Force10 Networks 100-00055-01 manual
Series Installation and Operation Guide
Models: 100-00055-01
132 pages
61.04 Kb
P-Series Installation and Operation Guide
Version 2.3.1.2
May 27, 2008
PN: 100-00055-01
Contents
Copyright 2008 Force10 Networks
Graphical User Interface
Command Line Reference
Glossary
Audience
Objectives
Conventions
Convention Description Keyword
Symbol Warning Description
Information Symbols
Related Documents
Additional Resources
This LED is green when the power is on
This LED is blue when the hard disk is accessed
Label Description
This LED is not used
Physical Connections
System Specifications
PB-10GE-2P
Step Task
Configuration
Booting
Once the appliance is booted
Security Check
cp -Rf /usr/local/pnic/ /home
gmake install
tar xvzf PTPS-PMAIN
cd SW
Install pre-compiled firmware if needed
cd upgradedirectory/pnic-compiler
Re-compile all rules firmware with the new compiler
Located in the directory pnic-compiler
Chapter Getting Started
Returning to the Default Configuration
Getting Started
Hardware Architecture Overview
Chapter Introduction
Sample Rules and Firmware
Types of Rules
Rx1 Tx1 Mirror
Introduction
Deploying the P-Series
Rule Management
Sample Rules Files
Rule Set Description
Fail-safe Deployment
Inline Deployment
Passive Deployment
Highly-available Deployment
Series supports capturing matched traffic for analysis
Capturing Matched Traffic
Capturing Matched Traffic via the libpcap Interface
Capturing to a Host CPU
Creating an IDS Accelerator with the P-Series
Mirroring to Another Device
Graphical User Interface
Invoke the GUI by entering the command pnic gui
GUI Commands
Command Description
Rule Management GUI
Managing Rules, Policies, and Firmware
Option Description
Editing Dynamic Rules with the GUI
Policy Capture
Permit Deny
To modify dynamic rules
Managing Capture/Forward Policies with the GUI
Managing Capture/Forward Policies GUI
Selecting Firmware with the GUI
To select firmware
Runtime Statistics
Select Manage Firmware see Figure
Runtime Statistics for Channel 0 and 1-FPGA Loaded
Runtime Statistics Description
Reloading Firmware
Statistic Description
Graphical User Interface
Launching the P-Series Node Manager
Web-based Management
Launching the P-Series Node Manager Web-based Management
Web-browser Security Certificates
Managing the P-Series using Node Manager
Series Node Manager has four major management capabilities
Series Node Manager Home Panel Web-based Management
Monitoring System Performance
Managing the Network Interface Card
Managing Firmware Images
Managing Policies
Network Security Monitoring
Installing the Sguil Sensor
Installing the Sguil System
Installing the Sguil Server
To uninstall the server
Installing the Sguil Client
Source the server configuration file. The default
Wish
Sguil Files and Directories
Installation Files
File Location Sensor
Server
Running the Sguil Sensor
Running the Sguil System
Task Script
Running the Sguil Server
To run the Sguil Client
Running the Sguil Client
Selecting the Sensor to Monitor
Editing Dynamic Rules with the CLI
CLI Commands
MAC Rewriting
Change directories to /usr/local/pnic/0
Rewriting Destination MAC Addresses to Load Balance
Command Line Interface
Removing Vlan Tags
Command Line Interface
Rules Capacity
Creating Rules Files
Compiling Rules
To compile rules
Compilation Option Description
Positives
Content matching
Enter the command gmake from the pnic-compiler directory
Pnic-Compiler Option
Starting and Stopping the pnic-Compiler
Summary of configuration
Configuration and Generated Files
File Description Location
Firmware Filenames
Compiler Errors
Describes each of the elements in this format
Firmware Filename Description
Snort Rule Headers
Snort Rule Syntax
Protocol
Ports
Series Supported Snort Keywords
Series Rule Syntax
Snort Rule Options
Keyword Static Dynamic
Yes Only /8/16/24/32 masks
Seq Yes
Yes Yes, no ranges
Stateful Matching
Writing Stateful Rules
Pre-match Condition the S Value
Stateful Rule Examples
Handling Segmentation Evasion
Support for Snort's flow Keyword
Support for Snort's within Keyword
Anomalous TCP Flags
Writing Rules
Deploying the P-Series as a Firewall
Chapter Firewall
Firewall
Enabling the Firewall
Writing Rules for a Firewall Deployment
Allowing Traffic through the Firewall
Sample Firewall Rules
Appendix A Command Line Reference
Pnic aggregate-mode-disable number
Pnic aggregate-mode-disable
Appendix A
Pnic aggregate-mode-enable number
Pnic aggregate-mode-enable
Different ports. This is the default behavior
Pnic apply-firmware
Display the available firmware
Pnic apply-firmware Command Example
Pnic capture-on
Pnic capture-off
Syntax pnic capture-on
Pnic cardstatus
Display the configuration parameters of the system
Pnic cardstatus number
Display the driver version
Pnic default-drop-disable number
Pnic default-drop-disable
Pnic compilerules
Pnic compilerules number
Enable firewall functionality
Pnic default-drop-enable
Run diagnostic tests on the card
Pnic diag
Example pnic diag Command Example
Pnic diag Command Example
Pnic flow-teardown-enable
Pnic flow-teardown-disable
Pnic flow-teardown-disable
Pnic flow-teardown-enable
Pnic getmachashindex
Example pnic flow-teardown-enable Command Example
Pnic getmachashindex number
Launch the graphical user interface
Pnic gui
Syntax pnic gui
Pnic gui Command Example
Pnic help
Pnic help
Pnic linkup
Pnic linkdown
Pnic loadconf number
Pnic loadconf
Address Corresponding Parameter
Pnic loadconf Address Mapping
Pnic loadparams deprecated
Pnic loadeproms
Load the PCI-X and front-end EEPROMs
Pnic loadeproms number
Loadparams Address Mapping
Pnic loadparams Command Example
Pnic loadrules channel
Pnic loadrules
Enable MAC rewriting using the command pnic macrewrite-on
Disable MAC rewriting. This is the default behavior
Disable MAC rewriting using the command pnic macrewrite-off
Pnic macrewrite-off
Syntax pnic off
Pnic off deprecated
Enable the capturing of packets via direct memory access
Example pnic off Command Example
Pnic on deprecated
Pnic on
Syntax pnic passive-mode-disable number
Pnic passive-mode-disable
Pnic params
Pnic params number
Configure the ports to only receive traffic
Pnic passive-mode-enable
Example pnic passive-mode-disable Command Example
Configure the ports to only receive traffic
Pnic resetconf number
Pnic resetconf
Pnic restart
Stop capturing and matching
Pnic sguil-sensor-start
Start the Sguil sensor
Pnic restart
Pnic sguil-sensor-start -f
Pnic sguil-sensor-stop
Stop the Sguil sensor
Pnic sguil-sensor-stop -f
Pnic showconf
Display configuration parameters of the card
Pnic show-firmwares
List the available firmware images
Pnic showtech
Apply a specific firmware to the card
Pnic showtech number filename.dat
Example pnic showtech Command Example
Disable the network interface using the command pnic stop
Pnic start
Pnic start number
Enable the network interface using the command pnic start
Turn off capture and disable the network interface
Disable the network interface
Pnic stop
Pnic temp-mem-enable
Pnic temp-mem-disable
Disable temporary memory
Enable temporary memory. This is the default behavior
Disable temporary memory
Pnic updatemacvalue
Pnic updatemacvalue number
Specifies an LSB value for a particular hash index
Pnic vlan-remove-enable
Pnic vlan-remove-disable
Disable the Vlan Tag Remove feature
Vlan Tag Remove feature is disabled by default
Pnic version
Disable the web server using the command pnic web-gui-stop
Pnic web-gui-start
Display the driver version
Stop the web server
Pnic web-gui-stop
Stop the web server
Pnic web-gui-stop -f
Start the web server
Keyword Description Rule Syntax
Description of P-Series Snort Keywords
Ack Checks for a specific TCP acknowledgment number
Flags!*+ FSRPAU120
Icmp idnumber
Flow establishedstateless
Icmp seq number
Ipproto ! name number
Ttl This keyword checks for the specified IP time-to-live
Uricontent ! datastring
Appendix B
Meta Rules
Meta Rules for Channel 0 and Channel
Evasion Rules
Appendix C
Logout
Unix Commands
Passwd
Pwd
? text
Vi Commands
Set number no
Number
Flow
Dynamic Rules
Garbage Collection
Span Port
Snort
State
Static Rules
Accessing iSupport Services
Manual Pages
ISupport Website
Locating P-Series Serial Numbers
Contacting the Technical Assistance Center
To request replacement hardware, follow these steps
Requesting a Hardware Replacement
Technical Support