host Catalog entry for which you want to create Pipe instances from the dropdown list.

NOTE:

You can open the Host Catalog Editor and add or modify entries as required by clicking Host Editor.

3. In the Direction Settings area, select whether to expand the Pipe by connection source or destination or both.

• If you select Bi-Directional, an instance of the Pipe will be generated for all hosts specified in the selected Host Catalog entry. The Pipes will be bi-directional, meaning that the traffic can be flowing either to or from the host in order to match the Pipe.

• If you select Uni-Directional, you must then select whether to expand the Pipe by connection source or destination. When Connection Source is selected, the Pipes generated will be uni-directional from the source, meaning that the traffic must be flowing from the host in order to match the Pipe. When Connection Destination is selected, the Pipes generated will be uni-directional to the destination, meaning that the traffic must be flowing to the host in order to match the Pipe.

4. Click OK. A new Pipe template is added to the policy table.

5. Edit the name of the Pipe template, if required. The new Pipe template is displayed in the policy table with the selected Host Catalog entry as the Connection Source or Connection Destination.

Figure 8-9 – New Pipe Template

6. Modify the Pipe template as required. You can modify its existing rule (conditions), modify its actions, define further rules and add Virtual Channels. The resulting Pipe instances receive any modifications or additions made to the Pipe template.

NOTE:

You can change the Host Catalog entry for which you want to define Pipe instances at any time by right-clicking the Pipe template name and selecting Expand by and then selecting another Host Catalog entry.

Pipes identical to the Pipe template but with a different Connection Source or Connection Destination are created for every member of the selected Host Catalog entry upon saving the Policy Editor. These Pipes are not displayed in the policy table. A Pipe is indicated as a template or master Pipe by the symbol in its icon and the symbol next to the entry in the Connection Source or Connection Destination field.


Creating Virtual Channel Templates

The process for creating Virtual Channel templates is similar to the one used for creating Pipe templates. Virtual Channel templates represent instances of the same Virtual Channel for every host in a selected Host Catalog entry. Virtual Channel templates are added at the same hierarchy level as Virtual Channels but they cannot be created beneath a Pipe template.

To create a Virtual Channel template:

1. Add a Virtual Channel template in one of the following ways:

• Select a Pipe or Virtual Channel in the policy table and select Template and then Virtual Channel Template from the Insert menu.

• Right-click a Pipe or Virtual Channel in the policy table and select Insert, Templates and then Virtual Channel Template from the popup menus that are displayed.

• Press <Ctrl + SHIFT + L> on your keyboard.


The Insert Virtual Channel Template dialog box is displayed.

Figure 8-10 – Insert Virtual Channel Template

2. Select the Host Catalog entry for which you want to create Virtual Channel instances from the dropdown list.

NOTE:

You can open the Host Catalog Editor and add or modify entries as required by clicking Host Editor.

3. In the Direction Settings area, select whether to expand the Virtual Channel by connection source or destination or both.

• If you select Bi-Directional, an instance of the Virtual Channel will be generated for all hosts specified in the selected Host Catalog entry. The Virtual Channels will be bi-directional, meaning that the traffic can be flowing either to or from the host in order to match the Virtual Channel.

• If you select Uni-Directional, you must then select whether to expand the Virtual Channel by connection source or destination. When Connection Source is selected, the Virtual Channels generated will be uni-directional from the source, meaning that the traffic must be flowing from the host in order to match the Virtual Channel. When Connection Destination is selected, the Virtual Channels generated will be uni-directional to the destination, meaning that the traffic must be flowing to the host in order to match the Virtual Channel.

4. Click OK. A new Virtual Channel template is added to the policy table.

5. Edit the name of the Virtual Channel template, if required. The new Virtual Channel template is displayed in the policy table with the selected Host Catalog entry as the Connection Source or Connection Destination.

Figure 8-11 – New Virtual Channel Template

6. Modify the Virtual Channel template as required. You can modify its existing Rule (conditions), modify its actions and define further Rules. The resulting Virtual Channel instances receive any modifications or additions made to the Virtual Channel template.

NOTE:

You can change the Host Catalog entry for which you want to define Virtual Channel instances at any time by right-clicking the Virtual Channel template name and selecting Expand by and then selecting another Host Catalog entry.

Virtual Channels identical to the Virtual Channel template but with a different Connection Source or Connection Destination are created for every member of the selected host entry. These Virtual Channels are not displayed in the policy table. A Virtual Channel is indicated as a template or master Virtual Channel by the symbol in its icon and the symbol next to the entry in the Connection Source or Connection Destination field.
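The following Python example is added to show the expansion that both the Pipe template and Virtual Channel template procedures above describe; it is not code from this guide or from Allot. It turns a Host Catalog entry (a Host Group of named members, or a Host List of single addresses, ranges and subnets) into one instance per host, placing the host in Connection Source or Connection Destination according to the Direction Settings, and includes the check that a Host List template only has an effect when the entry expands to more than one host. The entry names, member names, addresses and the Instance fields are constructed for illustration.

```python
"""Expanding a Pipe or Virtual Channel template into per-host instances.

Added example, not code from the guide or from Allot. It models what the guide
says happens when the Policy Editor is saved: one instance per member of the
selected Host Catalog entry, with the host placed in Connection Source or
Connection Destination according to the Direction Settings. Entry names,
member names and addresses are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Tuple, Union

# A Host Group entry maps member names to addresses; a Host List entry holds
# single addresses, "first-last" ranges and CIDR subnets.
HostGroup = Dict[str, str]
HostList = List[str]
CatalogEntry = Union[HostGroup, HostList]


def expand_entry(entry: CatalogEntry) -> Iterator[Tuple[str, str]]:
    """Yield (label, ip) for every host the entry covers."""
    if isinstance(entry, dict):
        for name, ip in entry.items():
            yield name, str(ip_address(ip))
        return
    for item in entry:
        if "/" in item:                       # subnet: an instance for every address in it
            for ip in ip_network(item, strict=False):
                yield str(ip), str(ip)
        elif "-" in item:                     # range: first and last inclusive
            first, last = (int(ip_address(p.strip())) for p in item.split("-", 1))
            if last < first:
                raise ValueError(f"range out of order: {item}")
            for n in range(first, last + 1):
                ip = str(ip_address(n))
                yield ip, ip
        else:
            ip = str(ip_address(item))
            yield ip, ip


def template_is_effective(entry: CatalogEntry) -> bool:
    """A template only adds value when the entry expands to more than one host."""
    return sum(1 for _ in expand_entry(entry)) > 1


@dataclass(frozen=True)
class Instance:
    name: str
    connection_source: str        # "any" when the host is not constrained on that side
    connection_destination: str
    direction: str                # "bidirectional" or "unidirectional"


def expand_template(template_name: str, entry: CatalogEntry,
                    direction: str = "bidirectional",
                    expand_by: str = "source") -> List[Instance]:
    """Generate the instances a template produces on save.

    Bi-Directional: traffic to or from the host matches, so which side the host
    is written on is cosmetic. Uni-Directional: expand_by selects Connection
    Source (traffic from the host) or Connection Destination (traffic to it).
    """
    if direction not in ("bidirectional", "unidirectional"):
        raise ValueError(f"unknown direction {direction!r}")
    if expand_by not in ("source", "destination"):
        raise ValueError(f"unknown expand_by {expand_by!r}")
    instances = []
    for label, ip in expand_entry(entry):
        src, dst = (ip, "any") if expand_by == "source" else ("any", ip)
        instances.append(Instance(f"{template_name} - {label}", src, dst, direction))
    return instances


if __name__ == "__main__":
    gold = {"Company X": "192.0.2.10", "Company Y": "192.0.2.20", "Company Z": "192.0.2.30"}
    for inst in expand_template("Gold Customers", gold, "unidirectional", "destination"):
        print(inst)
```

Running the block prints three uni-directional instances, one per Gold Customers member, each with the member's address as Connection Destination; the same call with a Host List such as ["10.1.1.10-10.1.1.12", "10.1.2.0/30"] produces seven instances, one per address in the range and subnet.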


NOTE:

For example, tiered services may be defined quickly using templates. Create one template to represent Platinum service with a minimum of 500Kbps per user, a second to represent Gold service with a minimum of 250Kbps per user and a third to represent Silver service with a maximum of 100 Kbps per user.

Distributing Policy to Other NetEnforcers

You can save and simultaneously distribute your QoS policy to other NetEnforcers if required. The policy is distributed to all devices on the distribution list. You can add devices to the distribution list as required.

To configure the distribution list:

1. From the Settings menu, select Distribution List. The Distribution List is displayed.

Figure 8-12 – Distribution List

NOTE:

You can distribute policy to other NetEnforcers only if they are of the same model and have the same software version as the one from which you are distributing.


2. To add a device to the distribution list, click Add. The Device Properties dialog box is displayed.

Figure 8-13 – Device Properties Dialog Box

3. In the Host field, specify the IP address of the NetEnforcer device.

4. Specify the user name and password in the relevant fields.

5. Click OK. The device is added to the distribution list.

You can further modify the distribution list in the following ways:

• Select a device in the list and click Edit. Modify the properties of the device in the Device Properties dialog box as required.

• Select a device in the list and click Delete. The selected device is deleted from the distribution list.

• Click Delete All to delete all devices from the distribution list.


To distribute the QoS policy to the devices on the distribution list, select Save & Distribute from the File menu. A report on the results of the distribution is displayed, for example:

Figure 8-14 – Distribution Report


Chapter 9: NetEnforcer Alerts

This chapter describes the NetEnforcer Alerts Editor and Alerts Log.

This chapter includes the following sections:

Overview, page 9-2, provides an overview of the NetEnforcer Alerts Editor and Log and how you can use them to monitor your network status.

Alerts Editor, page 9-5, describes the NetEnforcer Alerts Editor and how to define events or conditions that will trigger alerts.

Alerts Log, page 9-22, describes the NetEnforcer Alerts Log that includes a list of the alerts triggered by the alert definitions.


Overview

The Alerts feature allows the user not only to monitor the state of the system, but also to be alerted when certain thresholds are met. For example, users can set an alert to identify when the bandwidth for a particular link/customer is close to reaching its maximum. Utilizing the Alert mechanism, an action can be taken before network problems occur (e.g., before the line becomes fully utilized and congestion exists). Thresholds can be set to identify excessive connections or abnormal behavior on the line.

TIP:

Users can be alerted of potential virus attacks by setting alerts on certain connection limits.

The Alerts feature enables the user to set Actions to occur when certain user-defined thresholds are reached for the following entities:

• NetEnforcer

• Pipe

• VC

• System

Within each entity there are various conditions that can be monitored as well as numerous actions that can be taken in the event of an alert. The basic actions are:

• Send SNMP trap

• Send email (up to two addresses)

• Send SMS

• Change access control

• Change priority


• Send NetEnforcer into bypass

• Reboot NetEnforcer

The Alerts log provides a list of all the alerts (including predefined ones) and replaces the Log Viewer found in previous NetEnforcer versions. Acknowledging an Alert event allows the tracking of that Alert to continue, enabling a record of the event to be built up in the Alerts log.


Important Preparation

In order to work with alerts, you must specify the following parameters in the Alerts tab of the NetEnforcer Configuration window:

• Select the Activate Alert Dispatching on NetEnforcer checkbox. This is checked by default.

Figure 9-1 – NetEnforcer Configuration Window

• Define any relevant email addresses and SMS targets for alerts.

• Click the save button or select Save to NetEnforcer from the File menu in the NetEnforcer Configuration window to save the configuration.

The NetEnforcer Configuration window is described in Chapter 4, Configuring NetEnforcer.


Alerts Editor

The Alerts Editor enables you to define events or conditions that will trigger alerts (alert definitions). Alerts can be triggered according to conditions existing in NetEnforcer, a selected Pipe or Virtual Channel, or in the system generally. You can define up to 100 alert definitions in the Alerts Editor.

When an alert is triggered, it is displayed in the Alerts Log. You can also send notification of alerts by SMS, email or SNMP.

Predefined System Alerts

Some alerts are predefined. This means that when certain conditions exist, an alert is triggered and displayed in the Alerts Log. There is no need to define an alert definition for a predefined alert in the Alerts Editor. Predefined alerts are not sent to any defined email, SMS or SNMP targets.

All predefined alerts relate to the system, meaning they occur when a certain condition exists in the system.

The following table lists the possible default event Alerts that may be seen in the NetEnforcer Alerts module.

Columns: Alert Message; Alert Syntax (Module#Severity#Message); Definition.

Alert Message: Connection to both RADIUS servers lost.
Alert Syntax: Accounting#Critical#Connection to both RADIUS servers lost.
Definition: Indicates that the NetAccountant’s connection to both the primary and secondary (if relevant) RADIUS servers has failed. This could be due to difficulties on either side of the connection.

Alert Message: Accounting is not active. Invalid key.
Alert Syntax: Accounting#Major#Accounting is not active. Invalid key.
Definition: Indicates that the key entered in the NetEnforcer GUI is not a valid key for activating the NetAccountant Module. Check the key or contact Allot Customer Support.

Alert Message: Failed to read configuration parameters.
Alert Syntax: Accounting#Major#Failed to read configuration parameters.
Definition: Indicates that the NetAccountant configuration parameters in the NetEnforcer GUI have not been entered.

Alert Message: Accounting is not active.
Alert Syntax: Accounting#Major#Accounting is not active.
Definition: Indicates that the NetAccountant module has not been enabled in the NetEnforcer GUI.

Alert Message: Failed to connect to primary server. Connecting to secondary server.
Alert Syntax: Accounting#Major#Failed to connect to primary server. Connecting to secondary server.
Definition: Indicates that the NetAccountant Module was unable to connect to the primary external server entered in the NetEnforcer GUI.

Alert Message: Failed to connect to secondary server.
Alert Syntax: Accounting#Major#Failed to connect to secondary server.
Definition: Indicates that the NetAccountant Module was unable to connect to the secondary external server entered in the NetEnforcer GUI.

Alert Message: Failed to connect to either primary or secondary server - data send aborted.
Alert Syntax: Accounting#Critical#Failed to connect to either primary or secondary server - data send aborted.
Definition: Indicates that the NetAccountant Module was unable to connect to the primary or secondary external server entered in the NetEnforcer GUI and that any Accounting data for this interval has been lost.

Alert Message: Failed to retrieve data - data send aborted.
Alert Syntax: Accounting#Major#Failed to retrieve data - data send aborted.
Definition: Indicates that the NetAccountant Module was unable to gather the Accounting data from the Stats Collector and that any Accounting data for this interval has been lost.

Alert Message: Low disk space. Failed to save accounting data. Please consult customer support.
Alert Syntax: Accounting#Critical#Low disk space. Failed to save accounting data. Please consult customer support.
Definition: Indicates that the NetAccountant Module was unable to save Internal accounting data to the NetEnforcer’s hard disk due to a lack of space.

Alert Message: Number of accounting records exceeded limit of <#> records.
Alert Syntax: Accounting#Major#Number of accounting records exceeded limit of %s records.
Definition: Indicates that the number of accounting records to be saved (based on the configuration in the NetEnforcer GUI) has exceeded the maximum for the unit.

Alert Message: Accounting database error. Table <#> is corrupted.
Alert Syntax: Accounting#Major#Accounting database error. Table %s is corrupted.
Definition: Indicates that a specific accounting data table is corrupted.

Alert Message: The system has reached the maximum number of rules.
Alert Syntax: Policy Database#Critical#The system has reached the maximum number of rules.
Definition: Indicates that the number of rules (based on the configuration in the NetEnforcer GUI) has exceeded the maximum for the unit.

Alert Message: Event/s of access deny.
Alert Syntax: Rule matching#Normal#Event/s of access deny.
Definition: Indicates that an event has triggered a preset alert action, switching the QoS apply to “deny packets”.

Alert Message: Event/s of admission control failure.
Alert Syntax: Rule matching#Normal#Event/s of admission control failure.

Alert Message: Event/s of Connection Control server not available.
Alert Syntax: Connection Control#Major#Event/s of Connection Control server not available.

Alert Message: Server <SERVER_NAME> of Connection control is down.
Alert Syntax: Connection Control#Major#Server '%s' of Connection control is down.
Definition: Indicates that the Connection Control server entered in the NetEnforcer GUI is down.

Alert Message: Server <SERVER_NAME> of Connection control is up.
Alert Syntax: Connection Control#Major#Server '%s' of Connection control is up.
Definition: Indicates that the Connection Control server entered in the NetEnforcer GUI has come back up.

Alert Message: Service <SERVICE_NAME> of Connection control is down.
Alert Syntax: Connection Control#Major#Service '%s' of Connection control is down.
Definition: Indicates that the specific service on the Connection Control server is not responding.

Alert Message: Service <SERVICE_NAME> of Connection control is up.
Alert Syntax: Connection Control#Major#Service '%s' of Connection control is up.
Definition: Indicates that the specific service on the Connection Control server is responding again.

Alert Message: Failed to read RADIUS dictionary. Please consult customer support.
Alert Syntax: Accounting#Critical#Failed to read RADIUS dictionary. Please consult customer support.
Definition: Indicates that the NetAccountant module is unable to communicate with the RADIUS server.

Alert Message: Connection to primary RADIUS server lost. Trying secondary server.
Alert Syntax: Accounting#Major#Connection to primary RADIUS server lost. Trying secondary server.
Definition: Indicates that the NetAccountant’s connection to the primary RADIUS server has failed. This could be due to difficulties on either side of the connection.

Alert Message: Failed to dispatch accounting data. This may be due to a lack of disk space at destination.
Alert Syntax: Accounting#Major#Failed to dispatch accounting data. This may be due to a lack of disk space at destination.
Definition: Indicates that the NetAccountant module was unable to send the accounting data to an external server.

Alert Message: The Service catalog update failed.
Alert Syntax: Service update#Info#The Service catalog update failed.
Definition: Indicates that the online Service catalog update failed and was aborted.

Alert Message: The Service catalog update was completed successfully.
Alert Syntax: Service update#Info#The Service catalog update was completed successfully.
Definition: Indicates that the online Service catalog update was successful.

Additionally, there are three types of system alerts, as follows:

Alert Module Failure: If the alert functionality within NetEnforcer fails, an alert is triggered.

DoS Attack: If there is a DoS attack within NetEnforcer, an alert is triggered. Additional information is described in Chapter 10, Detecting Security Threats.

Access Control Exceptional Events: If an unauthorized user tries to enter NetEnforcer, an alert is triggered.

Authorized users are specified in the Access Control tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).
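The following Python example is added to show how the Module#Severity#Message syntax of the predefined alerts above can be parsed when Alerts Log exports are reviewed off the device; it is not part of this guide or of the NetEnforcer software. It splits each line into its three fields, rejects lines with an unknown severity, and offers a severity filter and a per-module count for triage. The sample lines are constructed from messages in the table, with constructed values in place of the %s placeholders; the severity ranking follows the five levels offered by the Alerts Editor, with "Info" accepted as the spelling used by the Service update alerts.

```python
"""Parser for NetEnforcer predefined alert lines in Module#Severity#Message form.

Added example, not part of the guide or of Allot's software. It splits a line
into its three fields, validates the severity, and offers a severity filter and
a per-module count for triage. The sample lines are constructed from messages
in the table above, with constructed values in place of the %s placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Severity order used by the Alerts Editor; "Info" is how the predefined
# Service update alerts spell the lowest level.
SEVERITY_RANK = {"Info": 0, "Information": 0, "Normal": 1, "Minor": 2, "Major": 3, "Critical": 4}


@dataclass(frozen=True)
class Alert:
    module: str
    severity: str
    message: str

    @property
    def rank(self) -> int:
        return SEVERITY_RANK[self.severity]


def parse_alert(line: str) -> Alert:
    """Split on the first two '#' only, so a '#' inside the message is preserved."""
    parts = line.strip().split("#", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a Module#Severity#Message line: {line!r}")
    module, severity, message = parts
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r} in {line!r}")
    return Alert(module, severity, message)


def is_alert_line(line: str) -> bool:
    try:
        parse_alert(line)
        return True
    except ValueError:
        return False


def parse_all(lines: List[str]) -> List[Alert]:
    """Parse every well-formed line; lines that are not alerts are skipped."""
    return [parse_alert(line) for line in lines if is_alert_line(line)]


def at_least(alerts: List[Alert], severity: str) -> List[Alert]:
    """Keep alerts whose severity is at or above the given level."""
    floor = SEVERITY_RANK[severity]
    return [a for a in alerts if a.rank >= floor]


def count_by_module(alerts: List[Alert]) -> Dict[str, int]:
    return dict(Counter(a.module for a in alerts))


SAMPLE_LINES = [  # constructed sample log, not captured from a device
    "Accounting#Critical#Connection to both RADIUS servers lost.",
    "Accounting#Major#Number of accounting records exceeded limit of 500000 records.",
    "Connection Control#Major#Server 'cc-server-1' of Connection control is down.",
    "Rule matching#Normal#Event/s of access deny.",
    "Service update#Info#The Service catalog update was completed successfully.",
    "this line is not an alert",
]

if __name__ == "__main__":
    alerts = parse_all(SAMPLE_LINES)
    for a in at_least(alerts, "Major"):
        print(a.severity, a.module, "-", a.message)
    print(count_by_module(alerts))
```

The filter and the per-module count are the two views that matter first when the log is reviewed: anything at Major or Critical from the Accounting module means accounting data is being lost, whereas the Service update lines at Info are routine.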


To define alerts in the Alerts Editor:

1. From the NetEnforcer Control Panel, click Alerts and then select Alerts Editor. The Alerts Editor is displayed.

Figure 9-2 – Alerts Editor

The tabs on the left are where you define the alert and the list on the right displays a list of all the alert definitions.

2. Select the Definition tab.

3. In the Name field, enter a name for the alert.


4. From the Object Type dropdown list, select the object to observe. This is the object where, once a specified condition exists, this alert is triggered. Select one of the following:

• NetEnforcer

• Pipe

• Virtual Channel

• System

5. If you selected Pipe or Virtual Channel in step 4, the Selected Pipe or Selected VC field is displayed below the Object Type dropdown list. Select the Pipe or Virtual Channel to observe by clicking the button and browsing to the required Pipe or Virtual Channel.

6. In the Condition area, select the condition that must exist on the selected object in order for the alert to occur. The available conditions vary according to the object type selected. Additionally, each condition may have different parameters. For a full list of conditions and their parameters, refer to page 9-12. When you have selected a condition, a summary of the alert definition is provided in the Condition area. For example, when NetEnforcer is selected as the Object Type and Any Traffic is selected as the Condition, an alert is triggered whenever there is “any traffic flowing in NetEnforcer”.


7. Select the Behavior tab.

Figure 9-3 – Alerts Editor – Behavior Tab

The Behavior tab is where you specify what will happen if the defined conditions in the Definition tab are fulfilled.


8. In the Enable area, select the Alert is Enabled checkbox to enable the alert definition.

9. From the Alert Severity dropdown list, select the severity of the alert from the following:

• Information

• Normal

• Minor

• Major

• Critical

10. In the Dispatch & Action area, select where the alert will be sent (in addition to the Alerts Log) and any action that should result:

SMS: The alert is sent to the SMS address specified in the Alerts tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).

SNMP Trap Clients: The alert is sent as an SNMP trap according to the SNMP details specified in the SNMP tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).

Email (Primary): The alert is sent to the primary email address specified in the Alerts tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).

Email (Secondary): The alert is sent to the secondary email address specified in the Alerts tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).

NOTE:

If details have not been provided in the Alerts and SNMP tabs of the NetEnforcer Configuration window, a warning is displayed.


11. If required, from the Action dropdown list, select a predefined action that will result when the alert is triggered. The following predefined actions are available for selection; the action is implied in the name:

• ChangeAccessControlToAccept

• ChangeAccessControlToDrop

• ChangeAccessControlToReject

• ChangePriorityToHigh

• ChangePriorityToLow

• ChangePriorityToNormal

• IgnoreQoS

• NetEnforcerBypass

• Reboot

Additional custom actions can be added.

12. In the Action Following Alert area, select whether NetEnforcer will continue to check for the alert from the following:

• Restart Checking After: Once the alert has occurred, check to see if the condition exists again after a specified time.

• Restart Checking After Alert Acknowledged: Once the alert has occurred, only start checking to see if the condition exists again once the alert is acknowledged.

13. Click Add. The alert definition is complete and the alert is added to the list of alerts in the Defined Alerts List.

14. In order for the alert definition to be applied, you must save it to NetEnforcer. Select Save to NetEnforcer from the Alerts Editor File menu or click the save button on the toolbar.

NOTE:

Saving the Alerts Editor re-arms all alert definitions. For a “one time only” alert definition, if the alert condition exists, an alert is again dispatched. For a “periodic” alert definition, if the alert condition exists, an alert is dispatched.
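The following Python example is added to show the behaviour that the Definition and Behavior settings of the procedure above define, replayed over sampled measurements; it is not part of this guide or of the NetEnforcer software. A definition carries a condition with a "less than" and/or "more than" threshold, a severity and the Action Following Alert mode (restart checking after a delay, or only after the alert is acknowledged), and the re-arm that saving the Alerts Editor performs is modelled as well. The connection-rate samples and the definition names are constructed; nothing here reads a real device.

```python
"""Evaluating threshold alert definitions over sampled measurements.

Added example, not code from the guide or from Allot. It models the Definition
and Behavior settings described in the procedure above: a condition with a
"less than" and/or "more than" threshold, and the two "Action Following Alert"
modes (restart checking after a delay, or only after acknowledgement). The
measurements are constructed; nothing here reads a real NetEnforcer.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AlertDefinition:
    name: str
    object_type: str                         # "NetEnforcer", "Pipe" or "Virtual Channel"
    condition: str                           # e.g. "Connection Establishment Rate"
    less_than: Optional[float] = None        # trigger when value < less_than
    more_than: Optional[float] = None        # trigger when value > more_than
    severity: str = "Major"
    enabled: bool = True
    restart_after: Optional[float] = None    # seconds; None = Restart Checking After Alert Acknowledged

    def triggered_by(self, value: float) -> bool:
        if self.less_than is None and self.more_than is None:
            raise ValueError("specify at least one threshold")
        below = self.less_than is not None and value < self.less_than
        above = self.more_than is not None and value > self.more_than
        return below or above


@dataclass
class AlertState:
    """Runtime state of one saved definition: armed, last trigger time, acknowledgement."""
    definition: AlertDefinition
    armed: bool = True
    last_fired: Optional[float] = None
    acknowledged: bool = False

    def acknowledge(self) -> None:
        self.acknowledged = True

    def rearm(self) -> None:
        """Saving the Alerts Editor re-arms every definition."""
        self.armed, self.acknowledged = True, False

    def observe(self, t: float, value: float) -> Optional[str]:
        """Feed one sample taken at time t; return an alert message if one is dispatched."""
        d = self.definition
        if not d.enabled:
            return None
        if not self.armed:                       # re-arm per "Action Following Alert"
            if d.restart_after is not None:
                self.armed = (t - self.last_fired) >= d.restart_after
            elif self.acknowledged:
                self.armed = True
        if self.armed and d.triggered_by(value):
            self.armed, self.acknowledged, self.last_fired = False, False, t
            return f"{d.severity}: {d.name} - {d.condition} = {value:g} on {d.object_type}"
        return None


def run(definition: AlertDefinition, samples: List[Tuple[float, float]],
        ack_at: Tuple[float, ...] = ()) -> List[Tuple[float, str]]:
    """Replay (time, value) samples, acknowledging at the given times; return dispatched alerts."""
    state = AlertState(definition)
    fired = []
    for t, value in samples:
        if t in ack_at:
            state.acknowledge()
        msg = state.observe(t, value)
        if msg:
            fired.append((t, msg))
    return fired


# Constructed new-connections-per-second readings, 10 seconds apart.
SAMPLES = [(0, 50), (10, 900), (20, 950), (30, 970), (40, 40), (50, 1200), (60, 1300)]

if __name__ == "__main__":
    surge = AlertDefinition("CPS surge", "NetEnforcer", "Connection Establishment Rate",
                            more_than=500, restart_after=30)
    for t, msg in run(surge, SAMPLES):
        print(f"t={t:g}s {msg}")
```

With "restart after 30 seconds" the surge fires at t=10 and again at t=50, because the readings at 20 and 30 fall inside the hold-off; with "after acknowledged" it fires once at t=10 and not again until someone acknowledges it, which is the mode to choose when a repeated dispatch would only add noise to the Alerts Log and the email or SNMP targets.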


Customized Actions

Additional actions may be defined by the user. These actions are added to the drop-down list and appear along with the predefined actions. Actions are added through the use of scripts. These are simply CLI commands saved in a specific location on the NetEnforcer.

Writing the Script

The script may be saved as a text file and imported into the NetEnforcer with an FTP client, or it can be written directly in the CLI interface using the vi text editor.

Implementing the Script

Scripts written as .txt files must be saved in the usr/local/swg/Alerts/scripts folder. Once they are saved in the folder, they appear in the drop-down menu under Action in the Behavior tab of the Alerts Editor. In addition, scripts must be made executable after they are saved. To do this, enter the following command:

chmod +x <script_file_name>

For more information, please contact your Allot support representative.
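The following Python example is added as a check to run after scripts have been uploaded to the scripts folder; it is not part of this guide or of the NetEnforcer software. Because the alert engine executes whatever is in that folder, the audit reports each script that is not yet executable (the chmod +x step above was skipped), is writable by group or other users, is a symlink, or is not owned by the expected account. The absolute form of the folder path, the expected owner and the demo script names are assumptions; the demo builds a throwaway folder rather than touching a real device.

```python
"""Checking the folder that holds custom alert-action scripts.

Added example, not code from the guide or from Allot. The guide says custom
actions are scripts saved under usr/local/swg/Alerts/scripts and made
executable with chmod +x; because the alert engine runs whatever is in that
folder, this audit reports scripts that are not executable, are writable by
group or others, are symlinks, or are not owned by the expected account. The
absolute path, the expected owner and the demo script names are assumptions;
the demo builds a throwaway folder rather than touching a real device.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SCRIPTS_DIR = Path("/usr/local/swg/Alerts/scripts")  # assumed absolute form of the page's path


def audit_scripts(directory: Path, expected_uid: Optional[int] = None) -> Dict[str, List[str]]:
    """Return {script name: [problems]}; an empty list means the script is ready to use."""
    report: Dict[str, List[str]] = {}
    for path in sorted(directory.iterdir()):
        problems: List[str] = []
        if path.is_symlink():
            problems.append("is a symlink")
        st = path.stat() if path.exists() else None   # follows symlinks
        if st is None or not stat.S_ISREG(st.st_mode):
            report[path.name] = problems + ["not a regular file"]
            continue
        if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            problems.append("not executable (run chmod +x)")
        if st.st_mode & stat.S_IWOTH:
            problems.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            problems.append("group-writable")
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
        report[path.name] = problems
    return report


def ready_scripts(report: Dict[str, List[str]]) -> List[str]:
    """Names of the scripts the Action drop-down can safely offer."""
    return sorted(name for name, problems in report.items() if not problems)


def demo() -> Dict[str, List[str]]:
    """Build a throwaway folder with one good and two faulty scripts and audit it."""
    folder = Path(tempfile.mkdtemp(prefix="alert-scripts-"))
    for name, mode in (("custom_lower_priority.txt", 0o755),      # constructed names
                       ("custom_not_executable.txt", 0o644),
                       ("custom_world_writable.txt", 0o777)):
        script = folder / name
        script.write_text("#!/bin/sh\n# placeholder for the CLI commands of the action\n")
        os.chmod(script, mode)
    return audit_scripts(folder, expected_uid=os.getuid())


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On a real unit the call would be audit_scripts(SCRIPTS_DIR, expected_uid=...) with the uid the alert engine runs as; a script that is world- or group-writable lets any other account on the appliance change the commands the engine will run with the engine's privileges, so fixing the mode matters as much as the chmod +x step.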


Conditions for Alerts

The possible conditions for alerts vary according to the object type selected. The following table details the conditions available for selection for each object type as well as the parameters that are displayed according to the condition selected.

Columns: Condition; Object Type; Parameters to Specify; Meaning.

Condition: Any Traffic
Object Type: NetEnforcer, Pipe, Virtual Channel
Parameters to Specify: No parameters required.
Meaning: When any traffic is in NetEnforcer or the selected Pipe or the selected Virtual Channel, an alert is triggered.

Condition: No Traffic
Object Type: NetEnforcer, Pipe, Virtual Channel
Parameters to Specify: No parameters required.
Meaning: When no traffic is in NetEnforcer or the selected Pipe or the selected Virtual Channel for 30 seconds, an alert is triggered.

Condition: Traffic Flow
Object Type: NetEnforcer, Pipe, Virtual Channel
Parameters to Specify: You can specify one or both parameters.
Meaning: When the traffic flow in NetEnforcer or the selected Pipe or the selected Virtual Channel is less than or more than the specified amounts, an alert is triggered.

Condition: Connection Count
Object Type: NetEnforcer, Pipe, Virtual Channel
Parameters to Specify: You can specify one or both parameters.
Meaning: When the number of live connections in NetEnforcer or the selected Pipe or the selected Virtual Channel is less than or more than the specified amounts, an alert is triggered.

Condition: Connection Establishment Rate
Object Type: NetEnforcer, Pipe, Virtual Channel
Parameters to Specify: You can specify one or both parameters.
Meaning: When the number of new connections per second in NetEnforcer or the selected Pipe or the selected Virtual Channel is less than or more than the specified amounts, an alert is triggered.

Condition: Pipe Count
Object Type: NetEnforcer
Parameters to Specify: You can specify one or both parameters.
Meaning: When the number of active Pipes in NetEnforcer is less than or more than the specified amounts, an alert is triggered.

Condition: Virtual Channel Count
Object Type: NetEnforcer
Parameters to Specify: You can specify one or both parameters.
Meaning: When the number of active Virtual Channels in NetEnforcer is less than or more than the specified amounts, an alert is triggered.

Condition: Alert Module Fails
Object Type: System
Parameters to Specify: No parameters required.
Meaning: If the alert functionality within NetEnforcer fails, an alert is triggered.

Condition: Accounting/RADIUS
Object Type: System
Parameters to Specify: No parameters required.
Meaning: If there are exceptional and unusual events in the Accounting/RADIUS mechanism within NetEnforcer, an alert is triggered.

Condition: DoS Attack
Object Type: System
Parameters to Specify: No parameters required.
Meaning: If there is a DoS attack within NetEnforcer, an alert is triggered.

Condition: Access Control
Object Type: System
Parameters to Specify: No parameters required.
Meaning: If an unauthorized user tries to enter NetEnforcer, an alert is triggered. Authorized users are specified in the Access Control tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).

Condition: Router Interface
Object Type: System
Parameters to Specify: Specify the router’s IP address, the SNMP community of the router, and the interface you want to monitor (the interface number of the primary or the backup link). The Alert on Change to field enables you to decide when you want the alert to be issued: when the link goes down, when the link goes up or every time the link changes status (up/down).
Meaning: If the link on the access router goes up or down (or either), an alert is triggered. This enables you to set an alert when the primary link goes down and the backup link goes into action.

TIP:

Router Interface

NetEnforcer is often located at the access point, just behind the access router that connects the enterprise to the Internet. In some cases the access router has two uplinks, a primary link and a backup link. The backup link usually has a lower speed than the primary link.

In these environments you need to be able to change the policy defined in NetEnforcer when the primary link at the router fails and the backup link takes over.

This can be achieved with NetEnforcer's Alert module. The Router Interface condition lets you define a link up/down event on the access router, so that an alert is triggered when the primary link goes down and the backup link takes over.
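The following is an added example, not Allot's code, of the link-state logic behind the Router Interface condition. It builds the MIB-II ifOperStatus OID for the monitored ifIndex and raises an alert on the transition selected by Alert on Change to. The polled status values are constructed; a real poller would obtain them with an SNMP GET against the router using the configured community. The router address, the ifIndex, and the class and function names are this example's own assumptions.

```python
"""Link up/down alerting for a router interface polled over SNMP.

Added example, not Allot code. It models the Router Interface alert
condition: poll the router's ifOperStatus for one ifIndex and raise an
alert on the transition chosen in "Alert on Change to" (down, up or
either). The status samples fed in below are constructed; in production
they would come from SNMP GETs of the OID built by if_oper_status_oid().
"""
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 1213 MIB-II: interfaces(2).ifTable(2).ifEntry(1).ifOperStatus(8).<ifIndex>
IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"
UP, DOWN, TESTING = 1, 2, 3     # ifOperStatus values; anything but 1 counts as "not up"


def if_oper_status_oid(if_index: int) -> str:
    """Instance OID to poll for the interface number configured in the alert."""
    if if_index < 1:
        raise ValueError("ifIndex values start at 1")
    return f"{IF_OPER_STATUS}.{if_index}"


@dataclass
class RouterInterfaceMonitor:
    """One Router Interface alert definition: router, interface and trigger mode."""
    router_ip: str
    if_index: int
    alert_on: str                   # "down", "up" or "change", as in Alert on Change to
    last_status: Optional[int] = None
    alerts: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.alert_on not in ("down", "up", "change"):
            raise ValueError("alert_on must be 'down', 'up' or 'change'")

    def observe(self, status: int) -> Optional[str]:
        """Feed one polled ifOperStatus value; return the alert text if one fires.

        The first sample only seeds the state, so a link that is already down
        when monitoring starts does not raise a spurious 'link down'.
        """
        previous, self.last_status = self.last_status, status
        if previous is None or previous == status:
            return None
        went_down = previous == UP and status != UP
        came_up = previous != UP and status == UP
        if not (went_down or came_up):
            return None             # e.g. testing -> down: the link never was up, no edge
        if self.alert_on == "down" and not went_down:
            return None
        if self.alert_on == "up" and not came_up:
            return None
        text = (f"Router Interface: {self.router_ip} ifIndex {self.if_index} "
                f"({if_oper_status_oid(self.if_index)}) link {'down' if went_down else 'up'}")
        self.alerts.append(text)
        return text


def replay(alert_on: str, samples: List[int]) -> List[str]:
    """Run a constructed sequence of polled values through one monitor."""
    mon = RouterInterfaceMonitor("192.0.2.1", 2, alert_on)   # assumed router and primary-link ifIndex
    for s in samples:
        mon.observe(s)
    return mon.alerts
```

The community string stored in this alert definition is sent in cleartext by SNMPv1 and SNMPv2c, so use a read-only community dedicated to NetEnforcer and restrict it on the router to NetEnforcer's management address.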

Defined Alerts List You can define as many alerts as required. All alert definitions are displayed in the Defined Alerts List. If an alert is enabled and has been saved to NetEnforcer, then the alert definition is active in NetEnforcer. This means that should the condition specified in the definition arise, an alert is triggered.

The Defined Alerts List displays a summary of the alert definition as follows:

Enabled Whether or not the alert definition is enabled.

Name The name of the alert definition.

Severity The severity of the alert definition. The background color of this field reflects the severity: Information and Normal are green, Minor is yellow, Major is orange, and Critical is red.

Type The type of object: NE (NetEnforcer), Pipe, VC (Virtual Channel) or System.

Src Name When Pipe or VC is the object type, the name of the Pipe or Virtual Channel.

Condition A summary of the condition that must exist in order for the alert to be triggered.

Disp Where the alert will be sent (in addition to the Alerts Log) and what action will occur when the alert is triggered.

Recheck Once the alert has occurred, whether (and if so, when) NetEnforcer will continue to check for the alert.

You can sort the list of alert definitions by clicking a column header. For example, clicking Type sorts the alerts according to type.

From the Defined Alerts List, you can enable and disable alerts as required. Simply select or deselect the Enabled checkbox on the left of the list.

To modify an alert definition, select it in the Defined Alerts List, make the required changes in the Definition and Behavior tabs and click Update.

To delete an alert definition, select it in the Defined Alerts List and click Delete.

NOTE:

You can also delete an alert definition by right-clicking it in the Defined Alerts List and selecting Delete.

Alerts Editor Menus and Toolbar The menu options and toolbar buttons available in the Alerts Editor are as follows:

Menu/Command Button Function

File

Save to NetEnforcer Saves the alert definitions to NetEnforcer. Saving the Alerts Editor re-arms all alert definitions.

Reload Alerts Reloads the last set of saved alert definitions in the Alerts Editor.

Print Enables you to print the list of alert definitions.

Exit Closes the Alerts Editor.

Edit

Delete Deletes the selected alert definitions.

Enable All Enables all the alert definitions in the list.

Disable All Disables all the alert definitions in the list. When an alert definition is disabled, NetEnforcer does not consider it.

Select All Selects all the alert definitions in the list.

View

Sort by Enables you to sort the list of alert definitions according to column headers.

Options

Load Alert Log Opens the Alerts Log. You can also access the Alerts Log by right-clicking an alert definition in the Defined Alerts List and selecting Open Alerts Log.

Help

Index Provides access to online help.

The status bar in the Alerts Editor provides the following information:

• Last action performed.

• Selected alert/Total number of alert definitions.

• Sort condition.

• Mod is displayed when alert definitions have been modified. It is removed once the alert definitions have been saved to NetEnforcer.

Alerts Log The Alerts Log displays a list of the alerts triggered by the alert definitions. Information such as the date of the alert, the source of the alert as well as the severity of the alert is displayed.

TIP:

The color of the Alerts button in the NetEnforcer Control Panel reflects the most severe unacknowledged alert in the Alerts Log. Gray indicates an undetermined state, normally because of a communication problem with NetEnforcer.

To open the Alerts Log:

Access the Alerts Log in any of the following ways:

• From the NetEnforcer Control Panel, click Alerts and then select Alerts Log.

• In the Alerts Editor, select Load Alert Log from the Options menu.

• In the Alerts Editor, right-click an alert definition and select Load Alert Log.

An example Alerts Log is shown below:

Figure 9-4 – Alerts Log

The Alerts Log, which is automatically refreshed every 30 seconds, provides the following information for each alert:

Ack Whether or not you have acknowledged the alert. Acknowledging an alert re-arms the alert definition so that NetEnforcer again checks to see if the alert condition exists.

NetEnforcer Date The time and date on NetEnforcer when the event triggering the alert occurred.

Alert Name The name of the alert definition.

Source The type of object where the event triggering the alert occurred: NE (NetEnforcer), Pipe, VC (Virtual Channel) or System.

Source Name When the Source is Pipe or VC, the name of the Pipe or Virtual Channel.

Severity The severity of the alert. The background color of this field reflects the severity: Information and Normal are green, Minor is yellow, Major is orange, and Critical is red.

Description A summary of the event triggering the alert.

You can sort the list of alerts by clicking a column header. For example, clicking NetEnforcer Date sorts the alerts according to date and displays them in date order.

Alerts Log Menus and Toolbar The menu options and toolbar buttons available in the Alerts Log are as follows:

Menu/Command Button Function

File

Reload Rereads the alert log data on NetEnforcer and refreshes the display of the Alerts Log.

Print Enables you to print the list of alerts.

Exit Closes the Alerts Log.

Edit

Clear Selected Clears selected alerts from the Alerts Log. You can also clear alerts from the Alerts Log by right-clicking the alert and selecting Clear.

Clear All Clears all alerts from the Alerts Log.

Acknowledge Selected Acknowledges selected alerts in the Alerts Log. Acknowledging an alert re-arms the alert definition so that NetEnforcer again checks to see if the alert condition exists.

Unacknowledge Selected

Unacknowledges selected alerts in the Alerts Log.

Acknowledge All Acknowledges all alerts in the Alerts Log.

Unacknowledge All Unacknowledges all alerts in the Alerts Log.

Select All Selects all alerts in the Alerts Log.

View

Sort by Enables you to sort the list of alerts according to column headers.

Set Filters Enables you to filter the display of alerts.

Clear Filters Clears any filters applied to the display of alerts and displays all alerts.

Search

Find Enables you to search the list of alerts for a specified keyword or phrase.

Options

Edit Alert Definition

Opens the Alerts Editor enabling you to modify alert definitions as required. You can also access the Alerts Editor by right-clicking an alert definition in the Alerts Log and selecting Edit Definition.

Help

Index Provides access to online help.

The status bar in the Alerts Log provides the following information:

• Last action performed.

• Selected alert/Total number of alerts.

• Sort condition.

• Whether a filter is in effect.

Accessing Monitoring Graphs The Alerts Log provides direct access to real-time monitoring graphs. This is very useful and enables you to quickly access a monitoring graph for closer inspection of a problematic situation. For example, if an alert is triggered on a particular Pipe because the number of live connections in the Pipe has exceeded a specified amount, you can access the real-time monitoring graphs for the Pipe to understand more clearly if there is a problem or if your QoS policy requires modification.

To access monitoring graphs from the Alerts Log, right-click an alert and select from the options displayed. The monitoring graphs available vary according to the object type selected.

Filtering Alerts You can apply a filter to the Alerts Log so that only alerts matching the filter are displayed. This is useful because the Alerts Log may include up to 10,000 alerts.

To define a filter:

1. From the View menu in the Alerts Log, select Set Filters, or click the corresponding toolbar button. The Set Filters for Alerts Log dialog box is displayed:

Figure 9-5 – Set Filters for Alerts Log Dialog Box: Severity Tab

2. Select Filter Alerts as Indicated.

3. Define the filter parameters in the different tabs as follows (only the alerts that match the filter parameters will be displayed):

• In the Severity tab, select the Severity levels as required: Critical, Major, Minor, Normal, Info.

• In the Acknowledge tab, select Acknowledged or Unacknowledged.

Figure 9-6 – Set Filters for Alerts Log Dialog Box: Acknowledge Tab

• In the Source Type tab, select the object type: NE, System, Pipe, VC.

Figure 9-7 – Set Filters for Alerts Log Dialog Box: Source TypeTab

• In the Names & Description tab, select from the following specifying key words as required: Match Source Names Containing, Match Descriptions Containing, Match Alert Names Containing.

Figure 9-8 – Set Filters for Alerts Log Dialog Box: Names & Description Tab

NOTE:

The relationship between the parameters on each tab is AND. The relationship between the tabs is OR.

4. Click OK.

The filter is applied. Only the alerts that match the filter parameters are displayed in the Alerts Log and Filtered is displayed in the status bar.

To clear a filter, select Clear Filters from the View menu or click the corresponding toolbar button.

Chapter 10: Detecting Security Threats

This chapter describes the threat of DoS attacks on network performance and the ways in which NetEnforcer detects and handles DoS attacks.

This chapter includes the following sections:

Overview, page 10-1, describes the basic idea behind DoS attacks on the network.

Detecting and Handling DoS Attacks, page 10-2, describes how NetEnforcer identifies and responds to DoS attacks, as well as the DoS parameters configured in the Denial of Service (DoS) tab of the NetEnforcer Configuration window.

Additional Protective Mechanisms, page 10-5, describes some of the NetEnforcer's built-in mechanisms for protection against DoS attacks.

Security Alerts, page 10-6, describes the security alerts issued when a suspected attack has been detected.

Overview As reliance on Internet communications increases, maintaining the security and reliability of network services has become an increasingly critical issue.

Denial of Service (DoS) attacks are one of the most common ways in which attackers attempt to disrupt network services. A DoS attack causes a loss of service to users, typically by overloading the computational resources of the victim system so that it loses network connectivity or can no longer provide its services.

DoS attacks are typically executed by sending a flood of packets to a targeted Internet server (usually a Web, FTP, or mail server), exhausting the server's resources and making the system unusable. Any system that is connected to the Internet and offers TCP-based network services is subject to attack.

Detecting and Handling DoS Attacks During a DoS attack, unwanted traffic deluges the network alongside the legitimate traffic. By monitoring the rate of new connections, NetEnforcer detects attempted DoS attacks, identifies the focal point of the attack and takes the necessary actions to minimize its impact on legitimate network traffic.

Normal traffic patterns are defined in NetEnforcer. When significant irregularities are detected, the traffic most likely to be part of the attack is identified and handled according to the configured DoS parameters.

For example, under normal conditions, IP traffic that is neither TCP nor UDP (for example, ICMP) typically constitutes less than 10% of all new connections. A Smurf DoS attack, which uses forged ICMP echo requests, generates a large number of ICMP connections. Upon detecting a high level of new ICMP connections (greater than 10% of all new connections), NetEnforcer drops the ICMP connections while maintaining the connections of the other protocols.

Similarly, NetEnforcer can be configured to watch ports that are known to be used by worms. When NetEnforcer detects an abnormal increase in new connections on such a port, the traffic on that port can be dropped without affecting other TCP connections. The source IP address that generated these connections is saved in the log file.

NOTE:

To view the list of worm source IP addresses in the log,

Denial of Service (DoS) Parameters NetEnforcer analyzes the distribution of traffic across the various protocols and ports, and admits or drops excess traffic when predefined thresholds have been exceeded, according to the DoS parameters configured in the Denial of Service (DoS) tab of the NetEnforcer Configuration window.

NOTE: For details on NetEnforcer configuration, refer to Chapter 4, Configuring NetEnforcer.

The Denial of Service (DoS) tab includes parameters that let you set the rate and the number of connections that are treated as normal, as follows:

Parameter: In Case of Denial of Service Attack, New Flows will be
Definition: The action that NetEnforcer takes on new flows once it reaches the maximum rate of new connections allowed for the model. The options in the dropdown menu are:

Admitted without QoS: New connections (flows) are admitted, but are not classified, and no QoS policy is applied. This is the default setting. Note that in this mode the excess flows still pass through NetEnforcer to the servers behind it; only classification and policy enforcement are skipped.

Dropped: New connections (flows) are dropped.

Parameter: Number of Connections Within NetEnforcer will be Limited to
Definition: Defines the threshold, for traffic suspected as an attack, as the number of connections allowed at any one time.

The default is the maximum number of connections your NetEnforcer model can handle. For that figure, see the hardware description table on page 2-2 in Chapter 2, Installing NetEnforcer.

To view the number of connections over a given period of time, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will help you enter a realistic definition of an attack.

Parameter: Maximum New Connections Establishment Rate (CER)
Definition: Defines the threshold, for traffic suspected as an attack, as the number of new connections allowed per second.

To view the number of new connections per second, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will help you enter a realistic definition of an attack. If the field is left blank, NetEnforcer uses its default setting.

Additional Protective Mechanisms NetEnforcer has four additional built-in mechanisms for protection against DoS attacks:

• NetEnforcer drops ICMP packets beyond the maximum number of new connections per second, before they are inserted into its internal buffer. This number varies between NetEnforcer models.

• When NetEnforcer detects a connection rate beyond the maximum number of new connections per second, it drops the TCP/UDP packets of new flows.

• When NetEnforcer detects a high connection rate that appears to be an attack targeted at a specific address, it drops TCP/UDP packets carrying that same (spoofed) destination IP address, before they are inserted into its internal buffer.

• NetEnforcer limits the number of connections per interface, Virtual Channel or Pipe (for example, capping ICMP connections to a server farm at a limit such as 500).

Security Alerts Alerts are issued by NetEnforcer when a suspected security threat has been detected. The following alert messages are defined in the system by default.

Alert Message / Description

“DoS attack suspected: Connection establishment rate is close to the threshold”

NetEnforcer monitors the rate at which connections flowing through the unit are established. This alert is triggered when the connection rate is unusually high.

“DoS attack suspected: Abnormal high connection establishment rate of XXX”

NetEnforcer monitors the rate at which connections of various types are established. The types monitored are AnyIP (IP traffic that is neither TCP nor UDP), TCP and UDP. This alert is triggered when the rate of connections of one type is unusually high; XXX is the connection type.

“DoS attack suspected: Abnormal high connection establishment rate on port XXX”

NetEnforcer monitors the rate at which TCP connections are established on the various ports. This alert is triggered when the rate of connections on a specific port is unusually high; XXX is the port number.

“Alarm Max Connections XXX triggered”

NetEnforcer monitors the number of concurrent connections flowing through the unit. When the number of concurrent connections reaches the unit's overall limit (XXX), this alert is triggered. The limit can be set manually in the NetEnforcer GUI under the Configuration menu (the Number of Connections Within NetEnforcer will be Limited to parameter described above).

“Alarm Max Connections resolved”

This alert is triggered after an “Alarm Max Connections XXX triggered” alert has fired and the number of connections has returned to normal (below 95% of the defined limit).

“DoS attack of the type 'smurf' started”

NetEnforcer has detected an attack characterized by a large number of ICMP packets.

“DoS attack of the type 'smurf' ended”

This alert is triggered after a “DoS attack of the type 'smurf' started” alert has fired and conditions have returned to normal.

“DoS attack of the type 'UDP flood' started”

NetEnforcer has detected an attack characterized by a large number of UDP packets.

“DoS attack of the type 'UDP flood' ended”

This alert is triggered after a “DoS attack of the type 'UDP flood' started” alert has fired and conditions have returned to normal.

“DoS attack of the type 'SYN' started”

NetEnforcer has detected an attack characterized by a large number of TCP packets (a TCP SYN flood).

“DoS attack of the type 'SYN' ended”

This alert is triggered after a “DoS attack of the type 'SYN' started” alert has fired and conditions have returned to normal.

The alert messages are displayed in the Alerts Log.
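The following added example (not Allot's implementation) runs constructed per-second new-flow records through the checks this chapter describes: the overall connection establishment rate and the action taken on excess flows, the share of non-TCP/UDP new flows from the Smurf example, per-port TCP rates on watched worm ports, and the concurrent-connection limit with its 95% resolve condition. It emits the alert texts from the Security Alerts table. The threshold values, the watched port list, the "close to the threshold" fraction and the per-type limits are assumptions, since the guide does not quantify them.

```python
"""Connection-rate based DoS detection in the spirit of Chapter 10.

Added example; not Allot's implementation. Constructed per-second new-flow
records are run through the checks the chapter describes: overall
connection establishment rate (CER) and the action on excess flows, the
share of non-TCP/UDP ("AnyIP") new flows, per-port TCP rates on watched
worm ports, and the concurrent-connection limit with its 95% resolve
condition. Alert texts mirror the Security Alerts table; thresholds are
illustrative.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int]   # (protocol, destination port), one record per new flow; constructed
ATTACK_NAME = {"AnyIP": "smurf", "UDP": "UDP flood", "TCP": "SYN"}   # flow type -> attack label


@dataclass
class DosConfig:
    max_cer: int                      # Maximum New Connections Establishment Rate (per second)
    max_connections: int              # Number of Connections Within NetEnforcer will be Limited to
    excess_action: str = "admit_without_qos"     # DoS-tab default; "drop" is the alternative
    type_limits: Dict[str, int] = field(default_factory=dict)   # assumed TCP/UDP new-flow/s limits
    anyip_share: float = 0.10         # chapter's heuristic: AnyIP normally < 10% of new connections
    watched_ports: Dict[int, int] = field(default_factory=dict)  # TCP port -> assumed new-flow/s limit
    close_fraction: float = 0.8       # "close to the threshold" is not quantified in the guide; assumed


@dataclass
class Verdict:
    alerts: List[str]
    admitted: int                # new flows classified and given QoS
    admitted_without_qos: int    # excess flows passed through unclassified
    dropped: int                 # excess flows dropped


class DosDetector:
    def __init__(self, cfg: DosConfig) -> None:
        self.cfg = cfg
        self.active: Set[str] = set()     # flow types whose attack is currently "started"
        self.max_conn_alarm = False

    @staticmethod
    def flow_type(proto: str) -> str:
        """AnyIP is IP traffic that is neither TCP nor UDP (ICMP, GRE, ...)."""
        return proto if proto in ("TCP", "UDP") else "AnyIP"

    def _type_abnormal(self, ftype: str, count: int, total: int) -> bool:
        if ftype == "AnyIP":
            return total > 0 and count / total > self.cfg.anyip_share
        return count > self.cfg.type_limits.get(ftype, self.cfg.max_cer)

    def process_second(self, flows: List[Flow], live_connections: int) -> Verdict:
        cfg, alerts = self.cfg, []
        total = len(flows)
        by_type = Counter(self.flow_type(p) for p, _ in flows)

        # 1. Overall establishment rate; flows beyond max_cer receive the configured action
        if total >= cfg.close_fraction * cfg.max_cer:
            alerts.append("DoS attack suspected: Connection establishment rate is close to the threshold")
        excess = max(0, total - cfg.max_cer)

        # 2. Per-type rate, with started/ended state for the smurf / UDP flood / SYN labels
        for ftype, name in ATTACK_NAME.items():
            abnormal = self._type_abnormal(ftype, by_type[ftype], total)
            if abnormal:
                alerts.append(f"DoS attack suspected: Abnormal high connection establishment rate of {ftype}")
                if ftype not in self.active:
                    self.active.add(ftype)
                    alerts.append(f"DoS attack of the type '{name}' started")
            elif ftype in self.active:
                self.active.discard(ftype)
                alerts.append(f"DoS attack of the type '{name}' ended")

        # 3. Worm ports: TCP new flows per watched destination port
        by_port = Counter(port for p, port in flows if p == "TCP")
        for port, limit in cfg.watched_ports.items():
            if by_port[port] > limit:
                alerts.append(f"DoS attack suspected: Abnormal high connection establishment rate on port {port}")

        # 4. Concurrent-connection limit, resolved only once below 95% of it
        if live_connections >= cfg.max_connections and not self.max_conn_alarm:
            self.max_conn_alarm = True
            alerts.append(f"Alarm Max Connections {cfg.max_connections} triggered")
        elif self.max_conn_alarm and live_connections < 0.95 * cfg.max_connections:
            self.max_conn_alarm = False
            alerts.append("Alarm Max Connections resolved")

        if cfg.excess_action == "drop":
            return Verdict(alerts, total - excess, 0, excess)
        return Verdict(alerts, total - excess, excess, 0)


def demo() -> List[Verdict]:
    """Three constructed seconds: quiet traffic, an ICMP burst with a port 445 spike, then recovery."""
    cfg = DosConfig(max_cer=1000, max_connections=5000,
                    type_limits={"TCP": 800, "UDP": 400}, watched_ports={135: 50, 445: 50})
    det = DosDetector(cfg)
    quiet = [("TCP", 80)] * 300 + [("UDP", 53)] * 100 + [("ICMP", 0)] * 20
    burst = [("TCP", 80)] * 300 + [("ICMP", 0)] * 900 + [("TCP", 445)] * 60
    recover = [("TCP", 80)] * 250 + [("ICMP", 0)] * 10
    return [det.process_second(quiet, 4000), det.process_second(burst, 5200),
            det.process_second(recover, 4500)]
```

The burst second shows why the default excess action matters: with "admit_without_qos" the 260 flows above the CER still reach the servers, just unclassified, whereas "drop" discards them at NetEnforcer. Use the Connections graph in Chapter 6 to pick max_cer and max_connections from observed baselines rather than from the model maximum.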

Chapter 11: SNMP Monitoring

This chapter describes the NetEnforcer SNMP-based statistics and how to generate MRTG reports.

This chapter includes the following sections:

Viewing SNMP Statistics and Getting Traps, page 11-2, provides an overview of the SNMP statistics available in NetEnforcer.

Working with SNMP-Based Management Tools, page 11-11, describes MRTG and describes how to install and use the MRTG tool in NetEnforcer.

Viewing SNMP Statistics and Getting Traps

NetEnforcer generates traffic statistics and standard SNMP MIB-II statistics. A standard SNMP viewer, such as SNMPc (see http://www.castlerock.com), polls NetEnforcer with standard SNMP GET requests and presents the statistics as a graph.

NetEnforcer's SNMP-based statistics let you automatically generate MRTG reports (MRTG is a well-known free tool for graphing SNMP statistics) on a daily, weekly, monthly and yearly basis.

MRTG-type reports are ready to view with any browser (HTML format) and contain a two-dimensional graphic representation of the statistics. For example, you can view bandwidth usage on each defined Virtual Channel or Pipe and also on the internal/external interfaces.

An example of setting up a specific view is provided, although more graphs can be generated. For more information on MRTG see http://people.ee.ethz.ch/~oetiker/webtools/mrtg.

NetEnforcer supports SNMP traps and you can use your SNMP management station to get traps (alerts) for various system and network events.

Supported SNMP MIBs NetEnforcer includes an SNMP (Simple Network Management Protocol) agent that supports the RFC 1213/MIB-II standard and Allot MIBs. The agent provides MIB information when polled and issues traps for specific conditions.

NetEnforcer is the authoritative source of the following MIB files, which define measurement-engine variables recorded once per second and are available via the Tools button on your NetEnforcer Control Panel:

• COMPANY-MIB.txt - includes traps.

• VC-MIB.txt - includes Virtual Channel related statistics.

• PIPE-MIB.txt - includes Pipe related statistics.

• NE-STAT-MIB.txt - includes NetEnforcer level related statistics.

The private MIB of Allot includes SNMP statistics, as follows:

• Bytes in/out/total per Virtual Channel, Pipe and NetEnforcer

• Packets in/out/total per Virtual Channel, Pipe and NetEnforcer

• Number of connections and number of new connections per second

NOTE:

Specifications of MIB-II (rfc1213.mib) can be found at http://www.ietf.org/rfc1213.txt?number=1213.

Access Permissions To get SNMP statistics, you need to enter community (password) parameters. The community parameters, found in the SNMP tab of the NetEnforcer Configuration window, are as follows:

Read Community The SNMP community for devices reading SNMP variables from NetEnforcer.

Write Community The SNMP community for devices setting SNMP variables on NetEnforcer.

Trap Community The SNMP community used for NetEnforcer SNMP traps.

Trap Destination The IP address of the Network Management Console that receives the NetEnforcer-generated SNMP traps. It can be a local host.

The community-based SNMP versions (SNMPv1 and SNMPv2c) send the community string in cleartext with every request, so treat these values as shared secrets: replace any default values, keep the read and write communities different, and give the Write Community only to the management station that actually needs to set variables.

Refer to Chapter 4, Configuring NetEnforcer, for further information.

Configuring Trap Destinations NetEnforcer supports one destination for SNMP traps. Configure the address via your browser in the SNMP tab of the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer). The destination can also be set via SNMP itself.

Traps The NetEnforcer SNMP agent issues the following traps. The Number column gives the SNMPv1 generic-trap value; for the Allot-specific traps it gives the generic value 6 (enterpriseSpecific) followed by the specific-trap value, which matches the object number under NeTraps in the Allot MIB tree.

Trap Name: Cold Start
Action: Reboot and restart the SNMP process.
Number: 0

Trap Name: Link Down
Action: Disconnecting the internal or external interface forces the Link Down trap to occur. When NetEnforcer becomes active after a reboot, the Link Down trap occurs according to the internal and external NIC status.
Number: 2

Trap Name: Link Up
Action: Connecting both the internal and external interfaces forces the Link Up trap to occur. When NetEnforcer becomes active after a reboot, the Link Up trap occurs according to the internal and external NIC status.
Number: 3

Trap Name: Authentication failure
Action: A request with a wrong community string. A burst of these traps means someone is guessing community strings and is worth forwarding to your monitoring station.
Number: 4

Trap Name: NePrimaryActive
Action: Sent when the primary NetEnforcer changes to Active mode.
Number: 6-11

Trap Name: NePrimaryBypass
Action: Sent when the primary NetEnforcer changes to Bypass mode.
Number: 6-12

Trap Name: NeSecondaryActive
Action: Sent when the secondary NetEnforcer changes to Active mode.
Number: 6-13

Trap Name: NeSecondaryStandBy
Action: Sent when the secondary NetEnforcer changes to Standby mode.
Number: 6-14

Trap Name: NeSecondaryBypass
Action: Sent when the secondary NetEnforcer changes to Bypass mode.
Number: 6-15

MIB-II Support The NetEnforcer SNMP agent supports the following MIB-II groups: System, Interfaces, Address Translation, IP, ICMP, TCP, UDP and SNMP.

The MIB-II object groups are shown in the following tree diagram (the Allot private MIB hangs off enterprises.2603):

iso (1)
  org (3)
    dod (6)
      internet (1)
        directory (1)
        mgmt (2)
          mib-2 (1)
            system (1)
            interfaces (2)
            at (3)
            ip (4)
            icmp (5)
            tcp (6)
            udp (7)
            snmp (11)
        experimental (3)
        private (4)
          enterprises (1)
            AllotCom (2603)

The Allot MIB tree (enterprises.2603) is shown in the following tree diagram. Objects marked * are the indices of their table. The nesting of the MIB modules under neStatistics is as laid out in the diagram; the downloaded MIB files are authoritative.

AllotCom (2603)
  neStatistics (1)
    neStatMIB (1)
      neStat (1)
        neByteCountIn (1)
        neByteCountOut (2)
        neByteCountTotal (3)
        neLiveConnections (4)
        neNewConnections (5)
        nePacketsIn (6)
        nePacketsOut (7)
        nePacketsTotal (8)
    pipeStatMIB (2)
      pipeStat (1)
        pipeStatTable (1)
          pipeEntry (1)
            pipePosition (1)*
            pipeInstancePosition (2)*
            pipeName (3)
            pipeByteCountIn (4)
            pipeByteCountOut (5)
            pipeByteCountTotal (6)
            pipeLiveConnections (7)
            pipeNewConnections (8)
            pipePacketsIn (9)
            pipePacketsOut (10)
            pipePacketsTotal (11)
    vcStatMIB (3)
      vcStat (1)
        vcStatTable (1)
          vcEntry (1)
            vcPipePosition (1)*
            vcPipeInstancePosition (2)*
            vcPosition (3)*
            vcInstancePosition (4)*
            vcName (5)
            vcByteCountIn (6)
            vcByteCountOut (7)
            vcByteCountTotal (8)
            vcLiveConnections (9)
            vcNewConnections (10)
            vcPacketsIn (11)
            vcPacketsOut (12)
            vcPacketsTotal (13)
    qidPipeStatMIB (4)
      qidPipeStat (1)
        qidPipeStatTable (1)
          qidPipeEntry (1)
            qidPipeTemplateId (1)*
            qidPipeInstanceId (2)*
            qidPipeByteCountIn (3)
            qidPipeByteCountOut (4)
            qidPipeByteCountTotal (5)
            qidPipeLiveConnectiosn (6)
            qidPipeNewConnections (7)
            qidPipePacketsIn (8)
            qidPipePacketsOut (9)
            qidPipePacketsTotal (10)
    qidVcStatMIB (5)
      qidVcStat (1)
        qidVcStatTable (1)
          qidVcEntry (1)
            qidVcPipeTemplateId (1)*
            qidVcPipeInstanceId (2)*
            qidVcTemplateId (3)*
            qidVcInstanceId (4)*
            qidVcByteCountIn (5)
            qidVcByteCountOut (6)
            qidVcByteCountTotal (7)
            qidVcLiveConnectiosn (8)
            qidVcNewConnections (9)
            qidVcPacketsIn (10)
            qidVcPacketsOut (11)
            qidVcPacketsTotal (12)
  NeTraps (2)
    nePrimaryActive (11)
    nePrimaryBypass (12)
    neSecondaryActive (13)
    neSecondaryStandBy (14)
    neSecondaryBypass (15)
    neAlertEvent (22)

* = index of table

The object names qidPipeLiveConnectiosn and qidVcLiveConnectiosn are reproduced as they appear in the source diagram; check the spelling against the downloaded QID MIB files.

Accessing the Allot MIBs You must download the Allot MIBs via the Tools button in the NetEnforcer Control Panel. There are two zip files containing slightly different MIBs, as follows:

Mibs.zip contains:
  COMPANY-MIB.txt
  NE-STAT-MIB.txt
  PIPE-MIB.txt
  VC-MIB.txt
  MRTG_Config_for_MIBs.cfg

MibsQID.zip contains:
  COMPANY-MIB.txt
  NE-STAT-MIB.txt
  QID-PIPE-MIB.txt
  QID-VC-MIB.txt
  MRTG_Config_for_MIBs.cfg

Mibs.zip provides position MIBs whereby the index of the MIBs is according to the position of the Pipe or Virtual Channel in the policy table. MibsQID.zip provides ID MIBs whereby the index of the MIBs is according to the internal ID of the Pipe or Virtual Channel. You can download one or both of these zip files.

Both of the zip files also contain the Allot configuration file (MRTG_Config_for_MIBs.cfg).

To download Allot MIBs:

1. From the NetEnforcer Control Panel, click Tools and select Download Allot MIBs and then VC/Pipe by ID or VC/Pipe by Position.

2. Download the files contained in the zip file to a local drive.

3. Repeat steps 1 and 2 for the second MIB zip file if required.

4. Use your network management application's MIB integration tool to compile the Allot MIBs.

5. Query the Allot MIB objects using your network management application. You can produce graphs based on the statistics generated.

Using the Allot Position MIBs

The Allot MIBs extend the basic SNMP MIB-II and include information on Pipes and Virtual Channels in the form of tables. These tables are ordered according to the policy table (in the Policy Editor), described in Chapter 8, Defining Policies.

The object ID of an entry in the Pipe table is constructed from the Pipe position in the policy table and the Pipe instance (host) position in the host group. The object ID of an entry in the Virtual Channel table is constructed from the Pipe position in the policy table, the Pipe instance (host) position in the host group, the Virtual Channel position in the Pipe and the Virtual Channel instance (host) position in the host group.


When the policy table is modified and the new table is reloaded to the SNMP agent, the changes will affect the SNMP Pipe and Virtual Channel tables. Thus, a change in the Pipe/Virtual Channel position will change its object ID accordingly. For example:

Original Policy Table    Object ID
Pipe1                    1.0
Pipe1_Vc1                1.0.1.0
Pipe1_Vc2                1.0.2.0
Pipe2                    2.0
Pipe2_Vc1                2.0.1.0
Pipe2_Vc2                2.0.2.0
Pipe3                    3.0
Pipe3_Vc1                3.0.1.0
Pipe3_Vc2                3.0.2.0

Now Pipe 3 has been moved up and the table looks as follows:

Modified Policy Table    Object ID
Pipe1                    1.0
Pipe1_Vc1                1.0.1.0
Pipe1_Vc2                1.0.2.0
Pipe3                    2.0
Pipe3_Vc1                2.0.1.0
Pipe3_Vc2                2.0.2.0
Pipe2                    3.0
Pipe2_Vc1                3.0.1.0
Pipe2_Vc2                3.0.2.0
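The index rule above, worked through as an added Python example that is not part of the guide: it derives the position-based index of every Pipe and Virtual Channel from the policy table, lists which indexes change when Pipe 3 is moved up, and contrasts them with an ID-based index modelled on the four starred index objects of the qidVc table (the template/instance ID values are constructed). It also emits an MRTG Target line in the format used by the example configuration later in this chapter, to show that a target written against the old table keeps polling an index that now belongs to a different Virtual Channel.

```python
"""Position-based vs ID-based SNMP indexes for NetEnforcer Pipes and VCs.

Added example, not from the guide. A Pipe row is indexed
<pipe position>.<pipe instance>; a VC row is indexed
<pipe position>.<pipe instance>.<vc position>.<vc instance>. The ID-based
(MibsQID) index follows the starred qidVc index objects
qidVcPipeTemplateId.qidVcPipeInstanceId.qidVcTemplateId.qidVcInstanceId;
the ID values used below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class VC:
    name: str
    template_id: int       # constructed stand-in for qidVcTemplateId
    instance_id: int = 0   # host-group instance; 0 when not template-expanded


@dataclass
class Pipe:
    name: str
    template_id: int       # constructed stand-in for qidVcPipeTemplateId
    instance_id: int = 0
    vcs: List[VC] = field(default_factory=list)


def position_indexes(policy: List[Pipe]) -> Dict[str, str]:
    """Name -> position-based index suffix; positions count from 1 in table order."""
    out: Dict[str, str] = {}
    for p_pos, pipe in enumerate(policy, start=1):
        out[pipe.name] = f"{p_pos}.{pipe.instance_id}"
        for v_pos, vc in enumerate(pipe.vcs, start=1):
            out[vc.name] = f"{p_pos}.{pipe.instance_id}.{v_pos}.{vc.instance_id}"
    return out


def id_indexes(policy: List[Pipe]) -> Dict[str, str]:
    """Name -> ID-based index suffix; independent of the table order."""
    out: Dict[str, str] = {}
    for pipe in policy:
        out[pipe.name] = f"{pipe.template_id}.{pipe.instance_id}"
        for vc in pipe.vcs:
            out[vc.name] = (f"{pipe.template_id}.{pipe.instance_id}."
                            f"{vc.template_id}.{vc.instance_id}")
    return out


def drifted(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Entities whose index changed between two snapshots of the same policy.

    A non-empty result for position indexes means MRTG targets built from the
    old table now graph a different Pipe or VC than their label claims.
    """
    return {n: (before[n], after[n])
            for n in before if n in after and before[n] != after[n]}


def mrtg_target(label: str, counter_in: str, counter_out: str,
                index: str, community: str, host: str) -> str:
    """One MRTG Target line in the form used by the guide's example config.

    The community name is the SNMP credential; 'public' is only the guide's
    example value, and a read-only community should be used for polling.
    """
    return (f"Target[{label}]: {counter_in}.{index}&{counter_out}.{index}"
            f":{community}@{host}:::::2")


def move_pipe_up(policy: List[Pipe], name: str) -> List[Pipe]:
    """Return a copy of the policy table with the named Pipe moved one row up."""
    table = list(policy)
    i = next(k for k, p in enumerate(table) if p.name == name)
    if i > 0:
        table[i - 1], table[i] = table[i], table[i - 1]
    return table


def chapter_table() -> List[Pipe]:
    """The three-Pipe policy table from the example above (IDs constructed)."""
    return [
        Pipe("Pipe1", 101, vcs=[VC("Pipe1_Vc1", 201), VC("Pipe1_Vc2", 202)]),
        Pipe("Pipe2", 102, vcs=[VC("Pipe2_Vc1", 203), VC("Pipe2_Vc2", 204)]),
        Pipe("Pipe3", 103, vcs=[VC("Pipe3_Vc1", 205), VC("Pipe3_Vc2", 206)]),
    ]


if __name__ == "__main__":
    original = chapter_table()
    modified = move_pipe_up(original, "Pipe3")
    pos_before, pos_after = position_indexes(original), position_indexes(modified)
    for name, (old, new) in drifted(pos_before, pos_after).items():
        print(f"{name}: position index {old} -> {new}")
    # ID-based indexes survive the reorder untouched.
    assert not drifted(id_indexes(original), id_indexes(modified))
    # A target written against the original table still polls 3.0.1.0, which
    # after the move belongs to Pipe2_Vc1, not Pipe3_Vc1.
    print(mrtg_target("vc", "vcByteCountIn", "vcByteCountOut",
                      pos_before["Pipe3_Vc1"], "public", "10.10.10.10"))
```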


Working with SNMP-Based Management Tools

This section describes MRTG (one example of an SNMP-based management tool) and describes how to install and use the MRTG tool in NetEnforcer.

Introducing MRTG

The MRTG (Multi Router Traffic Grapher) tool is used to monitor the traffic load on your NetEnforcer and is free for personal use. You can download it from http://people.ee.ethz.ch/~oetiker/webtools/mrtg. A network manager may view bandwidth usage on each defined Virtual Channel or Pipe and also on the internal/external interfaces.

The MRTG tool generates HTML pages that present traffic graphs. Using a standard Web browser, you can view pages, each containing graphs showing daily, weekly, monthly and yearly information.

Traffic statistics are generated by NetEnforcer and written in a standard SNMP MIB format. The MRTG tool, using PERL scripts, polls NetEnforcer using a standard SNMP GET command and saves the data in the host (management PC) log. The log is automatically consolidated and while the log saves data for the last two years, it does not grow over time.

NOTE:

If you want to preserve the highest rates as seen on the daily graph, use the "With Peak" option. This will show the highest values that were recorded in addition to the averages.


Installing MRTG for NetEnforcer

The following procedure describes how to prepare NetEnforcer to work with the MRTG tool.

To install MRTG:

1. Install MRTG on your computer. (MRTG can be installed on both Unix/Linux and Windows.)

NOTE:

Download sources or binaries from http://people.ee.ethz.ch/~oetiker/webtools/mrtg/.

2. Install PERL if you do not have it installed. PERL for Windows can be downloaded from http://www.ActiveState.com.

3. If you have not already done so, download the Allot position MIBs and/or ID MIBs including the Allot configuration file (MRTG_Config_for_MIBs.cfg). This procedure is described on page 11-8.

NOTE:

Save the .txt files to C:/Mrtg. If you want to save them to another directory, change the directory defined in the LoadMIBs line in the configuration file. Save the configuration file (MRTG_Config_for_MIBs.cfg) to C:/MRTG/bin. This directory is generated during the MRTG installation.


4. If you are using the ID MIBs, you must get the internal IDs for Pipes and Virtual Channels for which you want to generate MRTG graphs. From the NetEnforcer Control Panel, click Tools and select Pipe/VC ID Lookup for SNMP. The Pipe/VC Lookup for SNMP dialog box is displayed:

Figure 11-1 – Pipe/VC Lookup for SNMP Dialog Box

5. Select a Pipe or Virtual Channel and the ID for the selected item is displayed in the Entity ID for Selection Above field. Copy and paste the IDs into the configuration file (MRTG_Config_for_MIBs.cfg).

NOTE:

You could also write down the IDs and then add them to the configuration file.


6. Repeat step 5 to retrieve IDs for all the Pipes and Virtual Channels for which you want to generate MRTG graphs.

7. Adapt the MRTG_Config_for_MIBs.cfg file to your setup. For example, specify the NetEnforcer IP address, location of MIB files, SNMP community name and OIDs of the counters you would like to monitor. Refer to the comments in the allot.cfg file for more information.

To install MRTG daemon:

• Start MRTG as a daemon, passing the path to MRTG_Config_for_MIBs.cfg as a command line parameter. For example, if you installed MRTG on Windows in the directory C:\mrtg and also copied MRTG_Config_for_MIBs.cfg and the MIB files to C:\mrtg, the following command starts MRTG in daemon mode with the proper configuration:

Start /b perl C:\mrtg\bin\mrtg C:\mrtg\MRTG_Config_for_MIBs.cfg

NOTE:

The MIB files must be the same as the files on your NetEnforcer. The files may also be found on NetEnforcer in /usr/local/share/snmp/mibs/.

In general, you can monitor the following NetEnforcer SNMP counters with MRTG:

• vcByteCountIn
• vcByteCountOut
• vcByteCountTotal
• pipeByteCountIn
• pipeByteCountOut
• pipeByteCountTotal
• neByteCountIn
• neByteCountOut
• neByteCountTotal
• vcPacketCountIn
• vcPacketCountOut
• vcPacketCountTotal
• pipePacketCountIn
• pipePacketCountOut
• pipePacketCountTotal
• nePacketCountIn
• nePacketCountOut
• nePacketCountTotal
• Number of connections
• Number of new connections per second


Example MRTG Configuration File

This example refers to a configuration file named MRTG_Config_for_MIBs.cfg and a NetEnforcer with IP address 10.10.10.10 and community name public. The MIB files are located in drive D.

LoadMIBs: d:\COMPANY-MIB.TXT, d:\NE-STAT-MIB.TXT, d:\PIPE-MIB.TXT, d:\VC-MIB.TXT
RunAsDaemon: Yes
WorkDir: d:

This target refers to the inbound and outbound bytes on the Fallback Virtual Channel in the default database.

Target[vc]: vcByteCountIn.1.0.6.0&vcByteCountOut.1.0.6.0:public@10.10.10.10:::::2
Options[vc]: growright, nobanner
MaxBytes[vc]: 50000000
Title[vc]: Traffic Analysis for AC
PageTop[vc]: <H1>Traffic Analysis – AC</H1>\n VC Out / VC In
WithPeak[vc]: d,w,m,y
Suppress[vc]: y,m


This target refers to the inbound and outbound bytes on the Fallback Pipe in the default database.

Target[pipe]: pipeByteCountIn.1.0&pipeByteCountOut.1.0:public@10.10.10.10:::::2
Options[pipe]: growright, nobanner
MaxBytes[pipe]: 50000000
Title[pipe]: Traffic Analysis for AC
PageTop[pipe]: <H1>Traffic Analysis – AC</H1>\n PIPE Out / PIPE In
WithPeak[pipe]: d,w,m,y
Suppress[pipe]: y,m


Example NetEnforcer MRTG Graphs


NetEnforcer Operation Guide v5.5

A-1

Appendix A: NetEnforcer Command Line Interface

This appendix describes the command line interface that can be used to configure NetEnforcer. You can also configure NetEnforcer from a Web browser, described in Chapter 4, Configuring NetEnforcer.

NetEnforcer Command Line Interface

The NetEnforcer CLI can be used to define Pipes, Virtual Channels, Rules and Catalog entries whenever you want to enter multiple entries without having to use the browser interface described in the preceding chapters, for example, if you need to add 1000 new hosts to the Host Catalog. In addition, you can also use the CLI to set system parameters and device settings.

The CLI enables you to modify the NetEnforcer database from a command line. The CLI supplies a set of commands to add, change, rename and remove NetEnforcer entities, such as Pipes, Virtual Channels or other Catalog entries, and to change the configuration of NetEnforcer. This section describes how to access the CLI and how to work with it.

Command Execution Modes

The NetEnforcer CLI can operate in two different modes, as follows:

• Single command mode – whereby each command is executed separately.

• Cyclic mode – whereby multiple CLI commands are aggregated for execution at set time intervals.

To enable Cyclic execution, enter the following command:

"go config policy_srv -cli_timeout X" (X in seconds).


This CLI command will make the system execute the CLI commands every X seconds instead of executing them immediately. This improves the efficiency of the CLI execution process.

Accessing the CLI

The CLI is accessed through the Console interface of your NetEnforcer.

To access the CLI:

1. Connect to NetEnforcer using one of the following methods:

• From a local host:

  • Using a monitor and keyboard connected directly to NetEnforcer.

  • Via Telnet from a workstation located on the same network as NetEnforcer.

• From a remote host:

  • Using a CLI executable, enter the IP address of the remote host.

2. Log in to NetEnforcer as the root user. The default password is bagabu.

IMPORTANT:

It is strongly recommended that you change the default password of the “root” user. For details on how to change the password, please refer to Chapter 2, Installing NetEnforcer.

Scripts

You can write scripts containing both CLI and Linux commands that will automate the data entry process. For example, you can write a script that will add 40 rules to 30 different Virtual Channels.

A script can be written on a remote workstation, using your preferred text editor, and then sent to NetEnforcer using FTP. Alternatively, you can create the script directly on NetEnforcer using the built-in vi editor. In both cases, ensure that the script has Execute attributes. (For more details on file attributes, please refer to a Linux manual.)


NOTE:

It is recommended that you save your scripts in a new directory on NetEnforcer (for example, /root/scripts), so that they will not be overwritten should you upgrade your NetEnforcer software in the future.

CLI Command Syntax

The CLI consists of several commands, each of which has a switch and one or more parameters. The syntax of the CLI is:

go <action> <switch> <parameter> <parameter value> <parameter> <parameter value>

Where:

go precedes all CLI commands.

<action> is the command to perform. This can be add, delete, change, rename, list or config.

<switch> is the object (for example, Pipe) upon which the command is performed.

<parameter> is the parameter required (for example, host name).

<parameter value> is the value of the parameter.

Additional optional parameters may be used, as follows:

-f: This parameter disconnects the other client that holds write permissions and gives the write permissions to the CLI client. It can be used with all switches except list.

NOTE:

When working with Pipes, Virtual Channels, Rules or Catalog entries, you must enclose the name of the Pipe, Virtual Channel, Rule or Catalog entry in quotation marks if it contains more than one word. For example, go add vc Gold:PipeGold is accepted, as well as go add vc “Gold Service:PipeGold”. However, the command go add vc Gold Service:PipeGold will return an error message.


Online Help

If you are unsure as to which parameters are used with a specific command, you can enter an incomplete command (for example, without the parameters), and the CLI will list all the available parameters for that action and switch. For example, if you were to enter the command go add time, you will receive the following output:

Usage: go add time {Name} [<-OPTION> <VALUE>...] {ITEM_FORMAT,ITEM_FORMAT,...}
Defined Formats of the Time Item are:
# daily[:<Time>]
# weekly[:<WeekDay:Time>]
# monthly[:<MonthDay:Time>]
# yearly[:<Month:MonthDay:Time>]
Acceptable values for WeekDay are: sun, mon, tue, wed, thu, fri, sat ('sun' by default)
Acceptable values for Months are: 1 - 12 (1 by default)
Acceptable values for MonthDay are: 1 - 31 (1 by default)
Time format should be 'HH.mm-HH.mm' or 'allDay' ('allDay' by default)
Options: -f: force the write permissions to CLI client

Command Descriptions

This section describes the commands available.

{param} – required parameter

[param] – optional parameter


ToS Catalog Editing

Commands available:

• go add tos {newName} {tosByte}

• go change tos {tosName} {tosByte}

• go delete tos {tosName}

• go rename tos {tosName:newName}

Parameter Description

newName The new name to be set to the ToS Catalog entry.

tosName The name of the existing ToS Catalog entry.

tosByte Enumeration of the selected bit numbers with ',' between them: 1 - 8.

Data Source Catalog Editing

Commands available:

• go add datasrc {newName:ldap} {location:user:passwd[:description]}

• go add datasrc {newName:txtfile} {location[:description]}

• go change datasrc {dsName} {location:user:passwd[:description]}

• go delete datasrc {dsName}

• go rename datasrc {dsName:newName}


Parameter Description

newName The new name to be set for the Data Source Catalog entry.

dsName The name of the existing Data Source Catalog entry.

location IP/hostname of LDAP/TFTP server.

user The username assigned to the LDAP user.

passwd The password assigned to the LDAP user.

description The description of the data source (optional parameter).

VLAN Catalog Editing

Commands available:

• go add vlan {newName} {priority_bits_state:priority_bits:vlan_id_state:vlan_id}

• go change vlan {vlanName} {priority_bits_state:priority_bits:vlan_id_state:vlan_id}

• go delete vlan {vlanName}

• go rename vlan {vlanName:newName}

Parameter Description

newName The new name to be set for the VLAN Catalog entry.

vlanName The name of the existing VLAN Catalog entry.

priority_bits_state Enabling/disabling of the Vlan priority bits: enable, disable.

priority_bits The priority bits number: 0 – 7.

vlan_id_state Enabling/disabling of the Vlan ID: enable, disable.

vlan_id The Vlan ID number: 0 – 4095.


QoS Catalog Editing

Commands available:

• go add/change qos {newName:pipe_both} -prior P -max_bw Max -min_bw Min[:minReserved] -tos tos_in:tos_out -general maxCon:admissionCtrl:tos_admit

• go add/change qos {qosName:pipe_each} -prior P1,P2 -max_bw Max1,Max2 -tos tos_in1:tos_out1,tos_in2:tos_out2 -min_bw Min1[:minReserved],Min2[:minReserved] -general maxCon:admissionCtrl:tos_admit

• go add/change qos {qosName:pipe_half_duplex} -prior P1 -avail_bw Bw -general maxCon:admissionCtrl:tos_admit

• go add/change qos {qosName:vc_both} -prior P -tos tos_mark -max_bw Max -min_bw Min -general maxCon:admissionCtrl -con_alloc burst:maxBw:size:minBw/cbr:bw:delay

• go add/change qos {qosName:vc_each} -prior P1,P2 -tos tos_mark1,tos_mark2 -max_bw Max1,Max2 -min_bw Min1,Min2 -general maxCon:admissionCtrl -con_alloc burst:maxBw1:size1:minBw1/cbr:bw1:delay1,burst:maxBw2:size2:minBw2/cbr:bw2:delay2

• go delete qos {qosName}

• go rename qos {qosName:newName}

Parameter Description

newName The new name to be set for the QoS Catalog entry.

qosName The name of the existing QoS Catalog entry.

-prior The priority per VC or Pipe: 1-10 (default: 4).

-max_bw The maximum bandwidth for a VC or Pipe, for example, 10M or 100K.

-min_bw The minimum bandwidth for a VC or Pipe, for example, 10M or 100K.


-avail_bw The available bandwidth for a Full Duplex Pipe, for example, 10M or 100K.

minReserved The minimum bandwidth reserve available: yes or no (default: no).

tos_admit The name of the ToS Catalog entry to mark the admitted traffic.

tos_in The name of the ToS Catalog entry to mark in-profile traffic.

tos_out The name of the ToS Catalog entry to mark out-of-profile traffic.

tos_mark The name of the ToS Catalog entry to mark traffic.

maxCon The maximum number of connections allowed on the VC or Pipe.

admissionCtrl The admission control: reject, drop, admit.

Connection allocation parameters when the traffic shaping method is burst:

maxBw The maximum bandwidth per connection, for example, 10M or 100K.

minBw The minimum bandwidth per connection, for example, 10M or 100K.

size The burst size in K/M bit per second.

Connection allocation parameters when the traffic shaping method is cbr:

bw The bandwidth per connection, for example, 10M or 100K.

delay The delay in microseconds: 100 - 1,000,000.

When the type of QoS entry is vc_each or pipe_each, all of the parameters (except for -general) require two values separated by a comma. The first value is for inbound traffic and the second is for outbound traffic. If you do not want to specify an inbound parameter, leave that field empty, for example, -prior ,2.


Host Catalog Editing

Commands available:

• go add host {newName:addresses} {type:value[:interface],type:value,…}

• go add host {newName:group} {host1,host2}

• go add host {newName:ldap} {dataSource:root:address_attr:name_attr:filter}

• go add host {newName:txtfile} {dataSrc:file:start_row:address_pos:name_pos:delimiter}

• go change host {hostName} {-/+type:value[:interface],-/+type:value[:interface]}

• go change host {hostName} {-/+host1,-/+host2,…}

• go change host {hostName} {=type:value[:interface],type:value[:interface],…}

• go change host {hostName} {=host1,host2,…}

• go change host {hostName} {dataSource:root:address_attr:name_attr:filter}

• go change host {hostName} {dataSrc:file:start_row:address_pos:name_pos:delimiter}

• go delete host {hostName}

• go rename host {hostName:newName}

Parameter Description

newName The new name to be set for the Host Catalog entry.

hostName The name of the existing Host Catalog entry.

Parameters to Host Entry of type addresses:

type Type of address: name, range, netaddr, ipaddr, macaddr.

value Address according to the type specified.

interface Interface type : internal, external, anywhere (by default).


Parameters to Host Entry of type group:

host1,host2 The names of previously defined Host Catalog entries separated by comma, which will be joined in a group.

Parameters to Host Entry of type ldap:

dataSource The name of the previously defined Data Source Catalog entry.

root LDAP Directory subtree root.

address_attr The addresses attribute name.

name_attr The name attribute name.

filter LDAP Directory search filter.

Parameters to Host Entry of type txtfile:

file The full file path on remote host.

start_row The row number from which to start reading data in a text file.

address_pos The position of address field.

name_pos The position of name field.

delimiter The separator character that separates a text file row into fields: comma, space, semicolon or other character.

When changing the addresses or group list of the Host Entry, prefix each address or group item with '-' or '+' ('-' to remove the item, '+' to add it), or prefix '=' once at the beginning to replace the list with the new one entered. For example:

go change host Test1 -ipaddr:2.2.2.2,+range:1.1.1.1-1.1.1.9 -f

go change host Test2 +host8,-host9 -f

go change host Test2 =host10,host11 -f


When changing a Host Entry of type txtfile or ldap, use empty fields for the parameters you do not want to change. For example, to change only the LDAP filter:

go change host Test1 ::::servicegroup=gold
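Generating Host Catalog commands in bulk (the 1000-host case mentioned at the start of this appendix), as an added Python example that is not part of the guide: it builds go add host and go change host lines from records, applies the quoting rule for names of more than one word and the -/+/= list prefixes described above, and rejects malformed addresses before anything reaches the device. The address validation rules (ipaddr as an IPv4 address, range as low-high, netaddr as CIDR or address/mask, macaddr as twelve hex digits with optional dashes) are assumptions, since the guide only names the address types.

```python
"""Bulk generation of NetEnforcer CLI Host Catalog commands.

Added example, not from the guide. Emits 'go add host' and 'go change host'
lines in the syntax listed above and applies the CLI quoting rule: a name
containing more than one word is enclosed in quotation marks. The address
validation rules are assumptions (the guide only names the address types).
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

ADDRESS_TYPES = {"name", "range", "netaddr", "ipaddr", "macaddr"}
INTERFACES = {"internal", "external", "anywhere"}
# Assumed MAC format: 12 hex digits, optionally dash-separated in pairs.
_MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                       r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")

# (type, value, interface or None), mirroring type:value[:interface].
Address = Tuple[str, str, Optional[str]]


def quote_token(token: str) -> str:
    """Quote a CLI token that contains whitespace; other tokens pass unchanged."""
    return f'"{token}"' if any(ch.isspace() for ch in token) else token


def validate_address(addr: Address) -> str:
    """Return a type:value[:interface] item, or raise ValueError."""
    kind, value, iface = addr
    if kind not in ADDRESS_TYPES:
        raise ValueError(f"unknown address type {kind!r}")
    # ':' and ',' are the CLI's field and item separators; a value containing
    # them would be split by the parser into something other than intended.
    if ":" in value or "," in value or any(ch.isspace() for ch in value):
        raise ValueError(f"{value!r} contains a CLI separator")
    if kind == "ipaddr":
        ipaddress.IPv4Address(value)              # AddressValueError is a ValueError
    elif kind == "range":
        low, sep, high = value.partition("-")
        if not sep or ipaddress.IPv4Address(low) > ipaddress.IPv4Address(high):
            raise ValueError(f"bad range {value!r}")
    elif kind == "netaddr":
        ipaddress.IPv4Network(value, strict=True)  # rejects host bits in the prefix
    elif kind == "macaddr":
        if not _MAC.match(value):
            raise ValueError(f"bad MAC address {value!r}")
    elif not _HOSTNAME.match(value):
        raise ValueError(f"bad host name {value!r}")
    if iface is None:
        return f"{kind}:{value}"
    if iface not in INTERFACES:
        raise ValueError(f"bad interface {iface!r}")
    return f"{kind}:{value}:{iface}"


def add_host(name: str, addresses: Iterable[Address], force: bool = False) -> str:
    """go add host {newName:addresses} {type:value[:interface],...}

    force=True appends -f, which disconnects whichever client currently holds
    write permissions; it is off by default so a batch cannot silently take
    the write lock away from an operator.
    """
    items = [validate_address(a) for a in addresses]
    if not items:
        raise ValueError("a host entry needs at least one address")
    cmd = f"go add host {quote_token(name + ':addresses')} {','.join(items)}"
    return f"{cmd} -f" if force else cmd


def change_host(name: str, add: Iterable[Address] = (), remove: Iterable[Address] = (),
                replace: Optional[Iterable[Address]] = None, force: bool = False) -> str:
    """go change host {hostName} {-/+item,...} or {=item,...}"""
    add, remove = list(add), list(remove)
    if replace is not None:
        if add or remove:
            raise ValueError("'=' replaces the whole list; do not combine with +/-")
        body = "=" + ",".join(validate_address(a) for a in replace)
    else:
        items = (["-" + validate_address(a) for a in remove]
                 + ["+" + validate_address(a) for a in add])
        if not items:
            raise ValueError("nothing to change")
        body = ",".join(items)
    cmd = f"go change host {quote_token(name)} {body}"
    return f"{cmd} -f" if force else cmd


def script_lines(records: Iterable[Tuple[str, List[Address]]], force: bool = False) -> List[str]:
    """One 'go add host' line per (name, addresses) record.

    Every record is validated before any line is returned, so one bad row in
    a large import fails the whole batch instead of leaving a half-loaded catalog.
    """
    return [add_host(name, addrs, force) for name, addrs in records]


if __name__ == "__main__":
    # Constructed sample records, not data from the guide.
    sample = [
        ("Gold Hosts", [("ipaddr", "10.1.1.5", "internal"), ("range", "10.1.2.1-10.1.2.9", None)]),
        ("web-farm", [("netaddr", "10.1.3.0/24", None)]),
    ]
    print("\n".join(script_lines(sample)))
    print(change_host("Test1", add=[("range", "1.1.1.1-1.1.1.9", None)],
                      remove=[("ipaddr", "2.2.2.2", None)], force=True))
```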

Time Catalog Editing

Commands available:

• go add time {newName} {item1,item2,...}

• go change time {tmName} {-/+item1,-/+item2,...}

• go change time {tmName} {=item1,item2,...}

• go delete time {tmName}

• go rename time {tmName:newName}

Parameter Description

newName The new name to be set to the Time Catalog entry.

tmName The name of the existing Time Catalog entry.

item The Time item formats defined: daily[:time], weekly[:day[:time]], monthly[:month_day[:time]], yearly[:month:month_day[:time]].

time The range of hours and minutes: HH.mm-HH.mm, allDay (default: allDay).

day The day of the week: sun, mon, tue, wed, thu, fri, sat. This is valid for weekly time periods.


month The month: 1-12. This is valid for yearly time periods.

month_day The day of the month: 1-31. This is valid for monthly and yearly time periods.

When changing the Time Entry, prefix each time item with '-' or '+' ('-' to remove the item, '+' to add a new item), or prefix '=' once at the beginning to replace the list with a new one. For example:

go add time Test1 daily:10.00-20.00,weekly:5:08.20-20.00 -f

go change time Test1 -daily:10.00-20.00,+monthly:15 -f

go change time Test1 =daily:14.00-20.00,monthly:25 -f

Service Catalog Editing

Commands available:

• go add service {newName:appl} -protocol net[:ip[:app]] -dst_ports p1,p2,… -port_type pt -parse_by_port enable|disable -coll_filter filter

• go add service {newName:group} [-group_report enable|disable] {srvName1,srvName2,...}

• go add service {newName:content:parentName} {content1,content2,...}

• go change service {srvName} -protocol net[:ip[:app]] -dst_ports -/+p1,-/+p2 -port_type pt -parse_by_port enable|disable -coll_filter filter

• go change service {srvName} -dst_ports =p1,p2,…

• go change service {grName} [-group_report enable|disable] {-/+srvName1,-/+srvName2,...}

• go change service {contName} {-/+content1,-/+content2,...}


• go delete service {srvName}

• go rename service {srvName:newName}

Parameter Description

newName The new name to be set to the Service Catalog entry.

srvName The name of the existing Service Catalog entry.

-protocol The protocol of the Service entry. By default IP:TCP:Other TCP.

net The network protocol to be used by the Catalog entry: IP, ARP, Banyan-Vines, DEC-DECNET, DEC-LAT, DEC-Ethernet, Appletalk, SNA, IPX, Ipv6, MS-IPX, NetBEUI, ANY, PPPoE-Discovery, PPPoE-Control or a whole number in the interval 1 – 65534.

ip The transport protocol, if the Network Protocol is IP only: TCP, UDP, EIGRP, ICMP, IGMP, EGP, RSVP, OSPFIGP, SIPP-ESP, SIPP-AH, I-NLSP, SWIPE, GGP, GRE, ANY or a whole number in the interval 1 - 255.

app The name of the Application protocol, when the Transport Protocol is TCP or UDP only.

-dst_ports The list of ports on the destination host at which the traffic should arrive: x, x-y.

-port_type The Port type: all, other, list.

-coll_filter The Collection filter: service, appl.

content The format of a Content value is <type:value>. Content Types and Values depend on the Application.


Acceptable Contents to the Application HTTP are:

• url

• method - with one of the values CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE

• host

• content-type - the command 'go list content' shows all of the acceptable values

Acceptable Contents to the Application FTP are:

• command - with one of the values Download, Upload, Other

• file

Acceptable Contents to the Application Oracle are:

• service

• user

Acceptable Contents to the Application Citrix are:

• appl

• user

• Priority - with one of the values High, Medium, Low, Print Traffic

Acceptable Contents to the Application H.323 are:

• codec - with one of the values H.323 G711-64K Codec, H.323 G711-56K Codec, H.323 G722-64K Codec, H.323 G722-56K Codec, H.323 G722-48K Codec, H.323 G7231 Codec, H.323 G728 Codec, H.323 G729 Codec, H.323 H261 Codec, H.323 H262 Codec, H.323 H263 Codec, H.323 Audio Default Codec, H.323 Video Default Codec

Acceptable Contents to the Application KaZaA and Gnutella are:

• Direction - with one of the values Upload, Download

Acceptable Contents to the Application Citrix ICA are:

• Priority - with one of the values High, Medium, Low, Print Traffic


Acceptable Contents to the Application SMTP are:

• domains_file - with the name of the file containing domains

• Domains

Acceptable Contents to the Application Citrix NFuse are:

• appl

• user

• Priority - with one of the values High, Medium, Low, Print Traffic

Acceptable Contents to the Application MGCP are:

• codec

• Media Type - with one of the values Audio, Video, Application, Data, All

When changing the port list of a Service Entry, prefix each port number or port range with '-' or '+' ('-' to remove the port, '+' to add a new port), or prefix '=' once at the beginning to replace the port list with the new one entered. The same prefixes are used to update the Service Group list and the Content Inspection list. For example:

go add service Test1:appl -dst_ports 333,3456-3460 -f

go change service Test1 -dst_ports +2222-2228,-333

go change service Test1 -dst_ports =2222-2228,4444 -f

Connection Control Catalog Editing

Commands available:

• go add coc {newName:lb:<Technique:PortUse>} -behaviour NoSrvAction[:Backup:Sticky] -servers Host:[Port:Weight],Host:[Port:Weight],...

• go add coc {newName:cache} -behaviour NoSrvAction -servers Host,Host

• go change coc {cocName} -behaviour NoSrvAction[:Backup:Sticky] -servers -/+Host[:Port:Weight],-/+Host[:Port:Weight],...


• go delete coc {cocName}

• go rename coc {cocName:newName}

Parameter Description

newName The new name to be set to the Connection Control Catalog entry.

cocName The name of the existing Connection Control Catalog entry.

Host Hostname or IP address of Load Balancing/Cache server.

NoSrvAction No Server action: drop, reject, pass-as-is (by default).

Parameters to Connection Control entry of type lb only:

Technique The load balancing technique being used: rr, fa, wrr (by default).

PortUse The load balancing port being used: original (by default), assigned, fixed:<PortNumber>

Backup Whether to activate load balancing on server failure: yes, no (by default).

Sticky The timeout (in seconds) for sticky connections: 0 - 999999.

Port The port number on load balancing server.

Weight The weight number on load balancing server, when Technique is defined as wrr.

When changing the servers list of a Connection Control entry, prefix each server item with '-' or '+' ('-' to remove the item, '+' to add it), or prefix '=' once at the beginning to replace the list with a new one. For example:

go add coc Test1:lb:wrr:fixed:777 -servers 10.1.1.4::3 -f

go change coc Test1 -servers -10.1.1.4::3,+10.1.1.10::5 -f


Policy Catalog Editing

Commands available:

• go add pipe {newName[:state]} -expand exp -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -access Access -qos QoS -offset X -dir X

• go change pipe {pName[:state]} -expand exp -access Access -qos QoS

• go delete pipe {pName}

• go rename pipe {pName:newName}

• go add vc {newName:pName[:state]} -expand exp -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -access Access -qos QoS -coc Coc -offset X -dir X

• go change vc {vcName:pName[:state]} -expand exp -access Access -qos QoS -coc Coc

• go delete vc {vcName:pName}

• go rename vc {vcName:newName:pName}

• go add prule {pName[:state]} -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -offset X -dir X

• go change prule {pName:offset[:state]} -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -dir X

• go delete prule {pName:offset}

• go add vcrule {vcName:pName[:state]} -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -offset Offset -dir X

• go change vcrule {vcName:pName:offset[:state]} -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -dir X

• go delete vcrule {vcName:pName:offset}


Parameter Description

newName The new name to be set for the Pipe or Virtual Channel.

pName The name of the existing Pipe.

vcName The name of the existing Virtual Channel.

state The status of the Pipe, Virtual Channel or Rule: enable, disable (default: enable).

-expand The location of the Host Catalog entry for template expansion: none (no template), src, dst.

-src The Connection Source condition of the Pipe or Virtual Channel: any entry from the Host Catalog. (default: Any)

-dst The Connection Destination condition of the Pipe or Virtual Channel: any entry from the Host Catalog. (default: Any)

-service The Service condition of the Pipe or Virtual Channel: any entry from the Service Catalog. (default: All IP)

-time The Time condition of the Pipe or Virtual Channel: any entry from the Time Catalog. (default: Anytime)

-tos The ToS condition of the Pipe or Virtual Channel: any entry from the TOS Catalog. (default: Ignore)

-vlan The Vlan condition of the Pipe or Virtual Channel: any entry from the Vlan Catalog. (default: Any)

-qos The QoS action of the Pipe or Virtual Channel: any entry from the QoS Catalog. (default: Normal Priority – Pipe/ Normal Priority – Virtual Channel)

-access The Access action of the Pipe or Virtual Channel: Accept, Reject, Drop (default: Accept.).

-coc The Connection Control action of the Virtual Channel: any entry name from the Connection Control Catalog.


-dir The direction of traffic to which the Pipe or Virtual Channel applies: 1, 2. (default: 2)

-offset The position of the Pipe, Virtual Channel or Rule, as an offset from the first position in the policy table.

When a new Pipe or Virtual Channel is added without the -offset parameter, it is placed in the next-to-last position (before the Fallback Pipe/VC).

List

The list action displays the entries defined in the different Catalogs.

Commands available:

• go list {object} [-full]

Object Parameter Description

host -full Displays the contents of the Host Catalog. If the -full parameter is specified, additional information is shown for entries from an LDAP/Text file Data Source.

time - Displays the contents of the Time Catalog.

tos - Displays the contents of the ToS Catalog.

qos - Displays the contents of the QoS Catalog.

service -full Displays the contents of the Service Catalog.

datasrc - Displays the contents of the Data Source Catalog.

vlan - Displays the contents of the Vlan Catalog.

coc - Displays the contents of the Connection Control Catalog.


pipes -full Displays a list of defined Pipes. If the -full parameter is specified, additional information is shown for each Virtual Channel in the Pipe.

pipedata {pName} Displays full data for a single Pipe identified by name.

vc {vcName:pName} Displays full data for a single VC identified by name.

Configuration Settings

The config action enables you to configure NetEnforcer. A description of the available switches and parameters is given below.

Commands available:

• go config key {Key}

• go config nic -internal link -external link -mgmt link

• go config access_control {host_list}

• go config snmp -community read:write:trap -trap_dest Dest -contact Contact -location Loc

• go config vlan {vlan_env:vlan_id}

• go config ips -h Hostname -d Domain -g Gateway -ip ip:mask -dns dns1:dns2 -ts ts1:ts2:ts3 -mgmt check -reject_ip ip:mask|none

• go config access_link -internal link -external link

• go config policy_srv -auto_refresh X -save_refresh check

• go config monitoring -resolve_dns check -sample_period sp

• go config coc -pass_through check -retries server:service -timeout server:service:connect


• go config acct_setup [enable|disable] -resolve_dns check -odbc check -collect_data period -del_data period -ip IP1:IP2

• go config radius_setup [enable|disable] -stop_only check -collect_data period -server1 addr -server2 addr -send_timeout X -retries Y -failed_msg N

• go config acct_radius_storage -pipe check -vc check -service check -hosts hr

• go config dos [admit|drop] -max_conn X -max_cer Y

• go config security -connect Mode -telnet check -ping check -timeout X -root_login check -ssh check

• go config network -transport check -appl check -sptree check -mesh check -mom check -ar -/+route1,-/+route2,…|none

• go config alerts [enable|disable] -email e1:e2 -sms SMS -src_email -smtp

• go config time -t date_time -tz zone

• go config setup_verify

• go config send_snapshot

• go config view [cfg_tab]

Config Tab Parameter Description

key

Key The new box activation key, or none.

access_control

Host_list Update the list of hosts allowed access to NetEnforcer. Any host not entered in this list is barred access to NetEnforcer. The format is IP addresses/host names, each with the prefix - (minus) or + (plus), separated by , (comma), or all.

For example, go config access_control -10.10.10.1, +10.10.10.2

snmp

-community The SNMP read, write and trap community.


-trap_dest The SNMP trap destination address.

-contact The SNMP contact.

-location The SNMP location.

vlan

vlan_env The Vlan environment setting: enable, disable.

vlan_id The Vlan ID: 1 - 4094.

ips

-h The host name of NetEnforcer.

-d The domain name where NetEnforcer is located. For example, allot.com.

-g The IP address of the gateway, or none.

-ip The IP address of NetEnforcer and the network subnet mask.

-dns The IP address of the Primary/Secondary DNS server, or none.

-ts The IP address of the Primary/Secondary/Tertiary Time server, or none.

nic

-internal, -external, -mgmt The Internal/External/Management Interface NIC settings in the format [mode:speed]. The Mode values are: auto, half, full. The Speed values are: auto, 10, 100, 1000 (according to the box type).

acct_setup (these parameters are for Internal Accounting)

-resolve_dns Resolve DNS names for Accounting data: enable, disable.

-odbc Use ODBC to read Accounting data: enable[:Username:Passw], disable.

-collect_data The timespan of saved Accounting data: Xminutes, Xhours, Xdays.


-del_data The timespan of deleted Accounting data: Xdays, Xmonths.

acct_setup (these parameters are for External Accounting)

-ip IP1:IP2 are primary and secondary IP addresses of external accounting servers.

access_link

-internal, -external The Internal/External Interface Link settings in the format [type:outBW:inBW]. The bandwidth must be given with a K/M unit. The Link Types are: half, full.

For example, go config access_link -internal full:1000M:100M

policy_srv

-auto_refresh Auto refresh rate for any LDAP/Text file-based query found in the policy catalog: Xsec, Xmin, Xhours, Xdays or none.

-save_refresh Refresh any LDAP/Text file-based query found in the policy catalog when saving the policy database: enable, disable.

monitoring

-resolve_dns Resolve DNS names for monitoring data: enable, disable.

-sample_period The monitoring sample period: 30sec, 1min, 2min, 3min, 4min, 5min, 6min, 7min, 8min, 9min, 10min.

coc

-pass_through Pass all cached traffic through the QoS device: enable, disable.

-retries The Server/Service tracking retries: 1 - 100.

-timeout The Server/Connect tracking timeout: 10 - 240. Service tracking timeout: 10 - 249.


radius_setup

-stop_only Send RADIUS Stop messages only: enable, disable.

-collect_data The period of saving RADIUS data: Xminutes, Xhours, Xdays.

-server1, -server2 The Primary/Secondary RADIUS server in the format <addr[/port]:secret>, or none.

-send_timeout The timeout on message send failure: 1 - 60.

-retries The number of retries for attempting message send: 1 - 10.

-failed_msg The number of failed messages before switching to the other server: 1 - 200.

acct_radius_storage

-pipe Save item 'Pipe' in each Accounting record: enable, disable.

-vc Save item 'Virtual Channel' in each Accounting record: enable, disable.

-service Save item 'Service' in each Accounting record: enable, disable.

-host Host recording in Accounting: int_host, ext_host, int_ext_host, client, server, client_server, disable.

dos

-max_conn Maximum number of connections in case of a DoS attack: 1 - Value (value according to NetEnforcer type).

-max_cer Maximum new connection establishment rate: 1 - Value (value according to NetEnforcer type).


security

-connect The connection mode: ssl, non-ssl, both.

-telnet Enable/disable telnet: enable, disable.

-ping Enable/disable ping replies: enable, disable.

-timeout The timeout while connected via console or telnet. The shells automatically log out after the specified number of seconds. If 0, there is no automatic logout.

-root_login Enable/disable the ability to log in as user "root": enable, disable. (modifies files /etc/security and /etc/ssh/sshd_config)

-ssh Enable/disable Secure Shell communications: enable, disable. (runs/stops sshd)

network

-transport Transport Layer Classification (TCP/UDP ports): enable, disable.

-appl Application Layer Analysis: enable, disable.

-sptree Support 'Spanning Tree' protocol: enable, disable.

-mesh Support meshed network topology: enable, disable.

-mom 'Monitoring Only' mode: enable, disable.


-ar Additional routes. The format is -/+<destIP:mask:gateway:destType:interface>,…

Destination types: host, network

Interfaces: 0, 1, 2

Prefixes : '-' to delete selected route from Routing Table; '+' to add new route to Routing Table.

time

-t The system time in the format DD-MM-YYYY-HH-mm.

-tz Time zone settings. Enter one from the following list of parameters:

US/Alaska, US/Aleutian, US/Arizona, US/Central, US/East-Indiana, US/Eastern, US/Hawaii, US/Indiana-Starke, US/Michigan, US/Mountain, US/Pacific, US/Samoa, Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura, Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda, Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/Windhoek, America/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Araguaina, America/Aruba, America/Asuncion, America/Atka, America/Barbados, America/Belem, America/Belize, America/Boa_Vista, America/Bogota, America/Boise, America/Buenos_Aires, America/Cambridge_Bay, America/Cancun, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago, America/Chihuahua, America/Cordoba, America/Costa_Rica, America/Cuiaba, America/Curacao, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, America/Eirunepe, America/El_Salvador, America/Ensenada, America/Fort_Wayne, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Hermosillo, America/Indiana/Indianapolis, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Vevay, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/Lima, America/Kentucky/Louisville, America/La_Paz, America/Kentucky/Monticello, America/Knox_IN, America/Los_Angeles, America/Louisville, America/Maceio, America/Managua, America/Manaus, America/Martinique, America/Mazatlan, America/Mendoza, America/Menominee, America/Merida, America/Mexico_City, America/Miquelon, America/Monterrey, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince, America/Port_of_Spain, America/Porto_Acre, America/Porto_Velho, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Recife, America/Regina, America/Rosario, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current, America/Tegucigalpa, America/Thule, America/Thunder_Bay, America/Tijuana, America/Tortola, America/Vancouver, America/Virgin, America/Whitehorse, America/Winnipeg, America/Yakutat, America/Yellowknife, Antarctica/Casey, Antarctica/Davis, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/South_Pole, Antarctica/Syowa, Arctic/Longyearbyen, Asia/Aden, Asia/Almaty, Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashgabat, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dhaka, Asia/Dili, Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hong_Kong, Asia/Hovd, Asia/Irkutsk, Asia/Istanbul, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Katmandu, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pyongyang, Asia/Qatar, Asia/Rangoon, Asia/Riyadh, Asia/Riyadh87, Asia/Riyadh88, Asia/Riyadh89, Asia/Saigon, Asia/Samarkand, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Tel_Aviv, Asia/Thimbu, Asia/Thimphu, Asia/Tokyo, Asia/Ujung_Pandang, Asia/Ulaanbaatar, Asia/Ulan_Bator, Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan, Atlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/Stanley, Australia/ACT, Australia/Adelaide, Australia/Brisbane, Australia/Broken_Hill, Australia/Canberra, Australia/Darwin, Australia/Hobart, Australia/LHI, Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/NSW, Australia/North, Australia/Perth, Australia/Queensland, Australia/South, Australia/Sydney, Australia/Tasmania, Australia/Victoria, Australia/West, Australia/Yancowinna, Brazil/Acre, Brazil/DeNoronha, Brazil/East, Brazil/West, CET, CST6CDT, Canada/Atlantic, Canada/Central, Canada/East-Saskatchewan, Canada/Eastern, Canada/Mountain, Canada/Newfoundland, Canada/Pacific, Canada/Saskatchewan, Canada/Yukon, Chile/Continental, Chile/EasterIsland, Cuba, EET, EST, EST5EDT, Egypt, Eire, Etc/GMT, Etc/GMT+0, Etc/GMT+1, Etc/GMT+10, Etc/GMT+11, Etc/GMT+12, Etc/GMT+2, Etc/GMT+3, Etc/GMT+4, Etc/GMT+5, Etc/GMT+6, Etc/GMT+7, Etc/GMT+8, Etc/GMT+9, Etc/GMT-0, Etc/GMT-1, Etc/GMT-10, Etc/GMT-11, Etc/GMT-12, Etc/GMT-13, Etc/GMT-14, Etc/GMT-2, Etc/GMT-3, Etc/GMT-4, Etc/GMT-5, Etc/GMT-6, Etc/GMT-7, Etc/GMT-8, Etc/GMT-9, Etc/GMT0, Etc/Greenwich, Etc/UCT, Etc/UTC, Etc/Universal, Etc/Zulu, Europe/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Nicosia, Europe/Oslo, Europe/Paris, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Tiraspol, Europe/Uzhgorod, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Warsaw, Europe/Zagreb, Europe/Zaporozhye, Europe/Zurich, Factory, GB, GB-Eire, GMT, GMT+0, GMT-0, GMT0, Greenwich, HST, Hongkong, Iceland, Indian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives, Indian/Mauritius, Indian/Mayotte, Indian/Reunion, Iran, Israel, Jamaica, Japan, Kwajalein, Libya, MET, MST, MST7MDT, Mexico/BajaNorte, Mexico/BajaSur, Mexico/General, Mideast/Riyadh87, Mideast/Riyadh88, Mideast/Riyadh89, NZ, NZ-CHAT, Navajo, PRC, PST8PDT, Pacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Samoa, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap, Poland, Portugal, ROC, ROK, Singapore, Turkey, UCT, UTC, Universal, W-SU, WET, Zulu


view

cfg_tab Display the current configuration parameters for the specified tab: key, ips, snmp, access_link, access_control, vlan, acct_setup, monitoring, policy_srv, acct_radius_storage, dos, security, alerts, time. If no tab is specified, all of the configuration parameters are displayed.

alerts

-email The Primary/Secondary email address of the alert target.

-sms The SMS address of the alert target.

setup_verify - Perform the setup verification.

send_snapshot - Send a snapshot to Allot from NetEnforcer.
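A defender-side check for the access_control and security tabs described in the config table above, added here as an example and not part of the guide or Allot's software. It assumes only the syntax the table gives (all or a +/-host list for access_control; the listed switch values for security, -timeout in seconds) and uses constructed sample settings WEAK and HARDENED; the function and constant names are the example's own.

```python
# Added example, not Allot's code: checks for the access_control and security
# tabs as the appendix describes them. Assumes only that syntax: 'all' or
# comma-separated +/-host entries; security switch values as listed; -timeout in seconds.
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
SECURITY_ENUMS = {                      # permitted values per the config table
    "connect": {"ssl", "non-ssl", "both"}, "telnet": {"enable", "disable"},
    "ping": {"enable", "disable"}, "root_login": {"enable", "disable"},
    "ssh": {"enable", "disable"},
}

def parse_access_control(arg):
    """Return (allowed, denied, errors); allowed and denied are None for 'all'."""
    if arg.strip() == "all":
        return None, None, []
    allowed, denied, errors = set(), set(), []
    for raw in arg.split(","):
        entry = raw.strip()
        if not entry or entry[0] not in "+-":
            errors.append(f"entry needs a +/- prefix: {entry!r}")
            continue
        host = entry[1:]
        try:
            ipaddress.ip_address(host)
        except ValueError:                  # not an IP literal: must be a host name
            if not HOSTNAME_RE.match(host):
                errors.append(f"not an IP address or host name: {host!r}")
                continue
        (allowed if entry[0] == "+" else denied).add(host)
    return allowed, denied, errors

def access_control_findings(arg, admin_host):
    """'all' lifts the restriction; a list that omits the operator's own
    station locks the operator out, since hosts not listed are barred."""
    allowed, denied, findings = parse_access_control(arg)
    if allowed is None:
        findings.append("access_control is 'all': every host may reach NetEnforcer")
    elif admin_host not in allowed or admin_host in denied:
        findings.append(f"admin host {admin_host} is not allowed: lockout risk")
    return findings

def security_findings(opts):
    """Validate switch values against the table and flag weak management settings."""
    findings = []
    for key, value in opts.items():
        if key == "timeout":
            if str(value) == "0":
                findings.append("-timeout 0: console/telnet shells never log out")
        elif value not in SECURITY_ENUMS.get(key, ()):
            findings.append(f"-{key} {value!r} is not a value the table permits")
    if opts.get("telnet") == "enable":
        findings.append("telnet enabled: cleartext management sessions")
    if opts.get("connect") in ("non-ssl", "both"):
        findings.append(f"-connect {opts['connect']}: non-ssl management accepted")
    if opts.get("root_login") == "enable":
        findings.append("root login enabled (/etc/security, /etc/ssh/sshd_config)")
    return findings

WEAK = {"connect": "both", "telnet": "enable", "ping": "enable", "timeout": "0",
        "root_login": "enable", "ssh": "enable"}        # constructed sample tab
HARDENED = {"connect": "ssl", "telnet": "disable", "ping": "enable",
            "timeout": "600", "root_login": "disable", "ssh": "enable"}  # constructed
```

Running security_findings(WEAK) lists the four weak choices; security_findings(HARDENED) returns an empty list, and access_control_findings with the guide's own sample list confirms the listed admin host keeps access.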