
NetEnforcer®
Policy Based Bandwidth Management

User Guide
Version 5.2
(Doc. No. D351006)
Important Notice
Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which
NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to
the end users using this manual, regardless of the form of action, whether in contract, tort (including
negligence), strict liability or otherwise.
SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED
FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME
WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT
OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY
FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL,
INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT.
Please read the End User License Agreement and Warranty Certificate provided with this product
before using the product. Please note that using the products indicates that you accept the terms of
the End User License Agreement and Warranty Certificate.
WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE
LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR
CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION
WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR
OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED
PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Copyright
Copyright © 1997-2004 Allot Communications. All rights reserved. No part of this document may
be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other
language without a written permission and specific authorization from Allot Communications Ltd.
Trademarks
Products and corporate names appearing in this manual may or may not be registered trademarks or
copyrights of their respective companies, and are used only for identification or explanation and to
the owners' benefit, without intent to infringe.
NetEnforcer®, NetBalancer®, CacheEnforcer® and the Allot Communications pyramid logo are
registered trademarks of Allot Communications Ltd.
NetPolicy™ is a trademark of Allot Communications Ltd.

NetEnforcer User Guide iii

Allot Communications

Americas
7664 Golden Triangle Drive
Eden Prairie, MN 55344
Tel: (952) 944-3100
Toll free: (877) 255-6826
Fax: (952) 944-3555

Middle East and Africa
5 Hanagar Street
Industrial Zone B,
Hod-Hasharon, 45800, Israel
Tel: 972-9-761-9200
Fax: 972-9-744-3626

Europe
NCI – Les Centres d'Affaires
Village d'Entreprises 'Green Side'
Batiment 1B
400 Avenue Roumanille, BP309
06906 Sophia Antipolis Cedex
France
Tel: 33-(0)4-93-00-11-67
Fax: 33-(0)4-93-00-11-65

Japan
Yajima Bldg 8F
7-11-3 Ginza, Chuo-Ku
Tokyo 104-0061
Japan
Tel: 81-(0)3-5537-7114
Fax: 81-(0)3-5537-5281

Asia Pacific
6, Ubi Road 1
Wintech Centre #06-12
Singapore 408726
Tel: 65 6841-3020
Fax: 65 6747-9173

Printing History
First Edition: December 2001, Version 4.1
Second Edition: September 2002, Version 4.2
Third Edition: January 2004, Version 5.1
Fourth Edition: December 2004, Version 5.2
About This Guide


The NetEnforcer User's Manual describes how to install and configure NetEnforcer in
your network, and use NetEnforcer to prioritize your network traffic.

This manual contains the following chapters:


Chapter 1, Introducing NetEnforcer, introduces NetEnforcer and provides an overall
description of the architecture and functioning of the system.
Chapter 2, Installing NetEnforcer, describes NetEnforcer hardware and the initial
installation and setup requirements.
Chapter 3, Getting Started, describes how to connect to NetEnforcer through your
Web browser, and describes the NetEnforcer Control Panel.
Chapter 4, Configuring NetEnforcer, describes how to modify NetEnforcer's
configuration parameters from a Web browser.
Chapter 5, NetWizard Quick Start, describes NetWizard, an easy-to-use wizard that
enables a network manager without a wide knowledge base to have an up-and-running
NetEnforcer in a relatively short time.
Chapter 6, Monitoring Network Traffic, describes how to monitor and analyze
network traffic using the NetEnforcer monitoring tools.
Chapter 7, Defining Catalog Entries, describes NetEnforcer Catalogs and how to
define new Catalog entries.
Chapter 8, Defining Policies, describes the process of defining a QoS policy and
optimizing this policy in your network environment.
Chapter 9, NetEnforcer Alerts, describes the NetEnforcer Alerts Editor and Alerts
Log.
Chapter 10, Detecting Security Threats, discusses the nature of DoS attacks and their
impact on network performance, and describes the ways in which NetEnforcer detects
and handles DoS attacks.
Chapter 11, SNMP Monitoring, describes NetEnforcer SNMP-based statistics and
how to generate MRTG reports.
Appendix A, Hardware Specifications, lists the hardware specifications for all
NetEnforcer models.
Appendix B, Fail-Safe Operation, describes the fail-safe methods implemented in
NetEnforcer, such as how NetEnforcer can operate parallel to another NetEnforcer to
provide full redundancy.
Appendix C, Hardware Configuration, describes how to access internal components
of the NetEnforcer units, and explains DIP switch settings.
Appendix D, Rack Mount Installation, describes how to mount the NetEnforcer
appliance.
Appendix E, NetEnforcer Port Reference, describes configuration requirements when
using NetEnforcer with a firewall.
Appendix F, NetEnforcer Protocol Reference, lists protocols supported by
NetEnforcer.
Appendix G, NetEnforcer Command Line Interface, describes how to use a
command line interface to configure NetEnforcer.
Appendix H, Troubleshooting, describes some common situations that may arise
when using NetEnforcer and their solutions.
Appendix I, Glossary, describes the terms used in the manual.
Conventions
The following conventions are used in this manual:
Note: Additional information that may be useful in understanding or using functionality.
Tip: A helpful hint for using functionality, for example, a shortcut.
Security Note: A note that has security implications.
Caution: Information that is important to consider when performing a particular action and that may have hazardous implications.
Table of Contents
CHAPTER 1: INTRODUCING NETENFORCER....................................................1-1
What is NetEnforcer?................................................................................................................................1-2
Optional Software Packages....................................................................................................................1-2
NetEnforcer Environments......................................................................................................................1-3
How Does NetEnforcer Deliver QoS? ......................................................................................................1-4
Monitor....................................................................................................................................................1-4
Classify....................................................................................................................................................1-5
Enforce ....................................................................................................................................................1-6
Report......................................................................................................................................................1-7
Fail-Safe Operation ...................................................................................................................................1-7
Terms and Concepts ..................................................................................................................................1-8
QoS..........................................................................................................................................................1-8
Catalog Editors ........................................................................................................................................1-9
Pipes ........................................................................................................................................................1-9
Virtual Channels.................................................................................................................................... 1-10
Rules...................................................................................................................................................... 1-10
Templates .............................................................................................................................................. 1-11
NetWizard ............................................................................................................................................. 1-12
NetEnforcer in Action ............................................................................................................................. 1-13
Scenario 1: Corporate............................................................................................................................ 1-13
Scenario 2: QoS in an Intranet............................................................................................................... 1-15
Scenario 3: ISP ...................................................................................................................................... 1-17
Scenario 4: Satellite Provider ................................................................................................................ 1-19
Scenario 5: Enhancing Enterprise Security ........................................................................................... 1-20

CHAPTER 2: INSTALLING NETENFORCER ........................................................2-1


Hardware Description ...............................................................................................................................2-2
NetEnforcer High Availability Platform .................................................................................................2-3
NetEnforcer Enhanced Platform............................................................................................................ 2-17
Out-of-Band Management..................................................................................................................... 2-25
Monitoring Only Models (AC-202 and AC-402).................................................................................. 2-26
Placement in the Network....................................................................................................................... 2-27


Connecting NetEnforcer to the Network .............................................................................................. 2-27
Setting Up NetEnforcer .......................................................................................................................... 2-29
Configuring Via a Terminal or Telnet .................................................................................................. 2-29
Configuring Via the LCD Panel ........................................................................................................... 2-40

CHAPTER 3: GETTING STARTED.......................................................................... 3-1


Accessing NetEnforcer.............................................................................................................................. 3-2
NetEnforcer Control Panel....................................................................................................................... 3-3
Installing the Java Plug-in 1.3.................................................................................................................. 3-9
Installing the Java Plug-in from Internet Explorer................................................................................ 3-11
Installing the Java Plug-in from Netscape ............................................................................................ 3-14

CHAPTER 4: CONFIGURING NETENFORCER ................................................... 4-1


Overview .................................................................................................................................................... 4-2
Activating the NetEnforcer ..................................................................................................................... 4-5
NetEnforcer Configuration Window ....................................................................................................... 4-7
Menu Bar ................................................................................................................................................ 4-7
Toolbar.................................................................................................................................................... 4-9
NetEnforcer Configuration Parameters................................................................................................ 4-10
Product IDs and Key............................................................................................................................. 4-11
Access Links......................................................................................................................................... 4-13
IP and Host Name ................................................................................................................................. 4-15
Security ................................................................................................................................................. 4-18
NIC ....................................................................................................................................................... 4-20
Networking ........................................................................................................................................... 4-22
SNMP ................................................................................................................................................... 4-26
Connection Control............................................................................................................................... 4-27
Monitoring ............................................................................................................................................ 4-29
Internal Accounting Setup .................................................................................................................... 4-30
External Accounting Setup ................................................................................................................... 4-32
RADIUS Setup ..................................................................................................................................... 4-34
Accounting/RADIUS Storage............................................................................................................... 4-37
LDAP/Text Source ............................................................................................................................... 4-40
VLAN ................................................................................................................................................... 4-41
Alerts .................................................................................................................................................... 4-43
Denial of Service (DoS)........................................................................................................................ 4-44
Additional Configuration Options.......................................................................................................... 4-46


Backing Up Configuration .................................................................................................................... 4-46
Restoring Configuration ........................................................................................................................ 4-47
Setting Date and Time ........................................................................................................................... 4-48
Verifying Configuration ........................................................................................................................ 4-49

CHAPTER 5: NETWIZARD QUICK START...........................................................5-1


Introducing NetWizard .............................................................................................................................5-2
Monitoring Network Traffic .....................................................................................................................5-3
Viewing Graphs.......................................................................................................................................5-8
Viewing Statistics.................................................................................................................................. 5-10
Viewing Information ............................................................................................................................. 5-12
Viewing the Log.................................................................................................................................... 5-14
Defining Policies....................................................................................................................................... 5-15
QoS Examples ....................................................................................................................................... 5-18

CHAPTER 6: MONITORING NETWORK TRAFFIC ............................................6-1


Overview.....................................................................................................................................................6-2
Graph Types ............................................................................................................................................6-4
Graph Views............................................................................................................................................6-5
Graph Styles ............................................................................................................................................6-6
In/Out Bandwidth ....................................................................................................................................6-7
NetEnforcer Monitoring Window ............................................................................................................6-8
Accessing Monitoring Graphs.................................................................................................................6-9
Monitoring Window Menu Bar ............................................................................................................. 6-12
Monitoring Window Toolbar ................................................................................................................ 6-15
Monitoring Graphs.................................................................................................................................. 6-21
Pipes Distribution .................................................................................................................................. 6-25
Virtual Channels Distribution................................................................................................................ 6-27
Bandwidth ............................................................................................................................................. 6-29
Connections........................................................................................................................................... 6-31
Utilization.............................................................................................................................................. 6-32
Packets................................................................................................................................................... 6-33
Most Active Pipes ................................................................................................................................. 6-35
Most Active Virtual Channels ............................................................................................................... 6-37
Most Active Protocols ........................................................................................................................... 6-39
Most Active Hosts ................................................................................................................................. 6-42
Most Active Internal Hosts ................................................................................................................... 6-43


Most Active External Hosts .................................................................................................................. 6-45
Most Active Clients .............................................................................................................................. 6-47
Most Active Servers.............................................................................................................................. 6-49
Long-Term Monitoring........................................................................................................................... 6-51
Collecting Data for Long-Term Monitoring ......................................................................................... 6-51
Adding Graphs...................................................................................................................................... 6-62
Viewing Long-Term Monitoring Graphs.............................................................................................. 6-66

CHAPTER 7: DEFINING CATALOG ENTRIES..................................................... 7-1


Working with Catalog Editors ................................................................................................................. 7-2
Accessing Catalog Editors ...................................................................................................................... 7-3
Protected Entries ..................................................................................................................................... 7-5
Deleting Entries from a Catalog ............................................................................................................. 7-6
Policy Editor Toolbar.............................................................................................................................. 7-6
Host Catalog Editor .................................................................................................................................. 7-8
Defining Host Lists................................................................................................................................. 7-9
Grouping Hosts ..................................................................................................................................... 7-12
Defining LDAP-based Hosts ................................................................................................................ 7-14
Defining Text File-Based Hosts............................................................................................................ 7-17
Service Catalog Editor ............................................................................................................................ 7-20
Defining TCP and UDP IP Protocols.................................................................................................... 7-21
Defining Non-TCP and Non-UDP IP Protocols ................................................................................... 7-23
Defining Non-IP Protocols ................................................................................................................... 7-24
Importing Protocols .............................................................................................................................. 7-26
Web Update .......................................................................................................................................... 7-29
Grouping Service Catalog Entries ........................................................................................................ 7-30
Adding Content..................................................................................................................................... 7-31
Time Catalog Editor ............................................................................................................................... 7-52
TOS (Type of Service) Catalog Editor .................................................................................................. 7-57
Free Format........................................................................................................................................... 7-61
VLAN Catalog Editor ............................................................................................................................. 7-63
Defining VLANs .................................................................................................................................. 7-64
Quality of Service Catalog Editor.......................................................................................................... 7-66
Ignoring Quality of Service .................................................................................................................. 7-68
Defining QoS for Pipes......................................................................................................................... 7-69
Defining QoS for Virtual Channels ...................................................................................................... 7-75
Connection Control Catalog Editor ....................................................................................................... 7-81


Load-Balancing ..................................................................................................................................... 7-83
Cache Redirection ................................................................................................................................. 7-85
Data Source Catalog Editor .................................................................................................................... 7-87

CHAPTER 8: DEFINING POLICIES.........................................................................8-1


NetEnforcer Policy.....................................................................................................................................8-2
Pipes ........................................................................................................................................................8-3
Virtual Channels......................................................................................................................................8-4
Rules........................................................................................................................................................8-4
Actions ....................................................................................................................................................8-5
Using Pipes, Virtual Channels and Rules................................................................................................8-9
NetEnforcer Policy Editor....................................................................................................................... 8-11
View Options......................................................................................................................................... 8-12
Policy Editor Menus and Toolbar.......................................................................................................... 8-13
Policy Editor Status Bar ........................................................................................................................ 8-19
Defining Policy ......................................................................................................................................... 8-20
Defining Your Network Requirements.................................................................................................. 8-21
Adding Pipes ......................................................................................................................................... 8-22
Adding Virtual Channels....................................................................................................................... 8-24
Adding Rules......................................................................................................................................... 8-26
Policy Table Order ................................................................................................................................ 8-28
Templates .............................................................................................................................................. 8-28
Distributing Policy to Other NetEnforcers ............................................................................................ 8-35

CHAPTER 9: NETENFORCER ALERTS .................................................................9-1


Overview.....................................................................................................................................................9-2
Important Preparation ..............................................................................................................................9-4
Alerts Editor...............................................................................................................................................9-5
Predefined Alerts.....................................................................................................................................9-5
Customized Actions .............................................................................................................................. 9-11
Conditions for Alerts ............................................................................................................................. 9-12
Defined Alerts List ................................................................................................................................ 9-16
Alerts Editor Menus and Toolbar .......................................................................................................... 9-17
Alerts Log................................................................................................................................................. 9-18


Alerts Log Menus and Toolbar ............................................................................................................. 9-21
Accessing Monitoring Graphs .............................................................................................................. 9-23
Filtering Alerts...................................................................................................................................... 9-24
Alerts Event Messages ............................................................................................................................ 9-27

CHAPTER 10: DETECTING SECURITY THREATS........................................... 10-1

Overview .................................................................................................................................................. 10-2
Detecting and Handling DoS Attacks .................................................................................................... 10-2
Denial of Service (DoS) Parameters ..................................................................................................... 10-3
Additional Protective Mechanisms ........................................................................................................ 10-5
Security Alerts ......................................................................................................................................... 10-6

CHAPTER 11: SNMP MONITORING..................................................................... 11-1

Viewing SNMP Statistics and Getting Traps........................................................................................ 11-2
Supported SNMP MIBs ........................................................................................................................ 11-2
Access Permissions............................................................................................................................... 11-3
Configuring Trap Destinations ............................................................................................................. 11-4
Traps ..................................................................................................................................................... 11-4
MIB-II Support ..................................................................................................................................... 11-5
Accessing the Allot MIBs..................................................................................................................... 11-8
Working with SNMP-Based Management Tools................................................................................ 11-11
Introducing MRTG ............................................................................................................................. 11-11
Installing MRTG for NetEnforcer ...................................................................................................... 11-12
Example MRTG Configuration File ................................................................................................... 11-15
Example NetEnforcer MRTG Graphs................................................................................................. 11-17

APPENDIX A: HARDWARE SPECIFICATIONS .................................................. A-1

Enhanced Platform..................................................................................................................................A-1
High Availability Platform .....................................................................................................................A-2
Standards, Compliance and Certifications ..............................................................................................A-4

APPENDIX B: FAIL-SAFE OPERATION ................................................................B-1

Bypass Mode..............................................................................................................................................B-2
Bypass Initiation .....................................................................................................................................B-3
Fiber Bypass and TAP (AC-802 Fiber) ..................................................................................................B-3
Connecting Two NetEnforcers in Full Redundancy .............................................................................. B-7
Status Indicators in Full Redundancy Mode........................................................................................... B-8
Secondary NetEnforcer Activation....................................................................................................... B-11
Primary and Secondary Definitions...................................................................................................... B-12
Full Redundancy Connection ............................................................................................................... B-14
High Availability Platform Power Redundancy................................................................................... B-18

APPENDIX C: HARDWARE CONFIGURATION.................................................. C-1

Setting Dip Switches for the Enhanced Platform................................................................................... C-1
Enhanced Platform DIP Switches........................................................................................................... C-3

APPENDIX D: RACK MOUNT INSTALLATION .................................................. D-1

APPENDIX E: NETENFORCER PORT REFERENCE.......................................... E-1

Firewall Ports ............................................................................................................................................ E-1

APPENDIX F: NETENFORCER PROTOCOL REFERENCE .............................. F-1

Supported Protocols ................................................................................................................................. F-1

APPENDIX G: NETENFORCER COMMAND LINE INTERFACE ....................G-1

NetEnforcer Command Line Interface ...................................................................................................G-1
Command Execution Modes .................................................................................................................. G-1
Accessing the CLI .....................................................................................................................................G-2
Scripts ........................................................................................................................................................G-2
CLI Command Syntax..............................................................................................................................G-3
Online Help ...............................................................................................................................................G-4
Command Descriptions ............................................................................................................................G-4
ToS Catalog Editing ............................................................................................................................... G-5
Data Source Catalog Editing .................................................................................................................. G-5
VLAN Catalog Editing........................................................................................................................... G-6
QoS Catalog Editing............................................................................................................................... G-7
Host Catalog Editing .............................................................................................................................. G-9
Time Catalog Editing ........................................................................................................................... G-11
Service Catalog Editing........................................................................................................................ G-12
Connection Control Catalog Editing .................................................................................................... G-15
Policy Catalog Editing ..........................................................................................................................G-17
List ........................................................................................................................................................G-19
Configuration Settings ..........................................................................................................................G-20

APPENDIX H: TROUBLESHOOTING.................................................................... H-1

APPENDIX I: GLOSSARY...........................................................................................I-1
Glossary of Terms ......................................................................................................................................I-1

List of Figures
Figure 1-1 - Corporate Network Structure with Three Outgoing WAN Links ............................................ 1-13
Figure 1-2 - Policy for Corporate Traffic................................................................................................... 1-14
Figure 1-3 - Managing an Intranet's Mission-Critical Traffic with the NetEnforcer ................................. 1-16
Figure 1-4 - Wireless ISP Network............................................................................................................ 1-17
Figure 1-5 - Policy For Wireless ISP Traffic............................................................................................. 1-18
Figure 1-6 - NetEnforcer In Satellite Network .......................................................................................... 1-19
Figure 1-7 - Preventing A Dos Attack With NetEnforcer.......................................................................... 1-21
Figure 2-1 – NetEnforcer Front Panel: High Availability Platform (Model AC-802).................................2-5
Figure 2-2 – Link Connections Area: AC-802 Copper.................................................................................2-6
Figure 2-3 – Link Connections Area: AC-802 Fiber ....................................................................................2-6
Figure 2-4 – NetEnforcer LCD Panel: High Availability Platform .............................................................2-8
Figure 2-5 – NetEnforcer Rear Panel: High Availability Platform (Model AC-802) ..................................2-9
Figure 2-6 – Copper Bypass Module ......................................................................................................... 2-12
Figure 2-7 – Connecting NetEnforcer AC-802 Copper to Copper Bypass Module................................... 2-13
Figure 2-8 – Fiber Bypass Module ............................................................................................................ 2-14
Figure 2-9 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass Module ......................................... 2-15
Figure 2-10 – NetEnforcer Front Panel: Enhanced Platform..................................................................... 2-18
Figure 2-11 – NetEnforcer LCD Panel: Enhanced Platform...................................................................... 2-22
Figure 2-12 – NetEnforcer Rear Panel: Enhanced Platform ...................................................................... 2-23
Figure 2-13 - Management Port................................................................................................................. 2-25
Figure 2-14 – LAN and WAN Placement of NetEnforcer........................................................................ 2-27
Figure 2-15 – NetEnforcer Setup Menu..................................................................................................... 2-30
Figure 2-16 – Current Configuration (1) ................................................................................................... 2-32
Figure 2-17 – Current Configuration (2) ................................................................................................... 2-33
Figure 2-18 – Network Configuration ....................................................................................................... 2-34
Figure 2-19 – Password ............................................................................................................................. 2-37
Figure 2-20 – Time Setup .......................................................................................................................... 2-38
Figure 2-21 – LCD Panel, Main Menu Options......................................................................................... 2-41
Figure 3-1 – NetEnforcer Log On Dialog Box ............................................................................................3-2
Figure 3-2 – NetEnforcer Control Panel......................................................................................................3-3
Figure 3-3 – Java Plug-In Software License Agreement Window............................................................. 3-11
Figure 3-4 – Java Plug-In Security Warning Window............................................................................... 3-12
Figure 3-5 - Java Plug-In Security Warning Pop-Up – Certificate Expiration Notice............................... 3-13
Figure 3-6 – Java Plug-In Icon .................................................................................................................. 3-14
Figure 3-7 – Plug-In Not Loaded Window................................................................................................ 3-15
Figure 3-8 – Java Plug-In Software License Agreement Window ............................................................ 3-15
Figure 3-9 – Java Plug-In Security Warning Window .............................................................................. 3-16
Figure 4-1 – NetEnforcer Configuration Window ...................................................................................... 4-3
Figure 4-2 – Confirmation Message............................................................................................................ 4-4
Figure 4-3 – Product IDs & Key Parameters ............................................................................................. 4-11
Figure 4-4 – Save Configuration to NetEnforcer Message ....................................................................... 4-12
Figure 4-5 – Access Links Parameters ...................................................................................................... 4-13
Figure 4-6 – IP & Host Name Parameters................................................................................................. 4-15
Figure 4-7 – Out-of-Band Management.................................................................................................... 4-17
Figure 4-8 – Security Parameters .............................................................................................................. 4-18
Figure 4-9 – NIC Parameters .................................................................................................................... 4-20
Figure 4-10 – Networking Parameters ...................................................................................................... 4-22
Figure 4-11 – Monitoring Only Mode Error Message .............................................................................. 4-24
Figure 4-12 – Activating Monitoring Only Mode Message ...................................................................... 4-24
Figure 4-13 – Deactivating Monitoring Only Mode Message................................................................... 4-25
Figure 4-14 – SNMP Parameters .............................................................................................................. 4-26
Figure 4-15 – Connection Control Parameters.......................................................................................... 4-27
Figure 4-16 – Monitoring Parameters ....................................................................................................... 4-29
Figure 4-17 – Internal Accounting Parameters ......................................................................................... 4-30
Figure 4-18 – External Accounting Parameters ........................................................................................ 4-32
Figure 4-19 – Radius Setup Parameters .................................................................................................... 4-34
Figure 4-20 – Accounting/Radius Storage Parameters.............................................................................. 4-37
Figure 4-21 – LDAP/Text Source Parameters........................................................................................... 4-40
Figure 4-22 – VLAN Parameters .............................................................................................................. 4-41
Figure 4-23 – Alerts Parameters................................................................................................................ 4-43
Figure 4-24 – Denial of Service Parameters.............................................................................................. 4-44
Figure 4-25 – Backup Configuration Dialog Box ..................................................................................... 4-46
Figure 4-26 – Restore Configuration Dialog Box ...................................................................................... 4-47
Figure 4-27 – Date and Time Configuration Dialog Box.......................................................................... 4-48
Figure 4-28 – System Message ................................................................................................................. 4-48
Figure 4-29 – Setup Verification Dialog Box ........................................................................................... 4-49
Figure 5-1 – NetWizard Setup Window...................................................................................................... 5-4
Figure 5-2 – NetWizard: Create New Pipe Window................................................................................... 5-5
Figure 5-3 – NetWizard Monitoring Window: Graphs View...................................................................... 5-6
Figure 5-4 – NetWizard Monitoring Window: Statistics View................................................................. 5-10
Figure 5-5 – NetWizard Monitoring Window: Information View ............................................................ 5-12
Figure 5-6 – NetWizard Monitoring Window: Log View .......................................................................... 5-14
Figure 5-7 – Policy Definition Window .................................................................................................... 5-16
Figure 6-1 – Sample Favorite View.............................................................................................................6-3
Figure 6-2 – Graph Views ...........................................................................................................................6-5
Figure 6-3 – Bar Chart.................................................................................................................................6-6
Figure 6-4 – Pie Chart..................................................................................................................................6-6
Figure 6-5 – Line Chart ...............................................................................................................................6-6
Figure 6-6 – Area Chart ...............................................................................................................................6-6
Figure 6-7 – Displaying Bandwidth.............................................................................................................6-7
Figure 6-8 – Sample Monitoring Window...................................................................................................6-8
Figure 6-9 – NetEnforcer Monitoring Menu ................................................................................................6-9
Figure 6-10 – Accessing Monitoring Graphs: Pipe Level ......................................................................... 6-10
Figure 6-11 – Accessing Monitoring Graphs: Virtual Channel Level ....................................................... 6-11
Figure 6-12 – Graphs Features Dialog Box ............................................................................................... 6-18
Figure 6-13 – Pipes Distribution Graph..................................................................................................... 6-25
Figure 6-14 – Selecting Other Graphs ....................................................................................................... 6-26
Figure 6-15 – Virtual Channels Distribution Graph .................................................................................. 6-27
Figure 6-16 – Bandwidth Graph ................................................................................................................ 6-29
Figure 6-17 – Connections Graph.............................................................................................................. 6-31
Figure 6-18 – Utilization Graph................................................................................................................. 6-32
Figure 6-19 – Packets Graph ..................................................................................................................... 6-33
Figure 6-20 – Most Active Pipes Graph .................................................................................................... 6-35
Figure 6-21 – Cumulative Range Dialog Box ........................................................................................... 6-36
Figure 6-22 – Most Active Virtual Channels Graph.................................................................................. 6-37
Figure 6-23 – Most Active Protocols Graph.............................................................................................. 6-39
Figure 6-24 – Select Pipe Dialog Box ....................................................................................................... 6-41
Figure 6-25 – Most Active Hosts Graph.................................................................................................... 6-42
Figure 6-26 – Most Active Internal Hosts Graph ...................................................................................... 6-44
Figure 6-27 – Most Active External Hosts Graph ..................................................................................... 6-46
Figure 6-28 – Most Active Clients Graph.................................................................................................. 6-48
Figure 6-29 – Most Active Servers Graph ................................................................................................. 6-49
Figure 6-30 – Long-Term Monitoring Agent Window.............................................................................. 6-56
Figure 6-31 – Long-Term Monitoring First Steps ..................................................................................... 6-58
Figure 6-32 – Long-Term Monitoring Window ........................................................................................ 6-59
Figure 6-33 – Setting Long-Term Monitoring Location Dialog Box ........................................................ 6-60
Figure 6-34 – Long-Term Monitoring Window – Set Data Location........................................................ 6-61
Figure 6-35 – Long-Term Monitoring Window - Add New Graph ........................................................... 6-63
Figure 6-36 – Long-Term Monitoring Window – Graph Added ............................................................... 6-64
Figure 6-37 – Long-Term Monitoring Agent Log .................................................................................... 6-65
Figure 6-38 – Graph Time Span Coverage for (Name of Selected Graph) Window – Relative Span Mode ................ 6-67
Figure 6-39 – Graph Time Span Coverage for (Name of Selected Graph) Window – Specific Span Mode ................. 6-69
Figure 6-40 – Long-Term Monitoring Graph (Period Level).................................................................... 6-70
Figure 6-41 – Long-Term Monitoring Graph (Month Level) ................................................................... 6-73
Figure 6-42 – Long-Term Monitoring Graph (Day Level) ....................................................................... 6-74
Figure 6-43 – Long-Term Monitoring Graph (Hour Level)...................................................................... 6-75
Figure 6-44 – Long-Term Monitoring Graph (Five-Minute Level) .......................................................... 6-76
Figure 6-45 – Long-Term Monitoring Graph (Thirty-Second Level) ....................................................... 6-77
Figure 6-46 – Time Unit Selection for Detailed View Dialog Box........................................................... 6-78
Figure 6-47 – Collection Log File Dialog Box ......................................................................................... 6-80
Figure 7-1 – Sample Catalog Editor............................................................................................................ 7-4
Figure 7-2 – Policy Editor........................................................................................................................... 7-6
Figure 7-3 – Host Catalog Editor ................................................................................................................ 7-8
Figure 7-4 – New Host Entry Popup Menu................................................................................................. 7-9
Figure 7-5 – Host Catalog Editor: Adding Hosts ...................................................................................... 7-10
Figure 7-6 – Host Catalog Editor: Grouping Hosts................................................................................... 7-13
Figure 7-7 – Hosts Catalog Editor: LDAP-Based Hosts ............................................................................ 7-15
Figure 7-8 – Hosts Catalog Editor: Text File-Based Hosts ....................................................................... 7-18
Figure 7-9 – Service Catalog Editor.......................................................................................................... 7-20
Figure 7-10 – New Service Entry Popup Menu ........................................................................................ 7-21
Figure 7-11 – Service Catalog: TCP/UDP Protocol ................................................................................... 7-22
Figure 7-12 – Service Catalog: Non-UDP/TCP IP Protocol ..................................................................... 7-23
Figure 7-13 – Service Catalog: Non-IP Protocol ...................................................................................... 7-25
Figure 7-14 – Protocols Library Dialog Box............................................................................................. 7-26
Figure 7-15 – Accessing Protocols Library Dialog Box from Policy Editor............................................. 7-27
Figure 7-16 – Protocols Library Dialog Box Accessed from Policy Editor .............................................. 7-28
Figure 7-17 – Web Update Message ......................................................................................................... 7-29
Figure 7-18 – Service Catalog Editor: Grouping Services ........................................................................ 7-30
Figure 7-19 – Service Catalog: Adding Content and File Name Tab........................................................ 7-32
Figure 7-20 – Service Catalog: Adding Content and URL Tab ................................................................ 7-35
Figure 7-21 – Adding Content: Methods Tab ........................................................................................... 7-36
Figure 7-22 – Adding Content: Hosts Tab ................................................................................................ 7-37
Figure 7-23 – Adding Content: Content Type Tab ................................................................................... 7-39
Figure 7-24 – Service Catalog: Adding Content and Service Tab ............................................................ 7-41
Figure 7-25 – Service Catalog: Adding Content and URL Tab ................................................................ 7-44
Figure 7-26 – Service Catalog: Adding Content in H.323........................................................................ 7-46
Figure 7-27 – Service Catalog: Adding Content in Citrix ......................................................................... 7-48
Figure 7-28 – Adding Content: User Name Tab........................................................................................ 7-49
Figure 7-29 – Adding Content: Priority Tab.............................................................................................. 7-50
Figure 7-30 – Time Catalog Editor............................................................................................................ 7-52
Figure 7-31 – Time Entry Definition Dialog Box...................................................................................... 7-53
Figure 7-32 – Time Entry Definition: Daily .............................................................................................. 7-54
Figure 7-33 – Time Entry Definition: Weekly........................................................................................... 7-55
Figure 7-34 – Time Entry Definition: Monthly ......................................................................................... 7-55
Figure 7-35 – Time Entry Definition: Yearly ............................................................................................ 7-55
Figure 7-36 – Sample ToS Catalog Editor................................................................................................ 7-57
Figure 7-37 – ToS Catalog Editor: Differentiated Service........................................................................ 7-59
Figure 7-38 – Differentiated Service – Assured Forwarding..................................................................... 7-60
Figure 7-39 – ToS Catalog Editor: Free Format ....................................................................................... 7-61
Figure 7-40 – Details of the Ethernet Frame Before and After the Addition of 802.1Q Frame Information ........ 7-63
Figure 7-41 – VLAN Catalog Editor ......................................................................................................... 7-64
Figure 7-42 – QOS Catalog Editor ............................................................................................................ 7-66
Figure 7-43 – Ignore QOS Warning .......................................................................................................... 7-68
Figure 7-44 – Defining QOS for Pipes ....................................................................................... 7-69
Figure 7-45 – Inbound and Outbound Tab: Half-Duplex Pipe .................................................................. 7-72
Figure 7-46 – Defining QOS for Pipes: General Tab ................................................................................ 7-73
Figure 7-47 – Defining QOS for Virtual Channels.................................................................................... 7-75
Figure 7-48 – CBR Parameters .................................................................................................................. 7-78
Figure 7-49 – Defining QoS for Virtual Channels: General Tab................................................ 7-79
Figure 7-50 – Connection Control Catalog Editor..................................................................................... 7-81
Figure 7-51 – Connection Control Catalog Editor: Load Balancing.......................................................... 7-83
Figure 7-52 – Connection Control Catalog Editor: Cache Server ............................................................. 7-85
Figure 7-53 – Data Source Catalog Editor................................................................................ 7-87
Figure 7-54 – Data Source Catalog Editor: LDAP Server ......................................................................... 7-88
Figure 7-55 – Data Source Catalog Editor: Hosts Text File ...................................................................... 7-89
Figure 8-1 – Pipe/Virtual Channel/Rule Relationship .................................................................................8-2
Figure 8-2 – Policy Editor ......................................................................................................................... 8-11
Figure 8-3 – View Options ........................................................................................................................ 8-12
Figure 8-4 – Data Source Catalog Editor: Hosts Text File ........................................................................ 8-17
Figure 8-5 – Host Catalog Editor............................................................................................................... 8-18
Figure 8-6 – Query Dialog......................................................................................................................... 8-19
Figure 8-7 – Defining Policy Workflow .................................................................................................... 8-20

NetEnforcer User Guide xxi



Figure 8-8 – Insert Pipe Template............................................................................................................. 8-30


Figure 8-9 – New Pipe Template .............................................................................................................. 8-31
Figure 8-10 – Insert Virtual Channel Template ........................................................................................ 8-33
Figure 8-11 – New Virtual Channel Template .......................................................................................... 8-34
Figure 8-12 – Distribution List.................................................................................................................. 8-35
Figure 8-13 – Device Properties Dialog Box ............................................................................................ 8-36
Figure 8-14 – Distribution Report ............................................................................................................. 8-37
Figure 9-1 – NetEnforcer Configuration Window ...................................................................................... 9-4
Figure 9-2 – Alerts Editor ........................................................................................................................... 9-6
Figure 9-3 – Alerts Editor – Behavior Tab.................................................................................................. 9-8
Figure 9-4 – Alerts Log............................................................................................................................. 9-19
Figure 9-5 – Set Filters For Alerts Log Dialog Box: Severity Tab ........................................................... 9-24
Figure 9-6 – Set Filters For Alerts Log Dialog Box: Acknowledge Tab .................................................. 9-25
Figure 9-7 – Set Filters For Alerts Log Dialog Box: Source Type Tab .................................................... 9-25
Figure 9-8 – Set Filters For Alerts Log Dialog Box: Names & Description Tab...................................... 9-26
Figure 11-1 – Pipe/VC Lookup for SNMP Dialog Box............................................................ 11-13
Figure B-1 – Fiber Bypass Unit ..................................................................................................................B-4
Figure B-2 – Multimode Coupler Unit........................................................................................................B-4
Figure B-3 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass and Tap .........................................B-5
Figure B-4 – Connecting Two NetEnforcers in Full Redundancy ..............................................................B-8
Figure B-5 – Full Redundancy Setup Example .........................................................................................B-13
Figure B-6 – DIP Switch Configuration for Enhanced Platform at Full Redundancy ..............................B-17
Figure C-1 - DIP Switch Location: Enhanced Platform..............................................................................C-2



Chapter 1: Introducing NetEnforcer

This chapter introduces NetEnforcer and explains how it delivers Quality of Service.

This chapter includes the following sections:


• What is NetEnforcer?, page 1-2, introduces NetEnforcer, providing an overview of its
functionality and describing typical environments for its use.
• How Does NetEnforcer Deliver QoS?, page 1-4, provides an overview of the
NetEnforcer workflow: monitor, classify, enforce and report.
• Terms and Concepts, page 1-8, introduces some of the basic terms and concepts used
in NetEnforcer.
• NetEnforcer in Action, page 1-13, presents scenarios that provide examples of how
NetEnforcer can optimize network traffic in a variety of working environments.


What is NetEnforcer?
NetEnforcer is a network policy enforcement device that enables you to monitor,
categorize and optimize network traffic by assigning Quality of Service (QoS) to
specified classes of traffic. QoS is the ability to define a level of performance in a data
communications system.
The exponential growth in the use of the Internet, combined with an increasing number
of Web-based applications, has resulted in unprecedented demands on existing
communication system technologies. In order to achieve an acceptable level of service
and overcome the bandwidth bottleneck problem, network managers need the capability
to control network traffic and develop prioritization policies appropriate to available
bandwidth.
NetEnforcer gives you the power to intelligently shape network bandwidth and deliver
system-wide service level guarantees based on the needs and priorities of the network
service provider or corporation.

Optional Software Packages


NetEnforcer can be further enhanced with the addition of optional software packages, as
follows:
• NetAccountant: Provides policy-based tracking of bandwidth and transactions,
usage-based reporting and billing.
• CacheEnforcer: Enables the enforcement of network caching policies.
• NetBalancer: Enables the distribution of traffic according to individual server
capabilities.


NetEnforcer Environments
Typical application environments for the NetEnforcer product family include:
• Corporate Networks: NetEnforcer controls traffic flows from Web-based
customers, internal users and remote offices to centralized corporate networks and
services. Network managers can give high priority to mission-critical applications
and assure necessary bandwidth to timing-critical applications such as voice and
video.
• Internet Service Providers: NetEnforcer manages and enforces SLAs (Service
Level Agreements). ISPs are able to deliver advanced bandwidth capabilities to
customers and provide differentiated services, partition bandwidth and support Web
hosting. NetEnforcer is geared for ISP operations providing full SLA support and
integration with ODBC and RADIUS-based billing packages, in addition to
interfacing to LDAP-based user directories.
• Educational Network: NetEnforcer limits the use of low priority traffic such as
music and file-sharing applications, and assigns Quality of Service (QoS) for
specific user groups. The NetEnforcer can limit students' access to particular sites
and applications during business hours, while allowing high-priority access to
faculty members or administrators.
• Wireless ISP Network: NetEnforcer offers service providers a complete suite of
tools for better managing over-subscription and enforcing SLAs. NetEnforcer
allows providers to immediately identify, and then cap or limit bandwidth abusers.
Its Web-based policy manager, traffic monitor and IP accounting tools offer
superior functionality and ease-of-use for allowing the service provider to discover
how Internet access is being used. NetEnforcer is an ideal platform for rapidly
provisioning new subscribers, creating and enforcing multiple tiers of service, and
collecting usage-based billing information for export to an external database.
• Voice and Video Applications: NetEnforcer enables the prioritization of data
applications and the guaranteeing of bandwidth to timing-critical, real-time
applications like Voice over IP and Video. NetEnforcer allows control of your data
and voice traffic. Through NetEnforcer, specific voice, video and multimedia traffic
flows can be identified and the following actions can be assigned: minimum and
maximum bandwidth, priorities, guaranteed rate, fairness and admission control.


• Satellite Network: Using NetEnforcer, satellite service providers reduce data
retransmissions, assure fairness by prioritizing users and applications, and provide
predictable, guaranteed bandwidth for video and voice-type streaming applications.
NetEnforcer maximizes the efficiency of traffic flowing through satellite systems.
Its advanced analysis capabilities allow the intelligent distribution of traffic through
WAN channels based on the overall state of the satellite link, its delays and
throughput. The end-result is a more efficient, reliable, and predictable system for
delivering applications over the network.

How Does NetEnforcer Deliver QoS?


NetEnforcer provides policy-based bandwidth management. Policy is defined by
classifying traffic and assigning QoS to each classification. Your policy is built and
defined over time and can be continuously adapted to meet your network requirement.
The NetEnforcer workflow is as follows:

Monitor
NetEnforcer's monitoring tools enable you to monitor in real-time the type of traffic
flowing through your network and determine your current network application patterns.
When and where your network has peaks, bursts and bottlenecks is hard to predict. The
monitoring tools enable you to see these peaks in real time, which is crucial to
managing these unwanted phenomena.


Different applications, such as e-Business, ERP and real-time applications, require
performance guarantees. Other mission-critical applications may suffer from a shortage
of bandwidth, while non-critical Web browsing and batch traffic, such as mail and FTP,
may use up network resources. Using the monitoring tools, you can identify
applications on your network that you consider mission-critical applications. These may
be special applications that are time and/or resource sensitive to which you may want to
provide increased bandwidth or server resources. Similarly, you can identify items on
your network that you consider low priority. These may include traffic that you consider
non-time and/or response sensitive, or applications that you wish to limit during busy
hours, such as FTP traffic.
The NetEnforcer monitoring tools are described in Chapter 6, Monitoring Network
Traffic.

Classify
Once you understand your network traffic patterns, you define a policy to improve your
network performance.
QoS policy consists of a set of conditions (a rule) and a set of actions that apply when
the conditions are satisfied. The actions include the QoS to be applied. For example, a
rule might be defined as traffic from source A to source B. When traffic is matched to
that rule, the specified QoS is applied.
Classification is made easier with the use of Pipes and Virtual Channels. A Pipe and a
Virtual Channel are defined by one or more rules and a set of actions.

[Figure: a Pipe is defined by one or more Rules (three are shown) and a set of Actions; a
Virtual Channel is likewise defined by one or more Rules (two are shown) and a set of Actions.]

A Pipe includes one or more Virtual Channels. Thus, your policy consists of a hierarchy
of classification. Every connection into NetEnforcer is matched to a rule, as follows:
• Find the first Pipe rule that the connection matches. There is a default Pipe defined
in NetEnforcer (Fallback Pipe). If a connection does not match the rules of any
other Pipes, it matches the Fallback Pipe.
• Within that Pipe, find the first Virtual Channel rule that the connection matches.
Every Pipe includes a default Virtual Channel (Fallback). If a connection does not
match the rules of any other Virtual Channels within the Pipe, it matches the
Fallback Virtual Channel.
• Apply the actions defined for that Virtual Channel.
Pipes enable ISPs to divide bandwidth into logical slices and offer them to customers.
The customers can then further divide the slice of bandwidth using Virtual Channels.
Similarly, enterprises with several links to the Internet can manage each link separately
by defining a Pipe for each link.
To speed up the creation of your policy, you can use a Pipe or Virtual Channel template.
Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will
create multiple Pipes or Virtual Channels very similar to each other but with a different
IP address as the source or destination. Thus, a template must include a list of IP
addresses in the source or destination definition. A template saves the need to define
similar Pipes or Virtual Channels when the only difference between them is the IP
address in the source or destination.
Policy is defined in the Policy Editor (described in Chapter 8, Defining Policies).
Values for the conditions that make up a rule and for actions are predefined in Catalogs
(described in Chapter 7, Defining Catalog Entries).

Enforce
The process of saving a policy saves the policy to NetEnforcer, which then begins to
enforce the policy. NetEnforcer continuously prioritizes and shapes network bandwidth
according to your defined and saved policy.


Report
Once the policy is being enforced, NetEnforcer's monitoring tools let you verify that the
QoS policy is actually being applied. You can confirm that the monitoring graphs reflect
the behavior expected from the policy definition. You can monitor traffic in real-time
and, using Long Term Monitoring, you can monitor your network's activity over a much
longer period of time. If required, you can make adjustments to your QoS policy in order
to fine-tune network performance.
The NetEnforcer monitoring tools are described in Chapter 6, Monitoring Network
Traffic.

Fail-Safe Operation
Allot NetEnforcer has two fail-safe features that ensure proper and continuous network
function: Bypass and Full Redundancy.
All NetEnforcers contain a Bypass element that connects the Internal connector to the
External connector in the case of a subsystem failure in NetEnforcer or a power loss.
This mechanism ensures that traffic continues to pass through passive elements of the
NetEnforcer should any hardware or software problem occur. The Bypass is an internal
element on all models except the High Availability AC-802 models, where it is
implemented as an external Bypass module.
Full Redundancy is a backup mechanism that handles the failure of a network device,
and ensures the network continues to function. Full Redundancy is provided by
connecting two NetEnforcers in parallel. The primary NetEnforcer handles the traffic
and the secondary NetEnforcer is designed to be in Standby mode as long as the
primary NetEnforcer is active. Only if, for any reason, the primary NetEnforcer is not
able to function properly, does the secondary NetEnforcer become active.
In Full Redundancy mode, Bypass is activated only if both the primary and the secondary
NetEnforcer fail.


Terms and Concepts


This section introduces some of the basic terms and concepts used in NetEnforcer.

QoS
QoS is the ability to define a level of performance in a data communications system. In
NetEnforcer, QoS is defined as an action applied to a connection when the conditions of
a rule are satisfied. The QoS specified can include the following:
• Prioritized Bandwidth: Delivers levels of service based on a connection's
importance level and demand for traffic relative to other connections. During peak
traffic periods, the NetEnforcer will slow down lower priority applications,
resulting in increased bandwidth delivery to higher priority applications.
• Guaranteed Bandwidth: Enables the assignment of fixed minimum and maximum
amounts of bandwidth to specific Pipes, Virtual Channels and connections. By
borrowing excess bandwidth when it is available, connections are able to burst
above guaranteed minimum limits, up to the maximum guaranteed rate. Guaranteed
rates also assure predictable service quality by enabling time-critical applications to
receive constant levels of service during peak and non-peak traffic periods.
• Reserved Bandwidth on Demand: Enables the reservation of the minimum
bandwidth at the first byte of a connection until the connection is ended. This is
useful when the bottleneck is not at the link governed by NetEnforcer. By limiting
other connections (non-guarantees), NetEnforcer reserves enough bandwidth for the
required Pipe or Virtual Channel.
• TOS Marking: Enables the marking of connections admitted beyond the maximum
connections allowed per Virtual Channel with a different TOS value. Additionally,
out-of-profile traffic (beyond the guaranteed minimum) can be marked with a
different TOS value than the in-profile traffic for each connection.
• Access Control: Determines whether a connection is accepted, dropped or rejected.
For example, you can specify the following Pipe: accept 1000 ICMP connections to
Server1 and drop the rest. NetEnforcer can also be instructed to accept new
connections with a lower priority.


• Admission Control: Determines the bandwidth granted to a flow based on your
demand (for example, an allocated minimum of 10kbps) and NetEnforcer's system
state (meaning, whether there is enough bandwidth available).
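The QoS actions above interact: a guaranteed minimum is only honoured if admission control finds room for it, unused guarantee is lent to other Virtual Channels, borrowing runs by priority and never exceeds a maximum, and everything borrowed is "out-of-profile" traffic that could be TOS-marked differently. The following Python block is an added example written for this guide, not Allot's code or an exact description of NetEnforcer's scheduler; the link rate, the four Virtual Channels, their rates, priorities and demands, and the equal-share (water-filling) rule used within one priority level are all assumptions chosen to make the arithmetic visible.

```python
"""Added example (not Allot's code): how a guaranteed minimum, a maximum,
a priority and admission control combine when one link is shared by
several Virtual Channels. VC names, rates and demands are constructed."""
from dataclasses import dataclass


@dataclass
class VC:
    name: str
    min_kbps: float     # guaranteed minimum (0 = no guarantee)
    max_kbps: float     # ceiling, enforced even when the link is idle
    priority: int       # 1 = highest; lower priorities are slowed first
    demand_kbps: float  # what the connections in this VC currently want


def _water_fill(pool, room):
    """Share `pool` equally among the VCs in `room` (name -> kbps still wanted),
    re-spreading whatever capped VCs cannot take. Returns (grants, leftover)."""
    grants = {n: 0.0 for n in room}
    active = {n for n, r in room.items() if r > 0}
    while pool > 1e-9 and active:
        share = pool / len(active)
        for n in list(active):
            give = min(share, room[n] - grants[n])
            grants[n] += give
            pool -= give
            if grants[n] >= room[n] - 1e-9:
                active.discard(n)
    return grants, pool


def allocate(link_kbps, vcs):
    """Return {name: {"in_profile", "out_profile", "admitted"}}; kbps values."""
    out = {v.name: {"in_profile": 0.0, "out_profile": 0.0, "admitted": False} for v in vcs}
    reserved = 0.0
    # 1. Admission control, highest priority first: a minimum is honoured only
    #    if the whole reservation still fits next to the ones already made.
    #    What a VC does not use of its minimum is lent out in step 2.
    for v in sorted(vcs, key=lambda v: v.priority):
        if reserved + v.min_kbps <= link_kbps:
            reserved += v.min_kbps
            out[v.name]["admitted"] = True
            out[v.name]["in_profile"] = min(v.min_kbps, v.demand_kbps)
    # 2. Borrowing: spare capacity goes to unmet demand strictly by priority,
    #    water-filled within one priority level, never above a VC's maximum.
    #    Everything granted here is out-of-profile and could be TOS-marked.
    pool = link_kbps - sum(r["in_profile"] for r in out.values())
    for prio in sorted({v.priority for v in vcs}):
        room = {v.name: min(v.max_kbps, v.demand_kbps) - out[v.name]["in_profile"]
                for v in vcs if v.priority == prio}
        grants, pool = _water_fill(pool, room)
        for name, kbps in grants.items():
            out[name]["out_profile"] += kbps
        if pool <= 1e-9:
            break
    return out


def total_kbps(alloc, name):
    return alloc[name]["in_profile"] + alloc[name]["out_profile"]


# Constructed: a 2 Mbps link shared by VoIP, SAP, web browsing and FTP,
# with FTP the lowest priority and no guarantee for web or FTP.
LINK_KBPS = 2000
VCS = [
    VC("voip", min_kbps=500, max_kbps=800, priority=1, demand_kbps=600),
    VC("sap", min_kbps=600, max_kbps=2000, priority=2, demand_kbps=1200),
    VC("web", min_kbps=0, max_kbps=2000, priority=3, demand_kbps=1000),
    VC("ftp", min_kbps=0, max_kbps=400, priority=4, demand_kbps=900),
]

if __name__ == "__main__":
    for name, r in allocate(LINK_KBPS, VCS).items():
        print(f"{name:5s} in={r['in_profile']:6.0f} out={r['out_profile']:6.0f} "
              f"admitted={r['admitted']}")
```

With the constructed numbers the 2 Mbps link ends up as VoIP 600 (500 guaranteed + 100 borrowed), SAP 1200 (600 + 600), web 200 and FTP 0: the lowest priority is starved during this peak, which is exactly why a class you care about should carry a minimum rather than rely on priority alone. Run `allocate(1000, ...)` with the same VoIP and SAP entries to see admission control refuse SAP's 600 kbps guarantee when only 500 kbps is left unreserved; SAP is then served only from borrowed, out-of-profile bandwidth.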

Catalog Editors
Catalog Editors enable you to define the values used when building your policy. The
possible values for each condition of a rule and for each action are defined as Catalog
entries in the Catalog Editors. A Catalog Editor lets you give a logical name to a
comprehensive set of parameters (a Catalog entry); that logical name then becomes a
possible value for a condition or an action. Catalog Editors are described in detail in
Chapter 7, Defining Catalog Entries.

Pipes
A Pipe provides a way of classifying traffic that enables you to divide the total
bandwidth and then manage every Pipe as if it was an independent link. A Pipe consists
of one or more sets of conditions (rules) and a set of actions that apply when any of the
rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of
Virtual Channels from a QoS point of view. When you add a new Pipe, it always
includes at least one Virtual Channel, the Fallback Virtual Channel. The rule of the
Fallback Virtual Channel cannot be modified or deleted. A connection coming into
NetEnforcer is matched to a Pipe according to whether the characteristics of the
connection match any of the rules of the Pipe. The connection is then further matched to
the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence
all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are
enforced together with the actions of the Pipe.


Virtual Channels
A Virtual Channel provides a way of classifying traffic and consists of one or more sets
of conditions (rules) and a set of actions that apply when any of the rules are met. A
Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further
matched to a Virtual Channel according to whether the characteristics of the connection
match any of the rules of the Virtual Channel.

Rules
A rule is a set of six conditions. Rules can be defined at Pipe level or Virtual Channel
level. NetEnforcer matches connections to rules, first at the Pipe level and then at
Virtual Channel level within a Pipe.
The six conditions that make up a rule are as follows:
• Connection Source: Defines the source of the traffic. For example, a specific IP or
MAC address, a range of IP addresses, IP Subnet addresses, or host names. The
default value is Any which covers traffic from any source.
• Connection Destination: Defines the destination of the traffic. For example, a
specific IP or MAC address, a range of IP addresses, IP Subnet addresses, or host
names. The default value is Any, which covers traffic to any destination.
• Service: Defines the protocols relevant to a connection. A protocol may be TCP or
UDP over IP, another IP protocol (neither TCP nor UDP), or a non-IP protocol. TCP
and UDP protocols are identified by port number. HTTP services may include content
definitions, such as specific Web directories, pages, or URL patterns. The default
value is all, which covers all protocols.
• TOS: Defines the TOS byte contained in the IP headers of the traffic. The default
value is Any, which covers any TOS value.
• VLAN: Defines VLAN bits contained in the VLAN header of the traffic. The
default value is Any, which covers any VLAN value.


• Time: Defines the time period during which the traffic is received. For example
daily between 8.00 AM and 6.00 PM, Sundays between 12.00 AM and 12.00 PM or
on the 1st and 15th of the month. The default value is Always, which covers traffic at
any time.
When a new Pipe or Virtual Channel is created, it is assigned a default rule with default
values for each condition and you can modify these values as required.
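The matching order described under Classify (first matching Pipe, then first matching Virtual Channel inside it, with the Fallback entries as the catch-all) and the six rule conditions listed above can be put into a few dozen lines. The Python block below is an added example written for this guide, not Allot's code; the policy it builds is modelled loosely on the corporate scenario later in this chapter, and the destination subnets (10.1.0.0/16, 10.2.0.0/16), the TOS values used for SAP and multimedia (0x68, 0xB8), the service names and the action values are all assumptions.

```python
"""Added example (not Allot's code): first-match classification of a
connection into a Pipe and then a Virtual Channel, with the Fallback
entries the chapter describes. Rule conditions: Source, Destination,
Service, TOS, VLAN and Time, with the guide's default values."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

ANY, ALL, ALWAYS = "Any", "all", "Always"   # condition defaults, named as in the guide


@dataclass
class Connection:
    src: str                 # IPv4 address of the sender
    dst: str                 # IPv4 address of the receiver
    service: str             # e.g. "http", "ftp", "sap" (assumed names)
    tos: int = 0             # TOS byte from the IP header
    vlan: int = 0            # VLAN ID from the 802.1q header (0 = untagged)
    at: time = time(12, 0)   # time of day the connection was seen


@dataclass
class Rule:
    src: str = ANY           # single IP, CIDR subnet, or Any
    dst: str = ANY
    service: str = ALL
    tos: object = ANY        # int or Any
    vlan: object = ANY       # int or Any
    window: object = ALWAYS  # (start, end) times or Always

    def matches(self, c: Connection) -> bool:
        return (_addr_ok(self.src, c.src) and _addr_ok(self.dst, c.dst)
                and self.service in (ALL, c.service)
                and self.tos in (ANY, c.tos)
                and self.vlan in (ANY, c.vlan)
                and (self.window == ALWAYS or self.window[0] <= c.at <= self.window[1]))


def _addr_ok(pattern: str, addr: str) -> bool:
    if pattern == ANY:
        return True
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern, strict=False)
    return addr == pattern


@dataclass
class VirtualChannel:
    name: str
    rules: list
    actions: dict = field(default_factory=dict)


@dataclass
class Pipe:
    name: str
    rules: list
    actions: dict = field(default_factory=dict)
    vcs: list = field(default_factory=list)

    def __post_init__(self):
        # Every Pipe carries a Fallback VC whose catch-all rule cannot be edited.
        self.vcs.append(VirtualChannel("Fallback", [Rule()]))


def classify(pipes, conn):
    """Return (pipe name, VC name, pipe actions, VC actions) for one connection."""
    ordered = list(pipes) + [Pipe("Fallback", [Rule()])]   # the policy-wide default
    pipe = next(p for p in ordered if any(r.matches(conn) for r in p.rules))
    vc = next(v for v in pipe.vcs if any(r.matches(conn) for r in v.rules))
    # The VC's actions are enforced together with (inside) the Pipe's actions.
    return pipe.name, vc.name, pipe.actions, vc.actions


# Constructed policy: one Pipe per WAN link, selected by destination subnet
# (assumed 10.1.0.0/16 and 10.2.0.0/16), each capped at 2 Mbps. On Link 1,
# SAP and multimedia are picked out by TOS value (assumed 0x68 and 0xB8) and
# FTP gets its own, limited VC only during business hours.
LINK1 = Pipe("Link 1", [Rule(dst="10.1.0.0/16")], {"max_kbps": 2000})
LINK1.vcs[:0] = [
    VirtualChannel("SAP", [Rule(tos=0x68)], {"priority": 1}),
    VirtualChannel("Multimedia", [Rule(tos=0xB8)], {"min_kbps": 500}),
    VirtualChannel("FTP business hours",
                   [Rule(service="ftp", window=(time(8), time(18)))], {"max_kbps": 256}),
]
LINK2 = Pipe("Link 2", [Rule(dst="10.2.0.0/16")], {"max_kbps": 2000})
POLICY = [LINK1, LINK2]


def classify_policy(src, dst, service, tos=0, vlan=0, hour=12):
    """Classify against POLICY; returns just (pipe name, VC name)."""
    p, v, _, _ = classify(POLICY, Connection(src, dst, service, tos, vlan, time(hour)))
    return p, v


if __name__ == "__main__":
    for c in [("10.0.0.5", "10.1.4.9", "sap", 0x68), ("10.0.0.5", "10.1.4.9", "ftp", 0, 0, 20),
              ("10.0.0.5", "10.2.8.8", "http"), ("10.0.0.5", "192.0.2.7", "http")]:
        print(c, "->", classify_policy(*c))
```

Two properties of the first-match order are worth noticing: the position of a Virtual Channel inside its Pipe decides the outcome when more than one rule matches, and a connection that matches no Pipe rule at all still gets a defined treatment through the policy-wide Fallback Pipe, so nothing bypasses the policy simply by being unexpected.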

Templates
Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will
create multiple Pipes or Virtual Channels very similar to each other. Templates work
with host group entries and LDAP-based hosts entries defined in the Host Catalog. For
example, if you had a host group entry in the Host Catalog called Gold Customers that
consisted of Company X, Company Y and Company Z, you could define a Pipe
template to be expanded for Gold Customers. This would result in Pipes being created
for Company X, Company Y and Company Z when the Policy Editor is saved.
A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual
Channels on source/destination differentiation. This means that you do not need to
define similar Pipes and Virtual Channels when the only difference between them is the
IP address in the source or destination.


NetWizard
NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a
network, enabling the network manager to quickly define QoS policies for each type of
protocol in the network. This, in turn, improves the efficiency and application response
time of the network.
NetWizard automatically identifies the traffic protocols in your network and then guides
you through the QoS configuration process, allowing you to assign minimum and
maximum bandwidth and priority for the various protocols.
With NetWizard, you need not be initially acquainted with every protocol or the traffic
patterns in your network in order to define QoS policy. Once you make your initial
selections, a QoS policy is generated, enabling NetEnforcer to enforce that policy in
your network. Further refinement of the policy is possible when you have become more
familiar with NetEnforcer tools, such as the Policy Editor and Catalog Editors.


NetEnforcer in Action
The following scenarios provide examples of how NetEnforcer can optimize network
traffic in a variety of working environments.

Scenario 1: Corporate
In this example, the Pipe feature enables the network manager to manage traffic to three
different WAN links and create a Pipe for each one of them.

Figure 1-1 - Corporate Network Structure with Three Outgoing WAN Links

The network manager would like to assign a maximum of 2Mbps for each WAN link.
The multiple protocol traffic is going to different locations, based on the IP address.


Pipes are created as follows:
• Link 1 traffic is limited to 2Mbps with Business applications (SAP) and Multimedia
classified based on TOS marking.
• Links 2 and 3 are also limited to 2Mbps.
All traffic to links is classified based on the destination address.
The Policy Editor is set up as follows:

Figure 1-2 - Policy for Corporate Traffic


Scenario 2: QoS in an Intranet


Corporate Intranets have become key repositories of business information needed by
employees across the enterprise. Companies also rely on the existence of network-based
services for their businesses, running mission critical applications for ERP, CRM,
eCommerce, and more. Poor application response times, caused by the mix of business-
critical and non-critical traffic on the same network, quickly translate into decreased
productivity, lost revenues and increased business costs. In addition, the penetration of
time-sensitive video conferencing and voice over IP (VoIP) offer low-cost alternatives
to expensive business trips and telephone conference calls, but these applications
require sustained network performance and therefore place increased demands on the
network.
NetEnforcer enables mission-critical applications to run smoothly over otherwise
unmanaged and congested Intranets. NetEnforcer ensures the response time of mission-
critical applications by prioritizing their traffic or guaranteeing them a portion of
bandwidth. At the same time, traffic from less critical and less time-sensitive
applications receive a limited amount of bandwidth or a lower priority. NetEnforcer
guarantees the performance of business-critical applications by grouping and defining
policies that will classify traffic into categories such as “Mission-Critical Billing
Application” or “Time-Sensitive Voice over IP.”


The figure below illustrates how a NetEnforcer manages an Intranet's mission critical
traffic.

Figure 1-3 - Managing an Intranet's mission-critical traffic with the NetEnforcer

A policy-based quality of service (QoS) solution ensures that mission-critical
applications receive the bandwidth they require. NetEnforcer controls important
network resources such as bandwidth, servers, applications and users. It also monitors
and records traffic usage information based on clients, servers, application, time and
DiffServ tagging.


Scenario 3: ISP
An Internet Service Provider sells slices of bandwidth to subscribers (defined in Pipes),
with an advanced offering of tiered services (for example, Gold, Silver and Bronze
customers). Customer traffic must be managed with high granularity, for example by
creating a separate Pipe for each subscriber and dividing its traffic according to the
customer's needs.

Figure 1-4 - Wireless ISP Network

The ISP would like to control the maximum usage of each subscriber while limiting the
total bandwidth used. Moreover, the ISP needs to over-subscribe customers (there are
more customers than the bandwidth available for each VC/Pipe). The ISP would like to
offer tiered services.
The ISP does the following:
• Assigns Gold, Silver and Bronze service levels.
• Sets a maximum of 8Mbps to Smart Building tenants (minimum 2Mbps).
• Assigns a minimum of 60 Kbps and a maximum of 100 Kbps to each home user.


• Using templates, the ISP is able to over-subscribe tenants (since, most probably, not
all of them will be active at the same time).
• A Silver level is assigned to Regional Office 1 users with a minimum of 100 Kbps
and a maximum of 250 Kbps.
• Lotus Notes users are assured a minimum of 40 Kbps.
• A Bronze level is assigned to Regional Office 2 (minimum 40 Kbps and maximum
250 Kbps).
The Policy Editor is set up as follows:

Figure 1-5 - Policy for Wireless ISP Traffic


Scenario 4: Satellite Provider


Reduce Packet Loss and Network Delays
In a typical LAN, routers and access devices simply drop packets when excess traffic
causes congestion. In a satellite network, the satellite link is the most expensive
resource on the network. The long delay in transmitting a packet from a ground station
up to the satellite and back down to the ground causes serious degradation in the overall
throughput of the system, and that delay is paid again for every packet that has to be
retransmitted. The problem is compounded when other parts of the network introduce
additional, inconsistent delays, resulting in a very unpredictable end-to-end network
environment. It is therefore critical in a satellite environment that lost traffic and
packet retransmissions be kept to a minimum.
Using NetEnforcer, satellite service providers reduce data retransmissions, assure
fairness by prioritizing users and applications, and provide predictable, guaranteed
bandwidth for video and voice-type streaming applications. NetEnforcer maximizes the
efficiency of traffic flowing through satellite systems. Its advanced analysis capabilities
allow the intelligent distribution of traffic through WAN channels based on the overall
state of the satellite link, its delays and throughput. The end-result is a more efficient,
reliable, and predictable system for delivering applications over the network.

Figure 1-6 - NetEnforcer in Satellite Network


Satellite service providers offer local services that allow many customers to share a
common satellite link to remote services. NetEnforcer is placed between the satellite
provider's local network and the remote users.
Assure Fairness
In most satellite environments, a single uplink from the service provider delivers
bandwidth intended for multiple users while the downlink is broadcast simultaneously
to many different networks. This results in a few low-priority users or applications
taking up most of the available resources without regard to the applications’ importance
or overall need for bandwidth. Using NetEnforcer in satellite networks assures fairness
between users and applications.

Scenario 5: Enhancing Enterprise Security


One of the best security practices for the enterprise is to design a multi-layered security
system using NetEnforcer to monitor, alert and block DoS attacks, and enhance the
overall security of the network. You can also use NetEnforcer to improve network
performance by resource management and create a first line of protection from
illegitimate users and applications that seize an undeserved share of resources.
NetEnforcer detects known DoS attacks and intelligently blocks new flows suspected as
destructive traffic. Placing NetEnforcer at the edge of the enterprise network enhances
the performance of firewalls and other internal network devices. NetEnforcer discards
malicious traffic packets that slip past routers and firewalls to improve application
performance and enhance network security.

How to set up your network with NetEnforcer to prevent DoS attacks is shown in the
following diagram:

Figure 1-7 - Preventing a DoS Attack with NetEnforcer


An attacker sends broadcast pings using a victim's address as the source address. The
pings go to all addresses on the subnet and each device on the subnet responds to the
ping, flooding the victim with ICMP traffic. In a network protected with NetEnforcer,
all ping (ICMP) traffic is monitored. When NetEnforcer detects excessive amounts of
ICMP connections, it discards the malicious traffic, thereby blocking the DoS attack.
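The rate check described above can be illustrated with a small stand-alone detector. The following Python code is an added example for this section and is not NetEnforcer's own detection logic, which this guide does not describe in code; the flow records, the one-second window and the thresholds are constructed for the illustration. It reports a destination only when many ICMP flows from many distinct sources reach it within a short window, which is the pattern of the broadcast-reflected flood described above, so a single busy host pinging one peer is left alone.

```python
from collections import defaultdict, deque


class IcmpFloodDetector:
    """Sliding-window counter of ICMP flows per destination host.

    A destination is reported as flooded when more than `max_flows` ICMP
    flows from at least `min_sources` distinct source hosts reach it within
    `window_s` seconds.  The distinct-source condition separates the
    reflected broadcast pattern (many replying hosts, one victim) from a
    single host that simply pings a lot.  All thresholds are constructed
    for this example and are not NetEnforcer's built-in values.
    """

    def __init__(self, window_s=1.0, max_flows=50, min_sources=10):
        self.window_s = window_s
        self.max_flows = max_flows
        self.min_sources = min_sources
        self._recent = defaultdict(deque)  # dst -> deque of (timestamp, src)

    def observe(self, ts, src, dst, proto):
        """Feed one flow record; return True if the flow should be discarded."""
        if proto != "icmp":
            return False  # only ICMP is subject to this check
        window = self._recent[dst]
        window.append((ts, src))
        # drop records that have aged out of the window
        while window and ts - window[0][0] > self.window_s:
            window.popleft()
        distinct_sources = {s for _, s in window}
        return (len(window) > self.max_flows
                and len(distinct_sources) >= self.min_sources)


def discarded_per_victim(flows, **thresholds):
    """Run the detector over flow records and count discarded flows per destination.

    `flows` is an iterable of (timestamp_seconds, src_ip, dst_ip, protocol).
    """
    detector = IcmpFloodDetector(**thresholds)
    discarded = defaultdict(int)
    for ts, src, dst, proto in flows:
        if detector.observe(ts, src, dst, proto):
            discarded[dst] += 1
    return dict(discarded)


# Constructed sample traffic (not captured from a real network):
# three ordinary pings between two hosts, a burst of TCP flows that must be
# ignored, and 80 ICMP replies from 80 different hosts converging on one
# victim address within 0.8 s.
SAMPLE_FLOWS = (
    [(0.0 + i, "10.1.1.5", "10.1.1.9", "icmp") for i in range(3)]
    + [(1.0 + i * 0.01, "10.1.1.5", "10.1.1.9", "tcp") for i in range(100)]
    + [(5.0 + i * 0.01, f"192.168.1.{i + 1}", "10.1.18.7", "icmp") for i in range(80)]
)

# A single host sending 60 pings in 60 ms to one peer: many flows, but one
# source, so the distinct-source condition keeps them from being discarded.
SINGLE_SOURCE_FLOWS = [(0.0 + i * 0.001, "10.1.1.5", "10.1.1.9", "icmp") for i in range(60)]

if __name__ == "__main__":
    print(discarded_per_victim(SAMPLE_FLOWS))        # {'10.1.18.7': 30}
    print(discarded_per_victim(SINGLE_SOURCE_FLOWS))  # {}
```

The first 50 reflected replies pass and every further one inside the window is discarded, so the victim still sees a bounded amount of ICMP traffic; raising `max_flows` well above the burst size (or lowering `min_sources` to 1) shows how much the two thresholds together decide what is treated as a flood.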

Chapter 2: Installing NetEnforcer

This chapter describes the NetEnforcer hardware and the initial installation and setup of
NetEnforcer. NetEnforcer is a transparent learning bridge that is IEEE 802.1-compliant.
NetEnforcer contains a Bypass switch that connects the Internal connector to the
External connector in the case of a subsystem failure in NetEnforcer or a power loss.
The Bypass switch is an external component on the AC-802 High Availability models
and an internal component on other models. This mechanism ensures that data passes
through NetEnforcer should any hardware or software problem occur.

This chapter includes the following sections:

• Hardware Description, page 2-2, describes the accessories included with NetEnforcer,
provides a physical description of the front and rear panels of NetEnforcer, and
describes the external Bypass used with the AC-802 High Availability models. It also
describes the Enhanced platform.
• Placement in the Network, page 2-27, describes where to place NetEnforcer in the
network and how to connect NetEnforcer to the network.
• Setting Up NetEnforcer, page 2-29, describes how to define the initial basic
parameters required to work with NetEnforcer using a terminal or via the LCD panel.

Hardware Description
NetEnforcer enables the definition and classification of traffic by users, applications and
resources. Several NetEnforcer models are available to support large and small sites and
different data network speeds. The following NetEnforcer models are available:
Model Bandwidth Pipes VCs (Total) Connections Platform
NetEnforcer Standard Platform
AC-202/MO 10M 128 1,024 24,000 Enhanced
AC-202/128 128K 128 1,024 6,000 Enhanced
AC-202/512 512K 128 1,024 6,000 Enhanced
AC-202/2M 2M 256 2,048 12,000 Enhanced
AC-202/10M 10M 512 2,048 24,000 Enhanced
AC-402/MO 100M 512 2,048 96,000 Enhanced
AC-402/10M 10M 512 2,048 24,000 Enhanced
AC-402/45M 45M 1,024 4,096 64,000 Enhanced
AC-402/100M 100M 1,024 4,096 96,000 Enhanced
NetEnforcer High-Availability Platform
AC-802/100M 100M 2,048 8,192 128,000 High Availability
AC-802/155M 155M 2,048 8,192 128,000 High Availability
AC-802/310M 310M 2,048 8,192 128,000 High Availability
AC-802/SP-100M 100M 4,096 28,672 256,000 High Availability
AC-802/SP-155M 155M 4,096 28,672 256,000 High Availability
AC-802/SP-310M 310M 4,096 28,672 256,000 High Availability

NetEnforcers are divided into two categories:

• High Availability Models: AC-802 is 3.5" high (two rack units). For information
on the High Availability platform, see page 2-3.
• Enhanced Models: AC-202 and AC-402 are 1.75" high (one rack unit). For more
information on the Enhanced platform, see page 2-17.

NetEnforcer High Availability Platform


The NetEnforcer AC-802 offers carrier-grade design with redundant critical
components for fail-safe operation. Redundant hardware components on the AC-802
include redundant fans and dual hot-swappable power supplies.
The AC-802 series consists of four models, as follows:
• AC-802 Copper
• AC-802/SP Copper
• AC-802 Fiber
• AC-802/SP Fiber

These platforms come with an additional module known as a Copper Bypass (for the
AC-802 Copper) and a Fiber Bypass (for the AC-802 Fiber). These modules are external
Bypass switches.

CAUTION:
All AC-802 models work only when the appropriate Bypass module is connected. This is to ensure
continuous service in the event of failure.

High Availability Platform Unpacking


Verify that the following items are included with NetEnforcer:
• NetEnforcer (hardware with pre-installed software)
• NetEnforcer User's Manual
• 2 Power Cables
• 2 Cross Ethernet Cables (for AC-802 Copper)
• 1 Serial Console Cable

• 2 Side Mounting Brackets
• DB-9 Backup Cable
All NetEnforcer models contain a lithium battery on the main board.
CAUTION:
Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type
recommended by the manufacturer.
Dispose of used batteries according to the manufacturer’s instructions.

NOTE:
The maximum Ethernet cable length is generally up to 50 meters.

High Availability Platform Front Panel


The front panel of High Availability models includes the following ports:
• Network Connectors (Internal and External)
• Management Port
• Console Connector
• Backup (9-pin D-type) Connector
Management of NetEnforcer High Availability models can be via the Management port
or network connectors.

AC-802 Models Front Panel


NetEnforcer connects to your network via connectors located on the front panel. These
connectors and the LED indicators on the front panel are shown below:

Figure 2-1 – NetEnforcer Front Panel: High Availability Platform (Model AC-802)
(Callouts: LCD Panel; Link Connections Area: External/Internal Indicators,
External/Internal Network Connectors; Accessory Area: Backup Connector,
Management Port, Management Indicators, Console Connector)

CAUTION:
Motherboard contains lithium battery. Danger of explosion if battery is incorrectly replaced. Replace only
with the same or equivalent type recommended by the manufacturer.
Dispose of used battery according to the manufacturer’s instructions.

The Link Connections Area differs slightly according to the model as shown in the
following diagrams:

Figure 2-2 – Link Connections Area: AC-802 Copper

Figure 2-3 – Link Connections Area: AC-802 Fiber

CAUTION:
CLASS 1 LASER PRODUCT. DANGER! Invisible laser radiation when opened. AVOID DIRECT
EXPOSURE TO BEAM.

The front panel of the AC-802 model contains LEDs that are positioned on each of the
External, Internal and Management connectors or used as the Standby, Active and
Power indicators.

The modes of operation of the External, Internal and Management indicators are
described in the table below.
External/Internal/Management LED   NetEnforcer Status
Green                              A link is detected.
Orange                             Blinks when traffic is detected on the interface.
Off                                No link activity is detected.
Table 2-1 – External/Internal/Management LED Conditions: AC-802

The modes of operation of the Standby, Active and Power indicators are described in
the table below.
Indicator  Status  NetEnforcer Status
Standby    On      Two NetEnforcers are connected in Redundancy mode and this
                   NetEnforcer is the secondary system.
           Off     If you have one NetEnforcer, this should be the normal state of
                   the LED. If you have two NetEnforcers configured in Redundancy
                   mode, this NetEnforcer is not in standby.
Active     On      NetEnforcer is in Active mode.
           Off     NetEnforcer is in Bypass mode. Traffic passes through NetEnforcer
                   with no Quality of Service or traffic shaping. If you have two
                   NetEnforcers configured in Redundancy mode, this is the secondary
                   NetEnforcer in a Full Redundancy configuration and it is not
                   active (in the other NetEnforcer this LED should be on).
Power      On      NetEnforcer is powered up.
           Off     NetEnforcer is shut down.

Table 2-2 – Standby/Active/Power LED Conditions: AC-802

LCD Panel High Availability Platform


The LCD panel provides an indication of traffic usage and enables you to configure
NetEnforcer directly without the need to connect a terminal.

Figure 2-4 – NetEnforcer LCD Panel: High Availability Platform
(Callouts: Display Area; Standby, Active and Power Indicators; Up, Down, Left and
Right Arrows; On/Off, Select and Enter keys)

For a description of how to configure NetEnforcer using the LCD panel, refer to
Configuring Via the LCD Panel, page 2-40.

Management Port
The Management port exists on the Enhanced and High Availability platforms. The
dedicated Management port enables out-of-band management. Operating through the
Management port denies management access to the device from Internal or External
ports. Moreover, when there is a problem in the regular network you can still manage
and monitor the NetEnforcer.
For more information on the Management port, see Out-of-Band Management,
page 2-25.

High Availability Platform Rear Panel


AC-802 Models Rear Panel
The rear panel of AC-802 contains the following:
• Two Power Cable Connectors
• Ground Connector
• Keyboard Connector (used to connect a keyboard)
• VGA Connector (used to connect a monitor)
• Two Hot-swappable Power Supplies

Figure 2-5 – NetEnforcer Rear Panel: High Availability Platform (Model AC-802)
(Callouts: Keyboard Connector, Bi-Color Power LEDs, Ground Connector, VGA Connector,
Hot Swappable Power Supplies)

AC-802 Models Power Supply


NetEnforcer AC-802 includes two hot-swappable power supply modules and a dual line
feed for Redundancy purposes. Each line feed drives one power supply.

NOTE:
The power supply automatically adapts to voltages between 100 V and 240 V, 50/60 Hz.

Should you need to, you can replace one of the power supplies while NetEnforcer is
connected and operating. Replacing a power supply while the unit is operating is
possible since the remaining power supply will take the full load and maintain full
operation.

NOTE:
To remove a power supply module, press the release button, pull the handle and slide the module out.
Leave the power cord connected when removing a power supply module.

Each power supply has a bi-color power LED indicating input/output power status:
LED Power Supply Status
Green A green light indicates that the power supply is connected to
power and no failure condition exists.
Red A red light indicates that a failure condition exists.

When power failure occurs, the power LED indication is Red and an internal buzzer
beeps. You have to remove the power supply module to quiet the buzzer. Leave the
power cord connected when removing a power supply module.
Key features of the power supply include:
• Hot-pluggable, easy to maintain
• N+1 load sharing
• Universal AC input with Power Factor correction
• Rear panel with bi-color LED indicating input/output power status
• Power fault buzzer alarm system

Bypass Modules
The AC-802 operates with an external Bypass module. The Bypass module is a
mission-critical subsystem designed to ensure network connectivity at all times. The
Bypass mechanism provides ‘connectivity insurance’ in the event of a NetEnforcer
subsystem failure. The AC-802 Copper operates with a Copper Bypass and the
AC-802 Fiber operates with a Fiber Bypass. The Bypass module is connected to
NetEnforcer by a series of leads and cables.

CAUTION:
NetEnforcer AC-802 must be connected to the appropriate Bypass module. This is to ensure continuous
service in the event of failure.

A separate NetEnforcer Bypass package is included with your AC-802 shipment. The
box includes the following:
• NetEnforcer Copper Bypass or Fiber Bypass Module
• Two side mounting brackets
• Two straight Ethernet cables (AC-802 Copper)
• Two cross-over Ethernet cables (AC-802 Copper)

Copper Bypass Module


The Copper Bypass module works in conjunction with NetEnforcer AC-802 Copper
models.
Figure 2-6 – Copper Bypass Module
(Callouts: Backup Connector to Secondary NetEnforcer; External Connector; Internal
Connector; Connector to External Router; Connector to Internal Switch; Mode LED
Indicator; Connector to Primary NetEnforcer)

NOTE:
Use the supplied UTP CAT-5 straight Ethernet cables to connect the link connections marked with the
Internal and External labels.

The Copper Bypass module includes RJ-45 connectors for Ethernet cables and two
D-type 9-pin connectors for the backup connection to the primary and redundant units.

The following procedure describes how to connect a Copper Bypass module to
NetEnforcer. The procedure contains circled numbers (for example, 1) that relate to the
reference numbers used in the diagram.

Figure 2-7 – Connecting NetEnforcer AC-802 Copper to Copper Bypass Module

To connect the Copper Bypass to NetEnforcer:

1. Connect the External cable from the External port on the Bypass module (7) to the
External port on NetEnforcer (1).
2. Connect the Internal cable from the Internal port on the Bypass module (8) to the
Internal port on NetEnforcer (2).
3. Connect the D-type connector from the Primary port on the Bypass module (9) to
the Backup port on NetEnforcer (3).
4. Connect the External cable from the External port on the Bypass module (5) to a
router connector.
5. Connect the Internal cable from the Internal port on the Bypass module (4) to a
switch connector.
6. To connect a secondary NetEnforcer for Full Redundancy, you need two
NetEnforcers and one Bypass module. Connect the backup D-type connector from
the Secondary port on the Bypass module (6) to another NetEnforcer.
• Internal and external connectors of the redundant NetEnforcer should be
connected directly to the network. There is no need to connect via the Bypass
module.

Fiber Bypass Module


The Fiber Bypass module works in conjunction with NetEnforcer AC-802 Fiber.
Figure 2-8 – Fiber Bypass Module
(Callouts: Connector to Internal Network; Backup Connector to Secondary NetEnforcer;
Connector to External Network; Fiber Cable; Connector to Primary NetEnforcer)

NOTES:
Use 62.5/125µ or 50/125µ fiber optic cables with duplex SC connectors (not provided) to connect 1 Gbps
ports of the switch and the router.

Cables with duplex LC connectors (marked with Internal and External labels) are provided with the unit.

The Fiber Bypass module includes two duplex LC connectors, two built-in fiber cables
and two D-type 9-pin connectors for the backup connection to the primary and redundant
units. The following procedure describes how to connect a Fiber Bypass module to
NetEnforcer. The procedure contains circled numbers (for example, 1) that relate to the
reference numbers used in the diagram.

Figure 2-9 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass Module

To connect the Fiber Bypass to NetEnforcer:

1. Connect the fiber cable labeled External from the Bypass module (7) to the External
port on NetEnforcer (1).
2. Connect the fiber cable labeled Internal from the Bypass module (7) to the Internal
port on NetEnforcer (2).
3. Connect the D-type connector from the Primary port on the Bypass module (8) to
the Backup port on NetEnforcer (3).
4. Connect a 62.5/125µ or 50/125µ External fiber optic cable from the External port on
the Bypass module (5) to a 1 Gbps router.
5. Connect a 62.5/125µ or 50/125µ Internal fiber optic cable from the Internal port on
the Bypass module (6) to a 1 Gbps switch.
6. To connect a secondary NetEnforcer for Full Redundancy, you need two
NetEnforcers and one Bypass module. Connect the backup D-type connector from
the Secondary port on the Bypass module (4) to another NetEnforcer.
• Internal and external connectors of the redundant NetEnforcer should be
connected directly to the network. There is no need to connect via the Bypass
module.

Powering Up
The following procedure describes how to power up the High Availability platform
models using the LCD panel.

AC-802 Models Powering Up


NOTE:
NetEnforcer and the Bypass module have to be fully plugged and connected before power is turned on. This
is to ensure proper and systematic power up.

It is recommended to connect the two power line feeds to separate power sources to
have full power redundancy. The two bi-color Power LEDs on the rear of NetEnforcer
are lit indicating that the power supply is connected to power and no failure condition
exists.
The Power LED on the LCD panel is lit and the Mode LED on the Bypass module is
off, indicating that the power is on and NetEnforcer is bypassed.
The display area of the LCD panel indicates the following: Power On.
After a few seconds, the display area of the LCD panel indicates the following:
System Loading *.

Once the system has completed loading, the following occurs:


• The Active LED on the LCD panel is lit and the Mode LED on the Bypass module
is lit, meaning that NetEnforcer is now connected to the network.
• The display area of the LCD panel indicates the default view - the current
bandwidth consumption. For example:
Inbound: XXX.X
Outbound: YYY.Y
You can now proceed to configure NetEnforcer, as required.

NetEnforcer Enhanced Platform


The NetEnforcer AC-202 and AC-402 models feature a newly designed front panel that
includes:
• An easily visible LCD panel that indicates traffic usage.
• A keypad that enables direct configuration without the need to connect to a remote
terminal, and the ability to start, reboot and shut down from the front panel.
New features on the rear panel include:
• An additional serial port (for future use).
• A backup (37-pin D-type) connector.

Enhanced Platform Unpacking


Verify that the following items are included with NetEnforcer:
• NetEnforcer (hardware with pre-installed software)
• NetEnforcer User's Manual
• 1 Power Cable
• 2 Cross Ethernet Cables
• 1 Serial Console Cable
• 2 19" Side Mounting Brackets

All NetEnforcer models contain a lithium battery on the main board.


CAUTION:
Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type
recommended by the manufacturer.
Dispose of used batteries according to the manufacturer’s instructions.

NOTE:
The maximum cable length is generally up to 50 meters.

Enhanced Platform Front Panel


The Enhanced Platform connects to your network via connectors located on the front
panel. The LCD panel, connectors and LED indicators on the front panel, are shown
below.

Figure 2-10 – NetEnforcer Front Panel: Enhanced Platform
(Callouts: Console Connector; Internal/External Indicators; LCD Panel; Management
Port; LED Indicators)

The front panel of the Enhanced Platform contains nine LEDs. Two LEDs are
positioned on each of the External, Internal and Management network connectors. The
remaining three LEDs are the Standby, Active and Power indicators.

The modes of operation of the External, Internal and Management indicators are
described in the table below.
Indicator  Status  NetEnforcer Status
Green      On      A valid link is detected (either 10 or 100 Mbps).
           Off     No valid link.
Orange     On      Blinks when traffic (activity) is detected on the interface.
           Off     No traffic (activity) is detected on the interface.

Table 2-3 – External/Internal/Management LED Conditions: Enhanced Platform

The modes of operation of the Standby, Active and Power indicators are described in
the table below.
Indicator  Status  NetEnforcer Status
Standby    On      Two NetEnforcers are connected in Redundancy mode and this
                   NetEnforcer is the secondary system.
           Off     If you have one NetEnforcer, this should be the normal state of
                   the LED. If you have two NetEnforcers configured in Redundancy
                   mode, this NetEnforcer is not in standby.
Active     On      NetEnforcer is in Active mode.
           Off     NetEnforcer is in Bypass mode. Traffic passes through NetEnforcer
                   with no Quality of Service or traffic shaping. If you have two
                   NetEnforcers configured in Redundancy mode, this is the secondary
                   NetEnforcer in a Full Redundancy configuration and it is not
                   active (in the other NetEnforcer this LED should be on).
Power      On      NetEnforcer is powered up.
           Off     NetEnforcer is shut down.

Table 2-4 – Standby/Active/Power LED Conditions: Enhanced Platform

Enhanced Platform LCD Panel


The LCD panel provides an indication of traffic usage and enables you to configure the
system directly without the need to connect to a terminal.
Figure 2-11 – NetEnforcer LCD Panel: Enhanced Platform
(Callouts: Standby, Active and Power Indicators; Up, Down, Left and Right Arrows;
On/Off, Select and Enter keys; Display Area)

For a description of how to configure the system using the LCD panel, refer to
Configuring Via the LCD Panel, page 2-40.

Management Port
The Management port exists on the Enhanced and High Availability platforms. The
dedicated Management port enables out-of-band management. Operating through the
Management port denies management access to the device from Internal or External
ports. Moreover, when there is a problem in the regular network you can still manage
and monitor the NetEnforcer.
For more information on the Management port, see Out-of-Band Management,
page 2-25.

Enhanced Platform Rear Panel


The rear panel of the Enhanced Platform contains the following:
• Power Switch
• Power Cable Connector
• Backup (37-pin D-type) Connector
• Ground Connector
• Serial Port (for future use)
Figure 2-12 – NetEnforcer Rear Panel: Enhanced Platform
(Callouts: Power Switch; Power Cable Connector and Fuse; Serial Connector; Backup
Connector; Ground Connector)

NOTE:
The power supply automatically adapts to voltages between 100V and 240V.

CAUTION:
The power supply unit includes an internal fuse. Only Allot Service personnel are authorized to replace it.

Enhanced Platform Powering Up


Connect the NetEnforcer to an AC power source and set the Power switch (located on
the rear panel) to On. The Power indicator on the LCD panel is lit.
The display area of the LCD panel indicates the following: Power On.
After a few seconds, the display area of the LCD panel indicates the following:
System Loading *.
Once the system has completed loading, the following occurs:
• The Active LED on the LCD panel is lit, meaning that NetEnforcer is now
connected to the network and it is ready.
• The display area of the LCD panel indicates the default view - the current
bandwidth consumption. For example:
Inbound: XXX.X
Outbound: YYY.Y
You can now proceed to configure NetEnforcer, as required.

Out-of-Band Management
The dedicated Management port on NetEnforcer provides a secure solution for device
management for enterprise and service providers. It enables you to permit access solely
to a closed group of network administrators, so that ISP customers cannot "see" the
Management port and therefore cannot access the NetEnforcer management.
NetEnforcer lets you enable or disable this Management port, permitting either in-band
or out-of-band management.

Figure 2-13 - Management Port

Using the Management port has the following benefits:


• Provides a security feature that prevents ISP customers from "seeing" the
Management port and thus prevents access to NetEnforcer. When the Management
port is enabled, the Internal and External ports are functioning solely to forward
traffic. Consequently, only the Administrator (as the one with access to the
Management port) has access to NetEnforcer.
• Enables configuring, installing and upgrading while the unit is in Bypass mode.
This is particularly important when the NetEnforcer is in carrier environments.
• Improves NetEnforcer's forwarding performance by separating the management
traffic from the regular traffic. In addition, if a problem exists in the regular network
you can still communicate with NetEnforcer in order to resolve the problem.
• Provides an infrastructure for improved redundancy capabilities.
• Has its own MAC and IP address.
Refer to the Out-of-Band Management section in Chapter 4, Configuring NetEnforcer,
for instructions on how to configure the Management port.

Monitoring Only Models (AC-202 and AC-402)


Monitoring Only models enable the user to use NetEnforcer in a non-intrusive mode.
This mode enables connection without interference in the network activity, yet allows
the use of the Monitoring function.
Using a Monitoring Only model has the following benefits:
• Monitors the network activity in a non-intrusive mode. NetEnforcer behaves as a
probe, as traffic is not going through NetEnforcer. The network can never “feel”
NetEnforcer in this mode.
• Enables you to view monitoring graphs, download accounting information via the
ODBC or collect long term monitoring statistics.
• Generates audits without interrupting your network activity.
When a QoS software key is purchased and loaded (see Chapter 4: Configuring
NetEnforcer), the NetEnforcer becomes a normal traffic enforcer.

Placement in the Network


NetEnforcer is supplied with fast Ethernet or Gigabit Ethernet interfaces. NetEnforcer is
normally placed on the internal side of your access router. The Internal port of
NetEnforcer interfaces with your Local Area Network (LAN) and the External port of
NetEnforcer interfaces with your access router. Refer to Figure 2-14 to see
NetEnforcer’s placement in a network.

Connecting NetEnforcer to the Network


When connecting NetEnforcer to the network, use the proper cable.

Figure 2-14 – LAN and WAN Placement of NetEnforcer

NetEnforcer is capable of operating in parallel with another NetEnforcer to provide full
redundancy. If you are using the NetEnforcers in Redundancy mode, refer to
Appendix B, Fail-Safe Operation.

To connect NetEnforcer to your network:


1. Connect a Bypass module to NetEnforcer, as described in Bypass Modules, page 2-11.
This is not necessary in Enhanced models where the Bypass is internal.
2. Connect the LAN side of your network to the Internal connector on the front panel
of NetEnforcer (or the Bypass module).
3. Connect the Ethernet cable connected to the WAN side of your network to the
External connector on the front panel of NetEnforcer (or the Bypass module).
NOTES:
To connect NetEnforcer directly to a router or to a host, use the supplied Ethernet crossover cables.
To connect AC-802 Fiber models, use fiber optic cables 62.5/125µ or 50/125µ, duplex SC connectors.

4. Connect the power cable and power up NetEnforcer, as described in Powering Up,
page 2-16.

When connecting two NetEnforcers in Redundancy mode, use the special 37-pin cable
(or 9-pin cable for Bypass module) supplied. For more information, refer to Appendix B,
Fail-Safe Operation.
NOTE:
After you connect the cables (and the Active LED is on), the Internal and External Link LEDs on the front
panel are on. When traffic is passing through the interface, the Activity LEDs blink.

Setting Up NetEnforcer
In order to manage and configure NetEnforcer policies remotely from your Web
browser, several basic parameters must be configured on NetEnforcer. You can
configure these basic parameters using a terminal connected to NetEnforcer or by using
the LCD panel.

Configuring Via a Terminal or Telnet


You can use a standard terminal or a PC running terminal emulation software connected
to the Console port, or Telnet via the Internet, to configure a NetEnforcer. If you choose
to connect via the Console port, most standard Windows-based PC systems have a
terminal emulation program called HyperTerminal that can be used for this purpose.
Configure the terminal to run VT100 terminal emulation with the following parameters:
• Baud rate 19200
• 8 bits
• Stop bits 1
• No flow control
• No parity

To connect a terminal to NetEnforcer:


1. Use the supplied serial cable to connect the terminal to the Console Connector on the
front panel of NetEnforcer.
2. Connect the power cable and power up NetEnforcer, as described in Powering Up,
page 2-16 or 2-24.
3. At the terminal, select Start > Programs > Accessories and double-click the
HyperTerminal icon. Enter a name for the session, then set the COM port and the
parameters listed above. The system boots up and you are prompted for a login and a
password.

4. Enter admin for the login and allot for the password. (To change the password, see
page 2-37.)
5. Press <Enter>. The NetEnforcer Setup Menu is displayed:

Figure 2-15 – NetEnforcer Setup Menu

To connect to a NetEnforcer via Telnet:


1. Open a Microsoft DOS window on a PC and at the C:\ prompt, enter Telnet followed
by the IP address of NetEnforcer. Press <Enter>. The system boots up and you are
prompted for a login and a password.
2. Enter admin for the login and allot for the password. (To change the password, see
page 2-37.) Press <Enter>. The NetEnforcer Setup Menu is displayed.

NetEnforcer Start Menu


From this menu, you can perform the following tasks:
• Display the current configuration, page 2-32.
• Configure network parameters, page 2-34.
• Change the login password, page 2-37.
• Modify the date and time settings, page 2-38.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After
rebooting is completed, NetEnforcer is ready to be connected and to add Quality of
Service in your network.

Displaying the Current Configuration


You can display and view the currently set network configuration parameters at any
time.

To display the current configuration:

1. In the NetEnforcer Setup Menu, enter 1 (List current configuration) and press
<Enter>. The current network configuration parameters are displayed. A sample
screen is shown below:

Figure 2-16 – Current Configuration (1)

2. Press <Enter> to show the second screen of parameters:

Figure 2-17 – Current Configuration (2)

3. Press <Enter> to return to the NetEnforcer Setup Menu.

Configuring Network Parameters

You can define network parameters manually.

To define network parameters manually:

1. In the NetEnforcer Setup Menu, enter 2 (Network configuration) and press <Enter>.
The Network Configuration menu is displayed:

Figure 2-18 – Network Configuration

2. Enter 2 (Manual configuration) and press <Enter>.

3. Enter values for the following IP parameters:

Device IP Address: The IP address for your NetEnforcer, for example, 10.1.18.7.
Network mask: The network mask for your NetEnforcer, for example, 255.0.0.0.
Device Hostname: The host name for your NetEnforcer, for example, Jonny2.
Domain name: A domain name for your NetEnforcer, for example, allot.com. Do not
provide a leading ‘.’.
Default gateway IP address: The IP address of your default gateway, for example,
10.0.02. If you do not have a default gateway, enter NONE.
Default gateway interface: If you entered a default gateway in the previous step, the
NetEnforcer interface to which it is connected, either 0 for Internal or 1 for External.
Primary name server IP address: If you have a Domain Name Server (DNS), its IP
address. If you do not have a DNS, enter none.
Secondary name server IP address: If you have a second DNS, its IP address. If you
do not have a second DNS, enter none.
Enable VLAN Environment: Enables/disables the VLAN environment.

The Ethernet Adapter Settings screen is displayed.
4. Enter the following parameters to set up the NetEnforcer Ethernet adapters:
• The duplex type for the Internal interface. Enter full for full duplex, half for half
duplex or auto for AutoSensing.
• If you selected full or half duplex, enter the link speed of the Internal interface,
10M or 100M. Use M for Mbps.
• The duplex type for the External interface. Enter full for full duplex, half for half
duplex or auto for AutoSensing.
• If you selected full or half duplex, enter the link speed of the External interface,
10M or 100M. Use M for Mbps.
NOTE:
AC-802 Copper models also support Gigabit Ethernet (AutoSensing, 10/100/1000Base-T).
When using NetEnforcer AC-802 Fiber models, you must set the interface of the device you are
connecting to as 1000 Mbps Full Duplex with Auto-Negotiation disabled.
TIP:
When connecting NetEnforcer to a hub or a switch, ensure that the Ethernet adapter settings on both
sides (meaning, NetEnforcer and the switch) are set to the same mode. In other words, if you wish to
set the Ethernet adapters on your NetEnforcer to AutoSensing, ensure that the Ethernet adapter on the
connected hub or switch is also set to AutoSensing. The same principle applies when setting the
Ethernet adapters to Half or Full Duplex.
In addition, to ensure that the devices on both sides of the NetEnforcer (meaning, the devices
connected to the Internal and External interfaces) can communicate in the event of the NetEnforcer
going into Bypass, ensure that the Ethernet adapters on devices on both sides of the NetEnforcer are
set to the same mode. (For further information, see Appendix B, Fail-Safe Operation.)

NOTE:
M = 1 million (1,000,000); K = 1 kilo (1,000)

5. Enter the following parameters to set up the Management Port:
• The duplex type for the Internal interface. Enter full for full duplex, half for half
duplex or auto for AutoSensing.
• If you selected full or half duplex, enter the link speed of the Internal interface,
10M or 100M. Use M for Mbps.
• The duplex type for the External interface. Enter full for full duplex, half for half
duplex or auto for AutoSensing.
• If you selected full or half duplex, enter the link speed of the External interface,
10M or 100M. Use M for Mbps.
6. Press <Enter> to finish and return to the Network Configuration menu.
7. To save your configuration, enter 3 (Save latest settings as current configuration)
from the Network Configuration menu. A message is displayed, asking whether you
wish to make your changes effective immediately. Enter y or n.
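The Setup Menu asks for the network parameters one prompt at a time and then reboots, so it is worth checking that the answers are consistent with each other before saving them. The following Python script is an added example, not Allot code and not part of this guide. It takes the parameters named in the table of step 3, using that table's sample values (10.1.18.7, 255.0.0.0, Jonny2, allot.com) with 10.0.0.2 as a constructed gateway address, and applies the rules the table states (no leading '.' in the domain name, NONE or none for a missing gateway or DNS, interface 0 or 1). Two checks are this example's own additions: the gateway must lie inside the device's subnet, and the host name is limited to RFC 1123 characters.

```python
import ipaddress

# Constructed sample answers to the Network Configuration prompts. The IP
# address, mask, host name and domain are the table's own examples; the
# gateway 10.0.0.2 is an assumed value.
SAMPLE_PARAMS = {
    "device_ip": "10.1.18.7",
    "network_mask": "255.0.0.0",
    "hostname": "Jonny2",
    "domain_name": "allot.com",
    "default_gateway": "10.0.0.2",   # or NONE when there is no gateway
    "gateway_interface": "0",        # 0 = Internal, 1 = External
    "primary_dns": "none",
    "secondary_dns": "none",
}


def _valid_ipv4(text):
    """True when text is a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_network_params(p):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{p['device_ip']}/{p['network_mask']}")
    except ValueError as exc:
        # Nothing else can be checked without a usable address and mask.
        return [f"device IP address / network mask: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("device IP address is the network or broadcast address")
    # Added check (RFC 1123 host name characters), not a rule from the guide.
    if not p["hostname"] or not all(c.isalnum() or c == "-" for c in p["hostname"]):
        problems.append("host name may contain only letters, digits and '-'")
    if p["domain_name"].startswith("."):
        problems.append("domain name must not have a leading '.'")
    gw = p["default_gateway"]
    if gw.upper() != "NONE":
        if not _valid_ipv4(gw):
            problems.append(f"default gateway {gw!r} is not a valid IPv4 address")
        elif ipaddress.IPv4Address(gw) not in net:
            # Added check: a gateway outside the subnet is unreachable after the reboot.
            problems.append(f"default gateway {gw} is outside {net}")
        if p["gateway_interface"] not in ("0", "1"):
            problems.append("default gateway interface must be 0 (Internal) or 1 (External)")
    for key in ("primary_dns", "secondary_dns"):
        if p[key].lower() != "none" and not _valid_ipv4(p[key]):
            problems.append(f"{key} must be an IPv4 address or 'none'")
    return problems


if __name__ == "__main__":
    print(validate_network_params(SAMPLE_PARAMS) or "parameters look consistent")
```

Run it with the values you intend to type; an empty result means none of the checks fired. The gateway-in-subnet check is the one that most often catches a typo such as a three-octet address.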

Changing the Passwords

You can change the login password for either the Admin user or the Monitor user. The
Admin user has access to all NetEnforcer functions, while the Monitor user has
read-only access. It is strongly recommended to change the default password (allot).
NetEnforcer might enable access from anywhere on the Internet, and should therefore
be protected with a unique password.
To change a user’s password:
1. In the NetEnforcer Setup Menu, enter 3 (Change password) and press <Enter>. The
Password screen is displayed:

Figure 2-19 – Password

2. Enter 1 or 2 to specify the type of user whose password you want to change and
press <Enter>.
3. Enter a new password and press <Enter>. The password must be between 5 and 8
characters. You can use a combination of upper and lower case letters and numbers.
4. Re-enter the password and press <Enter>. If NetEnforcer detects a simple password,
a warning is displayed on the screen.

CAUTION:
You must change the default passwords to ensure a minimum level of security.
NOTE:
The new user name and password will be used in the NetEnforcer Log In window when accessing
NetEnforcer through a browser.
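The following Python checker is an added example of the password rules in steps 3 and 4 above; it is not Allot's implementation, and the guide does not say how NetEnforcer decides that a password is "simple", so the simplicity heuristics here are this example's own. It enforces the stated 5 to 8 character range and the letters-and-digits alphabet, rejects the default passwords documented in this chapter, and computes the brute-force ceiling that the 8-character maximum imposes, which is the reason the allowed-host list and the Management port described later in this chapter matter as much as the password itself.

```python
import math
import string

# Rules stated in steps 3 and 4 of "Changing the Passwords".
MIN_LEN, MAX_LEN = 5, 8
ALLOWED_CHARS = set(string.ascii_letters + string.digits)
# Default passwords documented in this chapter; a replacement must not reuse them.
DOCUMENTED_DEFAULTS = {"allot", "bagabu"}


def password_problems(password, username="admin"):
    """Return the reasons a candidate password should be rejected or would
    count as 'simple'. An empty list means it passes every check here.
    The 'simple' heuristics are this example's own, not NetEnforcer's."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if any(c not in ALLOWED_CHARS for c in password):
        problems.append("only upper-case letters, lower-case letters and digits")
    lowered = password.lower()
    if lowered in DOCUMENTED_DEFAULTS or lowered == username.lower():
        problems.append("matches a documented default or the user name")
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password)]
    if sum(classes) < 3:
        problems.append("mix upper-case, lower-case and digits")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def brute_force_bits(length, alphabet_size=len(ALLOWED_CHARS)):
    """Entropy ceiling in bits for a random password of this length drawn from
    the allowed alphabet; with the 8-character cap this stays under 48 bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("allot", "Xk7pQ2m9", "aaaaa1A"):
        print(candidate, password_problems(candidate) or "ok")
    print(f"max entropy at {MAX_LEN} chars: {brute_force_bits(MAX_LEN):.1f} bits")
```

Because the ceiling is fixed by the menu's length limit, the practical defences are the ones the rest of this chapter describes: change both the admin and the root defaults, and restrict which hosts may reach the management services at all.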

Modifying Date and Time Settings

You can modify date and time settings as required. You can set the system time
manually, or you can set up NetEnforcer to receive time checks from an NTP (Network
Time Protocol) server, if you have one on your network.
To modify the date and time settings:
1. In the NetEnforcer Setup Menu, enter 4 (Set time) and press <Enter>. The Time
Setup screen is displayed:

Figure 2-20 – Time Setup

The current day, date, system time and time zone are displayed at the top of the
screen.
2. To change the time zone, perform the following steps:
• Enter 1 and press <Enter>.
• Enter y and press <Enter>. NetEnforcer displays a list of time zones.
• Enter the required time zone and press <Enter>.
3. To change the system time, perform the following steps:
• Enter 2 and press <Enter>.
• Enter the new date and time in the format DD-MM-YYYY-HH-mm. For example,
12-05-2001-11-20 for 12th May 2001, 11:20 am.
• Press <Enter> to set the time.

Changing the Root User Password

You can change the root password that provides access to super-user rights.

To change the root password:

1. Use the supplied serial cable to connect the terminal to the Console Connector on the
front panel of NetEnforcer.
2. Set the NetEnforcer power switch, located near the NetEnforcer power cable, to the
ON position. The system boots up and on the terminal you are prompted for a login
and a password.
3. At the terminal, press <Enter>. The system boots up and you are prompted for a
login and a password.
4. Enter root for the login and bagabu for the password, and then press <Enter>.
5. Enter passwd and then press <Enter>.
6. Enter a new password and press <Enter>. The password must be between 5 and 8
characters. You can use a combination of upper and lower case letters and numbers.
7. Re-enter the new password and press <Enter>.

CAUTION:
If you forget this password, contact Allot Customer Support.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After
rebooting is completed, NetEnforcer is ready to be connected and to add Quality of
Service in your network.

TIP:
You can further protect the access to NetEnforcer by limiting the hosts that are allowed to manage the unit.
To configure the allowed host list, refer to Access Control in Chapter 4, Configuring NetEnforcer.
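As an added example of how a defender can turn the allowed-host list and the management paths described in this chapter (Telnet to the Setup Menu, the browser Control Panel) into a detection rule, the Python script below audits a few constructed connection records. It is not Allot code and not part of this guide: the record format (timestamp, source host, NetEnforcer address, destination port), the port-to-service map and all addresses are assumptions. It flags management sessions from hosts outside the allowed list, and flags Telnet sessions even from allowed hosts because the login is sent in cleartext.

```python
import ipaddress
from collections import namedtuple

Session = namedtuple("Session", "when src dst dport")

# Constructed records, not real NetEnforcer output: time, source host,
# NetEnforcer address, destination port. 192.0.2.99 is a documentation address.
SAMPLE_SESSIONS = """\
2004-03-01T09:00:12 10.1.18.50 10.1.18.7 80
2004-03-01T09:05:44 10.1.18.50 10.1.18.7 23
2004-03-01T11:17:03 192.0.2.99 10.1.18.7 23
2004-03-01T11:20:30 10.1.18.51 10.1.18.7 80
2004-03-01T11:21:00 10.1.18.51 10.1.18.9 80
"""

# Management services used in this chapter: Telnet for the Setup Menu and
# HTTP for the browser Control Panel, on their standard ports.
MANAGEMENT_PORTS = {23: "telnet", 80: "http"}
CLEARTEXT_LOGIN = {23}   # Telnet carries the admin login and password unencrypted


def parse_sessions(text):
    """Parse the whitespace-separated constructed record format above."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, dst, dport = line.split()
        sessions.append(Session(when, ipaddress.ip_address(src),
                                ipaddress.ip_address(dst), int(dport)))
    return sessions


def audit_management_access(sessions, allowed_cidrs, device_ip):
    """Return (when, source, service, reason) for each session worth reviewing:
    management traffic from outside the allowed-host list, or a cleartext
    Telnet login even from an allowed host."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    device = ipaddress.ip_address(device_ip)
    findings = []
    for s in sessions:
        if s.dst != device or s.dport not in MANAGEMENT_PORTS:
            continue                      # not management traffic to this unit
        service = MANAGEMENT_PORTS[s.dport]
        if not any(s.src in net for net in allowed):
            findings.append((s.when, str(s.src), service, "source not in allowed host list"))
        elif s.dport in CLEARTEXT_LOGIN:
            findings.append((s.when, str(s.src), service, "login sent in cleartext"))
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(parse_sessions(SAMPLE_SESSIONS),
                                           ["10.1.18.0/24"], "10.1.18.7"):
        print(*finding)
```

The allowed CIDR list should mirror whatever is configured under Access Control; any finding of the first kind means a host outside that list reached a management service and the unit's own restriction should be checked, while findings of the second kind are a reason to prefer the serial console or the Management port for Setup Menu work.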

Configuring Via the LCD Panel

The NetEnforcer Enhanced models (AC-202 and AC-402) and High Availability
models (AC-802) provide an LCD panel from which you can configure basic
NetEnforcer parameters without connecting a terminal. This enables quick and easy
setting of basic parameters such as the IP address of NetEnforcer and NIC settings.
When you are not configuring NetEnforcer, the display area in the LCD panel indicates
its default view, which is the current inbound and outbound bandwidth usage. The units
are in Kbps or Mbps with one digit after the point and the display is refreshed every five
seconds.
NOTE:
When you are configuring NetEnforcer and there is no activity for more than 30 seconds, the display area
returns to the default view and any modifications to parameters that were not saved are lost.

The Main Menu

The LCD panel provides one main menu from where you can perform the following
operations:
• Configure NIC settings, page 2-41.
• Set the NetEnforcer IP address, page 2-43.
• Enable/disable the Management port, page 2-44.
• Activate Bypass, page 2-46.
• Reboot, shut down or exit NetEnforcer, page 2-46.

The illustration below is a list of the main menu options from the LCD panel.

Figure 2-21 – LCD Panel, Main Menu Options

Getting Started on NetEnforcer

In order to start working with NetEnforcer, press the Power button to turn on
NetEnforcer. Once the system has completed loading, the display area of the LCD
indicates its default view, the current bandwidth consumption of NetEnforcer. For
example:
Inbound: XX.XM
Outbound: YYY.YM
You can now proceed to configure NetEnforcer, as required.
NOTE:
If QoS functionality is not included in your NetEnforcer (not enabled by your activation key), the default
view indicates the following: Inbound:-, Outbound:-.

Configuring NIC Settings

Configuring NIC settings enables you to configure the internal and external Ethernet
adapters to either automatically sense the direction and speed of network traffic, or use a
predetermined duplex type and speed.

To configure NIC settings:

1. With the display area displaying the default view, press the Select button. The main
menu is displayed as follows:
Main menu:
1. NIC Settings
2. Press the Select button. If the Management port is enabled, the display area indicates
the following:
1-1.[M]anagement
[In]/[Ex]ternal
NOTE:
If the Management port is disabled, the display area indicates the following: 1-1.Interface:
[In]/[Ex]ternal.

3. Use the arrow buttons to select the required interface and press the Enter button.
The display area indicates the following:
Mode: [A]uto or
[F]ull/[H]alf du
4. Use the arrow buttons to select the duplex type for the selected interface and press
the Enter button. The display area indicates the following:
Speed: [A]uto or
[100]/[10] Mbps
5. Use the arrow buttons to select the link speed of the selected interface and press the
Enter button. The display area indicates the following:
[S]ave/[C]ancel
6. Use the arrow buttons to select whether to save the settings or cancel and press the
Enter button. The new NIC settings are applied and after a few moments, the
display area displays its default view, the current bandwidth consumption.

Setting the NetEnforcer IP Address

Setting the NetEnforcer IP address enables you to specify the IP address, netmask and
default gateway for NetEnforcer.

To configure the IP address:

1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow once to display the following:
Main menu:
2. Setup IP
3. Press the Select button. The display area indicates the following:
2-1.Set IP:
xxx.xxx.xxx.xxx (the current IP address definitions are displayed)
4. Specify the IP address of NetEnforcer. Use the up and down arrow buttons to select
the required number and the left and right arrow buttons to move between the digits.
5. Press the Enter button. The display area indicates the following:
2-2.Set mask:
xxx.xxx.xxx.xxx (the current netmask definitions are displayed)
6. Specify the netmask of NetEnforcer. Use the up and down arrow buttons to select
the required number and the left and right arrow buttons to move between the digits.
7. Press the Enter button. The display area indicates the following:
2-3 Gateway exists [Yes/No]
Select whether you have a gateway defined in your network. If you select N, you
exit to the next step, skipping step 2-4. If you have a gateway, select Y and proceed:
2-4.Gateway:
xxx.xxx.xxx.xxx (the current gateway definitions are displayed)
8. Specify the IP address of the default gateway. Use the up and down arrow buttons to
select the required number and the left and right arrow buttons to move between the
digits.
9. Press the Enter button. The display area indicates the following:
[S]ave/[C]ancel
10. Use the arrow buttons to select whether to save the settings or cancel and press the
Enter button. The new IP and gateway settings are applied and after a few moments,
the display area displays its default view, the current bandwidth consumption.
The following cases of failure may be indicated (the two lines of the display are shown
separated by a slash):

Failure                 Display
Register NIC Settings   Fail: NE IP save / Chk NE IP config
Netmask Save            Fail: MASK save / Chk NE IP config
Management NIC Save     Fail: Mgmt save / Chk NE IP config
Gateway Save            Fail: GW save / Chk NE IP config

Enabling/Disabling the Management Port

Configuring the Management port enables you to specify whether management of
NetEnforcer is via the Management port or the network connectors. Configuration via
the Management port provides a more secure way to manage NetEnforcer and ensures
no interruption to traffic.

To configure the Management port:

1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow twice to display the following:
Main menu:
3. Mgmt Port
3. Press the Select button.
• If the Management port is enabled, the display area indicates the following:
Disable port?
[Y]es/[N]o
Use the arrow buttons to select whether to disable the Management port. When
you select Yes, the display area indicates that the Management port is being
disabled and after a few seconds displays its default view. When you select No,
the display area returns to the Management port menu (shown in step 2).
• If the Management port is disabled, the display area indicates the following:
Enable port?
[Y]es/[N]o
Use the arrow buttons to select whether to enable the Management port. When
you select Yes, the display area indicates that the Management port is being
enabled and after a few seconds displays its default view. When you select No,
the display area returns to the Management port menu (shown in step 2).
NOTE:
If for some reason the operation fails, the display area indicates Enabling Failed or
Disabling Failed and the system displays its default view.

Activating Bypass
To configure a Bypass:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow three times to display the following:
Main menu:
4. Bypass
3. Press the Select button. If the system is not in Bypass mode, the display area
indicates the following:
Go into Bypass?
[Y]es/[N]o
4. Use the arrow buttons to select whether to enter Bypass mode and press the Enter
button. NetEnforcer switches to Bypass mode and after a few moments, the display
area displays its default view, the current bandwidth consumption.

NOTE:
When the system is already in Bypass mode, you are prompted to select whether to exit Bypass mode.
Use the arrow buttons to select whether to exit Bypass mode and press the Enter button.

Rebooting, Shutting Down and Exiting NetEnforcer

You can reboot or shut down NetEnforcer and exit from LCD configuration as required.

To reboot NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow four times to display the following:
Main menu:
5. Reboot
3. Press the Select button. The display area indicates the following:
Reboot?
[Y]es/[N]o
4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter
button. NetEnforcer reboots and the display area indicates the following:
System
Rebooting * (blinking asterisk)

NOTE:
This message is also displayed in the display area when NetEnforcer is rebooted using a terminal.

To shut down NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow five times to display the following:
Main menu:
6. Shutdown
3. Press the Select button. The display area indicates the following:
Shutdown?
[Y]es/[N]o
4. Use the arrow buttons to select whether to shut down NetEnforcer and press the
Enter button. NetEnforcer shuts down and the display area indicates the following:
System
Shutting down * (blinking asterisk)
After a few seconds, the display area indicates that NetEnforcer may be powered off.

NOTE:
This message is also displayed in the display area when NetEnforcer is shut down using a terminal.

To exit NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow six times to display the following:
Main menu:
7. Exit
3. Press the Enter or the Select button. The display area displays its default view, the
current bandwidth consumption.

Chapter 3: Getting Started

This chapter explains how to connect to your client management station, provides an
overview of the NetEnforcer interface, and describes how to install the Java Plug-in.

This chapter includes the following sections:

Accessing NetEnforcer, page 3-2, describes how to access NetEnforcer from your Web
browser.
NetEnforcer Control Panel, page 3-3, describes the options available in the
NetEnforcer Main Control Panel.
Installing the Java Plug-in 1.3, page 3-9, describes how to install the Java plug-in 1.3.
The Java plug-in is a prerequisite for running the NetEnforcer application, which runs
as a Java-based applet.
Once you have accessed the NetEnforcer application and installed the required plug-in,
you can begin to work with NetEnforcer. The first step is to configure NetEnforcer,
described in Chapter 4, Configuring NetEnforcer.

Accessing NetEnforcer
Once you have completed the initial setup, as described in the previous chapter, you can
access NetEnforcer via your Web browser. The first time that you connect to
NetEnforcer, you may be prompted to install Java plug-in 1.3. Refer to Installing the
Java Plug-in 1.3, page 3-9, for further information.

To connect to NetEnforcer:
1. Open your browser, and enter http://(IP address of NetEnforcer). The NetEnforcer
Log On dialog box is displayed:

Figure 3-1 – NetEnforcer Log On Dialog Box

2. In the User Name field, enter admin and in the Password field, enter allot (the
default user name and password) or the password that was set during the initial
configuration. Refer to Chapter 2, Installing NetEnforcer, Section Setting Up
NetEnforcer.
3. Click Log On. The NetEnforcer Control Panel is displayed.
NOTE:
It may take a few moments to display the Control Panel.

NetEnforcer Control Panel

The NetEnforcer Control Panel is the main NetEnforcer window, displayed when you
connect to NetEnforcer.

Figure 3-2 – NetEnforcer Control Panel

The NetEnforcer Control Panel is the main navigation point for NetEnforcer. Each
button in the Control Panel provides access to different NetEnforcer functionality. The
buttons and their sub-options are described on the following pages.

The following table describes each Control Panel button, its sub-options (where it has
any) and the functionality it provides.

Policies
  Provides access to the Policy Editor where you define QoS policy using Pipes,
  Virtual Channels and rules. (Refer to Chapter 8, Defining Policies, for further
  information.) From the Policy Editor, you also access and configure entries in the
  NetEnforcer Catalogs. Catalogs contain the possible values available when
  configuring Pipes, Virtual Channels and rules in the Policy Editor. (Refer to
  Chapter 7, Defining Catalog Entries, for further information.)

NetWizard
  Provides access to NetWizard. NetWizard is a NetEnforcer tool that uses
  auto-discovery to detect the protocols in a network, enabling you to quickly define
  QoS policies for each type of protocol in the network. (Refer to Chapter 5,
  NetWizard Quick Start, for further information.)

Monitoring
  My Favorite View: Displays a saved arrangement of Monitoring windows as your
  favorite view. (Refer to Chapter 6, Monitoring Network Traffic, for further
  information.)
  NetEnforcer Level: Enables you to monitor traffic and view current network
  behavior at the NetEnforcer level through NetEnforcer monitoring graphs. (Refer to
  Chapter 6, Monitoring Network Traffic, for further information.)
  Pipe Level: Enables you to monitor traffic and view current network behavior at the
  Pipe level through NetEnforcer monitoring graphs. (Refer to Chapter 6, Monitoring
  Network Traffic, for further information.)
  Virtual Channel Level: Enables you to monitor traffic and view current network
  behavior at the Virtual Channel level through NetEnforcer monitoring graphs.
  (Refer to Chapter 6, Monitoring Network Traffic, for further information.)
  Settings: Enables you to configure features of monitoring graphs (both current and
  history) as well as set up your favorite view. (Refer to Chapter 6, Monitoring
  Network Traffic, for further information.)
  Long-Term: Enables you to collect and view long-term monitoring data. You can
  manipulate the data and produce reports, as required. (Refer to Chapter 6,
  Monitoring Network Traffic, for further information.)

Alerts
  Alerts Log: Provides access to the Alerts Log that includes a list of the alerts
  triggered by the alert definitions. (Refer to Chapter 9, NetEnforcer Alerts, for
  further information.)
  Alerts Editor: Provides access to the Alerts Editor where you define events or
  conditions that will trigger alerts. (Refer to Chapter 9, NetEnforcer Alerts, for
  further information.)

NetAccountant
  Design and generate template-based accounting reports. This functionality is only
  available when you have the NetAccountant module enabled in your NetEnforcer
  system. (Refer to the NetAccountant User’s Manual for further information.)

Configuration
  Enables you to specify system configuration and setup parameters. (Refer to
  Chapter 4, Configuring NetEnforcer, for further information.)

Tools
  Download Long-Term Monitoring Agent: Enables you to download the Long-Term
  Monitoring Agent application. This application collects long-term monitoring data,
  which you can then view, as required. (Refer to the Long-term Monitoring section
  in Chapter 6, Monitoring Network Traffic, for further information.)
  Download MIBs: Enables you to download the Allot Position MIBs and the Allot ID
  MIBs. (Refer to the Accessing the Allot MIBs section in Chapter 11, SNMP
  Monitoring, for further information.)
  Pipe/VC ID Lookup for SNMP: Enables you to obtain the internal IDs for Pipes and
  Virtual Channels. This is necessary if you are using the Allot ID MIBs. (Refer to
  the Installing MRTG for NetEnforcer section in Chapter 11, SNMP Monitoring, for
  further information.)
  Update Service Catalog from Allot Communications: Enables you to update the
  latest protocols to the Service Catalog. (Refer to the Service Catalog Editor section
  in Chapter 7, Defining Catalog Entries, for further information.)
  Send ‘Snapshot’ to Factory: Enables you to send an image of a screen to
  NetEnforcer Customer Support for debugging purposes.
  Download External Accounting Collector: Enables you to download the External
  Accounting Collector. This enables you to download and install two applications
  (Accounting Agent and Binary to ASCII Translator) on your computer. The
  Accounting Agent enables you to get the accounting data from the NetEnforcer; the
  Binary to ASCII Translator enables you to convert the binary stream into ASCII
  files. Once installed, the two applications are transparent to the user.
  Register Product: Enables you to register NetEnforcer with Allot Communications.

Window
  View by Application: NetEnforcer applets are displayed in individual tabs in the
  main NetEnforcer window. For example, the NetEnforcer Configuration window is
  displayed in the Configuration tab and monitoring graphs are displayed in the
  Monitoring tab.
  View All: NetEnforcer applets are displayed in one tab (called View All) in the main
  NetEnforcer window. For example, the NetEnforcer Configuration window as well
  as monitoring graphs are displayed in the View All tab.
  Close All: Closes all NetEnforcer applets that are currently open.
  Cascade: Cascades all open NetEnforcer applets in the main NetEnforcer window.
  Tile: Tiles all open NetEnforcer applets in the main NetEnforcer window.
  Below the Window sub-options, there is a list of open NetEnforcer applets, for
  example, NetEnforcer Configuration, Alerts Editor, and so on.

Help
  Index: Provides access to online help.
  System Messages Details: Provides access to details about system messages.
  Allot Communications Home Page: Provides access to the Allot Communications
  home page.
  About: Provides version information about NetEnforcer.

Log Off
  Exits the NetEnforcer Control Panel. A Log On button is then displayed enabling
  you to access the Control Panel once again.

Installing the Java Plug-in 1.3

NOTE:
If the Java plug-in is already installed on your PC and the version is less than 1.3, it should be removed
before installing the Java plug-in 1.3.

The NetEnforcer application runs as a Java applet with the assistance of Sun
Microsystems Java plug-in 1.3.
The minimum requirements for using the Java plug-in are Pentium 2 with 128Mb RAM.
This plug-in enables a Java applet to run using Sun’s Java Runtime Environment (JRE)
on the following platforms:
• Microsoft’s Internet Explorer 6.0 on Win32 platforms (Windows 98, Windows
2000, Windows Millennium, Windows NT 4.0 and Windows XP)
• Netscape Navigator 6 on Win32 platforms (Windows 98, Windows 2000, Windows
Millennium, Windows NT 4.0 and Windows XP)
• Solaris platforms (Solaris 2.5 or 2.6)
• Linux 2.2

When the NetEnforcer application is loaded, the Java plug-in ensures that Sun’s Java
Runtime Environment (JRE) is loaded to run the applet (and not the browser’s default
JRE). This enforces a singular behavior (consistent look and feel) of the applet among
the various browsers and their associated versions.
This section describes how to install the Java plug-in 1.3 from Microsoft Internet
Explorer and Netscape.
If you have any earlier versions of the Java plug-in, you should uninstall them before
installing version 1.3. For example, NetEnforcer 3.x users have Java plug-in 1.1.1
installed.

Installing the Java Plug-in from Internet Explorer

You are prompted to install the Java plug-in during the initial connection procedure.

To install the Java plug-in from Internet Explorer:

1. In Internet Explorer, enter the NetEnforcer IP address and wait a few moments. The
Software License Agreement window is displayed:

Figure 3-3 – Java Plug-in Software License Agreement Window

2. Click Yes. The Select Destination Location window is displayed.

3. Select a destination location for the plug-in or leave the default location.

4. Click Next and wait a few moments. The Java Plug-in Security Warning window is
displayed:

Figure 3-4 – Java Plug-in Security Warning Window

5. Click Grant this session or Grant always. It is recommended to click Grant
always. This enables the NetEnforcer application to access the local client machine.
(Generally, Java applets running in a browser are not allowed to access the local
client machine.) After a few seconds, the NetEnforcer Log On dialog box is
displayed and you can log in, as described on page 3-2.
6. If you select Grant this session, each time you open the NetEnforcer GUI, or open
the GUI on a new computer, after June 1, 2003 (the publisher's certificate expiry
date), the following popup window is displayed:

Figure 3-5 – Java Plug-in Security Warning Pop-up – Certificate Expiration Notice

7. Click Yes to ignore the warning and proceed; Figure 3-4 is redisplayed.

8. Click Grant Always. (Refer to step 5, above.)

Installing the Java Plug-in from Netscape

When installing the Java plug-in from Netscape, you must first download the executable
installation file and then run it. The following procedure describes how to install the
Java plug-in from Netscape 6.1 and earlier.
NOTE:
If you are working with Netscape 6, you cannot control which Java plug-in is installed. When you enter the
IP address of NetEnforcer, Netscape 6 automatically determines which Java plug-in version to install. You
should follow the on-screen instructions.

To install the Java Plug-in from Netscape:

1. In Netscape, enter the NetEnforcer IP address and wait a few moments. The
following screen is displayed:

Figure 3-6 – Java Plug-in Icon

2. Click the icon. If you are using a Windows-based platform, the following Plug-in
Not Loaded window is displayed:

Figure 3-7 – Plug-in Not Loaded Window

3. Click Get the Plug-in. A standard Save As window is displayed.

4. Select the folder in which you want to save the Java plug-in executable installation
file and click Save. The executable file is saved in the selected location.
5. Run the executable file saved in step 4, and wait a few moments. The Software
License Agreement window is displayed:

Figure 3-8 – Java Plug-in Software License Agreement Window

6. Click Yes. The Select Destination Location window is displayed.

7. Select a destination location for the plug-in or leave the default location.

8. Click Next and wait a few moments. The Java Plug-in Security Warning window is
displayed:

Figure 3-9 – Java Plug-in Security Warning Window

9. Click Grant this session or Grant always. It is recommended to click Grant
always. This enables the NetEnforcer application to access the local client machine.
(Generally, Java applets running in a browser are not allowed to access the local
client machine.)
10. You may be prompted to reboot at this point. If so, restart your browser and connect
to NetEnforcer, as described in Accessing NetEnforcer, page 3-2.



Chapter 4: Configuring NetEnforcer

This chapter describes how to modify NetEnforcer's configuration parameters from a Web browser. You can also configure NetEnforcer using a command line interface, described in Appendix G, NetEnforcer Command Line Interface.

This chapter includes the following sections:


Overview, page 4-2, provides an introduction to the process of modifying configuration
parameters from your browser.
NetEnforcer Configuration Window, page 4-6, describes the menu bar and toolbar in
the NetEnforcer Configuration window.
NetEnforcer Configuration Parameters, page 4-9, describes the configuration
parameters available in the NetEnforcer Configuration window.
Additional Configuration Options, page 4-45, describes how to change the date and
time settings on NetEnforcer, how to backup, restore and verify configuration, as well
as how to retrieve certain configuration parameters from a DHCP server.


Overview
Once you have configured NetEnforcer for your network environment, described in
Chapter 2, Installing NetEnforcer, you can modify configuration parameters remotely
via your Web browser including initial setup parameters, as well as the following run-
time parameters:
• System parameters, including software versions and keys
• Access link parameters, including the duplex type and bandwidth of Internal and
External interfaces
• Network interface parameters, including IP addresses and mask/gateway
parameters
• Access control parameters that determine access to NetEnforcer management
functions
• Internal and external Ethernet adapter parameters
• Networking parameters, including monitoring only mode and bridging protocol
• Parameters that enable SNMP-compatible management functions
• Connection parameters
• Monitoring parameters
• Accounting parameters
• LDAP parameters
• VLAN parameters
• Denial of Service (DoS) parameters
Configuration parameters are modified from the NetEnforcer Configuration window. A
general procedure for configuring NetEnforcer is presented on page 4-3. A description
of all the possible configuration parameters begins on page 4-9.


To configure NetEnforcer:
1. From the NetEnforcer Control Panel, click Configuration. The NetEnforcer Configuration window is displayed:

Figure 4-1 – NetEnforcer Configuration Window

Configuration parameters are grouped in tabs. The configuration parameters are described in NetEnforcer Configuration Parameters, page 4-9. In each tab, edit the relevant configuration parameters, as required.
2. Click the Save to NetEnforcer toolbar button or select Save to NetEnforcer from the File menu to save the configuration. The following confirmation message is displayed:


Figure 4-2 – Confirmation Message


3. Click OK.
NOTE:
Rebooting the NetEnforcer is required when you make changes to either:
• NetEnforcer Activation Key (Product IDs & Key tab)
• NIC
• Networking/ Accounting/ RADIUS Setup/ Restore Configuration
• Time
• Management port definition
This is to ensure that the saved parameter values are committed and activated on NetEnforcer. You are
automatically prompted to reboot.


Activating the NetEnforcer

The Key Expiration date is displayed in the Product IDs & Key tab of the Configuration window. Some keys do not have an expiration date; in those cases this field is empty.

Once the key has expired, NetEnforcer reboots and the module settings are redisplayed with all optional modules shown as disabled.


NetEnforcer Configuration Window


The NetEnforcer Configuration window contains a menu bar, a toolbar, and tabbed
pages of configuration parameters.

Menu Bar
The menu bar in the NetEnforcer Configuration window includes five menus, described
in the following sections.

File Menu

The File menu includes the following options:

Save to NetEnforcer – Saves the configuration to NetEnforcer. This option is only enabled after changes have been made to the configuration.
Reboot NetEnforcer – Reboots NetEnforcer.
Shutdown NetEnforcer – Shuts down NetEnforcer.
Print – Prints the configuration parameters in text format.
Exit – Closes the NetEnforcer Configuration window.


Edit Menu

The Edit menu includes the following option:

Undo All Unsaved Changes – Undoes all changes that have not yet been saved.

Options Menu

The Options menu includes the following options:

Backup Configuration – Saves the configuration to a file. Refer to Backing Up Configuration, page 4-45.
Restore Configuration – Opens a previously saved configuration. Refer to Restoring Configuration, page 4-46.
Set Date and Time – Configures the date and time on NetEnforcer. Refer to Setting Date and Time, page 4-47.
Setup Verification – Verifies some basic configuration parameters. Refer to Verifying Configuration, page 4-48.

Help Menu

The Help menu includes the following option:

Index – Provides access to online help.


Toolbar
The toolbar in the Configuration window enables easy access to many of the functions
available from the menu bar. The toolbar includes the following buttons:

Save to NetEnforcer – Saves the configuration to NetEnforcer. This button is only enabled after changes have been made to the configuration.
Reboot NetEnforcer – Reboots NetEnforcer.
Shutdown NetEnforcer – Shuts down NetEnforcer.
Print – Prints the configuration parameters in text format.
Undo All Unsaved Changes – Undoes all changes that have not yet been saved.
Backup Configuration – Saves the configuration to a TFTP server.
Restore Configuration – Restores the configuration from a TFTP server.
Help – Provides access to online help.


NetEnforcer Configuration Parameters


The NetEnforcer Configuration window includes the following tabs:
• Product IDs and Key, page 4-10
• Access Links, page 4-12
• IP & Host Name, page 4-14
• Security, page 4-17
• NIC, page 4-19
• Networking, page 4-21
• SNMP, page 4-25
• Connection Control, page 4-26
• Monitoring, page 4-28
• Internal Accounting, page 4-29
• External Accounting, page 4-31
• RADIUS Setup, page 4-33
• Accounting/RADIUS Storage, page 4-36
• LDAP/Text Source, page 4-39
• VLAN, page 4-40
• Alerts, page 4-42
• Denial of Service (DoS), page 4-43
Each tab includes parameters that can be configured as required. After modifying
configuration parameters, you must select Save to NetEnforcer in order for the changes
to take effect.
The parameters available in each tab are described in the following sections.


Product IDs and Key


The Product IDs & Key tab includes parameters that provide system information and
activate optional NetEnforcer modules.

Figure 4-3 – Product IDs & Key Parameters


The Product IDs & Key tab includes the following parameters:

Parameter – Definition
Product Model – The NetEnforcer model. This field is read only.
Software Version – The software version on NetEnforcer. This field is read only.
Backplane Version – The backplane version on NetEnforcer. This field is read only.
Box Number – The ID number of NetEnforcer. This field is read only.

NetEnforcer Activation Key – The activation key that enables NetEnforcer. Enter the activation key supplied to you when you purchased NetEnforcer. The functionality enabled by the key is summarized in the fields below.
Quality of Service – Quality of Service is enabled on NetEnforcer.
Load Balancing – The NetBalancer module is enabled on NetEnforcer.
Cache Enforcer – The CacheEnforcer module is enabled on NetEnforcer.
NetAccountant – The NetAccountant module is enabled on NetEnforcer.
NetEnforcer Bandwidth Capacity – The maximum bandwidth capacity of NetEnforcer.

After entering an activation key, click Save to NetEnforcer. The following message is displayed:

Figure 4-4 – Save Configuration to NetEnforcer Message

Click Yes and NetEnforcer reboots automatically. After the reboot, re-open the NetEnforcer Configuration window and select the Product IDs & Key tab to see the new settings enabled by the activation key.


Access Links
The Access Links tab includes parameters that enable you to set the duplex type and
bandwidth of the Internal and External interfaces. The internal side of NetEnforcer
interfaces with your Local Area Network (LAN) and the external side of NetEnforcer
interfaces with the Wide Area Network (WAN) via your access router.

Figure 4-5 – Access Links Parameters


The Access Links tab includes the following parameters for the Internal and External
interfaces:
Parameter – Definition
Type – The type of interface. The options are as follows:
  Half Duplex: The access link can either transmit or receive traffic, but not both at once.
  Full Duplex: The access link can transmit and receive traffic simultaneously.


Outbound Bandwidth – The bandwidth of the link going away from NetEnforcer. When the Type is Half Duplex, the outbound bandwidth applies to both inbound and outbound traffic and the inbound bandwidth is not relevant.
Inbound Bandwidth – The bandwidth of the link going into NetEnforcer.

TIP:
If you enter a maximum bandwidth setting of less than 1 Kbps for either interface, the following message is displayed: "A bandwidth rate of less than 1000 bits/sec has been entered for Internal outbound speed. This is very slow speed. Continue with save anyway?"
Click Yes to confirm that this is the correct setting for the interface. Click No to enter another value.
It is strongly recommended not to attempt to shape traffic to less than 1 Kbps. Setting an internal or external bandwidth of less than 1 Kbps will bring normal network traffic to a halt. For example, shaping a short 64-byte frame (512 bits) to a 1000 bps link allows fewer than two frames per second, which is impractical in today's networks. Refer to the Release Notes for more information.


IP and Host Name


The IP & Host Name tab includes parameters that enable you to modify the IP and host
name configuration of your network interfaces.

Figure 4-6 – IP & Host Name Parameters


The IP & Host Name tab includes the following parameters:

Parameter – Definition
IP Address of NetEnforcer – The IP address of NetEnforcer.
Network Mask – The network subnet mask.
Default Gateway – The IP address of the default gateway. The default gateway enables clients to access NetEnforcer remotely and provides a path when NetEnforcer is on a different subnet than the client.


Host Name of NetEnforcer – The host name of NetEnforcer.
Domain Name – The domain name.
Primary Domain Name Server – The IP address of the primary domain name server.
Secondary Domain Name Server – The IP address of the secondary domain name server.
Primary NTP Time Server – The name of the primary NTP (Network Time Protocol) server. This enables NetEnforcer to receive the date and time from an NTP server.
Secondary NTP Time Server – The name of the secondary NTP server.
Tertiary NTP Time Server – The name of the tertiary NTP server.


Out-of-Band Management
The dedicated Management port provides a secure solution for device management for enterprises and service providers. It enables you to permit access solely to a closed group of network administrators. ISP customers cannot "see" the Management port and therefore cannot reach NetEnforcer management. NetEnforcer lets you enable or disable this Management port, permitting either In-Band or Out-of-Band management.
Out-of-Band mode is illustrated as follows:

Figure 4-7 – Out-of-Band Management

The Management port is enabled by default on all NetEnforcers that have a management port. To keep it enabled, make sure that the Disable Management Port parameter in the IP & Host Name tab is unchecked.

NOTE:
To use In-Band management and manage NetEnforcer via the Internal/External ports, select the Disable Management Port option in the IP & Host Name tab.


Security
The Security tab includes parameters that enable you to specify security parameters as well as to control access to NetEnforcer management functions by specifying the hosts to which you want to grant access.

CAUTION:
If no hosts are defined, anyone with a user name and a password can access NetEnforcer management functions.

Figure 4-8 – Security Parameters

The Security tab includes the following parameters on the left side:
Parameter – Definition
Enable Telnet – Select this checkbox to enable remote Telnet communications with NetEnforcer.
Enable SSH (Secure Shell) – Select this checkbox to enable remote SSH communications with NetEnforcer.


Enable Ping – Select this checkbox to enable remote Ping communications with NetEnforcer.

On the right side of the Security tab is the Allowed Hosts list: the hosts that have access permission to NetEnforcer management functions. When the Allowed Hosts list is empty, access to NetEnforcer management functions is unrestricted. When there are hosts in the Allowed Hosts list, only those hosts are allowed access to NetEnforcer management functions. You can enter host details in either of the following formats:
• The name of the host.
• The IP address of the host.

CAUTION:
If no hosts are defined, anyone with a user name and a password can access NetEnforcer management functions.

To add a host to the list:

1. Select Host or IP in the Host/IP Item area.
2. Specify the host name or IP address in the field to the right of the selected option.
3. Click Add. The specified host is added to the Allowed Hosts list.
You can add as many hosts as required.
To modify a host, select the host in the Allowed Hosts list to display its details in the fields on the left. Modify the details as required and click Update.
To remove a host, select the host in the Allowed Hosts list to display its details in the fields on the left and click Delete. If the host that you selected is the only one in the list, the following message is displayed: "Deletion will leave 'Allowed Hosts' list empty. This means that all hosts will be able to access the NetEnforcer. Continue?" Click Yes to confirm.
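The following Python script is an added example and is not part of this guide or of Allot's software. It audits a Security-tab configuration for the weak settings described above: Telnet left enabled, an empty Allowed Hosts list, malformed IP entries, and host-name entries whose effectiveness depends on the DNS servers configured in the IP & Host Name tab. The settings dictionary and its key names are assumptions chosen to mirror the tab's controls; the two sample configurations are constructed.

```python
"""Audit a NetEnforcer Security-tab configuration for weak management access.

Added example, not Allot's code. The dictionary keys and the ("host"|"ip", value)
tuple form are assumptions that mirror the tab's checkboxes and Allowed Hosts list.
"""
import ipaddress


def audit_security_tab(settings):
    """Return a list of findings (an empty list means nothing to fix)."""
    findings = []

    # Telnet carries the login name and password in cleartext; SSH does not.
    if settings.get("enable_telnet"):
        findings.append("Telnet enabled: CLI logins cross the network in cleartext; "
                        "disable it and use SSH")

    hosts = settings.get("allowed_hosts", [])
    # An empty Allowed Hosts list means the management functions are reachable
    # from any host that presents a valid user name and password.
    if not hosts:
        findings.append("Allowed Hosts list is empty: management access is unrestricted")

    for kind, value in hosts:
        if kind == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append(f"Allowed Hosts entry {value!r} is not a valid IP address")
        elif kind == "host":
            # A name entry is resolved through the DNS servers on the IP & Host Name
            # tab, so the restriction is only as trustworthy as those servers.
            findings.append(f"Allowed Hosts entry {value!r} is a host name: "
                            "the restriction depends on DNS; prefer an IP address")
        else:
            findings.append(f"Allowed Hosts entry {value!r} has unknown type {kind!r}")
    return findings


# Constructed sample settings: one state with everything open, and a hardened
# state with Telnet off and two administrator workstations listed by address.
OPEN_SETTINGS = {
    "enable_telnet": True, "enable_ssh": True, "enable_ping": True,
    "allowed_hosts": [],
}
HARDENED_SETTINGS = {
    "enable_telnet": False, "enable_ssh": True, "enable_ping": True,
    "allowed_hosts": [("ip", "10.0.0.5"), ("ip", "10.0.0.6")],
}

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_security_tab(cfg) or ["no findings"])
```

Run as-is, the open configuration produces two findings (Telnet, empty list) and the hardened one produces none; feed it the values you read from the tab to check a live unit.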


NIC
The NIC tab includes parameters that enable you to configure the internal and external Ethernet adapters to either automatically sense the duplex mode and speed of the link, or use a predetermined duplex type and speed. When working with AC-601/802 models, you can also specify the duplex mode and speed of the management interface.

Figure 4-9 – NIC Parameters

The NIC tab includes Mode and Speed parameters for the internal and external Ethernet adapters.

NOTE:
If the management interface parameters are disabled, open the IP & Host Name tab and check whether the Disable Management Port checkbox is selected; clear it to re-enable the port.


Parameter – Definition
Mode – The type of interface. The options are as follows:
  Auto: The interface automatically senses the duplex mode of the link.
  Half Duplex: The interface can either transmit or receive traffic, but not both at once.
  Full Duplex: The interface can transmit and receive traffic simultaneously.
Speed – The speed of the interface: Auto, 1000M, 100M or 10M. When the Mode is Auto, you cannot predefine the interface speed: Speed is set to Auto and cannot be modified.

NOTES:
For models AC-601 and AC-802 Copper, you can also select 1000M as the link speed for the Internal or
External interfaces.
For model AC-802 Fiber, the settings for the Internal and External interfaces cannot be changed: the
duplex type is full and the link speed is 1000M.

When you connect NetEnforcer to a hub or switch, ensure that the Ethernet adapter
settings on both sides are set to the same mode. This ensures proper communication
between the Ethernet adapters. For example, if you set the Ethernet adapter on
NetEnforcer to Auto, you must also set the Ethernet adapter on the hub or switch
connected to that interface to Auto. The same principle applies when setting Ethernet
adapters to Half or Full Duplex mode. To ensure that the devices on both sides of
NetEnforcer can communicate if NetEnforcer enters Bypass mode, make sure that the
interfaces on the devices on both sides of NetEnforcer are set to the same NIC (Ethernet
adapter) mode.


Networking
The Networking tab includes parameters that enable you to configure the network topology as well as to select Monitoring Only mode.

Figure 4-10 – Networking Parameters

The Networking tab includes the following parameters:
Parameter – Definition
Support 'Spanning Tree' protocol – Whether you are using a second NetEnforcer as a backup system in a spanning tree configuration.
Disable Transport Layer Classification (TCP/UDP ports) – Whether NetEnforcer classifies by TCP/UDP ports and content inspection. Disabling this classification reduces the number of connections seen by NetEnforcer and improves its performance.


Disable Application Layer Analysis in NetEnforcer – Whether NetEnforcer analyzes the content of the application layer. Disabling this analysis turns off content inspection and Napster and FTP identification, and improves the performance of NetEnforcer.
NetEnforcer is Enabled for Monitoring Only – This checkbox only appears on the Enhanced Platforms AC-202 and AC-402. Select it to enable the monitoring and graphical viewing of traffic. Traffic is classified, but NetEnforcer does not enforce or take action on policies. For a detailed description of Monitoring Only mode, see below.

Monitoring Only Mode


Monitoring Only mode allows the operator to install and use the NetEnforcer in
listen-only mode. This mode enables connection without interference in the network
activity.
Applying this mode has the following benefits:
• Monitors the network activity in a non-intrusive way. NetEnforcer behaves as a
probe, as traffic is not going through NetEnforcer.
• Enables you to view monitoring graphs, download accounting information via the
ODBC or collect long term monitoring statistics.
• Enables traffic to be shaped by simply switching NetEnforcer to Active mode.
• Generates audits without interrupting your network activity.
Monitoring Only mode is activated/deactivated via the GUI or CLI. The activation of
this “tapping” allows management only through the Management port and disables QoS
and connection control activity.
See Figure 4-7 for a graphical representation of Monitoring Only mode.


Operating Monitoring Only Mode from the GUI


To activate Monitoring Only mode, select the NetEnforcer is enabled for monitoring
only. QoS enforcement is disabled checkbox in the Networking tab, described on
page 4-21.
When operating in Monitoring Only mode, you must use the Management port to manage NetEnforcer. If the Management port is not enabled (for example, because its connection is incomplete), the following message is displayed:

Figure 4-11 – Monitoring Only Mode Error Message


When the Management port is enabled, and you have activated Monitoring Only mode,
the following message is displayed:

Figure 4-12 – Activating Monitoring Only Mode Message


Click Yes to continue with Monitoring Only mode.


When you deactivate Monitoring Only mode, the system returns to its previous state
and the following message is displayed:

Figure 4-13 – Deactivating Monitoring Only Mode Message


Click Yes to exit Monitoring Only mode.

Operating Monitoring Only Mode from the CLI


There is a CLI command that activates the Monitoring Only mode. The effect is the
same as when it is activated from the GUI. See Appendix G, NetEnforcer Command
Line Interface.

Operating Monitoring Only Mode from the LCD


The main menu includes an additional option that enables/disables Monitoring Only
mode. See Configuring Via the LCD Panel in Chapter 2, Installing NetEnforcer.


SNMP
The SNMP tab includes parameters that enable you to configure SNMP-compatible
management functions.

Figure 4-14 – SNMP Parameters


The Simple Network Management Protocol (SNMP) is a commonly used network
management protocol that allows SNMP-compatible management functions such as
device discovery, monitoring and event generation. NetEnforcer support for SNMP
includes MIB II with standard MIB II traps.
The SNMP tab includes the following parameters:
Parameter – Definition
Read Community – The SNMP community used by devices reading SNMP variables from NetEnforcer.
Write Community – The SNMP community used by devices setting SNMP variables on NetEnforcer.


Trap Community – The SNMP community sent with NetEnforcer SNMP traps.
Trap Destination – The IP address of the Network Management Console that receives the NetEnforcer-generated SNMP traps. If there is no such destination, leave this parameter blank.
Contact – The contact person, for SNMP purposes.
Location – The location of the system, for SNMP purposes.
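The community strings above are the only credential for SNMP read and write access, and community-based SNMP sends them unencrypted in every packet. The following Python code is an added example and is not part of this guide or of Allot's software: it encodes a GetRequest for the MIB II sysLocation.0 object with a small BER encoder, constructs and parses the matching GetResponse offline, and shows the community string lying in the clear in the datagram. SNMPv1 framing is assumed (the guide states MIB II support without naming a protocol version); the sample community, request ID and location value are constructed, and snmp_get is for use against a live agent only.

```python
"""Hand-built SNMPv1 GetRequest/GetResponse for the MIB II system group.

Added example, not Allot's code. Minimal BER encoder and decoder; the point
it makes is that the community string travels in the clear in every datagram.
"""
import socket

# MIB II system group (RFC 1213) instances: sysContact.0 and sysLocation.0
SYS_CONTACT = (1, 3, 6, 1, 2, 1, 1, 4, 0)
SYS_LOCATION = (1, 3, 6, 1, 2, 1, 1, 6, 0)
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def _length(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _int(value):
    """Non-negative INTEGER; the extra octet keeps the sign bit clear."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _oid(arcs):
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def _read_tlv(buf, pos):
    """Return (tag, body, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _message(community, pdu_tag, request_id, varbinds):
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds))
    # version (0 = SNMPv1), community as a plain OCTET STRING, then the PDU
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid, request_id=1):
    return _message(community, GET_REQUEST, request_id, _tlv(0x30, _oid(oid) + b"\x05\x00"))


def build_get_response(community, request_id, oid, value):
    """What an agent answers; used here to construct a sample reply offline."""
    return _message(community, GET_RESPONSE, request_id,
                    _tlv(0x30, _oid(oid) + _tlv(0x04, value.encode())))


def parse_response(packet):
    """Return (community, request_id, error_status, {oid: value}) from a GetResponse."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _version, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError(f"expected GetResponse, got PDU tag 0x{pdu_tag:02X}")
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _index, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    values, p = {}, 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, q = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, q)
        values[_decode_oid(oid_body)] = val.decode() if vtag == 0x04 else val
    return community.decode(), int.from_bytes(rid, "big"), int.from_bytes(err, "big"), values


def snmp_get(host, community, oid, timeout=2.0):
    """Query a live agent on UDP/161 (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, 42), (host, 161))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    request = build_get_request("public", SYS_LOCATION, 7)
    print("community visible on the wire:", b"public" in request)
    # Constructed reply, as an agent whose Location field is "Rack 3" would send it
    reply = build_get_response("public", 7, SYS_LOCATION, "Rack 3")
    print(parse_response(reply))
```

Because the community is a plain OCTET STRING, a capture of one management poll is enough to recover it; keep the Write Community distinct from the Read Community and restrict who can reach the management interface with the Security tab's Allowed Hosts list.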

Connection Control
The Connection Control tab includes parameters that enable you to configure timeouts
and the number of retries for the NetBalancer and CacheEnforcer modules, as well as
other connection parameters.

Figure 4-15 – Connection Control Parameters


The Connection Control tab includes the following parameters:

Parameter – Definition
Server Tracking Timeout – The length of time that NetBalancer waits before concluding that the server is down. The value must be between 10 and 240 seconds.
Server Tracking Retries – The number of times that NetBalancer tries to connect to the server. The value must be between 1 and 100.
Connect Timeout – The length of time that NetBalancer attempts to establish the availability of a server. The value must be between 10 and 240 seconds.
Service Tracking Timeout – The length of time that NetBalancer or CacheEnforcer waits before concluding that the service (for example, HTTP) is down. The value must be between 10 and 249 seconds.
Service Tracking Retries – The number of times that NetBalancer or CacheEnforcer tries to connect to the service. The value must be between 1 and 100.
Use Connection Control IP Address to Connect – Check this box if you are using content inspection and the cache server and the clients of cached traffic are on the same side of NetEnforcer.

NOTE:
The Connection Control parameters have no effect unless NetBalancer or CacheEnforcer is enabled on your system. For a description of NetBalancer functionality, refer to the NetBalancer User's Manual. For a description of CacheEnforcer functionality, refer to the CacheEnforcer User's Manual.


Monitoring
The Monitoring tab includes parameters that display the monitoring sample period on
NetEnforcer and enable you to configure whether NetEnforcer performs DNS resolving
actions.

Figure 4-16 – Monitoring Parameters


The Monitoring tab includes the read-only parameter Monitoring Sample Period on
NetEnforcer. This parameter displays the length of the sample period in the monitoring
process.
Additionally, by selecting or deselecting the Resolve DNS Names for Monitoring
Data checkbox, you can configure whether NetEnforcer performs DNS resolving
actions. When selected, IP addresses are translated to host names for the Monitoring
module. If you select this checkbox, ensure that you have defined a DNS server(s) in
the IP & Host Name tab.


Internal Accounting Setup

NOTES:
NetAccountant has the following options for data storage:
• Locally on NetEnforcer
• Externally on a RADIUS server
• Externally on a Sybase database (via the NetAccountant Reporter)
• Exported via ODBC to an external PC
Any or all of these options may be used at the same time.

The Internal Accounting tab includes parameters that enable you to set the frequency and granularity of data storage, and to control the quantity of data stored. The Internal Accounting parameters are only relevant when NetAccountant is enabled on your system, as indicated in the Product IDs & Key tab. For more information about the NetAccountant module and Internal and External Accounting, see the NetAccountant User's Manual.

Figure 4-17 – Internal Accounting Parameters


Parameter – Definition
Record Accounting Data Within the NetEnforcer Device Only – Whether NetEnforcer records accounting data to the accounting database located on NetEnforcer. This must be selected for accounting to be active.
Data will be Collected and Saved Every – The data storage frequency and the granularity (fineness of measurement) of the stored data. The larger the setting, the less information is recorded about the exact time a connection occurred, so less data is stored; this lets you keep data from a longer period of time. The minimum setting is one hour. This granularity subsequently limits the granularity of accounting reports.
Data will be Deleted From Server After – The length of time data is stored in the database. You can ensure that data does not saturate NetEnforcer's hard disk by limiting the quantity of data saved. For example, if you set this parameter to one month, then every day at midnight, data accumulated more than one month before the current date is removed. Configure this option with care to avoid filling NetEnforcer's hard disk with accounting traffic data. Note that subsequent accounting report spans cannot be longer than the deletion span.
Use ODBC to Read Accounting Data – Whether host IP addresses are translated to string representations so that ODBC applications can read the accounting data. The strings are stored in the Hosts table in the NetAccountant database. The default setting for this option is deselected; leave it disabled if you do not use an ODBC interface.
CAUTION:
With the default (deselected) setting of the Use ODBC to Read Accounting Data checkbox, IP addresses that were not resolved to names are not stored in the Hosts table. Note that in previous software versions, IP addresses that were not resolved to names were stored in the Hosts table.


Resolve DNS Names for Accounting Data – Whether NetEnforcer performs DNS resolving actions. When selected, IP addresses are translated to host names for the Accounting module. Ensure that you have defined a DNS server(s) in the IP & Host Name tab.
In the example in Figure 4-17 on page 4-29, data is recorded each hour (or when the data reaches a certain amount of memory) and data is deleted from the server after seven days.

External Accounting Setup


The External Accounting tab enables you to configure the dispatch of accounting data
to an external accounting server.

Figure 4-18 – External Accounting Parameters


Parameter – Definition
Dispatch Accounting Data to External Repository Defined Below – Determines whether NetEnforcer dispatches accounting data to the external server indicated in this tab. Accounting data is not dispatched if this checkbox is not selected.
Primary Server Host Name / IP Address – The host name or IP address of the primary external accounting server.
Secondary Server Host Name / IP Address – The host name or IP address of the secondary external accounting server.


RADIUS Setup
The RADIUS Setup tab includes parameters that enable you to export accounting data to a RADIUS server. The RADIUS Setup parameters are only relevant when NetAccountant is enabled on your system, as indicated in the Product IDs & Key tab. The NetAccountant module is described in the NetAccountant User's Manual.

NOTE:
You can configure NetEnforcer to send accounting data both to its own accounting database and to a RADIUS server. If you are using RADIUS, ensure that you also configure the parameters in the Accounting/RADIUS Storage tab.

Figure 4-19 – RADIUS Setup Parameters


The RADIUS Setup tab includes the following parameters:

Parameter – Definition
Export Data to RADIUS Servers – Whether NetEnforcer exports data to a RADIUS server. This must be selected for RADIUS to be active.
Data will be Collected and Dispatched Every – The frequency at which data is collected and dispatched.
Primary RADIUS Server Host Name/IP Addr – The IP address or host name of the primary RADIUS server.
Shared Secret – The shared secret (password) for the primary RADIUS server. NetEnforcer and the server must be configured with the same value; it authenticates the accounting messages exchanged between them.
Reenter Secret – Re-enter the shared secret for the primary RADIUS server.
Secondary RADIUS Server Host Name/IP Addr – The IP address or host name of the secondary RADIUS server. The secondary RADIUS server becomes active upon unavailability or failure of the primary server.
Shared Secret – The shared secret (password) for the secondary RADIUS server.
Reenter Secret – Re-enter the shared secret for the secondary RADIUS server.
Message Send Failure Timeout – The period of time during which NetEnforcer tries unsuccessfully to send a message to a RADIUS server before stopping. The value must be between 1 and 60 seconds.
# of Retries for Attempting Message Send – The number of times that NetEnforcer attempts to send a message after a timeout occurs. The value must be between 1 and 10.


# of Failed Messages Before Switch to Other Server – The number of unsuccessful message sending attempts that NetEnforcer makes before switching to the secondary server. The value must be between 1 and 200.
Send RADIUS Stop Messages Only – Whether NetEnforcer sends only RADIUS Stop messages to the RADIUS server.
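The following Python code is an added example and is not part of this guide or of Allot's software. It shows what the Shared Secret and the retry and failover parameters above amount to on the wire: an RFC 2866 Accounting-Request whose Request Authenticator is an MD5 over the packet and the shared secret, the Accounting-Response the server returns, and the checks on both sides that reject a peer holding a different secret. The AcctDispatcher class models the retry and switch-to-secondary behaviour; its exact semantics (consecutive failures counted per server, an unverifiable reply counted the same as no reply) are assumptions, as are the server names, the secrets and the session attributes, which are constructed. Attribute numbers are the standard RFC 2865/2866 values.

```python
"""RADIUS accounting exchange with shared-secret authenticators and failover.

Added example, not Allot's code. Builds and verifies Accounting-Request and
Accounting-Response packets (RFC 2866) and models retry/failover between a
primary and a secondary server. Dispatcher semantics are an assumption.
"""
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
STATUS_START, STATUS_STOP = 1, 2


def _attr(attr_type, value):
    """Type-Length-Value attribute; ints become 32-bit big-endian, str is UTF-8."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def build_acct_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack(">BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """Server side: drop requests whose authenticator was not made with our secret."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, auth)


def build_acct_response(request, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(request, response, secret):
    """Client side: a reply that does not prove knowledge of the secret is ignored."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, auth)


class AcctDispatcher:
    """Sends to the active server; after `failures_before_switch` consecutive
    failed messages it moves to the other server (models the tab's parameters)."""

    def __init__(self, servers, transport, retries=3, failures_before_switch=5):
        self.servers = servers            # [(host, shared_secret), ...] primary first
        self.transport = transport        # transport(host, packet) -> reply bytes or None
        self.retries = retries
        self.failures_before_switch = failures_before_switch
        self.active, self.failures = 0, 0

    def dispatch(self, identifier, attrs):
        for _attempt in range(self.retries + 1):
            host, secret = self.servers[self.active]
            request = build_acct_request(identifier, attrs, secret)
            reply = self.transport(host, request)
            if reply is not None and verify_response(request, reply, secret):
                self.failures = 0
                return True
            self.failures += 1            # timeout and bad authenticator count the same
            if self.failures >= self.failures_before_switch:
                self.active = (self.active + 1) % len(self.servers)
                self.failures = 0
        return False


def fake_transport(server_secrets, down=()):
    """Constructed stand-in for the network: answers as a server with that secret would,
    silently discarding requests whose authenticator does not verify."""
    def send(host, packet):
        if host in down or not verify_request(packet, server_secrets[host]):
            return None
        return build_acct_response(packet, server_secrets[host])
    return send


# Constructed Stop record for one session (names and counters are sample data)
STOP_ATTRS = [(USER_NAME, "alice"), (NAS_IP_ADDRESS, socket.inet_aton("10.0.0.1")),
              (ACCT_STATUS_TYPE, STATUS_STOP), (ACCT_SESSION_ID, "0000a1b2"),
              (ACCT_INPUT_OCTETS, 1_234_567), (ACCT_OUTPUT_OCTETS, 89_012)]

if __name__ == "__main__":
    transport = fake_transport({"radius1": b"s3cret", "radius2": b"0ther"}, down={"radius1"})
    d = AcctDispatcher([("radius1", b"s3cret"), ("radius2", b"0ther")], transport,
                       retries=3, failures_before_switch=2)
    print("delivered:", d.dispatch(17, STOP_ATTRS), "via", d.servers[d.active][0])
```

Two practical consequences follow from the code: a secret that differs between NetEnforcer and the server never produces an error message, only silence and retries that end in a switch to the secondary, so a mis-typed Shared Secret looks exactly like a dead server; and because the authenticator is a plain MD5 keyed only by the secret, anyone able to capture accounting traffic can attempt to guess a short secret offline, so choose a long random one.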


Accounting/RADIUS Storage
The Accounting/RADIUS Storage tab includes parameters that enable you to control
the content of the traffic data stored on disk (in the case of accounting) or accumulated
in memory prior to dispatch (in the case of RADIUS). This is done by selecting the
components according to which traffic data is accumulated. To accumulate traffic data
means to accumulate the byte count of connections with the same components. The
Accounting/RADIUS Storage parameters are only relevant when NetAccountant is
configured in your system. The NetAccountant module is described in the
NetAccountant User's Manual.

NOTE:
If you are using accounting or RADIUS, ensure that you configure parameters in the Internal Accounting
and RADIUS Setup tabs as well.

Figure 4-20 – Accounting/RADIUS Storage Parameters

When creating a report in NetAccountant, you select the connection components that
will be included in the report. The connection components available for selection are
determined by the parameters selected in the Accounting/RADIUS Storage tab.
For accounting users, it is recommended not to select too many parameters, in order to
avoid overrunning the accounting database with information. The more entities you
select, the longer it takes NetEnforcer to export and to save data and the longer it will
take to generate accounting reports. For hosts, recording data on an internal/external
hosts basis rather than on a client/server basis demands far fewer resources. It is
therefore recommended to select the first radio button in the Hosts Recording area.
The items available for selection are described below.
In the Hosts Recording area, select one of the radio buttons.
• If you select the first radio button, you can select one of the following from the dropdown list:
    • Internal Hosts: Information about traffic coming from each internal IP address is recorded.
    • External Host: Information about traffic coming from each external IP address is recorded.
    • Internal & External Host: Information about traffic coming from each internal and external IP address is recorded.
• If you select the second radio button, you can select one of the following from the dropdown list:
    • Client: Information about the source of traffic under which the traffic was classified is recorded.
    • Server: Information about the destination of traffic under which the traffic was classified is recorded.
    • Client & Server: Information about the source and the destination of traffic under which the traffic was classified is recorded.
• If you select the third radio button, no hosts are recorded.

CAUTION:
If you choose to aggregate data by client or server, many records may be generated. For example, if you
select Server, a record is created for each connection to a server. This could be a very high number if
you are, for example, browsing the Internet.

In addition, you can select any or all of the entities in the Entity Recording area:
Pipe: Information about the Pipe under which the traffic was classified. This includes explicitly defined Pipes and any Pipe instances that result from a Pipe template.
Virtual Channel: Information about the Virtual Channel under which the traffic was classified. This includes explicitly defined Virtual Channels and any Virtual Channel instances that result from a Pipe template.
Service: Information about the Service Catalog entry under which the traffic was classified.

LDAP/Text Source
The LDAP/Text Source tab includes parameters that define the refresh rate for Host
Catalog definitions that reference an LDAP server or text source file.

Figure 4-21 – LDAP/Text Source Parameters


In the Host Catalog, entries may be the result of querying an LDAP server or text source
file. The parameters in the LDAP/Text Source tab define how often this query is
performed to cover changes in the LDAP server or text source file. The LDAP/Text
Source tab includes the following parameters:
Parameter Definition
LDAP/Text Auto-Refresh Rate: The time period after which LDAP or text information is refreshed, meaning external devices are read. If the value is zero or there is no value entered, there is no automatic refresh. Additionally, if there is a failure to read the device initially, NetEnforcer will retry after this period.
Refresh any LDAP-based….: Select this checkbox to refresh LDAP and text information every time the Policy Editor is saved.

VLAN
The VLAN (Virtual Local Area Network) tab enables you to specify that the NetEnforcer is
managed only through traffic tagged with a specified VLAN ID. For more information on
VLANs, refer to VLAN Catalog Editor in Chapter 7, Defining Catalog Entries.

Figure 4-22 – VLAN Parameters

CAUTION:
Please remember that once this option is set and the VLAN ID is specified, the NetEnforcer will be waiting
for management traffic tagged with this specified VLAN.
If you have specified an erroneous VLAN ID, the NetEnforcer GUI will be waiting for management traffic
from that VLAN and thus will become disconnected from the network.
If this option is specified erroneously, please refer to Chapter 2, Installing NetEnforcer, Setting Up
NetEnforcer. Alternatively contact an Allot Communications service engineer.

To work in a VLAN environment, select the checkbox and enter a number in the VLAN
ID field. The NetEnforcer can be managed through only one VLAN, so the VLAN ID
number must be consistent for operations within a specific NetEnforcer.
The VLAN tab includes the following parameters:
Parameter Definition
The NetEnforcer’s Management Traffic is VLAN Tagged: Check this box to specify that the NetEnforcer is managed through a VLAN. Checking this box enables the VLAN ID field.
VLAN ID: Insert a VLAN ID number from 2 to 4094. The number specifies which VLAN ID the NetEnforcer will be managed through.

Alerts
The Alerts tab enables you to configure alert functionality. For more information on
alerts, refer to Chapter 9, NetEnforcer Alerts.

Figure 4-23 – Alerts Parameters


In the NetEnforcer Alerts Editor, you can specify that alerts are sent (in addition to the
NetEnforcer Alerts Log) to an SMS target, via SNMP or to one or two email addresses.
The actual SMS target and the email addresses are specified in the Alerts tab.
The Alerts tab includes the following parameters:
Parameter Definition
Activate Alert Dispatching on NetEnforcer: Select this box to activate alert dispatch on NetEnforcer.
Primary Email Address: The email address of the primary recipient.
Secondary Email Address: The email address of the secondary recipient.
SMS Email Address: The email address of the SMS target.
Source Email Address: The email address of the source (e.g., the IT manager’s email address).
SMTP Server: The address of the SMTP server.

Denial of Service (DoS)
The Denial of Service (DoS) tab includes parameters that enable you to set thresholds on the
number of concurrent connections and on the rate of new connections, thereby giving a level
of protection from attacks on network resources (such as internally connected servers).

Figure 4-24 – Denial of Service Parameters

The Denial of Service tab includes the following parameters:


Parameter Definition
In Case of Denial of Service Attack, New Flows will be: The action that NetEnforcer takes when it reaches the maximum rate of new connections allowed for the model. The options in the dropdown menu are as follows:
• Admitted without QoS: New connections (flows) are admitted, but are not classified, and no QoS policy is applied. This is the default setting.
• Dropped: New connections (flows) are dropped.
Number of Connections Within NetEnforcer will be Limited to: You can define the threshold for traffic suspected as an attack by specifying the number of connections allowed at any one time. The default is the maximum number of connections that can be handled by your NetEnforcer. For the maximum number of connections your NetEnforcer model can handle, see the hardware description table in Chapter 2, Installing NetEnforcer. To view the number of connections over a specified period of time, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will assist you in entering a realistic definition of an attack.
Maximum New Connections Establishment Rate (CER): You can define the threshold for traffic suspected as an attack by specifying the number of new connections allowed per second. To view the number of connections per second, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will assist you in entering a realistic definition of an attack. If the field is left blank, the NetEnforcer uses its default setting.
NOTE:

For additional details regarding the prevention and handling of DoS attacks, refer to Chapter 10,
Detecting Security Threats.
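The two thresholds and the two possible actions, as an added example that is not Allot's code: a small Python model that admits or drops new flows the way the table above describes. The connection timings are constructed, and the one-second sliding window for the CER and the rule that dropped flows are not counted as established are assumptions of the model.

```python
"""Model of the Denial of Service thresholds in the tab above.

Added example, not Allot code. Once the number of connections or the
new-connection establishment rate (CER) reaches its threshold, new flows
are either admitted without QoS (the default) or dropped. The one-second
sliding window for the CER and the rule that dropped flows do not count
as established are assumptions of this model.
"""
from collections import deque
from dataclasses import dataclass, field

CLASSIFIED = "classified"                 # normal path: classified, QoS applied
ADMIT_WITHOUT_QOS = "admit_without_qos"   # default "In Case of DoS Attack" action
DROP = "drop"


@dataclass(frozen=True)
class DosSettings:
    max_connections: int                  # "Number of Connections ... Limited to"
    max_cer: int                          # "Maximum New Connections Establishment Rate"
    on_attack: str = ADMIT_WITHOUT_QOS    # ADMIT_WITHOUT_QOS or DROP


@dataclass
class ConnectionAdmitter:
    settings: DosSettings
    active: set = field(default_factory=set)       # currently open flow ids
    recent: deque = field(default_factory=deque)   # admit times within the last second
    events: list = field(default_factory=list)     # (time, flow_id, reason) when over a threshold

    def current_cer(self, now: float) -> int:
        """New connections established in the last second (sliding window)."""
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()
        return len(self.recent)

    def new_flow(self, now: float, flow_id: str) -> str:
        """Decide what happens to a new connection arriving at time `now`."""
        over_rate = self.current_cer(now) >= self.settings.max_cer
        over_count = len(self.active) >= self.settings.max_connections
        if over_rate or over_count:
            self.events.append((now, flow_id, "cer" if over_rate else "connections"))
            if self.settings.on_attack == DROP:
                return DROP            # never established, so not counted
            self.active.add(flow_id)   # established but unclassified: no QoS policy
            self.recent.append(now)
            return ADMIT_WITHOUT_QOS
        self.active.add(flow_id)
        self.recent.append(now)
        return CLASSIFIED

    def close_flow(self, flow_id: str) -> None:
        self.active.discard(flow_id)


def sample_arrivals():
    """Constructed input: five quiet seconds at one new flow per second,
    then 30 new flows crowded into half a second (t = 10.0 .. 10.48)."""
    quiet = [(float(t), f"q{t}") for t in range(5)]
    burst = [(10.0 + i * 0.5 / 30, f"b{i}") for i in range(30)]
    return quiet + burst


def simulate(settings: DosSettings, arrivals):
    """Run every arrival through the admitter; return decision counts and the admitter."""
    admitter = ConnectionAdmitter(settings)
    counts = {CLASSIFIED: 0, ADMIT_WITHOUT_QOS: 0, DROP: 0}
    for when, flow_id in arrivals:
        counts[admitter.new_flow(when, flow_id)] += 1
    return counts, admitter


if __name__ == "__main__":
    # CER threshold of 10 new connections per second, default action.
    counts, adm = simulate(DosSettings(max_connections=1000, max_cer=10), sample_arrivals())
    print(counts)  # {'classified': 15, 'admit_without_qos': 20, 'drop': 0}
    print("first threshold event:", adm.events[0])
    # The same traffic with the action set to Dropped.
    counts, _ = simulate(DosSettings(1000, 10, on_attack=DROP), sample_arrivals())
    print(counts)  # {'classified': 15, 'admit_without_qos': 0, 'drop': 20}
```

The `events` list is what a realistic threshold tuning exercise looks at: compare it with the Connections graph in Chapter 6 so that normal peaks do not trip the CER limit.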

Additional Configuration Options
Using additional configuration options, you can back up a configuration, save it as a
configuration file and then restore it as required. You can also verify configuration, as
well as retrieve certain configuration parameters from a DHCP server. Finally, you can
change the date and time settings on NetEnforcer.

Backing Up Configuration
The Backup Configuration option enables you to back up configuration to a server and
restore it to NetEnforcer at any time.
To back up configuration
1. From the Options menu in the NetEnforcer Configuration window, select Backup
Configuration. The Backup Configuration dialog box is displayed:

Figure 4-25 – Backup Configuration Dialog Box


2. In the TFTP Server Address to Backup to field, enter the IP address of the backup
TFTP server.
3. In the Backup File Name field, enter a name for the backup file. The specified
backup file must exist on the server.
4. Click Backup. The current configuration is backed up to the specified TFTP server
with the specified file name.

Restoring Configuration
The Restore Configuration option enables you to restore a backed up configuration
file to NetEnforcer at any time.
To restore a configuration file:
1. From the Options menu in the NetEnforcer Configuration window, select Restore
Configuration. The Restore Configuration dialog box is displayed:

Figure 4-26 – Restore Configuration Dialog Box


2. In the TFTP Server Address to Restore From field, enter the IP address of the
TFTP server where the configuration file is saved.
3. In the File Name on Server field, enter the name of the configuration file.
4. Click Restore. The following message is displayed: “Restore Configuration will
reboot the NetEnforcer if the operation succeeds. This operation may take a while.
Are you sure you want to restore configuration followed by rebooting the
NetEnforcer now?”
5. Click Yes to restore the configuration and reboot the NetEnforcer.

Setting Date and Time


The Set Date and Time option enables you to change the date and time settings on
NetEnforcer.
To set the date and time:
1. From the Options menu in the NetEnforcer Configuration window, select Set Date
and Time. The Date and Time Configuration dialog box is displayed:

Figure 4-27 – Date and Time Configuration Dialog Box


2. In the Current Date field, select the required date from the calendar.
3. In the Current Time field, enter the required time.
4. From the Time Zone dropdown list, select the required time zone.
5. Click Save to NetEnforcer. The following message is displayed:

Figure 4-28 – System Message


6. Click Yes to save the time and date settings and reboot NetEnforcer.

Verifying Configuration
The Setup Verification option enables you to verify the configuration of selected
peripheral devices.
To verify configuration:
1. From the Options menu in the NetEnforcer Configuration window, select Setup
Verification. The Setup Verification dialog box is displayed:

Figure 4-29 – Setup Verification Dialog Box


2. Click Verify Now. Where relevant, the configuration parameters for the listed
devices are displayed, checked and verified.
3. Click Close to close the Setup Verification dialog box.

Chapter 5: NetWizard Quick Start

NetWizard is an easy-to-use wizard that enables a network manager without a wide
knowledge base to have an up-and-running NetEnforcer in a relatively short time. This
chapter introduces NetWizard, describes its interface and functions, and describes how
to define Quality of Service (QoS) policies using NetWizard.

This chapter includes the following sections:


Introducing NetWizard, page 5-2, introduces NetWizard and describes how it can help
you to get the system up and running, as well as define more efficient Quality of Service
(QoS) policies.
Monitoring Network Traffic, page 5-3, describes how to use NetWizard to monitor
your network traffic.
Defining Policies, page 5-15, describes how to define QoS policies and apply them in
your network.

Introducing NetWizard
NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a
network, enabling the network manager to quickly define QoS policies for each type of
protocol in the network. This, in turn, improves the efficiency and application response
time of the network. Several NetWizards can run in parallel, allowing several links to be
monitored and configured at once.
NetWizard automatically identifies the traffic protocols in your network and then guides
you through the QoS configuration process, working together with the NetEnforcer
Policy Editor, allowing you to assign minimum and maximum bandwidth and priority
for the various protocols. Simply open the Policy Editor while working in NetEnforcer
to have complete control over your new policies. NetWizard allows you to dynamically
and interactively build the Policy Table based on real-time monitoring information.
With NetWizard, you need not be initially acquainted with every protocol or the traffic
patterns in your network in order to define QoS policy. Once you make your initial
selections, a QoS policy is generated, enabling NetEnforcer to enforce that policy in
your network. NetWizard monitoring can be paused to allow you to add new Service
VCs to the policy table and then restarted with the changes already in place. Further
refinement of the policy is possible at any time with NetEnforcer tools such as the
Policy Editor and Catalog Editors. Policies defined using the NetWizard will
automatically update the policy table.

Monitoring Network Traffic


NetWizard monitors traffic in your network, automatically discovering the traffic
protocols in your network and recording the amount of bandwidth they use. This
enables you to identify traffic patterns in your network during peak and off-peak hours.
The information collected will help you define QoS policies.
Before NetWizard begins to monitor your network, you must specify the following:
• Length of the monitoring session: This is the time during which NetWizard
monitors your network traffic and collects information. This process pauses when
you opt to define policies.
• Pipe to monitor: This is the Pipe whose traffic NetWizard will monitor.
During the monitoring session, you can see an up-to-date picture of protocol activity in
your network and statistics about bandwidth usage.

To monitor network traffic:


1. From the NetEnforcer Control Panel, click NetWizard. The NetWizard opening
window is displayed:
2. Click Next. The following window is displayed:

Figure 5-1 – NetWizard Setup Window


3. In the Traffic Monitoring Running Time area, specify the length of the monitoring
session. This is the time interval during which NetEnforcer collects information
about all the protocols passing through your network. Enter a value (1-999) and
select a unit of measurement (Minutes, Hours, or Days) from the dropdown list.
The default monitoring session is 30 minutes.
TIP:
In order to get a picture of network usage over peak and off-peak periods, you should specify a longer
monitoring session, for example, one working day.

4. In the Pipe Coverage area, select the Pipe whose traffic NetWizard will monitor in
one of the following ways:
• Select Pipe, click the browse button and select a Pipe whose traffic NetWizard
will monitor. By default, the default Fallback Pipe is selected. If you have not
yet defined additional Pipes (described in Chapter 8, Defining Policies), there is
no need to change the selection.
• Select A new pipe if you want to create a new Pipe whose traffic NetWizard will
monitor.

5. Click Next. If you selected to create a new Pipe in Step 4, the following screen is
displayed. (If you selected a specific Pipe in Step 4, go to Step 8.)

Figure 5-2 – NetWizard: Create New Pipe Window

6. In the New Pipe Name field, enter a name for the Pipe.

7. Define the addresses you want the Pipe to cover as follows:


• Select the required address type radio button and enter the relevant details in the
corresponding text field. For example, select Host and enter the host name in the
text field.
• Click . The address is added to the Target Address(es) list.
• Add further addresses as required.
NOTE:

To remove an address from the Target Address(es) list, select the address in the list and click .

8. Click Next. The NetWizard Monitoring window is displayed, showing the Graphs
view:

Figure 5-3 – NetWizard Monitoring Window: Graphs View

NOTE:
If for any reason your system crashed during a previous NetWizard monitoring session, a message is
displayed asking whether you want to continue the previous session or start a new one.

You can view the information collected during the monitoring session either in
real-time (during the monitoring session) or once the monitoring session is finished.
The progress of the monitoring session is indicated in the status bars in the lower
section of the Monitoring window.
The status bar on the left estimates the amount of time left until NetEnforcer completes
a sample and updates the Monitoring window. The default sample period is 30 seconds.
In the example on page 5-6, there are 20 seconds left to the end of the sample period, at
which time NetEnforcer will update the monitoring window.
The status bar on the right indicates the time remaining in the monitoring session. In the
example on page 5-6, there are 28 minutes, 13 seconds left in the monitoring session.
The NetWizard Monitoring window includes the following buttons:
• Graphs: Displays a graphical representation of bandwidth usage in your network and the cumulative protocol rate for the various protocols in your network traffic. Refer to Viewing Graphs, page 5-8, for more information.
• Statistics: Displays statistics relating to the protocols in your network traffic. Refer to Viewing Statistics, page 5-10, for more information.
• Information: Displays information relating to the monitoring sample. Refer to Viewing Information, page 5-12, for more information.
• Log: Displays a log of events used for system troubleshooting. Refer to Viewing the Log, page 5-14, for more information.
• Outbound: Displays protocol information for outbound traffic only.
• Inbound: Displays protocol information for inbound traffic only.
• Pauses the monitoring session and moves to the Policy Definition window. Refer to Defining Policies, page 5-15, for more information.
• Cancel: Cancels the monitoring session and closes NetWizard.
• Displays online help.

Viewing Graphs
The Graphs view, shown on page 5-6, displays a graphical representation of bandwidth
usage in your network and the cumulative protocol rate for the various protocols in your
network traffic during the current monitoring session. You can display this information
for either inbound or outbound traffic by clicking the Inbound/Outbound button at the
top-right side of the Monitoring window. To display the Graphs view, click the Graphs
button.
TIP:
Hold down the <Shift> key and drag the mouse in the pie chart area to toggle the 3D effect.

Bandwidth Usage
The bandwidth usage graph on the left of Graphs view displays the percentage of the
total capacity of bandwidth used by cumulative inbound/outbound traffic.
In the example shown on page 5-6, the maximum capacity of the WAN interface is
45Mbps and the total cumulative bandwidth usage is 0.01% of the available WAN
bandwidth. The bar is blue when less than 90% of bandwidth is used, and becomes red
when it passes 90%.

Cumulative Average Protocol Rate


The protocol distribution pie chart on the right of Graphs view displays the ten most
active protocols passing through NetEnforcer during the current monitoring session, and
the average percentage of the total bandwidth that each protocol used.
The Protocols legend on the right of the pie chart indicates the color used in the pie
chart to represent each protocol and the percentage of total bandwidth used by each
protocol. Protocols are listed in descending order, with the highest consumer of
bandwidth at the top.
You can click a protocol in the pie chart or legend to display a popup box with the
following information:
• Protocol name
• Percentage of total bandwidth used by this protocol in this monitoring session
• Average number of kilobits used per second

Viewing Statistics
The Statistics view, shown below, displays traffic usage statistics. You can display this
information for either inbound or outbound traffic by clicking the Outbound/Inbound
button at the top-right side of the Monitoring window. To access the Statistics view,
click the Statistics button.

Figure 5-4 – NetWizard Monitoring Window: Statistics View

The Statistics view displays a table of all protocols passing through your network
during the monitoring session and includes the following information:
Protocol Name: The name of the protocol.
% of Relative Usage: The percentage of the total used bandwidth that the protocol used.
Rate (Kbps): The average number of kilobits per second used by the protocol.
% of Total BW: The percentage of the total available bandwidth for the Pipe used by the protocol.
The protocols are displayed in descending order, with the most active protocol at the
top.
Below the table of protocols, the following bandwidth information is displayed:
Max. Used: The maximum amount of bandwidth used during this monitoring session.
Cumulative Avg. Used: The average bandwidth used during this monitoring session for all protocols.
Capacity: The maximum amount of bandwidth available.

Viewing Information
The Information view, shown below, displays information about the monitoring session.
You can display this information for either inbound or outbound traffic by clicking the
Inbound/Outbound button at the top-right side of the Monitoring window. To access
the Information view, click the Information button.

Figure 5-5 – NetWizard Monitoring Window: Information View

The following read-only information is displayed:
Monitoring Start Time on NetEnforcer: The time the monitoring session began.
Monitoring End Time on NetEnforcer: The time the monitoring session ended/will end.
Sample Interval: The length of the sample period. After each sample period, NetEnforcer updates the Monitoring window. The default sample period is 30 seconds. You can configure this period in the Monitoring tab of the NetEnforcer Configuration window, described in Chapter 4, Configuring NetEnforcer.
Estimated Total Samples to be Collected: The estimated number of samples that NetEnforcer will collect during a monitoring session.
Time Elapsed: The amount of time that has elapsed since the monitoring session began.
Time Remaining: The amount of time remaining in the monitoring session.
Number of Samples Collected: The number of samples that NetEnforcer has collected so far.
Estimated Number of Samples Remaining: The estimated number of samples that NetEnforcer has yet to collect.
Next Sample Time on NetEnforcer: The time at which NetEnforcer will begin collecting the next sample.
Error Count: The number of errors encountered by NetEnforcer during the current monitoring session.

Viewing the Log


The Log view, shown below, displays a log of events for the current session that can be
used for system troubleshooting. To access the Log view, click the Log button.

Figure 5-6 – NetWizard Monitoring Window: Log View

The log is cleared at the end of each monitoring session.

Defining Policies
A monitoring session may be paused at any time to allow you to compare the traffic
statistics you have received thus far with the business priorities of your organization and
use the information to begin creating a QoS policy to improve the performance of your
network. Monitoring may be restarted once you have set the policies you wish. In this
way, you can create your QoS policy step by step as you learn more about your
network’s bandwidth usage.
In order to set a QoS policy for a protocol, you specify one or more of the following:
• The minimum bandwidth you want for the protocol.
• The maximum bandwidth you want for the protocol.
• The priority you want to give to the protocol.
NOTE:
QoS is defined for both inbound and outbound traffic.

When the monitoring session is paused, NetEnforcer stops monitoring network traffic
for the time being and displays the Policy Definition window.

Figure 5-7 – Policy Definition Window


The Policy Definition window enables you to define QoS policies. The Monitoring
Results area displays all protocols that passed through NetEnforcer thus far in the
Monitoring process and all other protocols that have previously been assigned a QoS
policy. For each protocol, you can see the average bandwidth used per second (Rate
(Kbps)) and the percentage of the total bandwidth used by the protocol (% of Total
BW). The protocols are listed according to the percentage of total bandwidth they used,
in descending order. You can specify QoS policies in the Your QoS Definitions area,
as described below.
The information in the Monitoring window is no longer updated and represents a final
picture of traffic usage during the monitoring session. You can click Continue
Monitoring in the Policy Definition window to return to the Monitoring window in order
to continue an ongoing monitoring session or to view the statistics of a concluded one.

If required, you can also end the monitoring session before it has finished. Click Cancel
in the Monitoring window. A confirmation message is displayed. Click Yes to end the
monitoring session. Any data collected up to that point will be lost.

To set QoS policy:


1. In the Policy Definition window, specify the minimum bandwidth to be assigned to a
protocol by clicking the Min. BW (%) field, entering a percentage value and
pressing <Enter>. For example, in Figure 5-7, if you want to ensure the HTTP
protocol is minimally allocated 24% of the total available bandwidth at all times,
enter 24.
2. Specify the maximum bandwidth to be assigned to a protocol by clicking the Max.
BW (%) field, entering a percentage value and pressing <Enter>.
NOTE:
You can specify either a minimum or maximum bandwidth for a protocol, or both.

3. Specify the priority given to a specific protocol by clicking the Priority field and
selecting High, Medium or Low from the dropdown list. For example, if you want a
specific protocol to receive top priority, select High from the dropdown list.
NOTE:
If two protocols have the same priority and there is not enough bandwidth available for both, the
available bandwidth is split evenly between them.

4. Select the Assign checkbox to the left of the protocol name to assign the QoS policy
that you defined in steps 2 through 4 to the protocol upon saving.
NOTE:
You do not have to specify all three of the QoS definitions for each protocol.

5. In the Fallback fields at the lower left of the screen, repeat steps 2 through 4 to
define a default QoS policy. This policy is applied to protocols that do not have a
specific policy defined for them.
NOTE:
If required, click Assigned in the View Protocols area to display only those protocols that have been
assigned a QoS policy. Clicking All redisplays all protocols.

6. Click Save. A confirmation message is displayed.

7. Click Yes to save your definitions. NetEnforcer now enforces the QoS policies that
you defined.
8. Click Close to close NetWizard.

QoS Examples
This section provides some examples of QoS settings and how they may affect your
network traffic.

Example 1
NETBIOS-UDP Protocol Min BW: 20%
Inbound traffic has a maximum capacity of 100Mbps and outbound traffic has a
maximum capacity of 50Mbps.
This means that inbound NETBIOS-UDP traffic is guaranteed 20Mbps of bandwidth
and outbound NETBIOS-UDP traffic is guaranteed 10Mbps of bandwidth.

Example 2
HTTP Protocol Priority: High
FTP Protocol Priority: Medium
Total bandwidth for inbound traffic is 30Mbps.
If 20Mbps of HTTP traffic and 20Mbps of FTP traffic come together, the HTTP traffic
is given priority. Thus the HTTP traffic receives 20Mbps of bandwidth and the FTP
traffic gets 10Mbps. When more bandwidth is available, the FTP traffic will get the rest.
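The two examples above and the notes on equal priority and the Fallback policy, worked through in Python as an added example that is not Allot's code. The order of operations it uses (honour Min. BW guarantees first, then serve priorities highest-first, splitting evenly within one priority, never exceeding Max. BW) is an assumption consistent with the notes and both examples, not a description of how the appliance schedules; the offered loads are constructed.

```python
"""Allocation model for the NetWizard QoS definitions (added example, not Allot code).

Applies Min. BW (%), Max. BW (%) and Priority per protocol, plus the Fallback
policy for protocols without one, to a set of offered loads in one direction.
The scheduling order below is an assumption consistent with the page's notes
and QoS Examples 1 and 2, not a statement of the appliance's internals.
"""
from dataclasses import dataclass

PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class QosPolicy:
    min_pct: float = 0.0        # Min. BW (%) of total capacity, guaranteed at all times
    max_pct: float = 100.0      # Max. BW (%) of total capacity, hard cap
    priority: str = "Medium"    # High, Medium or Low


def guaranteed_mbps(capacity_mbps: float, min_pct: float) -> float:
    """Example 1: Min BW 20% of a 100 Mbps link guarantees 20 Mbps."""
    return capacity_mbps * min_pct / 100.0


def allocate(capacity_mbps, demands, policies, fallback=QosPolicy()):
    """Return {protocol: Mbps} for one direction of traffic.

    demands:  offered load per protocol, in Mbps
    policies: per-protocol QosPolicy; protocols missing here use `fallback`
    """
    pol = {p: policies.get(p, fallback) for p in demands}
    # A protocol can never use more than it offers or than its Max. BW cap.
    cap = {p: min(demands[p], capacity_mbps * pol[p].max_pct / 100.0) for p in demands}
    alloc = {p: 0.0 for p in demands}

    # Step 1: honour minimum guarantees (never more than the protocol can use).
    remaining = capacity_mbps
    for p in demands:
        alloc[p] = min(cap[p], guaranteed_mbps(capacity_mbps, pol[p].min_pct))
        remaining -= alloc[p]

    # Step 2: hand out what is left, highest priority first. Within one
    # priority class, split evenly among protocols that still want more
    # (water-filling, so a small consumer's unused share goes to the others).
    for prio in sorted(PRIORITY_ORDER, key=PRIORITY_ORDER.get):
        group = [p for p in demands if pol[p].priority == prio]
        while remaining > 1e-9:
            wanting = [p for p in group if cap[p] - alloc[p] > 1e-9]
            if not wanting:
                break
            share = remaining / len(wanting)
            for p in wanting:
                grant = min(share, cap[p] - alloc[p])
                alloc[p] += grant
                remaining -= grant
    return alloc


if __name__ == "__main__":
    # Example 2 on the page: 30 Mbps inbound, HTTP High and FTP Medium, 20 Mbps each.
    print(allocate(30, {"HTTP": 20, "FTP": 20},
                   {"HTTP": QosPolicy(priority="High"),
                    "FTP": QosPolicy(priority="Medium")}))   # HTTP 20.0, FTP 10.0
    # Same loads at equal priority (the Fallback policy): split evenly.
    print(allocate(30, {"HTTP": 20, "FTP": 20}, {}))         # 15.0 each
```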

Chapter 6: Monitoring Network Traffic

This chapter describes monitoring with the NetEnforcer monitoring tool. The
monitoring tool helps you analyze the traffic flowing through your NetEnforcer and aids
you in determining the optimum configuration for your system.

This chapter includes the following sections:


Overview, page 6-1, provides an overview of the NetEnforcer monitoring tool and how
you can monitor your network traffic.
NetEnforcer Monitoring Window, page 6-8, describes the menu bar and toolbar in the
NetEnforcer Monitoring window.
Monitoring Graphs, page 6-21, describes the different monitoring graphs available in
NetEnforcer.
Long-term Monitoring, page 6-51, describes how to use Long Term Monitoring in
NetEnforcer.

Overview
NetEnforcer's monitoring tool enables you to monitor applications, protocols, policies,
clients and servers in real time and to verify enforcement of the most suitable QoS
policy.
Different applications, such as e-Business, ERP and real-time applications require
performance guarantees. Other mission-critical applications may suffer from a shortage
of bandwidth, while non-critical Web browsing and batch traffic, such as mail and FTP,
may use up network resources. In other network setups, some users require a higher
level of service than others. For example, internationally dispersed branch offices have
expensive narrow WAN links to headquarters and many different users share the same
bandwidth. On campuses, students overload network resources (WAN connection,
caches, servers) with excessive requests for service (audio traffic), while the
administration suffers from reduced available bandwidth and longer response time.
Your ability to monitor network performance therefore determines how well you can
fine-tune it to your business requirements, and the monitoring tool is designed for
exactly that purpose.
When and where your network has peaks, bursts and bottlenecks is hard to predict. The
monitoring tool enables you to see these peaks in real time, which is crucial to
managing these unwanted phenomena.
NetEnforcer enables you to monitor network traffic on three levels, as follows:
• NetEnforcer Level: Where you can monitor traffic on NetEnforcer as a whole.
• Pipe Level: Where you can monitor traffic for a specific Pipe(s).
• Virtual Channel Level: Where you can monitor traffic for a specific Virtual
Channel(s) within Pipe(s).

Using the monitoring tool, you can view different graphs at each level. The different
graphs are described in Monitoring Graphs, page 6-21. All graphs are displayed in the
NetEnforcer Monitoring window and share common functionality. A quick tour of the
NetEnforcer Monitoring window is provided on page 6-6. You can display up to ten
monitoring windows at the same time and display them as your Favorite View.

Figure 6-1 – Sample Favorite View

There are several different types of graphs, and different formats in which graphs can be
displayed. Graph types and formats are described in the following pages.

Graph Types
NetEnforcer displays monitoring information in two types of graphs, as follows:
• Current/Cumulative: Displays information for sample periods. A Current-type
graph displays information for the latest whole sample period only. The sample
period is defined in your system parameters, described in Chapter 4, Configuring
NetEnforcer. A Cumulative-type graph displays an average sample period, where the
average is calculated over the data accumulated during the last X samples (X is
between 1 and 144, and is defined in the graph settings, described on page 6-18).
For example, when X is 100: from the time the graph is created, the cumulative
value is the average of all samples taken so far, until 100 samples have passed.
When sample 101 arrives, samples 2 through 101 are averaged, and so on, so that
only the last 100 samples ever contribute to the average. Current-type graphs can
also be displayed as Cumulative-type graphs and vice versa.

NOTE:
The Utilization graph, described on page 6-32, can only be displayed as a Current-type graph.

• Continuous: Displays information for a range of time. The range of time for which
the graph is relevant is displayed along the X-axis of the graph, and is defined in the
graph settings, described on page 6-18. The Pipes Distribution, Virtual Channels
Distribution, Dropped Packets, Bandwidth and Connections graphs are
Continuous-type graphs.

Graph Views
By default, data is displayed in a chart or graph. However, you can also display the
values in table format, as well as the definitions for each graph. These different views
are called Chart View, Table View and Definitions View, and examples are shown
below.

Figure 6-2 – Graph Views (Table View, Definitions View and Chart View)

Graph Styles
When in Chart View, you can alternate the layout style of the graph between a Bar chart
and a Pie chart or between a Line chart and a stacked Area chart. Different graphs have
different styles. For example, a Pipes Distribution graph (described on page 6-25) can
be displayed as a Line chart or Area chart. A Most Active Clients graph (described on
page 6-48) can be displayed as a Bar chart or Pie chart.
Following are examples of different graph styles.

Figure 6-3 – Bar Chart
Figure 6-4 – Pie Chart
Figure 6-5 – Line Chart
Figure 6-6 – Area Chart

You can manipulate graphs as follows:

• Zoom into a graph by holding down the <Shift> key and dragging a box around the
area of the graph that you want to zoom in on.
• Move a graph by holding down the <Ctrl> key and dragging the graph.
• Press <r> to reset the graph.

TIP:
Click the Zoom button in the toolbar at any time to display a tooltip describing these zoom and
move actions.

In/Out Bandwidth
The monitoring graphs display information about bandwidth consumed by inbound and
outbound traffic, as follows:
Inbound: Bandwidth consumed by incoming traffic only.
Outbound: Bandwidth consumed by outgoing traffic only.
In/Out: Bandwidth consumed by both incoming and outgoing traffic.
Clicking a point in a monitoring graph displays the bandwidth value at the selected
point, as shown below:

Figure 6-7 – Displaying Bandwidth

NetEnforcer Monitoring Window


The different NetEnforcer monitoring graphs are displayed in a Monitoring window. A
sample Monitoring window is shown below:

Figure 6-8 – Sample Monitoring Window (callouts: Menu Bar, Toolbar, Status Bar, Graph
Display Area, Graph View)

The menu bar and toolbar are similar for all graph types, and are described on the
following pages. The graph display area varies according to the graph displayed. The
different monitoring graphs are described on page 6-21.

NOTE:
Up to ten Monitoring windows can be displayed simultaneously.

Accessing Monitoring Graphs


In NetEnforcer, you can access monitoring graphs for all network traffic, or filtered for
specific Pipes or Virtual Channels. A table of the graphs available at each level is
shown on page 6-24. Access is available through the Monitoring menu in the
NetEnforcer Control Panel.

Figure 6-9 – NetEnforcer Monitoring Menu

Access varies according to the monitoring level.

To access a monitoring graph at the NetEnforcer level:


• From the Monitoring menu, select NetEnforcer Level and then select the
monitoring graph required. The selected monitoring graph is displayed in the
Monitoring window.

NOTE:
Monitoring graphs are named as follows: (name of graph) for (name of VC)_(name of Pipe). For example,
Most Active Servers for VC1_Gold Pipe.

To access a monitoring graph at the Pipe level:


1. From the Monitoring menu, select Pipe Level and then select the monitoring graph
required. A window showing the Pipes defined in your NetEnforcer is displayed.

Figure 6-10 – Accessing Monitoring Graphs: Pipe Level


NOTE:
You can expand a Pipe template to see instances of its corresponding Pipes.

2. Select the Pipe by which to filter the selected monitoring graph and click OK. The
selected monitoring graph for the selected Pipe is displayed in the Monitoring
window.
NOTE:
You can also display a monitoring graph for a Pipe by right-clicking the Pipe in the Policy Editor and
selecting Monitoring, then the monitoring graph required.

To access a monitoring graph at the Virtual Channel level:


1. From the Monitoring menu, select Virtual Channel Level and then select the
monitoring graph required. A window showing the Pipes and Virtual Channels
defined in your NetEnforcer is displayed.

Figure 6-11 – Accessing Monitoring Graphs: Virtual Channel Level


NOTE:
You can expand a Pipe or Virtual Channel template to see instances of its corresponding Pipes or
Virtual Channels.

2. Select the Virtual Channel by which to filter the selected monitoring graph and click
OK. The selected monitoring graph for the selected Virtual Channel is displayed in
the Monitoring window.
NOTE:
You can also display a monitoring graph for a Virtual Channel by right-clicking the Virtual Channel in
the Policy Editor and selecting Monitoring, then the monitoring graph required.

Monitoring Window Menu Bar


The menu bar in the NetEnforcer Monitoring window includes four menus, described in
the following sections.

File Menu

The File menu includes the following options:

Pause Graph: Suspends the visual update of the graph. Clicking Pause Graph again
restores the visual update.
Print: Prints the graph.
Add to Long-Term Monitoring Requests: Enables a selected graph to be available
through NetHistory. Refer to Long-term Monitoring with NetHistory on page 6-51.
Exit: Closes the graph.

Edit Menu

The Edit menu includes the following options:


Other Graphs for…: Enables you to quickly open any other graph for the same
target. For example, when a graph is opened at NetEnforcer level, you can open any
other graph at NetEnforcer level.
Other Targets for…: Enables you to quickly open the same graph for a different
target. For example, when the Most Active Clients graph is open at NetEnforcer
level, you can also open the Most Active Clients graph at Pipe and Virtual Channel
level.

View Menu

The View menu includes the following options:


Chart: Displays the graph in Chart View. Refer to Graph Views, page 6-5.
Table: Displays the graph in Table View. Refer to Graph Views, page 6-5.
Definitions: Displays the graph in Definitions View. Refer to Graph Views, page 6-5.
In-Bandwidth: Displays the graph for incoming bandwidth only.
Out-Bandwidth: Displays the graph for outgoing bandwidth only.
In+Out Bandwidth: Displays the graph for both incoming and outgoing bandwidth.
Average Bandwidth: Displays the average bandwidth consumed by traffic, meaning the
amount of data transferred divided by the length of the whole sample period.
Active Average Bandwidth: Displays the active average bandwidth consumed by traffic,
meaning the amount of data transferred divided by only that part of the sample period
in which there actually was traffic.
Current View: Displays the graph for the latest whole sample period only. Refer to
Graph Types, page 6-4.
Cumulative View: Displays the graph for an average sample period. Refer to Graph
Types, page 6-4.
Cumulative Range View: Enables you to select a more specific and limited range within
the cumulative period. The cumulative period is the last X samples, where X is
defined in the graph settings, described on page 6-18. You select a start time and an
end time, which define the time period over which the average sample period shown in
Cumulative View is calculated.

Style Menu

The Style menu includes the following options:


Hide Menu Bar: Hides/displays the Monitoring window menu bar and toolbar. After
hiding the menu bar and toolbar, you can re-display them by clicking the icon
displayed at the top right of the Monitoring window.
Show/Hide 'All Others': Hides/displays statistics for All Others in the monitoring
graphs. This is useful when the bandwidth for All Others is large compared to that
of the selected Pipe or Virtual Channel.
Bar Chart: Displays a Pie chart as a Bar chart. Refer to Graph Styles, page 6-6.
Pie Chart: Displays a Bar chart as a Pie chart. Refer to Graph Styles, page 6-6.
Line Chart: Displays a stacked Area chart as a Line chart. Refer to Graph Styles,
page 6-6.
Area Chart: Displays a Line chart as a stacked Area chart. Refer to Graph Styles,
page 6-6.

Help Menu

The Help menu includes the following option:


Index Provides access to online help.

Monitoring Window Toolbar


The toolbar in the Monitoring window enables easy access to many of the functions
available from the menu bar. The toolbar includes the following buttons:

Pause Graph: Suspends the visual update of the graph. Clicking Pause Graph again
restores the visual update.
Print: Prints the graph.
Other Graphs for …: Enables you to quickly open any other graph for the same
target. For example, when a graph is opened at NetEnforcer level, you can open any
other graph at NetEnforcer level.
Other Targets for …: Enables you to quickly open the same graph for a different
target. For example, when the Most Active Clients graph is open at NetEnforcer
level, you can also open the Most Active Clients graph at Pipe and Virtual Channel
level.
Chart: Displays the graph in Chart View. Refer to Graph Views, page 6-5.
Table: Displays the graph in Table View. Refer to Graph Views, page 6-5.
Definitions: Displays the graph in Definitions View. Refer to Graph Views, page 6-5.
Style: Enables you to change the style of the graph. Refer to Graph Styles, page 6-6.
Hide Menu Bar: Hides the menu bar, toolbar and status bar. Click the icon at the top
of the graph to redisplay the menu bar, toolbar and status bar. This is useful for
maximizing graph space.
Zoom: Displays a tooltip describing the zoom and move graph functions.
Help: Provides access to online help.

Setting Up and Using a Favorite View


You can display up to ten Monitoring windows at the same time and arrange them as
required. You can save a particular arrangement of Monitoring windows as your
Favorite View. The default Favorite View displays the following monitoring graphs:
• Utilization for NetEnforcer
• Virtual Channels Distribution for NetEnforcer
• Most Active Protocols for NetEnforcer (Total)
• Internal Hosts for NetEnforcer (Total)
• External Hosts for NetEnforcer (Total)

To display the Favorite View:


• From the Monitoring menu, select My Favorite View. The Favorite View is
displayed.

To set the Favorite View:


1. Arrange the Monitoring windows as required.

2. From the Monitoring menu, select Settings and then Save as My Favorite View.
The current arrangement of Monitoring windows is saved as the Favorite View. The
Favorite View is also preserved for future sessions when NetEnforcer is accessed
from the same client machine.

Monitoring Settings
The Monitoring Settings enable you to specify the number of Pipes, Virtual Channels,
Protocols, Clients and Servers displayed in the Most Active graphs, and the time span
for continuous graphs.

To define settings:
1. From the Monitoring menu, select Settings and then Graphs Features. The Graphs
Features dialog box is displayed:

Figure 6-12 –Graphs Features Dialog Box

2. Modify the values for each parameter, as follows:

Number of Most Active Pipes and VCs (1-25): The number, between 1 and 25, of Pipes
and Virtual Channels that will be displayed in the Most Active Pipes and Most Active
Virtual Channels graphs.
Number of Most Active Protocols (1-25): The number, between 1 and 25, of Protocols
that will be displayed in the Most Active Protocols graphs.
Number of Most Active Hosts, Clients and Servers (1-25): The number, between 1 and
25, of Hosts, Clients and Servers that will be displayed in the Most Active Hosts,
Clients and Servers graphs.
Time Span for Continuous Graphs, Minutes (1-60) or Hours (1-24): The period of time,
between 1 and 60 minutes or between 1 and 24 hours, over which the data for
Continuous-type graphs is displayed. This is the maximal width of the X-axis for
these graphs.
Data Collection Range (in number of samples) for Cumulative Graphs (1-144): The
number of samples used to calculate the average sample for Cumulative-type graphs.
For example, when 10 is specified, a Cumulative-type graph will display an average
for the data collected during the last 10 sample periods.
Number of Last Used Graphs (1-15): The number of the most recently viewed graphs to
display below the other options in the Monitoring menu.
Details for 'Most Active' Graphs: If you select Yes, the following occurs: in
Protocols graphs, for any protocol that is not a service, the port number is
displayed as part of the legend; in any Hosts/Clients/Servers graphs, the IP address
is displayed as part of the legend. No is the default setting.


3. Click Save to save your settings to NetEnforcer.

Monitoring Graphs
The NetEnforcer Monitoring window provides many different graphs. Some of the
graphs can be displayed for all three levels, while others can only be displayed for a
single level. At NetEnforcer level, some graphs can be displayed for the whole
NetEnforcer or for a selected Protocol, Host, Client or Server. At all levels, some graphs
can be displayed showing inbound bandwidth only, outbound bandwidth only or total
bandwidth.
The following table lists the monitoring graphs, indicating at which level they are
available as well as their graph type:
Graph Name                      NetEnforcer Level   Pipe Level   VC Level   Graph Type
Pipes Distribution              Yes                 -            -          Continuous
Virtual Channels Distribution   Yes                 -            -          Continuous
Bandwidth                       Yes                 Yes          Yes        Continuous
Connections                     Yes                 Yes          Yes        Continuous
Utilization                     Yes                 Yes          Yes        Current
Packets                         Yes                 Yes          Yes        Continuous
Most Active Pipes               Yes                 -            -          Current/Cumulative
Most Active Virtual Channels    Yes                 Yes          -          Current/Cumulative
Most Active Protocols           Yes (1)             Yes (3)      Yes (3)    Current/Cumulative
Most Active Hosts               Yes (2)             Yes (3)      Yes (3)    Current/Cumulative
Most Active Internal Hosts      Yes (2)             Yes (3)      Yes (3)    Current/Cumulative
Most Active External Hosts      Yes (2)             Yes (3)      Yes (3)    Current/Cumulative
Most Active Clients             Yes (2)             Yes (3)      Yes (3)    Current/Cumulative
Most Active Servers             Yes (2)             Yes (3)      Yes (3)    Current/Cumulative

(1) Can be displayed for the whole NetEnforcer, or for a selected Host, Client or
Server; in each case you can display the Total, Inbound or Outbound bandwidth.
(2) Can be displayed for the whole NetEnforcer or for a selected Protocol; in each
case you can display the Total, Inbound or Outbound bandwidth.
(3) You can display the Total, Inbound or Outbound bandwidth.
Table 6-1 – Available Monitoring Graphs
NOTE:
Pipes or Virtual Channels that are defined as Ignore QoS cannot be seen in the monitoring graphs.

Pipes Distribution
The Pipes Distribution monitoring graph is available at the NetEnforcer level only. It
displays the bandwidth consumed by the Pipes in your network. You can view inbound
and outbound bandwidth together (shown below) or separately.

Figure 6-13 – Pipes Distribution Graph

The Pipes Distribution graph can be displayed as a stacked Area chart (above) or as a
Line chart.
As a Continuous-type graph, the Pipes Distribution graph displays information for a
specified range of time. The range of time for which the graph is relevant is displayed
along the X-axis of the graph and is defined in the graph settings, described on
page 6-18.
NOTE:
Clicking a point in a Continuous-type graph displays the bandwidth value at the selected point.

The Pipes Distribution graph displays the average bandwidth in Kbps consumed by
each selected Pipe. You can also display the active average bandwidth consumed by
each Pipe, meaning the amount of bandwidth consumed divided by the length of the
sample period when there actually was traffic.
You can simultaneously view other monitoring graphs for a specific Pipe by
right-clicking the required Pipe in the graph, or in the list on the right side of the
window, and selecting the graph that you want to see from the displayed popup menu.

Figure 6-14 – Selecting Other Graphs

Virtual Channels Distribution


The Virtual Channels Distribution monitoring graph is available at the NetEnforcer
level only. It displays the bandwidth consumed by the Virtual Channels in your
network. You can view inbound and outbound bandwidth together or separately.

Figure 6-15 – Virtual Channels Distribution Graph

The Virtual Channels Distribution graph can be displayed as a stacked Area chart or as
a Line chart (above).
As a Continuous-type graph, the Virtual Channels Distribution graph displays
information for a specified range of time. The range of time for which the graph is
relevant is displayed along the X-axis of the graph and is defined in the graph settings,
described on page 6-18.

The Virtual Channels Distribution graph displays the average bandwidth in Kbps
consumed by each selected Virtual Channel. You can also display the active average
bandwidth consumed by each Virtual Channel, meaning the amount of bandwidth
consumed divided by the length of the sample period when there actually was traffic.
NOTE:
For example, in a sample period of 60 seconds, traffic is 300Kbps for 30 seconds, and there is no traffic for
the remaining 30 seconds. The average bandwidth is 150Kbps since the whole sample period is considered.
The active average bandwidth is 300Kbps.
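The arithmetic behind these figures, and behind the Current, Cumulative and Cumulative Range views described under Graph Types and in the View menu above, as an added Python example that is not part of NetEnforcer or of this guide. The per-second values (the 60-second sample period from the note), the three-sample window and all function and class names are the example's own constructed assumptions; NetEnforcer itself computes these values internally from the sample period set in its system parameters.

```python
from collections import deque
from typing import Deque, List, Sequence, Tuple

# Constructed input: one 60-second sample period with 300 Kbps for 30 s and no traffic
# for the other 30 s (the figures from the note above; not data exported from NetEnforcer).
SAMPLE_PERIOD_KBPS: List[float] = [300.0] * 30 + [0.0] * 30


def average_kbps(kbps_per_second: Sequence[float]) -> float:
    """Average Bandwidth: data sent divided by the whole sample period, idle seconds included."""
    if not kbps_per_second:
        return 0.0
    return sum(kbps_per_second) / len(kbps_per_second)


def active_average_kbps(kbps_per_second: Sequence[float]) -> float:
    """Active Average Bandwidth: data sent divided by only the seconds in which traffic was seen."""
    active = [v for v in kbps_per_second if v > 0]
    if not active:
        return 0.0
    return sum(active) / len(active)


class CumulativeWindow:
    """The last X sample-period values that a Cumulative-type graph averages over.

    X is the Data Collection Range (1-144) from the Graphs Features dialog. current() is the
    value a Current-type graph shows, cumulative() the value a Cumulative-type graph shows,
    and cumulative_range() the value Cumulative Range View shows for a start and end time.
    """

    def __init__(self, x: int) -> None:
        if not 1 <= x <= 144:
            raise ValueError("Data Collection Range must be between 1 and 144 samples")
        # (sample end time in seconds, average Kbps of that sample); the deque drops the
        # oldest entry once X samples are held, so sample 101 pushes out sample 1 when X is 100.
        self.samples: Deque[Tuple[int, float]] = deque(maxlen=x)

    def add(self, end_time: int, value_kbps: float) -> None:
        self.samples.append((end_time, value_kbps))

    def current(self) -> float:
        return self.samples[-1][1] if self.samples else 0.0

    def cumulative(self) -> float:
        values = [v for _, v in self.samples]
        return sum(values) / len(values) if values else 0.0

    def cumulative_range(self, start: int, end: int) -> float:
        values = [v for t, v in self.samples if start <= t <= end]
        return sum(values) / len(values) if values else 0.0


if __name__ == "__main__":
    print("average:", average_kbps(SAMPLE_PERIOD_KBPS))                # 150.0
    print("active average:", active_average_kbps(SAMPLE_PERIOD_KBPS))  # 300.0
    window = CumulativeWindow(3)
    for i, kbps in enumerate([150.0, 150.0, 300.0, 600.0]):
        window.add((i + 1) * 60, kbps)
    print("current:", window.current(), "cumulative:", window.cumulative())  # 600.0 350.0
```

The two averages differ only in the denominator, which is why a bursty Virtual Channel can show a modest Average Bandwidth yet an Active Average close to its maximum; the second figure is the one to compare against the QoS Catalog limits when deciding whether the channel is actually being starved during its bursts.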

You can simultaneously view other monitoring graphs for a specific Virtual Channel by
right-clicking the required Virtual Channel in the graph or in the list on the right side of
the window, and selecting the graph that you want to see from the displayed popup
menu.

Bandwidth
The Bandwidth monitoring graph is available at the NetEnforcer, Pipe and Virtual
Channel levels. It displays bandwidth information for NetEnforcer or a selected Pipe or
Virtual Channel.

Figure 6-16 – Bandwidth Graph

The Bandwidth graph is displayed as a Line chart. You cannot change this display.
As a Continuous-type graph, the Bandwidth graph displays information for a specified
range of time. The range of time for which the graph is relevant is displayed along the
X-axis of the graph and is defined in the graph settings, described on page 6-18.
The following information can be viewed in the Bandwidth graph:
In-Bandwidth: The bandwidth consumed by incoming traffic for NetEnforcer or the
selected Pipe or Virtual Channel.
Out-Bandwidth: The bandwidth consumed by outgoing traffic for NetEnforcer or the
selected Pipe or Virtual Channel.

Lines indicating the minimum and maximum bandwidth may be displayed in the graph,
using additional options available in the Style menu, as follows:
• No Min/Max Lines: No lines indicating minimum or maximum bandwidth are
displayed in the Bandwidth graph. This is the default display.
• Inbound Min/Max Lines: Lines indicating minimum and maximum inbound
bandwidth are displayed in the Bandwidth graph.
• Outbound Min/Max Lines: Lines indicating minimum and maximum outbound
bandwidth are displayed in the Bandwidth graph.
NOTE:
These additional options are only available when minimum and maximum bandwidths are defined for the
Pipe or Virtual Channel (in the QoS Catalog entry selected as the value for the QoS of the Pipe or Virtual
Channel).

Connections
The Connections monitoring graph is available at the NetEnforcer, Pipe and Virtual
Channel levels. It displays connections information for NetEnforcer or a selected Pipe
or Virtual Channel.

Figure 6-17 –Connections Graph

SECURITY NOTE:
The Connections graph helps in DoS attack monitoring and enables you to detect DoS attacks in real time.
A sudden, sustained rise in new connections per second, or a number of live connections far above what is
normal for that Pipe or Virtual Channel, may indicate a DoS attack such as a connection flood. Because
legitimate traffic also bursts, establish what is normal first (Long-term Monitoring, page 6-51, keeps the
history for this), and open the Most Active Clients and Most Active Servers graphs for the same target to
see where the connections come from and which server they are aimed at.

The Connections graph is displayed as a Line chart. You cannot change this display.
The Connections graph has two Y-axes: on the left is the scale for live and new
connections, and on the right is the scale for new connections per second. The two
scales differ considerably, so read each series against its own axis.
As a Continuous-type graph, the Connections graph displays information for a specified
range of time. The range of time for which the graph is relevant is displayed along the
X-axis of the graph and is defined in the graph settings, described on page 6-18.

The following information can be viewed in the Connections graph:


Live Connections: The number of currently open connections for NetEnforcer or the
selected Pipe or Virtual Channel.
New Per-Second Connections: The average rate of new connections, meaning the number
of new connections opened during the interval divided by the length of the interval.
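The two series the Connections graph plots, and the kind of check the security note above describes, as an added Python example that is not part of NetEnforcer or of this guide. The connection events are constructed inline in an illustrative open/close record format (not a NetEnforcer export format), and the thresholds, window size and function names are the example's own assumptions.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]  # (second, "open" | "close", connection id); constructed format


def make_sample_events() -> List[Event]:
    """Constructed sample: 10 s of normal load followed by a 5 s connection flood."""
    events: List[Event] = []
    cid = 0
    for t in range(0, 10):            # seconds 0-9: 2 new connections/s, each closed 3 s later
        for _ in range(2):
            cid += 1
            events.append((t, "open", f"c{cid}"))
            events.append((t + 3, "close", f"c{cid}"))
    for t in range(10, 15):           # seconds 10-14: 200 new connections/s that are never closed
        for _ in range(200):
            cid += 1
            events.append((t, "open", f"c{cid}"))
    return events


def connection_stats(events: List[Event], interval: int = 1) -> List[Tuple[int, int, float]]:
    """Per interval: (interval start, live connections at end of interval, new connections per second).

    New connections per second is opens in the interval divided by the interval length,
    which is how the graph defines it."""
    opens: Dict[int, int] = defaultdict(int)
    closes: Dict[int, int] = defaultdict(int)
    for t, kind, _cid in events:
        bucket = (t // interval) * interval
        if kind == "open":
            opens[bucket] += 1
        elif kind == "close":
            closes[bucket] += 1
    last = max(max(opens, default=0), max(closes, default=0))
    live = 0
    stats: List[Tuple[int, int, float]] = []
    for start in range(0, last + interval, interval):
        live += opens[start] - closes[start]
        stats.append((start, live, opens[start] / interval))
    return stats


def flag_floods(stats: List[Tuple[int, int, float]], window: int = 5, multiplier: float = 10.0,
                min_new_per_sec: float = 20.0, live_limit: int = 500) -> List[Tuple[int, str]]:
    """Return (interval start, reason) for intervals that look like a connection flood.

    The baseline is the median new-connections-per-second of the last `window` intervals
    that were NOT flagged, so an attack in progress cannot raise its own baseline."""
    baseline_pool: List[float] = []
    alerts: List[Tuple[int, str]] = []
    for start, live, new_ps in stats:
        flagged = False
        if len(baseline_pool) >= window:   # no rate alerts until a baseline exists
            threshold = max(min_new_per_sec, multiplier * median(baseline_pool[-window:]))
            if new_ps > threshold:
                alerts.append((start, f"new connections/s {new_ps:.0f} > {threshold:.0f}"))
                flagged = True
        if live > live_limit:               # connections piling up and never closing
            alerts.append((start, f"live connections {live} > {live_limit}"))
            flagged = True
        if not flagged:
            baseline_pool.append(new_ps)
    return alerts


def flagged_intervals(events: List[Event], **kw) -> List[int]:
    """Distinct interval starts that raised any alert."""
    return sorted({start for start, _ in flag_floods(connection_stats(events), **kw)})


if __name__ == "__main__":
    for start, live, new_ps in connection_stats(make_sample_events()):
        print(f"t={start:2d}  live={live:4d}  new/s={new_ps:5.0f}")
    for start, reason in flag_floods(connection_stats(make_sample_events())):
        print(f"ALERT t={start}: {reason}")
```

Two details matter for the flood case. The baseline is taken only from intervals that were not flagged: if the attack's own rate were allowed into a five-interval median, alerting would stop three seconds into the flood shown here. And the live-connection limit catches the second symptom the note mentions, connections that accumulate because the attacker never completes or closes them, which a rate check alone would miss once the rate settles.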

Utilization
The Utilization monitoring graph is available at the NetEnforcer, Pipe and Virtual
Channel levels. It displays the inbound and outbound bandwidth consumed by
NetEnforcer, or a selected Pipe or Virtual Channel, in relation to the minimum and
maximum bandwidth defined for NetEnforcer or the selected Pipe or Virtual Channel.

Figure 6-18 – Utilization Graph

The Utilization graph is displayed as two horizontal bars representing inbound and
outbound bandwidth. You cannot change this display. The bandwidth consumed is
displayed in the horizontal bar and, above the horizontal bar, the consumed bandwidth
is displayed as a percentage of the maximum bandwidth.

NOTE:
The Utilization graph is not available for a Pipe or Virtual Channel for which no maximum bandwidth has
been defined (in the QoS Catalog entry selected as the value for the QoS of the Pipe or Virtual Channel).

The Utilization graph is a Current-type graph only. This means that it displays
information for the latest whole sample period only. It cannot be displayed as a
Cumulative-type graph to provide information for accumulated data.

Packets
The Packets monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel
levels. It displays the number of packets passed in relation to NetEnforcer or a selected
Pipe or Virtual Channel. This enables you to plan future bandwidth requirements by
following historical trends. Refer to Long-Term Monitoring, page 6-51, on how to view
long-term trends.
You can view packets relating to inbound and outbound traffic together (shown below)
or separately.

Figure 6-19 –Packets Graph

The Packets graph is displayed as a Line chart. You cannot change this display. The
Y-axis is the scale for the number of packets passed.
As a Continuous-type graph, the Packets graph displays information for a specified
range of time. The range of time for which the graph is relevant is displayed along the
X-axis of the graph and is defined in the graph settings, described on page 6-18.

Most Active Pipes


The Most Active Pipes monitoring graph is available at the NetEnforcer level only. It
displays the average inbound and outbound bandwidth consumed by the most active
Pipes defined in the Policy Editor. The maximum number of Pipes displayed, between 1
and 25, is defined in the graph settings, described on page 6-18.

Figure 6-20 – Most Active Pipes Graph

The Most Active Pipes graph can be displayed as a Bar chart (above) or as a Pie chart.
As a Current/Cumulative-type graph, the Most Active Pipes graph displays information
for sample periods. It can be displayed as a Current-type graph (above) to provide
information for the latest whole sample period only, or as a Cumulative-type graph to
provide information for an average sample period based on the last X sample periods.
(X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed.

Figure 6-21 – Cumulative Range Dialog Box

Select a start time and an end time, which will define the time period for the calculation
of the average sample period shown in the graph. Click OK.
You can simultaneously view other monitoring graphs for a specific Pipe by
right-clicking the required Pipe in the graph or in the list on the right side of the
window, and selecting the graph that you want to see from the displayed popup menu.

Most Active Virtual Channels


The Most Active Virtual Channels monitoring graph is available at the NetEnforcer and
Pipe levels. It displays the average inbound and outbound bandwidth consumed by the
most active Virtual Channels defined in the Policy Editor. The maximum number of
Virtual Channels displayed, between 1 and 25, is defined in the graph settings,
described on page 6-18.

Figure 6-22 – Most Active Virtual Channels Graph

The Most Active Virtual Channels graph can be displayed as a Bar chart or as a Pie
chart (above).

As a Current/Cumulative-type graph, the Most Active Virtual Channels graph displays
information for sample periods. It can be displayed as a Current-type graph (above) to
provide information for the latest whole sample period only, or as a Cumulative-type
graph to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)
You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end
time, which will define the time period for the calculation of the average sample period
shown in the graph. Click OK.
You can simultaneously view other monitoring graphs for a specific Virtual Channel by
right-clicking the required Virtual Channel in the graph or in the list on the right side of
the window, and selecting the graph that you want to see from the displayed popup
menu.

Most Active Protocols


The Most Active Protocols monitoring graph is available at the NetEnforcer, Pipe and
Virtual Channel levels. It displays the average inbound and outbound bandwidth
consumed by the most active Protocols in your network.
At the NetEnforcer level, you can select to display the Most Active Protocols graph for
the whole NetEnforcer or for a selected Host, Client or Server. At all levels, you can
select to display the total bandwidth consumed or just the inbound or outbound
bandwidth.

Figure 6-23 – Most Active Protocols Graph

The Most Active Protocols graph can be displayed as a Pie chart (above) or as a Bar
chart.

As a Current/Cumulative-type graph, the Most Active Protocols graph displays
information for sample periods. It can be displayed as a Current-type graph (above) to
provide information for the latest whole sample period only, or as a Cumulative-type
graph to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)
You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end
time, which will define the time period for the calculation of the average sample period
shown in the graph. Click OK.

Adding Virtual Channels


From the Most Active Protocols graph, you can create a Virtual Channel based on a
selected protocol.

To add a Virtual Channel:


1. Right-click a protocol in the Most Active Protocols graph and select Add Virtual
Channel with Service (selected service name) on. The Policy Editor opens and the
Select Pipe dialog box is displayed.

Figure 6-24 – Select Pipe Dialog Box

2. Select a Pipe and click OK. A Virtual Channel is added to the selected Pipe based on
the selected service.
NOTE:
You select a Pipe only if the Most Active Protocols graph was opened at the NetEnforcer level. If it was
opened at the Pipe or Virtual Channel level, the new Virtual Channel is added automatically to the Pipe on
which the Most Active Protocols graph was opened initially.

If the selected protocol exists as an entry in the Service Catalog, the existing service
(protocol) is used. If the selected protocol does not exist as an entry in the Service
Catalog, a new service entry is created based on the monitored protocol.

Most Active Hosts


The Most Active Hosts monitoring graph is available at NetEnforcer, Pipe and Virtual
Channel level. It displays the average inbound and outbound bandwidth consumed by
the hosts that are on the internal and external side of the NetEnforcer (clients or
servers). NetEnforcer monitors the amount of data to and from each host.
You can select to display the Most Active Hosts graph for the whole NetEnforcer or for
a selected protocol. Additionally, you can select to display the total bandwidth
consumed or just the inbound or outbound bandwidth.
The maximum number of hosts displayed, between 1 and 25, is defined in the graph
settings, described on page 6-18.

Figure 6-25 – Most Active Hosts Graph

The Most Active Hosts graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Hosts graph displays information
for sample periods. It can be displayed as a Current-type graph (above) to provide
information for the latest whole sample period only, or as a Cumulative-type graph to
provide information for an average sample period based on the last X sample periods.
(X is defined in the graph settings, described on page 6-18.)
You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end
time, which will define the time period for the calculation of the average sample period
shown in the graph. Click OK.

Most Active Internal Hosts


The Most Active Internal Hosts monitoring graph is available at NetEnforcer, Pipe and
Virtual Channel level. It displays the average inbound and outbound bandwidth
consumed by the hosts that are on the internal side of the NetEnforcer (clients or
servers). NetEnforcer monitors the amount of data to and from each internal host.
You can select to display the Most Active Internal Hosts graph for the whole
NetEnforcer or for a selected protocol. Additionally, you can select to display the total
bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of hosts displayed, between 1 and 25, is defined in the graph
settings, described on page 6-18.

Figure 6-26 – Most Active Internal Hosts Graph

The Most Active Internal Hosts graph can be displayed as a Bar chart (above) or as a
Pie chart.
As a Current/Cumulative-type graph, the Most Active Internal Hosts graph displays
information for sample periods. It can be displayed as a Current-type graph (above) to
provide information for the latest whole sample period only, or as a Cumulative-type
graph to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end
time, which will define the time period for the calculation of the average sample period
shown in the graph. Click OK.

Most Active External Hosts


The Most Active External Hosts monitoring graph is available at NetEnforcer, Pipe and
Virtual Channel level. It displays the average inbound and outbound bandwidth
consumed by the hosts that are on the external side of the NetEnforcer (clients or
servers). NetEnforcer monitors the amount of data to and from each external host.
You can select to display the Most Active External Hosts graph for the whole
NetEnforcer or for a selected protocol. Additionally, you can select to display the total
bandwidth consumed or just the inbound or outbound bandwidth.

The maximum number of hosts displayed, between 1 and 25, is defined in the graph
settings, described on page 6-18.

Figure 6-27 – Most Active External Hosts Graph

The Most Active External Hosts graph can be displayed as a Bar chart (above) or as a
Pie chart.
As a Current/Cumulative-type graph, the Most Active External Hosts graph displays
information for sample periods. It can be displayed as a Current-type graph to provide
information for the latest whole sample period only, or as a Cumulative-type graph
(above) to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)

You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end
time, which will define the time period for the calculation of the average sample period
shown in the graph. Click OK.

Most Active Clients


The Most Active Clients monitoring graph is available at NetEnforcer, Pipe and Virtual
Channel level. It displays the average inbound and outbound bandwidth consumed by
the most active Clients. NetEnforcer monitors the amount of data from each source and
to each destination. The amount of data flowing in each connection is added to the
connection source total as Client data.
You can select to display the Most Active Clients graph for the whole NetEnforcer or
for a selected protocol. Additionally, you can select to display the total bandwidth
consumed or just the inbound or outbound bandwidth.
The maximum number of Clients displayed, between 1 and 25, is defined in the graph
settings, described on page 6-18.

Figure 6-28 – Most Active Clients Graph

The Most Active Clients graph can be displayed as a Bar chart (above) or as a Pie chart.
As a Current/Cumulative-type graph, the Most Active Clients graph displays
information for sample periods. It can be displayed as a Current-type graph (above) to
provide information for the latest whole sample period only, or as a Cumulative-type
graph to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)

Most Active Servers


The Most Active Servers monitoring graph is available at the NetEnforcer, Pipe and
Virtual Channel levels. It displays the average inbound and outbound bandwidth
consumed by the most active Servers. NetEnforcer monitors the amount of data from
each source and to each destination. The amount of data flowing in each connection is
added to the connection destination total as Server data.
You can select to display the Most Active Servers graph for the whole NetEnforcer or
for a selected protocol. Additionally, you can select to display the total bandwidth
consumed or just the inbound or outbound bandwidth.
The maximum number of Servers displayed, between 1 and 25, is defined in the graph
settings, described on page 6-18.

Figure 6-29 – Most Active Servers Graph

The Most Active Servers graph can be displayed as a Bar chart (above) or as a Pie chart.

As a Current/Cumulative-type graph, the Most Active Servers graph displays
information for sample periods. It can be displayed as a Current-type graph to provide
information for the latest whole sample period only, or as a Cumulative-type graph
(above) to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)

Long-Term Monitoring
NetEnforcer's monitoring tool provides real-time data in intervals of one to 10 minutes
for the previous 24 hours, enabling you to monitor applications, protocols, users and
servers and to enforce the most suitable QoS policy. NetEnforcer's long-term
monitoring tool enables you to monitor your network's activity over a much longer
period of time with the same look and feel as the real-time monitoring graphs. Using
long-term monitoring, data from as far back as one to two years is stored as .csv files on
a dedicated server for use by other reporting tools. Each server can store data from
multiple NetEnforcers, at 30-second intervals for the last 10-40 days or at one-hour
intervals for one year or longer.
The ability to monitor applications and users is crucial in order to employ traffic
priorities based on business requirements. Monitoring helps the user to fine-tune the
network performance.
NOTE:
You must wait at least two hours before seeing any long-term graphs. If you try to view graphs before two
hours have passed, error messages will pop up.

Collecting Data for Long-Term Monitoring


In order to view long-term monitoring graphs, you must install the Long-Term
Monitoring Agent. The Long-Term Monitoring Agent requests the required graphs from
the monitoring server, receives the data, and writes it to files. NetEnforcer takes the data
from these files when you select to display long-term monitoring graphs. More than one
Long-Term Monitoring Agent may be installed on a single server, in order to collect data
from multiple NetEnforcers.
Once the Long-Term Monitoring Agent has been installed and run, you can activate and
manage long-term monitoring graphs from the NetEnforcer main GUI.
The Long-Term Monitoring Agent writes the data to files located at a shared directory
on a network drive, so that the history graphs based on those files are available from
every PC in the LAN, and not only from one PC.

NOTE:
It is reasonable to install the Long-Term Monitoring Agent itself on the same network PC to which it writes
the files, and to choose for that purpose an ‘enduring’ machine which will be ‘up’ permanently.

You must first install the Long-Term Monitoring Agent and then you can configure it to
collect data according to your requirements.
TIP:
Problem: Identify the source of congestion.
Solution: Use the Monitoring drill-down capabilities to find it.
Here is how: Look at the Pipes Distribution graph and identify the saturated link. If the saturation is
identified as inbound traffic, for example, for a particular Pipe, drill down to see the Top Inbound
Protocols graph for that Pipe. If you discover that the majority of the inbound traffic is KaZaa, for
instance, drill down to see the Top Internal Clients graph for KaZaa. The specific host that is saturating the
link can then be identified.
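The drill-down in the tip (Pipes Distribution to Top Inbound Protocols to Top Internal Clients) is the same three-step narrowing a defender does by hand when an unexpected host starts dominating a link. The Python below is an added example of that narrowing, not NetEnforcer code: the flow records, the Pipe names, the Pipe capacities and the private-range host addresses are all constructed for the example, and the 90% utilisation threshold that counts as "saturated" is an assumption.

```python
# Constructed per-interval flow records (not NetEnforcer output). Each record is
# (pipe, direction, protocol, internal host, bytes seen during the interval).
INTERVAL_SECONDS = 60

# Assumed Pipe capacities in bits/s, per direction (constructed values).
PIPE_CAPACITY_BPS = {
    ("Sales", "inbound"): 2_000_000, ("Sales", "outbound"): 2_000_000,
    ("Engineering", "inbound"): 10_000_000, ("Engineering", "outbound"): 10_000_000,
}

FLOWS = [
    ("Sales", "inbound", "KaZaa", "10.0.1.20", 12_000_000),
    ("Sales", "inbound", "KaZaa", "10.0.1.21", 1_500_000),
    ("Sales", "inbound", "HTTP", "10.0.1.30", 900_000),
    ("Sales", "outbound", "HTTP", "10.0.1.30", 300_000),
    ("Engineering", "inbound", "HTTP", "10.0.2.10", 30_000_000),
    ("Engineering", "outbound", "SMTP", "10.0.2.11", 2_000_000),
]


def _sum_bytes_by(records, key):
    """Total bytes grouped by key(record), largest first."""
    totals = {}
    for rec in records:
        k = key(rec)
        totals[k] = totals.get(k, 0) + rec[4]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def pipes_distribution(flows, capacities, interval=INTERVAL_SECONDS):
    """Step 1: utilisation of every (pipe, direction) as a fraction of capacity."""
    return [(pipe, direction, (total * 8 / interval) / capacities[(pipe, direction)])
            for (pipe, direction), total in _sum_bytes_by(flows, lambda r: (r[0], r[1]))]


def saturated_links(flows, capacities, threshold=0.9):
    """Links at or above the threshold, worst first."""
    hot = [link for link in pipes_distribution(flows, capacities) if link[2] >= threshold]
    return sorted(hot, key=lambda link: link[2], reverse=True)


def top_protocols(flows, pipe, direction):
    """Step 2: Top Protocols graph for one Pipe and one direction."""
    subset = [r for r in flows if r[0] == pipe and r[1] == direction]
    return _sum_bytes_by(subset, lambda r: r[2])


def top_internal_hosts(flows, pipe, direction, protocol):
    """Step 3: Top Internal Clients graph for one protocol on that Pipe."""
    subset = [r for r in flows if r[0] == pipe and r[1] == direction and r[2] == protocol]
    return _sum_bytes_by(subset, lambda r: r[3])


def find_congestion_source(flows, capacities, threshold=0.9):
    """Chain the three drill-down steps; None when no link is saturated."""
    hot = saturated_links(flows, capacities, threshold)
    if not hot:
        return None
    pipe, direction, _ = hot[0]
    protocol, _ = top_protocols(flows, pipe, direction)[0]
    host, _ = top_internal_hosts(flows, pipe, direction, protocol)[0]
    return pipe, direction, protocol, host


if __name__ == "__main__":
    for pipe, direction, util in pipes_distribution(FLOWS, PIPE_CAPACITY_BPS):
        print(f"{pipe:12} {direction:9} {util:6.1%}")
    print("congestion source:", find_congestion_source(FLOWS, PIPE_CAPACITY_BPS))
```

The utilisation calculation converts bytes per interval to bits per second before dividing by the Pipe capacity; forgetting the factor of 8 is the most common reason a link that is visibly saturated reports as lightly loaded.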

Installing the Long-Term Monitoring Agent


The Long-Term Monitoring Agent is an application that must be downloaded and
installed (on any Windows operating system).
You can run several agents (one per NetEnforcer).

To download and install the Long-Term Monitoring Agent:


1. From the network PC that you have selected to be the long term monitoring server,
open the NetEnforcer GUI.
NOTE:
The long term monitoring server should be up at all times.

2. From the NetEnforcer Control Panel, click Tools and then select Download
Long-Term Monitoring Agent. The File Download dialog box is displayed.
3. Click Open and follow the on-screen instructions to install the Collector application.
Note the following:
• Specify the location where the Collector application should be installed.
• Enter the IP address of NetEnforcer from where you want to collect data.

• If required, you can insert details of a user name and password. If you do this,
you will not have to log in each time that the Collector is started. However, there
will be no way to connect to a different NetEnforcer without downloading and
installing the Collector again. Therefore, it is recommended only to insert these
details if there is only one NetEnforcer from which you want to collect data.
When the installation process is completed, you will have the following:
• A shortcut icon on your desktop called NetEnforcer Long Term Monitoring Agent.
• A new entry in your Start > Programs folder called NetEnforcer Long Term
Monitoring Agent.
• The Long-Term Monitoring Agent also appears in Startup, enabling it to run
automatically on each reboot of your computer.

Running the Long-Term Monitoring Agent


The Long-Term Monitoring Agent starts automatically when the PC starts. A login
window is displayed requesting a user name, password and the IP address of
NetEnforcer.
TIP:
You can avoid this login window by adding parameters to the Long-Term Monitoring Agent in the Startup
menu, as described in the following tip, which is displayed the first time the Long-Term Monitoring Agent
starts.

It is highly recommended to follow this tip.

After login, the Long-Term Monitoring Agent runs in the Windows system tray, as
shown below:

NOTE:
After login, you may also see the following message:

This is expected at this stage and you should simply click OK.

The Long-Term Monitoring Agent icon in the system tray indicates one of the following
states:
• The Long-Term Monitoring Agent is disconnected.
• The Long-Term Monitoring Agent is running (recording).
• The Long-Term Monitoring Agent is paused (not recording).

Right-clicking the Long-Term Monitoring Agent in the system tray displays the
following menu:

The options are as follows:


Option    Description
Open      Opens the Long-Term Monitoring Agent window.
Record    Starts collecting data.
Pause     Stops collecting data.
Location  Enables you to change the location where the Long-Term Monitoring Agent stores collected data.
Graphs    Displays a list of graphs for which the Long-Term Monitoring Agent collects data - the graphs you have made available for long-term monitoring. Refer to Adding Graphs, page 6-62.
Log       Displays Long-Term Monitoring Agent log messages.
Help      Provides access to NetEnforcer long term monitoring help.
About     Displays version information about the Long-Term Monitoring Agent.
Exit      Closes the Long-Term Monitoring Agent application.

Collecting Data
The Long-Term Monitoring Agent application may often be left open for very long
periods of time (for example, days or weeks) in order to collect data. The Long-Term
Monitoring Agent application is robust and maintains an accurate record of data even
when the system is shut down and rebooted. In this situation, when the Long-Term
Monitoring Agent is restarted, data collection resumes and data is appended to the data
collected prior to the shutdown.
In order to collect data for long-term monitoring, you must specify a graph as available
to long-term monitoring. Refer to Adding Graphs, page 6-62.

To collect data:
1. Open the Long-Term Monitoring Agent application using the shortcut icon on your
desktop, from the Start menu or by clicking the Long-Term Monitoring Agent icon
in the system tray. The Long-Term Monitoring Agent window is displayed.

Figure 6-30 – Long-Term Monitoring Agent Window

2. If you want to adjust the location where the collected files are saved, click Pause and
click the browse button to select an alternative location. You should select a shared
directory on this network PC.
3. Click Record.

The Long-Term Monitoring Agent is now ready for collecting data.


The buttons available in the Long-Term Monitoring Agent window are as follows:
Option        Description
Pause/Record  Stops/starts collecting data.
Graphs        Displays a list of graphs for which the Long-Term Monitoring Agent collects data - the graphs you have made available for long-term monitoring.
Log           Displays Long-Term Monitoring Agent log messages.
Close         Closes the Long-Term Monitoring Agent window.
Help          Provides access to NetEnforcer long term monitoring help.
About         Displays version information about the Long-Term Monitoring Agent.

Configuring the Long Term Monitoring Data Location on NetEnforcer
You must ensure that the long-term monitoring data location configured on NetEnforcer
is the same as that specified in the Long-Term Monitoring Agent.

To configure the long-term monitoring data location on NetEnforcer:


1. From the NetEnforcer Control Panel, click Long-Term. The first time you do this
after installing the Long-Term Monitoring Agent, the following First Steps window
is displayed:

Figure 6-31 – Long-Term Monitoring First Steps


NOTE:
This is an explanatory window. It is only displayed the first time you click Long-Term. To display it
again, click Help and then First Steps in the Long Term Monitoring window.

2. Click OK. The Long Term Monitoring window is displayed. (If this is not the first
time you have selected the Long-Term option, the Long Term Monitoring window is
displayed directly.)

Figure 6-32 – Long-Term Monitoring Window

When the Long-Term Monitoring window is first opened, the long-term monitoring
data location is by default set as C:. You must change this location to the same
location as you specified in the Long-Term Monitoring Agent. Until you do so, a
warning (in red) is displayed in the upper right corner of the Long-Term Monitoring
window.

3. Click the browse button to the right of the Long-Term Monitoring Data Source
field. The Setting Long-Term Monitoring Location dialog box is displayed.

Figure 6-33 – Setting Long-Term Monitoring Location Dialog Box

4. Enter the location of the saved data as specified in the Long-Term Monitoring Agent
(which should be on a shared network drive) and click Save.

If the data location is the same as that specified on the Long-Term Monitoring
Agent, the warning in red should no longer appear in the top right corner of the
Long-Term Monitoring window.

Figure 6-34 – Long-Term Monitoring Window – Set Data Location

Now both the Long-Term Monitoring Agent and NetEnforcer are correctly configured
and you can begin to work with long-term monitoring graphs.
NOTES:
If the data location has been configured correctly but the Long-Term Monitoring Agent is not running, a
warning message is displayed (in red) in the upper right corner: Long-Term Monitoring Agent is not
running.
In order for the warning messages in red to disappear, the problem must be resolved AND the Long-Term
Monitoring window must be closed and re-opened.

Adding Graphs
In order to collect data for long-term monitoring, you must specify a graph as available
to long-term monitoring. This can be done from a real-time monitoring window or from
the Long Term Monitoring window.
Adding a graph to long-term monitoring is only available to an administrator user with
write permissions. This is because adding a graph to long-term monitoring actually
writes a “request” file at the files location directory on the Long-Term Monitoring
Agent LAN PC. Issues of access and write permissions are therefore very critical.

To add a graph from a real-time monitoring window:


• From the File menu in a Monitoring window, select Add to Long-Term
Monitoring Requests. The graph displayed in the Monitoring window is available
in long-term monitoring.

To add graphs from the Long Term Monitoring window:


1. From the NetEnforcer Control Panel, click Long-Term. The Long Term Monitoring
window is displayed.
2. Click the Add New Graph button. Further menus are displayed, as when you select
Monitoring in the Control Panel.

Figure 6-35 – Long-Term Monitoring Window - Add New Graph

3. Select the graph you want to add to long-term monitoring. It is added to the table of
graphs in the Long-Term Monitoring window. For example, if you select the
Virtual Channels Distribution for NetEnforcer graph, the Long-Term Monitoring
window is displayed as follows:

Figure 6-36 – Long-Term Monitoring Window – Graph Added

The graph is immediately collected, as indicated by the selected checkbox in the
Collect column.
As many graphs as you require can be added to long-term monitoring but only ten
graphs can be collected at the same time. Thus, once ten graphs have been added,
subsequent graphs do not have a selected checkbox in the Collect column.
NOTE:
To change this limit, please contact Allot Communications.

You must wait for a minimum of 2 hours before you can open the graph.

You can manipulate graphs in the Long-Term Monitoring window as follows:


• Select or deselect the checkbox in the Collect column to determine whether the
graph is collected or not.
• Select a graph and click Open to display the graph. Refer to Viewing Long-Term
Monitoring Graphs, page 6-66.
• Select a graph and click Rename to rename a graph.
• Select a graph and click Delete to delete a graph from long-term monitoring.
• Click Log to display the Long-Term Monitoring Agent Log. This enables you to see
the status and actions of the Long-Term Monitoring Agent. For example, whether it
is up, whether it is recording or paused, and so on.

Figure 6-37 – Long-Term Monitoring Agent Log

Viewing Long-Term Monitoring Graphs


Data should be collected for at least two hours (approximately) using the Long-Term
Monitoring Agent before you view it. Long-term monitoring graphs are produced using
data from the long-term monitoring directory (C:/NEData, by default) saved in the files
called (request)_hour.xml.

To view data:
1. From the NetEnforcer Control Panel, click Long-Term. The Long Term Monitoring
window is displayed.
2. Select the graph you want to view and click Open (or double-click the graph). The
Graph Time Span Coverage for (name of selected graph) window is displayed.

Figure 6-38 – Graph Time Span Coverage for (Name of Selected Graph)
Window – Relative Span Mode

TIP:
To get the most out of your Long Term Monitoring it is recommended that you configure the following
graphs on the NetEnforcer level: Top Protocols, Top Internal Hosts, Top External Hosts,
NetEnforcer Connections, NetEnforcer Bandwidth Distribution and VC/Pipes graphs where
relevant.

This window enables you to select a specific time period for the graph you want to
view. The collected data could cover a long time period and you may just want to
focus on part of it.
3. From the Span Mode dropdown list, select one of the following time measurements:
• Relative: Select the number of hours, days or months of data required. This
period is counted backwards from the end of the available data period. If you
select a month, the period covers the last calendar month. This means that if the
data ended on 17 February, you would see data from 1 to 17 February.
• Specific: Select the exact dates of the time period. By default the start and end
dates are the beginning and end of the entire available period.

Figure 6-39 – Graph Time Span Coverage for (Name of Selected Graph)
Window – Specific Span Mode

TIP:
The practical meaning of your selection is displayed in the lower area of the window.

4. Click Continue. The data is retrieved from the collection files. The graph is
displayed before all the data is retrieved and you can see the percentage of data
retrieved in the status bar. While you are waiting for this to complete, you can use
other functionality of the long-term monitoring graph.

Figure 6-40 – Long-Term Monitoring Graph (Period Level)

Long-term monitoring graphs have the same look and feel as real-time monitoring
graphs. Most of the functionality available in real-time graphs, for example graph types
and graph styles, is also available for long-term monitoring graphs. These features are
explained in the first sections of this chapter.
The main differences between real-time graphs and long-term monitoring graphs are as
follows:
• Only two graph views, Chart View and Table View, are available with long-term
monitoring graphs.
• Long-term monitoring graphs have a light green background color while real-time
graphs have a green background color.

• The long-term monitoring window has an additional Page menu and the following
toolbar buttons: Back, Forward, Start and End. These arrow buttons enable you to
move forward and backwards through the pages of a long-term monitoring graph.
• The File menu in the long-term monitoring window includes an additional option
called Collection Log File.

Manipulating Long-Term Monitoring Graphs


When a long-term monitoring graph is first displayed, the data is shown in the broadest
resolution (full view). For example, where data is requested that spans several months,
the data is presented according to month. When data is requested that spans several
years, the data is presented by year. The actual unit is seen on the horizontal axis.

You can drill down into the long-term monitoring graph to see more details. For
example, data presented according to days of a selected month or hours of a selected
day or even minutes of a selected hour. This drilling down action enables you to move
between the following levels:
The two graph families present each level differently: continuous-type graphs (for
example, Bandwidth, Pipes Distribution) and ‘Most Active’ graphs (for example, Most
Active Virtual Channels).
Period
  Continuous-type graphs: Data is displayed for the entire time span, for example,
  several months or several days.
  ‘Most Active’ graphs: Data is displayed for the entire time span, for example,
  several months or several days.
Month
  Continuous-type graphs: Data is displayed for each day in a month.
  ‘Most Active’ graphs: Data is displayed for the whole month in one view.
Day
  Continuous-type graphs: Data is displayed for each hour in a day.
  ‘Most Active’ graphs: Data is displayed for the whole day in one view.
Hour
  Continuous-type graphs: Data is displayed for each 5 minutes in an hour.
  ‘Most Active’ graphs: Data is displayed for the whole hour in one view.
Minute
  Continuous-type graphs: Data is displayed for each 30 seconds in a five-minute
  period.
  ‘Most Active’ graphs: Data is displayed for the whole five-minute period in one view.
Second
  ‘Most Active’ graphs: Data is displayed for the whole thirty-second period in one
  view.
You can drill down using the right-click menu in a step-by-step fashion or directly to a
selected level.
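For a continuous-type graph, each level in the table above is a time-bucket roll-up of the 30-second samples the agent stores: the month view averages per day, the day view per hour, the hour view per five minutes, and the minute view shows the 30-second samples of one five-minute period, with the Back and Forward pages stepping to the neighbouring bucket of the same size. The Python below is an added example of that roll-up and paging logic and is not NetEnforcer code; the sample stream, its timestamps and values are constructed, and the choice of one value per month at the broadest (period) level assumes a span of several months.

```python
from datetime import datetime, timedelta

# Level whose selected bucket is drilled into to reach each level.
PARENT = {"period": None, "month": "period", "day": "month", "hour": "day", "minute": "hour"}

# Constructed timestamps used to build the sample stream below (not real data).
SEP_12_10AM = datetime(2004, 9, 12, 10, 0, 0)
SEP_13_8AM = datetime(2004, 9, 13, 8, 0, 0)


def _constructed_samples():
    """30-second samples of a continuous-type value in bits/s: twenty on
    12 Sep 2004 from 10:00, then four on 13 Sep from 08:00. Values are synthetic."""
    first = [(SEP_12_10AM + timedelta(seconds=30 * i), 1_000_000 + 10_000 * i) for i in range(20)]
    second = [(SEP_13_8AM + timedelta(seconds=30 * i), 500_000) for i in range(4)]
    return first + second


SAMPLES = _constructed_samples()


def bucket_start(ts, level):
    """Start of the bucket `ts` falls into when the graph is viewed at `level`:
    period = one value per month (assumption), month = per day, day = per hour,
    hour = per five minutes, minute = per 30 seconds."""
    ts = ts.replace(microsecond=0)
    if level == "period":
        return ts.replace(day=1, hour=0, minute=0, second=0)
    if level == "month":
        return ts.replace(hour=0, minute=0, second=0)
    if level == "day":
        return ts.replace(minute=0, second=0)
    if level == "hour":
        return ts.replace(minute=ts.minute - ts.minute % 5, second=0)
    if level == "minute":
        return ts.replace(second=ts.second - ts.second % 30)
    raise ValueError(f"unknown level {level!r}")


def drill_down(samples, level, selected=None):
    """Average the samples inside `selected` (a bucket of the parent level) at
    the resolution of `level`; returns (bucket start, average) pairs in time order.
    At the period level every sample is included and `selected` is ignored."""
    parent = PARENT[level]
    acc = {}
    for ts, value in samples:
        if parent is not None and bucket_start(ts, parent) != selected:
            continue
        b = bucket_start(ts, level)
        total, count = acc.get(b, (0, 0))
        acc[b] = (total + value, count + 1)
    return [(b, total / count) for b, (total, count) in sorted(acc.items())]


def next_page(level, selected, step=1):
    """Back/Forward paging: move `step` buckets of the parent's size at `level`
    (month pages are calendar months, day pages days, hour pages hours,
    minute pages five-minute periods)."""
    if level == "month":
        m = selected.month - 1 + step
        return selected.replace(year=selected.year + m // 12, month=m % 12 + 1)
    size = {"day": timedelta(days=1), "hour": timedelta(hours=1), "minute": timedelta(minutes=5)}
    return selected + step * size[level]


if __name__ == "__main__":
    month = bucket_start(SEP_12_10AM, "period")
    print("month view:", drill_down(SAMPLES, "month", month))
    hour = bucket_start(SEP_12_10AM, "day")
    print("hour view:", drill_down(SAMPLES, "hour", hour))
    print("next hour page:", next_page("hour", hour))
```

Because a bucket's average is total divided by the number of samples actually present, a five-minute bucket with a gap in collection (the agent paused, or the collecting PC rebooted) is averaged over fewer samples rather than padded with zeros; compare the sample counts if a roll-up looks suspiciously smooth.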

Drilling Down Step-By-Step


This method enables you to drill down slowly through the different resolutions of the
graph. You can begin by viewing data over a long period and zoom slowly in to see data
for a very specific period.

To drill down step-by-step:


1. With the long-term monitoring graph displayed at the broadest (period) level,
proceed as follows:
• In a ‘Most Active’ graph, right-click inside the area of the graph and select Drill-
down to Month. The Drill-down to dialog box is displayed. Select the month
within the period that you would like to view, for example, September, and click
OK.
• In a continuous-type graph, right-click inside the month area of the graph on
which you want to focus and select Drill-down to (selected month).
The graph now displays data for the selected month.

Figure 6-41 – Long-Term Monitoring Graph (Month Level)

You can move through other months using the arrow buttons or Page menu options.
Every page will be displayed in the selected resolution.

2. Continue to the next level as follows:


• In a ‘Most Active’ graph, right-click inside the area of the graph and select
Drill-down to Day. The Drill-down to dialog box is displayed.

Select the day within the month that you would like to view and click OK.
• In a continuous-type graph, right-click inside the day area of the graph on which
you want to focus and select Drill-down to (selected day).
The graph now displays data for the selected day. For example, drilling down a level
to a specific day, September 12th, shows the most active protocols for that day.

Figure 6-42 – Long-Term Monitoring Graph (Day Level)

You can move through other days using the arrow buttons or Page menu options.
Every page will be displayed in the selected resolution.

3. Continue to the next level as follows:


• In a ‘Most Active’ graph, right-click inside the area of the graph and select
Drill-down to Hour. The Drill-down to dialog box is displayed.

Select the hour within the day that you would like to view, for example, Sep 12
10:00, and click OK.
• In a continuous-type graph, right-click inside the hour area of the graph on which
you want to focus and select Drill-down to (selected hour).
TIP:
You can right-click and select Back to Full View to return to period level or select Up One Level to
return to the previous level.
The graph now displays data for the selected hour of the selected day. For example,
Figure 6-42 shows the most active protocols for September 12th. Drilling down a
level to a specific hour, 10:00, shows the most active protocols for that hour.

Figure 6-43 – Long-Term Monitoring Graph (Hour Level)


You can move through other hours using the arrow buttons or Page menu options.
Every page will be displayed in the selected resolution.
4. Continue to the next level as follows:
• In a ‘Most Active’ graph, right-click inside the area of the graph and select
Drill-down to Minutes. You cannot select which specific five-minute period to
view. The graph will show the first five-minute period of the hour and you can
scroll through subsequent five-minute periods.
• In a continuous-type graph, right-click inside the five-minute area of the graph on
which you want to focus and select Drill-down to (selected five-minute period).
In this type of graph, you can select which specific five-minute period you want
to view.
TIP:
You can right-click and select Back to Full View to return to period level or select Up One Level to
return to the previous level.
The graph now displays data for a five-minute period. For example, Figure 6-43
shows the most active protocols during the hour 10:00 to 11:00 on September 12th.
Drilling down a level shows the most active protocols for the first five-minute period
of that hour.

Figure 6-44 – Long-Term Monitoring Graph (Five-Minute Level)


You can move through other five-minute periods using the arrow buttons or Page
menu options. Every page will be displayed in the selected resolution.
5. Continue to the next level as follows:
• In a ‘Most Active’ graph, right-click inside the area of the graph and select
Drill-down to Seconds. You cannot select which specific thirty-second period to
view. The graph will show the first thirty-second period of the five minute period
and you can scroll through subsequent thirty-second periods.
TIP:
You can right-click and select Back to Full View to return to period level or select Up One Level to
return to the previous level.
The graph now displays data for a thirty-second period. For example, Figure 6-44
shows the most active protocols during the five-minute period 10:00 to 10:05 on
September 12th. Drilling down a level shows the most active protocols for the first
thirty seconds of that five-minute period.

Figure 6-45 – Long-Term Monitoring Graph (Thirty-Second Level)

You can move through other thirty-second periods using the arrow buttons or Page
menu options. Every page will be displayed in the selected resolution.


Drilling Down Directly


This method enables you to drill down quickly from a broad resolution to a narrow
resolution. For example, you can be viewing data for an entire year and zoom straight
into viewing data for a selected day.
NOTE:
You cannot drill down directly to the Minute level or Seconds level.

To drill down directly:


1. From the Page menu, select Detailed View. The Time Unit Selection for Detailed
View dialog box is displayed:

Figure 6-46 – Time Unit Selection for Detailed View Dialog Box

NOTE:
This dialog box is correct for Most Active graphs. For continuous-type graphs, you cannot select Hour
as the Time Unit.


2. Specify details of the exact year, month, day and hour to which you want to drill
down and click OK. You can go straight from period level to day level without first
going to month level.
As with real-time graphs, you can zoom into a long-term monitoring graph by holding
down the <Shift> key and dragging a box around the area of the graph that you want to
zoom in on. However, this method does not change the resolution of the graph; it provides
a closer look at a particular area at the same resolution.
TIP:
You can access real-time graphs from a long-term monitoring graph. Right-click in the graph and you can
select from real-time graphs for the current entity (Pipe or Virtual Channel).


Data Coverage
Although you may have selected a large period, for example, 5 months, the period could
include interruptions where data collection stopped for a few days or a few hours. The
period coverage is indicated in the status bar (Period/Month/Day/Hour/5-Minutes
Coverage). If the percentage is low, perhaps around 85%, you can use the collection log
file to view the exact times when data collection was not active.

To view the collection log file:


• From the File menu in the long-term monitoring window, select Collection Log
File.

Figure 6-47 – Collection Log File Dialog Box

The Collection Log File dialog box provides a list of dates and times within the
selected period that collection was not active.



Chapter 7: Defining Catalog Entries

This chapter describes Catalog Editors and how to define new Catalog entries.

This chapter includes the following sections:


Working with Catalog Editors, page 7-2, describes the features common to the
Catalog Editors, and provides a general description of how to add and delete entries in
Catalogs.
Host Catalog Editor, page 7-8, describes the Host Catalog Editor, where you define
possible values for the Connection Source and Connection Destination of a policy.
Service Catalog Editor, page 7-20, describes the Service Catalog Editor, where you
define possible values for the Service of a policy.
Time Catalog Editor, page 7-52, describes the Time Catalog Editor, where you define
possible values for the Time of a policy.
TOS (Type of Service) Catalog Editor, page 7-57, describes the TOS Catalog Editor,
where you define possible values for the TOS of a policy.
VLAN Catalog Editor, page 7-63, describes the VLAN Catalog Editor, where you
define possible VLAN values of a policy.
Quality of Service Catalog Editor, page 7-66, describes the QoS Catalog Editor, where
you define possible values for the Quality of Service applied to a policy.
Connection Control Catalog Editor, page 7-81, describes the Connection Control
Catalog Editor, where you define possible values for the Connection Control applied
to a policy.
Data Source Catalog Editor, page 7-87, describes the Data Source Catalog Editor,
where you define LDAP servers with which NetEnforcer can work.


Working with Catalog Editors


Catalogs contain the possible values available when defining policies in the Policy
Editor. For example, when selecting the Connection Source of a Pipe, Virtual Channel
or Rule, the possible values are the entries in the Host Catalog. Catalog Editors enable
you to add, change or delete entries in Catalogs. Entries are comprehensive sets of
parameters with logical names. These logical names then become the possible values
available in the Policy Editor.
A logical entity, such as a specific user or Quality of Service definition, can be defined
once, using the appropriate Catalog Editor, and then used many times in the Policy
Editor.
NetEnforcer includes the following Catalogs:
• Host Catalog: The entries in the Host Catalog are the possible values for the
Connection Source and Connection Destination conditions defined for a Pipe,
Virtual Channel and Rule. The Connection Source and Connection Destination
define the source and destination of the traffic. Refer to Host Catalog Editor,
page 7-8.
• Service Catalog: The entries in the Service Catalog are the possible values for the
Service condition defined for a Pipe, Virtual Channel and Rule. The Service
represents the protocols relevant to a connection. Refer to Service Catalog Editor,
page 7-20.
• Time Catalog: The entries in the Time Catalog are the possible values for the Time
condition defined for a Pipe, Virtual Channel and Rule. The Time defines the
applicability of a Pipe, Virtual Channel or Rule during certain time periods. Refer to
Time Catalog Editor, page 7-52.
• TOS Catalog: The entries in the TOS Catalog are the possible values for the TOS
condition defined for a Pipe, Virtual Channel and Rule. The TOS is the TOS byte
contained in the IP header of the packet. TOS entries are also used in QoS Catalog
entry definitions. Refer to Type of Service Catalog Editor, page 7-57.
• VLAN Catalog: The entries in the VLAN Catalog are the possible VLAN values of
a policy and their priority. Refer to VLAN Catalog Editor, page 7-63.


• QoS Catalog: The entries in the QoS Catalog are the possible values for the
Quality of Service action defined for a Pipe and Virtual Channel. The Quality of
Service allocates bandwidth, traffic priority, TOS marking and connection count
limits. Refer to Quality of Service Catalog Editor, page 7-66.
• Connection Control Catalog: The entries in the Connection Control Catalog are
the possible values for the Connection Control action defined for a Pipe and
Virtual Channel. The Connection Control refers to server load balancing and cache
redirection. Refer to Connection Control Catalog Editor, page 7-81.
• Data Source Catalog: The entries in the Data Source Catalog are the possible
LDAP servers with which NetEnforcer can work. These definitions can then be
referenced in Data Source Query definitions in the Host Catalog Editor. Refer to
Data Source Catalog Editor, page 7-87.
Each Catalog has its own editor where you can add new entries and modify existing
entries.

Accessing Catalog Editors


Catalog Editors can be accessed from any of the following places:
• The Catalogs menu in the Policy Editor
• The toolbar in the Policy Editor
• Right-clicking a cell in the Policy Editor and selecting Edit Catalog Entry


All Catalog Editors have some common fields and functionality, which are described in
this section. A sample Catalog Editor is shown below, with the List pane, the Definition
pane, the global Catalog Editor buttons and the specific entry buttons called out:

Figure 7-1 – Sample Catalog Editor

The List pane displays a list of the current entries defined in the Catalog. Selecting an
entry in the List pane displays its name at the top of the Definition pane, and its
properties or definition below its name. The Definition pane is the working area of a
Catalog Editor in which entries are defined.


All Catalogs contain three global buttons that apply to the Catalog as a whole and three
specific buttons that apply to the currently selected entry, as follows:
Specific Entry Buttons
• Adds a new Catalog entry.
• Deletes the selected Catalog entry. You can only delete entries that are
Unprotected. (Refer to Protected Entries, below.)
• Undoes the changes made to the current entry since the last save.
Global Buttons
• Saves changes in a Catalog Editor. In order to save the contents of the
Catalog Editor to NetEnforcer, you must also save the Policy Editor.
• Exits the Catalog Editor. Any unsaved changes are lost.
• Displays online help relevant to the Catalog Editor in a separate
window.

Protected Entries
Each Catalog includes default entries whose definitions cannot be modified. Such
entries are called Protected entries. When you select a Protected entry, such as Any in
the Host Catalog Editor, the Delete and Undo buttons are automatically disabled.
A user-defined entry is always Unprotected.


Deleting Entries from a Catalog


Only Unprotected entries can be deleted from a Catalog. (Refer to Protected Entries,
page 7-5.)

To delete an entry from a Catalog:


1. Select the entry to be deleted from the List pane.

2. Click Delete. The entry is no longer displayed in the List pane and it is deleted from
the Catalog.
You must save the Policy Editor for the deletion to take effect.
Catalog entries that are referenced in a policy definition cannot be deleted.

Policy Editor Toolbar


Catalog Editors can also be accessed by clicking on the required icon in the Policy
Editor.

Figure 7-2 – Policy Editor


Below is a list of the Catalog Editor menu options, tools and shortcut key options
available in the Policy Editor:
• Host: Opens the Host Catalog Editor, enabling you to define possible Connection
Source and Destination conditions.
• Service: Opens the Service Catalog Editor, enabling you to define possible Service
conditions.
• Time: Opens the Time Catalog Editor, enabling you to define possible Time
conditions.
• TOS: Opens the TOS Catalog Editor, enabling you to define possible Type of Service
conditions.
• VLAN: Opens the VLAN Catalog Editor, enabling you to define possible VLAN
conditions.
• Quality of Service: Opens the QoS Catalog Editor, enabling you to define possible
Quality of Service actions.
• Connection Control: Opens the Connection Control Catalog Editor, enabling you to
define possible Connection Control actions.
• Data Source: Opens the Data Source Catalog Editor, enabling you to define the LDAP
servers with which NetEnforcer can work or to define a Hosts Text File.


Host Catalog Editor


The Host Catalog contains entries that are the possible values for the Connection Source
and Connection Destination conditions of a Pipe, Virtual Channel or Rule. A sample
Host Catalog Editor is shown below:

Figure 7-3 – Host Catalog Editor


NOTE:
The Any, Internal and External entries are Protected, meaning the definitions for these entries
cannot be modified.


You can enter the host details individually, or NetEnforcer can retrieve IP addresses or
host names from a specified LDAP directory server or text source file. (LDAP servers
and text source files with which NetEnforcer can work are defined in the Data Source
Catalog, page 7-87.) Once you have defined the hosts in a host list, you can group
several host lists together in one Catalog entry.

Defining Host Lists


A host list is a list of one or more hosts. Hosts can be network IP addresses, IP address
ranges, host names and IP subnet addresses. Following are examples of host entries:
• Host: If NetEnforcer is configured to support DNS, you can use logical DNS
names.
• IP: The IP address of a host. For example, 172.16.1.31.
• IP Subnet: For example, 10.10.10.0 with a subnet mask of 255.255.255.0.
• IP Range: A range of IP addresses. For example, 10.1.2.3-10.1.3.7 means the
ranges 10.1.2.3-10.1.2.255 and 10.1.3.1-10.1.3.7.
• MAC: The MAC address of a host.
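The IP Range format above has a coverage gap worth checking before a policy relies on it: by the manual's own example, 10.1.3.0 is not part of 10.1.2.3-10.1.3.7. The following Python is an added example, not code from this guide or from Allot; it validates host items in the five types listed above (IP Subnet written as address/mask, my own notation) and expands an IP Range the way the manual's example does, which I generalise as cutting the range at /24 boundaries and skipping the .0 address of every later block (an assumption drawn from that single example).

```python
import ipaddress
import re
from typing import List, Tuple

# Added example, not Allot's code.  A host item is a (type, value) pair using the
# host types listed in the manual: "Host", "IP", "IP Subnet", "IP Range", "MAC".
# IP Subnet values are written here as "address/mask" (my own notation).
HostItem = Tuple[str, str]

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
_DNS_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def expand_ip_range(spec: str) -> List[Tuple[str, str]]:
    """Split an IP Range item into the sub-ranges it actually covers.

    The manual states that 10.1.2.3-10.1.3.7 means 10.1.2.3-10.1.2.255 and
    10.1.3.1-10.1.3.7.  Assumption generalised from that single example: the
    range is cut at /24 boundaries and the .0 address of every block after
    the first is skipped, so 10.1.3.0 is NOT covered by that item.
    """
    start_s, end_s = spec.split("-", 1)
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip())
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    pieces: List[Tuple[str, str]] = []
    cur = start
    while True:
        block_last = ipaddress.IPv4Address(int(cur) | 0xFF)   # x.y.z.255
        piece_end = min(block_last, end)
        pieces.append((str(cur), str(piece_end)))
        if piece_end == end:
            break
        # Step over the next block's .0 address, as in the manual's example.
        cur = ipaddress.IPv4Address(int(block_last) + 2)
        if cur > end:          # the range ended exactly on a skipped .0 address
            break
    return pieces


def validate_host_item(item: HostItem) -> bool:
    """Return True if the value is well-formed for its host type."""
    kind, value = item
    try:
        if kind == "IP":
            ipaddress.IPv4Address(value)
        elif kind == "IP Subnet":
            ipaddress.IPv4Network(value, strict=False)   # e.g. 10.10.10.0/255.255.255.0
        elif kind == "IP Range":
            expand_ip_range(value)
        elif kind == "MAC":
            return bool(_MAC_RE.match(value))
        elif kind == "Host":
            return bool(_DNS_RE.match(value)) and len(value) <= 253
        else:
            return False
        return True
    except ValueError:          # ipaddress errors are ValueError subclasses
        return False


def ip_in_host_item(item: HostItem, address: str) -> bool:
    """True if an IPv4 address is covered by an IP, IP Subnet or IP Range item.

    Host and MAC items are not address-based and never match here.
    """
    kind, value = item
    addr = ipaddress.IPv4Address(address)
    if kind == "IP":
        return addr == ipaddress.IPv4Address(value)
    if kind == "IP Subnet":
        return addr in ipaddress.IPv4Network(value, strict=False)
    if kind == "IP Range":
        return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
                   for lo, hi in expand_ip_range(value))
    return False
```

Running `ip_in_host_item(("IP Range", "10.1.2.3-10.1.3.7"), "10.1.3.0")` returns False, which is the address a reviewer would otherwise assume is covered.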

To define a host:
1. In the Host Catalog Editor, click New. The following popup menu is displayed:

Figure 7-4 – New Host Entry Popup Menu


2. Select Host List. A new entry is added to the List pane in the Host Catalog.

Figure 7-5 – Host Catalog Editor: Adding Hosts

3. Edit the name of the entry in the Contents of field, if required.

4. In the Host Item area, click on the required host type radio button and input the
relevant details in the corresponding text field.
5. From the Interface Loc of Host dropdown list, select the location of the host
relative to NetEnforcer: Anywhere, Internal or External.
6. Click Add. The defined host is displayed in the Defined Items area.
NOTE:
The list of hosts in the Defined Items area can be sorted by clicking on any column header. For
example, click Type to sort the list by type of host.


7. Repeat steps 4-6 to add other hosts, as required. You can add up to 10,000 entries in
a host list.
NOTE:
To delete a host from the list, select the host in the Defined Items area and click Delete. To edit a host
in the list, select the host in the Defined Items area, make the changes required to the definition and
click Update.

8. Click OK. The new entry (entries) is saved in the Host Catalog and the Host Catalog
is closed. In order to save the new entry to the database, you must save the Policy
Editor.

Applying NetEnforcer in a DHCP Environment


DHCP clients are those with a time-limited IP address. Dynamic IP addresses are
supported and handled as follows:
• Today most DNS servers support dynamic update. This means that a DHCP server
can dynamically inform the DNS server of any IP assignment.
• DHCP update includes the computer name to which an IP address was assigned.
• The DNS Server enters the update as part of the client name space.
• The NetEnforcer supports DNS queries. It decides whether or not to redirect
specific traffic, based on the DNS-defined computer name.
• A policy is defined to redirect only those clients that require it. Other privileged
addresses go directly without content filtering.


Grouping Hosts
A host group is a collection of previously defined Host Catalog entries of Host List
type grouped together in an additional entry. This eliminates the need to create several
similar Pipes, Virtual Channels or Rules for hosts. The QoS defined for the group
applies to all the hosts in the group.
For example, you can create a group of hosts, called Division 1. Division 1 can contain
three Host List catalog entries: Department A (employees a, b and c), Department B
(employees d, e and f) and Department C (employees g, h and j).
Groups are useful when working with templates. For more information, refer to the
Templates section in Chapter 8, Defining Policies.


To group Host Catalog entries:


1. In the Host Catalog Editor, click New. The new host entry popup menu is displayed,
as shown in Figure 7-4.
2. Select Group of Hosts. A new entry is added to the List pane in the Host Catalog
Editor, as follows:

Figure 7-6 – Host Catalog Editor: Grouping Hosts

3. Edit the name of the entry in the Contents of field, if required.

The list in the Available Host Lists area displays all the available host list Catalog
entries that can be added to the host group. The list in the Selected Lists in Group
area displays the Catalog entries that you have selected to include in this host group.


4. Add Catalog entries to the group using the following buttons:
• Adds the entries selected in the Available Host Lists area to the Selected
Lists in Group area.
• Adds all the entries in the Available Host Lists area to the Selected Lists in
Group area.
• Removes the entries selected in the Selected Lists in Group area and
returns them to the Available Host Lists area.
• Removes all the entries from the Selected Lists in Group area and returns
them to the Available Host Lists area.
NOTE:
The entries in the Selected Lists in Group area can be sorted alphabetically by clicking on the column
header.

5. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.

Defining LDAP-based Hosts


LDAP (Lightweight Directory Access Protocol) is a communications protocol that
enables NetEnforcer to retrieve hosts from an LDAP directory server associated with
your NetEnforcer. Before creating Host Catalog entries using LDAP definitions, you
must enter LDAP server details in the Data Source Catalog. For more details, refer to
Data Source Catalog Editor, page 7-87.
You can specify (in the Policy Server tab of the NetEnforcer Configuration window)
how often the LDAP directory server is read and the host information in NetEnforcer
refreshed. For more details, refer to Chapter 4, Configuring NetEnforcer, Section Policy
Server.


To define an LDAP-based host:


1. In the Host Catalog Editor, click New. The new host popup menu is displayed, as
shown on page 7-9.
2. Select Data Source Query and then select the appropriate source from the list
displayed. The list displays the LDAP servers and text files defined in the Data
Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87. A
new entry is added to the List pane in the Host Catalog Editor, as follows:

Figure 7-7 – Hosts Catalog Editor: LDAP-based Hosts

3. Edit the name of the entry in the Contents of field, if required.


4. Define the query to the LDAP server, as follows:


• In the Directory Subtree Root field, enter the root in the LDAP server that
NetEnforcer will search.
• In the LDAP Directory Main Filter field, enter the filter string that defines the
criteria for the query according to RFC 1960.
• In the Addresses Attribute Name field, enter the name of the attribute that holds
the IP addresses of the entries, as follows:
Attribute Name     Format                  Example
Network Address    <IP V4>:<Mask bits>     172.16.1.152:24
IP Range           <IP V4>:<IP V4>         172.16.1.1:172.16.1.23
Any Address        3
Host Name          4:<Host name>           allot.com
• In the Group Selector field, enter the attribute by which NetEnforcer will search
for group entries.

5. Click Fetch & View Contents to preview the hosts retrieved from the LDAP
directory server.
6. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.

NOTE:
The actual execution of the LDAP query occurs when the Policy Editor is saved (or resaved). If the
Fetch operation fails, NetEnforcer will retry the operation according to the retry interval parameter,
defined in the LDAP/Text Source tab of the NetEnforcer Configuration window. Refer to the
LDAP/Text Source section in Chapter 4, Configuring NetEnforcer.
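Because the query only runs when the Policy Editor is saved, a malformed or overly broad attribute value is easy to miss until a policy already matches the wrong traffic. The following Python is an added example, not code from this guide or from Allot: it decodes values in the four Addresses Attribute formats from the table above and flags entries whose reach is wider than a site. It assumes the Host Name example is stored as 4:allot.com, and that host bits in a Network Address value are masked off (the manual does not say).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not Allot's code.  Formats from the Host Catalog Editor table:
#   Network Address  <IP V4>:<Mask bits>   e.g. 172.16.1.152:24
#   IP Range         <IP V4>:<IP V4>       e.g. 172.16.1.1:172.16.1.23
#   Any Address      3
#   Host Name        4:<Host name>         e.g. 4:allot.com (assumed encoding)

_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


@dataclass
class LdapHost:
    kind: str                                      # "network", "range", "any" or "hostname"
    network: Optional[ipaddress.IPv4Network] = None
    first: Optional[ipaddress.IPv4Address] = None
    last: Optional[ipaddress.IPv4Address] = None
    hostname: Optional[str] = None


def parse_address_attribute(value: str) -> LdapHost:
    """Decode one Addresses Attribute value; raises ValueError on malformed input."""
    v = value.strip()
    if v == "3":
        return LdapHost(kind="any")
    if v.startswith("4:"):
        name = v[2:]
        if not _HOSTNAME_RE.match(name) or len(name) > 253:
            raise ValueError(f"invalid host name: {name!r}")
        return LdapHost(kind="hostname", hostname=name)
    if ":" not in v:
        raise ValueError(f"unrecognised address attribute: {value!r}")
    left, right = v.split(":", 1)
    first = ipaddress.IPv4Address(left)            # raises on a malformed address
    if right.isdigit():
        bits = int(right)
        if not 0 <= bits <= 32:
            raise ValueError(f"mask bits out of range: {bits}")
        # Host bits are masked off (assumption): 172.16.1.152:24 -> 172.16.1.0/24.
        return LdapHost(kind="network",
                        network=ipaddress.IPv4Network(f"{first}/{bits}", strict=False))
    last = ipaddress.IPv4Address(right)
    if last < first:
        raise ValueError(f"range end {last} precedes start {first}")
    return LdapHost(kind="range", first=first, last=last)


def is_valid_address_attribute(value: str) -> bool:
    """True if the value would be accepted by parse_address_attribute."""
    try:
        parse_address_attribute(value)
        return True
    except ValueError:
        return False


def scope_warning(host: LdapHost, widest_ok_prefix: int = 16) -> Optional[str]:
    """Describe why an entry is suspiciously broad, or None if it is not.

    A mistyped mask-bits value (":2" instead of ":24") silently widens every
    policy that references the Host Catalog entry built from this attribute.
    """
    if host.kind == "any":
        return "entry matches any address"
    if host.kind == "network" and host.network.prefixlen < widest_ok_prefix:
        return f"prefix /{host.network.prefixlen} covers {host.network.num_addresses} addresses"
    if host.kind == "range":
        span = int(host.last) - int(host.first) + 1
        if span > 2 ** (32 - widest_ok_prefix):
            return f"range spans {span} addresses, more than a /{widest_ok_prefix}"
    return None
```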


Defining Text File-Based Hosts


NetEnforcer can extract host addresses from a text file (CSV file). Before creating Host
Catalog entries using a text file as a data source, you must enter the text file details in
the Data Source Catalog. For more details, refer to Data Source Catalog Editor,
page 7-87.
You can specify (in the LDAP/Text Source tab of the NetEnforcer Configuration
window) how often the text file is read and the host information in NetEnforcer
refreshed. For more details, refer to the LDAP/Text Source section in Chapter 4,
Configuring NetEnforcer.


To define a text file-based host:


1. In the Host Catalog Editor, click New. The new host entry popup menu is displayed,
as shown in Figure 7-4.
2. Select Data Source Query and then select the appropriate source from the list
displayed. The list displays the LDAP servers and text files defined in the Data
Source Catalog. For more details, refer to Data Source Catalog Editor, page 7-87.
A new entry is added to the List pane in the Host Catalog Editor, as follows:

Figure 7-8 – Hosts Catalog Editor: Text File-Based Hosts

3. Edit the name of the entry in the Contents of field, if required.

4. In the Text File Path field, enter the location of the text file data source. This is the
path or the host, as defined in the text source definitions, described on page 7-88.
5. In the Delimiter area, select the delimiter used in the text (CSV) file.


6. In the Location & Positions area, enter the following information:


• In the Start Query at Row field, enter the number of the row where NetEnforcer
should start reading the data. (First row is 1.)
• In the Address Field Position field, enter the number of the column where the
address is located. (First column is 1.)
• In the Group Selector Field Pos field, enter the number of the group selector
field. This parameter is used to create (internally) a host entry name for each line
in the text file.
7. Click Fetch & View Contents to preview the hosts retrieved from the text file.

8. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.

NOTE:
The actual execution of the query occurs when the Policy Editor is saved (or resaved). If the Fetch
operation fails, NetEnforcer will retry the operation according to the retry interval parameter, defined
in the LDAP/Text Source tab of the NetEnforcer Configuration window. Refer to the LDAP/Text
Source section in Chapter 4, Configuring NetEnforcer.
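The following Python is an added example, not code from this guide or from Allot, that performs the extraction the Delimiter and Location & Positions fields describe, on a constructed sample file: it honours the 1-based Start Query at Row, Address Field Position and Group Selector Field Pos values and groups the addresses by group selector value, which is what a Fetch & View Contents preview would let you check. The manual does not say how a row that lacks either field is handled; skipping it, rather than guessing, is this example's choice.

```python
import csv
import io
from typing import Dict, List

# Constructed sample text data source (not from the manual): a header row, then
# one host per line, ';' as delimiter.  The empty row and the short row are
# deliberate, to exercise the edge cases.
SAMPLE_CSV = """\
name;address;department
fileserver;172.16.1.31;finance
printer;172.16.1.40;finance
;;
orphan;10.1.2.99
laptop7;10.1.2.3-10.1.3.7;engineering
wiki;10.10.10.0:24;engineering
"""


def fetch_hosts_from_text(text: str, delimiter: str, start_row: int,
                          address_pos: int, group_pos: int) -> Dict[str, List[str]]:
    """Mimic Fetch & View Contents for a text data source.

    start_row, address_pos and group_pos are 1-based, as in the editor.
    Returns {group selector value: [addresses...]} in file order.
    """
    if min(start_row, address_pos, group_pos) < 1:
        raise ValueError("row and column positions are 1-based")
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    groups: Dict[str, List[str]] = {}
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for row_no, row in enumerate(reader, start=1):
        if row_no < start_row:
            continue                   # rows before Start Query at Row are ignored
        if len(row) < max(address_pos, group_pos):
            continue                   # too short to hold both fields: skip, do not guess
        address = row[address_pos - 1].strip()
        group = row[group_pos - 1].strip()
        if not address or not group:
            continue                   # an empty cell would produce a blank host or name
        groups.setdefault(group, []).append(address)
    return groups


if __name__ == "__main__":
    # Preview with the header skipped: address in column 2, group selector in column 3.
    for group, addresses in fetch_hosts_from_text(SAMPLE_CSV, ";", 2, 2, 3).items():
        print(group, addresses)
```

Setting Start Query at Row to 1 on this file turns the header into a host named "department" with address "address", which is the kind of mistake the preview exists to catch.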


Service Catalog Editor


The Service Catalog contains entries that are the possible values for the Service of a
policy. The Service defines the protocol of the connection passing through NetEnforcer.
The entries are applications or protocol specifications, including network protocols,
transport protocols and application protocols. When you define an HTTP, Oracle, H.323
or Citrix application, you can also add content definitions under it. A sample Service
Catalog Editor is shown below:

Figure 7-9 – Service Catalog Editor


NOTE:
The All IP, All Service, All TCP and All UDP entries are Protected, meaning the definitions for these
entries cannot be modified.
You can enter the application details individually, or you can import services from a
protocols library. Once you have defined the applications, you can group several entries
together in one Catalog entry.


From the Service Catalog Editor, you can define the following types of applications:
• TCP and UDP IP Protocols, page 7-21.
• Non-TCP and non-UDP IP Protocols, page 7-23.
• Non-IP Protocols, page 7-24.
• You can also define content for HTTP, Oracle, H.323, Citrix and other
applications. For more information, refer to Adding Content, page 7-31.

Defining TCP and UDP IP Protocols


When the connection is based on either TCP or UDP protocol, you define destination
ports (meaning the target of the connection) as well as timeouts for the protocol.

To define TCP and UDP IP protocols:


1. In the Service Catalog Editor, click New. The following popup menu is displayed:

Figure 7-10 – New Service Entry Popup Menu


2. Select Application. A new entry is added to the List pane in the Service Catalog
Editor.
3. Edit the name of the entry in the Contents of field, if required.
4. In the Protocol Definition area, select IP from the Network Protocol dropdown
list.


5. From the Transport Protocol dropdown list, select TCP or UDP.

Figure 7-11 – Service Catalog: TCP/UDP Protocol


6. From the Application Protocol dropdown list, select the application protocol.

7. In the Ports tab, specify the target of the connection (destination port) as follows:
• In the Destination Ports list, click the next available row and enter a destination
port number.
NOTES:
Port ranges can be entered as well. For example, enter 110-125 to indicate ports numbered 110
through 125.
You can delete destination or source ports by selecting the port and pressing <Delete>.

8. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to
remain open with no traffic passing through it before closing it.
9. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.


Defining Non-TCP and Non-UDP IP Protocols


When the connection is IP, the protocol parameters vary according to whether the
selected IP protocol is TCP/UDP or others.

To define non-TCP and non-UDP IP protocols:


1. In the Service Catalog Editor, click New. The new service entry popup menu is
displayed, as shown in Figure 7-10.
2. Select Application. A new entry is added to the List pane in the Service Catalog
Editor.
3. In the Protocol Definition area, select IP from the Network Protocol dropdown
list.
4. From the Transport Protocol dropdown list, select a protocol that is not UDP or
TCP. If the non-TCP/non-UDP protocol that you require does not appear in the
Transport Protocol dropdown list, you can add it by clicking the browse button,
entering the protocol number in decimal (not hexadecimal) notation and clicking
OK.

Figure 7-12 – Service Catalog: Non-UDP/TCP IP Protocol


5. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to
remain open with no traffic passing through it before closing it.
6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.

Defining Non-IP Protocols


When the connection is non-IP, you simply specify the required protocol in the Service
Catalog entry.

To define non-IP protocols:


1. In the Service Catalog Editor, click New. The new service entry popup menu is
displayed, as shown in Figure 7-10.
2. Select Application. A new entry is added to the List pane in the Service Catalog
Editor.
3. Edit the name of the entry in the Contents of field, if required.
4. In the Protocol Definition area, select the required non-IP protocol from the
Network Protocol dropdown list. If the protocol that you require does not appear in
the list, you can add it by clicking the browse button, entering the protocol
number in decimal (not hexadecimal) notation and clicking OK.


Figure 7-13 – Service Catalog: Non-IP Protocol

TIP:
If you select a non-IP service as the Service condition in the Policy Editor, you must select Any for the
Connection Source and Connection Destination conditions, since all other Host Catalog entries are
IP-based. You should also define TOS as Ignored.

5. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to
remain open with no traffic passing through it before closing it.
6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.


Importing Protocols
You can create entries in the Service Catalog by importing services from a protocols
library. This library includes a selection of about 8000 services and is based on the
IANA list of protocols.

To import protocols:
1. In the Service Catalog Editor, click New. The new service entry popup menu is
displayed, as shown in Figure 7-10.
2. Select Import from Protocols Library. The Protocols Library dialog box is
displayed.

Figure 7-14 – Protocols Library Dialog Box


NOTE:
Protocols that have already been added to the Service Catalog appear disabled (grayed out) in the
Protocols Library dialog box.

3. Select the checkbox in the Add column for the protocols you want to add to the
Service Catalog and click Add to Catalog. The selected protocols are added as
entries to the Service Catalog.
TIP:
To filter the protocols displayed, select a grouping from the Display dropdown list. For example, if you
select TCP protocols, only TCP protocols are listed in the dialog box.

4. Click Close to close the Protocols Library dialog box.

Importing Protocols from the Policy Editor


You can also import protocols from the Policy Editor. Using this procedure, you change
the service of a rule and also import the new protocol into the Service Catalog.

To import protocols from the Policy Editor:


1. In the Policy Editor, right-click an entry in the Service column. The following popup
menu is displayed:

Figure 7-15 – Accessing Protocols Library Dialog Box From Policy Editor


2. Click Select from Protocols Library. The Protocols Library dialog box is
displayed.

Figure 7-16 – Protocols Library Dialog Box Accessed From Policy Editor

3. Select a single protocol from the list and click Select. The selected entry in the
Policy Editor is replaced with the new protocol and the selected protocol is added to
the Service Catalog.


Web Update
You can also use the Web Update feature to add new protocols and applications to the
Service Catalog automatically (when they become available and are announced by Allot
Communications), without performing a software update.
A service Web update adds both the service entries and the corresponding Layer-7
signatures for the new protocols and applications. The new service entries are also
added automatically to the relevant default service groups. For example, new P2P
applications are added to the default P2P service group.
Note: This service is available only to customers with a valid support agreement.
To perform a service Web update:
1. From the Tools menu, select Update Service Catalog from Allot
Communications. The service catalog update message is displayed, as shown in
Figure 7-17.

Figure 7-17 – Web Update Message

2. Click OK.

NOTE:
An alert is displayed in the Alerts log indicating the success or failure of the Web Update process.


Grouping Service Catalog Entries


You can group together a collection of previously defined Service Catalog entries in an
additional entry. This eliminates the need to create several similar Pipes, Virtual
Channels or Rules for services. The QoS defined for the group applies to all the services
in the group.

To group Service Catalog entries:


1. In the Service Catalog Editor, click New. The new service entry popup menu is
displayed, as shown in Figure 7-10.
2. Select Group of Services. A new entry is added to the List pane in the Service
Catalog Editor.

Figure 7-18 – Service Catalog Editor: Grouping Services

3. Edit the name of the entry in the Contents of field, if required.

The list in the Available Services area displays all the Service Catalog entries
that can be added to the service group. The list in the Selected Services in
Group area displays the Catalog entries that you have selected to include in this
service group.
4. Add Catalog entries to the group using the four buttons between the two lists:

• Adds the entries selected in the Available Services area to the Selected
Services in Group area.
• Adds all the entries in the Available Services area to the Selected Services
in Group area.
• Removes the entries selected in the Selected Services in Group area and
returns them to the Available Services area.
• Removes all the entries from the Selected Services in Group area and
returns them to the Available Services area.
5. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.

Adding Content
Most Application Protocol entries classify traffic by the protocol itself. Transport
Protocol entries let you specify destination ports, and some apply to any traffic
regardless of port.
This section explains how to classify traffic by its content within certain Application
Protocols. Examples of such protocols are HTTP, Oracle, H.323, SMTP, FTP, Citrix and
some P2P applications.


Defining FTP Content


FTP (File Transfer Protocol) is the traditional Internet protocol for file transfer. In
addition to recognizing FTP traffic, NetEnforcer lets you define FTP content-based
classification. You can define independent Service Catalog entries that reference FTP
content by entering information in the Command and File Name tabs. These entries can
subsequently be used in the Policy Editor. For example, the Command tab can be used to
distinguish an FTP upload from an FTP download, and the File Name tab can be used to
recognize FTP traffic by the name of the file transferred over the FTP session.

To add FTP content:


1. In the Service Catalog Editor, select the FTP-Sig protocol in the List pane and click
New and then Content from the service entry popup menu displayed. A new content
entry is added below the selected “FTP Sig” Service in the List pane and the Service
Catalog Editor is displayed, as follows:

Figure 7-19 – Service Catalog: Adding Content and File Name Tab


NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

3. In the File Name tab, enter a file name as follows:

• Click Add. The Add Item dialog box is displayed.
• Enter the required file name and click Add. The file name is displayed in the
File Name tab.
• Add further file names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.

4. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.


Defining HTTP Content


HTTP (Hyper Text Transfer Protocol) is one of the dominant protocols on the Web. It is
mainly used for Web surfing, but it has many other uses such as file transfer, streaming
media and P2P applications (as a transport). NetEnforcer automatically recognizes
"non-traditional" applications that use HTTP as their base protocol (e.g. Kazaa,
Gnutella, HTTP Streaming) by their own names; those applications are not classified as
HTTP and are therefore not covered by this section.
For traditional HTTP uses, such as Web surfing and file transfer, NetEnforcer allows
content-based classification. You can define independent Service Catalog entries that
reference HTTP content by entering information in four tabs: URL, Methods, Hosts and
Content-Type. These entries can subsequently be used in the Policy Editor. For
example, the URL tab can be used to differentiate between file names or URLs requested
over HTTP. The Methods tab can be used to distinguish HTTP transactions by method, such
as GET or PUT. The Hosts tab can be used to differentiate between Web servers that share
the same IP address ("virtual hosts"). The Content-Type tab can be used to distinguish
the type of content carried in an HTTP transaction (e.g. text/html, image/jpeg).


To add HTTP content:


1. In the Service Catalog Editor, select the HTTP Sig protocol in the List pane and
click New and then Content from the service entry popup menu displayed. A new
content entry is added below the selected HTTP Sig protocol in the List pane and the
Service Catalog Editor is displayed, as follows:

Figure 7-20 – Service Catalog: Adding Content and URL Tab

NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.


3. In the URL tab, enter a URL as follows:


• Click Add. The Add Item dialog box is displayed.

• Enter the required URL and click Add. The URL is displayed in the URL tab.
• Add further URLs using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
A Web request carries this identifier; the object it identifies may be an HTML page,
an image, a Java applet or a CGI program. For a complete description of how to set
up a policy that matches a URL, see the tip on page 7-40.

NOTE:
You can delete a URL by selecting the URL and pressing <Delete> on your keyboard or by clicking
Remove in the URL tab.

4. Select the Methods tab.

Figure 7-21 – Adding Content: Methods Tab


5. In the Methods tab, enter an HTTP method as follows:


• Click Add. The Add Item dialog box is displayed with a predefined list of
methods.

• Select the required method and click Add. The method is displayed in the
Methods tab.
• Add further methods using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
The predefined list covers seven HTTP/1.1 methods: GET, PUT, POST, OPTIONS, HEAD,
DELETE and TRACE. A service can be based on one or more of these methods.
NOTE:
You can delete a method by selecting the method and pressing <Delete> on your keyboard or by
clicking Remove in the Methods tab.

6. Select the Hosts tab.

Figure 7-22 – Adding Content: Hosts Tab


7. In the Hosts tab, enter a host as follows:


• Click Add. The Add Item dialog box is displayed.

• Enter the required host and click Add. The host is displayed in the Hosts tab.
• Add further hosts using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
The host string is compared against the value of the Host header in the HTTP request
sent by a client (such as Netscape Navigator or Internet Explorer). This string is
usually the name of the host that the user requested, possibly suffixed with ":port",
where port is the port number the browser uses to connect to the server (usually 80
for HTTP).
For example, a browser that sends an HTTP request to www.cnn.com puts the string
www.cnn.com or www.cnn.com:80 in the Host header of the request. To match all traffic
to a host, with or without the port suffix, add * at the end of the string, for
example www.cnn.com*. A host can also be identified by its IP address, in the format
IP address or IP address:port number, for example 173.17.1.1:80.
The typical use of this kind of match is virtual hosting, where more than one Web
site is hosted at the same IP address, which is possible when DNS translates many
names to one IP address.

NOTE:
You can delete a host by selecting the host and pressing <Delete> on your keyboard or by clicking
Remove in the Hosts tab.


8. Select the Content Type tab.

Figure 7-23 – Adding Content: Content Type Tab

9. In the Content Type tab, enter a content type as follows:


• Click Add. The Add Item dialog box is displayed with a predefined list of content
types.

• Select the required content type and click Add. The content type is displayed in
the Content Type tab.
• Add further content types using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
The predefined list classifies by the Content-Type header of the HTTP message, which
describes the data carried in the HTTP body. For example, you may want to restrict all
forms of audio content while allowing all HTML files and pictures.
10. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.


TIP:
Defining URL and Application-Level Rules
NetEnforcer enables you to reference Service entries in Pipes, Virtual Channels, and Rules by application and
content type, including:
• HTTP URL addresses.
• Web directories and pages.
• Application content types.
URLs are the addresses by which documents are identified on the World Wide Web. A rule can be defined to
match a specific URL, a list of URLs or a pattern of URLs, for example *.gif or /document/*.
A URL has the following structure:
<scheme>://<server name>[:<port>]/<relative path of query from HTTP server root>
Where:
• Scheme is the transfer protocol, for example HTTP (Hypertext Transfer Protocol) or FTP
(File Transfer Protocol).
• Server name is the IP address of the server on which the document resides, or its DNS name.
• Path describes the location of the document on the server relative to the server's root directory.
To define a rule that matches a set of URLs of a specific type (for example, HTTP) on a specific host, two
sections in the Service Catalog must be defined: a Host and a URL. The part of the URL relevant for the Host
section is the server name (with its optional port), and the part relevant for the URL section is the path,
as in the following example: for the URL http://www.allot.com/news/index.html, www.allot.com goes in the
Host section and /news/index.html or /news/* goes in the URL section. This bears no relation to entries in
the Host Catalog.
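As an added worked example (written for this page; it is not NetEnforcer code, and the product's exact matching rules may differ), the following Python classifier applies the four HTTP content conditions described above to constructed requests: URL patterns such as /news/* and *.gif, the method, the Host header with its optional ":port" suffix and trailing "*", and the Content-Type of the response. The class and function names, the treatment of "*" as a general wildcard in URL patterns, and the rule that a tab with no items imposes no condition are assumptions of the example.

```python
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class HttpContentEntry:
    """One HTTP content entry: the items from the URL, Methods, Hosts and Content-Type tabs."""
    name: str
    urls: list = field(default_factory=list)           # e.g. "/news/*", "*.gif"
    methods: list = field(default_factory=list)        # e.g. "GET", "POST"
    hosts: list = field(default_factory=list)          # e.g. "www.allot.com", "www.cnn.com*", "173.17.1.1:80"
    content_types: list = field(default_factory=list)  # e.g. "text/html", "audio/*"


def parse_request(raw: bytes):
    """Return (method, request-target, headers) from the head of an HTTP/1.x request."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_matches(pattern: str, host_header: str) -> bool:
    """Hosts tab semantics: a trailing '*' matches 'www.cnn.com' and 'www.cnn.com:80' alike;
    without it the string, including any ':port', must match exactly (case-insensitively)."""
    if pattern.endswith("*"):
        return host_header.lower().startswith(pattern[:-1].lower())
    return host_header.lower() == pattern.lower()


def url_matches(pattern: str, path: str) -> bool:
    """URL tab semantics: compare the request path; '*' is a wildcard, as in '/news/*' or '*.gif'."""
    return fnmatch.fnmatchcase(path, pattern)


def classify(entry: HttpContentEntry, raw_request: bytes, response_content_type: str = "") -> bool:
    """True when the request (and, for Content-Type, the response header) satisfies every
    populated tab of the entry. An empty tab imposes no condition (assumption)."""
    method, target, headers = parse_request(raw_request)
    # An absolute-form target (http://host/path, as sent to a proxy) is reduced to its path.
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.IGNORECASE)
    checks = []
    if entry.methods:
        checks.append(method.upper() in {m.upper() for m in entry.methods})
    if entry.hosts:
        checks.append(any(host_matches(h, headers.get("host", "")) for h in entry.hosts))
    if entry.urls:
        checks.append(any(url_matches(u, path) for u in entry.urls))
    if entry.content_types:
        media_type = response_content_type.split(";")[0].strip().lower()  # drop "; charset=..."
        checks.append(any(fnmatch.fnmatchcase(media_type, c.lower()) for c in entry.content_types))
    return all(checks)


# Constructed sample entries, modelled on the section's own examples (not real policy data).
ALLOT_NEWS = HttpContentEntry("allot-news", urls=["/news/*"], methods=["GET"], hosts=["www.allot.com*"])
ALL_GIFS = HttpContentEntry("gif-images", urls=["*.gif"])
HTTP_AUDIO = HttpContentEntry("audio-over-http", content_types=["audio/*"])

# Constructed sample requests.
REQ_NEWS = b"GET /news/index.html HTTP/1.1\r\nHost: www.allot.com\r\nUser-Agent: test\r\n\r\n"
REQ_NEWS_PROXY = b"GET http://www.allot.com/news/2004/q1.html HTTP/1.1\r\nHost: www.allot.com:80\r\n\r\n"
REQ_POST = b"POST /news/comment HTTP/1.1\r\nHost: www.allot.com\r\nContent-Length: 4\r\n\r\nbody"
REQ_GIF = b"GET /images/logo.gif HTTP/1.1\r\nHost: 173.17.1.1:80\r\n\r\n"


def demo():
    """Classify the samples; returns the names of the entries each request matched."""
    results = {}
    for label, req, ctype in [("news", REQ_NEWS, "text/html; charset=utf-8"),
                              ("news-proxy", REQ_NEWS_PROXY, "text/html"),
                              ("post", REQ_POST, "text/html"),
                              ("gif", REQ_GIF, "image/gif"),
                              ("mp3", REQ_NEWS, "audio/mpeg")]:
        results[label] = [e.name for e in (ALLOT_NEWS, ALL_GIFS, HTTP_AUDIO) if classify(e, req, ctype)]
    return results


if __name__ == "__main__":
    for label, matched in demo().items():
        print(f"{label:10s} -> {matched or ['(no content match)']}")
```

Everything the classifier looks at except Content-Type is supplied by the client, so a rule keyed on Host, URL or method classifies what the client claims to be requesting. That is adequate for prioritizing traffic, but it should not be the only control when the rule grants a privileged service level, since a client can put any Host header or path in its request.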


Defining Oracle Content


Defining Oracle content enables you to define all Oracle traffic based on database
names and/or user names. These entries can subsequently be used in the Policy Editor.

To add Oracle content:


1. In the Service Catalog Editor, select the Oracle TCP protocol in the List pane and
click New and then Content from the service entry popup menu displayed. A new
content entry is added below the selected Oracle protocol in the List pane and the
Service Catalog Editor is displayed, as follows:

Figure 7-24 – Service Catalog: Adding Content and Service Tab

NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.


3. In the Service Name tab, enter the database name as follows:


• Click Add. The Add Item dialog box is displayed.

• Enter the required database name and click Add. The database name is displayed
in the Service Name tab.
• Add further database names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.

4. Select the User Name tab.

5. In the User Name tab, enter user names as follows:


• Click Add. The Add Item dialog box is displayed.


• Enter the required user name and click Add. The user name is displayed in the
User Name tab.
• Add further user names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.

6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.

Defining SMTP Content


SMTP (Simple Mail Transfer Protocol) is the de facto mail transfer protocol used on the
Internet. NetEnforcer can distinguish between SMTP sessions according to the "From"
field, which represents the address (e.g. john@allot.com) or the domain (e.g. allot.com)
of the email originator. For example, you can use an SMTP content-based rule to
identify SMTP traffic carrying email that originates from your company's domain and
assign it higher priority. Another example is to allow only SMTP traffic carrying email
from well-known domains, as a measure against spam. Bear in mind that the sender
address is supplied by the sending host and is trivially forged, so such a rule should
not be the only anti-spam control.
You can define independent Service Catalog entries that reference SMTP content.
These entries can subsequently be used in the Policy Editor.


To add SMTP content:


1. In the Service Catalog Editor, select the SMTP protocol in the List pane and click
New and then Content from the service entry popup menu displayed. A new content
entry is added below the selected SMTP protocol in the List pane and the Service
Catalog Editor is displayed, as follows:

Figure 7-25 – Service Catalog: Adding Content and URL Tab

NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.

3. In the Domains tab, enter an address or domain as follows:

• Click Add. The Add Item dialog box is displayed.
• Enter the required email address or domain and click Add. The entry is displayed
in the Domains tab.
• Add further addresses or domains using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.

4. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.

Defining H.323 Content


You can define independent Service Catalog entries that reference H.323 content. These
entries can subsequently be used in the Policy Editor.
Defining H.323 content enables you to classify H.323 audio and video traffic. For
audio, classification can additionally be based on the codec, which determines the
bandwidth requirements of the audio stream: the codec converts the analog audio into
digital form and defines how it is compressed. NetEnforcer can classify this type of
traffic and apply a policy to it.


To add H.323 content:


1. In the Service Catalog Editor, select an H.323 protocol in the List pane and click
New and then Content from the service entry popup menu displayed. A new content
entry is added below the selected H.323 protocol in the List pane and the Service
Catalog Editor is displayed, as follows:

Figure 7-26 – Service Catalog: Adding Content in H.323

NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.

2. Edit the name of the entry, if required, in the Contents of field.


3. In the Codec tab, enter H.323 content as follows:


• Click Add. The Add Item dialog box is displayed with a predefined list of H.323
content.

• Select the required H.323 content and click Add. The content is displayed in the
Codec tab.
• Add further H.323 content using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.

4. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.

Defining Citrix Content


Citrix® is a global leader in access infrastructure solutions. Their software enables
people in businesses, governments and educational institutions to securely and instantly
access software applications and information via a thin client.
In a Citrix topology, a client initiates a session to a Citrix server, which provides
access to resources such as a desktop or published applications. Using Citrix
content-based services, NetEnforcer can distinguish between different characteristics
of Citrix sessions. For example, the App Name field in a Citrix content-based service
identifies a session by its published application name, the User Name field identifies
the session by its user, and the Priority Bit field distinguishes Citrix print traffic
from standard Citrix traffic.


To add Citrix content:


1. In the Service Catalog Editor, select a Citrix protocol in the List pane and click New
and then Content from the service entry popup menu displayed. A new content
entry is added below the selected Citrix protocol in the List pane and the Service
Catalog Editor is displayed.

NOTE:
Citrix MetaFrame traffic can be classified by application or user name, with priority optional, by
selecting CITRIX in the Service Catalog.
Citrix NFuse traffic can be classified by application or user name, with priority optional, by selecting
CITRIX – NFUSE in the Service Catalog.
Citrix traffic can be classified by Priority Bit (print traffic) only by selecting CITRIX-ICA in the
Service Catalog.

Figure 7-27 – Service Catalog: Adding Content in Citrix

NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.


2. Edit the name of the entry, if required, in the Contents of field.

3. In the App Name tab, define the application being used through the Citrix protocol,
for example Microsoft Word or Excel, as follows:
• Click Add. The Add Item dialog box is displayed.

• Enter the required application name and click Add. The application name is
displayed in the App Name tab.
• Add further application names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.

4. Select the User Name tab.

Figure 7-28 – Adding Content: User Name Tab


5. In the User Name tab, enter user names as follows:


• Click Add. The Add Item dialog box is displayed.

• Enter the required user name and click Add. The user name is displayed in the
User Name tab.
• Add further user names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.

6. Select the Priority tab.

Figure 7-29 – Adding Content: Priority Tab


7. In the Priority tab, enter the priority as follows:


• Click Add. The Add Item dialog box is displayed with a predefined list of
priorities.

• Select the required priority and click Add. The priority is displayed in the
Priority tab.
• Add further priorities using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.

8. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
NOTE:
NetEnforcer features layer 7+ analysis, using advanced signature recognition, of many Peer-to-Peer
(P2P) applications. Some of the applications that are automatically recognized and classified are:
• KaZaA (V1 & V2), Grokster, iMesh, Poisoned, DietKaza, eDonkey (eDonkey, eMule), xMule,
Overnet, Gnutella, Shareaza, Morpheus
• Gnucleus, XoloX, LimeWire, FreeWire, Bearshare, Acquisition, Phex, Gtk-Gnutella, NEoNapster,
WinMX (WinMX Direct Connect, Direct Connect)
• DC++, BCDC++, Madster, BitTorrent, Nova MP2PMotilino, Blubster, Piolet, SoulSeek, Winny
• Hotline and RockitNet (in the first update)


Time Catalog Editor


The Time Catalog contains entries that are the possible values for the Time of a policy,
meaning the time period when a policy is active. A sample Time Catalog Editor is
shown below:

Figure 7-30 – Time Catalog Editor

NOTE:
The Anytime entry is Protected, meaning the definitions for this entry cannot be modified.

Time periods can have ranges of hours and minutes in which they are active, or they can
be active during whole days. An entry in the Time Catalog has one or several time
periods when policies assigned this entry are active.


To define a time period:


1. In the Time Catalog Editor, click New. A new entry is added to the List pane in the
Time Catalog Editor.
2. Edit the name of the entry in the Contents of field, if required.

3. In the Defined Time Entries area, click Add. The Time Entry Definition dialog box
is displayed:

Figure 7-31 – Time Entry Definition Dialog Box

4. In the Frequency dropdown list, select the frequency of the time period. The options
are as follows:
Daily A period of time that occurs on a daily basis.
Weekly A period of time that occurs on a weekly basis. For example, Monday
from 8:00 to 17:00.
Monthly A period of time that occurs on a monthly basis. For example, the 15th
day of the month.
Yearly A period of time that occurs on an annual basis. For example, January
1st may be defined as a yearly event.


5. The remaining fields in the dialog box vary according to the frequency you select. If
you select Daily, select the time span for the time period from the dropdown list in
the Time Span field:
All day Sets the time period as active for the whole day.
From – Through Enables you to select the exact time that the period will
begin, and the exact time that it will end.

Figure 7-32 – Time Entry Definition: Daily

6. If you select Weekly, select the day of the week for the time period from the
dropdown list in the Day of Week field and the time span from the dropdown list in
the Time Span field, as described in step 5.

Figure 7-33 – Time Entry Definition: Weekly


7. If you select Monthly, select the day of the month for the time period from the Day
of Month field and the time span from the dropdown list in the Time Span field, as
described in step 5.

Figure 7-34 – Time Entry Definition: Monthly

8. If you select Yearly, select the month for the time period from the dropdown list in
the Month field, select the day of the month from the Day of Month field, and the
time span from the dropdown list in the Time Span field, as described in step 5.

Figure 7-35 – Time Entry Definition: Yearly


9. Click OK. The specified time period is displayed in the Defined Time Entries area
in the Definition pane of the Time Catalog Editor.
10. Repeat steps 3 through 9 to add additional time periods as required.

NOTE:
You can edit or delete the time periods using the Edit and Delete buttons in the Defined Time Entries
area.

11. Click OK. The new entry (entries) is saved in the Time Catalog. In order to save the
new entry (entries) to the database, you must save the Policy Editor.
TIP:
Adding a new policy with time-dependent traffic classification is effective only on new connection
attempts. Any existing connection that may fall under that policy continues to pass under its original policy.
If a Reject or Drop action is specified, these actions are applied only to new connection attempts.

NOTE:
A one-time (non-recurring) time range cannot be created. For example, March 15, 2001 from 2:00 PM
through 5:00 PM cannot be defined as such. It can, however, be approximated by a Yearly entry for
March 15, 2:00 PM through 5:00 PM.
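The following Python model, added here as a worked example (it is not NetEnforcer code), evaluates Time Catalog entries built from the four frequencies above against a timestamp, so the recurrence rules of steps 4 to 8 can be checked against concrete dates. The class and function names are the example's own. It assumes that a From-Through span includes the From minute and excludes the Through minute, that a span does not cross midnight, and, as in the Time Catalog, that an entry with several time periods is active whenever any one of them is.

```python
from datetime import datetime, time


class TimePeriod:
    """One Time Entry Definition: a Frequency plus the fields that frequency shows.
    span is None for All day, otherwise a (from_time, through_time) pair."""

    def __init__(self, frequency, span=None, day_of_week=None, day_of_month=None, month=None):
        if frequency not in ("daily", "weekly", "monthly", "yearly"):
            raise ValueError("frequency must be daily, weekly, monthly or yearly")
        if frequency == "weekly" and day_of_week is None:
            raise ValueError("weekly needs day_of_week (0=Monday .. 6=Sunday)")
        if frequency in ("monthly", "yearly") and day_of_month is None:
            raise ValueError("monthly and yearly need day_of_month")
        if frequency == "yearly" and month is None:
            raise ValueError("yearly needs month (1..12)")
        if span is not None and span[0] >= span[1]:
            raise ValueError("From must be earlier than Through on the same day (assumption)")
        self.frequency, self.span = frequency, span
        self.day_of_week, self.day_of_month, self.month = day_of_week, day_of_month, month

    def _day_matches(self, when):
        if self.frequency == "weekly":
            return when.weekday() == self.day_of_week
        if self.frequency == "monthly":
            return when.day == self.day_of_month
        if self.frequency == "yearly":
            return (when.month, when.day) == (self.month, self.day_of_month)
        return True  # daily: every day qualifies

    def _time_matches(self, when):
        if self.span is None:
            return True  # All day
        start, end = self.span
        return start <= when.time() < end  # From inclusive, Through exclusive (assumption)

    def active_at(self, when):
        return self._day_matches(when) and self._time_matches(when)


def entry_active(periods, when):
    """A Time Catalog entry is active whenever any one of its defined time periods is active."""
    return any(p.active_at(when) for p in periods)


def active_at_clock(periods, year, month, day, hour=0, minute=0):
    """Convenience wrapper: evaluate an entry at a wall-clock instant given as numbers."""
    return entry_active(periods, datetime(year, month, day, hour, minute))


# Constructed sample entries (illustrative, not taken from the product).
BUSINESS_HOURS = [TimePeriod("weekly", (time(8, 0), time(17, 0)), day_of_week=d) for d in range(5)]
MID_MONTH = [TimePeriod("monthly", day_of_month=15)]
NEW_YEARS_DAY = [TimePeriod("yearly", day_of_month=1, month=1)]
NIGHT_BACKUP = [TimePeriod("daily", (time(1, 0), time(5, 0)))]

if __name__ == "__main__":
    for label, entry in [("business hours", BUSINESS_HOURS), ("mid-month", MID_MONTH),
                         ("New Year's Day", NEW_YEARS_DAY), ("night backup", NIGHT_BACKUP)]:
        print(f"{label:15s} active on Monday 2004-03-15 09:00? {active_at_clock(entry, 2004, 3, 15, 9, 0)}")
```

As the TIP above says, NetEnforcer evaluates the time condition only when a connection is set up; a connection classified while a period is active stays under that policy after the period ends, so a Drop or Reject action that starts at 17:00 does not cut off flows that began at 16:55.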


TOS (Type of Service) Catalog Editor


The TOS Catalog contains entries that are the possible values for the TOS condition of a
Pipe, Virtual Channel or Rule. The entries in the TOS Catalog are also possible values
for the TOS marking parameters in the QoS Catalog (refer to page 7-71). A sample TOS
Catalog Editor is shown below:

Figure 7-36 – Sample TOS Catalog Editor

NOTE:
All of the entries in Figure 7-36 are predefined public domain TOS definitions and are Protected, meaning
that they cannot be modified.


The TOS byte is a byte in the IP header of a packet that carries forwarding-treatment
information. NetEnforcer classifies traffic based on the TOS byte marking in the IP
headers of the packets passing through it. The Differentiated Services (DiffServ)
standard, for example, redefines the TOS byte as the DS field and uses its upper six
bits (the DSCP) for traffic classification. Using Differentiated Services, the TOS byte
can mark three major traffic classes: Expedited Forwarding, Assured Forwarding and Best
Effort. Assured Forwarding combines a priority class (1 to 4) with a drop precedence
level (Low, Medium or High), making a total of 12 combinations. All of these TOS byte
markings are predefined in the TOS Catalog. Further information regarding the DiffServ
standard can be found at www.ietf.org/rfc/rfc2475.txt.
NetEnforcer also supports TOS classification by Free Format, which can be used to
classify traffic marked with the Cisco IP Precedence bits.
In the TOS Catalog Editor, you can view the properties of predefined entries and create
entries that classify the TOS byte using Free Format, page 7-61.


To view predefined entries:


• In the TOS Catalog Editor, select a predefined entry in the List pane. When you
select the Ignore TOS entry, the Definition pane is displayed as shown on
page 7-57. When you select an entry based on Differentiated Services (Best Effort
or Expedited), the Definition pane is displayed as follows:

Figure 7-37 – TOS Catalog Editor: Differentiated Service

The Service field displays the selected differentiated service, as follows:


Best Effort: traffic is forwarded if and when possible.
Expedited: traffic receives priority treatment.
Assured Forwarding: traffic is forwarded with a level of assurance determined by its class
and drop precedence.


When Assured Forwarding is displayed, two additional fields, Priority Class and
Drop Precedence, are displayed:

Figure 7-38 – Differentiated Service – Assured Forwarding

The Priority Class field displays the class (1 to 4). NetEnforcer orders the classes by
priority: Class 1 is the lowest and Class 4 the highest. (RFC 2597 itself defines the
four AF classes as independent, so the ranking between them is a matter of local policy.)
The Drop Precedence field displays the precedence (Low, Medium or High). Drop
precedence determines which packets are dropped first in times of heavy congestion:
Low means that the packet is dropped only as a last resort, whereas High means that the
packet can be dropped before any others.

NOTE:
The graphic representation of the TOS byte that will be checked against the IP header is displayed in
the Resultant TOS Byte Bit Settings field.


Free Format
TOS classification using Free Format enables you to classify traffic marked according
to the Cisco Precedence Bits method.

To define a TOS using free format:


1. In the TOS Catalog Editor, click New. A new entry is added to the List pane in the
TOS Catalog Editor and the Definition pane is displayed as follows:

Figure 7-39 – TOS Catalog Editor: Free Format

2. Edit the name of the entry in the Contents of field, if required.

3. Define the TOS by selecting the individual bits in the graphic representation of the
TOS byte in the Selected TOS Byte Bit Settings field.

4. Click OK. The new entry (entries) is saved in the TOS Catalog. In order to save the
new entry (entries) to the database, you must save the Policy Editor.
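The predefined entries above (Best Effort, Expedited, Assured Forwarding with its class and drop precedence) and the Free Format bit editor all operate on the same IP TOS byte. The following added example, which is not NetEnforcer code or Allot documentation, decodes a TOS byte into those categories and builds the byte for an Assured Forwarding entry, so you can check what the Resultant TOS Byte Bit Settings graphic should show. It assumes the standard code points from RFC 2474 (DSCP), RFC 2597 (AF) and RFC 3246 (EF); the guide does not state which DSCP values its predefined entries carry.

```python
"""Decode and build IP TOS bytes as the TOS Catalog Editor presents them.

Added example, not NetEnforcer code. The DSCP values are the standard ones
from RFC 2474 (DSCP field), RFC 2597 (Assured Forwarding) and RFC 3246
(Expedited Forwarding); the guide does not list the values behind its
predefined entries, so it is assumed here that they follow those RFCs.
"""

# Drop precedence names used by the editor, keyed by the 2-bit AF drop value.
DROP_PRECEDENCE = {1: "Low", 2: "Medium", 3: "High"}
EF_DSCP = 46            # Expedited Forwarding code point (101110)


def tos_bits(tos: int) -> str:
    """Return the TOS byte as 8 bits, most significant first, like the
    'Resultant TOS Byte Bit Settings' graphic in the editor."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte must be 0..255")
    return format(tos, "08b")


def decode_tos(tos: int) -> dict:
    """Classify a TOS byte into the categories the TOS Catalog uses.

    The top 3 bits are the IP Precedence (the 'Cisco Precedence Bits'
    method); the top 6 bits are the DSCP; the low 2 bits are ECN."""
    bits = tos_bits(tos)
    dscp = tos >> 2
    info = {
        "bits": bits,
        "precedence": tos >> 5,
        "dscp": dscp,
        "ecn": tos & 0b11,
        "service": "Free Format",   # no standard per-hop behaviour matched
    }
    if dscp == 0:
        info["service"] = "Best Effort"
    elif dscp == EF_DSCP:
        info["service"] = "Expedited"
    else:
        # AFxy: class x in DSCP bits 5-3, drop precedence y in bits 2-1, bit 0 is 0.
        af_class = dscp >> 3
        drop = (dscp >> 1) & 0b11
        if dscp & 1 == 0 and 1 <= af_class <= 4 and 1 <= drop <= 3:
            info["service"] = "Assured Forwarding"
            info["class"] = af_class
            info["drop_precedence"] = DROP_PRECEDENCE[drop]
    return info


def af_tos(af_class: int, drop_precedence: str) -> int:
    """Build the TOS byte for an Assured Forwarding entry (ECN bits left 0)."""
    if not 1 <= af_class <= 4:
        raise ValueError("AF class must be 1..4")
    drop = {name: value for value, name in DROP_PRECEDENCE.items()}[drop_precedence]
    dscp = (af_class << 3) | (drop << 1)
    return dscp << 2


if __name__ == "__main__":
    for value in (0x00, 0xB8, af_tos(2, "Medium"), 0x04):
        print(hex(value), decode_tos(value))
```

A byte that is neither Best Effort, Expedited nor a valid AF code point (for example 0x04) comes back as Free Format, which is the case the Free Format editor exists for.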

TIP:

NetEnforcer in an MPLS Environment


MPLS (Multi-protocol Label Switching) has become an important networking technology in the last few years.
This protocol is the first backbone-related protocol to provide a scalable, service-oriented infrastructure for
the Internet. MPLS (an IETF standard whose architecture is defined in RFC 3031) uses the concept of label
switching, which creates a 'virtual circuit' between two end-points, rather than the legacy IP packet-by-packet
routing.
MPLS allows the implementation of QoS-controlled services (especially in an IP-VPN environment) and is
already deployed by several major carriers. The main use of MPLS is to create high quality VPNs (Virtual
Private Networks). In addition, MPLS may be used to allow integrated-access services such as voice/video
and data over IP.
A small label is added to each packet that tells the router how to process it (that is, on which link it should
be sent) along a route that was created in advance. This pre-determined route can be associated with a certain
QoS level, and the routers along the way can, for example, ensure that a certain amount of bandwidth will be
allocated to that route.
When combined with the Differentiated Services standard (DiffServ, IETF RFCs 2474 and 2475), the
network operator may combine service level (implemented by DiffServ) and routing decisions or traffic
engineering (implemented by MPLS) into one system in which the DiffServ behavior is managed by the
MPLS routing. A simple approach is to map DiffServ code points (or, in simple terms, IP header TOS byte
values) onto different MPLS paths.
Integration of the NetEnforcer in an MPLS network
The fundamental assumption is that MPLS networks are built from edge and transit (backbone) devices.
The edge device performs the traffic classification and the transit devices (usually fast core routers)
perform the fast, low-overhead label switching.
The NetEnforcer can control every session that enters the MPLS network, and is able to:
• Classify each session, based on defined policies (conditioned by Layer 2 to Layer 7 information, such as
addresses, protocols, application data and time of day).
• Mark ("color") every packet with a DiffServ code point (IP TOS value) based on the classification and
the user's definitions for the desired Quality of Service.
In addition, the NetEnforcer continues to control and manage the network access by implementing other
QoS behavior actions such as access control, bandwidth guarantees and limitations.

VLAN Catalog Editor


The VLAN Catalog contains Virtual LAN entities as defined in the IEEE 802.1Q standard.
TIP:
Since Ethernet broadcast and multicast traffic is distributed to all devices in a LAN, LANs that are based on
hubs and shared cabling cannot grow with the organization: they become too large to be effective. One
solution is to break large networks into smaller "islands", in order to prevent broadcast and multicast traffic
from propagating network-wide.
The VLAN 802.1Q standard addresses these issues and establishes a way to insert Virtual Local Area
Network (VLAN) information into Ethernet frames. VLANs are LANs that are interconnected by a
virtual Layer 2, and therefore behave as if they were separate physical LANs.
The result is that Layer 2 (MAC) broadcasts remain confined to the VLAN, even though the VLANs are
physically interconnected at Layer 2. This structure creates the additional benefit of a higher level of security
between segments of internal networks.
VLANs are commonly used in campus networks, where they make it possible to change the network
layout without physically moving cables or equipment.

Figure 7-40 – Details of the Ethernet Frame Before and After the
Addition of 802.1Q Frame Information.

Defining VLANs
NetEnforcer supports VLAN traffic classification according to VLAN ID (VLAN
Identifier) tags, consisting of 12 bits, and according to tagging priority bits, consisting
of three bits. These definitions are set in the VLAN Catalog Editor, as shown below:

Figure 7-41 – VLAN Catalog Editor

According to the policies you define, the NetEnforcer assigns each packet a mapping
priority and QoS definition.
The VLAN definition value is composed as follows:
• Bits 1 – 12 specify the VLAN ID.
• Bit 13 is the reserved bit.
• Bits 14 – 16 specify the user priority (where 7 is highest priority, and 1 is lowest
priority).

When opening this window, either to create a new VLAN or to edit an existing VLAN,
both boxes are checked, thereby preventing you from altering the bit values.

To create a VLAN:
1. Enter the name of the VLAN in the Contents of: field.

2. Uncheck the Any User Priority and/or Any VLAN ID check boxes to insert new bit
values.
3. Insert bit values in one of the following ways:
• Insert a decimal value in the User Priority and/or VLAN ID fields; the binary
equivalent is displayed in the bit value fields.
• Click the bit value field boxes (gray indicates zero and black indicates one); the
decimal equivalent is displayed in the User Priority and VLAN ID fields.

4. Click OK. The new entry is saved in the VLAN Catalog. In order to save the new
entry to the database, you must save in the Policy Editor.
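The 16-bit tag field described above (12-bit VLAN ID, reserved bit, 3-bit user priority) is what NetEnforcer classifies on. The following added example, not NetEnforcer code or Allot documentation, packs and unpacks that field, pulls it out of an 802.1Q-tagged Ethernet frame (the frame layout of Figure 7-40), and applies a VLAN Catalog entry with the two "Any" check boxes. The dictionary layout of the entry and the sample frames are constructed for the illustration.

```python
"""Parse the 802.1Q tag of an Ethernet frame and match it against a VLAN
Catalog entry. Added example, not NetEnforcer code; the entry layout
(the two 'Any' check boxes plus the decimal values) mirrors the editor's
fields and is an assumption about how such an entry could be represented."""
import struct

TPID_8021Q = 0x8100   # EtherType that announces an 802.1Q tag


def build_tci(user_priority, vlan_id, cfi=0):
    """Pack the 16-bit Tag Control Information: user priority (3 bits),
    the reserved CFI bit, and the 12-bit VLAN ID, the bit fields the
    editor exposes."""
    if not 0 <= user_priority <= 7:
        raise ValueError("user priority is a 3-bit field")
    if not 0 <= vlan_id <= 0xFFF:
        raise ValueError("VLAN ID is a 12-bit field")
    return (user_priority << 13) | ((cfi & 1) << 12) | vlan_id


def split_tci(tci):
    """Inverse of build_tci; 'bits' is what the editor's bit boxes show."""
    return {
        "user_priority": tci >> 13,
        "cfi": (tci >> 12) & 1,
        "vlan_id": tci & 0xFFF,
        "bits": format(tci, "016b"),
    }


def parse_frame(frame):
    """Return the addresses, the tag fields (None if untagged) and the
    EtherType of the encapsulated protocol."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"dst": dst.hex(":"), "src": src.hex(":"), "tag": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the TCI")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        result["tag"] = split_tci(tci)
    result["ethertype"] = ethertype
    return result


def matches_entry(tag, entry):
    """Apply a VLAN Catalog entry: each field is either 'Any' (check box
    set) or an exact value. Untagged frames match no VLAN entry."""
    if tag is None:
        return False
    if not entry["any_user_priority"] and tag["user_priority"] != entry["user_priority"]:
        return False
    if not entry["any_vlan_id"] and tag["vlan_id"] != entry["vlan_id"]:
        return False
    return True


# Constructed sample frames (not captured traffic): one tagged with
# priority 5 / VLAN 100 carrying IPv4, one untagged IPv4 frame.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes(46)
TAGGED = DST + SRC + struct.pack("!HHH", TPID_8021Q, build_tci(5, 100), 0x0800) + PAYLOAD
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD

# Entry as the editor would hold it: Any User Priority checked, VLAN ID 100.
VLAN_100 = {"any_user_priority": True, "user_priority": 0,
            "any_vlan_id": False, "vlan_id": 100}

if __name__ == "__main__":
    for frame in (TAGGED, UNTAGGED):
        parsed = parse_frame(frame)
        print(parsed, "matches:", matches_entry(parsed["tag"], VLAN_100))
```

The binary string returned in `bits` reads left to right as user priority, CFI, VLAN ID, which is the same order as the bit boxes in the editor once you account for the guide numbering the VLAN ID as bits 1 to 12.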

Quality of Service Catalog Editor


The QoS Catalog contains entries that are the possible values for the Quality of Service
action. This is the QoS applied to traffic when it meets the definitions of a policy. A
sample QoS Catalog Editor is shown below:

Figure 7-42 – QoS Catalog Editor

NOTE:
The Ignore QoS, Normal Priority - Pipe and Normal Priority - VC entries are Protected, meaning the
definitions for these entries cannot be modified.

The QoS Catalog Editor enables you to define QoS for a Pipe or Virtual Channel. You
can prioritize connections and specify minimum and maximum bandwidth per
Pipe/Virtual Channel or per individual connection, and you can specify traffic-shaping
techniques (CBR or Burst) for Virtual Channels. You can also specify TOS markings.
In the Quality of Service Catalog Editor, there is a predefined entry called Ignore QoS
that you cannot delete, nor can you create additional entries that ignore QoS.
You can create entries that assign QoS to Pipes, Virtual Channels and connections. You
can give the same QoS definitions to both directions of traffic, or define QoS
parameters for both directions independently.
Rules adopt the actions of their parent Pipe or Virtual Channel.
TIP:
Priority
A priority definition implies a relative bandwidth allocation relationship to other defined priorities. It does
not indicate absolute bandwidth allocations. If you require absolute bandwidth allocation, refer to the
descriptions of the minimum, maximum and guaranteed bandwidth fields.
Priorities 1 through 10 represent an increasing hyperbolic curve. It is important to recognize that priorities 1
through 10 do NOT represent a linear relative relationship. The following table helps explain this and shows
the priorities and resultant relative bandwidth ratios:
Priority    1     2     3     4     5     6     7     8     9
    2      1.1
    3      1.2   1.1
    4      1.4   1.2   1.1
    5      1.6   1.5   1.3   1.1
    6      2.0   1.8   1.6   1.4   1.2
    7      2.5   2.2   2.0   1.7   1.5   1.2
    8      3.3   3.0   2.7   2.4   2.0   1.7   1.4
    9      5.0   4.5   4.0   3.5   3.0   2.5   2.0   1.5
   10     10.0   9.0   8.0   7.0   6.0   5.0   4.0   3.0   2.0

Each cell gives the bandwidth ratio of the row priority to the column priority; for example, a
priority 10 channel receives 7.0 times the bandwidth of a priority 4 channel.

For example:
1. Assume two Virtual Channel definitions, VC1 and VC2. VC1 has a priority of four, and VC2 has a
priority of 10. Connections satisfying VC2 will be allocated seven times more bandwidth than VC1.
2. Assume total bandwidth = 150Kbps; VC1 = Minimum 30Kbps, Priority 4; VC2 = Minimum 40Kbps,
Priority 10.
The bandwidth allocation would then be:
VC1 = 40 (30 minimum + 10 on priority basis)
VC2 = 110 (40 minimum + 70 on priority basis)
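The ratio table and the two worked examples above can be reproduced in code. The following is an added example, not NetEnforcer code or Allot documentation: the weight 10/(11 - p) is an assumption fitted to the table (it reproduces every cell to the precision shown, and is one way to write the "hyperbolic curve" the guide mentions), and the allocation loop illustrates the stated rules (minimums first, the remainder split by priority) rather than the device's scheduler. It goes one step beyond the text by also honouring a Maximum Bandwidth cap and returning the capped channel's surplus to the others.

```python
"""Bandwidth allocation by priority, minimum and maximum.

Added example, not NetEnforcer code. The guide gives the ratio table only;
the weight 10/(11 - p) used here is an assumption that reproduces every
cell of that table to the precision shown, and the allocation loop is an
illustration of the text's rules, not the device's scheduler."""
from fractions import Fraction


def priority_weight(priority):
    """Relative weight of a priority: 1 for priority 1 up to 10 for priority 10."""
    if not 1 <= priority <= 10:
        raise ValueError("priority must be 1..10")
    return Fraction(10, 11 - priority)


def bandwidth_ratio(higher, lower):
    """The table cell for row 'higher' and column 'lower'."""
    return float(priority_weight(higher) / priority_weight(lower))


def allocate(total_kbps, channels):
    """channels: list of dicts with 'name', 'priority', optional 'min' and
    'max' (Kbps). Minimums are honoured first; what is left is split in
    proportion to priority weight; a channel that would exceed its maximum
    is capped there and its surplus goes back to the others."""
    for c in channels:
        if c.get("max") is not None and c["max"] < c.get("min", 0):
            raise ValueError(f"{c['name']}: maximum below minimum")
    alloc = {c["name"]: Fraction(c.get("min", 0)) for c in channels}
    remaining = Fraction(total_kbps) - sum(alloc.values())
    if remaining < 0:
        raise ValueError("sum of minimum bandwidths exceeds the total")
    open_channels = list(channels)
    while remaining > 0 and open_channels:
        weight_sum = sum(priority_weight(c["priority"]) for c in open_channels)
        share = {c["name"]: remaining * priority_weight(c["priority"]) / weight_sum
                 for c in open_channels}
        capped = [c for c in open_channels
                  if c.get("max") is not None and alloc[c["name"]] + share[c["name"]] > c["max"]]
        if not capped:
            for c in open_channels:
                alloc[c["name"]] += share[c["name"]]
            break
        # Cap the saturated channels first, then redistribute what is left.
        for c in capped:
            remaining -= Fraction(c["max"]) - alloc[c["name"]]
            alloc[c["name"]] = Fraction(c["max"])
            open_channels.remove(c)
    return {name: float(value) for name, value in alloc.items()}


if __name__ == "__main__":
    # The guide's example: 150 Kbps shared by VC1 (min 30, priority 4)
    # and VC2 (min 40, priority 10).
    print(allocate(150, [{"name": "VC1", "priority": 4, "min": 30},
                         {"name": "VC2", "priority": 10, "min": 40}]))
```

With the guide's figures the result is VC1 = 40 and VC2 = 110; adding a 100 Kbps maximum to VC2 caps it there and hands the other 10 Kbps to VC1.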

Ignoring Quality of Service


The inbound and outbound traffic bypasses NetEnforcer's QoS mechanism if the Ignore
QoS option is selected, thereby potentially saving physical bandwidth for other traffic.
However, using Ignore QoS in a policy definition leads to an attempt to satisfy any
bandwidth request. This may adversely affect other bandwidth definitions.
TIP:
This option is normally used in networks where internal traffic stays within the LAN domain, for example,
when DMZ-bound traffic stays local and is not destined to go on the physical WAN bandwidth. For further
information on interfacing to firewalls, refer to the Allot Communications Web solutions section:
http://www.allot.com/pages/solutions_index.asp?intGlobalId=11.

To view the Ignore QoS entry:


• In the QoS Catalog Editor, select Ignore QoS in the List pane. The following
warning is displayed in the Definition pane of the QoS Catalog Editor:

Figure 7-43 – Ignore QoS Warning

Defining QoS for Pipes


Entries in the QoS Catalog that are defined for Pipes are available when assigning QoS
to Pipes in the Policy Editor.

To define QoS for Pipes:


1. Click New and then select Pipe Allocation from the popup menu displayed. A new
entry is added to the List pane in the QoS Catalog with the default name New QoS
and the Definition pane of the QoS Catalog Editor is displayed, as follows:

Figure 7-44 – Defining QoS for Pipes


NOTE:
Entries defined as Pipe-based are available for Pipe definitions in the Policy Editor, while Virtual
Channel-based entries are not. Similarly, entries defined as Virtual Channel-based are available for
Virtual Channel definitions in the Policy Editor, while Pipe-based entries are not.

2. Edit the name of the entry, if required, and press <Enter>.

3. From the Pipe-based QoS Coverage dropdown list select one of the three options:
• Both Directions Defined the Same: Define QoS for both the inbound and
outbound traffic together (in the General tab and the Inbound and Outbound
tab). This option is normally used in a symmetric environment where inbound
and outbound traffic requirements are identical. Continue with step 4 below.
• Each Direction Defined Separately: Define QoS for the inbound and outbound
traffic individually (in the General tab, the Inbound tab and the Outbound tab).
Continue with step 4 below.
• Half-Duplex Pipe: Define QoS for both the inbound and outbound traffic
together (in the General tab and the Inbound and Outbound tab) in half-duplex
mode. Half-duplex Pipes suit, for example, wireless networks centered on
base stations configured as hubs working in half-duplex mode, which send
packets in only one direction at a time. Continue with step 5.

4. In the Inbound and Outbound tab (for Both Directions Defined the Same and
Each Direction Defined Separately), define the Quality of Service as follows:
• In the Pipe Priority field, select a priority between 1 (lowest) and 10 (highest).
• (Optional) In the Minimum Bandwidth for Pipe (Kbits/sec) field, enter the
minimum bandwidth that will be assigned to the Pipe. As long as there is traffic
requiring bandwidth in this channel, the bandwidth allocated will never be lower
than this limit. Getting bandwidth above the minimum, however, depends on the
traffic priority, should there be competition for the bandwidth.
• In the Minimum Bandwidth Reserved on Use field, select Yes to reserve the full
minimum amount of bandwidth for any future traffic in the Pipe, even when the
full minimum bandwidth is not currently required. The actual reservation occurs
when the first connection is established within a Pipe.
• (Optional) In the Maximum Bandwidth for Pipe (Kbits/sec) field, enter the
maximum bandwidth assigned to the entire Pipe. The total bandwidth of all
traffic allocated in this Pipe will not exceed this limit.

NOTE:
To specify a guaranteed bandwidth for a Pipe, specify the same minimum and maximum
bandwidth, for example, 100Kbps.
• In the Mark Out-of-Profile Traffic with TOS field, select the TOS marking to
be applied to each packet in traffic whose bandwidth allocation has reached the
minimum allocated for the Pipe. If you do not want to change the marking, select
Ignore TOS.

NOTE:
The possible values in these TOS marking fields are the entries in the TOS Catalog, described on
page 7-57.
• Continue with step 6.

5. In the Inbound and Outbound tab (for Half-Duplex Pipe), define the Quality of
Service as follows:

Figure 7-45 – Inbound and Outbound Tab: Half-Duplex Pipe


• In the Pipe Priority field, select a priority between 1 (lowest) and 10 (highest).
• In the Available Bandwidth (Kbits/sec) field, enter the bandwidth assigned to
the entire Pipe. The total bandwidth of all traffic allocated in this Pipe will not
exceed this limit.

6. Select the General tab.

Figure 7-46 – Defining QoS for Pipes: General Tab

7. In the General tab, define connection data, as follows:


• (Optional) In the Max # of Connections Allowed in Pipe (All Directions) field,
enter the maximum number of connections allowed for a Pipe. A new connection
that exceeds this maximum will be treated according to the method selected in
the Conditional Admission area.
• From the first dropdown list in the Conditional Admission area, select one of the
following:
• Admit by Priority: Accept the new connection, but do not assign the
minimum bandwidth. The new connection gets bandwidth per priority.
• Drop: All packets are dropped. The user is disconnected and may see the
message Connection timed-out.
NOTE:
The Drop option is provided for environments such as UDP where a client does not expect
acknowledgements (ACKs).
• Reject: All packets are dropped. In TCP, an RST packet is sent to the client
and the user may see the message Connection Closed by Server.
• If you select Admit by Priority, select the TOS marking to be applied to traffic
through the Pipe from the second dropdown list in the Conditional Admission
area. If you do not want to change the marking, select Ignore.

8. Click OK. The new entry (entries) is saved in the QoS Catalog. In order to save the
new entry (entries) to the database, you must save the Policy Editor.

Defining QoS for Virtual Channels


Entries in the QoS Catalog that are defined for Virtual Channels are available when
assigning QoS to Virtual Channels in the Policy Editor.

To define QoS for Virtual Channels:


1. Click New and then select Virtual Channel Allocation from the popup menu
displayed. A new entry is added to the List pane in the QoS Catalog with the default
name NewQoS# and the Definition pane of the QoS Catalog Editor is displayed, as
follows:

Figure 7-47 – Defining QoS for Virtual Channels

2. Edit the name of the entry, if required, and press <Enter>.

3. From the Virtual Channel-based QoS Coverage dropdown list, select whether you
want to define QoS for inbound and outbound together or separately. If you select
Both Directions Defined the Same, you define QoS for both the inbound and
outbound traffic (in the General tab and the Inbound and Outbound tab). If you
select Each Direction Defined Separately, you define QoS for the inbound and
outbound traffic individually (in the General tab, the Inbound tab and the
Outbound tab).
NOTE:
The parameters in the Outbound tab, the Inbound tab and the Outbound and Inbound tab are the
same.

TIP:
The Both Directions Defined the Same option is normally used in a symmetric environment where
inbound and outbound traffic requirements are identical.

4. In the Inbound/Outbound tab, define the Quality of Service as follows:


• In the Priority per Virtual Channel field, select a priority between 1 (lowest)
and 10 (highest).
• (Optional) In the Minimum Bandwidth (Kbits/sec) field, enter the minimum
bandwidth that will be assigned to the Virtual Channel. As long as there is traffic
requiring bandwidth in this channel, the bandwidth will never be lower than this
limit. Getting bandwidth above the minimum, however, depends on the traffic
priority.
• (Optional) In the Maximum Bandwidth (Kbits/sec) field, enter the maximum
bandwidth assigned to the entire Virtual Channel. The total bandwidth of all
traffic in this channel will not exceed this limit.
NOTE:
To specify a guaranteed bandwidth for a Virtual Channel, specify the same Minimum and
Maximum bandwidth, for example, 100Kbps.

TIP:
When working with traffic that consists of very short connections (one or two packets per
connection), it is recommended to specify a minimum bandwidth (such as 50Kbps) per Virtual
Channel, rather than specifying a priority (such as 6). This is because using minimum bandwidth
per Virtual Channel results in a more effective QoS policy.
• In the Mark Traffic with TOS field, select the TOS marking to be applied to
traffic through the Virtual Channel. If you do not want to change the marking,
select Ignore.

5. In the Traffic-Shaping Method field, select either the Burst or CBR (Constant Bit
Rate) radio button to define how the traffic will be shaped.
6. When Burst is selected, enter connection-based information in the following fields
(shown on page 7-75):
• (Optional) In the Minimum Bandwidth (Kbits/sec) field, enter the bandwidth
that will be assigned to the connection. As long as there is traffic requiring
bandwidth in this channel, the bandwidth will never be lower than this limit.
Getting bandwidth above the minimum, however, depends on the traffic priority.
• (Optional) In the Maximum Bandwidth (Kbits/sec) field, enter the maximum
bandwidth assigned to the entire connection. The total bandwidth of all traffic in
this channel will not exceed this limit.
• (Optional) In the Burst Size (Kbits/sec) field, enter the Burst size for the
connection. The Burst size setting allows the traffic to exceed the allotted
maximum bandwidth for a fraction of a second (to burst), as long as the traffic
does not exceed the maximum over the whole period of one second.
For example, if you enter a Burst size of 150Kbps and a maximum of 100Kbps,
NetEnforcer will allow traffic to reach 150Kbps for a fraction of a second, as long as
the traffic does not exceed the maximum of 100Kbps over the whole second.

TIP:
The Burst Size parameter is useful in environments such as satellite communications, where
bandwidth is an expensive resource that must be utilized efficiently.

7. When CBR is selected, the following fields are displayed in the Connection
Allocations area:

Figure 7-48 – CBR Parameters

The CBR (Constant Bit Rate) setting provides the ability to smooth traffic. Traffic
exits NetEnforcer at a constant rate defined in the CBR, as long as the traffic
entering NetEnforcer does so at a rate equal to or greater than the CBR. This ensures
smoothing for streaming applications. Enter information in the fields, as follows:
• In the Guaranteed Bandwidth (KBits/sec) field, enter the guaranteed bandwidth
for the connection. Guaranteed Bandwidth is the minimum bandwidth assigned to
each connection in the Virtual Channel. Each connection will receive, if required,
at least the bandwidth specified in this parameter. Each connection can receive
more bandwidth than the guaranteed value, up to the maximum defined for the
Virtual Channel, and according to the priority of the Virtual Channel. Guaranteed
Bandwidth provides the most predictable results for critical traffic and allows
other connections to borrow the bandwidth when it is not in use. Guaranteed
Bandwidth always supersedes the needs of other, non-guaranteed connections.

TIP:
This is useful in multimedia applications, such as Voice over IP.

• In the Delay (Microseconds) field, enter the delay value. The default delay value
is 1 second and is hidden. However, you can specify any delay, as long as it does
not exceed 1 second. If you specify a delay other than the default, you need to
know your application's buffering capability. The bigger the buffering capability
of your application, the larger the delay you can specify. The optimum delay
facilitates better bandwidth management because it sets a lower limit for the
Quality of Service mechanism that decides whether to discard or keep a
packet. The objective of setting the optimum delay is to keep jitter at a minimum
(0 at best).
8. Select the General tab.

Figure 7-49 – Defining QoS for Virtual Channels: General Tab

9. (Optional) In the Maximum # of Connections Allowed (All Directions) field, enter
the maximum number of connections allowed for a Virtual Channel. A new
connection that exceeds this maximum will be treated according to the method
selected in the Conditional Admission area.

10. From the dropdown list in the Conditional Admission area, select one of the
following:
• Admit by Priority: Accept the new connection, but do not assign the minimum
bandwidth. The new connection gets bandwidth per priority.
• Drop: All packets are dropped. The user is disconnected and may see the
message Connection timed-out.
NOTE:
The Drop option is provided for environments such as UDP where a client does not expect
acknowledgements (ACKs).
• Reject: All packets are dropped. In TCP, an RST packet is sent to the client and
the user may see the message Connection Closed by Server.

11. Click OK. The new entry (entries) is saved in the QoS Catalog. In order to save the
new entry (entries) to the database, you must save the Policy Editor.
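The Burst size rule from step 6 of this procedure (instantaneous rate may rise to the Burst size, but the volume sent in any one second may not exceed the Maximum Bandwidth) can be turned into a conformance check to run over a traffic sample, for example when verifying what a shaper actually emits. This is an added example, not NetEnforcer code or Allot documentation; the sliding one-second window is an assumption about how "the whole period of one second" is measured, and the samples are constructed, not captured.

```python
"""Conformance check for the Burst size / Maximum Bandwidth rule.

Added example, not NetEnforcer code. The rule from the guide: traffic may
exceed the maximum for a fraction of a second, up to the Burst size, as
long as it does not exceed the maximum over a whole second. Measuring that
with a sliding one-second window is an assumption; the samples below are
constructed, not captured."""


def burst_conforms(samples_kbit, interval_ms, max_kbps, burst_kbps):
    """samples_kbit: Kbits sent in each consecutive interval of interval_ms
    milliseconds. Returns (ok, reason)."""
    if not 0 < interval_ms <= 1000 or 1000 % interval_ms:
        raise ValueError("interval must divide one second")
    per_window = 1000 // interval_ms
    burst_kbit_per_interval = burst_kbps * interval_ms / 1000
    # 1) No interval may run faster than the Burst size.
    for i, kbits in enumerate(samples_kbit):
        if kbits > burst_kbit_per_interval:
            rate = kbits * 1000 / interval_ms
            return False, f"interval {i}: {rate:.0f} Kbps exceeds burst {burst_kbps} Kbps"
    # 2) No one-second window may carry more than max_kbps Kbit in total
    #    (max_kbps Kbit/s times one second).
    last_start = max(0, len(samples_kbit) - per_window)
    for start in range(last_start + 1):
        volume = sum(samples_kbit[start:start + per_window])
        if volume > max_kbps:
            return False, (f"window at interval {start}: {volume:.0f} Kbit in one second "
                           f"exceeds maximum {max_kbps} Kbps")
    return True, "conforms"


# Constructed 100 ms samples against the guide's figures: maximum 100 Kbps, burst 150 Kbps.
MAX_KBPS, BURST_KBPS, INTERVAL_MS = 100, 150, 100
SHORT_BURST = [15] * 4 + [5] * 6      # 150 Kbps for 0.4 s, then 50 Kbps: 90 Kbit in the second
LONG_BURST = [15] * 7 + [5] * 3       # 150 Kbps for 0.7 s: 120 Kbit in the second
OVER_BURST = [16] + [0] * 9           # one interval at 160 Kbps

if __name__ == "__main__":
    for name, sample in (("short", SHORT_BURST), ("long", LONG_BURST), ("over", OVER_BURST)):
        print(name, burst_conforms(sample, INTERVAL_MS, MAX_KBPS, BURST_KBPS))
```

The first sample bursts at 150 Kbps but stays under 100 Kbit over the second and conforms; the second bursts for too long and exceeds the one-second maximum; the third exceeds the Burst size itself in a single interval.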

Connection Control Catalog Editor


The Connection Control Catalog contains entries that are the possible values for the
Connection Control action. This is the action applied to traffic when it meets the
definitions of a policy. A sample Connection Control Catalog Editor is shown below:

Figure 7-50 – Connection Control Catalog Editor

NOTE:
The Pass as is entry is Protected, meaning the definitions for this entry cannot be modified.

The Connection Control Catalog Editor enables you to define load balancing and cache
redirection servers in entries. This means that when traffic meets the definitions of a
policy, it can be forwarded to a load-balancing or cache redirection server. You can
only define entries that specify a load-balancing server or cache server when your
NetEnforcer system includes the optional NetBalancer or CacheEnforcer modules.
For normal traffic, without either cache redirection or load-balancing requirements, the
predefined entry, Pass as is, should be used. You cannot delete the predefined Pass as
is entry nor can you create additional entries with Pass as is selected in the Servers
Used for field.

Load-Balancing
When your system includes the NetBalancer module, you can add an entry to the
Connection Control Catalog that defines a load-balancing server.

To define a load-balancing server:


1. In the Connection Control Catalog Editor, click New and then Load Balancing from
the popup menu displayed. A new entry is added to the List pane and the Connection
Control Catalog Editor is displayed, as follows:

Figure 7-51 – Connection Control Catalog Editor: Load Balancing

2. Edit the name of the entry in the Contents of field, if required.

3. Double-click in the Host Name / IP field and enter the load-balancing server (by
host name or IP address). The system automatically recognizes the format and
displays the appropriate entry in the Type column.
For more information on the parameters for configuring load-balancing options, refer to
the NetBalancer User's Manual.

Cache Redirection
When your system includes the CacheEnforcer module, you can add an entry to the
Connection Control Catalog that defines a cache server.

To define a cache server:


1. In the Connection Control Catalog Editor, click New and then Cache Redirection
from the popup menu displayed. A new entry is added to the List pane and the
Connection Control Catalog Editor is displayed, as follows:

Figure 7-52 – Connection Control Catalog Editor: Cache Server

2. Edit the name of the entry in the Contents of field, if required.

3. Double-click in the Host Name / IP /MAC field and enter the cache redirection
server (by host name format, IP address or MAC address). The system automatically
recognizes the format and displays the appropriate entry in the Type column.
For more information on the parameters for configuring cache-redirecting options, refer
to the CacheEnforcer User's Manual.

Data Source Catalog Editor


The entries in the Data Source Catalog are the LDAP servers or text source files
available when defining hosts using data source queries in the Host Catalog. In the Data
Source Catalog Editor, you define the LDAP servers and text file data sources with which
NetEnforcer works. Each entry is either an LDAP server or a text file:

Figure 7-53 – Data Source Catalog Editor

To define an LDAP server:


1. In the Data Source Catalog Editor, click New and then LDAP Server from the
popup menu displayed. A new entry is added to the List pane and the Data Source
Catalog Editor is displayed as follows:

Figure 7-54 – Data Source Catalog Editor: LDAP Server


2. Edit the name of the entry in the Contents of field, if required.
3. In the Host (Host/Host Port) field, enter the IP address of the LDAP server.
4. Enter the user name and password required to access the LDAP server in the relevant
fields.
5. In the Description field, enter a description for the LDAP server, if required.

6. Click OK. The new entry is saved in the Data Source Catalog and the Data Source
Catalog is closed. In order to save the new entry to the database, you must save the
Policy Editor.

To define a text source file:


1. In the Data Source Catalog Editor, click New and then Hosts Text File from the
popup menu displayed. A new entry is added to the List pane and the Data Source
Catalog Editor is displayed as follows:

Figure 7-55 – Data Source Catalog Editor: Hosts Text File

2. Edit the name of the entry in the Contents of field, if required.

3. In the Host field, enter the IP address or host name of the location of the text source
file.
4. In the Description field, enter a description for the text source file, if required.

5. Click OK. The new entry is saved in the Data Source Catalog and the Data Source
Catalog is closed. In order to save the new entry to the database, you must save the
Policy Editor.

Chapter 8: Defining Policies

This chapter describes the process of defining a QoS policy and optimizing this policy
in your particular network environment. In NetEnforcer, policy is defined using Pipes,
Virtual Channels, and rules.

This chapter includes the following sections:


NetEnforcer Policy, page 8-2, provides an overview about how QoS policy is defined
in NetEnforcer using Pipes, Virtual Channels and rules.
NetEnforcer Policy Editor, page 8-11, provides a quick tour of the menu options, tools
and shortcut keys available in the NetEnforcer Policy Editor.
Defining Policy, page 8-20, describes how to define Pipes, Virtual Channels and rules
in order to build your QoS policy. It also describes how to create Pipe and Virtual
Channel templates.

NetEnforcer Policy
NetEnforcer enables you to classify traffic and enforce Quality of Service according to
high-level, easy-to-understand concepts. Traffic can be logically grouped into categories
such as Mission Critical, Timing Critical, or Low Priority. These result in the desired
network actions when matched to network traffic.
QoS policy consists of a set of conditions (rules) and a set of actions that apply as a
consequence of the conditions being satisfied. Traffic is classified using Pipes and
Virtual Channels. A Pipe and a Virtual Channel are defined by one or more rules and a
set of actions. A Pipe includes one or more Virtual Channels.
A sample Policy showing the relationship between Pipes, Virtual Channels and rules is
illustrated below:

Figure 8-1 – Pipe/Virtual Channel/Rule Relationship

Every connection passing through NetEnforcer is matched to a rule at Pipe level. This
means that NetEnforcer looks to match the connection to any of the sets of conditions
defined for a Pipe. If a match is found, the connection is then matched to a rule at
Virtual Channel level. This means that NetEnforcer looks to match the connection to
any of the sets of conditions defined for the Virtual Channels within the Pipe.

In short, the process of rule matching is as follows:


• Find the Pipe rule that the connection matches.
• Within that Pipe, find the Virtual Channel rule that the connection matches.
NetEnforcer searches the Policy table from the top down. Thus, as soon as a Pipe rule is
found to match the connection, NetEnforcer looks at no more Pipes. Similarly, within
the matched Pipe, as soon as a Virtual Channel rule is found to match the connection,
NetEnforcer looks no further.
There is a default Pipe defined in NetEnforcer, Fallback Pipe. If a connection does not
match the rules of any other Pipes, it matches the Fallback Pipe. Furthermore, every
Pipe always includes a default Virtual Channel, Fallback. If a connection does not
match the rules of any other Virtual Channels within a Pipe, it matches the Fallback
Virtual Channel.
The rules of the Fallback Pipe and Fallback Virtual Channels cannot be deleted or
modified. They allow all traffic to and from all hosts, all of the time.
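The matching order just described (first matching Pipe from the top, then the first matching Virtual Channel inside it, with the Fallback Pipe and each Pipe's Fallback Virtual Channel catching whatever nothing else matched) is small enough to write out, which makes the consequences of Pipe order visible. The following is an added example, not NetEnforcer code or Allot documentation. A rule here carries only the source, destination and service conditions listed in this chapter; the nested-dictionary policy layout, the CIDR notation for host conditions and the sample policy are assumptions made for the illustration.

```python
"""Top-down Pipe / Virtual Channel matching with the Fallback entries.

Added example, not NetEnforcer code. A rule here carries only the three
conditions listed in this section (source, destination, service); the
policy layout as nested dicts and the host notation (an IP network in
CIDR form or 'Any') are assumptions for the illustration."""
import ipaddress

ANY = "Any"


def host_matches(condition, address):
    """Source/destination condition: 'Any', or an IP network or address."""
    if condition == ANY:
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(condition, strict=False)


def rule_matches(rule, conn):
    """A rule matches when every one of its conditions is satisfied;
    unset conditions default to Any / All."""
    return (host_matches(rule.get("source", ANY), conn["source"])
            and host_matches(rule.get("destination", ANY), conn["destination"])
            and rule.get("service", "All") in ("All", conn["service"]))


FALLBACK_RULE = {"source": ANY, "destination": ANY, "service": "All"}


def virtual_channel(name, rules):
    return {"name": name, "rules": rules}


def pipe(name, rules, vcs):
    # Every Pipe ends with its Fallback Virtual Channel, which matches everything.
    return {"name": name, "rules": rules,
            "vcs": list(vcs) + [virtual_channel("Fallback", [FALLBACK_RULE])]}


def policy(pipes):
    # The Fallback Pipe sits last and catches whatever no other Pipe matched.
    return list(pipes) + [pipe("Fallback Pipe", [FALLBACK_RULE], [])]


def classify(policy_table, conn):
    """Return (pipe name, virtual channel name): the first matching Pipe
    from the top, then the first matching Virtual Channel inside it."""
    for p in policy_table:
        if any(rule_matches(r, conn) for r in p["rules"]):
            for vc in p["vcs"]:
                if any(rule_matches(r, conn) for r in vc["rules"]):
                    return p["name"], vc["name"]
    raise RuntimeError("unreachable: the Fallback Pipe matches all traffic")


# Constructed policy: a Pipe for the sales subnet with an HTTP channel,
# followed by a Pipe for all SIP traffic.
POLICY = policy([
    pipe("Sales", [{"source": "10.1.0.0/16"}],
         [virtual_channel("Web", [{"service": "HTTP"}])]),
    pipe("VoIP", [{"service": "SIP"}], []),
])

if __name__ == "__main__":
    for conn in ({"source": "10.1.2.3", "destination": "198.51.100.7", "service": "HTTP"},
                 {"source": "10.1.2.3", "destination": "198.51.100.7", "service": "SIP"},
                 {"source": "10.9.0.1", "destination": "198.51.100.7", "service": "SIP"},
                 {"source": "10.9.0.1", "destination": "198.51.100.7", "service": "FTP"}):
        print(conn["source"], conn["service"], "->", classify(POLICY, conn))
```

Note the second connection: SIP from the sales subnet lands in the Sales Pipe's Fallback Virtual Channel, not in the VoIP Pipe, because the Sales Pipe is higher in the table and matching stops at the first Pipe hit. Ordering Pipes is therefore part of the policy's meaning, not just its presentation.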

Pipes
A Pipe provides a way of classifying traffic that enables you to divide the total
bandwidth and then manage every Pipe as if it was an independent link. A Pipe consists
of one or more sets of conditions (rules) and a set of actions that apply when any of the
rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of
Virtual Channels from a QoS point of view. When you add a new Pipe, it always
includes at least one Virtual Channel, the Fallback Virtual Channel. The rule of the
Fallback Virtual Channel cannot be modified or deleted. A connection coming into
NetEnforcer is matched to a Pipe according to whether the characteristics of the
connection match any of the rules of the Pipe. The connection is then further matched to
the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence
all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are
enforced together with the actions of the Pipe.


Virtual Channels
A Virtual Channel provides a way of classifying traffic and consists of one or more sets
of conditions (rules) and a set of actions that apply when any of the rules are met. A
Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further
matched to a Virtual Channel according to whether the characteristics of the connection
match any of the rules of the Virtual Channel.

Rules
A rule is a set of six conditions. Rules can be defined at Pipe level or Virtual Channel
level. NetEnforcer matches connections to rules, first at the Pipe level and then at
Virtual Channel level within a Pipe.
The six conditions that make up a rule are as follows:
• Connection Source: Defines the source of the traffic. For example, specific IPs or
MAC addresses, a range of IP addresses, IP Subnet addresses, or host names. The
default value is Any which covers traffic from any source.
• Connection Destination: Defines the destination of the traffic. For example,
specific IPs or MAC addresses, a range of IP addresses, IP Subnet addresses, or
host names. The default value is Any which covers traffic to any destination.
• Service: Defines the protocols relevant to a connection. Protocols may be TCP and
UDP IP type, non-TCP and non-UDP type or non-IP type. TCP and UDP IP
protocols are defined based on port type. HTTP protocols may include content
definitions, such as specific Web directories, pages, or URL patterns. The default
value is All which covers all protocols.
• TOS: Defines the TOS byte contained in the IP headers of the traffic. The default
value is Any which covers any TOS value.
• VLAN: Defines VLAN traffic classification according to VLAN ID (VLAN
Identifier) tags, consisting of 12 bits, and according to tagging priority bits,
consisting of three bits.


• Time: Defines the time period during which the traffic is received. For example,
daily between 8.00 AM and 6.00 PM, on Sundays between 12.00 AM and 12.00 PM,
or on the 1st and 15th of the month. The default value is Always which covers
traffic at any time.
When a new Pipe or Virtual Channel is created, it is assigned a default rule with default
values for each condition and you can modify these values as required.
The possible values for each condition are defined in the Catalog entries in the Catalog
Editors. A Catalog Editor enables you to give a logical name to a comprehensive set of
parameters (a Catalog entry). This logical name then becomes a possible value for a
condition. Catalog Editors are described in detail in Chapter 7, Defining Catalog
Entries.
TIP:
If you classify traffic by a specific Connection Source or Connection Destination, make sure your definition
applies to both directions, from the Source to the Destination and from the Destination to the Source. For
example, if you define HostName as the Connection Source and Any as the Connection Destination, make
sure that the rule is bi-directional, so that traffic from Any to HostName is also covered.

Actions
Pipes and Virtual Channels include a set of actions that is assigned to traffic once it
meets any of the rules defined for the Pipe or Virtual Channel. There are two actions
that can be defined for a Pipe: Access Control and Quality of Service, and three actions
that can be defined for a Virtual Channel: Access Control, Quality of Service and
Connection Control. Only if Access Control is set to Accept may the other actions
apply.

Access Control
This action determines the access given to traffic. The possible values are as follows:
• Accept: The connection is accepted and traffic is granted access. This is the default
value.
• Drop: All packets are dropped. In TCP traffic, an RST packet is sent to the client
and the user may see the message Connection Closed by Server.
• Reject: All packets are dropped. The user is disconnected and may see the message
Connection timed-out.
If the Access Control for a Pipe or Virtual Channel is specified as Reject or Drop, all
traffic meeting the rules of the Pipe or Virtual Channel is dropped and no other Quality
of Service or Connection Control actions are applied.

Quality of Service
This action determines the QoS given to traffic. The QoS specified can include the
following:
• Priority per Pipe/Virtual Channel
• Minimum and maximum bandwidth per Pipe/Virtual Channel
• Minimum and maximum bandwidth per connection (Virtual Channels only)
• Guaranteed bandwidth per connection (Virtual Channels only)
• Traffic shaping by enforcing Constant Bit Rate (CBR) or Burst level (Virtual
Channels only)
• TOS marking per channel
• Admission Control (number of connections)
• Reserve on Demand (Pipes only)
• Conditional Admission
The default Quality of Service action for Pipes or Virtual Channels is Normal Priority,
which has Level 4 priority, no bandwidth definitions, no TOS marking and no
connection limitations.
The possible values for the Quality of Service action are defined in a Catalog entry in
the Quality of Service Catalog Editor. A Catalog Editor enables you to assign a logical
name to a comprehensive set of parameters. This logical name then becomes a possible
value for an action. Catalog Editors are described in detail in Chapter 7, Defining
Catalog Entries.


TIP:
To evaluate what Quality of Service to set for each Pipe or Virtual Channel, consider the following:
• Do you know the applications running in your network? (For more information, refer to Chapter 6,
Monitoring Network Traffic.)
• During peak periods, what percentage of total traffic does each Pipe or Virtual Channel represent?
• Do you want to guarantee some minimum bandwidth for time-critical applications?
• Do you want to assign a higher priority to some applications?
It is recommended to start out simply and then, over time, to fine-tune the Pipes, Virtual Channels and rules
to meet your needs. Assign each of your Pipes and Virtual Channels a classification by protocol Normal
priority or use the default set of Pipes and Virtual Channels included with NetEnforcer. Monitor the results
for a period of time, using a tool such as NetWizard (described in Chapter 5, NetWizard Quick Start) and
observe how much bandwidth each of the Pipes and Virtual Channels utilizes during peak hours. Then,
using this data, create new QoS Catalog entries and assign them to the Pipes and Virtual Channels.
Now gradually increase the priority of one or two of your high-priority applications, and decrease the
priority of one or two of your lower priority ones. Observe response time during a typical day’s traffic cycle
(peak and non-peak).
Gradually fine-tune the system. Increase the number of Pipes and Virtual Channels by dividing one Pipe or
Virtual Channel into several distinct ones, as the need arises. The process of assigning Quality of Service
should continue by limiting lower priority traffic and increasing bandwidth to those applications that need or
deserve more bandwidth. For high-priority traffic, you should gradually increase the priority and assign
more minimum or fixed bandwidth. For lower priority traffic, you can lower its priority and assign a
maximum bandwidth during peak periods. You can also limit the number of active connections for that
channel. For example, if you wish to limit FTP traffic, you can specify a maximum number of connections
for all FTP traffic.
Internet connection bandwidth consumption with and without NetEnforcer is shown below:

[Pie charts: Internet connection without NetEnforcer – Email 60%, e-Business 20%, Other 20%.
Internet connection with NetEnforcer – e-Business 60%, Email 30%, Other 10%.]

Without NetEnforcer, Internet connection bandwidth is consumed by batch traffic such as Email, while
e-Business traffic is inhibited by lengthy response time (meaning e-Business gets only 20% of bandwidth).


With NetEnforcer used for bandwidth management, Internet connection traffic is managed according to
business priorities. For example, email is limited to 30% of bandwidth, while e-Business is granted a higher
bandwidth portion, up to 60% of bandwidth. The end result is that critical application users enjoy a better
response time.

Connection Control
This action determines whether the traffic is redirected to a specialty load-balancing or
cache server. The default value is Pass As Is, which means that the traffic is not
redirected. In order to specify other values for this action, you must have the
NetBalancer or the CacheEnforcer optional modules activated in your NetEnforcer
system. Refer to Chapter 4, Configuring NetEnforcer for more details.
This action can only be defined for a Virtual Channel. The Connection Control for a
Pipe is always Pass As Is.
The possible values for the Connection Control action are defined in a Catalog entry in
the Connection Control Catalog Editor. A Catalog Editor enables you to assign a logical
name to a comprehensive set of parameters. This logical name then becomes a possible
value for an action. Catalog Editors are described in detail in Chapter 7, Defining
Catalog Entries.
The functions of NetBalancer and CacheEnforcer are as follows:
• CacheEnforcer directs requests to a cache server. You can add cache servers and
determine the action to be taken when the server list is exhausted. CacheEnforcer
lists alternate servers, enabling a request to be redirected to other servers on the list
should a server not respond. If and when all the listed servers do not respond, you
can determine the action that is to be taken. Refer to the CacheEnforcer User’s
Manual for more information.
• NetBalancer enables you to distribute traffic loads between servers. Refer to the
NetBalancer User’s Manual for more information.


Using Pipes, Virtual Channels and Rules


The following examples show how Pipes and Virtual Channels might be used:
• An Internet Service Provider sells slices of bandwidth to customers (defined in a
Pipe template), each based on the Quality of Service granted to that category of
customer (such as Gold, Silver and Bronze customers).
• A university wants to control Internet traffic congestion across the network
involving students and faculty, in particular, to limit FTP use and give preferential
bandwidth allocation to faculty during weekday hours. The university defines
Virtual Channels for faculty usage, student usage, and student usage during night
hours. A further rule is then defined under the student usage Virtual Channel that
specifies a different service for students accessing FTP.
• An organization has several links to the Internet. Only one NetEnforcer is required
with Pipes defined for every link enabling traffic to be managed on every link
independently.
NetEnforcer includes a default starting database that contains common types of traffic
written in sample Pipes, Virtual Channels and rules. You can edit, disable or delete
these as required.

Using Templates
Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will
create multiple Pipes or Virtual Channels very similar to each other. Templates work
with host entries defined in the Host Catalog.

Using Import from LDAP or Text Files


You can now use additional data source definition options: LDAP or Text File (using
the Data Source Catalog Editor). The text file can be located on a remote server.


Order of Policy Definitions


You should define Pipes and Virtual Channels so that those that are more specific are
defined before those that are more general. This is because NetEnforcer searches the
Policy table from the top down. Thus, as soon as a Pipe rule is found to match the
connection, NetEnforcer looks at no more Pipes. Similarly, within the matched Pipe, as
soon as a Virtual Channel rule is found to match the connection, NetEnforcer looks no
further. For example, if you define a Virtual Channel that includes all HTML (*.html)
files, that Virtual Channel must come after a Virtual Channel with a rule that specifies a
specific HTML file. Otherwise, NetEnforcer will always arrive at the general rule first,
assign the action defined in the Virtual Channel of that rule, and never assign the action
defined for the more specific rule.
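The two-level, top-down lookup described in this chapter (first matching Pipe, then first matching Virtual Channel inside it, the Fallback entries at each level, Bidirectional rules, and Drop/Reject suppressing the other actions) together with the ordering pitfall of this section, as an added Python model that is not part of NetEnforcer or this guide. The class and function names, the "http:*.html" service notation, the use of sets and hour ranges for the TOS, VLAN and Time conditions, and the university policy are all constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional
ANY = None  # the "Any" / "All" / "Always" default of a condition: matches everything

@dataclass
class Rule:                           # one rule: six conditions plus Dir and In Use (assumed model)
    source: Optional[str] = ANY       # IP address, CIDR subnet or host name
    destination: Optional[str] = ANY
    service: Optional[str] = ANY      # e.g. "ftp", or a URL pattern such as "http:*.html"
    tos: Optional[set] = ANY          # allowed TOS byte values, e.g. {0x10}
    vlan: Optional[set] = ANY         # allowed VLAN IDs
    time: Optional[range] = ANY       # hours of the day, e.g. range(8, 18) = 8.00 AM to 6.00 PM
    bidirectional: bool = True        # Dir field; Bidirectional is the default
    enabled: bool = True              # In Use flag; a disabled rule is ignored

@dataclass
class Connection:
    src: str                          # IP addresses (host names only match exact-name rules)
    dst: str
    service: str
    tos: int = 0
    vlan: int = 0
    hour: int = 12

@dataclass
class VirtualChannel:
    name: str
    rules: list
    access: str = "Accept"
    qos: str = "Normal Priority"
    connection_control: str = "Pass As Is"

@dataclass
class Pipe:
    name: str
    rules: list
    vcs: list = field(default_factory=list)
    access: str = "Accept"
    qos: str = "Normal Priority"      # a Pipe's Connection Control is always Pass As Is

# Built-in Fallback entries: an unmodifiable rule with every condition at its default.
FALLBACK_VC = VirtualChannel("Fallback", [Rule()])
FALLBACK_PIPE = Pipe("Fallback Pipe", [Rule()])

def _host_match(cond, addr):
    """ANY, an exact IP/host name, or a CIDR subnet that contains addr."""
    if cond is ANY or cond == addr:
        return True
    return "/" in cond and ip_address(addr) in ip_network(cond, strict=False)

def rule_matches(rule, conn):
    if not rule.enabled:
        return False
    if rule.service is not ANY and not fnmatch(conn.service, rule.service):
        return False
    for cond, value in ((rule.tos, conn.tos), (rule.vlan, conn.vlan), (rule.time, conn.hour)):
        if cond is not ANY and value not in cond:
            return False
    forward = _host_match(rule.source, conn.src) and _host_match(rule.destination, conn.dst)
    # Bidirectional: the same rule also covers traffic from the Destination back to the Source.
    reverse = rule.bidirectional and _host_match(rule.source, conn.dst) and _host_match(rule.destination, conn.src)
    return forward or reverse

def classify(pipes, conn):
    """Top down, first match: the first Pipe any of whose rules matches, then the first
    Virtual Channel inside it. The Fallback entries guarantee a match at both levels."""
    for pipe in [*pipes, FALLBACK_PIPE]:
        if any(rule_matches(r, conn) for r in pipe.rules):
            for vc in [*pipe.vcs, FALLBACK_VC]:
                if any(rule_matches(r, conn) for r in vc.rules):
                    return pipe, vc
    raise RuntimeError("unreachable: the Fallback rules match every connection")

def resolve_actions(pipe, vc):
    """Drop or Reject at either level means no QoS or Connection Control action applies."""
    for level in (pipe, vc):
        if level.access != "Accept":
            return {"access": level.access}
    return {"access": "Accept", "pipe_qos": pipe.qos, "vc_qos": vc.qos,
            "connection_control": vc.connection_control}

def university_policy(specific_first=True):
    """Constructed policy after the university example. The order of the two HTML
    Virtual Channels shows why the more specific rule must come first."""
    login = VirtualChannel("Login page", [Rule(service="http:/login.html")], qos="High Priority")
    all_html = VirtualChannel("All HTML", [Rule(service="http:*.html")], qos="Low Priority")
    faculty = Pipe("Faculty", [Rule(source="10.1.0.0/16", time=range(8, 18))],
                   [login, all_html] if specific_first else [all_html, login], qos="Gold")
    students = Pipe("Students", [Rule(source="10.2.0.0/16")], [
        VirtualChannel("Student file sharing", [Rule(service="file-sharing")], access="Drop"),
        VirtualChannel("Student FTP", [Rule(service="ftp")], qos="FTP Limited"),
    ])
    return [faculty, students]

def lookup(pipes, src, dst, service, hour=12):
    pipe, vc = classify(pipes, Connection(src, dst, service, hour=hour))
    return pipe.name, vc.name, resolve_actions(pipe, vc)
```

With `specific_first=False` the login page lands in the general "All HTML" Virtual Channel, which is exactly the misordering the text warns about.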


NetEnforcer Policy Editor


You set your QoS policy by defining Pipes and Virtual Channels in the NetEnforcer
Policy Editor.

To access the Policy Editor:


From the NetEnforcer Control Panel, click Policies and then Policy Editor. The Policy
Editor is displayed:
[Screenshot; the callouts label the Menu Bar, the Toolbar, the Rule (Conditions) columns,
the Actions columns, a Pipe and its Virtual Channels.]

Figure 8-2 – Policy Editor

The Policy Editor provides a tree-table of the Pipes and Virtual Channels currently
defined in your NetEnforcer. Each line in the table represents a single rule (of a Pipe or
a Virtual Channel). A Pipe can be defined by one or more rules and can include one or
more Virtual Channels. A Virtual Channel can be defined by one or more rules.


NOTE:
The first rule of a Pipe or Virtual Channel is visually embedded in the first line of the Pipe or Virtual
Channel so there is no rule icon associated with this first rule. Other rules have icons.

There is always one default Pipe, called Fallback Pipe, in the Policy Editor. The
conditions or rule of this default Pipe cannot be modified or deleted.
Every Pipe has a default Virtual Channel called Fallback. The conditions or rule of this
default Virtual Channel cannot be modified or deleted, but you can delete the Pipe
entirely. You can expand/collapse Pipes and Virtual Channels in the Policy Editor by
clicking the expand or collapse icon on the left of a Pipe or Virtual Channel, or pressing
<Shift + right arrow> or <Shift + left arrow> on your keyboard.

View Options
You can modify the Policy Editor view by selecting to hide or display the available
columns.

To customize the Policy Editor view:


1. From the Settings menu, select View Options. The View Options dialog box is
displayed.

Figure 8-3 – View Options


2. Select the checkboxes to the left of the columns you want to display in the Policy
Editor.
3. Click OK.

Policy Editor Menus and Toolbar


The menu options, tools and shortcut key options available in the Policy Editor are as
follows:
File menu
• Save (Ctrl + S): Saves the changes to the policy configuration in the NetEnforcer
database and activates the new configuration.
• Save & Distribute: Saves the current policy to all NetEnforcers on the distribution list.
Refer to Distributing Policy, page 8-32.
• Reload: Reloads the current policy from NetEnforcer.
• Print: Enables you to print the policy table displayed in the Policy Editor.
• Exit: Closes the Policy Editor.

Edit menu
• Cut (Ctrl + X): Cuts the currently selected Pipe, Virtual Channel or rule from the
Policy Editor and places it in memory.
• Copy (Ctrl + C): Copies the currently selected Pipe, Virtual Channel or rule from the
Policy Editor and places it in memory.
• Paste (Ctrl + V): Pastes the currently selected Pipe, Virtual Channel or rule from
memory into the current location.
• Delete (Delete): Deletes the selected Pipe, Virtual Channel or rule.
• Rename (Ctrl + N): Enables you to rename the selected Pipe or Virtual Channel.
• Enable (Ctrl + E): Enables the selected Pipe, Virtual Channel or rule. A Pipe, Virtual
Channel or rule must be enabled in order for NetEnforcer to take it into account.
• Disable (Ctrl + D): Disables the selected Pipe, Virtual Channel or rule. When a Pipe,
Virtual Channel or rule is disabled, NetEnforcer does not consider it. A disabled Pipe,
Virtual Channel or rule is ignored in traffic management, monitoring, accounting, and
so on.
• Find (Ctrl + F): Enables you to search for and locate Pipes, Virtual Channels, and rules
in the policy table.

Insert menu
• Pipe (Ctrl + P): Inserts a new Pipe with default settings. Refer to Adding Pipes,
page 8-22.
• Virtual Channel (Ctrl + L): Inserts a new Virtual Channel with default settings. Refer
to Adding Virtual Channels, page 8-24.
• Rule (Ctrl + K): Inserts a new rule with default settings. Refer to Adding Rules,
page 8-26.
• Templates: Enables you to insert Pipe templates or Virtual Channel templates. Refer to
Templates, page 8-28.

Catalogs menu
• Host: Opens the Host Catalog Editor, enabling you to define possible Connection
Source and Destination conditions.
• Service: Opens the Service Catalog Editor, enabling you to define possible Service
conditions.
• Time: Opens the Time Catalog Editor, enabling you to define possible Time conditions.
• TOS: Opens the TOS Catalog Editor, enabling you to define possible Type of Service
conditions.
• VLAN: Opens the VLAN Catalog Editor, enabling you to define possible VLAN
conditions.
• Quality of Service: Opens the QoS Catalog Editor, enabling you to define possible
Quality of Service actions.
• Connection Control: Opens the Connection Control Catalog Editor, enabling you to
define possible Connection Control actions.
• Data Source: Opens the Data Source Catalog Editor, enabling you to define the LDAP
servers with which NetEnforcer can work. You can also define a text file data source
in the Data Source Catalog Editor; the text file can be located on a remote server
instead of on the NetEnforcer, in which case the data is transferred via TFTP.

Settings menu
• Distribution List: Enables you to specify other NetEnforcer addresses that will receive
a policy when distributed. Refer to Distributing Policy, page 8-32.
• View Options: Enables you to modify the Policy Editor view. Refer to View Options,
page 8-12.

Help menu
• Index: Provides access to online help.
• Cache Redirection: Provides access to online help for the CacheEnforcer module.
• Load Balancing: Provides access to online help for the NetBalancer module.

NOTE:
Some of these options are also available when right-clicking a line in the Policy Editor. In addition, you
can access monitoring graphs from the right-click menu of a Pipe or Virtual Channel. Monitoring graphs
are described in Chapter 6, Monitoring Network Traffic.


The Data Source Catalog Editor is shown below:

Figure 8-4 – Data Source Catalog Editor: Hosts Text File


Figure 8-5 – Host Catalog Editor

To define host entries using a text file data source:

1. Select the Data Source Query to be used.
2. Define the name and location of the text file.
3. Define the properties of the text file in the Host Catalog.
4. In the Host Catalog, select Fetch & View Contents to view the contents of the text
file.


Figure 8-6 – Query Dialog

5. Press Close and save the new host entry.

Policy Editor Status Bar


The status bar in the Policy Editor provides the following information:
• General Messages
• Mod Flag: Mod is displayed to indicate that the policy has been changed but not
yet saved.
• Key: Quality of Service not activated is displayed when the Quality of Service
key is missing or erroneous. The Quality of Service key is specified in the Product
IDs & Keys tab of the NetEnforcer Configuration window.


Defining Policy
The typical workflow for configuring your QoS policy is shown in the following
diagram:

[Workflow diagram: Define Your Network Requirements → Define Pipes → Define Virtual Channels]

Figure 8-7 – Defining Policy Workflow

Each step of the workflow is described in the following sections. You can also define
Pipes and Virtual Channels using templates, described on page 8-28.


Defining Your Network Requirements


Before defining Pipes or Virtual Channels, you must determine the type of traffic
flowing through your network. Using NetEnforcer’s Monitoring functions (described in
Chapter 6, Monitoring) or NetWizard functions (described in Chapter 5, NetWizard
Quick Start), you can determine your current network application patterns, and define
the necessary QoS classification and actions.
The following are examples of traffic patterns and required QoS policy:
• Applications on your network that you consider “mission-critical” applications.
These may be special applications that are time and/or resource sensitive. You may
want to provide increased bandwidth or server resources.
• Items on your network that you consider low priority. These may include traffic
that you consider non-time and/or response sensitive, or applications that you wish
to limit during busy hours, such as FTP traffic.
• Applications that you do not want used on your network during certain times, such
as new file-sharing applications that enable clients in your network to function as
servers, thereby drastically increasing outbound traffic volume.
• Background tasks that are important, but can be performed at a slower rate. These
may include email traffic or certain file transfers.
• Time-sensitive network applications. These may include streaming applications
such as real-time audio or video.
• Customers or groups of customers categorized into various “tiered” levels. For
example, you may wish to have Gold-level customers.
Once you have classified your network traffic, you can define your QoS policy.


Adding Pipes
Each Pipe is defined by at least one rule (set of conditions), and any traffic meeting
those conditions is channeled to that Pipe. The actions defined for the Pipe are then
applied to the traffic.

To add a pipe:
1. Add a Pipe in one of the following ways:
• Select a Pipe in the policy table and click the Pipe button (blue icon) in the toolbar.
• Select a Pipe in the policy table and select Pipe from the Insert menu.
• Right-click a Pipe in the policy table and select Insert and then Pipe from the
popup menus that are displayed.
• Press <Ctrl + P> on your keyboard (at the same time).
A new Pipe is added above the selected Pipe. The new Pipe contains a default
Virtual Channel (Fallback), and has default values for its rule (conditions) and
actions.
2. Edit the name of the Pipe, if required, and press <Enter>. Assigning a logical name
to the Pipe helps you to classify your traffic.
NOTE:
You can rename a Pipe at any time by selecting Rename from the Edit menu.

3. Modify the rule of the Pipe by clicking the cell in the relevant column and selecting
the required condition from the dropdown list that is displayed. The rule is made up
of the following conditions:
• Connection Source: The source of the traffic.
• Connection Destination: The destination of the traffic.
• Service: The protocol relevant to a connection.
• Time: The time of the connection.
• TOS: The TOS marking of the connection.
• VLAN: The destination of VLAN traffic.


4. Modify the actions of the Pipe by clicking the cell in the relevant column and
selecting the required action from the dropdown list that is displayed. The actions
are as follows:
• Access: The access given to traffic.
• Quality of Service: The quality of service applied to traffic given access. The QoS
determines priority, minimum and maximum bandwidth and the maximum number of
connections.
NOTE:
The Connection Control action for a Pipe is always Pass As Is.

5. Specify the direction of the traffic between the selected source and destination by
clicking in the Dir field and selecting one of the following:
• Bidirectional: The flow of traffic in either direction between the selected source and
destination (default).
• Unidirectional: The flow of traffic from the selected source to the selected destination.
6. When a new Pipe is created, it is automatically enabled, meaning once the Policy
Editor is saved to NetEnforcer, the Pipe is taken into account by NetEnforcer. You
can enable or disable the Pipe in one of the following ways:
• Select Enable or Disable from the Edit menu.
• Right-click in the In Use column and select Enable or Disable from the popup
menu.
• Click the Enable or Disable button.
NOTE:
When a Pipe is disabled, its rules and the Virtual Channels under the Pipe are disabled automatically.

7. Click the Save button in the toolbar to save the new Pipe to NetEnforcer.


TIP:
You can also add a new Pipe by copying and pasting an existing Pipe and modifying its definition.

You can now define further rules for the Pipe or add further Virtual Channels to the
Pipe, as required.


Adding Virtual Channels


A Virtual Channel is added to a Pipe. A Virtual Channel is defined by at least one rule
(set of conditions), and any traffic meeting those conditions is channeled to that Virtual
Channel. The actions defined for the Virtual Channel are then applied to the traffic.
NOTE:
The actions of the Pipe influence all the Virtual Channels under that Pipe and will be enforced together
with the Virtual Channel's actions on every connection that is matched to the Pipe.

To add a Virtual Channel:


1. Add a Virtual Channel in one of the following ways:
• Select a Pipe or Virtual Channel in the policy table and click the Virtual Channel
button in the toolbar.
• Select a Pipe or Virtual Channel in the policy table and select Virtual Channel
from the Insert menu.
• Right-click a Pipe or Virtual Channel in the policy table and select Insert and
then Virtual Channel from the popup menus that are displayed.
• Press <Ctrl + L> on your keyboard (at the same time).

A new Virtual Channel is added to the selected Pipe, or to the Pipe to which the
selected Virtual Channel belongs. The new Virtual Channel has default values for its
rule (conditions) and actions.
2. Edit the name of the Virtual Channel, if required, and press <Enter>. Assigning a
logical name to the Virtual Channel helps you to classify your traffic.
NOTE:
You can rename a Virtual Channel at any time by selecting Rename from the Edit menu.

3. Modify the rule of the Virtual Channel in the same way as for a Pipe, described on
page 8-22.


4. Modify the actions of the Virtual Channel by clicking the cell in the relevant column
and selecting the required action from the dropdown list that is displayed. The
actions are as follows:
• Access: The access given to traffic.
• Quality of Service: The quality of service applied to traffic given access. The QoS
determines priority, minimum and maximum bandwidth, traffic-shaping techniques
(CBR or Burst) and the maximum number of connections.
• Connection Control: The redirection of traffic to a load-balancing server or cache
server, if required.
5. Specify the direction of the traffic between the selected source and destination by
clicking in the Dir field and selecting one of the following:
• Bidirectional: The flow of traffic in either direction between the selected source and
destination (default).
• Unidirectional: The flow of traffic from the selected source to the selected destination.
6. When a new Virtual Channel is created, it is automatically enabled, meaning once
the Policy Editor is saved to NetEnforcer, the Virtual Channel is taken into account
by NetEnforcer. You can enable or disable the Virtual Channel in one of the
following ways:
• Select Enable or Disable from the Edit menu.
• Right-click in the In Use column and select Enable or Disable from the popup
menu.
• Click the Enable or Disable button.
• Press <Ctrl + E> to enable.
• Press <Ctrl + D> to disable.
NOTE:
When a Virtual Channel is disabled, its rules are disabled automatically.


7. Click the Save button in the toolbar to save the new Virtual Channel to NetEnforcer.

TIP:
You can also add a new Virtual Channel by copying and pasting an existing Virtual Channel and modifying
its definition.

You can now define further rules for the Virtual Channel, as required.

Adding Rules
A rule is made up of six conditions. When traffic meets the conditions of a rule, it is
assigned to that rule. The actions assigned to the traffic are the actions defined for the
Pipe or Virtual Channel to which the rule belongs.

To add a rule:
1. Add a rule in one of the following ways:

• Select a Pipe, Virtual Channel or rule in the policy table and click the Rule button
(purple icon) in the toolbar.
• Select a Pipe, Virtual Channel or rule in the policy table and select Rule from the
Insert menu.
• Right-click a Pipe, Virtual Channel or rule in the policy table and select Insert
and then Rule from the popup menus that are displayed.
• Press <Ctrl + K> on your keyboard.

A new rule is added to the selected Pipe or Virtual Channel, or to the Pipe or Virtual
Channel to which the selected rule belongs.
NOTE:
Rules do not have names.

2. Specify the conditions for the rule in the same way as for a Pipe, described on
page 8-22.


3. Specify the direction of the traffic between the selected source and destination by
clicking in the Dir field and selecting one of the following:
• Bidirectional: The flow of traffic in either direction between the selected source and
destination (default).
• Unidirectional: The flow of traffic from the selected source to the selected destination.
4. When a new rule is defined for a Pipe or Virtual Channel, it is automatically
enabled, meaning once the Policy Editor is saved to NetEnforcer, the rule is taken
into account by NetEnforcer. You can enable or disable the rule in one of the
following ways:
• Select Enable or Disable from the Edit menu.
• Right-click in the In Use column and select Enable or Disable from the popup
menu.
• Click the Enable or Disable button.
• Press <Ctrl + E> to enable.
• Press <Ctrl + D> to disable.

You can continue to define further Pipes, Virtual Channels and rules, as required. To
speed up the process, you can copy and paste existing Pipes, Virtual Channels and rules
and then modify their settings, as required. Remember, when you have completed your
editing session, click the Save button to save the new rules, Virtual Channels and Pipes
to NetEnforcer.
You can also create and insert a Pipe or Virtual Channel template as described on
page 8-28.


Policy Table Order


You should define Pipes and Virtual Channels so that those that are more specific are
defined before those that are more general. Similarly, the rules defined for a Pipe or
Virtual Channel should follow this order. This is because NetEnforcer searches the
Policy table from the top down. Thus, as soon as a Pipe rule is found to match the
connection, NetEnforcer looks at no more Pipes. Similarly, within the matched Pipe, as
soon as a Virtual Channel rule is found to match the connection, NetEnforcer looks no
further.
Using cut and paste, you can change the order of the policy table, as follows:
• Change the order of Pipes within the policy table
• Change the order of Virtual Channels within Pipes
• Change the order of rules within Pipes or Virtual Channels
You cannot change the position of the Fallback Pipe or Fallback Virtual Channels.
The Fallback Pipe is always at the bottom of the policy table and the Fallback Virtual
Channels are always the last Virtual Channel in a Pipe.
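The following added example (written for this edition; it is not NetEnforcer code or part of Allot's CLI) shows why the order matters. The Rule, VirtualChannel and Pipe classes, their match fields and the sample table are assumptions for illustration; the behaviour it reproduces from this section is the top-down, first-match lookup with a Fallback entry always last at each level. Running the same table in both orders shows the specific Company X Pipe disappearing behind the general internal Pipe, and dead_pipes() catches the crude case of a catch-all Pipe placed above others.

```python
"""Added example (not NetEnforcer code): first-match policy lookup.

The Rule/VirtualChannel/Pipe classes, their fields and the sample table are
assumptions for illustration. Behaviour taken from the guide: the policy
table is searched top down, the first matching Pipe wins, then the first
matching Virtual Channel inside it, and a Fallback entry is always last.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One condition of a Pipe or Virtual Channel (hypothetical field set)."""
    src: Optional[str] = None       # CIDR the connection source must be in; None = any
    dst: Optional[str] = None       # CIDR the connection destination must be in; None = any
    service: Optional[str] = None   # service name; None = any
    bidirectional: bool = True      # True: the reverse direction between the hosts also matches

    def _one_way(self, s: str, d: str, service: str) -> bool:
        if self.src and ip_address(s) not in ip_network(self.src):
            return False
        if self.dst and ip_address(d) not in ip_network(self.dst):
            return False
        return self.service is None or self.service == service

    def matches(self, s: str, d: str, service: str) -> bool:
        if self._one_way(s, d, service):
            return True
        # Bidirectional: traffic flowing the other way between the same hosts also matches.
        return self.bidirectional and self._one_way(d, s, service)


ANY = Rule()  # matches every connection; what a Fallback entry amounts to


@dataclass
class VirtualChannel:
    name: str
    rules: List[Rule]


@dataclass
class Pipe:
    name: str
    rules: List[Rule]
    vcs: List[VirtualChannel] = field(default_factory=list)


def classify(pipes: List[Pipe], s: str, d: str, service: str) -> Tuple[str, str]:
    """Return (pipe, virtual channel) names: first match, top down, at both levels."""
    for pipe in pipes + [Pipe("Fallback", [ANY])]:
        if not any(r.matches(s, d, service) for r in pipe.rules):
            continue  # no rule of this Pipe matched; try the next Pipe
        # The Pipe matched: look at no more Pipes, only at its Virtual Channels.
        for vc in pipe.vcs + [VirtualChannel("Fallback", [ANY])]:
            if any(r.matches(s, d, service) for r in vc.rules):
                return pipe.name, vc.name
    raise AssertionError("unreachable: the Fallback entries match everything")


def dead_pipes(pipes: List[Pipe]) -> List[str]:
    """Names of Pipes that can never match because an earlier Pipe has a catch-all rule.

    Only the simplest shadowing case (an earlier rule with no src, dst or service
    restriction) is detected; a broad but non-empty rule still hides a later, narrower
    one for the traffic it covers, as classify() shows when BAD_ORDER is used.
    """
    for i, pipe in enumerate(pipes):
        if any(r.src is None and r.dst is None and r.service is None for r in pipe.rules):
            return [p.name for p in pipes[i + 1:]]
    return []


# Constructed sample table: a specific customer Pipe before the general internal Pipe.
COMPANY_X = Pipe("Company X", [Rule(src="10.1.0.0/16")],
                 [VirtualChannel("X-HTTP", [Rule(service="HTTP")])])
ALL_INTERNAL = Pipe("All internal", [Rule(src="10.0.0.0/8")])
GOOD_ORDER = [COMPANY_X, ALL_INTERNAL]
BAD_ORDER = [ALL_INTERNAL, COMPANY_X]   # general first: Company X is never reached

if __name__ == "__main__":
    for table, label in ((GOOD_ORDER, "specific first"), (BAD_ORDER, "general first")):
        print(label, classify(table, "10.1.2.3", "203.0.113.5", "HTTP"))
    print("shadowed:", dead_pipes([Pipe("Everything", [ANY]), COMPANY_X]))
```

The unidirectional flag reproduces the Connection Source and Connection Destination settings: a rule created with bidirectional=False matches only traffic flowing from the listed source, so a reply arriving from the Internet side falls through to the next entry.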

Templates
Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will
create multiple Pipes or Virtual Channels very similar to each other. Templates work
with host entries defined in the Host Catalog. For example, if you had a Host Group
type entry in the Host Catalog called Gold Customers that consisted of Company X,
Company Y and Company Z, you could define a Pipe template to be expanded for Gold
Customers. This would result in Pipes being created for Company X, Company Y and
Company Z when the Policy Editor is saved.
With Host List type entries, templates are only effective when the Host List entry
includes more than one host or IP address or a range of IP addresses. For example,
creating a Pipe template based on a Host List type entry that includes a range of IP
addresses generates a Pipe instance for each IP in the range.
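As an added illustration of template expansion (example code written for this edition, not part of NetEnforcer), the following expands a template over a Host Group and over a Host List holding a single address, a first-last range and a subnet, and applies the Bi-Directional, Connection Source and Connection Destination settings described later under Creating Pipe Templates. The Host Catalog representations, the range syntax, the generated instance names and the max_instances guard are assumptions; the guide only states that one instance is created per member of the entry and one per IP in a range.

```python
"""Added example (not NetEnforcer code): expanding a Pipe template.

The Host Catalog entry shapes, the 'first-last' range syntax and the instance
names are assumptions for illustration. Behaviour taken from the guide: one
instance per member of the entry, a range generating one instance per IP, and
the direction setting deciding whether the member becomes the Connection
Source, the Connection Destination, or both.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple, Union

HostGroup = Dict[str, str]   # member name -> IP address (assumed representation)
HostList = List[str]         # "a.b.c.d", "a.b.c.d-a.b.c.e" or "a.b.c.d/nn" (assumed syntax)


@dataclass(frozen=True)
class PipeInstance:
    name: str
    source: str          # IP address, or "any"
    destination: str     # IP address, or "any"
    bidirectional: bool  # True: traffic to or from the host matches


def members(entry: Union[HostGroup, HostList]) -> List[Tuple[str, str]]:
    """Return (label, address) pairs, one per host the entry expands to."""
    if isinstance(entry, dict):
        return [(name, str(ip_address(addr))) for name, addr in entry.items()]
    pairs: List[Tuple[str, str]] = []
    for item in entry:
        if "-" in item:                       # inclusive range: one instance per address
            first, last = (ip_address(p.strip()) for p in item.split("-", 1))
            if last < first:
                raise ValueError(f"range end before start: {item}")
            addr = first
            while addr <= last:
                pairs.append((str(addr), str(addr)))
                addr += 1
        elif "/" in item:                     # subnet: one instance per usable host address (assumed)
            pairs.extend((str(a), str(a)) for a in ip_network(item, strict=False).hosts())
        else:
            pairs.append((item, str(ip_address(item))))
    return pairs


def expand_template(template_name: str, entry: Union[HostGroup, HostList],
                    direction: str = "bidirectional",
                    max_instances: int = 1024) -> List[PipeInstance]:
    """Generate the Pipe instances a template would produce on save.

    direction: "bidirectional", "source" (expand by Connection Source) or
    "destination" (expand by Connection Destination). max_instances guards
    against a template on a large subnet silently creating thousands of Pipes.
    """
    if direction not in ("bidirectional", "source", "destination"):
        raise ValueError(f"unknown direction: {direction}")
    pairs = members(entry)
    if len(pairs) > max_instances:
        raise ValueError(f"{template_name}: {len(pairs)} instances exceeds limit {max_instances}")
    instances = []
    for label, addr in pairs:
        if direction == "destination":
            src, dst = "any", addr
        else:
            src, dst = addr, "any"
        instances.append(PipeInstance(f"{template_name} ({label})", src, dst,
                                      direction == "bidirectional"))
    return instances


# Constructed sample Host Catalog entries.
GOLD_CUSTOMERS: HostGroup = {"Company X": "192.0.2.10", "Company Y": "192.0.2.20",
                             "Company Z": "192.0.2.30"}
BRANCH_LIST: HostList = ["198.51.100.5", "198.51.100.10-198.51.100.12", "203.0.113.0/30"]

if __name__ == "__main__":
    for inst in expand_template("Gold", GOLD_CUSTOMERS):
        print(inst)
    print(len(expand_template("Branches", BRANCH_LIST, "destination")), "branch instances")
```

Because instances are invisible in the Policy Editor, counting them before saving is the practical check: a template on a /16 Host List entry would otherwise generate tens of thousands of Pipes, each counting towards the unit's rule maximum.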


NOTE:
It is not possible to view Pipe instances in the Policy Editor. However, the instances are available for
selection in the Monitoring module, described in Chapter 6, Monitoring Network Traffic.

A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual
Channels that differ only in source or destination. This means that you do not need to
define similar Pipes and Virtual Channels by hand when the only difference between them
is the IP address in the source or destination.
New features in this version include:
• The Template on Range feature, which allows you to define a template over a range of
IPs or a subnet.
• The Expand feature has been removed; a template now automatically implies expansion.

Creating Pipe Templates


Pipe templates represent instances of the same Pipe for every host in a selected Host
Catalog entry. Pipe templates are added at the same hierarchy level as Pipes.

To create a Pipe template:


1. Add a Pipe template in one of the following ways:
• Select a Pipe in the policy table and select Template and then Pipe Template
from the Insert menu.
• Right-click a Pipe in the policy table and select Insert, Templates and then Pipe
Template from the popup menus that are displayed.
• Press <Ctrl + SHIFT + P> on your keyboard.


The Insert Pipe Template dialog box is displayed.

Figure 8-8 – Insert Pipe Template

2. Select the Host Catalog entry for which you want to create Pipe instances from the
dropdown list.
NOTE:
You can open the Host Catalog Editor and add or modify entries as required by clicking Host Editor.

3. In the Direction Settings area, select whether to expand the Pipe by connection
source or destination or both.
• If you select Bi-Directional, an instance of the Pipe will be generated for all
hosts specified in the selected Host Catalog entry. The Pipes will be
bi-directional, meaning that the traffic can be flowing either to or from the host in
order to match the Pipe.


• If you select Uni-Directional, you must then select whether to expand the Pipe
by connection source or destination. When Connection Source is selected, the
Pipes generated will be uni-directional from the source, meaning that the traffic
must be flowing from the host in order to match the Pipe. When Connection
Destination is selected, the Pipes generated will be uni-directional to the
destination, meaning that the traffic must be flowing to the host in order to match
the Pipe.

4. Click OK. A new Pipe template is added to the policy table.

5. Edit the name of the Pipe template, if required. The new Pipe template is displayed
in the policy table with the selected Host Catalog entry as the Connection Source or
Connection Destination.

Figure 8-9 – New Pipe Template

6. Modify the Pipe template as required. You can modify its existing rule (conditions),
modify its actions, define further rules and add Virtual Channels. The resulting Pipe
instances receive any modifications or additions made to the Pipe template.
NOTE:
You can change the Host Catalog entry for which you want to define Pipe instances at any time by
right-clicking the Pipe template name and selecting Expand by and then selecting another Host Catalog
entry.

Pipes identical to the Pipe template but with a different Connection Source or
Connection Destination are created for every member of the selected Host Catalog
entry when the Policy Editor is saved. These Pipes are not displayed in the policy table.
A Pipe is indicated as a template (master) Pipe by a template symbol in its icon and a
symbol next to the entry in the Connection Source or Connection Destination field.


Creating Virtual Channel Templates


The process for creating Virtual Channel templates is similar to the one used for
creating Pipe templates. Virtual Channel templates represent instances of the same
Virtual Channel for every host in a selected Host Catalog entry. Virtual Channel
templates are added at the same hierarchy level as Virtual Channels but they cannot be
created beneath a Pipe template.

To create a Virtual Channel template:


1. Add a Virtual Channel template in one of the following ways:
• Select a Pipe or Virtual Channel in the policy table and select Template and then
Virtual Channel Template from the Insert menu.
• Right-click a Pipe or Virtual Channel in the policy table and select Insert,
Templates and then Virtual Channel Template from the popup menus that are
displayed.
• Press <Ctrl + SHIFT + L> on your keyboard.


The Insert Virtual Channel Template dialog box is displayed.

Figure 8-10 – Insert Virtual Channel Template

2. Select the Host Catalog entry for which you want to create Virtual Channel instances
from the dropdown list.
NOTE:
You can open the Host Catalog Editor and add or modify entries as required by clicking Host Editor.

3. In the Direction Settings area, select whether to expand the Virtual Channel by
connection source or destination or both.
• If you select Bi-Directional, an instance of the Virtual Channel will be generated
for all hosts specified in the selected Host Catalog entry. The Virtual Channels
will be bi-directional, meaning that the traffic can be flowing either to or from the
host in order to match the Virtual Channel.


• If you select Uni-Directional, you must then select whether to expand the Virtual
Channel by connection source or destination. When Connection Source is
selected, the Virtual Channels generated will be uni-directional from the source,
meaning that the traffic must be flowing from the host in order to match the
Virtual Channel. When Connection Destination is selected, the Virtual Channels
generated will be uni-directional to the destination, meaning that the traffic must
be flowing to the host in order to match the Virtual Channel.

4. Click OK. A new Virtual Channel template is added to the policy table.

5. Edit the name of the Virtual Channel template, if required. The new Virtual Channel
template is displayed in the policy table with the selected Host Catalog entry as the
Connection Source or Connection Destination.

Figure 8-11 – New Virtual Channel Template

6. Modify the Virtual Channel template as required. You can modify its existing Rule
(conditions), modify its actions and define further Rules. The resulting Virtual
Channel instances receive any modifications or additions made to the Virtual
Channel template.
NOTE:
You can change the Host Catalog entry for which you want to define Virtual Channel instances at any
time by right-clicking the Virtual Channel template name and selecting Expand by and then selecting
another Host Catalog entry.

Virtual Channels identical to the Virtual Channel template but with a different
Connection Source or Connection Destination are created for every member of the
selected Host Catalog entry when the Policy Editor is saved. These Virtual Channels are
not displayed in the policy table. A Virtual Channel is indicated as a template (master)
Virtual Channel by a template symbol in its icon and a symbol next to the entry in the
Connection Source or Connection Destination field.


NOTE:
For example, tiered services may be defined quickly using templates. Create one template to represent
Platinum service with a minimum of 500 Kbps per user, a second for Gold service with a minimum of
250 Kbps per user, and a third for Silver service with a maximum of 100 Kbps per user.

Distributing Policy to Other NetEnforcers


You can save and simultaneously distribute your QoS policy to other NetEnforcers if
required. The policy is distributed to all devices on the distribution list. You can add
devices to the distribution list as required.

To configure the distribution list:


1. From the Settings menu, select Distribution List. The Distribution List is displayed.

Figure 8-12 – Distribution List


NOTE:
You can distribute policy to other NetEnforcers, only if they are of the same model and have the same
software version as the one from which you are distributing.


2. To add a device to the distribution list, click Add. The Device Properties dialog box
is displayed.

Figure 8-13 – Device Properties Dialog Box

3. In the Host field, specify the IP address of the NetEnforcer device.

4. Specify the user name and password in the relevant fields.

5. Click OK. The device is added to the distribution list.

You can further modify the distribution list in the following ways:
• Select a device in the list and click Edit. Modify the properties of the device in the
Device Properties dialog box as required.
• Select a device in the list and click Delete. The selected device is deleted from the
distribution list.
• Click Delete All to delete all devices from the distribution list.


To distribute the QoS policy to the devices on the distribution list, select Save &
Distribute from the File menu. A report on the results of the distribution is displayed,
for example:

Figure 8-14 – Distribution Report


Chapter 9: NetEnforcer Alerts

This chapter describes the NetEnforcer Alerts Editor and Alerts Log.

This chapter includes the following sections:


Overview, page 9-2, provides an overview of the NetEnforcer Alerts Editor and Log
and how you can use them to monitor your network status.
Alerts Editor, page 9-5, describes the NetEnforcer Alerts Editor and how to define
events or conditions that will trigger alerts.
Alerts Log, page 9-22, describes the NetEnforcer Alerts Log that includes a list of the
alerts triggered by the alert definitions.


Overview
The Alerts feature lets you not only monitor the state of the system but also be alerted
when certain thresholds are reached. For example, you can set an alert that identifies
when the bandwidth for a particular link or customer is close to its maximum. Using the
alert mechanism, action can be taken before network problems occur (for example, before
the line becomes fully utilized and congestion sets in). Thresholds can also be set to
identify excessive connections or abnormal behavior on the line.
TIP:
You can be alerted to potential virus or worm activity by setting alerts on connection limits (the Connection
Count and Connection Establishment Rate conditions): an infected host typically opens far more new
connections per second than its normal workload does.

The Alerts feature enables you to set actions to occur when user-defined thresholds are
reached for the following entities:
• NetEnforcer
• Pipe
• VC
• System
Within each entity there are various conditions that can be monitored as well as
numerous actions that can be taken in the event of an alert. The basic actions are:
• Send SNMP trap
• Send email (up to two addresses)
• Send SMS
• Change access control
• Change priority
• Send NetEnforcer into bypass
• Reboot NetEnforcer
The Alerts Log provides a list of all the alerts (including predefined ones) and replaces
the Log Viewer found in previous NetEnforcer versions. Acknowledging an alert event
allows the tracking of that alert to continue, so that a record of the event is built up
in the Alerts Log.


Important Preparation
In order to work with alerts, you must specify the following parameters in the Alerts tab
of the NetEnforcer Configuration window:
• Select the Activate Alert Dispatching on NetEnforcer checkbox. This is checked
by default.

Figure 9-1 – NetEnforcer Configuration Window

• Define any relevant email addresses and SMS targets for alerts.
• Click the save button on the toolbar or select Save to NetEnforcer from the File menu
in the NetEnforcer Configuration window to save the configuration.
The NetEnforcer Configuration window is described in Chapter 4, Configuring
NetEnforcer.


Alerts Editor
The Alerts Editor enables you to define events or conditions that will trigger alerts (alert
definitions). Alerts can be triggered according to conditions existing in NetEnforcer, a
selected Pipe or Virtual Channel, or in the system generally. You can define up to 100
alert definitions in the Alerts Editor.
When an alert is triggered, it is displayed in the Alerts Log. You can also send
notification of alerts by SMS, email or SNMP.

Predefined System Alerts


Some alerts are predefined. This means that when certain conditions exist, an alert is
triggered and displayed in the Alerts Log. There is no need to define an alert definition
for a predefined alert in the Alerts Editor. Predefined alerts are not sent to any defined
email, SMS or SNMP targets.
All predefined alerts relate to the system, meaning they occur when a certain condition
exists in the system.
The following table lists the possible default event Alerts that may be seen in the
NetEnforcer Alerts module.

Each entry gives the Alert Message as shown in the Alerts Log, the Alert Syntax in the
form Module#Severity#Message (%s marks a value substituted at run time), and its
Definition.

Alert Message: Connection to both RADIUS servers lost.
Alert Syntax: Accounting#Critical#Connection to both RADIUS servers lost.
Definition: Indicates that the NetAccountant's connection to both the primary and
secondary (if relevant) RADIUS servers has failed. This could be due to difficulties on
either side of the connection.

Alert Message: Accounting is not active. Invalid key.
Alert Syntax: Accounting#Major#Accounting is not active. Invalid key.
Definition: Indicates that the key entered in the NetEnforcer GUI is not a valid key for
activating the NetAccountant Module. Check the key or contact Allot Customer Support.

Alert Message: Failed to read configuration parameters.
Alert Syntax: Accounting#Major#Failed to read configuration parameters.
Definition: Indicates that the NetAccountant configuration parameters in the
NetEnforcer GUI have not been entered.

Alert Message: Accounting is not active.
Alert Syntax: Accounting#Major#Accounting is not active.
Definition: Indicates that the NetAccountant module has not been enabled in the
NetEnforcer GUI.

Alert Message: Failed to connect to primary server. Connecting to secondary server.
Alert Syntax: Accounting#Major#Failed to connect to primary server. Connecting to
secondary server.
Definition: Indicates that the NetAccountant Module was unable to connect to the
primary external server entered in the NetEnforcer GUI.

Alert Message: Failed to connect to secondary server.
Alert Syntax: Accounting#Major#Failed to connect to secondary server.
Definition: Indicates that the NetAccountant Module was unable to connect to the
secondary external server entered in the NetEnforcer GUI.

Alert Message: Failed to connect to either primary or secondary server - data send
aborted.
Alert Syntax: Accounting#Critical#Failed to connect to either primary or secondary
server - data send aborted.
Definition: Indicates that the NetAccountant Module was unable to connect to the
primary or secondary external server entered in the NetEnforcer GUI and that any
Accounting data for this interval has been lost.

Alert Message: Failed to retrieve data - data send aborted.
Alert Syntax: Accounting#Major#Failed to retrieve data - data send aborted.
Definition: Indicates that the NetAccountant Module was unable to gather the Accounting
data from the Stats Collector and that any Accounting data for this interval has been
lost.

Alert Message: Low disk space. Failed to save accounting data. Please consult customer
support.
Alert Syntax: Accounting#Critical#Low disk space. Failed to save accounting data.
Please consult customer support.
Definition: Indicates that the NetAccountant Module was unable to save internal
accounting data to the NetEnforcer's hard disk due to a lack of space.

Alert Message: Number of accounting records exceeded limit of <#> records.
Alert Syntax: Accounting#Major#Number of accounting records exceeded limit of %s
records.
Definition: Indicates that the number of accounting records to be saved (based on the
configuration in the NetEnforcer GUI) has exceeded the maximum for the unit.

Alert Message: Accounting database error. Table <#> is corrupted.
Alert Syntax: Accounting#Major#Accounting database error. Table %s is corrupted.
Definition: Indicates that a specific accounting data table is corrupted.

Alert Message: The system has reached the maximum number of rules.
Alert Syntax: Policy Database#Critical#The system has reached the maximum number of
rules.
Definition: Indicates that the number of rules (based on the configuration in the
NetEnforcer GUI) has exceeded the maximum for the unit.

Alert Message: Event/s of access deny.
Alert Syntax: Rule matching#Normal#Event/s of access deny.
Definition: Indicates that an event has triggered a preset alert action, switching the
QoS apply to "deny packets".

Alert Message: Event/s of admission control failure.
Alert Syntax: Rule matching#Normal#Event/s of admission control failure.

Alert Message: Event/s of Connection Control server not available.
Alert Syntax: Connection Control#Major#Event/s of Connection Control server not
available.

Alert Message: Server <SERVER_NAME> of Connection control is down.
Alert Syntax: Connection Control#Major#Server '%s' of Connection control is down.
Definition: Indicates that the Connection Control server entered in the NetEnforcer GUI
is down.

Alert Message: Server <SERVER_NAME> of Connection control is up.
Alert Syntax: Connection Control#Major#Server '%s' of Connection control is up.
Definition: Indicates that the Connection Control server entered in the NetEnforcer GUI
has come back up.

Alert Message: Service <SERVICE_NAME> of Connection control is down.
Alert Syntax: Connection Control#Major#Service '%s' of Connection control is down.
Definition: Indicates that the specific service on the Connection Control server is not
responding.

Alert Message: Service <SERVICE_NAME> of Connection control is up.
Alert Syntax: Connection Control#Major#Service '%s' of Connection control is up.
Definition: Indicates that the specific service on the Connection Control server is
responding again.

Alert Message: Failed to read RADIUS dictionary. Please consult customer support.
Alert Syntax: Accounting#Critical#Failed to read RADIUS dictionary. Please consult
customer support.
Definition: Indicates that the NetAccountant module is unable to communicate with the
RADIUS server.

Alert Message: Connection to primary RADIUS server lost. Trying secondary server.
Alert Syntax: Accounting#Major#Connection to primary RADIUS server lost. Trying
secondary server.
Definition: Indicates that the NetAccountant's connection to the primary RADIUS server
has failed. This could be due to difficulties on either side of the connection.

Alert Message: Failed to dispatch accounting data. This may be due to a lack of disk
space at destination.
Alert Syntax: Accounting#Major#Failed to dispatch accounting data. This may be due to a
lack of disk space at destination.
Definition: Indicates that the NetAccountant module was unable to send the accounting
data to an external server.

Alert Message: The Service catalog update failed.
Alert Syntax: Service update#Info#The Service catalog update failed.
Definition: Indicates that the online Service catalog update failed and was aborted.

Alert Message: The Service catalog update was completed successfully.
Alert Syntax: Service update#Info#The Service catalog update was completed
successfully.
Definition: Indicates that the online Service catalog update was successful.

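Predefined alerts are not forwarded to email, SMS or SNMP targets, so a site that wants them in a central log has to collect them from the Alerts Log itself. The following added example (written for this edition, not NetEnforcer code) parses lines in the Module#Severity#Message syntax from the table above, recovers the value substituted for each %s, and separates malformed lines from well-formed ones. The templates are copied from the table; the field name given to each %s, the Alert class, the parse_log/at_least helpers and the sample log lines are assumptions for illustration.

```python
"""Added example (not NetEnforcer code): parsing the Module#Severity#Message alert syntax.

The templates below are copied from the guide's table of predefined alerts; the
field names given to each %s placeholder, the Alert class and the sample log are
assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# "Information" is the Alerts Editor's name for the level written as "Info" in the log syntax.
SEVERITY_RANK = {"Info": 0, "Information": 0, "Normal": 1, "Minor": 2, "Major": 3, "Critical": 4}

# Predefined alert syntax from the guide, with a field name for each %s (names assumed).
TEMPLATES: Dict[str, Tuple[str, ...]] = {
    "Accounting#Critical#Connection to both RADIUS servers lost.": (),
    "Accounting#Major#Number of accounting records exceeded limit of %s records.": ("limit",),
    "Accounting#Major#Accounting database error. Table %s is corrupted.": ("table",),
    "Policy Database#Critical#The system has reached the maximum number of rules.": (),
    "Connection Control#Major#Server '%s' of Connection control is down.": ("server",),
    "Connection Control#Major#Server '%s' of Connection control is up.": ("server",),
    "Connection Control#Major#Service '%s' of Connection control is down.": ("service",),
    "Connection Control#Major#Service '%s' of Connection control is up.": ("service",),
    "Service update#Info#The Service catalog update failed.": (),
}


@dataclass
class Alert:
    module: str
    severity: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)  # values substituted for %s
    known: bool = False                                    # matched a template in TEMPLATES


def _template_regex(message_template: str):
    # Escape the literal parts of the message and turn each %s into a capture group.
    parts = [re.escape(p) for p in message_template.split("%s")]
    return re.compile("(.+?)".join(parts))


def parse_alert(line: str) -> Alert:
    """Split one alert line into module, severity and message; reject malformed input."""
    parts = line.strip().split("#", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected Module#Severity#Message, got: {line!r}")
    module, severity, message = parts
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r} in: {line!r}")
    alert = Alert(module, severity, message)
    for template, names in TEMPLATES.items():
        t_module, t_severity, t_message = template.split("#", 2)
        if (t_module, t_severity) != (module, severity):
            continue
        match = _template_regex(t_message).fullmatch(message)
        if match:
            alert.fields = dict(zip(names, match.groups()))
            alert.known = True
            break
    return alert


def parse_log(lines: List[str]) -> Tuple[List[Alert], List[str]]:
    """Parse every line; malformed lines are returned separately instead of aborting."""
    alerts, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        try:
            alerts.append(parse_alert(line))
        except ValueError:
            rejected.append(line)
    return alerts, rejected


def at_least(alerts: List[Alert], severity: str) -> List[Alert]:
    """Alerts whose severity is at or above the given level (e.g. the ones worth paging on)."""
    floor = SEVERITY_RANK[severity]
    return [a for a in alerts if SEVERITY_RANK[a.severity] >= floor]


# Constructed sample log: three lines matching TEMPLATES, one well-formed line not in
# TEMPLATES, and one malformed line.
SAMPLE_LOG = [
    "Connection Control#Major#Server 'cc-primary' of Connection control is down.",
    "Accounting#Major#Number of accounting records exceeded limit of 50000 records.",
    "Service update#Info#The Service catalog update failed.",
    "Rule matching#Normal#Event/s of access deny.",
    "garbage line without separators",
]

if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for a in at_least(parsed, "Major"):
        print(a.module, a.severity, a.fields)
    print("rejected:", bad)
```

Matching on the whole message rather than on a substring matters here: "Server '%s' of Connection control is down." and "... is up." share their prefix, and a prefix match would report a recovered server as still down.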
Additionally, there are three types of system alerts, as follows:

Alert Module Failure If the alert functionality within NetEnforcer fails, an alert
is triggered.
DoS Attack If there is a DoS attack within NetEnforcer, an alert is
triggered. Additional information is given in Chapter 10,
Detecting Security Threats.
Access Control Exceptional Events If an unauthorized user tries to enter NetEnforcer,
an alert is triggered. Authorized users are specified in the
Access Control tab in the NetEnforcer Configuration window
(described in Chapter 4, Configuring NetEnforcer).


To define alerts in the Alerts Editor:


1. From the NetEnforcer Control Panel, click Alerts and then select Alerts Editor. The
Alerts Editor is displayed.

Figure 9-2 – Alerts Editor


The tabs on the left are where you define the alert and the list on the right displays a
list of all the alert definitions.
2. Select the Definition tab.

3. In the Name field, enter a name for the alert.


4. From the Object Type dropdown list, select the object to observe. This is the object
on which the specified condition must exist for the alert to be triggered. Select one of
the following:
• NetEnforcer
• Pipe
• Virtual Channel
• System
5. If you selected Pipe or Virtual Channel in step 4, the Selected Pipe or Selected VC
field is displayed below the Object Type dropdown list. Select the Pipe or Virtual
Channel to observe by clicking the button and browsing to the required Pipe or
Virtual Channel.
6. In the Condition area, select the condition that must exist on the selected object in
order for the alert to occur. The available conditions vary according to the object
type selected. Additionally, each condition may have different parameters. For a full
list of conditions and their parameters, refer to Conditions for Alerts on page 9-16.
When you have selected a condition, a summary of the alert definition is provided in
the Condition area. For example, when NetEnforcer is selected as the Object Type and
Any Traffic is selected as the Condition, an alert is triggered whenever there is "any
traffic flowing in NetEnforcer".


7. Select the Behavior tab.

Figure 9-3 – Alerts Editor – Behavior Tab


The Behavior tab is where you specify what will happen if the defined conditions in
the Definition tab are fulfilled.


8. In the Enable area, select the Alert is Enabled checkbox to enable the alert
definition.
9. From the Alert Severity dropdown list, select the severity of the alert from the
following:
• Information
• Normal
• Minor
• Major
• Critical
10. In the Dispatch & Action area, select where the alert will be sent (in addition to
the Alerts Log) and any action that should result.
SMS The alert is sent to the SMS target specified in the Alerts tab
in the NetEnforcer Configuration window (described in
Chapter 4, Configuring NetEnforcer).
SNMP Trap The alert is sent as an SNMP trap to the SNMP clients
specified in the SNMP tab in the NetEnforcer Configuration
window (described in Chapter 4, Configuring NetEnforcer).
Email (Primary) The alert is sent to the primary email address specified in the
Alerts tab in the NetEnforcer Configuration window (described
in Chapter 4, Configuring NetEnforcer).
Email (Secondary) The alert is sent to the secondary email address specified in the
Alerts tab in the NetEnforcer Configuration window (described
in Chapter 4, Configuring NetEnforcer).
NOTE:
If details have not been provided in the Alerts and SNMP tabs of the NetEnforcer Configuration
window, a warning is displayed.


11. If required, from the Action dropdown list, select a predefined action that will result
when the alert is triggered. The list below is the set of predefined actions available for
selection. The action is implied in the name.
• ChangeAccessControlToAccept
• ChangeAccessControlToDrop
• ChangeAccessControlToReject
• ChangePriorityToHigh
• ChangePriorityToLow
• ChangePriorityToNormal
• IgnoreQoS
• NetEnforcerBypass
• Reboot
Additional custom actions can be added. Note that NetEnforcerBypass and Reboot affect
the whole device rather than the observed Pipe or Virtual Channel: while in bypass,
traffic passes without policy enforcement. Reserve these actions for conditions that
justify the interruption.
12. In the Action Following Alert area, select whether NetEnforcer will continue to
check for the alert from the following:
• Restart Checking After: Once the alert has occurred, check to see if the
condition exists again after a specified time.
• Restart Checking After Alert Acknowledged: Once the alert has occurred, only
start checking to see if the condition exists again once the alert is acknowledged.
13. Click Add. The alert definition is complete and the alert is added to the list of alerts
in the Defined Alerts List.
14. In order for the alert definition to be applied, you must save it to NetEnforcer. Select
Save to NetEnforcer from the Alerts Editor File menu or click the save button on the
toolbar.
NOTE:
Saving the Alerts Editor re-arms all alert definitions. For a “one time only” alert definition, if the alert
condition exists, an alert is again dispatched. For a “periodic” alert definition, if the alert condition
exists, an alert is dispatched.


Customized Actions
You can define additional actions. These actions are added to the Action drop-down list
and appear alongside the predefined actions. Actions are added through scripts, which
are simply CLI commands saved in a specific location on the NetEnforcer.

Writing the Script


The script may be saved as a text file and copied to the NetEnforcer with an FTP client,
or it can be written directly in the CLI interface using the vi text editor.

Implementing the Script


Scripts written as .txt files must be saved in the /usr/local/swg/Alerts/scripts folder.
Once they are saved in the folder, they appear in the drop-down menu under Action in the
Behavior tab of the Alerts Editor. In addition, scripts must be made executable after
they are saved. To do this, enter the following command:
chmod +x <script_file_name>

Because every executable file in this folder becomes an action that runs on the
NetEnforcer itself whenever the alert fires, restrict write access to the folder to
administrative accounts and review the contents of a script before saving it there.

For more information, please contact your Allot support representative.


Conditions for Alerts


The possible conditions for alerts vary according to the object type selected. The
following table details the conditions available for selection for each object type as well
as the parameters that are displayed according to the condition selected.
Each entry gives the Condition, the Object Type(s) it applies to, the Parameters to
specify, and its Meaning.

Condition: Any Traffic
Object Type: NetEnforcer, Pipe or Virtual Channel
Parameters to specify: No parameters required.
Meaning: When any traffic is flowing in NetEnforcer, the selected Pipe or the selected
Virtual Channel, an alert is triggered.

Condition: No Traffic
Object Type: NetEnforcer, Pipe or Virtual Channel
Parameters to specify: No parameters required.
Meaning: When no traffic is flowing in NetEnforcer, the selected Pipe or the selected
Virtual Channel for 30 seconds, an alert is triggered.

Condition: Traffic Flow
Object Type: NetEnforcer, Pipe or Virtual Channel
Parameters to specify: A "less than" amount, a "more than" amount, or both.
Meaning: When the traffic flow in NetEnforcer, the selected Pipe or the selected Virtual
Channel is less than or more than the specified amounts, an alert is triggered.

Condition: Connection Count
Object Type: NetEnforcer, Pipe or Virtual Channel
Parameters to specify: A "less than" amount, a "more than" amount, or both.
Meaning: When the number of live connections in NetEnforcer, the selected Pipe or the
selected Virtual Channel is less than or more than the specified amounts, an alert is
triggered.

Condition: Connection Establishment Rate
Object Type: NetEnforcer, Pipe or Virtual Channel
Parameters to specify: A "less than" amount, a "more than" amount, or both.
Meaning: When the number of new connections per second in NetEnforcer, the selected
Pipe or the selected Virtual Channel is less than or more than the specified amounts, an
alert is triggered.

Condition: Pipe Count
Object Type: NetEnforcer
Parameters to specify: A "less than" amount, a "more than" amount, or both.
Meaning: When the number of active Pipes in NetEnforcer is less than or more than the
specified amounts, an alert is triggered.

Condition: Virtual Channel Count
Object Type: NetEnforcer
Parameters to specify: A "less than" amount, a "more than" amount, or both.
Meaning: When the number of active Virtual Channels in NetEnforcer is less than or more
than the specified amounts, an alert is triggered.

Condition: Alert Module Fails
Object Type: System
Parameters to specify: No parameters required.
Meaning: If the alert functionality within NetEnforcer fails, an alert is triggered.

Condition: Accounting/RADIUS
Object Type: System
Parameters to specify: No parameters required.
Meaning: If there are exceptional and unusual events in the Accounting/RADIUS
mechanism within NetEnforcer, an alert is triggered.

Condition: DoS Attack
Object Type: System
Parameters to specify: No parameters required.
Meaning: If there is a DoS attack within NetEnforcer, an alert is triggered.

Condition: Access Control
Object Type: System
Parameters to specify: No parameters required.
Meaning: If an unauthorized user tries to enter NetEnforcer, an alert is triggered.
Authorized users are specified in the Access Control tab in the NetEnforcer
Configuration window (described in Chapter 4, Configuring NetEnforcer).

Condition: Router Interface
Object Type: System
Parameters to specify: The router's IP address, the SNMP community of the router, and
the interface you want to monitor (the interface number of the primary or the backup
link). The Alert on Change to field lets you decide when the alert is issued: when the
link goes down, when the link goes up, or every time the link changes status (up/down).
The SNMP community is a credential for the router; NetEnforcer only reads interface
status, so use a read-only community for it.
Meaning: If the link on the access router goes up or down (or either), an alert is
triggered. This enables you to set an alert when the primary link goes down and the
backup link goes into action.

TIP:
Router Interface
The NetEnforcer is sometimes located at the access point, just behind the access router that connects the
enterprise to the Internet. In some cases the access router has two uplinks, one is the primary and one is a
backup link. Usually the backup link will have a lower speed than the primary link.
In these environments there is a need to have the ability to change the policy defined in NetEnforcer when
the primary link at the router fails and the backup link goes into action.
This can be achieved with the NetEnforcer’s Alert module. The Router Interface condition enables you to
define an event of link up/down that happens on the access router. This enables you to set that an alert is
triggered when the primary link goes down and the backup link goes into action.
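The following added example (written for this edition; not NetEnforcer code) models the threshold conditions in the table above together with the Action Following Alert choices from step 12 and the note that saving the Alerts Editor re-arms every definition. The Threshold and AlertEngine classes, the sample definitions and the replayed measurements are assumptions for illustration; the "No Traffic for 30 seconds" and System conditions are not modelled. What it shows is the difference between the two re-arm modes: a time-based definition fires again on its own once the interval has elapsed, whereas one that waits for acknowledgement stays silent however long the condition persists.

```python
"""Added example (not NetEnforcer code): threshold alerts with re-arm semantics.

Threshold and AlertEngine are assumptions for illustration. Behaviour taken from
the guide: a condition can set a "less than" and/or "more than" amount for
traffic flow, connection count or connection establishment rate; after an alert
fires, checking restarts either after a fixed time or only once the alert is
acknowledged; and saving the Alerts Editor re-arms every definition.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Threshold:
    name: str
    metric: str                          # key in each sample, e.g. "new_conn_per_s"
    less_than: Optional[float] = None    # fire when value < less_than
    more_than: Optional[float] = None    # fire when value > more_than
    rearm_after: Optional[float] = None  # seconds; None = "Restart Checking After Alert Acknowledged"

    def __post_init__(self) -> None:
        if self.less_than is None and self.more_than is None:
            raise ValueError(f"{self.name}: specify at least one of less_than / more_than")

    def violated(self, value: float) -> bool:
        return ((self.less_than is not None and value < self.less_than)
                or (self.more_than is not None and value > self.more_than))


class AlertEngine:
    """Evaluates thresholds over periodic samples and suppresses re-firing until re-armed."""

    def __init__(self, definitions: List[Threshold]) -> None:
        self.definitions = definitions
        self._fired_at: Dict[str, float] = {}   # name -> time the alert fired (armed if absent)

    def _armed(self, d: Threshold, now: float) -> bool:
        fired = self._fired_at.get(d.name)
        if fired is None:
            return True
        # Time-based re-arm: armed again once the interval has elapsed.
        return d.rearm_after is not None and now >= fired + d.rearm_after

    def observe(self, now: float, sample: Dict[str, float]) -> List[str]:
        """Feed one measurement; return the names of the alerts that fire on it."""
        fired: List[str] = []
        for d in self.definitions:
            if d.metric not in sample or not self._armed(d, now):
                continue
            if d.violated(sample[d.metric]):
                self._fired_at[d.name] = now
                fired.append(d.name)
        return fired

    def acknowledge(self, name: str) -> None:
        """Operator acknowledgement re-arms an alert that waits for it."""
        self._fired_at.pop(name, None)

    def rearm_all(self) -> None:
        """What saving the Alerts Editor does: every definition is armed again."""
        self._fired_at.clear()


# Constructed definitions: a connection-rate spike (worm/DoS indicator) and a nearly full link.
DEFINITIONS = [
    Threshold("conn-spike", "new_conn_per_s", more_than=500, rearm_after=60),
    Threshold("link-full", "traffic_kbps", more_than=9000),   # waits for acknowledgement
]


def run_timeline(engine: AlertEngine) -> List[List[str]]:
    """Replay a constructed sequence of samples and return what fired at each step."""
    out = []
    out.append(engine.observe(0, {"new_conn_per_s": 100, "traffic_kbps": 5000}))
    out.append(engine.observe(10, {"new_conn_per_s": 800, "traffic_kbps": 9500}))  # both fire
    out.append(engine.observe(20, {"new_conn_per_s": 900, "traffic_kbps": 9600}))  # both suppressed
    out.append(engine.observe(70, {"new_conn_per_s": 900, "traffic_kbps": 9600}))  # 60 s elapsed
    engine.acknowledge("link-full")
    out.append(engine.observe(80, {"new_conn_per_s": 100, "traffic_kbps": 9600}))  # ack re-armed it
    engine.rearm_all()
    out.append(engine.observe(90, {"new_conn_per_s": 100, "traffic_kbps": 9600}))  # save re-arms
    return out


if __name__ == "__main__":
    for step, fired in enumerate(run_timeline(AlertEngine(DEFINITIONS))):
        print(step, fired)
```

The last step is the behaviour the NOTE in step 14 describes: after a save, an alert whose condition still holds is dispatched again even though nobody acknowledged it, so a busy link produces a fresh alert each time the Alerts Editor is saved.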


Defined Alerts List


You can define as many alerts as required. All alert definitions are displayed in the
Defined Alerts List. If an alert is enabled and has been saved to NetEnforcer, then the
alert definition is active in NetEnforcer. This means that should the condition specified
in the definition arise, an alert is triggered.
The Defined Alerts List displays a summary of the alert definition as follows:
Enabled Whether or not the alert definition is enabled.
Name The name of the alert definition.
Severity The severity of the alert definition. The background color of this field
reflects the severity as follows:
Information: Green
Normal: Green
Minor: Yellow
Major: Orange
Critical: Red
Type The type of object: NE (NetEnforcer), Pipe, VC (Virtual Channel) or
System.
Src Name When Pipe or VC is the object type, the name of the Pipe or Virtual
Channel.
Condition A summary of the condition that must exist in order for the alert to be
triggered.
Disp Where the alert will be sent (in addition to the Alerts Log) and what
action will occur when the alert is triggered.
Recheck Once the alert has occurred, whether (and if so, when) NetEnforcer will
continue to check for the alert.
You can sort the list of alert definitions by clicking a column header. For example,
clicking Type sorts the alerts according to type.

From the Defined Alerts List, you can enable and disable alerts as required. Simply
select or deselect the Enabled checkbox on the left of the list.
To modify an alert definition, select it in the Defined Alerts List, make the required
changes in the Definition and Behavior tabs and click Update.
To delete an alert definition, select it in the Defined Alerts List and click Delete.

NOTE:
You can also delete an alert definition by right-clicking it in the Defined Alerts List and selecting Delete.

Alerts Editor Menus and Toolbar


The menu options and toolbar buttons available in the Alerts Editor are as follows:

Menu/Command           Function
File
  Save to NetEnforcer  Saves the alert definitions to NetEnforcer. Saving the Alerts Editor re-arms
                       all alert definitions.
  Reload Alerts        Reloads the last set of saved alert definitions in the Alerts Editor.
  Print                Enables you to print the list of alert definitions.
  Exit                 Closes the Alerts Editor.
Edit
  Delete               Deletes the selected alert definition.
  Enable All           Enables all the alert definitions in the list.
  Disable All          Disables all the alert definitions in the list. When an alert definition is
                       disabled, NetEnforcer does not consider it.
  Select All           Selects all the alert definitions in the list.
View
  Sort by              Enables you to sort the list of alert definitions according to column headers.
Options
  Load Alert Log       Opens the Alerts Log. You can also access the Alerts Log by right-clicking an
                       alert definition in the Defined Alerts List and selecting Open Alerts Log.
Help
  Index                Provides access to online help.

The status bar in the Alerts Editor provides the following information:
• Last action performed.
• Selected alert/Total number of alert definitions.
• Sort condition.
• Mod is displayed when alert definitions have been modified. It is removed once the
alert definitions have been saved to NetEnforcer.

Alerts Log
The Alerts Log displays a list of the alerts triggered by the alert definitions. Information
such as the date of the alert, the source of the alert as well as the severity of the alert is
displayed.
TIP:
The color of the Alerts button in the NetEnforcer Control Panel reflects the most severe unacknowledged
alert in the Alerts Log. If the color is gray, an undetermined state exists. This is normally when there is a
communication problem.

To open the Alerts Log:

Access the Alerts Log in any of the following ways:
• From the NetEnforcer Control Panel, click Alerts and then select Alerts Log.
• In the Alerts Editor, select Load Alert Log from the Options menu.
• In the Alerts Editor, right-click an alert definition and select Load Alert Log.
An example Alerts Log is shown below:

Figure 9-4 – Alerts Log

The Alerts Log, which is automatically refreshed every 30 seconds, provides the
following information for each alert:
Ack Whether or not you have acknowledged the alert. Acknowledging
an alert re-arms the alert definition so that NetEnforcer again
checks to see if the alert condition exists.
NetEnforcer Date The time and date on NetEnforcer when the event triggering the
alert occurred.
Alert Name The name of the alert definition.
Source The type of object where the event triggering the alert occurred:
NE (NetEnforcer), Pipe, VC (Virtual Channel) or System.
Source Name When the Source is Pipe or VC, the name of the Pipe or Virtual
Channel.
Severity The severity of the alert. The background color of this field
reflects the severity as follows:
Information: Green
Normal: Green
Minor: Yellow
Major: Orange
Critical: Red
Description A summary of the event triggering the alert.
You can sort the list of alerts by clicking a column header. For example, clicking
NetEnforcer Date sorts the alerts according to date and displays them in date order.

Alerts Log Menus and Toolbar


The menu options and toolbar buttons available in the Alerts Log are as follows:

Menu/Command             Function
File
  Reload                 Rereads the alert log data on NetEnforcer and refreshes the display of the
                         Alerts Log.
  Print                  Enables you to print the list of alerts.
  Exit                   Closes the Alerts Log.
Edit
  Clear Selected         Clears selected alerts from the Alerts Log. You can also clear alerts from
                         the Alerts Log by right-clicking the alert and selecting Clear.
  Clear All              Clears all alerts from the Alerts Log.
  Acknowledge Selected   Acknowledges selected alerts in the Alerts Log. Acknowledging an alert
                         re-arms the alert definition so that NetEnforcer again checks to see if the
                         alert condition exists.
  Unacknowledge Selected Unacknowledges selected alerts in the Alerts Log.
  Acknowledge All        Acknowledges all alerts in the Alerts Log.
  Unacknowledge All      Unacknowledges all alerts in the Alerts Log.
  Select All             Selects all alerts in the Alerts Log.
View
  Sort by                Enables you to sort the list of alerts according to column headers.
  Set Filters            Enables you to filter the display of alerts.
  Clear Filters          Clears any filters applied to the display of alerts and displays all alerts.
Search
  Find                   Enables you to search the list of alerts for a specified keyword or phrase.
Options
  Edit Alert Definition  Opens the Alerts Editor enabling you to modify alert definitions as required.
                         You can also access the Alerts Editor by right-clicking an alert definition
                         in the Alerts Log and selecting Edit Definition.
Help
  Index                  Provides access to online help.

The status bar in the Alerts Log provides the following information:
• Last action performed.
• Selected alert/Total number of alerts.
• Sort condition.
• Whether a filter is in effect.

Accessing Monitoring Graphs


The Alerts Log provides direct access to real-time monitoring graphs. This is very
useful and enables you to quickly access a monitoring graph for closer inspection of a
problematic situation. For example, if an alert is triggered on a particular Pipe because
the number of live connections in the Pipe has exceeded a specified amount, you can
access the real-time monitoring graphs for the Pipe to understand more clearly if there is
a problem or if your QoS policy requires modification.
To access monitoring graphs from the Alerts Log, right-click an alert and select from
the options displayed. The monitoring graphs available vary according to the object type
selected.

Filtering Alerts
You can apply a filter to the Alerts Log so that only alerts matching the filter are
displayed. This is useful because the Alerts Log may include up to 10,000 alerts.

To define a filter:

1. From the View menu in the Alerts Log, select Set Filters or click the Set Filters button in the toolbar.
The Set Filters for Alerts Log dialog box is displayed:

Figure 9-5 – Set Filters for Alerts Log Dialog Box: Severity Tab

2. Select Filter Alerts as Indicated.

3. Define the filter parameters in the different tabs as follows (only the alerts that match
the filter parameters will be displayed):
• In the Severity tab, select the Severity levels as required: Critical, Major,
Minor, Normal, Info.
• In the Acknowledge tab, select Acknowledged or Unacknowledged.

Figure 9-6 – Set Filters for Alerts Log Dialog Box: Acknowledge Tab
• In the Source Type tab, select the object type: NE, System, Pipe, VC.

Figure 9-7 – Set Filters for Alerts Log Dialog Box: Source Type Tab

• In the Names & Description tab, select one or more of the following and specify
keywords as required: Match Source Names Containing, Match Descriptions
Containing, Match Alert Names Containing.

Figure 9-8 – Set Filters for Alerts Log Dialog Box: Names & Description Tab

NOTE:
The relationship between the parameters on each tab is AND. The relationship between the tabs is OR.

4. Click OK.

The filter is applied. Only the alerts that match the filter parameters are displayed in the
Alerts Log and Filtered is displayed in the status bar.

To clear a filter, select Clear Filters from the View menu or click the Clear Filters button in the toolbar.

Chapter 10: Detecting Security Threats

This chapter describes the threat of DoS attacks on network performance and the ways
in which NetEnforcer detects and handles DoS attacks.

This chapter includes the following sections:


Overview, page 10-1, describes the basic idea behind DoS attacks on the network.
Detecting and Handling DoS Attacks, page 10-2, describes how NetEnforcer
identifies and responds to DoS attacks, as well as the DoS parameters configured in the
Denial of Service (DoS) tab of the NetEnforcer Configuration window.
Additional Protective Mechanisms, page 10-5, describes some of the NetEnforcer's
built-in mechanisms for protection against DoS attacks.
Security Alerts, page 10-6, describes the security alerts issued when a suspected attack
has been detected.

Overview
As the reliance on Internet communications increases, the importance of maintaining
the security and reliability of network services has become an increasingly critical issue.
Denial of Service (DoS) attacks are some of the most common ways in which hackers
attempt to disrupt network services. A DoS attack is an attack on a system or network
that causes a loss of service to users, typically the loss of network connectivity and
services by overloading the computational resources of the victim system.
DoS attacks are typically executed by sending multiple packets to a targeted Internet
server (usually a Web, FTP, or Mail server), which floods the server's resources,
making the system unusable. Any system that is connected to the Internet and is
equipped with TCP-based network services is subject to attack.

Detecting and Handling DoS Attacks


During a DoS attack, unwanted traffic deluges the network alongside the legitimate
traffic on the network. By monitoring the rate of new connections, NetEnforcer is able
to detect attempted DoS attacks and take the necessary actions to minimize their impact
on legitimate network traffic by identifying the focal point of the attack.
Normal traffic patterns are defined in the NetEnforcer. When significant irregularities
are detected, the traffic most likely to be part of the attack is identified and handled
according to the configured DoS parameters.
For example, in normal conditions, IP traffic that is neither TCP nor UDP (e.g. ICMP traffic)
typically constitutes less than 10% of the total network connections. A Smurf DoS attack,
which uses forged ICMP echo requests, generates multiple ICMP connections. Upon
detecting a high level of new ICMP connections (greater than 10% of all new
connections), NetEnforcer drops the ICMP connections while maintaining the
connections for other protocols.

Similarly, NetEnforcer can be configured to identify problematic ports that have been
identified as commonly used by known worms. When NetEnforcer detects an abnormal or
increased incidence of new connections on such a port, the traffic on that specific port
can be dropped without affecting other TCP connections. The source IP address that
generated these connections is saved in the log file.
NOTE:
To view the list of worm source IP addresses in the log,

Denial of Service (DoS) Parameters


NetEnforcer analyzes the distribution of traffic across the various protocols and ports,
and admits or drops excess traffic when predefined thresholds have been exceeded,
according to the DoS parameters configured in the Denial of Service (DoS) tab of the
NetEnforcer Configuration window.
NOTE:
For details on NetEnforcer configuration, refer to Chapter 4, Configuring NetEnforcer.

The Denial of Service (DoS) tab includes parameters that enable you to determine the
frequency and number of connections, as follows:

In Case of Denial of Service Attack, New Flows will be
    The action that NetEnforcer takes when it reaches the maximum rate of new
    connections allowed for the model. The options in the dropdown menu are as follows:
    Admitted without QoS: New connections (flows) are admitted, but are not classified,
    and no QoS policy is applied. This is the default setting.
    Dropped: New connections (flows) are dropped.

Number of Connections Within NetEnforcer will be Limited to
    You are able to define the threshold for traffic suspected as an attack by
    specifying the number of connections allowed at any one time.
    The default is the maximum number of connections your NetEnforcer model can
    handle. For the maximum number of connections your NetEnforcer model can handle,
    see the hardware description table on page 2-2 in Chapter 2, Installing NetEnforcer.
    To view the number of connections over a specified period of time, refer to the
    Connections graph in Chapter 6, Monitoring Network Traffic. This will assist in
    entering a realistic definition of an attack.

Maximum New Connections Establishment Rate (CER)
    You are able to define the threshold for traffic suspected as an attack by
    specifying the number of new connections allowed per second.
    To view the number of connections per second, refer to the Connections graph in
    Chapter 6, Monitoring Network Traffic. This will assist in entering a realistic
    definition of an attack.
    If the field is left blank, the NetEnforcer uses its default setting.

Additional Protective Mechanisms


NetEnforcer has four additional built-in mechanisms for protection against DoS attacks,
as follows:
• NetEnforcer drops ICMP packets beyond the maximum number of new
connections per second, before they are inserted into its internal buffer. This
number varies between NetEnforcer models.
• When NetEnforcer detects a high connection rate beyond the maximum number of
new connections per second, it drops TCP/UDP packets of new flows.
• When NetEnforcer detects a high connection rate that seems to be an attack
targeted for a specific address, then it drops TCP / UDP packets with the same
destination IP (spoofed) address, before they are inserted into its internal buffer.
• NetEnforcer limits the number of connections per interface, Virtual Channel or
Pipe (for example, cap ICMP packets to a server farm to a limit, say 500).

Security Alerts
Alerts are issued by NetEnforcer when a suspected security threat has been detected.
The following alert messages are defined in the system by default.
Alert Message and Description

“DoS attack suspected: Connection establishment rate is close to the threshold”
    The NetEnforcer monitors the rate at which connections flowing through the unit are
    established. This alert is triggered when the connection rate is unusually high.
“DoS attack suspected: Abnormal high connection establishment rate of XXX”
    The NetEnforcer monitors the rate at which connections of various types are
    established. The types of connections monitored are AnyIP (IP traffic which is not
    TCP or UDP), TCP and UDP. This alert is triggered when the rate at which connections
    of a certain type are established is unusually high.
“DoS attack suspected: Abnormal high connection establishment rate on port XXX”
    The NetEnforcer monitors the rate at which TCP connections on various ports are
    established. This alert is triggered when the rate at which connections are
    established on a specific port is unusually high.
“Alarm Max Connections XXX triggered”
    The NetEnforcer monitors the number of concurrent connections flowing through the
    unit. When the number of concurrent connections reaches the unit's overall limit,
    this alert is triggered. The limit can be manually defined in the NetEnforcer GUI
    under the Configuration menu.
“Alarm Max Connections resolved”
    This alert is triggered after an “Alarm Max Connections XXX triggered” alarm has
    been triggered and the number of connections has returned to normal (below 95% of
    the defined limit).
“DoS attack of the type 'smurf' started”
    The NetEnforcer has detected an attack characterized by a large number of ICMP
    packets.
“DoS attack of the type 'smurf' ended”
    This alert is triggered after a “DoS attack of the type 'smurf' started” alarm has
    been triggered and the conditions have returned to normal.
“DoS attack of the type 'UDP flood' started”
    The NetEnforcer has detected an attack characterized by a large number of UDP
    packets.
“DoS attack of the type 'UDP flood' ended”
    This alert is triggered after a “DoS attack of the type 'UDP flood' started” alarm
    has been triggered and the conditions have returned to normal.
“DoS attack of the type 'SYN' started”
    The NetEnforcer has detected an attack characterized by a large number of TCP
    packets.
“DoS attack of the type 'SYN' ended”
    This alert is triggered after a “DoS attack of the type 'SYN' started” alarm has
    been triggered and the conditions have returned to normal.
The alert messages are displayed in the Alerts log.
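The following is an added example, written for this guide and not part of Allot's software, that models in Python the threshold logic behind the alert messages listed above and the connection-rate checks described under Detecting and Handling DoS Attacks: the new-connection rate against the CER threshold, the share of AnyIP (non-TCP/UDP) new connections against the 10% figure given earlier, per-port rates on ports the operator has chosen to watch, and the Alarm Max Connections trigger and 95% resolve hysteresis. The sample counts, the 90% "close to the threshold" ratio, the watched port and its limit are constructed assumptions; NetEnforcer's internal thresholds are not documented on this page.

```python
"""Added example: threshold logic modelled on the NetEnforcer DoS alerts (not Allot code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DosThresholds:
    """Operator-chosen thresholds (constructed values; the real ones come from the DoS tab)."""
    max_cer: int                 # Maximum New Connections Establishment Rate, per second
    near_ratio: float = 0.9      # "close to the threshold" = at or above 90% of max_cer (assumption)
    anyip_share: float = 0.10    # page: non-TCP/UDP traffic is normally under 10% of new connections
    watched_ports: dict = field(default_factory=dict)  # TCP port -> max new connections/s (constructed)


def evaluate_sample(sample: dict, t: DosThresholds) -> list[str]:
    """Return the alert messages a one-second sample of new connections would raise."""
    total = sample["tcp"] + sample["udp"] + sample["anyip"]
    alerts = []
    if total >= t.max_cer * t.near_ratio:
        alerts.append("DoS attack suspected: Connection establishment rate is close to the threshold")
    if total and sample["anyip"] / total > t.anyip_share:
        alerts.append("DoS attack suspected: Abnormal high connection establishment rate of AnyIP")
    for port, limit in sorted(t.watched_ports.items()):
        if sample["ports"].get(port, 0) > limit:
            alerts.append(f"DoS attack suspected: Abnormal high connection establishment rate on port {port}")
    return alerts


class MaxConnectionsMonitor:
    """Tracks concurrent connections against the unit limit, with the 95% resolve
    hysteresis the page describes for 'Alarm Max Connections'."""

    def __init__(self, limit: int, resolve_ratio: float = 0.95):
        self.limit = limit
        self.resolve_below = limit * resolve_ratio
        self.alarm_active = False

    def observe(self, live_connections: int) -> Optional[str]:
        if not self.alarm_active and live_connections >= self.limit:
            self.alarm_active = True
            return f"Alarm Max Connections {self.limit} triggered"
        if self.alarm_active and live_connections < self.resolve_below:
            self.alarm_active = False
            return "Alarm Max Connections resolved"
        return None   # no state change: either still normal, or still above the resolve point


def run_samples(samples: list[dict], t: DosThresholds) -> list[list[str]]:
    return [evaluate_sample(s, t) for s in samples]


def run_live_counts(counts: list[int], limit: int) -> list[Optional[str]]:
    mon = MaxConnectionsMonitor(limit)
    return [mon.observe(c) for c in counts]


# Constructed sample data: three one-second snapshots of new connections by type and port
SAMPLES = [
    {"tcp": 300, "udp": 50, "anyip": 10, "ports": {135: 2}},    # quiet
    {"tcp": 800, "udp": 100, "anyip": 150, "ports": {135: 5}},  # rate near limit, AnyIP share high
    {"tcp": 400, "udp": 20, "anyip": 5, "ports": {135: 120}},   # burst on a watched port
]
THRESHOLDS = DosThresholds(max_cer=1000, watched_ports={135: 50})  # constructed port and limit
LIVE_COUNTS = [900, 1000, 980, 960, 940]  # constructed concurrent-connection readings

if __name__ == "__main__":
    for i, alerts in enumerate(run_samples(SAMPLES, THRESHOLDS)):
        print(i, alerts)
    print(run_live_counts(LIVE_COUNTS, 1000))
```

The hysteresis in `MaxConnectionsMonitor` is the point worth copying into any home-grown monitor: without it a count hovering around the limit would raise and resolve the alarm on every sample, and the Alerts Log would fill with noise.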

Chapter 11: SNMP Monitoring

This chapter describes the NetEnforcer SNMP-based statistics and how to generate
MRTG reports.

This chapter includes the following sections:


Viewing SNMP Statistics and Getting Traps, page 11-2, provides an overview of the
SNMP statistics available in NetEnforcer.
Working with SNMP-Based Management Tools, page 11-11, describes MRTG and
describes how to install and use the MRTG tool in NetEnforcer.

Viewing SNMP Statistics and Getting Traps
NetEnforcer generates traffic statistics and standard SNMP MIB-II statistics. A standard
SNMP viewer, such as SNMPc (see http://www.castlerock.com), polls NetEnforcer
using a standard SNMP GET command and presents the statistics in a graph.
NetEnforcer SNMP-based statistics enable you to automatically generate MRTG (a
well-known free tool for viewing SNMP-type statistics) reports daily, weekly,
monthly and yearly.
MRTG-type reports are ready to view with any browser (HTML format) and contain a
two-dimensional graphic representation of the statistics. For example, you can view
bandwidth usage on each defined Virtual Channel or Pipe and also on the
internal/external interfaces.
An example for setting up a specific view is provided, although more graphs can be
generated. For more information on MRTG see http://people.ee.ethz.ch/~oetiker/
webtools/mrtg.
NetEnforcer supports SNMP traps and you can use your SNMP management station to
get traps (alerts) for various system and network events.

Supported SNMP MIBs


NetEnforcer includes an SNMP (Simple Network Management Protocol) agent that
supports the RFC 1213/MIB-II standard and Allot MIBs. The agent provides MIB
information when polled and issues traps for specific conditions.

NetEnforcer is the authoritative source of the following MIB files that include
measurement engine variables recorded on a one-second basis and are available via the
Tools button on your NetEnforcer Control Panel:
• COMPANY-MIB.txt - includes traps.
• VC-MIB.txt - includes Virtual Channel related statistics.
• PIPE-MIB.txt - includes Pipe related statistics.
• NE-STAT-MIB.txt - includes NetEnforcer level related statistics.
The private MIB of Allot includes SNMP statistics, as follows:
• Bytes in/out/total per Virtual Channel, Pipe and NetEnforcer
• Packets in/out/total per Virtual Channel, Pipe and NetEnforcer
• Number of connections and number of new connections per second

NOTE:
Specifications of MIB-II (rfc1213.mib) can be found at http://www.ietf.org/rfc1213.txt?number=1213.

Access Permissions
To get SNMP statistics, you need to enter community (password) parameters. The
community parameters, found in the SNMP tab of the NetEnforcer Configuration
window, are as follows:
Read Community The SNMP community for devices reading SNMP variables
from NetEnforcer.
Write Community The SNMP community for devices setting SNMP variables to
NetEnforcer.
Trap Community The SNMP community to receive NetEnforcer SNMP traps.
Trap Destination The IP address of the Network Management Console that
receives the NetEnforcer-generated SNMP traps. It can be a
local host.
Refer to Chapter 4, Configuring NetEnforcer, for further information.
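The following is an added example, not part of this guide or of Allot's software, that builds by hand the SNMPv2c GetRequest an SNMP viewer such as SNMPc or MRTG sends when it polls NetEnforcer (the standard SNMP GET command mentioned at the start of this chapter), and decodes it again. It is written for the vcByteCountIn.1.0.6.0 counter that the MRTG configuration later in this chapter polls; the full OID is taken from the Allot MIB tree on the following pages. The community "public" and the request-id are constructed values. The decoder recovers the community directly from the bytes, which is the practical reason the Read and Write Community parameters above deserve the same handling as passwords: in SNMP v1 and v2c they cross the network unencrypted, and a disclosed Write Community allows settings such as the trap destination to be changed via SNMP, so restrict where polls can originate and watch for the Authentication failure trap.

```python
"""Added example: hand-built SNMPv2c GetRequest (BER) for an Allot counter, plus a decoder."""
from __future__ import annotations

VERSION_V2C = 1  # the ":::::2" suffix in the MRTG targets on this page selects v2c


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_get_request(community: str, oids: list[str], request_id: int = 1) -> bytes:
    """SNMP message = SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU [0] }."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)  # value is NULL in a request
    pdu = _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbinds)
    return _tlv(0x30, _integer(VERSION_V2C) + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_get_request(msg: bytes) -> tuple[int, str, list[str]]:
    """Return (request_id, community, oids). The community is read straight from the
    bytes: v1/v2c carry it as a plain OCTET STRING, so anyone capturing the poll sees it."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = _read_tlv(body, 0)            # version
    _, community, pos = _read_tlv(body, pos)  # community string
    tag, pdu, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a GetRequest PDU")
    _, rid, pos = _read_tlv(pdu, 0)           # request-id
    _, _, pos = _read_tlv(pdu, pos)           # error-status
    _, _, pos = _read_tlv(pdu, pos)           # error-index
    _, varbind_list, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = _read_tlv(varbind_list, pos)
        _, oid_body, _ = _read_tlv(varbind, 0)
        oids.append(_decode_oid(oid_body))
    return int.from_bytes(rid, "big"), community.decode(), oids


# vcByteCountIn.1.0.6.0 from the MRTG target on this page, as a full OID read from the Allot tree:
# enterprises(1).AllotCom(2603).neStatistics(1).vcStatMIB(3).vcStat(1).vcStatTable(1).vcEntry(1).vcByteCountIn(6)
VC_BYTE_COUNT_IN_FALLBACK = "1.3.6.1.4.1.2603.1.3.1.1.1.6.1.0.6.0"

if __name__ == "__main__":
    packet = encode_get_request("public", [VC_BYTE_COUNT_IN_FALLBACK], request_id=42)
    print(packet.hex())
    print(decode_get_request(packet))
```

To actually poll a unit, the bytes returned by `encode_get_request` are sent in a UDP datagram to port 161 of the NetEnforcer and the GetResponse (tag 0xA2) is read back; the example deliberately stops short of the network so that it runs offline.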

Configuring Trap Destinations


NetEnforcer supports one destination for SNMP traps. Configure the address via your
browser in the SNMP tab of the NetEnforcer Configuration window (described in
Chapter 4, Configuring NetEnforcer). The destination can also be set via SNMP itself.

Traps
The NetEnforcer SNMP agent issues the following traps:

Trap Name               Number  Action
Cold Start              0       Reboot and restart the SNMP process.
Link Down               2       Disconnecting the internal or external interface forces the Link Down
                                trap to occur. When, after rebooting, NetEnforcer becomes active, the
                                Link Down trap occurs according to the internal and external NIC status.
Link Up                 3       Connecting both the internal and external interfaces forces the Link Up
                                trap to occur. When, after rebooting, NetEnforcer becomes active, the
                                Link Up trap occurs according to the internal and external NIC status.
Authentication failure  4       Request with wrong community.
NePrimaryActive         6-11    This trap is sent when the primary NetEnforcer changes to Active mode.
NePrimaryBypass         6-12    This trap is sent when the primary NetEnforcer changes to Bypass mode.
NeSecondaryActive       6-13    This trap is sent when the secondary NetEnforcer changes to Active mode.
NeSecondaryStandBy      6-14    This trap is sent when the secondary NetEnforcer changes to Standby mode.
NeSecondaryBypass       6-15    This trap is sent when the secondary NetEnforcer changes to Bypass mode.

MIB-II Support
The NetEnforcer SNMP agent supports the following MIB-II groups: System,
Interfaces, Address Translation, IP, ICMP, TCP, UDP and SNMP.
The MIB-II object groups are shown in the following tree diagram:

iso (1)
  org (3)
    dod (6)
      internet (1)
        directory (1)
        mgmt (2)
          mib-2 (1)
            system (1)
            interfaces (2)
            at (3)
            ip (4)
            icmp (5)
            tcp (6)
            udp (7)
            snmp (11)
        experimental (3)
        private (4)
          enterprises (1)
            AllotCom (2603)

The Allot MIB tree is shown in the following tree diagram (* = index of table):

AllotCom (2603)
  neStatistics (1)
    neStatMIB (1)
      neStat (1)
        neByteCountIn (1)
        neByteCountOut (2)
        neByteCountTotal (3)
        neLiveConnections (4)
        neNewConnections (5)
        nePacketsIn (6)
        nePacketsOut (7)
        nePacketsTotal (8)
    pipeStatMIB (2)
      pipeStat (1)
        pipeStatTable (1)
          pipeEntry (1)
            pipePosition (1)*
            pipeInstancePosition (2)*
            pipeName (3)
            pipeByteCountIn (4)
            pipeByteCountOut (5)
            pipeByteCountTotal (6)
            pipeLiveConnections (7)
            pipeNewConnections (8)
            pipePacketsIn (9)
            pipePacketsOut (10)
            pipePacketsTotal (11)
    vcStatMIB (3)
      vcStat (1)
        vcStatTable (1)
          vcEntry (1)
            vcPipePosition (1)*
            vcPipeInstancePosition (2)*
            vcPosition (3)*
            vcInstancePosition (4)*
            vcName (5)
            vcByteCountIn (6)
            vcByteCountOut (7)
            vcByteCountTotal (8)
            vcLiveConnections (9)
            vcNewConnections (10)
            vcPacketsIn (11)
            vcPacketsOut (12)
            vcPacketsTotal (13)
    qidPipeStatMIB (4)
      qidPipeStat (1)
        qidPipeStatTable (1)
          qidPipeEntry (1)
            qidPipeTemplateId (1)*
            qidPipeInstanceId (2)*
            qidPipeByteCountIn (3)
            qidPipeByteCountOut (4)
            qidPipeByteCountTotal (5)
            qidPipeLiveConnectiosn (6)
            qidPipeNewConnections (7)
            qidPipePacketsIn (8)
            qidPipePacketsOut (9)
            qidPipePacketsTotal (10)
    qidVcStatMIB (5)
      qidVcStat (1)
        qidVcStatTable (1)
          qidVcEntry (1)
            qidVcPipeTemplateId (1)*
            qidVcPipeInstanceId (2)*
            qidVcTemplateId (3)*
            qidVcInstanceId (4)*
            qidVcByteCountIn (5)
            qidVcByteCountOut (6)
            qidVcByteCountTotal (7)
            qidVcLiveConnectiosn (8)
            qidVcNewConnections (9)
            qidVcPacketsIn (10)
            qidVcPacketsOut (11)
            qidVcPacketsTotal (12)
  NeTraps (2)
    nePrimaryActive (11)
    nePrimaryBypass (12)
    neSecondaryActive (13)
    neSecondaryStandBy (14)
    neSecondaryBypass (15)
    neAlertEvent (22)

Accessing the Allot MIBs


You must download the Allot MIBs via the Tools button in the NetEnforcer Control
Panel. There are two zip files containing slightly different MIBs, as follows:
Mibs.zip                   MibsQID.zip
COMPANY-MIB.txt            COMPANY-MIB.txt
NE-STAT-MIB.txt            NE-STAT-MIB.txt
PIPE-MIB.txt               QID-PIPE-MIB.txt
VC-MIB.txt                 QID-VC-MIB.txt
MRTG_Config_for_MIBs.cfg   MRTG_Config_for_MIBs.cfg

Mibs.zip provides position MIBs whereby the index of the MIBs is according to the
position of the Pipe or Virtual Channel in the policy table. MibsQID.zip provides ID
MIBs whereby the index of the MIBs is according to the internal ID of the Pipe or
Virtual Channel. You can download one or both of these zip files.
Both of the zip files also contain the Allot configuration file
(MRTG_Config_for_MIBs.cfg).
To download Allot MIBs:
1. From the NetEnforcer Control Panel, click Tools and select Download Allot MIBs
and then VC/Pipe by ID or VC/Pipe by Position.
2. Download the files contained in the zip file to a local drive.

3. Repeat steps 1 and 2 for the second MIB zip file if required.

4. Use your network management application's MIB integration tool to compile the
Allot MIBs.
5. Query the Allot MIB objects using your network management application. You can
produce graphs based on the statistics generated.

Using the Allot Position MIBs


The Allot MIBs extend the basic SNMP MIB-II and include information on Pipes and
Virtual Channels in the form of tables. These tables are ordered according to the
policy table (in the Policy Editor), described in Chapter 8, Defining Policies.
The object ID of an entry in the Pipe table is constructed from the Pipe position in the
policy table and the Pipe instance (host) position in the host group. The object ID of an
entry in the Virtual Channel table is constructed from the Pipe position in the policy
table, the Pipe instance (host) position in the host group, the Virtual Channel position in
the Pipe and the Virtual Channel instance (host) position in the host group.

When the policy table is modified and the new table is reloaded to the SNMP agent, the
changes will affect the SNMP Pipe and Virtual Channel tables. Thus, a change in the
Pipe/Virtual Channel position will change its object ID accordingly. For example:
Original Policy Table    Object ID
Pipe1                    1.0
Pipe1_Vc1                1.0.1.0
Pipe1_Vc2                1.0.2.0
Pipe2                    2.0
Pipe2_Vc1                2.0.1.0
Pipe2_Vc2                2.0.2.0
Pipe3                    3.0
Pipe3_Vc1                3.0.1.0
Pipe3_Vc2                3.0.2.0

Now Pipe 3 has been moved up and the table looks as follows:

Modified Policy Table    Object ID
Pipe1                    1.0
Pipe1_Vc1                1.0.1.0
Pipe1_Vc2                1.0.2.0
Pipe3                    2.0
Pipe3_Vc1                2.0.1.0
Pipe3_Vc2                2.0.2.0
Pipe2                    3.0
Pipe2_Vc1                3.0.1.0
Pipe2_Vc2                3.0.2.0
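The following is an added example, not code from this guide or from Allot, that builds the position-MIB index and full OID of a Pipe or Virtual Channel from a policy table, reports which OIDs change when the table is reordered, and contrasts this with the ID-MIB form whose index is the internal ID. It makes the point of the two tables above concrete: a monitoring target keyed by position silently starts reporting on a different Pipe or Virtual Channel after a reorder, which is why the ID MIBs exist. The table and column numbers are read from the Allot MIB tree earlier in this chapter; the internal IDs and the absence of host groups (instance position 0 throughout) are constructed assumptions.

```python
"""Added example: Allot position-MIB and ID-MIB object IDs from a policy table (not Allot code)."""
from __future__ import annotations

# Prefixes read from the MIB tree on this page:
# enterprises(1).AllotCom(2603).neStatistics(1).<statMIB>.<stat>(1).<table>(1).<entry>(1)
ALLOT = "1.3.6.1.4.1.2603.1"
PIPE_ENTRY = ALLOT + ".2.1.1.1"      # pipeStatMIB(2)
VC_ENTRY = ALLOT + ".3.1.1.1"        # vcStatMIB(3)
QID_PIPE_ENTRY = ALLOT + ".4.1.1.1"  # qidPipeStatMIB(4)
QID_VC_ENTRY = ALLOT + ".5.1.1.1"    # qidVcStatMIB(5)

# Column numbers from the same tree (a few per table are enough to show the idea)
PIPE_COLUMNS = {"pipeByteCountIn": 4, "pipeByteCountOut": 5, "pipeLiveConnections": 7}
VC_COLUMNS = {"vcByteCountIn": 6, "vcByteCountOut": 7, "vcLiveConnections": 9}
QID_PIPE_COLUMNS = {"qidPipeByteCountIn": 3, "qidPipeByteCountOut": 4}
QID_VC_COLUMNS = {"qidVcByteCountIn": 5, "qidVcByteCountOut": 6}


def position_index(policy: list[tuple[str, list[str]]], name: str) -> str:
    """Index suffix for a Pipe (pipePos.pipeInst) or a VC (pipePos.pipeInst.vcPos.vcInst).
    Instance positions are 0 because the constructed policy uses no host groups."""
    for pipe_pos, (pipe_name, vcs) in enumerate(policy, start=1):
        if pipe_name == name:
            return f"{pipe_pos}.0"
        for vc_pos, vc_name in enumerate(vcs, start=1):
            if vc_name == name:
                return f"{pipe_pos}.0.{vc_pos}.0"
    raise KeyError(name)


def position_oid(policy: list[tuple[str, list[str]]], name: str, column: str) -> str:
    """Full OID of one counter for a Pipe or VC in the position MIBs."""
    index = position_index(policy, name)
    if column in PIPE_COLUMNS:
        return f"{PIPE_ENTRY}.{PIPE_COLUMNS[column]}.{index}"
    return f"{VC_ENTRY}.{VC_COLUMNS[column]}.{index}"


def qid_oid(ids: dict[str, tuple[int, ...]], name: str, column: str) -> str:
    """ID MIBs index by internal template/instance IDs (constructed here), so the
    suffix does not depend on where the object sits in the policy table."""
    index = ".".join(str(i) for i in ids[name])
    if column in QID_PIPE_COLUMNS:
        return f"{QID_PIPE_ENTRY}.{QID_PIPE_COLUMNS[column]}.{index}"
    return f"{QID_VC_ENTRY}.{QID_VC_COLUMNS[column]}.{index}"


def changed_indexes(before, after) -> dict[str, tuple[str, str]]:
    """Objects whose position index differs between two versions of the policy table."""
    names = [p for p, _ in before] + [v for _, vcs in before for v in vcs]
    out = {}
    for n in names:
        old, new = position_index(before, n), position_index(after, n)
        if old != new:
            out[n] = (old, new)
    return out


# Constructed policy tables mirroring the page's example: Pipe3 is moved above Pipe2
ORIGINAL = [("Pipe1", ["Pipe1_Vc1", "Pipe1_Vc2"]),
            ("Pipe2", ["Pipe2_Vc1", "Pipe2_Vc2"]),
            ("Pipe3", ["Pipe3_Vc1", "Pipe3_Vc2"])]
MODIFIED = [ORIGINAL[0], ORIGINAL[2], ORIGINAL[1]]
# Constructed internal IDs: (pipeTemplateId, pipeInstanceId[, vcTemplateId, vcInstanceId])
INTERNAL_IDS = {"Pipe2": (102, 0), "Pipe2_Vc1": (102, 0, 201, 0),
                "Pipe3": (103, 0), "Pipe3_Vc1": (103, 0, 301, 0)}

if __name__ == "__main__":
    print(position_oid(ORIGINAL, "Pipe3_Vc1", "vcByteCountIn"))
    print(position_oid(MODIFIED, "Pipe3_Vc1", "vcByteCountIn"))
    print(changed_indexes(ORIGINAL, MODIFIED))
    print(qid_oid(INTERNAL_IDS, "Pipe3_Vc1", "qidVcByteCountIn"))
```

Running `changed_indexes` against the old and new policy tables before saving is a cheap way to find every MRTG target or alert threshold that must be updated; with the ID MIBs the same reorder changes nothing.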

Working with SNMP-Based Management Tools
This section describes MRTG (one example of an SNMP-based management tool) and
describes how to install and use the MRTG tool in NetEnforcer.

Introducing MRTG
The MRTG (Multi Router Traffic Grapher) tool is used to monitor the traffic load on
your NetEnforcer and is free for personal use. You can download it from
http://people.ee.ethz.ch/~oetiker/webtools/mrtg. A network manager may view
bandwidth usage on each defined Virtual Channel or Pipe and also on the
internal/external interfaces.
The MRTG tool generates HTML pages that present traffic graphs. Using a standard
Web browser, you can view pages, each containing graphs showing daily, weekly,
monthly and yearly information.
Traffic statistics are generated by NetEnforcer and written in a standard SNMP MIB
format. The MRTG tool, using PERL scripts, polls NetEnforcer using a standard SNMP
GET command and saves the data in the host (management PC) log. The log is
automatically consolidated and while the log saves data for the last two years, it does
not grow over time.

NOTE:
If you want to preserve the highest rates as seen on the daily graph, use the "With Peak" option. This will
show the highest values that were recorded in addition to the averages.

Installing MRTG for NetEnforcer


The following procedure describes how to prepare NetEnforcer to work with the MRTG
tool.
To install MRTG:
1. Install MRTG on your computer. (MRTG can be installed on both Unix/Linux and
Windows.)

NOTE:
Download sources or binaries from http://people.ee.ethz.ch/~oetiker/webtools/mrtg/.

2. Install PERL if you do not have it installed. PERL for Windows can be downloaded
from http://www.ActiveState.com.
3. If you have not already done so, download the Allot position MIBs and/or ID MIBs
including the Allot configuration file (MRTG_Config_for_MIBs.cfg). This
procedure is described on page 11-8.

NOTE:
Save the .txt files to C:/Mrtg. If you want to save them to another directory, change the directory
defined in the LoadMIBs line in the configuration file. Save the configuration file
(MRTG_Config_for_MIBs.cfg) to C:/MRTG/bin. This directory is generated during the MRTG
installation.

4. If you are using the ID MIBs, you must get the internal IDs for Pipes and Virtual
Channels for which you want to generate MRTG graphs. From the NetEnforcer
Control Panel, click Tools and select Pipe/VC ID Lookup for SNMP. The Pipe/VC
Lookup for SNMP dialog box is displayed:

Figure 11-1 – Pipe/VC Lookup for SNMP Dialog Box

5. Select a Pipe or Virtual Channel and the ID for the selected item is displayed in the
Entity ID for Selection Above field. Copy and paste the IDs into the configuration
file (MRTG_Config_for_MIBs.cfg).

NOTE:
You could also write down the IDs and then add them to the configuration file.

6. Repeat step 5 to retrieve IDs for all the Pipes and Virtual Channels for which you
want to generate MRTG graphs.
7. Adapt the MRTG_Config_for_MIBs.cfg file to your setup. For example, specify the
NetEnforcer IP address, location of MIB files, SNMP community name and OIDs of
the counters you would like to monitor. Refer to the comments in the allot.cfg file
for more information.
To start the MRTG daemon:
• Start MRTG as a daemon, passing the path to MRTG_Config_for_MIBs.cfg as a
command line parameter. For example, if you installed MRTG on Windows in the
directory C:\mrtg and also copied MRTG_Config_for_MIBs.cfg and the MIB files to
C:\mrtg, the following command starts MRTG in daemon mode with the proper
configuration:
    start /b perl C:\mrtg\bin\mrtg C:\mrtg\MRTG_Config_for_MIBs.cfg

NOTE:
The MIB files must be the same as the files on your NetEnforcer. The files may also be found on
NetEnforcer in /usr/local/share/snmp/mibs/.

In general, you can monitor the following NetEnforcer SNMP counters with MRTG:
• vcByteCountIn, vcByteCountOut, vcByteCountTotal
• vcPacketCountIn, vcPacketCountOut, vcPacketCountTotal
• pipeByteCountIn, pipeByteCountOut, pipeByteCountTotal
• pipePacketCountIn, pipePacketCountOut, pipePacketCountTotal
• neByteCountIn, neByteCountOut, neByteCountTotal
• nePacketCountIn, nePacketCountOut, nePacketCountTotal
• Number of connections
• Number of new connections per second


Example MRTG Configuration File


This example refers to a configuration file named MRTG_Config_for_MIBs.cfg and a
NetEnforcer with IP address 10.10.10.10 and community name public. The MIB files are
located on drive D.
LoadMIBs: d:\COMPANY-MIB.TXT, d:\NE-STAT-MIB.TXT, d:\PIPE-MIB.TXT, d:\VC-MIB.TXT
RunAsDaemon: Yes
WorkDir: d:
This target refers to the inbound and outbound bytes on the Fallback Virtual Channel in
the default database.
Target[vc]: vcByteCountIn.1.0.6.0&vcByteCountOut.1.0.6.0:public@10.10.10.10:::::2
Options[vc]: growright, nobanner
MaxBytes[vc]: 50000000
Title[vc]: Traffic Analysis for AC
PageTop[vc]: <H1>Traffic Analysis – AC</H1>\n VC Out / VC In
WithPeak[vc]: d,w,m,y
Suppress[vc]: y,m
This target refers to the inbound and outbound bytes on the Fallback Pipe in the default
database.
Target[pipe]: pipeByteCountIn.1.0.0&pipeByteCountOut.1.0.0:public@10.10.10.10:::::2
Options[pipe]: growright, nobanner
MaxBytes[pipe]: 50000000
Title[pipe]: Traffic Analysis for AC
PageTop[pipe]: <H1>Traffic Analysis – AC</H1>\n PIPE Out / PIPE In
WithPeak[pipe]: d,w,m,y
Suppress[pipe]: y,m
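As an added example (not part of the NetEnforcer guide or of MRTG itself), the following Python script renders a target block like the ones above from a Pipe/VC entity index copied out of the Pipe/VC ID Lookup dialog, and then applies the counter arithmetic MRTG performs on the polled values: the delta between two consecutive Counter32 readings with one wraparound corrected, and MaxBytes used to discard a rate that can only come from a counter reset (for example after a reboot). The entity index, host, community string and counter samples are constructed for the example; the 32-bit counter width is an assumption, so check the Counter type of the objects in the MIB files shipped with your unit.

```python
"""Render MRTG targets for NetEnforcer Pipe/VC counters and apply MRTG's
counter arithmetic to raw SNMP samples.

Added example; not part of the NetEnforcer guide or of MRTG. The entity
indexes, host, community and counter samples are constructed. The 32-bit
counter width is an assumption: check the Counter type of the objects in
the MIB files shipped with your unit.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTER32_MAX = 2 ** 32  # assumed Counter32 objects


@dataclass
class Sample:
    timestamp: int   # seconds
    bytes_in: int    # e.g. a vcByteCountIn reading
    bytes_out: int   # e.g. a vcByteCountOut reading


def mrtg_target(name: str, kind: str, entity_index: str, host: str,
                community: str, max_bytes: int, version: int = 2) -> str:
    """Render one MRTG target block for a NetEnforcer Pipe ("pipe") or
    Virtual Channel ("vc"). entity_index is the instance suffix copied from
    the Pipe/VC ID Lookup dialog, e.g. "1.0.6.0" for the fallback VC in the
    guide's example. The community string lands in the config file in clear
    text, so protect the file like any other credential store."""
    if kind not in ("vc", "pipe"):
        raise ValueError("kind must be 'vc' or 'pipe'")
    prefix = f"{kind}ByteCount"
    return "\n".join([
        f"Target[{name}]: {prefix}In.{entity_index}&{prefix}Out.{entity_index}"
        f":{community}@{host}:::::{version}",
        f"Options[{name}]: growright, nobanner",
        f"MaxBytes[{name}]: {max_bytes}",
        f"Title[{name}]: Traffic Analysis for {name}",
        f"PageTop[{name}]: <H1>Traffic Analysis - {name}</H1>",
        f"WithPeak[{name}]: d,w,m,y",
        f"Suppress[{name}]: y,m",
    ])


def counter_delta(prev: int, cur: int) -> int:
    """Difference between two Counter32 readings, correcting one wraparound."""
    return cur - prev if cur >= prev else cur + COUNTER32_MAX - prev


def rates(samples: List[Sample], max_bytes: int
          ) -> List[Tuple[Optional[float], Optional[float]]]:
    """Bytes per second (in, out) for each consecutive pair of samples.
    A rate above max_bytes cannot be real traffic on the link; as with
    MRTG's MaxBytes it is reported as None (counter reset after a reboot)."""
    result = []
    for a, b in zip(samples, samples[1:]):
        dt = b.timestamp - a.timestamp
        if dt <= 0:                    # clock went backwards: unusable pair
            result.append((None, None))
            continue
        r_in = counter_delta(a.bytes_in, b.bytes_in) / dt
        r_out = counter_delta(a.bytes_out, b.bytes_out) / dt
        result.append((r_in if r_in <= max_bytes else None,
                       r_out if r_out <= max_bytes else None))
    return result


# Constructed samples at a 300 s polling interval. The second pair wraps the
# 32-bit "in" counter; the last pair is a counter reset after a reboot.
SAMPLES = [
    Sample(0, 4294960000, 1000),
    Sample(300, 4294966000, 4000),   # +6000 in, +3000 out
    Sample(600, 2704, 7000),         # "in" wrapped: real delta is 4000
    Sample(900, 100, 200),           # reset: wrap arithmetic gives ~4.29e9
]

MAX_BYTES_100MBIT = 12_500_000       # 100 Mbit/s link expressed in bytes/s

if __name__ == "__main__":
    print(mrtg_target("vc", "vc", "1.0.6.0", "10.10.10.10", "public", MAX_BYTES_100MBIT))
    for pair in rates(SAMPLES, MAX_BYTES_100MBIT):
        print(pair)
```

MaxBytes does double duty here: it caps the graph scale, and it is the sanity limit that turns an impossible delta (the reset in the last sample pair) into a gap rather than a spike. Set it from the real link speed in bytes per second, not from an arbitrary large number, or a counter reset will be graphed as a burst of traffic.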


Example NetEnforcer MRTG Graphs


Appendix A: Hardware Specifications

This appendix lists the hardware specifications for all NetEnforcer models.

Enhanced Platform
Dimensions
Standard 1U by 19-inch, rack mountable
Height 1.73 in (44 mm)
Width 17.32 in (440 mm)
Depth 11.73 in (298 mm)
Weight 12 lbs (5.5 kg)

Power Requirements
Input Voltage 100 - 240 V
Frequency 47 - 63 Hz
Current 2A
Power consumption
AC-302 53 W
AC-402 70 W


Operating Environment
Temperature 32° F to 104° F (0° to 40° C)
Humidity 5% to 95% (non condensing)
Heat Dissipation
AC-302 181 BTU/Hour
AC-402 240 BTU/Hour
EMI Residential, commercial and light industry.

High Availability Platform


Dimensions
Standard 2U by 19-inch, rack mountable
AC-802
Height 3.46 in (88 mm)
Width 17.32 in (440 mm)
Depth 14.76 in (375 mm)
Weight Copper: 24.9 lbs (11.3 kg)
Fiber: 25.3 lbs (11.48 kg)

NOTE:
The weight of the Copper Bypass module is 3.86 lbs (1.75 kg) and the weight of the Fiber Bypass module
is 4.28 lbs (1.94 kg).


Power Requirements
AC-802
Input Voltage 100 - 240 V
Frequency 50/60 Hz
Current 7 - 3.5 A
Power consumption

Operating Environment
AC-802
Temperature 32° F to 104° F (0° to 40° C)
Humidity 5% to 95% (non condensing)
Heat Dissipation
EMI


Standards, Compliance and Certifications


All Allot models hold certificates for and comply with the standards listed below.
EMC
• EMC Directive 89/336/EEC, article 7(1)
• EN 55022:1998+A1(00) class A
• EN 61000-3-2:1995_A1(98)+A2(98)
• EN 61000-3-3:1995
• EN 55024:1998+A1(01)
• FCC 47 CFR part 15, subpart B, class A
• ICES-003:1997, class A
• VCCI:2002, class B
• NEBS: GR-1089-Core*
Safety
• IEC 60950:1999 with Japanese deviations
• EN 60950:2000
• NEBS: GR-1089-Core*
UL
• 1950 NetEnforcer UL File number: E206586
• CAN/CSA C22.2 No.60950-00 * UL 60950, third edition
Environmental
• ETS 300 019-2-2 T 2.1
• ETS 300 019-2-3 T 3.1
• NEBS: GR-63-Core*
* NetEnforcer is designed to meet these standards.



Appendix B: Fail-Safe Operation

This appendix describes the fail-safe operation implemented in NetEnforcer.


NetEnforcer has two fail-safe features that ensure proper and continuous network
function: Bypass and Full Redundancy.
All NetEnforcers include a Bypass element (either an external Bypass module or an
internal Bypass switch) that connects the Internal connector to the External connector in
the case of a subsystem failure in NetEnforcer or a power loss. This mechanism ensures
that traffic continues to pass through the passive elements of NetEnforcer should any
hardware or software problem occur.
Full Redundancy is a backup mechanism that handles the failure of a network device,
and ensures the network continues to function. Full Redundancy is provided by
connecting two NetEnforcers in parallel. The Primary NetEnforcer handles the traffic
and the Secondary NetEnforcer is designed to be in Standby mode as long as the
Primary NetEnforcer is active. Only if, for any reason, the Primary NetEnforcer is not
able to function properly, does the Secondary NetEnforcer become active.
When NetEnforcer is in Full Redundancy mode, Bypass mode will be activated, in the
event that both the Primary and Secondary NetEnforcer systems fail.
As part of the fail-safe considerations, power redundancy is also provided.


Bypass Mode
The Enhanced platform models (AC-202 and AC-402) operate with an internal Bypass
element and the AC-802 operates with an external Bypass module. The AC-802 Copper
operates with a Copper Bypass and the AC-802 Fiber operates with a Fiber Bypass.

CAUTION:
NetEnforcer AC-802 must be connected to the appropriate Bypass module. This is to ensure continuous
service in the event of failure.

The Bypass module is a mission-critical subsystem designed to handle the failure of a
network device and still ensure that the network functions properly. The Bypass module
provides "connectivity insurance" in the event of a NetEnforcer subsystem failure.
NetEnforcer is factory configured to ensure normal network operation during power
loss and other critical hardware and software failure.
The Bypass module works by shorting the Internal interface to the External interface.
While the NetEnforcer is bypassed, all traffic goes through passive elements only.
When the system goes into Bypass mode, the status indicators immediately indicate it,
in the following way:
• The Active LED on the front panel of NetEnforcer turns OFF.
• The Standby LED on the front panel of NetEnforcer is OFF.
• The Mode LED on the Bypass module turns OFF.
For more information regarding the status indicators, refer to Chapter 2, Installing
NetEnforcer.


Bypass Initiation
When a single NetEnforcer is installed, it will go into Bypass mode under the following
conditions:
• Upon a subsystem failure.
• During the booting of NetEnforcer.
• Upon any NetEnforcer power feed failure and power OFF conditions.
• When the Bypass module is not connected properly to the NetEnforcer Backup
connector, even with all other connectors fully plugged. (This is not relevant to the
Enhanced platform.)
NOTES:
NetEnforcers in Full Redundancy configuration that have gone into Bypass mode upon a subsystem
failure will not restart automatically. It is recommended to perform a reboot.

Fiber Bypass and TAP (AC-802 Fiber)


TAP mode enables the operator to install and use NetEnforcer in a non-intrusive mode.
Using this mode has the following benefits:
• It enables monitoring of network traffic without active interference in the network
activity.
• It enables gradual installation of NetEnforcer – first in non-intrusive mode and later
with policy enforcement.

CAUTION:
NetEnforcer must be connected to the Fiber Bypass module. This is to ensure continuous service in the
event of failure.


Figure B-1 – Fiber Bypass Unit (connectors labeled in the figure: To Internal Network
Connector, To External Network Connector, Backup Connector To Secondary NetEnforcer,
Fiber Cable Connector To Primary NetEnforcer)

IMPORTANT NOTE:
To work properly, NetEnforcer and the Bypass module have to be fully plugged and connected before
power is turned on.

A separate NetEnforcer Fiber Bypass module is included with your NetEnforcer
AC-802 Fiber shipment. For more information on installing a special Fiber TAP
package please contact Allot Customer Support. A recommended Fiber TAP package
would include two Multimode Couplers.
Each Coupler has three built-in Multimode fiber cables with SC connectors. One side of
the coupler has a single Multimode fiber that is marked as Tx, and on the other side,
there are two built-in Multimode fiber cables marked as Rx [1] and Rx [2].

Figure B-2 – Multimode Coupler Unit

IMPORTANT NOTE:
The Multimode Coupler is not a standard part of NetEnforcer.


Connecting the Fiber Bypass and the TAP


The following procedure describes how to connect the Fiber Bypass module and the
TAP to NetEnforcer. The procedure contains circled numbers, for example (1), relating
to reference numbers used in the following diagram.

Figure B-3 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass and TAP


To connect the Fiber Bypass:

1. Connect the fiber cable labeled External from the Bypass module (7) to the External
port on NetEnforcer (1).
2. Connect the fiber cable labeled Internal from the Bypass module (7) to the Internal
port on NetEnforcer (2).
3. Connect the D-type connector from the Primary port on the Bypass module (8) to
the Backup port on NetEnforcer (3).
4. Connect the first Multimode coupler as follows:
• Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps router
(1000Base-SX port).
• Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps switch
(1000Base-SX port).
• Connect the coupler Rx [2] fiber optic cable to the External Rx input of the Fiber
bypass module (5).
5. Connect the second Multimode coupler as follows:
• Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps switch
(1000Base-SX port).
• Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps router
(1000Base-SX port).
• Connect the coupler Rx [2] fiber optic cable to the Internal Rx input of the Fiber
bypass module (6).


Connecting Two NetEnforcers in Full Redundancy
Failure of a network device can be catastrophic, causing network downtime and lost
business. The key to designing any mission-critical network is to recognize that these
failures can occur, and to design a network that can handle failures and still allow the
network to function. In order to do this, it is important to use the most reliable
equipment, with redundancy built in to all mission-critical equipment.
NetEnforcer can operate in parallel to provide Full Redundancy. Full Redundancy
requires two NetEnforcer systems and, where an external Bypass module is used, a
single Bypass module.
The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is designed
to be in Standby mode as long as the Primary NetEnforcer is active. Only if, for any
reason, the Primary NetEnforcer is not able to function properly does the Secondary
NetEnforcer become active.
Both NetEnforcers receive traffic from the internal network, but only the Primary
NetEnforcer is passing the traffic to the external network.
While the Primary NetEnforcer receives and handles traffic coming from the external
network, the Secondary External interface is disabled, since the system is in Standby
mode. If the Primary NetEnforcer should fail, the Secondary NetEnforcer automatically
takes control of the traffic, and enables its External interface.
In Full Redundancy mode, the Bypass mode is activated in the event that both the
Primary and Secondary NetEnforcers fail.


The following diagram shows how to connect two NetEnforcers in full Redundancy:

Figure B-4 – Connecting Two NetEnforcers in Full Redundancy

Status Indicators in Full Redundancy Mode


When operating in Full Redundancy mode, two NetEnforcer units are connected in
parallel to the Copper or Fiber Bypass module. The NetEnforcer unit connected to the
Primary port on the Bypass module is the Primary NetEnforcer and the NetEnforcer unit
connected to the Secondary port on the Bypass module is the Secondary NetEnforcer.
During operation, the LED indicators on NetEnforcer and on the Bypass module give
various readings. The LEDs relevant to operations in Full Redundancy mode are the
Standby, Active and Power LEDs on the NetEnforcer LCD panel, and the Mode LED
on the Bypass module.


The modes of operation of the indicators are described in the following tables:
For NetEnforcer AC-802 Copper or Fiber connected to a Bypass module, the LED
indicators are as follows:
Unit            Standby  Active  Power  Mode   Analysis
                LED      LED     LED    LED
Primary Unit    OFF      ON      ON     ON     Primary NetEnforcer is in Active mode.
Secondary Unit  ON       OFF     ON            Secondary NetEnforcer is in Standby mode,
                                               ready to take over.

Primary Unit    ON       OFF     ON            Primary NetEnforcer fails or is now booting.
Secondary Unit  OFF      ON      ON     ON     Secondary NetEnforcer took over and is now
                                               in Active mode.

Primary Unit    OFF      OFF     OFF           Primary NetEnforcer is powered OFF.
Secondary Unit  OFF      ON      ON     ON     Secondary NetEnforcer took over and is now
                                               in Active mode.

Primary Unit    OFF      ON      ON     ON     Primary NetEnforcer is in Active mode.
Secondary Unit  OFF      OFF     OFF           Secondary NetEnforcer is not powered ON.
                                               The only fail-safe mode available now is
                                               Bypass.

Primary Unit    OFF      OFF     ON     OFF    Primary NetEnforcer failed or did not
                                               complete booting.
Secondary Unit  OFF      OFF     ON     OFF    Secondary NetEnforcer failed or did not
                                               complete booting. Bypass is now active and
                                               all traffic is going through Bypass.

Table B-1 – LED Conditions: Copper or Fiber Bypass, Full Redundancy Mode

For Enhanced platform, the LED indicators are as follows:


Unit            Standby  Active  Power  Analysis
                LED      LED     LED
Primary Unit    OFF      ON      ON     Primary NetEnforcer is in Active mode.
Secondary Unit  ON       OFF     ON     Secondary NetEnforcer is in Standby mode, ready to
                                        take over.

Primary Unit    OFF      OFF     ON     Primary NetEnforcer fails or is now booting.
Secondary Unit  OFF      ON      ON     Secondary NetEnforcer took over and it is in Active
                                        mode.

Primary Unit    OFF      OFF     OFF    Primary NetEnforcer is powered OFF.
Secondary Unit  OFF      ON      ON     Secondary NetEnforcer took over and it is in Active
                                        mode.

Primary Unit    OFF      ON      ON     Primary NetEnforcer is in Active mode.
Secondary Unit  OFF      OFF     OFF    Secondary NetEnforcer is powered OFF. The only
                                        fail-safe mode available now is Bypass.

Primary Unit    OFF      OFF     ON     Primary NetEnforcer failed or did not complete
                                        booting.
Secondary Unit  OFF      OFF     ON     Secondary NetEnforcer failed or did not complete
                                        booting. Bypass is activated (in the primary unit)
                                        and all traffic is going through Bypass.

Table B-3 – LED Conditions: Enhanced platform, Full Redundancy Mode

Secondary NetEnforcer Activation


When two NetEnforcers are connected in parallel (Redundancy mode), the Secondary
NetEnforcer will take control and become the active unit under the following
conditions:
• Upon a Primary subsystem failure.
• During booting of the Primary NetEnforcer platform. When booting is completed,
the Primary unit automatically takes control again.
• Upon any Primary NetEnforcer power feed failure and power OFF condition.
• Upon the Primary NetEnforcer Ethernet cable disconnecting from either the Internal
or External ports. After reconnecting the cable and rebooting, the Primary
NetEnforcer takes control again.
• When the Bypass module is not connected properly to the NetEnforcer Backup
connector, even with all other connectors fully plugged.


NOTES:
The NetEnforcer's Ethernet adapter can detect Ethernet cable disconnection. NetEnforcers in redundant
configuration react to such an event by having the Primary NetEnforcer lose control until the next machine
reboot, with the Secondary NetEnforcer becoming the active unit.
If a cable is disconnected, it is recommended to reboot the Primary NetEnforcer after reconnecting the
cable.

Primary and Secondary Definitions


Each system is defined as Primary or Secondary according to the backup cable
connection order.
When two NetEnforcers are connected in parallel using a backup cable, the Primary
system is as follows:
• In the case of AC-802 models, the NetEnforcer that is connected to the Primary
connector of the Bypass module is automatically configured to act as the Primary
system.
• In the case of Enhanced platform models, the NetEnforcer that is connected to the
Primary side of the backup cable is the Primary system.
When two NetEnforcers are connected in parallel using a backup cable, the Secondary
system is as follows:
• In the case of AC-802 models, the NetEnforcer that is connected to the Secondary
connector of the Bypass module is automatically configured to act as the Secondary
system.
• In the case of Enhanced platform models, the NetEnforcer that is connected to the
Secondary side of the backup cable is the Secondary system.

NOTE:
When you order an AC-802 model, a Backup Cable is included with the accessory kit.

A Primary configuration is indicated by LEDs, as follows:


• The Active LED on the front panel of NetEnforcer is ON.
• The Standby LED on the front panel of NetEnforcer is OFF.


A Secondary configuration is indicated by LEDs, as follows:


• The Active LED on the front panel of NetEnforcer is OFF.
• The Standby LED on the front panel of NetEnforcer is ON.
The following diagram shows the layout of a Full Redundancy setup for the AC-202 or
AC-402 models.

Figure B-5 – Full Redundancy Setup Example

If the Primary system fails, the Secondary system automatically takes control of the
traffic, and enables its External interface. The LEDs indicate the Secondary system
status change as follows:
• Enhanced Platform and AC-802 model: On the Secondary system, the Standby
LED turns OFF and the Active LED turns ON. (See Table B-2 and Table B-3)


Full Redundancy Connection


The connection requirements for Full Redundancy vary slightly according to the model.

AC-802 Models
To connect two AC-802 NetEnforcers in Full Redundancy:
Before using NetEnforcers in Full Redundancy mode, make sure that the configuration
of both NetEnforcers is identical; except for their IP addresses, which must be unique
for each unit. You can use the Save & Distribute option to distribute the same QoS
policy to both NetEnforcers. For more information, refer to Chapter 8, Defining
Policies.
NOTE:
You can distribute policy to other NetEnforcers, only if they are of the same model as the one from which
you are distributing.

After ensuring identical configuration, test each NetEnforcer (while connected to the
network as a single device) and verify that they are operating identically to one another.
1. Designate one of your NetEnforcers to be the default Primary, and connect the end
of the Backup cable to the Backup connector of the NetEnforcer.
2. Connect the other end of the backup cable to the Primary connector of the Bypass
module.
3. Designate the other NetEnforcer to be the Secondary and connect one end of the
Backup cable to the Backup connector of the Secondary NetEnforcer.
4. Connect the other end of the Backup cable to the Secondary connector of the Bypass
module.
NOTE:
For more information, see the Bypass Modules section in Chapter 2, Installing NetEnforcer.


5. Ensure that the status indicators of both systems are indicating that the systems are
configured correctly, as follows:
• The Active LED of the Primary NetEnforcer is ON.
• The Standby LED of the Primary NetEnforcer is OFF.
• The Active LED of the Secondary NetEnforcer is OFF.
• The Standby LED of the Secondary NetEnforcer is ON.

CAUTION:
When two NetEnforcers are connected in Redundancy mode with a switch on each interface, if the Primary
NetEnforcer fails and the Secondary system takes control of traffic, the redundant unit may take some time
to activate. This is normal switch behavior. The switch will continue to redirect packets to the Primary
NetEnforcer, instead of to the Secondary NetEnforcer.

Enhanced Platform Models


Before using NetEnforcers in full Redundancy mode, make sure that the configuration
of both NetEnforcers is identical; except for their DIP switch settings and IP addresses,
which must be unique for each unit. You can use the Save & Distribute option to
distribute the same QoS policy to both NetEnforcers. For more information, refer to
Chapter 8, Defining Policies.

CAUTION:
Please note that only a certified Allot Communications Service Engineer is authorized to remove the
NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover
from the NetEnforcer, its warranty becomes void.

NOTE:
You can distribute policy to other NetEnforcers only if they are of the same model as the one from which
you are distributing.

After ensuring identical configuration, test each NetEnforcer (while connected to the
network as a single device) and verify that they are operating identically to one another.


1. Set the DIP Switches to Full Redundancy mode. See Figure B-6.
2. Designate one of your NetEnforcers to be the default Primary, and connect the end
of the Backup cable marked Primary to the backup connector of the unit. Connect
the other end of the backup cable to the backup connector of the Secondary
NetEnforcer.
3. After booting ensure that the Active LED is ON and the Standby LED is OFF. On
the Secondary NetEnforcer, the Active LED is OFF and the Standby LED is ON.

CAUTION:
When two NetEnforcers are connected in Redundancy mode with a switch on each interface, if the Primary
NetEnforcer fails and the Secondary system takes control of traffic, the redundant unit may take some time
to activate. This is normal switch behavior. The switch will continue to redirect packets to the Primary
NetEnforcer, instead of to the Secondary NetEnforcer.

Configuration for Enhanced Platform


NetEnforcer Enhanced Platform models have the option of working in Full
Redundancy, where one system is in Float mode and the other is not. This enables one
system to cancel the other system’s Bypass mode. When this feature is activated (DIP
switch 6 is set to ON), the active system cancels the Bypass mode of the other system,
if it exists.
If the Primary NetEnforcer fails, the Secondary NetEnforcer becomes active and
cancels the Primary Bypass. If the Secondary NetEnforcer also fails, it releases its
control over the Primary NetEnforcer, which then moves to Bypass mode.


The recommended configuration, as shown in Figure B-6, is to set the Primary
NetEnforcer to Bypass mode (switches 1 to 5 are set to ON) and the Secondary
NetEnforcer to Float mode (switches 1 to 5 are set to OFF, and switch 6, Control Over,
is set to ON).

Figure B-6 – DIP Switch Configuration for Enhanced Platform at Full Redundancy
(Primary: switches 1 to 5 ON, labeled BYPASS; Secondary: switches 1 to 5 OFF, labeled
FLOAT, switch 6 CONTROL OVER set to ON)

If there is a problem with the Primary NetEnforcer, the box should be disconnected
from the network and the DIP switches on the Secondary NetEnforcer should be set to
standalone configuration.

CAUTION:
Please note that only a certified Allot Communications Service Engineer is authorized to remove the
NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover
from the NetEnforcer, its warranty becomes void.

CAUTION:
In standalone mode, NetEnforcer DIP switches should remain in the factory default settings.
To have the NetEnforcer in standalone mode, switches 1 to 5 are set to ON and switches 6 to 8 are set to
OFF. (To access the DIP Switches, see Appendix C, Hardware Configuration).


High Availability Platform Power Redundancy
NetEnforcer High Availability platform models include two hot-swappable power
supply modules and a dual line feed for Redundancy purposes.
Each line feed is driving one power supply. It is recommended to connect the two
power line feeds to separate power sources to have full power redundancy.
Should you need to, you can replace one of the power supplies while NetEnforcer is
connected and operating. Replacing a power supply, while the unit is operating, is
possible since the remaining power supply will take the full load and maintain full
operation.
• If one power module fails or turns OFF, the other module will take over the load.
• If the power supply output is shorted to ground, the supply shuts down. It recovers
automatically once the short-circuit condition is removed.
• Each module has over voltage and short circuit protection.
In the case of a power failure, the fail alarm is activated and the power supply’s buzzer
beeps. For more information on AC-802 model handling of power failure, please refer
to Chapter 2.



Appendix C: Hardware Configuration

This appendix describes how to set the DIP switches for Enhanced Platform models.

Setting DIP Switches for the Enhanced Platform
In order to access internal components of the Enhanced Platform NetEnforcer units,
including the DIP switches, the main cover must be removed.

CAUTION:
Only a certified Allot Communications Service Engineer is authorized to remove the NetEnforcer cover
and change the internal DIP switches. If a non-authorized person removes the cover from the NetEnforcer,
its warranty becomes void.

In circumstances where you need to remove the main cover, carefully follow the
instructions below.

To remove the main cover:


1. Remove the fourteen screws (five on each side of the main cover and four at the
back) using a small Phillips screwdriver.
2. Stand in a position where you are facing the back of the unit. With both hands, pull
the cover towards you, until approximately a third of the unit is exposed.
3. Remove the cover by lifting it from the overhanging rear section and then pull the
cover away from the main unit. This will expose the inside components of the
NetEnforcer.
To set the DIP switches for the Enhanced Platform, refer to page C-3.


Below is a schematic diagram of an opened Enhanced Platform unit, with an
enlargement of the DIP switches.

Figure C-1 - DIP Switch Location: Enhanced Platform


Enhanced Platform DIP Switches


The service panel contains eight DIP switches. Their functions are described below:
Switch No.  Function
8           ON = Forced Active (Factory Default = OFF)
7           For future use (Factory Default = OFF)
6           ON = Peer Bypass control (Factory Default = OFF)
            For more information see Appendix B, Fail-Safe Operation, Figure B-3
5           ON = Bypass connected, OFF = Bypass float (Factory Default = ON)
4           ON = Bypass connected, OFF = Bypass float (Factory Default = ON)
3           ON = Bypass connected, OFF = Bypass float (Factory Default = ON)
2           ON = Bypass connected, OFF = Bypass float (Factory Default = ON)
1           ON = Bypass connected, OFF = Bypass float (Factory Default = ON)

Table C-1 – DIP Switch Functions: Enhanced Platform

The unit is shipped with the factory defaults indicated above. This setup ensures the
normal operation of the Bypass switch (meaning that it is activated upon a failure), and
that the Active status is not forced. For normal device behavior, it is strongly
recommended not to change DIP switch factory settings.

NOTE:
For full Redundancy mode operational needs, DIP switch modifications should be performed with guidance
from an Allot Communications service engineer.



Appendix D: Rack Mount Installation

The NetEnforcer and the Bypass module may be mounted in an open or closed standard
19-inch (48.26 mm) rack using the rack-mount bracket kit. This appendix describes how
to prepare the device and rack for installation and how to mount the device in the rack.

Connection to Supply Circuit


The electrical power cords serve as the means of disconnecting the device. The user can
power down the device only by removing the two electrical power cords from the power
source or from the device itself.

CAUTION:
Make sure the wall socket outlet is installed near the equipment and that the socket is easy to access. It is
recommended that the wall power outlet be connected to the building installation protection.
When connecting a NetEnforcer to 120 VAC supply, plug into 15 A service receptacles, type N5/15 or
NEMA 5-15R.

Ambient Temperature
The device has a maximum operation ambient of 104° F (40° C). The ambient
temperatures around the rack should not exceed this temperature.

Airflow
To ensure proper cooling, airflow should be unrestricted within or around the rack.
Keep the area four to six inches behind the enclosure unobstructed. Make sure that there
is proper airflow around all of the NetEnforcer's vent openings.


Reliable Grounding
Make sure that each installation site has a suitable ground connection. Please connect
ground to all the metal racks, enclosures, boxes and raceways. The NetEnforcer
equipment should be reliably grounded through the power supply cord.

Preparing the NetEnforcer for Rack Installation


Attach the mounting brackets of the device included in the NetEnforcer accessory kit to
both sides of the device using all eight Phillips pan-head screws included in the
NetEnforcer accessory kit. Insert the screws into the holes on both sides of the device.

Preparing the Bypass Module for Rack Installation


Use a Phillips screwdriver to remove the six Phillips flat-head screws from each side of
the Bypass module.
Attach the mounting brackets of the Bypass module included in the Bypass accessory
kit to both sides of the device. Re-insert the flat-head screws into the holes from which
the screws were removed.

Rack Mechanical Loading


When mounting the device in the rack, ensure that a hazardous condition does not result
due to uneven mechanical loading.



Appendix E: NetEnforcer Port Reference

This appendix describes the required ports for NetEnforcer.

Firewall Ports
If your NetEnforcer is working behind a firewall, the following ports must be opened on
the firewall to enable access to the NetEnforcer management functions:

Firewall Port     Gives Access To
TCP Port: 23      Telnet
TCP Port: 80      Web Server/GUI
TCP Port: 56000   Internal Accounting GUI Access
TCP Port: 51000   Policy Editor GUI Access
TCP Port: 52000   Monitoring GUI Access
TCP Port: 53000   Alerts GUI Access
TCP Port: 53306   MySQL Access
TCP Port: 56000   External Accounting Data Transfer Access


If you want to use secure transmission methods, the following ports must be opened:

Firewall Port     Gives Access To
TCP Port: 443     Encrypted HTTP (HTTPS)
TCP Port: 22      SSH (Encrypted Telnet)
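As an added example (not from the NetEnforcer guide), the following Python script turns the two port tables above into a firewall allowlist: each management port is admitted only from a management subnet, the cleartext Telnet and HTTP ports are left closed in favour of their SSH and HTTPS equivalents, and anything else aimed at a management port is logged before it is dropped, so that probing of the management plane shows up in the firewall log. The management subnet 10.1.1.0/24 and the iptables chain name NE-MGMT are assumptions for the example; the rule strings use standard iptables syntax and the chain has to be created and jumped to from INPUT or FORWARD by the reader.

```python
"""Management-port allowlist for a NetEnforcer behind a firewall.

Added example; not from the NetEnforcer guide. Takes the Appendix E port
table, admits each port only from a management subnet, leaves the cleartext
Telnet/HTTP ports closed in favour of SSH/HTTPS and logs everything else
aimed at the management ports. The subnet and the chain name are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Port table from Appendix E (all TCP). 56000 appears twice in the guide
# (internal accounting GUI and external accounting data transfer).
MANAGEMENT_PORTS: Dict[int, str] = {
    23: "Telnet",
    80: "Web Server/GUI",
    56000: "Accounting GUI / accounting data transfer",
    51000: "Policy Editor GUI",
    52000: "Monitoring GUI",
    53000: "Alerts GUI",
    53306: "MySQL",
    443: "HTTPS",
    22: "SSH",
}

# Cleartext service -> encrypted equivalent from the second table.
CLEARTEXT_ALTERNATIVES: Dict[int, int] = {23: 22, 80: 443}

CHAIN = "NE-MGMT"   # assumed chain, to be jumped to from INPUT or FORWARD


def plan_allowlist(mgmt_net: str, allow_cleartext: bool = False
                   ) -> Tuple[List[str], List[str]]:
    """Return (iptables rule strings, warnings) for the management ports."""
    net = ipaddress.ip_network(mgmt_net, strict=True)
    rules, warnings = [], []
    for port in sorted(MANAGEMENT_PORTS):
        if port in CLEARTEXT_ALTERNATIVES:
            alt = CLEARTEXT_ALTERNATIVES[port]
            if not allow_cleartext:
                warnings.append(f"port {port} ({MANAGEMENT_PORTS[port]}) left closed; "
                                f"use {alt} ({MANAGEMENT_PORTS[alt]}) instead")
                continue
            warnings.append(f"port {port} ({MANAGEMENT_PORTS[port]}) is cleartext; "
                            f"prefer {alt} ({MANAGEMENT_PORTS[alt]})")
        rules.append(f"iptables -A {CHAIN} -s {net} -p tcp --dport {port} -j ACCEPT")
    # Anything else aimed at a management port is logged, then dropped, so
    # probing of the management plane shows up in the firewall log.
    ports = ",".join(str(p) for p in sorted(MANAGEMENT_PORTS))
    rules.append(f"iptables -A {CHAIN} -p tcp -m multiport --dports {ports} "
                 f"-j LOG --log-prefix \"{CHAIN}-DENY \"")
    rules.append(f"iptables -A {CHAIN} -p tcp -m multiport --dports {ports} -j DROP")
    return rules, warnings


def is_allowed(src_ip: str, port: int, mgmt_net: str,
               allow_cleartext: bool = False) -> bool:
    """Would the planned chain accept a TCP connection from src_ip to port?
    Mirrors the rule logic so the policy can be checked without a firewall."""
    if port not in MANAGEMENT_PORTS:
        return False                 # not a management port: nothing accepts it here
    if port in CLEARTEXT_ALTERNATIVES and not allow_cleartext:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(mgmt_net, strict=True)


if __name__ == "__main__":
    rules, warnings = plan_allowlist("10.1.1.0/24")   # constructed management subnet
    print("\n".join(rules))
    for w in warnings:
        print("#", w)
```

The LOG rule before the DROP is what makes the allowlist useful for detection as well as access control: a source outside the management subnet connecting to 51000, 53306 or the other management ports is exactly the event worth an alert, and the "NE-MGMT-DENY" prefix makes it easy to pick out of the kernel log.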



Appendix F: NetEnforcer Protocol Reference

This appendix describes protocols supported by NetEnforcer.

Supported Protocols
The following list contains the most common protocols and services supported by
NetEnforcer and available in the default Service Catalog database. Thousands of other
protocols are not included here and can be found in the NetEnforcer Advanced Service
Catalog.
The protocols are divided into several groups in the following list to make each
protocol easier to find and understand. To keep up with the frequent appearance of new
applications and protocols, mainly Peer-to-Peer protocols, a web-based update for the
NetEnforcer Service Catalog is available.

Web
HTTP
Method (e.g. GET, POST)
URL (e.g. File Types)
Host Names
Mime Types
HTTP-PROXY
HTTPS

NNTP-TCP


P2P
KAZAA
KaZaa (V1 & V2)
Grokster
iMesh
Poisoned
Diet Kazaa
Upload/Download

EDONKEY
eDonkey
eMule
xMule

GNUTELLA
Shareaza
Morpheus
Gnucleus
XoloX
LimeWire
FreeWire
Bearshare
Acquisition
Nova
Phex
Gtk-Gnutella
Upload/Download


Warez
Ares 0
Swapper.NET
Shareaza (supports both Gnutella version 1 and Gnutella version 2)
LimeWire
BearShare
freewire (Limewire)
zultrax
Xolox
Morpheus 4

BitTorrent
WINMX
DIRECT CONNECT
Direct connect
DC++
BCDC++

OverNet
MP2P
Motilino
Blubster
Piolet
RockitNet

Winny
Winny 1
Winny 2


HOTLINE
JABBER
MADSTER-AIMSTER
SoulSeek

IM/Chat
MSN-MESSENGER
AOL/ICQ
Yahoo
IRC

Email
POP
POP2
POP3

SMTP
SMTP by Sender/Sender Domain
SMTP by Sender email address/Sender domain

MS Exchange
Passive/Active RPC

IMAP
IMAP2-TCP
IMAP3-TCP


IMAPS (Secure IMAP)


CC-MAIL
LOTUS-NOTES
BIFF

Streaming
RTSP
RTP/AVP
Streaming
RDT
X-PN-TNG
Interleaved

Winamp
MSplayer
Realone
Quicktime
iTunes
NETSHOW
REALAUDIO


Games
ALIENS
ANARCHY
ASHERONS CALL
BLACK AND WHITE
COUNTERSTRIKE
DARK REIGN
DIABLO
DOOM
ELITE FORCE
F16
F22 SIMULATOR
FIGHTERACE
HEXEN
KALI
KOHAN IMMORTAL SOVEREIGNS
MOTORHEAD
MSN GAME
MYTH
NEED FOR SPEED
OPERATION FLASH POINT
OUTLAWS


QUAKE-TCP
SWAT3-TCP
ULTIMA
UNREAL TOURNAMENT
ZNES

File Transfer/File System


FTP
FTP – Passive/Active
FTP – Method (upload/download)
FTP - Filename
FTP – File Extension

TFTP
NETBIOS-IP
NFS
SYSLOG
PRINTER
PRINT-SRV
RCP
SUNRPC
CMD


VoIP
SKYPE
MGCP
Audio/Video/Data
Codec Name (Manual Definition)

H.323
Audio/Video
Gate Keeper
MCU (Centralized)
codec:H.323 Video Default Codec
codec:H.323 H261 Codec
codec:H.323 H262 Codec
codec:H.323 H263 Codec
codec:H.323 Audio Default Codec
codec:H.323 G711-64K Codec
codec:H.323 G711-56K Codec
codec:H.323 G722-64K Codec
codec:H.323 G722-56K Codec
codec:H.323 G722-48K Codec
codec:H.323 G7231 Codec
codec:H.323 G728 Codec
codec:H.323 G729 Codec

T.120
VOCALTEC-IPHONE
PHILIPS-VC-TCP

Terminal Servers
CITRIX
CITRIX-ICA
CITRIX NFUSE
Citrix User Name
Citrix Publish Application name
Citrix Priority (Print)
CITRIX DATACOLLEC
CITRIX IMA CLIENT
CITRIX MGMTCONSOLE

MS-RDP-CLIENT
PCANYWHERE


TELNET
TELNETS
SSH
RLOGIN
RTELNET
X11-TCP

Transactions/Databases
Oracle
Oracle Service name/DB name
Oracle User name
ORACLE-COAUTHOR
ORACLE-EM1
ORACLE-EM2
ORACLENAMES
ORACLE-NET8CMAN-ADMIN
ORACLE-NET8CMAN
ORACLE-ORASRV
ORACLE-REMOTE-DATABASE
ORACLE-TLISRV
ORACLE-VP1
ORACLE-VP2


SAP
SAP-DIALOGSERVICE
SAP-INFOSERVICE
SAP-ROUTER
SAP-TO-ADABAS
SAP-TO-INFORMIX

SQL
SQL*NET
SQLSERVICE
MS-SQL SERVER

LDAP
LDAPS
CORBA
CORBA-IIOP-TCP
CORBA-IIOP-TCP-SSL
CORBA-IIOP-UDP
CORBA-IIOP-UDP-SSL

CYBERCASH
EXEC

Security
GRE
IPSEC
IPSEC-AH


IPSEC-ESP

PPTP
SUGP
SWIPE

Network Infrastructure
ARP
AUTH
BGP
BOOTP (DHCP)
BOOTP-CLIENT
BOOTP-SERVER

CHARGEN
CMIP
CMIP-AGENT
CMIP-MAN

DNS
ECHO
EGP
FINGER
ICMP
IGMP


Local MGMT
NPP
NTP
OSPF
PPPoE
PPPoE-CONTROL
PPPoE-DISCOVERY

RIP
RMON
SNMP
SNMP-TRAP
SNMP-Mon

TIMESERVER
TIME
WHO
WHOIS
TACACS
RADIUS
RADIUS-AUTH
RADIUS-ACCT


Legacy protocols
NETWARE-IP
APPLETALK
APPLETALK Over IP
GGP
GOPHER
I-NLSP
IPX
IPX Over IP
MS-IPX
NETBEUI
NETWARE

Manolito Clients
Piolet - Search is over UDP port 41170
Blubster

Tunneling
socks2http
httpTunnel
socks 4/5


Appendix G: NetEnforcer Command Line Interface

This appendix describes the command line interface that can be used to configure
NetEnforcer. You can also configure NetEnforcer from a Web browser, described in
Chapter 4, Configuring NetEnforcer.

NetEnforcer Command Line Interface


The NetEnforcer CLI can be used to define Pipes, Virtual Channels, Rules and Catalog
entries whenever you want to enter multiple entries without using the browser interface
described in the preceding chapters, for example, when you need to add 1000 new hosts
to the Host Catalog. You can also use the CLI to set system parameters and device
settings.
The CLI enables you to modify the NetEnforcer database from a command line. The
CLI supplies a set of commands to add, change, rename and remove NetEnforcer
entities, such as Pipes, Virtual Channels or other Catalog entries, and to change the
configuration of NetEnforcer. This section describes how to access the CLI and how to
work with it.

Command Execution Modes


The NetEnforcer CLI can operate in two different modes, as follows:
• Single command mode – each command is executed separately, as soon as it is entered.
• Cyclic mode – multiple CLI commands are aggregated and executed together at set
time intervals.
To enable cyclic execution, enter the following command (X in seconds):
go config policy_srv -cli_timeout X
This makes the system execute the queued CLI commands every X seconds instead of
executing each one immediately, which improves the efficiency of the CLI execution
process.

Accessing the CLI


The CLI is accessed through the Console interface of your NetEnforcer.

To access the CLI:


1. Connect to NetEnforcer using one of the following methods:
• From a local host:
• Using a monitor and keyboard connected directly to NetEnforcer.
• Via Telnet from a workstation located on the same network as NetEnforcer.
• From a remote host:
• Using a CLI executable, enter the IP address of the remote host.

2. Log in to NetEnforcer as the root user. The default password is bagabu.

IMPORTANT:
It is strongly recommended that you change the default password of the “root” user. For details on how
to change the password, please refer to Chapter 2, Installing NetEnforcer.

Scripts
You can write scripts containing both CLI and Linux commands to automate the data
entry process. For example, you can write a script that adds 40 rules to 30 different
Virtual Channels.
A script can be written on a remote workstation, using your preferred text editor, and
then sent to NetEnforcer using FTP. Alternatively, you can create the script directly on
NetEnforcer using the built-in vi editor. In both cases, ensure that the script has its
execute permission set. (For more details on file permissions, please refer to a Linux
manual.)


NOTE:
It is recommended that you save your scripts in a new directory on NetEnforcer (for example, /root/scripts),
so that they will not be overwritten should you upgrade your NetEnforcer software in the future.

CLI Command Syntax


The CLI consists of several commands, each of which has a switch and one or more
parameters. The syntax of the CLI is:
go <action> <switch> <parameter> <parameter value> <parameter> <parameter value>
Where:
go precedes all CLI commands.
<action> is the command to perform: add, delete, change, rename, list or config.
<switch> is the object (for example, Pipe) upon which the command is performed.
<parameter> is the parameter required (for example, host name).
<parameter value> is the value of the parameter.
The following optional parameter may also be used:
-f: Disconnects the other client that currently holds write permissions and gives the
write permissions to the CLI client. Use with all switches except list.

NOTE:
When working with Pipes, Virtual Channels, Rules or Catalog entries, you must enclose the name of the
Pipe, Virtual Channel, Rule or Catalog entry in quotation marks if it contains more than one word. For
example, go add vc Gold:PipeGold is accepted, as well as go add vc “Gold
Service:PipeGold”. However, the command go add vc Gold Service:PipeGold will
return an error message.


Online Help
If you are unsure which parameters are used with a specific command, enter an
incomplete command (for example, without the parameters) and the CLI lists all the
available parameters for that action and switch. For example, if you enter the command
go add time, you receive the following output:

Usage: go add time {Name} [<-OPTION> <VALUE>...]


{ITEM_FORMAT,ITEM_FORMAT,...}
Defined Formats of the Time Item are:
# daily[:<Time>]
# weekly[:<WeekDay:Time>]
# monthly[:<MonthDay:Time>]
# yearly[:<Month:MonthDay:Time>]
Acceptable values for WeekDay are: sun, mon, tue, wed, thu, fri, sat ('sun' by default)
Acceptable values for Months are: 1 - 12 (1 by default)
Acceptable values for MonthDay are: 1 - 31 (1 by default)
Time format should be 'HH.mm-HH.mm' or 'allDay' ('allDay' by default)
Options: -f: force the write permissions to CLI client

Command Descriptions
This section describes the commands available.
{param} – required parameter
[param] – optional parameter


ToS Catalog Editing


Commands available:
• go add tos {newName} {tosByte}
• go change tos {tosName} {tosByte}
• go delete tos {tosName}
• go rename tos {tosName:newName}

Parameter   Description
newName     The new name to be set for the ToS Catalog entry.
tosName     The name of the existing ToS Catalog entry.
tosByte     Enumeration of the selected bit numbers (1 - 8) with ',' between them.

Data Source Catalog Editing


Commands available:
• go add datasrc {newName:ldap} {location:user:passwd[:description]}
• go add datasrc {newName:txtfile} {location[:description]}
• go change datasrc {dsName} {location:user:passwd[:description]}
• go delete datasrc {dsName}
• go rename datasrc {dsName:newName}

Parameter     Description
newName       The new name to be set for the Data Source Catalog entry.
dsName        The name of the existing Data Source Catalog entry.
location      IP address/hostname of the LDAP/TFTP server.
user          The username assigned to the LDAP user.
passwd        The password assigned to the LDAP user.
description   The description of the data source (optional parameter).

VLAN Catalog Editing


Commands available:
• go add vlan {newName} {priority_bits_state:priority_bits:vlan_id_state:vlan_id}
• go change vlan {vlanName} {priority_bits_state:priority_bits:vlan_id_state:vlan_id}
• go delete vlan {vlanName}
• go rename vlan {vlanName:newName}

Parameter            Description
newName              The new name to be set for the VLAN Catalog entry.
vlanName             The name of the existing VLAN Catalog entry.
priority_bits_state  Enabling/disabling of the Vlan priority bits: enable, disable.
priority_bits        The priority bits number: 0 - 7.
vlan_id_state        Enabling/disabling of the Vlan ID: enable, disable.
vlan_id              The Vlan ID number: 0 - 4095.


QoS Catalog Editing


Commands available:
• go add/change qos {newName:pipe_both} -prior P -max_bw Max -min_bw Min[:minReserved] -tos tos_in:tos_out -general maxCon:admissionCtrl:tos_admit
• go add/change qos {qosName:pipe_each} -prior P1,P2 -max_bw Max1,Max2 -tos tos_in1:tos_out1,tos_in2:tos_out2 -min_bw Min1[:minReserved],Min2[:minReserved] -general maxCon:admissionCtrl:tos_admit
• go add/change qos {qosName:pipe_half_duplex} -prior P1 -avail_bw Bw -general maxCon:admissionCtrl:tos_admit
• go add/change qos {qosName:vc_both} -prior P -tos tos_mark -max_bw Max -min_bw Min -general maxCon:admissionCtrl -con_alloc burst:maxBw:size:minBw/cbr:bw:delay
• go add/change qos {qosName:vc_each} -prior P1,P2 -tos tos_mark1,tos_mark2 -max_bw Max1,Max2 -min_bw Min1,Min2 -general maxCon:admissionCtrl -con_alloc burst:maxBw1:size1:minBw1/cbr:bw1:delay1,burst:maxBw2:size2:minBw2/cbr:bw2:delay2
• go delete qos {qosName}
• go rename qos {qosName:newName}

Parameter       Description
newName         The new name to be set for the QoS Catalog entry.
qosName         The name of the existing QoS Catalog entry.
-prior          The priority per VC or Pipe: 1-10 (default: 4).
-max_bw         The maximum bandwidth for a VC or Pipe, for example, 10M or 100K.
-min_bw         The minimum bandwidth for a VC or Pipe, for example, 10M or 100K.
-avail_bw       The available bandwidth for a Full Duplex Pipe, for example, 10M or 100K.
minReserved     The minimum bandwidth reserve available: yes or no (default: no).
tos_admit       The name of the ToS Catalog entry to mark the admitted traffic.
tos_in          The name of the ToS Catalog entry to mark in-profile traffic.
tos_out         The name of the ToS Catalog entry to mark out-of-profile traffic.
tos_mark        The name of the ToS Catalog entry to mark traffic.
maxCon          The maximum number of connections allowed on the VC or Pipe.
admissionCtrl   The admission control: reject, drop, admit.
Connection allocation parameters when the traffic shaping method is burst:
maxBw           The maximum bandwidth per connection, for example, 10M or 100K.
minBw           The minimum bandwidth per connection, for example, 10M or 100K.
size            The burst size in K/M bit per second.
Connection allocation parameters when the traffic shaping method is cbr:
bw              The bandwidth per connection, for example, 10M or 100K.
delay           The delay in microseconds: 100 - 1,000,000.

When the type of a QoS entry is vc_each or pipe_each, all of the parameters (except
-general) require two values separated by a , (comma). The first value is for inbound
traffic and the second is for outbound traffic. If you do not want to specify an inbound
parameter, leave that field empty, for example, -prior ,2.


Host Catalog Editing


Commands available:
• go add host {newName:addresses} {type:value[:interface],type:value[:interface],...}
• go add host {newName:group} {host1,host2,...}
• go add host {newName:ldap} {dataSource:root:address_attr:name_attr:filter}
• go add host {newName:txtfile} {dataSrc:file:start_row:address_pos:name_pos:delimiter}
• go change host {hostName} {-/+type:value[:interface],-/+type:value[:interface],...}
• go change host {hostName} {-/+host1,-/+host2,...}
• go change host {hostName} {=type:value[:interface],type:value[:interface],...}
• go change host {hostName} {=host1,host2,...}
• go change host {hostName} {dataSource:root:address_attr:name_attr:filter}
• go change host {hostName} {dataSrc:file:start_row:address_pos:name_pos:delimiter}
• go delete host {hostName}
• go rename host {hostName:newName}

Parameter     Description
newName       The new name to be set for the Host Catalog entry.
hostName      The name of the existing Host Catalog entry.
Parameters for Host entries of type addresses:
type          Type of address: name, range, netaddr, ipaddr, macaddr.
value         Address according to the type specified.
interface     Interface type: internal, external, anywhere (by default).
Parameters for Host entries of type group:
host1,host2   The names of previously defined Host Catalog entries, separated by commas,
              which will be joined in a group.
Parameters for Host entries of type ldap:
dataSource    The name of a previously defined Data Source Catalog entry.
root          LDAP Directory subtree root.
address_attr  The addresses attribute name.
name_attr     The name attribute name.
filter        LDAP Directory search filter.
Parameters for Host entries of type txtfile:
file          The full file path on the remote host.
start_row     The row number from which to start reading data in the text file.
address_pos   The position of the address field.
name_pos      The position of the name field.
delimiter     The separator character that splits a text file row into fields: comma,
              space, semicolon or other character.

When changing the addresses or group list of a Host entry, prefix each address or group
item with '-' or '+' ('-' to remove the item, '+' to add it), or prefix the list with '='
once at the beginning to replace the existing list with the new one.
For example,
go change host Test1 -ipaddr:2.2.2.2,+range:1.1.1.1-1.1.1.9 -f
go change host Test2 +host8,-host9 -f
go change host Test2 =host10,host11 -f

When changing a Host entry of type txtfile or ldap, leave the fields empty for the
parameters you do not want to change.
For example, to change only the LDAP filter:
go change host Test1 ::::servicegroup=gold

Time Catalog Editing


Commands available:
• go add time {newName} {item1,item2,...}
• go change time {tmName} {-/+item1,-/+item2,...}
• go change time {tmName} {=item1,item2,...}
• go delete time {tmName}
• go rename time {tmName:newName}

Parameter                        Description
newName                          The new name to be set for the Time Catalog entry.
tmName                           The name of the existing Time Catalog entry.
daily[:time]                     The Time item formats defined.
weekly[:day[:time]]
monthly[:month_day[:time]]
yearly[:month:month_day[:time]]
time                             The range of hours and minutes: HH.mm-HH.mm, allDay
                                 (default: allDay).
day                              The day of the week: sun, mon, tue, wed, thu, fri, sat.
                                 This is valid for weekly time periods.
month                            The month: 1-12. This is valid for yearly time periods.
month_day                        The day of the month: 1-31. This is valid for monthly
                                 and yearly time periods.

When changing a Time entry, prefix each time item with '-' or '+' ('-' to remove the
item, '+' to add a new item), or prefix the list with '=' once at the beginning to
replace the list with a new one.
For example,
go add time Test1 daily:10.00-20.00,weekly:5:08.20-20.00 -f
go change time Test1 -daily:10.00-20.00,+monthly:15 -f
go change time Test1 =daily:14.00-20.00,monthly:25 -f
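The Time item grammar is spelled out twice on this page: in the online help that go add time prints (daily, weekly, monthly, yearly with their optional fields) and in the parameter table above. The following POSIX shell validator is an added example, not part of the manual or of Allot's software: it checks each item of a go add time or go change time list against that grammar so a batch script can reject a malformed item before the CLI sees it. It follows the help text, which lists weekday names sun to sat; note that the manual's own example weekly:5:08.20-20.00 writes the weekday as a digit, which this validator rejects, so adjust WEEKDAY if your NetEnforcer accepts numeric weekdays. All sample items are constructed.

```shell
#!/bin/sh
# Added example, not from the NetEnforcer manual: validate Time Catalog items
# against the item grammar that "go add time" prints as online help, so a
# batch script can reject malformed items before they reach the CLI.
# Follows the help text: weekday names sun..sat, months 1-12, month days
# 1-31, times as HH.mm-HH.mm or allDay.

HHMM='([01][0-9]|2[0-3])\.[0-5][0-9]'
TIME_RANGE="$HHMM-$HHMM|allDay"
WEEKDAY='sun|mon|tue|wed|thu|fri|sat'
MONTH='[1-9]|1[0-2]'
MONTH_DAY='[1-9]|[12][0-9]|3[01]'

# Return 0 when $1 is a well-formed Time item, 1 otherwise.
valid_time_item() {
    case "$1" in
        daily*)   pat="daily(:($TIME_RANGE))?" ;;
        weekly*)  pat="weekly(:($WEEKDAY)(:($TIME_RANGE))?)?" ;;
        monthly*) pat="monthly(:($MONTH_DAY)(:($TIME_RANGE))?)?" ;;
        yearly*)  pat="yearly(:($MONTH):($MONTH_DAY)(:($TIME_RANGE))?)?" ;;
        *)        return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq "^($pat)"'$'
}

# Validate a comma-separated item list as given to "go add time" or
# "go change time" (a leading -, + or = edit prefix is ignored); report each
# bad item on stderr and return the number of bad items.
valid_time_list() {
    bad=0
    for item in $(printf '%s\n' "$1" | tr ',' ' '); do
        item=${item#[-+=]}
        valid_time_item "$item" || { echo "bad time item: $item" >&2; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Constructed sample list: the manual's daily example plus a named weekday.
valid_time_list 'daily:10.00-20.00,weekly:fri:08.20-20.00' && echo "all items valid"
```

Call valid_time_list on the item string before building the go add time or go change time line; a non-zero return tells the script how many items to fix.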

Service Catalog Editing


Commands available:
• go add service {newName:appl} -protocol net[:ip[:app]] -dst_ports p1,p2,... -port_type pt -parse_by_port enable|disable -coll_filter filter
• go add service {newName:group} [-group_report enable|disable] {srvName1,srvName2,...}
• go add service {newName:content:parentName} {content1,content2,...}
• go change service {srvName} -protocol net[:ip[:app]] -dst_ports -/+p1,-/+p2 -port_type pt -parse_by_port enable|disable -coll_filter filter
• go change service {srvName} -dst_ports =p1,p2,...
• go change service {grName} [-group_report enable|disable] {-/+srvName1,-/+srvName2,...}
• go change service {contName} {-/+content1,-/+content2,...}
• go delete service {srvName}
• go rename service {srvName:newName}

Parameter     Description
newName       The new name to be set for the Service Catalog entry.
srvName       The name of the existing Service Catalog entry.
-protocol     The protocol of the Service entry. By default IP:TCP:Other TCP.
net           The network protocol to be used by the Catalog entry: IP, ARP,
              Banyan-Vines, DEC-DECNET, DEC-LAT, DEC-Ethernet, Appletalk, SNA, IPX,
              Ipv6, MS-IPX, NetBEUI, ANY, PPPoE-Discovery, PPPoE-Control or a whole
              number in the interval 1 - 65534.
ip            The transport protocol, if the Network Protocol is IP only: TCP, UDP,
              EIGRP, ICMP, IGMP, EGP, RSVP, OSPFIGP, SIPP-ESP, SIPP-AH, I-NLSP, SWIPE,
              GGP, GRE, ANY or a whole number in the interval 1 - 255.
app           The name of the Application protocol, when the Transport Protocol is
              TCP or UDP only.
-dst_ports    The list of ports on the destination host at which the traffic should
              arrive: x, x-y.
-port_type    The Port type: all, other, list.
-coll_filter  The Collection filter: service, appl.
content       The value format of the Content is <type:value>. Content types and
              values depend on the Application.

Acceptable Contents to the Application HTTP are:
• url
• method - with one of values CONNECT, DELETE, GET,
HEAD, OPTIONS, POST, PUT, TRACE
• host
• content-type - command 'go list content' shows the all of
acceptable values
Acceptable Contents to the Application FTP are:
• command - with one of values Download, Upload, Other
• file
Acceptable Contents to the Application Oracle are:
• service
• user
Acceptable Contents to the Application Citrix are:
• appl
• user
• Priority - with one of values High, Medium, Low, Print Traffic
Acceptable Contents to the Application H.323 are:
• codec - with one of values H.323 G711-64K Codec, H.323 G711-
56K Codec, H.323 G722-64K Codec, H.323 G722-56K Codec,
H.323 G722-48K Codec, H.323 G7231 Codec, H.323 G728
Codec, H.323 G729 Codec, H.323 H261 Codec, H.323 H262
Codec, H.323 H263 Codec, H.323 Audio Default Codec, H.323
Video Default Codec
Acceptable Contents to the Application KaZaA and Gnutella are:
• Direction - with one of values Upload, Download
Acceptable Contents to the Application Citrix ICA are:
• Priority - with one of values High, Medium, Low, Print Traffic

Acceptable Contents to the Application SMTP are:
• domains_file - with name of the file containing domains
• Domains
Acceptable Contents to the Application Citrix NFuse are:
• appl
• user
• Priority - with one of values High, Medium, Low, Print Traffic
Acceptable Contents to the Application MGCP are:
• codec
• Media Type - with one of values Audio, Video, Application,
Data, All

When changing the port list of a Service entry, prefix each port number or port range
with '-' or '+' ('-' to remove the port, '+' to add a new port), or prefix the list with
'=' once at the beginning to replace the port list with the new one. The same prefixes
are used to update a Service Group list and a Content Inspection list.
For example,
go add service Test1:appl -dst_ports 333,3456-3460 -f
go change service Test1 -dst_ports +2222-2228,-333
go change service Test1 -dst_ports =2222-2228,4444 -f

Connection Control Catalog Editing


Commands available:
• go add coc {newName:lb:<Technique:PortUse>} -behaviour NoSrvAction[:Backup:Sticky] -servers Host[:Port:Weight],Host[:Port:Weight],...
• go add coc {newName:cache} -behaviour NoSrvAction -servers Host,Host,...
• go change coc {cocName} -behaviour NoSrvAction[:Backup:Sticky] -servers -/+Host[:Port:Weight],-/+Host[:Port:Weight],...
• go delete coc {cocName}
• go rename coc {cocName:newName}

Parameter     Description
newName       The new name to be set for the Connection Control Catalog entry.
cocName       The name of the existing Connection Control Catalog entry.
Host          Hostname or IP address of the Load Balancing/Cache server.
NoSrvAction   No Server action: drop, reject, pass-as-is (by default).
Parameters for Connection Control entries of type lb only:
Technique     The load balancing technique being used: rr, fa, wrr (by default).
PortUse       The load balancing port being used: original (by default), assigned,
              fixed:<PortNumber>.
Backup        Whether to activate load balancing on server failure: yes, no (by default).
Sticky        The timeout (in seconds) for sticky connections: 0 - 999999.
Port          The port number on the load balancing server.
Weight        The weight number of the load balancing server, when Technique is
              defined as wrr.

When changing the servers list of a Connection Control entry, prefix each server item
with '-' or '+' ('-' to remove the item, '+' to add it), or prefix the list with '='
once at the beginning to replace the list with a new one.
For example,
go add coc Test1:lb:wrr:fixed:777 -servers 10.1.1.4::3 -f
go change coc Test1 -servers -10.1.1.4::3,+10.1.1.10::5 -f
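The Host, Time, Service and Connection Control editors above all share one list-edit syntax: '-item' removes, '+item' adds, and a single leading '=' replaces the whole list. Because go change applies the edit on the box without showing the resulting list, it is easy to mistype a '-item' and leave a port or server in place. The following POSIX shell functions are an added example, not part of the manual or of Allot's software: they compute the list that an edit string would leave behind, so a script can preview the outcome and can refuse an edit that removes an item the list does not contain or that lacks a prefix. The lists and edit strings used below are the manual's own examples plus constructed ones.

```shell
#!/bin/sh
# Added example, not from the NetEnforcer manual: preview what a "go change"
# list edit leaves behind. The CLI's Host, Time, Service and Connection
# Control editors all use the same syntax: "-item" removes, "+item" adds and
# a single leading "=" replaces the whole list. Items (ports, host names,
# time items, server specs) never contain whitespace.

# 0 if comma-separated list $1 contains item $2 exactly.
list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print list $1 with item $2 appended (no duplicates).
list_add() {
    if list_has "$1" "$2"; then printf '%s\n' "$1"
    elif [ -z "$1" ];       then printf '%s\n' "$2"
    else                         printf '%s,%s\n' "$1" "$2"
    fi
}

# Print list $1 without item $2; fail if the item is not there, because a
# typo in a "-item" would otherwise go unnoticed.
list_remove() {
    list_has "$1" "$2" || { echo "error: '$2' is not in the list" >&2; return 1; }
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -x -F -e "$2" | paste -s -d, -
}

# Apply edit $2 (e.g. "+2222-2228,-333" or "=2222-2228,4444") to list $1 and
# print the resulting list; return 1 on a bad edit.
apply_list_edit() {
    current=$1 edit=$2
    case "$edit" in
        =*) printf '%s\n' "${edit#=}"; return 0 ;;
    esac
    result=$current
    for item in $(printf '%s\n' "$edit" | tr ',' ' '); do
        case "$item" in
            +*) result=$(list_add "$result" "${item#+}") ;;
            -*) result=$(list_remove "$result" "${item#-}") || return 1 ;;
            *)  echo "error: '$item' needs a - or + prefix" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$result"
}

# The manual's Service Catalog example, traced step by step.
apply_list_edit '333,3456-3460' '+2222-2228,-333'        # prints 3456-3460,2222-2228
apply_list_edit '3456-3460,2222-2228' '=2222-2228,4444'  # prints 2222-2228,4444
```

Feed the current list (for example, the port list shown by go list service -full) and the intended edit string to apply_list_edit; if it returns non-zero, do not send the go change command.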


Policy Catalog Editing


Commands available:
• go add pipe {newName[:state]} -expand exp -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -access Access -qos QoS -offset X -dir X
• go change pipe {pName[:state]} -expand exp -access Access -qos QoS
• go delete pipe {pName}
• go rename pipe {pName:newName}
• go add vc {newName:pName[:state]} -expand exp -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -access Access -qos QoS -coc Coc -offset X -dir X
• go change vc {vcName:pName[:state]} -expand exp -access Access -qos QoS -coc Coc
• go delete vc {vcName:pName}
• go rename vc {vcName:newName:pName}
• go add prule {pName[:state]} -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -offset X -dir X
• go change prule {pName:offset[:state]} -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -dir X
• go delete prule {pName:offset}
• go add vcrule {vcName:pName[:state]} -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -offset Offset -dir X
• go change vcrule {vcName:pName:offset[:state]} -src Src -dst Dest -service Serv -time Time -tos ToS -vlan Vlan -dir X
• go delete vcrule {vcName:pName:offset}

Parameter   Description
newName     The new name to be set for the Pipe or Virtual Channel.
pName       The name of the existing Pipe.
vcName      The name of the existing Virtual Channel.
state       The status of the Pipe, Virtual Channel or Rule: enable, disable
            (default: enable).
-expand     The location of the Host Catalog entry for template expansion: none
            (no template), src, dst.
-src        The Connection Source condition of the Pipe or Virtual Channel: any entry
            from the Host Catalog (default: Any).
-dst        The Connection Destination condition of the Pipe or Virtual Channel: any
            entry from the Host Catalog (default: Any).
-service    The Service condition of the Pipe or Virtual Channel: any entry from the
            Service Catalog (default: All IP).
-time       The Time condition of the Pipe or Virtual Channel: any entry from the
            Time Catalog (default: Anytime).
-tos        The ToS condition of the Pipe or Virtual Channel: any entry from the
            ToS Catalog (default: Ignore).
-vlan       The Vlan condition of the Pipe or Virtual Channel: any entry from the
            Vlan Catalog (default: Any).
-qos        The QoS action of the Pipe or Virtual Channel: any entry from the QoS
            Catalog (default: Normal Priority – Pipe / Normal Priority – Virtual
            Channel).
-access     The Access action of the Pipe or Virtual Channel: Accept, Reject, Drop
            (default: Accept).
-coc        The Connection Control action of the Virtual Channel: any entry name
            from the Connection Control Catalog.
-dir        The direction of traffic to which the Pipe or Virtual Channel applies:
            1, 2 (default: 2).
-offset     The position of the Pipe, Virtual Channel or Rule, as an offset from the
            first position in the policy table.

When adding a new Pipe or Virtual Channel without the '-offset' parameter, it is
inserted in the next-to-last position (before the Fallback Pipe/VC).

List
The list action displays the entries defined in the different Catalogs.
Commands available:
• go list {object} [-full]

Object     Parameter        Description
host       -full            Displays the contents of the Host Catalog. If the '-full'
                            parameter is specified, additional information is shown for
                            entries from LDAP/Text file Data Sources.
time       -                Displays the contents of the Time Catalog.
tos        -                Displays the contents of the ToS Catalog.
qos        -                Displays the contents of the QoS Catalog.
service    -full            Displays the contents of the Service Catalog.
datasrc    -                Displays the contents of the Data Source Catalog.
vlan       -                Displays the contents of the Vlan Catalog.
coc        -                Displays the contents of the Connection Control Catalog.
pipes      -full            Displays a list of defined Pipes. If the '-full' parameter
                            is specified, additional information is shown for each
                            Virtual Channel in the Pipe.
pipedata   {pName}          Displays full data for a single Pipe identified by name.
vc         {vcName:pName}   Displays full data for a single VC identified by name.

Configuration Settings
The config action enables you to configure NetEnforcer. A description of the switches
and parameters available are shown below.
Commands available:
• go config key {Key}
• go config nic -internal link -external link -mgmt link
• go config access_control {host_list}
• go config snmp -community read:write:trap -trap_dest Dest -contact Contact -location Loc
• go config vlan {vlan_env:vlan_id}
• go config ips -h Hostname -d Domain -g Gateway -ip ip:mask -dns dns1:dns2 -ts ts1:ts2:ts3 -mgmt check -reject_ip ip:mask|none
• go config access_link -internal link -external link
• go config policy_srv -auto_refresh X -save_refresh check
• go config monitoring -resolve_dns check -sample_period sp
• go config coc -pass_through check -retries server:service -timeout server:service:connect
• go config acct_setup [enable|disable] -resolve_dns check -odbc check -collect_data period -del_data period -ip IP1:IP2
• go config radius_setup [enable|disable] -stop_only check -collect_data period -server1 addr -server2 addr -send_timeout X -retries Y -failed_msg N
• go config acct_radius_storage -pipe check -vc check -service check -hosts hr
• go config dos [admit|drop] -max_conn X -max_cer Y
• go config security -connect Mode -telnet check -ping check -timeout X -root_login check -ssh check
• go config network -transport check -appl check -sptree check -mesh check -mom check -ar -/+route1,-/+route2,...|none
• go config alerts [enable|disable] -email e1:e2 -sms SMS -src_email -smtp
• go config time -t date_time -tz zone
• go config setup_verify
• go config send_snapshot
• go config view [cfg_tab]

Parameter Description

Config Tab | Parameter | Description

key
  Key: The new box activation key, or none.
access_control
  Host_list: Update the list of hosts allowed access to NetEnforcer. Any hosts not entered in this list will be barred access to NetEnforcer. The format is IP addresses/host names with prefix - (minus) or + (plus), separated by , (comma), or all. For example, go config access_control -10.10.10.1,+10.10.10.2.
snmp
  -community: The SNMP read, write and trap community.
  -trap_dest: The SNMP trap destination address.
  -contact: The SNMP contact.
  -location: The SNMP location.
vlan
  vlan_env: The VLAN environment setting: enable, disable.
  vlan_id: The VLAN ID: 1 - 4094.
ips
  -h: The host name of NetEnforcer.
  -d: The domain name where NetEnforcer is located. For example, allot.com.
  -g: The IP address of the gateway, or none.
  -ip: The IP address of NetEnforcer and the network subnet mask.
  -dns: The IP address of your Primary/Secondary DNS server, or none.
  -ts: The IP address of the Primary/Secondary/Tertiary time server, or none.
nic
  -internal, -external, -mgmt: Internal/External/Management interface NIC settings in the format [mode:speed]. The mode values are: auto, half, full. The speed values are: auto, 10, 100, 1000 (according to the box type).
acct_setup (these parameters are for Internal Accounting)
  -resolve_dns: Resolve DNS names for Accounting data: enable, disable.
  -odbc: Use ODBC to read Accounting data: enable[:Username:Passw], disable.
  -collect_data: The timespan of saved Accounting data: Xminutes, Xhours, Xdays.
  -del_data: The timespan of deleted Accounting data: Xdays, Xmonths.
acct_setup (these parameters are for External Accounting)
  -ip: IP1:IP2 are the primary and secondary IP addresses of the external accounting servers.
access_link
  -internal, -external: Internal/External interface link settings in the format [type:outBW:inBW]. The bandwidth must be defined using the K/M unit. The link types are: half, full. For example, go config access_link -internal full:1000M:100M.
policy_srv
  -auto_refresh: Auto refresh rate for any LDAP/text file-based query found in the policy catalog: Xsec, Xmin, Xhours, Xdays or none.
  -save_refresh: Refresh any LDAP/text file-based query found in the policy catalog when saving the policy database: enable, disable.
monitoring
  -resolve_dns: Resolve DNS names for monitoring data: enable, disable.
  -sample_period: The monitoring sample period: 30sec, 1min, 2min, 3min, 4min, 5min, 6min, 7min, 8min, 9min, 10min.
coc
  -pass_through: Pass all cached traffic through the QoS device: enable, disable.
  -retries: The Server/Service tracking retries: 1 - 100.
  -timeout: The Server/Connect tracking timeout: 10 - 240. Service tracking timeout: 10 - 249.
radius_setup
  -stop_only: Send RADIUS Stop messages only: enable, disable.
  -collect_data: The period of saving RADIUS data: Xminutes, Xhours, Xdays.
  -server1, -server2: The Primary/Secondary RADIUS server in the format <addr[/port]:secret>, or none.
  -send_timeout: The timeout on message send failure: 1 - 60.
  -retries: The number of retries for attempting message send: 1 - 10.
  -failed_msg: The number of failed messages before switching to the other server: 1 - 200.
acct_radius_storage
  -pipe: Save item 'Pipe' in each Accounting record: enable, disable.
  -vc: Save item 'Virtual Channel' in each Accounting record: enable, disable.
  -service: Save item 'Service' in each Accounting record: enable, disable.
  -host: Host recording in Accounting: int_host, ext_host, int_ext_host, client, server, client_server, disable.
dos
  -max_conn: Maximum number of connections in case of a DoS attack: 1 - Value (value according to NetEnforcer type).
  -max_cer: Maximum new connection establishment rate: 1 - Value (value according to NetEnforcer type).
security
  -connect: The connection mode: ssl, non-ssl, both.
  -telnet: Enable/disable telnet: enable, disable.
  -ping: Enable/disable ping replies: enable, disable.
  -timeout: The timeout while connected via console or telnet. The shells will automatically log out after the specified number of seconds. If 0, there is no automatic logout.
  -root_login: Enable/disable the ability to log in as user "root": enable, disable. (Modifies the files /etc/security and /etc/ssh/sshd_config.)
  -ssh: Enable/disable Secure Shell communications: enable, disable. (Runs/stops sshd.)
network
  -transport: Transport Layer Classification (TCP/UDP ports): enable, disable.
  -sptree: Support the 'Spanning Tree' protocol: enable, disable.
  -appl: Application Layer Analysis: enable, disable.
  -mesh: Support a meshed network topology: enable, disable.
  -mom: 'Monitoring Only' mode: enable, disable.
  -ar: Additional routes. The format is -/+<destIP:mask:gateway:destType:interface>,… Destination types: host, network. Interfaces: 0, 1, 2. Prefixes: '-' to delete the selected route from the Routing Table; '+' to add a new route to the Routing Table.
time
  -t: The system time in the format DD-MM-YYYY-HH-mm.
  -tz: Time zone settings. Enter one from the following list of parameters:
US/Alaska, US/Aleutian, US/Arizona,
US/Central, US/East-Indiana, US/Eastern,
US/Hawaii, US/Indiana-Starke, US/Michigan,
US/Mountain, US/Pacific, US/Samoa,
Africa/Abidjan, Africa/Accra,
Africa/Addis_Ababa, Africa/Algiers,
Africa/Asmera, Africa/Bamako, Africa/Bangui,
Africa/Banjul, Africa/Bissau, Africa/Blantyre,
Africa/Brazzaville,
Africa/Bujumbura,Africa/Cairo,
Africa/Casablanca, Africa/Ceuta,
Africa/Conakry, Africa/Dakar,
Africa/Dar_es_Salaam, Africa/Djibouti,
Africa/Douala, Africa/El_Aaiun,
Africa/Freetown, Africa/Gaborone,
Africa/Harare, Africa/Johannesburg,
Africa/Kampala, Africa/Khartoum,
Africa/Kigali, Africa/Kinshasa, Africa/Lagos,
Africa/Libreville, Africa/Lome, Africa/Luanda,
Africa/Lubumbashi, Africa/Lusaka,
Africa/Malabo, Africa/Maputo, Africa/Maseru,
Africa/Mbabane, Africa/Mogadishu,
Africa/Monrovia, Africa/Nairobi,
Africa/Ndjamena, Africa/Niamey,
Africa/Nouakchott, Africa/Ouagadougou,
Africa/Porto-Novo, Africa/Sao_Tome,
Africa/Timbuktu, Africa/Tripoli, Africa/Tunis,
Africa/Windhoek, America/Adak,
America/Anchorage, America/Anguilla,
America/Antigua, America/Araguaina,
America/Aruba, America/Asuncion,
America/Atka, America/Barbados,
America/Belem, America/Belize,
America/Boa_Vista, America/Bogota,
America/Boise, America/Buenos_Aires,
America/Cambridge_Bay, America/Cancun,
America/Caracas, America/Catamarca,
America/Cayenne, America/Cayman,
America/Chicago, America/Chihuahua,
America/Cordoba, America/Costa_Rica,
America/Cuiaba, America/Curacao,
America/Dawson, America/Dawson_Creek,
America/Denver, America/Detroit,
America/Dominica, America/Edmonton,
America/Eirunepe, America/El_Salvador,
America/Ensenada, America/Fort_Wayne,
America/Fortaleza, America/Glace_Bay,
America/Godthab, America/Goose_Bay,
America/Grand_Turk, America/Grenada,
America/Guadeloupe, America/Guatemala,
America/Guayaquil, America/Guyana,
America/Halifax, America/Havana,
America/Hermosillo,
America/Indiana/Indianapolis,
America/Indiana/Knox,
America/Indiana/Marengo,
America/Indiana/Vevay, America/Indianapolis,
America/Inuvik, America/Iqaluit,
America/Jamaica, America/Jujuy,
America/Juneau, America/Lima,
America/Kentucky/Louisville, America/La_Paz,
America/Kentucky/Monticello,
America/Knox_IN, America/Los_Angeles,
America/Louisville, America/Maceio,
America/Managua, America/Manaus,
America/Martinique, America/Mazatlan,
America/Mendoza, America/Menominee,
America/Merida, America/Mexico_City,
America/Miquelon, America/Monterrey,
America/Montevideo, America/Montreal,
America/Montserrat, America/Nassau,
America/New_York, America/Nipigon,
America/Nome, America/Noronha,
America/Panama, America/Pangnirtung,
America/Paramaribo, America/Phoenix,
America/Port-au-Prince,
America/Port_of_Spain, America/Porto_Acre,
America/Porto_Velho, America/Puerto_Rico,
America/Rainy_River, America/Rankin_Inlet,
America/Recife, America/Regina,
America/Rosario, America/Santiago,
America/Santo_Domingo, America/Sao_Paulo,
America/Scoresbysund, America/Shiprock,
America/St_Johns, America/St_Kitts,
America/St_Lucia, America/St_Thomas,
America/St_Vincent, America/Swift_Current,
America/Tegucigalpa, America/Thule,
America/Thunder_Bay, America/Tijuana,
America/Tortola, America/Vancouver,
America/Virgin, America/Whitehorse,
America/Winnipeg, America/Yakutat,
America/Yellowknife, Antarctica/Casey,
Antarctica/Davis, Antarctica/DumontDUrville,
Antarctica/Mawson, Antarctica/McMurdo,
Antarctica/Palmer, Antarctica/South_Pole,
Antarctica/Syowa, Arctic/Longyearbyen,
Asia/Aden, Asia/Almaty,Asia/Amman,
Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe,
Asia/Ashgabat, Asia/Ashkhabad, Asia/Baghdad,
Asia/Bahrain, Asia/Baku, Asia/Bangkok,
Asia/Beirut, Asia/Bishkek, Asia/Brunei,
Asia/Calcutta, Asia/Chungking, Asia/Colombo,
Asia/Dacca, Asia/Damascus, Asia/Dhaka,
Asia/Dili,Asia/Dubai, Asia/Dushanbe,
Asia/Gaza, Asia/Harbin, Asia/Hong_Kong,
Asia/Hovd, Asia/Irkutsk, Asia/Istanbul,
Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem,
Asia/Kabul, Asia/Kamchatka, Asia/Karachi,
Asia/Kashgar, Asia/Katmandu,
Asia/Krasnoyarsk, Asia/Kuala_Lumpur,
Asia/Kuching, Asia/Kuwait, Asia/Macao,
Asia/Magadan, Asia/Manila, Asia/Muscat,
Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk,
Asia/Phnom_Penh, Asia/Pyongyang,
Asia/Qatar, Asia/Rangoon ,Asia/Riyadh,
Asia/Riyadh87, Asia/Riyadh88, Asia/Riyadh89,
Asia/Saigon, Asia/Samarkand, Asia/Seoul,
Asia/Shanghai, Asia/Singapore, Asia/Taipei,
Asia/Tashkent, Asia/Tbilisi, Asia/Tehran,
Asia/Tel_Aviv, Asia/Thimbu, Asia/Thimphu,
Asia/Tokyo, Asia/Ujung_Pandang,
Asia/Ulaanbaatar, Asia/Ulan_Bator,
Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok,
Asia/Yakutsk, Asia/Yekaterinburg,
Asia/Yerevan, Atlantic/Azores,
Atlantic/Bermuda, Atlantic/Canary,
Atlantic/Cape_Verde, Atlantic/Faeroe,
Atlantic/Jan_Mayen, Atlantic/Madeira,
Atlantic/Reykjavik, Atlantic/South_Georgia,
Atlantic/St_Helena, Atlantic/Stanley,
Australia/ACT, Australia/Adelaide,
Australia/Brisbane, Australia/Broken_Hill,
Australia/Canberra, Australia/Darwin,
Australia/Hobart, Australia/LHI,
Australia/Lindeman, Australia/Lord_Howe,
Australia/Melbourne, Australia/NSW,
Australia/North, Australia/Perth,
Australia/Queensland, Australia/South,
Australia/Sydney, Australia/Tasmania,
Australia/Victoria, Australia/West,
Australia/Yancowinna, Brazil/Acre,
Brazil/DeNoronha, Brazil/East,Brazil/West,
CET, CST6CDT, Canada/Atlantic,
Canada/Central, Canada/East-Saskatchewan,
Canada/Eastern, Canada/Mountain,
Canada/Newfoundland, Canada/Pacific,
Canada/Saskatchewan, Canada/Yukon,
Chile/Continental, Chile/EasterIsland, Cuba,
EET, EST, EST5EDT, Egypt, Eire, Etc/GMT,
Etc/GMT+0, Etc/GMT+1, Etc/GMT+10,
Etc/GMT+11, Etc/GMT+12, Etc/GMT+2,
Etc/GMT+3, Etc/GMT+4, Etc/GMT+5,
Etc/GMT+6, Etc/GMT+7, Etc/GMT+8,
Etc/GMT+9, Etc/GMT-0, Etc/GMT-1,
Etc/GMT-10, Etc/GMT-11, Etc/GMT-12,
Etc/GMT-13, Etc/GMT-14, Etc/GMT-2,
Etc/GMT-3, Etc/GMT-4, Etc/GMT-5,
Etc/GMT-6, Etc/GMT-7, Etc/GMT-8,
Etc/GMT-9, Etc/GMT0, Etc/Greenwich,
Etc/UCT, Etc/UTC, Etc/Universal, Etc/Zulu,
Europe/Amsterdam, Europe/Andorra,
Europe/Athens, Europe/Belfast,
Europe/Belgrade, Europe/Berlin,
Europe/Bratislava, Europe/Brussels,
Europe/Bucharest, Europe/Budapest,
Europe/Chisinau, Europe/Copenhagen,
Europe/Dublin, Europe/Gibraltar,
Europe/Helsinki, Europe/Istanbul,
Europe/Kaliningrad, Europe/Kiev,
Europe/Lisbon, Europe/Ljubljana,
Europe/London, Europe/Luxembourg,
Europe/Madrid, Europe/Malta, Europe/Minsk,
Europe/Monaco, Europe/Moscow,
Europe/Nicosia, Europe/Oslo, Europe/Paris,
Europe/Prague, Europe/Riga, Europe/Rome,
Europe/Samara, Europe/San_Marino,
Europe/Sarajevo, Europe/Simferopol,
Europe/Skopje, Europe/Sofia,
Europe/Stockholm, Europe/Tallinn,
Europe/Tirane, Europe/Tiraspol,
Europe/Uzhgorod, Europe/Vaduz,
Europe/Vatican, Europe/Vienna,
Europe/Vilnius, Europe/Warsaw,
Europe/Zagreb, Europe/Zaporozhye,
Europe/Zurich, Factory, GB, GB-Eire, GMT,
GMT+0, GMT-0, GMT0, Greenwich, HST,
Hongkong, Iceland, Indian/Antananarivo,
Indian/Chagos, Indian/Christmas, Indian/Cocos,
Indian/Comoro, Indian/Kerguelen, Indian/Mahe,
Indian/Maldives, Indian/Mauritius,
Indian/Mayotte, Indian/Reunion, Iran, Israel,
Jamaica, Japan, Kwajalein, Libya, MET, MST,
MST7MDT, Mexico/BajaNorte,
Mexico/BajaSur, Mexico/General,
Mideast/Riyadh87, Mideast/Riyadh88,
Mideast/Riyadh89, NZ, NZ-CHAT, Navajo,
PRC, PST8PDT, Pacific/Apia,
Pacific/Auckland, Pacific/Chatham,
Pacific/Easter, Pacific/Efate, Pacific/Enderbury,
Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti,
Pacific/Galapagos, Pacific/Gambier,
Pacific/Guadalcanal, Pacific/Guam,
Pacific/Honolulu, Pacific/Johnston,
Pacific/Kiritimati, Pacific/Kosrae,
Pacific/Kwajalein, Pacific/Majuro,
Pacific/Marquesas, Pacific/Midway,
Pacific/Nauru, Pacific/Niue, Pacific/Norfolk,
Pacific/Noumea, Pacific/Pago_Pago,
Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape,
Pacific/Port_Moresby, Pacific/Rarotonga,
Pacific/Saipan, Pacific/Samoa, Pacific/Tahiti,
Pacific/Tarawa, Pacific/Tongatapu,
Pacific/Truk, Pacific/Wake, Pacific/Wallis,
Pacific/Yap, Poland, Portugal, ROC, ROK,
Singapore, Turkey, UCT, UTC, Universal, W-SU, WET, Zulu
view
  cfg_tab: Display the current configuration parameters for the specified tab: key, ips, snmp, access_link, access_control, vlan, acct_setup, monitoring, policy_srv, acct_radius_storage, dos, security, alerts, time. If no tab is specified, all of the configuration parameters are displayed.
alerts
  -email: The Primary/Secondary email address of the alert target.
  -sms: The SMS address of the alert target.
setup_verify
  (no parameters): Perform the setup verification.
send_snapshot
  (no parameters): Send a snapshot to Allot from NetEnforcer.
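As an added example (not code from this guide or from Allot), the following Python audit checks the `security` and `access_control` tab values documented above against a hardened baseline and builds the corrective `go config` commands. It assumes the current settings have already been read into a dict, since the guide does not show the output format of `go config view security`; the 600-second idle timeout is the example's own choice, and the weak configuration is constructed for illustration.

```python
"""Audit NetEnforcer 'security' and 'access_control' settings against a hardened baseline.

Added example, not part of the NetEnforcer User Guide or the product. Parameter
names and value sets are those the guide documents for `go config security` and
`go config access_control`. RECOMMENDED_TIMEOUT is an assumption of this example.
"""
import ipaddress
import re

ENABLE_DISABLE = {"enable", "disable"}
CONNECT_MODES = {"ssl", "non-ssl", "both"}
RECOMMENDED_TIMEOUT = 600  # seconds (assumption); the guide only says 0 disables auto-logout
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)

# Constructed sample: a box left on permissive settings (not taken from any real device).
CONSTRUCTED_WEAK_SECURITY = {
    "connect": "both", "telnet": "enable", "ping": "enable",
    "timeout": "0", "root_login": "enable", "ssh": "disable",
}


def _parse_timeout(cfg):
    """Timeout as a non-negative int, or None when it is not a valid number."""
    try:
        value = int(cfg.get("timeout", 0))
    except (TypeError, ValueError):
        return None
    return value if value >= 0 else None


def audit_security(cfg):
    """Return findings for the 'security' tab; an empty list means hardened."""
    findings = []
    connect = cfg.get("connect")
    if connect not in CONNECT_MODES:
        findings.append(f"-connect has invalid value {connect!r}")
    elif connect != "ssl":
        findings.append(f"-connect {connect}: management over non-SSL is permitted")
    for flag in ("telnet", "ping", "root_login", "ssh"):
        if cfg.get(flag) not in ENABLE_DISABLE:
            findings.append(f"-{flag} has invalid value {cfg.get(flag)!r}")
    if cfg.get("telnet") == "enable":
        findings.append("-telnet enable: cleartext management protocol exposed")
    if cfg.get("root_login") == "enable":
        findings.append("-root_login enable: direct root login allowed")
    if cfg.get("ssh") == "disable":
        findings.append("-ssh disable: no encrypted shell access available")
    timeout = _parse_timeout(cfg)
    if timeout is None:
        findings.append(f"-timeout has invalid value {cfg.get('timeout')!r}")
    elif timeout == 0:
        findings.append("-timeout 0: console/telnet shells never log out automatically")
    return findings


def hardened_security_command(cfg):
    """Build the `go config security` command that closes the findings above.

    -ping is kept as configured (answering ICMP is an availability choice, not a
    hardening one); the timeout is raised to RECOMMENDED_TIMEOUT only when it is
    0 or invalid.
    """
    timeout = _parse_timeout(cfg) or RECOMMENDED_TIMEOUT
    ping = cfg.get("ping") if cfg.get("ping") in ENABLE_DISABLE else "disable"
    return (f"go config security -connect ssl -telnet disable -ping {ping} "
            f"-timeout {timeout} -root_login disable -ssh enable")


def _valid_host(entry):
    """True for an IPv4/IPv6 address or a syntactically valid host name."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(entry))


def audit_access_control(host_list):
    """Findings for the access_control Host_list value: 'all' or a +/- prefixed list."""
    if host_list.strip() == "all":
        return ["access_control is 'all': every host may reach the management interfaces"]
    findings = []
    for raw in host_list.split(","):
        entry = raw.strip()
        if not entry or entry[0] not in "+-":
            findings.append(f"entry {entry!r} lacks the required + or - prefix")
        elif not _valid_host(entry[1:]):
            findings.append(f"entry {entry!r} is not an IP address or host name")
    return findings


def access_control_command(allow, bar):
    """Build `go config access_control` from hosts to allow (+) and to bar (-)."""
    for host in (*allow, *bar):
        if not _valid_host(host):
            raise ValueError(f"invalid host {host!r}")
    entries = [f"-{h}" for h in bar] + [f"+{h}" for h in allow]
    return "go config access_control " + ",".join(entries)


if __name__ == "__main__":
    for finding in audit_security(CONSTRUCTED_WEAK_SECURITY):
        print("FINDING:", finding)
    print(hardened_security_command(CONSTRUCTED_WEAK_SECURITY))
    print(audit_access_control("all"))
    print(access_control_command(["10.10.10.2"], ["10.10.10.1"]))
```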

Appendix H: Troubleshooting

This appendix describes some common situations that may occur when using
NetEnforcer and how to deal with them.
No Link with the NetEnforcer
Problem: I cannot ping the NetEnforcer and cannot see a link on the interfaces of the NetEnforcer.
Solution: Ensure that you are connected with the correct cables. If NetEnforcer is directly connected to another device, such as a router, firewall or PC, you should be connected using a crossover cable. A straight cable is used when connecting to a hub or a switch.

No Link with the NetEnforcer / Link Up, Link Down
Problem: My link with the NetEnforcer appears to keep disconnecting. I see huge packet loss when I ping and I can also see the link light going off intermittently.
Solution: This is probably because the two NICs (NetEnforcer's and its connected device's) are not synchronized properly. It is mandatory to set both the NetEnforcer's NIC and the adjacent device's NIC to the same speed and duplex mode. This can be done via the NetEnforcer Setup Menu (Network configuration, Manual configuration), described in Chapter 2, Installing NetEnforcer. Alternatively, the NIC settings can be changed via the browser interface in the Configuration window (Advanced view) under the NIC tab, described in Chapter 4, Configuring NetEnforcer.

Cannot Access the NetEnforcer
Problem: I can ping through the NetEnforcer and browse to the Internet but I am unable to access the NetEnforcer directly via telnet or the browser interface.
Solution: Check that your IP routing is defined correctly on the NetEnforcer. The Default Gateway definition should refer to the default gateway used by your clients from different subnets to access the subnet on which the NetEnforcer sits.

Monitoring Graph does not Appear Accurate
Problem: I defined CBR for a connection but the monitoring graph always displays the throughput as less than this value. In general the values displayed in the monitoring chart appear to be inaccurate.
Solution: The monitoring graph has two display modes, "Average" and "Active Average". The "Average" option displays an average throughput rate over the whole sample time, meaning total bytes sent (or received) / one sample time. The result is that if a connection is only sending traffic for a third of that time period, the throughput rate displayed over the whole sample time will be reduced to a third of its actual rate. The "Active Average" option displays the throughput rate only for the time period that the connection was sending traffic. This provides a 'true' representation of the throughput rate. To change the display mode, select the appropriate monitoring mode from the View menu.

Host IPs / Names are not added to the Access Control List
Problem: When I add an IP address to the access control list via the Configuration window (Access Control tab), it disappears when I select Add.
Solution: This problem is a result of the browser cache size being too small. To change the cache size, follow the instructions below.
For Microsoft Internet Explorer:
1. From the Tools menu, select Internet Options.
2. Select the General tab and then select Settings from the Temporary Internet Files section.
3. Ensure that the Amount of disk space to be used is at least 10 Kbytes.
4. Click OK to return to the General tab, and click OK again to close the Internet Options dialog box.
5. Restart Internet Explorer.
For Netscape Navigator:
1. From the Edit menu, choose Preferences.
2. In the Categories window, click on the plus ("+") sign next to Advanced, and select Cache.
3. Ensure that the Disk Cache is set to at least 10 Kbytes, and click OK.
4. Restart Navigator.

Changing the RADIUS Server Port
Problem: My RADIUS server does not run on the default port. I would like to export my accounting data to the RADIUS server. How do I do this?
Solution:
1. Open the Configuration window (Advanced View).
2. Select the RADIUS Setup tab.
3. In the Primary RADIUS Server Host Name/IP Address field, enter the IP address/host name of your RADIUS server and the port number that the server runs on. For example, if your RADIUS server runs on port 2222 and the IP address of the server is 1.2.3.4, then you would enter the information as follows: 1.2.3.4:2222.

Applications Disconnect with Low Priority
Problem: I am trying to run a particular application but every time I try to do anything it disconnects. The only Quality of Service definition I have defined is Priority 1. I have many high priority applications, some with guaranteed bandwidth definitions.
Solution: The difference between the highest priority applications and the lowest priority applications should usually be very small (1-2 steps). Large differences in priority (9 or 10 steps) for many applications may cause excessive timeouts. If your link is congested, then applications with very low priorities will be assigned only small bandwidth allocations. In some cases, this bandwidth is not enough for the application to function, so it becomes "starved" and eventually times out.

Unable to Connect to the NetEnforcer via HyperTerminal
Problem: I am trying to connect to the NetEnforcer via HyperTerminal. All my settings are correct but I am still not able to access the NetEnforcer.
Solution: In some cases you may need to ground the NetEnforcer. At the rear of the NetEnforcer there is a ground connector. Connect this to a grounding cable and try the HyperTerminal connection again.

Software Version and AC Model
Problem: How do I find out what NetEnforcer model I have and what software version it is running?
Solution: Open the Configuration window and select the Product IDs and Key tab. The model is listed under Product Name and the version under Version.

Backup of VC Table and Configuration Information
Problem: How do I back up my policy data and configuration information?
Solution: Refer to Chapter 4, Configuring NetEnforcer, Additional Configuration Options.

What Does Raw TCP Mean?
Problem: In the protocol distribution window of the monitoring graph I see "Raw TCP." What does this mean?
Solution: The NetEnforcer reports TCP traffic as Raw when it does not see all packets within a connection. This can happen when NetEnforcer is rebooted, since it becomes active while many connections are already active. In this case, the amount of Raw TCP traffic will decrease over time as existing connections are closed and new connections are opened. Another cause of Raw TCP traffic is NetEnforcer sitting in a 'meshed' network. This means that the packets can take more than one path to reach the same destination, so not all packets will pass through NetEnforcer. In any situation where NetEnforcer only receives part of the packets within a connection, the traffic will be reported as Raw.

Maximum per VC is Exceeded
Problem: I have defined a maximum per VC of 10Kbps. In the Inbound monitoring graph I always see more than 10Kbps.
Solution: A regular packet size is 12Kb. Therefore, if you define a maximum value lower than 12, you will still see a throughput of at least 12Kbps.


Appendix I: Glossary

This appendix defines the terms used throughout the manual.

Glossary of Terms
Access Control
An action that specifies the access for a connection. You can select the Access
Control to accept, drop, or reject a connection.
Access Link
Internal and External logical interfaces. Access link values may be smaller than or equal to the Ethernet adapter values.
Action
The operation performed on a connection once it matches a rule. A combination of
Access Control, QoS and Connection Control.
Address – IP
A list of logical entities representing IP Version 4 (IPv4) addresses, which are
comprised of 32 bits.
Address – MAC
A list of logical entities representing Media Access Control (MAC) addresses, which
are comprised of a 48-bit source or destination address. The source address is the
sender's globally unique device address.
Admin
The default user name for administrating NetEnforcer, with the default password
allot. It is strongly recommended to change this password.

Admission Control
A step in every flow activation, when the required bandwidth is allocated (or not)
according to user demand (minimum bandwidth and maximum number of
connections) and system state.
Application Binding
The process of finding the correct application type for a flow (in case the flow is
TCP or UDP).
Application Recognition
The classification of protocols/applications by their unique "signature".
Application Type
The application type is defined by the destination port number.
Backplane Watchdog Timer
The backplane internal hardware timer that initiates the bypass in case there was no
software visit (the software visit restarts the timer).
Bandwidth
A parameter that defines the rate at which data flows.
Blocked Queue
A queue that holds packets that are over the maximum bandwidth defined for the
connection/Virtual Channel/Pipe.
Borrowing Bandwidth
A Pipe/Virtual Channel defined with a minimum bandwidth will receive only the
minimum necessary bandwidth, even if that value falls below the guaranteed
minimum. For example, if a Virtual Channel is currently defined for 100 Kb
minimum but needs only 50 Kb, 50 Kb is all that will be reserved, and the remainder
of the bandwidth will be allocated to another Virtual Channel. This means that
unused bandwidth is never wasted.

Burst Mode
When burst size is defined, the system will allow traffic to burst for a certain amount
of time, but the average traffic for the whole period will still be bounded by the
maximum.
Cache Redirection (CacheEnforcer)
A network device that intercepts client HTTP requests and forwards them to one or
more cache servers.
Catalog
A list of user-defined entries used when defining Pipes, Virtual Channels and rules
in the Policy Editor.
CBR
See Constant Bit Rate.
Centralized Monitoring and Accounting
Provision of centralized policy-based accounting and remote monitoring services.
The Allot Communications NetPolicy provides a comprehensive, policy-based
system that allows the network manager to define, in a concise and organized
fashion, policies that automatically effect change on specific equipment in the
network environment.
Classification
The procedure by which a flow or connection is associated to a Pipe and a Virtual
Channel. This procedure occurs every time a new flow passes through NetEnforcer.
Classification Element
Definition of partial criteria for a match to an attribute of network traffic. One rule is
a set of five classification elements or conditions. See Condition.
COC
See Connection Control.

Condition
A criterion used to classify traffic. Conditions include Connection Source, Connection Destination, Service, ToS, and Time.
Connection
A flow from a source to a destination and from the destination back to the source.
Connection Control
Defines whether a flow is directed to load balancing or cache redirection, or is passed through as is.
Connection Control Catalog
A Catalog that enables the user to define different load-balancing and
cache-redirection definitions.
Constant Bit Rate
Offers constant throughput. When CBR is defined, the system will not allow traffic
to exceed the maximum boundary defined.
Constant Connection
Offers constant throughput. When CBR is defined, the system will not allow traffic
to exceed the maximum boundary defined.
Content Inspection
The ability to analyze packet content on a per-flow basis. This feature provides the capability to filter packets according to the user's content requests. Content-based packet classification is based on any combination of source address, destination address, protocol, type, or content URL, including URL patterns.
Delay
Specifies the maximum delay that a packet stays in NetEnforcer. If the packet
exceeds this delay, the packet is discarded.

DDoS Attack
Distributed Denial of Service Attack. These attacks are more intense and damaging
than DoS attacks. In DDoS attacks, multiple machines unknowingly participate in an
attack against a single host target.
DHCP
Dynamic Host Configuration Protocol. Used for automated allocation, configuration
and management of IP addresses and TCP/IP protocol stack parameters.
DoS Attack
Denial of Service Attack. Most DoS attacks overload servers with redundant traffic. Every server can handle traffic volume only up to a maximum, beyond which it becomes disabled.
Drop
All packets are dropped. The user is disconnected and may see the message
Connection timed-out.
Flow
A series of packets with common attributes. Since these attributes do not change in
time, it is possible to identify a flow by its first packet only. TCP and UDP flows are
identified by the IP and port of the source and destination. Any other IP flow is
identified by the source IP, destination IP and protocol number. Non-IP flows are
identified by protocol number only. See Connection.
Flow Attribute
Data belonging to a flow that differentiates that flow from others.
Fraggle Attack
When a perpetrator sends a large number of UDP echo (ping) packets to IP broadcast addresses, all of them having a fake source address. This is a simple rewrite of the Smurf code.

Guaranteed Bandwidth
A per-connection parameter, which means that every connection will be granted
“N bytes/bits per second”.
Host Catalog
A Catalog that enables the user to define the Connection Source and Connection
Destination, two of the classification elements or conditions of a rule. Hosts can be
network IP addresses, IP address ranges, host names, IP Subnet addresses or MAC
addresses.
Inbound Traffic
Traffic that flows into the External link and out from the Internal link.
Java Applet
A program written in the Java™ (Sun Microsystems Inc trademark) language. The
applet's code is transferred to your system and executed by the browser's Java
Virtual Machine (JVM) (see more at: http://java.sun.com/applets/).
Lightweight Directory Access Protocol (LDAP)
A standard communication protocol that allows clients, servers and applications to
access directory services. NetEnforcer includes an LDAP client for communication
with the LDAP directory.
Load Balancing
A mechanism that enables balancing traffic between different servers. All traffic is
directed to a single IP, but the load-balancer smartly divides the traffic between the
different servers.
Maximum Bandwidth
A parameter that defines the upper limit of the bandwidth provision of NetEnforcer,
a Pipe, a Virtual Channel or a connection. NetEnforcer ensures that the bandwidth
will not exceed this value.

Minimum Bandwidth
A parameter that defines the lower limit of bandwidth provision, and states that
NetEnforcer will provide a particular Pipe, Virtual Channel or connection with “at
least N bytes/bits per second”. NetEnforcer guarantees that the bandwidth will not
fall below this value.
Monitor
The default basic user name for monitoring NetEnforcer, with the default password
allot. It is strongly recommended to change this password.
MPLS
Multi-protocol Label Switching. This networking protocol provides a scalable infrastructure for the Internet. MPLS uses the concept of label switching to create a 'virtual circuit' between two end points. The main use of MPLS is to create high quality VPNs (Virtual Private Networks). In addition, MPLS may be used to allow integrated-access services such as voice/video and data over IP.
MRTG
Multirouter Traffic Grapher. The MRTG tool generates HTML pages that present
traffic statistic graphs. Using a standard Web browser, you can view pages, each
containing graphs showing daily, weekly, monthly and yearly information.
NetHistory
A software module that enables the user to view network behavior at any time in the
past.
NIC
Network Interface Card. Located in one device and physically connected to the
Ethernet cable going into another device.
Number of Connections
The number of open connections (sessions from the software point of view) in
NetEnforcer.

ODBC
Microsoft Open Database Connectivity interface. An application programming
interface (API) for database access. It uses Structured Query Language (SQL) as its
database access language.
Outbound Traffic
Traffic that flows into the Internal link and out from the External link.
P2P Applications
These "Peer-to-Peer" applications turn network clients into servers, using expensive
WAN bandwidth and potentially distributing worms throughout the network.
Napster is a well-known P2P application.
Packets Per Second (PPS)
The number of packets that were sent by NetEnforcer in a second.
Per Flow Queuing (PFQ)
Allot Communications' QoS algorithm, which defines a process where the scheduler empties the queue according to each flow's policy and fairness. Allot Communications implements a smart queue scheduling algorithm with accurate timing for receiving and sending packets. The timing is such that the applications on both sides stay within their timing tolerances, while NetEnforcer precisely controls the bandwidth.
Allot Communications PFQ maximizes WAN link utilization and minimizes bandwidth waste. Allot Communications utilizes standard mechanisms built into TCP to maximize WAN utilization. It also uses a unique combination of PFQ and Smart Queue Scheduling to precisely control bandwidth for both incoming and outgoing traffic. Policies are based on a variety of criteria, including, when needed, data located within the traffic.
Ping of Death
When an attacker sends illegitimate, oversized ICMP (ping) packets. These attacks
are targeted at specific TCP stacks that cannot handle this type of packet and
overload the victim's servers.
Pipe
A grouping of traffic defined by conditions (rules) and actions that owns
sub-groupings called Virtual Channels.
Policy
The regulation of access to network resources and services based on (business)
administrative criteria.
Policy Server
A server which administers QoS requests and sends out information necessary
(policy) to enforce QoS.
Port Number
A 16-bit integer appended to a message and passed between client and server
transport layers.
Priority
A parameter that identifies the relative importance of traffic on a particular Pipe or
Virtual Channel compared to other Pipes or Virtual Channels. Priority does not
explicitly define the speed of communication, but assigns a weight value, for
example, for every 2 bytes of priority 3, send 4 bytes of priority 7. It does not define
how long it takes to send priority 7 or priority 3 bytes.
Process Watchdog
A software process that is responsible for keeping the system in a normal operation
state. It watches the aliveness of processes and restarts a process or the whole system
when required.
QoS
See Quality of Service.
QoS Action
Defines a level of bandwidth agreement using parameters such as
minimum/maximum bandwidth, priority, and so on. You can select the QoS action
for Pipes, Virtual Channels and connections.
QoS Catalog
A Catalog that enables the user to define possible values for the QoS action.
QoS Gateway
Provision of end-to-end policy enforcement and management via standards-based
signal provisioning protocols, including Differentiated Services, ToS, RSVP, MPLS,
and 802.1P.
QoS of UDP Traffic
Allot Communications supports QoS for UDP traffic by using the token bucket
mechanism (for CBR sessions), combined with the leaky bucket mechanism (to
supply rate limits).
Quality of Service
Enforcing a network policy that will impact bandwidth, delay (jitter), or traffic
reliability.
Queuing
Method used by routers to control the flow of traffic. Packets are placed in holding
queues and retransmitted based on CBQ and WFQ algorithms. When traffic
overflows the queue, packets are discarded to reduce network congestion.
RADIUS
Remote Authentication Dial In User Service protocol. Specifies accounting, log and
analysis parameters for IP users accessing via dial-in services.
Redundancy Configuration
A configuration in which two NetEnforcers are connected in parallel using a flat
cable. If one NetEnforcer goes down, the other one takes over immediately. One
NetEnforcer is automatically the primary system (defined by the flat cable
hardware), and the Primary and Active LEDs on the front panel are lit. The other
NetEnforcer is the secondary system, and the Secondary LED on the front panel is
lit. The flat cable is connected between the Backup connectors.
Reject
All packets are dropped. In TCP traffic, an RST packet is sent to the client and the
user may see the message Connection Closed by Server.
Reserve on Demand
A minimum bandwidth demand mode that reserves allocated bandwidth and, even if
it is not all used or required, does not provide it for other traffic.
Rule
A combination of classification elements or conditions comprised of Connection
Source, Connection Destination, Service, TOS and Time. Together these conditions
form complete criteria for classifying network traffic. Conjunction is made with the
AND operator.
Rule Matching
The process of finding the first matching rule for a flow or connection.
Schedule Queue
A queue in which the packets wait to be transmitted. The schedule is defined by the
minimum bandwidth and priority parameters.
Service
Protocol- or application-based criteria for traffic classification.
Service Catalog
A Catalog that enables the user to define possible values for the Service condition. It
includes a list of different network/transport/application protocols defined by the
protocol number (L2, L3, L4 or L5 layer) and destination port number (L4).
Smurf Attack
When a perpetrator sends a large volume of ICMP echo (ping) traffic to IP broadcast
addresses, using a fake source address. The host owning that source address is then
flooded with simultaneous replies.
SNMP
Simple Network Management Protocol. Sets up the rules for exchanging network
information through messages (which contain variables with values). The following
types of messages are defined: read, write and trap.
Spanning Tree
A link management protocol that provides path redundancy while preventing
undesirable loops in the network.
Spoofing
When an attacker uses a fake Internet address so that the source address of an IP
packet is not the actual source. An attacker from outside of the network (meaning,
from the Internet) may send packets with a source address on the LAN. This
deceives the internal servers into identifying the attacker as a legitimate internal
network user and the internal address becomes the victim. Spoofing is used in most
of the well-known DoS attacks.
Standalone Configuration
A configuration in which only one NetEnforcer is connected to the network (in
contrast to the redundancy configuration). In case of system crash, NetEnforcer
becomes a wire, meaning that NetEnforcer continues to forward traffic without
performing policy enforcement functions.
SYN Attack
When an attacker sends a series of SYN requests to a target (victim). The target
sends a SYN ACK in response and waits for an ACK to come back to complete the
session set up. Since the source address was fake, the response never comes, filling
the victim's memory buffers so that it can no longer accept legitimate session
requests.
Template – Virtual Channel or Pipe
A master Virtual Channel or Pipe that represents a class of Virtual Channels or
Pipes, that only differ in one of their Host catalog conditions.
Time Catalog
A Catalog that enables the user to define possible values for the Time condition.
NetEnforcer is capable of classifying traffic based on packet and time parameters.
ToS
See Type of Service.
ToS Catalog
A Catalog that enables the user to define possible values for the ToS condition.
Traffic Classification
NetEnforcer classifies traffic per IP source/destination including networks, subnets,
hostnames, list and ranges of addresses; TCP/UDP ports including lists of ports, port
ranges and HTTP header parameters; URL (including wildcards - *), methods, host
names (in the header) and FTP control to data connection correlation.
Type of Service
A byte in the IP header that defines the Type of Service that should be given to that
packet. Two types are implemented: IP Precedence bits (mostly in Cisco equipment)
or DiffServ (IETF standard). When used for IP Precedence, the byte utilizes bits 0-2 to
signify 8 priority values (0-7). When used as a Differentiated Services Code Point
(DSCP), it utilizes only 6 out of the 8 bits. IP Precedence and DiffServ are prioritizing
methods for IP traffic going through the network.
By setting the Type of Service (ToS) bits in accordance with network policy,
end-to-end QoS can be achieved in a heterogeneous environment.
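The two readings of the same ToS byte described above, as an added Python example that is not part of the NetEnforcer guide; the DSCP labels (EF, CSn, AFxy) are the standard DiffServ per-hop behaviour names and the ECN bits follow RFC 3168, neither of which this manual defines:

```python
"""Decode and build the IPv4 Type of Service (ToS) byte.

Added illustration, not NetEnforcer code. Layout as in the glossary entry:
IP Precedence uses the three most significant bits (RFC 791 numbers them
bits 0-2), DiffServ uses the six most significant bits as the DSCP, and the
two low bits are left for ECN (RFC 3168), which neither QoS scheme uses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TosFields:
    precedence: int  # 0-7, IP Precedence reading of the byte
    dscp: int        # 0-63, DiffServ reading of the same byte
    ecn: int         # 0-3, low two bits
    name: str        # standard DSCP label, or "unnamed"


def dscp_name(dscp: int) -> str:
    """Map a DSCP value to its standard per-hop-behaviour label."""
    if dscp == 46:
        return "EF"                      # Expedited Forwarding
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"          # Class Selector; reads as IP Precedence n
    klass, drop = divmod(dscp, 8)
    if 1 <= klass <= 4 and drop in (2, 4, 6):
        return f"AF{klass}{drop // 2}"   # Assured Forwarding, AFxy = 8x + 2y
    return "unnamed"


def decode_tos(tos: int) -> TosFields:
    """Read one ToS byte both as IP Precedence and as a DSCP."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single byte")
    dscp = tos >> 2
    return TosFields(precedence=tos >> 5, dscp=dscp,
                     ecn=tos & 0x3, name=dscp_name(dscp))


def encode_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS byte to write when a policy marks a DSCP."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def encode_precedence(precedence: int) -> int:
    """Build the ToS byte for equipment that only understands IP Precedence."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence is 3 bits")
    return precedence << 5


if __name__ == "__main__":
    # Constructed samples: an EF-marked voice packet, a CS6 control packet, AF11.
    for tos in (0xB8, 0xC0, 0x28):
        print(hex(tos), decode_tos(tos))
```

Because CSn occupies exactly the three precedence bits, a DSCP-marking policy and a precedence-only device agree on the class of such packets; the AF and EF values only make sense to DiffServ-aware equipment.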
Virtual Channel
A grouping of traffic defined by conditions (rules) and actions that can be owned by
Pipes.
Virtual Connection
Class of network traffic that defines traffic classification criteria and policies.
VLAN
Virtual Local Area Network refers to LANs that are interconnected by a virtual
Layer 2. The NetEnforcer enables you to apply VLAN tags to its management
traffic. VLANs are commonly used with campus environment networks. This
enables network changes to be made without physically moving cables or
equipment.
Well-Known Ports
Some services are conventionally assigned a permanent port number. For a well-known
port list see, for example: http://www.isi.edu/in-notes/iana/assignments/port-numbers.
Worms
This self-propagating code floods networks with email and adds Registry entries to
users' clients. Worms may be transmitted via email, sharing infected files, or via
Internet Chat. Worms take advantage of "back doors" or "holes" in popularly used
email software and operating systems. "Malicious" worms may also erase or hide
certain types of files.

Index

A
Access Control, 8-5
Access Links
  Configuring, 4-13
Accessing
  Catalog Editor, 7-3
  Command Line Interface, G-2
  NetEnforcer, 3-2
  Policy Editor, 8-11
Accounting
  Internal, 4-30, 4-32
  Storage, 4-37
Actions
  Access Control, 8-5
  Connection Control, 8-8
  Policy, 8-5
  Quality of Service, 8-6
Activation Key, 4-12
Alerts
  Conditions, 9-12
  Configuring, 4-43
  Defining, 9-6
  Filtering, 9-24
  List, 9-16
  Resulting Action, 9-10
  Security, 10-6
  Severity, 9-9
  Unilateral, 9-5
Alerts Editor, 9-5
  Defining Alerts, 9-6
  Menus, 9-17
  Status Bar, 9-18
  Toolbar, 9-17
Alerts Log, 9-18
  Menus, 9-21
  Monitoring Graphs, 9-23
  Status Bar, 9-22
  Toolbar, 9-21
B
Backup Configuration, 4-46
Bandwidth
  Guaranteed, 7-78
  Inbound, 6-7
  Outbound, 6-7
Bandwidth Monitoring Graph, 6-29
Bypass, 2-46, B-1
  Initiation, B-3
Bypass Mode, B-2
Bypass Module, 2-11
  Copper, 2-12
  Fiber, 2-14, B-3
C
CacheEnforcer, 1-2, 4-27, 7-85, 8-8
Catalog Editor, 1-9
  Accessing, 7-3
  Connection Control. See Connection Control Catalog
  Data Source. See Data Source Catalog
  Deleting Entries, 7-6
  Host. See Host Catalog
  Protected Entries, 7-5
  Quality of Service. See Quality of Service Catalog
  Service. See Service Catalog
  Time. See Time Catalog
  Type of Service. See TOS Catalog
  VLAN. See VLAN Catalog
  Working with, 7-2
CBR. See Constant Bit Rate
Classifying
  Traffic, 1-5
CLI. See Command Line Interface
Collector Application
  Collecting Data, 6-56
Command Line Interface, G-1
  Accessing, G-2
  Command Syntax, G-3
  Online Help, G-4
  Scripts, G-2
Command Line Interface Command Descriptions
  Config, G-20
  List, G-19
Configuration Window, 4-7
  Menu Bar, 4-7
  Standard View, 4-10
  Toolbar, 4-9
Configuring
  Access Links, 4-13
  Accounting Storage, 4-37
  Alerts, 4-43
  Backup, 4-46
  Connection Control Parameters, 4-27
  Date and Time, 4-48
  DoS, 4-44
  Host Name, 4-15
  Internal Accounting Parameters, 4-30, 4-32
  IP Parameters, 2-43, 4-15
  LDAP/Text Source, 4-40
  Monitoring, 4-29
  NetEnforcer from Web Browser, 4-3
  Network Parameters, 2-34
  Network Topology, 4-22
  Networking Parameters, 4-22
  NIC Settings, 2-41, 4-20
  Product Details, 4-11
  Product IDs and Key, 4-11
  RADIUS Setup Parameters, 4-34
  RADIUS Storage, 4-37
  Restore, 4-47
  Routing Table, 4-22
  Security, 4-18
  Setup Verification, 4-49
  SNMP Parameters, 4-26
  VLAN, 4-41
Configuring NetEnforcer
  Via LCD Panel, 2-40
  Via Terminal, 2-29
Connecting
  NetEnforcer to Network, 2-27, 2-28
  Terminal, 2-29
Connection Control, 8-8
  Cache Redirection, 7-85
  Configuring Parameters, 4-27
  Load-Balancing, 7-83
Connection Control Catalog, 7-81
Connections Monitoring Graph, 6-31
Constant Bit Rate
  Parameters, 7-78
Control Panel, 3-3
Copper Bypass Module, 2-12
D
Data Source Catalog, 7-87
Date and Time
  Configuring, 4-48
Date and Time Settings, 2-38
Debugging, 3-7
Detecting Security Threats, 10-1
DIP Switches
  Enhanced Platform, C-1, C-3
Distributing Policy, 8-35
DoS
  Configuration, 4-44
  Setup, 4-44
DoS Attacks, 10-2
DoS parameters, 10-3
Dropped Packets Monitoring Graph, 6-33
E
Enforcing, 1-6
Enhanced Platform
  DIP Switches, C-1, C-3
  Fail-Safe Configuration, B-16
  Front Panel, 2-18
  LCD Panel, 2-22
  Rear Panel, 2-23
  Status Indicators, 2-19
  Unpacking, 2-17
F
Fail-Safe
  Mode, 1-7
  Operation, B-1
Fail-Safe Configuration
  Enhanced Platform, B-16
Favorite View, 6-17
Fiber Bypass Module, 2-14, B-3
Firewall Ports, E-1
Front Panel
  Enhanced Platform, 2-18
  High Availability Platform, 2-5
Full Redundancy, B-1
  Status Indicators, B-8
G
Graph Styles, 6-6
Graph Types, 6-4
Graph Views, 6-5
Graphs
  Accessing, 6-9
H
Hardware Specifications
  NetEnforcer, A-1
High Availability Platform
  Front Panel, 2-5
  LCD Panel, 2-8
  Rear Panel, 2-9
  Unpacking, 2-3
Host Catalog, 4-40, 7-8
  Defining Host Lists, 7-9
  Grouping Hosts, 7-12
  LDAP, 7-14
  Text Source, 7-17
Host Name
  Configuring, 4-15
I
In/Out Bandwidth, 6-7
IP Parameters
  Configuring, 2-43, 4-15
J
Java Plug-in, 3-9
  Installing from Internet Explorer, 3-11
  Installing from Netscape, 3-14
L
LCD Panel, 2-40
  Enhanced Platform, 2-22
  High Availability Platform, 2-8
LDAP, 7-88
  Configuring, 4-40
Long-term Monitoring, 6-51
  Adding Graphs, 6-62
  Collecting Data, 6-56
  Data Coverage, 6-80
  Day Level Graph, 6-74
  Five-Minute Level Graph, 6-76
  Hour Level Graph, 6-75
  Manipulating Graphs, 6-71
  Month Level Graph, 6-73
  Period Level Graph, 6-70
  Thirty-Second Level Graph, 6-77
  Viewing Data, 6-66
M
Management Port, 2-44
Menu Bar
  Alerts Editor, 9-17
  Alerts Log, 9-21
  Configuration Window, 4-7
  Monitoring Window, 6-12
  Policy Editor, 8-13
MIB
  Allot, 11-3, 11-6, 11-8, 11-9
  MIB-II, 11-5
Monitoring, 1-4
  Accessing Graphs, 6-9
  Configuration, 4-29
  Favorite View, 6-17
  Graph Styles, 6-6
  Graph Types, 6-4
  Graph Views, 6-5
  In/Out Bandwidth, 6-7
  Long-term, 6-51
  Network Traffic, 6-2
  Setup, 4-29
Monitoring Graphs, 6-21
  Alerts Log, 9-23
  Bandwidth, 6-29
  Connections, 6-31
  Dropped Packets, 6-33
  Most Active Clients, 6-47
  Most Active External Hosts, 6-45
  Most Active Internal Hosts, 6-42, 6-43
  Most Active Pipes, 6-35
  Most Active Servers, 6-49
  Most Active Virtual Channels, 6-37
  Pipes Distribution, 6-25
  Protocols Distribution, 6-39
  Utilization, 6-32
  Virtual Channels Distribution, 6-27
Monitoring Only Mode, 2-26, 4-24
Monitoring Window, 6-8
  Menu Bar, 6-12
  Settings, 6-18
  Toolbar, 6-15
Most Active Clients Monitoring Graph, 6-47
Most Active External Hosts Monitoring Graph, 6-45
Most Active Internal Hosts Monitoring Graph, 6-42, 6-43
Most Active Pipes Monitoring Graph, 6-35
Most Active Servers Monitoring Graph, 6-49
Most Active Virtual Channels Monitoring Graph, 6-37
MPLS Environment, 7-62
MRTG, 11-11
  Example Configuration File, 11-15
  Example Graphs, 11-17
  Installing, 11-12
  Introducing, 11-11
N
NetAccountant, 1-2, 4-30, 4-32, 4-34, 4-37
NetBalancer, 1-2, 4-27, 7-83, 8-8
NetEnforcer
  Accessing, 3-2
  Changing Password, 2-37
  Command Line Interface, G-1
  Configuration Window, 4-7
  Configuring from Web Browser, 4-3
  Connecting to Network, 2-27, 2-28
  Control Panel, 3-3
  Current Configuration, 2-31, 2-32
  Delivering QoS, 1-4
  Enhanced Platform, 2-17
  Environments, 1-3
  Hardware, 2-2
  Hardware Specifications, A-1
  High Availability Platform, 2-3, 2-40
  IP Address, 4-15
  Logging Off, 3-9
  Models, 2-2
  Modifying Date Settings, 2-38
  Modifying Time Settings, 2-38
  Monitoring Network Traffic, 6-2
  Monitoring Window, 6-8
  Overview, 1-2
  Policy, 8-2
  Policy Editor, 8-11
  Ports, E-1
  Protocols, F-1
  Redundancy, B-7
  Registering, 3-7
  Scenarios, 1-13
  Setting Up, 2-29
  Shutting Down, 2-46
  Standards Compliance, A-4
  Viewing Applets, 3-8
NetWizard
  Defining Policies, 5-15
  Ending the Monitoring Session, 5-15
  Introducing, 1-12, 5-2
  Monitoring Network Traffic, 5-3
  Monitoring Window, 5-7
  QoS Examples, 5-18
  Viewing Graphs, 5-8
  Viewing Information, 5-12
  Viewing Statistics, 5-10
  Viewing the Log, 5-14
Network Parameters
  Configuring, 2-34
Network Requirements
  Policy, 8-21
Network Topology
  Configuring, 4-22
Networking Parameters
  Configuring, 4-22
NIC Settings
  Configuring, 2-41, 4-20
O
Options
  View, 8-12
Out-of-Band Management, 2-8, 2-22, 2-25, 4-17
  Monitoring Only Mode, 2-26
P
Password
  Changing Login, 2-37
  Changing Root, 2-39
Pipes, 1-9, 8-3
  Access Control, 8-5
  Adding, 8-22
  Creating Templates, 8-29
  Examples, 8-9
  Policy Editor, 8-11
  Quality of Service Catalog, 7-69
Pipes Distribution
  Monitoring Graph, 6-25
Policy, 8-2
  Adding Pipes, 8-22
  Adding Rules, 8-26
  Adding Virtual Channels, 8-24
  Distributing, 8-35
  Network Requirements, 8-21
  Order, 8-28
  Pipes, 8-3
  Rules, 8-4
  Templates, 1-11, 8-28
  View Options, 8-12
  Virtual Channels, 8-4
  Workflow, 8-20
Policy Editor, 8-11
  Importing Protocols, 7-27, 7-29
  Menus, 8-13
  Order, 8-28
  Order of Definitions, 8-10
  Pipes, 8-11
  Status Bar, 8-19
  Toolbar, 8-13
  Virtual Channels, 8-11
Policy Table. See Policy Editor
Power Redundancy, B-18
Power Supply, 2-9
  LEDs, 2-10
Priority, 7-67
Product Details
  Configuring, 4-11
Product IDs and Key
  Configuring, 4-11
Protocols Distribution Monitoring Graph, 6-39
Q
QoS. See Quality of Service
Quality, 5-18
Quality of Service, 1-4, 1-8, 8-6
  Ignoring, 7-68
  Pipes, 7-69
  Virtual Channels, 7-75
Quality of Service Catalog, 7-66
R
RADIUS
  Setup, 4-34
  Storage, 4-37
Rear Panel
  Enhanced Platform, 2-23
  High Availability Platform, 2-9
Redundancy, B-7
Registering NetEnforcer, 3-7
Reporting, 1-7
Restoring Configuration, 4-47
Routing Table
  Configuring, 4-22
Rules, 1-10, 8-4
  Adding, 8-26
  Examples, 8-9
S
Security
  Alerts, 10-6
  Configuring, 4-18
  Detecting Threats, 10-1
  DoS Attacks, 10-2
  Protective Mechanisms, 10-5
  Risks, 10-2
Service Catalog, 7-20
  Adding Content, 7-31
  Defining Citrix Content, 7-47
  Defining H.323 Content, 7-34, 7-43, 7-45
  Defining Oracle Content, 7-41
  Grouping Entries, 7-30
  Importing Protocols, 7-26
  Non-IP Protocols, 7-24
  Non-TCP IP Protocols, 7-23
  Non-UDP IP Protocols, 7-23
  TCP IP Protocols, 7-21
  UDP IP Protocols, 7-21
Setting Up NetEnforcer, 2-29
SNMP
  Access Permissions, 11-3
  Statistics, 11-2
  Supported MIBs, 11-2
SNMP Parameters
  Configuring, 4-26
Standard View
  Configuration Window, 4-10
Status Indicators
  Enhanced Platform, 2-19
Storage
  Accounting, 4-37
  RADIUS, 4-37
T
TAP Mode, B-3
Templates, 8-28
  Pipes, 8-29
  Policy, 1-11
  Virtual Channels, 8-32
Text Source, 7-89
  Configuring, 4-40
Time and Date Settings, 2-38
Time Catalog, 7-52
  Defining Time, 7-53
Toolbar
  Alerts Editor, 9-17
  Alerts Log, 9-21
  Configuration Window, 4-9
  Monitoring Window, 6-15
  Policy Editor, 8-13
TOS Catalog, 7-57
  Free Format, 7-61
  Predefined Entries, 7-59
Traffic Classification, 1-5
Traffic Shaping, 7-77
Traps, 11-2, 11-4
  Configuring Destinations, 11-4
U
Unpacking
  Enhanced Platform, 2-17
  High Availability Platform, 2-3
Utilization Monitoring Graph, 6-32
V
Verifying Configuration, 4-49
Virtual Channels, 1-10, 8-4
  Access Control, 8-5
  Adding, 8-24
  Creating Templates, 8-32
  Examples, 8-9
  Policy Editor, 8-11
  Quality of Service Catalog, 7-75
Virtual Channels Distribution
  Monitoring Graph, 6-27
VLAN
  Configuration, 4-41
  Setup, 4-41
VLAN Catalog, 7-63