Force10 Networks 100-00055-01 user manual / service manual
P-Series Installation and Operation Guide, Version 2.3.1.2, May 27, 2008. PN: 100-00055-01.
Copyright 2008 Force10 Networks®. All rights reserved. Printed in the USA. January 2008. Force10 Networks® reserves the right to change, modify, or revise this publication without notice. Trademarks: Force10 Networks® and E-Series® are registered trademarks of Force10 Networks, Inc.
Contents (page 3): Contents, 3; Preface: About this Guide.
Contents (page 4): Mirroring to Another Device, 24; Chapter 4: Graphical User Interface.
Contents (page 5): Chapter 8: Compiling Rules, 55; Creating Rules Files.
Contents (page 6): Unix Commands, 125; vi Commands.
Preface (page 7). Objectives: This document provides installation and operation instructions for the P-Series P10 appliance. Audience: This guide is intended to be used by network engineers. The P10 is a Unix-based product that runs rule management software based on Linux and FreeBSD.
About this Guide (page 8). Information Symbols. Related Documents: Additional P-Series documentation is available on the software CD that came with the appliance and in the documentation section of the Force10 website, www.force10networks.com. • P-Series Release Notes. Additional Resources: • Cox, Kerry and Gerg, Christopher.
Installation (page 9). Figure 1: P-Series P10 Appliance (Front View). Callouts: IDENTIFY, LAN 2, LAN 1, VGA, SERIAL, USB x2, KEYBOARD, MOUSE, POWER, RJ-45 SERIAL, E0 & E1, IP ADDRE.
(page 10) System Specifications: The specifications in Table 1 apply to the P-Series P10 appliance, Force10 catalog number PB-10GE-2P. Physical Connections (Power Button): This button turns the appliance on and off. Press and hold the button to turn off the appliance.
(page 11) Step / Task: 1. Review the system specifications and ensure that your operating and storage conditions meet the stated requirements. 2. Connect the power cable, a keyboard, and a monitor to the appliance.
(page 12) Booting: During booting you can select the OS of your choice. The management ports are configured for DHCP and probe for an IP address, gateway, and name server.
(page 13) Warning: Stop all traffic from flowing through the appliance, and disconnect all cables from the XFPs before proceeding. Step / Task / Command: 1. Save earlier configuration files and firmware by copying the directory /usr/local/pnic to the home directory.
(page 14) 13. Re-compile all rules firmware with the new compiler located in the directory pnic-compiler: cd upgrade_directory/pnic-compiler; gmake. 14. Install pre-compiled firmware if needed.
Getting Started (page 15). To begin inspecting and filtering traffic you must: 1. Select firmware and dynamic rules. 2. Set capture/forward policies. 3. Check for proper operation by generating traffic across the appliance.
Introduction (page 17). The P-Series P10 Intrusion Detection and Prevention System (IDS/IPS) appliance employs Dynamic Parallel Inspection (DPI) technology.
(page 18) Figure 3 illustrates how all matched packets are copied and transmitted by mirror ports. Figure 3 (block diagram) callouts: Forwarding Engine, Detection Engine, Packet Data, PCI-X Module, Packet Data, Device Acces.
(page 19) Firmware is a set of rules that has been transformed, using a compiler, from Snort syntax into a form suitable for uploading to the FPGA.
(page 20) Inline Deployment: Use the P-Series for inline traffic inspection in IPS or firewall applications at 10-Gigabit line rate (Figure 4). • For IPS deployment, no special configuration is needed; the P-Series is in inline IPS mode by default.
(page 21) Highly-available Deployment: Use optical bypass switches with the P-Series for a highly-available, redundant deployment, as shown in Figure 6.
(page 22) Figure 8: Passive Deployment with Aggregation using a Network Tap (callouts: Network Tap, P-Series P10, P0, 10-Gigabit, 10-Gigabit). Figure 9: Network Switch with SPAN port, P-Series P10.
(page 23) Capturing to a Host CPU: Captured traffic can be sent to a host CPU through a libpcap library interface, where it can be made available to applications for analysis. A typical implementation provides IDS/Snort acceleration because of the hardware assist.
(page 24) Mirroring to Another Device: Mirror captured traffic out of the 1-Gigabit mirroring ports to use the P-Series as an IDS accelerator or as part of an integrated security monitoring solution.
Graphical User Interface (page 25). The GUI can be used to: • Start and stop the DPI • Load firmware • Compile and load dynamic rules • Manage the runtime parameters • Manage the capture/forward policies for rules. Note: Using the GUI requires the super user privilege.
(page 26) GUI Commands: From the Runtime Statistics display, you can enter commands to control the DPI (see Table 3, or enter the h command from the GUI command line). Figure 13 (runtime statistics excerpt): N/A/1 FlowTimeout=16 Packets/flow=0 Truncation=0 Irq period=5ms CPU(s): 0.
(page 27) Managing Rules, Policies, and Firmware: Enter the m command from the GUI command line (see "GUI Commands" on page 26) to invoke a menu that enables you to manage dynamic rules, capture/forward policies, and firmware.
(page 28) Table 5 describes the four possible combinations of capture/forward policies. Editing Dynamic Rules with the GUI: Dynamic rules are stored in the file rules.custom in the /usr/local/pnic/0 directory. The GUI provides a quick way to access and modify these rules by invoking the vi editor on this file.
(page 29) To modify dynamic rules: (Figure 15: Editing Dynamic Rules in vi.) Managing Capture/Forward Policies with the GUI: Upon compiling static and dynamic rules, default capture/forward policies are assigned to each rule.
(page 30) Figure 16: Managing Capture/Forward Policies GUI. Figure 17: Capture/Forward Policies GUI. Selecting Firmware with the GUI: Firmware is a set of rules that has been transformed, using a compiler, from Snort syntax into a form suitable for uploading to the FPGA.
(page 31) To select firmware: (Figure 18: Manage Firmware GUI.) Runtime Statistics: Runtime statistics are displayed when firmware is uploaded and traffic is flowing across the appliance. The GUI presents two views of traffic statistics.
(page 32) The remaining lines report the cumulative number of events and the rate of those events. A description of each line is given in Table 6. Figure 19 (excerpt): CPU(s): 0.0% user, 0.0% system, 0.0% nice, 100.0% idle Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.
(page 33) Reloading Firmware: During firmware reloading, all packets flow regardless of capture/forward policies, as the policies cannot be enforced during system initialization.
Web-based Management (page 35). You can manage and monitor the P-Series on the web using the Force10 Networks P-Series Node Manager. Launching the P-Series Node Manager. Note: The Web-based GUI is best viewed with a minimum screen resolution of 1280x800.
(page 36) Figure 21: Launching the P-Series Node Manager. Note: Stop the secure HTTP service using the command pnic web-gui-stop (see Appendix A, on page 79).
(page 37) Web-browser Security Certificates: The P-Series Node Manager client and the server communicate via HTTPS.
(page 38) Monitoring System Performance: Monitor system performance from the Home panel (Figure 23). The Home panel is displayed after logging into Node Manager. It displays basic system information, card, interface, and resource information, as well as CPU and memory usage over time.
(page 39) Managing Firmware Images: Manage the software image from the Image Management panel (Figure 24). The Image Management panel provides options for compiling and deleting an image. It displays a list of available images along with the currently applied image and its details.
(page 40) Figure 25: P-Series Node Manager: Card Management Panel.
(page 41) Managing Policies: Manage policies from the Policy Management panel (Figure 26). The Policy Management panel provides you with a list of the static and dynamic rules available for the currently running image.
(page 42) Figure 26: P-Series Node Manager: Policy Management Panel.
Network Security Monitoring (page 43). A key aspect of network security deployment is the ability to monitor the network for security events, analyze them, and perform countermeasures.
(page 44) Installing the Sguil System: To employ Sguil you must: 1. Install the sensor. See page 44. 2. Install the server. See page 44. 3. Install the client. See page 45. Note: You can download the server and client Sguil components directly from the Sguil website at http://sguil.
(page 45) Uninstalling the Sguil Server: To uninstall the server: ... Installing the Sguil Client: You must have the following software installed in your PC before installing the Sguil client: • ActiveTcl; Force10 recommends ActiveTcl8.
(page 46) Installation Files: Table 7 lists the files and directories created during installation that are relevant to running the Sguil system. 3. Configure the following parameters in the file sguil.conf: • Enable (1) or disable (0) the debug option • Set the browser path.
(page 47) Running the Sguil System. Running the Sguil Sensor: Start the Sguil sensor using the command pnic sguil-sensor-start. Specify the IP address of the Sguil server, and confirm the action, as shown in Figure 29.
(page 48) • The rule file you are using should be mentioned in the snort.conf file. A sample rule file under the rules directory is already added and commented in snort.conf. • Log files are stored in the installation sub-directory.
(page 49) Running the Sguil Client: To run the Sguil Client (Figure 31: Running the Sguil Client): Step / Task: 1. Open sguil.tk using the Wish application. A window appears, as shown in Figure 31. 2. Specify the IP address of the Sguil server, and your username and password.
(page 50) Figure 32: Selecting the Sensor to Monitor. When the Sguil client starts and the client is properly connected to the Sguil server, the window in Figure 33 appears.
Command Line Interface (page 51). The command line interface (CLI) is an alternative to the GUI for managing the appliance.
(page 52) This feature can be enabled per channel. When MAC rewrite is enabled, the P10 appliance classifies the incoming traffic into one of 256 hash buckets to determine the value to be written to the LSB of the destination MAC address.
(page 53) Removing VLAN Tags: The P-Series can strip the VLAN tag from incoming packets before they exit the egress port. Enable the feature using the command pnic vlan-remove-enable. The frame CRC is recalculated when this feature is enabled.
Compiling Rules (page 55). The P-Series Network Interface Card Compiler (pnic-Compiler) produces user-defined firmware for the appliances. The user-defined input is a set of signature-based rules in Snort syntax, and compilation directives.
(page 56) Table 8: Compiler Configuration Options (Compilation Option / Description). 1. Target Device: Choose the model of your appliance. • The P10 requires type PB-10G-2P (see Figure 35 on page 58). 2. Match non-IP Traffic: Answering Yes to this option matches packets that are not IPv4.
(page 57) 7. Segmentation Evasion Rules: The pnic-Compiler prepends a set of fixed rules, called evasion.rules, located in the pnic-compiler/rules directory. The rules help detect attacks which use strategic TCP segmentation to avoid detection.
(page 58) Figure 35: pnic-Compiler Options 1-6 (session excerpt): root@# gmake Makefile:2: mtp_configuration: No such file or directory bin/getparams2.sh Please choose the target device 1) PB-10G-2P #? 1 Do you .
(page 59) Figure 36: Channel 1 Dynamic rules. Please choose how many dynamic rules (5-20 recommended). Dynamic rules are rules that can be added without recompiling the firmware.
(page 60) Figure 37: pnic-Compiler Options 8-9. Please choose the maximum number of bytes per signature (1024 recommended). Selecting a small number allows larger sets of signatures at the expense of more false positives.
(page 61) Configuration and Generated Files: Table 9 describes the files that are used or generated by the pnic-Compiler. Table 9: Configuration and Generated Files (File / Description / Location): pnic_*.
(page 62) Firmware Filenames: The pnic-Compiler creates new firmware, in the /usr/local/pnic/firmware directory, consisting of four .bit files and eight .
Writing Rules (page 63). P-Series rule syntax is based on Snort. Both rule structures are described in this chapter.
(page 64) • pass directs Snort to ignore the packet. • activate directs Snort to generate an alert and activate another specified rule. • dynamic directs Snort to disregard the rule until it is activated by another rule. Once activated, the action defaults to log.
(page 65) Ports: Port numbers may be specified by the keyword any, a single port number, ranges, and by negation. any specifies any port. Static ports are indicated by a single port number, for example, 23 for Telnet.
(page 66) Destination Address and Port: The destination address and port follow the direction operator. The syntax of these parameters is the same as for the source address and port. See "Source Addresses" on page 64, and "Ports" on page 65.
(page 67) Keyword table (excerpt; two columns per keyword, as on the page): depth: No, No; dsize: Yes, No; flags: Yes, Yes (no wild card); flow: Yes, No; fragbits: Yes, No; fragoffset: Yes, No; icmp_id: Yes, Yes; icmp_seq: Yes, .
(page 68) Writing Stateful Rules: Stateful matching improves the accuracy of detection because it adds ordering when specifying behaviors across multiple matching events. State transitions in the P-Series follow a non-cyclic pattern; no state transition may erase any of the previous states.
(page 69) Pre-match Condition, the S Value: The value in register C_f is presented to all the signatures simultaneously during matching. C_f must have all the bits specified by s_i (in addition to matching m_i) in order for signature i to trigger.
(page 70) When a packet is stored in either Temporary Memory or Match Memory, a pointer to the previously stored packet in the same flow (contained in a portion of the flow register C_f) is also stored.
(page 71) You can inspect Signatures 4, 5, and 6, and verify that they trigger a match and place a packet in Match Memory, thus alerting the host, if three consecutive packets are seen with size between 0 and 100.
(page 72) The start of the state machine is prompted by a SYN; state 1 is reached if a packet of length greater than 0 but less than 20 is detected; state 2 is reached if a packet of length 1.
(page 73) Anomalous TCP Flags: Some TCP packets with anomalous flags are captured by default to provide scan detection software diagnosis information. Table 24 shows rules which were derived from the Snort scan pre-processor.
Firewall (page 75). Deploying the P-Series as a Firewall: By default the P-Series is an IDS/IPS system; it forwards all traffic and blocks packets only if they match a rule. You can deploy the P-Series as a limited firewall by enabling Drop mode.
(page 76) Enabling the Firewall: Enable Drop mode using the command pnic default-drop-enable. Disable Drop mode using the command pnic default-drop-disable. These commands are shown in Figure 39. Figure 39 (excerpt): [root@localhost ~]# pnic default-drop-disable No device number specified.
(page 77) Allowing Traffic through the Firewall: To allow packets through the firewall you must write rules so that the packets you want the appliance to forward match those rules. Rules can be as simple as allowing traffic destined to a port.
(page 78) Table 25: Sample Firewall Rules (excerpt): #permit: let through and do not log to the host #alert: let through and log to the host #deny: DO NOT let through and do not log to the host #divert: DO N.
Appendix A (page 79). The command line interface (CLI) is an alternative to the GUI for managing the appliance.
(page 80) • pnic showconf on page 108 • pnic show-firmwares on page 108 • pnic showtech on page 109 • pnic start on page 110 • pnic stop on page 111 • pnic temp-mem-disable on page.
(page 81) Related Commands. pnic aggregate-mode-enable: Receive both client-to-server and server-to-client traffic on one port. This is the default behavior. Syntax: pnic aggregate-mode-enable [number]. Disable aggregate mode using the command pnic aggregate-mode-disable.
(page 82) Parameters / Command History / Example. Figure 42 (excerpt): [root@localhost SW]# pnic apply-firmware No card number specified. Assuming card 0 Do you really want to apply a new firmware for card0 (y/n)? y Please enter the path or name of the firmware to apply: /usr/local/pnic/firmware/null.
(page 83) pnic capture-off: Disable the capturing of packets via direct memory access (DMA). Syntax: pnic capture-off. Parameters / Command History / Example. Figure 44 (excerpt): root@# pnic macrewrite-on 0 No channel number specified.
(page 84) Example. Figure 45: pnic capture-on Command Example: root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# pnic capture-on No card number specified.
(page 85) pnic compilerules: Transform the dynamic Snort rules contained in /usr/local/pnic/0/rules.
(page 86) Example. Figure 48 (excerpt): [root@localhost SW]# pnic default-drop-disable No card number specified. Assuming card 0 *** Disabling Default-Packet-Drop on card:0 successful! *** Temporary memory enabled.
(page 87) Parameters / Command History / Example. Figure 50 (excerpt): [root@localhost pnic]# pnic diag No card number specified. Assuming card 0 Running PNIC diagnostic test needs to stop traffic matching. Do you want to proceed [n/y]? y *** Matching disabled.
(page 88) pnic flow-teardown-disable: Configure the appliance to reset the state of the flow only upon a timeout. This is the default behavior. Syntax: pnic flow-teardown-disable. Command History / Example. Figure 52 (excerpt): [root@localhost SW]# pnic flow-teardown-disable No card number specified.
(page 89) Example. Figure 53 (excerpt): [root@localhost SW]# pnic flow-teardown-enable No card number specified.
(page 90) Related Commands. pnic gui: Launch the graphical user interface. Syntax: pnic gui. Command History. pnic macrewrite-on: Enable MAC rewriting. pnic macrewrite-off: Disable MAC rewriting. pnic updatemacvalue: Update the LSB value for a particular hash index value.
(page 91) Example. Figure 55 (excerpt): [root@localhost SW]# pnic gui CPU(s): 0.0% user, 0.0% system, 0.0% nice, 100.
(page 92) pnic help: Display a list of all available commands, their syntax, and descriptions. Syntax: pnic help. Command History / Example. Figure 56 (excerpt): [root@localhost SW]# pnic help No card number specified. Assuming card 0 Usage: pnic function_command <card_num> <channel_num> <force_options> pnic aggregate-mode-disable <0|.
(page 93) pnic linkdown: Disable the physical link. Syntax: pnic linkdown [number] [channel]. Enable a physical link using the command pnic linkup. Parameters / Command History / Example. Figure 57 (excerpt): [root@localhost SW]# pnic linkdown No card number specified.
(page 94) Parameters / Command History / Example. Figure 58 (excerpt): [root@localhost SW]# pnic linkup No card number specified. Assuming card 0 No channel number specified.
(page 95) Example. Figure 59 (excerpt): [root@localhost ~]# pnic loadconf No card number specified. Assuming card 0 Loading configurations .
(page 96) pnic loadeproms: Load the PCI-X and front-end EEPROMs. Syntax: pnic loadeproms [number]. Parameters / Command History / Usage Information: Use this command to upgrade PCI-X and front-end EEPROMs to new revisions. Reboot the chassis after executing this command; only then does the new firmware take effect.
(page 97) Example. Figure 60 (excerpt): [root@localhost ~]# pnic loadparams No card number specified. Assuming card 0 Loading configurations.
(page 98) pnic loadrules: Upload to the FPGA the dynamic rules for both channels encoded in the files /usr/local/pnic/0/pnic_{0|1}.bin. Syntax: pnic loadrules [channel]. Parameters / Command History.
(page 99) pnic macrewrite-off: Disable MAC rewriting. This is the default behavior. Syntax: pnic macrewrite-off [number] [channel]. Enable MAC rewriting using the command pnic macrewrite-on.
(page 100) Parameters / Default: MAC rewrite is disabled by default. The default value for the LSB is the system-assigned hash index value. Command History / Example. Figure 63 (excerpt): [root@localhost SW]# pnic macrewrite-on No card number specified. Assuming card 0 No channel number specified.
(page 101) Example. Figure 64 (excerpt): root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# pnic off No card number specified.
(page 102) pnic params: Display the card interface name, device ID, and contents of the register on the PCI-X and Master FPGAs. Syntax: pnic params [number]. Parameters / Command History / Example. Figure 66 (excerpt): [root@localhost SW]# pnic params No card number specified.
(page 103) Command History / Example. Figure 67: pnic passive-mode-disable Command Example: [root@localhost SW]# pnic passive-mode-disable No card number specified. Assuming card 0 Channel 0 and 1 are set to work in normal TX/RX mode.
(page 104) pnic resetconf: Reset the system configuration back to the default settings, which are located in <installation_directory>/SW/misc/pnic.conf. Syntax: pnic resetconf [number]. Parameters / Command History / Example. Figure 69 (excerpt): [root@localhost ~]# pnic resetconf No card number specified.
(page 105) • Load the rule firmware • Load the capture/block configuration • Load the runtime parameters • Enable the network interface. Syntax: pnic restart. Command History / Example. Figure 70 (excerpt): [root@localhost SW]# pnic restart No card number specified.
(page 106) Syntax: pnic sguil-sensor-start [-f]. Stop the Sguil sensor using the command pnic sguil-sensor-stop. Parameters / Command History / Example. Figure 71 (excerpt): [root@localhost pnic]# pnic sguil-sensor-start Enter the IP address of the Sguil-Server:10.
(page 107) pnic sguil-sensor-stop: Stop the Sguil sensor. Syntax: pnic sguil-sensor-stop [-f]. Start the Sguil sensor using the command pnic sguil-sensor-start.
(page 108) pnic showconf: Display configuration parameters of the card. Syntax: pnic showconf [number]. Parameters / Command History / Example. Figure 74 (excerpt): [root@localhost ~]# pnic showconf No card number specified.
(page 109) Command History / Example. Figure 75 (excerpt): [root@localhost SW]# pnic show-firmwares No card number specified. Assuming card 0 List of available firmware images: null.xc4vlx200-ff1513.50.50.2048 snort_rules.
(page 110) Example. Figure 76 (excerpt): [root@localhost pnic]# pnic showtech | more No card number specified. Assuming card 0 ************************************************************ Display date *******.
(page 111) Example. Figure 77 (excerpt): [root@localhost SW]# pnic start No card number specified. Assuming card 0 Interface pnic0 is down Loading pass/block settings .
(page 112) pnic temp-mem-disable: Disable temporary memory. Syntax: pnic temp-mem-disable [number]. Enable temporary memory using the command pnic temp-mem-enable. Parameters / Command History / Example. Figure 79 (excerpt): [root@localhost SW]# pnic temp-mem-disable No card number specified.
(page 113) Example. Figure 80 (excerpt): [root@localhost SW]# pnic temp-mem-enable No card number specified. Assuming card 0 *** Enabling temporary memory on card:0 successful.
(page 114) pnic vlan-remove-disable: Disable the VLAN Tag Remove feature. Syntax: pnic vlan-remove-disable. Default: The VLAN Tag Remove feature is disabled by default. Command History / Usage Information: This feature is enabled and disabled on both sensing ports.
(page 115) pnic version: Display the driver version. Syntax: pnic version. Command History / Example. Figure 84: pnic version Command Example: [root@localhost SW]# pnic version Force10 Networks PNIC Software Version: P_MAIN2.
(page 116) Example. Figure 85: pnic web-gui-start Command Example: [root@localhost pnic]# pnic web-gui-start INFO: Generating SSL certificate for the web-gui application. Generating a 1024 bit RSA private key .........++++++ ......++++++ writing new private key to '/usr/local/pnic-mgmt-lib/sslcert/rootkey.
(page 117) Example. Figure 86: pnic web-gui-stop Command Example: [root@localhost pnic]# pnic web-gui-stop Do you really want to stop the web-gui application (y/n)? y Web-gui application has been stopped! [root@localhost pnic]# Related Commands: pnic web-gui-start: Start the web server.
Appendix B (page 119). Table 28 briefly describes the valid Snort keywords supported on the P-Series. For a more detailed explanation of these keywords, see the Snort website at http://www.snort.org/docs/snort_manual/node17.
(page 120) flow: This keyword applies the rule to a specific traffic flow direction. The flow can be in one of two states: • established: Trigger only on established TCP connections. • stateless: Trigger regardless of the state of the stream processor.
(page 121) ttl: This keyword checks for the specified IP time-to-live value. ttl: [number {> | < | =} | number - | {- | > | < | =}] number; uricontent: Searches the normalized request URI field for the specified content.
Appendix C (page 123). The meta and evasion rules for Channel 0 and Channel 1 are the same. They are listed in Table 29 and Table 30.
Appendix D: Basic Unix Commands (page 125). Table 31: Basic Unix Commands (Command / Description): cd path: Changes the current directory to the specified directory.
(page 126) vi Commands: vi has two modes: • Command Mode: In command mode, commands can be entered which allow you to jump to points in a file, search text, and exit the editor. • Insert Mode: Insert mode allows you to create or alter text in a file.
Appendix E: Glossary (page 127). ACK: An Acknowledgment packet (ACK) is a packet that is sent from the client to the server to complete a TCP connection.
(page 128) Snort: Snort is an open source network intrusion detection and prevention system that uses rules created with a special syntax to examine and control specified traffic. SPAN Port: A Switched Port Analyzer (SPAN) port is a switch port that receives a copy of specific traffic that passes through a switch.
Manual Pages (page 129). Information on operating the appliance can be accessed through manual pages (man pages) with the command man command. The command man pnic displays the man pages on the command line interface; and man pnic displays them on the Ncurses interface.
Technical Support (page 130). Contacting the Technical Assistance Center. Locating P-Series Serial Numbers: The P10 serial number is located on a sticker on the back of the unit in the top-right corner (see Figure 2), as well as on the left mounting bracket (see Figure 87).
(page 131) Requesting a Hardware Replacement: To request replacement hardware, follow these steps: Step / Task: 1. Determine the part number and serial number of the component. 2. Request a Return Materials Authorization (RMA) number from TAC by opening a support case.