Nokia Firewall (9035001-01) - CA...

Nokia Firewall

Device Management

Supports Management Module SM-NOK1000

TT TTii ii tt tt ll ll ee ee pp pp

aa aa ee ee

D e v i c e M a n a g e m e n t N o k i a F i r e w a l l

Copyright NoticeDocument 9035001-01. Copyright © September 2001 AprismaManagement Technologies, Inc., 121 Technology Drive, Durham, NH03824 USA. All rights reserved worldwide. Use, duplication, or disclosureby the United States government is subject to the restrictions set forth inDFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.

Liability DisclaimerAprisma Management Technologies, Inc. (“Aprisma”) reserves the right tomake changes in specifications and other information contained in thisdocument without prior notice. In all cases, the reader should contactAprisma to inquire if any changes have been made.

The hardware, firmware, or software described in this manual is subject tochange without notice.

IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS,DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANYINCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGESWHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS)ARISING OUT OF OR RELATED TO THIS MANUAL OR THEINFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEENADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THEPOSSIBILITY OF SUCH DAMAGES.

Trademark, Service Mark, and Logo InformationSPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registeredtrademarks of Aprisma Management Technologies, Inc., or its affiliates.APRISMA , APRISMA MANAGEMENT TECHNOLOGIES , the APRISMAMANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS ,DCM, VNM, SpectroGRAPH , SpectroSERVER , Inductive ModelingTechnology , Device Communications Manager , SPECTRUM SecurityManager , and Virtual Network Machine are unregistered trademarks ofAprisma Management Technologies, Inc., or its affiliates. For a completelist of Aprisma trademarks, service marks, and trade names, go tohttp://www.aprisma.com/manuals/trademark-list.htm.

All referenced trademarks, service marks, and trade names identified inthis document, whether registered or unregistered, are the intellectualproperty of their respective owners. No rights are granted by AprismaManagement Technologies, Inc., to use such marks, whether byimplication, estoppel, or otherwise. If you have comments or concerns

about trademark or copyright references, please send an e-mail [email protected]; we will do our best to help.

Restricted Rights Notice(Applicable to licenses to the United States government only.)

This software and/or user documentation is/are provided withRESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure bythe government is subject to restrictions as set forth in FAR 52.227-14(June 1987) Alternate III (g)(3) (June 1987), FAR 52.227-19 (June 1987),or DFARS 52.227-7013 (c)(1)(ii) (June 1988), and/or in similar orsuccessor clauses in the FAR or DFARS, or in the DOD or NASA FARSupplement, as applicable. Contractor/manufacturer is AprismaManagement Technologies, Inc., 121 Technology Drive, Durham, NH03824. In the event the government seeks to obtain the software pursuantto standard commercial practice, this software agreement, instead of thenoted regulatory clauses, shall control the terms of the government'slicense.

Virus DisclaimerAprisma makes no representations or warranties to the effect that thelicensed software is virus-free.

Aprisma has tested its software with current virus-checking technologies.However, because no anti-virus system is 100 percent effective, westrongly recommend that you write-protect the licensed software andverify (with an anti-virus system in which you have confidence) that thelicensed software, prior to installation, is virus-free.

Contact InformationAprisma Management Technologies, Inc.121 Technology DriveDurham, NH 03824Phone: 603.334.2100U.S. toll-free: 877.468.1448Web site: http://www.aprisma.com

http://www.aprisma.com/manuals/trademark-list.htm

http://www.aprisma.com

http://www.aprisma.com

http://www.aprisma.com/manuals/trademark-list.htm


ContentsINTRODUCTION 4

Purpose and Scope ........................................................4Required Reading ...........................................................4Supported Devices..........................................................5The SPECTRUM Model ..................................................5

TASKS 8

DEVICE VIEW 9

Interface Icons ..............................................................10Interface Icon Subviews Menu......................................11Interface Status View ....................................................11Secondary Address Panel ............................................12

DEVICE TOPOLOGY VIEWS 13

Device Topology View ..................................................13

APPLICATION VIEWS 14

Application Icons ...........................................................15Supported Applications .................................................15

Common Applications................................................15Device Specific Applications......................................17

Checkpoint Application .................................................17Firewall InformationView ...........................................17

RateShape Application .................................................18

RateShape Performance View ..................................18Rule Status Table View .........................................18Aggregation Class Status Table View ...................19

Virtual Router Redundancy Protocol (VRRP) Application20

PERFORMANCE VIEWS 21

Device Performance View.............................................22Port Performance View .................................................22

CONFIGURATION VIEWS 23

Device Configuration View............................................23Interface Configuration View.........................................24IPSO Configuration View ..............................................24

IPSO Additional Configuration View..........................26RateShape Configuration View.....................................26

Rule Table View ........................................................27Aggregation Class Table View ..................................28VRRP Configuration View .........................................29

MODEL INFORMATION VIEWS 33

INDEX 34


Introduction

This section introduces SPECTRUM Device Management documentation for the Nokia Firewall series ofdevices.

This introduction contains the following topics:

• Purpose and Scope• Required Reading• Supported Devices (Page 5)• The SPECTRUM Model (Page 5)

Purpose and ScopeUse this documentation as a guide for managing Nokia Firewall devices with the SPECTRUM management module SM-NOK1000. This documentation describes the icons, menus, and views that enable you to remotely monitor, configure, and troubleshoot Nokia Firewall devices through software models in your SPECTRUM database.

This documentation consists primarily of information specific to the supported management module. For general information about device management using SPECTRUM, and

for explanations of basic SPECTRUM functionality, refer to the documentation listed under Required Reading.

Required ReadingBefore using this document, you should be familiar with the information provided in the following documentation:

• Getting Started with SPECTRUM for Operators

• Getting Started with SPECTRUM for Administrators

• How to Manage Your Network with SPECTRUM

• SPECTRUM Views• SPECTRUM Icons• SPECTRUM Menus

I n t r o d u c t i o n S u p p o r t e d D e v i c e s


Supported DevicesSPECTRUM management module SM-NOK1000 currently allows you to model several different types of Nokia Firewall devices. These include the following:

IP330 - This device supports a comprehensive suite of IP-routing functions and protocols, including RIPv1/RIPv2,IGRP, OSPF and BGP4 for unicast traffic, and DVMRP for multicast-traffic. The integrated router functionality eliminates the need for separate intranet and access routers in security applications.

IP440 - In addition to offering complete secu-rity-application software functionality and network services such as frame relay and routing, the 19" rack-mountable Nokia IP440 supports up to 16 physical interfaces. It includes four PCI slots with a wide-range of interface card options, including high-density 10/100 Ethernet, V.35/X.21, T1, and more. As a networking device, the IP440 supports a comprehensive suite of IP-routing protocols: RIPv1/RIPv2, IGRP, OSPF and BGP4 for uni-cast traffic, and DVMRP for multicast traffic.

IP650 - This carrier class firewall supports a comprehensive suite of IP-routing functions and protocols, including RIPv1/RIPv2, IGRP,

OSPF and BGP4 for unicast traffic, and DVMRP for multicast traffic. Its integrated router functionality eliminates the need for separate Intranet and access routers in secu-rity applications. Featuring front access and five standard Compact PCI I/O slots for inter-face cards, the rack-mountable IP650 is 19" wide and 2RU high. A variety of connectivity options are available - high-density 10/100 Ethernet, high-speed ATM or HSSI, and wide area network interfaces such as V.35/X.21 and T-1.

The SPECTRUM ModelSPECTRUM uses a single model type for modeling the supported Nokia Firewall devices. This model type is NokiaFW. This model is represented in SpectroGRAPH views by Device icons. As shown in Figure 1, the appearance of the Device icon varies depending on the view in which it appears.

I n t r o d u c t i o n T h e S P E C T R U M M o d e l


Figure 1:Figure 1:Figure 1:Figure 1: Device Icon

The device-specific Icon Subviews menu options available from the Device icon are listed below.

Device icons provide access to the views, subviews, and tables that let you manage the modeled device. Figure 2 shows the model-specific portion of the Icon Subviews menu for a IP440 Device icon in a Topology view. The views listed below are accessible directly from this menu and are described individually in subsequent sections of this documentation.

• Device View (Page 9)• Device Topology Views (Page 13)• Application Views (Page 14)• Performance Views (Page 21)• Configuration Views (Page 23)• Model Information Views (Page 33)

Option Accesses the...

Fault Management

For further information refer to How to Manage Your Network with SPECTRUM documentation.

Device Device View (Page 9)

Model Name

XYZ_Mxxx

Model Name

IP440

Small Device icon appears inTopology and Application views

Large Device icon appears inDevice Topology, Location, andDevice Interface views.

Device Topology Device Topology Views (Page 13)

Application Application Views (Page 14)

Configuration Configuration Views (Page 23)

Model Information

Model Information Views (Page 33)

Primary Application

Menu options that let you select either Gen Bridge App or MIB-II as the primary application.



Figure 2:Figure 2:Figure 2:Figure 2: Device Icon Subviews Menu Options

DeviceDevTopApplicationConfiguration

Model Name

IP440

- >

Fault IsolationModel InformationPrimary Application


Tasks

This section identifies various management and troubleshooting tasks that can be performed for models ofNokia Firewall devices using the views, icons, and labels referenced within this document.

Application Information (examine)• Application Views (Page 14)

Device (configure)• Configuration Views (Page 23)

Device Performance (monitor)• Device View (Page 9)• Device Performance View (Page 22)

File Transfer (initiate/examine)• Firewall InformationView (Page 17)

Interface Mask and Address (examine)• Secondary Address Panel (Page 12)

IPSO Configuration (configure)• IPSO Configuration View (Page 24)

Model Information (examine)• Model Information Views (Page 33)

Port Configuration (examine/modify)• Interface Icons (Page 10)• Device Configuration View (Page 23)

A Port (examine/enable/disable)• Interface Status View (Page 11)

Port Statistics (monitor)• Performance Views (Page 21)

RateShape Configuration (configure)• RateShape Configuration View (Page 26)

Virtual Router Configuration (configure)• VRRP Configuration View (Page 29)


Device View

This section describes the Device view and subviews available for models of Nokia Firewall devices inSPECTRUM.

Access: From the Icon Subviews menu for the Deviceicon, select Device .

This view (Figure 3) uses icons and labels to represent the device and its components, such as modules, ports, and applications. The view provides dynamic configuration and performance information for each of the device’s serial and network I/O ports, which are represented by Interface icons in the bottom panel of the view. The middle panel of the view displays a Device icon, which lets you monitor the device operation and access other device-specific views.

Figure 3:Figure 3:Figure 3:Figure 3: Device View

File View HelpTools

Model NameContactDescriptionLocation

Sys Up TimeManufacturerDevice TypeSerial Number

Network Address

Interface Description

Filter Physical

Interface Options PanelDevice Icon

XYZ_Mxxx

Model Name

1Ethernet

0:0:1D:F:FD:B6

ei0

0.0.0.0

ON

5SFTWARLPBK

0:0:1D:F:FD:B6

lo0

0.0.0.0

ON

9ATM8023

0:0:1D:F:FD:B6

zn1

0.0.0.0

ON

512AAL5

UAAL5

0.0.0.0

ON

2ATMCPU

0.0.0.0

ON

6ATM portCPU.1

0.0.0.0

ON

ATM7A1

0.0.0.0

ON

ATM7B1

0.0.0.0

ON

ATM7B2

0.0.0.0

ON

ATM7B3

0.0.0.0

ON

ATM8B1

0.0.0.0

ON

ATM8B2

0.0.0.0

ON

ATM8B3

0.0.0.0

ON

ATM8B4

0.0.0.0

ON

10

2783905 2783909

11

7

3 4

8

Interface Icons

Bookmarks

Model Name of type XYZ_Mxxx of Landscape node: Primary

Primary Application Gen Bridge App


Interface IconsFigure 4 shows a close-up of an Interface icon from the Device view. Most of the informational labels on the icon also provide double-click access to other views, as explained in the following label descriptions.

Figure 4: Interface Icon

Interface Number LabelThis label displays the interface (port) number.

IF Status LabelThis label displays the current status of the interface for the primary application selected, e.g., Gen Rtr App or MIB-II App. Table 1 lists the possible label color representations. Note that the color of the label also depends on the interface’s current Administrative Status, which you set in the Interface Status View (Page 11). This view can be accessed by double-clicking the label.

Interface Type LabelThis label identifies the interface type (Ethernet, ATM, etc.). Double-click this label to access the Interface Configuration View (Page 24).

c

f

b

1ethernet

0:0:1D:F:FD:B6

a

a Interface Number Label

b IF Status Label

c Interface Type Label

d Network Type Label

e Physical Address Label

f IP Address Label

fxp0

0.0.0.0

d

e

ON Table 1: Interface Status Label Colors

ColorOperational

StatusAdministrative

StatusLabelText

Green up up ON

Blue down down OFF

Yellow down up OFF

Red testing testing TEST

D e v i c e V i e w I n t e r f a c e I c o n S u b v i e w s M e n u


Network Type LabelThis label identifies the type of network to which the interface is connected. Double-click the label to open the Model Information view for the interface.

Physical Address LabelThis label displays the physical (MAC) address of the interface. Double-click this label to open the IF Address Translation Table.

IP Address LabelThis label displays the IP address for the interface. Double-click this label to open the Secondary Address Panel (Page 12), which lets you change the address and mask for the interface.

Interface Icon Subviews MenuTable 2 lists the device-specific interface Icon Subviews menu options and the views to which they provide access.

Interface Status ViewAccess: From the Icon Subviews menu for the Interfaceicon in the Device view, select IF Status .

This view provides information on the operational status of the interface and allows you to enable or disable the port.

Table 2: Interface Icon Subviews Menu


Detail Interface Detail view, which displays packet, error, and discard breakdown statistics for the interface.

IF Status Interface Status View (Page 11).

IF Configuration Interface Configuration View (Page 24).

IF Address Translation Table

Interface Address Translation Table, which identifies the physical and network address for the interface.

Secondary Address Panel

Secondary Address Panel (Page 12).

Thresholds Interface Threshold view, which lets you set the on/off alarm thresholds for load, packet rate, error rate, and % discarded for the interface.

Model Information

Model Information Views (Page 33).

D e v i c e V i e w S e c o n d a r y A d d r e s s P a n e l


Operational StatusThe current state of the interface (Up, Down, Unknown, Dormant , Not Present , Lower LayerDown, or Testing ).

This button allows you to select the desired administrative state of the interface (On, Off , or Testing ).

Secondary Address PanelAccess: From the Icon Subviews menu for the Interfaceicon in the Device view, select Secondary Address Panel .

This panel provides a table of IP addresses and masks obtained from the Address Translation table within the device’s firmware. You can change the current address displayed in the IP Address field by selecting an entry from the table in this panel and clicking the Update button.

Administrative Status


Device Topology Views

This section provides brief descriptions of the Device Topology views available for models of Nokia Firewalldevices.

Device Topology views show the connections between a modeled device and other network entities. There is one Device Topology view available for Nokia Firewall devices:

• Device Topology View

Device Topology ViewAccess: From the Icon Subviews menu for the Deviceicon, select DevTop.

The lower panel of the Device Topology view (Figure 5) uses interface icons to represent the device’s serial/network I/O ports. These icons provide the same information and menu options as those in the Device View. If there is a device connected to a particular interface, a device icon appears on the vertical bar above the interface icon.

Figure 5:Figure 5:Figure 5:Figure 5: Device Topology View

File View HelpTools

1Ethernet

0:0:1D:F:FD:B6

ei0

0.0.0.0

ON 2ATM

0:0:1D:F:FD:B6A2

0.0.0.0

ON 3ATM

0:0:1D:F:FD:B6CPU

0.0.0.0

ON

XYZ_Mxxx

Model Name

Bookmarks

Graphic of<manufacturer>

Device

Model Name of type Model Type of Landscape node: Primary


Application Views

This section describes the main Application view and the associated application-specific subviews available formodels of Nokia Firewall devices.

Access: From the Icon Subviews menu for the Deviceicon, select Application.

When a device is modeled, SPECTRUM automatically creates models for each of the applications supported by the device. The Application view displays these models (as Application icons), shows their current status, and provides access to application-specific subviews.

Figure 6 is an example of an Application view in its default mode (Icon) where each of the application models is represented by an Application icon. The Application icons are arranged hierarchically under a Device icon, with major applications in the top row and their respective minor applications stacked directly below.

You can also see the applications displayed by name only, in list format, by selecting View > Mode > List.

Figure 6:Figure 6:Figure 6:Figure 6: Application View

SpectroGRAPH: Application: Model Name

Model Name

Contact

Description

Location

Network Address System Up Time

Manufacturer

Device Type

Serial Number

Model Name

6E132_25

Model Name

Model Type

File View Tools Bookmarks

Model Name of type <model type> of Landscape node: Primary

Help


Application IconsWhen the Application view is in Icon mode, each of the application models is represented by an Application icon (Figure 7). Double-clicking the Model Name label (a) at the top of the icon opens the associated Model Information view—see Model Information Views (Page 33). For some applications, the Model Type label (c) at the bottom of the icon is also a double-click zone, which opens an application-specific view. Any views accessible through these double-click zones are also accessible from the Application icon’s Icon Subviews menu.

Figure 7:Figure 7:Figure 7:Figure 7: Application Icon

Supported ApplicationsSPECTRUM’s applications can be grouped within two general categories as follows:

• Applications associated with non proprietary MIBs. See Common Applications below.

• Applications associated with device-specific MIBs. See Device Specific Applications (Page 17).

Common ApplicationsFor the most part, these applications represent the non proprietary MIBs supported by your device. Listed below (beneath the title of the SPECTRUM document that describes them) are some of the common applications currently supported by SPECTRUM. Nokia Firewall devices support both common and device-specific applications.

• Routing Applications- Generic Routing- Repeater

aaaa Model Name Label / Model Information View

bbbb Condition Status Label

cccc Model Type Label / Application-Specific View

(a)

(b)

(c)

172.59.203.24

IP2_App

IP2_App

Note:Note:

The documents listed below (in bold font) are available for viewing at:

www.aprisma.com/manuals/



A p p l i c a t i o n V i e w s S u p p o r t e d A p p l i c a t i o n s


- AppleTalk- DECnet- OSPF- OSPF2- BGP4- VRRP

• Bridging Applications- Ethernet Special Database- Spanning Tree- Static- Transparent- PPP Bridging- Source Routing- Translation- QBridge

• MIB II Applications- SNMP- IP- ICMP- TCP- System2- UDP

• Transmission Applications- FDDI- Point to Point- DS1

- DS3- RS-232- WAN- Frame Relay- Token Ring- Ethernet- Fast Ethernet- rfc1317App- rfc1285App- rfc1315App- 802.11App- SONET

• Technology Applications- APPN- ATM Client- DHCP- PNNI- rfc1316App- DLSw

A p p l i c a t i o n V i e w s C h e c k p o i n t A p p l i c a t i o n


Device Specific ApplicationsThe views and subviews available for Nokia Firewall device-specific applications are described in the rest of this section.

• Checkpoint Application• RateShape Performance View (Page 18)• Virtual Router Redundancy Protocol (VRRP)

Application (Page 20)

Checkpoint ApplicationThis major application (model type CheckpointApp) provides access to the following application-specific subview:

• Firewall InformationView

Firewall InformationViewAccess: From the Icon Subview menu for theCheckpointApp application, select Firewall .

This view contains the following information:

General Information

This section of the Firewall Information view provides the following information:

ProductFirewall - 1 product.

Module StateThe state of the module.

Last SNMP FW EventThe last SNMP trap sent via “fw”.

Major VersionFirewall - 1 major version.

Minor VersionFirewall -1 minor version.

Filter Information


NameThe name of the loaded filter.

DateThe date the filter was installed.

Packet Information


Accepted PacketsThe number of accepted packets

Rejected PacketsThe number of rejected packets.

A p p l i c a t i o n V i e w s R a t e S h a p e A p p l i c a t i o n


Dropped PacketsThe number of dropped packets.

Logged PacketsThe number of logged packets.

RateShape ApplicationThis major application (model type NkIpsoRateApp) provides access to the following application-specific subviews:

• IPSO Configuration View (Page 24)• RateShape Configuration View (Page 26)• RateShape Performance View (Page 18)

RateShape Performance ViewAccess: From the Icon Subviews menu for theNkIpsoRateApp application, select RateShapePerformance .

This view displays the Access List Status Table which provides the following information:

ifIndexIdentifies the MIB-II interface which this access list stat entry is responsible for.

IndexA unique value identifying this table entry.

DirectionThe data source for this access list.

Pkts PassedNumber of packets successfully exiting this access list.

Bytes PassedNumber of bytes successfully exiting this access list.

Clicking this button opens the Rule Status Table View.

Clicking this button opens the Aggregation Class Status Table View (Page 19).

Rule Status Table ViewAccess: From the RateShape Performance view, click theRules button.

This view provides the following information:

ifIndexA unique value corresponding to the interface to which this rule is applied.

Rules

Aggregation Class

A p p l i c a t i o n V i e w s R a t e S h a p e A p p l i c a t i o n


IndexThe “rsRuleIndex” value of the rule this entry describes.

DirectionThe data source for this rule.

Drop PktsThe number of packets that exceeded this rate limit.

Drop OctetsThe number of bytes that exceeded this rate limit.

Pkts PassedNumber of packets successfully exiting this rule.

Bytes PassedNumber of bytes successfully exiting this rule.

Aggregation Class Status Table ViewAccess: From the RateShape Performance view, click theAggregation Class button.


ifIndexThe value of “ifIndex” which corresponds to the interface for which this aggregation class handles tokens.

IndexA unique value identifying this entry in the table.

DirectionThe data source for this aggregation class.

Shaped PktsThe number of packets shaped by this rate limit.

Shaped OctetsThe number of octets shaped by this rate limit.

Enqueued PktsThe number of packets enqueued by this rate limit.

Enqueued OctetsThe number of packets enqueued by this rate limit.

Dropped PktsThe number of packets which exceeded this rate limit.

Dropped OctetsThe number of octets which exceeded this rate limit.

Pkts Passed InThe number of packets passed in successfully exiting this aggregation class.

Pkts Passed OutThe number of packets passed out successfully exiting this aggregation class.

A p p l i c a t i o n V i e w s V i r t u a l R o u t e r R e d u n d a n c y P r o t o c o l ( V R R P ) A p p l i c a t i o n


Bytes Passed InThe number of bytes passed in successfully exiting this aggregation class.

Bytes Passed OutThe number of bytes passed out successfully exiting this aggregation class.

Virtual Router RedundancyProtocol (VRRP) ApplicationThis major application (model type rfc2338App) provides access to the following application-specific subview:

• VRRP Configuration View (Page 29)


Performance Views

This section provides brief descriptions of the Performance views available for the Nokia Firewall devices inSPECTRUM.

Performance views display performance statistics in terms of a set of transmission attributes, e.g., cell rates, frame rates, % error, etc. A typical view is shown in Figure 8. The instantaneous condition of each transmission attribute is recorded in a graph. The statistical information for each attribute is presented in the adjacent table.

Generally, you determine performance at the device level through Performance views accessed from the Device and Application icons. You determine performance at the port/interface level through Performance views accessed from Interface icons.

For more information on Performance views, refer to the SPECTRUM Views documentation.

The following paragraphs list the performance attributes displayed for each Performance view supported by this management module.

Figure 8: Performance View

SpectroGRAPH: Type Routing

Model Name

Contact

Description

Location

Network Address System Up Time

Manufacturer

Device Type

Serial Number

Log

100.0

10.00

1.00

0.10

0.01

000:40:0 0:30:0 0:20:0

Value Average Peak Value

* Frame Rate

% Delivered

% Forwarded

% Transmit

% Error

DetailGraph Properties Scroll to Date-Time

File View Tools Bookmarks

% Discarded*Frames per second

type routing of type IP Routing of Landscape node: Primary

Primary Application


Device Performance ViewAccess: From the Icon Subviews menu for the Deviceicon, select Performance .

Current and historical frame transmission information is provided via the following attributes.

• Frame Rate• % Delivered• % Forwarded• % Transmit• % Error• % Discarded

Port Performance ViewAccess: From the Icon Subviews menu for the DeviceInterface icon, select Performance .

Current and historical packet transmission information is provided via the following attributes.

• Load• Packet Rate• % Error

% Discarded


Configuration Views

This section describes the various Configuration views and subviews available for models of Nokia Firewalldevices.

Configuration views allow you to view and modify current settings for the modeled device and its interfaces, ports, and applications. The following Configuration views are available for models of Nokia Firewall devices:

• Device Configuration View• Interface Configuration View (Page 24)• IPSO Configuration View (Page 24)• RateShape Configuration View (Page 26)

Device Configuration ViewAccess: From the Icon Subviews menu for the Deviceicon, select Configuration .

This view (Figure 9) provides status and configuration information about the device as a whole as well as on a port-by-port basis. It also provides button access to the Interface Address Translation View and a subview that lets you establish redundancy for the model. Fields and

column headings within the Device Configuration view and its subviews are explained in detail in SPECTRUM Views.

Figure 9:Figure 9:Figure 9:Figure 9: Device Configuration View

SpectroGRAPH:

* File V iew H elp

Primary Application

System Up Time

Manufacturer

Device Type

Serial Number

Network AddressNameContactDescriptionLocation

Device Configuration View

Index Description Type Bandwidth Physical Address

PrintInterface Configuration Table

Interface Address Translation

Contact Status Number of Interfaces

Tools B ookmarks

Redundacny and Model reconfiguration Options

Operation Status

C o n f i g u r a t i o n V i e w s I n t e r f a c e C o n f i g u r a t i o n V i e w


Interface Configuration ViewAccess: From the Icon Subviews menu for a selectedInterface icon, select IF Configuration .

This view provides the following information for the selected interface:

Operation StatusThe current operational state of the interface. Possible values are: up, down, testing, and unknown .

Admin. StatusThe desired operational state of the interface. Possible values are: up, down, or testing .

Last ChangeThe “System UpTime” value when the interface entered its current operational state.

IP Address/Network MaskThis window provides a list of the user-defined IP addresses and network masks for the interface.

Physical AddressThe Ethernet (MAC) address of the interface.

BandwidthThe estimated bandwidth of the interface, measured in bits per second. For interfaces that do not vary in bandwidth, or for which no

accurate estimate can be made, a nominal bandwidth is provided.

Packet SizeThe largest packet that can be transmitted or received by the port, displayed in octets.

Queue LengthThe length of the outbound packet queue, in packets.

IPSO Configuration ViewAccess: From the Icon Subviews menu for theNkIpsoRateApp application, select Configuration .


CardThis area of the IPSO Configuration View provides the following information:

IndexThe number of the slot in which this card is plugged.

StatusThe operational status of this card. Possible values are: enabled or disabled .

C o n f i g u r a t i o n V i e w s I P S O C o n f i g u r a t i o n V i e w


TypeThe “ifType” value for any interface(s) on this card. Please refer to RFC1213.

ConfigThis area of the IPSO Configuration View provides the following information:

IndexThe index for this configuration, with 1 representing the currently running database and traversing from newest to oldest.

File PathThe absolute pathname and filename that holds a record of this configuration.

Date/TimeThe date and time this file was last changed.

Log TableThis section of the IPSO Configuration View provides the following information on the most recent configuration changes to the system:

IndexThe unique index of this configuration change entry.

DescriptionA description of the nature of the configuration change.

Serial NumberThe serial number of this device.

SIMM TotalThe total memory capacity, in megabytes, contained in the SIMM sockets.

MB TypeThe type of motherboard populating this device.

MB Rev NumberAn string value representing the type of motherboard populating this device.

MB Serial NumberThe serial number of the motherboard.

Log SizeA maximum limit on the number of entries which may be recorded in the Log Table.

Clicking this button opens the IPSO Additional Configuration View (Page 26).

Additional Configuration

C o n f i g u r a t i o n V i e w s R a t e S h a p e C o n f i g u r a t i o n V i e w


IPSO Additional ConfigurationViewAccess: From the IPSO Configuration View, click theAdditional Configuration button.


FanThis area of the IPSO Additional Configuration View provides the following information:

IndexA unique value representing this particular fan.

StatusThe operational status of this fan. Possible values are: running and notRunning .

PowerThis area of the IPSO Additional Configuration View provides the following information:

IndexA unique value representing this power supply.

TemperatureAn indication of whether or not this power supply’s internal temperature is over the recommended operation temperature limit. Possible values are: normal and overTemperature .

Oper StatusThe operational status of this power supply. Possible values are: running and notRunning .

ImageThis area of the IPSO Additional Configuration View provides the following information on resident kernel images on this system:

IndexA unique value for the image represented by this entry.

Version No.The version number of this image.

Serial No.The serial number of this image.

Time of LoadThe date and time when this image was first transferred onto this device.

RateShape Configuration ViewAccess: From the Icon Subviews menu for theNkIpsoRateApp application, select RateShape Config .

This view displays the Access List table which provides the following information:



ifIndexThe “ifIndex” of the MIB-II interface for which this access list entry is responsible.

IndexA unique value identifying this Access List.

DirectionThe data source for this access list.

NameAunique descriptor for this access list.

Row StatusThe current status of this access list. Possible values are: active , notInService , notReady , createAndGo , createAndWait , and destroy .

Clicking on this button opens the Access List Add View, which enables you to create an Access List within the Access List Table by entering an instance and then selecting its desired status.

Clicking this button opens the Rule Table View.

Clicking this button opens the Aggregation Class Table View (Page 28).

Rule Table ViewAccess: From the RateShape Configuration view click onthe Rules button.


ifIndexThe “ifIndex” of the MIB-II interface for which this access list entry is responsible.

IndexAn arbitrary value for rate limit objects.

DirectionThe data source for the Rate Limit object.

TOSThe TOS field of the type of packet which this rule governs.

ActionThe forwarding Action associated with this rule. Possible values are: drop , accept , reject , condition , and skip .

Add New Access List

Rules

Aggregation Class



Src AddrThe source IP address for this rule.

Src Addr MaskThe mask of source address for this rule.

Dest AddrThe destination IP address for this rule.

Dest Addr MaskThe mask of destination address for this rule.

ProtocolThe number of IP protocol that rule applies on.

Src Start PortThe start of the source range of port number(s) of the IP protocol for this rule.

Src End PortThe end of the source range of port number(s) of the IP protocol for this rule.

Dest Start PortThe start of the destination range of port number(s) of the IP protocol for this rule.

Dest End PortThe end of the destination range of port number(s) of the IP protocol for this rule.

Agg Class IndexThe index to the aggregation class (queue) if the value of Action is enqueue .

EstablishedIndicates whether this rule is effective on previously-established TCP connections.

Row StatusThe current status of this rule. Possible values are: active , notInService , notReady , createAndGo , createAndWait , and destroy .

Aggregation Class Table ViewAccess: From the RateShape Configuration view click onthe Aggregation Class button.


ifIndexThe value of “ifIndex” which corresponds to the first interface for which this aggregation class handles tokens.

IndexThe unique value identifying this aggregation class (queue).

DirectionThe data source for this aggregation class.

NameA description of this aggregation class.



Mean RateThe peak bandwidth when Burst Rate and Burst Duration are not set. When mean rate and burst duration are set, the mean rate specifies the long-term rate which the packet stream will be shaped to, but the packet stream can burst above that rate, with no penalty, for as long as the burst duration specifies.

Burst RateThe maximum burst peak rate in kilobits per second before being shaped. This value is obsolete and will no longer be supported.

Burst DurationThe number of milliseconds this aggregation class needs to transmit Burst Rate. If this is not set to a non-zero value, Mean Rate is the peak rate.

Row StatusThe current status of this aggregation class. Possible values are: active , notInService , notReady , createAndGo , createAndWait , and destroy .

VRRP Configuration ViewAccess: From the Icon Subviews menu for the rfc2338Appapplication, select Configuration .


Node VersionThe particular version of the VRRP supported by this node.

Trap ControlIndicates whether the VRRP-enabled router will generate SNMP traps for events defined in this MIB.

Packet SourceThe IP address of an inbound VRRP packet.

Authorization Error TypePotential types of configuration conflicts. Possible values are: invalidAuthType , authTypeMismatch , and authFailure .

VRRP Operations TableThis area of the VRRP Configuration view contains the follwoinf information:

IndexThe Virtual Router Identifier

Virt MAC AddressThe virtual MAC address of the virtual router. This is derived as follows: 00-00-5E-00-01-<VRID>. Where the first three octets consist of the IANA’s OUI; the next two octets indicate the address block of the VRRP protocol; and the remaining octets consist of the VRID.



StateThe mandatory state of the virtual router. Possible values are described in Table 3.

Admin StateThis value will enable/disable the virtual router function. Setting the value to up, will transition the state of the virtual router from initialize to backup or master ; setting the value to down, will transition the router from master or backup to initialize . State transitions may not be immediate; they sometimes depend on other factors, such as the interface (IF) state.

PriThis value specifies the priority to be used for the virtual router master election process. Higher values imply higher priority. A priority of ’0’, although not settable, is sent by the master router to indicate that this router has ceased to participate in VRRP and a backup virtual router should transition to become a new master.

IP Addr CntThe number of IP addresses that are associated with this virtual router.

Master Ip AddrThe master router’s real (primary) IP address. This is the IP address listed as the source in VRRP advertisement last received by this virtual router.

Primary IP AddrIn the case where there is more than one IP address for a given ‘ifIndex’, this object is used to specify the IP address that will become the Master Ip Addr, should the virtual router transition from backup to master. If this object is set to 0.0.0.0, the IP address which is numerically lowest will be selected.

Table 3: State Values

Value Description

initialize Indicates the virtual router is waiting for a startup event.

backup Indicates the virtual router is monitoring the availability of the master router.

master Indicates the virtual router is forwarding packets for IP addresses that are associated with this router.



Auth TypeAuthentication type used for VRRP protocol exchanges between virtual routers. Possible values are described in Table 4.

Auth KeyThe Authentication Key. This value is set according to the value in Auth Type . If the length of the value is less than 16 octets, the agent will left adjust and zero fill to 16 octets. The value of this object is the same for a given “ifIndex.”

Adv IntvThe time interval, in seconds, between sending advertisement messages. Only the master router sends VRRP advertisements.

Preempt ModeControls whether a higher priority virtual router will preempt a lower priority master.

Up TImeThis is the value of “sysUpTime” when this virtual router transitioned out of “initialized”.

ProtocolThe particular protocol being controlled by this Virtual Router. Possible values are: ip , bridge , decnet , and other .

StatusThe row status variable, used in accordance to installation and removal conventions for conceptual rows. The state that this value transitions to when set is based on a determination of whether the read-write objects in the row have been correctly initialized for virtual router operation. A row in which not all of the values are correctly set is considered ‘incomplete’. Possible values are described in Table 5.

Table 4: Authentication Values

Value Description

noAuthentication VRRP protocol exchanges are not authenticated.

simpleTextPassword Exchanges are authenticated by a clear text password.

ipAuthenticationHeader Exchanges are authenticated using the IP authentication header.


Table 5: Status Values

Value Description

active When this value is read, it indicates that all the read-write objects (in the row) required for virtual router operation have been correctly initialized such that the respective virtual router can be made operational by setting the Admin State to ‘up’. When set to ‘active’, no other objects in the conceptual row, with the exception of Admin State can be modified.

notInService When set, allows the values in the row tobe modified by a management station, thus changing the operational characteristics of the corresponding virtual router.

notReady The agent sets the value to this state to indicate that the conceptual row exists but is lacking initialization of one or more objects required for virtual router operation.

createAndGo This is set by a management station wishing to create a new instance of a virtual router and to have its status automatically set to ‘active’, making it available for use by a virtual router. Upon receiving a request to set Status to this value, the agent transitions the Status to ‘active’ if the other settable objects in the row have been correctly initialized. If the row is incomplete, the agent transitions the state to ‘notReady’.

createAndWait This is set by a management station wishing to create a new instance of a virtual router but not make it available for use. When this value is set, Status transitions to ‘notInService’ if the row has been correctly initialized; if the row is incomplete, Status will become ‘notReady’.

destroy Deletes the conceptual row, and hence, the corresponding instance of a virtual router.

Table 5: Status Values

Value Description


Model Information Views

This section provides a brief description of the Model Information views available for models of Nokia Firewalldevices.

Access: From the Icon Subviews menu for the Deviceicon, select Model Information .

Model Information views provide descriptive and configuration information about models of devices, interfaces, and applications. Figure 10 shows an example of a Model Information view accessed from the Icon Subviews menu for an IP440 Device icon. Model Information views are also available for each of the Interface icons in the Interface Device and Interface Device Topology views, and for each of the Application icons in the main Application view. Although these views may vary slightly, depending on the particular device being modeled, their basic layout and content are similar for most SPECTRUM management modules. Therefore, these views are described in more detail in SPECTRUM Views.

Figure 10:Figure 10:Figure 10:Figure 10: Model Information View

SpectroGRAPH:

* File V iew H elpTools

Primary Application

System Up Time

Manufacturer

Device Type

Serial Number

Network AddressNameContactDescriptionLocation

Model Information View

MM Version Number

MM Name

MM Part Number

General Information Communication Information

Community Name

DCM TimeOut

DCM Retry

Poll/Log InformationModel Created By

Model Type

Model Creation Time

Poll Interval

Polling StatusModel State

Security String

Mgmnt Protocol

Bookmarks


Index

AAddress

Interface IP 11Physical (MAC) 11Translation 12

Admin Status 10Admin. Status 24Aggregation Class Status Table

View 19Bytes Passed In 20Bytes Passed Out 20Direction 19Dropped Octets 19Dropped Pkts 19Enqueued Octets 19Enqueued Pkts 19ifIndex 19Index 19Pkts Passed In 19Pkts Passed Out 19Shaped Octets 19Shaped Pkts 19

Aggregation Class Table View 28Authorization Error Type 29Burst Duration 29Burst Rate 29Direction 28

ifIndex 28Index 28Mean Rate 29Name 28Node Version 29Packet Source 29Row Status 29Trap Control 29VRRP Operations Table 29

Admin State 30Adv Intv 31Auth Key 31Auth Type 31Index 29IP Addr Cnt 30Master Ip Addr 30Preempt Mode 31Pri 30Primary IP Addr 30Protocol 31State 30Status 31Up TIme 31Virt MAC Address 29

ApplicationDevice-specific 17Icons 14

Application Icons 15

Application View 14

BBandwidth 24

CCheckpoint Application 17Condition Status Label 15Configuration views 23

DDevice icon 5, 14Device Topology Views 13

FFile Transfer MIB View 17

Index 32Firewall Information View

Accepted Packets 17Date 17

I n d e x I n d e x


Dropped Packets 18Filter Information 17General Information 17Last SNMP FW Event 17Logged Packets 18Major Version 17Minor Version 17Module State 17Name 17Packet Information 17Product 17Rejected Packets 17

Firewall InformationView 17

IIcons

Device 5, 14Interface 10

Image 26Interface

Status 11Type, Device 10

Interface Configuration View 24IP Address/Network Mask 24IPSO Additional Configuration

View 26Fan 26

Index 26Status 26

Image 26

Index 26Serial No. 26Time of Load 26Version No. 26

Power 26Index 26Oper Status 26Temperature 26

IPSO Configuration View 2424

buttonAdditional Configuration 25

Card 24Config 25

Date/Time 25File Path 25Index 25

Log Size 25Log Table 25

Description 25Index 25

MB Rev Number 25MB Serial Number 25MB Type 25Serial Number 25SIMM Total 25Status 24Type 25

LLabels

Application IconCondition Status 15Model Name 15Model Type 15

Last Change 24

MMask 12Mode (Icon or List) 14Model type 5Model Type Label 15

NNetwork Type 11

OOperation Status 24

PPacket Size 24Performance Statistics 21

I n d e x I n d e x


Physical Address 24Port Number, Device 10

QQueue Length 24

RRateShape Application 18RateShape Configuration View 26

buttonAdd New Access List 27Aggregation Class 27Rules 27

Direction 27ifIndex 27Index 27Name 27Row Status 27

RateShape Performance View 18button

Aggregation Class 18Rules 18

Bytes Passed 18Direction 18ifIndex 18Index 18Pkts Passed 18

Row 27

Rule Status Table View 18Bytes Passed 19Direction 19Drop Octets 19Drop Pkts 19ifIndex 18Index 19

Rule Table View 27Action 27Agg Class Index 28Dest Addr 28Dest Addr Mask 28Dest End Port 28Dest Start Port 28Direction 27Established 28ifIndex 27Index 27Protocol 28Row Status 28Src Addr 28Src Addr Mask 28Src End Port 28Src Start Port 28TOS 27

SStatistics

Routing Frame Transmission 22

TTasks 8Threshold Information 11

VViews

Configuration 23Device Configuration 23Interface Configuration 24

Virtual Router Redundancy Protocol (VRRP) Application 20

VRRP Configuration View 29

Nokia Firewall (9035001-01) - CA...

Documents

Transcript of Nokia Firewall (9035001-01) - CA...