Force10 Networks
100-00055-01
manual
Models:
100-00055-01
132 pages
61.04 Kb
Specification
Install
Compiler Errors
Information Symbols
Configuration
Pnic resetconf
Command Line Reference
Accessing iSupport Services
Pnic updatemacvalue
Pnic aggregate-mode-disable
Page 42, Figure 26: P-Series Node Manager: Policy Management Panel (Web-based Management)
Contents
Series Installation and Operation Guide
Copyright 2008 Force10 Networks
Graphical User Interface
Command Line Reference
Glossary
Conventions
Objectives
Audience
Convention Description Keyword
Related Documents
Information Symbols
Symbol Warning Description
Additional Resources
Label Description
This LED is blue when the hard disk is accessed
This LED is green when the power is on
This LED is not used
System Specifications
Physical Connections
PB-10GE-2P
Step Task
Once the appliance is booted
Booting
Configuration
Security Check
Tar xvzf PTPS-PMAIN
Gmake install
Cp -Rf /usr/local/pnic/ /home
Cd SW
Re-compile all rules firmware with the new compiler
Cd upgradedirectory/pnic-compiler
Install pre-compiled firmware if needed
Located in the directory pnic-compiler
Returning to the Default Configuration
Chapter Getting Started
Getting Started
Chapter Introduction
Hardware Architecture Overview
Rx1 Tx1 Mirror
Types of Rules
Sample Rules and Firmware
Introduction
Sample Rules Files
Rule Management
Deploying the P-Series
Rule Set Description
Inline Deployment
Fail-safe Deployment
Highly-available Deployment
Passive Deployment
Capturing Matched Traffic
Series supports capturing matched traffic for analysis
Capturing to a Host CPU
Capturing Matched Traffic via the libpcap Interface
Mirroring to Another Device
Creating an IDS Accelerator with the P-Series
Invoke the GUI by entering the command pnic gui
Graphical User Interface
GUI Commands
GUI Commands
Command Description
Managing Rules, Policies, and Firmware
Rule Management GUI
Policy Capture
Editing Dynamic Rules with the GUI
Option Description
Permit Deny
Managing Capture/Forward Policies with the GUI
To modify dynamic rules
Selecting Firmware with the GUI
Managing Capture/Forward Policies GUI
Runtime Statistics
To select firmware
Select Manage Firmware see Figure
Runtime Statistics for Channel 0 and 1-FPGA Loaded
Reloading Firmware
Runtime Statistics Description
Statistic Description
Graphical User Interface
Web-based Management
Launching the P-Series Node Manager
Launching the P-Series Node Manager Web-based Management
Managing the P-Series using Node Manager
Web-browser Security Certificates
Series Node Manager has four major management capabilities
Monitoring System Performance
Series Node Manager Home Panel Web-based Management
Managing Firmware Images
Managing the Network Interface Card
Managing Policies
Network Security Monitoring
Installing the Sguil System
Installing the Sguil Sensor
Installing the Sguil Server
Source the server configuration file. The default
Installing the Sguil Client
To uninstall the server
Wish
File Location Sensor
Installation Files
Sguil Files and Directories
Server
Running the Sguil System
Running the Sguil Sensor
Running the Sguil Server
Task Script
Running the Sguil Client
To run the Sguil Client
Selecting the Sensor to Monitor
MAC Rewriting
CLI Commands
Editing Dynamic Rules with the CLI
Change directories to /usr/local/pnic/0
Command Line Interface
Rewriting Destination MAC Addresses to Load Balance
Removing Vlan Tags
Command Line Interface
Compiling Rules
Creating Rules Files
Rules Capacity
To compile rules
Compilation Option Description
Content matching
Positives
Enter command gmake from the pnic-compiler directory
Pnic-Compiler Option
Summary of configuration
Starting and Stopping the pnic-Compiler
Configuration and Generated Files
Configuration and Generated Files
File Description Location
Describes each of the elements in this format
Compiler Errors
Firmware Filenames
Firmware Filename Description
Snort Rule Syntax
Snort Rule Headers
Snort Rule Syntax
Protocol
Ports
Snort Rule Options
Series Rule Syntax
Series Supported Snort Keywords
Keyword Static Dynamic
Seq Yes
Yes Only /8/16/24/32 masks
Yes Yes, no ranges
Writing Stateful Rules
Stateful Matching
Pre-match Condition the S Value
Stateful Rule Examples
Support for Snort's flow Keyword
Handling Segmentation Evasion
Support for Snort's within Keyword
Anomalous TCP Flags
Writing Rules
Chapter Firewall
Deploying the P-Series as a Firewall
Enabling the Firewall
Firewall
Allowing Traffic through the Firewall
Writing Rules for a Firewall Deployment
Sample Firewall Rules
Appendix a Command Line Reference
Pnic aggregate-mode-disable
Pnic aggregate-mode-disable number
Appendix a
Different ports. This is the default behavior
Pnic aggregate-mode-enable
Pnic aggregate-mode-enable number
Pnic apply-firmware
Pnic apply-firmware Command Example
Display the available firmware
Pnic capture-off
Pnic capture-off
Pnic capture-on
Syntax pnic capture-on
Pnic cardstatus number
Display the configuration parameters of the system
Pnic cardstatus
Display the driver version
Pnic compilerules
Pnic default-drop-disable
Pnic default-drop-disable number
Pnic compilerules number
Run diagnostic tests on the card
Pnic default-drop-enable
Enable firewall functionality
Pnic diag
Pnic diag Command Example
Example pnic diag Command Example
Pnic flow-teardown-disable
Pnic flow-teardown-disable
Pnic flow-teardown-enable
Pnic flow-teardown-enable
Example pnic flow-teardown-enable Command Example
Pnic getmachashindex
Pnic getmachashindex number
Pnic gui
Launch the graphical user interface
Syntax pnic gui
Pnic gui Command Example
Pnic help
Pnic help
Pnic linkdown
Pnic linkup
Pnic loadconf
Pnic loadconf number
Pnic loadconf Address Mapping
Address Corresponding Parameter
Load the PCI-X and front-end EEPROMs
Pnic loadeproms
Pnic loadparams deprecated
Pnic loadeproms number
Pnic loadparams Command Example
Loadparams Address Mapping
Pnic loadrules
Pnic loadrules channel
Disable MAC rewriting using the command pnic macrewrite-off
Disable MAC rewriting. This is the default behavior
Enable MAC rewriting using the command pnic macrewrite-on
Pnic macrewrite-off
Pnic off deprecated
Syntax pnic off
Pnic on deprecated
Example pnic off Command Example
Enable the capturing of packets via direct memory access
Pnic on
Pnic params
Pnic passive-mode-disable
Syntax pnic passive-mode-disable number
Pnic params number
Example pnic passive-mode-disable Command Example
Pnic passive-mode-enable
Configure the ports to only receive traffic
Configure the ports to only receive traffic
Pnic restart
Pnic resetconf
Pnic resetconf number
Stop capturing and matching
Start the Sguil sensor
Pnic sguil-sensor-start
Pnic restart
Pnic sguil-sensor-start -f
Stop the Sguil sensor
Pnic sguil-sensor-stop
Pnic sguil-sensor-stop -f
Pnic show-firmwares
Display configuration parameters of the card
Pnic showconf
List the available firmware images
Apply a specific firmware to the card
Pnic showtech
Pnic showtech number filename.dat
Pnic start
Disable the network interface using the command pnic stop
Example pnic showtech Command Example
Pnic start number
Disable the network interface
Turn off capture and disable the network interface
Enable the network interface using the command pnic start
Pnic stop
Disable temporary memory
Pnic temp-mem-disable
Pnic temp-mem-enable
Enable temporary memory. This is the default behavior
Pnic updatemacvalue number
Pnic updatemacvalue
Disable temporary memory
Specifies an LSB value for a particular hash index
Disable the Vlan Tag Remove feature
Pnic vlan-remove-disable
Pnic vlan-remove-enable
Vlan Tag Remove feature is disabled by default
Pnic web-gui-start
Disable the web server using the command pnic web-gui-stop
Pnic version
Display the driver version
Stop the web server
Pnic web-gui-stop
Stop the web server
Pnic web-gui-stop -f
Start the web server
Ack Checks for a specific TCP acknowledgment number
Description of P-Series Snort Keywords
Keyword Description Rule Syntax
Flags!*+ FSRPAU120
Icmp seq number
Flow establishedstateless
Icmp idnumber
Ipproto ! name number
Uricontent ! datastring
Ttl This keyword checks for the specified IP time-to-live
122 Appendix B
Meta Rules for Channel 0 and Channel
Meta Rules
Evasion Rules
124 Appendix C
Passwd
Unix Commands
Logout
Pwd
Set number no
Vi Commands
? text
Number
Garbage
Dynamic Rules
Flow
Collection
State
Snort
Span Port
Static Rules
Manual Pages
Accessing iSupport Services
ISupport Website
Contacting the Technical Assistance Center
Locating P-Series Serial Numbers
Requesting a Hardware Replacement
To request replacement hardware, follow these steps
132 Technical Support