
Community string conventions are best suited for management applications that can be configured
to send SNMP requests for all managed devices to a single address [10]. The primary advantage of
community string conventions is that there is no need to install a GVI driver, an RGVI client, or a
SOCKS shim on the management application server. The three-part community string format (e.g.
community@ZoneRanger@device) is also useful when managing networks with overlapping
addresses. The primary disadvantage is that the management application must be configured in an
atypical way in order to use the proxy. Some management applications require unique addresses for
each managed device, and do not support the concept of a common proxy address. In these cases, an
alternative SNMP proxy mechanism will need to be selected.
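The following is an added example (not ZoneRanger or Tavve code) showing how a proxy would parse and route the community@ZoneRanger@device convention described above, including the overlapping-address case where the same device address exists behind two different ZoneRangers. The '@' separator, the join table, the ZoneRanger names and the addresses are assumptions constructed for the example.

```python
"""Parse and route the three-part SNMP community string convention.

Added example, not ZoneRanger code. Assumed (not stated on the page): the
separator is '@', the ZoneRanger field names a joined ZoneRanger, and the
device field is an IPv4/IPv6 address or a hostname.
"""
import ipaddress
import re
from dataclasses import dataclass

HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


@dataclass(frozen=True)
class ProxyTarget:
    community: str    # community the selected ZoneRanger presents to the device
    zoneranger: str   # which ZoneRanger relays the request
    device: str       # device address as seen from inside that ZoneRanger's network


def _valid_device(device: str) -> bool:
    """Accept an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(device)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(device))


def parse_community(value: str) -> ProxyTarget:
    """Split community@ZoneRanger@device into its three fields.

    Split on the LAST two '@' so that a device community which itself
    contains '@' survives intact; the routing fields are always the last two.
    """
    parts = value.rsplit("@", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected community@ZoneRanger@device")
    community, zoneranger, device = parts
    if not _valid_device(device):
        raise ValueError(f"device field {device!r} is not an address or hostname")
    return ProxyTarget(community, zoneranger, device)


# Constructed join table: ZoneRanger name -> its address as seen from the
# Ranger Gateway. Two ZoneRangers front two DMZs that both use 10.1.1.0/24.
JOINED_ZONERANGERS = {
    "zr-dmz1": "10.254.1.10",
    "zr-dmz2": "10.254.1.20",
}


def route(value: str, joined=JOINED_ZONERANGERS) -> tuple:
    """Return (zoneranger_address, device, community) for one proxied request.

    A request naming a ZoneRanger that is not joined is refused rather than
    relayed anywhere, so a mistyped or unknown field never reaches a device.
    """
    target = parse_community(value)
    try:
        zr_address = joined[target.zoneranger]
    except KeyError:
        raise LookupError(f"ZoneRanger {target.zoneranger!r} is not joined") from None
    return zr_address, target.device, target.community


if __name__ == "__main__":
    # Same device address in two networks; the ZoneRanger field disambiguates.
    print(route("public@zr-dmz1@10.1.1.1"))
    print(route("public@zr-dmz2@10.1.1.1"))
```

Splitting from the right is the design choice worth noting: the two routing fields are appended by the operator and are therefore the last two, while the community presented to the device is opaque and may contain any character.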

SNMPv3 Conversion

The ZoneRanger SNMP Proxy service can be used to proxy SNMPv1 and SNMPv2c requests to 
managed devices. In addition, ZoneRanger can be configured to translate SNMPv1 or SNMPv2c 
requests to SNMPv3 requests, as illustrated in the following figure.

This feature enables authentication and encryption of SNMP messages in firewall-partitioned
networks, such as a DMZ, where enhanced security is arguably most needed, while avoiding the
need to configure or upgrade existing management applications to support SNMPv3. SNMPv3
conversion can be configured on a per-device basis, so that the additional administrative effort
required for SNMPv3 can be limited only to those devices where security is most needed.

It is recommended that SNMPv3 users change the authentication and encryption passwords
associated with management devices on a regular basis. To facilitate this, the ZoneRanger web
interface includes a tool for automatically updating SNMPv3 passwords on managed devices. This
tool is located on the Administration > SNMP page, SNMPv3 Passwords tab of the ZoneRanger
web interface.
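As an added example (not ZoneRanger or Tavve code) for both the per-device SNMPv3 conversion described above and the password-rotation recommendation, the block below shows a proxy deciding whether an incoming v1/v2c request is forwarded unchanged or re-issued as an SNMPv3 authPriv request, and derives the localized keys with the RFC 3414 password-to-key algorithm. The conversion table, user name, device addresses and engine IDs are constructed; the key derivation itself is the standard one, checked against the RFC 3414 Appendix A test vectors.

```python
"""Per-device SNMPv3 conversion with RFC 3414 password-to-key localization.

Added example, not ZoneRanger code. The conversion table, user name and engine
IDs are constructed; the derivation follows RFC 3414 Appendix A.2.
"""
import hashlib
from dataclasses import dataclass

DIGEST_INPUT_LEN = 1_048_576  # RFC 3414 A.2: hash the password cycled to 1 MiB


@dataclass(frozen=True)
class V3Profile:
    user: str
    auth_proto: str      # hashlib name: "md5" or "sha1"
    auth_password: str
    priv_password: str
    engine_id: bytes     # authoritative (agent) engine ID of the device


def password_to_key(password: str, proto: str) -> bytes:
    """Ku: digest of the password repeated to exactly DIGEST_INPUT_LEN bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    buf = (pw * (DIGEST_INPUT_LEN // len(pw) + 1))[:DIGEST_INPUT_LEN]
    return hashlib.new(proto, buf).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): one password yields a distinct key per agent."""
    return hashlib.new(proto, ku + engine_id + ku).digest()


# Constructed table: only devices listed here get v1/v2c -> v3 conversion.
# (Engine ID and password are the RFC 3414 Appendix A sample values.)
CONVERSION = {
    "10.1.1.1": V3Profile("nms-ro", "sha1", "maplesyrup", "maplesyrup",
                          bytes.fromhex("000000000000000000000002")),
}


def outgoing_request(device: str, incoming_version: str, community: str,
                     table=CONVERSION) -> dict:
    """Decide how the proxy forwards a request it received as v1/v2c."""
    profile = table.get(device)
    if profile is None:
        # No conversion configured: forward unchanged, community in the clear.
        return {"version": incoming_version, "community": community}
    auth_ku = password_to_key(profile.auth_password, profile.auth_proto)
    # The privacy key is derived with the AUTH protocol's hash (RFC 3414);
    # DES/AES then use a prefix of the localized key, not shown here.
    priv_ku = password_to_key(profile.priv_password, profile.auth_proto)
    return {
        "version": "3",
        "security_level": "authPriv",
        "user": profile.user,
        # Localized keys are what the proxy uses toward the device; the
        # management application never sees them or the passwords.
        "auth_key": localize_key(auth_ku, profile.engine_id, profile.auth_proto).hex(),
        "priv_key": localize_key(priv_ku, profile.engine_id, profile.auth_proto).hex(),
    }


def rotate_password(device: str, new_auth_password: str, new_priv_password: str,
                    table=CONVERSION) -> dict:
    """Re-derive keys after a password change.

    Because Kul depends on each agent's engine ID, a rotation has to be
    applied to every converted device individually, which is exactly the
    repetitive work a bulk SNMPv3 password tool exists to remove.
    """
    old = table[device]
    table[device] = V3Profile(old.user, old.auth_proto, new_auth_password,
                              new_priv_password, old.engine_id)
    return outgoing_request(device, "2c", "n/a", table)


if __name__ == "__main__":
    print(outgoing_request("10.1.1.1", "2c", "public"))   # converted to v3
    print(outgoing_request("10.1.1.2", "2c", "public"))   # forwarded as v2c
```

Note the security consequence of the decision branch: a device absent from the table is forwarded exactly as received, so the table is the list of devices actually protected by authentication and encryption, and unlisted devices still rely on the community string alone.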

[10] Community string conventions can also be used when the management application uses different
addresses for different target devices. However, the GVI/RGVI, SOCKS, or IP address aliasing
mechanisms are likely to be preferred in such cases, because the need to configure special community
strings for each device is eliminated.

ZoneRanger 5.5 User's Guide

90


Page 149: ...use in the trusted network This option is only valid for Through Gateway transactions Port Port to use on the remote TFTP server Proxy Option Description None All TFTP transfers are between the clien...

Page 150: ...OS software release 12 0 and the OLD CISCO SYSTEM MIB OLD CISCO FLASH MIB Cisco IOS software release 10 2 and later The SNMP triggered rules timeout field specifies the maximum life span for the SNMP...

Page 151: ...ging levels are Log Level Description None Logging is off Short Message header is logged Full Entire message is logged This NTP Proxy log can be downloaded by the downloadFile command on a Ranger Gate...

Page 152: ...and the Save button is clicked ZoneRanger management services become unavailable for that node For example the node along with its interfaces and TCP ports is no longer polled The node does not appea...

Page 153: ...the Node Group must be prefixed with For example the Node Group webservers would be represented in configurations as webservers Note that Node Groups may not contain hostnames Configuring device type...

Page 154: ...wnloadFile command on a Ranger Gateway The log file is called log tcpProxy log The log file may also be viewed on the View Service Logs page Configuring ICMP Proxy ZoneRanger has the capability to pro...

Page 155: ...ed Store unsuccessful ICMP responses Time to Cache Length of time to store unsuccessful ICMP responses Time Units Units of time to store unsuccessful ICMP responses If an address matches more than one...

Page 156: ...nger group On the Configuration Peers page Group tab the Group Name is used to filter duplicate information from multiple ZoneRangers reporting to the same Ranger Gateway Redundant ZoneRangers always...

Page 157: ...rtual IP address may be shared by redundant ZoneRangers A virtual IP address is a secondary IP address which one of the redundant ZoneRangers is configured to support If that ZoneRanger becomes unavai...

Page 158: ...ilability of the virtual IP address If this timeout is reached another redundant ZoneRanger will assume control of the virtual IP address The Heartbeat Timeout must be at least twice the Heartbeat Int...

Page 159: ...e selected nodes Figure 34 47 Configuration Polling page Interface Settings tab Configuring polling settings The Configuration Polling page Interface Settings tab displays a table of interface polling...

Page 160: ...th individual interfaces or common interface polling settings with groups of interfaces for example all interfaces on a specified node or all interfaces with IP addresses matching a specified wild car...

Page 161: ...P port status propagation for specific services can be enabled or disabled for all nodes If status propagation is enabled TCP port status affects node status Thus if polling fails for one or more TCP...

Page 162: ...n with the specified passcode When joining to a Ranger Gateway from a ZoneRanger the ZoneRanger passcode must be configured to match the Ranger Gateway passcode for the request to succeed If the join...

Page 163: ...a messaging connection to the ZoneRanger but the ZoneRanger will not be allowed to initiate a connection to the Ranger Gateway The typical application of restricted addresses is the case where a Zone...

Page 164: ...ertificate issued by the Tavve internal certificate authority with the following subject identity CN ZoneRanger OU Engineering O Tavve L Morrisville ST North Carolina C US Similarly each Ranger Gatewa...

Page 165: ...ggered by status polling failures that determines which device is the root cause of the problem and which devices are impacted by the root cause device The root cause service divides root cause analys...

Page 166: ...stination to the configured mail server The Send Test Email button can be used to verify that the configuration parameters are correct The Show Advanced Options button can be used to specify the actio...

Page 167: ...ting ZoneRanger such as ZoneRanger1 dmz1 Note The domain in this address cannot be localhost which Ranger Gateway does not recognize Ranger Gateway for sending Email Notifications Ranger Gateway thoug...

Page 168: ...variable bindings This SNMP Proxy log can be downloaded by the downloadFile command on a Ranger Gateway The log file is called log snmpProxy log The log file may also be viewed on the View Service Log...

Page 169: ...me limitations when SNMPv3 users are not configured for SNMPv3 traps and informs 1 The type of notification trap or inform cannot be determined for encrypted notifications 2 Encrypted notifications wi...

Page 170: ...is used that is SNMPv2c requests are converted to SNMPv1 Wildcards specified by may be used at the end of the community string When using wildcards the preceding portion of the community string will b...

Page 171: ...and privacy are applied Auth Protocol Authentication protocol Auth Password Authentication password used if authentication is applied Privacy Protocol Encryption Protocol Privacy Password Encryption p...

Page 172: ...cally add configuration rules to the Manager and User tables based on successful test results Configuring the SNMP Preferred Address Some devices having multiple IP interfaces might be configured so t...

Page 173: ...section a set of Targets OID trees and whether or not to disallow an Get or Set to those Targets When an SNMP Proxy Get or Set request is received with a disallowed OID the OID is removed from the re...

Page 174: ...figuration SNMP page Agent tab The Community String defines the community string to respond to when using SNMPv1 or SNMPv2c The Users list defines which users the ZoneRanger agent will respond to when...

Page 175: ...dicate which addresses should have their SNMP responses cached based on the following information Setting Description OID OID of SNMP request beginning with the listed OID Cache Whether or not cache t...

Page 176: ...e speed However if necessary the interface speed and duplex type may be specified on the IP tab If the ZoneRanger is connected to a 802 1q VLAN trunk the Connect to VLAN trunk check box should be sele...

Page 177: ...This is useful when no DNS server is available If the Secondary DNS enabled check box is checked ZoneRanger acts as a caching DNS server Note Saving any changes on this tab results in a ZoneRanger res...

Page 178: ...the NTP server through the specified Ranger Gateway NTP Server NTP server to use for time synchronization Key Authentication key to use to validate time with NTP server Values are retrieved from NTP K...

Page 179: ...ding on the type of port Below are the service options Service Option Description eth0 and eth1 Enabled for both interfaces disabled Port is disabled Ranger Gateway Only Port is disabled but service i...

Page 180: ...62 used to receive external SNMP traps SSH SSH port 22 used to connect to the ZoneRanger configuration The Ranger Gateway Only disables direct access to SSH but permits proxy access through a joined R...

Page 181: ...d proxied The ZoneRanger can also be configured to monitor thresholds by Traffic Type and to send an SNMP trap if a threshold is exceeded The Configuration Traffic page is used to configure the thresh...

Page 182: ...each one second interval and the highest rate is saved and used to compare with the configured thresholds As an example if the SNMP threshold is configured for 100 requests sec and the interval is 5 m...

Page 183: ...d a threshold is exceeded a ZoneRanger audit message will be displayed and a message will be logged in the ZoneRanger System log If the Send a trap when a threshold is exceeded checkbox is chec...

Page 184: ...a threshold is exceeded checkbox is checked the ZoneRanger will also generate an SNMP trap containing information about the exceeded threshold Whitelist ZoneRanger can receive data from many different...

Page 185: ...sts This applies to Discovery Root Cause Diagnostics Join Redundancy requests as well as proxy requests received from joined Ranger Gateways Network servers such as DNS and NTP must also be added to...

Page 186: ...e the Traceroute tool the FindRoute tool uses SNMP to determine the route between hosts The SNMP settings used are those configured on the Configuration SNMP page Insertion Tools ZoneRanger provides a...

Page 187: ...ext is generated The test message is followed by a count of the number of test messages sent since you most recently logged into ZoneRanger If the Syslog Forwarding activity indicator flashes this ind...

Page 188: ...unreachable there could be a significant timeout for each tested TCP port Using the SNMP interface scan diagnostic The SNMP interface scan diagnostic scans the interface table on the specified addres...

Page 189: ...ngs check box Otherwise uncheck the box to specify alternate SNMP information Using the SNMP Engine IDs diagnostic The SNMP Engine IDs diagnostic discovers the SNMP v3 Engine ID for the specified nod...

Page 190: ...ddresses using the SNMP Engine ID of the specified device will also be reported SNMP Engine IDs discovered using this diagnostic page will not be cached SNMP Engine IDs are only cached when discovered...

Page 191: ...n request is performed If use the ZoneRanger s configured values is selected the values for Service Protocol and Command already configured on the ZoneRanger will be used in the authorization request...

Page 192: ...ormance of the command View Database During discovery ZoneRanger builds a database containing information about discovered nodes interfaces networks and TCP ports The View Database page enables you to...

Page 193: ...page enables you to view network reports for resolved IP addresses resolved nodes and devices that support SNMP Figure 34 82 View Network Reports page Viewing the Resolved IP Addresses report The View...

Page 194: ...he list of unresolved nodes The lists are built using IP addresses captured during discovery Figure 34 83 View Network Reports page Resolved Nodes tab During discovery ZoneRanger uses ICMP requests to...

Page 195: ...ere accessible using SNMP and which were not as of the last time discovery was performed To update the report based on current device status and configuration click Test The update process can take a...

Page 196: ...e Diagnostics Ping Scan page for the indicated node or interface Status colors have the following meaning Color Status Green Normal Yellow Marginal Red Critical Blue Unknown Not configured for polling...

Page 197: ...will be removed from the dashboard Each section may also be moved or removed Root Causes The View Root Causes page displays information about outstanding root causes A root cause is the entity underl...

Page 198: ...boxes enable you to specify the time period for which you want to view log entries If you uncheck the From check box the start time is unbounded in other words the start of the period is the time of...

Page 199: ...ul in determining the level of processing a particular service is experiencing Statistics may be updated by using the Refresh Selected button Statistics may be reset set to 0 by using the Reset Select...

Page 200: ...ch match the specified criteria as well as to automatically update the display when a new syslog message is received by the ZoneRanger which matches the criteria To stop automatically updating the dis...

Page 201: ...ns see the system log View System Log System Information The View System Information page displays information about the ZoneRanger system the status of joined Ranger Gateways and the patch history Fi...

Page 202: ...layed in square brackets at the end of the entry The system log contains the following types of entries Status Description INFO Information entries generally report events that occur normally WARN War...

Page 203: ...ally updating the display with the specified criteria click the Stop Updating button The View System Log page will remain in the automatic update mode until the Stop Updating button is clicked or the...

Page 204: ...ffic Data button will cause the display to update when the current measurement interval has changed To stop automatically updating the display click the Stop Updating button The View Traffic Informati...

Page 205: ...al This is reported for up to a 60 second interval Peak traffic analysis can be used to measure the magnitude and duration of traffic bursts A high one second rate accompanied by decreasing rates for...

Page 206: ...adFile command on a Ranger Gateway The log file is called log trapd log The Show Matching Traps and Automatically Update button may be used to view current traps which match the specified criteria as...

Page 207: ...User s Guide The ZoneRanger User s Guide will be displayed in a separate window or tab ZoneRanger 5 5 User s Guide 207...

Page 208: ...nger Gateway Viewer A splash screen will be displayed briefly while the Ranger Gateway Viewer is starting up then the main Ranger Gateway Viewer window will be displayed as shown in the following figu...

Page 209: ...t Mouse over displays a brief summary of audit results Clicking displays a complete summary of audit results Root Cause Status Current ZoneRanger root cause status Mouse over displays a brief summary...

Page 210: ...n the Ranger Gateway is requesting information from the selected ZoneRanger This message normally appears for only a few seconds If it appears for a significant amount of time then the Ranger Gateway...

Page 211: ...lem is resolved for the Ranger Gateway to remove the corresponding audit result and it can take up to a full Ranger Gateway Viewer refresh cycle for the removal of that result to be reflected on the R...

Page 212: ...same effect as clicking the Cancel button The settings pane content for each of the listed categories is described in the following sections Gateway Settings General The Gateway Settings General wind...

Page 213: ...ined ZoneRangers and Ranger Gateways must use the same port HTTP Port Enabled When checked the Ranger Gateway will listen for HTTP requests on the configured HTTP Port and will return a web page listi...

Page 214: ...e managed by the ZoneRanger If the checkbox is disabled the source address in these requests will be the address of the Ranger Gateway The Spoof RADIUS Client Requests checkbox governs the source addr...

Page 215: ...the group name in the Device Group list and click Modify To remove a Device Group right click on the group name in the Device Group list and click Delete Due to the frequency that addresses will be q...

Page 216: ...isabled the source address will be the address of the Ranger Gateway Note The mechanism that the Ranger Gateway uses to spoof source addresses may be prevented by Windows XP security updates so the Sp...

Page 217: ...The GVI Routes list specifies the set of addresses that should be routed to the virtual interface An address may be specified as an entire subnet e g 10 0 0 0 255 255 255 0 or a specific address e g 1...

Page 218: ...value is the number of seconds to wait for a response from the ZoneRanger for each ICMP request Gateway Settings Inbound TCP Proxy The Gateway Settings Inbound TCP Proxy window provides the mechanism...

Page 219: ...e address in TCP proxy requests from ZoneRanger sent from the Ranger Gateway to an application will be the source address of the original sending device managed by the ZoneRanger If the checkbox is di...

Page 220: ...log ICMP Proxy icmpProxy log NetFlow Forwarding netflow log NTP Proxy ntpProxy log Port Map portMap log Proxy Map proxyMap log RADIUS Proxy radiusProxy log RGVI rgvi log sFlow Forwarding sflow log SNM...

Page 221: ...r with the source address of the Ranger Gateway or the source address of the ZoneRanger managed device When the Spoof NTP Client Requests checkbox is enabled the source address in NTP requests sent fr...

Page 222: ...y select any joined ZoneRanger to proxy the request If this option is disabled the Proxy Map service will only select ZoneRangers to handle proxy requests based on configured rules If no matching rule...

Page 223: ...te select the route and click the Delete button The Weight field indicates the relative cost of each proxy map route If there is more than one proxy map route which matches an incoming request the low...

Page 224: ...t device or a translation rule that can be used to calculate the port that should be used based on the rg port When the Transport field is ICMP all of the other fields are ignored To modify the name o...

Page 225: ...te a Port Map rule select any field in the rule and click the Delete button The order of Port Map rules is important since the Port Config ruleset to be used for an incoming request will be the first...

Page 226: ...re configured in this list The Add button displays a new Add RGVI Client dialog window which is used to configure a new entry in the RGVI Clients list Each entry consists of two parts 1 An IP address...

Page 227: ...multiple entries may match a given client so the order of the entries in the RGVI Clients list becomes important Important Note The set or host subnet addresses to be intercepted by an RGVI client is...

Page 228: ...scribed in further detail in Appendix C SOCKS is a standard networking proxy protocol that enables SOCKS aware applications to communicate TCP and UDP protocols through a SOCKS server without requirin...

Page 229: ...tination Port settings can be defined The SSH Proxy Port field specifies the port on which Ranger Gateway will listen for SSH Proxy requests The default is 4822 The SSH Proxy Destination Port field sp...

Page 230: ...cified the hostname or IP address to which status traps should be sent The Destination Port field specifies the destination port that should be used when sending status traps Gateway Settings TFTP Por...

Page 231: ...r managed devices The Write Directory field specifies the directory where TFTP files should be written when proxying files from ZoneRanger managed devices Gateway Settings Traffic The Gateway Settings...

Page 232: ...gory is all of the traffic of a particular type either received from or proxied to all joined ZoneRangers The Per ZoneRanger category is all of the traffic of a particular type either received from or...

Page 233: ...verall or Per ZoneRanger thresholds then an SNMP Trap will be generated if a threshold is exceeded The traffic rate is calculated for each one second interval and the highest rate is compared with the...

Page 234: ...set for 100 requests sec the interval is 5 minutes and a burst of 105 proxy requests occurs during one second and even if no other SNMP requests are received during the 5 minutes the maximum one seco...

Page 235: ...the configuration shown in the previous figure the Ranger Gateway Viewer will simply look to see if any of netscape mozilla firefox or opera can be found using the configured operating system path an...

Page 236: ...the directory where the Ranger Gateway software is installed To transfer a file from the Ranger Gateway to the selected ZoneRanger select the file in the Upload Directory list Then click Upload File T...

Page 237: ...Gateway software is installed Before attempting to apply a patch you must copy the corresponding patch file into the Ranger Gateway s patch directory To upload an available patch select the patch in...

Page 238: ...Shutdown window Help Help Contents The Help Help Contents window contains detailed information about the configuration options available from the Ranger Gateway Viewer This window is also available fr...

Page 239: ...Figure 35 32 Help About Ranger Gateway Window...

Page 240: ...have a particular behavior Question Mark Question mark produces contextual help based on the preceding text Backslash Escapes the next character to remove any special processing of the next character...

Page 241: ...orm a tcp or snmp scan shell Shell settings show Display values snmp SNMP settings snmpwalk Perform a diagnostic snmpwalk system System operations tacacs TACACS proxy settings tcp TCP proxy settings t...

Page 242: ...user User to configure user_name User name to configure password Password for user Must be at least 5 characters administrator User is administrator level operator User is operator level no Deletes th...

Page 243: ...ess_host TACACS_Port RADIUS_Auth_Port RADIUS_Acct_Port no group entry ranger_gateway access_host TACACS_Port RADIUS_Auth_Port RADIUS_Acct_Port group entry Adds an access control server to the group ra...

Page 244: ...ry settings on a ZoneRanger To remove a discovery setting use the no form of this command discovery auto manage auto poll exclude network ignored address include network period ping ranger search see...

Page 245: ...aging newly discovered devices discovery auto poll no discovery auto poll auto poll Automatically poll newly discovered devices no Disables automatic polling of newly discovered devices discovery excl...

Page 246: ...ry ping range ip_address_pattern ping range Ping ranges to discover ip_address_pattern IP address pattern to look for new devices no Deletes a ping range discovery search ip route arp cache broadcast...

Page 247: ...ds Example This example shows how to create a set of discovery rules zr discovery auto manage zr discovery auto poll zr discovery include network 10 0 0 0 255 0 0 0 zr discovery exclude network 11 10...

Page 248: ...level netflow generic sflow snmp syslog syslog options trap options Syntax Description dest group Destination Groups log level Logging level for forwarding netflow Netflow forwarding rules generic Ge...

Page 249: ...est group Adds an already defined destination group as a rule group_name Destination group name to add as a rule data diode Adds Data Diode as the destination rule no Removes a destination group entry...

Page 250: ...ZoneRanger should forward Generic UDP packets dest group Forward to destination group group name Destination group to which to forward Generic UDP packets data diode Forward to Data Diode destination...

Page 251: ...enable disable local_port ZoneRanger port to receive syslog messages ranger_gateway Hostname or IP address of a joined Ranger Gateway destination_host Hostname or IP address to which ZoneRanger shoul...

Page 252: ...verity filter convert trap trap_type no convert trap trap_type convert Forward syslog as another type trap_type Trap specific type for non Cisco traps no Deletes the convert filter facility facility n...

Page 253: ...ination_host_port source_addresses enable disable no forward trap local_port ranger_gateway destination_host dest group group name data diode destination_host_port source_addresses enable disable loca...

Page 254: ...r Forward traps matching a filter filter_name Name of the trap filter to use no Deletes the trap filter Examples This example shows how to create a netflow forwarding rule for ZoneRanger port 9996 thr...

Page 255: ...commands to recall zr history 50 icmp To manage the ICMP proxy settings for this ZoneRanger To remove a ICMP proxy setting use the no form of this command icmp cache log level no icmp cache log level...

Page 256: ...minutes hours position index rule ICMP proxy caching rule for this ZoneRanger ip_address_pattern IP address pattern to use for this ICMP proxy rule positive cache Set positive response caching time fo...

Page 257: ...passcode Syntax Description passcode Specifies the passcode passcode Passcode to use for this ZoneRanger Usage Guidelines To set the passcode for this ZoneRanger Example This example shows how to set...

Page 258: ...starting at 1 no Delete message system restricted address rule message system ssl trusted subject word position index no message system ssl trusted subject word position index ssl Configure the SSL Tr...

Page 259: ...group no remove or use default settings group entry ip_address_pattern no group entry ip_address_pattern group entry Adds an ip address pattern to the group ip_address_pattern IP address pattern or an...

Page 260: ...dex position is specified the rule is placed at the bottom of the list ntp client timeout timeout no ntp client timeout timeout client timeout Amount of time a ZoneRanger waits for a message from an N...

Page 261: ...dex Index position of NTP proxy rule starting at 1 no Delete NTP proxy server rule ntp server timeout timeout no ntp server timeout timeout server timeout Amount of time a ZoneRanger waits for a messa...

Page 262: ...terface clause takes an optional index position which determines its place relative to the other rules The indices start at 1 If no index position is specified the rule is placed at the bottom of the...

Page 263: ...s control settings on the ZoneRanger To remove a RADIUS access control setting use the no form of this command radius access control client timeout log level proxy rule server timeout no radius access...

Page 264: ...el none short full no radius log level log level Configure logging level for RADIUS none No logging default short RADIUS message header is logged full RADIUS message is logged no Delete RADIUS log lev...

Page 265: ...ZoneRanger resolve address Syntax Description address Hostname or IP address to resolve Usage Guidelines Command to perform a diagnostic name resolution of a hostname or IP address Example This examp...

Page 266: ...commas ranger gateway Send email through specified Ranger Gateway rg Joined Ranger Gateway through which to send email recipients List of email recipients addresses Email addresses separated by commas...

Page 267: ...e ZoneRanger routing table delete Delete a route from the ZoneRanger routing table view View the ZoneRanger routing table Usage Guidelines Each of the route commands will take effect immediately when...

Page 268: ...w to add and remove a route from the ZoneRanger zr route add 10 1 2 3 255 255 255 255 10 1 2 1 zr route commit 10 1 2 3 255 255 255 255 10 1 2 1 zr route view zr route delete 10 1 2 3 255 255 255 255...

Page 269: ...mand shell level Debug level which is 1 15 Usage Guidelines Command to modify options of the text interface shell Example This example shows how to modify command shell options zr shell output lines 1...

Page 270: ...figuration tftp Display TFTP configuration traffic Display Traffic configuration trap filter Display Trap Filter configuration version Display ZoneRanger version whitelist Display Whitelist configurat...

Page 271: ...ring contact contact_string location loc_string user user_name v1 v2c v3 agent Configure the ZoneRanger SNMP agent community Configure the ZoneRanger SNMP community string comm_string ZoneRanger SNMP...

Page 272: ...SNMP proxy caching rule starting at 1 no Delete SNMP proxy caching log level snmp disallowed ip_address_pattern no snmp disallowed ip_address_pattern disallowed Configure the list of IP addresses disa...

Page 273: ...MP community string v1 Use SNMP v1 for this rule v2 Use SNMP v2 for this rule v3 Use SNMP v3 for this rule user SNMP v3 user to use with this rule timeout Specify how long SNMP request should wait tim...

Page 274: ...ser_name SNMP v3 user name authentication SNMP v3 authentication type md5 Use MD5 authentication sha Use SHA authentication auth_password Authentication password must be at least 8 characters privacy...

Page 275: ...gnostic snmpwalk to a hostname or IP address from the ZoneRanger snmpwalk address v1 v2c v3 Syntax Description address Hostname or IP address to which to make SNMP request Usage Guidelines Command to...

Page 276: ...igure ZoneRanger DNS settings host Configure ZoneRanger host name list port Configure ZoneRanger ports property Configure ZoneRanger properties reboot Reboot ZoneRanger restart Restart ZoneRanger soft...

Page 277: ...p_address IP address with which to associate a hostname hostname Hostname to associate with IP address alias_list List of aliases to associate with IP address May be a space separated list enclosed i...

Page 278: ...g level max size proxy rule server timeout Syntax Description access control Configure the TACACS access control for the ZoneRanger itself client timeout Timeout for TACACS client session log level Le...

Page 279: ...Require TACACS authorization request to include command direct server entry Authenticate directly to TACACS server address Hostname or IP address of TACACS server port Port to use for authentication o...

Page 280: ...default short TACACS message header is logged full TACACS message is logged no Delete TACACS log level tacacs proxy rule ip_address_pattern server_group position index no tacacs proxy rule ip_address...

Page 281: ...e FTP sessions to passive sessions log level Configure the TCP proxy logging level Usage Guidelines Each of the TCP commands will take effect immediately when executed tcp ftp active to passive no tcp...

Page 282: ...t Basic information is logged full Additional information including TFTP rule is logged no Disable TFTP proxy logging tftp proxy rule ip_address_pattern read write create to ranger_gateway remote_host...

Page 283: ...To configure the time setting on the ZoneRanger itself To remove a time setting use the no form of this command time gateway ntp time protocol no time gateway ntp time protocol Syntax Description gat...

Page 284: ...ough Ranger Gateway ranger_gateway Retrieve ZoneRanger time from a NTP server through this joined Ranger Gateway ntp_server NTP server name from which to retrieve time key_index Authentication key ind...

Page 285: ...on forwarded Configure the forwarded traffic thresholds interval Interval to check traffic thresholds in seconds log level Level of traffic logging on the ZoneRanger proxied Configure the proxied traf...

Page 286: ...No logging default short Traffic totals are logged at each measurement interval full Traffic counts per IP address are logged at each measurement interval no Delete traffic log level traffic proxied a...

Page 287: ...rue to pass filter any condition At least one condition must be true to pass filter cancel Exit this mode without saving any changes clear conditions Clear all conditions condition Define a new condit...

Page 288: ...filter_name Specify an already defined trap filter no Deletes this condition condition generic type no condition generic type condition Adds a filtering condition generic Specify generic trap conditi...

Page 289: ...n index Specific variable binding index to use to match against trap Starts with 1 value Value of variable binding to use to match against trap no Deletes this condition condition version 1 2c 3 no co...

Page 290: ...lete an IP address pattern enforce outbound requests Blocks all traffic with addresses outside of the whitelist exit exit server group mode saving changes list Lists the IP Address patterns no Disable...

Page 291: ...the commands The commands are installed in the following directories depending on the platform Operating System Directory Linux install_dir bin Solaris install_dir bin Windows install_dir bin where in...

Page 292: ...l of the ZoneRanger or Ranger Gateway debugString Displays debugging information from particular ZoneRanger and Ranger Gateway services deleteRoute Removes an entry from the ZoneRanger routing table d...

Page 293: ...requesting client and the destination address of the target device used in Proxy Access Control proxyMap Manages the contents of the active proxy map as well as the configurations setting of the Proxy...

Page 294: ...rk_mask gateway_addr metric zoneranger specifies the name of the ZoneRanger to add the route network_addr specifies the network IP address of the route to be added network_mask specifies the network m...

Page 295: ...ddr network_mask gateway_addr zoneranger specifies the name of the ZoneRanger to commit the route network_addr specifies the network IP address of the route to be added network_mask specifies the netw...

Page 296: ...s All joined ZoneRangers and Ranger Gateways and redundant ZoneRangers must use the same port netflow_forward_log Level of logging for NetFlow forwarding values none short full ntp_proxy_log Level of...

Page 297: ...g ssh_proxy_port ssh_proxy_port Port on which Ranger Gateway listens for SSH Proxy requests The default is 4822 ssh_proxy_port_enabled Whether or not the Ranger Gateway will listen for SSH proxy reque...

Page 298: ...ts the Ranger Gateway configuration configLicenses configLicenses list load filename export filename list displays the list of licenses loaded on this Ranger Gateway load can be used to load a new set...

Page 299: ...ord kp_password keyEntryPassword ke_password key_file specifies the file in keystore format containing the SSL keys and certificates kp_password specifies the password to access the keystore file ke_p...

Page 300: ...y TACACS servers already configured may be displayed or removed by the configTacacsServers command configTraffic configTraffic subcommand arguments configTraffic configures traffic thresholds enables...

Page 301: ...hecking notify enables and disables notification when a threshold is exceeded per_zr specifies the threshold notification is on a per IP address basis forwarded specifies the threshold notification is...

Page 302: ...ed to the Ranger Gateway debugLevel debugFilter zoneranger set level 1 15 jni set level 1 15 zoneranger specifies the name of the ZoneRanger set sets the overall debug level default is 4 jni sets the...

Page 303: ...be inspected and edited using a text editor then installed on the Ranger Gateway when required modifications have been completed As a convenience a device group called ZoneRanger is available which i...

Page 304: ...group table is used If no output file is specified the resulting configuration is automatically copied to the active device group table If an output file is specified the resulting configuration is...

Page 305: ...he specified file and the active device group table is unchanged deviceGroup list in input_file group name address in indicates the name of the input file containing device group information group nam...

Page 306: ...listed If an item is specified with no value the current value of the specified configuration item is displayed If an item and a value are specified the value of the specific configuration item is se...

Page 307: ...ied ZoneRanger discovery starts the discovery service on the specified ZoneRanger or gives the status of a currently running discovery service downloadFile downloadFile zoneranger list filename zonera...

Page 308: ...tart ksh gateway start ksh gateway start ksh starts the Ranger Gateway software This command ignores any arguments Linux and Solaris only gateway stop ksh gateway stop ksh gateway stop ksh stops the R...

Page 309: ...tatus of the GVI service The gvi status subcommand indicates whether the GVI service is currently enabled or disabled and displays any errors or warnings that were generated during the most recent rou...

Page 310: ...ubnet or individual IP address to add to the GVI route list gvi add route subcommand adds one or more subnets or individual IP addresses to GVI route list The route manager within the GVI service main...

Page 311: ...e f option is specified the user is not prompted for confirmation gvi config item value gvi config can be used display or modify configuration items associated with the GVI service The configuration...

Page 312: ...ied the listStatistics command operates on the Ranger Gateway statistics listTcpPorts listTcpPorts zoneranger zoneranger specifies the name of the ZoneRanger from which to list TCP ports optional list...

Page 313: ...ave patchfile Ranger Gateway patch filename as provided by Tavve Support noserver specifies to not check if the Ranger Gateway is running before installation nosave specifies to not save backup of cha...

Page 314: ...include the pat file extension All patches contain an internal timeout so in most cases the timeout does not need to be specified patchZR zoneranger upload timeout seconds patch_number timeout specifi...

Page 315: ...ion about an uploaded patch from the indicated ZoneRanger If the patch information has not been retrieved within the specified timeout period the command will exit patchZR zoneranger listApplied timeo...

Page 316: ...s the name of the input file containing portConfig information out indicates the name of the output file to write portConfig information portConfig copy can be used for the following To copy the conte...

Page 317: ...ates the name of the output file to write portConfig information port config name specifies the name of the port config ruleset transport specifies the protocol of ICMP UDP or TCP rg port specifies th...

Page 318: ...cified text file If no input file is specified the active portConfig table is used If no output file is specified the resulting configuration is automatically copied to the active portConfig table If...

Page 319: ...me transport rg port port config name specifies the name of the port config ruleset transport specifies the protocol of ICMP UDP or TCP rg port specifies the destination port associated with the incom...

Page 320: ...2 SQL ZoneRangerDefault UDP 161 SNMP ZoneRangerDefault ICMP portControl portControl zoneranger list portName setting zoneranger specifies the name of the ZoneRanger list displays the current port sett...

Page 321: ...he name of the input file containing portMap information out indicates the name of the output file to write portMap information portMap copy can be used for the following To copy the content of the ac...

Page 322: ...g rule The portMap remove subcommand can be used to remove one or more rules from the active portMap table or from an offline file The src address and optional dest address and port config name parame...

Page 323: ...read input from the active portMap table or from a specified text file If no input file is specified the active portMap table is used Otherwise the specified input file is used portMap clear f portMap...

Page 324: ...dest address ZoneRanger port config name ZoneRangerDefault rule src address dest address port config name Default port map The portMap commands that read configurations i e copy add remove merge list...

Page 325: ...map as well as the configurations setting of the Proxy Map service The proxyMap command is organized as a set of subcommands each of which supports different parameters and options Most proxyMap subco...

Page 326: ...the copy If no output file is specified the input configuration is automatically copied to the active proxy map If an output file is specified the input configuration is written to the specified file...

Page 327: ...the matching rg address and zoneranger values is removed If no matching entries are found the input configuration will be unchanged The proxyMap remove subcommand can read input from the active proxy...

Page 328: ...l as entries where the rg address value is a matching address pattern The proxyMap list subcommand can read input from the active proxy map or from a specified text file If no input file is specified...

Page 329: ...number greater than or equal to the number of DMZ devices to which proxy requests may be directed via this Ranger Gateway proxyMap test rg address The proxyMap test subcommand performs a query on the...

Page 330: ...s All elements where the rg address value is an address pattern are listed last in the order in which they were originally created Note that there is a slight difference to the way that the proxyMap a...

Page 331: ...is not specified the install_dir backup directory will be used Only a backup of the same Ranger Gateway version may be restored The nostart option causes the Ranger Gateway to NOT restart after the ba...

Page 332: ...roup rgvi add client subcommand specifies which OpenVPN clients may connect to the RGVI service on the Ranger Gateway rgvi remove client client address client address indicates the set of OpenVPN clie...

Page 333: ...0 0 255 10 1 10 0 255 255 255 0 rgvi remove route client address subnet subnet client address indicates the set of OpenVPN client addresses to which to remove routes subnet indicates the subnet or ind...

Page 334: ...name of the zoneranger to perform the service dump i nfo reports the status of the service dump s top stops the service dump t arget performs a targeted service dump servicedump generates a file conta...

Page 335: ...variable binding 1 2 3 1 0 Test 1 snmpRequest p V1TRAP v 1 c public Ce 1 2 3 Cg 6 Cs 42 ZR500 162 1 2 3 1 0 s Test 1 sqlQuery sqlQuery zoneranger s separator tables cols tablename sql_query zoneranger...

Page 336: ...web interface or the uploadConfig command to upload the converted trap definitions trapXmlValidator trapXmlValidator trap_definitions_xml_file trap_definitions_xml_file is a trap definitions xml styl...

Page 337: ...configuration This is used for ZoneRanger communications Option 3 Remove trusted messaging subject trustedSSL removeMessagingSubject number index number specifies the index number of the trusted mess...

Page 338: ...e specified file to the Ranger Gateway configuration Option 9 Remove trusted certificate authority trustedSSL removeCa number indices number specifies the index number of the trusted subject as return...

Page 339: ...nger specifies the name of the ZoneRanger uploadTftpFile uploads a file to the ZoneRanger TFTP directory viewIcmpLatency viewIcmpLatency zoneranger ipAddress1 ipAddressN zoneranger specifies the name...

Page 340: ...hich provide application specific functionality in ZoneRanger Separately licensed features are distributed by Tavve as ZoneRanger patches Each Tavve license patch is specific to the ZoneRanger upon wh...

Page 341: ...ough a Ranger Gateway to the HP OM server in the secure network The HP OM server responses will be proxied through the Ranger Gateway and ZoneRanger back to the HP OM agents HP OM Certificates HP OM a...

Page 342: ...and HP OM servers and the ZoneRanger The Trusted Certificate Authorities section defines which certificates will be trusted The certificate will be verified with one of the configured Certificate Aut...

Page 343: ...agents need to communicate One or more Ranger Gateways may be used to reach a particular management application server in this case HP OM server The Ranger Gateways may be installed on the HP OM serv...

Page 344: ...is specified as a destination ZoneRanger will attempt each destination until it can successfully proxy the request Once ZoneRanger determines a successful management application server destination it...

Page 345: ...stinations Each HP OM Proxy Rule has a set of Destination Management Application Servers which are paths to HP OM Servers The Management Application Server may either be a joined Ranger Gateway as ind...

Page 346: ...HP OM proxy traffic based on the statistics recorded by the ZoneRanger Specific ZoneRanger statistics are also available on the View Statistics page when viewing the TCP Proxy service A Status Indicat...

Page 347: ...ort Basically the ZoneRanger will appear to be the Web server to the Web File agents The ZoneRanger will then proxy those requests through a Ranger Gateway to the Web server in the secure network The...

Page 348: ...d space The star special character represents one or more valid filename characters The special characters list the possible single valid characters For example a c would be valid either an a b or c T...

Page 349: ...le agents need to communicate One or more Ranger Gateways may be used to reach a particular management application server in this case Web server The Ranger Gateways may be installed on the Web server...

Page 350: ...tination until a proxy request fails Web File requests received by a ZoneRanger and Web File responses sent by a ZoneRanger can be written to a log file called log webFileProxy log This log can be vie...

Page 351: ...nt Application Server may either be a joined Ranger Gateway as indicated by a preceding RG or a path to a Management Application Server as configured on the Configuration Ranger Gateway page Mgmt App...

Page 352: ...ffic based on the statistics recorded by the ZoneRanger Specific ZoneRanger statistics are also available on the View Statistics page when viewing the TCP Proxy service A Status Indicator in the Activ...

Page 353: ...ent of Tavve Software Co products This MIB document is supplied AS IS and Tavve Software Co makes no warranty either express or implied as to the use operation condition or performance of the MIB ZONE...

Page 354: ...numeric version as well as SP level if set tscZRInformation 1 tscZRModel OBJECT TYPE SYNTAX DisplayString MAX ACCESS read only STATUS current DESCRIPTION A textual description of the ZoneRanger model...

Page 355: ...tem memory in kilobytes tscZRInformation 9 tscZRPatchStatusTable OBJECT TYPE SYNTAX SEQUENCE OF TscZRPatchStatusEntryEntry MAX ACCESS not accessible STATUS current DESCRIPTION This conceptual table co...

Page 356: ...atewayTable OBJECT TYPE SYNTAX SEQUENCE OF TscZRRangerGatewayEntryEntry MAX ACCESS not accessible STATUS current DESCRIPTION This conceptual table contains a list of Ranger Gateways tscZRInformation 1...

Page 357: ...sible STATUS current DESCRIPTION This conceptual table contains a list of forwarded UDP data tscZRForwardStats 1 tscZRForwardStatsEntry OBJECT TYPE SYNTAX TscZRForwardStatsEntry MAX ACCESS not accessi...

Page 358: ...sponses tscZRSnmpProxyStats 2 tscZRSnmpProxyDiscards OBJECT TYPE SYNTAX Counter32 MAX ACCESS read only STATUS current DESCRIPTION The count of SNMP proxy requests discarded One possible reason is requ...

Page 359: ...IPTION The ZoneRanger Information Group tscZRGroups 1 tscZRMessagingGroup OBJECT GROUP OBJECTS tscZRMessagesDiscarded tscZRMessagesExternalReceived tscZRMessagesExternalSent STATUS current DESCRIPTION...

Page 360: ...ZRVerifyDown Sent after ZoneRanger reports that a root cause node is down tscZRVerifyUp Sent after ZoneRanger reports that a device is again up after being verified down Test trap Trap Description tsc...

Page 361: ...at all interfaces on a node are down tscZRNodeMarginal Sent after ZoneRanger determines that some interfaces on the node are down and some interfaces on the node are up tscZRNodeUnknown Sent after Zon...

Page 362: ...eported node tscZRNodeDeleted Sent by ZoneRanger to report that it deleted the reported node tscZRNodeMerged Sent by ZoneRanger to report that it merged two hostnames tscZRSysContactChanged Sent by Zo...

Page 363: ...in the chain tscDataDiodeSubtendingVMActivationExpiring The ZoneRanger detected a subtending ZoneRanger activation that will soon expire tscDataDiodeSubtendingVmNotActivated The ZoneRanger detected...

Page 364: ...cket tscServiceDegraded A ZoneRanger or Ranger Gateway service is degraded tscServiceFailed A ZoneRanger or Ranger Gateway service failed tscSnmpProtocolViolation The ZoneRanger detected SNMP protocol...

Page 365: ...ain applications such as SSH proxy its overall usefulness tends to be somewhat limited given the number of prevalent management applications that do not provide built in support SOCKS shims can be use...

Page 366: ...ansport i e UDP in this case and destination port associated with the datagram and uses the Proxy Access Control tables to determine whether the datagram should be forwarded to a managed device and if...

Page 367: ...on the same server the IP address aliases can usually be added to the server s loopback interface For example consider the network shown in the following figure Figure D 1 IP Address Aliasing In this...

Page 368: ...agement application server routing table in the figure above could be simplified by configuring a single subnet route 10 10 1 0 24 10 2 1 2 provided that there are no devices with addresses in the...

Page 369: ...atic routing rules in management servers where applicable Another concern is that operating systems may limit the number of IP address aliases that can be defined As a result this technique may not be...

Page 370: ...ject This initial SSL configuration is provided so that ZoneRangers and Ranger Gateways are able to communicate right out of the box In environments where a high degree of security is required it is r...

Page 371: ...rustSSL command on the Ranger Gateway first add the distinguished name identified in the SSL certificate which was installed on the ZoneRanger by using the Add trusted subject option The default Subje...

Page 372: ...are joined and will remain the same while the ZoneRanger and Ranger Gateway remain joined If they are unjoined and then joined later the ports may change Using Ranger Gateway to access and query the Z...

Page 373: ...each joined ZoneRanger For example suppose the listTcpPorts command returned SSH port 20014 and the Telnet port 20015 for a particular ZoneRanger You would access that ZoneRanger s text interface thro...

Page 374: ...id passcode is entered a shell prompt appears The customer then has operating system level access to the ZoneRanger This level of access remains active until the technician access session is exited Zo...

Page 375: ...H environment variable on Linux and Solaris systems Ranger Gateway requires at least 256MB of RAM In order for the Ranger Gateway software to start properly it must be possible for the software to ide...

Page 376: ...installer Uninstalling Ranger Gateway on Linux and Solaris To uninstall the Ranger Gateway software on Linux and Solaris systems run the following command install_dir UninstallerData Uninstall_Tavve_...

Page 377: ...ty for non global zones to manage network routes the Ranger Gateway GVI will not install in non global zones In order for the Ranger Gateways installed in the non global zones to use GVI in a Solaris...

Page 378: ...ed via one or more ZoneRangers in the same manner as locally intercepted traffic e g via GVI So the end result is an application layer proxy firewall with a VPN based front end as opposed to a simple...

Page 379: ...wing web page http www blastwave org jir blastwave fam Once pkgutil has been installed you can install OpenVPN by simply executing the following command opt csw bin pkgutil pkgutil install openvpn The...

Page 380: ...list of Ranger Gateway candidates as described above In addition you will need to modify the rgviClient conf file to indicate that the rgviClientNoPassword key key file should be used because there is...

Page 381: ...n download the OpenVPN source code and build install using the configure convention as described in the Linux Notes without RPM section on the following web page http www openvpn net index php open so...

Page 382: ...service on the Ranger Gateway by verifying that the IP address associated with RGVI client is listed in the output of the following command executed on the Ranger Gateway server usr tavve gateway bin...

Page 383: ...ng and managing Linux services Information describing this utility can be found at the following URLs http linuxcommand org man_pages chkconfig8 html http www netadmintools com art94 html Microsoft Wi...

Page 384: ...server RangerGatewayInstallDir bin rgvi status Running the OpenVPN Client as a Windows Service If you prefer to run the OpenVPN client as a Windows service copy the following files from the rgvi direc...

Page 385: ...ort as shown in the following figure 4 The welcome page for the Certificate Import Wizard will be displayed Read the information on the welcome page then click the Next button The File to Import page...

Page 386: ...ormation Exchange pfx p12 from the Files of type drop down list then select the rgviClientWindowsService p12 file as shown in the following figure 6 Click the Open button The File to Import page will...

Page 387: ...e Certificate Import Wizard page will be displayed Click the Finish button A confirmation dialog will be displayed indicating that the import was successful Click the OK button The Local Computer Acco...

Page 388: ...les with this extension should be deleted renamed to have a different extension or moved to a different directory To start the OpenVPN service open the Services control panel tool located in the Admin...

Page 389: ...atus of the OpenVPN service by looking in the log file at the following location C Program Files OpenVPN log rgviClientWindowsService log If OpenVPN started and connected to the Ranger Gateway success...
