NetEnforcer
Policy Based Bandwidth Management
User Guide
Version 5.2
(Doc. No. D351006)
Important Notice
Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which
NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to
the end users using this manual, regardless of the form of action, whether in contract, tort (including
negligence), strict liability or otherwise.
SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED
FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME
WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT
OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY
FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL,
INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT.
Please read the End User License Agreement and Warranty Certificate provided with this product
before using the product. Please note that using the products indicates that you accept the terms of
the End User License Agreement and Warranty Certificate.
WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE
LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR
CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION
WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR
OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED
PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Copyright
Copyright © 1997-2004 Allot Communications. All rights reserved. No part of this document may
be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other
language without a written permission and specific authorization from Allot Communications Ltd.
Trademarks
Products and corporate names appearing in this manual may or may not be registered trademarks or
copyrights of their respective companies, and are used only for identification or explanation and to
the owners' benefit, without intent to infringe.
NetEnforcer®, NetBalancer®, CacheEnforcer® and the Allot Communications pyramid logo are
registered trademarks of Allot Communications Ltd.
NetPolicy™ is a trademark of Allot Communications Ltd.
Allot Communications
Europe
NCI – Les Centres d'Affaires
Village d'Entreprises 'Green Side'
Batiment 1B
400 Avenue Roumanille, BP309
06906 Sophia Antipolis Cedex
France
Tel: 33-(0)4-93-00-11-67
Fax: 33-(0)4-93-00-11-65
Japan
Yajima Bldg 8F
7-11-3 Ginza, Chuo-Ku
Tokyo 104-0061
Japan
Tel: 81-(0)3-5537-7114
Fax: 81-(0)3-5537-5281
Asia Pacific
6, Ubi Road 1
Wintech Centre #06-12
Singapore 408726
Tel: 65 6841-3020
Fax: 65 6747-9173
Printing History
First Edition: December 2001, Version 4.1
Second Edition: September 2002, Version 4.2
Third Edition: January 2004, Version 5.1
Fourth Edition: December 2004, Version 5.2
Chapter 10, Detecting Security Threats, discusses the nature of DoS attacks and their
impact on network performance, and describes the ways in which NetEnforcer detects
and handles DoS attacks.
Chapter 11, SNMP Monitoring, describes NetEnforcer SNMP-based statistics and
how to generate MRTG reports.
Appendix A, Hardware Specifications, lists the hardware specifications for all
NetEnforcer models.
Appendix B, Fail-Safe Operation, describes the fail-safe methods implemented in
NetEnforcer, such as how NetEnforcer can operate parallel to another NetEnforcer to
provide full redundancy.
Appendix C, Hardware Configuration, describes how to access internal components
of the NetEnforcer units, and explains DIP switch settings.
Appendix D, Rack Mount Installation, describes how to mount the NetEnforcer
appliance.
Appendix E, NetEnforcer Port Reference, describes configuration requirements when
using NetEnforcer with a firewall.
Appendix F, NetEnforcer Protocol Reference, lists protocols supported by
NetEnforcer.
Appendix G, NetEnforcer Command Line Interface, describes how to use a
command line interface to configure NetEnforcer.
Appendix H, Troubleshooting, describes some common situations that may arise
when using NetEnforcer and their solutions.
Appendix I, Glossary, describes the terms used in the manual.
Conventions
The following conventions are used in this manual:
Note: Additional information that may be useful in understanding or using functionality.
Tip: A helpful hint for using functionality, for example, a shortcut.
Security Note: A note that has security implications.
Caution: Information that is important to consider when performing a particular action and that may have hazardous implications.
Table of Contents
CHAPTER 1: INTRODUCING NETENFORCER ... 1-1
What is NetEnforcer? ... 1-2
Optional Software Packages ... 1-2
NetEnforcer Environments ... 1-3
How Does NetEnforcer Deliver QoS? ... 1-4
Monitor ... 1-4
Classify ... 1-5
Enforce ... 1-6
Report ... 1-7
Fail-Safe Operation ... 1-7
Terms and Concepts ... 1-8
QoS ... 1-8
Catalog Editors ... 1-9
Pipes ... 1-9
Virtual Channels ... 1-10
Rules ... 1-10
Templates ... 1-11
NetWizard ... 1-12
NetEnforcer in Action ... 1-13
Scenario 1: Corporate ... 1-13
Scenario 2: QoS in an Intranet ... 1-15
Scenario 3: ISP ... 1-17
Scenario 4: Satellite Provider ... 1-19
Scenario 5: Enhancing Enterprise Security ... 1-20
APPENDIX I: GLOSSARY ... I-1
Glossary of Terms ... I-1
List of Figures
Figure 1-1 - Corporate Network Structure with Three Outgoing WAN Links ... 1-13
Figure 1-2 - Policy for Corporate Traffic ... 1-14
Figure 1-3 - Managing an Intranet's Mission-Critical Traffic with the NetEnforcer ... 1-16
Figure 1-4 - Wireless ISP Network ... 1-17
Figure 1-5 - Policy for Wireless ISP Traffic ... 1-18
Figure 1-6 - NetEnforcer in Satellite Network ... 1-19
Figure 1-7 - Preventing a DoS Attack with NetEnforcer ... 1-21
Figure 2-1 – NetEnforcer Front Panel: High Availability Platform (Model AC-802) ... 2-5
Figure 2-2 – Link Connections Area: AC-802 Copper ... 2-6
Figure 2-3 – Link Connections Area: AC-802 Fiber ... 2-6
Figure 2-4 – NetEnforcer LCD Panel: High Availability Platform ... 2-8
Figure 2-5 – NetEnforcer Rear Panel: High Availability Platform (Model AC-802) ... 2-9
Figure 2-6 – Copper Bypass Module ... 2-12
Figure 2-7 – Connecting NetEnforcer AC-802 Copper to Copper Bypass Module ... 2-13
Figure 2-8 – Fiber Bypass Module ... 2-14
Figure 2-9 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass Module ... 2-15
Figure 2-10 – NetEnforcer Front Panel: Enhanced Platform ... 2-18
Figure 2-11 – NetEnforcer LCD Panel: Enhanced Platform ... 2-22
Figure 2-12 – NetEnforcer Rear Panel: Enhanced Platform ... 2-23
Figure 2-13 - Management Port ... 2-25
Figure 2-14 – LAN and WAN Placement of NetEnforcer ... 2-27
Figure 2-15 – NetEnforcer Setup Menu ... 2-30
Figure 2-16 – Current Configuration (1) ... 2-32
Figure 2-17 – Current Configuration (2) ... 2-33
Figure 2-18 – Network Configuration ... 2-34
Figure 2-19 – Password ... 2-37
Figure 2-20 – Time Setup ... 2-38
Figure 2-21 – LCD Panel, Main Menu Options ... 2-41
Figure 3-1 – NetEnforcer Log On Dialog Box ... 3-2
Figure 3-2 – NetEnforcer Control Panel ... 3-3
Figure 3-3 – Java Plug-In Software License Agreement Window ... 3-11
Figure 3-4 – Java Plug-In Security Warning Window ... 3-12
Figure 3-5 - Java Plug-In Security Warning Pop-Up – Certificate Expiration Notice ... 3-13
This chapter introduces NetEnforcer and explains how it delivers Quality of Service.
What is NetEnforcer?
NetEnforcer is a network policy enforcement device that enables you to monitor,
categorize and optimize network traffic by assigning Quality of Service (QoS) to
specified classes of traffic. QoS is the ability to define a level of performance in a data
communications system.
The exponential growth in the use of the Internet, combined with an increasing number
of Web-based applications, has resulted in unprecedented demands on existing
communication system technologies. In order to achieve an acceptable level of service
and overcome the bandwidth bottleneck problem, network managers need the capability
to control network traffic and develop prioritization policies appropriate to available
bandwidth.
NetEnforcer gives you the power to intelligently shape network bandwidth and deliver
system-wide service level guarantees based on the needs and priorities of the network
service provider or corporation.
NetEnforcer Environments
Typical application environments for the NetEnforcer product family include:
• Corporate Networks: NetEnforcer controls traffic flows from Web-based
customers, internal users and remote offices to centralized corporate networks and
services. Network managers can give high priority to mission-critical applications
and assure necessary bandwidth to timing-critical applications such as voice and
video.
• Internet Service Providers: NetEnforcer manages and enforces SLAs (Service
Level Agreements). ISPs are able to deliver advanced bandwidth capabilities to
customers and provide differentiated services, partition bandwidth and support Web
hosting. NetEnforcer is geared for ISP operations providing full SLA support and
integration with ODBC and RADIUS-based billing packages, in addition to
interfacing to LDAP-based user directories.
• Educational Network: NetEnforcer limits the use of low priority traffic such as
music and file-sharing applications, and assigns Quality of Service (QoS) for
specific user groups. The NetEnforcer can limit students' access to particular sites
and applications during business hours, while allowing high-priority access to
faculty members or administrators.
• Wireless ISP Network: NetEnforcer offers service providers a complete suite of
tools for better managing over-subscription and enforcing SLAs. NetEnforcer
allows providers to immediately identify, and then cap or limit bandwidth abusers.
Its Web-based policy manager, traffic monitor and IP accounting tools offer
superior functionality and ease-of-use for allowing the service provider to discover
how Internet access is being used. NetEnforcer is an ideal platform for rapidly
provisioning new subscribers, creating and enforcing multiple tiers of service, and
collecting usage-based billing information for export to an external database.
• Voice and Video Applications: NetEnforcer enables the prioritization of data
applications and the guaranteeing of bandwidth to timing-critical, real-time
applications like Voice over IP and Video. NetEnforcer allows control of your data
and voice traffic. Through NetEnforcer, specific voice, video and multimedia traffic
flows can be identified and the following actions can be assigned: minimum and
maximum bandwidth, priorities, guaranteed rate, fairness and admission control.
Monitor
NetEnforcer's monitoring tools enable you to monitor in real-time the type of traffic
flowing through your network and determine your current network application patterns.
When and where your network has peaks, bursts and bottlenecks is hard to predict. The
monitoring tools enable you to see these peaks in real time, which is crucial to
managing these unwanted phenomena.
Classify
Once you understand your network traffic patterns, you define a policy to improve your
network performance.
QoS policy consists of a set of conditions (a rule) and a set of actions that apply when
the conditions are satisfied. The actions include the QoS to be applied. For example, a
rule might be defined as traffic from source A to source B. When traffic is matched to
that rule, the specified QoS is applied.
Classification is made easier with the use of Pipes and Virtual Channels. A Pipe and a
Virtual Channel are defined by one or more rules and a set of actions.
A Pipe includes one or more Virtual Channels. Thus, your policy consists of a hierarchy
of classification. Every connection into NetEnforcer is matched to a rule, as follows:
• Find the first Pipe rule that the connection matches. There is a default Pipe defined
in NetEnforcer (Fallback Pipe). If a connection does not match the rules of any
other Pipes, it matches the Fallback Pipe.
• Within that Pipe, find the first Virtual Channel rule that the connection matches.
Every Pipe includes a default Virtual Channel (Fallback). If a connection does not
match the rules of any other Virtual Channels within the Pipe, it matches the
Fallback Virtual Channel.
• Apply the actions defined for that Virtual Channel.
Pipes enable ISPs to divide bandwidth into logical slices and offer them to customers.
The customers can then further divide the slice of bandwidth using Virtual Channels.
Similarly, enterprises with several links to the Internet can manage each link separately
by defining a Pipe for each link.
To speed up the creation of your policy, you can use a Pipe or Virtual Channel template.
Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will
create multiple Pipes or Virtual Channels very similar to each other but with a different
IP address as the source or destination. Thus, a template must include a list of IP
addresses in the source or destination definition. A template saves the need to define
similar Pipes or Virtual Channels when the only difference between them is the IP
address in the source or destination.
Policy is defined in the Policy Editor (described in Chapter 8, Defining Policies).
Values for the conditions that make up a rule and for actions are predefined in Catalogs
(described in Chapter 7, Defining Catalog Entries).
Enforce
The process of saving a policy saves the policy to NetEnforcer, which then begins to
enforce the policy. NetEnforcer continuously prioritizes and shapes network bandwidth
according to your defined and saved policy.
Report
Once again, NetEnforcer's monitoring tools enable you to monitor your network traffic
and verify enforcement of the QoS policy. You can confirm that monitoring graphs
reflect the behavior expected by the policy definition. You can monitor traffic in
real-time and, using Long Term Monitoring, you can monitor your network's activity
over a much longer period of time. If required, you can make adjustments to your QoS
policy in order to fine-tune network performance.
The NetEnforcer monitoring tools are described in Chapter 6, Monitoring Network
Traffic.
Fail-Safe Operation
Allot NetEnforcer has two fail-safe features that ensure proper and continuous network
function: Bypass and Full Redundancy.
All NetEnforcers contain a Bypass element that connects the Internal connector to the
External connector in the case of a subsystem failure in NetEnforcer or a power loss.
This mechanism ensures that traffic continues to pass through passive elements of the
NetEnforcer should any hardware or software problem occur. The Bypass is an internal
element on all models except the High Availability AC-802 models, where it is
implemented as an external Bypass module.
Full Redundancy is a backup mechanism that handles the failure of a network device,
and ensures the network continues to function. Full Redundancy is provided by
connecting two NetEnforcers in parallel. The primary NetEnforcer handles the traffic
and the secondary NetEnforcer is designed to be in Standby mode as long as the
primary NetEnforcer is active. Only if, for any reason, the primary NetEnforcer is not
able to function properly, does the secondary NetEnforcer become active.
In Full Redundancy mode, Bypass mode is activated in the event that both the
primary and secondary NetEnforcer systems fail.
QoS
QoS is the ability to define a level of performance in a data communications system. In
NetEnforcer, QoS is defined as an action applied to a connection when the conditions of
a rule are satisfied. The QoS specified can include the following:
• Prioritized Bandwidth: Delivers levels of service based on a connection's
importance level and demand for traffic relative to other connections. During peak
traffic periods, the NetEnforcer will slow down lower priority applications,
resulting in increased bandwidth delivery to higher priority applications.
• Guaranteed Bandwidth: Enables the assignment of fixed minimum and maximum
amounts of bandwidth to specific Pipes, Virtual Channels and connections. By
borrowing excess bandwidth when it is available, connections are able to burst
above guaranteed minimum limits, up to the maximum guaranteed rate. Guaranteed
rates also assure predictable service quality by enabling time-critical applications to
receive constant levels of service during peak and non-peak traffic periods.
• Reserved Bandwidth on Demand: Enables the reservation of the minimum
bandwidth at the first byte of a connection until the connection is ended. This is
useful when the bottleneck is not at the link governed by NetEnforcer. By limiting
other connections (non-guarantees), NetEnforcer reserves enough bandwidth for the
required Pipe or Virtual Channel.
• TOS Marking: Enables the marking of connections admitted beyond the maximum
connections allowed per Virtual Channel with a different TOS value. Additionally,
out-of-profile traffic (beyond the guaranteed minimum) can be marked with a
different TOS value than the in-profile traffic for each connection.
• Access Control: Determines whether a connection is accepted, dropped or rejected.
For example, you can specify the following Pipe: accept 1000 ICMP connections to
Server1 and drop the rest. NetEnforcer can also be instructed to accept new
connections with a lower priority.
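The interaction of guaranteed minimums, maximums, borrowing and priority described above, as an added illustration in Python. This is a simplified model written for this guide, not Allot's scheduler; the link size, Virtual Channel figures and demands are constructed.

```python
# Constructed illustration of how guaranteed minimums, maximums, borrowing and
# priority interact (a simplified model, not Allot's scheduler). VC figures and
# demands are assumptions.


def allocate(link_kbps: int, vcs: list) -> dict:
    """Share a link among Virtual Channels.

    vcs: dicts with name, min_kbps, max_kbps, priority (higher wins) and
    demand_kbps (what the VC would send if unconstrained).
    Pass 1 grants every VC its guaranteed minimum (or its demand, if lower).
    Pass 2 lends the remaining capacity out in priority order, letting a VC
    burst above its minimum but never beyond its maximum or its demand.
    """
    alloc = {}
    remaining = link_kbps
    for vc in vcs:  # pass 1: guaranteed minimums (link may be over-subscribed)
        grant = min(vc["min_kbps"], vc["demand_kbps"], remaining)
        alloc[vc["name"]] = grant
        remaining -= grant
    for vc in sorted(vcs, key=lambda v: v["priority"], reverse=True):
        if remaining <= 0:  # pass 2: borrow surplus, highest priority first
            break
        headroom = min(vc["max_kbps"], vc["demand_kbps"]) - alloc[vc["name"]]
        extra = max(0, min(headroom, remaining))
        alloc[vc["name"]] += extra
        remaining -= extra
    return alloc


LINK_KBPS = 2000  # constructed 2 Mbps WAN link
SAMPLE_VCS = [  # constructed Virtual Channel definitions
    {"name": "VoIP", "min_kbps": 256, "max_kbps": 512, "priority": 3, "demand_kbps": 400},
    {"name": "Web", "min_kbps": 500, "max_kbps": 2000, "priority": 2, "demand_kbps": 1500},
    {"name": "P2P", "min_kbps": 0, "max_kbps": 300, "priority": 1, "demand_kbps": 1000},
]


def peak_and_offpeak() -> tuple:
    """Peak: all VCs demand at once; off-peak: Web demand drops to 300 kbps."""
    peak = allocate(LINK_KBPS, SAMPLE_VCS)
    quiet = [dict(vc, demand_kbps=300) if vc["name"] == "Web" else vc
             for vc in SAMPLE_VCS]
    return peak, allocate(LINK_KBPS, quiet)
```

At peak the low-priority P2P channel is held to the 100 kbps left after the higher priorities have borrowed, while off-peak it bursts up to its 300 kbps maximum.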
Catalog Editors
Catalog Editors enable you to define values for defining your policy. The possible
values for each condition of a rule and for actions are defined in the Catalog entries in
the Catalog Editors. A Catalog Editor enables you to give a logical name to a
comprehensive set of parameters (a Catalog entry). This logical name then becomes a
possible value for a condition or action. Catalog Editors are described in detail in
Chapter 7, Defining Catalog Entries.
Pipes
A Pipe provides a way of classifying traffic that enables you to divide the total
bandwidth and then manage every Pipe as if it was an independent link. A Pipe consists
of one or more sets of conditions (rules) and a set of actions that apply when any of the
rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of
Virtual Channels from a QoS point of view. When you add a new Pipe, it always
includes at least one Virtual Channel, the Fallback Virtual Channel. The rule of the
Fallback Virtual Channel cannot be modified or deleted. A connection coming into
NetEnforcer is matched to a Pipe according to whether the characteristics of the
connection match any of the rules of the Pipe. The connection is then further matched to
the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence
all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are
enforced together with the actions of the Pipe.
Virtual Channels
A Virtual Channel provides a way of classifying traffic and consists of one or more sets
of conditions (rules) and a set of actions that apply when any of the rules are met. A
Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further
matched to a Virtual Channel according to whether the characteristics of the connection
match any of the rules of the Virtual Channel.
Rules
A rule is a set of six conditions. Rules can be defined at Pipe level or Virtual Channel
level. NetEnforcer matches connections to rules, first at the Pipe level and then at
Virtual Channel level within a Pipe.
The six conditions that make up a rule are as follows:
• Connection Source: Defines the source of the traffic. For example, a specific IP or
MAC address, a range of IP addresses, IP Subnet addresses, or host names. The
default value is Any which covers traffic from any source.
• Connection Destination: Defines the destination of the traffic. For example, a
specific IP or MAC address, a range of IP addresses, IP Subnet addresses, or host
names. The default value is Any, which covers traffic to any destination.
• Service: Defines the protocols relevant to a connection. Protocols may be TCP and
UDP IP type, non-TCP and non-UDP type or non-IP type. TCP and UDP IP
protocols are defined based on port type. HTTP protocols may include content
definitions, such as specific Web directories, pages, or URL patterns. The default
value is all, which covers all protocols.
• TOS: Defines the TOS byte contained in the IP headers of the traffic. The default
value is Any, which covers any TOS value.
• VLAN: Defines VLAN bits contained in the VLAN header of the traffic. The
default value is Any, which covers any VLAN value.
• Time: Defines the time period during which the traffic is received. For example
daily between 8.00 AM and 6.00 PM, Sundays between 12.00 AM and 12.00 PM or
on the 1st and 15th of the month. The default value is Always, which covers traffic at
any time.
When a new Pipe or Virtual Channel is created, it is assigned a default rule with default
values for each condition and you can modify these values as required.
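The two-level first-match order described in the Classify section (first Pipe, then first Virtual Channel within it, each level ending in a Fallback) and the six rule conditions above, as an added illustration in Python. This is not NetEnforcer code; the condition forms, names, addresses and sample connections are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed illustration (not NetEnforcer code) of the two-level first-match
# order described in this chapter: Pipe rules first, then Virtual Channel rules
# inside that Pipe, each level ending in a Fallback. Condition forms, names and
# sample connections are assumptions.
ANY = None  # default value of every condition ("Any" / "Always")


def _host_match(pattern: Optional[str], addr: str) -> bool:
    """Source/destination condition: ANY, a single IP, or a CIDR subnet."""
    if pattern is ANY:
        return True
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern, strict=False)
    return ip_address(addr) == ip_address(pattern)


@dataclass
class Rule:
    """The six conditions of a rule; ANY in a field matches everything."""
    source: Optional[str] = ANY       # single IP or CIDR subnet
    destination: Optional[str] = ANY  # single IP or CIDR subnet
    service: Optional[str] = ANY      # protocol / service name
    tos: Optional[int] = ANY          # TOS byte of the IP header
    vlan: Optional[int] = ANY         # VLAN id
    time: Optional[range] = ANY       # hours of the day, e.g. range(8, 18)

    def matches(self, conn: dict) -> bool:
        return (_host_match(self.source, conn["src"])
                and _host_match(self.destination, conn["dst"])
                and (self.service is ANY or self.service == conn["service"])
                and (self.tos is ANY or self.tos == conn["tos"])
                and (self.vlan is ANY or self.vlan == conn["vlan"])
                and (self.time is ANY or conn["hour"] in self.time))


@dataclass
class VirtualChannel:
    name: str
    rules: list = field(default_factory=list)   # no rules = Fallback VC
    actions: dict = field(default_factory=dict)

    def matches(self, conn: dict) -> bool:
        return not self.rules or any(r.matches(conn) for r in self.rules)


@dataclass
class Pipe(VirtualChannel):
    vcs: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Every Pipe always ends with a Fallback VC, which cannot be deleted,
        # so a connection matched to the Pipe is never left unclassified.
        self.vcs = [vc for vc in self.vcs if vc.rules] + [VirtualChannel("Fallback")]


def classify(policy: list, conn: dict) -> tuple:
    """Return (pipe name, VC name, pipe actions, VC actions) for a connection.

    The first Pipe whose rules match wins (the policy's last Pipe is the
    rule-less Fallback Pipe); inside it the first matching VC wins, and the
    VC actions are enforced together with the Pipe actions.
    """
    for pipe in policy:
        if pipe.matches(conn):
            vc = next(v for v in pipe.vcs if v.matches(conn))
            return pipe.name, vc.name, pipe.actions, vc.actions
    raise ValueError("policy must end with a Fallback Pipe")


def build_sample_policy() -> list:
    """Constructed policy: one Pipe for a 2 Mbps WAN link plus the Fallback."""
    wan_link = Pipe(
        "WAN link 1", [Rule(destination="10.20.0.0/16")], {"max_kbps": 2000},
        vcs=[VirtualChannel("VoIP", [Rule(service="SIP")],
                            {"priority": "high", "min_kbps": 256}),
             VirtualChannel("Office-hours web",
                            [Rule(service="HTTP", time=range(8, 18))],
                            {"priority": "normal"})])
    return [wan_link, Pipe("Fallback", actions={"priority": "low"})]


# Constructed sample connections (private / documentation address ranges).
SAMPLE_CONNECTIONS = [
    {"src": "192.168.1.10", "dst": "10.20.5.1", "service": "SIP",
     "tos": 0, "vlan": 0, "hour": 9},
    {"src": "192.168.1.11", "dst": "10.20.5.2", "service": "HTTP",
     "tos": 0, "vlan": 0, "hour": 22},
    {"src": "192.168.1.12", "dst": "203.0.113.5", "service": "HTTP",
     "tos": 0, "vlan": 0, "hour": 10},
]
```

The second sample connection lands in the WAN link Pipe but, being HTTP outside office hours, falls through to that Pipe's Fallback Virtual Channel; the third matches no Pipe rule and goes to the Fallback Pipe.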
Templates
Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will
create multiple Pipes or Virtual Channels very similar to each other. Templates work
with host group entries and LDAP-based hosts entries defined in the Host Catalog. For
example, if you had a host group entry in the Host Catalog called Gold Customers that
consisted of Company X, Company Y and Company Z, you could define a Pipe
template to be expanded for Gold Customers. This would result in Pipes being created
for Company X, Company Y and Company Z when the Policy Editor is saved.
A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual
Channels on source/destination differentiation. This means that you do not need to
define similar Pipes and Virtual Channels when the only difference between them is the
IP address in the source or destination.
NetWizard
NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a
network, enabling the network manager to quickly define QoS policies for each type of
protocol in the network. This, in turn, improves the efficiency and application response
time of the network.
NetWizard automatically identifies the traffic protocols in your network and then guides
you through the QoS configuration process, allowing you to assign minimum and
maximum bandwidth and priority for the various protocols.
With NetWizard, you need not be initially acquainted with every protocol or the traffic
patterns in your network in order to define QoS policy. Once you make your initial
selections, a QoS policy is generated, enabling NetEnforcer to enforce that policy in
your network. Further refinement of the policy is possible when you have become more
familiar with NetEnforcer tools, such as the Policy Editor and Catalog Editors.
NetEnforcer in Action
The following scenarios provide examples of how NetEnforcer can optimize network
traffic in a variety of working environments.
Scenario 1: Corporate
In this example, the Pipe feature enables the network manager to manage traffic to three
different WAN links and create a Pipe for each one of them.
Figure 1-1 - Corporate Network Structure with Three Outgoing WAN Links
The network manager would like to assign a maximum of 2Mbps for each WAN link.
The multiple protocol traffic is going to different locations, based on the IP address.
Scenario 2: QoS in an Intranet
The figure below illustrates how a NetEnforcer manages an Intranet's mission critical
traffic.
Scenario 3: ISP
An Internet Service Provider sells slices of bandwidth to subscribers (defined in Pipes),
with an advanced offering of tiered services (for example, Gold, Silver and Bronze
customers). Customer traffic must be managed with high granularity, for example by
creating a separate Pipe for each subscriber and dividing traffic according to the
customer's needs.
The ISP would like to control the maximum usage of each subscriber while limiting the
total bandwidth used. Moreover, the ISP needs to over-subscribe customers (there are
more customers than the bandwidth available for each VC/Pipe). The ISP would like to
offer tiered services.
The ISP does the following:
• Assigns Gold, Silver and Bronze service levels.
• Sets a maximum of 8Mbps to Smart Building tenants (minimum 2Mbps).
• Assigns a minimum of 60 Kbps and a maximum of 100 Kbps to each and every home user.
• Using templates, the ISP is able to over-subscribe tenants (since, most probably, not
all of them will be active at the same time).
• A Silver level is assigned to Regional Office 1 users with a minimum of 100 Kbps
and a maximum of 250 Kbps.
• Lotus Notes users are assured a minimum of 40 Kbps.
• A Bronze level is assigned to Regional Office 2 (minimum 40 Kbps and maximum
250 Kbps).
The Policy Editor is set up as follows:
Scenario 4: Satellite Provider
Satellite service providers provide local services for allowing many customers to share a
common satellite link to remote services. NetEnforcer is placed between the local
network of the satellite provider and the remote users.
Assure Fairness
In most satellite environments, a single uplink from the service provider delivers
bandwidth intended for multiple users while the downlink is broadcast simultaneously
to many different networks. This results in a few low-priority users or applications
taking up most of the available resources without regard to the applications’ importance
or overall need for bandwidth. Using NetEnforcer in satellite networks assures fairness
between users and applications.
Scenario 5: Enhancing Enterprise Security
How to set up your network with NetEnforcer to prevent DoS attacks is shown in the
following diagram:
This chapter describes the NetEnforcer hardware and the initial installation and setup of
NetEnforcer. NetEnforcer is a transparent learning bridge that is IEEE 802.1-compliant.
NetEnforcer contains a Bypass switch that connects the Internal connector to the
External connector in the case of a subsystem failure in NetEnforcer or a power loss.
The Bypass switch is an external component on the AC-802 High Availability models
and an internal component on other models. This mechanism ensures that data passes
through NetEnforcer should any hardware or software problem occur.
Hardware Description
NetEnforcer enables the definition and classification of traffic by users, applications and
resources. Several NetEnforcer models are available to support large and small sites and
different data network speeds. The following NetEnforcer models are available:
Model             Bandwidth  Pipes  VCs (Total)  Connections  Platform
NetEnforcer Standard Platform
AC-202/MO         10M        128    1,024        24,000       Enhanced
AC-202/128        128K       128    1,024        6,000        Enhanced
AC-202/512        512K       128    1,024        6,000        Enhanced
AC-202/2M         2M         256    2,048        12,000       Enhanced
AC-202/10M        10M        512    2,048        24,000       Enhanced
AC-402/MO         100M       512    2,048        96,000       Enhanced
AC-402/10M        10M        512    2,048        24,000       Enhanced
AC-402/45M        45M        1,024  4,096        64,000       Enhanced
AC-402/100M       100M       1,024  4,096        96,000       Enhanced
NetEnforcer High-Availability Platform
AC-802/100M       100M       2,048  8,192        128,000      High Availability
AC-802/155M       155M       2,048  8,192        128,000      High Availability
AC-802/310M       310M       2,048  8,192        128,000      High Availability
AC-802/SP-100M    100M       4,096  28,672       256,000      High Availability
AC-802/SP-155M    155M       4,096  28,672       256,000      High Availability
AC-802/SP-310M    310M       4,096  28,672       256,000      High Availability
The High Availability platforms come with an additional module known as a Copper Bypass
(for the AC-802 Copper) or a Fiber Bypass (for the AC-802 Fiber). These modules are
external Bypass switches.
CAUTION:
All AC-802 models only work when the appropriate Bypass module is connected to them. This is to ensure
continuous service in the event of failure.
NOTE:
The maximum Ethernet cable length is generally up to 50 meters.
Figure 2-1 – NetEnforcer Front Panel: High Availability Platform (Model AC-802)
CAUTION:
Motherboard contains lithium battery. Danger of explosion if battery is incorrectly replaced. Replace only
with the same or equivalent type recommended by the manufacturer.
Dispose of used battery according to the manufacturer’s instructions.
The Link Connections Area differs slightly according to the model as shown in the
following diagrams:
CAUTION:
CLASS 1 LASER PRODUCT. DANGER! Invisible laser radiation when opened. AVOID DIRECT
EXPOSURE TO BEAM.
The front panel of the AC-802 model contains LEDs that are positioned on each of the
External, Internal and Management connectors or used as the Standby, Active and
Power indicators.
The modes of operation of the External, Internal and Management indicators are
described in the table below.
External/Internal/Management LED   NetEnforcer Status
Green                              A link is detected.
Orange                             Blinks when traffic is detected on the interface.
Off                                No link activity is detected.
Table 2-1 – External/Internal/Management LED Conditions: AC-802
The modes of operation of the Standby, Active and Power indicators are described in
the table below.
Indicator   Status   NetEnforcer Status
Standby     On       Two NetEnforcers are connected in Redundancy mode and this
                     NetEnforcer is the secondary system.
For a description of how to configure NetEnforcer using the LCD panel, refer to
Configuring Via the LCD Panel, page 2-40.
Management Port
The Management port exists on the Enhanced and High Availability platforms. The
dedicated Management port enables out-of-band management. Operating through the
Management port denies management access to the device from Internal or External
ports. Moreover, when there is a problem in the regular network you can still manage
and monitor the NetEnforcer.
For more information on the Management port, see Out-of-Band Management,
page 2-25.
[Rear panel callouts: Keyboard Connector, Bi-Color Power LEDs, Ground Connector, VGA
Connector, Hot Swappable Power Supplies]
Figure 2-5 – NetEnforcer Rear Panel: High Availability Platform (Model AC-802)
NOTE:
The power supply automatically adapts to voltages between 100 V and 240 V, 50/60 Hz.
Should you need to, you can replace one of the power supplies while NetEnforcer is
connected and operating. Replacing a power supply while the unit is operating is
possible since the remaining power supply will take the full load and maintain full
operation.
NOTE:
To remove a power supply module, press the release button, pull the handle and slide the module out.
Leave the power cord connected when removing a power supply module.
Each power supply has a bi-color power LED indicating input/output power status:
LED Power Supply Status
Green A green light indicates that the power supply is connected to
power and no failure condition exists.
Red A red light indicates that a failure condition exists.
When power failure occurs, the power LED indication is Red and an internal buzzer
beeps. You have to remove the power supply module to quiet the buzzer. Leave the
power cord connected when removing a power supply module.
Key features of the power supply include:
• Hot-pluggable, easy to maintain
• Based on the N+1, load sharing
• Universal AC input with Power Factor correction
• Rear panel with bi-color LED indicating input/output power status
• Power fault buzzer alarm system
Bypass Modules
The AC-802 operates with an external Bypass module. The Bypass module is a
mission-critical subsystem designed to ensure network connectivity at all times. The
Bypass mechanism provides ‘connectivity insurance’ in the event of a NetEnforcer
subsystems failure. The AC-802 Copper operates with a Copper Bypass and the
AC-802 Fiber operates with a Fiber Bypass. The Bypass module is connected to
NetEnforcer by a series of leads and cables.
CAUTION:
NetEnforcer AC-802 must be connected to the appropriate Bypass module. This is to ensure continuous
service in the event of failure.
A separate NetEnforcer Bypass package is included with your AC-802 shipment. The
box includes the following:
• NetEnforcer Copper Bypass or Fiber Bypass Module
• Two side mounting brackets
• Two straight Ethernet cables (AC-802 Copper)
• Two cross-over Ethernet cables (AC-802 Copper)
[Copper Bypass module callouts: To External Router Connector, To Internal Switch
Connector, Mode LED Indicator, To Primary NetEnforcer Connector]
NOTE:
Use the supplied UTP CAT-5 straight Ethernet cables to connect link connections marked with Internal and
External labels).
The Copper Bypass module includes RJ-45 connectors for Ethernet cables and two
D-type 9-pin connectors for primary and redundant unit to backup connection.
1. Connect the External cable from the External port on the Bypass module (7) to the
External port on NetEnforcer (1).
2. Connect the Internal cable from the Internal port on the Bypass module (8) to the
Internal port on NetEnforcer (2).
3. Connect the D-type connector from the Primary port on the Bypass module (9) to
the Backup port on NetEnforcer (3).
4. Connect the External cable from the External port on the Bypass module (5) to a
router connector.
5. Connect the Internal cable from the Internal port on the Bypass module (4) to a
switch connector.
6. To connect a secondary NetEnforcer for Full Redundancy, you need two
NetEnforcers and one Bypass module. Connect the backup D-type connector from
the Secondary port on the Bypass module (6) to another NetEnforcer.
• Internal and external connectors of the redundant NetEnforcer should be
connected directly to the network. There is no need to connect via the Bypass
module.
NOTES:
Use 62.5/125µ or 50/125µ fiber optic cables with duplex SC connectors (not provided) to connect 1 Gbps
ports of the switch and the router.
Cables with duplex LC connectors (marked with Internal and External labels) are provided with the unit.
The Fiber Bypass module includes two duplex LC connectors, two built in fiber cables
and two D-type 9-pin connectors for primary and redundant unit to backup connection.
The following procedure describes how to connect a Fiber Bypass module to
NetEnforcer. The procedure contains circled numbers, for example (1), relating to
reference numbers used in the diagram.
1. Connect the fiber cable labeled External from the Bypass module (7) to the External
port on NetEnforcer (1).
2. Connect the fiber cable labeled Internal from the Bypass module (7) to the Internal
port on NetEnforcer (2).
3. Connect the D-type connector from the Primary port on the Bypass module (8) to
the Backup port on NetEnforcer (3).
4. Connect a 62.5/125µ or 50/125µ External fiber optic cable from the External port on
the Bypass module (5) to a 1 Gbps router.
5. Connect a 62.5/125µ or 50/125µ Internal fiber optic cable from the Internal port on
the Bypass module (6) to a 1 Gbps switch.
6. To connect a secondary NetEnforcer for Full Redundancy, you need two
NetEnforcers and one Bypass module. Connect the backup D-type connector from
the Secondary port on the Bypass module (4) to another NetEnforcer.
• Internal and external connectors of the redundant NetEnforcer should be
connected directly to the network. There is no need to connect via the Bypass
module.
Powering Up
The following procedure describes how to power up the High Availability platform
models using the LCD panel.
It is recommended to connect the two power line feeds to separate power sources to
have full power redundancy. The two bi-color Power LEDs on the rear of NetEnforcer
are lit indicating that the power supply is connected to power and no failure condition
exists.
The Power LED on the LCD panel is lit and the Mode LED on the Bypass module is
off, indicating that the power is on and NetEnforcer is bypassed.
The display area of the LCD panel indicates the following: Power On.
After a few seconds, the display area of the LCD panel indicates the following:
System Loading *.
NOTE:
The maximum cable length is generally up to 50 meters.
LED Indicators
The front panel of the Enhanced Platform contains nine LEDs. Two LEDs are
positioned on each of the External, Internal and Management network connectors. The
remaining three LEDs are the Standby, Active and Power indicators.
The modes of operation of the External, Internal and Management indicators are
described in the table below.
Indicator Status NetEnforcer Status
The modes of operation of the Standby, Active and Power indicators are described in
the table below.
Indicator   Status   NetEnforcer Status
Standby     On       Two NetEnforcers are connected in Redundancy mode and this
                     NetEnforcer is the secondary system.
For a description of how to configure the system using the LCD panel, refer to
Configuring Via the LCD Panel, page 2-40.
Management Port
The Management port exists on the Enhanced and High Availability platforms. The
dedicated Management port enables out-of-band management. Operating through the
Management port denies management access to the device from Internal or External
ports. Moreover, when there is a problem in the regular network you can still manage
and monitor the NetEnforcer.
For more information on the Management port, see Out-of-Band Management,
page 2-25.
[Rear panel callouts: Power Cable Connector and Fuse, Serial Connector, Backup
Connector, Ground Connector]
NOTE:
The power supply automatically adapts to voltages between 100V and 240V.
CAUTION:
The power supply unit includes an internal fuse. Only Allot Service personnel are authorized to replace it.
Out-of-Band Management
The dedicated Management port on NetEnforcer provides a secure solution for device
management for enterprise and service providers. It enables you to permit access solely
to a closed group of network administrators, so that ISP customers cannot "see" the
Management port and therefore cannot access the NetEnforcer management.
NetEnforcer lets you enable or disable this Management port, permitting either in-band
or out-of-band management.
4. Connect the power cable and power up NetEnforcer, as described in Powering Up,
page 2-16.
When connecting two NetEnforcers in Redundancy mode, use the special 37-pin cable
(or 9-pin cable for Bypass module) supplied. For more information, refer to Appendix B,
Fail-Safe Operation.
NOTE:
After you connect the cables (and the Active LED is on), the Internal and External Link LEDs on the front
panel are on. When traffic is passing through the interface, the Activity LEDs blink.
Setting Up NetEnforcer
In order to manage and configure NetEnforcer policies remotely from your Web
browser, several basic parameters must be configured on NetEnforcer. You can
configure these basic parameters using a terminal connected to NetEnforcer or by using
the LCD panel.
4. Enter admin for the login and allot for the password. (To change the password, see
page 2-37.)
5. Press <Enter>. The NetEnforcer Setup Menu is displayed:
When all necessary parameters are set, NetEnforcer prompts you to reboot. After
rebooting is completed, NetEnforcer is ready to be connected and to add Quality of
Service in your network.
1. In the NetEnforcer Setup Menu, enter 1 (List current configuration) and press
<Enter>. The current network configuration parameters are displayed. A sample
screen is shown below:
Device Hostname               The host name for your NetEnforcer, for example, Jonny2.
Primary name server IP        If you have a Domain Name Server (DNS), its IP address.
address                       If you do not have a DNS, enter none.
Secondary name server IP      If you have a second DNS, its IP address. If you do not
address                       have a second DNS, enter none.
• The duplex type for the External interface. Enter full for full duplex, half for half
duplex or auto for AutoSensing.
• If you selected full or half duplex, enter the link speed of the External interface,
10M or 100M. Use M for Mbps.
NOTE:
AC-802 Copper models also support Gigabit Ethernet, AutoSensing, 10/100/1000Base-T.
When using NetEnforcer AC-802 Fiber models, you must set the interface of the device you are
connecting to as 1000 Mbps Full Duplex with Auto-Negotiation disabled.
TIP:
When connecting NetEnforcer to a hub or a switch, ensure that the Ethernet adapter settings on both
sides (meaning, NetEnforcer and the switch) are set to the same mode. In other words, if you wish to
set the Ethernet adapters on your NetEnforcer to AutoSensing, ensure that the Ethernet adapter on the
connected hub or switch is also set to AutoSensing. The same principle applies when setting the
Ethernet adapters to Half or Full Duplex.
In addition, to ensure that the devices on both sides of the NetEnforcer (meaning, the devices
connected to the Internal and External interfaces) can communicate in the event of the NetEnforcer
going into Bypass, ensure that the Ethernet adapters on the devices on both sides of the NetEnforcer are
set to the same mode. (For further information, see Appendix B, Fail-Safe Operation.)
NOTE:
M = 1 million (1,000,000); K = 1 kilo (1,000)
CAUTION:
You must change the default passwords to ensure a minimum level of security.
NOTE:
The new user name and password will be used in the NetEnforcer Log In window when accessing
NetEnforcer through a browser.
6. Enter a new password and press <Enter>. The password must be between 5 and 8
characters. You can use a combination of upper and lower case letters and numbers.
7. Re-enter the new password and press <Enter>.
CAUTION:
If you forget this password, contact Allot Customer Support.
When all necessary parameters are set, NetEnforcer prompts you to reboot. After
rebooting is completed, NetEnforcer is ready to be connected and to add Quality of
Service in your network.
TIP:
You can further protect the access to NetEnforcer by limiting the hosts that are allowed to manage the unit.
To configure the allowed host list, refer to Access Control in Chapter 4, Configuring NetEnforcer.
The illustration below is a list of the main menu options from the LCD panel.
3. Use the arrow buttons to select the required interface and press the Enter button.
The display area indicates the following:
Mode: [A]uto or
[F]ull/[H]alf du
4. Use the arrow buttons to select the duplex type for the selected interface and press
the Enter button. The display area indicates the following:
Speed: [A]uto or
[100]/[10] Mbps
5. Use the arrow buttons to select the link speed of the selected interface and press the
Enter button. The display area indicates the following:
[S]ave/[C]ancel
6. Use the arrow buttons to select whether to save the settings or cancel and press the
Enter button. The new NIC settings are applied and after a few moments, the
display area displays its default view, the current bandwidth consumption.
8. Specify the IP address of the default gateway. Use the up and down arrow buttons to
select the required number and the left and right arrow buttons to move between the
digits.
9. Press the Enter button. The display area indicates the following:
[S]ave/[C]ancel
10. Use the arrow buttons to select whether to save the settings or cancel and press the
Enter button. The new IP and gateway settings are applied and after a few moments,
the display area displays its default view, the current bandwidth consumption.
The following cases of failure may be indicated:
Failure                  Display
Register NIC Settings    Fail: NE IP save
                         Chk NE IP config
Netmask Save             Fail: MASK save
                         Chk NE IP config
Management NIC Save      Fail: Mgmt save
                         Chk NE IP config
Gateway Save             Fail: GW save
                         Chk NE IP config
Activating Bypass
To configure a Bypass:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow three times to display the following:
Main menu:
4. Bypass
3. Press the Select button. If the system is not in Bypass mode, the display area
indicates the following:
Go into Bypass?
[Y]es/[N]o
4. Use the arrow buttons to select whether to enter Bypass mode and press the Enter
button. NetEnforcer switches to Bypass mode and after a few moments, the display
area displays its default view, the current bandwidth consumption.
NOTE:
When the system is already in Bypass mode, you are prompted to select whether to exit Bypass mode.
Use the arrow buttons to select whether to exit Bypass mode and press the Enter button.
To reboot NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow four times to display the following:
Main menu:
5. Reboot
3. Press the Select button. The display area indicates the following:
Reboot?
[Y]es/[N]o
4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter
button. NetEnforcer reboots and the display area indicates the following:
System
Rebooting * (blinking asterisk)
NOTE:
This message is also displayed in the display area when NetEnforcer is rebooted using a terminal.
To shut down NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow five times to display the following:
Main menu:
6. Shutdown
3. Press the Select button. The display area indicates the following:
Shutdown?
[Y]es/[N]o
4. Use the arrow buttons to select whether to shut down NetEnforcer and press the Enter
button. NetEnforcer shuts down and the display area indicates the following:
System
Shutting down * (blinking asterisk)
After a few seconds, the display area indicates that NetEnforcer may be powered off.
NOTE:
This message is also displayed in the display area when NetEnforcer is shut down using a terminal.
To exit NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow six times to display the following:
Main menu:
7. Exit
3. Press the Enter or the Select button. The display area displays its default view, the
current bandwidth consumption.
This chapter explains how to connect to your client management station, provides an
overview of the NetEnforcer interface, and describes how to install the Java Plug-in.
Accessing NetEnforcer
Once you have completed the initial setup, as described in the previous chapter, you can
access NetEnforcer via your Web browser. The first time that you connect to
NetEnforcer, you may be prompted to install Java plug-in 1.3. Refer to Installing the
Java Plug-in 1.3, page 3-9, for further information.
To connect to NetEnforcer:
1. Open your browser, and enter http://(IP address of NetEnforcer). The NetEnforcer
Log On dialog box is displayed:
2. In the User Name field, enter admin and in the Password field, enter allot or the
password that was established at setup. This is the default user name and password.
They may be different if you changed them during the initial configuration. Refer to
Chapter 2, Installing NetEnforcer, Section Setting Up NetEnforcer.
3. Click Log On. The NetEnforcer Control Panel is displayed.
NOTE:
It may take a few moments to display the Control Panel.
The NetEnforcer Control Panel is the main navigation point for NetEnforcer. Each
button in the Control Panel provides access to different NetEnforcer functionality. The
buttons and their sub-options are described on the following pages.
The NetEnforcer application runs as a Java applet with the assistance of Sun
Microsystems Java plug-in 1.3.
The minimum requirements for using the Java plug-in are a Pentium 2 with 128 MB RAM.
This plug-in enables a Java applet to run using Sun’s Java Runtime Environment (JRE)
on the following platforms:
• Microsoft’s Internet Explorer 6.0 on Win32 platforms (Windows 98, Windows
2000, Windows Millennium, Windows NT 4.0 and Windows XP)
• Netscape Navigator 6 on Win32 platforms (Windows 98, Windows 2000, Windows
Millennium, Windows NT 4.0 and Windows XP)
• Solaris platforms (Solaris 2.5 or 2.6)
• Linux 2.2
When the NetEnforcer application is loaded, the Java plug-in ensures that Sun’s Java
Runtime Environment (JRE) is loaded to run the applet (and not the browser’s default
JRE). This enforces a singular behavior (consistent look and feel) of the applet among
the various browsers and their associated versions.
This section describes how to install the Java plug-in 1.3 from Microsoft Internet
Explorer and Netscape.
If you have any earlier versions of the Java plug-in, you should uninstall them before
installing version 1.3. For example, NetEnforcer 3.x users have Java plug-in 1.1.1
installed.
3. Select a destination location for the plug-in or leave the default location.
4. Click Next and wait a few moments. The Java Plug-in Security Warning window is
displayed:
6. If you select Grant this session, each time you open the NetEnforcer GUI, or open
the GUI on a new computer, after June 1, 2003 (the publisher's certificate expiry
date), the following popup window is displayed:
7. Click Yes to ignore the warning and proceed; Figure 3-4 is redisplayed.
2. Click the icon. If you are using a Windows-based platform, the following Plug-in
Not Loaded window is displayed:
4. Select the folder in which you want to save the Java plug-in executable installation
file and click Save. The executable file is saved in the selected location.
5. Run the executable file saved in step 4, and wait a few moments. The Software
License Agreement window is displayed:
7. Select a destination location for the plug-in or leave the default location.
8. Click Next and wait a few moments. The Java Plug-in Security Warning window is
displayed:
Overview
Once you have configured NetEnforcer for your network environment, described in
Chapter 2, Installing NetEnforcer, you can modify configuration parameters remotely
via your Web browser including initial setup parameters, as well as the following run-
time parameters:
• System parameters, including software versions and keys
• Access link parameters, including the duplex type and bandwidth of Internal and
External interfaces
• Network interface parameters, including IP addresses and mask/gateway
parameters
• Access control parameters that determine access to NetEnforcer management
functions
• Internal and external Ethernet adapter parameters
• Networking parameters, including monitoring only mode and bridging protocol
• Parameters that enable SNMP-compatible management functions
• Connection parameters
• Monitoring parameters
• Accounting parameters
• LDAP parameters
• VLAN parameters
• Denial of Service (DoS) parameters
Configuration parameters are modified from the NetEnforcer Configuration window. A
general procedure for configuring NetEnforcer is presented on page 4-3. A description
of all the possible configuration parameters begins on page 4-9.
To configure NetEnforcer:
1. From the NetEnforcer Control Panel, click Configuration. The NetEnforcer
Configuration window is displayed:
Once the date has expired, the box reboots and the new module settings are
displayed, showing all modules as disabled.
Menu Bar
The menu bar in the NetEnforcer Configuration window includes five menus, described
in the following sections.
File Menu
Edit Menu
Options Menu
Help Menu
Toolbar
The toolbar in the Configuration window enables easy access to many of the functions
available from the menu bar. The toolbar includes the following buttons:
Parameter                  Definition
NetEnforcer Activation     The activation key to enable NetEnforcer. Enter the
Key                        activation key supplied to you when purchasing NetEnforcer.
                           The functionality enabled by the key is summarized in the
                           fields below.
Quality of Service         Quality of Service is enabled on NetEnforcer.
Load Balancing             The NetBalancer module is enabled on NetEnforcer.
Cache Enforcer             The CacheEnforcer module is enabled on NetEnforcer.
NetAccountant              The NetAccountant module is enabled on NetEnforcer.
NetEnforcer Bandwidth      The maximum bandwidth capacity of NetEnforcer.
Capacity
After entering an activation key, click Save. The following message is displayed:
Access Links
The Access Links tab includes parameters that enable you to set the duplex type and
bandwidth of the Internal and External interfaces. The internal side of NetEnforcer
interfaces with your Local Area Network (LAN) and the external side of NetEnforcer
interfaces with the Wide Area Network (WAN) via your access router.
Parameter            Definition
Outbound Bandwidth   The bandwidth of the link going away from NetEnforcer.
                     When the Type is Half Duplex, the outbound bandwidth is
                     valid for inbound and outbound traffic and the inbound
                     bandwidth is not relevant.
Inbound Bandwidth    The bandwidth of the link going into NetEnforcer.
TIP:
If you enter a maximum bandwidth setting of less than 1Kbps for either interface, the following message is
displayed: ”A bandwidth rate of less than 1000 bits/sec has been entered for Internal outbound speed.
This is very slow speed. Continue with save anyway?”
Press Yes to confirm that this is the correct setting for the interface. Press No to re-enter another value.
It is strongly recommended not to attempt to shape traffic of less than 1 Kbps. Setting internal or external
bandwidth of less than 1 Kbps will cause normal network traffic to come to a halt.
For example, shaping bandwidth of a short frame of 64 bytes to a bandwidth link of 1000 bps will result in
less than two packets per second which is impractical in today's networks. Refer to the Release Notes for
more information.
Parameter                     Definition
Host Name of NetEnforcer      The host name of NetEnforcer.
Domain Name                   The domain name.
Primary Domain Name Server    The IP address of the primary domain name server.
Secondary Domain Name         The IP address of the secondary domain name server.
Server
Primary NTP Time Server       The name of the primary NTP (Network Time Protocol)
                              server. This enables NetEnforcer to receive the date
                              and time from an NTP server.
Secondary NTP Time Server     The name of the secondary NTP (Network Time Protocol)
                              server.
Tertiary NTP Time Server      The name of the tertiary NTP (Network Time Protocol)
                              server.
Out-of-Band Management
The dedicated Management port provides a secure solution for device management for
enterprise and service providers. It enables you to permit access solely to a closed group
of network administrators. ISP customers cannot "see" the Management port and
therefore cannot access the NetEnforcer management. NetEnforcer lets you enable or
disable this Management port, permitting either In-Band or Out-of-Band management.
Out-of-Band mode is graphically illustrated as follows:
NOTE:
To use In-Band management and manage the NetEnforcer via the Internal/External ports, select the
Disable Management port option in the IP & Host Name tab.
Security
The Security tab includes parameters that enable you to specify security parameters as
well as control access to NetEnforcer management functions by specifying the names of
hosts to whom you want to grant access permission.
CAUTION:
If no hosts are defined, anyone can access NetEnforcer management functions.
Parameter     Definition
Enable Ping   Select this checkbox to enable remote Ping communications with
              the NetEnforcer.
On the right side of the Security tab, is a list of hosts who have access permission to
NetEnforcer management functions. When the Allowed Hosts list is empty, there is
unrestricted access to NetEnforcer management functions. When there are hosts in the
Allowed Hosts list, only those hosts are allowed access to NetEnforcer management
functions. You can enter host details in either of the following formats:
• The name of the host.
• The IP address of the host.
CAUTION:
If no hosts are defined, anyone with a user name and a password can access NetEnforcer management
functions.
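The Allowed Hosts list is a fail-open control: as the cautions above say, an empty list leaves management reachable by anyone who has a user name and password, and the setup chapter warns that the defaults (admin/allot) must be changed. The following example is added here, and is not code from the NetEnforcer guide or from Allot, to show how such a list is evaluated and how a configuration snapshot can be audited for the settings the guide flags. The configuration dictionary layout, the `resolve` mapping (a constructed name-to-address table used so the example runs offline instead of querying DNS) and the sample values are all assumptions made for illustration.

```python
# Added worked example (not from the NetEnforcer guide): evaluating an Allowed Hosts
# list with the semantics the guide describes (empty list = unrestricted access) and
# auditing a configuration snapshot for the settings the guide cautions about.
# The config layout, the `resolve` mapping and the sample values are assumptions.
import ipaddress


def host_allowed(client_ip, allowed_hosts, resolve=None):
    """Guide semantics: an empty Allowed Hosts list lets anyone reach management.

    Entries may be host names or IP addresses. Name entries are looked up in
    `resolve`, a caller-supplied name -> [address, ...] mapping (constructed here
    so the example runs offline; a real check would use DNS). Names that do not
    resolve never match.
    """
    if not allowed_hosts:
        return True                       # fail-open default the guide cautions about
    client = ipaddress.ip_address(client_ip)
    resolve = resolve or {}
    for entry in allowed_hosts:
        try:
            if ipaddress.ip_address(entry) == client:
                return True
        except ValueError:                # not an IP literal, so treat it as a host name
            if any(ipaddress.ip_address(a) == client for a in resolve.get(entry, [])):
                return True
    return False


def host_allowed_strict(client_ip, allowed_hosts, resolve=None):
    """Same check, but an empty list denies everyone (fail-closed). This is a
    hardening choice for your own tooling; it is not a NetEnforcer option."""
    return bool(allowed_hosts) and host_allowed(client_ip, allowed_hosts, resolve)


def password_meets_policy(password):
    """Length rule from the setup procedure: between 5 and 8 characters."""
    return 5 <= len(password) <= 8


def audit_config(cfg):
    """Return findings for a configuration snapshot (assumed key layout:
    'user', 'password', 'allowed_hosts', 'management_port_disabled', 'enable_ping')."""
    findings = []
    if cfg.get("user") == "admin" and cfg.get("password") == "allot":
        findings.append("default credentials admin/allot still in use")
    if not password_meets_policy(cfg.get("password", "")):
        findings.append("password is outside the 5-8 character policy")
    if not cfg.get("allowed_hosts"):
        findings.append("Allowed Hosts list is empty: anyone with a password can manage the unit")
    if cfg.get("management_port_disabled"):
        findings.append("in-band management: the unit is managed via the Internal/External ports")
    if cfg.get("enable_ping"):
        findings.append("remote Ping is enabled (informational)")
    return findings


# Constructed samples: a freshly installed unit versus a hardened one.
FRESH_INSTALL = {"user": "admin", "password": "allot", "allowed_hosts": [],
                 "management_port_disabled": True, "enable_ping": True}
HARDENED = {"user": "admin", "password": "Xk7pq2Rz",
            "allowed_hosts": ["nms.example", "192.0.2.10"],
            "management_port_disabled": False, "enable_ping": False}
RESOLVE = {"nms.example": ["192.0.2.5"]}   # constructed DNS stand-in

if __name__ == "__main__":
    for finding in audit_config(FRESH_INSTALL):
        print("finding:", finding)
    print(host_allowed("192.0.2.5", HARDENED["allowed_hosts"], RESOLVE))    # True
    print(host_allowed("198.51.100.7", HARDENED["allowed_hosts"], RESOLVE)) # False
```

`host_allowed` mirrors the guide's behaviour, including the empty-list case, so it is useful for confirming what a given list actually permits; `host_allowed_strict` is the fail-closed variant you would want in your own monitoring. Because name entries depend on resolution, a host-name entry that stops resolving silently stops matching, which argues for IP address entries on a management allow list.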
NIC
The NIC tab includes parameters that enable you to configure the internal and external
Ethernet adapters to either automatically sense the direction and speed of network
traffic, or use a predetermined duplex type and speed. When working with AC-601/802
models, you can also specify the direction and speed of the management interface.
NOTE:
If the management interface is disabled, look in the IP & Host Name tab and confirm that the Disable
Management Port checkbox is selected.
Parameter   Definition
Mode        The type of interface. The options are as follows:
            Auto: The interface automatically senses the direction of the traffic.
            Half Duplex: The interface can either transmit or receive traffic.
            Full Duplex: The interface can transmit and receive traffic
            simultaneously.
Speed       The speed of the interface: Auto, 1000M, 100M or 10M.
            When the Mode is Auto, you cannot predefine the interface speed;
            Speed is set to Auto and cannot be modified.
NOTES:
For models AC-601 and AC-802 Copper, you can also select 1000M as the link speed for the Internal or
External interfaces.
For model AC-802 Fiber, the settings for the Internal and External interfaces cannot be changed: the
duplex type is full and the link speed is 1000M.
When you connect NetEnforcer to a hub or switch, ensure that the Ethernet adapter
settings on both sides are set to the same mode. This ensures proper communication
between the Ethernet adapters. For example, if you set the Ethernet adapter on
NetEnforcer to Auto, you must also set the Ethernet adapter on the hub or switch
connected to that interface to Auto. The same principle applies when setting Ethernet
adapters to Half or Full Duplex mode. To ensure that the devices on both sides of
NetEnforcer can communicate if NetEnforcer enters Bypass mode, make sure that the
interfaces on the devices on both sides of NetEnforcer are set to the same NIC (Ethernet
adapter) mode.
Networking
The Networking tab includes parameters that enable you to configure the network topology
as well as to select Monitoring Only mode.
Parameter                  Definition
Disable Application        Whether NetEnforcer analyzes content of the application
Layer Analysis in          layer. Deselecting this checkbox disables content inspection
NetEnforcer                and Napster and FTP identification and improves the
                           performance of NetEnforcer.
NetEnforcer is Enabled     This checkbox only appears with the Enhanced Platforms
for Monitoring Only        AC-202 and AC-402.
                           Select this checkbox to enable the monitoring and viewing of
                           traffic in graphical representation. Traffic is classified;
                           however, the NetEnforcer does not enforce or take action on
                           policies. For a detailed description of Monitoring Only
                           mode, see below.
When you deactivate Monitoring Only mode, the system returns to its previous state
and the following message is displayed:
SNMP
The SNMP tab includes parameters that configure NetEnforcer's SNMP-compatible
management functions.
Parameter Definition
Trap Community: The SNMP community string that NetEnforcer places in the traps it sends;
the receiving management station must be configured to accept traps carrying this
community. SNMP v1/v2c traps carry the community string in cleartext, so treat it as a
shared secret rather than leaving it at a well-known value.
Trap Destination: The IP address of the Network Management Console that receives the
NetEnforcer-generated SNMP traps. If there is no such destination, leave this parameter
blank.
Contact: The contact person, for SNMP purposes.
Location: The location of the system, for SNMP purposes.
Connection Control
The Connection Control tab includes parameters that enable you to configure timeouts
and the number of retries for the NetBalancer and CacheEnforcer modules, as well as
other connection parameters.
NOTE:
The Connection Control parameters have no effect unless NetBalancer or CacheEnforcer are enabled on
your system. For a description of NetBalancer functionality, refer to the NetBalancer User’s Manual. For a
description of CacheEnforcer functionality, refer to the CacheEnforcer User’s Manual.
Monitoring
The Monitoring tab includes parameters that display the monitoring sample period on
NetEnforcer and enable you to configure whether NetEnforcer performs DNS resolving
actions.
Internal Accounting
The Internal Accounting tab includes parameters that determine the frequency and
granularity of data storage and control the quantity of data stored. These parameters are
only relevant when NetAccountant is enabled on your system, as indicated in the Product
Ids & Key tab. For more information on the NetAccountant module and on Internal and
External Accounting, see the NetAccountant User's Manual.
Parameter Definition
Record Accounting Data Within the NetEnforcer Device Only: Whether NetEnforcer records
accounting data to the accounting database located on NetEnforcer. This must be selected
for internal accounting to be active.
Data will be Collected and Saved Every: The storage frequency, which also sets the
granularity (the finest time resolution) of the stored data. The larger this setting, the
less precisely the time of each connection is recorded, so less data is stored and data
from a longer period fits on disk. The minimum setting is one hour. This granularity also
bounds the granularity of accounting reports.
Data will be Deleted From Server After: The length of time data is kept in the database.
Setting it bounds the quantity of data saved, so that accounting data does not fill
NetEnforcer's hard disk. For example, if you set this parameter to one month, then every
day at midnight, data accumulated more than one month before the current date is removed.
Configure this option with care. Note that an accounting report cannot span a longer
period than the deletion span.
Use ODBC to Read Accounting Data: Whether host IP addresses are translated to string
representations so that ODBC applications can read the accounting data. The strings are
stored in the Hosts table of the NetAccountant database. This option is deselected by
default; leave it disabled unless you use an ODBC interface.
CAUTION:
The default setting of the Use ODBC to Read Accounting Data checkbox results in the following:
IP addresses that were not resolved to names are not stored in the Hosts table. Note that in previous software
versions, IP addresses that were not resolved to names were stored in the Hosts table.
Parameter Definition
Resolve DNS Names for Accounting Data: Whether NetEnforcer performs DNS resolution. When
selected, IP addresses are translated to host names for the Accounting module. Ensure that
you have defined a DNS server (or servers) in the IP & Host Name tab.
In the example on page 4-29, data is recorded each hour (or when data reaches a certain
amount of memory) and data is deleted from the server after seven days.
External Accounting
Parameter Definition
Dispatch Accounting Data to External Repository Defined Below: Whether NetEnforcer
dispatches accounting data to the external server indicated in this tab. Accounting data
is not dispatched unless this checkbox is selected.
Primary Server Host Name / IP Address: The host name or IP address of the primary external
accounting server.
Secondary Server Host Name / IP Address: The host name or IP address of the secondary
external accounting server.
RADIUS Setup
The RADIUS Setup tab includes parameters that enable you to export accounting data
to a RADIUS server. The RADIUS Setup parameters are only relevant when
NetAccountant is enabled in your system. (This is indicated in the Product Ids & Key
tab.) The NetAccountant module is described in the NetAccountant User's Manual.
NOTE:
You can configure NetEnforcer to send accounting data to both its own accounting database and to a
RADIUS server. If you are using RADIUS, ensure that you configure parameters in the
Accounting/RADIUS Storage tab as well.
Parameter Definition
# of Failed Messages Before Switch to Other Server: The number of unsuccessful attempts to
send a message that NetEnforcer makes before switching to the other (secondary) server.
The value must be between 1 and 200.
Send RADIUS Stop Messages Only: Whether NetEnforcer sends only RADIUS accounting Stop
messages to the RADIUS server, and no Start messages.
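The following is an added example, not code from the NetEnforcer product, showing what the two RADIUS Setup parameters above control: after N consecutive failed sends (N between 1 and 200) the dispatcher switches to the other server, and with Stop-only mode enabled only Accounting-Request packets whose Acct-Status-Type is Stop are sent at all. The packet layout and the Request Authenticator follow RFC 2866 so that a receiving RADIUS server would accept the record. The `transport` callable stands in for the UDP socket so the example runs offline; the server addresses, shared secret and session records are constructed. How the appliance retries a failed packet is not documented on this page, so this example sends each record once.

```python
"""RADIUS accounting export with primary/secondary failover (added example)."""
import hashlib
import struct
from typing import Callable, Dict, List, Tuple

ACCOUNTING_REQUEST = 4            # RADIUS code for Accounting-Request
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_INPUT_OCTETS = 42
ATTR_ACCT_OUTPUT_OCTETS = 43
ATTR_ACCT_SESSION_ID = 44
STATUS_START, STATUS_STOP = 1, 2  # Acct-Status-Type values


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, secret: bytes, session_id: str,
                             status: int, user: str,
                             in_octets: int = 0, out_octets: int = 0) -> bytes:
    attrs = (_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + _attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_ACCT_INPUT_OCTETS, struct.pack("!I", in_octets))
             + _attr(ATTR_ACCT_OUTPUT_OCTETS, struct.pack("!I", out_octets)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    # MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What the RADIUS server checks before it accepts the record."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return expected == authenticator


def _dry_run(server: str, packet: bytes) -> bool:
    """Default transport: pretend every send succeeded (no network)."""
    return True


class AccountingDispatcher:
    def __init__(self, primary: str, secondary: str, secret: bytes,
                 failures_before_switch: int, stop_only: bool = False,
                 transport: Callable[[str, bytes], bool] = _dry_run):
        if not 1 <= failures_before_switch <= 200:
            raise ValueError("failures_before_switch must be between 1 and 200")
        self.servers = [primary, secondary]
        self.secret = secret
        self.failures_before_switch = failures_before_switch
        self.stop_only = stop_only
        self.transport = transport
        self.active = 0                 # index into self.servers
        self.consecutive_failures = 0
        self.next_id = 0
        self.sent: List[Tuple[str, bytes]] = []

    @property
    def active_server(self) -> str:
        return self.servers[self.active]

    def dispatch(self, record: Dict) -> bool:
        """Send one accounting record. Returns False if the record was filtered out."""
        if self.stop_only and record["status"] != STATUS_STOP:
            return False
        packet = build_accounting_request(
            self.next_id, self.secret, record["session_id"], record["status"],
            record["user"], record.get("in_octets", 0), record.get("out_octets", 0))
        self.next_id = (self.next_id + 1) % 256
        server = self.active_server
        self.sent.append((server, packet))
        if self.transport(server, packet):
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failures_before_switch:
                self.active = 1 - self.active   # switch to the other server
                self.consecutive_failures = 0
        return True


if __name__ == "__main__":
    # Constructed scenario: the primary (192.0.2.10) is down, the secondary answers.
    def flaky(server: str, packet: bytes) -> bool:
        return server != "192.0.2.10"

    d = AccountingDispatcher("192.0.2.10", "192.0.2.11", b"example-secret",
                             failures_before_switch=3, stop_only=True, transport=flaky)
    d.dispatch({"session_id": "s1", "status": STATUS_START, "user": "alice"})  # filtered
    for n in range(4):
        d.dispatch({"session_id": f"s{n}", "status": STATUS_STOP, "user": "alice",
                    "in_octets": 1000, "out_octets": 200})
    print([srv for srv, _ in d.sent])   # three sends to .10, then one to .11
```

The authenticator is the only integrity protection accounting packets have, and it depends entirely on the shared secret, so the secret configured on NetEnforcer and on both RADIUS servers must match or every record is silently discarded by the server.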
Accounting/RADIUS Storage
The Accounting/RADIUS Storage tab includes parameters that enable you to control
the content of the traffic data stored on disk (in the case of accounting) or accumulated
in memory prior to dispatch (in the case of RADIUS). This is done by selecting the
components according to which traffic data is accumulated. To accumulate traffic data
means to accumulate the byte count of connections with the same components. The
Accounting/RADIUS Storage parameters are only relevant when NetAccountant is
configured in your system. The NetAccountant module is described in the
NetAccountant User's Manual.
NOTE:
If you are using accounting or RADIUS, ensure that you configure parameters in the Internal Accounting
and RADIUS Setup tabs as well.
When creating a report in NetAccountant, you select the connection components that
will be included in the report. The connection components available for selection are
determined by the parameters selected in the Accounting/RADIUS Storage tab.
For accounting users, it is recommended not to select too many parameters, in order to
avoid flooding the accounting database. The more entities you select, the longer it takes
NetEnforcer to export and save data, and the longer it takes to generate accounting
reports. For hosts, recording data on an internal/external host basis rather than on a
client/server basis requires far fewer resources. It is therefore recommended to select
the first radio button in the Hosts Recording area.
The items available for selection are described below.
In the Hosts Recording area, select one of the radio buttons.
• If you select the first radio button, you can select one of the following from the
dropdown list:
• Internal Hosts: Information about traffic coming from each internal IP address is
recorded.
• External Host: Information about traffic coming from each external IP address is
recorded.
• Internal & External Host: Information about traffic coming from each internal
and external IP address is recorded.
• If you select the second radio button, you can select one of the following from the
dropdown list:
• Client: Information about the source of traffic under which the traffic was
classified is recorded.
• Server: Information about the destination of traffic under which the traffic was
classified is recorded.
• Client & Server: Information about the source and the destination of traffic under
which the traffic was classified is recorded.
• If you select the third radio button, no hosts are recorded.
CAUTION:
If you choose to record hosts by client or server, many records may be generated. For example, if you
select Server, a record is created for each distinct server that was connected to, which can be a very
large number if users are, for example, browsing the Internet.
In addition, you can select any or all of the entities in the Entity Recording area:
Pipe: Information about the Pipe under which the traffic was classified. This includes
explicitly defined Pipes and any Pipe instances that result from a Pipe template.
Virtual Channel: Information about the Virtual Channel under which the traffic was
classified. This includes explicitly defined Virtual Channels and any Virtual Channel
instances that result from a Pipe template.
Service: Information about the Service Catalog entry under which the traffic was
classified.
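The following is an added example, not code from the NetEnforcer product, that serves two parts of this section: the Internal Accounting parameters (data saved at a granularity of at least one hour and purged once older than the retention period) and the Hosts Recording and Entity Recording selections in this tab (one record per distinct combination of the selected components, holding the accumulated byte counts). It also shows, on constructed traffic, why Client/Server recording produces far more records than Internal/External recording for the same connections. The internal address range, the connection fields and the sample traffic are assumptions made for illustration.

```python
"""Accumulating accounting records by recording components, granularity and retention
(added example, not NetEnforcer code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: the site's internal range
HOUR, DAY = 3600, 86400
HOST_MODES = ("internal", "external", "internal_external",
              "client", "server", "client_server", "none")


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def host_component(conn: Dict, mode: str) -> Tuple[str, ...]:
    """The key fields contributed by the Hosts Recording radio-button choice."""
    if mode not in HOST_MODES:
        raise ValueError(f"unknown hosts recording mode {mode!r}")
    client, server = conn["client_ip"], conn["server_ip"]
    ends = [client, server]
    internal = next((e for e in ends if is_internal(e)), "")
    external = next((e for e in ends if not is_internal(e)), "")
    return {
        "internal": (internal,),
        "external": (external,),
        "internal_external": (internal, external),
        "client": (client,),
        "server": (server,),
        "client_server": (client, server),
        "none": (),
    }[mode]


def accumulate(conns: Iterable[Dict], host_mode: str,
               entities: Tuple[str, ...] = ("pipe", "vc", "service"),
               granularity_hours: int = 1) -> Dict[tuple, List[int]]:
    """One record per (time bucket, hosts, entities); value is [bytes_in, bytes_out]."""
    if granularity_hours < 1:
        raise ValueError("the minimum granularity is one hour")
    bucket_len = granularity_hours * HOUR
    store: Dict[tuple, List[int]] = defaultdict(lambda: [0, 0])
    for conn in conns:
        bucket = conn["ts"] - conn["ts"] % bucket_len   # timestamp truncated to the bucket
        key = (bucket,) + host_component(conn, host_mode) + tuple(conn[e] for e in entities)
        store[key][0] += conn["bytes_in"]
        store[key][1] += conn["bytes_out"]
    return dict(store)


def purge(store: Dict[tuple, List[int]], now_ts: int, retention_days: int) -> int:
    """The nightly job: drop buckets older than the retention period; return how many."""
    cutoff = now_ts - retention_days * DAY
    stale = [key for key in store if key[0] < cutoff]
    for key in stale:
        del store[key]
    return len(stale)


def sample_connections(ts: int = 1_073_700_000) -> List[Dict]:
    """Constructed traffic: 3 internal clients each fetching from 50 external servers."""
    return [{"ts": ts, "client_ip": f"10.0.0.{c + 1}", "server_ip": f"203.0.113.{s + 1}",
             "pipe": "Fallback", "vc": "Web", "service": "HTTP",
             "bytes_in": 1000 + s, "bytes_out": 300}
            for c in range(3) for s in range(50)]


if __name__ == "__main__":
    conns = sample_connections()
    for mode in ("internal", "server", "client_server"):
        print(f"{mode:15s} -> {len(accumulate(conns, mode))} records")
    store = accumulate(conns + sample_connections(ts=1_073_700_000 - 40 * DAY), "internal")
    print("purged", purge(store, 1_073_700_000 + DAY, retention_days=30), "stale records")
```

With 150 connections the same traffic yields 3 records in Internal Hosts mode, 50 in Server mode and 150 in Client & Server mode, which is the growth the caution above warns about; the entity columns multiply that count further for every distinct Pipe, Virtual Channel or Service.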
LDAP/Text Source
The LDAP/Text Source tab includes parameters that define the refresh rate for Host
Catalog definitions that reference an LDAP server or text source file.
Parameter Definition
Refresh any LDAP- Select this checkbox to refresh LDAP and text information
based…. every time the Policy Editor is saved.
VLAN
The VLAN (Virtual Local Area Network) tab enables you to determine that the
NetEnforcer is managed through specified VLAN-tagged traffic. For more information
on VLANs refer to VLAN Catalog Editor in Chapter 7, Defining Catalog Entries.
CAUTION:
Once this option is set and a VLAN ID is specified, NetEnforcer accepts management traffic only when it is
tagged with that VLAN ID.
If you specify the wrong VLAN ID, the NetEnforcer GUI waits for management traffic from a VLAN that never
carries it, and the device becomes unreachable for management.
If this option was specified erroneously, recover by following the procedure in Chapter 2, Installing
NetEnforcer, Setting Up NetEnforcer, or contact an Allot Communications service engineer.
To work in a VLAN environment check the checkbox and insert a number in the VLAN
ID field. Management of the NetEnforcer traffic can only be through one VLAN,
therefore the VLAN ID number must be consistent for operations within a specific
NetEnforcer.
The VLAN tab includes the following parameters:
Parameter Definition
The NetEnforcer's Management Traffic is VLAN Tagged: Check this box to specify that
NetEnforcer is managed through a VLAN. Checking this box enables the VLAN ID field.
Alerts
The Alerts tab enables you to configure alert functionality. For more information on
alerts, refer to Chapter 9, NetEnforcer Alerts.
Parameter Definition
SMS Email Address The email address of the SMS target.
Source Email Address The email address of the source (e.g., the IT
manager’s email address).
SMTP Server The address of the SMTP server.
For additional details regarding the prevention and handling of DoS attacks, refer to Chapter 10,
Detecting Security Threats.
Backing Up Configuration
The Backup Configuration option enables you to back up configuration to a server and
restore it to NetEnforcer at any time.
To back up configuration:
1. From the Options menu in the NetEnforcer Configuration window, select Backup
Configuration. The Backup Configuration dialog box is displayed:
Restoring Configuration
The Restore Configuration option enables you to restore a backed up configuration
file to NetEnforcer at any time.
To restore a configuration file:
1. From the Options menu in the NetEnforcer Configuration window, select Restore
Configuration. The Restore Configuration dialog box is displayed:
Verifying Configuration
The Setup Verification option enables you to verify the configuration of selected
peripheral devices.
To verify configuration:
1. From the Options menu in the NetEnforcer Configuration window, select Setup
Verification. The Setup Verification dialog box is displayed:
Introducing NetWizard
NetWizard is a NetEnforcer tool that uses auto-discovery to detect the protocols in a
network, enabling the network manager to quickly define QoS policies for each type of
protocol in the network. This, in turn, improves the efficiency and application response
time of the network. Several NetWizards can run in parallel, allowing several links to be
monitored and configured at once.
NetWizard automatically identifies the traffic protocols in your network and then guides
you through the QoS configuration process, working together with the NetEnforcer
Policy Editor, allowing you to assign minimum and maximum bandwidth and priority
for the various protocols. Simply open the Policy Editor while working in NetEnforcer
to have complete control over your new policies. NetWizard allows you to dynamically
and interactively build the Policy Table based on real-time monitoring information.
With NetWizard, you need not be initially acquainted with every protocol or the traffic
patterns in your network in order to define QoS policy. Once you make your initial
selections, a QoS policy is generated, enabling NetEnforcer to enforce that policy in
your network. NetWizard monitoring can be paused to allow you to add new Service
VCs to the policy table and then restarted with the changes already in place. Further
refinement of the policy is possible at any time with NetEnforcer tools such as the
Policy Editor and Catalog Editors. Policies defined using the NetWizard will
automatically update the policy table.
4. In the Pipe Coverage area, select the Pipe whose traffic NetWizard will monitor in
one of the following ways:
• Select Pipe, click the browse button and select a Pipe whose traffic NetWizard
will monitor. By default, the default Fallback Pipe is selected. If you have not
yet defined additional Pipes (described in Chapter 8, Defining Policies), there is
no need to change the selection.
• Select A new pipe if you want to create a new Pipe whose traffic NetWizard will
monitor.
5. Click Next. If you selected to create a new Pipe in Step 4, the following screen is
displayed. (If you selected a specific Pipe in Step 4, go to Step 8.)
6. In the New Pipe Name field, enter a name for the Pipe.
To remove an address from the Target Address(es) list, select the address in the list and click .
8. Click Next. The NetWizard Monitoring window is displayed, showing the Graphs
view:
NOTE:
If for any reason your system crashed during a previous NetWizard monitoring session, a message is
displayed asking whether you want to continue the previous session or start a new one.
You can view the information collected during the monitoring session either in
real-time (during the monitoring session) or once the monitoring session is finished.
The progress of the monitoring session is indicated in the status bars in the lower
section of the Monitoring window.
The status bar on the left estimates the amount of time left until NetEnforcer completes
a sample and updates the Monitoring window. The default sample period is 30 seconds.
In the example on page 5-6, there are 20 seconds left to the end of the sample period, at
which time NetEnforcer will update the monitoring window.
The status bar on the right indicates the time remaining in the monitoring session. In the
example on page 5-6, there are 28 minutes, 13 seconds left in the monitoring session.
The NetWizard Monitoring window includes the following buttons:
Button Description
Viewing Graphs
The Graphs view, shown on page 5-6, displays a graphical representation of bandwidth
usage in your network and the cumulative protocol rate for the various protocols in your
network traffic during the current monitoring session. You can display this information
for either inbound or outbound traffic by clicking the Inbound/Outbound button at the
top-right side of the Monitoring window. To display the Graphs view, click the Graphs
button.
TIP:
Hold down the <Shift> key and drag the mouse in the pie chart area to toggle the 3D effect.
Bandwidth Usage
The bandwidth usage graph on the left of Graphs view displays the percentage of the
total capacity of bandwidth used by cumulative inbound/outbound traffic.
In the example shown on page 5-6, the maximum capacity of the WAN interface is
45Mbps and the total cumulative bandwidth usage is 0.01% of the available WAN
bandwidth. The bar is blue when less than 90% of bandwidth is used, and becomes red
when it passes 90%.
Viewing Statistics
The Statistics view, shown below, displays traffic usage statistics. You can display this
information for either inbound or outbound traffic by clicking the Inbound/Outbound button
at the top-right side of the Monitoring window. To access the Statistics view, click the
Statistics button.
The Statistics view displays a table of all protocols passing through your network
during the monitoring session and includes the following information:
Protocol Name The name of the protocol.
% of Relative Usage The percentage of the total used bandwidth that the protocol
used.
Rate (Kbps) The average number of kilobits per second used by the
protocol.
% of Total BW The percentage of the total available bandwidth for the Pipe
used by the protocol.
The protocols are displayed in descending order, with the most active protocol at the
top.
Below the table of protocols, the following bandwidth information is displayed:
Max. Used The maximum amount of bandwidth used during this
monitoring session.
Cumulative Avg. Used The average bandwidth used during this monitoring session
for all protocols.
Capacity The maximum amount of bandwidth available.
Viewing Information
The Information view, shown below, displays information about the monitoring session.
You can display this information for either inbound or outbound traffic by clicking the
Inbound/Outbound button at the top-right side of the Monitoring window. To access
the Information view, click the Information button.
Defining Policies
A monitoring session may be paused at any time to allow you to compare the traffic
statistics you have received thus far with the business priorities of your organization and
use the information to begin creating a QoS policy to improve the performance of your
network. Monitoring may be restarted once you have set the policies you wish. In this
way, you can create your QoS policy step by step as you learn more about your
network’s bandwidth usage.
In order to set a QoS policy for a protocol, you specify one or more of the following:
• The minimum bandwidth you want for the protocol.
• The maximum bandwidth you want for the protocol.
• The priority you want to give to the protocol.
NOTE:
QoS is defined for both inbound and outbound traffic.
When the monitoring session is paused, NetEnforcer stops monitoring network traffic
for the time being and displays the Policy Definition window.
If required, you can also end the monitoring session before it has finished. Click Cancel
in the Monitoring window. A confirmation message is displayed. Click Yes to end the
monitoring session. Any data collected up to that point will be lost.
3. Specify the priority given to a specific protocol by clicking the Priority field and
selecting High, Medium or Low from the dropdown list. For example, if you want a
specific protocol to receive top priority, select High.
NOTE:
If two protocols have the same priority and there is not enough bandwidth available for both, the
available bandwidth is split evenly between them.
4. Select the Assign checkbox to the left of the protocol name to assign the QoS policy
that you defined in steps 2 and 3 to the protocol upon saving.
NOTE:
You do not have to specify all three of the QoS definitions for each protocol.
5. In the Fallback fields at the lower left of the screen, repeat steps 2 through 4 to
define a default QoS policy. This policy is applied to protocols that do not have a
specific policy defined for them.
NOTE:
If required, click Assigned in the View Protocols area to display only those protocols that have been
assigned a QoS policy. Clicking All redisplays all protocols.
7. Click Yes to save your definitions. NetEnforcer now enforces the QoS policies that
you defined.
8. Click Close to close NetWizard.
QoS Examples
This section provides some examples of QoS settings and how they may affect your
network traffic.
Example 1
NETBIOS-UDP Protocol Min BW: 20%
Inbound traffic has a maximum capacity of 100Mbps and outbound traffic has a
maximum capacity of 50Mbps.
This means that inbound NETBIOS-UDP traffic is guaranteed 20Mbps of bandwidth
and outbound NETBIOS-UDP traffic is guaranteed 10Mbps of bandwidth.
Example 2
HTTP Protocol Priority: High
FTP Protocol Priority: Medium
Total bandwidth for inbound traffic is 30Mbps.
If 20Mbps of HTTP traffic and 20Mbps of FTP traffic arrive at the same time, the HTTP
traffic is given priority: HTTP receives its full 20Mbps of bandwidth and FTP gets the
remaining 10Mbps. When more bandwidth becomes available, FTP gets the rest.
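The following is an added example, not code from the NetEnforcer product, that works through Example 1 and Example 2 above with a small allocator modelling the three QoS settings NetWizard lets you assign per protocol (minimum bandwidth, maximum bandwidth, priority) plus the Fallback policy: minimum guarantees are honoured first, the rest of the link is handed out in priority order, and protocols of equal priority split what is left evenly, as the note in step 3 describes. The allocation strategy itself (two passes with water-filling inside a priority group) is an assumption for illustration; the appliance's actual scheduler is not documented on this page. The demands are constructed.

```python
"""Bandwidth allocation under min / max / priority QoS settings (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Policy:
    min_pct: float = 0.0              # guaranteed share of link capacity, in %
    max_pct: Optional[float] = None   # cap as a share of capacity, in % (None = no cap)
    priority: str = "Medium"


def allocate(capacity_mbps: float, demand_mbps: Dict[str, float],
             policies: Dict[str, Policy], fallback: Policy = Policy()) -> Dict[str, float]:
    """Return the bandwidth (Mbps) each protocol gets in one direction of the link."""
    if capacity_mbps <= 0:
        raise ValueError("capacity must be positive")
    policy_of = {p: policies.get(p, fallback) for p in demand_mbps}
    # A protocol never receives more than it demands or more than its maximum.
    ceiling = {p: (demand_mbps[p] if policy_of[p].max_pct is None
                   else min(demand_mbps[p], capacity_mbps * policy_of[p].max_pct / 100))
               for p in demand_mbps}
    # Pass 1: guarantee minimums regardless of priority (Example 1).
    alloc = {p: min(ceiling[p], capacity_mbps * policy_of[p].min_pct / 100)
             for p in demand_mbps}
    remaining = capacity_mbps - sum(alloc.values())
    if remaining < 0:
        raise ValueError("minimum guarantees exceed link capacity")
    # Pass 2: serve priority groups in order (Example 2); within a group,
    # share evenly and re-distribute what a satisfied protocol did not need.
    groups: Dict[int, List[str]] = {}
    for p in demand_mbps:
        groups.setdefault(PRIORITY_RANK[policy_of[p].priority], []).append(p)
    for rank in sorted(groups):
        hungry = [p for p in groups[rank] if alloc[p] < ceiling[p]]
        while hungry and remaining > 1e-9:
            share = remaining / len(hungry)
            for p in list(hungry):
                given = min(share, ceiling[p] - alloc[p])
                alloc[p] += given
                remaining -= given
                if ceiling[p] - alloc[p] < 1e-9:
                    hungry.remove(p)
    return alloc


if __name__ == "__main__":
    # Example 1: NETBIOS-UDP Min BW 20%, competing with saturating High-priority HTTP.
    ex1 = {"NETBIOS-UDP": Policy(min_pct=20), "HTTP": Policy(priority="High")}
    print("inbound 100 Mbps :", allocate(100, {"NETBIOS-UDP": 50, "HTTP": 500}, ex1))
    print("outbound 50 Mbps :", allocate(50, {"NETBIOS-UDP": 50, "HTTP": 500}, ex1))
    # Example 2: HTTP High, FTP Medium, 30 Mbps inbound, 20 Mbps of each offered.
    ex2 = {"HTTP": Policy(priority="High"), "FTP": Policy(priority="Medium")}
    print("example 2        :", allocate(30, {"HTTP": 20, "FTP": 20}, ex2))
    print("equal priority   :", allocate(30, {"HTTP": 20, "FTP": 20}, {}))
```

The minimum is what protects a protocol from a higher-priority neighbour: in Example 1, NETBIOS-UDP keeps its 20 Mbps inbound and 10 Mbps outbound even though HTTP at High priority would otherwise take the whole link.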
This chapter describes monitoring with the NetEnforcer monitoring tool. The
monitoring tool helps you analyze the traffic flowing through your NetEnforcer and aids
you in determining the optimum configuration for your system.
Overview
NetEnforcer's monitoring tool enables you to monitor applications, protocols, policies,
clients and servers in real time and to verify enforcement of the most suitable QoS
policy.
Different applications, such as e-Business, ERP and real-time applications require
performance guarantees. Other mission-critical applications may suffer from a shortage
of bandwidth, while non-critical Web browsing and batch traffic, such as mail and FTP,
may use up network resources. In other network setups, some users require a higher
level of service than others. For example, internationally dispersed branch offices have
expensive narrow WAN links to headquarters and many different users share the same
bandwidth. On campuses, students overload network resources (WAN connection,
caches, servers) with excessive requests for service (audio traffic), while the
administration suffers from reduced available bandwidth and longer response time.
Therefore, your ability to monitor network performance determines your success in
fine-tuning network performance based on your business requirements. The monitoring
tool is designed to help you fine-tune your network performance.
When and where your network has peaks, bursts and bottlenecks is hard to predict. The
monitoring tool enables you to see these peaks in real time, which is crucial to
managing these unwanted phenomena.
NetEnforcer enables you to monitor network traffic on three levels, as follows:
• NetEnforcer Level: Where you can monitor traffic on NetEnforcer as a whole.
• Pipe Level: Where you can monitor traffic for a specific Pipe(s).
• Virtual Channel Level: Where you can monitor traffic for a specific Virtual
Channel(s) within Pipe(s).
Using the monitoring tool, you can view different graphs at each level. The different
graphs are described in Monitoring Graphs, page 6-21. All graphs are displayed in the
NetEnforcer Monitoring window and share common functionality. A quick tour of the
NetEnforcer Monitoring window is provided on page 6-6. You can display up to ten
monitoring windows at the same time and display them as your Favorite View.
There are several different types of graphs, and different formats in which graphs can be
displayed. Graph types and formats are described in the following pages.
Graph Types
NetEnforcer displays monitoring information in two types of graphs, as follows:
• Current/Cumulative: Displays information per sample period. A Current-type
graph displays information for the latest whole sample period only. The sample
period is defined in your system parameters, described in Chapter 4, Configuring
NetEnforcer. A Cumulative-type graph displays the average over the last X samples,
where X is between 1 and 144 and is defined in the graph settings described on
page 6-18. For example, with X set to 100: when the graph is created, the
cumulative value covers all samples from the start of the graph until 100 samples
have passed; when sample 101 arrives, samples 2 through 101 are averaged, and so
on, so only the last 100 samples ever contribute to the average. Current-type
graphs can also be displayed as Cumulative-type graphs and vice versa.
NOTE:
The Utilization graph, described on page 6-32, can only be displayed as a Current-type graph.
• Continuous: Displays information for a range of time. The range of time for which
the graph is relevant is displayed along the X-axis of the graph, and is defined in the
graph settings, described on page 6-18. The Pipes Distribution, Virtual Channels
Distribution, Dropped Packets, Bandwidth and Connections graphs are
Continuous-type graphs.
Graph Views
By default, data is displayed in a chart or graph. However, you can also display the
values in table format, as well as the definitions for each graph. These different views
are called Chart View, Table View and Definitions View, and examples are shown
below.
Figure 6-2 – Graph Views (Chart View, Table View and Definitions View)
Graph Styles
When in Chart View, you can alternate the layout style of the graph between a Bar chart
and a Pie chart or between a Line chart and a stacked Area chart. Different graphs have
different styles. For example, a Pipes Distribution graph (described on page 6-25) can
be displayed as a Line chart or Area chart. A Most Active Clients graph (described on
page 6-48) can be displayed as a Bar chart or Pie chart.
Following are examples of different graph styles.
Click in the toolbar at anytime to display a tooltip describing these zoom and move actions.
In/Out Bandwidth
The monitoring graphs display information about bandwidth consumed by inbound and
outbound traffic, as follows:
Inbound Bandwidth consumed by incoming traffic only.
Outbound Bandwidth consumed by outgoing traffic only.
In/Out Bandwidth consumed by both incoming and outgoing traffic.
Clicking a point in a monitoring graph displays the bandwidth value at the selected
point, as shown below:
The menu bar and toolbar are similar for all graph types, and are described on the
following pages. The graph display area varies according to the graph displayed. The
different monitoring graphs are described on page 6-21.
NOTE:
Up to ten Monitoring windows can be displayed simultaneously.
NOTE:
Monitoring graphs are named as follows: (name of graph) for (name of VC)_(name of Pipe). For example,
Most Active Servers for VC1_Gold Pipe.
2. Select the Pipe by which to filter the selected monitoring graph and click OK. The
selected monitoring graph for the selected Pipe is displayed in the Monitoring
window.
NOTE:
You can also display a monitoring graph for a Pipe by right-clicking the Pipe in the Policy Editor and
selecting Monitoring, then the monitoring graph required.
2. Select the Virtual Channel by which to filter the selected monitoring graph and click
OK. The selected monitoring graph for the selected Virtual Channel is displayed in
the Monitoring window.
NOTE:
You can also display a monitoring graph for a Virtual Channel by right-clicking the Virtual Channel in
the Policy Editor and selecting Monitoring, then the monitoring graph required.
File Menu
Pause Graph: Suspends the visual update of the graph. Clicking Pause Graph again
restores the visual update.
Print: Prints the graph.
Add to Long-Term Monitoring Requests: Makes the selected graph available through
NetHistory. Refer to Long-term Monitoring with NetHistory on page 6-51.
Exit: Closes the graph.
Edit Menu
Other Targets for… Enables you to quickly open the same graph for a different
target. For example, when the Most Active Clients graph is
open at NetEnforcer level, you can also open the Most Active
Clients graph at Pipe and Virtual Channel level.
View Menu
Style Menu
Bar Chart Displays a Pie chart as a Bar chart. Refer to Graph Styles,
page 6-6.
Pie Chart Displays a Bar chart as a Pie chart. Refer to Graph Styles,
page 6-6.
Line Chart Displays a stacked Area chart as a Line chart. Refer to
Graph Styles, page 6-6.
Area Chart Displays a Line chart as a stacked Area chart. Refer to
Graph Styles, page 6-6.
Help Menu
Other Graphs for …: Enables you to quickly open any other graph for the same target.
For example, when a graph is opened at NetEnforcer level, you can open any other graph
at NetEnforcer level.
Other Targets for …: Enables you to quickly open the same graph for a different target.
For example, when the Most Active Clients graph is open at NetEnforcer level, you can
also open the Most Active Clients graph at Pipe and Virtual Channel level.
Chart: Displays the graph in Chart View. Refer to Graph Views, page 6-5.
Table: Displays the graph in Table View. Refer to Graph Views, page 6-5.
Definitions: Displays the graph in Definitions View. Refer to Graph Views, page 6-5.
Style: Enables you to change the style of the graph. Refer to Graph Styles, page 6-6.
Hide Menu Bar: Hides the menu bar, toolbar and status bar. Click the icon at the top of
the graph to redisplay them. This is useful for maximizing graph space.
Zoom: Displays a tooltip describing the zoom and move graph functions.
Help: Provides access to online help.
2. From the Monitoring menu, select Settings and then Save as My Favorite View.
The current arrangement of Monitoring windows is saved as the Favorite View. The
Favorite View is also preserved for future sessions when NetEnforcer is accessed
from the same client machine.
Monitoring Settings
The Monitoring Settings enable you to specify the number of Pipes, Virtual Channels,
Protocols, Clients and Servers displayed in the Most Active graphs, and the time span
for continuous graphs.
To define settings:
1. From the Monitoring menu, select Settings and then Graphs Features. The Graphs
Features dialog box is displayed:
Number of Most Active Pipes and VCs (1-25): The number, between 1 and 25, of Pipes and
Virtual Channels displayed in the Most Active Pipes and Most Active Virtual Channels
graphs.
Number of Most Active Protocols (1-25): The number, between 1 and 25, of Protocols
displayed in the Most Active Protocols graphs.
Number of Most Active Hosts, Clients and Servers (1-25): The number, between 1 and 25, of
Hosts, Clients and Servers displayed in the Most Active Hosts, Clients and Servers graphs.
Time Span for Continuous Graphs, Minutes (1-60) or Hours (1-24): The period of time,
between 1 and 60 minutes or between 1 and 24 hours, over which the data for
Continuous-type graphs is displayed. This is the maximal width of the X-axis for these
graphs.
Data Collection Range (in number of samples) for Cumulative Graphs (1-144): The number of
samples used to calculate the average sample for Cumulative-type graphs. For example,
when 10 is specified, a Cumulative-type graph displays an average of the data collected
during the last 10 sample periods.
Number of Last Used Graphs (1-15): The number of most recently viewed graphs to display
below the other options in the Monitoring menu.
Details for 'Most Active' Graphs: If you select Yes, the following occurs. In Protocols
graphs, for any protocol that is not a service, the port number is displayed as part of
the legend. In any Hosts/Clients/Servers graphs, the IP address is displayed as part of
the legend, as shown below:
Monitoring Graphs
The NetEnforcer Monitoring window provides many different graphs. Some of the
graphs can be displayed for all three levels, while others can only be displayed for a
single level. At NetEnforcer level, some graphs can be displayed for the whole
NetEnforcer or for a selected Protocol, Host, Client or Server. At all levels, some graphs
can be displayed showing inbound bandwidth only, outbound bandwidth only or total
bandwidth.
The following table lists the monitoring graphs, indicating at which level they are
available as well as their graph type:
Graph Name: Levels at which it is available; Graph Type
Pipes Distribution: NetEnforcer level; Continuous
Virtual Channels Distribution: Pipe level; Continuous
Bandwidth: NetEnforcer, Pipe and VC levels; Continuous
Connections: NetEnforcer, Pipe and VC levels; Continuous
Utilization: NetEnforcer, Pipe and VC levels; Current
Packets: NetEnforcer, Pipe and VC levels; Continuous
Most Active Pipes: NetEnforcer level; Current/Cumulative
Most Active Virtual Channels: NetEnforcer and Pipe levels; Current/Cumulative
Pipes Distribution
The Pipes Distribution monitoring graph is available at the NetEnforcer level only. It
displays the bandwidth consumed by the Pipes in your network. You can view inbound
and outbound bandwidth together (shown below) or separately.
The Pipes Distribution graph can be displayed as a stacked Area chart (above) or as a
Line chart.
As a Continuous-type graph, the Pipes Distribution graph displays information for a
specified range of time. The range of time for which the graph is relevant is displayed
along the X-axis of the graph and is defined in the graph settings, described on
page 6-18.
NOTE:
Clicking a point in a Continuous-type graph displays the bandwidth value at the selected point.
The Pipes Distribution graph displays the average bandwidth in Kbps consumed by
each selected Pipe. You can also display the active average bandwidth consumed by
each Pipe, meaning the amount of bandwidth consumed divided by the length of the
sample period when there actually was traffic.
You can simultaneously view other monitoring graphs for a specific Pipe by
right-clicking the required Pipe in the graph, or in the list on the right side of the
window, and selecting the graph that you want to see from the displayed popup menu.
Virtual Channels Distribution
The Virtual Channels Distribution graph can be displayed as a stacked Area chart or as
a Line chart (above).
As a Continuous-type graph, the Virtual Channels Distribution graph displays
information for a specified range of time. The range of time for which the graph is
relevant is displayed along the X-axis of the graph and is defined in the graph settings,
described on page 6-18.
The Virtual Channels Distribution graph displays the average bandwidth in Kbps
consumed by each selected Virtual Channel. You can also display the active average
bandwidth consumed by each Virtual Channel, meaning the amount of bandwidth
consumed divided by the length of the sample period when there actually was traffic.
NOTE:
For example, in a sample period of 60 seconds, traffic is 300Kbps for 30 seconds, and there is no traffic for
the remaining 30 seconds. The average bandwidth is 150Kbps since the whole sample period is considered.
The active average bandwidth is 300Kbps.
You can simultaneously view other monitoring graphs for a specific Virtual Channel by
right-clicking the required Virtual Channel in the graph or in the list on the right side of
the window, and selecting the graph that you want to see from the displayed popup
menu.
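The averaging rules above (the whole-period average versus the active average in the note, and the Cumulative-graph average over the last N sample periods from the Data Collection Range setting) are small enough to be easy to misread. The following is an added illustration, not NetEnforcer code; the per-second sample values are constructed to match the 60-second example in the note, and the 1-144 limit is the setting's documented range.

```python
"""Sample-period averaging as the Pipes / Virtual Channels Distribution
graphs describe it: plain average, active average (traffic-carrying
seconds only) and the Cumulative-graph average over the last N sample
periods. Added illustration; not NetEnforcer code. The per-second
samples below are constructed to match the manual's 60-second example."""
from typing import Optional, Sequence


def average_bandwidth(samples_kbps: Sequence[float]) -> float:
    """Average over the whole sample period: idle seconds count as 0 Kbps."""
    if not samples_kbps:
        raise ValueError("a sample period needs at least one sample")
    return sum(samples_kbps) / len(samples_kbps)


def active_average_bandwidth(samples_kbps: Sequence[float]) -> Optional[float]:
    """Average over only the seconds that actually carried traffic.

    Returns None for a period with no traffic at all: there is no active
    time to divide by, and reporting 0 would be indistinguishable from a
    period that carried traffic at a very low rate."""
    active = [s for s in samples_kbps if s > 0]
    if not active:
        return None
    return sum(active) / len(active)


def cumulative_average(period_averages: Sequence[float], data_collection_range: int) -> float:
    """Value a Cumulative-type graph shows: the mean of the averages of the
    last `data_collection_range` whole sample periods (the 1-144 setting).
    Fewer completed periods than the range simply shortens the window."""
    if not 1 <= data_collection_range <= 144:
        raise ValueError("Data Collection Range must be between 1 and 144 samples")
    window = list(period_averages[-data_collection_range:])
    if not window:
        raise ValueError("no completed sample periods yet")
    return sum(window) / len(window)


# Constructed: one 60-second sample period, 300 Kbps for 30 s, then idle.
EXAMPLE_PERIOD_KBPS = [300.0] * 30 + [0.0] * 30
# Constructed: the whole-period averages of three consecutive sample periods.
EXAMPLE_PERIOD_AVERAGES = [150.0, 300.0, 0.0]

if __name__ == "__main__":
    print("average:", average_bandwidth(EXAMPLE_PERIOD_KBPS))                 # 150.0
    print("active average:", active_average_bandwidth(EXAMPLE_PERIOD_KBPS))   # 300.0
    print("cumulative, last 2:", cumulative_average(EXAMPLE_PERIOD_AVERAGES, 2))  # 150.0
```

The practical point is the None return: an active average exists only when some sample in the period carried traffic, so a graph that shows a low active average is reporting real traffic, not an idle link.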
Bandwidth
The Bandwidth monitoring graph is available at the NetEnforcer, Pipe and Virtual
Channel levels. It displays bandwidth information for NetEnforcer or a selected Pipe or
Virtual Channel.
The Bandwidth graph is displayed as a Line chart. You cannot change this display.
As a Continuous-type graph, the Bandwidth graph displays information for a specified
range of time. The range of time for which the graph is relevant is displayed along the
X-axis of the graph and is defined in the graph settings, described on page 6-18.
The following information can be viewed in the Bandwidth graph:
In-Bandwidth The bandwidth consumed by incoming traffic for the selected
Pipe or Virtual Channel.
Out-Bandwidth The bandwidth consumed by outgoing traffic for the selected
Pipe or Virtual Channel.
Lines indicating the minimum and maximum bandwidth may be displayed in the graph,
using additional options available in the Style menu, as follows:
• No Min/Max Lines: No lines indicating minimum or maximum bandwidth are
displayed in the Bandwidth graph. This is the default display.
• Inbound Min/Max Lines: Lines indicating minimum and maximum inbound
bandwidth are displayed in the Bandwidth graph.
• Outbound Min/Max Lines: Lines indicating minimum and maximum outbound
bandwidth are displayed in the Bandwidth graph.
NOTE:
These additional options are only available when minimum and maximum bandwidths are defined for the
Pipe or Virtual Channel (in the QoS Catalog entry selected as the value for the QoS of the Pipe or Virtual
Channel).
Connections
The Connections monitoring graph is available at the NetEnforcer, Pipe and Virtual
Channel levels. It displays connections information for NetEnforcer or a selected Pipe
or Virtual Channel.
SECURITY NOTE:
The Connections graph helps in DoS attack monitoring and enables you to detect DoS attacks in real time.
Look for a high number of live connections or new connections per second. This may be an indication of a
DoS attack.
The Connections graph is displayed as a Line chart. You cannot change this display.
The Connections graph has two Y-axes. On the left is the scale for live and new
connections and on the right is the scale for new connections per second. The scales are
very different.
As a Continuous-type graph, the Connections graph displays information for a specified
range of time. The range of time for which the graph is relevant is displayed along the
X-axis of the graph and is defined in the graph settings, described on page 6-18.
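The security note above says what to look for (a jump in live connections or in new connections per second) but not how to turn that into an alert. The following is an added illustration, not NetEnforcer code: it runs a simple baseline check over the two quantities the Connections graph plots. The samples are constructed, and the baseline length, ratio, absolute floor and the assumed connection-count limit are choices made for this example, not product settings.

```python
"""Connection-flood detection over the quantities the Connections graph
plots: live connections and new connections per second. Added
illustration; not NetEnforcer code. Samples are constructed, and the
thresholds and the assumed connection-count limit are example choices."""
import statistics
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ConnSample:
    t: int               # seconds since the start of the monitoring window
    live: int            # live connections at the sample instant
    new_per_sec: float   # new connections per second over the sample interval


Alert = Tuple[int, str, float, float]  # (t, reason, observed value, reference value)


def detect_connection_floods(
    samples: Sequence[ConnSample],
    baseline_len: int = 6,
    ratio: float = 5.0,
    min_new_per_sec: float = 50.0,
    live_limit: Optional[int] = None,
) -> List[Alert]:
    """Flag samples whose new-connection rate is `ratio` times the recent
    median and above an absolute floor, and samples whose live connection
    count has reached `live_limit` (for example a QoS connection-count limit).

    The baseline is the median of the last `baseline_len` quiet samples.
    Samples that trigger a rate alert are kept out of the baseline, so a
    sustained flood cannot raise the baseline and silence itself. The
    absolute floor stops a nearly idle link (baseline close to 0) from
    alerting on a handful of new connections."""
    alerts: List[Alert] = []
    quiet_history: List[float] = []
    for s in samples:
        rate_alert = False
        if len(quiet_history) >= baseline_len:
            baseline = statistics.median(quiet_history[-baseline_len:])
            if s.new_per_sec >= min_new_per_sec and s.new_per_sec >= ratio * max(baseline, 1.0):
                alerts.append((s.t, "new-connection rate", s.new_per_sec, baseline))
                rate_alert = True
        if live_limit is not None and s.live >= live_limit:
            alerts.append((s.t, "live connections at limit", float(s.live), float(live_limit)))
        if not rate_alert:
            quiet_history.append(s.new_per_sec)
    return alerts


# Constructed: ten quiet 10-second samples, then three samples of a flood.
EXAMPLE_SAMPLES = [
    ConnSample(0, 1200, 8.0), ConnSample(10, 1210, 9.0), ConnSample(20, 1190, 7.0),
    ConnSample(30, 1205, 8.0), ConnSample(40, 1230, 10.0), ConnSample(50, 1220, 9.0),
    ConnSample(60, 1215, 8.0), ConnSample(70, 1240, 11.0), ConnSample(80, 1225, 9.0),
    ConnSample(90, 1210, 8.0),
    ConnSample(100, 6000, 400.0), ConnSample(110, 9000, 450.0), ConnSample(120, 12000, 480.0),
]

if __name__ == "__main__":
    for alert in detect_connection_floods(EXAMPLE_SAMPLES, live_limit=10000):
        print(alert)
```

With the constructed samples the first flood sample at t=100 is compared against a baseline of 9 new connections per second and alerts; at t=120 the live count also reaches the assumed limit, which is the point at which a connection-count limit in the QoS Catalog would start refusing new connections.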
Utilization
The Utilization monitoring graph is available at the NetEnforcer, Pipe and Virtual
Channel levels. It displays the inbound and outbound bandwidth consumed by
NetEnforcer, or a selected Pipe or Virtual Channel, in relation to the minimum and
maximum bandwidth defined for NetEnforcer or the selected Pipe or Virtual Channel.
The Utilization graph is displayed as two horizontal bars representing inbound and
outbound bandwidth. You cannot change this display. The bandwidth consumed is
displayed in the horizontal bar and, above the horizontal bar, the consumed bandwidth
as a percentage of the maximum bandwidth is displayed.
NOTE:
The Utilization graph is not available for a Pipe or Virtual Channel for which no maximum bandwidth has
been defined (in the QoS Catalog entry selected as the value for the QoS of the Pipe or Virtual Channel).
The Utilization graph is a Current-type graph only. This means that it displays
information for the latest whole sample period only. It cannot be displayed as a
Cumulative-type graph to provide information for accumulated data.
Packets
The Packets monitoring graph is available at the NetEnforcer, Pipe and Virtual Channel
levels. It displays the number of packets passed in relation to NetEnforcer or a selected
Pipe or Virtual Channel. This enables you to plan future bandwidth requirements by
following historical trends. Refer to Long-Term Monitoring, page 6-51, on how to view
long-term trends.
You can view packets relating to inbound and outbound traffic together (shown below)
or separately.
The Packets graph is displayed as a Line chart. You cannot change this display. The
Y-axis is the scale for the number of packets passed.
As a Continuous-type graph, the Packets graph displays information for a specified
range of time. The range of time for which the graph is relevant is displayed along the
X-axis of the graph and is defined in the graph settings, described on page 6-18.
Most Active Pipes
The Most Active Pipes graph can be displayed as a Bar chart (above) or as a Pie chart.
As a Current/Cumulative-type graph, the Most Active Pipes graph displays information
for sample periods. It can be displayed as a Current-type graph (above) to provide
information for the latest whole sample period only, or as a Cumulative-type graph to
provide information for an average sample period based on the last X sample periods.
(X is defined in the graph settings, described on page 6-18.)
You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed.
Select a start time and an end time, which will define the time period for the calculation
of the average sample period shown in the graph. Click OK.
You can simultaneously view other monitoring graphs for a specific Pipe by
right-clicking the required Pipe in the graph or in the list on the right side of the
window, and selecting the graph that you want to see from the displayed popup menu.
Most Active Virtual Channels
The Most Active Virtual Channels graph can be displayed as a Bar chart or as a Pie
chart (above).
Most Active Protocols
The Most Active Protocols Distribution graph can be displayed as a Pie chart (above) or
as a Bar chart.
2. Select a Pipe and click OK. A Virtual Channel is added to the selected Pipe based on
the selected service.
NOTE:
You select a Pipe only if the Most Active Protocols graph was opened at NetEnforcer Level. If it was
opened on Pipe or Virtual Channel level, the new Virtual Channel is added automatically to the Pipe on
which the Most Active Protocols graph was opened initially.
If the selected protocol exists as an entry in the Service Catalog, the existing service
(protocol) is used. If the selected protocol does not exist as an entry in the Service
Catalog, a new service entry is created based on the monitored protocol.
Most Active Hosts
The Most Active Hosts graph can be displayed as a Bar chart (above) or as a Pie chart.
The maximum number of hosts displayed, between 1 and 25, is defined in the graph
settings, described on page 6-18.
Most Active Internal Hosts
The Most Active Internal Hosts graph can be displayed as a Bar chart (above) or as a
Pie chart.
As a Current/Cumulative-type graph, the Most Active Internal Hosts graph displays
information for sample periods. It can be displayed as a Current-type graph (above) to
provide information for the latest whole sample period only, or as a Cumulative-type
graph to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)
You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end
time, which will define the time period for the calculation of the average sample period
shown in the graph. Click OK.
The maximum number of hosts displayed, between 1 and 25, is defined in the graph
settings, described on page 6-18.
Most Active External Hosts
The Most Active External Hosts graph can be displayed as a Bar chart (above) or as a
Pie chart.
As a Current/Cumulative-type graph, the Most Active External Hosts graph displays
information for sample periods. It can be displayed as a Current-type graph to provide
information for the latest whole sample period only, or as a Cumulative-type graph
(above) to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)
You can also select a more specific and limited range within the cumulative period by
selecting Cumulative Range View from the View menu. The Cumulative Range dialog
box for the graph is displayed, as shown in Figure 6-21. Select a start time and an end
time, which will define the time period for the calculation of the average sample period
shown in the graph. Click OK.
Most Active Clients
The Most Active Clients graph can be displayed as a Bar chart (above) or as a Pie chart.
As a Current/Cumulative-type graph, the Most Active Clients graph displays
information for sample periods. It can be displayed as a Current-type graph (above) to
provide information for the latest whole sample period only, or as a Cumulative-type
graph to provide information for an average sample period based on the last X sample
periods. (X is defined in the graph settings, described on page 6-18.)
Most Active Servers
The Most Active Servers graph can be displayed as a Bar chart (above) or as a Pie chart.
Long-Term Monitoring
NetEnforcer's real-time monitoring tool provides data in intervals of one to 10 minutes
for the previous 24 hours, enabling you to monitor applications, protocols, users and
servers and to choose the most suitable QoS policy. NetEnforcer's long-term
monitoring tool enables you to monitor your network's activity over a much longer
period of time with the same look and feel as the real-time monitoring graphs. With
long-term monitoring, data going back one to two years is stored as .csv files on a
dedicated server, where other reporting tools can also use it. Each server can store data
from multiple NetEnforcers, at 30-second intervals for the last 10-40 days or at
one-hour intervals for a year or longer.
The ability to monitor applications and users is crucial in order to employ traffic
priorities based on business requirements. Monitoring helps the user to fine-tune the
network performance.
NOTE:
You must wait at least two hours before seeing any long-term graphs. If you try to view graphs before two
hours have passed, error messages will pop up.
NOTE:
It is reasonable to install the Long-Term Monitoring Agent itself on the same network PC to which it writes
the files, and to choose for that purpose an ‘enduring’ machine which will be ‘up’ permanently.
You must first install the Long-Term Monitoring Agent and then you can configure it to
collect data according to your requirements.
TIP:
Problem: Identify the source of congestion
Solution: Use Monitoring drill-down capabilities to find it.
Here is how: Look at the Pipes Distribution graph and identify the saturated link. If the saturation is
identified as inbound traffic, for example, for a particular Pipe, drill down to the Top Inbound
Protocols graph for that Pipe. If you discover that the majority of the inbound traffic is KaZaa, for
instance, drill down to the Top Internal Clients graph for KaZaa. The specific host that is saturating the
link can then be identified.
2. From the NetEnforcer Control Panel, click Tools and then select Download
Long-Term Monitoring Agent. The File Download dialog box is displayed.
3. Click Open and follow the on-screen instructions to install the Collector application.
Note the following:
• Specify the location where the Collector application should be installed.
• Enter the IP address of NetEnforcer from where you want to collect data.
• If required, you can enter a user name and password. If you do this, you will not
have to log in each time the Collector is started, because the credentials are stored
with the Collector installation; protect access to the PC that holds them. There will
also be no way to connect to a different NetEnforcer without downloading and
installing the Collector again. It is therefore recommended to enter these details
only if there is a single NetEnforcer from which you want to collect data.
When the installation process is completed, you will have the following:
• A shortcut icon on your desktop called NetEnforcer Long Term Monitoring Agent.
• A new entry in your Start > Programs folder called NetEnforcer Long Term
Monitoring Agent.
• The Long-Term Monitoring Agent also appears in Startup, enabling it to run
automatically on each reboot of your computer.
After login, the Long-Term Monitoring Agent runs in the Windows system tray, as
shown below:
NOTE:
After login, you may also see a warning message. This is expected at this stage and you should simply
click OK.
The Long-Term Monitoring Agent icon in the system tray may appear in any of the
following ways:
Icon Status
Right-clicking the Long-Term Monitoring Agent in the system tray displays the
following menu:
Collecting Data
The Long-Term Monitoring Agent application may often be left open for very long
periods of time (for example, days or weeks) in order to collect data. The Long-Term
Monitoring Agent application is robust and maintains an accurate record of data even
when the system is shutdown and rebooted. In this situation, when the Long-Term
Monitoring Agent is restarted, data collection resumes and data is appended to the data
collected prior to the shutdown.
In order to collect data for long-term monitoring, you must specify a graph as available
to long-term monitoring. Refer to Adding Graphs, page 6-62.
To collect data:
1. Open the Long-Term Monitoring Agent application using the shortcut icon on your
desktop, from the Start menu or by clicking the Long-Term Monitoring Agent icon
in the system tray. The Long-Term Monitoring Agent window is displayed.
2. If you want to adjust the location where the collected files are saved, click Pause and
click the browse button to select an alternative location. You should select a shared
directory on this network PC.
3. Click Record.
2. Click OK. (If this is not the first time you have selected the Long-Term option, the
Long Term Monitoring window is displayed directly.)
When the Long-Term Monitoring window is first opened, the long-term monitoring
data location is by default set as C:. You must change this location to the same
location as you specified in the Long-Term Monitoring Agent. Until you do so, a
warning (in red) is displayed in the upper right corner of the Long-Term Monitoring
window.
3. Click the browse button to the right of the Long-Term Monitoring Data Source
field. The Setting Long-Term Monitoring Location dialog box is displayed.
4. Enter the location of the saved data as specified in the Long-Term Monitoring Agent
(which should be on a shared network drive) and click Save.
If the data location is the same as that specified on the Long-Term Monitoring
Agent, the warning in red should no longer appear in the top right corner of the
Long-Term Monitoring window.
Now both the Long-Term Monitoring Agent and NetEnforcer are correctly configured
and you begin to work with long-term monitoring graphs.
NOTES:
If the data location has been configured correctly but the Long-Term Monitoring Agent is not running, a
warning message is displayed (in red) in the upper right corner: Long-Term Monitoring Agent is not
running.
In order for the warning messages in red to disappear, the problem must be resolved AND the Long-Term
Monitoring window must be closed and re-opened.
Adding Graphs
In order to collect data for long-term monitoring, you must specify a graph as available
to long-term monitoring. This can be done from a real-time monitoring window or from
the Long Term Monitoring window.
Adding a graph to long-term monitoring is only available to an administrator user with
write permissions. This is because adding a graph to long-term monitoring actually
writes a "request" file to the files location directory on the Long-Term Monitoring
Agent LAN PC. Access and write permissions on that shared directory are therefore
critical: the administrator's account needs write access to it, and any other account that
can write there can add or alter request files and collected data, so limit write access to
the accounts that need it.
3. Select the graph you want to add to long-term monitoring. It is added to the table of
graphs in the Long-Term Monitoring window. For example, if you select The
Virtual Channels Distribution for NetEnforcer graph, the Long-Term Monitoring
window is displayed as follows:
You must wait for a minimum of 2 hours before you can open the graph.
To view data:
1. From the NetEnforcer Control Panel, click Long-Term. The Long Term Monitoring
window is displayed:
2. Select the graph you want to view and click Open (or double-click the graph). The
Graph Time Span Coverage for (name of selected graph) window is displayed.
Figure 6-38 – Graph Time Span Coverage for (Name of Selected Graph)
Window – Relative Span Mode
TIP:
To get the most out of your Long Term Monitoring it is recommended that you configure the following
graphs on the NetEnforcer level: Top Protocols, Top Internal Hosts, Top External Hosts,
NetEnforcer Connections, NetEnforcer Bandwidth Distribution and VC/Pipes graphs where
relevant
This window enables you to select a specific time period for the graph you want to
view. The collected data could cover a long time period and you may just want to
focus on part of it.
3. From the Span Mode dropdown list, select one of the following time measurements:
• Relative: Select the number of hours, days or months of data required. This
period is counted from the end of the available data period backwards. If you
select a month, the period covers the last calendar month. This means that if the
data ended on 17 February, you would see data from the 1-17 February.
• Specific: Select the exact dates of the time period. By default the start and end
dates are the beginning and end of the entire available period.
Figure 6-39 – Graph Time Span Coverage for (Name of Selected Graph)
Window – Specific Span Mode
TIP:
The practical meaning of your selection is displayed in the lower area of the window.
4. Click Continue. The data is retrieved from the collection files. The graph is
displayed before all the data is retrieved and you can see the percentage of data
retrieved in the status bar. While you are waiting for this to complete, you can use
other functionality of the long-term monitoring graph.
Long-term monitoring graphs have the same look and feel as real-time monitoring
graphs. Most of the functionality available in real-time graphs is available for long-term
monitoring graphs. For example, graph types and graph styles. These features are
explained in the first sections of this chapter.
The main differences between real-time graphs and long-term monitoring graphs are as
follows:
• Only two graph views, Chart View and Table View, are available with long-term
monitoring graphs.
• Long-term monitoring graphs have a light green background color while real-time
graphs have a green background color.
• The long-term monitoring window has an additional Page menu and toolbar
buttons, as follows
Back
Forward
Start
End
These arrow buttons enable you to move forward and backwards through the pages
of a long-term monitoring graph.
• The File menu in the long-term monitoring window includes an additional option
called Collection Log File.
You can drill down into the long-term monitoring graph to see more details. For
example, data presented according to days of a selected month or hours of a selected
day or even minutes of a selected hour. This drilling down action enables you to move
between the following levels:
Level | Continuous-type graphs (for example, Bandwidth, Pipes Distribution) | 'Most Active' graphs (for example, Most Active Virtual Channels)
Period | Data is displayed for the entire time span, for example, several months or several days. | Data is displayed for the entire time span, for example, several months or several days.
Month | Data is displayed for each day in a month. | Data is displayed for the whole month in one view.
Day | Data is displayed for each hour in a day. | Data is displayed for the whole day in one view.
Hour | Data is displayed for each 5 minutes in an hour. | Data is displayed for the whole hour in one view.
Minute | Data is displayed for each 30 seconds in a five-minute period. | Data is displayed for the whole five-minute period in one view.
Second | Not available. | Data is displayed for the whole thirty-second period in one view.
You can drill down using the right-click menu in a step-by-step fashion or directly to a
selected level.
You can move through other months using the arrow buttons or Page menu options.
Every page will be displayed in the selected resolution.
Select the day within the month that you would like to view and click OK.
• In a continuous-type graph, right-click inside the day area of the graph on which
you want to focus and select Drill-down to (selected day).
The graph now displays data for the selected day. For example, drilling down a level
to a specific day, September 12th, shows the most active protocols for that day.
You can move through other days using the arrow buttons or Page menu options.
Every page will be displayed in the selected resolution.
Select the hour within the day that you would like to view, for example, Sep 12
10:00, and click OK.
• In a continuous-type graph, right-click inside the hour area of the graph on which
you want to focus and select Drill-down to (selected hour).
TIP:
You can right-click and select Back to Full View to return to period level or select Up One Level to
return to the previous level.
The graph now displays data for the selected hour of the selected day. For example,
Figure 6-42 shows the most active protocols for September 12th. Drilling down a
level to a specific hour, 10.00, shows the most active protocols for that hour.
You can move through other hours using the arrow buttons or Page menu options.
Every page will be displayed in the selected resolution.
4. Continue to the next level as follows:
• In a ‘Most Active’ graph, right-click inside the area of the graph and select
Drill-down to Minutes. You cannot select which specific five-minute period to
view. The graph will show the first five-minute period of the hour and you can
scroll through subsequent five-minute periods.
• In a continuous-type graph, right-click inside the five-minute area of the graph on
which you want to focus and select Drill-down to (selected five-minute period).
In this type of graph, you can select which specific five-minute period you want
to view.
TIP:
You can right-click and select Back to Full View to return to period level or select Up One Level to
return to the previous level.
The graph now displays data for a five-minute period. For example, Figure 6-43
shows the most active protocols during the hour 10.00 to 11.00 on September 12th.
Drilling down a level shows the most active protocols for the first five-minute period
of that hour.
You can move through other five-minute periods using the arrow buttons or Page
menu options. Every page will be displayed in the selected resolution.
5. Continue to the next level as follows:
• In a ‘Most Active’ graph, right-click inside the area of the graph and select
Drill-down to Seconds. You cannot select which specific thirty-second period to
view. The graph will show the first thirty-second period of the five minute period
and you can scroll through subsequent thirty-second periods.
TIP:
You can right-click and select Back to Full View to return to period level or select Up One Level to
return to the previous level.
The graph now displays data for a thirty-second period. For example, Figure 6-44
shows the most active protocols during the five-minute period 10.00 to 10.05 on
September 12th. Drilling down a level shows the most active protocols for the first
thirty seconds of that five-minute period.
You can move through other thirty-second periods using the arrow buttons or Page
menu options. Every page will be displayed in the selected resolution.
Figure 6-46 – Time Unit Selection for Detailed View Dialog Box
NOTE:
This dialog box is correct for Most Active graphs. For continuous-type graphs, you cannot select Hour
as the Time Unit.
2. Specify details of the exact year, month, day and hour to which you want to drill
down and click OK. You can go straight from period level to day level without first
going to month level.
As with real-time graphs, you can zoom into a long-term monitoring graph by holding
down the <Shift> key and dragging a box around the area that you want to zoom in the
graph. However, this method does not change the resolution of the graph, it provides a
closer look at a particular area at the same resolution.
TIP:
You can access real-time graphs from a long-term monitoring graph. Right-click in the graph and you can
select from real-time graphs for the current entity (Pipe or Virtual Channel).
Data Coverage
Although you may have selected a large period, for example, 5 months, the period could
include interruptions where data collection stopped for a few days or a few hours. The
period coverage is indicated in the status bar (Period/Month/Day/Hour/5-Minutes
Coverage). If the percentage is low, perhaps around 85%, you can use the collection log
file to view the exact times when data collection was not active.
The Collection Log File dialog box provides a list of dates and times within the
selected period that collection was not active.
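The coverage percentage in the status bar is the share of the selected period during which collection was active. The following added illustration, which is not NetEnforcer code, computes that figure from a list of inactive intervals such as the Collection Log File provides. The log line format, the period and the gaps are all constructed for the example; the real Collection Log File format is not reproduced here. It also handles the two cases that make a naive sum wrong: a gap that straddles the start of the selected period, and gaps that overlap.

```python
"""Data-coverage calculation for a long-term graph: the share of the
selected period during which collection was active, computed from a list
of inactive intervals. Added illustration; not NetEnforcer code. The
'inactive ...' log line format below is constructed for this example and
is not the Collection Log File's real format."""
from datetime import datetime
from typing import List, Tuple

Interval = Tuple[datetime, datetime]
_FMT = "%Y-%m-%d %H:%M"


def parse_inactive_intervals(log_lines: List[str]) -> List[Interval]:
    """Parse constructed lines of the form
    'inactive 2004-09-03 02:00 - 2004-09-03 08:00' into (start, end) pairs."""
    intervals: List[Interval] = []
    for line in log_lines:
        line = line.strip()
        if not line.startswith("inactive "):
            continue
        start_s, end_s = line[len("inactive "):].split(" - ")
        start, end = datetime.strptime(start_s, _FMT), datetime.strptime(end_s, _FMT)
        if end <= start:
            raise ValueError(f"malformed interval: {line!r}")
        intervals.append((start, end))
    return intervals


def coverage_percent(period: Interval, inactive: List[Interval]) -> float:
    """Percentage of `period` with active collection. Inactive intervals are
    clipped to the period and merged where they overlap, so a gap that
    straddles the period boundary or is logged twice is not over-counted."""
    p_start, p_end = period
    if p_end <= p_start:
        raise ValueError("period end must be after period start")
    clipped = sorted(
        (max(s, p_start), min(e, p_end)) for s, e in inactive if e > p_start and s < p_end
    )
    merged: List[Interval] = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    lost = sum((e - s).total_seconds() for s, e in merged)
    total = (p_end - p_start).total_seconds()
    return 100.0 * (total - lost) / total


# Constructed collection log: one gap straddling the start of the period,
# two overlapping gaps, and one clean gap.
EXAMPLE_LOG = """
inactive 2004-08-31 20:00 - 2004-09-01 04:00
inactive 2004-09-03 02:00 - 2004-09-03 08:00
inactive 2004-09-05 12:00 - 2004-09-06 12:00
inactive 2004-09-06 00:00 - 2004-09-06 18:00
""".strip().splitlines()

# Constructed selected period: ten days.
EXAMPLE_PERIOD = (datetime(2004, 9, 1, 0, 0), datetime(2004, 9, 11, 0, 0))

if __name__ == "__main__":
    gaps = parse_inactive_intervals(EXAMPLE_LOG)
    print(f"coverage: {coverage_percent(EXAMPLE_PERIOD, gaps):.1f}%")
```

For the constructed input the period is 240 hours, the straddling gap contributes 4 hours after clipping, the overlapping pair merges to 30 hours and the clean gap adds 6, so 40 hours are lost and coverage is 83.3%, the kind of figure the text suggests checking against the collection log.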
This chapter describes Catalog Editors and how to define new Catalog entries.
• QoS Catalog: The entries in the QoS Catalog are the possible values for the
Quality of Service action defined for a Pipe and Virtual Channel. The Quality of
Service allocates bandwidth, traffic priority, TOS marking and connection count
limits. Refer to Quality of Service Catalog Editor, page 7-66.
• Connection Control Catalog: The entries in the Connection Control Catalog are
the possible values for the Connection Control action defined for a Pipe and
Virtual Channel. The Connection Control refers to server load balancing and cache
redirection. Refer to Connection Control Catalog Editor, page 7-81.
• Data Source Catalog: The entries in the Data Source Catalog are the possible
LDAP servers with which NetEnforcer can work. These definitions can then be
referenced in Data Source Query definitions in the Host Catalog Editor. Refer to
Data Source Catalog Editor, page 7-87.
Each Catalog has its own editor where you can add new entries and modify existing
entries.
All Catalog Editors have some common fields and functionality, which are described in
this section. A sample Catalog Editor is shown below:
(Figure: sample Catalog Editor, showing the List pane and the Definition pane)
The List pane displays a list of the current entries defined in the Catalog. Selecting an
entry in the List pane displays its name at the top of the Definition pane, and its
properties or definition below its name. The Definition pane is the working area of a
Catalog Editor in which entries are defined.
All Catalogs contain three global buttons that apply to the Catalog as a whole and three
specific buttons that apply to the currently selected entry, as follows:
Specific Entry Buttons
• New: Adds a new Catalog entry.
• Delete: Deletes the selected Catalog entry. You can only delete entries that are
Unprotected. (Refer to Protected Entries, below.)
• Undo: Undoes the changes made, since the last save, to the current entry.
Global Buttons
• Saves changes in a Catalog Editor. In order to save the contents of the Catalog
Editor to NetEnforcer, you must also save the Policy Editor.
• Exits the Catalog Editor. Any unsaved changes are lost.
• Displays online help relevant to the Catalog Editor in a separate window.
Protected Entries
Each Catalog includes default entries whose definitions cannot be modified. Such
entries are called Protected entries. When you select a Protected entry, such as Any in
the Host Catalog Editor, the Delete and Undo buttons are automatically disabled.
A user-defined entry is always Unprotected.
2. Click Delete. The entry is no longer displayed in the List pane and it is deleted from
the Catalog.
You must save the Policy Editor for the deletion to take effect.
Catalog entries that are referenced in a policy definition cannot be deleted.
Below is a list of the Catalog Editor menu options, tools and shortcut key options
available in the Policy Editor:
Host: Opens the Host Catalog Editor, enabling you to define possible Connection Source and Destination conditions.
Service: Opens the Service Catalog Editor, enabling you to define possible Service conditions.
Time: Opens the Time Catalog Editor, enabling you to define possible Time conditions.
TOS: Opens the TOS Catalog Editor, enabling you to define possible Type of Service conditions.
VLAN: Opens the VLAN Catalog Editor, enabling you to define possible VLAN conditions.
Quality of Service: Opens the QoS Catalog Editor, enabling you to define possible Quality of Service actions.
Connection Control: Opens the Connection Control Catalog Editor, enabling you to define possible Connection Control actions.
Data Source: Opens the Data Source Catalog Editor, enabling you to define the LDAP servers with which NetEnforcer can work or to define a Hosts Text File.
You can enter the host details individually, or NetEnforcer can retrieve IP addresses or
host names from a specified LDAP directory server or text source file. (LDAP servers
and text source files with which NetEnforcer can work are defined in the Data Source
Catalog, page 7-87.) Once you have defined the hosts in a host list, you can group
several host lists together in one Catalog entry.
To define a host:
1. In the Host Catalog Editor, click New. The following popup menu is displayed:
2. Select Host List. A new entry is added to the List pane in the Host Catalog.
4. In the Host Item area, click on the required host type radio button and input the
relevant details in the corresponding text field.
5. From the Interface Loc of Host dropdown list, select the location of the host
relative to NetEnforcer: Anywhere, Internal or External.
6. Click Add. The defined host is displayed in the Defined Items area.
NOTE:
The list of hosts in the Defined Items area can be sorted by clicking on any column header. For
example, click Type to sort the list by type of host.
7. Repeat steps 4-6 to add other hosts, as required. You can add up to 10,000 entries in
a host list.
NOTE:
To delete a host from the list, select the host in the Defined Items area and click Delete. To edit a host
in the list, select the host in the Defined Items area, make the changes required to the definition and
click Update.
8. Click OK. The new entry (entries) is saved in the Host Catalog and the Host Catalog
is closed. In order to save the new entry to the database, you must save the Policy
Editor.
Grouping Hosts
A host group is a collection of previously defined Host Catalog entries of Host List
type grouped together in an additional entry. This eliminates the need to create several
similar Pipes, Virtual Channels or Rules for hosts. The QoS defined for the group
applies to all the hosts in the group.
For example, you can create a group of hosts, called Division 1. Division 1 can contain
three Host List catalog entries: Department A (employees a, b and c), Department B
(employees d, e and f) and Department C (employees g, h and j).
Groups are useful when working with templates. For more information, refer to the
Templates section in Chapter 8, Defining Policies.
The list in the Available Host Lists area displays all the available host list Catalog
entries that can be added to the host group. The list in the Selected Lists in Group
area displays the Catalog entries that you have selected to include in this host group.
• Adds the entries selected in the Available Host Lists area to the Selected Lists in Group area.
• Adds all the entries in the Available Host Lists area to the Selected Lists in Group area.
• Removes the entries selected in the Selected Lists in Group area and returns them to the Available Host Lists area.
• Removes all the entries from the Selected Lists in Group area and returns them to the Available Host Lists area.
NOTE:
The entries in the Selected Lists in Group area can be sorted alphabetically by clicking on the column
header.
5. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
5. Click Fetch & View Contents to preview the hosts retrieved from the LDAP
directory server.
6. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
NOTE:
The actual execution of the LDAP query occurs when the Policy Editor is saved (or resaved). If the
Fetch operation fails, NetEnforcer will retry the operation according to the retry interval parameter,
defined in the LDAP/Text Source tab of the NetEnforcer Configuration window. Refer to the
LDAP/Text Source section in Chapter 4, Configuring NetEnforcer.
4. In the Text File Path field, enter the location of the text file data source. This is the
path or the host, as defined in the text source definitions, described on page 7-88.
5. In the Delimiter area, select the delimiter used in the text (CSV) file.
8. Click OK. The new entry is saved in the Host Catalog and the Host Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
NOTE:
The actual execution of the query occurs when the Policy Editor is saved (or resaved). If the Fetch
operation fails, NetEnforcer will retry the operation according to the retry interval parameter, defined
in the LDAP/Text Source tab of the NetEnforcer Configuration window. Refer to the LDAP/Text
Source section in Chapter 4, Configuring NetEnforcer.
From the Service Catalog Editor, you can define the following types of applications:
• TCP and UDP IP Protocols, page 7-21.
• Non-TCP and non-UDP IP Protocols, page 7-23.
• Non-IP Protocols, page 7-24.
• Content for HTTP, Oracle, H.323, Citrix and other applications. For more information, refer to Adding Content, page 7-31.
7. In the Ports tab, specify the target of the connection (destination port) as follows:
• In the Destination Ports list, click the next available row and enter a destination
port number.
NOTES:
Port ranges can be entered as well. For example, enter 110-125 to indicate ports numbered 110
through 125.
You can delete destination or source ports by selecting the port and pressing <Delete>.
8. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to
remain open with no traffic passing through it before closing it.
9. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
5. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to
remain open with no traffic passing through it before closing it.
6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
TIP:
If you select a non-IP service as the Service condition in the Policy Editor, you must select Any for the
Connection Source and Connection Destination conditions, since all other Host Catalog entries are
IP-based. You should also define TOS as Ignored.
5. In the Advanced tab, enter the amount of time NetEnforcer allows a connection to
remain open with no traffic passing through it before closing it.
6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
Importing Protocols
You can create entries in the Service Catalog by importing services from a protocols
library. This library includes a selection of about 8000 services and is based on the
IANA list of protocols.
To import protocols:
1. In the Service Catalog Editor, click New. The new service entry popup menu is
displayed, as shown in Figure 7-10.
2. Select Import from Protocols Library. The Protocols Library dialog box is
displayed.
NOTE:
Protocols that have already been added to the Service Catalog appear disabled (grayed out) in the
Protocols Library dialog box.
3. Select the checkbox in the Add column for the protocols you want to add to the
Service Catalog and click Add to Catalog. The selected protocols are added as
entries to the Service Catalog.
TIP:
To filter the protocols displayed, select a grouping from the Display dropdown list. For example, if you
select TCP protocols, only TCP protocols are listed in the dialog box.
Figure 7-15 – Accessing Protocols Library Dialog Box From Policy Editor
2. Click Select from Protocols Library. The Protocols Library dialog box is
displayed.
Figure 7-16 – Protocols Library Dialog Box Accessed From Policy Editor
3. Select a single protocol from the list and click Select. The selected entry in the
Policy Editor is replaced with the new protocol and the selected protocol is added to
the Service Catalog.
Web Update
You can also use the Web Update feature to automatically add new protocols and
applications (when available and announced from Allot Communications) to the
service catalog, without having to perform software updates.
A service Web update adds both the service entries and the relevant Layer-7 signatures
for the protocols and applications. The new service entries are also automatically added
to the relevant default service groups. For example, if there are new P2P applications,
they are automatically added to the default P2P service group.
Note: This service is intended for customers with valid support agreements only.
To perform service Web update:
1. From the Tools menu, select Update Service Catalog from Allot
Communications. The service catalog update message is displayed, as shown in
Figure 7-17.
2. Click OK.
NOTE:
An alert is displayed in the Alerts log indicating the success or failure of the Web Update process.
The list in the Available Services area displays all the available Service Catalog
entries that can be added to the service group. The list in the Selected Services in
Group area displays the Catalog entries that you have selected to include in this
service group.
6. Add Catalog entries to the group using the following buttons:
• Adds the entries selected in the Available Services area to the Selected Services in Group area.
• Adds all the entries in the Available Services area to the Selected Services in Group area.
• Removes the entries selected in the Selected Services in Group area and returns them to the Available Services area.
• Removes all the entries from the Selected Services in Group area and returns them to the Available Services area.
7. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
Adding Content
Most Application Protocols classify traffic according to its specific protocol. The
Transport Protocols enable you to specify destination ports, and some apply to any
traffic regardless of port.
This section provides instructions for classifying traffic according to content in certain
Application Protocols (for example, HTTP, Oracle, H.323, SMTP, FTP, Citrix and some
P2P applications).
Figure 7-19 – Service Catalog: Adding Content and File Name Tab
NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.
• Enter the required URL and click Add. The URL is displayed in the File Name
tab.
• Add further URLs using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
5. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.
• Enter the required URL and click Add. The URL is displayed in the URL tab.
• Add further URLs using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
A Web request carries this identifier (which can be represented by an HTML page,
an image, a Java applet or a CGI program). For a complete description of how to set
up a policy that will match a URL, see the tip on page 7-40.
NOTE:
You can delete a URL by selecting the URL and pressing <Delete> on your keyboard or by clicking
Remove in the URL tab.
• Select the required method and click Add. The method is displayed in the
Methods tab.
• Add further methods using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
HTTP uses seven methods to exchange information between clients and servers:
GET, PUT, POST, OPTIONS, HEAD, DELETE and TRACE. A service can be based on
one or more HTTP methods.
NOTE:
You can delete a method by selecting the method and pressing <Delete> on your keyboard or by
clicking Remove in the Methods tab.
• Enter the required host and click Add. The host is displayed in the Hosts tab.
• Add further hosts using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
The host string is compared against the value of the Host field in the HTTP request
header sent by a client (such as Netscape Navigator or Internet Explorer). This string is
usually the name of the host that the user requested, possibly suffixed with the string
":port", where port is the port number that the browser uses to connect to the server
(for HTTP, this is usually port 80).
For example, a browser that sends an HTTP request to www.cnn.com puts the string
www.cnn.com or www.cnn.com:80 in the Host field of the request header. If you wish to
detect all traffic to a host, add * at the end of the string, for example, www.cnn.com*.
Another way to identify a host is by its IP address, in the format IP Address or
IP Address:Port Number, for example: 173.17.1.1:80.
The typical use for this kind of match is virtual hosting, where more than one Web site
is hosted at the same IP address, which is possible when DNS translates many names to
one IP address.
NOTE:
You can delete a host by selecting the host and pressing <Delete> on your keyboard or by clicking
Remove in the Hosts tab.
• Select the required content type and click Add. The content type is displayed in
the Content Type tab.
• Add further content types using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
The predefined list classifies traffic according to the Content-Type, the information
about the transferred data that is carried in the HTTP protocol. For example, you may
want to specify all forms of audio content, but allow all HTML files and pictures.
10. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
TIP:
Defining URL and Application-Level Rules
NetEnforcer enables you to reference Service entries in Pipes, Virtual Channels, and Rules by application and
content type, including:
• HTTP URL addresses.
• Web directories and pages.
• Application content types.
URLs are the addresses by which documents are identified on the World Wide Web. A rule can be defined to
match a specific URL, a list of URLs or a pattern of URLs, for example, *.gif or /document/*.
A URL has the following structure:
<scheme>://<server name>[:<port>]/<relative path of query from HTTP server root>
Where:
• Scheme is the transmission protocol. For example, HTTP (Hypertext Transfer Protocol) or FTP
(File Transfer Protocol).
• Server name is the IP address of the server on which the document resides, or its DNS name.
• Path describes the location of the document on the server with reference to the server's root directory.
To define a rule that will match a set of URLs of a specific type (for example, HTTP) on a specific host, two
sections in the Service Catalog must be defined: a Host and a URL. The part of the URL relevant for the Host
is the server name, and the part relevant for the URL is the section that includes the scheme, port and path.
For example: for the URL http://www.allot.com/news/index.html, www.allot.com will be in the Host section
and /news/index.html or /news/* will be in the URL section. This bears no relation to entries in the Host
Catalog.
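The Host-header matching described in the Hosts tab above and the Host/URL split described in this tip, carried through as an added Python example that is not part of this manual or of NetEnforcer. The pattern semantics (a trailing * in a Host string is a prefix match, URL-section patterns use shell-style wildcards), the sample entry and the request values are assumptions used for illustration.

```python
# Added example (not from the NetEnforcer manual or Allot's code): models how an HTTP
# Service Catalog entry's Host and URL sections match a client request.
# Assumptions: a trailing '*' in a Host string is a prefix match, URL-section patterns
# use shell-style wildcards, and the sample entry/requests below are constructed.
import fnmatch
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def host_header_matches(pattern: str, host_header: str) -> bool:
    """Compare a Host-section string against the value of the request's Host header.

    Forms described in the manual: an exact name with optional ':port'
    (www.cnn.com or www.cnn.com:80), a name with a trailing '*' that matches any
    suffix (www.cnn.com*), or an IP address with optional port (173.17.1.1:80).
    Host names are case-insensitive, so both sides are lowercased.
    """
    pattern = pattern.strip().lower()
    host_header = host_header.strip().lower()
    if pattern.endswith("*"):
        return host_header.startswith(pattern[:-1])
    return host_header == pattern


def split_url_for_catalog(url: str) -> Tuple[str, str]:
    """Split a full URL into the server name (Host section) and the path
    (URL section), e.g. http://www.allot.com/news/index.html ->
    ('www.allot.com', '/news/index.html')."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (parts.hostname or ""), path


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Match a request path against a URL-section pattern such as /news/index.html,
    /news/* or *.gif ('*' also crosses '/' here, so /document/* covers subdirectories)."""
    return fnmatch.fnmatchcase(path, pattern)


def request_matches_entry(entry: Dict[str, List[str]], host_header: str, path: str) -> bool:
    """A request matches when its Host header matches at least one Host pattern and
    its path matches at least one URL pattern; an empty list means 'any'."""
    hosts, urls = entry.get("hosts", []), entry.get("urls", [])
    host_ok = not hosts or any(host_header_matches(p, host_header) for p in hosts)
    url_ok = not urls or any(url_pattern_matches(p, path) for p in urls)
    return host_ok and url_ok


# Constructed entry modelled on the manual's www.allot.com/news example.
NEWS_ENTRY = {"hosts": ["www.allot.com*"], "urls": ["/news/*"]}


def classify(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host_header, path) pairs that fall under NEWS_ENTRY."""
    return [(h, p) for h, p in requests if request_matches_entry(NEWS_ENTRY, h, p)]


if __name__ == "__main__":
    sample = [("www.allot.com:80", "/news/index.html"),   # constructed requests
              ("www.allot.com", "/index.html"),
              ("www.example.org", "/news/index.html")]
    print(classify(sample))
```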
NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.
• Enter the required database name and click Add. The database name is displayed
in the Service Name tab.
• Add further database names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
• Enter the required user name and click Add. The user name is displayed in the
User Name tab.
• Add further user names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
6. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.
• Enter the required URL and click Add. The URL is displayed in the Domains
tab.
• Add further URLs using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
4. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.
• Select the required H.323 content and click Add. The content is displayed in the
Codec tab.
• Add further H.323 content using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
4. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
NOTE:
Citrix MetaFrame traffic may be classified by application name or user name, optionally with priority, by
selecting CITRIX in the Service Catalog.
Citrix NFuse traffic may be classified by application name or user name, optionally with priority, by
selecting CITRIX – NFUSE in the Service Catalog.
Citrix traffic can be classified by Priority Bit/Print Traffic only by selecting CITRIX-ICA in the
Service Catalog.
NOTE:
The Add, Edit and Remove buttons can be used at any time when in this mode. Highlight the relevant
line in the text content list and click the preferred option. A window opens with the option to perform
the selected operation.
3. In the App Name tab, define the application being used through the Citrix protocol,
for example Microsoft Word or Excel, as follows:
• Click Add. The Add Item dialog box is displayed.
• Enter the required application name and click Add. The application name is
displayed in the App Name tab.
• Add further application names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
• Enter the required user name and click Add. The user name is displayed in the
User Name tab.
• Add further user names using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
• Select the required priority and click Add. The priority is displayed in the
Priority tab.
• Add further priorities using the Add Item dialog box as required.
• Click Close to close the Add Item dialog box.
8. Click OK. The new entry is saved in the Service Catalog and the Service Catalog is
closed. In order to save the new entry to the database, you must save the Policy
Editor.
NOTE:
NetEnforcer features layer 7+ analysis, utilizing advanced signature recognition, of many Peer to
Peer (P2P) applications. Some of the applications which are automatically recognized and
classified are:
KaZaA (V1 & V2), Grokster, iMesh, Poisned, DietKaza, eDonkey (eDonkey; eMule), xMule,
Overnet, Gnutella, Shareaza, Morpheus, Gnucleus, XoloX, LimeWire, FreeWire, Bearshare,
Acquisition, Phex, Gtk-Gnutella, NEoNapster, WinMX (WinMX Direct connect, Direct Connect),
DC++, BCDC++, Madster, BitTorrent, Nova MP2P, Blubster, Piolet, RockitNet (in the first
update), SoulSeek, Winny, Hotline (in the first update) and Motilino.
NOTE:
The Anytime entry is Protected, meaning the definitions for this entry cannot be modified.
Time periods can have ranges of hours and minutes in which they are active, or they can
be active during whole days. An entry in the Time Catalog has one or several time
periods when policies assigned this entry are active.
3. In the Defined Time Entries area, click Add. The Time Entry Definition dialog box
is displayed:
4. In the Frequency dropdown list, select the frequency of the time period. The options
are as follows:
Daily A period of time that occurs on a daily basis.
Weekly A period of time that occurs on a weekly basis. For example, Monday
from 8:00 to 17:00.
Monthly A period of time that occurs on a monthly basis. For example, the 15th
day of the month.
Yearly A period of time that occurs on an annual basis. For example, January
1st may be defined as a yearly event.
5. The remaining fields in the dialog box vary according to the frequency you select. If
you select Daily, select the time span for the time period from the dropdown list in
the Time Span field:
All day Sets the time period as active for the whole day.
From – Through Enables you to select the exact time that the period will
begin, and the exact time that it will end.
6. If you select Weekly, select the day of the week for the time period from the
dropdown list in the Day of Week field and the time span from the dropdown list in
the Time Span field, as described in step 5.
7. If you select Monthly, select the day of the month for the time period from the Day
of Month field and the time span from the dropdown list in the Time Span field, as
described in step 5.
8. If you select Yearly, select the month for the time period from the dropdown list in
the Month field, select the day of the month from the Day of Month field, and the
time span from the dropdown list in the Time Span field, as described in step 5.
9. Click OK. The specified time period is displayed in the Defined Time Entries area
in the Definition pane of the Time Catalog Editor.
10. Repeat steps 3 through 9 to add additional time periods as required.
NOTE:
You can edit or delete the time periods using the Edit and Delete buttons in the Defined Time Entries
area.
11. Click OK. The new entry (entries) is saved in the Time Catalog. In order to save the
new entry (entries) to the database, you must save the Policy Editor.
TIP:
Adding a new policy with time-dependent traffic classification is effective only on new connection
attempts. Any existing connection that may fall under that policy continues to pass under its original policy.
If a Reject or Drop action is specified, these actions are applied only to new connection attempts.
NOTE:
A discrete time range cannot be created. For example, March 15, 2001 from 2:00 PM through 5:00 PM
cannot be created. However, it can be approximated by Yearly, March 15, 2:00 PM through 5:00 PM.
NOTE:
All of the entries in Figure 7-36 are predefined public domain TOS definitions and are Protected, meaning
that they cannot be modified.
The TOS (Type of Service) is a byte in the IP header of a packet that carries routing
recommendations. NetEnforcer classifies traffic based on the TOS byte marking
contained in the IP headers of the packets passing through it. The Differentiated
Services standard, for example, defines TOS byte markings for traffic classification.
Using Differentiated Services, the TOS byte can indicate three major traffic classes:
Expedited Forwarding, Assured Forwarding and Best Effort. Assured Forwarding
combines a priority class with a drop precedence level (making a total of 12
combinations). All of these TOS byte markings are predefined in the TOS Catalog.
Further information regarding TOS standards can be found at www.ietf.org/rfc/rfc2475.txt.
NetEnforcer also supports TOS classification by Free Format, which can be used to
classify traffic marked per Cisco Precedence Bits method.
In the TOS Catalog Editor, you can view the properties of predefined entries and create
entries that classify the TOS byte using Free Format, page 7-61.
When Assured Forwarding is displayed, two additional fields, Priority Class and
Drop Precedence, are displayed:
The Priority Class field displays the class (1 to 4). The priority class determines the
priority level of the traffic: Class 1 is the lowest (no priority) and Class 4 is the
highest.
The Drop Precedence field displays the precedence (Low, Medium or High). Drop
precedence refers to the fact that in times of heavy congestion, some packets will be
dropped. Low means that the packet will be dropped as a last resort, whereas High
means that the packet can be dropped before any others.
NOTE:
The graphic representation of the TOS byte that will be checked against the IP header is displayed in
the Resultant TOS Byte Bit Settings field.
Free Format
TOS classification using Free Format enables you to classify traffic marked according
to the Cisco Precedence Bits method.
3. Define the TOS by selecting the individual bits in the graphic representation of the
TOS byte in the Selected TOS Byte Bit Settings field.
4. Click OK. The new entry (entries) is saved in the TOS Catalog. In order to save the
new entry (entries) to the database, you must save the Policy Editor.
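The Assured Forwarding class/drop precedence combinations and the Free Format bit selection described above, worked through as an added Python example that is not part of this manual or of NetEnforcer. The code point layouts are taken from RFC 2474, RFC 2597 and RFC 3246 and the precedence bits from RFC 791; the mask/value interpretation of a Free Format entry and the entry names are assumptions.

```python
# Added example (not from the NetEnforcer manual or Allot's code): builds and decodes
# the TOS byte values the TOS Catalog works with. DiffServ code points follow RFC 2474
# (layout), RFC 2597 (Assured Forwarding) and RFC 3246 (Expedited Forwarding); the
# three precedence bits follow RFC 791. The Free Format mask/value semantics are assumed.
from typing import Dict

# The DSCP is the upper six bits of the TOS byte; the low two bits are not part of the
# DSCP (they carry ECN, RFC 3168) and are masked off when the byte is interpreted.
DSCP_EF = 0b101110   # Expedited Forwarding, decimal 46
DSCP_BE = 0b000000   # Best Effort (default code point)
DROP_PRECEDENCE = {"Low": 1, "Medium": 2, "High": 3}
DROP_PRECEDENCE_NAME = {v: k for k, v in DROP_PRECEDENCE.items()}


def af_dscp(priority_class: int, drop_precedence: str) -> int:
    """DSCP for Assured Forwarding class 1-4 with drop precedence Low/Medium/High.
    RFC 2597 lays the code point out as 'ccc dd 0', i.e. AFxy = 8*x + 2*y."""
    if priority_class not in (1, 2, 3, 4):
        raise ValueError("Assured Forwarding class must be 1-4")
    return (priority_class << 3) | (DROP_PRECEDENCE[drop_precedence] << 1)


def tos_byte_from_dscp(dscp: int) -> int:
    """The TOS byte as written in the IP header: the DSCP occupies bits 7..2."""
    return (dscp & 0x3F) << 2


def all_af_entries() -> Dict[str, int]:
    """The 12 Assured Forwarding TOS byte values the manual says are predefined."""
    return {f"AF{c}{DROP_PRECEDENCE[d]}": tos_byte_from_dscp(af_dscp(c, d))
            for c in (1, 2, 3, 4) for d in ("Low", "Medium", "High")}


def describe_tos_byte(tos: int) -> str:
    """Name the DiffServ class carried by a TOS byte, as the TOS Catalog lists them."""
    dscp = tos >> 2
    if dscp == DSCP_EF:
        return "Expedited Forwarding"
    if dscp == DSCP_BE:
        return "Best Effort"
    cls, dp, low_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if 1 <= cls <= 4 and 1 <= dp <= 3 and low_bit == 0:
        return f"Assured Forwarding class {cls}, drop precedence {DROP_PRECEDENCE_NAME[dp]}"
    return f"Unclassified DSCP {dscp}"


def ip_precedence(tos: int) -> int:
    """The Cisco/RFC 791 precedence bits are the top three bits of the TOS byte; a
    Free Format entry that selects only those bits classifies on this value."""
    return tos >> 5


def free_format_matches(selected_bits: int, required_value: int, tos: int) -> bool:
    """Free Format (assumed semantics): only the selected bit positions of the packet's
    TOS byte are compared against the entry's bit settings."""
    return (tos & selected_bits) == (required_value & selected_bits)


if __name__ == "__main__":
    for name, value in sorted(all_af_entries().items()):
        print(f"{name}: TOS byte 0x{value:02x} -> {describe_tos_byte(value)}")
    ef = tos_byte_from_dscp(DSCP_EF)
    print(f"EF: TOS byte 0x{ef:02x}, precedence bits {ip_precedence(ef)}")
```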
TIP:
Figure 7-40 – Details of the Ethernet Frame Before and After the
Addition of 802.1Q Frame Information.
Defining VLANs
NetEnforcer supports VLAN traffic classification according to VLAN ID (VLAN
Identifier) tags, consisting of 12 bits, and according to tagging priority bits, consisting
of three bits. These definitions are set in the VLAN Catalog Editor, as shown below:
According to the policies you define, the NetEnforcer assigns each packet a mapping
priority and QoS definition.
The VLAN definition value is comprised as follows:
• Bits 1 – 12 specify the VLAN ID.
• Bit 13 is the reserved bit.
• Bits 14 – 16 specify the user priority (where 7 is highest priority, and 1 is lowest
priority).
When opening this window, either to create a new VLAN or to edit an existing VLAN,
both boxes are checked, preventing you from altering the bit values.
To create a VLAN:
1. Enter the name of the VLAN in the Contents of: field.
2. Uncheck the Any User Priority and/or Any VLAN ID check boxes to insert new bit
values.
3. Insert bit values in one of the following ways:
• Insert a decimal value in the User Priority and/or VLAN ID fields; the binary
equivalent is displayed in the bit value fields.
• Click the bit value field boxes (gray indicates zero and black indicates one); the
decimal equivalent is displayed in the User Priority and VLAN ID fields.
4. Click OK. The new entry is saved in the VLAN Catalog. In order to save the new
entry to the database, you must save the Policy Editor.
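The VLAN ID / user priority bit layout and the Any VLAN ID / Any User Priority wildcards described above, shown as an added Python example that is not part of this manual or of NetEnforcer. The frame bytes are constructed test data and the catalog entry representation is an assumption.

```python
# Added example (not from the NetEnforcer manual or Allot's code): decodes the 802.1Q
# tag control information (TCI) from a constructed Ethernet frame and matches it
# against a VLAN Catalog entry whose 'Any VLAN ID' / 'Any User Priority' boxes may be
# checked. Frame bytes and the entry dictionary format are constructed assumptions.
import struct
from typing import Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MAC_HEADER = bytes.fromhex("00112233445566778899aabb")   # constructed dst + src MAC


def parse_vlan_tag(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (user_priority, vlan_id) for an 802.1Q-tagged frame, or None if untagged.
    In the 16-bit TCI the top 3 bits are the user priority, the next bit is reserved
    (CFI) and the low 12 bits are the VLAN ID, the layout the manual describes."""
    if len(frame) < 16:
        raise ValueError("frame too short for an Ethernet header plus 802.1Q tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_8021Q:
        return None
    return tci >> 13, tci & 0x0FFF


def vlan_entry_matches(entry: dict, frame: bytes) -> bool:
    """entry = {'vlan_id': int or None, 'user_priority': int or None}; None stands for
    a checked 'Any ...' box, so that field is not compared. Untagged frames never match."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return False
    prio, vid = tag
    if entry["vlan_id"] is not None and entry["vlan_id"] != vid:
        return False
    if entry["user_priority"] is not None and entry["user_priority"] != prio:
        return False
    return True


def build_tagged_frame(user_priority: int, vlan_id: int) -> bytes:
    """Construct a minimal tagged frame: MACs, 802.1Q TPID, TCI, IPv4 EtherType, padding."""
    if not 0 <= user_priority <= 7 or not 0 <= vlan_id <= 4095:
        raise ValueError("user priority is 3 bits, VLAN ID is 12 bits")
    tci = (user_priority << 13) | vlan_id      # reserved/CFI bit stays 0
    return (MAC_HEADER + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46))


# Constructed untagged frame for comparison: MACs, IPv4 EtherType, padding.
UNTAGGED_FRAME = MAC_HEADER + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46)


if __name__ == "__main__":
    entry = {"vlan_id": 100, "user_priority": None}   # 'Any User Priority' checked
    for frame in (build_tagged_frame(5, 100), build_tagged_frame(5, 200), UNTAGGED_FRAME):
        print(parse_vlan_tag(frame), vlan_entry_matches(entry, frame))
```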
NOTE:
The Ignore QoS, Normal Priority - Pipe and Normal Priority - VC entries are Protected, meaning the
definitions for these entries cannot be modified.
The QoS Catalog Editor enables you to define QoS for a Pipe or Virtual Channel. You
can prioritize connections and specify minimum and maximum bandwidth per
Pipe/Virtual Channel or per individual connections, and you can specify traffic-shaping
techniques (CBR or Burst) for Virtual Channels. You can also specify TOS markings.
In the Quality of Service Catalog Editor, there is a predefined entry called Ignore QoS;
you cannot delete it, nor can you create additional entries that ignore QoS.
You can create entries that assign QoS to Pipes, Virtual Channels and connections. You
can give the same QoS definitions to both directions of traffic, or define QoS
parameters for both directions independently.
Rules adopt the actions of their parent Pipe or Virtual Channel.
TIP:
Priority
A priority definition implies a relative bandwidth allocation relationship to other defined priorities. It does
not indicate absolute bandwidth allocations. If you require absolute bandwidth allocation, refer to the
descriptions of the minimum, maximum and guaranteed bandwidth fields.
Priorities 1 through 10 represent an increasing hyperbolic curve. It is important to recognize that priorities 1
through 10 do NOT represent a linear relative relationship. The following table helps explain this and shows
the priorities and resultant relative bandwidth ratios:
Priority
2 1.1
3 1.2 1.1
Priority 1 2 3 4 5 6 7 8 9
For example:
1. Assume two Virtual Channel definitions, VC1 and VC2. VC1 has a priority of four, and VC2 has a
priority of 10. Connections satisfying VC2 will be allocated seven times more bandwidth than VC1.
2. Assume total bandwidth = 150Kbps; VC1 = Minimum 30Kbps, Priority 4; VC2 = Minimum 40Kbps,
Priority 10.
The bandwidth allocation would then be:
VC1 = 40 (30 minimum + 10 on priority basis)
VC2 = 110 (40 minimum + 70 on priority basis)
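The allocation in the example above (minimums first, then the remainder shared by relative priority), reproduced as an added Python example that is not part of this manual or of NetEnforcer. The priority weights are an assumption: the manual states only that priority 10 receives seven times the bandwidth of priority 4, so the weight table encodes that single ratio; the handling of a maximum bandwidth cap is also an assumption.

```python
# Added example (not from the NetEnforcer manual or Allot's code): reproduces the
# manual's worked allocation. Each Virtual Channel first receives its minimum; the
# remaining Pipe bandwidth is divided in proportion to relative priority weights.
# Assumptions: the weight table below (only the 4:10 ratio of 1:7 comes from the
# manual) and the treatment of a maximum cap (surplus goes to the uncapped channels).
from typing import Dict, Optional

# Constructed relative weights; the manual gives only priority 10 = 7 x priority 4.
PRIORITY_WEIGHT: Dict[int, float] = {4: 1.0, 10: 7.0}


def allocate(total_kbps: float, channels: Dict[str, dict]) -> Dict[str, float]:
    """channels: name -> {'min': kbps, 'max': kbps or None, 'priority': int}.
    Returns name -> allocated kbps. Minimums are honoured first; what is left is
    shared by weight, and a channel never exceeds its maximum (a capped channel
    drops out and its surplus is redistributed in later rounds)."""
    alloc = {name: float(spec["min"]) for name, spec in channels.items()}
    remaining = total_kbps - sum(alloc.values())
    if remaining < 0:
        raise ValueError("sum of minimums exceeds the total bandwidth")
    open_set = set(channels)
    while remaining > 1e-9 and open_set:
        weights = {n: PRIORITY_WEIGHT[channels[n]["priority"]] for n in open_set}
        total_weight = sum(weights.values())
        given = 0.0
        for name in list(open_set):
            share = remaining * weights[name] / total_weight
            cap: Optional[float] = channels[name].get("max")
            if cap is not None and alloc[name] + share >= cap:
                share = cap - alloc[name]
                open_set.discard(name)       # capped: no further share
            alloc[name] += share
            given += share
        remaining -= given
    return alloc


if __name__ == "__main__":
    # The manual's example: total 150 Kbps, VC1 min 30 / priority 4, VC2 min 40 / priority 10.
    example = {"VC1": {"min": 30, "max": None, "priority": 4},
               "VC2": {"min": 40, "max": None, "priority": 10}}
    print(allocate(150, example))   # VC1 = 40.0, VC2 = 110.0
```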
3. From the Pipe-based QoS Coverage dropdown list select one of the three options:
• Both Directions Defined the Same: Define QoS for both the inbound and
outbound traffic together (in the General tab and the Inbound and Outbound
tab). This option is normally used in a symmetric environment where inbound
and outbound traffic requirements are identical. Continue with step 4 below.
• Each Direction Defined Separately: Define QoS for the inbound and outbound
traffic individually (in the General tab, the Inbound tab and the Outbound tab).
Continue with step 4 below.
• Half-Duplex Pipe: Define QoS for both the inbound and outbound traffic
together (in the General tab and the Inbound and Outbound tab) in half-duplex
mode. Half-duplex Pipes suit, for example, wireless networks centered on base
stations that act as hubs operating in half-duplex mode, where packets are sent
in only one direction at a time. Continue with step 5.
4. In the Inbound and Outbound tab (for Both Directions Defined the Same and
Each Direction Defined Separately), define the Quality of Service as follows:
• In the Pipe Priority field, select a priority between 1 (lowest) and 10 (highest).
• (Optional) In the Minimum Bandwidth for Pipe (Kbits/sec) field, enter the
minimum bandwidth that will be assigned to the Pipe. As long as there is traffic
requiring bandwidth in this channel, the bandwidth allocated will never be lower
than this limit. Getting bandwidth above the minimum, however, depends on the
traffic priority, should there be competition for the bandwidth.
• In the Minimum Bandwidth Reserved on Use, select Yes to reserve the full
minimum amount of bandwidth for any future traffic in the Pipe, even when the
full minimum bandwidth is not currently required. The actual reservation occurs
when the first connection is established within a Pipe.
• (Optional) In the Maximum Bandwidth for Pipe (Kbits/sec) field, enter the
maximum bandwidth assigned to the entire Pipe. The total bandwidth of all
traffic allocated in this Pipe will not exceed this limit.
NOTE:
To specify a guaranteed bandwidth for a Pipe, specify the same minimum and maximum
bandwidth, for example, 100Kbps.
• In the Mark Out-of-Profile Traffic with TOS field, select the TOS marking to
be applied to each packet in traffic whose bandwidth allocation has reached the
minimum allocated for the Pipe. If you do not want to change the marking, select
Ignore TOS.
NOTE:
The possible values in these TOS marking fields are the entries in the TOS Catalog, described on
page 7-57.
• Continue with step 6.
5. In the Inbound and Outbound tab (for Half-Duplex Pipe), define the Quality of
Service as follows:
8. Click OK. The new entry (entries) is saved in the QoS Catalog. In order to save the
new entry (entries) to the database, you must save the Policy Editor.
3. From the Virtual Channel-based QoS Coverage dropdown list, select whether you
want to define QoS for inbound and outbound together or separately. If you select
Both Directions Defined the Same, you define QoS for both the inbound and
outbound traffic (in the General tab and the Inbound and Outbound tab). If you
select Each Direction Defined Separately, you define QoS for the inbound and
outbound traffic individually (in the General tab, the Inbound tab and the
Outbound tab).
NOTE:
The parameters in the Outbound tab, the Inbound tab and the Outbound and Inbound tab are the
same.
TIP:
The Both Directions Defined the Same option is normally used in a symmetric environment where
inbound and outbound traffic requirements are identical.
TIP:
When working with traffic that consists of very short connections (one or two packets per
connection), it is recommended to specify a minimum bandwidth (such as 50Kbps) per Virtual
Channel, rather than specifying a priority (such as 6). This is because using minimum bandwidth
per Virtual Channel results in a more effective QoS policy.
• In the Mark Traffic with TOS field, select the TOS marking to be applied to
traffic through the Virtual Channel. If you do not want to change the marking,
select Ignore.
5. In the Traffic-Shaping Method field, select either the Burst or CBR (Constant Bit
Rate) radio button to define how the traffic will be shaped.
6. When Burst is selected, enter connection-based information in the following fields
(shown on page 7-75):
• (Optional) In the Minimum Bandwidth (Kbits/sec) field, enter the bandwidth
that will be assigned to the connection. As long as there is traffic requiring
bandwidth in this channel, the bandwidth will never be lower than this limit.
Getting bandwidth above the minimum, however, depends on the traffic priority.
• (Optional) In the Maximum Bandwidth (Kbits/sec) field, enter the maximum
bandwidth assigned to the entire connection. The total bandwidth of all traffic in
this channel will not exceed this limit.
• (Optional) In the Burst Size (Kbits/sec) field, enter the Burst size for the
connection. The Burst size setting allows the traffic to exceed the allotted
bandwidth for a certain fraction of a second. It is allowed to exceed the maximum
(to burst) during that fraction of a second, as long as the traffic does not exceed
the maximum during the whole period of one second.
• For example, if you enter a Burst size of 150Kbps and a maximum of 100Kbps,
NetEnforcer will allow traffic to run at 150Kbps for a fraction of a second, as
long as the amount sent in any whole second does not exceed the maximum of
100Kbps, that is, 100 Kbits in that second.
TIP:
The Burst Size parameter is useful in environments such as satellite communications, where
bandwidth is an expensive resource that must be utilized efficiently.
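The interaction between Maximum Bandwidth and Burst Size can be modelled in a few lines. The following Python is an added example, not NetEnforcer code or Allot's implementation: it assumes a 100 ms scheduling slot and a sliding one-second window, counts everything in whole Kbits so the accounting is exact, and the offered load in it is constructed.

```python
"""Burst-versus-maximum shaping model.

Added illustration, not NetEnforcer code. It models the rule described above:
a Virtual Channel may send at up to its Burst Size for a fraction of a second,
as long as the amount sent in any whole second does not exceed its Maximum
Bandwidth. The 100 ms slot and the sample offered load are assumptions made
for the example.
"""
from collections import deque

SLOT_MS = 100                          # assumed scheduling granularity
SLOTS_PER_SEC = 1000 // SLOT_MS        # slots in a sliding one-second window


class BurstShaper:
    """Enforces a per-slot burst ceiling and a per-second maximum."""

    def __init__(self, max_kbps, burst_kbps):
        if burst_kbps < max_kbps:
            raise ValueError("Burst Size must not be below Maximum Bandwidth")
        self.max_kbit_per_sec = max_kbps                          # Kbit allowed per second
        self.burst_kbit_per_slot = burst_kbps * SLOT_MS // 1000   # Kbit allowed per slot
        self.window = deque()                                     # Kbit sent per recent slot

    def admit(self, offered_kbit):
        """Return the Kbit forwarded in this slot; the remainder waits or is dropped."""
        if len(self.window) == SLOTS_PER_SEC:
            self.window.popleft()                 # slide the window by one slot
        room_in_second = self.max_kbit_per_sec - sum(self.window)
        sent = max(0, min(offered_kbit, self.burst_kbit_per_slot, room_in_second))
        self.window.append(sent)
        return sent


def simulate(max_kbps, burst_kbps, offered_kbit_per_slot, slots=SLOTS_PER_SEC):
    """Kbit forwarded in each slot for a steady offered load (constructed input)."""
    shaper = BurstShaper(max_kbps, burst_kbps)
    return [shaper.admit(offered_kbit_per_slot) for _ in range(slots)]


if __name__ == "__main__":
    # Constructed scenario from the text: maximum 100Kbps, burst 150Kbps,
    # and a client offering 150Kbps (15 Kbit per 100 ms slot) continuously.
    with_burst = simulate(100, 150, 15)
    no_burst = simulate(100, 100, 15)     # Burst Size equal to the maximum
    print("with burst:", with_burst, "total", sum(with_burst))
    print("no burst  :", no_burst, "total", sum(no_burst))
```

With the text's figures the shaper forwards 15 Kbit in each of the first six slots (150Kbps for 600 ms), then throttles, so exactly 100 Kbit crosses in that second; with Burst Size equal to the maximum the same second still carries 100 Kbit, but never above 100Kbps at any instant. The sliding window is what keeps every one-second period, not just the first, at or below the maximum.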
7. When CBR is selected, the following fields are displayed in the Connection
Allocations area:
The CBR (Constant Bit Rate) setting provides the ability to smooth traffic. Traffic
exits NetEnforcer at a constant rate defined in the CBR, as long as the traffic
entering NetEnforcer does so at a rate equal to or greater than the CBR. This ensures
smoothing for streaming applications. Enter information in the fields, as follows:
• In the Guaranteed Bandwidth (Kbits/sec) field, enter the guaranteed bandwidth
for the connection. Guaranteed Bandwidth is the minimum bandwidth assigned to
each connection in the Virtual Channel. Each connection will receive, if required,
at least the bandwidth specified in this parameter. Each connection can receive
more bandwidth than the guaranteed value, up to the maximum defined for the
Virtual Channel, and according to the priority of the Virtual Channel. Guaranteed
Bandwidth provides the most predictable results for critical traffic and allows
other connections to borrow the bandwidth when it is not in use. Guaranteed
Bandwidth always supersedes the needs of other, non-guaranteed connections.
TIP:
This is useful in multimedia applications, such as Voice over IP.
• In the Delay (Microseconds) field, enter the delay value. The default delay value
is 1 second (1,000,000 microseconds) and is hidden. You can specify any delay, as
long as it does not exceed 1 second. If you specify a delay other than the default,
you need to know your application's buffering capability: the larger the
application's buffer, the larger the delay you can specify. The optimum delay
facilitates better bandwidth management because it sets the bound used by the
Quality of Service mechanism when it decides whether to discard or keep a
packet. The objective of setting the optimum delay is to keep jitter at a minimum
(0 at best).
8. Select the General tab.
10. From the dropdown list in the Conditional Admission area, select one of the
following:
• Admit by Priority: Accept the new connection, but do not assign the minimum
bandwidth. The new connection gets bandwidth per priority.
• Drop: All packets are dropped. The user is disconnected and may see the
message Connection timed-out.
NOTE:
The Drop option is provided for connectionless protocols such as UDP, where the client does not
expect acknowledgements (ACKs), so there is no connection for a reset to close.
• Reject: All packets are dropped. In TCP, an RST packet is sent to the client and
the user may see the message Connection Closed by Server.
11. Click OK. The new entry (entries) is saved in the QoS Catalog. In order to save the
new entry (entries) to the database, you must save the Policy Editor.
NOTE:
The Pass as is entry is Protected, meaning the definitions for this entry cannot be modified.
The Connection Control Catalog Editor enables you to define load balancing and cache
redirection servers in entries. This means that when traffic meets the definitions of a
policy, it can be forwarded to a load-balancing or cache redirection server. You can
only define entries that specify a load-balancing server or cache server when your
NetEnforcer system includes the optional NetBalancer or CacheEnforcer modules.
For normal traffic, without either cache redirection or load-balancing requirements, the
predefined entry, Pass as is, should be used. You cannot delete the predefined Pass as
is entry nor can you create additional entries with Pass as is selected in the Servers
Used for field.
Load-Balancing
When your system includes the NetBalancer module, you can add an entry to the
Connection Control Catalog that defines a load-balancing server.
3. Double-click in the Host Name / IP field and enter the load-balancing server (by
host name or IP address). The system automatically recognizes the format and
displays the appropriate entry in the Type column.
For more information on the parameters for configuring load-balancing options, refer to
the NetBalancer User's Manual.
Cache Redirection
When your system includes the CacheEnforcer module, you can add an entry to the
Connection Control Catalog that defines a cache server.
3. Double-click in the Host Name / IP /MAC field and enter the cache redirection
server (by host name format, IP address or MAC address). The system automatically
recognizes the format and displays the appropriate entry in the Type column.
For more information on the parameters for configuring cache-redirecting options, refer
to the CacheEnforcer User's Manual.
6. Click OK. The new entry is saved in the Data Source Catalog and the Data Source
Catalog is closed. In order to save the new entry to the database, you must save the
Policy Editor.
3. In the Host field, enter the IP address or host name of the location of the text source
file.
4. In the Description field, enter a description for the text source file, if required.
5. Click OK. The new entry is saved in the Data Source Catalog and the Data Source
Catalog is closed. In order to save the new entry to the database, you must save the
Policy Editor.
This chapter describes the process of defining a QoS policy and optimizing this policy
in your particular network environment. In NetEnforcer, policy is defined using Pipes,
Virtual Channels, and rules.
NetEnforcer Policy
NetEnforcer enables you to classify traffic and enforce Quality of Service according to
high-level, easy-to-understand concepts. Traffic can be logically grouped into categories
such as Mission Critical, Timing Critical, or Low Priority. These result in the desired
network actions when matched to network traffic.
QoS policy consists of a set of conditions (rules) and a set of actions that apply as a
consequence of the conditions being satisfied. Traffic is classified using Pipes and
Virtual Channels. A Pipe and a Virtual Channel are defined by one or more rules and a
set of actions. A Pipe includes one or more Virtual Channels.
A sample Policy showing the relationship between Pipes, Virtual Channels and rules is
illustrated below:
Every connection passing through NetEnforcer is matched to a rule at Pipe level. This
means that NetEnforcer looks to match the connection to any of the sets of conditions
defined for a Pipe. If a match is found, the connection is then matched to a rule at
Virtual Channel level. This means that NetEnforcer looks to match the connection to
any of the sets of conditions defined for the Virtual Channels within the Pipe.
Pipes
A Pipe provides a way of classifying traffic that enables you to divide the total
bandwidth and then manage every Pipe as if it was an independent link. A Pipe consists
of one or more sets of conditions (rules) and a set of actions that apply when any of the
rules are met. A Pipe can aggregate several Virtual Channels, acting like a container of
Virtual Channels from a QoS point of view. When you add a new Pipe, it always
includes at least one Virtual Channel, the Fallback Virtual Channel. The rule of the
Fallback Virtual Channel cannot be modified or deleted. A connection coming into
NetEnforcer is matched to a Pipe according to whether the characteristics of the
connection match any of the rules of the Pipe. The connection is then further matched to
the rules of a Virtual Channel under the Pipe. The actions defined for the Pipe influence
all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are
enforced together with the actions of the Pipe.
Virtual Channels
A Virtual Channel provides a way of classifying traffic and consists of one or more sets
of conditions (rules) and a set of actions that apply when any of the rules are met. A
Virtual Channel is defined within a Pipe. A connection matched to a Pipe is further
matched to a Virtual Channel according to whether the characteristics of the connection
match any of the rules of the Virtual Channel.
Rules
A rule is a set of six conditions. Rules can be defined at Pipe level or Virtual Channel
level. NetEnforcer matches connections to rules, first at the Pipe level and then at
Virtual Channel level within a Pipe.
The six conditions that make up a rule are as follows:
• Connection Source: Defines the source of the traffic. For example, specific IPs or
MAC addresses, a range of IP addresses, IP Subnet addresses, or host names. The
default value is Any which covers traffic from any source.
• Connection Destination: Defines the destination of the traffic. For example,
specific IPs or MAC addresses, a range of IP addresses, IP Subnet addresses, or
host names. The default value is Any which covers traffic to any destination.
• Service: Defines the protocols relevant to a connection. A service may be TCP
or UDP over IP, another (non-TCP, non-UDP) IP protocol, or a non-IP protocol.
TCP and UDP services are defined by port. HTTP services may include content
definitions, such as specific Web directories, pages, or URL patterns. The default
value is All which covers all protocols.
• TOS: Defines the TOS byte contained in the IP headers of the traffic. The default
value is Any which covers any TOS value.
• VLAN: Defines VLAN traffic classification according to VLAN ID (VLAN
Identifier) tags, consisting of 12 bits, and according to tagging priority bits,
consisting of three bits.
• Time: Defines the time period during which the traffic is received. For example
daily between 8.00 AM and 6.00 PM, Sundays between 12.00 AM and 12.00 PM
or on the 1st and 15th of the month. The default value is Always which covers
traffic at any time.
When a new Pipe or Virtual Channel is created, it is assigned a default rule with default
values for each condition and you can modify these values as required.
The possible values for each condition are defined in the Catalog entries in the Catalog
Editors. A Catalog Editor enables you to give a logical name to a comprehensive set of
parameters (a Catalog entry). This logical name then becomes a possible value for a
condition. Catalog Editors are described in detail in Chapter 7, Defining Catalog
Entries.
TIP:
If you classify traffic by a specific Connection Source or Connection Destination, make sure your definition
applies to both directions, from the Source to the Destination and from the Destination to the Source. For
example, if you define HostName as the Connection Source and Any as the Connection Destination, make
sure that the rule is bi-directional, so that traffic from Any to HostName is also covered.
Actions
Pipes and Virtual Channels include a set of actions that is assigned to traffic once it
meets any of the rules defined for the Pipe or Virtual Channel. There are two actions
that can be defined for a Pipe: Access Control and Quality of Service, and three actions
that can be defined for a Virtual Channel: Access Control, Quality of Service and
Connection Control. Only if Access Control is set to Accept may the other actions
apply.
Access Control
This action determines the access given to traffic. The possible values are as follows:
Accept The connection is accepted and traffic is granted access. This is the default
value.
Drop All packets are dropped and nothing is sent back to the client. The user
is disconnected and may see the message Connection timed-out.
Reject All packets are dropped. In TCP traffic, an RST packet is sent to the client
and the user may see the message Connection Closed by Server.
If the Access Control for a Pipe or Virtual Channel is specified as Reject or Drop, all
traffic meeting the rules of the Pipe or Virtual Channel is dropped and no other Quality
of Service or Connection Control actions are applied. Reject gives the client an
immediate, explicit failure; Drop leaves the client to time out, and is the choice for
protocols such as UDP where the client expects no acknowledgement.
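The matching order (Pipe rule first, then Virtual Channel rule, with the Fallback entries catching everything else), the effect of a bidirectional rule on the reverse flow, and the precedence of Access Control over the other actions can be made concrete. The following Python model is an added example and not NetEnforcer code; the Pipe and Virtual Channel names, addresses, services and hours in it are constructed, and only four of the six conditions (Connection Source, Connection Destination, Service and Time) are modelled.

```python
"""Two-level policy matching model.

Added illustration, not NetEnforcer code. A connection is matched to the
first Pipe whose rule it satisfies, then to the first Virtual Channel within
that Pipe; the Fallback entries match anything. A bidirectional rule also
matches the reverse flow. An Access Control verdict of Drop or Reject at
either level stops any QoS or Connection Control action from applying.
The sample policy, addresses and service names are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY, ALL, ALWAYS = "Any", "All", "Always"      # condition defaults


@dataclass
class Connection:
    src: str
    dst: str
    service: str        # e.g. "HTTP", "FTP", "SMTP"
    hour: int           # hour of day, 0-23


@dataclass
class Rule:
    source: str = ANY            # "Any" or CIDR text
    destination: str = ANY
    service: object = ALL        # "All" or a set of service names
    time: object = ALWAYS        # "Always" or (start_hour, end_hour)
    bidirectional: bool = True   # the Dir field

    @staticmethod
    def _host_ok(cond, ip):
        return cond == ANY or ip_address(ip) in ip_network(cond)

    def _endpoints_ok(self, src, dst):
        return self._host_ok(self.source, src) and self._host_ok(self.destination, dst)

    def matches(self, c):
        if self.service != ALL and c.service not in self.service:
            return False
        if self.time != ALWAYS and not (self.time[0] <= c.hour < self.time[1]):
            return False
        if self._endpoints_ok(c.src, c.dst):
            return True
        # A bidirectional rule also covers traffic from Destination to Source
        return self.bidirectional and self._endpoints_ok(c.dst, c.src)


@dataclass
class Entry:
    """A Pipe or a Virtual Channel: one or more rules plus a set of actions."""
    name: str
    rules: list = field(default_factory=lambda: [Rule()])   # the default rule
    access: str = "Accept"                    # Accept | Drop | Reject
    qos: str = "Normal Priority"
    connection_control: str = "Pass As Is"    # Pipes: always Pass As Is
    channels: list = field(default_factory=list)   # Pipes only

    def matches(self, c):
        return any(r.matches(c) for r in self.rules)


def classify(pipes, c):
    """First matching Pipe, then first matching Virtual Channel inside it."""
    for pipe in pipes + [Entry("Fallback Pipe")]:
        if pipe.matches(c):
            for vc in pipe.channels + [Entry("Fallback")]:
                if vc.matches(c):
                    return pipe, vc
    raise AssertionError("unreachable: the Fallback entries match everything")


def enforce(pipes, c):
    """Access Control is checked first; only Accept lets the other actions apply."""
    pipe, vc = classify(pipes, c)
    result = {"pipe": pipe.name, "vc": vc.name}
    for level in (pipe, vc):
        if level.access == "Drop":       # silent: the client sees a timeout
            return {**result, "verdict": "drop", "rst_sent": False}
        if level.access == "Reject":     # TCP RST goes back to the client
            return {**result, "verdict": "reject", "rst_sent": True}
    return {**result, "verdict": "accept", "qos": (pipe.qos, vc.qos),
            "connection_control": vc.connection_control}


# Constructed sample policy (assumed names, addresses and services)
SAMPLE_PIPES = [
    Entry("Gold Customers", rules=[Rule(source="10.1.0.0/16")], qos="High Priority",
          channels=[
              Entry("Web", rules=[Rule(service={"HTTP", "HTTPS"}, time=(8, 18))],
                    qos="Guaranteed 100K"),
              Entry("FTP", rules=[Rule(service={"FTP"})], access="Reject"),
          ]),
    Entry("Mail Server",
          rules=[Rule(destination="192.0.2.25/32", service={"SMTP"}, bidirectional=False)],
          channels=[Entry("Mail", rules=[Rule(service={"SMTP"})], qos="Low Priority")]),
]

if __name__ == "__main__":
    for conn in (Connection("10.1.2.3", "203.0.113.5", "HTTP", 10),
                 Connection("203.0.113.5", "10.1.2.3", "HTTP", 10),     # reverse flow
                 Connection("10.1.2.3", "203.0.113.5", "FTP", 10),      # Reject VC
                 Connection("10.1.2.3", "203.0.113.5", "HTTP", 22),     # outside 8-18
                 Connection("198.51.100.7", "192.0.2.25", "SMTP", 10),
                 Connection("192.0.2.25", "198.51.100.7", "SMTP", 10)):  # reverse, unidirectional
        print(conn, "->", enforce(SAMPLE_PIPES, conn))
```

Two details worth checking against your own policy: the reverse SMTP flow falls through to the Fallback Pipe because the Mail Server rule is unidirectional, which is exactly the case the TIP under Rules warns about; and the FTP connection from a Gold customer gets a reject verdict even though its Pipe is Accept with High Priority, because the Virtual Channel's Access Control is evaluated before any QoS is granted.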
Quality of Service
This action determines the QoS given to traffic. The QoS specified can include the
following:
• Priority per Pipe/Virtual Channel
• Minimum and maximum bandwidth per Pipe/Virtual Channel
• Minimum and maximum bandwidth per connection (Virtual Channels only)
• Guaranteed bandwidth per connection (Virtual Channels only)
• Traffic shaping by enforcing Constant Bit Rate (CBR) or Burst level (Virtual
Channels only)
• TOS marking per channel
• Admission Control (number of connections)
• Reserve on Demand (Pipes only)
• Conditional Admission
The default Quality of Service action for Pipes or Virtual Channels is Normal Priority,
which has Level 4 priority, no bandwidth definitions, no TOS marking and no
connection limitations.
The possible values for the Quality of Service action are defined in a Catalog entry in
the Quality of Service Catalog Editor. A Catalog Editor enables you to assign a logical
name to a comprehensive set of parameters. This logical name then becomes a possible
value for an action. Catalog Editors are described in detail in Chapter 7, Defining
Catalog Entries.
TIP:
To evaluate what Quality of Service to set for each Pipe or Virtual Channel, consider the following:
• Do you know the applications running in your network? (For more information, refer to Chapter 6,
Monitoring Network Traffic.)
• During peak periods, what percentage of total traffic does each Pipe or Virtual Channel represent?
• Do you want to guarantee some minimum bandwidth for time-critical applications?
• Do you want to assign a higher priority to some applications?
It is recommended to start out simply and then, over time, to fine-tune the Pipes, Virtual Channels and rules
to meet your needs. Classify your Pipes and Virtual Channels by protocol and assign each of them Normal
priority, or use the default set of Pipes and Virtual Channels included with NetEnforcer. Monitor the results
for a period of time, using a tool such as NetWizard (described in Chapter 5, NetWizard Quick Start), and
observe how much bandwidth each of the Pipes and Virtual Channels utilizes during peak hours. Then,
using this data, create new QoS Catalog entries and assign them to the Pipes and Virtual Channels.
Now gradually increase the priority of one or two of your high-priority applications, and decrease the
priority of one or two of your lower priority ones. Observe response time during a typical day’s traffic cycle
(peak and non-peak).
Gradually fine-tune the system. Increase the number of Pipes and Virtual Channels by dividing one Pipe or
Virtual Channel into several distinct ones, as the need arises. The process of assigning Quality of Service
should continue by limiting lower priority traffic and increasing bandwidth to those applications that need or
deserve more bandwidth. For high-priority traffic, you should gradually increase the priority and assign
more minimum or fixed bandwidth. For lower priority traffic, you can lower its priority and assign a
maximum bandwidth during peak periods. You can also limit the number of active connections for that
channel. For example, if you wish to limit FTP traffic, you can specify a maximum number of connections
for all FTP traffic.
Internet connection bandwidth consumption with and without NetEnforcer is shown below:
(Figure: Internet connection without NetEnforcer, Email 60%; Internet connection with NetEnforcer, Email 30%.)
Without NetEnforcer, Internet connection bandwidth is consumed by batch traffic such as Email, while
e-Business traffic is inhibited by lengthy response time (meaning e-Business gets only 20% of bandwidth).
With NetEnforcer used for bandwidth management, Internet connection traffic is managed according to
business priorities. For example, email is limited to 30% of bandwidth, while e-Business is granted a higher
bandwidth portion, up to 60% of bandwidth. The end result is that critical application users enjoy a better
response time.
Connection Control
This action determines whether the traffic is redirected to a specialty load-balancing or
cache server. The default value is Pass As Is, which means that the traffic is not
redirected. In order to specify other values for this action, you must have the
NetBalancer or the CacheEnforcer optional modules activated in your NetEnforcer
system. Refer to Chapter 4, Configuring NetEnforcer for more details.
This action can only be defined for Virtual Channel. The Connection Control for a Pipe
is always Pass As Is.
The possible values for the Connection Control action are defined in a Catalog entry in
the Connection Control Catalog Editor. A Catalog Editor enables you to assign a logical
name to a comprehensive set of parameters. This logical name then becomes a possible
value for an action. Catalog Editors are described in detail in Chapter 7, Defining
Catalog Entries.
The functions of NetBalancer and CacheEnforcer are as follows:
• CacheEnforcer directs requests to a cache server. You can add cache servers and
determine the action to be taken when the server list is exhausted. CacheEnforcer
lists alternate servers, enabling a request to be redirected to other servers on the list
should a server not respond. If and when all the listed servers do not respond, you
can determine the action that is to be taken. Refer to the CacheEnforcer User’s
Manual for more information.
• NetBalancer enables you to distribute traffic loads between servers. Refer to the
NetBalancer User’s Manual for more information.
Using Templates
Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will
create multiple Pipes or Virtual Channels very similar to each other. Templates work
with host entries defined in the Host Catalog.
The Policy Editor provides a tree-table of the Pipes and Virtual Channels currently
defined in your NetEnforcer. Each line in the table represents a single rule (of a Pipe or
a Virtual Channel). A Pipe can be defined by one or more rules and can include one or
more Virtual Channels. A Virtual Channel can be defined by one or more rules.
NOTE:
The first rule of a Pipe or Virtual Channel is visually embedded in the first line of the Pipe or Virtual
Channel so there is no rule icon associated with this first rule. Other rules have icons.
There is always one default Pipe, called Fallback Pipe, in the Policy Editor. The
conditions or rule of this default Pipe cannot be modified or deleted.
Every Pipe has a default Virtual Channel called Fallback. The conditions or rule of this
default Virtual Channel cannot be modified or deleted, but you can delete the Pipe
entirely. You can expand/collapse Pipes and Virtual Channels in the Policy Editor by
clicking the expand or collapse control on the left of a Pipe or Virtual Channel, or pressing
<Shift + right arrow> or <Shift + left arrow> on your keyboard.
View Options
You can modify the Policy Editor view by selecting to hide or display the available
columns.
2. Select the checkboxes to the left of the columns you want to display in the Policy
Editor.
3. Click OK.
NOTE:
Some of these options are also available when right-clicking a line in the Policy Editor. In addition, you
can access monitoring graphs from the right-click menu of a Pipe or Virtual Channel. Monitoring graphs
are described in Chapter 6, Monitoring Network Traffic.
Defining Policy
The typical workflow for configuring your QoS policy is shown in the following
diagram:
(Workflow: Define Pipes, then Define Virtual Channels.)
Each step of the workflow is described in the following sections. You can also define
Pipes and Virtual Channels using templates, described on page 8-28.
Adding Pipes
Each Pipe is defined by at least one rule (set of conditions), and any traffic meeting
those conditions is channeled to that Pipe. The actions defined for the Pipe are then
applied to the traffic.
To add a pipe:
1. Add a Pipe in one of the following ways:
• Select a Pipe in the policy table and click the Insert Pipe button (blue icon) in the toolbar.
• Select a Pipe in the policy table and select Pipe from the Insert menu.
• Right-click a Pipe in the policy table and select Insert and then Pipe from the
popup menus that are displayed.
• Press <Ctrl + P> on your keyboard (at the same time).
A new Pipe is added above the selected Pipe. The new Pipe contains a default
Virtual Channel (Fallback), and has default values for its rule (conditions) and
actions.
2. Edit the name of the Pipe, if required, and press <Enter>. Assigning a logical name
to the Pipe helps you to classify your traffic.
NOTE:
You can rename a Pipe at any time by selecting Rename from the Edit menu.
3. Modify the rule of the Pipe by clicking the cell in the relevant column and selecting
the required condition from the dropdown list that is displayed. The rule is made up
of the following conditions:
Connection Source The source of the traffic.
Connection Destination The destination of the traffic.
Service The protocol relevant to a connection.
Time The time of the connection.
TOS The TOS marking of the connection.
VLAN The VLAN tag (VLAN ID and priority bits) of the connection.
4. Modify the actions of the Pipe by clicking the cell in the relevant column and
selecting the required action from the dropdown list that is displayed. The actions
are as follows:
Access The access given to traffic.
Quality of Service The quality of service applied to traffic given access.
The QoS determines priority, minimum and maximum
bandwidth and the maximum number of connections.
NOTE:
The Connection Control action for a Pipe is always Pass As Is.
5. Specify the direction of the traffic between the selected source and destination by
clicking in the Dir field and selecting one of the following:
Bidirectional The flow of traffic in either direction between the
selected source and destination (default).
Unidirectional The flow of traffic from the selected source to the
selected destination.
6. When a new Pipe is created, it is automatically enabled, meaning once the Policy
Editor is saved to NetEnforcer, the Pipe is taken into account by NetEnforcer. You
can enable or disable the Pipe in one of the following ways:
• Select Enable or Disable from the Edit menu.
• Right-click in the In Use column and select Enable or Disable from the popup
menu.
• Click the Enable or Disable button.
NOTE:
When a Pipe is disabled, its rules and the Virtual Channels under the Pipe are disabled automatically.
You can now define further rules for the Pipe or add further Virtual Channels to the
Pipe, as required.
A new Virtual Channel is added to the selected Pipe, or to the Pipe to which the
selected Virtual Channel belongs. The new Virtual Channel has default values for its
rule (conditions) and actions.
2. Edit the name of the Virtual Channel, if required, and press <Enter>. Assigning a
logical name to the Virtual Channel helps you to classify your traffic.
NOTE:
You can rename a Virtual Channel at any time by selecting Rename from the Edit menu.
3. Modify the rule of the Virtual Channel in the same way as for a Pipe, described on
page 8-22.
4. Modify the actions of the Virtual Channel by clicking the cell in the relevant column
and selecting the required action from the dropdown list that is displayed. The
actions are as follows:
Access The access given to traffic.
Quality of Service The quality of service applied to traffic given access.
The QoS determines priority, minimum and maximum
bandwidth, traffic-shaping techniques (CBR or Burst)
and the maximum number of connections.
Connection Control The redirection of traffic to a load-balancing server or
cache server, if required.
5. Specify the direction of the traffic between the selected source and destination by
clicking in the Dir field and selecting one of the following:
Bidirectional The flow of traffic in either direction between the
selected source and destination (default).
Unidirectional The flow of traffic from the selected source to the
selected destination.
6. When a new Virtual Channel is created, it is automatically enabled, meaning once
the Policy Editor is saved to NetEnforcer, the Virtual Channel is taken into account
by NetEnforcer. You can enable or disable the Virtual Channel in one of the
following ways:
• Select Enable or Disable from the Edit menu.
• Right-click in the In Use column and select Enable or Disable from the popup
menu.
• Click the Enable or Disable button.
• Press <Ctrl + E> to enable.
• Press <Ctrl + D> to disable.
NOTE:
When a Virtual Channel is disabled, its rules are disabled automatically.
TIP:
You can also add a new Virtual Channel by copying and pasting an existing Virtual Channel and modifying
its definition.
You can now define further rules for the Virtual Channel, as required.
Adding Rules
A rule is made up of six conditions. When traffic meets the conditions of a rule, it is
assigned to that rule. The actions assigned to the traffic are the actions defined for the
Pipe or Virtual Channel to which the rule belongs.
To add a rule:
1. Add a rule in one of the following ways:
• Select a Pipe, Virtual Channel or rule in the policy table and click the Insert Rule
button (purple icon) in the toolbar.
• Select a Pipe, Virtual Channel or rule in the policy table and select Rule from the
Insert menu.
• Right-click a Pipe, Virtual Channel or rule in the policy table and select Insert
and then Rule from the popup menus that are displayed.
• Press <Ctrl + K> on your keyboard.
A new rule is added to the selected Pipe or Virtual Channel, or to the Pipe or Virtual
Channel to which the selected rule belongs.
NOTE:
Rules do not have names.
2. Specify the conditions for the rule in the same way as for a Pipe, described on
page 8-22.
3. Specify the direction of the traffic between the selected source and destination by
clicking in the Dir field and selecting one of the following:
Bidirectional The flow of traffic in either direction between the
selected source and destination (default).
Unidirectional The flow of traffic from the selected source to the
selected destination.
4. When a new rule is defined for a Pipe or Virtual Channel, it is automatically
enabled, meaning once the Policy Editor is saved to NetEnforcer, the rule is taken
into account by NetEnforcer. You can enable or disable the rule in one of the
following ways:
• Select Enable or Disable from the Edit menu.
• Right-click in the In Use column and select Enable or Disable from the popup
menu.
• Click the Enable or Disable button.
• Press <Ctrl + E> to enable.
• Press <Ctrl + D> to disable.
You can continue to define further Pipes, Virtual Channels and rules, as required. To
speed up the process, you can copy and paste existing Pipes, Virtual Channels and rules
and then modify their settings, as required. Remember, when you have completed your
editing session, click the Save button to save the new rules, Virtual Channels and Pipes to
NetEnforcer.
You can also create and insert a Pipe or Virtual Channel template as described on
page 8-28.
Templates
Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will
create multiple Pipes or Virtual Channels very similar to each other. Templates work
with host entries defined in the Host Catalog. For example, if you had a Host Group
type entry in the Host Catalog called Gold Customers that consisted of Company X,
Company Y and Company Z, you could define a Pipe template to be expanded for Gold
Customers. This would result in Pipes being created for Company X, Company Y and
Company Z when the Policy Editor is saved.
With Host List type entries, templates are only effective when the Host List entry
includes more than one host or IP address or a range of IP addresses. For example,
creating a Pipe template based on a Host List type entry that includes a range of IP
addresses generates a Pipe instance for each IP in the range.
NOTE:
It is not possible to view Pipe instances in the Policy Editor. However, the instances are available for
selection in the Monitoring module, described in Chapter 6, Monitoring Network Traffic.
A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual
Channels on source/destination differentiation. This means that you do not need to
define similar Pipes and Virtual Channels when the only difference between them is the
IP address in the source or destination.
New features include:
• The Template on Range feature allows you to define a range of IPs or a subnet.
• The Expand feature has been removed; a template now automatically implies expansion.
2. Select the Host Catalog entry for which you want to create Pipe instances from the
dropdown list.
NOTE:
You can open the Host Catalog Editor and add or modify entries as required by clicking Host Editor.
3. In the Direction Settings area, select whether to expand the Pipe by connection
source or destination or both.
• If you select Bi-Directional, an instance of the Pipe will be generated for all
hosts specified in the selected Host Catalog entry. The Pipes will be
bi-directional, meaning that the traffic can be flowing either to or from the host in
order to match the Pipe.
• If you select Uni-Directional, you must then select whether to expand the Pipe
by connection source or destination. When Connection Source is selected, the
Pipes generated will be uni-directional from the source, meaning that the traffic
must be flowing from the host in order to match the Pipe. When Connection
Destination is selected, the Pipes generated will be uni-directional to the
destination, meaning that the traffic must be flowing to the host in order to match
the Pipe.
5. Edit the name of the Pipe template, if required. The new Pipe template is displayed
in the policy table with the selected Host Catalog entry as the Connection Source or
Connection Destination.
6. Modify the Pipe template as required. You can modify its existing rule (conditions),
modify its actions, define further rules and add Virtual Channels. The resulting Pipe
instances receive any modifications or additions made to the Pipe template.
NOTE:
You can change the Host Catalog entry for which you want to define Pipe instances at any time by
right-clicking the Pipe template name and selecting Expand by and then selecting another Host Catalog
entry.
Pipes identical to the Pipe template but with a different Connection Source or
Connection Destination are created for every member of the selected Host Catalog
entry upon saving the Policy Editor. These Pipes are not displayed in the policy table. A
Pipe is indicated as a template or master Pipe by a template symbol in its icon and a
matching symbol next to the entry in the Connection Source or Connection Destination field.
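What a template produces on save, for Pipe templates as described here and equally for the Virtual Channel templates described next, can be seen in the following Python model. It is an added example and not NetEnforcer code: the Host Catalog contents, the "first-last" range syntax, the instance names and the choice to expand a subnet to every address in it are all assumptions made for the example.

```python
"""Template expansion model.

Added illustration, not NetEnforcer code. When a Pipe or Virtual Channel
template is saved, one instance is generated per member of the selected
Host Catalog entry, with the member placed in Connection Source, Connection
Destination, or both, according to the Direction Settings. A Host Group
expands to one instance per member; a Host List expands to one instance per
host, an IP range or subnet contributing one instance per address. Catalog
contents, range syntax and instance naming are assumptions for the example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed Host Catalog (assumed). A Host Group lists named hosts; a Host
# List holds single addresses, inclusive ranges written "first-last", or subnets.
HOST_CATALOG = {
    "Gold Customers": {"type": "group",
                       "members": ["Company X", "Company Y", "Company Z"]},
    "Branch Routers": {"type": "list",
                       "members": ["192.0.2.10", "192.0.2.20-192.0.2.22",
                                   "198.51.100.0/30"]},
}


def expand_members(entry_name):
    """Yield one host per instance the template will generate."""
    entry = HOST_CATALOG[entry_name]
    if entry["type"] == "group":
        yield from entry["members"]
        return
    for item in entry["members"]:
        if "/" in item:                       # subnet: every address in it (assumed)
            for ip in ip_network(item, strict=False):
                yield str(ip)
        elif "-" in item:                     # inclusive range "first-last" (assumed)
            first, last = (ip_address(p.strip()) for p in item.split("-", 1))
            ip = first
            while ip <= last:
                yield str(ip)
                ip += 1
        else:                                 # single host name or IP address
            yield item


@dataclass(frozen=True)
class Rule:
    source: str = "Any"
    destination: str = "Any"
    bidirectional: bool = True


@dataclass(frozen=True)
class Template:
    name: str
    host_entry: str          # Host Catalog entry selected in the dropdown
    direction: str           # "bidirectional" | "source" | "destination"
    rule: Rule = Rule()      # the template's own (editable) rule


def expand_template(t):
    """Instances created when the Policy Editor is saved, as (name, rule) pairs."""
    instances = []
    for host in expand_members(t.host_entry):
        if t.direction == "bidirectional":    # traffic to or from the host
            rule = replace(t.rule, source=host, bidirectional=True)
        elif t.direction == "source":         # traffic from the host only
            rule = replace(t.rule, source=host, bidirectional=False)
        elif t.direction == "destination":    # traffic to the host only
            rule = replace(t.rule, destination=host, bidirectional=False)
        else:
            raise ValueError(f"unknown direction {t.direction!r}")
        instances.append((f"{t.name} [{host}]", rule))
    return instances


if __name__ == "__main__":
    for name, rule in expand_template(Template("Gold", "Gold Customers", "bidirectional")):
        print(name, rule)
    for name, rule in expand_template(Template("Branch", "Branch Routers", "destination")):
        print(name, rule)
```

The Branch Routers list expands to eight instances (one single address, three from the range, four from the /30), which illustrates why a range-based template can create far more Pipes than the policy table shows; each of those hidden instances is what you will see when selecting Pipes in the Monitoring module.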
2. Select the Host Catalog entry for which you want to create Virtual Channel instances
from the dropdown list.
NOTE:
You can open the Host Catalog Editor and add or modify entries as required by clicking Host Editor.
3. In the Direction Settings area, select whether to expand the Virtual Channel by
connection source or destination or both.
• If you select Bi-Directional, an instance of the Virtual Channel will be generated
for all hosts specified in the selected Host Catalog entry. The Virtual Channels
will be bi-directional, meaning that the traffic can be flowing either to or from the
host in order to match the Virtual Channel.
• If you select Uni-Directional, you must then select whether to expand the Virtual
Channel by connection source or destination. When Connection Source is
selected, the Virtual Channels generated will be uni-directional from the source,
meaning that the traffic must be flowing from the host in order to match the
Virtual Channel. When Connection Destination is selected, the Virtual Channels
generated will be uni-directional to the destination, meaning that the traffic must
be flowing to the host in order to match the Virtual Channel.
4. Click OK. A new Virtual Channel template is added to the policy table.
5. Edit the name of the Virtual Channel template, if required. The new Virtual Channel
template is displayed in the policy table with the selected Host Catalog entry as the
Connection Source or Connection Destination.
6. Modify the Virtual Channel template as required. You can modify its existing Rule
(conditions), modify its actions and define further Rules. The resulting Virtual
Channel instances receive any modifications or additions made to the Virtual
Channel template.
NOTE:
You can change the Host Catalog entry for which you want to define Virtual Channel instances at any
time by right-clicking the Virtual Channel template name and selecting Expand by and then selecting
another Host Catalog entry.
Virtual Channels identical to the Virtual Channel template but with a different
Connection Source or Connection Destination are created for every member of the
selected host entry. These Virtual Channels are not displayed in the policy table. A
Virtual Channel is indicated as a template or master Virtual Channel by the symbol
in its icon and the symbol next to the entry in the Connection Source or
Connection Destination field.
NOTE:
For example, tiered services may be defined quickly using templates. Create one template to represent
Platinum service with a minimum of 500Kbps per user, a second to represent Gold service with a
minimum of 250Kbps per user and a third to represent Silver service with a maximum of 100 Kbps per
user.
2. To add a device to the distribution list, click Add. The Device Properties dialog box
is displayed.
You can further modify the distribution list in the following ways:
• Select a device in the list and click Edit. Modify the properties of the device in the
Device Properties dialog box as required.
• Select a device in the list and click Delete. The selected device is deleted from the
distribution list.
• Click Delete All to delete all devices from the distribution list.
To distribute the QoS policy to the devices on the distribution list, select Save &
Distribute from the File menu. A report on the results of the distribution is displayed,
for example:
This chapter describes the NetEnforcer Alerts Editor and Alerts Log.
Overview
The Alerts feature allows the user not only to monitor the state of the system, but also
to be alerted when certain thresholds are met. For example, users can set an alert to
identify when the bandwidth for a particular link/customer is close to reaching its
maximum. Utilizing the Alert mechanism, an action can be taken before network
problems occur (e.g., before the line becomes fully utilized and congestion exists).
Thresholds can also be set to identify excessive connections or abnormal behavior on
the line.
TIP:
Users can be alerted of potential virus attacks by setting alerts on certain connection limits.
The Alerts feature enables users to set Actions to occur when certain user-defined
thresholds are reached for the following entities:
• NetEnforcer
• Pipe
• VC
• System
Within each entity there are various conditions that can be monitored as well as
numerous actions that can be taken in the event of an alert. The basic actions are:
• Send SNMP trap
• Send email (up to two addresses)
• Send SMS
• Change access control
• Change priority
Important Preparation
In order to work with alerts, you must specify the following parameters in the Alerts tab
of the NetEnforcer Configuration window:
• Select the Activate Alert Dispatching on NetEnforcer checkbox. This is checked
by default.
• Define any relevant email addresses and SMS targets for alerts.
• Click or select Save to NetEnforcer from the File menu in the NetEnforcer
Configuration window to save the configuration.
The NetEnforcer Configuration window is described in Chapter 4, Configuring
NetEnforcer.
Alerts Editor
The Alerts Editor enables you to define events or conditions that will trigger alerts (alert
definitions). Alerts can be triggered according to conditions existing in NetEnforcer, a
selected Pipe or Virtual Channel, or in the system generally. You can define up to 100
alert definitions in the Alerts Editor.
When an alert is triggered, it is displayed in the Alerts Log. You can also send
notification of alerts by SMS, email or SNMP.
4. From the Object Type dropdown list, select the object to observe. This is the object
on which, once the specified condition exists, the alert is triggered. Select from one of
the following:
• NetEnforcer
• Pipe
• Virtual Channel
• System
5. If you selected Pipe or Virtual Channel in step 4, the Selected Pipe or Selected VC
field is displayed below the Object Type dropdown list. Select the Pipe or Virtual
Channel to observe by clicking the button and browsing to the required Pipe or
Virtual Channel.
6. In the Condition area, select the condition that must exist on the selected object in
order for the alert to occur. The available conditions vary according to the object
type selected. Additionally, each condition may have different parameters. For a full
list of conditions and their parameters, refer to page 9-12. When you have selected a
condition, a summary of the alert definition is provided in the Condition area. For
example, when NetEnforcer is selected as the Object Type and Any Traffic is
selected as the Condition, an alert is triggered whenever there is “any traffic
flowing in NetEnforcer”.
8. In the Enable area, select the Alert is Enabled checkbox to enable the alert
definition.
9. From the Alert Severity dropdown list, select the severity of the alert from the
following:
• Information
• Normal
• Minor
• Major
• Critical
10. In the Dispatch & Action area, select where the alert will be sent (in addition to
the Alerts Log) and any action that should result:
SMS: The alert is sent to the SMS address specified in the Alerts tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).
SNMP Trap: The alert is sent as an SNMP trap according to the SNMP Clients details specified in the SNMP tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).
Email (Primary): The alert is sent to the primary email address specified in the Alerts tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).
Email (Secondary): The alert is sent to the secondary email address specified in the Alerts tab in the NetEnforcer Configuration window (described in Chapter 4, Configuring NetEnforcer).
NOTE:
If details have not been provided in the Alerts and SNMP tabs of the NetEnforcer Configuration
window, a warning is displayed.
11. If required, from the Action dropdown list, select a predefined action that will result
when the alert is triggered. The list below is a set of predefined actions available for
selection. The action is implied in the name.
• ChangeAccessControlToAccept
• ChangeAccessControlToDrop
• ChangeAccessControlToReject
• ChangePriorityToHigh
• ChangePriorityToLow
• ChangePriorityToNormal
• IgnoreQoS
• NetEnforcerBypass
• Reboot
Additional custom actions can be added.
12. In the Action Following Alert area, select whether NetEnforcer will continue to
check for the alert from the following:
• Restart Checking After: Once the alert has occurred, check to see if the
condition exists again after a specified time.
• Restart Checking After Alert Acknowledged: Once the alert has occurred, only
start checking to see if the condition exists again once the alert is acknowledged.
13. Click Add. The alert definition is complete and the alert is added to the list of alerts
in the Defined Alerts List.
14. In order for the alert definition to be applied, you must save it to NetEnforcer. Select
Save to NetEnforcer from the Alerts Editor File menu or click on the toolbar.
NOTE:
Saving the Alerts Editor re-arms all alert definitions. For a “one time only” alert definition, if the alert
condition exists, an alert is again dispatched. For a “periodic” alert definition, if the alert condition
exists, an alert is dispatched.
Customized Actions
Additional actions may be defined by the user. These actions are added to the drop-
down list and appear along with the predefined actions. Actions are added through the
use of scripts. These are simply CLI commands saved in a specific location on the
NetEnforcer.
TIP:
Router Interface
The NetEnforcer is sometimes located at the access point, just behind the access router that connects the
enterprise to the Internet. In some cases the access router has two uplinks, one is the primary and one is a
backup link. Usually the backup link will have a lower speed than the primary link.
In these environments there is a need to have the ability to change the policy defined in NetEnforcer when
the primary link at the router fails and the backup link goes into action.
This can be achieved with the NetEnforcer’s Alert module. The Router Interface condition enables you to
define an event of link up/down that happens on the access router. This enables you to set that an alert is
triggered when the primary link goes down and the backup link goes into action.
From the Defined Alerts List, you can enable and disable alerts as required. Simply
select or deselect the Enabled checkbox on the left of the list.
To modify an alert definition, select it in the Defined Alerts List, make the required
changes in the Definition and Behavior tabs and click Update.
To delete an alert definition, select it in the Defined Alerts List and click Delete.
NOTE:
You can also delete an alert definition by right-clicking it in the Defined Alerts List and selecting Delete.
Edit
Delete: Deletes the selected alert definitions.
Disable All: Disables all the alert definitions in the list. When an alert definition is disabled, NetEnforcer does not consider it.
Select All: Selects all the alert definitions in the list.
The status bar in the Alerts Editor provides the following information:
• Last action performed.
• Selected alert/Total number of alert definitions.
• Sort condition.
• Mod is displayed when alert definitions have been modified. It is removed once the
alert definitions have been saved to NetEnforcer.
Alerts Log
The Alerts Log displays a list of the alerts triggered by the alert definitions. Information
such as the date of the alert, the source of the alert as well as the severity of the alert is
displayed.
TIP:
The color of the Alerts button in the NetEnforcer Control Panel reflects the most severe unacknowledged
alert in the Alerts Log. If the color is gray, an undetermined state exists. This is normally when there is a
communication problem.
The Alerts Log, which is automatically refreshed every 30 seconds, provides the
following information for each alert:
Ack: Whether or not you have acknowledged the alert. Acknowledging an alert re-arms the alert definition so that NetEnforcer again checks to see if the alert condition exists.
NetEnforcer Date: The time and date on NetEnforcer when the event triggering the alert occurred.
Alert Name: The name of the alert definition.
Source: The type of object where the event triggering the alert occurred: NE (NetEnforcer), Pipe, VC (Virtual Channel) or System.
Source Name: When the Source is Pipe or VC, the name of the Pipe or Virtual Channel.
Severity: The severity of the alert. The background color of this field reflects the severity as follows: Information: Green; Normal: Green; Minor: Yellow; Major: Orange; Critical: Red.
Description: A summary of the event triggering the alert.
You can sort the list of alerts by clicking a column header. For example, clicking
NetEnforcer Date sorts the alerts according to date and displays them in date order.
Edit
Clear Selected: Clears selected alerts from the Alerts Log. You can also clear alerts from the Alerts Log by right-clicking the alert and selecting Clear.
Clear All: Clears all alerts from the Alerts Log.
View
Sort by: Enables you to sort the list of alerts according to column headers.
Clear Filters: Clears any filters applied to the display of alerts and displays all alerts.
Search
Find: Enables you to search the list of alerts for a specified keyword or phrase.
Options
Edit Alert Definition: Opens the Alerts Editor enabling you to modify alert definitions as required. You can also access the Alerts Editor by right-clicking an alert definition in the Alerts Log and selecting Edit Definition.
Help
Index: Provides access to online help.
The status bar in the Alerts Log provides the following information:
• Last action performed.
• Selected alert/Total number of alerts.
• Sort condition.
• Whether a filter is in effect.
Filtering Alerts
You can apply a filter to the Alerts Log so that only alerts matching the filter are
displayed. This is useful because the Alerts Log may include up to 10,000 alerts.
To define a filter:
1. From the View menu in the Alerts Log, select Set Filters or click in the toolbar.
The Set Filters for Alerts Log dialog box is displayed:
Figure 9-5 – Set Filters for Alerts Log Dialog Box: Severity Tab
3. Define the filter parameters in the different tabs as follows (only the alerts that match
the filter parameters will be displayed):
• In the Severity tab, select the Severity levels as required: Critical, Major,
Minor, Normal, Info.
• In the Acknowledge tab, select Acknowledged or Unacknowledged.
Figure 9-6 – Set Filters for Alerts Log Dialog Box: Acknowledge Tab
• In the Source Type tab, select the object type: NE, System, Pipe, VC.
Figure 9-7 – Set Filters for Alerts Log Dialog Box: Source TypeTab
• In the Names & Description tab, select from the following specifying key words
as required: Match Source Names Containing, Match Descriptions
Containing, Match Alert Names Containing.
Figure 9-8 – Set Filters for Alerts Log Dialog Box: Names & Description Tab
NOTE:
The relationship between the parameters on each tab is AND. The relationship between the tabs is OR.
4. Click OK.
The filter is applied. Only the alerts that match the filter parameters are displayed in the
Alerts Log and Filtered is displayed in the status bar.
To clear a filter, select Clear Filters from the View menu or click in the toolbar.
This chapter describes the threat of DoS attacks on network performance and the ways
in which NetEnforcer detects and handles DoS attacks.
Overview
As the reliance on Internet communications increases, the importance of maintaining
the security and reliability of network services has become an increasingly critical issue.
Denial of Service (DoS) attacks are some of the most common ways in which hackers
attempt to disrupt network services. A DoS attack is an attack on a system or network
that causes a loss of service to users, typically the loss of network connectivity and
services by overloading the computational resources of the victim system.
DoS attacks are typically executed by sending multiple packets to a targeted Internet
server (usually a Web, FTP, or Mail server), which floods the server's resources,
making the system unusable. Any system that is connected to the Internet and is
equipped with TCP-based network services is subject to attack.
Similarly, NetEnforcer can be configured to identify problematic ports that have been
identified as commonly used by known Worms. When NetEnforcer detects an abnormal or
increased incidence of new connections on such ports, the traffic on the specific port
can be dropped without affecting other TCP connections. The source IP address that
generated these connections is saved in the log file.
NOTE:
To view the list of worm source IP addresses in the log,
The Denial of Service (DoS) tab includes parameters that enable you to determine the
frequency and number of connections, as follows:
In Case of Denial of Service Attack, New Flows will be: The action that NetEnforcer takes when it reaches the maximum rate of new connections allowed for the model. The options in the dropdown menu are as follows:
Admitted without QoS: New connections (flows) are admitted, but are not classified, and no QoS policy is applied. This is the default setting.
Dropped: New connections (flows) are dropped.
Number of Connections Within NetEnforcer will be Limited to: You are able to define the threshold for traffic suspected as an attack by specifying the number of connections allowed at any one time. The default is the maximum number of connections your NetEnforcer model can handle. For the maximum number of connections your NetEnforcer model can handle, see the hardware description table on page 2-2 in Chapter 2, Installing NetEnforcer. To view the number of connections over a specified period of time, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will assist in entering a realistic definition of an attack.
Maximum New Connections Establishment Rate (CER): You are able to define the threshold for traffic suspected as an attack by specifying the number of new connections allowed per second. To view the number of connections per second, refer to the Connections graph in Chapter 6, Monitoring Network Traffic. This will assist in entering a realistic definition of an attack. If the field is left blank, the NetEnforcer uses its default setting.
Security Alerts
Alerts are issued by NetEnforcer when a suspected security threat has been detected.
The following alert messages are defined in the system by default.
“DoS attack suspected: Connection establishment rate is close to the threshold”: The NetEnforcer monitors the rate at which connections flowing through the unit are established. This alert is triggered when the connection rate is unusually high.
“DoS attack suspected: Abnormal high connection establishment rate of XXX”: The NetEnforcer monitors the rate at which connections of various types are established. The types of connections monitored are AnyIP (IP traffic which is not TCP or UDP), TCP and UDP. This alert is triggered when the rate at which connections of a certain type are established is unusually high.
“DoS attack suspected: Abnormal high connection establishment rate on port XXX”: The NetEnforcer monitors the rate at which TCP connections on various ports are established. This alert is triggered when the rate at which connections are established on a specific port is unusually high.
“Alarm Max Connections XXX triggered”: The NetEnforcer monitors the number of concurrent connections flowing through the unit. When the number of concurrent connections reaches the unit's overall limit, this alert is triggered. The limit can be manually defined in the NetEnforcer GUI under the Configuration menu.
“Alarm Max Connections resolved”: This alert is triggered after an “Alarm Max Connections XXX triggered” alarm has been triggered and the number of connections has returned to normal (below 95% of the defined limit).
“DoS attack of the type 'UDP flood' started”: The NetEnforcer has detected an attack characterized by a large number of UDP packets.
“DoS attack of the type 'UDP flood' ended”: This alert is triggered after a “DoS attack of the type 'UDP flood' started” alert has been triggered and the conditions have returned to normal.
“DoS attack of the type 'SYN' started”: The NetEnforcer has detected an attack characterized by a large number of TCP packets.
“DoS attack of the type 'SYN' ended”: This alert is triggered after a “DoS attack of the type 'SYN' started” alarm has been triggered and the conditions have returned to normal.
The alert messages are displayed in the Alerts log.
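As an added example (not Allot's code), the following Python models the threshold checks behind these messages on one-second samples: the overall and per-type connection establishment rate against the DoS tab limits, the per-port TCP rate with the drop-on-flagged-port and source-IP logging behaviour described in the overview, and the concurrent-connection alarm with its 95% resolve level. The per-type and per-port limits and the sample flows are constructed assumptions; the manual does not state how "unusually high" is derived.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Thresholds:
    max_connections: int          # Number of Connections Within NetEnforcer will be Limited to
    max_cer: int                  # Maximum New Connections Establishment Rate (CER), per second
    type_cer: int                 # assumed: per-type (TCP / UDP / AnyIP) rate considered abnormal
    port_cer: int                 # assumed: per-port TCP rate considered abnormal
    resolve_ratio: float = 0.95   # "resolved" once below 95% of the defined limit (from the manual)


@dataclass
class DoSMonitor:
    t: Thresholds
    live: int = 0                                   # concurrent connections through the unit
    max_conn_alarm: bool = False                    # True while "Alarm Max Connections" is outstanding
    flagged_ports: set = field(default_factory=set)
    offenders: dict = field(default_factory=dict)   # port -> source IPs, as the log keeps them

    def observe_second(self, new_flows, closed):
        """Process one one-second measurement interval.
        new_flows: list of (src_ip, proto, dst_port) opened in the interval; proto is TCP/UDP/AnyIP.
        closed: number of connections torn down in the interval.
        Returns the alert messages raised for this interval."""
        alerts = []
        self.live = max(0, self.live + len(new_flows) - closed)

        # Overall connection establishment rate against the configured CER.
        if len(new_flows) >= self.t.max_cer:
            alerts.append("DoS attack suspected: Connection establishment rate is close to the threshold")

        # Rate per connection type (AnyIP / TCP / UDP).
        for proto, n in Counter(f[1] for f in new_flows).items():
            if n >= self.t.type_cer:
                alerts.append(f"DoS attack suspected: Abnormal high connection establishment rate of {proto}")

        # Rate per TCP port: a flagged port has its new flows dropped while other TCP
        # connections continue, and the source IPs that generated them are recorded.
        for port, n in Counter(f[2] for f in new_flows if f[1] == "TCP").items():
            if n >= self.t.port_cer:
                alerts.append(f"DoS attack suspected: Abnormal high connection establishment rate on port {port}")
                self.flagged_ports.add(port)
                self.offenders.setdefault(port, set()).update(
                    f[0] for f in new_flows if f[1] == "TCP" and f[2] == port)

        # Concurrent-connection limit, with the 95% hysteresis the manual gives for "resolved".
        limit = self.t.max_connections
        if not self.max_conn_alarm and self.live >= limit:
            self.max_conn_alarm = True
            alerts.append(f"Alarm Max Connections {limit} triggered")
        elif self.max_conn_alarm and self.live < self.t.resolve_ratio * limit:
            self.max_conn_alarm = False
            alerts.append("Alarm Max Connections resolved")
        return alerts

    def admit(self, flow):
        """Admission decision for a new flow: only TCP flows on a flagged port are dropped."""
        return not (flow[1] == "TCP" and flow[2] in self.flagged_ports)


def run_constructed_scenario():
    """Constructed traffic: a quiet second, two seconds of a burst on one port, then recovery."""
    mon = DoSMonitor(Thresholds(max_connections=1000, max_cer=500, type_cer=400, port_cer=200))
    quiet = [("10.0.0.%d" % i, "TCP", 80) for i in range(1, 51)]                      # 50 flows
    burst = [("192.0.2.%d" % (i % 250 + 1), "TCP", 445) for i in range(600)] + quiet  # 650 flows
    timeline = [
        mon.observe_second(quiet, closed=0),    # live 50: nothing to report
        mon.observe_second(burst, closed=10),   # live 690: rate alerts, no max-connections alarm
        mon.observe_second(burst, closed=0),    # live 1340: max-connections alarm triggered
        mon.observe_second([], closed=500),     # live 840 < 950: alarm resolved
    ]
    return mon, timeline


if __name__ == "__main__":
    monitor, alerts_per_second = run_constructed_scenario()
    for second, alerts in enumerate(alerts_per_second, start=1):
        print(second, alerts)
    print("sources logged on port 445:", len(monitor.offenders[445]))
```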
This chapter describes the NetEnforcer SNMP-based statistics and how to generate
MRTG reports.
NetEnforcer is the authoritative source of the following MIB files, which include
measurement engine variables recorded on a one-second basis and are available via the
Tools button on your NetEnforcer Control Panel:
• COMPANY-MIB.txt - includes traps.
• VC-MIB.txt - includes Virtual Channel related statistics.
• PIPE-MIB.txt - includes Pipe related statistics.
• NE-STAT-MIB.txt - includes NetEnforcer level related statistics.
The private MIB of Allot includes SNMP statistics, as follows:
• Bytes in/out/total per Virtual Channel, Pipe and NetEnforcer
• Packets in/out/total per Virtual Channel, Pipe and NetEnforcer
• Number of connections and number of new connections per second
NOTE:
Specifications of MIB-II (rfc1213.mib) can be found at http://www.ietf.org/rfc1213.txt?number=1213.
Access Permissions
To get SNMP statistics, you need to enter community (password) parameters. The
community parameters, found in the SNMP tab of the NetEnforcer Configuration
window, are as follows:
Read Community The SNMP community for devices reading SNMP variables
from NetEnforcer.
Write Community The SNMP community for devices setting SNMP variables to
NetEnforcer.
Trap Community The SNMP community to receive NetEnforcer SNMP traps.
Trap Destination The IP address of the Network Management Console that
receives the NetEnforcer-generated SNMP traps. It can be a
local host.
Refer to Chapter 4, Configuring NetEnforcer, for further information.
Traps
The NetEnforcer SNMP agent issues the following traps:
Trap Name: Action (Number)
Cold Start: Reboot and restart the SNMP process. (0)
Link Down: Disconnecting the internal or external interface forces the Link Down trap to occur. When, after rebooting, NetEnforcer becomes active, the Link Down trap occurs according to the internal and external NIC status. (2)
Link Up: Connecting both the internal and external interfaces forces the Link Up trap to occur. When, after rebooting, NetEnforcer becomes active, the Link Up trap occurs according to the internal and external NIC status. (3)
Authentication failure: Request with wrong community. (4)
NePrimaryActive: This trap is sent when the primary NetEnforcer changes to Active mode. (6-11)
NePrimaryBypass: This trap is sent when the primary NetEnforcer changes to Bypass mode. (6-12)
NeSecondaryActive: This trap is sent when the secondary NetEnforcer changes to Active mode. (6-13)
NeSecondaryStandBy: This trap is sent when the secondary NetEnforcer changes to Standby mode. (6-14)
NeSecondaryBypass: This trap is sent when the secondary NetEnforcer changes to Bypass mode. (6-15)
MIB-II Support
The NetEnforcer SNMP agent supports the following MIB-II groups: System,
Interfaces, Address Translation, IP, ICMP, TCP, UDP and SNMP.
The MIB-II object groups are shown in the following tree diagram:
iso (1)
  org (3)
    dod (6)
      internet (1)
        directory (1)
        mgmt (2)
          mib-2 (1)
            system (1)
            interfaces (2)
            snmp (11)
        experimental (3)
        private (4)
          enterprises (1)
            AllotCom (2603)
              neStatistics (1)
                neStatMIB (1)
                  neStat (1)
                    neByteCountIn (1)
                    neByteCountOut (2)
                    neByteCountTotal (3)
                    neLiveConnections (4)
                    neNewConnections (5)
                    nePacketsIn (6)
                    nePacketsOut (7)
                pipeStat (1)
                  pipeStatTable (1)
                    pipeEntry (1)
                      pipePosition (1)*
                      pipeInstancePosition (2)*
                      pipeName (3)
                      pipeByteCountIn (4)
                      pipeByteCountOut (5)
                      pipeByteCountTotal (6)
                      pipeLiveConnections (7)
                      pipePacketsIn (9)
                      pipePacketsOut (10)
                      pipePacketsTotal (11)
                vcStatMIB (3)
                  vcStat (1)
                    vcStatTable (1)
                      vcEntry (1)
                        vcPipePosition (1)*
                        vcPipeInstancePosition (2)*
                        vcPosition (3)*
                        vcInstancePosition (4)*
                        vcName (5)
                        vcByteCountIn (6)
                        vcByteCountOut (7)
                        vcByteCountTotal (8)
                        vcLiveConnections (9)
                        vcNewConnections (10)
                qidPipeTemplateId (1)*
                qidPipeInstanceId (2)*
                qidPipeByteCountIn (3)
                qidPipeByteCountOut (4)
                qidPipeByteCountTotal (5)
                qidPipeLiveConnectiosn (6)
                qidPipeNewConnections (7)
                qidPipePacketsIn (8)
                qidPipePacketsOut (9)
                qidPipePacketsTotal (10)
                qidVcStatMIB (5)
                  qidVcStat (1)
                    qidVcStatTable (1)
                      qidVcByteCountTotal (7)
                      qidVcLiveConnectiosn (8)
                      qidVcNewConnections (9)
                      qidVcPacketsIn (10)
                      qidVcPacketsOut (11)
                      qidVcPacketsTotal (12)
* = index of table
Mibs.zip provides position MIBs whereby the index of the MIBs is according to the
position of the Pipe or Virtual Channel in the policy table. MibsQID.zip provides ID
MIBs whereby the index of the MIBs is according to the internal ID of the Pipe or
Virtual Channel. You can download one or both of these zip files.
Both of the zip files also contain the Allot configuration file
(MRTG_Config_for_MIBs.cfg).
To download Allot MIBs:
1. From the NetEnforcer Control Panel, click Tools and select Download Allot MIBs
and then VC/Pipe by ID or VC/Pipe by Position.
2. Download the files contained in the zip file to a local drive.
3. Repeat steps 1 and 2 for the second MIB zip file if required.
4. Use your network management application's MIB integration tool to compile the
Allot MIBs.
5. Query the Allot MIB objects using your network management application. You can
produce graphs based on the statistics generated.
When the policy table is modified and the new table is reloaded to the SNMP agent, the
changes will affect the SNMP Pipe and Virtual Channel tables. Thus, a change in the
Pipe/Virtual Channel position will change its object ID accordingly. For example:
Original Policy Table Object ID
Pipe1 1.0
Pipe1_Vc1 1.0.1.0
Pipe1_Vc2 1.0.2.0
Pipe2 2.0
Pipe2_Vc1 2.0.1.0
Pipe2_Vc2 2.0.2.0
Pipe3 3.0
Pipe3_Vc1 3.0.1.0
Pipe3_Vc2 3.0.2.0
Now Pipe 3 has been moved up and the table looks as follows:
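As an added example (not Allot's code), the following Python models the two index schemes described above, position MIBs (Mibs.zip) and ID MIBs (MibsQID.zip), and replays the scenario of Pipe3 being moved up one row. The internal IDs and the exact shape of the ID-based instance suffix are constructed assumptions; the position-based suffixes follow the table in the manual.

```python
from dataclasses import dataclass, field


@dataclass
class Pipe:
    name: str
    pipe_id: int                              # internal ID (assumed stable once assigned)
    vcs: list = field(default_factory=list)   # [(vc_name, vc_id), ...]


def position_index(policy):
    """Position MIBs: instance suffix "<pipe position>.<instance>" for a Pipe and
    "<pipe position>.<instance>.<vc position>.<instance>" for a Virtual Channel, as in the
    manual's table. Instance position is 0 here because none of these Pipes is a template."""
    idx = {}
    for p, pipe in enumerate(policy, start=1):
        idx[pipe.name] = f"{p}.0"
        for v, (vc_name, _vc_id) in enumerate(pipe.vcs, start=1):
            idx[vc_name] = f"{p}.0.{v}.0"
    return idx


def id_index(policy):
    """ID MIBs: the same shape, but keyed by the internal IDs obtained from the
    Pipe/VC ID Lookup for SNMP dialog, so table position plays no part (assumed layout)."""
    idx = {}
    for pipe in policy:
        idx[pipe.name] = f"{pipe.pipe_id}.0"
        for vc_name, vc_id in pipe.vcs:
            idx[vc_name] = f"{pipe.pipe_id}.0.{vc_id}.0"
    return idx


def changed_instances(before, after):
    """Entities whose SNMP instance suffix differs after the policy table was reloaded."""
    return sorted(name for name in before if before[name] != after.get(name))


def build_original():
    # Constructed internal IDs; the manual's table only lists the position-based object IDs.
    return [
        Pipe("Pipe1", 101, [("Pipe1_Vc1", 1001), ("Pipe1_Vc2", 1002)]),
        Pipe("Pipe2", 102, [("Pipe2_Vc1", 1003), ("Pipe2_Vc2", 1004)]),
        Pipe("Pipe3", 103, [("Pipe3_Vc1", 1005), ("Pipe3_Vc2", 1006)]),
    ]


def move_pipe3_up():
    """Reproduce the manual's scenario (Pipe3 moved up one row) and compare both index schemes."""
    original = build_original()
    moved = [original[0], original[2], original[1]]
    pos_before, pos_after = position_index(original), position_index(moved)
    id_before, id_after = id_index(original), id_index(moved)
    # A poller (e.g. an MRTG target) still using Pipe3's old position suffix now silently
    # reads the counters of whichever entity occupies that position.
    entity_at_old_oid = {suffix: name for name, suffix in pos_after.items()}[pos_before["Pipe3"]]
    return {
        "position_changed": changed_instances(pos_before, pos_after),
        "id_changed": changed_instances(id_before, id_after),
        "entity_at_pipe3_old_oid": entity_at_old_oid,
    }


if __name__ == "__main__":
    for key, value in move_pipe3_up().items():
        print(key, value)
```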
Introducing MRTG
The MRTG (Multi Router Traffic Grapher) tool is used to monitor the traffic load on
your NetEnforcer and is free for personal use. You can download it from
http://people.ee.ethz.ch/~oetiker/webtools/mrtg. A network manager may view
bandwidth usage on each defined Virtual Channel or Pipe and also on the
internal/external interfaces.
The MRTG tool generates HTML pages that present traffic graphs. Using a standard
Web browser, you can view pages, each containing graphs showing daily, weekly,
monthly and yearly information.
Traffic statistics are generated by NetEnforcer and written in a standard SNMP MIB
format. The MRTG tool, using PERL scripts, polls NetEnforcer using a standard SNMP
GET command and saves the data in the host (management PC) log. The log is
automatically consolidated and while the log saves data for the last two years, it does
not grow over time.
NOTE:
If you want to preserve the highest rates as seen on the daily graph, use the "With Peak" option. This will
show the highest values that were recorded in addition to the averages.
NOTE:
Download sources or binaries from http://people.ee.ethz.ch/~oetiker/webtools/mrtg/.
2. Install PERL if you do not have it installed. PERL for Windows can be downloaded
from http://www.ActiveState.com.
3. If you have not already done so, download the Allot position MIBs and/or ID MIBs
including the Allot configuration file (MRTG_Config_for_MIBs.cfg). This
procedure is described on page 11-8.
NOTE:
Save the .txt files to C:/Mrtg. If you want to save them to another directory, change the directory
defined in the LoadMIBs line in the configuration file. Save the configuration file
(MRTG_Config_for_MIBs.cfg) to C:/MRTG/bin. This directory is generated during the MRTG
installation.
4. If you are using the ID MIBs, you must get the internal IDs for Pipes and Virtual
Channels for which you want to generate MRTG graphs. From the NetEnforcer
Control Panel, click Tools and select Pipe/VC ID Lookup for SNMP. The Pipe/VC
Lookup for SNMP dialog box is displayed:
5. Select a Pipe or Virtual Channel and the ID for the selected item is displayed in the
Entity ID for Selection Above field. Copy and paste the IDs into the configuration
file (MRTG_Config_for_MIBs.cfg).
NOTE:
You could also write down the IDs and then add them to the configuration file.
6. Repeat step 5 to retrieve IDs for all the Pipes and Virtual Channels for which you
want to generate MRTG graphs.
7. Adapt the MRTG_Config_for_MIBs.cfg file to your setup. For example, specify the
NetEnforcer IP address, location of MIB files, SNMP community name and OIDs of
the counters you would like to monitor. Refer to the comments in the allot.cfg file
for more information.
To install the MRTG daemon:
• Start MRTG as a daemon, passing the path to MRTG_Config_for_MIBs.cfg as a
command line parameter. For example, if you install MRTG on Windows in directory
C:\mrtg and you also copy the MRTG_Config_for_MIBs.cfg and MIB files to
C:\mrtg, the following command will start MRTG in Daemon mode with the
proper configuration: Start /b perl C:\mrtg\bin\mrtg C:\mrtg\MRTG_Config_for_MIBs.cfg
NOTE:
The MIB files must be the same as the files on your NetEnforcer. The files may also be found on
NetEnforcer in /usr/local/share/snmp/mibs/.
In general, you can monitor the following NetEnforcer SNMP counters with MRTG:
• vcByteCountIn
• vcByteCountOut
• vcByteCountTotal
• vcPacketCountIn
• vcPacketCountOut
• vcPacketCountTotal
• pipeByteCountIn
• pipeByteCountOut
• pipeByteCountTotal
• pipePacketCountIn
• pipePacketCountOut
• pipePacketCountTotal
• neByteCountIn
• neByteCountOut
• neByteCountTotal
• nePacketCountIn
• nePacketCountOut
• nePacketCountTotal
• Number of connections
• Number of new connections per second
This target refers to the inbound and outbound bytes on the Fallback Pipe in the default
database.
Target[pipe] pipeByteCountIn.1.0.0&pipeByteCountOut.1.0:public@10.10.10.10:::::2
Options[pipe] growright, nobanner
MaxBytes[pipe] 50000000
Title[pipe] Traffic Analysis for AC
PageTop[pipe] <H1>Traffic Analysis – AC</H1>\n PIPE Out / PIPE In
WithPeak[pipe] d,w,m,y
Suppress[pipe] y,m
This appendix lists the hardware specifications for all NetEnforcer models.
Enhanced Platform
Dimensions
Standard 1U by 19-inch, rack mountable
Height 1.73 in (44 mm)
Width 17.32 in (440 mm)
Depth 11.73 in (298 mm)
Weight 12 lbs (5.5 kg)
Power Requirements
Input Voltage 100 - 240 V
Frequency 47 - 63 Hz
Current 2A
Power consumption
AC-302 53 W
AC-402 70 W
Operating Environment
Temperature 32° F to 104° F (0° to 40° C)
Humidity 5% to 95% (non condensing)
Heat Dissipation
AC-302 181 BTU/Hour
AC-402 240 BTU/Hour
EMI Residential, commercial and light industry.
NOTE:
The weight of the Copper Bypass module is 3.86 lbs (1.75 kg) and the weight of the Fiber Bypass module
is 4.28 lbs (1.94 kg).
Power Requirements
AC-802
Input Voltage 100 - 240 V
Frequency 50/60 Hz
Current 7 - 3.5 A
Power consumption
Operating Environment
AC-802
Temperature 32° F to 104° F (0° to 40° C)
Humidity 5% to 95% (non condensing)
Heat Dissipation
EMI
Bypass Mode
The Enhanced platform models (AC-202 and AC-402) operate with an internal Bypass
element and the AC-802 operates with an external Bypass module. The AC-802 Copper
operates with a Copper Bypass and the AC-802 Fiber operates with a Fiber Bypass.
CAUTION:
NetEnforcer AC-802 must be connected to the appropriate Bypass module. This is to ensure continuous
service in the event of failure.
Bypass Initiation
When a single NetEnforcer is installed, it will go into Bypass mode under the following
conditions:
• Upon a subsystem failure.
• During the booting of NetEnforcer.
• Upon any NetEnforcer power feed failure and power OFF conditions.
• When the Bypass module is not connected properly to the NetEnforcer Backup
connector, even with all other connectors fully plugged. (This is not relevant to the
Enhanced platform.)
NOTES:
NetEnforcers in a full Redundancy configuration that have gone into Bypass mode upon a
subsystem failure will not restart automatically. It is recommended to perform a reboot.
CAUTION:
NetEnforcer must be connected to the Fiber Bypass module. This is to ensure continuous service in the
event of failure.
IMPORTANT NOTE:
To work properly, NetEnforcer and the Bypass module have to be fully plugged and connected before
power is turned on.
IMPORTANT NOTE:
The Multimode Coupler is not a standard part of NetEnforcer.
Figure B-3 – Connecting NetEnforcer AC-802 Fiber to Fiber Bypass and TAP
1. Connect the fiber cable labeled External from the Bypass module (7) to the External
port (1) on NetEnforcer.
2. Connect the fiber cable labeled Internal from the Bypass module (7) to the Internal
port (2) on NetEnforcer.
3. Connect the D-type connector from the Primary port on the Bypass module (8) to
the Backup port (3) on NetEnforcer.
4. Connect the first Multimode coupler as follows:
• Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps router
(1000Base-SX port).
• Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps switch
(1000Base-SX port).
• Connect the coupler Rx [2] fiber optic cable to the External Rx input of the Fiber
bypass module (5).
The following diagram shows how to connect two NetEnforcers in full Redundancy:
The modes of operation of the indicators are described in the following tables:
For a NetEnforcer AC-802 Copper or Fiber connected to a Bypass module, the LED
indicators are as follows:
Unit       Standby LED  Active LED  Power LED  Mode LED  Analysis
Primary    OFF          ON          ON         ON        Primary NetEnforcer is in Active mode.
Secondary  ON           OFF         ON                   Secondary NetEnforcer is in Standby mode,
                                                         ready to take over.
Table B-1 – LED Conditions: Copper or Fiber Bypass, Full Redundancy Mode
NOTES:
The NetEnforcer's Ethernet Adapter can detect Ethernet cable disconnection. NetEnforcers in a redundant
configuration react to such an event as follows: the Primary NetEnforcer loses control until its next
reboot, and the Secondary NetEnforcer becomes the active unit.
If a cable is disconnected, reboot the Primary NetEnforcer after reconnecting the cable.
NOTE:
When you order an AC-802 model, a Backup Cable is included with the accessory kit.
If the Primary system fails, the Secondary system automatically takes control of the
traffic, and enables its External interface. The LEDs indicate the Secondary system
status change as follows:
• Enhanced Platform and AC-802 model: On the Secondary system, the Standby
LED turns OFF and the Active LED turns ON. (See Table B-2 and Table B-3)
AC-802 Models
To connect two AC-802 NetEnforcers in Full Redundancy:
Before using NetEnforcers in Full Redundancy mode, make sure that the configuration
of both NetEnforcers is identical; except for their IP addresses, which must be unique
for each unit. You can use the Save & Distribute option to distribute the same QoS
policy to both NetEnforcers. For more information, refer to Chapter 8, Defining
Policies.
NOTE:
You can distribute policy to other NetEnforcers, only if they are of the same model as the one from which
you are distributing.
After ensuring identical configuration, test each NetEnforcer (while connected to the
network as a single device) and verify that they are operating identically to one another.
1. Designate one of your NetEnforcers to be the default Primary, and connect the end
of the Backup cable to the Backup connector of the NetEnforcer.
2. Connect the other end of the backup cable to the Primary connector of the Bypass
module.
3. Designate the other NetEnforcer to be the Secondary and connect one end of the
Backup cable to the Backup connector of the Secondary NetEnforcer.
4. Connect the other end of the Backup cable to the Secondary connector of the Bypass
module.
NOTE:
For more information, see the Bypass Modules section in Chapter 2, Installing NetEnforcer.
5. Ensure that the status indicators of both systems are indicating that the systems are
configured correctly, as follows:
• The Active LED of the Primary NetEnforcer is ON.
• The Standby LED of the Primary NetEnforcer is OFF.
• The Active LED of the Secondary NetEnforcer is OFF.
• The Standby LED of the Secondary NetEnforcer is ON.
CAUTION:
When two NetEnforcers are connected in Redundancy mode with a switch on each interface, if the Primary
NetEnforcer fails and the Secondary system takes control of traffic, the redundant unit may take some time
to activate. This is normal switch behavior: for a while the switch continues to forward packets to the
Primary NetEnforcer instead of to the Secondary NetEnforcer.
CAUTION:
Please note that only a certified Allot Communications Service Engineer is authorized to remove the
NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover
from the NetEnforcer, its warranty becomes void.
NOTE:
You can distribute policy to other NetEnforcers only if they are of the same model as the one from which
you are distributing.
After ensuring identical configuration, test each NetEnforcer (while connected to the
network as a single device) and verify that they are operating identically to one another.
1. Set the DIP Switches to Full Redundancy mode. See Figure B-6.
2. Designate one of your NetEnforcers to be the default Primary, and connect the end
of the Backup cable marked Primary to the backup connector of the unit. Connect
the other end of the backup cable to the backup connector of the Secondary
NetEnforcer.
3. After booting ensure that the Active LED is ON and the Standby LED is OFF. On
the Secondary NetEnforcer, the Active LED is OFF and the Standby LED is ON.
CAUTION:
When two NetEnforcers are connected in Redundancy mode with a switch on each interface, if the Primary
NetEnforcer fails and the Secondary system takes control of traffic, the redundant unit may take some time
to activate. This is normal switch behavior: for a while the switch continues to forward packets to the
Primary NetEnforcer instead of to the Secondary NetEnforcer.
Figure B-6 – DIP Switch Settings for Full Redundancy Mode (Primary and Secondary NetEnforcers,
switches 1 to 8; labels shown in the figure: BYPASS, FLOAT, CONTROL OVER)
If there is a problem with the Primary NetEnforcer, the box should be disconnected
from the network and the DIP switches on the Secondary NetEnforcer should be set to
standalone configuration.
CAUTION:
Please note that only a certified Allot Communications Service Engineer is authorized to remove the
NetEnforcer cover and change the internal DIP switches. If a non-authorized person removes the cover
from the NetEnforcer, its warranty becomes void.
CAUTION:
In standalone mode, NetEnforcer DIP switches should remain in the factory default settings.
To have the NetEnforcer in standalone mode, switches 1 to 5 are set to ON and switches 6 to 8 are set to
OFF. (To access the DIP Switches, see Appendix C, Hardware Configuration).
This appendix describes how to set the DIP switches for Enhanced Platform models.
CAUTION:
Only a certified Allot Communications Service Engineer is authorized to remove the NetEnforcer cover
and change the internal DIP switches. If a non-authorized person removes the cover from the NetEnforcer,
its warranty becomes void.
In circumstances where you need to remove the main cover, carefully follow the
instructions below.
The unit is shipped with the factory defaults indicated above. This setup ensures the
normal operation of the Bypass switch (meaning that it is activated upon a failure), and
that the Active status is not forced. For normal device behavior, it is strongly
recommended not to change DIP switch factory settings.
NOTE:
For full Redundancy mode operational needs, DIP switch modifications should be performed with guidance
from an Allot Communications service engineer.
The NetEnforcer and the Bypass module may be mounted in an open or closed standard
19-inch (482.6 mm) rack using the rack-mount bracket kit. This appendix describes how
to prepare the device and rack for installation and how to mount the device in the rack.
CAUTION:
Make sure the wall socket outlet is installed near the equipment and that the socket is easy to access. It is
recommended that the wall power outlet be connected to the building installation protection.
When connecting a NetEnforcer to 120 VAC supply, plug into 15 A service receptacles, type N5/15 or
NEMA 5-15R.
Ambient Temperature
The device has a maximum operating ambient temperature of 104° F (40° C). The ambient
temperature around the rack should not exceed this value.
Airflow
To ensure proper cooling, airflow should be unrestricted within or around the rack.
Keep the area four to six inches behind the enclosure unobstructed. Make sure that there
is proper airflow around all of the NetEnforcer's vent openings.
Reliable Grounding
Make sure that each installation site has a suitable ground connection. Please connect
ground to all the metal racks, enclosures, boxes and raceways. The NetEnforcer
equipment should be reliably grounded through the power supply cord.
Firewall Ports
If your NetEnforcer is working behind a firewall, the following ports must be opened on
the firewall to enable access to the NetEnforcer management functions:
If you want to use secure transmission methods, the following ports must be opened:
Supported Protocols
The following list contains the most common protocols and services supported by
NetEnforcer and available in the default Service Catalog database. Thousands of other
protocols are not included here and can be found in the NetEnforcer Advanced Service
Catalog.
The protocols are divided into several groups in the following list to make each protocol
easier to find and understand. To keep up with the frequent appearance of new applications
and protocols, mainly Peer-to-Peer protocols, a web-based update for the NetEnforcer
Service Catalog is available.
Web
HTTP
Method (e.g. GET, POST)
URL (e.g. File Types)
Host Names
Mime Types
HTTP-PROXY
HTTPS
NNTP-TCP
P2P
KAZAA
KaZaa (V1 & V2)
Grokster
iMesh
Poisoned
Diet Kaza
Upload/Download
EDONKEY
eDonkey
eMule
xMule
GNUTELLA
Shareaza
Morpheus
Gnucleus
XoloX
LimeWire
FreeWire
Bearshare
Acquisition
Nova
Phex
Gtk-Gnutella
Upload/Download
Warez
Ares 0
Swapper.NET
Shareaza (supports both Gnutella version 1 and Gnutella version 2)
LimeWire
BearShare
freewire (Limewire)
zultrax
Xolox
Morpheus 4
BitTorrent
WINMX
DIRECT CONNECT
Direct connect
DC++
BCDC++
OverNet
MP2P
Motilino
Blubster
Piolet
RockitNet
Winny
Winny 1
Winny 2
HOTLINE
JABBER
MADSTER-AIMSTER
SoulSeek
IM/Chat
MSN-MESSENGER
AOL/ICQ
Yahoo
IRC
Email
POP
POP2
POP3
SMTP
SMTP by Sender/Sender Domain
SMTP by Sender email address/Sender domain
MS Exchange
Passive/Active RPC
IMAP
IMAP2-TCP
IMAP3-TCP
Streaming
RTSP
RTP/AVP
Streaming
RDT
X-PN-TNG
Interleaved
Winamp
MSplayer
Realone
Quicktime
iTunes
NETSHOW
REALAUDIO
Games
ALIENS
ANARCHY
ASHERONS CALL
BLACK AND WHITE
COUNTERSTRIKE
DARK REIGN
DIABLO
DOOM
ELITE FORCE
F16
F22 SIMULATOR
FIGHTERACE
HEXEN
KALI
KOHAN IMMORTAL SOVEREIGNS
MOTORHEAD
MSN GAME
MYTH
NEED FOR SPEED
OPERATION FLASH POINT
OUTLAWS
QUAKE-TCP
SWAT3-TCP
ULTIMA
UNREAL TOURNAMENT
ZNES
TFTP
NETBIOS-IP
NFS
SYSLOG
PRINTER
PRINT-SRV
RCP
SUNRPC
CMD
VoIP
SKYPE
MGCP
Audio/Video/Data
Codec Name (Manual Definition)
H.323
Audio/Video
Gate Keeper
MCU (Centralized)
codec:H.323 Video Default Codec
codec:H.323 H261 Codec
codec:H.323 H262 Codec
codec:H.323 H263 Codec
codec:H.323 Audio Default Codec
codec:H.323 G711-64K Codec
codec:H.323 G711-56K Codec
codec:H.323 G722-64K Codec
codec:H.323 G722-56K Codec
codec:H.323 G722-48K Codec
codec:H.323 G7231 Codec
codec:H.323 G728 Codec
codec:H.323 G729 Codec
T.120
VOCALTEC-IPHONE
PHILIPS-VC-TCP
Terminal Servers
CITRIX
CITRIX-ICA
CITRIX NFUSE
Citrix User Name
Citrix Publish Application name
Citrix Priority (Print)
CITRIX DATACOLLEC
CITRIX IMA CLIENT
CITRIX MGMTCONSOLE
MS-RDP-CLIENT
PCANYWHERE
TELNET
TELNETS
SSH
RLOGIN
RTELNET
X11-TCP
Transactions/Databases
Oracle
Oracle Service name/DB name
Oracle User name
ORACLE-COAUTHOR
ORACLE-EM1
ORACLE-EM2
ORACLENAMES
ORACLE-NET8CMAN-ADMIN
ORACLE-NET8CMAN
ORACLE-ORASRV
ORACLE-REMOTE-DATABASE
ORACLE-TLISRV
ORACLE-VP1
ORACLE-VP2
SAP
SAP-DIALOGSERVICE
SAP-INFOSERVICE
SAP-ROUTER
SAP-TO-ADABAS
SAP-TO-INFORMIX
SQL
SQL*NET
SQLSERVICE
MS-SQL SERVER
LDAP
LDAPS
CORBA
CORBA-IIOP-TCP
CORBA-IIOP-TCP-SSL
CORBA-IIOP-UDP
CORBA-IIOP-UDP-SSL
CYBERCASH
EXEC
Security
GRE
IPSEC
IPSEC-AH
IPSEC-ESP
PPTP
SUGP
SWIPE
Network Infrastructure
ARP
AUTH
BGP
BOOTP (DHCP)
BOOTP-CLIENT
BOOTP-SERVER
CHARGEN
CMIP
CMIP-AGENT
CMIP-MAN
DNS
ECHO
EGP
FINGER
ICMP
IGMP
Local MGMT
NPP
NTP
OSPF
PPPoE
PPPoE-CONTROL
PPPoE-DISCOVERY
RIP
RMON
SNMP
SNMP-TRAP
SNMP-Mon
TIMESERVER
TIME
WHO
WHOIS
TACACS
RADIUS
RADIUS-AUTH
RADIUS-ACCT
Legacy protocols
NETWARE-IP
APPLETALK
APPLETALK Over IP
GGP
GOPHER
I-NLSP
IPX
IPX Over IP
MS-IPX
NETBEUI
NETWARE
Manolito Clients
Piolet - Search is over UDP port 41170
Blubster
Tunneling
socks2http
httpTunnel
socks 4/5
This appendix describes the command line interface that can be used to configure
NetEnforcer. You can also configure NetEnforcer from a Web browser, described in
Chapter 4, Configuring NetEnforcer.
This CLI command will make the system execute the CLI commands every X
seconds instead of executing them immediately. This improves the efficiency of the
CLI execution process.
IMPORTANT:
It is strongly recommended that you change the default password of the "root" user before NetEnforcer
is reachable from your network. For details on how to change the password, refer to Chapter 2, Installing
NetEnforcer.
Scripts
You can write scripts containing both CLI and Linux commands to automate the data entry
process. For example, you can write a script that adds 40 rules to 30 different Virtual
Channels.
A script can be written on a remote workstation, using your preferred text editor, and
then sent to NetEnforcer using FTP. Alternatively, you can create the script directly on
NetEnforcer using the built-in vi editor. In both cases, make sure that the script file is
executable (for example, with chmod +x). (For more details on file attributes, refer to a
Linux manual.) Note that FTP sends both the login credentials and the script in clear text,
so transfer scripts only over a network you trust, and review a script for embedded passwords
(for example, the password of an LDAP Data Source) before storing it on NetEnforcer.
NOTE:
It is recommended that you save your scripts in a new directory on NetEnforcer (for example, /root/scripts),
so that they will not be overwritten should you upgrade your NetEnforcer software in the future.
NOTE:
When working with Pipes, Virtual Channels, Rules or Catalog entries, you must enclose the name of the
Pipe, Virtual Channel, Rule or Catalog entry in quotation marks if it contains more than one word. For
example, go add vc Gold:PipeGold is accepted, as is go add vc "Gold Service:PipeGold". However, the
command go add vc Gold Service:PipeGold returns an error message.
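The following shell script is added here as an example of the scripting approach described above; it is not taken from the NetEnforcer manual or from Allot. It builds the go add vc commands for a small table of Virtual Channels (a constructed sample, not real data) and wraps any name that contains a space in quotation marks, as the note above requires. The -src, -service and -qos switches are those listed for Pipes and Virtual Channels later in this appendix, and -f is used as in the manual's own examples. The NE_DRY_RUN variable, the quote_name and vc_add_cmd functions and the sample table are all introduced by this example: by default the script only prints the commands, and setting NE_DRY_RUN=0 runs them through the shell on NetEnforcer.

```shell
#!/bin/sh
# Added example, not part of the NetEnforcer manual or the Allot CLI:
# generate 'go add vc' commands in bulk from a small table, quoting any
# multi-word name. NE_DRY_RUN and the sample table are constructed here.
# Default is a dry run that prints the commands; NE_DRY_RUN=0 executes them.
NE_DRY_RUN="${NE_DRY_RUN:-1}"

# Wrap a name in double quotes when it contains a space (more than one
# word); single-word names are passed through unchanged.
quote_name() {
    case "$1" in
        *" "*) printf '"%s"\n' "$1" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Build the command that adds Virtual Channel $1 to Pipe $2 with the
# source host $3, service $4 and QoS entry $5 (all Catalog entry names).
vc_add_cmd() {
    printf 'go add vc %s -src %s -service %s -qos %s -f\n' \
        "$(quote_name "$1:$2")" "$(quote_name "$3")" \
        "$(quote_name "$4")" "$(quote_name "$5")"
}

# Print the command, or run it through the shell when NE_DRY_RUN=0 so the
# quotes are interpreted exactly as they would be when typed at the CLI.
run_cmd() {
    if [ "$NE_DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Constructed sample table (not from the manual): one Virtual Channel per
# line, fields separated by '|': VC name|Pipe|source host|service|QoS.
SAMPLE_VCS='Gold Service|Gold|Finance Hosts|HTTP|Gold QoS
Silver Service|Silver|Any|FTP|Silver QoS
Bronze|Bronze|Any|All IP|Bronze QoS'

# Emit (or run) one add command per table line; blank lines are skipped.
add_vcs() {
    printf '%s\n' "$SAMPLE_VCS" | while IFS='|' read -r vc pipe src service qos; do
        [ -n "$vc" ] || continue
        run_cmd "$(vc_add_cmd "$vc" "$pipe" "$src" "$service" "$qos")"
    done
}

add_vcs
```

Keeping the table separate from the command template is what makes a script like this safe to review before it runs: a reviewer checks the few lines of the template once and the table line by line, and the dry run shows exactly what will be typed at the CLI.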
Online Help
If you are unsure which parameters are used with a specific command, enter an incomplete
command (for example, without the parameters), and the CLI lists all the available
parameters for that action and switch. For example, if you enter the command go add time,
you receive the following output:
Command Descriptions
This section describes the commands available.
{param} – required parameter
[param ] – optional parameter
Parameter Description
newName The new name to be set to the ToS Catalog entry.
tosName The name of the existing ToS Catalog entry.
tosByte Enumeration of the selected bit numbers, 1 - 8, separated by ','.
Parameter Description
newName The new name to be set for the Data Source Catalog entry.
dsName The name of the existing Data Source Catalog entry.
location IP address/hostname of the LDAP/TFTP server.
user The username assigned to the LDAP user.
passwd The password assigned to the LDAP user.
description The description of the data source (optional parameter).
Note that passwd is given on the command line, so it appears in the shell history and in any
script that contains the command; restrict read access to such scripts (for example, chmod 600).
Parameter Description
newName The new name to be set for the VLAN Catalog entry.
vlanName The name of the existing VLAN Catalog entry.
priority_bits_state Enabling/disabling of the VLAN priority bits: enable, disable.
priority_bits The priority bits value: 0 - 7.
vlan_id_state Enabling/disabling of the VLAN ID: enable, disable.
vlan_id The VLAN ID number: 0 - 4095.
Parameter Description
newName The new name to be set for the QoS Catalog entry.
qosName The name of the existing QoS Catalog entry.
-prior The priority per VC or Pipe: 1-10 (default: 4).
-max_bw The maximum bandwidth for a VC or Pipe, for example, 10M or 100K.
-min_bw The minimum bandwidth for a VC or Pipe, for example, 10M or 100K.
-avail_bw The available bandwidth for a Full Duplex Pipe, for example, 10M or 100K.
minReserved Whether the minimum bandwidth is reserved: yes or no (default: no).
tos_admit The name of the ToS Catalog entry used to mark admitted traffic.
tos_in The name of the ToS Catalog entry used to mark in-profile traffic.
tos_out The name of the ToS Catalog entry used to mark out-of-profile traffic.
tos_mark The name of the ToS Catalog entry used to mark traffic.
maxCon The maximum number of connections allowed on the VC or Pipe.
admissionCtrl The admission control action: reject, drop, admit.
Connection allocation parameters when the traffic shaping method is burst:
maxBw The maximum bandwidth per connection, for example, 10M or 100K.
minBw The minimum bandwidth per connection, for example, 10M or 100K.
size The burst size, in K/M bits per second.
Connection allocation parameters when the traffic shaping method is cbr:
bw The bandwidth per connection, for example, 10M or 100K.
delay The delay in microseconds: 100 - 1,000,000.
When the type of a QoS entry is vc_each or pipe_each, all of the parameters (except
for -general) require two values separated by a , (comma). The first value is for
inbound traffic and the second is for outbound traffic. To leave the inbound value
unspecified, leave that field empty, for example, -prior ,2.
Parameter Description
newName The new name to be set for the Host Catalog entry.
hostName The name of the existing Host Catalog entry.
Parameters for a Host Entry of type addresses:
type Type of address: name, range, netaddr, ipaddr, macaddr.
value Address according to the type specified.
interface Interface type: internal, external, anywhere (default).
Parameters for a Host Entry of type group:
host1,host2 The names of previously defined Host Catalog entries, separated by commas,
which are joined in a group.
Parameters for a Host Entry of type ldap:
dataSource The name of the previously defined Data Source Catalog entry.
root LDAP Directory subtree root.
address_attr The name of the addresses attribute.
name_attr The name of the name attribute.
filter LDAP Directory search filter.
Parameters for a Host Entry of type txtfile:
file The full file path on the remote host.
start_row The row number from which to start reading data in the text file.
address_pos The position of the address field.
name_pos The position of the name field.
delimiter The separator character that splits a text file row into fields: comma, space,
semicolon or another character.
When changing the addresses or group list of a Host Entry, prefix each address or group item
with '-' (remove the item) or '+' (add the item), or prefix the whole list once with '=' to
replace the existing list with the new one.
For example,
go change host Test1 -ipaddr:2.2.2.2,+range:1.1.1.1-1.1.1.9 -f
go change host Test2 +host8,-host9 -f
go change host Test2 =host10,host11 -f
When changing a Host Entry of type txtfile or ldap, leave the fields of the parameters you do
not want to change empty.
For example, to change only the LDAP filter:
go change host Test1 ::::servicegroup=gold
Parameter Description
newName The new name to be set to the Time Catalog entry.
tmName The name of the existing Time Catalog entry.
weekly[:day[:time]]
monthly[:month_day[:time]]
yearly[:month:month_day[:time]]
time The range of hours and minutes: HH.mm-HH.mm, or allDay (default: allDay).
day The day of the week: sun, mon, tue, wed, thu, fri, sat. This is valid for weekly time
periods.
When changing a Time Entry, prefix each time item with '-' (remove the item) or '+' (add a
new item), or prefix the whole list once with '=' to replace the existing list with a new one.
For example,
go add time Test1 daily:10.00-20.00,weekly:5:08.20-20.00 -f
go change time Test1 -daily:10.00-20.00,+monthly:15 -f
go change time Test1 =daily:14.00-20.00,monthly:25 -f
Parameter Description
newName The new name to be set to the Service Catalog entry.
srvName The name of the existing Service Catalog entry.
-protocol The protocol of the Service entry. By default IP:TCP:Other TCP.
net The network protocol to be used by the Catalog entry: IP, ARP, Banyan-Vines, DEC-DECNET,
DEC-LAT, DEC-Ethernet, Appletalk, SNA, IPX, Ipv6, MS-IPX, NetBEUI, ANY, PPPoE-Discovery,
PPPoE-Control, or a whole number in the interval 1 - 65534.
ip The transport protocol, only if the network protocol is IP: TCP, UDP, EIGRP, ICMP, IGMP,
EGP, RSVP, OSPFIGP, SIPP-ESP, SIPP-AH, I-NLSP, SWIPE, GGP, GRE, ANY, or a whole number in the
interval 1 - 255.
app The name of the Application protocol, only when the transport protocol is TCP or UDP.
-dst_ports The list of ports on the destination host at which the traffic should arrive: x, x-y.
-port_type The port type: all, other, list.
-coll_filter The collection filter: service, appl.
content The format of the Content value is <type:value>. Content types and values depend on
the Application.
Acceptable Content types for the HTTP Application are:
• url
• method - with one of the values CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE
• host
• content-type - the command 'go list content' shows all of the acceptable values
Acceptable Content types for the FTP Application are:
• command - with one of the values Download, Upload, Other
• file
Acceptable Content types for the Oracle Application are:
• service
• user
Acceptable Content types for the Citrix Application are:
• appl
• user
• Priority - with one of the values High, Medium, Low, Print Traffic
Acceptable Content types for the H.323 Application are:
• codec - with one of the values H.323 G711-64K Codec, H.323 G711-56K Codec, H.323 G722-64K
Codec, H.323 G722-56K Codec, H.323 G722-48K Codec, H.323 G7231 Codec, H.323 G728 Codec,
H.323 G729 Codec, H.323 H261 Codec, H.323 H262 Codec, H.323 H263 Codec, H.323 Audio Default
Codec, H.323 Video Default Codec
Acceptable Content types for the KaZaA and Gnutella Applications are:
• Direction - with one of the values Upload, Download
Acceptable Content types for the Citrix ICA Application are:
• Priority - with one of the values High, Medium, Low, Print Traffic
Acceptable Content types for the SMTP Application are:
• domains_file - with the name of the file containing domains
• Domains
Acceptable Content types for the Citrix NFuse Application are:
• appl
• user
• Priority - with one of the values High, Medium, Low, Print Traffic
Acceptable Content types for the MGCP Application are:
• codec
• Media Type - with one of the values Audio, Video, Application, Data, All
When changing the port list of a Service Entry, prefix each port number or port range with '-'
(remove the port) or '+' (add a new port), or prefix the whole list once with '=' to replace the
existing port list with the new one. The same prefixes are used to update the Service Group list
and the Content Inspection list.
For example,
go add service Test1:appl -dst_ports 333,3456-3460 -f
go change service Test1 -dst_ports +2222-2228,-333
go change service Test1 -dst_ports =2222-2228,4444 -f
Parameter Description
newName The new name to be set to the Connection Control Catalog entry.
cocName The name of the existing Connection Control Catalog entry.
Host Hostname or IP address of the Load Balancing/Cache server.
NoSrvAction The action taken when no server is available: drop, reject, pass-as-is (default).
Parameters for a Connection Control entry of type lb only:
Technique The load balancing technique: rr, fa, wrr (default).
PortUse The load balancing port to use: original (default), assigned, fixed:<PortNumber>.
Backup Whether to activate load balancing on server failure: yes, no (default).
Sticky The timeout (in seconds) for sticky connections: 0 - 999999.
Port The port number on the load balancing server.
Weight The weight of the load balancing server, used when Technique is wrr.
When changing the server list of a Connection Control entry, prefix each server item with '-'
(remove the item) or '+' (add the item), or prefix the whole list once with '=' to replace the
existing list with a new one.
For example,
go add coc Test1:lb:wrr:fixed:777 -servers 10.1.1.4::3 -f
go change coc Test1 -servers -10.1.1.4::3,+10.1.1.10::5 -f
Parameter Description
newName The new name to be set for the Pipe or Virtual Channel.
PName The name of the existing Pipe.
VcName The name of the existing Virtual Channel.
State The status of the Pipe, Virtual Channel or Rule: enable, disable (default: enable).
-expand The location of the Host Catalog entry for template expansion: none (no template),
src, dst.
-src The Connection Source condition of the Pipe or Virtual Channel: any entry from the Host
Catalog (default: Any).
-dst The Connection Destination condition of the Pipe or Virtual Channel: any entry from the
Host Catalog (default: Any).
-service The Service condition of the Pipe or Virtual Channel: any entry from the Service
Catalog (default: All IP).
-time The Time condition of the Pipe or Virtual Channel: any entry from the Time Catalog
(default: Anytime).
-tos The ToS condition of the Pipe or Virtual Channel: any entry from the ToS Catalog
(default: Ignore).
-vlan The VLAN condition of the Pipe or Virtual Channel: any entry from the VLAN Catalog
(default: Any).
-qos The QoS action of the Pipe or Virtual Channel: any entry from the QoS Catalog
(default: Normal Priority – Pipe / Normal Priority – Virtual Channel).
-access The Access action of the Pipe or Virtual Channel: Accept, Reject, Drop (default: Accept).
-coc The Connection Control action of the Virtual Channel: any entry name from the Connection
Control Catalog.
-dir The direction of traffic to which the Pipe or Virtual Channel applies: 1, 2 (default: 2).
-offset The position of the Pipe, Virtual Channel or Rule: the offset from the first position
in the policy table.
When a new Pipe or Virtual Channel is added without the -offset parameter, it is added in the
next to last position (before the Fallback Pipe/VC).
List
The list action displays the entries defined in the different Catalogs.
Commands available:
• go list {object} [-full]
Object Parameter Description
host -full Displays the contents of the Host Catalog. If the -full parameter is specified,
additional information is shown for entries from an LDAP/text file Data Source.
time - Displays the contents of the Time Catalog.
tos - Displays the contents of the ToS Catalog.
qos - Displays the contents of the QoS Catalog.
service -full Displays the contents of the Service Catalog.
datasrc - Displays the contents of the Data Source Catalog.
vlan - Displays the contents of the VLAN Catalog.
coc - Displays the contents of the Connection Control Catalog.
Configuration Settings
The config action enables you to configure NetEnforcer. The switches and parameters
available are described below.
Commands available:
• go config key {Key}
• go config nic -internal link -external link -mgmt link
• go config access_control {host_list}
• go config snmp -community read:write:trap -trap_dest Dest -contact Contact -location Loc
• go config vlan {vlan_env:vlan_id}
• go config ips -h Hostname -d Domain -g Gateway -ip ip:mask -dns dns1:dns2 -ts ts1:ts2:ts3
-mgmt check -reject_ip ip:mask|none
• go config access_link -internal link -external link
• go config policy_srv -auto_refresh X -save_refresh check
• go config monitoring -resolve_dns check -sample_period sp
• go config coc -pass_through check -retries server:service -timeout server:service:connect
Config Tab Parameter Description
key Key The new box activation key, or none.
access_control Host_list Updates the list of hosts allowed to access NetEnforcer. Any host
not in this list is barred from accessing NetEnforcer. The format is IP addresses/host names,
each prefixed with - (minus, remove) or + (plus, add) and separated by , (comma), or all.
For example, go config access_control -10.10.10.1,+10.10.10.2.
Before applying a list, make sure that the management station you are working from remains
in it; otherwise you lock yourself out of the management interface. Use all only deliberately,
since it allows every host to reach NetEnforcer's management functions.
snmp -community The SNMP read, write and trap community strings.
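The script below is an added example, not code from the NetEnforcer manual or from Allot. It covers two passages that use the same prefixed-list convention: the '+'/'-' address items of go change host described in the Host Catalog section above, and the host list of go config access_control described in the table above (the same convention applies to Time items, Service ports and Connection Control servers). Each item is validated locally before a command is built, because the access list decides who can reach the management functions and a mistyped entry can lock out the administrator. NE_DRY_RUN, NE_ALLOW_ALL, the checker functions and the demo values are all introduced by this example; it assumes single-word Host Catalog entry names and handles only the '+'/'-' item form, not the '=' replace form.

```shell
#!/bin/sh
# Added example, not part of the NetEnforcer manual or the Allot CLI: build
# the prefixed address lists used by 'go change host' (Host Catalog) and
# 'go config access_control' (management allow-list), checking every item
# locally first so that a typo cannot admit the wrong host or lock you out.
# NE_DRY_RUN and NE_ALLOW_ALL are variables introduced by this example.
NE_DRY_RUN="${NE_DRY_RUN:-1}"

# True when $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# True when $1 looks like a host name: letters, digits, '.' and '-', not
# starting with '.' or '-'. Strings made only of digits and dots must be
# valid IPv4 addresses instead, so 300.1.1.1 is not mistaken for a name.
valid_host() {
    case "$1" in
        *[!0-9.]*) case "$1" in ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;; esac ;;
        *) valid_ipv4 "$1" || return 1 ;;
    esac
    return 0
}

# Check one access_control item: '+host' admits a host, '-host' removes it.
# The literal 'all' opens management to every host, so it is refused unless
# NE_ALLOW_ALL=1 is set deliberately.
check_acl_item() {
    case "$1" in
        all)   [ "${NE_ALLOW_ALL:-0}" = 1 ] ;;
        +*|-*) valid_host "${1#?}" ;;
        *)     return 1 ;;
    esac
}

# Check one Host Catalog address item for 'go change host': '+type:value' or
# '-type:value' with a type from the Host Catalog (name, range, netaddr,
# ipaddr, macaddr). ipaddr values and both ends of a range are checked as IPv4.
check_host_item() {
    case "$1" in +*|-*) ;; *) return 1 ;; esac
    _body=${1#?}
    _type=${_body%%:*}; _val=${_body#*:}
    [ "$_type" != "$_body" ] || return 1          # no ':' in the item
    case "$_type" in
        ipaddr) valid_ipv4 "$_val" ;;
        range)  case "$_val" in *-*) ;; *) return 1 ;; esac
                valid_ipv4 "${_val%-*}" && valid_ipv4 "${_val#*-}" ;;
        name|netaddr|macaddr) [ -n "$_val" ] ;;
        *) return 1 ;;
    esac
}

# Join the items with ',' after running checker $1 on each; fails on the
# first rejected item so that no partial list is ever sent to the CLI.
join_items() {
    _check=$1; shift
    _list=
    for _i in "$@"; do
        "$_check" "$_i" || { echo "rejected item: $_i" >&2; return 1; }
        _list=${_list:+$_list,}$_i
    done
    printf '%s\n' "$_list"
}

access_control_cmd() {
    _l=$(join_items check_acl_item "$@") || return 1
    printf 'go config access_control %s\n' "$_l"
}

# $1 is a single-word Host Catalog entry name; the rest are address items.
host_change_cmd() {
    _n=$1; shift
    _l=$(join_items check_host_item "$@") || return 1
    printf 'go change host %s %s -f\n' "$_n" "$_l"
}

# Print the command (default) or run it on NetEnforcer with NE_DRY_RUN=0.
run_cmd() {
    if [ "$NE_DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Constructed demo values (not from the manual): admit a new management
# station, remove an old one, and update the addresses of host entry Test1.
run_cmd "$(access_control_cmd +10.10.10.2 -10.10.10.1)"
run_cmd "$(host_change_cmd Test1 -ipaddr:2.2.2.2 +range:1.1.1.1-1.1.1.9)"
```

Order the access_control items so that the station you are working from is added before anything is removed, and run the script once in dry-run mode from that station: if its own address is missing from the printed command, the list would cut off your session.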
This appendix describes some common situations that may occur when using
NetEnforcer and how to deal with them.
Problem Solution
No Link with the NetEnforcer
I cannot ping to the NetEnforcer and cannot Ensure that you are connected with the correct
see a link on the interfaces of the NetEnforcer. cables. If NetEnforcer is directly connected to
another device, such as a router, firewall or
PC, you should be connected using a cross
cable. A straight cable is used when
connecting to a hub or a switch.
No Link with the NetEnforcer/Link Up, Link Down
My link with the NetEnforcer appears to keep This is probably due to the fact that the two
disconnecting. I see huge packet loss when I NICs (NetEnforcer's and its connected device)
ping and I can also see the link light going off are not synchronized properly. It is mandatory
intermittently. to set both the NetEnforcer's NIC and the
adjacent device's NIC to the same speed and
Duplex mode. This can be done via the
NetEnforcer Setup Menu (Network
configuration, Manual configuration),
described in Chapter 2, Installing
NetEnforcer. Alternatively, the NIC settings
can be changed via the browser interface in
the Configuration window (Advanced view)
under the NIC tab, described in Chapter 4,
Configuring NetEnforcer.
Problem Solution
Cannot Access the NetEnforcer
I can ping through the NetEnforcer and Check that your IP routing is defined correctly
browse to the Internet but I am unable to on the NetEnforcer. The Default Gateway
access the NetEnforcer directly via telnet or definition should refer to the default gateway
the browser interface. used by your clients from different subnets, to
access the subnet on which the NetEnforcer
sits.
Monitoring Graph does not Appear Accurate
I defined CBR for a connection but the The monitoring graph has two display modes,
monitoring graph always displays the "Average" and "Active Average".
throughput as less than this value. In general
The "Average" option displays an average
the values displayed in the monitoring chart
throughput rate over the whole sample time,
appear to be inaccurate.
meaning total bytes sent (or received)/one
sample time. The result is that if a connection
is only sending traffic for a third of that time
period, the actual throughput rate over the
whole sample time will be reduced to a third
of its actual rate.
The "Active Average" option displays the
throughput rate only for the time period that
the connection was sending traffic. This
provides a 'true' representation of the
throughput rate.
In order to change the display mode, select the
appropriate monitoring mode from the View
menu.
Host IPs / Names are not added to the Access Control List
Problem: When I add an IP address to the access control list via the Configuration window (Access Control tab), it disappears when I select Add.
Solution: This problem is a result of the browser cache size being too small. To change the cache size, follow the instructions below:
For Microsoft Internet Explorer:
1. From the Tools menu, select Internet Options.
2. Select the General tab and then select Settings from the Temporary Internet Files section.
3. Ensure that the Amount of disk space to be used is at least 10 Kbytes.
4. Click OK to return to the General tab, and click OK again to close the Internet Options dialog box.
5. Restart Internet Explorer.
For Netscape Navigator:
1. From the Edit menu, choose Preferences.
2. In the Categories window, click on the plus ("+") sign next to Advanced, and select Cache.
3. Ensure that the Disk Cache is set to at least 10 Kbytes, and click OK.
4. Restart Navigator.
Changing the RadiusServerPort
Problem: My Radius server does not run on the default port. I would like to export my accounting data to the radius server. How do I do this?
Solution:
1. Open the Configuration window (Advanced View).
2. Select the RADIUS Setup tab.
3. In the Primary RADIUS Server Host Name/IP Address field, enter the IP address/host name of your RADIUS server and the port number that the server runs on. For example, if your RADIUS server runs on port 2222 and the IP address of the server is 1.2.3.4, then you would enter the information as follows: 1.2.3.4:2222.
Applications Disconnect with Low Priority
Problem: I am trying to run a particular application but every time I try to do anything it disconnects. The only Quality of Service definition I have defined is Priority 1. I have many high priority applications, some with guaranteed bandwidth definitions.
Solution: The difference between the highest priority applications and the lowest priority applications should usually be very small (1-2 steps). Large differences in priority (9 or 10 steps) for many applications may cause excessive timeouts. If your link is congested, then applications with very low priorities will be assigned only small bandwidth allocations. In some cases, this bandwidth is not enough for the application to function, so it becomes "starved" and eventually times out.
Unable to Connect to the NetEnforcer via HyperTerminal
Problem: I am trying to connect to the NetEnforcer via HyperTerminal. All my settings are correct but I am still not able to access the NetEnforcer.
Solution: In some cases you may need to ground the NetEnforcer. At the rear of the NetEnforcer there is a ground connector. Connect this to a grounding cable and try the HyperTerminal connection again.
Software Version and AC Model
Problem: How do I find out what NetEnforcer model I have and what software version it is running?
Solution: Open the Configuration window and select the Product IDs and Key tab. The model is listed under Product Name and the version under Version.
Backup of VC Table and Configuration Information
Problem: How do I back up my policy data and configuration information?
Solution: Refer to Chapter 4, Configuring NetEnforcer, Additional Configuration Options.
What Does Raw TCP mean?
Problem: In the protocol distribution window of the monitoring graph I see "Raw TCP." What does this mean?
Solution: The NetEnforcer reports TCP traffic as Raw when it does not see all packets within a connection. This can happen when NetEnforcer is rebooted, since it becomes active while many connections are already open. In this case, the amount of Raw TCP traffic will decrease over time as existing connections are closed and new connections are opened. Another cause of Raw TCP traffic is NetEnforcer sitting in a 'meshed' network. This means that packets can take more than one path to reach the same destination, so not all packets will pass through NetEnforcer. In any situation where NetEnforcer only receives part of the packets within a connection, the traffic will be reported as Raw.
Maximum per VC is exceeded
Problem: I have defined a maximum per VC of 10Kbps. In the Inbound monitoring graph I always see more than 10Kbps.
Solution: A regular packet size is 12Kb. Therefore, if you define a maximum value lower than 12, you will still see a throughput of at least 12Kbps.
Glossary of Terms
Access Control
An action that specifies the access for a connection. You can select the Access
Control to accept, drop, or reject a connection.
Access Link
Internal and External logical interfaces. Access links may be smaller than or equal to
the Ethernet Adapter values.
Action
The operation performed on a connection once it matches a rule. A combination of
Access Control, QoS and Connection Control.
Address – IP
A list of logical entities representing IP Version 4 (IPv4) addresses, which are
comprised of 32 bits.
Address – MAC
A list of logical entities representing Media Access Control (MAC) addresses, which
are comprised of a 48-bit source or destination address. The source address is the
sender's globally unique device address.
Admin
The default user name for administrating NetEnforcer, with the default password
allot. It is strongly recommended to change this password.
Admission Control
A step in every flow activation, when the required bandwidth is allocated (or not)
according to user demand (minimum bandwidth and maximum number of
connections) and system state.
Application Binding
The process of finding the correct application type for a flow (in case the flow is
TCP or UDP).
Application Recognition
The classification of protocols/applications by their unique "signature".
Application Type
The application type is defined by the destination port number.
Backplane Watchdog Timer
The backplane internal hardware timer that initiates the bypass in case there was no
software visit (the software visit restarts the timer).
Bandwidth
A parameter that defines the rate at which data flows.
Blocked Queue
A queue that holds packets that are over the maximum bandwidth defined for the
connection/Virtual Channel/Pipe.
Borrowing Bandwidth
A Pipe/Virtual Channel defined with a minimum bandwidth will receive only the
minimum necessary bandwidth, even if that value falls below the guaranteed
minimum. For example, if a Virtual Channel is currently defined for 100 Kb
minimum but needs only 50 Kb, 50 Kb is all that will be reserved, and the remainder
of the bandwidth will be allocated to another Virtual Channel. This means that
unused bandwidth is never wasted.
Burst Mode
When burst size is defined, the system will allow traffic to burst for a certain amount
of time, but the average traffic for the whole period will still be bounded by the
maximum.
Cache Redirection (CacheEnforcer)
A network device that intercepts client HTTP requests and forwards them to one or
more cache servers.
Catalog
A list of user-defined entries used when defining Pipes, Virtual Channels and rules
in the Policy Editor.
CBR
See Constant Bit Rate.
Centralized Monitoring and Accounting
Provision of centralized policy-based accounting and remote monitoring services.
The Allot Communications NetPolicy provides a comprehensive, policy-based
system that allows the network manager to define, in a concise and organized
fashion, policies that automatically effect change on specific equipment in the
network environment.
Classification
The procedure by which a flow or connection is associated to a Pipe and a Virtual
Channel. This procedure occurs every time a new flow passes through NetEnforcer.
Classification Element
Definition of partial criteria for a match to an attribute of network traffic. One rule is
a set of five classification elements or conditions. See Condition.
COC
See Connection Control.
Condition
A criterion with which to classify traffic. Conditions include Connection Source,
Connection Destination, Service, ToS, and Time.
Connection
A flow from a source to a destination and from the destination back to the source.
Connection Control
Defines whether a flow is directed to load balancing or cache redirection, or
passes as is.
Connection Control Catalog
A Catalog that enables the user to define different load-balancing and
cache-redirection definitions.
Constant Bit Rate
Offers constant throughput. When CBR is defined, the system will not allow traffic
to exceed the maximum boundary defined.
Constant Connection
Offers constant throughput. When CBR is defined, the system will not allow traffic
to exceed the maximum boundary defined.
Content Inspection
The ability to analyze packet content on a per-flow basis. This feature is the
capability to filter packets per user’s content requests. Content based packet
classification is based on any combination of source address, destination address,
protocol, type, or content URL, including URL patterns.
Delay
Specifies the maximum delay that a packet stays in NetEnforcer. If the packet
exceeds this delay, the packet is discarded.
DDoS Attack
Distributed Denial of Service Attack. These attacks are more intense and damaging
than DoS attacks. In DDoS attacks, multiple machines unknowingly participate in an
attack against a single host target.
DHCP
Dynamic Host Configuration Protocol. Used for automated allocation, configuration
and management of IP addresses and TCP/IP protocol stack parameters.
DoS Attack
Denial of Service Attack. Most DoS attacks overload servers with redundant
traffic. All servers can handle traffic volume up to a maximum, beyond which they
become disabled.
Drop
All packets are dropped. The user is disconnected and may see the message
Connection timed-out.
Flow
A series of packets with common attributes. Since these attributes do not change in
time, it is possible to identify a flow by its first packet only. TCP and UDP flows are
identified by the IP and port of the source and destination. Any other IP flow is
identified by the source IP, destination IP and protocol number. Non-IP flows are
identified by protocol number only. See Connection.
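Building the flow identifier the Flow entry describes, and folding the two directions of a flow into one Connection, as an added example that is not NetEnforcer's own code; the packet field names, the IPv4 EtherType check and the sample packets are assumptions and constructed data.

```python
# Added example (not from the NetEnforcer guide): identify a flow by the
# attributes of its first packet, as the Flow entry describes.
# Packet dictionaries and their field names are an assumption of this example.

IPPROTO_TCP = 6
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800


def flow_key(pkt):
    """Tuple that identifies the flow a packet belongs to.

    TCP/UDP:  protocol, source IP/port and destination IP/port.
    Other IP: source IP, destination IP and protocol number.
    Non-IP:   protocol (EtherType) number only.
    """
    if pkt.get("ethertype") != ETHERTYPE_IPV4:
        return ("non-ip", pkt["ethertype"])
    proto = pkt["proto"]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        return ("ip", proto, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    return ("ip", proto, pkt["src"], pkt["dst"])


def connection_key(pkt):
    """A connection is a flow plus its reverse flow: order the two endpoints
    so that packets travelling in either direction map to the same key."""
    key = flow_key(pkt)
    if key[0] != "ip":
        return key                      # non-IP flows have no endpoints to pair
    if len(key) == 6:                   # TCP/UDP: endpoint = (ip, port)
        endpoints = [(key[2], key[3]), (key[4], key[5])]
    else:                               # other IP: endpoint = ip
        endpoints = [key[2], key[3]]
    low, high = sorted(endpoints)
    return ("ip", key[1], low, high)


def count_flows_and_connections(packets):
    """Distinct flows and distinct connections seen in a packet list."""
    flows = {flow_key(p) for p in packets}
    connections = {connection_key(p) for p in packets}
    return len(flows), len(connections)


# Constructed sample traffic: one TCP session seen in both directions,
# one UDP datagram, one ICMP packet and one ARP frame.
SAMPLE_PACKETS = [
    {"ethertype": 0x0800, "proto": 6, "src": "10.0.0.5", "sport": 40000,
     "dst": "192.0.2.10", "dport": 80},
    {"ethertype": 0x0800, "proto": 6, "src": "192.0.2.10", "sport": 80,
     "dst": "10.0.0.5", "dport": 40000},
    {"ethertype": 0x0800, "proto": 17, "src": "10.0.0.5", "sport": 5353,
     "dst": "10.0.0.1", "dport": 53},
    {"ethertype": 0x0800, "proto": 1, "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ethertype": 0x0806},
]

if __name__ == "__main__":
    # Five flows (the TCP session counts twice, once per direction) but
    # only four connections, because both TCP directions share one key.
    print(count_flows_and_connections(SAMPLE_PACKETS))
```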
Flow Attribute
Data belonging to a flow that differentiates that flow from others.
Fraggle Attack
When a perpetrator sends a large amount of UDP echo (ping) traffic to IP broadcast
addresses, all of it having a fake source address. This is a simple rewrite of the
Smurf code.
Guaranteed Bandwidth
A per-connection parameter, which means that every connection will be granted
“N bytes/bits per second”.
Host Catalog
A Catalog that enables the user to define the Connection Source and Connection
Destination, two of the classification elements or conditions of a rule. Hosts can be
network IP addresses, IP address ranges, host names, IP Subnet addresses or MAC
addresses.
Inbound Traffic
Traffic that flows into the External link and out from the Internal link.
Java Applet
A program written in the Java™ (Sun Microsystems Inc trademark) language. The
applet's code is transferred to your system and executed by the browser's Java
Virtual Machine (JVM) (see more at: http://java.sun.com/applets/).
Lightweight Directory Access Protocol (LDAP)
A standard communication protocol that allows clients, servers and applications to
access directory services. NetEnforcer includes an LDAP client for communication
with the LDAP directory.
Load Balancing
A mechanism that enables balancing traffic between different servers. All traffic is
directed to a single IP, but the load-balancer smartly divides the traffic between the
different servers.
Maximum Bandwidth
A parameter that defines the upper limit of the bandwidth provision of NetEnforcer,
a Pipe, a Virtual Channel or a connection. NetEnforcer ensures that the bandwidth
will not exceed this value.
Minimum Bandwidth
A parameter that defines the lower limit of bandwidth provision, and states that
NetEnforcer will provide a particular Pipe, Virtual Channel or connection with “at
least N bytes/bits per second”. NetEnforcer guarantees that the bandwidth will not
fall below this value.
Monitor
The default basic user name for monitoring NetEnforcer, with the default password
allot. It is strongly recommended to change this password.
MPLS
Multi-protocol Label Switching. This networking protocol provides a scalable
infrastructure for the Internet. MPLS uses the concept of label switching to create a
'virtual circuit' between two end points. The main use of MPLS is to create high
quality VPNs (Virtual Private Networks). In addition, MPLS may be used to allow
integrated-access services such as voice/video and data over IP.
MRTG
Multirouter Traffic Grapher. The MRTG tool generates HTML pages that present
traffic statistic graphs. Using a standard Web browser, you can view pages, each
containing graphs showing daily, weekly, monthly and yearly information.
NetHistory
A software module that enables the user to view network behavior at any time in the
past.
NIC
Network Interface Card. Located in one device and physically connected to the
Ethernet cable going into another device.
Number of Connections
The number of open connections (sessions from the software point of view) in
NetEnforcer.
ODBC
Microsoft Open Database Connectivity interface. An application programming
interface (API) for database access. It uses Structured Query Language (SQL) as its
database access language.
Outbound Traffic
Traffic that flows into the Internal link and out from the External link.
P2P Applications
These "Peer-to-Peer" applications turn network clients into servers, using expensive
WAN bandwidth and potentially distributing worms throughout the network.
Napster is a well-known P2P application.
Packets Per Second (PPS)
The number of packets that were sent by NetEnforcer in a second.
Per Flow Queuing (PFQ)
Allot Communications QoS algorithm that defines a process where the scheduler
empties the queue according to each flow policy and fairness. Allot Communications
implements a smart queue scheduling algorithm, with accurate timing for receiving
and sending packets. The timing is such that the applications on both sides are within
the timing tolerances, while NetEnforcer precisely controls the bandwidth.
Allot Communications PFQ maximizes WAN link utilization and minimizes
bandwidth waste. Allot Communications utilizes standard mechanisms built in to the
TCP to maximize WAN utilization. It also uses a unique combination of PFQ and
Smart Queue Scheduling to precisely control bandwidth for both the incoming and
outgoing traffic. Policies are based on a variety of criteria, including when needed,
data located within the traffic, and so on.
Ping of Death
When an attacker sends illegitimate, oversized ICMP (ping) packets. These attacks
are targeted at specific TCP stacks that cannot handle this type of packet and
overload the victim's servers.
Pipe
A grouping of traffic defined by conditions (rules) and actions that owns
sub-groupings called Virtual Channels.
Policy
The regulation of access to network resources and services based on (business)
administrative criteria.
Policy Server
A server which administers QoS requests and sends out information necessary
(policy) to enforce QoS.
Port Number
A 16-bit integer appended to a message and passed between client and server
transport layers.
Priority
A parameter that identifies the relative importance of traffic on a particular Pipe or
Virtual Channel compared to other Pipes or Virtual Channels. Priority does not
explicitly define the speed of communication, but assigns a weight value, for
example, for every 2 bytes of priority 3, send 4 bytes of priority 7. It does not define
how long it takes to send priority 7 or priority 3 bytes.
Process Watchdog
A software process that is responsible for keeping the system in a normal operation
state. It watches the aliveness of processes and restarts a process or the whole system
when required.
QoS
See Quality of Service.
QoS Action
Defines a level of bandwidth agreement using parameters such as
minimum/maximum bandwidth, priority, and so on. You can select the QoS action
for Pipes, Virtual Channels and connections.
QoS Catalog
A Catalog that enables the user to define possible values for the QoS action.
QoS Gateway
Provision of end-to-end policy enforcement and management via standards-based
signal provisioning protocols, including Differentiated Services, ToS, RSVP, MPLS,
and 802.1P.
QoS of UDP Traffic
Allot Communications supports QoS for UDP traffic by using the token bucket
mechanism (for CBR sessions), combined with the leaky bucket mechanism (to
supply rate limits).
Quality of Service
Enforcing a network policy that will impact bandwidth, delay (jitter), or traffic
reliability.
Queuing
Method used by routers to control the flow of traffic. Packets are placed in holding
queues and retransmitted based on CBQ and WFQ algorithms. When traffic
overflows the queue, packets are discarded to reduce network congestion.
RADIUS
Remote Authentication Dial In User Service protocol. Specifies accounting, log and
analysis parameters for IP users accessing via dial in services.
Redundancy Configuration
A configuration in which two NetEnforcers are connected in parallel using a flat
cable. If one NetEnforcer goes down, the other one takes over immediately. One
NetEnforcer is automatically the primary system (defined by the flat cable
hardware), and the Primary and Active LEDs on the front panel are lit. The other
NetEnforcer is the secondary system, and the Secondary LED on the front panel is
lit. The flat cable is connected between the Backup connectors.
Reject
All packets are dropped. In TCP traffic, an RST packet is sent to the client and the
user may see the message Connection Closed by Server.
Reserve on Demand
A minimum bandwidth demand mode that reserves allocated bandwidth and, even if
it is not all used or required, does not provide it for other traffic.
Rule
A combination of classification elements or conditions comprised of Connection
Source, Connection Destination, Service, TOS and Time. Together these conditions
form complete criteria for classifying network traffic. Conjunction is made with the
AND operator.
Rule Matching
The process of finding the first matching rule for a flow or connection.
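First-match rule evaluation as the Rule, Rule Matching and Access Control entries describe it (five conditions joined with AND, the first matching rule decides the action), as an added example that is not NetEnforcer's own code; the rule and flow field names, the encoding of each condition and the sample rules and flows are assumptions.

```python
# Added example (not from the NetEnforcer guide): classify a flow by the
# first rule whose five conditions all match, then return its Access Control
# action. Rule/flow dictionaries and condition encodings are assumptions.
from ipaddress import ip_address, ip_network


def host_matches(cond, ip):
    """Host condition: 'any', one IP, a subnet 'a.b.c.d/n', or a (low, high) range."""
    if cond == "any":
        return True
    if isinstance(cond, tuple):                       # inclusive address range
        return ip_address(cond[0]) <= ip_address(ip) <= ip_address(cond[1])
    if "/" in cond:                                   # IP subnet
        return ip_address(ip) in ip_network(cond, strict=False)
    return ip_address(ip) == ip_address(cond)


def service_matches(cond, flow):
    """Service condition: 'any' or a (protocol number, destination port) pair."""
    return cond == "any" or cond == (flow["proto"], flow["dport"])


def time_matches(cond, hour):
    """Time condition: 'any' or an inclusive (start_hour, end_hour) window."""
    return cond == "any" or cond[0] <= hour <= cond[1]


def rule_matches(rule, flow):
    # All five classification elements are joined with AND.
    return (host_matches(rule["source"], flow["src"])
            and host_matches(rule["destination"], flow["dst"])
            and service_matches(rule["service"], flow)
            and (rule["tos"] == "any" or rule["tos"] == flow["tos"])
            and time_matches(rule["time"], flow["hour"]))


def classify(rules, flow, default_action="accept"):
    """Return (rule name, action) of the first matching rule, in rule order."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["name"], rule["action"]
    return "default", default_action


# Constructed sample rules, most specific first (order decides the outcome).
SAMPLE_RULES = [
    {"name": "drop-p2p-daytime", "source": "10.0.0.0/24", "destination": "any",
     "service": (6, 6881), "tos": "any", "time": (8, 18), "action": "drop"},
    {"name": "reject-telnet", "source": "any", "destination": "192.0.2.0/24",
     "service": (6, 23), "tos": "any", "time": "any", "action": "reject"},
    {"name": "web", "source": "any", "destination": "any",
     "service": (6, 80), "tos": "any", "time": "any", "action": "accept"},
]

if __name__ == "__main__":
    flow = {"src": "10.0.0.7", "dst": "198.51.100.9", "proto": 6,
            "dport": 6881, "tos": 0, "hour": 12}
    print(classify(SAMPLE_RULES, flow))             # matches the first rule
    print(classify(SAMPLE_RULES, dict(flow, hour=22)))  # outside the window
```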
Schedule Queue
A queue in which the packets wait to be transmitted. The schedule is defined by the
minimum bandwidth and priority parameters.
Service
Protocol- or application-based criteria for traffic classification.
Service Catalog
A Catalog that enables the user to define possible values for the Service condition. It
includes a list of different network/transport/application protocols defined by the
protocol number (L2, L3, L4 or L5 layer) and destination port number (L4).
Smurf Attack
When a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast
addresses, using a fake source address. The source address will be flooded with
simultaneous replies.
SNMP
Simple Network Management Protocol. Sets up the rules for exchanging network
information through messages (which contain variables with values). The following
types of messages are defined: read, write and trap.
Spanning Tree
A link management protocol that provides path redundancy while preventing
undesirable loops in the network.
Spoofing
When an attacker uses a fake Internet address so that the source address of an IP
packet is not the actual source. An attacker from outside of the network (meaning,
from the Internet) may send packets with a source address on the LAN. This
deceives the internal servers into identifying the attacker as a legitimate internal
network user and the internal address becomes the victim. Spoofing is used in most
of the well-known DoS attacks.
Standalone Configuration
A configuration in which only one NetEnforcer is connected to the network (in
contrast to the redundancy configuration). In case of system crash, NetEnforcer
becomes a wire, meaning that NetEnforcer continues to forward traffic without
performing policy enforcement functions.
SYN Attack
When an attacker sends a series of SYN requests to a target (victim). The target
sends a SYN ACK in response and waits for an ACK to come back to complete the
session set up. Since the source address was fake, the response never comes, filling
the victim's memory buffers so that it can no longer accept legitimate session
requests.
Template – Virtual Channel or Pipe
A master Virtual Channel or Pipe that represents a class of Virtual Channels or
Pipes, that only differ in one of their Host catalog conditions.
Time Catalog
A Catalog that enables the user to define possible values for the Time condition.
NetEnforcer is capable of classifying traffic based on packet and time parameters.
ToS
See Type of Service.
ToS Catalog
A Catalog that enables the user to define possible values for the ToS condition.
Traffic Classification
NetEnforcer classifies traffic per IP source/destination including networks, subnets,
hostnames, list and ranges of addresses; TCP/UDP ports including lists of ports, port
ranges and HTTP header parameters; URL (including wildcards - *), methods, host
names (in the header) and FTP control to data connection correlation.
Type of Service
A byte in the IP header that defines the Type of Service that should be given to that
packet. Two interpretations are implemented: IP Precedence bits (mostly in Cisco
equipment) or DiffServ (IETF standard). When used for IP Precedence, it utilizes bits
0-2 to signify eight priority values (0-7). When used as a DiffServ Code Point
(DSCP), it utilizes only 6 of the 8 bits. IP Precedence and DiffServ are prioritizing
methods for IP traffic going through the network.
By setting the Type of Service (ToS) bits in accordance with network policy,
end-to-end QoS can be achieved in a heterogeneous environment.
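Decoding one ToS byte both ways the entry describes, as an added example that is not from the guide. It assumes the RFC 791 bit numbering (bit 0 is the most significant bit) and adds the Class Selector check from RFC 2474, which the entry does not mention.

```python
# Added example (not from the NetEnforcer guide): read the ToS byte as
# IP Precedence (bits 0-2, values 0-7) and as a DiffServ Code Point (the
# upper 6 bits). Bit 0 is the most significant bit, as in RFC 791.


def ip_precedence(tos_byte):
    """IP Precedence: the three most significant bits, giving 0-7."""
    return (tos_byte >> 5) & 0x07


def dscp(tos_byte):
    """DiffServ Code Point: the upper 6 bits; the low 2 (ECN) bits are ignored."""
    return (tos_byte >> 2) & 0x3F


def tos_from_dscp(code_point):
    """ToS byte carrying a given DSCP, with the two ECN bits left zero."""
    if not 0 <= code_point <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    return code_point << 2


def is_class_selector(tos_byte):
    """True when the DSCP's low 3 bits are zero (RFC 2474 Class Selector):
    such code points are backward compatible with IP Precedence, because
    the DSCP's top 3 bits are exactly the precedence bits."""
    return dscp(tos_byte) & 0x07 == 0


def describe(tos_byte):
    """Both readings of one ToS byte, as a precedence-only device and a
    DiffServ device would each see it."""
    return {
        "precedence": ip_precedence(tos_byte),
        "dscp": dscp(tos_byte),
        "class_selector": is_class_selector(tos_byte),
    }


if __name__ == "__main__":
    # 0xB8 carries DSCP 46 (Expedited Forwarding); a precedence-only device
    # reads the same byte as precedence 5. 0xE0 is CS7 / precedence 7.
    for tos in (0xB8, 0xE0, 0x00):
        print(f"ToS 0x{tos:02X}: {describe(tos)}")
```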
Virtual Channel
A grouping of traffic defined by conditions (rules) and actions that can be owned by
Pipes.
Virtual Connection
Class of network traffic that defines traffic classification criteria and policies.
VLAN
Virtual Local Area Network refers to LANs that are interconnected by a virtual
Layer 2. The NetEnforcer enables you to apply VLAN tags to its management
traffic. VLANs are commonly used with campus environment networks. This
enables network changes to be made without physically moving cables or
equipment.
Well-Known Ports
Some services are conventionally assigned a permanent port number. For a well-known
port list see, for example: http://www.isi.edu/in-notes/iana/assignments/port-numbers
Worms
This self-propagating code floods networks with email and adds Registry entries to
users' clients. Worms may be transmitted via email, sharing infected files, or via
Internet Chat. Worms take advantage of "back doors" or "holes" in popularly used
email software and operating systems. "Malicious" worms may also erase or hide
certain types of files.
Toolbar
  Alerts Editor, 9-17
  Alerts Log, 9-21
  Configuration Window, 4-9
  Monitoring Window, 6-15
  Policy Editor, 8-13
TOS Catalog, 7-57
  Free Format, 7-61
  Predefined Entries, 7-59
Traffic Classification, 1-5
Traffic Shaping, 7-77
Traps, 11-2, 11-4
  Configuring Destinations, 11-4
U
Unpacking
  Enhanced Platform, 2-17
  High Availability Platform, 2-3
Utilization Monitoring Graph, 6-32
V
Verifying Configuration, 4-49
Virtual Channels, 1-10, 8-4
  Access Control, 8-5
  Adding, 8-24
  Creating Templates, 8-32
  Examples, 8-9
  Policy Editor, 8-11
  Quality of Service Catalog, 7-75
Virtual Channels Distribution Monitoring Graph, 6-27
VLAN
  Configuration, 4-41
  Setup, 4-41
VLAN Catalog, 7-63